mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-12-19 23:23:52 +08:00
Code Issues Packages Projects Releases Wiki Activity

systemd-analyze: use config value in RestrictNamespaces id (#20645)

Browse Source 
For most fields, the text shown by `.id` is the value that should be set
in the unit file; however, for RestrictNamespaces, it is not. Changing
this to show the actual text makes it more clear to a user what the
actual change that needs to be made to the unit file is.
This commit is contained in:
Kyle Laker 2021-09-06 11:33:16 -04:00 committed by GitHub
parent f77e015a88
commit c1e6f21556
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
man/systemd-analyze.xml
View File

@ -967,25 +967,25 @@ Service b@0.service not loaded, b.socket cannot be started.
<entry>RestrictSUIDSGID</entry>
</row>
<row>
<entry>RestrictNamespaces_CLONE_NEWUSER</entry>
<entry>RestrictNamespaces_user</entry>
</row>
<row>
<entry>RestrictNamespaces_CLONE_NEWNS</entry>
<entry>RestrictNamespaces_mnt</entry>
</row>
<row>
<entry>RestrictNamespaces_CLONE_NEWIPC</entry>
<entry>RestrictNamespaces_ipc</entry>
</row>
<row>
<entry>RestrictNamespaces_CLONE_NEWPID</entry>
<entry>RestrictNamespaces_pid</entry>
</row>
<row>
<entry>RestrictNamespaces_CLONE_NEWCGROUP</entry>
<entry>RestrictNamespaces_cgroup</entry>
</row>
<row>
<entry>RestrictNamespaces_CLONE_NEWUTS</entry>
<entry>RestrictNamespaces_uts</entry>
</row>
<row>
<entry>RestrictNamespaces_CLONE_NEWNET</entry>
<entry>RestrictNamespaces_net</entry>
</row>
<row>
<entry>RestrictAddressFamilies_AF_INET_INET6</entry>

28
src/analyze/analyze-security.c
View File

@ -1340,8 +1340,8 @@ static const struct security_assessor security_assessor_table[] = {
.offset = offsetof(SecurityInfo, restrict_suid_sgid),
},
{
.id = "RestrictNamespaces=~CLONE_NEWUSER",
.json_field = "RestrictNamespaces_CLONE_NEWUSER",
.id = "RestrictNamespaces=~user",
.json_field = "RestrictNamespaces_user",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
.description_good = "Service cannot create user namespaces",
.description_bad = "Service may create user namespaces",
@ -1351,8 +1351,8 @@ static const struct security_assessor security_assessor_table[] = {
.parameter = CLONE_NEWUSER,
},
{
.id = "RestrictNamespaces=~CLONE_NEWNS",
.json_field = "RestrictNamespaces_CLONE_NEWNS",
.id = "RestrictNamespaces=~mnt",
.json_field = "RestrictNamespaces_mnt",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
.description_good = "Service cannot create file system namespaces",
.description_bad = "Service may create file system namespaces",
@ -1362,8 +1362,8 @@ static const struct security_assessor security_assessor_table[] = {
.parameter = CLONE_NEWNS,
},
{
.id = "RestrictNamespaces=~CLONE_NEWIPC",
.json_field = "RestrictNamespaces_CLONE_NEWIPC",
.id = "RestrictNamespaces=~ipc",
.json_field = "RestrictNamespaces_ipc",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
.description_good = "Service cannot create IPC namespaces",
.description_bad = "Service may create IPC namespaces",
@ -1373,8 +1373,8 @@ static const struct security_assessor security_assessor_table[] = {
.parameter = CLONE_NEWIPC,
},
{
.id = "RestrictNamespaces=~CLONE_NEWPID",
.json_field = "RestrictNamespaces_CLONE_NEWPID",
.id = "RestrictNamespaces=~pid",
.json_field = "RestrictNamespaces_pid",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
.description_good = "Service cannot create process namespaces",
.description_bad = "Service may create process namespaces",
@ -1384,8 +1384,8 @@ static const struct security_assessor security_assessor_table[] = {
.parameter = CLONE_NEWPID,
},
{
.id = "RestrictNamespaces=~CLONE_NEWCGROUP",
.json_field = "RestrictNamespaces_CLONE_NEWCGROUP",
.id = "RestrictNamespaces=~cgroup",
.json_field = "RestrictNamespaces_cgroup",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
.description_good = "Service cannot create cgroup namespaces",
.description_bad = "Service may create cgroup namespaces",
@ -1395,8 +1395,8 @@ static const struct security_assessor security_assessor_table[] = {
.parameter = CLONE_NEWCGROUP,
},
{
.id = "RestrictNamespaces=~CLONE_NEWNET",
.json_field = "RestrictNamespaces_CLONE_NEWNET",
.id = "RestrictNamespaces=~net",
.json_field = "RestrictNamespaces_net",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
.description_good = "Service cannot create network namespaces",
.description_bad = "Service may create network namespaces",
@ -1406,8 +1406,8 @@ static const struct security_assessor security_assessor_table[] = {
.parameter = CLONE_NEWNET,
},
{
.id = "RestrictNamespaces=~CLONE_NEWUTS",
.json_field = "RestrictNamespaces_CLONE_NEWUTS",
.id = "RestrictNamespaces=~uts",
.json_field = "RestrictNamespaces_uts",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
.description_good = "Service cannot create hostname namespaces",
.description_bad = "Service may create hostname namespaces",

14
test/units/testsuite-63.sh
View File

@ -412,43 +412,43 @@ cat <<EOF >/tmp/testfile.json
"weight": 1000,
"range": 1
},
"RestrictNamespaces_CLONE_NEWUSER":
"RestrictNamespaces_user":
{"description_good": "Servicecannotcreateusernamespaces",
"description_bad": "Servicemaycreateusernamespaces",
"weight": 1500,
"range": 1
},
"RestrictNamespaces_CLONE_NEWNS":
"RestrictNamespaces_mnt":
{"description_good": "Service cannot create file system namespaces",
"description_bad": "Service may create file system namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_CLONE_NEWIPC":
"RestrictNamespaces_ipc":
{"description_good": "Service cannot create IPC namespaces",
"description_bad": "Service may create IPC namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_CLONE_NEWPID":
"RestrictNamespaces_pid":
{"description_good": "Service cannot create process namespaces",
"description_bad": "Service may create process namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_CLONE_NEWCGROUP":
"RestrictNamespaces_cgroup":
{"description_good": "Service cannot create cgroup namespaces",
"description_bad": "Service may create cgroup namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_CLONE_NEWNET":
"RestrictNamespaces_net":
{"description_good": "Service cannot create network namespaces",
"description_bad": "Service may create network namespaces",
"weight": 500,
"range": 1
},
"RestrictNamespaces_CLONE_NEWUTS":
"RestrictNamespaces_uts":
{"description_good": "Service cannot create hostname namespaces",
"description_bad": "Service may create hostname namespaces",
"weight": 100,