analyze: handle CAP_BPF support
authorPeter Hutterer <peter.hutterer@who-t.net>
Tue, 3 May 2022 04:24:42 +0000 (14:24 +1000)
committerLuca Boccassi <luca.boccassi@gmail.com>
Wed, 1 Nov 2023 10:25:59 +0000 (10:25 +0000)
man/systemd-analyze.xml
src/analyze/analyze-security.c
test/units/testsuite-65.sh

index 5b7f22c87c321c7cc97c203563156bcdb27de586..1ea16372fc6db16ecfea37e0aef149e238add822 100644 (file)
@@ -1261,6 +1261,9 @@ NR NAME                SHA256
               <row>
                 <entry>CapabilityBoundingSet_CAP_SYS_TTY_CONFIG</entry>
               </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_BPF</entry>
+              </row>
               <row>
                 <entry>UMask</entry>
               </row>
index 730f07092eb32cccd1d0e7a187864e6ee7876849..2745100f5d98b4b25673879eb83188770c25cd39 100644 (file)
@@ -1249,6 +1249,17 @@ static const struct security_assessor security_assessor_table[] = {
                 .assess = assess_capability_bounding_set,
                 .parameter = (UINT64_C(1) << CAP_SYS_PACCT),
         },
+        {
+                .id = "CapabilityBoundingSet=~CAP_BPF",
+                .json_field = "CapabilityBoundingSet_CAP_BPF",
+                .description_good = "Service may load BPF programs",
+                .description_bad = "Service may not load BPF programs",
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
+                .weight = 25,
+                .range = 1,
+                .assess = assess_capability_bounding_set,
+                .parameter = (UINT64_C(1) << CAP_BPF),
+        },
         {
                 .id = "UMask=",
                 .json_field = "UMask",
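Review bot: The two description strings in the new CAP_BPF entry look inverted relative to the table's convention: `description_good` is the text shown when the assessment passes, which for an `assess_capability_bounding_set` entry is the case where the capability is absent from the bounding set, so "good" should be the locked-down wording. The sibling entries that establish this are outside the hunk (only the tail of the CAP_SYS_PACCT entry is visible), so confirm against them, but if they follow the usual "Service cannot …" / "Service may …" pairing, the fix is to swap the two lines: `.description_good = "Service may not load BPF programs",` and `.description_bad = "Service may load BPF programs",`. The same swapped pair is copied into the expected-output JSON in the testsuite-65.sh hunk, so the test will only pass while the strings stay wrong and must be corrected together with this entry. The `security_assessor_table[]` initializer begins and ends outside the hunk.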
index d76eb1a2eb778c2aa3df3c4b99803f06f93abf08..ae8cd98a4eb7c31dba8921b3031f48cdc315b776 100755 (executable)
@@ -563,6 +563,12 @@ cat <<EOF >/tmp/testfile.json
     "weight": 25,
     "range": 1
     },
+"CapabilityBoundingSet_CAP_BPF":
+    {"description_good": "Service may load BPF programs",
+    "description_bad": "Service may not load BPF programs",
+    "weight": 25,
+    "range": 1
+    },
 "UMask":
     {"weight": 100,
     "range": 10