Maanya Goenka [Mon, 23 Aug 2021 21:21:50 +0000 (14:21 -0700)]
systemd-analyze: allow parsing of JSON file to obtain custom security requirements for comparison
The 'security' verb of systemd-analyze needs to be able to parse JSON files to be able to read in
the user-defined requirements and use them to determine the overall exposure level of the specified unit
file(s). The JSON files are expected to have a specific format where the keys in the file are the
unit ids consisting of only alphanumeric characters and underscores and the values are JSON objects
again consisting of key value pairs. The keys in these objects may include one or more of the following
properties: description_na, description_good, description_bad, weight, and range. The first three of these
are expected to be strings and the latter two are expected to be unsigned integer values. If one or more
of these properties is missing from the JSON object, then the default values of the properties as specified
in the hard coded set of security directives is used. The other properties that assess() needs to determine
overall exposure levels for a unit file for example, the assess function and parameter type among others,
are not to be included in the JSON files defined by the user because the values assigned to these fields
are expected to be consistent across unit files for each id.
Maanya Goenka [Mon, 23 Aug 2021 21:20:10 +0000 (14:20 -0700)]
systemd-analyze: add new 'security' option to allow user to choose custom requirements
A new option --security-policy= is added to work with the 'security' verb in order to enable
users to create and pass in a JSON file consisting of user defined requirements
against which to compare the specified unit file(s). These requirements then serve
as the measure of security threats for the file instead of the initial hard coded set of
requirements that the 'security' verb of systemd-analyze relied on.
Example Run:
A snapshot of the user defined testfile.json file is shown below instead of the complete file
for readability purposes.
{
"PrivateDevices":
{"description_good": "Service has no access to hardware devices",
"description_bad": "Service potentially has access to hardware devices",
"weight": 1000,
"range": 1
},
"PrivateMounts":
{"description_good": "Service cannot install system mounts",
"description_bad": "Service may install system mounts",
"weight": 1000,
"range": 1
},
"PrivateNetwork":
{"description_good": "Service has no access to the host's network",
"description_bad": "Service has access to the host's network",
"weight": 2500,
"range": 1
},
"PrivateTmp":
{"description_good": "Service has no access to other software's temporary files",
"description_bad": "Service has access to other software's temporary files",
"weight": 1000,
"range": 1
},
"PrivateUsers":
{"description_good": "Service does not have access to other users",
"description_bad": "Service has access to other users",
"weight": 1000,
"range": 1
}
}
1. I created the jsontest.service file in order to test the --security-policy= option as follows:
The security analysis table outputted below has been truncated to include only the first few lines for readability.
maanya-goenka@debian:~/systemd (custom-security)$ sudo build/systemd-analyze security --root= --offline=true
--security-policy=src/analyze/testfile.json jsontest.service
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
NAME DESCRIPTION
✓ PrivateNetwork Service has no access to the host's network
✗ UserOrDynamicUser Service runs as root user
✗ CapabilityBoundingSet_CAP_SET_UID_GID_PCAP Service may change UID/GID identities/capabilities
✓ PrivateMounts Service cannot install system mounts
✓ PrivateDevices Service has no access to hardware devices
→ Overall exposure level for jsontest.service: 8.3 EXPOSED 🙁
2. In order to ensure that the JSON data was actually being correctly parsed, I made some changes to the JSON
file, specifically to the id "PrivateNetwork" as follows:
Before:
--------
"PrivateNetwork":
{"description_good": "Service has no access to the host's network",
"description_bad": "Service has access to the host's network",
"weight": 2500,
"range": 1
}
After:
--------
"PrivateNetwork":
{"description_good": "Service runs without access to host network",
"description_bad": "Service has access to the host's network",
"weight": 6000,
"range": 1
}
As expected, the new description for the description_good field of the Private Network id was updated in
the analysis table outputted below and the overall exposure level of the unit file decreased because
the weight assigned to 'Private Network' (which is set to yes) increased from 2500 to 6000.
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
NAME DESCRIPTION
✓ PrivateNetwork Service runs without access to the host's network
✗ UserOrDynamicUser Service runs as root user
✗ CapabilityBoundingSet_CAP_SET_UID_GID_PCAP Service may change UID/GID identities/capabilities
✓ PrivateMounts Service cannot install system mounts
✓ PrivateDevices Service has no access to hardware devices
→ Overall exposure level for jsontest.service: 7.8 EXPOSED 🙁
3. When paired with security's --threshold= option, systemd-analyze exits with a non-zero error status indicating
that the overall exposure level for the unit file (=78) is greater than the set threshold (=70). The same
jsontest.service file is used for the demo run below:
/usr/lib/systemd/system/plymouth-start.service:15: Unit configured to use KillMode=none. This is unsafe, as it disables systemd's
process lifecycle management for the service. Please update your service to use a safer KillMode=, such as 'mixed' or 'control-group'.
Support for KillMode=none is deprecated and will eventually be removed.
/usr/lib/systemd/system/gdm.service:30: Standard output type syslog is obsolete, automatically updating to journal. Please update your
unit file, and consider removing the setting altogether.
/usr/lib/systemd/system/dbus.socket:5: ListenStream= references a path below legacy directory /var/run/, updating
/var/run/dbus/system_bus_socket → /run/dbus/system_bus_socket; please update the unit file accordingly.
NAME DESCRIPTION
✓ PrivateNetwork Service runs without access to host network
✗ UserOrDynamicUser Service runs as root user
✗ CapabilityBoundingSet_CAP_SET_UID_GID_PCAP Service may change UID/GID identities/capabilities
✓ PrivateMounts Service cannot install system mounts
✓ PrivateDevices Service has no access to hardware devices
→ Overall exposure level for jsontest.service: 7.8 EXPOSED 🙁
Peter Hutterer [Tue, 31 Aug 2021 05:20:12 +0000 (15:20 +1000)]
tmpfiles.d: remove .Test-unix, it's obsolete
See libxtrans commit 0794b1b712a90b40e2b019c9edc6f96874493c52. The code
to generate this socket was removed 5 years ago and even before it was
conditional on #define TEST_t. There is no reference to that #define in
either the X server nor libX11's git history, or in any of the current
libX*.
Kristian Klausen [Mon, 30 Aug 2021 07:55:41 +0000 (09:55 +0200)]
gpt-auto-generator: Use volatile-root by default and automatic logic as fallback
Previously volatile-root was only checked if "/" wasn't backed by a
block device, but the block device isn't necessarily original root block
device (ex: if the rootfs is copied to a ext4 fs backed by zram in the
initramfs), so we always want volatile-root checked.
So shuffle the code around so volatile-root is checked first and
fallback to the automatic logic.
run/mount/systemctl: don't fork off PolicyKit/ask-pw agent when in --user mode
When we are in --user mode there's no point in doing PolicyKit/ask-pw
because both of these systems are only used by system-level services.
Let's disable the two agents for that automaticlly hence.
Yu Watanabe [Tue, 24 Aug 2021 09:11:20 +0000 (18:11 +0900)]
sd-netlink: drop sd_genl_family_t and introduce GenericNetlinkFamily
Kernel manages each genl family by its name, e.g. "nlctrl" or WG_GENL_NAME,
and its ID (used for nlmsg_type) is determined dynamically when the
corresponding module is loaded.
This commit makes sd-netlink follow the same way; now, sd_genl_family_t
is dropped, and sd_genl_message_new() takes a genl family name. Each
genl family is resolved when it is used first time, and its information
is stored in GenericNetlinkFamily.
Yu Watanabe [Tue, 24 Aug 2021 07:10:49 +0000 (16:10 +0900)]
sd-netlink: split type system for nfnl
This makes the root type system for nfnl indexed by subsystem, and
itroduces a next level type system for each subsystem. The second
level type systems are indexed by message types correspond to each
subsystem.
Let's only assign boolean values to a boolean variable.
Unit's condition_result is not of type ConditionResult, slightly
confusingly. Let's hence not assign one of ConditionResult's values to
it, but simple booleans.
This effectively doesn't make a difference, since CONDITION_ERROR is
true when cast to bool. But it's still ugly to rely on that. And
confusing.
Wind/owZ [Sun, 22 Aug 2021 00:19:18 +0000 (03:19 +0300)]
hwdb: Add sensor rule for Hometech Wi101
This commit was done to add sensor rule for Hometech Wi101. Note that this rule might be too general and need fixes. I couldn't test this on any other device since this one is the only one I have.
Daan De Meyer [Fri, 20 Aug 2021 10:02:25 +0000 (11:02 +0100)]
core: Add information on which condition failed to job skipped format string
When a job is skipped, it's useful to know exactly which condition failed so
let's add this information to the error message. Because we now return an
allocated string from job_done_message_format(), make sure we strdup() the
other formats as well so the caller can safely free the string returned by
job_done_message_format().
homed: always align home file systems to 4K boundaries
Let's carefully align all home file systems to 4K sector boundaries.
It's the safest thing to do, to ensure good perfomance on 4K sector
drives, i.e. today's hardware.
Yes, this means we'll waste 3.5K when resizing home dirs, but I think we
can live with that.
This ensures both the offsets where we start and the sizes of the file
systems/partitions/disk images are multiples of 4K always, both when
creating a new image and when resizing things.
Note that previously we aligned everything to 1024, but weren't quite as
careful.
Yu Watanabe [Wed, 25 Aug 2021 18:34:23 +0000 (03:34 +0900)]
udev/net: initialize coalesce tristate variables
Otherwise, 99-default.link may introduce something like the
following warnings:
----
Aug 26 03:23:59 systemd-udevd[519]: wlan0: Could not set coalesce settings, ignoring: Operation not supported
Aug 26 03:24:00 systemd-udevd[547]: wlp59s0: Could not set coalesce settings, ignoring: Operation not supported
----
Daan De Meyer [Tue, 24 Aug 2021 15:46:47 +0000 (16:46 +0100)]
core: Check unit start rate limiting earlier
Fixes #17433. Currently, if any of the validations we do before we
check start rate limiting fail, we can still enter a busy loop as
no rate limiting gets applied. A common occurence of this scenario
is path units triggering a service that fails a condition check.
To fix the issue, we simply move up start rate limiting checks to
be the first thing we do when starting a unit. To achieve this,
we add a new method to the unit vtable and implement it for the
relevant unit types so that we can do the start rate limit checks
earlier on.
The verity partition types are per-architecture already, and they contain the
hash data independently of whether we are on a given architecture. (Or in other
words, we would make *use* this partition on some architecture, but the
contents always *exists*.)
json: rework JSON_BUILD_XYZ() macros to use compound literals instead of compound statements
Compound statements is this stuff: ({ … })
Compound literals is this stuff: (type) { … }
We use compound statements a lot in macro definitions: they have one
drawback though: they define a code block of their own, hence if macro
invocations are nested within them that use compound literals their
lifetime is limited to the code block, which might be unexpected.
Thankfully, we can rework things from compound statements to compund
literals in the case of json.h: they don't open a new codeblack, and
hence do not suffer by the problem explained above.
The interesting thing about compound statements is that they also work
for simple types, not just for structs/unions/arrays. We can use this
here for a typechecked implicit conversion: we want to superficially
typecheck arguments to the json_build() varargs function, and we do that
by assigning the specified arguments to our compound literals, which
does the minimal amount of typechecks and ensures that types are
propagated on correctly.
We need one special tweak for this: sd_id128_t is not a simple type but
a union. Using compound literals for initialzing that would mean
specifiying the components of the union, not a complete sd_id128_t. Our
hack around that: instead of passing the object directly via the stack
we now take a pointer (and thus a simple type) instead.
Nice side-effect of all this: compound literals is C99, while compound
statements are a GCC extension, hence we move closer to standard C.