2 # SPDX-License-Identifier: LGPL-2.1-or-later
3 # shellcheck disable=SC2016
# Exercise the exit status of systemd-analyze verify, security and inspect-elf
# against unit files and a --security-policy= JSON that the script itself
# writes under /tmp and /tmp/img. Invocations that must fail carry a trailing
# '&& { echo 'unexpected success'; exit 1; }' so that a zero exit status aborts
# the test; invocations without that tail are expected to exit zero.
# NOTE(review): this listing is split at path separators and omits many source
# lines (heredoc bodies and EOF terminators, most weight/range entries of the
# JSON policy), so it is not runnable as reproduced — treat it as a reading
# copy of the test.
# Raise the log level for the duration of the test; it is set back to info at
# the very end.
6 systemd-analyze log-level debug
7 export SYSTEMD_LOG_LEVEL
=debug
# Build a minimal root image under /tmp/img: a system unit directory plus an
# executable /opt/script0.sh for the first unit to reference.
9 mkdir
-p /tmp
/img
/usr
/lib
/systemd
/system
/
10 mkdir
-p /tmp
/img
/opt
/
12 touch /tmp
/img
/opt
/script0.sh
13 chmod +x
/tmp
/img
/opt
/script0.sh
# First unit, written into the image's system unit directory (heredoc body
# only partially shown in this listing).
15 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
17 ExecStart = /opt/script0.sh
21 # Default behaviour is to recurse through all dependencies when unit is loaded
# The trailing '&& { ...; exit 1; }' turns a zero exit status into a test
# failure: this invocation is required to fail.
22 systemd-analyze verify
--root=/tmp
/img
/ testfile.service \
23 && { echo 'unexpected success'; exit 1; }
25 # As above, recurses through all dependencies when unit is loaded
26 systemd-analyze verify
--recursive-errors=yes --root=/tmp
/img
/ testfile.service \
27 && { echo 'unexpected success'; exit 1; }
29 # Recurses through unit file and its direct dependencies when unit is loaded
30 systemd-analyze verify
--recursive-errors=one
--root=/tmp
/img
/ testfile.service \
31 && { echo 'unexpected success'; exit 1; }
35 # Zero exit status since dependencies are ignored when unit is loaded
36 systemd-analyze verify
--recursive-errors=no
--root=/tmp
/img
/ testfile.service
# Remove the image unit before the next scenario.
38 rm /tmp
/img
/usr
/lib
/systemd
/system
/testfile.service
# Two units directly under /tmp: testfile2.service Requires= testfile.service
# (heredoc bodies only partially shown in this listing).
40 cat <<EOF >/tmp/testfile.service
45 ExecStart = echo hello
48 cat <<EOF >/tmp/testfile2.service
50 Requires = testfile.service
53 ExecStart = echo hello
56 # Zero exit status since no additional dependencies are recursively loaded when the unit file is loaded
57 systemd-analyze verify
--recursive-errors=no
/tmp
/testfile2.service
60 # Non-zero exit status since all associated dependencies are recursively loaded when the unit file is loaded
61 systemd-analyze verify
--recursive-errors=yes /tmp
/testfile2.service \
62 && { echo 'unexpected success'; exit 1; }
65 rm /tmp
/testfile.service
66 rm /tmp
/testfile2.service
# Fresh testfile.service in /tmp, reused by the hidden-file, alias and
# security checks below (heredoc body only partially shown).
68 cat <<EOF >/tmp/testfile.service
70 ExecStart = echo hello
73 # Prevent regression from #13380 and #20859 where hidden unit files could not be verified
74 cp /tmp
/testfile.service
/tmp
/.testfile.service
76 systemd-analyze verify
/tmp
/.testfile.service
78 rm /tmp
/.testfile.service
80 # Alias a unit file's name on disk (see #20061)
81 cp /tmp
/testfile.service
/tmp
/testsrvc
# A copy whose name carries no unit-type suffix must be rejected...
83 systemd-analyze verify
/tmp
/testsrvc \
84 && { echo 'unexpected success'; exit 1; }
# ...while the same file given in the PATH:ALIAS.service form is expected to
# verify (see the #20061 reference above).
86 systemd-analyze verify
/tmp
/testsrvc
:alias.service
88 # Zero exit status since the threshold the exposure level is compared against is 100 by default
89 systemd-analyze security
--offline=true
/tmp
/testfile.service
92 # The overall exposure level assigned to the unit is greater than the set threshold, so a non-zero exit status is required
93 systemd-analyze security
--threshold=90 --offline=true
/tmp
/testfile.service \
94 && { echo 'unexpected success'; exit 1; }
97 rm /tmp
/testfile.service
# Replace the image unit with the one used for the --root= security checks
# (heredoc body only partially shown in this listing).
99 cat <<EOF >/tmp/img/usr/lib/systemd/system/testfile.service
101 ExecStart = echo hello
107 # The new overall exposure level assigned to the unit is less than the set threshold
108 # Verifies that the --offline= option works with --root=
109 systemd-analyze security
--threshold=90 --offline=true
--root=/tmp
/img
/ testfile.service
111 # Added an additional "INVALID_ID" id to the .json to verify that nothing breaks when input is malformed
112 # The PrivateNetwork id description and weight was changed to verify that 'security' is actually reading in
113 # values from the .json file when required. The default weight for "PrivateNetwork" is 2500, and the new weight
114 # assigned to that id in the .json file is 6000. This increased weight means that when the "PrivateNetwork" key is
115 # set to 'yes' (as above in the case of testfile.service) in the content of the unit file, the overall exposure
116 # level for the unit file should decrease to account for that increased weight.
# NOTE(review): only the description strings of the policy are visible in this
# listing; the weight/range entries and the "INVALID_ID" entry mentioned above
# are not shown.
117 cat <<EOF >/tmp/testfile.json
118 {"UserOrDynamicUser":
119 {"description_bad": "Service runs as root user",
123 "SupplementaryGroups":
124 {"description_good": "Service has no supplementary groups",
125 "description_bad": "Service runs with supplementary groups",
126 "description_na": "Service runs as root, option does not matter",
131 {"description_good": "Service has no access to hardware devices",
132 "description_bad": "Service potentially has access to hardware devices",
137 {"description_good": "Service cannot install system mounts",
138 "description_bad": "Service may install system mounts",
143 {"description_good": "Service doesn't have access to the host's network",
144 "description_bad": "Service has access to the host's network",
149 {"description_good": "Service has no access to other software's temporary files",
150 "description_bad": "Service has access to other software's temporary files",
155 {"description_good": "Service does not have access to other users",
156 "description_bad": "Service has access to other users",
160 "ProtectControlGroups":
161 {"description_good": "Service cannot modify the control group file system",
162 "description_bad": "Service may modify the control group file system",
166 "ProtectKernelModules":
167 {"description_good": "Service cannot load or read kernel modules",
168 "description_bad": "Service may load or read kernel modules",
172 "ProtectKernelTunables":
173 {"description_good": "Service cannot alter kernel tunables (/proc/sys, …)",
174 "description_bad": "Service may alter kernel tunables",
179 {"description_good": "Service cannot read from or write to the kernel log ring buffer",
180 "description_bad": "Service may read from or write to the kernel log ring buffer",
185 {"description_good": "Service cannot write to the hardware clock or system clock",
186 "description_bad": "Service may write to the hardware clock or system clock",
195 {"description_good": "Service cannot change system host/domainname",
196 "description_bad": "Service may change system host/domainname",
204 "RootDirectoryOrRootImage":
205 {"description_good": "Service has its own root directory/image",
206 "description_bad": "Service runs within the host's root directory",
211 {"description_good": "Service cannot change ABI personality",
212 "description_bad": "Service may change ABI personality",
216 "MemoryDenyWriteExecute":
217 {"description_good": "Service cannot create writable executable memory mappings",
218 "description_bad": "Service may create writable executable memory mappings",
223 {"description_good": "Service processes cannot acquire new privileges",
224 "description_bad": "Service processes may acquire new privileges",
228 "CapabilityBoundingSet_CAP_SYS_ADMIN":
229 {"description_good": "Service has no administrator privileges",
230 "description_bad": "Service has administrator privileges",
234 "CapabilityBoundingSet_CAP_SET_UID_GID_PCAP":
235 {"description_good": "Service cannot change UID/GID identities/capabilities",
236 "description_bad": "Service may change UID/GID identities/capabilities",
240 "CapabilityBoundingSet_CAP_SYS_PTRACE":
241 {"description_good": "Service has no ptrace() debugging abilities",
242 "description_bad": "Service has ptrace() debugging abilities",
246 "CapabilityBoundingSet_CAP_SYS_TIME":
247 {"description_good": "Service processes cannot change the system clock",
248 "description_bad": "Service processes may change the system clock",
252 "CapabilityBoundingSet_CAP_NET_ADMIN":
253 {"description_good": "Service has no network configuration privileges",
254 "description_bad": "Service has network configuration privileges",
258 "CapabilityBoundingSet_CAP_SYS_RAWIO":
259 {"description_good": "Service has no raw I/O access",
260 "description_bad": "Service has raw I/O access",
264 "CapabilityBoundingSet_CAP_SYS_MODULE":
265 {"description_good": "Service cannot load kernel modules",
266 "description_bad": "Service may load kernel modules",
270 "CapabilityBoundingSet_CAP_AUDIT":
271 {"description_good": "Service has no audit subsystem access",
272 "description_bad": "Service has audit subsystem access",
276 "CapabilityBoundingSet_CAP_SYSLOG":
277 {"description_good": "Service has no access to kernel logging",
278 "description_bad": "Service has access to kernel logging",
282 "CapabilityBoundingSet_CAP_SYS_NICE_RESOURCE":
283 {"description_good": "Service has no privileges to change resource use parameters",
284 "description_bad": "Service has privileges to change resource use parameters",
288 "CapabilityBoundingSet_CAP_MKNOD":
289 {"description_good": "Service cannot create device nodes",
290 "description_bad": "Service may create device nodes",
294 "CapabilityBoundingSet_CAP_CHOWN_FSETID_SETFCAP":
295 {"description_good": "Service cannot change file ownership/access mode/capabilities",
296 "description_bad": "Service may change file ownership/access mode/capabilities unrestricted",
300 "CapabilityBoundingSet_CAP_DAC_FOWNER_IPC_OWNER":
301 {"description_good": "Service cannot override UNIX file/IPC permission checks",
302 "description_bad": "Service may override UNIX file/IPC permission checks",
306 "CapabilityBoundingSet_CAP_KILL":
307 {"description_good": "Service cannot send UNIX signals to arbitrary processes",
308 "description_bad": "Service may send UNIX signals to arbitrary processes",
312 "CapabilityBoundingSet_CAP_NET_BIND_SERVICE_BROADCAST_RAW":
313 {"description_good": "Service has no elevated networking privileges",
314 "description_bad": "Service has elevated networking privileges",
318 "CapabilityBoundingSet_CAP_SYS_BOOT":
319 {"description_good": "Service cannot issue reboot()",
320 "description_bad": "Service may issue reboot()",
324 "CapabilityBoundingSet_CAP_MAC":
325 {"description_good": "Service cannot adjust SMACK MAC",
326 "description_bad": "Service may adjust SMACK MAC",
330 "CapabilityBoundingSet_CAP_LINUX_IMMUTABLE":
331 {"description_good": "Service cannot mark files immutable",
332 "description_bad": "Service may mark files immutable",
336 "CapabilityBoundingSet_CAP_IPC_LOCK":
337 {"description_good": "Service cannot lock memory into RAM",
338 "description_bad": "Service may lock memory into RAM",
342 "CapabilityBoundingSet_CAP_SYS_CHROOT":
343 {"description_good": "Service cannot issue chroot()",
344 "description_bad": "Service may issue chroot()",
348 "CapabilityBoundingSet_CAP_BLOCK_SUSPEND":
349 {"description_good": "Service cannot establish wake locks",
350 "description_bad": "Service may establish wake locks",
354 "CapabilityBoundingSet_CAP_WAKE_ALARM":
355 {"description_good": "Service cannot program timers that wake up the system",
356 "description_bad": "Service may program timers that wake up the system",
360 "CapabilityBoundingSet_CAP_LEASE":
361 {"description_good": "Service cannot create file leases",
362 "description_bad": "Service may create file leases",
366 "CapabilityBoundingSet_CAP_SYS_TTY_CONFIG":
367 {"description_good": "Service cannot issue vhangup()",
368 "description_bad": "Service may issue vhangup()",
372 "CapabilityBoundingSet_CAP_SYS_PACCT":
373 {"description_good": "Service cannot use acct()",
374 "description_bad": "Service may use acct()",
383 {"description_good": "Service doesn't share key material with other services",
384 "description_bad": "Service shares key material with other service",
389 {"description_good": "Service has restricted access to process tree(/proc hidepid=)",
390 "description_bad": "Service has full access to process tree(/proc hidepid=)",
395 {"description_good": "Service has no access to non-process/proc files(/proc subset=)",
396 "description_bad": "Service has full access to non-process/proc files(/proc subset=)",
401 {"description_good": "Service child processes cannot alter service state",
402 "description_bad": "Service child processes may alter service state",
407 {"description_good": "Service user cannot leave SysV IPC objects around",
408 "description_bad": "Service user may leave SysV IPC objects around",
409 "description_na": "Service runs as root, option does not apply",
414 {"description_good": "Service does not maintain its own delegated control group subtree",
415 "description_bad": "Service maintains its own delegated control group subtree",
420 {"description_good": "Service realtime scheduling access is restricted",
421 "description_bad": "Service may acquire realtime scheduling",
426 {"description_good": "SUID/SGIDfilecreationbyserviceisrestricted",
427 "description_bad": "ServicemaycreateSUID/SGIDfiles",
431 "RestrictNamespaces_user":
432 {"description_good": "Servicecannotcreateusernamespaces",
433 "description_bad": "Servicemaycreateusernamespaces",
437 "RestrictNamespaces_mnt":
438 {"description_good": "Service cannot create file system namespaces",
439 "description_bad": "Service may create file system namespaces",
443 "RestrictNamespaces_ipc":
444 {"description_good": "Service cannot create IPC namespaces",
445 "description_bad": "Service may create IPC namespaces",
449 "RestrictNamespaces_pid":
450 {"description_good": "Service cannot create process namespaces",
451 "description_bad": "Service may create process namespaces",
455 "RestrictNamespaces_cgroup":
456 {"description_good": "Service cannot create cgroup namespaces",
457 "description_bad": "Service may create cgroup namespaces",
461 "RestrictNamespaces_net":
462 {"description_good": "Service cannot create network namespaces",
463 "description_bad": "Service may create network namespaces",
467 "RestrictNamespaces_uts":
468 {"description_good": "Service cannot create hostname namespaces",
469 "description_bad": "Service may create hostname namespaces",
473 "RestrictAddressFamilies_AF_INET_INET6":
474 {"description_good": "Service cannot allocate Internet sockets",
475 "description_bad": "Service may allocate Internet sockets",
479 "RestrictAddressFamilies_AF_UNIX":
480 {"description_good": "Service cannot allocate local sockets",
481 "description_bad": "Service may allocate local sockets",
485 "RestrictAddressFamilies_AF_NETLINK":
486 {"description_good": "Service cannot allocate netlink sockets",
487 "description_bad": "Service may allocate netlink sockets",
491 "RestrictAddressFamilies_AF_PACKET":
492 {"description_good": "Service cannot allocate packet sockets",
493 "description_bad": "Service may allocate packet sockets",
497 "RestrictAddressFamilies_OTHER":
498 {"description_good": "Service cannot allocate exotic sockets",
499 "description_bad": "Service may allocate exotic sockets",
503 "SystemCallArchitectures":
507 "SystemCallFilter_swap":
511 "SystemCallFilter_obsolete":
515 "SystemCallFilter_clock":
519 "SystemCallFilter_cpu_emulation":
523 "SystemCallFilter_debug":
527 "SystemCallFilter_mount":
531 "SystemCallFilter_module":
535 "SystemCallFilter_raw_io":
539 "SystemCallFilter_reboot":
543 "SystemCallFilter_privileged":
547 "SystemCallFilter_resources":
559 "AmbientCapabilities":
560 {"description_good": "Service process does not receive ambient capabilities",
561 "description_bad": "Service process receives ambient capabilities",
572 # Reads in custom security requirements from the parsed .json file and uses these for comparison
573 systemd-analyze security
--threshold=90 --offline=true \
574 --security-policy=/tmp
/testfile.json \
575 --root=/tmp
/img
/ testfile.service
577 # The strict profile adds a lot of sandboxing options
# NOTE(review): the --profile= argument selecting the strict profile is not
# visible in this listing (it sits between the policy and --root= lines).
578 systemd-analyze security
--threshold=20 --offline=true \
579 --security-policy=/tmp
/testfile.json \
581 --root=/tmp
/img
/ testfile.service
584 # The trusted profile doesn't add any sandboxing options
585 systemd-analyze security
--threshold=20 --offline=true \
586 --security-policy=/tmp
/testfile.json \
587 --profile=/usr
/lib
/systemd
/portable
/profile
/trusted
/service.conf \
588 --root=/tmp
/img
/ testfile.service \
589 && { echo 'unexpected success'; exit 1; }
# No profile and a threshold of 50: the unit's exposure is expected to exceed
# it, so this invocation is required to fail.
591 systemd-analyze security
--threshold=50 --offline=true \
592 --security-policy=/tmp
/testfile.json \
593 --root=/tmp
/img
/ testfile.service \
594 && { echo 'unexpected success'; exit 1; }
# Clean up the image unit.
597 rm /tmp
/img
/usr
/lib
/systemd
/system
/testfile.service
# inspect-elf needs elfutils support: gate on the "+ELFUTILS" feature string
# of --version, then check that the short JSON output reports the systemd
# binary as an executable ELF object.
599 if systemd-analyze
--version |
grep -q -F "+ELFUTILS"; then
600 systemd-analyze inspect-elf
--json=short
/lib
/systemd
/systemd |
grep -q -F '"elfType":"executable"'
# Revert the debug log level set at the top of the test.
603 systemd-analyze log-level info