From: Peter Hutterer
Date: Tue, 3 May 2022 04:24:42 +0000 (+1000)
Subject: analyze: handle CAP_BPF support
X-Git-Tag: v255-rc1~73
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4f7a629e6c11fb2f060f18a62d073410ffa5a0ca;p=thirdparty%2Fsystemd.git

analyze: handle CAP_BPF support
---

diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml
index 5b7f22c87c3..1ea16372fc6 100644
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -1261,6 +1261,9 @@ NR NAME SHA256 CapabilityBoundingSet_CAP_SYS_TTY_CONFIG + + CapabilityBoundingSet_CAP_BPF + UMask
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 730f07092eb..2745100f5d9 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -1249,6 +1249,17 @@ static const struct security_assessor security_assessor_table[] = {
 .assess = assess_capability_bounding_set,
 .parameter = (UINT64_C(1) << CAP_SYS_PACCT),
 },
+ {
+ .id = "CapabilityBoundingSet=~CAP_BPF",
+ .json_field = "CapabilityBoundingSet_CAP_BPF",
+ .description_good = "Service may load BPF programs",
+ .description_bad = "Service may not load BPF programs",
+ .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
+ .weight = 25,
+ .range = 1,
+ .assess = assess_capability_bounding_set,
+ .parameter = (UINT64_C(1) << CAP_BPF),
+ },
 {
 .id = "UMask=",
 .json_field = "UMask",
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index d76eb1a2eb7..ae8cd98a4eb 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -563,6 +563,12 @@ cat </tmp/testfile.json
 "weight": 25,
 "range": 1
 },
+"CapabilityBoundingSet_CAP_BPF":
+ {"description_good": "Service may load BPF programs",
+ "description_bad": "Service may not load BPF programs",
+ "weight": 25,
+ "range": 1
+ },
 "UMask":
 {"weight": 100,
 "range": 10
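Review bot: The description_good and description_bad strings of the new CAP_BPF entry in src/analyze/analyze-security.c look inverted relative to the entry's own id: `CapabilityBoundingSet=~CAP_BPF` names the state in which CAP_BPF is removed from the bounding set, which is the outcome this assessor rewards, yet description_good says the service may load BPF programs. If assess_capability_bounding_set follows the same convention as the sibling entries (capability absent scores as good), the two strings should be swapped to `.description_good = "Service may not load BPF programs",` and `.description_bad = "Service may load BPF programs",`. The expected-output fixture added in test/units/testsuite-65.sh mirrors the same two strings and would need the same swap, otherwise the test pins the inverted wording. The sibling entries' description strings lie outside the hunk, so this is inferred from the id naming rather than from visible text. Separately, the hunk does not show where `CAP_BPF` comes from; if the project does not already carry a fallback definition for kernel headers that predate it, the `(UINT64_C(1) << CAP_BPF)` initializer will fail to compile there.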