From: Topi Miettinen
Date: Wed, 27 Feb 2019 13:26:43 +0000 (+0200)
Subject: analyze security: check for ProtectHostname=yes
X-Git-Tag: v242-rc1~235
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=527bd7f1854bce20a308f6ca589e488deeaaf895;p=thirdparty%2Fsystemd.git
analyze security: check for ProtectHostname=yes
---
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index a007ed1da47..9e4cac6e294 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -49,6 +49,7 @@ struct security_info {
 bool memory_deny_write_execute;
 bool no_new_privileges;
 char *notify_access;
+ bool protect_hostname;
 bool private_devices;
 bool private_mounts;
@@ -768,6 +769,16 @@ static const struct security_assessor security_assessor_table[] = {
 .assess = assess_protect_home,
 .default_dependencies_only = true,
 },
+ {
+ .id = "ProtectHostname=",
+ .description_good = "Service cannot change system host/domainname",
+ .description_bad = "Service may change system host/domainname",
+ .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHostname=",
+ .weight = 50,
+ .range = 1,
+ .assess = assess_bool,
+ .offset = offsetof(struct security_info, protect_hostname),
+ },
 {
 .id = "ProtectSystem=",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=",
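Review bot: The new security_assessor_table[] entry scores the unit's configured ProtectHostname= value (read via assess_bool from the protect_hostname field), not whether the protection actually took effect, so the description_good wording `Service cannot change system host/domainname` can overstate what the report has verified. As far as I recall, the systemd.exec manual notes that the setting is ignored where UTS namespaces are unavailable, and that case is indistinguishable from this D-Bus property alone. A short comment above the entry would make the limit clear to readers of the report, e.g. `/* Scored from the unit's configured ProtectHostname= value only; whether the UTS namespace was actually set up at runtime is not checked here. */`. The security_assessor_table[] definition starts and ends outside the hunk.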
@@ -1861,6 +1872,7 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
 { "PrivateUsers", "b", NULL, offsetof(struct security_info, private_users) },
 { "ProtectControlGroups", "b", NULL, offsetof(struct security_info, protect_control_groups) },
 { "ProtectHome", "s", NULL, offsetof(struct security_info, protect_home) },
+ { "ProtectHostname", "b", NULL, offsetof(struct security_info, protect_hostname) },
 { "ProtectKernelModules", "b", NULL, offsetof(struct security_info, protect_kernel_modules) },
 { "ProtectKernelTunables", "b", NULL, offsetof(struct security_info, protect_kernel_tunables) },
 { "ProtectSystem", "s", NULL, offsetof(struct security_info, protect_system) },