From 4f7a629e6c11fb2f060f18a62d073410ffa5a0ca Mon Sep 17 00:00:00 2001 From: Peter Hutterer Date: Tue, 3 May 2022 14:24:42 +1000 Subject: [PATCH] analyze: handle CAP_BPF support --- man/systemd-analyze.xml | 3 +++ src/analyze/analyze-security.c | 11 +++++++++++ test/units/testsuite-65.sh | 6 ++++++ 3 files changed, 20 insertions(+) diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 5b7f22c87c3..1ea16372fc6 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -1261,6 +1261,9 @@ NR NAME SHA256 CapabilityBoundingSet_CAP_SYS_TTY_CONFIG + + CapabilityBoundingSet_CAP_BPF + UMask diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c index 730f07092eb..2745100f5d9 100644 --- a/src/analyze/analyze-security.c +++ b/src/analyze/analyze-security.c @@ -1249,6 +1249,17 @@ static const struct security_assessor security_assessor_table[] = { .assess = assess_capability_bounding_set, .parameter = (UINT64_C(1) << CAP_SYS_PACCT), }, + { + .id = "CapabilityBoundingSet=~CAP_BPF", + .json_field = "CapabilityBoundingSet_CAP_BPF", + .description_good = "Service may load BPF programs", + .description_bad = "Service may not load BPF programs", + .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=", + .weight = 25, + .range = 1, + .assess = assess_capability_bounding_set, + .parameter = (UINT64_C(1) << CAP_BPF), + }, { .id = "UMask=", .json_field = "UMask", diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh index d76eb1a2eb7..ae8cd98a4eb 100755 --- a/test/units/testsuite-65.sh +++ b/test/units/testsuite-65.sh @@ -563,6 +563,12 @@ cat </tmp/testfile.json "weight": 25, "range": 1 }, +"CapabilityBoundingSet_CAP_BPF": + {"description_good": "Service may load BPF programs", + "description_bad": "Service may not load BPF programs", + "weight": 25, + "range": 1 + }, "UMask": {"weight": 100, "range": 10 -- 2.47.3
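Review bot: The good/bad descriptions in the new CAP_BPF table entry are swapped: the assessor id is `CapabilityBoundingSet=~CAP_BPF`, so the good outcome is the capability being masked out of the bounding set, yet `.description_good` reads "Service may load BPF programs". They should be `.description_good = "Service may not load BPF programs",` and `.description_bad = "Service may load BPF programs",`, matching the cannot/may orientation of the other capability entries in this table. The expected JSON added to test/units/testsuite-65.sh encodes the same inverted strings and needs the identical swap, otherwise the test will lock in the wrong wording. CAP_BPF only appears in linux/capability.h from kernel 5.8, so if the build must still work against older headers, confirm a fallback definition is in scope (systemd normally keeps these in missing_capability.h) or `UINT64_C(1) << CAP_BPF` will not compile. The security_assessor_table definition starts and ends outside this hunk.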