In some cases an offline analysis should ignore some fields, for example
a portable service in an image will never list RootImage/RootDirectory, as
they are added at runtime, and thus can be skipped.
normalized to the 1…100 range, and used to determine the overall exposure level of the unit.
By allowing users to manipulate these fields, the 'security' verb gives them the option to
decide for themself which ids are more important and hence should have a greater effect on
- the exposure level.</para>
+ the exposure level. A weight of <literal>0</literal> means the setting will not be
+ checked.</para>
<programlisting>
{
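Review bot: the added sentence "A weight of 0 means the setting will not be checked" does not tell the reader how an excluded setting appears in the report or that it no longer contributes to the exposure level. Since a policy file can now switch individual checks off, the documentation should say that an excluded setting is reported with the description "Option excluded by policy, skipping", and that an exposure level computed under such a policy is not comparable with one computed under the default weights. A short mention of the intended use from the commit message (fields such as RootImage/RootDirectory that only exist at runtime) would help readers judge when 0 is appropriate.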
d = strdup("Service runs in special boot phase, option is not appropriate");
if (!d)
return log_oom();
+ } else if (weight == 0) {
+ badness = UINT64_MAX;
+ d = strdup("Option excluded by policy, skipping");
+ if (!d)
+ return log_oom();
} else {
r = a->assess(a, info, data, &badness, &d);
if (r < 0)
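Review bot: in the new "else if (weight == 0)" branch, zero is treated as an explicit request to skip the check, so it matters that a policy entry whose "weight" key is absent or fails to parse cannot reach this point as 0. Otherwise a malformed policy silently drops an assessment and lowers the reported exposure. Please confirm that the parsing side distinguishes "not set" from "set to 0", or track the exclusion with a separate flag rather than overloading the weight value. The assignment "badness = UINT64_MAX" would also benefit from a one-line comment saying it marks the option as skipped, and the strdup()/log_oom() pair is now repeated in two adjacent branches and could be shared.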
cat <<EOF >/tmp/testfile.json
{"UserOrDynamicUser":
{"description_bad": "Service runs as root user",
- "weight": 2000,
+ "weight": 0,
"range": 10
},
"SupplementaryGroups":
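Review bot: changing the existing "UserOrDynamicUser" entry from "weight": 2000 to "weight": 0 removes the only visible case of a non-default weight for that setting, and the lines shown here only change the input, not what the test expects. Consider keeping the 2000 case and adding a separate zero-weight entry, then asserting on the result, for example that the output for the excluded setting contains "Option excluded by policy, skipping" and that the overall exposure level is the same as it would be with that setting left out.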