systemd-analyze: use config value in RestrictNamespaces id (#20645)

author Kyle Laker <kyle@laker.email>

Mon, 6 Sep 2021 15:33:16 +0000 (11:33 -0400)

committer GitHub <noreply@github.com>

Mon, 6 Sep 2021 15:33:16 +0000 (17:33 +0200)
author Kyle Laker <kyle@laker.email>
Mon, 6 Sep 2021 15:33:16 +0000 (11:33 -0400)
committer GitHub <noreply@github.com>
Mon, 6 Sep 2021 15:33:16 +0000 (17:33 +0200)
diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml

index fb2a1caa9e5378cf392ada1895766fdcb3061cb5..8e8f776377afcf4774086fed3668c0b38af17760 100644 (file)
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -967,25 +967,25 @@ Service b@0.service not loaded, b.socket cannot be started.
                  <entry>RestrictSUIDSGID</entry>
                </row>
                <row>
-                <entry>RestrictNamespaces_CLONE_NEWUSER</entry>
+                <entry>RestrictNamespaces_user</entry>
                </row>
                <row>
-                <entry>RestrictNamespaces_CLONE_NEWNS</entry>
+                <entry>RestrictNamespaces_mnt</entry>
                </row>
                <row>
-                <entry>RestrictNamespaces_CLONE_NEWIPC</entry>
+                <entry>RestrictNamespaces_ipc</entry>
                </row>
                <row>
-                <entry>RestrictNamespaces_CLONE_NEWPID</entry>
+                <entry>RestrictNamespaces_pid</entry>
                </row>
                <row>
-                <entry>RestrictNamespaces_CLONE_NEWCGROUP</entry>
+                <entry>RestrictNamespaces_cgroup</entry>
                </row>
                <row>
-                <entry>RestrictNamespaces_CLONE_NEWUTS</entry>
+                <entry>RestrictNamespaces_uts</entry>
                </row>
                <row>
-                <entry>RestrictNamespaces_CLONE_NEWNET</entry>
+                <entry>RestrictNamespaces_net</entry>
                </row>
                <row>
                  <entry>RestrictAddressFamilies_AF_INET_INET6</entry>
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c

index 03b63cd1b311c2b61d1486f7ae05938b3851ec06..adb73ab7a99daa8139645031aba7f371591c7dc6 100644 (file)
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -1340,8 +1340,8 @@ static const struct security_assessor security_assessor_table[] = {
                  .offset = offsetof(SecurityInfo, restrict_suid_sgid),
          },
          {
-                .id = "RestrictNamespaces=~CLONE_NEWUSER",
-                .json_field = "RestrictNamespaces_CLONE_NEWUSER",
+                .id = "RestrictNamespaces=~user",
+                .json_field = "RestrictNamespaces_user",
                  .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
                  .description_good = "Service cannot create user namespaces",
                  .description_bad = "Service may create user namespaces",
@@ -1351,8 +1351,8 @@ static const struct security_assessor security_assessor_table[] = {
                  .parameter = CLONE_NEWUSER,
          },
          {
-                .id = "RestrictNamespaces=~CLONE_NEWNS",
-                .json_field = "RestrictNamespaces_CLONE_NEWNS",
+                .id = "RestrictNamespaces=~mnt",
+                .json_field = "RestrictNamespaces_mnt",
                  .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
                  .description_good = "Service cannot create file system namespaces",
                  .description_bad = "Service may create file system namespaces",
@@ -1362,8 +1362,8 @@ static const struct security_assessor security_assessor_table[] = {
                  .parameter = CLONE_NEWNS,
          },
          {
-                .id = "RestrictNamespaces=~CLONE_NEWIPC",
-                .json_field = "RestrictNamespaces_CLONE_NEWIPC",
+                .id = "RestrictNamespaces=~ipc",
+                .json_field = "RestrictNamespaces_ipc",
                  .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
                  .description_good = "Service cannot create IPC namespaces",
                  .description_bad = "Service may create IPC namespaces",
@@ -1373,8 +1373,8 @@ static const struct security_assessor security_assessor_table[] = {
                  .parameter = CLONE_NEWIPC,
          },
          {
-                .id = "RestrictNamespaces=~CLONE_NEWPID",
-                .json_field = "RestrictNamespaces_CLONE_NEWPID",
+                .id = "RestrictNamespaces=~pid",
+                .json_field = "RestrictNamespaces_pid",
                  .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
                  .description_good = "Service cannot create process namespaces",
                  .description_bad = "Service may create process namespaces",
@@ -1384,8 +1384,8 @@ static const struct security_assessor security_assessor_table[] = {
                  .parameter = CLONE_NEWPID,
          },
          {
-                .id = "RestrictNamespaces=~CLONE_NEWCGROUP",
-                .json_field = "RestrictNamespaces_CLONE_NEWCGROUP",
+                .id = "RestrictNamespaces=~cgroup",
+                .json_field = "RestrictNamespaces_cgroup",
                  .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
                  .description_good = "Service cannot create cgroup namespaces",
                  .description_bad = "Service may create cgroup namespaces",
@@ -1395,8 +1395,8 @@ static const struct security_assessor security_assessor_table[] = {
                  .parameter = CLONE_NEWCGROUP,
          },
          {
-                .id = "RestrictNamespaces=~CLONE_NEWNET",
-                .json_field = "RestrictNamespaces_CLONE_NEWNET",
+                .id = "RestrictNamespaces=~net",
+                .json_field = "RestrictNamespaces_net",
                  .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
                  .description_good = "Service cannot create network namespaces",
                  .description_bad = "Service may create network namespaces",
@@ -1406,8 +1406,8 @@ static const struct security_assessor security_assessor_table[] = {
                  .parameter = CLONE_NEWNET,
          },
          {
-                .id = "RestrictNamespaces=~CLONE_NEWUTS",
-                .json_field = "RestrictNamespaces_CLONE_NEWUTS",
+                .id = "RestrictNamespaces=~uts",
+                .json_field = "RestrictNamespaces_uts",
                  .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
                  .description_good = "Service cannot create hostname namespaces",
                  .description_bad = "Service may create hostname namespaces",
diff --git a/test/units/testsuite-63.sh b/test/units/testsuite-63.sh

index 4474cc3a2a56ca65647f57368e51cfa420ec252e..6899c66ae6397276b40e820f6454cb0d04a7d20d 100755 (executable)
--- a/test/units/testsuite-63.sh
+++ b/test/units/testsuite-63.sh
@@ -412,43 +412,43 @@ cat <<EOF >/tmp/testfile.json
      "weight": 1000,
      "range": 1
      },
-"RestrictNamespaces_CLONE_NEWUSER":
+"RestrictNamespaces_user":
      {"description_good": "Servicecannotcreateusernamespaces",
      "description_bad": "Servicemaycreateusernamespaces",
      "weight": 1500,
      "range": 1
      },
-"RestrictNamespaces_CLONE_NEWNS":
+"RestrictNamespaces_mnt":
      {"description_good": "Service cannot create file system namespaces",
      "description_bad": "Service may create file system namespaces",
      "weight": 500,
      "range": 1
      },
-"RestrictNamespaces_CLONE_NEWIPC":
+"RestrictNamespaces_ipc":
      {"description_good": "Service cannot create IPC namespaces",
      "description_bad": "Service may create IPC namespaces",
      "weight": 500,
      "range": 1
      },
-"RestrictNamespaces_CLONE_NEWPID":
+"RestrictNamespaces_pid":
      {"description_good": "Service cannot create process namespaces",
      "description_bad": "Service may create process namespaces",
      "weight": 500,
      "range": 1
      },
-"RestrictNamespaces_CLONE_NEWCGROUP":
+"RestrictNamespaces_cgroup":
      {"description_good": "Service cannot create cgroup namespaces",
      "description_bad": "Service may create cgroup namespaces",
      "weight": 500,
      "range": 1
      },
-"RestrictNamespaces_CLONE_NEWNET":
+"RestrictNamespaces_net":
      {"description_good": "Service cannot create network namespaces",
      "description_bad": "Service may create network namespaces",
      "weight": 500,
      "range": 1
      },
-"RestrictNamespaces_CLONE_NEWUTS":
+"RestrictNamespaces_uts":
      {"description_good": "Service cannot create hostname namespaces",
      "description_bad": "Service may create hostname namespaces",
      "weight": 100,
author	Kyle Laker <kyle@laker.email>
	Mon, 6 Sep 2021 15:33:16 +0000 (11:33 -0400)
committer	GitHub <noreply@github.com>
	Mon, 6 Sep 2021 15:33:16 +0000 (17:33 +0200)
man/systemd-analyze.xml		patch \| blob \| blame \| history
src/analyze/analyze-security.c		patch \| blob \| blame \| history
test/units/testsuite-63.sh		patch \| blob \| blame \| history