analyze-security: check for ProtectProc=/ProcSubset=

author Lennart Poettering <lennart@poettering.net>

Thu, 6 Aug 2020 12:38:43 +0000 (14:38 +0200)

committer Lennart Poettering <lennart@poettering.net>

Mon, 24 Aug 2020 18:11:10 +0000 (20:11 +0200)
author Lennart Poettering <lennart@poettering.net>
Thu, 6 Aug 2020 12:38:43 +0000 (14:38 +0200)
committer Lennart Poettering <lennart@poettering.net>
Mon, 24 Aug 2020 18:11:10 +0000 (20:11 +0200)
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c

index 9a822de879fa1f7f73f3f56408c0fb1a3b9ee767..16ab4f893e129bdd31b0342811a6ebd68657e167 100644 (file)
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -50,6 +50,8 @@ struct security_info {
          bool ip_filters_custom_egress;
  
          char *keyring_mode;
+        char *protect_proc;
+        char *proc_subset;
          bool lock_personality;
          bool memory_deny_write_execute;
          bool no_new_privileges;
@@ -135,6 +137,8 @@ static void security_info_free(struct security_info *i) {
          free(i->root_image);
  
          free(i->keyring_mode);
+        free(i->protect_proc);
+        free(i->proc_subset);
          free(i->notify_access);
  
          free(i->device_policy);
@@ -388,6 +392,44 @@ static int assess_keyring_mode(
          return 0;
  }
  
+static int assess_protect_proc(
+                const struct security_assessor *a,
+                const struct security_info *info,
+                const void *data,
+                uint64_t *ret_badness,
+                char **ret_description) {
+
+        assert(ret_badness);
+        assert(ret_description);
+
+        if (streq_ptr(info->protect_proc, "noaccess"))
+                *ret_badness = 1;
+        else if (STRPTR_IN_SET(info->protect_proc, "invisible", "ptraceable"))
+                *ret_badness = 0;
+        else
+                *ret_badness = 3;
+
+        *ret_description = NULL;
+
+        return 0;
+}
+
+static int assess_proc_subset(
+                const struct security_assessor *a,
+                const struct security_info *info,
+                const void *data,
+                uint64_t *ret_badness,
+                char **ret_description) {
+
+        assert(ret_badness);
+        assert(ret_description);
+
+        *ret_badness = !streq_ptr(info->proc_subset, "pid");
+        *ret_description = NULL;
+
+        return 0;
+}
+
  static int assess_notify_access(
                  const struct security_assessor *a,
                  const struct security_info *info,
@@ -1149,6 +1191,24 @@ static const struct security_assessor security_assessor_table[] = {
                  .range = 1,
                  .assess = assess_keyring_mode,
          },
+        {
+                .id = "ProtectProc=",
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=",
+                .description_good = "Service has restricted access to process tree (/proc hidepid=)",
+                .description_bad = "Service has full access to process tree (/proc hidepid=)",
+                .weight = 1000,
+                .range = 3,
+                .assess = assess_protect_proc,
+        },
+        {
+                .id = "ProcSubset=",
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProcSubset=",
+                .description_good = "Service has no access to non-process /proc files (/proc subset=)",
+                .description_bad = "Service has full access to non-process /proc files (/proc subset=)",
+                .weight = 10,
+                .range = 1,
+                .assess = assess_proc_subset,
+        },
          {
                  .id = "NotifyAccess=",
                  .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NotifyAccess=",
@@ -1908,6 +1968,8 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
                  { "IPEgressFilterPath",      "as",      property_read_ip_filters,                0                                                         },
                  { "Id",                      "s",       NULL,                                    offsetof(struct security_info, id)                        },
                  { "KeyringMode",             "s",       NULL,                                    offsetof(struct security_info, keyring_mode)              },
+                { "ProtectProc",             "s",       NULL,                                    offsetof(struct security_info, protect_proc)              },
+                { "ProcSubset",              "s",       NULL,                                    offsetof(struct security_info, proc_subset)               },
                  { "LoadState",               "s",       NULL,                                    offsetof(struct security_info, load_state)                },
                  { "LockPersonality",         "b",       NULL,                                    offsetof(struct security_info, lock_personality)          },
                  { "MemoryDenyWriteExecute",  "b",       NULL,                                    offsetof(struct security_info, memory_deny_write_execute) },
author	Lennart Poettering <lennart@poettering.net>
	Thu, 6 Aug 2020 12:38:43 +0000 (14:38 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Mon, 24 Aug 2020 18:11:10 +0000 (20:11 +0200)