an error.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><option>--profile=<replaceable>PATH</replaceable></option></term>
+
+ <listitem><para>With <command>security</command> <option>--offline=</option>, takes into
+ consideration the specified portable profile when assessing the unit(s) settings.
+ The profile can be passed by name, in which case the well-known system locations will
+ be searched, or it can be the full path to a specific drop-in file.</para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><option>--threshold=<replaceable>NUMBER</replaceable></option></term>
elif __contains_word "$verb" ${VERBS[SECURITY]}; then
if [[ $cur = -* ]]; then
- comps='--help --version --no-pager --system --user -H --host -M --machine --offline --threshold --security-policy --json=off --json=pretty --json=short --root --image'
+ comps='--help --version --no-pager --system --user -H --host -M --machine --offline --threshold --security-policy --json=off --json=pretty --json=short --root --image --profile=default --profile=nonetwork --profile=strict --profile=trusted'
elif ! __contains_word "--offline" ${COMP_WORDS[*]}; then
if __contains_word "--user" ${COMP_WORDS[*]}; then
mode=--user
'--threshold=[Set a value to compare the overall security exposure level with]: NUMBER' \
'--security-policy=[Allow user to use customized requirements to compare unit file(s) against]: PATH' \
'--json=[Generate a JSON output of the security analysis table]:MODE:(pretty short off)' \
+ '--profile=[Include the specified profile in the security review of the unit(s)]: PATH' \
'--no-pager[Do not pipe output into a pager]' \
'--man=[Do (not) check for existence of man pages]:BOOL:(yes no)' \
'--generators=[Do (not) run unit generators]:BOOL:(yes no)' \
#include "bus-map-properties.h"
#include "bus-unit-util.h"
#include "bus-util.h"
+#include "copy.h"
#include "env-util.h"
#include "format-table.h"
#include "in-addr-prefix-util.h"
#include "manager.h"
#include "missing_capability.h"
#include "missing_sched.h"
+#include "mkdir.h"
#include "nulstr-util.h"
#include "parse-util.h"
#include "path-util.h"
bool run_generators,
unsigned threshold,
const char *root,
+ const char *profile,
PagerFlags pager_flags,
JsonFormatFlags json_format_flags) {
if (r < 0)
return r;
+ if (profile) {
+ /* Ensure the temporary directory is in the search path, so that we can add drop-ins. */
+ r = strv_extend(&m->lookup_paths.search_path, m->lookup_paths.temporary_dir);
+ if (r < 0)
+ return log_oom();
+ }
+
log_debug("Loading remaining units from the command line...");
STRV_FOREACH(filename, filenames) {
continue;
}
+ /* When a portable image is analyzed, the profile is what provides a good chunk of
+ * the security-related settings, but they are obviously not shipped with the image.
+ * This allows to take them in consideration. */
+ if (profile) {
+ _cleanup_free_ char *unit_name = NULL, *dropin = NULL, *profile_path = NULL;
+
+ r = path_extract_filename(prepared, &unit_name);
+ if (r < 0)
+ return log_oom();
+
+ dropin = strjoin(m->lookup_paths.temporary_dir, "/", unit_name, ".d/profile.conf");
+ if (!dropin)
+ return log_oom();
+ (void) mkdir_parents(dropin, 0755);
+
+ if (!is_path(profile)) {
+ r = find_portable_profile(profile, unit_name, &profile_path);
+ if (r < 0)
+ return log_error_errno(r, "Failed to find portable profile %s: %m", profile);
+ profile = profile_path;
+ }
+
+ r = copy_file(profile, dropin, 0, 0644, 0, 0, 0);
+ if (r < 0)
+ return log_error_errno(r, "Failed to copy: %m");
+ }
+
k = manager_load_startable_unit_or_warn(m, NULL, prepared, &units[count]);
if (k < 0) {
if (r == 0)
bool offline,
unsigned threshold,
const char *root,
+ const char *profile,
JsonFormatFlags json_format_flags,
PagerFlags pager_flags,
AnalyzeSecurityFlags flags) {
assert(bus);
if (offline)
- return offline_security_checks(units, policy, scope, check_man, run_generators, threshold, root, pager_flags, json_format_flags);
+ return offline_security_checks(units, policy, scope, check_man, run_generators, threshold, root, profile, pager_flags, json_format_flags);
if (strv_length(units) != 1) {
overview_table = table_new("unit", "exposure", "predicate", "happy");
bool offline,
unsigned threshold,
const char *root,
+ const char *profile,
JsonFormatFlags json_format_flags,
PagerFlags pager_flags,
AnalyzeSecurityFlags flags);
static char *arg_unit = NULL;
static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF;
static bool arg_quiet = false;
+static char *arg_profile = NULL;
STATIC_DESTRUCTOR_REGISTER(arg_dot_from_patterns, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_dot_to_patterns, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
STATIC_DESTRUCTOR_REGISTER(arg_security_policy, freep);
STATIC_DESTRUCTOR_REGISTER(arg_unit, freep);
+STATIC_DESTRUCTOR_REGISTER(arg_profile, freep);
typedef struct BootTimes {
usec_t firmware_time;
arg_offline,
arg_threshold,
arg_root,
+ arg_profile,
arg_json_format_flags,
arg_pager_flags,
/*flags=*/ 0);
" --iterations=N Show the specified number of iterations\n"
" --base-time=TIMESTAMP Calculate calendar times relative to\n"
" specified time\n"
+ " --profile=name|PATH Include the specified profile in the\n"
+ " security review of the unit(s)\n"
" -h --help Show this help\n"
" --version Show package version\n"
" -q --quiet Do not emit hints\n"
ARG_THRESHOLD,
ARG_SECURITY_POLICY,
ARG_JSON,
+ ARG_PROFILE,
};
static const struct option options[] = {
{ "base-time", required_argument, NULL, ARG_BASE_TIME },
{ "unit", required_argument, NULL, 'U' },
{ "json", required_argument, NULL, ARG_JSON },
+ { "profile", required_argument, NULL, ARG_PROFILE },
{}
};
break;
+ case ARG_PROFILE:
+ if (isempty(optarg))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Profile file name is empty");
+
+ if (is_path(optarg)) {
+ r = parse_path_argument(optarg, /* suppress_root= */ false, &arg_profile);
+ if (r < 0)
+ return r;
+ if (!endswith(arg_profile, ".conf"))
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Profile file name must end with .conf: %s", arg_profile);
+ } else {
+ r = free_and_strdup(&arg_profile, optarg);
+ if (r < 0)
+ return log_oom();
+ }
+
+ break;
+
case 'U': {
_cleanup_free_ char *mangled = NULL;
--security-policy=/tmp/testfile.json \
--root=/tmp/img/ testfile.service
+# The strict profile adds a lot of sanboxing options
+systemd-analyze security --threshold=20 --offline=true \
+ --security-policy=/tmp/testfile.json \
+ --profile=strict \
+ --root=/tmp/img/ testfile.service
+
set +e
+# The trusted profile doesn't add any sanboxing options
+systemd-analyze security --threshold=20 --offline=true \
+ --security-policy=/tmp/testfile.json \
+ --profile=/usr/lib/systemd/portable/profile/trusted/service.conf \
+ --root=/tmp/img/ testfile.service \
+ && { echo 'unexpected success'; exit 1; }
+
systemd-analyze security --threshold=50 --offline=true \
--security-policy=/tmp/testfile.json \
--root=/tmp/img/ testfile.service \
projects / thirdparty / systemd.git / commitdiff
