From: Luca Boccassi
Date: Sat, 30 Apr 2022 22:29:10 +0000 (+0100)
Subject: analyze security: print DeviceAllow list
X-Git-Tag: v251-rc2~41
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6a59dfa108997f5022e1d0fd9acc4ed79c9686b8;p=thirdparty%2Fsystemd.git
analyze security: print DeviceAllow list
Many sandboxing options add implicit DeviceAllow rules, which might be confusing for users running systemd-analyze security and not expecting it. Print the list.
Fixes https://github.com/systemd/systemd/issues/23185
---
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 102722bbc0f..5b4d4caf46a 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -100,7 +100,7 @@ typedef struct SecurityInfo {
 bool delegate;
 char *device_policy;
- bool device_allow_non_empty;
+ char **device_allow;
 Set *system_call_architectures;
@@ -168,6 +168,7 @@ static SecurityInfo *security_info_free(SecurityInfo *i) {
 free(i->notify_access);
 free(i->device_policy);
+ strv_free(i->device_allow);
 strv_free(i->supplementary_groups);
 set_free(i->system_call_architectures);
@@ -720,8 +721,14 @@ static int assess_device_allow(
 if (STRPTR_IN_SET(info->device_policy, "strict", "closed")) {
- if (info->device_allow_non_empty) {
- d = strdup("Service has a device ACL with some special devices");
+ if (!strv_isempty(info->device_allow)) {
+ _cleanup_free_ char *join = NULL;
+
+ join = strv_join(info->device_allow, " ");
+ if (!join)
+ return log_oom();
+
+ d = strjoin("Service has a device ACL with some special devices: ", join);
 b = 5;
 } else {
 d = strdup("Service has a minimal device ACL");
@@ -2259,7 +2266,6 @@ static int property_read_device_allow(
 void *userdata) {
 SecurityInfo *info = userdata;
- size_t n = 0;
 int r;
 assert(bus);
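Review bot: `char **device_allow;` replaces a boolean with a list of preformatted strings, but nothing at the declaration records what the strings look like; the two producers added later in this patch, property_read_device_allow() and get_security_info(), each build `path:perms` entries with their own format string. A trailing comment at the declaration, `char **device_allow; /* "path:perms" entries, as built in property_read_device_allow() and get_security_info() */`, would document the contract where the field is consumed by assess_device_allow(). The SecurityInfo struct definition extends beyond this hunk.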
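Review bot: `_cleanup_free_ char *join = NULL;` followed by a separate `join = strv_join(...)` two lines later can be collapsed into the declaration, `_cleanup_free_ char *join = strv_join(info->device_allow, " ");` with `if (!join) return log_oom();` directly under it, which also removes the blank line in between. The `strjoin()` result assigned to `d` is not checked within the hunk; presumably the existing NULL check on `d` that follows in this function covers it, but assess_device_allow() continues outside the hunk so that should be confirmed. The single-space separator also makes the rendered list ambiguous if a device path itself contains a space; `", "` would be unambiguous and reads better in the report table.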
@@ -2279,11 +2285,11 @@ static int property_read_device_allow(
 if (r == 0)
 break;
- n++;
+ r = strv_extendf(&info->device_allow, "%s:%s", name, policy);
+ if (r < 0)
+ return r;
 }
- info->device_allow_non_empty = n > 0;
-
 return sd_bus_message_exit_container(m);
 }
@@ -2622,7 +2628,13 @@ static int get_security_info(Unit *u, ExecContext *c, CGroupContext *g, Security
 info->ip_filters_custom_ingress = !strv_isempty(g->ip_filters_ingress);
 info->ip_filters_custom_egress = !strv_isempty(g->ip_filters_egress);
- info->device_allow_non_empty = !LIST_IS_EMPTY(g->device_allow);
+
+ LIST_FOREACH(device_allow, a, g->device_allow)
+ if (strv_extendf(&info->device_allow,
+ "%s:%s%s%s",
+ a->path,
+ a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : "") < 0)
+ return log_oom();
 }
 *ret_info = TAKE_PTR(info);
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index 38403a45b76..393297b17f4 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@@ -68,6 +68,7 @@ rm /tmp/testfile2.service
 cat </tmp/testfile.service
 [Service]
 ExecStart = echo hello
+DeviceAllow=/dev/sda
 EOF
 # Prevent regression from #13380 and #20859 where we can't verify hidden files
@@ -94,6 +95,9 @@ systemd-analyze security --threshold=90 --offline=true /tmp/testfile.service \
 && { echo 'unexpected success'; exit 1; }
 set -e
+# Ensure we print the list of ACLs, see https://github.com/systemd/systemd/issues/23185
+systemd-analyze security --offline=true /tmp/testfile.service | grep -q -F "/dev/sda"
+
 rm /tmp/testfile.service
 cat </tmp/img/usr/lib/systemd/system/testfile.service
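Review bot: The `"%s:%s"` format passed to `strv_extendf()` here and the `"%s:%s%s%s"` format in the get_security_info() hunk below produce the same `path:perms` entry layout from two independent format strings, so the online (bus) and offline (unit file) outputs of assess_device_allow() can drift apart if one of them is edited. A small static helper that appends one entry, e.g. `static int device_allow_append(char ***l, const char *path, const char *perms)` wrapping `strv_extendf(l, "%s:%s", path, perms)` and called from both sites, would keep the layout in one place. `name` and `policy` come from the bus reply and are passed only as `%s` arguments, so the format string itself stays a literal, which is the right shape for externally supplied strings. The loop this hunk modifies starts above the hunk.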
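Review bot: The `a->r ? "r" : ""`, `a->w` and `a->m` ternaries render an entry as `path:` with a dangling colon when no permission bit is set, and the `"%s:%s%s%s"` layout is not explained anywhere near the loop. A comment above `LIST_FOREACH(device_allow, a, g->device_allow)`, such as `/* Render each rule as "path:rwm", the same form property_read_device_allow() builds from the bus property */`, would make the intent clear to the next reader. Whether a rule can legitimately have all three bits clear depends on the unit-file parser, which is outside this hunk, so that case is worth either documenting or checking. get_security_info() continues outside the hunk.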
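Review bot: The fixture gains `DeviceAllow=/dev/sda` but sets no `DevicePolicy=`, while the list is only rendered in the `STRPTR_IN_SET(info->device_policy, "strict", "closed")` branch of assess_device_allow() in the C hunk above; the `grep -q -F "/dev/sda"` assertion in the following hunk therefore relies on the offline path reporting a strict or closed policy for a unit that leaves the policy at its default. If that is not guaranteed, adding `DevicePolicy=closed` to the fixture directly under `DeviceAllow=/dev/sda` makes the test self-contained and documents the precondition it depends on. The `cat </tmp/testfile.service` context line appears to have lost its heredoc redirection in this rendering, so the heredoc boundaries should be read from the original file.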