From 82100ef486cf7e3b1df64b6bb29db43ac146ac6c Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Thu, 4 Nov 2021 19:48:58 +0000
Subject: [PATCH] analyze: allow a custom policy to skip a check with weight=0

In some cases an offline analysis should ignore some fields, for example a portable service in an image will never list RootImage/RootDirectory, as they are added at runtime, and thus can be skipped.
---
 man/systemd-analyze.xml | 3 ++-
 src/analyze/analyze-security.c | 5 +++++
 test/units/testsuite-65.sh | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml
index d3dfa9e5261..e072d661312 100644
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@@ -1081,7 +1081,8 @@ Service b@0.service not loaded, b.socket cannot be started.
 normalized to the 1…100 range, and used to determine the overall exposure level of the unit. By allowing users to manipulate these fields, the 'security' verb gives them the option to decide for themself which ids are more important and hence should have a greater effect on
- the exposure level.
+ the exposure level. A weight of 0 means the setting will not be
+ checked. {
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 400eebbda8a..d3e011e903f 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -1764,6 +1764,11 @@ static int assess(const SecurityInfo *info,
 d = strdup("Service runs in special boot phase, option is not appropriate");
 if (!d)
 return log_oom();
+ } else if (weight == 0) {
+ badness = UINT64_MAX;
+ d = strdup("Option excluded by policy, skipping");
+ if (!d)
+ return log_oom();
 } else {
 r = a->assess(a, info, data, &badness, &d);
 if (r < 0)
diff --git a/test/units/testsuite-65.sh b/test/units/testsuite-65.sh
index 64a7a34ed95..3218462c769 100755
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
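Review bot: The new `else if (weight == 0)` branch treats any zero weight as "excluded by policy", so it is worth confirming that the policy loader (outside this hunk) can only yield 0 from an explicit `"weight": 0` and never from an absent or unparsable field; otherwise a typo in a custom policy would silently disable a check instead of being reported. The branch sets `badness = UINT64_MAX` the way the preceding boot-phase branch presumably does (its badness assignment is above the hunk), but nothing in the code says what that sentinel means to the code that aggregates the exposure level. A comment such as `/* weight 0 in the policy means "do not check this setting"; UINT64_MAX marks the result as not assessed, matching the boot-phase case above */` would tie the code to the new man-page wording. assess() begins and ends outside this hunk.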
@@ -108,7 +108,7 @@ systemd-analyze security --threshold=90 --offline=true --root=/tmp/img/ testfile
 cat </tmp/testfile.json
 {"UserOrDynamicUser":
 {"description_bad": "Service runs as root user",
- "weight": 2000,
+ "weight": 0,
 "range": 10
 },
 "SupplementaryGroups":
--
2.47.3