daandemeyer / rpms / systemd

Forked from rpms/systemd 2 years ago
Clone
Source Code
GIT

Blame SOURCES/0326-analyze-check-for-RestrictSUIDSGID-in-systemd-analyz.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-atomic c7-atomic-beta c7-beta c7-sig-altarch-fasttrack c8 c8-beta c8s c8s-sig-hyperscale c9-beta c9s-sig-hyperscale drop-selinux extras extras-boot-time network-extras reduce-diff-rawhide v252-4.597.7-c8s v252-4.598.7-c8s
  1.   df98bb77f7cdd32c4e75d509ca4abc46ecef6546
  2.   SOURCES
  3.   0326-analyze-check-for-RestrictSUIDSGID-in-systemd-analyz.patch
Blob History Raw
5d2ee9 
From 3d338556760632b9c8b646a719d56e02e3ad2088 Mon Sep 17 00:00:00 2001
5d2ee9 
From: Lennart Poettering <lennart@poettering.net>
5d2ee9 
Date: Wed, 20 Mar 2019 19:20:35 +0100
5d2ee9 
Subject: [PATCH] analyze: check for RestrictSUIDSGID= in "systemd-analyze
5d2ee9 
 security"
5d2ee9
5d2ee9 
And let's give it a heigh weight, since it pretty much can be used for
5d2ee9 
bad things only.
5d2ee9
5d2ee9 
(cherry picked from commit 9d880b70ba5c6ca83c82952f4c90e86e56c7b70c)
5d2ee9 
Related: #1687512
5d2ee9 
---
5d2ee9 
 src/analyze/analyze-security.c | 12 ++++++++++++
5d2ee9 
 1 file changed, 12 insertions(+)
5d2ee9
5d2ee9 
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
5d2ee9 
index eec040d5c3..969101c57b 100644
5d2ee9 
--- a/src/analyze/analyze-security.c
5d2ee9 
+++ b/src/analyze/analyze-security.c
5d2ee9 
@@ -69,6 +69,7 @@ struct security_info {
5d2ee9
5d2ee9 
         uint64_t restrict_namespaces;
5d2ee9 
         bool restrict_realtime;
5d2ee9 
+        bool restrict_suid_sgid;
5d2ee9
5d2ee9 
         char *root_directory;
5d2ee9 
         char *root_image;
5d2ee9 
@@ -1130,6 +1131,16 @@ static const struct security_assessor security_assessor_table[] = {
5d2ee9 
                 .assess = assess_bool,
5d2ee9 
                 .offset = offsetof(struct security_info, restrict_realtime),
5d2ee9 
         },
5d2ee9 
+        {
5d2ee9 
+                .id = "RestrictSUIDSGID=",
5d2ee9 
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictSUIDSGID=",
5d2ee9 
+                .description_good = "SUID/SGID file creation by service is restricted",
5d2ee9 
+                .description_bad = "Service may create SUID/SGID files",
5d2ee9 
+                .weight = 1000,
5d2ee9 
+                .range = 1,
5d2ee9 
+                .assess = assess_bool,
5d2ee9 
+                .offset = offsetof(struct security_info, restrict_suid_sgid),
5d2ee9 
+        },
5d2ee9 
         {
5d2ee9 
                 .id = "RestrictNamespaces=~CLONE_NEWUSER",
5d2ee9 
                 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
5d2ee9 
@@ -1862,6 +1873,7 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
5d2ee9 
                 { "RestrictAddressFamilies", "(bas)",   property_read_restrict_address_families, 0                                                         },
5d2ee9 
                 { "RestrictNamespaces",      "t",       NULL,                                    offsetof(struct security_info, restrict_namespaces)       },
5d2ee9 
                 { "RestrictRealtime",        "b",       NULL,                                    offsetof(struct security_info, restrict_realtime)         },
5d2ee9 
+                { "RestrictSUIDSGID",        "b",       NULL,                                    offsetof(struct security_info, restrict_suid_sgid)        },
5d2ee9 
                 { "RootDirectory",           "s",       NULL,                                    offsetof(struct security_info, root_directory)            },
5d2ee9 
                 { "RootImage",               "s",       NULL,                                    offsetof(struct security_info, root_image)                },
5d2ee9 
                 { "SupplementaryGroups",     "as",      NULL,                                    offsetof(struct security_info, supplementary_groups)      },

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation