analyze: handle CAP_BPF support

2024-07-22 18:55:10 +00:00 · 2022-05-03 14:24:42 +10:00 · 2022-05-03 14:24:42 +10:00 · 4f7a629e6c
parent bebf6fcf22
commit 4f7a629e6c
3 changed files with 20 additions and 0 deletions
--- a/man/systemd-analyze.xml
+++ b/man/systemd-analyze.xml
@ -1261,6 +1261,9 @@ NR NAME                SHA256
              <row>
                <entry>CapabilityBoundingSet_CAP_SYS_TTY_CONFIG</entry>
              </row>
+              <row>
+                <entry>CapabilityBoundingSet_CAP_BPF</entry>
+              </row>
              <row>
                <entry>UMask</entry>
              </row>
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@ -1249,6 +1249,17 @@ static const struct security_assessor security_assessor_table[] = {
                .assess = assess_capability_bounding_set,
                .parameter = (UINT64_C(1) << CAP_SYS_PACCT),
        },
+        {
+                .id = "CapabilityBoundingSet=~CAP_BPF",
+                .json_field = "CapabilityBoundingSet_CAP_BPF",
+                .description_good = "Service may load BPF programs",
+                .description_bad = "Service may not load BPF programs",
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
+                .weight = 25,
+                .range = 1,
+                .assess = assess_capability_bounding_set,
+                .parameter = (UINT64_C(1) << CAP_BPF),
+        },
        {
                .id = "UMask=",
                .json_field = "UMask",
--- a/test/units/testsuite-65.sh
+++ b/test/units/testsuite-65.sh
@ -563,6 +563,12 @@ cat <<EOF >/tmp/testfile.json
    "weight": 25,
    "range": 1
    },
+"CapabilityBoundingSet_CAP_BPF":
+    {"description_good": "Service may load BPF programs",
+    "description_bad": "Service may not load BPF programs",
+    "weight": 25,
+    "range": 1
+    },
 "UMask":
    {"weight": 100,
    "range": 10