analyze: handle CAP_BPF support
This commit is contained in:
parent
bebf6fcf22
commit
4f7a629e6c
|
@ -1261,6 +1261,9 @@ NR NAME SHA256
|
|||
<row>
|
||||
<entry>CapabilityBoundingSet_CAP_SYS_TTY_CONFIG</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>CapabilityBoundingSet_CAP_BPF</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>UMask</entry>
|
||||
</row>
|
||||
|
|
|
@ -1249,6 +1249,17 @@ static const struct security_assessor security_assessor_table[] = {
|
|||
.assess = assess_capability_bounding_set,
|
||||
.parameter = (UINT64_C(1) << CAP_SYS_PACCT),
|
||||
},
|
||||
{
|
||||
.id = "CapabilityBoundingSet=~CAP_BPF",
|
||||
.json_field = "CapabilityBoundingSet_CAP_BPF",
|
||||
.description_good = "Service may load BPF programs",
|
||||
.description_bad = "Service may not load BPF programs",
|
||||
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
|
||||
.weight = 25,
|
||||
.range = 1,
|
||||
.assess = assess_capability_bounding_set,
|
||||
.parameter = (UINT64_C(1) << CAP_BPF),
|
||||
},
|
||||
{
|
||||
.id = "UMask=",
|
||||
.json_field = "UMask",
|
||||
|
|
|
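Review bot: The two description strings on the new `.description_good` / `.description_bad` lines appear swapped: for the other `CapabilityBoundingSet=~` rows of this table (such as the CAP_SYS_PACCT entry that ends just above, whose strings are outside this hunk) `description_good` names the state in which the capability has been dropped from the bounding set, so the CAP_BPF entry should read `.description_good = "Service may not load BPF programs",` and `.description_bad = "Service may load BPF programs",`. If that reading is right, the expected JSON written by the test heredoc in the `@ -563,6 +563,12 @@` hunk repeats the same inversion and needs the same swap. Separately, `CAP_BPF` is a comparatively recent capability constant; unless a compatibility header in the tree supplies it when `<linux/capability.h>` does not, this entry will not compile against older headers, which is worth confirming given the commit title. The `security_assessor_table` definition starts before this hunk and continues after it.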
@ -563,6 +563,12 @@ cat <<EOF >/tmp/testfile.json
|
|||
"weight": 25,
|
||||
"range": 1
|
||||
},
|
||||
"CapabilityBoundingSet_CAP_BPF":
|
||||
{"description_good": "Service may load BPF programs",
|
||||
"description_bad": "Service may not load BPF programs",
|
||||
"weight": 25,
|
||||
"range": 1
|
||||
},
|
||||
"UMask":
|
||||
{"weight": 100,
|
||||
"range": 10
|
||||
|
|