From c1e6f2155668f9246a23951fde3e1ef5c3ef900c Mon Sep 17 00:00:00 2001 From: Kyle Laker Date: Mon, 6 Sep 2021 11:33:16 -0400 Subject: [PATCH] systemd-analyze: use config value in RestrictNamespaces id (#20645) For most fields, the text shown by `.id` is the value that should be set in the unit file; however, for RestrictNamespaces, it is not. Changing this to show the actual text makes it more clear to a user what the actual change that needs to be made to the unit file is. --- man/systemd-analyze.xml | 14 +++++++------- src/analyze/analyze-security.c | 28 ++++++++++++++-------------- test/units/testsuite-63.sh | 14 +++++++------- 3 files changed, 28 insertions(+), 28 deletions(-) diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index fb2a1caa9e5..8e8f776377a 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -967,25 +967,25 @@ Service b@0.service not loaded, b.socket cannot be started. RestrictSUIDSGID - RestrictNamespaces_CLONE_NEWUSER + RestrictNamespaces_user - RestrictNamespaces_CLONE_NEWNS + RestrictNamespaces_mnt - RestrictNamespaces_CLONE_NEWIPC + RestrictNamespaces_ipc - RestrictNamespaces_CLONE_NEWPID + RestrictNamespaces_pid - RestrictNamespaces_CLONE_NEWCGROUP + RestrictNamespaces_cgroup - RestrictNamespaces_CLONE_NEWUTS + RestrictNamespaces_uts - RestrictNamespaces_CLONE_NEWNET + RestrictNamespaces_net RestrictAddressFamilies_AF_INET_INET6 diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c index 03b63cd1b31..adb73ab7a99 100644 --- a/src/analyze/analyze-security.c +++ b/src/analyze/analyze-security.c 
@@ -1340,8 +1340,8 @@ static const struct security_assessor security_assessor_table[] = {
 .offset = offsetof(SecurityInfo, restrict_suid_sgid),
 },
 {
- .id = "RestrictNamespaces=~CLONE_NEWUSER",
- .json_field = "RestrictNamespaces_CLONE_NEWUSER",
+ .id = "RestrictNamespaces=~user",
+ .json_field = "RestrictNamespaces_user",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
 .description_good = "Service cannot create user namespaces",
 .description_bad = "Service may create user namespaces",
@@ -1351,8 +1351,8 @@ static const struct security_assessor security_assessor_table[] = {
 .parameter = CLONE_NEWUSER,
 },
 {
- .id = "RestrictNamespaces=~CLONE_NEWNS",
- .json_field = "RestrictNamespaces_CLONE_NEWNS",
+ .id = "RestrictNamespaces=~mnt",
+ .json_field = "RestrictNamespaces_mnt",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
 .description_good = "Service cannot create file system namespaces",
 .description_bad = "Service may create file system namespaces",
@@ -1362,8 +1362,8 @@ static const struct security_assessor security_assessor_table[] = {
 .parameter = CLONE_NEWNS,
 },
 {
- .id = "RestrictNamespaces=~CLONE_NEWIPC",
- .json_field = "RestrictNamespaces_CLONE_NEWIPC",
+ .id = "RestrictNamespaces=~ipc",
+ .json_field = "RestrictNamespaces_ipc",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
 .description_good = "Service cannot create IPC namespaces",
 .description_bad = "Service may create IPC namespaces",
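Review bot: Renaming `.json_field` in this entry (and in the matching entries of the hunks at -1351, -1362, -1373, -1384, -1395 and -1406) changes the key a JSON security policy has to use, not just the text shown to the user; the test fixture in this same patch, `/tmp/testfile.json`, carries per-key `weight` and `range` overrides under exactly these names. An existing policy file that still says `RestrictNamespaces_CLONE_NEWUSER` would presumably stop matching any assessor, so a site-tuned weight could fall back to the built-in default without notice; the lookup code is outside this diff, so please confirm whether unknown keys are rejected or silently ignored. The goal stated in the commit message only needs the `.id` change, so I would either keep the old `json_field` values or document the break, e.g. a comment above the first entry such as `/* json_field was RestrictNamespaces_CLONE_NEW* before this change; old policy files need updating */` plus a NEWS entry. `security_assessor_table` starts and ends outside the hunks shown.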
@@ -1373,8 +1373,8 @@ static const struct security_assessor security_assessor_table[] = {
 .parameter = CLONE_NEWIPC,
 },
 {
- .id = "RestrictNamespaces=~CLONE_NEWPID",
- .json_field = "RestrictNamespaces_CLONE_NEWPID",
+ .id = "RestrictNamespaces=~pid",
+ .json_field = "RestrictNamespaces_pid",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
 .description_good = "Service cannot create process namespaces",
 .description_bad = "Service may create process namespaces",
@@ -1384,8 +1384,8 @@ static const struct security_assessor security_assessor_table[] = {
 .parameter = CLONE_NEWPID,
 },
 {
- .id = "RestrictNamespaces=~CLONE_NEWCGROUP",
- .json_field = "RestrictNamespaces_CLONE_NEWCGROUP",
+ .id = "RestrictNamespaces=~cgroup",
+ .json_field = "RestrictNamespaces_cgroup",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
 .description_good = "Service cannot create cgroup namespaces",
 .description_bad = "Service may create cgroup namespaces",
@@ -1395,8 +1395,8 @@ static const struct security_assessor security_assessor_table[] = {
 .parameter = CLONE_NEWCGROUP,
 },
 {
- .id = "RestrictNamespaces=~CLONE_NEWNET",
- .json_field = "RestrictNamespaces_CLONE_NEWNET",
+ .id = "RestrictNamespaces=~net",
+ .json_field = "RestrictNamespaces_net",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
 .description_good = "Service cannot create network namespaces",
 .description_bad = "Service may create network namespaces",
@@ -1406,8 +1406,8 @@ static const struct security_assessor security_assessor_table[] = {
 .parameter = CLONE_NEWNET,
 },
 {
- .id = "RestrictNamespaces=~CLONE_NEWUTS",
- .json_field = "RestrictNamespaces_CLONE_NEWUTS",
+ .id = "RestrictNamespaces=~uts",
+ .json_field = "RestrictNamespaces_uts",
 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictNamespaces=",
 .description_good = "Service cannot create hostname namespaces",
 .description_bad = "Service may create hostname namespaces",
diff --git a/test/units/testsuite-63.sh b/test/units/testsuite-63.sh
index 4474cc3a2a5..6899c66ae63 100755
--- a/test/units/testsuite-63.sh
+++ b/test/units/testsuite-63.sh
@@ -412,43 +412,43 @@ cat </tmp/testfile.json
 "weight": 1000,
 "range": 1
 },
-"RestrictNamespaces_CLONE_NEWUSER":
+"RestrictNamespaces_user":
 {"description_good": "Servicecannotcreateusernamespaces",
 "description_bad": "Servicemaycreateusernamespaces",
 "weight": 1500,
 "range": 1
 },
-"RestrictNamespaces_CLONE_NEWNS":
+"RestrictNamespaces_mnt":
 {"description_good": "Service cannot create file system namespaces",
 "description_bad": "Service may create file system namespaces",
 "weight": 500,
 "range": 1
 },
-"RestrictNamespaces_CLONE_NEWIPC":
+"RestrictNamespaces_ipc":
 {"description_good": "Service cannot create IPC namespaces",
 "description_bad": "Service may create IPC namespaces",
 "weight": 500,
 "range": 1
 },
-"RestrictNamespaces_CLONE_NEWPID":
+"RestrictNamespaces_pid":
 {"description_good": "Service cannot create process namespaces",
 "description_bad": "Service may create process namespaces",
 "weight": 500,
 "range": 1
 },
-"RestrictNamespaces_CLONE_NEWCGROUP":
+"RestrictNamespaces_cgroup":
 {"description_good": "Service cannot create cgroup namespaces",
 "description_bad": "Service may create cgroup namespaces",
 "weight": 500,
 "range": 1
 },
-"RestrictNamespaces_CLONE_NEWNET":
+"RestrictNamespaces_net":
 {"description_good": "Service cannot create network namespaces",
 "description_bad": "Service may create network namespaces",
 "weight": 500,
 "range": 1
 },
-"RestrictNamespaces_CLONE_NEWUTS":
+"RestrictNamespaces_uts":
 {"description_good": "Service cannot create hostname namespaces",
 "description_bad": "Service may create hostname namespaces",
 "weight": 100,