authorPeter Hutterer <peter.hutterer@who-t.net>2022-05-03 06:24:42 +0200
committerLuca Boccassi <luca.boccassi@gmail.com>2023-11-01 11:25:59 +0100
commit4f7a629e6c11fb2f060f18a62d073410ffa5a0ca (patch)
parentman: explicitly mention that environment.d/ cannot be used to set the service... (diff)
analyze: handle CAP_BPF support
Diffstat (limited to 'src/analyze/analyze-security.c')
-rw-r--r--src/analyze/analyze-security.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 730f07092e..2745100f5d 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -1250,6 +1250,17 @@ static const struct security_assessor security_assessor_table[] = {
.parameter = (UINT64_C(1) << CAP_SYS_PACCT),
},
{
+ .id = "CapabilityBoundingSet=~CAP_BPF",
+ .json_field = "CapabilityBoundingSet_CAP_BPF",
+ .description_good = "Service may load BPF programs",
+ .description_bad = "Service may not load BPF programs",
+ .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#CapabilityBoundingSet=",
+ .weight = 25,
+ .range = 1,
+ .assess = assess_capability_bounding_set,
+ .parameter = (UINT64_C(1) << CAP_BPF),
+ },
+ {
.id = "UMask=",
.json_field = "UMask",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#UMask=",
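Review bot: The two description strings of the new entry look inverted: the id `CapabilityBoundingSet=~CAP_BPF` names the state in which the capability is dropped from the bounding set, which is the passing outcome for an assessor of this kind, yet `.description_good` reads "Service may load BPF programs" and `.description_bad` the opposite. Assuming assess_capability_bounding_set follows the same good-means-capability-absent convention as the sibling capability entries (their strings are outside this hunk), the two lines should be swapped to `.description_good = "Service may not load BPF programs",` and `.description_bad = "Service may load BPF programs",`. Otherwise `systemd-analyze security` would label a unit that still holds CAP_BPF, and can therefore load BPF programs, as one that cannot. Separately, `CAP_BPF` is only provided by linux/capability.h on kernels 5.8 and later, so unless this commit also supplies a fallback definition elsewhere (the diffstat shown is limited to this file), compilation against older headers fails on the `.parameter` line. The security_assessor_table definition begins before and continues after this hunk.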