author | Topi Miettinen <toiwoton@gmail.com> | 2019-02-27 14:26:43 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2019-02-27 16:20:38 +0100 |
commit | 527bd7f1854bce20a308f6ca589e488deeaaf895 (patch) | |
tree | 5eedaedc4aa1d1052998edfbec0ee71608f8c465 /src/analyze | |
parent | selinux: don't log SELINUX_INFO and SELINUX_WARNING messages to audit (diff) | |
download | systemd-527bd7f1854bce20a308f6ca589e488deeaaf895.tar.xz systemd-527bd7f1854bce20a308f6ca589e488deeaaf895.zip |
analyze security: check for ProtectHostname=yes
Diffstat (limited to 'src/analyze')
-rw-r--r-- | src/analyze/analyze-security.c | 12 |
1 files changed, 12 insertions, 0 deletions
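--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -49,6 +49,7 @@ struct security_info {
         bool memory_deny_write_execute;
         bool no_new_privileges;
         char *notify_access;
+        bool protect_hostname;
         bool private_devices;
         bool private_mounts;
@@ -769,6 +770,16 @@ static const struct security_assessor security_assessor_table[] = {
                 .default_dependencies_only = true,
         },
         {
+                .id = "ProtectHostname=",
+                .description_good = "Service cannot change system host/domainname",
+                .description_bad = "Service may change system host/domainname",
+                .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHostname=",
+                .weight = 50,
+                .range = 1,
+                .assess = assess_bool,
+                .offset = offsetof(struct security_info, protect_hostname),
+        },
+        {
                 .id = "ProtectSystem=",
                 .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=",
                 .weight = 1000,
@@ -1861,6 +1872,7 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
                 { "PrivateUsers", "b", NULL, offsetof(struct security_info, private_users) },
                 { "ProtectControlGroups", "b", NULL, offsetof(struct security_info, protect_control_groups) },
                 { "ProtectHome", "s", NULL, offsetof(struct security_info, protect_home) },
+                { "ProtectHostname", "b", NULL, offsetof(struct security_info, protect_hostname) },
                 { "ProtectKernelModules", "b", NULL, offsetof(struct security_info, protect_kernel_modules) },
                 { "ProtectKernelTunables", "b", NULL, offsetof(struct security_info, protect_kernel_tunables) },
                 { "ProtectSystem", "s", NULL, offsetof(struct security_info, protect_system) },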
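Review bot: The new `ProtectHostname=` entry in the security_assessor_table hunk sets `.weight = 50,` with nothing recording why it is scored twenty times lower than the adjacent `ProtectSystem=` entry at `.weight = 1000,`; a one-line comment on the weight line stating the rationale (the class of damage a hostname change enables relative to the 1000-weight entries) would keep the scoring reviewable when the table is tuned later. The property is read as a plain boolean via `{ "ProtectHostname", "b", NULL, offsetof(struct security_info, protect_hostname) }`, so against a manager that does not publish this property the field presumably keeps its initial false and the unit is reported as "Service may change system host/domainname" rather than as unknown; worth confirming that is the intended reading, since it is the same treatment every other `"b"` entry in the table receives. The security_assessor_table initializer and the acquire_security_info function both begin and end outside the hunks shown.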