summaryrefslogtreecommitdiffstats
path: root/src/analyze/analyze-security.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/analyze/analyze-security.c')
-rw-r--r--src/analyze/analyze-security.c37
1 files changed, 36 insertions, 1 deletions
diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c
index 0962950dd0..3cf6515f5f 100644
--- a/src/analyze/analyze-security.c
+++ b/src/analyze/analyze-security.c
@@ -45,6 +45,9 @@ struct security_info {
bool ip_address_allow_localhost;
bool ip_address_allow_other;
+ bool ip_filters_custom_ingress;
+ bool ip_filters_custom_egress;
+
char *keyring_mode;
bool lock_personality;
bool memory_deny_write_execute;
@@ -590,7 +593,10 @@ static int assess_ip_address_allow(
assert(ret_badness);
assert(ret_description);
- if (!info->ip_address_deny_all) {
+ if (info->ip_filters_custom_ingress || info->ip_filters_custom_egress) {
+ d = strdup("Service defines custom ingress/egress IP filters with BPF programs");
+ b = 0;
+ } else if (!info->ip_address_deny_all) {
d = strdup("Service does not define an IP address whitelist");
b = 10;
} else if (info->ip_address_allow_other) {
@@ -1824,6 +1830,33 @@ static int property_read_ip_address_allow(
return sd_bus_message_exit_container(m);
}
+static int property_read_ip_filters(
+ sd_bus *bus,
+ const char *member,
+ sd_bus_message *m,
+ sd_bus_error *error,
+ void *userdata) {
+
+ struct security_info *info = userdata;
+ _cleanup_(strv_freep) char **l = NULL;
+ int r;
+
+ assert(bus);
+ assert(member);
+ assert(m);
+
+ r = sd_bus_message_read_strv(m, &l);
+ if (r < 0)
+ return r;
+
+ if (streq(member, "IPIngressFilterPath"))
+ info->ip_filters_custom_ingress = !strv_isempty(l);
+ else if (streq(member, "IPEgressFilterPath"))
+ info->ip_filters_custom_ingress = !strv_isempty(l);
+
+ return 0;
+}
+
static int property_read_device_allow(
sd_bus *bus,
const char *member,
@@ -1873,6 +1906,8 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
{ "FragmentPath", "s", NULL, offsetof(struct security_info, fragment_path) },
{ "IPAddressAllow", "a(iayu)", property_read_ip_address_allow, 0 },
{ "IPAddressDeny", "a(iayu)", property_read_ip_address_allow, 0 },
+ { "IPIngressFilterPath", "as", property_read_ip_filters, 0 },
+ { "IPEgressFilterPath", "as", property_read_ip_filters, 0 },
{ "Id", "s", NULL, offsetof(struct security_info, id) },
{ "KeyringMode", "s", NULL, offsetof(struct security_info, keyring_mode) },
{ "LoadState", "s", NULL, offsetof(struct security_info, load_state) },