diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:42 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:42 +0000 |
commit | 78e9bb837c258ac0ec7712b3d612cc2f407e731e (patch) | |
tree | f515d16b6efd858a9aeb5b0ef5d6f90bf288283d /src/analyze/analyze.c | |
parent | Adding debian version 255.5-1. (diff) | |
download | systemd-78e9bb837c258ac0ec7712b3d612cc2f407e731e.tar.xz systemd-78e9bb837c258ac0ec7712b3d612cc2f407e731e.zip |
Merging upstream version 256.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/analyze/analyze.c')
-rw-r--r-- | src/analyze/analyze.c | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c index 021de65..cf4894a 100644 --- a/src/analyze/analyze.c +++ b/src/analyze/analyze.c @@ -13,6 +13,7 @@ #include "alloc-util.h" #include "analyze.h" +#include "analyze-architectures.h" #include "analyze-blame.h" #include "analyze-calendar.h" #include "analyze-capability.h" @@ -25,6 +26,7 @@ #include "analyze-exit-status.h" #include "analyze-fdstore.h" #include "analyze-filesystems.h" +#include "analyze-image-policy.h" #include "analyze-inspect-elf.h" #include "analyze-log-control.h" #include "analyze-malloc.h" @@ -41,7 +43,6 @@ #include "analyze-unit-files.h" #include "analyze-unit-paths.h" #include "analyze-verify.h" -#include "analyze-image-policy.h" #include "build.h" #include "bus-error.h" #include "bus-locator.h" @@ -224,6 +225,7 @@ static int help(int argc, char *argv[], void *userdata) { " capability [CAP...] List capability definitions\n" " syscall-filter [NAME...] List syscalls in seccomp filters\n" " filesystems [NAME...] List known filesystems\n" + " architectures [NAME...] List known architectures\n" " condition CONDITION... Evaluate conditions and asserts\n" " compare-versions VERSION1 [OP] VERSION2\n" " Compare two version strings\n" @@ -238,7 +240,7 @@ static int help(int argc, char *argv[], void *userdata) { " fdstore SERVICE... Show file descriptor store contents of service\n" " image-policy POLICY... Analyze image policy string\n" " pcrs [PCR...] Show TPM2 PCRs and their names\n" - " srk > FILE Write TPM2 SRK to stdout\n" + " srk [>FILE] Write TPM2 SRK (to FILE)\n" "\nOptions:\n" " --recursive-errors=MODE Control which units are verified\n" " --offline=BOOL Perform a security review on unit file(s)\n" @@ -270,6 +272,7 @@ static int help(int argc, char *argv[], void *userdata) { " specified time\n" " --profile=name|PATH Include the specified profile in the\n" " security review of the unit(s)\n" + " --unit=UNIT Evaluate conditions and asserts of unit\n" " --table Output plot's raw time data as a table\n" " -h --help Show this help\n" " --version Show package version\n" @@ -557,18 +560,21 @@ static int parse_argv(int argc, char *argv[]) { return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option --offline= is only supported for security right now."); - if (arg_json_format_flags != JSON_FORMAT_OFF && !STRPTR_IN_SET(argv[optind], "security", "inspect-elf", "plot", "fdstore", "pcrs")) + if (arg_offline && optind >= argc - 1) + return log_error_errno(SYNTHETIC_ERRNO(EINVAL), + "Option --offline= requires one or more units to perform a security review."); + + if (arg_json_format_flags != JSON_FORMAT_OFF && !STRPTR_IN_SET(argv[optind], "security", "inspect-elf", "plot", "fdstore", "pcrs", "architectures", "capability", "exit-status")) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Option --json= is only supported for security, inspect-elf, plot, fdstore, pcrs right now."); + "Option --json= is only supported for security, inspect-elf, plot, fdstore, pcrs, architectures, capability, exit-status right now."); if (arg_threshold != 100 && !streq_ptr(argv[optind], "security")) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option --threshold= is only supported for security right now."); - if (arg_runtime_scope == RUNTIME_SCOPE_GLOBAL && - !STR_IN_SET(argv[optind] ?: "time", "dot", "unit-paths", "verify")) + if (arg_runtime_scope == RUNTIME_SCOPE_GLOBAL && !streq_ptr(argv[optind], "unit-paths")) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), - "Option --global only makes sense with verbs dot, unit-paths, verify."); + "Option --global only makes sense with verb unit-paths."); if (streq_ptr(argv[optind], "cat-config") && arg_runtime_scope == RUNTIME_SCOPE_USER) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), @@ -596,7 +602,7 @@ static int parse_argv(int argc, char *argv[]) { if (streq_ptr(argv[optind], "condition") && arg_unit && optind < argc - 1) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No conditions can be passed if --unit= is used."); - if ((!arg_legend && !streq_ptr(argv[optind], "plot")) || + if ((!arg_legend && !STRPTR_IN_SET(argv[optind], "plot", "architectures")) || (streq_ptr(argv[optind], "plot") && !arg_legend && !arg_table && FLAGS_SET(arg_json_format_flags, JSON_FORMAT_OFF))) return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option --no-legend is only supported for plot with either --table or --json=."); @@ -650,6 +656,7 @@ static int run(int argc, char *argv[]) { { "image-policy", 2, 2, 0, verb_image_policy }, { "pcrs", VERB_ANY, VERB_ANY, 0, verb_pcrs }, { "srk", VERB_ANY, 1, 0, verb_srk }, + { "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures }, {} }; @@ -673,7 +680,8 @@ static int run(int argc, char *argv[]) { arg_image_policy, DISSECT_IMAGE_GENERIC_ROOT | DISSECT_IMAGE_RELAX_VAR_CHECK | - DISSECT_IMAGE_READ_ONLY, + DISSECT_IMAGE_READ_ONLY | + DISSECT_IMAGE_ALLOW_USERSPACE_VERITY, &mounted_dir, /* ret_dir_fd= */ NULL, &loop_device); |