summaryrefslogtreecommitdiffstats
path: root/src/analyze/analyze.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/analyze/analyze.c')
-rw-r--r--src/analyze/analyze.c26
1 files changed, 17 insertions, 9 deletions
diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c
index 021de65..cf4894a 100644
--- a/src/analyze/analyze.c
+++ b/src/analyze/analyze.c
@@ -13,6 +13,7 @@
#include "alloc-util.h"
#include "analyze.h"
+#include "analyze-architectures.h"
#include "analyze-blame.h"
#include "analyze-calendar.h"
#include "analyze-capability.h"
@@ -25,6 +26,7 @@
#include "analyze-exit-status.h"
#include "analyze-fdstore.h"
#include "analyze-filesystems.h"
+#include "analyze-image-policy.h"
#include "analyze-inspect-elf.h"
#include "analyze-log-control.h"
#include "analyze-malloc.h"
@@ -41,7 +43,6 @@
#include "analyze-unit-files.h"
#include "analyze-unit-paths.h"
#include "analyze-verify.h"
-#include "analyze-image-policy.h"
#include "build.h"
#include "bus-error.h"
#include "bus-locator.h"
@@ -224,6 +225,7 @@ static int help(int argc, char *argv[], void *userdata) {
" capability [CAP...] List capability definitions\n"
" syscall-filter [NAME...] List syscalls in seccomp filters\n"
" filesystems [NAME...] List known filesystems\n"
+ " architectures [NAME...] List known architectures\n"
" condition CONDITION... Evaluate conditions and asserts\n"
" compare-versions VERSION1 [OP] VERSION2\n"
" Compare two version strings\n"
@@ -238,7 +240,7 @@ static int help(int argc, char *argv[], void *userdata) {
" fdstore SERVICE... Show file descriptor store contents of service\n"
" image-policy POLICY... Analyze image policy string\n"
" pcrs [PCR...] Show TPM2 PCRs and their names\n"
- " srk > FILE Write TPM2 SRK to stdout\n"
+ " srk [>FILE] Write TPM2 SRK (to FILE)\n"
"\nOptions:\n"
" --recursive-errors=MODE Control which units are verified\n"
" --offline=BOOL Perform a security review on unit file(s)\n"
@@ -270,6 +272,7 @@ static int help(int argc, char *argv[], void *userdata) {
" specified time\n"
" --profile=name|PATH Include the specified profile in the\n"
" security review of the unit(s)\n"
+ " --unit=UNIT Evaluate conditions and asserts of unit\n"
" --table Output plot's raw time data as a table\n"
" -h --help Show this help\n"
" --version Show package version\n"
@@ -557,18 +560,21 @@ static int parse_argv(int argc, char *argv[]) {
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --offline= is only supported for security right now.");
- if (arg_json_format_flags != JSON_FORMAT_OFF && !STRPTR_IN_SET(argv[optind], "security", "inspect-elf", "plot", "fdstore", "pcrs"))
+ if (arg_offline && optind >= argc - 1)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Option --offline= requires one or more units to perform a security review.");
+
+ if (arg_json_format_flags != JSON_FORMAT_OFF && !STRPTR_IN_SET(argv[optind], "security", "inspect-elf", "plot", "fdstore", "pcrs", "architectures", "capability", "exit-status"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
- "Option --json= is only supported for security, inspect-elf, plot, fdstore, pcrs right now.");
+ "Option --json= is only supported for security, inspect-elf, plot, fdstore, pcrs, architectures, capability, exit-status right now.");
if (arg_threshold != 100 && !streq_ptr(argv[optind], "security"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --threshold= is only supported for security right now.");
- if (arg_runtime_scope == RUNTIME_SCOPE_GLOBAL &&
- !STR_IN_SET(argv[optind] ?: "time", "dot", "unit-paths", "verify"))
+ if (arg_runtime_scope == RUNTIME_SCOPE_GLOBAL && !streq_ptr(argv[optind], "unit-paths"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
- "Option --global only makes sense with verbs dot, unit-paths, verify.");
+ "Option --global only makes sense with verb unit-paths.");
if (streq_ptr(argv[optind], "cat-config") && arg_runtime_scope == RUNTIME_SCOPE_USER)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
@@ -596,7 +602,7 @@ static int parse_argv(int argc, char *argv[]) {
if (streq_ptr(argv[optind], "condition") && arg_unit && optind < argc - 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No conditions can be passed if --unit= is used.");
- if ((!arg_legend && !streq_ptr(argv[optind], "plot")) ||
+ if ((!arg_legend && !STRPTR_IN_SET(argv[optind], "plot", "architectures")) ||
(streq_ptr(argv[optind], "plot") && !arg_legend && !arg_table && FLAGS_SET(arg_json_format_flags, JSON_FORMAT_OFF)))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option --no-legend is only supported for plot with either --table or --json=.");
@@ -650,6 +656,7 @@ static int run(int argc, char *argv[]) {
{ "image-policy", 2, 2, 0, verb_image_policy },
{ "pcrs", VERB_ANY, VERB_ANY, 0, verb_pcrs },
{ "srk", VERB_ANY, 1, 0, verb_srk },
+ { "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures },
{}
};
@@ -673,7 +680,8 @@ static int run(int argc, char *argv[]) {
arg_image_policy,
DISSECT_IMAGE_GENERIC_ROOT |
DISSECT_IMAGE_RELAX_VAR_CHECK |
- DISSECT_IMAGE_READ_ONLY,
+ DISSECT_IMAGE_READ_ONLY |
+ DISSECT_IMAGE_ALLOW_USERSPACE_VERITY,
&mounted_dir,
/* ret_dir_fd= */ NULL,
&loop_device);
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-15 15:01:56 +0000