You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Setting ProtectClock=yes doesn't invalidate DeviceAllow= in systemd-analyze security.
Unexpected behaviour you saw
I can either set ProtectClock=yes and get this (no matter what I do with DeviceAllow= itself):
$ systemd-analyze security memory-saturation-exporter.service | grep -v ✓
NAME DESCRIPTION EXPOSURE
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ DeviceAllow= Service has a device ACL with some special devices: char-rtc:r 0.1
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
→ Overall exposure level for memory-saturation-exporter.service: 1.1 OK 🙂
Or set ProtectClock=no and get this:
$ systemd-analyze security memory-saturation-exporter.service | grep -v ✓
NAME DESCRIPTION EXPOSURE
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
✗ ProtectClock= Service may write to the hardware clock or system clock 0.2
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
→ Overall exposure level for memory-saturation-exporter.service: 1.1 OK 🙂
Interestingly, in either case the sum of exposures does not add up to 1.1.
Steps to reproduce the problem
Set ProtectClock=yes for a service and observe the following in systemd-analyze security output:
✗ DeviceAllow= Service has a device ACL with some special devices: char-rtc:r 0.1
Additional program output to the terminal or log subsystem illustrating the issue
No response
The text was updated successfully, but these errors were encountered:
systemd version the issue has been seen with
255.4
Used distribution
Debian Bookworm
Linux kernel version used
6.6.27
CPU architectures issue was seen on
None
Component
No response
Expected behaviour you didn't see
Setting
ProtectClock=yes
doesn't invalidateDeviceAllow=
insystemd-analyze security
.Unexpected behaviour you saw
I can either set
ProtectClock=yes
and get this (no matter what I do withDeviceAllow=
itself):Or set
ProtectClock=no
and get this:Interestingly, in either case the sum of exposures does not add up to 1.1.
Steps to reproduce the problem
Set
ProtectClock=yes
for a service and observe the following insystemd-analyze security
output:Additional program output to the terminal or log subsystem illustrating the issue
No response
The text was updated successfully, but these errors were encountered: