Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ProtectClock= is incompatible with DeviceAllow= in systemd-analyze security #32513

Open
bobrik opened this issue Apr 26, 2024 · 0 comments
Open

ProtectClock= is incompatible with DeviceAllow= in systemd-analyze security #32513

bobrik opened this issue Apr 26, 2024 · 0 comments
Labels
analyze bug 🐛 Programming errors, that need preferential fixing

Comments

@bobrik
Copy link

bobrik commented Apr 26, 2024

systemd version the issue has been seen with

255.4

Used distribution

Debian Bookworm

Linux kernel version used

6.6.27

CPU architectures issue was seen on

None

Component

No response

Expected behaviour you didn't see

Setting ProtectClock=yes doesn't invalidate DeviceAllow= in systemd-analyze security.

Unexpected behaviour you saw

I can either set ProtectClock=yes and get this (no matter what I do with DeviceAllow= itself):

$ systemd-analyze security memory-saturation-exporter.service | grep -v ✓
  NAME                                                        DESCRIPTION                                                                   EXPOSURE
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                      0.1
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                              0.3
✗ PrivateNetwork=                                             Service has access to the host's network                                           0.5
✗ DeviceAllow=                                                Service has a device ACL with some special devices: char-rtc:r                     0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                   0.2

→ Overall exposure level for memory-saturation-exporter.service: 1.1 OK 🙂

Or set ProtectClock=no and get this:

$ systemd-analyze security memory-saturation-exporter.service | grep -v ✓
  NAME                                                        DESCRIPTION                                                                   EXPOSURE
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                      0.1
✗ ProtectClock=                                               Service may write to the hardware clock or system clock                            0.2
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                              0.3
✗ PrivateNetwork=                                             Service has access to the host's network                                           0.5
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                   0.2

→ Overall exposure level for memory-saturation-exporter.service: 1.1 OK 🙂

Interestingly, in either case the sum of exposures does not add up to 1.1.

Steps to reproduce the problem

Set ProtectClock=yes for a service and observe the following in systemd-analyze security output:

✗ DeviceAllow=                                                Service has a device ACL with some special devices: char-rtc:r                     0.1

Additional program output to the terminal or log subsystem illustrating the issue

No response
@bobrik bobrik added the bug 🐛 Programming errors, that need preferential fixing label Apr 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
analyze bug 🐛 Programming errors, that need preferential fixing
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bobrik @YHNdnzj