feat: add systemd option whitelist for testing
desbma committed Feb 5, 2025
1 parent d8b6ac5 commit 1bd3d49
Showing 3 changed files with 23 additions and 12 deletions.
7 changes: 7 additions & 0 deletions src/cl.rs
Expand Up @@ -43,6 +43,11 @@ pub(crate) struct HardeningOptions {
/// try to merge paths with the same parent
#[arg(long, default_value = "5")]
pub merge_paths_threshold: NonZeroUsize,
/// Disable all systemd options except for these (case sensitive).
/// Opther options may be generated when mutating options to make them compatible.
/// For testing only
#[arg(long, num_args=1..)]
pub systemd_options: Option<Vec<String>>,
}

impl HardeningOptions {
Expand All @@ -55,6 +60,7 @@ impl HardeningOptions {
filesystem_whitelisting: false,
#[expect(clippy::unwrap_used)]
merge_paths_threshold: NonZeroUsize::new(1).unwrap(),
systemd_options: None,
}
}

Expand All @@ -66,6 +72,7 @@ impl HardeningOptions {
filesystem_whitelisting: true,
#[expect(clippy::unwrap_used)]
merge_paths_threshold: NonZeroUsize::new(usize::MAX).unwrap(),
systemd_options: None,
}
}

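Review bot: The new `systemd_options` flag is documented as "For testing only", yet it is a plain `#[arg(long, num_args=1..)]` that will be listed in `--help` unless hidden, and anyone who passes it gets a profile with every other hardening option dropped. Consider `#[arg(long, num_args = 1.., hide = true)]`, or gating the field behind `#[cfg(debug_assertions)]`, so it cannot be mistaken for a supported way to tune hardening. The doc comment also has a typo: `Opther options may be generated` should read `Other options may be generated`. The `HardeningOptions` struct and the two constructors continue outside the hunks.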
4 changes: 4 additions & 0 deletions src/systemd/options.rs
Expand Up @@ -2143,6 +2143,10 @@ pub(crate) fn build_options(
});
}

if let Some(options_to_keep) = &hardening_opts.systemd_options {
options.retain(|o| options_to_keep.iter().any(|k| o.name == k));
}

log::debug!("{options:#?}");
Ok(options)
}
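Review bot: A whitelist entry that matches no option name is silently ignored by the `retain` call, so a misspelled name (the comparison is exact and case-sensitive) leaves the caller with fewer options than intended and no indication why. Since this is a test hook, a loud check after the filter is cheap, e.g. `for k in options_to_keep { debug_assert!(options.iter().any(|o| o.name == k), "unknown systemd option {k:?}"); }`, or a `log::warn!` if a hard failure is not wanted. `build_options` starts before this hunk.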
24 changes: 12 additions & 12 deletions src/systemd/resolver.rs
Expand Up @@ -380,22 +380,24 @@ mod tests {
systemd::{build_options, KernelVersion, SystemdVersion},
};

fn test_options(names: &[&str]) -> Vec<OptionDescription> {
fn test_options_safe(names: &[&str]) -> (Vec<OptionDescription>, HardeningOptions) {
let sd_version = SystemdVersion::new(254, 0);
let kernel_version = KernelVersion::new(6, 4, 0);
build_options(&sd_version, &kernel_version, &HardeningOptions::safe())
.unwrap()
.into_iter()
.filter(|o| names.contains(&o.name))
.collect()
let hardening_opts = HardeningOptions {
systemd_options: Some(names.iter().map(|n| (*n).to_owned()).collect()),
..HardeningOptions::safe()
};
(
build_options(&sd_version, &kernel_version, &hardening_opts).unwrap(),
hardening_opts,
)
}

#[test]
fn test_resolve_protect_system() {
let _ = simple_logger::SimpleLogger::new().init();
let hardening_opts = HardeningOptions::safe();

let opts = test_options(&["ProtectSystem"]);
let (opts, hardening_opts) = test_options_safe(&["ProtectSystem"]);

let actions = vec![];
let candidates = resolve(&opts, &actions, &hardening_opts);
Expand Down Expand Up @@ -425,9 +427,8 @@ mod tests {
#[test]
fn test_resolve_protect_home() {
let _ = simple_logger::SimpleLogger::new().init();
let hardening_opts = HardeningOptions::safe();

let opts = test_options(&["ProtectHome"]);
let (opts, hardening_opts) = test_options_safe(&["ProtectHome"]);

let actions = vec![];
let candidates = resolve(&opts, &actions, &hardening_opts);
Expand Down Expand Up @@ -516,9 +517,8 @@ mod tests {
#[test]
fn test_resolve_private_tmp() {
let _ = simple_logger::SimpleLogger::new().init();
let hardening_opts = HardeningOptions::safe();

let opts = test_options(&["PrivateTmp"]);
let (opts, hardening_opts) = test_options_safe(&["PrivateTmp"]);

let actions = vec![];
let candidates = resolve(&opts, &actions, &hardening_opts);
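Review bot: A misspelled name passed to `test_options_safe` yields an empty option list silently, because the whitelist is an exact match and the helper returns whatever `build_options` left; the test then fails later in the `resolve` assertions rather than at the cause. Binding the result first and adding `assert!(!opts.is_empty(), "no option matched {names:?}");` before returning the tuple would localise that (an `assert_eq!(opts.len(), names.len())` would be stricter, if each name maps to exactly one option, which is not visible here). The helper would also benefit from a doc comment such as `/// Safe-profile options restricted to names, plus the HardeningOptions used to build them.` The enclosing `mod tests` starts before and continues past these hunks.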
