feat: changeable effects (WIP)
desbma-s1n committed Nov 15, 2024
1 parent baeea83 commit 7743017
Showing 3 changed files with 190 additions and 36 deletions.
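--- a/src/summarize.rs
+++ b/src/summarize.rs
@@ -90,7 +90,7 @@ impl ValueCounted for u16 {
 }
 }
 
-impl<T: Eq + ValueCounted> CountableSetSpecifier<T> {
+impl<T: Eq + Ord + Clone + ValueCounted> CountableSetSpecifier<T> {
 fn contains_one(&self, needle: &T) -> bool {
 match self {
 Self::None => false,
@@ -116,6 +116,31 @@ impl<T: Eq + ValueCounted> CountableSetSpecifier<T> {
 Self::All => !matches!(other, Self::None),
 }
 }
+
+/// Remove a single element from the set
+/// The element to remove **must** be in the set, otherwise may panic
+#[expect(clippy::unwrap_used)]
+pub(crate) fn remove(&mut self, to_rm: &Self) {
+debug_assert!(self.intersects(to_rm));
+let Self::One(e) = to_rm else { unreachable!() };
+match self {
+Self::None => unreachable!(),
+Self::One(_) => {
+*self = Self::None;
+}
+Self::Some(es) => {
+let idx = es.iter().position(|e2| e == e2).unwrap();
+es.remove(idx);
+}
+Self::AllExcept(excs) => {
+let idx = excs.binary_search(e).unwrap_err();
+excs.insert(idx, e.to_owned());
+}
+Self::All => {
+*self = Self::AllExcept(vec![e.to_owned()]);
+}
+}
+}
 }
 
 /// Quantify something that is done or denied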
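Review bot: The `Self::One(_)` arm of `remove` sets `*self = Self::None` without comparing the stored element with `e`, and the only precondition check is `debug_assert!(self.intersects(to_rm))`, which release builds compile out, so removing an element that is not in the set silently empties it instead of panicking as the doc comment says. Matching `Self::One(e2) if e2 == e => *self = Self::None,` and sending the remaining `One`/`None` cases to `unreachable!()` keeps that failure loud. The `Self::Some(es)` arm can leave an empty vector behind, and the `Self::All => !matches!(other, Self::None)` arm of `intersects` shown just above would then report an intersection with an empty set; adding `if es.is_empty() { *self = Self::None; }` after `es.remove(idx)` keeps the representation canonical. The `AllExcept` arm also assumes `excs` is kept sorted for `binary_search`, which this section does not show. If these sets back the allow/deny effects computed for hardening options (not visible here), a wrong result could skew which options are judged safe to enable, so a unit test per variant is worth adding.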
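--- a/src/systemd/options.rs
+++ b/src/systemd/options.rs
@@ -20,11 +20,14 @@ use crate::{
 systemd::{KernelVersion, SystemdVersion},
 };
 
+use super::resolver::OptionValueUpdater;
+
 /// Systemd option with its possibles values, and their effect
 #[derive(Debug)]
 pub(crate) struct OptionDescription {
 pub name: &'static str,
 pub possible_values: Vec<OptionValueDescription>,
+pub value_updater: Option<OptionValueUpdater>,
 }
 
 impl fmt::Display for OptionDescription {
@@ -862,6 +865,7 @@ pub(crate) fn build_options(
 })),
 },
 ],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome=
@@ -918,6 +922,7 @@ pub(crate) fn build_options(
 )),
 },
 ],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
@@ -936,6 +941,7 @@ pub(crate) fn build_options(
 }),
 ])),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices=
@@ -968,6 +974,7 @@ pub(crate) fn build_options(
 OptionValueEffect::DenySyscalls(DenySyscalls::Class("raw-io")),
 ])),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables=
@@ -1014,6 +1021,7 @@ pub(crate) fn build_options(
 .collect(),
 )),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules=
@@ -1034,6 +1042,7 @@ pub(crate) fn build_options(
 OptionValueEffect::DenySyscalls(DenySyscalls::Class("module")),
 ])),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelLogs=
@@ -1053,6 +1062,7 @@ pub(crate) fn build_options(
 }),
 ])),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectControlGroups=
@@ -1065,6 +1075,7 @@ pub(crate) fn build_options(
 exceptions: vec![],
 })),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=
@@ -1085,6 +1096,7 @@ pub(crate) fn build_options(
 regex::bytes::Regex::new("^/proc/[0-9]+(/|$)").unwrap(),
 ))),
 }],
+value_updater: None,
 });
 }
 
@@ -1098,6 +1110,7 @@ pub(crate) fn build_options(
 ProgramAction::WriteExecuteMemoryMapping,
 )),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictAddressFamilies=
@@ -1173,6 +1186,7 @@ pub(crate) fn build_options(
 .collect(),
 ),
 }],
+value_updater: None,
 });
 
 if let HardeningMode::Aggressive = mode {
@@ -1194,6 +1208,7 @@ pub(crate) fn build_options(
 }),
 )),
 }],
+value_updater: None,
 });
 }
 
@@ -1234,6 +1249,7 @@ pub(crate) fn build_options(
 .collect(),
 ),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LockPersonality=
@@ -1248,6 +1264,7 @@ pub(crate) fn build_options(
 "personality",
 ))),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictRealtime=
@@ -1259,6 +1276,7 @@ pub(crate) fn build_options(
 ProgramAction::SetRealtimeScheduler,
 )),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock=
@@ -1271,6 +1289,7 @@ pub(crate) fn build_options(
 "clock",
 ))),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#CapabilityBoundingSet=
@@ -1430,6 +1449,7 @@ pub(crate) fn build_options(
 },
 desc: OptionEffect::Cumulative(cap_effects.into_iter().map(|(_c, e)| e).collect()),
 }],
+value_updater: None,
 });
 
 // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
@@ -1464,6 +1484,7 @@ pub(crate) fn build_options(
 .collect(),
 ),
 }],
+value_updater: None,
 });
 
 if let HardeningMode::Aggressive = mode {
@@ -1477,6 +1498,7 @@ pub(crate) fn build_options(
 value: OptionValue::String("native".to_owned()),
 desc: OptionEffect::None,
 }],
+value_updater: None,
 });
 }
 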
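Review bot: The new `pub value_updater: Option<OptionValueUpdater>` field on `OptionDescription` has no doc comment, and every initialiser added in `build_options` sets it to `None`, so nothing in this file shows when an updater runs or what `None` means for an option. A field comment along the lines of `/// Optional hook the resolver uses to adjust this option's value; None keeps the listed values fixed` would help, if that is the intent (inferred only from the `resolver::OptionValueUpdater` name). Because the struct derives `Debug`, `OptionValueUpdater` must implement `Debug` too; its definition is outside this file section. As a style point, the same `value_updater: None,` line repeated in each `OptionDescription` literal could be confined to one place with a small constructor, so later options cannot pick up a wrong default by copy-paste.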