From 734c0901f9156a1d995a6d4b60370e2aeeba6ece Mon Sep 17 00:00:00 2001 From: desbma Date: Fri, 29 Mar 2024 22:00:28 +0100 Subject: [PATCH] chore: more clippy lints --- Cargo.toml | 17 + src/cl.rs | 1 + src/main.rs | 6 +- src/strace/parser.rs | 311 ++++++++------- src/summarize.rs | 26 +- src/systemd/options.rs | 884 ++++++++++++++++++++--------------------- src/systemd/service.rs | 12 +- 7 files changed, 638 insertions(+), 619 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index f941a95..7269157 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -40,6 +40,23 @@ nightly = [] # for tests only as-root = [] +[lints.rust] +missing_docs = "warn" +unsafe_code = "forbid" + +[lints.clippy] +clone_on_ref_ptr = "warn" +dbg_macro = "warn" +format_push_string = "warn" +if_then_some_else_none = "warn" +multiple_inherent_impl = "warn" +ref_patterns = "warn" +semicolon_inside_block = "warn" +str_to_string = "warn" +string_to_string = "warn" +unneeded_field_pattern = "warn" +verbose_file_reads = "warn" + [package.metadata.deb] name = "shh" depends = "$auto, strace" diff --git a/src/cl.rs b/src/cl.rs index c0c6a77..5b753dd 100644 --- a/src/cl.rs +++ b/src/cl.rs @@ -4,6 +4,7 @@ use std::path::PathBuf; use clap::Parser; +/// Command line arguments #[derive(Parser, Debug)] pub struct Args { #[command(subcommand)] diff --git a/src/main.rs b/src/main.rs index b5256cf..b4739b7 100644 --- a/src/main.rs +++ b/src/main.rs @@ -1,3 +1,5 @@ +//! Systemd Hardening Helper + #![cfg_attr(all(feature = "nightly", test), feature(test))] use std::{ @@ -42,7 +44,7 @@ fn main() -> anyhow::Result<()> { let strace_version = strace::StraceVersion::local_system()?; log::info!("Detected versions: Systemd {sd_version}, Linux kernel {kernel_version}, strace {strace_version}"); if strace_version < strace::StraceVersion::new(6, 4) { - log::warn!("Strace version >=6.4 is strongly recommended, if you experience strace output parsing errors, please consider upgrading") + log::warn!("Strace version >=6.4 is strongly recommended, if you experience strace output parsing errors, please consider upgrading"); } // Parse cl args @@ -145,7 +147,7 @@ fn main() -> anyhow::Result<()> { "Resolved systemd options: {}", resolved_opts .iter() - .map(|o| format!("{}", o)) + .map(|o| format!("{o}")) .collect::>() .join(", ") ); diff --git a/src/strace/parser.rs b/src/strace/parser.rs index 35074d7..604f670 100644 --- a/src/strace/parser.rs +++ b/src/strace/parser.rs @@ -253,7 +253,7 @@ fn parse_argument(caps: ®ex::Captures) -> anyhow::Result { .rsplit(' ') .next() .unwrap() - .to_string(); + .to_owned(); Ok(SyscallArg::Integer { value: IntegerExpression::BinaryNot(Box::new(IntegerExpression::NamedConst(name))), metadata: None, @@ -266,7 +266,7 @@ fn parse_argument(caps: ®ex::Captures) -> anyhow::Result { .map(|m| parse_buffer(m.as_str())) .map_or(Ok(None), |v| v.map(Some))?; Ok(SyscallArg::Integer { - value: IntegerExpression::NamedConst(tokens[0].to_string()), + value: IntegerExpression::NamedConst(tokens[0].to_owned()), metadata, }) } else { @@ -277,11 +277,11 @@ fn parse_argument(caps: ®ex::Captures) -> anyhow::Result { IntegerExpression::LeftBitShift { bits: Box::new(IntegerExpression::Literal(1)), shift: Box::new(IntegerExpression::NamedConst( - one_shift.to_string(), + one_shift.to_owned(), )), } } else { - IntegerExpression::NamedConst(t.to_string()) + IntegerExpression::NamedConst(t.to_owned()) } }) .collect(); @@ -293,7 +293,7 @@ fn parse_argument(caps: ®ex::Captures) -> anyhow::Result { } } else if let Some(struct_) = caps.name("struct") { let mut members = HashMap::new(); - let mut struct_ = struct_.as_str().to_string(); + let mut struct_ = struct_.as_str().to_owned(); while !struct_.is_empty() { // dbg!(&struct_); if struct_ == "..." { @@ -311,8 +311,8 @@ fn parse_argument(caps: ®ex::Captures) -> anyhow::Result { .ok_or_else(|| anyhow::anyhow!("Unable to parse struct member value"))?; let v = parse_argument(&caps)?; // dbg!(&v); - members.insert(k.to_string(), v); - struct_ = struct_[k.len() + 1 + caps.get(0).unwrap().len()..struct_.len()].to_string(); + members.insert(k.to_owned(), v); + struct_ = struct_[k.len() + 1 + caps.get(0).unwrap().len()..struct_.len()].to_owned(); } Ok(SyscallArg::Struct(members)) } else if let Some(array) = caps.name("array") { @@ -331,13 +331,13 @@ fn parse_argument(caps: ®ex::Captures) -> anyhow::Result { Ok(SyscallArg::Buffer { value: buf, type_ }) } else if let Some(macro_) = caps.name("macro") { let (name, args) = macro_.as_str().split_once('(').unwrap(); - let args = args[..args.len() - 1].to_string(); + let args = args[..args.len() - 1].to_owned(); let args = ARG_REGEX .captures_iter(&args) .map(|a| parse_argument(&a)) .collect::>()?; Ok(SyscallArg::Macro { - name: name.to_string(), + name: name.to_owned(), args, }) } else if let Some(multiplication) = caps.name("multiplication") { @@ -381,7 +381,7 @@ fn parse_line(line: &str, unfinished_syscalls: &[Syscall]) -> anyhow::Result Ok(OptionValue::Boolean(true)), "false" => Ok(OptionValue::Boolean(false)), - _ => Ok(OptionValue::String(s.to_string())), + _ => Ok(OptionValue::String(s.to_owned())), } } } @@ -224,7 +224,7 @@ impl FromStr for OptionWithValue { .ok_or_else(|| anyhow::anyhow!("Missing '=' char in {s:?}"))?; Ok(Self { - name: name.to_string(), + name: name.to_owned(), value: value.parse().unwrap(), // never fails }) } @@ -273,7 +273,7 @@ impl fmt::Display for OptionWithValue { "{}", values .iter() - .map(|v| v.to_string()) + .map(|v| v.to_owned()) .collect::>() .join(" ") ) @@ -287,545 +287,545 @@ lazy_static! { static ref SYSCALL_CLASSES: HashMap> = HashMap::from([ ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L374 - "aio".to_string(), + "aio".to_owned(), HashSet::from([ - "io_cancel".to_string(), - "io_destroy".to_string(), - "io_getevents".to_string(), - "io_pgetevents".to_string(), - "io_pgetevents_time64".to_string(), - "io_setup".to_string(), - "io_submit".to_string(), - "io_uring_enter".to_string(), - "io_uring_register".to_string(), - "io_uring_setup".to_string(), + "io_cancel".to_owned(), + "io_destroy".to_owned(), + "io_getevents".to_owned(), + "io_pgetevents".to_owned(), + "io_pgetevents_time64".to_owned(), + "io_setup".to_owned(), + "io_submit".to_owned(), + "io_uring_enter".to_owned(), + "io_uring_register".to_owned(), + "io_uring_setup".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L389 - "basic-io".to_string(), + "basic-io".to_owned(), HashSet::from([ - "_llseek".to_string(), - "close".to_string(), - "close_range".to_string(), - "dup".to_string(), - "dup2".to_string(), - "dup3".to_string(), - "lseek".to_string(), - "pread64".to_string(), - "preadv".to_string(), - "preadv2".to_string(), - "pwrite64".to_string(), - "pwritev".to_string(), - "pwritev2".to_string(), - "read".to_string(), - "readv".to_string(), - "write".to_string(), - "writev".to_string(), + "_llseek".to_owned(), + "close".to_owned(), + "close_range".to_owned(), + "dup".to_owned(), + "dup2".to_owned(), + "dup3".to_owned(), + "lseek".to_owned(), + "pread64".to_owned(), + "preadv".to_owned(), + "preadv2".to_owned(), + "pwrite64".to_owned(), + "pwritev".to_owned(), + "pwritev2".to_owned(), + "read".to_owned(), + "readv".to_owned(), + "write".to_owned(), + "writev".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L411 - "chown".to_string(), + "chown".to_owned(), HashSet::from([ - "chown".to_string(), - "chown32".to_string(), - "fchown".to_string(), - "fchown32".to_string(), - "fchownat".to_string(), - "lchown".to_string(), - "lchown32".to_string(), + "chown".to_owned(), + "chown32".to_owned(), + "fchown".to_owned(), + "fchown32".to_owned(), + "fchownat".to_owned(), + "lchown".to_owned(), + "lchown32".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L423 - "clock".to_string(), + "clock".to_owned(), HashSet::from([ - "adjtimex".to_string(), - "clock_adjtime".to_string(), - "clock_adjtime64".to_string(), - "clock_settime".to_string(), - "clock_settime64".to_string(), - "settimeofday".to_string(), + "adjtimex".to_owned(), + "clock_adjtime".to_owned(), + "clock_adjtime64".to_owned(), + "clock_settime".to_owned(), + "clock_settime64".to_owned(), + "settimeofday".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L434 - "cpu-emulation".to_string(), + "cpu-emulation".to_owned(), HashSet::from([ - "modify_ldt".to_string(), - "subpage_prot".to_string(), - "switch_endian".to_string(), - "vm86".to_string(), - "vm86old".to_string(), + "modify_ldt".to_owned(), + "subpage_prot".to_owned(), + "switch_endian".to_owned(), + "vm86".to_owned(), + "vm86old".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L444 - "debug".to_string(), + "debug".to_owned(), HashSet::from([ - "lookup_dcookie".to_string(), - "perf_event_open".to_string(), - "pidfd_getfd".to_string(), - "ptrace".to_string(), - "rtas".to_string(), - "s390_runtime_instr".to_string(), - "sys_debug_setcontext".to_string(), + "lookup_dcookie".to_owned(), + "perf_event_open".to_owned(), + "pidfd_getfd".to_owned(), + "ptrace".to_owned(), + "rtas".to_owned(), + "s390_runtime_instr".to_owned(), + "sys_debug_setcontext".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L456 - "file-system".to_string(), + "file-system".to_owned(), HashSet::from([ - "access".to_string(), - "chdir".to_string(), - "chmod".to_string(), - "close".to_string(), - "creat".to_string(), - "faccessat".to_string(), - "faccessat2".to_string(), - "fallocate".to_string(), - "fchdir".to_string(), - "fchmod".to_string(), - "fchmodat".to_string(), - "fcntl".to_string(), - "fcntl64".to_string(), - "fgetxattr".to_string(), - "flistxattr".to_string(), - "fremovexattr".to_string(), - "fsetxattr".to_string(), - "fstat".to_string(), - "fstat64".to_string(), - "fstatat64".to_string(), - "fstatfs".to_string(), - "fstatfs64".to_string(), - "ftruncate".to_string(), - "ftruncate64".to_string(), - "futimesat".to_string(), - "getcwd".to_string(), - "getdents".to_string(), - "getdents64".to_string(), - "getxattr".to_string(), - "inotify_add_watch".to_string(), - "inotify_init".to_string(), - "inotify_init1".to_string(), - "inotify_rm_watch".to_string(), - "lgetxattr".to_string(), - "link".to_string(), - "linkat".to_string(), - "listxattr".to_string(), - "llistxattr".to_string(), - "lremovexattr".to_string(), - "lsetxattr".to_string(), - "lstat".to_string(), - "lstat64".to_string(), - "mkdir".to_string(), - "mkdirat".to_string(), - "mknod".to_string(), - "mknodat".to_string(), - "newfstatat".to_string(), - "oldfstat".to_string(), - "oldlstat".to_string(), - "oldstat".to_string(), - "open".to_string(), - "openat".to_string(), - "openat2".to_string(), - "readlink".to_string(), - "readlinkat".to_string(), - "removexattr".to_string(), - "rename".to_string(), - "renameat".to_string(), - "renameat2".to_string(), - "rmdir".to_string(), - "setxattr".to_string(), - "stat".to_string(), - "stat64".to_string(), - "statfs".to_string(), - "statfs64".to_string(), - "statx".to_string(), - "symlink".to_string(), - "symlinkat".to_string(), - "truncate".to_string(), - "truncate64".to_string(), - "unlink".to_string(), - "unlinkat".to_string(), - "utime".to_string(), - "utimensat".to_string(), - "utimensat_time64".to_string(), - "utimes".to_string(), + "access".to_owned(), + "chdir".to_owned(), + "chmod".to_owned(), + "close".to_owned(), + "creat".to_owned(), + "faccessat".to_owned(), + "faccessat2".to_owned(), + "fallocate".to_owned(), + "fchdir".to_owned(), + "fchmod".to_owned(), + "fchmodat".to_owned(), + "fcntl".to_owned(), + "fcntl64".to_owned(), + "fgetxattr".to_owned(), + "flistxattr".to_owned(), + "fremovexattr".to_owned(), + "fsetxattr".to_owned(), + "fstat".to_owned(), + "fstat64".to_owned(), + "fstatat64".to_owned(), + "fstatfs".to_owned(), + "fstatfs64".to_owned(), + "ftruncate".to_owned(), + "ftruncate64".to_owned(), + "futimesat".to_owned(), + "getcwd".to_owned(), + "getdents".to_owned(), + "getdents64".to_owned(), + "getxattr".to_owned(), + "inotify_add_watch".to_owned(), + "inotify_init".to_owned(), + "inotify_init1".to_owned(), + "inotify_rm_watch".to_owned(), + "lgetxattr".to_owned(), + "link".to_owned(), + "linkat".to_owned(), + "listxattr".to_owned(), + "llistxattr".to_owned(), + "lremovexattr".to_owned(), + "lsetxattr".to_owned(), + "lstat".to_owned(), + "lstat64".to_owned(), + "mkdir".to_owned(), + "mkdirat".to_owned(), + "mknod".to_owned(), + "mknodat".to_owned(), + "newfstatat".to_owned(), + "oldfstat".to_owned(), + "oldlstat".to_owned(), + "oldstat".to_owned(), + "open".to_owned(), + "openat".to_owned(), + "openat2".to_owned(), + "readlink".to_owned(), + "readlinkat".to_owned(), + "removexattr".to_owned(), + "rename".to_owned(), + "renameat".to_owned(), + "renameat2".to_owned(), + "rmdir".to_owned(), + "setxattr".to_owned(), + "stat".to_owned(), + "stat64".to_owned(), + "statfs".to_owned(), + "statfs64".to_owned(), + "statx".to_owned(), + "symlink".to_owned(), + "symlinkat".to_owned(), + "truncate".to_owned(), + "truncate64".to_owned(), + "unlink".to_owned(), + "unlinkat".to_owned(), + "utime".to_owned(), + "utimensat".to_owned(), + "utimensat_time64".to_owned(), + "utimes".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L537 - "io-event".to_string(), + "io-event".to_owned(), HashSet::from([ - "_newselect".to_string(), - "epoll_create".to_string(), - "epoll_create1".to_string(), - "epoll_ctl".to_string(), - "epoll_ctl_old".to_string(), - "epoll_pwait".to_string(), - "epoll_pwait2".to_string(), - "epoll_wait".to_string(), - "epoll_wait_old".to_string(), - "eventfd".to_string(), - "eventfd2".to_string(), - "poll".to_string(), - "ppoll".to_string(), - "ppoll_time64".to_string(), - "pselect6".to_string(), - "pselect6_time64".to_string(), - "select".to_string(), + "_newselect".to_owned(), + "epoll_create".to_owned(), + "epoll_create1".to_owned(), + "epoll_ctl".to_owned(), + "epoll_ctl_old".to_owned(), + "epoll_pwait".to_owned(), + "epoll_pwait2".to_owned(), + "epoll_wait".to_owned(), + "epoll_wait_old".to_owned(), + "eventfd".to_owned(), + "eventfd2".to_owned(), + "poll".to_owned(), + "ppoll".to_owned(), + "ppoll_time64".to_owned(), + "pselect6".to_owned(), + "pselect6_time64".to_owned(), + "select".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L559 - "ipc".to_string(), + "ipc".to_owned(), HashSet::from([ - "ipc".to_string(), - "memfd_create".to_string(), - "mq_getsetattr".to_string(), - "mq_notify".to_string(), - "mq_open".to_string(), - "mq_timedreceive".to_string(), - "mq_timedreceive_time64".to_string(), - "mq_timedsend".to_string(), - "mq_timedsend_time64".to_string(), - "mq_unlink".to_string(), - "msgctl".to_string(), - "msgget".to_string(), - "msgrcv".to_string(), - "msgsnd".to_string(), - "pipe".to_string(), - "pipe2".to_string(), - "process_madvise".to_string(), - "process_vm_readv".to_string(), - "process_vm_writev".to_string(), - "semctl".to_string(), - "semget".to_string(), - "semop".to_string(), - "semtimedop".to_string(), - "semtimedop_time64".to_string(), - "shmat".to_string(), - "shmctl".to_string(), - "shmdt".to_string(), - "shmget".to_string(), + "ipc".to_owned(), + "memfd_create".to_owned(), + "mq_getsetattr".to_owned(), + "mq_notify".to_owned(), + "mq_open".to_owned(), + "mq_timedreceive".to_owned(), + "mq_timedreceive_time64".to_owned(), + "mq_timedsend".to_owned(), + "mq_timedsend_time64".to_owned(), + "mq_unlink".to_owned(), + "msgctl".to_owned(), + "msgget".to_owned(), + "msgrcv".to_owned(), + "msgsnd".to_owned(), + "pipe".to_owned(), + "pipe2".to_owned(), + "process_madvise".to_owned(), + "process_vm_readv".to_owned(), + "process_vm_writev".to_owned(), + "semctl".to_owned(), + "semget".to_owned(), + "semop".to_owned(), + "semtimedop".to_owned(), + "semtimedop_time64".to_owned(), + "shmat".to_owned(), + "shmctl".to_owned(), + "shmdt".to_owned(), + "shmget".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L592 - "keyring".to_string(), + "keyring".to_owned(), HashSet::from([ - "add_key".to_string(), - "keyctl".to_string(), - "request_key".to_string(), + "add_key".to_owned(), + "keyctl".to_owned(), + "request_key".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L600 - "memlock".to_string(), + "memlock".to_owned(), HashSet::from([ - "mlock".to_string(), - "mlock2".to_string(), - "mlockall".to_string(), - "munlock".to_string(), - "munlockall".to_string(), + "mlock".to_owned(), + "mlock2".to_owned(), + "mlockall".to_owned(), + "munlock".to_owned(), + "munlockall".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L610 - "module".to_string(), + "module".to_owned(), HashSet::from([ - "delete_module".to_string(), - "finit_module".to_string(), - "init_module".to_string(), + "delete_module".to_owned(), + "finit_module".to_owned(), + "init_module".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L618 - "mount".to_string(), + "mount".to_owned(), HashSet::from([ - "chroot".to_string(), - "fsconfig".to_string(), - "fsmount".to_string(), - "fsopen".to_string(), - "fspick".to_string(), - "mount".to_string(), - "mount_setattr".to_string(), - "move_mount".to_string(), - "open_tree".to_string(), - "pivot_root".to_string(), - "umount".to_string(), - "umount2".to_string(), + "chroot".to_owned(), + "fsconfig".to_owned(), + "fsmount".to_owned(), + "fsopen".to_owned(), + "fspick".to_owned(), + "mount".to_owned(), + "mount_setattr".to_owned(), + "move_mount".to_owned(), + "open_tree".to_owned(), + "pivot_root".to_owned(), + "umount".to_owned(), + "umount2".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L635 - "network-io".to_string(), + "network-io".to_owned(), HashSet::from([ - "accept".to_string(), - "accept4".to_string(), - "bind".to_string(), - "connect".to_string(), - "getpeername".to_string(), - "getsockname".to_string(), - "getsockopt".to_string(), - "listen".to_string(), - "recv".to_string(), - "recvfrom".to_string(), - "recvmmsg".to_string(), - "recvmmsg_time64".to_string(), - "recvmsg".to_string(), - "send".to_string(), - "sendmmsg".to_string(), - "sendmsg".to_string(), - "sendto".to_string(), - "setsockopt".to_string(), - "shutdown".to_string(), - "socket".to_string(), - "socketcall".to_string(), - "socketpair".to_string(), + "accept".to_owned(), + "accept4".to_owned(), + "bind".to_owned(), + "connect".to_owned(), + "getpeername".to_owned(), + "getsockname".to_owned(), + "getsockopt".to_owned(), + "listen".to_owned(), + "recv".to_owned(), + "recvfrom".to_owned(), + "recvmmsg".to_owned(), + "recvmmsg_time64".to_owned(), + "recvmsg".to_owned(), + "send".to_owned(), + "sendmmsg".to_owned(), + "sendmsg".to_owned(), + "sendto".to_owned(), + "setsockopt".to_owned(), + "shutdown".to_owned(), + "socket".to_owned(), + "socketcall".to_owned(), + "socketpair".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L662 - "obsolete".to_string(), + "obsolete".to_owned(), HashSet::from([ - "_sysctl".to_string(), - "afs_syscall".to_string(), - "bdflush".to_string(), - "break".to_string(), - "create_module".to_string(), - "ftime".to_string(), - "get_kernel_syms".to_string(), - "getpmsg".to_string(), - "gtty".to_string(), - "idle".to_string(), - "lock".to_string(), - "mpx".to_string(), - "prof".to_string(), - "profil".to_string(), - "putpmsg".to_string(), - "query_module".to_string(), - "security".to_string(), - "sgetmask".to_string(), - "ssetmask".to_string(), - "stime".to_string(), - "stty".to_string(), - "sysfs".to_string(), - "tuxcall".to_string(), - "ulimit".to_string(), - "uselib".to_string(), - "ustat".to_string(), - "vserver".to_string(), + "_sysctl".to_owned(), + "afs_syscall".to_owned(), + "bdflush".to_owned(), + "break".to_owned(), + "create_module".to_owned(), + "ftime".to_owned(), + "get_kernel_syms".to_owned(), + "getpmsg".to_owned(), + "gtty".to_owned(), + "idle".to_owned(), + "lock".to_owned(), + "mpx".to_owned(), + "prof".to_owned(), + "profil".to_owned(), + "putpmsg".to_owned(), + "query_module".to_owned(), + "security".to_owned(), + "sgetmask".to_owned(), + "ssetmask".to_owned(), + "stime".to_owned(), + "stty".to_owned(), + "sysfs".to_owned(), + "tuxcall".to_owned(), + "ulimit".to_owned(), + "uselib".to_owned(), + "ustat".to_owned(), + "vserver".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L695 - "pkey".to_string(), + "pkey".to_owned(), HashSet::from([ - "pkey_alloc".to_string(), - "pkey_free".to_string(), - "pkey_mprotect".to_string(), + "pkey_alloc".to_owned(), + "pkey_free".to_owned(), + "pkey_mprotect".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L703 - "privileged".to_string(), + "privileged".to_owned(), HashSet::from([ - "@chown".to_string(), - "@clock".to_string(), - "@module".to_string(), - "@raw-io".to_string(), - "@reboot".to_string(), - "@swap".to_string(), - "_sysctl".to_string(), - "acct".to_string(), - "bpf".to_string(), - "capset".to_string(), - "chroot".to_string(), - "fanotify_init".to_string(), - "fanotify_mark".to_string(), - "nfsservctl".to_string(), - "open_by_handle_at".to_string(), - "pivot_root".to_string(), - "quotactl".to_string(), - "quotactl_fd".to_string(), - "setdomainname".to_string(), - "setfsuid".to_string(), - "setfsuid32".to_string(), - "setgroups".to_string(), - "setgroups32".to_string(), - "sethostname".to_string(), - "setresuid".to_string(), - "setresuid32".to_string(), - "setreuid".to_string(), - "setreuid32".to_string(), - "setuid".to_string(), - "setuid32".to_string(), - "vhangup".to_string(), + "@chown".to_owned(), + "@clock".to_owned(), + "@module".to_owned(), + "@raw-io".to_owned(), + "@reboot".to_owned(), + "@swap".to_owned(), + "_sysctl".to_owned(), + "acct".to_owned(), + "bpf".to_owned(), + "capset".to_owned(), + "chroot".to_owned(), + "fanotify_init".to_owned(), + "fanotify_mark".to_owned(), + "nfsservctl".to_owned(), + "open_by_handle_at".to_owned(), + "pivot_root".to_owned(), + "quotactl".to_owned(), + "quotactl_fd".to_owned(), + "setdomainname".to_owned(), + "setfsuid".to_owned(), + "setfsuid32".to_owned(), + "setgroups".to_owned(), + "setgroups32".to_owned(), + "sethostname".to_owned(), + "setresuid".to_owned(), + "setresuid32".to_owned(), + "setreuid".to_owned(), + "setreuid32".to_owned(), + "setuid".to_owned(), + "setuid32".to_owned(), + "vhangup".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L739 - "process".to_string(), + "process".to_owned(), HashSet::from([ - "capget".to_string(), - "clone".to_string(), - "clone3".to_string(), - "execveat".to_string(), - "fork".to_string(), - "getrusage".to_string(), - "kill".to_string(), - "pidfd_open".to_string(), - "pidfd_send_signal".to_string(), - "prctl".to_string(), - "rt_sigqueueinfo".to_string(), - "rt_tgsigqueueinfo".to_string(), - "setns".to_string(), - "swapcontext".to_string(), - "tgkill".to_string(), - "times".to_string(), - "tkill".to_string(), - "unshare".to_string(), - "vfork".to_string(), - "wait4".to_string(), - "waitid".to_string(), - "waitpid".to_string(), + "capget".to_owned(), + "clone".to_owned(), + "clone3".to_owned(), + "execveat".to_owned(), + "fork".to_owned(), + "getrusage".to_owned(), + "kill".to_owned(), + "pidfd_open".to_owned(), + "pidfd_send_signal".to_owned(), + "prctl".to_owned(), + "rt_sigqueueinfo".to_owned(), + "rt_tgsigqueueinfo".to_owned(), + "setns".to_owned(), + "swapcontext".to_owned(), + "tgkill".to_owned(), + "times".to_owned(), + "tkill".to_owned(), + "unshare".to_owned(), + "vfork".to_owned(), + "wait4".to_owned(), + "waitid".to_owned(), + "waitpid".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L769 - "raw-io".to_string(), + "raw-io".to_owned(), HashSet::from([ - "ioperm".to_string(), - "iopl".to_string(), - "pciconfig_iobase".to_string(), - "pciconfig_read".to_string(), - "pciconfig_write".to_string(), - "s390_pci_mmio_read".to_string(), - "s390_pci_mmio_write".to_string(), + "ioperm".to_owned(), + "iopl".to_owned(), + "pciconfig_iobase".to_owned(), + "pciconfig_read".to_owned(), + "pciconfig_write".to_owned(), + "s390_pci_mmio_read".to_owned(), + "s390_pci_mmio_write".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L781 - "reboot".to_string(), + "reboot".to_owned(), HashSet::from([ - "kexec_file_load".to_string(), - "kexec_load".to_string(), - "reboot".to_string(), + "kexec_file_load".to_owned(), + "kexec_load".to_owned(), + "reboot".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L789 - "resources".to_string(), + "resources".to_owned(), HashSet::from([ - "ioprio_set".to_string(), - "mbind".to_string(), - "migrate_pages".to_string(), - "move_pages".to_string(), - "nice".to_string(), - "sched_setaffinity".to_string(), - "sched_setattr".to_string(), - "sched_setparam".to_string(), - "sched_setscheduler".to_string(), - "set_mempolicy".to_string(), - "set_mempolicy_home_node".to_string(), - "setpriority".to_string(), - "setrlimit".to_string(), + "ioprio_set".to_owned(), + "mbind".to_owned(), + "migrate_pages".to_owned(), + "move_pages".to_owned(), + "nice".to_owned(), + "sched_setaffinity".to_owned(), + "sched_setattr".to_owned(), + "sched_setparam".to_owned(), + "sched_setscheduler".to_owned(), + "set_mempolicy".to_owned(), + "set_mempolicy_home_node".to_owned(), + "setpriority".to_owned(), + "setrlimit".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L807 - "sandbox".to_string(), + "sandbox".to_owned(), HashSet::from([ - "landlock_add_rule".to_string(), - "landlock_create_ruleset".to_string(), - "landlock_restrict_self".to_string(), - "seccomp".to_string(), + "landlock_add_rule".to_owned(), + "landlock_create_ruleset".to_owned(), + "landlock_restrict_self".to_owned(), + "seccomp".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L816 - "setuid".to_string(), + "setuid".to_owned(), HashSet::from([ - "setgid".to_string(), - "setgid32".to_string(), - "setgroups".to_string(), - "setgroups32".to_string(), - "setregid".to_string(), - "setregid32".to_string(), - "setresgid".to_string(), - "setresgid32".to_string(), - "setresuid".to_string(), - "setresuid32".to_string(), - "setreuid".to_string(), - "setreuid32".to_string(), - "setuid".to_string(), - "setuid32".to_string(), + "setgid".to_owned(), + "setgid32".to_owned(), + "setgroups".to_owned(), + "setgroups32".to_owned(), + "setregid".to_owned(), + "setregid32".to_owned(), + "setresgid".to_owned(), + "setresgid32".to_owned(), + "setresuid".to_owned(), + "setresuid32".to_owned(), + "setreuid".to_owned(), + "setreuid32".to_owned(), + "setuid".to_owned(), + "setuid32".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L835 - "signal".to_string(), + "signal".to_owned(), HashSet::from([ - "rt_sigaction".to_string(), - "rt_sigpending".to_string(), - "rt_sigprocmask".to_string(), - "rt_sigsuspend".to_string(), - "rt_sigtimedwait".to_string(), - "rt_sigtimedwait_time64".to_string(), - "sigaction".to_string(), - "sigaltstack".to_string(), - "signal".to_string(), - "signalfd".to_string(), - "signalfd4".to_string(), - "sigpending".to_string(), - "sigprocmask".to_string(), - "sigsuspend".to_string(), + "rt_sigaction".to_owned(), + "rt_sigpending".to_owned(), + "rt_sigprocmask".to_owned(), + "rt_sigsuspend".to_owned(), + "rt_sigtimedwait".to_owned(), + "rt_sigtimedwait_time64".to_owned(), + "sigaction".to_owned(), + "sigaltstack".to_owned(), + "signal".to_owned(), + "signalfd".to_owned(), + "signalfd4".to_owned(), + "sigpending".to_owned(), + "sigprocmask".to_owned(), + "sigsuspend".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L854 - "swap".to_string(), + "swap".to_owned(), HashSet::from([ - "swapoff".to_string(), - "swapon".to_string(), + "swapoff".to_owned(), + "swapon".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L861 - "sync".to_string(), + "sync".to_owned(), HashSet::from([ - "fdatasync".to_string(), - "fsync".to_string(), - "msync".to_string(), - "sync".to_string(), - "sync_file_range".to_string(), - "sync_file_range2".to_string(), - "syncfs".to_string(), + "fdatasync".to_owned(), + "fsync".to_owned(), + "msync".to_owned(), + "sync".to_owned(), + "sync_file_range".to_owned(), + "sync_file_range2".to_owned(), + "syncfs".to_owned(), ]) ), ( // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L939 - "timer".to_string(), + "timer".to_owned(), HashSet::from([ - "alarm".to_string(), - "getitimer".to_string(), - "setitimer".to_string(), - "timer_create".to_string(), - "timer_delete".to_string(), - "timer_getoverrun".to_string(), - "timer_gettime".to_string(), - "timer_gettime64".to_string(), - "timer_settime".to_string(), - "timer_settime64".to_string(), - "timerfd_create".to_string(), - "timerfd_gettime".to_string(), - "timerfd_gettime64".to_string(), - "timerfd_settime".to_string(), - "timerfd_settime64".to_string(), - "times".to_string(), + "alarm".to_owned(), + "getitimer".to_owned(), + "setitimer".to_owned(), + "timer_create".to_owned(), + "timer_delete".to_owned(), + "timer_getoverrun".to_owned(), + "timer_gettime".to_owned(), + "timer_gettime64".to_owned(), + "timer_settime".to_owned(), + "timer_settime64".to_owned(), + "timerfd_create".to_owned(), + "timerfd_gettime".to_owned(), + "timerfd_gettime64".to_owned(), + "timerfd_settime".to_owned(), + "timerfd_settime64".to_owned(), + "times".to_owned(), ]) ), ]); @@ -865,20 +865,20 @@ pub fn build_options( exceptions: vec![], })); options.push(OptionDescription { - name: "ProtectSystem".to_string(), + name: "ProtectSystem".to_owned(), possible_values: vec![ OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::Multiple(protect_system_yes_nowrite)), }, OptionValueDescription { - value: OptionValue::String("full".to_string()), + value: OptionValue::String("full".to_owned()), desc: OptionEffect::Simple(OptionValueEffect::Multiple( protect_system_full_nowrite, )), }, OptionValueDescription { - value: OptionValue::String("strict".to_string()), + value: OptionValue::String("strict".to_owned()), desc: OptionEffect::Simple(OptionValueEffect::DenyWrite(PathDescription::Base { base: "/".into(), exceptions: vec!["/dev/".into(), "/proc/".into(), "/sys/".into()], @@ -890,10 +890,10 @@ pub fn build_options( // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectHome= let home_paths = ["/home/", "/root/", "/run/user/"]; options.push(OptionDescription { - name: "ProtectHome".to_string(), + name: "ProtectHome".to_owned(), possible_values: vec![ OptionValueDescription { - value: OptionValue::String("read-only".to_string()), + value: OptionValue::String("read-only".to_owned()), desc: OptionEffect::Simple(OptionValueEffect::Multiple( home_paths .iter() @@ -921,7 +921,7 @@ pub fn build_options( )), }, OptionValueDescription { - value: OptionValue::String("tmpfs".to_string()), + value: OptionValue::String("tmpfs".to_owned()), desc: OptionEffect::Simple(OptionValueEffect::Multiple( home_paths .iter() @@ -945,7 +945,7 @@ pub fn build_options( // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp= options.push(OptionDescription { - name: "PrivateTmp".to_string(), + name: "PrivateTmp".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::Multiple(vec![ @@ -963,7 +963,7 @@ pub fn build_options( // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateDevices= options.push(OptionDescription { - name: "PrivateDevices".to_string(), + name: "PrivateDevices".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::Multiple(vec![ @@ -988,14 +988,14 @@ pub fn build_options( .map(|p| PathBuf::from("/dev/").join(p)) .collect(), }), - OptionValueEffect::DenySyscalls(DenySyscalls::Class("raw-io".to_string())), + OptionValueEffect::DenySyscalls(DenySyscalls::Class("raw-io".to_owned())), ])), }], }); // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelTunables= options.push(OptionDescription { - name: "ProtectKernelTunables".to_string(), + name: "ProtectKernelTunables".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::Multiple( @@ -1041,7 +1041,7 @@ pub fn build_options( // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelModules= options.push(OptionDescription { - name: "ProtectKernelModules".to_string(), + name: "ProtectKernelModules".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::Multiple(vec![ @@ -1054,14 +1054,14 @@ pub fn build_options( base: "/usr/lib/modules/".into(), exceptions: vec![], }), - OptionValueEffect::DenySyscalls(DenySyscalls::Class("module".to_string())), + OptionValueEffect::DenySyscalls(DenySyscalls::Class("module".to_owned())), ])), }], }); // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectKernelLogs= options.push(OptionDescription { - name: "ProtectKernelLogs".to_string(), + name: "ProtectKernelLogs".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::Multiple(vec![ @@ -1080,7 +1080,7 @@ pub fn build_options( // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectControlGroups= options.push(OptionDescription { - name: "ProtectControlGroups".to_string(), + name: "ProtectControlGroups".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::DenyWrite(PathDescription::Base { @@ -1098,11 +1098,11 @@ pub fn build_options( && (kernel_version >= &KernelVersion::new(5, 8, 0)) { options.push(OptionDescription { - name: "ProtectProc".to_string(), + name: "ProtectProc".to_owned(), // Since we have no easy & reliable (race free) way to know which process belongs to // which user, only support the most restrictive option possible_values: vec![OptionValueDescription { - value: OptionValue::String("ptraceable".to_string()), + value: OptionValue::String("ptraceable".to_owned()), desc: OptionEffect::Simple(OptionValueEffect::Hide(PathDescription::Pattern( regex::bytes::Regex::new("^/proc/[0-9]+(/|$)").unwrap(), ))), @@ -1113,7 +1113,7 @@ pub fn build_options( // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute= // https://github.com/systemd/systemd/blob/v254/src/shared/seccomp-util.c#L1721 options.push(OptionDescription { - name: "MemoryDenyWriteExecute".to_string(), + name: "MemoryDenyWriteExecute".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::DenyWriteExecuteMemoryMapping), @@ -1168,18 +1168,18 @@ pub fn build_options( "AF_XDP", ]; options.push(OptionDescription { - name: "RestrictAddressFamilies".to_string(), + name: "RestrictAddressFamilies".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::List { values: afs.iter().map(|s| s.to_string()).collect(), - value_if_empty: Some("none".to_string()), + value_if_empty: Some("none".to_owned()), negation_prefix: false, repeat_option: false, mode: ListMode::WhiteList, }, desc: OptionEffect::Cumulative( afs.into_iter() - .map(|af| OptionValueEffect::DenySocketFamily(af.to_string())) + .map(|af| OptionValueEffect::DenySocketFamily(af.to_owned())) .collect(), ), }], @@ -1192,12 +1192,12 @@ pub fn build_options( // a socket file descriptor is passed to it from another process. // Although this is probably a very rare/niche case, it is possible, so we consider it only in aggressive mode options.push(OptionDescription { - name: "PrivateNetwork".to_string(), + name: "PrivateNetwork".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::Multiple( afs.into_iter() - .map(|af| OptionValueEffect::DenySocketFamily(af.to_string())) + .map(|af| OptionValueEffect::DenySocketFamily(af.to_owned())) .collect(), )), }], @@ -1212,7 +1212,7 @@ pub fn build_options( .cartesian_product(SocketProtocol::iter()) .collect(); options.push(OptionDescription { - name: "SocketBindDeny".to_string(), + name: "SocketBindDeny".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::List { values: deny_binds @@ -1235,21 +1235,21 @@ pub fn build_options( // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#LockPersonality= options.push(OptionDescription { - name: "LockPersonality".to_string(), + name: "LockPersonality".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), // In practice, the option allows the call if the default personality is set, but we don't // need to model that level of precision. // The "deny" modeling prevents false positives desc: OptionEffect::Simple(OptionValueEffect::DenySyscalls(DenySyscalls::Single( - "personality".to_string(), + "personality".to_owned(), ))), }], }); // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#RestrictRealtime= options.push(OptionDescription { - name: "RestrictRealtime".to_string(), + name: "RestrictRealtime".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), desc: OptionEffect::Simple(OptionValueEffect::DenyRealtimeScheduler), @@ -1258,12 +1258,12 @@ pub fn build_options( // https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectClock= options.push(OptionDescription { - name: "ProtectClock".to_string(), + name: "ProtectClock".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::Boolean(true), // This option essentially does the same thing as deny @clock desc: OptionEffect::Simple(OptionValueEffect::DenySyscalls(DenySyscalls::Class( - "clock".to_string(), + "clock".to_owned(), ))), }], }); @@ -1281,7 +1281,7 @@ pub fn build_options( let mut syscall_classes: Vec<_> = SYSCALL_CLASSES.keys().cloned().collect(); syscall_classes.sort(); options.push(OptionDescription { - name: "SystemCallFilter".to_string(), + name: "SystemCallFilter".to_owned(), possible_values: vec![OptionValueDescription { value: OptionValue::List { values: syscall_classes @@ -1308,9 +1308,9 @@ pub fn build_options( // This is actually very safe to enable, but since we don't currently support checking for its // compatibility during profiling, only enable it in aggressive mode options.push(OptionDescription { - name: "SystemCallArchitectures".to_string(), + name: "SystemCallArchitectures".to_owned(), possible_values: vec![OptionValueDescription { - value: OptionValue::String("native".to_string()), + value: OptionValue::String("native".to_owned()), desc: OptionEffect::None, }], }); diff --git a/src/systemd/service.rs b/src/systemd/service.rs index 21f0a48..7564098 100644 --- a/src/systemd/service.rs +++ b/src/systemd/service.rs @@ -26,12 +26,12 @@ impl Service { pub fn new(unit: &str) -> Self { if let Some((name, arg)) = unit.split_once('@') { Self { - name: name.to_string(), - arg: Some(arg.to_string()), + name: name.to_owned(), + arg: Some(arg.to_owned()), } } else { Self { - name: unit.to_string(), + name: unit.to_owned(), arg: None, } } @@ -44,7 +44,7 @@ impl Service { if let Some(arg) = self.arg.as_ref() { format!("@{arg}") } else { - "".to_string() + "".to_owned() } ) } @@ -106,7 +106,7 @@ impl Service { let shh_bin = env::current_exe()? .to_str() .ok_or_else(|| anyhow::anyhow!("Unable to decode current executable path"))? - .to_string(); + .to_owned(); // Wrap all ExecStartXxx directives let mut exec_start_idx = 1; @@ -278,7 +278,7 @@ impl Service { .map(|l| l.starts_with(&format!("{key}="))) .unwrap_or(true) }) - .map(|l| l.map(|l| l.split_once('=').unwrap().1.trim().to_string())) + .map(|l| l.map(|l| l.split_once('=').unwrap().1.trim().to_owned())) .collect::, _>>()?; while let Some(clear_idx) = new_vals.iter().position(|v| v.is_empty()) { new_vals = new_vals[clear_idx + 1..].to_vec();