doc: add autogenerated list of supported systemd options

synacktiv · Nov 3, 2024 · 9ea16cb · 9ea16cb
1 parent 7620b50
commit 9ea16cb
Show file tree

Hide file tree

Showing 6 changed files with 160 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -10,6 +10,8 @@ See [this article](https://www.synacktiv.com/publications/systemd-hardening-made
 
 [Official repository](https://github.com/desbma/shh) - [Mirror repository](https://github.com/synacktiv/shh)
 
+[Currently supported systemd options](systemd_options.md)
+
 ## Installation
 
 ### Dependencies

diff --git a/release b/release
@@ -14,7 +14,9 @@ cargo update
 cargo check
 cargo test --bins
 
-git add Cargo.{toml,lock}
+RUST_LOG=warn cargo run -- list-systemd-options > systemd_options.md
+
+git add Cargo.{toml,lock} systemd_options.md
 
 git commit -m "chore: version ${VERSION}"
 git tag -f -m "Version ${VERSION}" "${VERSION}"
diff --git a/src/cl.rs b/src/cl.rs
@@ -54,6 +54,8 @@ pub(crate) enum Action {
     /// Act on a systemd service unit
     #[clap(subcommand)]
     Service(ServiceAction),
+    /// Dump markdown formatted list of supported systemd options
+    ListSystemdOptions,
 }
 
 #[derive(Debug, clap::Subcommand)]

diff --git a/src/main.rs b/src/main.rs
@@ -173,6 +173,28 @@ fn main() -> anyhow::Result<()> {
             service.reload_unit_config()?;
             service.action("try-restart", false)?;
         }
+        cl::Action::ListSystemdOptions => {
+            println!("# Supported systemd options");
+            let mut sd_opts =
+                sd_options(&sd_version, &kernel_version, &cl::HardeningMode::Aggressive);
+            sd_opts.sort_unstable_by_key(|o| o.name);
+            for sd_opt in sd_opts {
+                println!("- [`{sd_opt}`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#{sd_opt}=)");
+                for opt_val in sd_opt.possible_values {
+                    match opt_val.value {
+                        systemd::OptionValue::Boolean(v) => {
+                            println!("    - `{}`", if v { "true" } else { "false" });
+                        }
+                        systemd::OptionValue::String(v) => println!("    - `{v}`"),
+                        systemd::OptionValue::List { values, .. } => {
+                            for val in values {
+                                println!("    - `{val}`");
+                            }
+                        }
+                    }
+                }
+            }
+        }
     }
 
     Ok(())

diff --git a/src/systemd/mod.rs b/src/systemd/mod.rs
@@ -5,7 +5,9 @@ mod resolver;
 mod service;
 mod version;
 
-pub(crate) use options::{build_options, OptionDescription, SocketFamily, SocketProtocol};
+pub(crate) use options::{
+    build_options, OptionDescription, OptionValue, SocketFamily, SocketProtocol,
+};
 pub(crate) use resolver::resolve;
 pub(crate) use service::Service;
 pub(crate) use version::{KernelVersion, SystemdVersion};

diff --git a/systemd_options.md b/systemd_options.md
@@ -0,0 +1,128 @@
+# Supported systemd options
+- [`CapabilityBoundingSet`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#CapabilityBoundingSet=)
+    - `CAP_BLOCK_SUSPEND`
+    - `CAP_BPF`
+    - `CAP_CHOWN`
+    - `CAP_MKNOD`
+    - `CAP_NET_RAW`
+    - `CAP_PERFMON`
+    - `CAP_SYS_BOOT`
+    - `CAP_SYS_CHROOT`
+    - `CAP_SYS_MODULE`
+    - `CAP_SYS_NICE`
+    - `CAP_SYS_PACCT`
+    - `CAP_SYS_PTRACE`
+    - `CAP_SYS_TIME`
+    - `CAP_SYS_TTY_CONFIG`
+    - `CAP_SYSLOG`
+    - `CAP_WAKE_ALARM`
+- [`LockPersonality`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#LockPersonality=)
+    - `true`
+- [`MemoryDenyWriteExecute`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#MemoryDenyWriteExecute=)
+    - `true`
+- [`PrivateDevices`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateDevices=)
+    - `true`
+- [`PrivateNetwork`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork=)
+    - `true`
+- [`PrivateTmp`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateTmp=)
+    - `true`
+- [`ProtectClock`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectClock=)
+    - `true`
+- [`ProtectControlGroups`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectControlGroups=)
+    - `true`
+- [`ProtectHome`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectHome=)
+    - `read-only`
+    - `true`
+    - `tmpfs`
+- [`ProtectKernelLogs`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectKernelLogs=)
+    - `true`
+- [`ProtectKernelModules`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectKernelModules=)
+    - `true`
+- [`ProtectKernelTunables`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectKernelTunables=)
+    - `true`
+- [`ProtectProc`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectProc=)
+    - `ptraceable`
+- [`ProtectSystem`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#ProtectSystem=)
+    - `true`
+    - `full`
+    - `strict`
+- [`RestrictAddressFamilies`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RestrictAddressFamilies=)
+    - `AF_ALG`
+    - `AF_APPLETALK`
+    - `AF_ATMPVC`
+    - `AF_ATMSVC`
+    - `AF_AX25`
+    - `AF_BLUETOOTH`
+    - `AF_BRIDGE`
+    - `AF_CAIF`
+    - `AF_CAN`
+    - `AF_DECnet`
+    - `AF_ECONET`
+    - `AF_IB`
+    - `AF_IEEE802154`
+    - `AF_INET`
+    - `AF_INET6`
+    - `AF_IPX`
+    - `AF_IRDA`
+    - `AF_ISDN`
+    - `AF_IUCV`
+    - `AF_KCM`
+    - `AF_KEY`
+    - `AF_LLC`
+    - `AF_LOCAL`
+    - `AF_MPLS`
+    - `AF_NETBEUI`
+    - `AF_NETLINK`
+    - `AF_NETROM`
+    - `AF_PACKET`
+    - `AF_PHONET`
+    - `AF_PPPOX`
+    - `AF_QIPCRTR`
+    - `AF_RDS`
+    - `AF_ROSE`
+    - `AF_RXRPC`
+    - `AF_SECURITY`
+    - `AF_SMC`
+    - `AF_TIPC`
+    - `AF_UNIX`
+    - `AF_VSOCK`
+    - `AF_WANPIPE`
+    - `AF_X25`
+    - `AF_XDP`
+- [`RestrictRealtime`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#RestrictRealtime=)
+    - `true`
+- [`SocketBindDeny`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#SocketBindDeny=)
+    - `ipv4:tcp`
+    - `ipv4:udp`
+    - `ipv6:tcp`
+    - `ipv6:udp`
+- [`SystemCallArchitectures`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#SystemCallArchitectures=)
+    - `native`
+- [`SystemCallFilter`](https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#SystemCallFilter=)
+    - `@aio:EPERM`
+    - `@basic-io:EPERM`
+    - `@chown:EPERM`
+    - `@clock:EPERM`
+    - `@cpu-emulation:EPERM`
+    - `@debug:EPERM`
+    - `@file-system:EPERM`
+    - `@io-event:EPERM`
+    - `@ipc:EPERM`
+    - `@keyring:EPERM`
+    - `@memlock:EPERM`
+    - `@module:EPERM`
+    - `@mount:EPERM`
+    - `@network-io:EPERM`
+    - `@obsolete:EPERM`
+    - `@pkey:EPERM`
+    - `@privileged:EPERM`
+    - `@process:EPERM`
+    - `@raw-io:EPERM`
+    - `@reboot:EPERM`
+    - `@resources:EPERM`
+    - `@sandbox:EPERM`
+    - `@setuid:EPERM`
+    - `@signal:EPERM`
+    - `@swap:EPERM`
+    - `@sync:EPERM`
+    - `@timer:EPERM`