From: Auke Kok Date: Sat, 11 May 2013 20:40:08 +0000 (-0700) Subject: Add support for ConditionSecurity=ima X-Git-Tag: v205~257 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=9d995d54b54dcf9c776a0d88edad3b6aab3c36b5;p=elogind.git Add support for ConditionSecurity=ima Just as with SMACK, we don't really know if a policy has been loaded or not, as the policy interface is write-only. Assume therefore that if ima is present in securityfs that it is enabled. Update the man page to reflect that "ima" is a valid option now as well. --- diff --git a/TODO b/TODO index 8d4b937a5..9b276746f 100644 --- a/TODO +++ b/TODO @@ -456,8 +456,6 @@ Features: * ExecOnFailure=/usr/bin/foo -* ConditionSecurity= should learn about IMA and SMACK - * udev: - remove src/udev/udev-builtin-firmware.c (CONFIG_FW_LOADER_USER_HELPER=n) - move to LGPL diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index c56837a6e..5ab988178 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -983,9 +983,10 @@ ConditionSecurity= may be used to check whether the given security module is enabled on the - system. Currently the only recognized + system. Currently the recognized values values are selinux, - apparmor, and + apparmor, + ima and smack. The test may be negated by prepending an exclamation diff --git a/src/core/condition.c b/src/core/condition.c index abed4e5bf..4293d6d1f 100644 --- a/src/core/condition.c +++ b/src/core/condition.c @@ -164,6 +164,8 @@ static bool test_security(const char *parameter) { #endif if (streq(parameter, "apparmor")) return access("/sys/kernel/security/apparmor/", F_OK) == 0; + if (streq(parameter, "ima")) + return access("/sys/kernel/security/ima/", F_OK) == 0; if (streq(parameter, "smack")) return access("/sys/fs/smackfs", F_OK) == 0; return false;
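Review bot: the man page hunk introduces a duplicated word: the new line `+ system. Currently the recognized values` is followed by the unchanged context line `values are selinux,`, so the rendered text reads "the recognized values values are". Drop the trailing "values" from the added line (`+ system. Currently the recognized`). While here, the list now reads "apparmor, ima and smack" without the serial comma the original "apparmor, and smack" used; keep it consistent (`+ apparmor, ima, and`). It would also help readers if the paragraph said what the ima test actually checks, namely that IMA is present in securityfs, since, as the commit message notes, a loaded policy cannot be detected through the write-only policy interface.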
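Review bot: in the condition.c hunk, `access("/sys/kernel/security/ima/", F_OK) == 0` only proves the IMA directory exists in securityfs, i.e. the kernel was built with IMA and securityfs is mounted at /sys/kernel/security; it says nothing about whether a measurement or appraisal policy has been loaded, so a unit gated on ConditionSecurity=ima can start on a system where IMA is compiled in but doing nothing. The commit message states this limitation and the reason for it (write-only policy interface), but the code does not; add a short comment above the new `if (streq(parameter, "ima"))` branch so the next reader does not "fix" it into a stronger check that the interface cannot support, and consider whether the negative case (securityfs not mounted, so the condition reports "ima" as absent even when IMA is active) is acceptable, since the apparmor check two lines above shares the same dependency.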