From 9d995d54b54dcf9c776a0d88edad3b6aab3c36b5 Mon Sep 17 00:00:00 2001 From: Auke Kok Date: Sat, 11 May 2013 13:40:08 -0700 Subject: [PATCH] Add support for ConditionSecurity=ima Just as with SMACK, we don't really know if a policy has been loaded or not, as the policy interface is write-only. Assume therefore that if ima is present in securityfs that it is enabled. Update the man page to reflect that "ima" is a valid option now as well. --- TODO | 2 -- man/systemd.unit.xml | 5 +++-- src/core/condition.c | 2 ++ 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/TODO b/TODO index 8d4b937a5..9b276746f 100644 --- a/TODO +++ b/TODO @@ -456,8 +456,6 @@ Features: * ExecOnFailure=/usr/bin/foo -* ConditionSecurity= should learn about IMA and SMACK - * udev: - remove src/udev/udev-builtin-firmware.c (CONFIG_FW_LOADER_USER_HELPER=n) - move to LGPL diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index c56837a6e..5ab988178 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -983,9 +983,10 @@ ConditionSecurity= may be used to check whether the given security module is enabled on the - system. Currently the only recognized + system. Currently the recognized values values are selinux, - apparmor, and + apparmor, + ima and smack. The test may be negated by prepending an exclamation diff --git a/src/core/condition.c b/src/core/condition.c index abed4e5bf..4293d6d1f 100644 --- a/src/core/condition.c +++ b/src/core/condition.c @@ -164,6 +164,8 @@ static bool test_security(const char *parameter) { #endif if (streq(parameter, "apparmor")) return access("/sys/kernel/security/apparmor/", F_OK) == 0; + if (streq(parameter, "ima")) + return access("/sys/kernel/security/ima/", F_OK) == 0; if (streq(parameter, "smack")) return access("/sys/fs/smackfs", F_OK) == 0; return false; -- 2.30.2