condition, man: Add support for ConditionSecurity=apparmor

Checking for the apparmor directory in securityfs means the apparmor module is
loaded and enabled, and hence should suffice as a test.

https://bugs.freedesktop.org/show_bug.cgi?id=63312

diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 2f2d1a1d4a689c4b2ff781fc09c1561748966b09..3360a719a2ba90dbe552cfc90007b3a22450a417 100644 (file)
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -984,7 +984,8 @@
                                 may be used to check whether the given
                                 security module is enabled on the
                                 system.  Currently the only recognized
-                                value is <varname>selinux</varname>.
+                                values are <varname>selinux</varname>
+                                and <varname>apparmor</varname>.
                                 The test may be negated by prepending
                                 an exclamation
                                 mark.</para>

diff --git a/src/core/condition.c b/src/core/condition.c
index 30199c10e3bbbeedab5ec05d05db37cdd21b4e2b..4aa5530c3645b8ba7ddc9f01789d7e73182da366 100644 (file)
--- a/src/core/condition.c
+++ b/src/core/condition.c
@@ -162,6 +162,8 @@ static bool test_security(const char *parameter) {
         if (streq(parameter, "selinux"))
                 return is_selinux_enabled() > 0;
 #endif
+       if (streq(parameter, "apparmor"))
+               return access("/sys/kernel/security/apparmor/", F_OK) == 0;
         return false;
 }