#include <sys/statvfs.h>
#include <fnmatch.h>
-#include <systemd/sd-id128.h>
+#include "sd-id128.h"
#include "util.h"
#include "condition.h"
#include "virt.h"
#include "apparmor-util.h"
#include "ima-util.h"
#include "selinux-util.h"
+#include "audit.h"
-static bool condition_test_security(Condition *c) {
+static int condition_test_security(Condition *c) {
assert(c);
assert(c->parameter);
assert(c->type == CONDITION_SECURITY);
if (streq(c->parameter, "selinux"))
- return use_selinux() == !c->negate;
+ return mac_selinux_use() == !c->negate;
+ if (streq(c->parameter, "smack"))
+ return mac_smack_use() == !c->negate;
if (streq(c->parameter, "apparmor"))
- return use_apparmor() == !c->negate;
+ return mac_apparmor_use() == !c->negate;
+ if (streq(c->parameter, "audit"))
+ return use_audit() == !c->negate;
if (streq(c->parameter, "ima"))
return use_ima() == !c->negate;
- if (streq(c->parameter, "smack"))
- return use_smack() == !c->negate;
+
return c->negate;
}
-static bool condition_test_capability(Condition *c) {
+static int condition_test_capability(Condition *c) {
+ _cleanup_fclose_ FILE *f = NULL;
cap_value_t value;
- FILE *f;
char line[LINE_MAX];
- unsigned long long capabilities = (unsigned long long) -1;
+ unsigned long long capabilities = -1;
assert(c);
assert(c->parameter);
/* If it's an invalid capability, we don't have it */
if (cap_from_name(c->parameter, &value) < 0)
- return c->negate;
+ return -EINVAL;
/* If it's a valid capability we default to assume
* that we have it */
f = fopen("/proc/self/status", "re");
if (!f)
- return !c->negate;
+ return -errno;
while (fgets(line, sizeof(line), f)) {
truncate_nl(line);
}
}
- fclose(f);
-
return !!(capabilities & (1ULL << value)) == !c->negate;
}
-static bool condition_test(Condition *c) {
+static bool condition_test_needs_update(Condition *c) {
+ const char *p;
+ struct stat usr, other;
+
+ assert(c);
+ assert(c->parameter);
+ assert(c->type == CONDITION_NEEDS_UPDATE);
+
+ /* If the file system is read-only we shouldn't suggest an update */
+ if (path_is_read_only_fs(c->parameter) > 0)
+ return c->negate;
+
+ /* Any other failure means we should allow the condition to be true,
+ * so that we rather invoke too many update tools then too
+ * few. */
+
+ if (!path_is_absolute(c->parameter))
+ return !c->negate;
+
+ p = strappenda(c->parameter, "/.updated");
+ if (lstat(p, &other) < 0)
+ return !c->negate;
+
+ if (lstat("/usr/", &usr) < 0)
+ return !c->negate;
+
+ return (usr.st_mtim.tv_sec > other.st_mtim.tv_sec ||
+ (usr.st_mtim.tv_sec == other.st_mtim.tv_sec && usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec)) == !c->negate;
+}
+
+static bool condition_test_first_boot(Condition *c) {
+ int r;
+
+ assert(c);
+ assert(c->parameter);
+ assert(c->type == CONDITION_FIRST_BOOT);
+
+ r = parse_boolean(c->parameter);
+ if (r < 0)
+ return r;
+
+ return ((access("/run/systemd/first-boot", F_OK) >= 0) == !!r) == !c->negate;
+}
+
+static int condition_test(Condition *c) {
assert(c);
switch(c->type) {
case CONDITION_AC_POWER:
return condition_test_ac_power(c);
+ case CONDITION_ARCHITECTURE:
+ return condition_test_architecture(c);
+
+ case CONDITION_NEEDS_UPDATE:
+ return condition_test_needs_update(c);
+
+ case CONDITION_FIRST_BOOT:
+ return condition_test_first_boot(c);
+
case CONDITION_NULL:
return !c->negate;
* if any of the trigger conditions apply (unless there are
* none) we return true */
LIST_FOREACH(conditions, c, first) {
- bool b;
-
- b = condition_test(c);
- if (unit)
+ int r;
+
+ r = condition_test(c);
+ if (r < 0)
+ log_warning_unit(unit,
+ "Couldn't determine result for %s=%s%s%s for %s, assuming failed: %s",
+ condition_type_to_string(c->type),
+ c->trigger ? "|" : "",
+ c->negate ? "!" : "",
+ c->parameter,
+ unit,
+ strerror(-r));
+ else
log_debug_unit(unit,
"%s=%s%s%s %s for %s.",
condition_type_to_string(c->type),
c->trigger ? "|" : "",
c->negate ? "!" : "",
c->parameter,
- b ? "succeeded" : "failed",
+ r > 0 ? "succeeded" : "failed",
unit);
- c->state = b ? 1 : -1;
- if (!c->trigger && !b)
+ c->state = r > 0 ? CONDITION_STATE_SUCCEEDED : CONDITION_STATE_FAILED;
+
+ if (!c->trigger && r <= 0)
return false;
if (c->trigger && triggered <= 0)
- triggered = b;
+ triggered = r > 0;
}
return triggered != 0;
~ianmdlvl / elogind.git / blobdiff