Add support for ConditionSecurity=ima
author Auke Kok <auke-jan.h.kok@intel.com>
Sat, 11 May 2013 20:40:08 +0000 (13:40 -0700)
committer Auke Kok <auke-jan.h.kok@intel.com>
Sat, 11 May 2013 20:42:55 +0000 (13:42 -0700)
Just as with SMACK, we don't really know if a policy has been
loaded or not, as the policy interface is write-only. Assume
therefore that if ima is present in securityfs that it is
enabled.

Update the man page to reflect that "ima" is a valid option
now as well.

TODO
man/systemd.unit.xml
src/core/condition.c

diff --git a/TODO b/TODO
index 8d4b937a5a505ec0d034a56594820876648ce77f..9b276746f106de06241ffe9581bcb3a829c02510 100644 (file)
--- a/TODO
+++ b/TODO
@@ -456,8 +456,6 @@ Features:
 
 * ExecOnFailure=/usr/bin/foo
 
-* ConditionSecurity= should learn about IMA and SMACK
-
 * udev:
   - remove src/udev/udev-builtin-firmware.c (CONFIG_FW_LOADER_USER_HELPER=n)
   - move to LGPL
index c56837a6e53c0650645ed1d035ba132882372c90..5ab988178de3e9f4cc388a79bc1ac71b514bae2c 100644 (file)
                                 <para><varname>ConditionSecurity=</varname>
                                 may be used to check whether the given
                                 security module is enabled on the
-                                system.  Currently the only recognized
+                                system. Currently the recognized values
                                 values are <varname>selinux</varname>,
-                                <varname>apparmor</varname>, and
+                                <varname>apparmor</varname>,
+                                <varname>ima</varname> and
                                 <varname>smack</varname>.
                                 The test may be negated by prepending
                                 an exclamation
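Review bot: the added line "system. Currently the recognized values" ends in "values" while the unchanged line after it begins "values are", so the rendered paragraph reads "the recognized values values are"; drop the trailing word from the added line. The paragraph also still says the condition checks whether the module "is enabled", but per the commit message the ima test only means IMA is present in securityfs, not that a policy has been loaded. A sentence saying so for ima (and smack) would stop unit authors from reading ConditionSecurity=ima as proof that measurement or appraisal is active.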
index abed4e5bf07be9950ebf80a51357a882c1ee3868..4293d6d1f190e7b386d2fa4e0a61d6f669283756 100644 (file)
@@ -164,6 +164,8 @@ static bool test_security(const char *parameter) {
 #endif
         if (streq(parameter, "apparmor"))
                 return access("/sys/kernel/security/apparmor/", F_OK) == 0;
+        if (streq(parameter, "ima"))
+                return access("/sys/kernel/security/ima/", F_OK) == 0;
         if (streq(parameter, "smack"))
                 return access("/sys/fs/smackfs", F_OK) == 0;
         return false;
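Review bot: the new "ima" branch returns true whenever access("/sys/kernel/security/ima/", F_OK) succeeds, which shows only that the directory exists in securityfs, not that an IMA policy is loaded. That assumption is stated in the commit message but nowhere in the code. Please add a short comment above the check recording that the policy interface is write-only and that presence is therefore treated as enabled, so a later reader does not take this for an enforcement check. The test also returns false if /sys/kernel/security is not mounted when the condition is evaluated; the same comment could mention that.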