diff --git a/src/analyze/analyze-condition.c b/src/analyze/analyze-condition.c
index d0cefa0992..370256b433 100644
--- a/src/analyze/analyze-condition.c
+++ b/src/analyze/analyze-condition.c
@@ -21,6 +21,7 @@ static const condition_definition condition_definitions[] = {
 { "ConditionPathIsSymbolicLink", config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK },
 { "ConditionPathIsMountPoint", config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT },
 { "ConditionPathIsReadWrite", config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE },
+ { "ConditionPathIsEncrypted", config_parse_unit_condition_path, CONDITION_PATH_IS_ENCRYPTED },
 { "ConditionDirectoryNotEmpty", config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY },
 { "ConditionFileNotEmpty", config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY },
 { "ConditionFileIsExecutable", config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE },
@@ -44,6 +45,7 @@ static const condition_definition condition_definitions[] = {
 { "AssertPathIsSymbolicLink", config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK },
 { "AssertPathIsMountPoint", config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT },
 { "AssertPathIsReadWrite", config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE },
+ { "AssertPathIsEncrypted", config_parse_unit_condition_path, CONDITION_PATH_IS_ENCRYPTED },
 { "AssertDirectoryNotEmpty", config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY },
 { "AssertFileNotEmpty", config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY },
 { "AssertFileIsExecutable", config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE },
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 9f4c7fe338..2dbc14938a 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -25,6 +25,7 @@
 #include "extract-word.h"
 #include "fd-util.h"
 #include "fileio.h"
+#include "fs-util.h"
 #include "glob-util.h"
 #include "hostname-util.h"
 #include "ima-util.h"
@@ -672,6 +673,20 @@ static int condition_test_path_is_read_write(Condition *c) {
 return path_is_read_only_fs(c->parameter) <= 0;
 }
 
+static int condition_test_path_is_encrypted(Condition *c) {
+ int r;
+
+ assert(c);
+ assert(c->parameter);
+ assert(c->type == CONDITION_PATH_IS_ENCRYPTED);
+
+ r = path_is_encrypted(c->parameter);
+ if (r < 0 && r != -ENOENT)
+ log_debug_errno(r, "Failed to determine if '%s' is encrypted: %m", c->parameter);
+
+ return r > 0;
+}
+
 static int condition_test_directory_not_empty(Condition *c) {
 int r;
 
@@ -725,6 +740,7 @@ int condition_test(Condition *c) {
 [CONDITION_PATH_IS_SYMBOLIC_LINK] = condition_test_path_is_symbolic_link,
 [CONDITION_PATH_IS_MOUNT_POINT] = condition_test_path_is_mount_point,
 [CONDITION_PATH_IS_READ_WRITE] = condition_test_path_is_read_write,
+ [CONDITION_PATH_IS_ENCRYPTED] = condition_test_path_is_encrypted,
 [CONDITION_DIRECTORY_NOT_EMPTY] = condition_test_directory_not_empty,
 [CONDITION_FILE_NOT_EMPTY] = condition_test_file_not_empty,
 [CONDITION_FILE_IS_EXECUTABLE] = condition_test_file_is_executable,
@@ -852,6 +868,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
 [CONDITION_PATH_IS_SYMBOLIC_LINK] = "ConditionPathIsSymbolicLink",
 [CONDITION_PATH_IS_MOUNT_POINT] = "ConditionPathIsMountPoint",
 [CONDITION_PATH_IS_READ_WRITE] = "ConditionPathIsReadWrite",
+ [CONDITION_PATH_IS_ENCRYPTED] = "ConditionPathIsEncrypted",
 [CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
 [CONDITION_FILE_NOT_EMPTY] = "ConditionFileNotEmpty",
 [CONDITION_FILE_IS_EXECUTABLE] = "ConditionFileIsExecutable",
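Review bot: In condition_test_path_is_encrypted(), `return r > 0;` folds every probe failure other than ENOENT into "not encrypted" after only a debug-level log, so a unit gated on ConditionPathIsEncrypted is skipped (and AssertPathIsEncrypted fails) whenever path_is_encrypted() reports an error for any reason, which is the conservative outcome for the positive form. If the negate flag that condition_new() accepts in the test hunk is applied by the caller to this boolean, the inverted form would read a failed probe as "unencrypted" and let the unit proceed; a comment above the return should make that contract explicit, e.g. `/* Probe errors (other than a missing path) are reported as "not encrypted"; under negation a failed probe therefore satisfies the condition. */`. Since a silently skipped unit is hard to diagnose at the default log level, consider `log_warning_errno` for the non-ENOENT error case so the reason is visible without raising verbosity. The condition_test() dispatch table and the name tables updated later in this line extend beyond their hunks.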
@@ -882,6 +899,7 @@ static const char* const assert_type_table[_CONDITION_TYPE_MAX] = {
 [CONDITION_PATH_IS_SYMBOLIC_LINK] = "AssertPathIsSymbolicLink",
 [CONDITION_PATH_IS_MOUNT_POINT] = "AssertPathIsMountPoint",
 [CONDITION_PATH_IS_READ_WRITE] = "AssertPathIsReadWrite",
+ [CONDITION_PATH_IS_ENCRYPTED] = "AssertPathIsEncrypted",
 [CONDITION_DIRECTORY_NOT_EMPTY] = "AssertDirectoryNotEmpty",
 [CONDITION_FILE_NOT_EMPTY] = "AssertFileNotEmpty",
 [CONDITION_FILE_IS_EXECUTABLE] = "AssertFileIsExecutable",
diff --git a/src/shared/condition.h b/src/shared/condition.h
index 84322e7425..6064ccdaed 100644
--- a/src/shared/condition.h
+++ b/src/shared/condition.h
@@ -28,6 +28,7 @@ typedef enum ConditionType {
 CONDITION_PATH_IS_SYMBOLIC_LINK,
 CONDITION_PATH_IS_MOUNT_POINT,
 CONDITION_PATH_IS_READ_WRITE,
+ CONDITION_PATH_IS_ENCRYPTED,
 CONDITION_DIRECTORY_NOT_EMPTY,
 CONDITION_FILE_NOT_EMPTY,
 CONDITION_FILE_IS_EXECUTABLE,
@@ -96,6 +97,7 @@ static inline bool condition_takes_path(ConditionType t) {
 CONDITION_PATH_IS_SYMBOLIC_LINK,
 CONDITION_PATH_IS_MOUNT_POINT,
 CONDITION_PATH_IS_READ_WRITE,
+ CONDITION_PATH_IS_ENCRYPTED,
 CONDITION_DIRECTORY_NOT_EMPTY,
 CONDITION_FILE_NOT_EMPTY,
 CONDITION_FILE_IS_EXECUTABLE,
diff --git a/src/test/test-condition.c b/src/test/test-condition.c
index 8c48518774..0c78194185 100644
--- a/src/test/test-condition.c
+++ b/src/test/test-condition.c
@@ -112,6 +112,11 @@ static void test_condition_test_path(void) {
 assert_se(condition_test(condition) > 0);
 condition_free(condition);
 
+ condition = condition_new(CONDITION_PATH_IS_ENCRYPTED, "/sys", false, false);
+ assert_se(condition);
+ assert_se(condition_test(condition) == 0);
+ condition_free(condition);
+
 condition = condition_new(CONDITION_PATH_IS_SYMBOLIC_LINK, "/dev/stdout", false, false);
 assert_se(condition);
 assert_se(condition_test(condition) > 0);
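Review bot: The new `assert_se(condition_test(condition) == 0);` on "/sys" only exercises the negative path, and because condition_test_path_is_encrypted() maps every probe error to 0 as well, it passes both when /sys is correctly classified as unencrypted and when path_is_encrypted() fails outright, so a regression in the probe would go unnoticed. Asserting the probe result directly, e.g. `assert_se(path_is_encrypted("/sys") == 0);` (assuming it reports 0 rather than an error for a sysfs mount — worth confirming), would separate "not encrypted" from "could not determine", and a positive case should be added where the test environment provides an encrypted-backed path, skipped otherwise. The enclosing test_condition_test_path() continues outside the hunk.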