condition: add ConditionPathIsEncrypted=
It's easy to add, and should be pretty useful, in particular as AssertPathIsEncrypted=, since it can be used for checking that some path is encrypted before some service is invoked that might want to place secure material there.
parent
89fe653544
commit
7f19247b5e
@ -21,6 +21,7 @@ static const condition_definition condition_definitions[] = {
{ "ConditionPathIsSymbolicLink", config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK },
{ "ConditionPathIsSymbolicLink", config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK },
{ "ConditionPathIsMountPoint", config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT },
{ "ConditionPathIsMountPoint", config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT },
{ "ConditionPathIsReadWrite", config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE },
{ "ConditionPathIsReadWrite", config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE },
{ "ConditionPathIsEncrypted", config_parse_unit_condition_path, CONDITION_PATH_IS_ENCRYPTED },
{ "ConditionDirectoryNotEmpty", config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY },
{ "ConditionDirectoryNotEmpty", config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY },
{ "ConditionFileNotEmpty", config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY },
{ "ConditionFileNotEmpty", config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY },
{ "ConditionFileIsExecutable", config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE },
{ "ConditionFileIsExecutable", config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE },
@ -44,6 +45,7 @@ static const condition_definition condition_definitions[] = {
{ "AssertPathIsSymbolicLink", config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK },
{ "AssertPathIsSymbolicLink", config_parse_unit_condition_path, CONDITION_PATH_IS_SYMBOLIC_LINK },
{ "AssertPathIsMountPoint", config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT },
{ "AssertPathIsMountPoint", config_parse_unit_condition_path, CONDITION_PATH_IS_MOUNT_POINT },
{ "AssertPathIsReadWrite", config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE },
{ "AssertPathIsReadWrite", config_parse_unit_condition_path, CONDITION_PATH_IS_READ_WRITE },
{ "AssertPathIsEncrypted", config_parse_unit_condition_path, CONDITION_PATH_IS_ENCRYPTED },
{ "AssertDirectoryNotEmpty", config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY },
{ "AssertDirectoryNotEmpty", config_parse_unit_condition_path, CONDITION_DIRECTORY_NOT_EMPTY },
{ "AssertFileNotEmpty", config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY },
{ "AssertFileNotEmpty", config_parse_unit_condition_path, CONDITION_FILE_NOT_EMPTY },
{ "AssertFileIsExecutable", config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE },
{ "AssertFileIsExecutable", config_parse_unit_condition_path, CONDITION_FILE_IS_EXECUTABLE },
@ -25,6 +25,7 @@
#include "extract-word.h"
#include "extract-word.h"
#include "fd-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "fileio.h"
#include "fs-util.h"
#include "glob-util.h"
#include "glob-util.h"
#include "hostname-util.h"
#include "hostname-util.h"
#include "ima-util.h"
#include "ima-util.h"
@ -672,6 +673,20 @@ static int condition_test_path_is_read_write(Condition *c) {
return path_is_read_only_fs(c->parameter) <= 0;
return path_is_read_only_fs(c->parameter) <= 0;
}
}
static int condition_test_path_is_encrypted(Condition *c) {
int r;
assert(c);
assert(c->parameter);
assert(c->type == CONDITION_PATH_IS_ENCRYPTED);
r = path_is_encrypted(c->parameter);
if (r < 0 && r != -ENOENT)
log_debug_errno(r, "Failed to determine if '%s' is encrypted: %m", c->parameter);
return r > 0;
}
static int condition_test_directory_not_empty(Condition *c) {
static int condition_test_directory_not_empty(Condition *c) {
int r;
int r;
@ -725,6 +740,7 @@ int condition_test(Condition *c) {
[CONDITION_PATH_IS_SYMBOLIC_LINK] = condition_test_path_is_symbolic_link,
[CONDITION_PATH_IS_SYMBOLIC_LINK] = condition_test_path_is_symbolic_link,
[CONDITION_PATH_IS_MOUNT_POINT] = condition_test_path_is_mount_point,
[CONDITION_PATH_IS_MOUNT_POINT] = condition_test_path_is_mount_point,
[CONDITION_PATH_IS_READ_WRITE] = condition_test_path_is_read_write,
[CONDITION_PATH_IS_READ_WRITE] = condition_test_path_is_read_write,
[CONDITION_PATH_IS_ENCRYPTED] = condition_test_path_is_encrypted,
[CONDITION_DIRECTORY_NOT_EMPTY] = condition_test_directory_not_empty,
[CONDITION_DIRECTORY_NOT_EMPTY] = condition_test_directory_not_empty,
[CONDITION_FILE_NOT_EMPTY] = condition_test_file_not_empty,
[CONDITION_FILE_NOT_EMPTY] = condition_test_file_not_empty,
[CONDITION_FILE_IS_EXECUTABLE] = condition_test_file_is_executable,
[CONDITION_FILE_IS_EXECUTABLE] = condition_test_file_is_executable,
@ -852,6 +868,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
[CONDITION_PATH_IS_SYMBOLIC_LINK] = "ConditionPathIsSymbolicLink",
[CONDITION_PATH_IS_SYMBOLIC_LINK] = "ConditionPathIsSymbolicLink",
[CONDITION_PATH_IS_MOUNT_POINT] = "ConditionPathIsMountPoint",
[CONDITION_PATH_IS_MOUNT_POINT] = "ConditionPathIsMountPoint",
[CONDITION_PATH_IS_READ_WRITE] = "ConditionPathIsReadWrite",
[CONDITION_PATH_IS_READ_WRITE] = "ConditionPathIsReadWrite",
[CONDITION_PATH_IS_ENCRYPTED] = "ConditionPathIsEncrypted",
[CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
[CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
[CONDITION_FILE_NOT_EMPTY] = "ConditionFileNotEmpty",
[CONDITION_FILE_NOT_EMPTY] = "ConditionFileNotEmpty",
[CONDITION_FILE_IS_EXECUTABLE] = "ConditionFileIsExecutable",
[CONDITION_FILE_IS_EXECUTABLE] = "ConditionFileIsExecutable",
@ -882,6 +899,7 @@ static const char* const assert_type_table[_CONDITION_TYPE_MAX] = {
[CONDITION_PATH_IS_SYMBOLIC_LINK] = "AssertPathIsSymbolicLink",
[CONDITION_PATH_IS_SYMBOLIC_LINK] = "AssertPathIsSymbolicLink",
[CONDITION_PATH_IS_MOUNT_POINT] = "AssertPathIsMountPoint",
[CONDITION_PATH_IS_MOUNT_POINT] = "AssertPathIsMountPoint",
[CONDITION_PATH_IS_READ_WRITE] = "AssertPathIsReadWrite",
[CONDITION_PATH_IS_READ_WRITE] = "AssertPathIsReadWrite",
[CONDITION_PATH_IS_ENCRYPTED] = "AssertPathIsEncrypted",
[CONDITION_DIRECTORY_NOT_EMPTY] = "AssertDirectoryNotEmpty",
[CONDITION_DIRECTORY_NOT_EMPTY] = "AssertDirectoryNotEmpty",
[CONDITION_FILE_NOT_EMPTY] = "AssertFileNotEmpty",
[CONDITION_FILE_NOT_EMPTY] = "AssertFileNotEmpty",
[CONDITION_FILE_IS_EXECUTABLE] = "AssertFileIsExecutable",
[CONDITION_FILE_IS_EXECUTABLE] = "AssertFileIsExecutable",
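Review bot: In condition_test_path_is_encrypted() (the `@ -672,6 +673,20 @@` hunk) every error from path_is_encrypted(), not only -ENOENT, is folded into a false result by `return r > 0;`, so a lookup failure is indistinguishable from "not encrypted" for the caller; that fail-closed choice is the right one for a condition meant to gate placing secret material, but it is the opposite of the sibling condition_test_path_is_read_write() directly above it, which treats an error as read-write, and deserves a comment such as `/* Errors (including a non-existent path) count as "not encrypted": fail closed, unlike path_is_read_write above. */`. The -ENOENT exclusion only suppresses the debug log; a missing path still evaluates to false, which the unit-file documentation for ConditionPathIsEncrypted= should state. What path_is_encrypted() actually inspects is not visible in this hunk (presumably the backing block device, so stacked devices, network and tmpfs-backed paths may need spelling out), so the same documentation should say which setups count as encrypted. The new function starts and ends within the hunk.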
@ -28,6 +28,7 @@ typedef enum ConditionType {
CONDITION_PATH_IS_SYMBOLIC_LINK,
CONDITION_PATH_IS_SYMBOLIC_LINK,
CONDITION_PATH_IS_MOUNT_POINT,
CONDITION_PATH_IS_MOUNT_POINT,
CONDITION_PATH_IS_READ_WRITE,
CONDITION_PATH_IS_READ_WRITE,
CONDITION_PATH_IS_ENCRYPTED,
CONDITION_DIRECTORY_NOT_EMPTY,
CONDITION_DIRECTORY_NOT_EMPTY,
CONDITION_FILE_NOT_EMPTY,
CONDITION_FILE_NOT_EMPTY,
CONDITION_FILE_IS_EXECUTABLE,
CONDITION_FILE_IS_EXECUTABLE,
@ -96,6 +97,7 @@ static inline bool condition_takes_path(ConditionType t) {
CONDITION_PATH_IS_SYMBOLIC_LINK,
CONDITION_PATH_IS_SYMBOLIC_LINK,
CONDITION_PATH_IS_MOUNT_POINT,
CONDITION_PATH_IS_MOUNT_POINT,
CONDITION_PATH_IS_READ_WRITE,
CONDITION_PATH_IS_READ_WRITE,
CONDITION_PATH_IS_ENCRYPTED,
CONDITION_DIRECTORY_NOT_EMPTY,
CONDITION_DIRECTORY_NOT_EMPTY,
CONDITION_FILE_NOT_EMPTY,
CONDITION_FILE_NOT_EMPTY,
CONDITION_FILE_IS_EXECUTABLE,
CONDITION_FILE_IS_EXECUTABLE,
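Review bot: CONDITION_PATH_IS_ENCRYPTED is inserted in the middle of ConditionType (the `@ -28,6 +28,7 @@` hunk), which renumbers CONDITION_DIRECTORY_NOT_EMPTY and every later constant; that is harmless as long as the type only ever crosses a boundary by name through condition_type_to_string(), but if any numeric value is persisted or compared against an older build, appending the new constant at the end would be the safer choice. The condition_takes_path() list in the second hunk is updated consistently, so whatever path checking that helper gates on parse should apply to the new type as well; its enclosing function body continues outside the hunk.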
@ -112,6 +112,11 @@ static void test_condition_test_path(void) {
assert_se(condition_test(condition) > 0);
assert_se(condition_test(condition) > 0);
condition_free(condition);
condition_free(condition);
condition = condition_new(CONDITION_PATH_IS_ENCRYPTED, "/sys", false, false);
assert_se(condition);
assert_se(condition_test(condition) == 0);
condition_free(condition);
condition = condition_new(CONDITION_PATH_IS_SYMBOLIC_LINK, "/dev/stdout", false, false);
condition = condition_new(CONDITION_PATH_IS_SYMBOLIC_LINK, "/dev/stdout", false, false);
assert_se(condition);
assert_se(condition);
assert_se(condition_test(condition) > 0);
assert_se(condition_test(condition) > 0);
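Review bot: The new test pins only the negative case, `assert_se(condition_test(condition) == 0);` for "/sys", and because condition_test_path_is_encrypted() maps every error from path_is_encrypted() to 0 as well, this assertion cannot tell "not encrypted" apart from "could not determine". If path_is_encrypted() returns 0 rather than an error for a path with no backing block device, adding `assert_se(path_is_encrypted("/sys") == 0);` beside it (including fs-util.h if the test file does not already) would catch a regression where the lookup starts failing. A positive case needs an encrypted backing device and so is not feasible in a unit test, which is worth saying in a one-line comment on the new block. test_condition_test_path() starts and ends outside the hunk.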