Add support for ConditionSecurity=ima
Just as with SMACK, we don't really know whether a policy has been loaded or not, as the policy interface is write-only. Assume therefore that if ima is present in securityfs, it is enabled. Update the man page to reflect that "ima" is a valid option now as well.
parent
a41f47abd3
commit
9d995d54b5
2
TODO
2
TODO
|
@ -456,8 +456,6 @@ Features:
|
||||||
|
|
||||||
* ExecOnFailure=/usr/bin/foo
|
* ExecOnFailure=/usr/bin/foo
|
||||||
|
|
||||||
* ConditionSecurity= should learn about IMA and SMACK
|
|
||||||
|
|
||||||
* udev:
|
* udev:
|
||||||
- remove src/udev/udev-builtin-firmware.c (CONFIG_FW_LOADER_USER_HELPER=n)
|
- remove src/udev/udev-builtin-firmware.c (CONFIG_FW_LOADER_USER_HELPER=n)
|
||||||
- move to LGPL
|
- move to LGPL
|
||||||
|
|
|
@ -983,9 +983,10 @@
|
||||||
<para><varname>ConditionSecurity=</varname>
|
<para><varname>ConditionSecurity=</varname>
|
||||||
may be used to check whether the given
|
may be used to check whether the given
|
||||||
security module is enabled on the
|
security module is enabled on the
|
||||||
system. Currently the only recognized
|
system. Currently the recognized values
|
||||||
values are <varname>selinux</varname>,
|
values are <varname>selinux</varname>,
|
||||||
<varname>apparmor</varname>, and
|
<varname>apparmor</varname>,
|
||||||
|
<varname>ima</varname> and
|
||||||
<varname>smack</varname>.
|
<varname>smack</varname>.
|
||||||
The test may be negated by prepending
|
The test may be negated by prepending
|
||||||
an exclamation
|
an exclamation
|
||||||
|
|
|
@ -164,6 +164,8 @@ static bool test_security(const char *parameter) {
|
||||||
#endif
|
#endif
|
||||||
if (streq(parameter, "apparmor"))
|
if (streq(parameter, "apparmor"))
|
||||||
return access("/sys/kernel/security/apparmor/", F_OK) == 0;
|
return access("/sys/kernel/security/apparmor/", F_OK) == 0;
|
||||||
|
if (streq(parameter, "ima"))
|
||||||
|
return access("/sys/kernel/security/ima/", F_OK) == 0;
|
||||||
if (streq(parameter, "smack"))
|
if (streq(parameter, "smack"))
|
||||||
return access("/sys/fs/smackfs", F_OK) == 0;
|
return access("/sys/fs/smackfs", F_OK) == 0;
|
||||||
return false;
|
return false;
|
||||||
|
|
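Review bot: The new `ima` branch (the two added lines after the apparmor check) reports IMA as enabled whenever `/sys/kernel/security/ima/` exists, which only shows that the IMA LSM is compiled in and securityfs is mounted, not that a policy has been loaded or that appraisal is enforced; the commit message says this, but the code does not, so a unit author reading this function cannot tell that `ConditionSecurity=ima` may be true on a kernel where IMA is measuring nothing. A one-line comment above the branch would capture the caveat: `/* Like smack: the policy interface is write-only, so the securityfs dir only proves IMA is compiled in, not that a policy is loaded */`. If a stronger signal is ever wanted, `/sys/kernel/security/ima/runtime_measurements_count` is, as far as I recall, world-readable and non-zero once measurements are actually being taken, but using it would change the semantics relative to the apparmor/smack checks and is presumably out of scope here. Note also that `access()` failing covers securityfs simply not being mounted, not only IMA being absent, which applies equally to the apparmor branch above. test_security() starts outside the hunk.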