From 57ab451e856fc9a5722499b499ac988e4988577a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 20 Jun 2018 22:35:36 +0200 Subject: [PATCH 1/2] NEWS: mention ConditionSecurity=uefi-secureboot Follow-up for be405b909e5d78b43e3af47e0d10cd84c714e2f3. --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index 10f632216f..aa0929cf61 100644 --- a/NEWS +++ b/NEWS @@ -333,6 +333,9 @@ CHANGES WITH 239 in spe: system namespacing options. One such service is systemd-udevd.service wher this is now used by default. + * ConditionSecurity= gained a new value "uefi-secureboot" that is true + when the system is booted in UEFI "secure mode". + * A new unit "system-update-pre.target" is added, which defines an optional synchronization point for offline system updates, as implemented by the pre-existing "system-update.target" unit. It From fc65dabdb5e7357555d117d7aef950f4dd000a5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 20 Jun 2018 22:46:13 +0200 Subject: [PATCH 2/2] test-condition: extend tests to all ConditionSecurity= values Also print out what we detect, for manual verification. --- src/test/test-condition.c | 35 ++++++++++++++++++++++++++++++----- 1 file changed, 30 insertions(+), 5 deletions(-) diff --git a/src/test/test-condition.c b/src/test/test-condition.c index 59f8629dba..7ce6ee80ea 100644 --- a/src/test/test-condition.c +++ b/src/test/test-condition.c @@ -13,6 +13,7 @@ #include "audit-util.h" #include "cgroup-util.h" #include "condition.h" +#include "efivars.h" #include "hostname-util.h" #include "id128-util.h" #include "ima-util.h" @@ -23,6 +24,7 @@ #include "smack-util.h" #include "string-util.h" #include "strv.h" +#include "tomoyo-util.h" #include "user-util.h" #include "util.h" #include "virt.h" 
@@ -429,16 +431,21 @@ static void test_condition_test_security(void) {
         assert_se(condition_test(condition) != mac_selinux_use());
         condition_free(condition);
 
-        condition = condition_new(CONDITION_SECURITY, "ima", false, false);
-        assert_se(condition);
-        assert_se(condition_test(condition) == use_ima());
-        condition_free(condition);
-
         condition = condition_new(CONDITION_SECURITY, "apparmor", false, false);
         assert_se(condition);
         assert_se(condition_test(condition) == mac_apparmor_use());
         condition_free(condition);
 
+        condition = condition_new(CONDITION_SECURITY, "tomoyo", false, false);
+        assert_se(condition);
+        assert_se(condition_test(condition) == mac_tomoyo_use());
+        condition_free(condition);
+
+        condition = condition_new(CONDITION_SECURITY, "ima", false, false);
+        assert_se(condition);
+        assert_se(condition_test(condition) == use_ima());
+        condition_free(condition);
+
         condition = condition_new(CONDITION_SECURITY, "smack", false, false);
         assert_se(condition);
         assert_se(condition_test(condition) == mac_smack_use());
@@ -448,6 +455,23 @@ static void test_condition_test_security(void) {
         assert_se(condition);
         assert_se(condition_test(condition) == use_audit());
         condition_free(condition);
+
+        condition = condition_new(CONDITION_SECURITY, "uefi-secureboot", false, false);
+        assert_se(condition);
+        assert_se(condition_test(condition) == is_efi_secure_boot());
+        condition_free(condition);
+}
+
+static void print_securities(void) {
+        log_info("------ enabled security technologies ------");
+        log_info("SELinux: %s", yes_no(mac_selinux_use()));
+        log_info("AppArmor: %s", yes_no(mac_apparmor_use()));
+        log_info("Tomoyo: %s", yes_no(mac_tomoyo_use()));
+        log_info("IMA: %s", yes_no(use_ima()));
+        log_info("SMACK: %s", yes_no(mac_smack_use()));
+        log_info("Audit: %s", yes_no(use_audit()));
+        log_info("UEFI secure boot: %s", yes_no(is_efi_secure_boot()));
+        log_info("-------------------------------------------");
 }
 
 static void test_condition_test_virtualization(void) {
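Review bot: The new `uefi-secureboot` case in the second hunk, like the tomoyo and ima cases added in the first, is only exercised with negate=false, so `ConditionSecurity=!uefi-secureboot` is never tested; the selinux check at the top of the first hunk compares with `!=` against `mac_selinux_use()`, which suggests the negated path is covered for that value alone. I would add directly after the new block `condition = condition_new(CONDITION_SECURITY, "uefi-secureboot", false, true); assert_se(condition); assert_se(condition_test(condition) != is_efi_secure_boot());`. All of these assertions compare against the same helper the implementation presumably dispatches to (here `is_efi_secure_boot()`, from the newly included efivars.h), so they establish dispatch parity rather than that the firmware-reported SecureBoot flag is read correctly, and a one-line comment on the function saying so would stop a later reader from assuming more, e.g. `/* Parity checks only: each value must agree with the helper condition_test_security() calls. */`. If unrecognised names fall through to false (not visible here), a case such as `"uefi-secure-boot"` pinning that result would also document the silent-misspelling failure mode, where a misspelt gate never matches and a misspelt negated gate always does. test_condition_test_security() begins before the first hunk.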
@@ -663,6 +687,7 @@ int main(int argc, char *argv[]) {
         test_condition_test_kernel_version();
         test_condition_test_null();
         test_condition_test_security();
+        print_securities();
         test_condition_test_virtualization();
         test_condition_test_user();
         test_condition_test_group();
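Review bot: print_securities() is called only after test_condition_test_security() has returned, so when one of that function's assert_se() checks aborts the process, the diagnostics meant to explain which technology was detected are never printed. The commit message says the output is for manual verification, and it is most useful precisely on failure, so I would swap the two lines, `print_securities(); test_condition_test_security();`, or call print_securities() first thing in main(). main() starts before and continues past this hunk.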