core: add ConditionSecurity=tpm2 support
parent
7509c7fdf9
commit
bce334a31c
|
@ -1257,9 +1257,9 @@
|
||||||
<listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given
|
<listitem><para><varname>ConditionSecurity=</varname> may be used to check whether the given
|
||||||
security technology is enabled on the system. Currently, the recognized values are
|
security technology is enabled on the system. Currently, the recognized values are
|
||||||
<literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
|
<literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
|
||||||
<literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal> and
|
<literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
|
||||||
<literal>uefi-secureboot</literal>. The test may be negated by prepending an exclamation
|
<literal>uefi-secureboot</literal> and <literal>tpm2</literal>. The test may be negated by prepending
|
||||||
mark.</para>
|
an exclamation mark.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
|
@ -480,6 +480,21 @@ static int condition_test_ac_power(Condition *c, char **env) {
|
||||||
return (on_ac_power() != 0) == !!r;
|
return (on_ac_power() != 0) == !!r;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int has_tpm2(void) {
|
||||||
|
int r;
|
||||||
|
|
||||||
|
/* Checks whether the system has at least one TPM2 resource manager device, i.e. at least one "tpmrm"
|
||||||
|
* class device */
|
||||||
|
|
||||||
|
r = dir_is_empty("/sys/class/tpmrm");
|
||||||
|
if (r == -ENOENT)
|
||||||
|
return false;
|
||||||
|
if (r < 0)
|
||||||
|
return log_debug_errno(r, "Failed to determine whether system has TPM2 support: %m");
|
||||||
|
|
||||||
|
return !r;
|
||||||
|
}
|
||||||
|
|
||||||
static int condition_test_security(Condition *c, char **env) {
|
static int condition_test_security(Condition *c, char **env) {
|
||||||
assert(c);
|
assert(c);
|
||||||
assert(c->parameter);
|
assert(c->parameter);
|
||||||
|
@ -499,6 +514,8 @@ static int condition_test_security(Condition *c, char **env) {
|
||||||
return mac_tomoyo_use();
|
return mac_tomoyo_use();
|
||||||
if (streq(c->parameter, "uefi-secureboot"))
|
if (streq(c->parameter, "uefi-secureboot"))
|
||||||
return is_efi_secure_boot();
|
return is_efi_secure_boot();
|
||||||
|
if (streq(c->parameter, "tpm2"))
|
||||||
|
return has_tpm2();
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
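Review bot: The comment above `dir_is_empty("/sys/class/tpmrm")` in has_tpm2() should also say what the check does not establish: a non-empty tpmrm class only means the kernel has bound a TPM 2.0 driver and exposes a resource-manager device, so a chip with no driver loaded or a kernel that predates the tpmrm class makes ConditionSecurity=tpm2 evaluate false, and a present node says nothing about whether the TPM is actually functional. Suggested wording: `/* Only tells us whether the kernel exposes at least one TPM 2.0 resource manager ("tpmrm") device; it does not tell us whether the TPM is usable, and TPM 1.2 devices, which get no tpmrm node, are not matched. */`, with the same caveat worth a clause in the man page entry of the first hunk so unit authors do not gate on a stronger guarantee than this provides. Errors other than -ENOENT are passed up as a negative errno through the `return has_tpm2();` line in condition_test_security(), which presumably the condition machinery reports as an error result rather than a plain false; a one-line comment at `return log_debug_errno(...)` stating that this is intended would make the mixed bool/errno return explicit. condition_test_security() starts in the first hunk and its body continues outside both hunks.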