condition: add new conditon ConditionSecurity=uefi-secureboot
We have the detector call for this anyway, and it's useful for conditioning out dbxtool.service, hence let's add this tiny new option.
This commit is contained in:
parent
92963e74df
commit
be405b909e
|
@ -1107,15 +1107,13 @@
|
|||
kernels into older versions provided by distributions. Hence, this check is inherently unportable and should
|
||||
not be used for units which may be used on different distributions.</para>
|
||||
|
||||
<para><varname>ConditionSecurity=</varname> may be used to
|
||||
check whether the given security module is enabled on the
|
||||
<para><varname>ConditionSecurity=</varname> may be used to check
|
||||
whether the given security technology is enabled on the
|
||||
system. Currently, the recognized values are
|
||||
<varname>selinux</varname>,
|
||||
<varname>apparmor</varname>,
|
||||
<varname>tomoyo</varname>,
|
||||
<varname>ima</varname>,
|
||||
<varname>smack</varname> and
|
||||
<varname>audit</varname>. The test may be negated by
|
||||
<varname>selinux</varname>, <varname>apparmor</varname>,
|
||||
<varname>tomoyo</varname>, <varname>ima</varname>,
|
||||
<varname>smack</varname>, <varname>audit</varname> and
|
||||
<varname>uefi-secureboot</varname>. The test may be negated by
|
||||
prepending an exclamation mark.</para>
|
||||
|
||||
<para><varname>ConditionCapability=</varname> may be used to
|
||||
|
|
|
@ -21,6 +21,7 @@
|
|||
#include "cap-list.h"
|
||||
#include "cgroup-util.h"
|
||||
#include "condition.h"
|
||||
#include "efivars.h"
|
||||
#include "extract-word.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
|
@ -376,6 +377,8 @@ static int condition_test_security(Condition *c) {
|
|||
return use_ima();
|
||||
if (streq(c->parameter, "tomoyo"))
|
||||
return mac_tomoyo_use();
|
||||
if (streq(c->parameter, "uefi-secureboot"))
|
||||
return is_efi_secure_boot();
|
||||
|
||||
return false;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue