condition: add new conditon ConditionSecurity=uefi-secureboot
We have the detector call for this anyway, and it's useful for conditioning out dbxtool.service, hence let's add this tiny new option.
parent
92963e74df
commit
be405b909e
@ -1107,15 +1107,13 @@
kernels into older versions provided by distributions. Hence, this check is inherently unportable and should
kernels into older versions provided by distributions. Hence, this check is inherently unportable and should
not be used for units which may be used on different distributions.</para>
not be used for units which may be used on different distributions.</para>
<para><varname>ConditionSecurity=</varname> may be used to
<para><varname>ConditionSecurity=</varname> may be used to check
check whether the given security module is enabled on the
whether the given security technology is enabled on the
system. Currently, the recognized values are
system. Currently, the recognized values are
<varname>selinux</varname>,
<varname>selinux</varname>, <varname>apparmor</varname>,
<varname>apparmor</varname>,
<varname>tomoyo</varname>, <varname>ima</varname>,
<varname>tomoyo</varname>,
<varname>smack</varname>, <varname>audit</varname> and
<varname>ima</varname>,
<varname>uefi-secureboot</varname>. The test may be negated by
<varname>smack</varname> and
<varname>audit</varname>. The test may be negated by
prepending an exclamation mark.</para>
prepending an exclamation mark.</para>
<para><varname>ConditionCapability=</varname> may be used to
<para><varname>ConditionCapability=</varname> may be used to
@ -21,6 +21,7 @@
#include "cap-list.h"
#include "cap-list.h"
#include "cgroup-util.h"
#include "cgroup-util.h"
#include "condition.h"
#include "condition.h"
#include "efivars.h"
#include "extract-word.h"
#include "extract-word.h"
#include "fd-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "fileio.h"
@ -376,6 +377,8 @@ static int condition_test_security(Condition *c) {
return use_ima();
return use_ima();
if (streq(c->parameter, "tomoyo"))
if (streq(c->parameter, "tomoyo"))
return mac_tomoyo_use();
return mac_tomoyo_use();
if (streq(c->parameter, "uefi-secureboot"))
return is_efi_secure_boot();
return false;
return false;
}
}
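Review bot: The new `uefi-secureboot` branch in condition_test_security returns whatever is_efi_secure_boot() yields, and unlike the kernel-side checks above it this answer comes from firmware state (an EFI variable) that can be unreadable as well as false — on a non-EFI boot, with efivarfs not mounted, or without permission to read it. If is_efi_secure_boot() folds those read failures into false, which I believe it does but cannot confirm from the hunk, the condition silently reports "not enabled" in all of those cases, and a unit using `ConditionSecurity=!uefi-secureboot` would be started on a system whose Secure Boot status is simply unknown. A one-line comment above the new branch would make that explicit: `/* Unreadable or absent SecureBoot variable is treated as "not enabled", not as an error */`. The man page text in the first hunk would also benefit from a sentence saying that this value reflects the firmware's Secure Boot flag rather than a security module. condition_test_security's body starts above this hunk, so the earlier branches and the parameter handling are not visible here.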