From be405b909e5d78b43e3af47e0d10cd84c714e2f3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 20 Jun 2018 18:52:52 +0200
Subject: [PATCH] condition: add new conditon ConditionSecurity=uefi-secureboot
We have the detector call for this anyway, and it's useful for conditioning out dbxtool.service, hence let's add this tiny new option.
---
 man/systemd.unit.xml | 14 ++++++--------
 src/shared/condition.c | 3 +++
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index 92c0f6297a..7605c43375 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -1107,15 +1107,13 @@ kernels into older versions provided by distributions. Hence, this check is inherently unportable and should not be used for units which may be used on different distributions.
- ConditionSecurity= may be used to
- check whether the given security module is enabled on the
+ ConditionSecurity= may be used to check
+ whether the given security technology is enabled on the system. Currently, the recognized values are
- selinux,
- apparmor,
- tomoyo,
- ima,
- smack and
- audit. The test may be negated by
+ selinux, apparmor,
+ tomoyo, ima,
+ smack, audit and
+ uefi-secureboot. The test may be negated by prepending an exclamation mark. ConditionCapability= may be used to
diff --git a/src/shared/condition.c b/src/shared/condition.c
index 525cc94936..2969a89b4e 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -21,6 +21,7 @@
 #include "cap-list.h"
 #include "cgroup-util.h"
 #include "condition.h"
+#include "efivars.h"
 #include "extract-word.h"
 #include "fd-util.h"
 #include "fileio.h"
@@ -376,6 +377,8 @@ static int condition_test_security(Condition *c) {
 return use_ima();
 if (streq(c->parameter, "tomoyo"))
 return mac_tomoyo_use();
+ if (streq(c->parameter, "uefi-secureboot"))
+ return is_efi_secure_boot();
 return false;
 }
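Review bot: The new `uefi-secureboot` branch in condition_test_security() has different semantics from every sibling value and nothing in the code says so: selinux/apparmor/tomoyo/ima/smack/audit probe a kernel subsystem at runtime, whereas this one returns whatever the firmware advertises through EFI variables, and on a non-EFI boot it presumably yields false rather than an error, so a unit conditioned on it silently stays off there. A one-line comment above the added `if` would make that explicit, e.g. `/* Unlike the kernel-side checks above, this reflects the firmware's reported state via EFI variables; on non-EFI boots it is simply false (confirm against is_efi_secure_boot()). */`. The man page hunk earlier in this patch also only lists the value by name; a phrase such as "reports whether the system was booted with UEFI Secure Boot enabled" would help readers who expect an LSM-style check. condition_test_security() begins before this hunk; only its tail is visible here.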