| field | value | date |
|---|---|---|
| author | Lennart Poettering <lennart@poettering.net> | 2018-06-20 18:52:52 +0200 |
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-06-20 22:33:47 +0200 |
| commit | be405b909e5d78b43e3af47e0d10cd84c714e2f3 (patch) | |
| tree | 9bc1fa2b21eeaaf5f6609905af57094365cd004b | |
| parent | 92963e74dfa597038ca35799980ba8832fc8c5a4 (diff) | |
| download | systemd-be405b909e5d78b43e3af47e0d10cd84c714e2f3.tar.gz | |
condition: add new condition ConditionSecurity=uefi-secureboot
We have the detector call for this anyway, and it's useful for
conditioning out dbxtool.service, hence let's add this tiny new option.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | man/systemd.unit.xml | 14 |
| -rw-r--r-- | src/shared/condition.c | 3 |

2 files changed, 9 insertions, 8 deletions
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 92c0f6297a..7605c43375 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -1107,15 +1107,13 @@ kernels into older versions provided by distributions. Hence, this check is inherently unportable and should not be used for units which may be used on different distributions.</para> - <para><varname>ConditionSecurity=</varname> may be used to - check whether the given security module is enabled on the + <para><varname>ConditionSecurity=</varname> may be used to check + whether the given security technology is enabled on the system. Currently, the recognized values are - <varname>selinux</varname>, - <varname>apparmor</varname>, - <varname>tomoyo</varname>, - <varname>ima</varname>, - <varname>smack</varname> and - <varname>audit</varname>. The test may be negated by + <varname>selinux</varname>, <varname>apparmor</varname>, + <varname>tomoyo</varname>, <varname>ima</varname>, + <varname>smack</varname>, <varname>audit</varname> and + <varname>uefi-secureboot</varname>. The test may be negated by prepending an exclamation mark.</para> <para><varname>ConditionCapability=</varname> may be used to diff --git a/src/shared/condition.c b/src/shared/condition.c index 525cc94936..2969a89b4e 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c @@ -21,6 +21,7 @@ #include "cap-list.h" #include "cgroup-util.h" #include "condition.h" +#include "efivars.h" #include "extract-word.h" #include "fd-util.h" #include "fileio.h" @@ -376,6 +377,8 @@ static int condition_test_security(Condition *c) { return use_ima(); if (streq(c->parameter, "tomoyo")) return mac_tomoyo_use(); + if (streq(c->parameter, "uefi-secureboot")) + return is_efi_secure_boot(); return false; } |
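Review bot: the man/systemd.unit.xml hunk adds <varname>uefi-secureboot</varname> to the list of accepted values but does not say what "enabled" means for it, unlike the other entries, which are all kernel security modules or subsystems; since this value is backed by is_efi_secure_boot() from efivars.h (see the condition.c hunk), the check depends on the firmware-reported Secure Boot state being readable at runtime, so the paragraph should state that the condition evaluates to false on non-EFI systems or where the EFI variable cannot be read. The rewording from "security module" to "security technology" is appropriate, as Secure Boot is firmware state rather than an LSM, and the reflowed <varname> list is easier to maintain.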
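Review bot: in the condition_test_security() hunk the new branch returns is_efi_secure_boot() directly as the condition result, mirroring the use_ima() and mac_tomoyo_use() branches above it and the trailing `return false;` fallback; confirm that is_efi_secure_boot() yields a plain bool (false on non-EFI boots or when the variable is unavailable) rather than a negative errno, because condition_test_security() propagates its return value and a negative value would surface as a condition error instead of "not enabled". The commit message names dbxtool.service as the intended user; a unit test exercising "uefi-secureboot" and "!uefi-secureboot" alongside the existing values would be worth adding in the same change.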