[systemd-commits] 2 commits - man/systemd.unit.xml src/core TODO

Auke-Jan Kok auke at kemper.freedesktop.org
Sat May 11 13:43:24 PDT 2013


 TODO                 |    2 --
 man/systemd.unit.xml |    5 +++--
 src/core/condition.c |   10 ++++++----
 3 files changed, 9 insertions(+), 8 deletions(-)

New commits:
commit 9d995d54b54dcf9c776a0d88edad3b6aab3c36b5
Author: Auke Kok <auke-jan.h.kok at intel.com>
Date:   Sat May 11 13:40:08 2013 -0700

    Add support for ConditionSecurity=ima
    
    Just as with SMACK, we don't really know if a policy has been
    loaded or not, as the policy interface is write-only. Assume
    therefore that if ima is present in securityfs, it is enabled.
    
    Update the man page to reflect that "ima" is a valid option
    now as well.

diff --git a/TODO b/TODO
index 8d4b937..9b27674 100644
--- a/TODO
+++ b/TODO
@@ -456,8 +456,6 @@ Features:
 
 * ExecOnFailure=/usr/bin/foo
 
-* ConditionSecurity= should learn about IMA and SMACK
-
 * udev:
   - remove src/udev/udev-builtin-firmware.c (CONFIG_FW_LOADER_USER_HELPER=n)
   - move to LGPL
diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
index c56837a..5ab9881 100644
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@@ -983,9 +983,10 @@
                                 <para><varname>ConditionSecurity=</varname>
                                 may be used to check whether the given
                                 security module is enabled on the
-                                system.  Currently the only recognized
+                                system. Currently the recognized values
                                 values are <varname>selinux</varname>,
-                                <varname>apparmor</varname>, and
+                                <varname>apparmor</varname>,
+                                <varname>ima</varname> and
                                 <varname>smack</varname>.
                                 The test may be negated by prepending
                                 an exclamation
diff --git a/src/core/condition.c b/src/core/condition.c
index abed4e5..4293d6d 100644
--- a/src/core/condition.c
+++ b/src/core/condition.c
@@ -164,6 +164,8 @@ static bool test_security(const char *parameter) {
 #endif
         if (streq(parameter, "apparmor"))
                 return access("/sys/kernel/security/apparmor/", F_OK) == 0;
+        if (streq(parameter, "ima"))
+                return access("/sys/kernel/security/ima/", F_OK) == 0;
         if (streq(parameter, "smack"))
                 return access("/sys/fs/smackfs", F_OK) == 0;
         return false;
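Review bot: The new `ima` branch reports IMA as enabled whenever `/sys/kernel/security/ima/` exists, which only shows that the kernel exposes IMA through securityfs (and that securityfs is mounted at that path), not that a policy has been loaded; the commit message states this assumption but the code does not carry it. A comment above the added check would keep that caveat with the code, e.g. `/* IMA's policy interface is write-only, so the presence of the securityfs directory is the only available signal; it does not prove a policy is loaded. */`, and the man page entry for `ima` and `smack` could say the same, since unit authors will otherwise read "enabled" as "enforcing". Separately, the man page hunk as the commit leaves it reads "Currently the recognized values values are" across two lines; the duplicated word should go. test_security begins and ends outside this hunk.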

commit a41f47abd349b55fc4077fbb69d5da7eb6663668
Author: Auke Kok <auke-jan.h.kok at intel.com>
Date:   Sat May 11 13:35:38 2013 -0700

    Re-indent with spaces.

diff --git a/src/core/condition.c b/src/core/condition.c
index 16cae6d..abed4e5 100644
--- a/src/core/condition.c
+++ b/src/core/condition.c
@@ -162,10 +162,10 @@ static bool test_security(const char *parameter) {
         if (streq(parameter, "selinux"))
                 return is_selinux_enabled() > 0;
 #endif
-	if (streq(parameter, "apparmor"))
-		return access("/sys/kernel/security/apparmor/", F_OK) == 0;
-	if (streq(parameter, "smack"))
-		return access("/sys/fs/smackfs", F_OK) == 0;
+        if (streq(parameter, "apparmor"))
+                return access("/sys/kernel/security/apparmor/", F_OK) == 0;
+        if (streq(parameter, "smack"))
+                return access("/sys/fs/smackfs", F_OK) == 0;
         return false;
 }
 


