[systemd-devel] [PATCH] condition, man: Add support for ConditionSecurity=smack

Lennart Poettering lennart at poettering.net
Tue May 7 04:32:57 PDT 2013


On Tue, 07.05.13 13:21, Karol Lewandowski (k.lewandowsk at samsung.com) wrote:

Heya,

Hmm, does that directory always exist? Or only if AppArmor is actually
runtime enabled?

I.e. this check should ideally only return true if SMACK is not only
built into the kernel, but actually really enabled during
runtime. That's what the SELinux check does and what the most useful
semantics are.

> Signed-off-by: Karol Lewandowski <k.lewandowsk at samsung.com>
> 
> diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml
> index 49103da..256c813 100644
> --- a/man/systemd.unit.xml
> +++ b/man/systemd.unit.xml
> @@ -984,8 +984,9 @@
>                                  may be used to check whether the given
>                                  security module is enabled on the
>                                  system.  Currently the only recognized
> -                                values are <varname>selinux</varname>
> -                                and <varname>apparmor</varname>.
> +                                values are <varname>selinux</varname>,
> +                                <varname>apparmor</varname> and
> +                                <varname>smack</varname>.
>                                  The test may be negated by prepending
>                                  an exclamation
>                                  mark.</para>
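
Review bot: the added <varname>smack</varname> value inherits the existing wording "whether the given security module is enabled on the system", but the condition.c part of this patch only tests that /sys/fs/smackfs exists. Either state here what a true result means for smack (built into the kernel, or active at runtime), or tighten the check so that "enabled" holds for all three listed values.
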
> diff --git a/src/core/condition.c b/src/core/condition.c
> index 4aa5530..16cae6d 100644
> --- a/src/core/condition.c
> +++ b/src/core/condition.c
> @@ -164,6 +164,8 @@ static bool test_security(const char *parameter) {
>  #endif
>  	if (streq(parameter, "apparmor"))
>  		return access("/sys/kernel/security/apparmor/", F_OK) == 0;
> +	if (streq(parameter, "smack"))
> +		return access("/sys/fs/smackfs", F_OK) == 0;
>          return false;
>  }
>  
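
Review bot: access("/sys/fs/smackfs", F_OK) in the new smack branch proves only that the path exists, not that smackfs is mounted there or that SMACK is active at runtime. Nothing in the patch shows that the directory is absent when SMACK is compiled in but unused. Please state in the commit message when the kernel creates that directory. If it exists regardless of runtime state, test instead for something that is only present once smackfs is mounted, so that the condition matches the "enabled" semantics documented in systemd.unit.xml.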


Lennart

-- 
Lennart Poettering - Red Hat, Inc.

