kernels into older versions provided by distributions. Hence, this check is inherently unportable and should
not be used for units which may be used on different distributions.</para>
- <para><varname>ConditionSecurity=</varname> may be used to
- check whether the given security module is enabled on the
+ <para><varname>ConditionSecurity=</varname> may be used to check
+ whether the given security technology is enabled on the
system. Currently, the recognized values are
- <varname>selinux</varname>,
- <varname>apparmor</varname>,
- <varname>tomoyo</varname>,
- <varname>ima</varname>,
- <varname>smack</varname> and
- <varname>audit</varname>. The test may be negated by
+ <varname>selinux</varname>, <varname>apparmor</varname>,
+ <varname>tomoyo</varname>, <varname>ima</varname>,
+ <varname>smack</varname>, <varname>audit</varname> and
+ <varname>uefi-secureboot</varname>. The test may be negated by
prepending an exclamation mark.</para>
<para><varname>ConditionCapability=</varname> may be used to
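Review bot: The added uefi-secureboot entry in the value list does not say how the condition evaluates on a system that was not booted through UEFI, or on one where the Secure Boot state cannot be read. The same paragraph allows negation with an exclamation mark, so a unit written with ConditionSecurity=!uefi-secureboot depends on that answer. Suggest adding one sentence that states the result in those two cases.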
#include "cap-list.h"
#include "cgroup-util.h"
#include "condition.h"
+#include "efivars.h"
#include "extract-word.h"
#include "fd-util.h"
#include "fileio.h"
return use_ima();
if (streq(c->parameter, "tomoyo"))
return mac_tomoyo_use();
+ if (streq(c->parameter, "uefi-secureboot"))
+ return is_efi_secure_boot();
return false;
}
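Review bot: In the new uefi-secureboot branch, the result of is_efi_secure_boot() is returned unchecked, and its declaration is not visible in this hunk. If it can report a read failure as a negative value, that value is passed to the caller as is. If it returns a plain boolean, a failure to read the state is indistinguishable from Secure Boot being disabled, which matters for units that negate the check. Suggest confirming the return type and, if failure is possible, logging it at debug level before returning false. The visible hunks also add no test for the new value.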