condition: add ConditionPathIsEncrypted=
authorLennart Poettering <lennart@poettering.net>
Thu, 14 May 2020 16:30:23 +0000 (18:30 +0200)
committerLennart Poettering <lennart@poettering.net>
Fri, 15 May 2020 13:50:09 +0000 (15:50 +0200)
It's easy to add, and should be pretty useful, in particular as
AssertPathIsEncrypted=, since it can be used to check that
some path is encrypted before a service is invoked that might want to
place secure material there.

src/analyze/analyze-condition.c
src/shared/condition.c
src/shared/condition.h
src/test/test-condition.c

index d0cefa099202d08587eea631f05986e537ee5489..370256b4339c32709dccbe14c54742027ba73aac 100644 (file)
@@ -21,6 +21,7 @@ static const condition_definition condition_definitions[] = {
         { "ConditionPathIsSymbolicLink",     config_parse_unit_condition_path,   CONDITION_PATH_IS_SYMBOLIC_LINK    },
         { "ConditionPathIsMountPoint",       config_parse_unit_condition_path,   CONDITION_PATH_IS_MOUNT_POINT      },
         { "ConditionPathIsReadWrite",        config_parse_unit_condition_path,   CONDITION_PATH_IS_READ_WRITE       },
+        { "ConditionPathIsEncrypted",        config_parse_unit_condition_path,   CONDITION_PATH_IS_ENCRYPTED        },
         { "ConditionDirectoryNotEmpty",      config_parse_unit_condition_path,   CONDITION_DIRECTORY_NOT_EMPTY      },
         { "ConditionFileNotEmpty",           config_parse_unit_condition_path,   CONDITION_FILE_NOT_EMPTY           },
         { "ConditionFileIsExecutable",       config_parse_unit_condition_path,   CONDITION_FILE_IS_EXECUTABLE       },
@@ -44,6 +45,7 @@ static const condition_definition condition_definitions[] = {
         { "AssertPathIsSymbolicLink",        config_parse_unit_condition_path,   CONDITION_PATH_IS_SYMBOLIC_LINK    },
         { "AssertPathIsMountPoint",          config_parse_unit_condition_path,   CONDITION_PATH_IS_MOUNT_POINT      },
         { "AssertPathIsReadWrite",           config_parse_unit_condition_path,   CONDITION_PATH_IS_READ_WRITE       },
+        { "AssertPathIsEncrypted",           config_parse_unit_condition_path,   CONDITION_PATH_IS_ENCRYPTED        },
         { "AssertDirectoryNotEmpty",         config_parse_unit_condition_path,   CONDITION_DIRECTORY_NOT_EMPTY      },
         { "AssertFileNotEmpty",              config_parse_unit_condition_path,   CONDITION_FILE_NOT_EMPTY           },
         { "AssertFileIsExecutable",          config_parse_unit_condition_path,   CONDITION_FILE_IS_EXECUTABLE       },
index 9f4c7fe3380f7639644dfc541d7c61840cd99505..2dbc14938acf08d9f293da730ac05621feb3ae06 100644 (file)
@@ -25,6 +25,7 @@
 #include "extract-word.h"
 #include "fd-util.h"
 #include "fileio.h"
+#include "fs-util.h"
 #include "glob-util.h"
 #include "hostname-util.h"
 #include "ima-util.h"
@@ -672,6 +673,20 @@ static int condition_test_path_is_read_write(Condition *c) {
         return path_is_read_only_fs(c->parameter) <= 0;
 }
 
+static int condition_test_path_is_encrypted(Condition *c) {
+        int r;
+
+        assert(c);
+        assert(c->parameter);
+        assert(c->type == CONDITION_PATH_IS_ENCRYPTED);
+
+        r = path_is_encrypted(c->parameter);
+        if (r < 0 && r != -ENOENT)
+                log_debug_errno(r, "Failed to determine if '%s' is encrypted: %m", c->parameter);
+
+        return r > 0;
+}
+
 static int condition_test_directory_not_empty(Condition *c) {
         int r;
 
@@ -725,6 +740,7 @@ int condition_test(Condition *c) {
                 [CONDITION_PATH_IS_SYMBOLIC_LINK]    = condition_test_path_is_symbolic_link,
                 [CONDITION_PATH_IS_MOUNT_POINT]      = condition_test_path_is_mount_point,
                 [CONDITION_PATH_IS_READ_WRITE]       = condition_test_path_is_read_write,
+                [CONDITION_PATH_IS_ENCRYPTED]        = condition_test_path_is_encrypted,
                 [CONDITION_DIRECTORY_NOT_EMPTY]      = condition_test_directory_not_empty,
                 [CONDITION_FILE_NOT_EMPTY]           = condition_test_file_not_empty,
                 [CONDITION_FILE_IS_EXECUTABLE]       = condition_test_file_is_executable,
@@ -852,6 +868,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
         [CONDITION_PATH_IS_SYMBOLIC_LINK] = "ConditionPathIsSymbolicLink",
         [CONDITION_PATH_IS_MOUNT_POINT] = "ConditionPathIsMountPoint",
         [CONDITION_PATH_IS_READ_WRITE] = "ConditionPathIsReadWrite",
+        [CONDITION_PATH_IS_ENCRYPTED] = "ConditionPathIsEncrypted",
         [CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
         [CONDITION_FILE_NOT_EMPTY] = "ConditionFileNotEmpty",
         [CONDITION_FILE_IS_EXECUTABLE] = "ConditionFileIsExecutable",
@@ -882,6 +899,7 @@ static const char* const assert_type_table[_CONDITION_TYPE_MAX] = {
         [CONDITION_PATH_IS_SYMBOLIC_LINK] = "AssertPathIsSymbolicLink",
         [CONDITION_PATH_IS_MOUNT_POINT] = "AssertPathIsMountPoint",
         [CONDITION_PATH_IS_READ_WRITE] = "AssertPathIsReadWrite",
+        [CONDITION_PATH_IS_ENCRYPTED] = "AssertPathIsEncrypted",
         [CONDITION_DIRECTORY_NOT_EMPTY] = "AssertDirectoryNotEmpty",
         [CONDITION_FILE_NOT_EMPTY] = "AssertFileNotEmpty",
         [CONDITION_FILE_IS_EXECUTABLE] = "AssertFileIsExecutable",
index 84322e74259a0cf1e2a80db64fd74af559383e8e..6064ccdaed56eaef2691c7ee12865a8885ffd22b 100644 (file)
@@ -28,6 +28,7 @@ typedef enum ConditionType {
         CONDITION_PATH_IS_SYMBOLIC_LINK,
         CONDITION_PATH_IS_MOUNT_POINT,
         CONDITION_PATH_IS_READ_WRITE,
+        CONDITION_PATH_IS_ENCRYPTED,
         CONDITION_DIRECTORY_NOT_EMPTY,
         CONDITION_FILE_NOT_EMPTY,
         CONDITION_FILE_IS_EXECUTABLE,
@@ -96,6 +97,7 @@ static inline bool condition_takes_path(ConditionType t) {
                       CONDITION_PATH_IS_SYMBOLIC_LINK,
                       CONDITION_PATH_IS_MOUNT_POINT,
                       CONDITION_PATH_IS_READ_WRITE,
+                      CONDITION_PATH_IS_ENCRYPTED,
                       CONDITION_DIRECTORY_NOT_EMPTY,
                       CONDITION_FILE_NOT_EMPTY,
                       CONDITION_FILE_IS_EXECUTABLE,
index 8c48518774d672f085c26df737ca4263e3e7ec85..0c78194185d2b9e2795c5a4e1100695a37ddc0c9 100644 (file)
@@ -112,6 +112,11 @@ static void test_condition_test_path(void) {
         assert_se(condition_test(condition) > 0);
         condition_free(condition);
 
+        condition = condition_new(CONDITION_PATH_IS_ENCRYPTED, "/sys", false, false);
+        assert_se(condition);
+        assert_se(condition_test(condition) == 0);
+        condition_free(condition);
+
         condition = condition_new(CONDITION_PATH_IS_SYMBOLIC_LINK, "/dev/stdout", false, false);
         assert_se(condition);
         assert_se(condition_test(condition) > 0);
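Review bot: The new test only exercises the negative case on `/sys`; the missing-path branch that condition_test_path_is_encrypted maps to "not encrypted" is left untested, although that is exactly the fail-closed behaviour AssertPathIsEncrypted= relies on. A positive case is hard to arrange in a test environment, but a block mirroring the /sys one with a path that does not exist, expecting 0, pins the -ENOENT handling against regressions. test_condition_test_path begins and ends outside this hunk.
```c
        /* … unchanged: CONDITION_PATH_IS_ENCRYPTED check on /sys … */
        /* constructed sample: any path that is guaranteed not to exist */
        condition = condition_new(CONDITION_PATH_IS_ENCRYPTED, "/nonexistent-path-for-test", false, false);
        assert_se(condition);
        assert_se(condition_test(condition) == 0);
        condition_free(condition);
```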