From: Lennart Poettering Date: Wed, 20 Jun 2018 16:52:52 +0000 (+0200) Subject: condition: add new condition ConditionSecurity=uefi-secureboot X-Git-Tag: v239~12 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=be405b909e5d78b43e3af47e0d10cd84c714e2f3;p=thirdparty%2Fsystemd.git condition: add new condition ConditionSecurity=uefi-secureboot We have the detector call for this anyway, and it's useful for conditioning out dbxtool.service, hence let's add this tiny new option. --- diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml index 92c0f6297a9..7605c433758 100644 --- a/man/systemd.unit.xml +++ b/man/systemd.unit.xml @@ -1107,15 +1107,13 @@ kernels into older versions provided by distributions. Hence, this check is inherently unportable and should not be used for units which may be used on different distributions. - ConditionSecurity= may be used to - check whether the given security module is enabled on the + ConditionSecurity= may be used to check + whether the given security technology is enabled on the system. Currently, the recognized values are - selinux, - apparmor, - tomoyo, - ima, - smack and - audit. The test may be negated by + selinux, apparmor, + tomoyo, ima, + smack, audit and + uefi-secureboot. The test may be negated by prepending an exclamation mark. ConditionCapability= may be used to diff --git a/src/shared/condition.c b/src/shared/condition.c index 525cc94936f..2969a89b4e3 100644 --- a/src/shared/condition.c +++ b/src/shared/condition.c @@ -21,6 +21,7 @@ #include "cap-list.h" #include "cgroup-util.h" #include "condition.h" +#include "efivars.h" #include "extract-word.h" #include "fd-util.h" #include "fileio.h" @@ -376,6 +377,8 @@ static int condition_test_security(Condition *c) { return use_ima(); if (streq(c->parameter, "tomoyo")) return mac_tomoyo_use(); + if (streq(c->parameter, "uefi-secureboot")) + return is_efi_secure_boot(); return false; }
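Review bot: the man/systemd.unit.xml hunk lists the new uefi-secureboot value but does not say what the condition evaluates to when the answer cannot be determined, which matters for a value that depends on firmware state rather than a kernel LSM: on a non-EFI boot, or when the SecureBoot EFI variable cannot be read, the condition presumably fails like the other values do, so a unit gated on it (the dbxtool.service case from the commit message) is simply skipped, and an admin cannot tell "Secure Boot disabled" from "could not determine". Suggest adding one sentence after "uefi-secureboot." stating that the check is false on non-EFI systems, and noting that the negated form "!uefi-secureboot" is therefore true on those systems as well.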
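Review bot: the second src/shared/condition.c hunk adds the "uefi-secureboot" branch to condition_test_security() but the patch carries no matching test case, while the sibling values it sits next to (ima, tomoyo) are exercised by the existing condition tests; please add a case that checks both "uefi-secureboot" and "!uefi-secureboot" so that exactly one of them is true regardless of the build host's firmware. Also worth a comment on the new branch that is_efi_secure_boot() returns a plain true/false, so a read error on the EFI variable is reported as the condition being false rather than as an error, unlike the negative return codes some of the other helpers in this function can produce.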