condition: add ConditionSecurity

Using ConditionSecurity a unit can depend on a security module being
enabled/disabled. For now the only recognized security module is SELinux.

I'd like to use this feature for a unit that creates /.autorelabel if
SELinux is disabled, to ensure a relabel is done automatically when the
system is later rebooted with SELinux enabled.

diff --git a/src/condition.c b/src/condition.c
index 5ab77d80f8fdada75c9eada360ce79f0dc435517..ee0809f76d421a8ec32bb214b483f3b23a6f4c54 100644 (file)
--- a/src/condition.c
+++ b/src/condition.c
@@ -24,6 +24,10 @@
 #include <string.h>
 #include <unistd.h>
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "util.h"
 #include "condition.h"
 
@@ -128,6 +132,14 @@ static bool test_virtualization(const char *parameter) {
         return streq(parameter, id);
 }
 
+static bool test_security(const char *parameter) {
+#ifdef HAVE_SELINUX
+        if (!strcasecmp(parameter, "SELinux"))
+                return is_selinux_enabled() > 0;
+#endif
+        return false;
+}
+
 bool condition_test(Condition *c) {
         assert(c);
 
@@ -157,6 +169,9 @@ bool condition_test(Condition *c) {
         case CONDITION_VIRTUALIZATION:
                 return test_virtualization(c->parameter) == !c->negate;
 
+        case CONDITION_SECURITY:
+                return test_security(c->parameter) == !c->negate;
+
         case CONDITION_NULL:
                 return !c->negate;
 
@@ -220,6 +235,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
         [CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
         [CONDITION_KERNEL_COMMAND_LINE] = "ConditionKernelCommandLine",
         [CONDITION_VIRTUALIZATION] = "ConditionVirtualization",
+        [CONDITION_SECURITY] = "ConditionSecurity",
         [CONDITION_NULL] = "ConditionNull"
 };
 

diff --git a/src/condition.h b/src/condition.h
index 9913c8c84020b3395fa57c5707b20f130d955f4e..84028028c40f75721e6b23e76ce5097656a43cfa 100644 (file)
--- a/src/condition.h
+++ b/src/condition.h
@@ -32,6 +32,7 @@ typedef enum ConditionType {
         CONDITION_DIRECTORY_NOT_EMPTY,
         CONDITION_KERNEL_COMMAND_LINE,
         CONDITION_VIRTUALIZATION,
+        CONDITION_SECURITY,
         CONDITION_NULL,
         _CONDITION_TYPE_MAX,
         _CONDITION_TYPE_INVALID = -1

diff --git a/src/load-fragment.c b/src/load-fragment.c
index cb8c2508919c0b972d154a3bd2495b6965f9277e..eea545c8d983a02e7a41bfaa1380d1513c0fd6e9 100644 (file)
--- a/src/load-fragment.c
+++ b/src/load-fragment.c
@@ -1853,6 +1853,7 @@ static int load_from_path(Unit *u, const char *path) {
                 { "ConditionDirectoryNotEmpty", config_parse_condition_path, CONDITION_DIRECTORY_NOT_EMPTY, u,                "Unit"    },
                 { "ConditionKernelCommandLine", config_parse_condition_string, CONDITION_KERNEL_COMMAND_LINE, u,              "Unit"    },
                 { "ConditionVirtualization",    config_parse_condition_string, CONDITION_VIRTUALIZATION, u,                   "Unit"    },
+                { "ConditionSecurity",          config_parse_condition_string, CONDITION_SECURITY, u,                         "Unit"    },
                 { "ConditionNull",          config_parse_condition_null,  0, u,                                               "Unit"    },
 
                 { "PIDFile",                config_parse_path,            0, &u->service.pid_file,                            "Service" },