On 05/07/2013 01:32 PM, Lennart Poettering wrote:
> On Tue, 07.05.13 13:21, Karol Lewandowski ([email protected]) wrote:
>
> Heya,
>
> Hmm, does that directory always exist? Or only if AppArmor is actually
> runtime enabled?
/sys/fs/smackfs is only registered when smack lsm is actually enabled: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/smack/smackfs.c?id=e93072374112db9dc86635934ee761249be28370#n2179 > I.e. this check should ideally only return true if SMACK is not only > built into the kernel, but actually really enabled during > runtime. That's what the SELinux check does and what the most useful > semantics are. Ok, I see that libselinux will consider selinux to be disabled also when policy is not loaded: http://userspace.selinuxproject.org/trac/browser/libselinux/src/enabled.c#L12 I guess we could do something similar (inspect /proc/self/attr/current) but honestly, I don't think it's really needed. Rafał, could you correct me if I'm wrong? Cheers > >> Signed-off-by: Karol Lewandowski <[email protected]> >> >> diff --git a/man/systemd.unit.xml b/man/systemd.unit.xml >> index 49103da..256c813 100644 >> --- a/man/systemd.unit.xml >> +++ b/man/systemd.unit.xml >> @@ -984,8 +984,9 @@ >> may be used to check whether the given >> security module is enabled on the >> system. Currently the only recognized >> - values are <varname>selinux</varname> >> - and <varname>apparmor</varname>. >> + values are <varname>selinux</varname>, >> + <varname>apparmor</varname> and >> + <varname>smack</varname>. >> The test may be negated by prepending >> an exclamation >> mark.</para> >> diff --git a/src/core/condition.c b/src/core/condition.c >> index 4aa5530..16cae6d 100644 >> --- a/src/core/condition.c >> +++ b/src/core/condition.c 
>> @@ -164,6 +164,8 @@ static bool test_security(const char *parameter) { >> #endif >> if (streq(parameter, "apparmor")) >> return access("/sys/kernel/security/apparmor/", F_OK) == 0; >> + if (streq(parameter, "smack")) >> + return access("/sys/fs/smackfs", F_OK) == 0; >> return false; >> } >> > > > Lennart > _______________________________________________ systemd-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/systemd-devel
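Review bot: the new "smack" branch in test_security() only tests that /sys/fs/smackfs exists (access("/sys/fs/smackfs", F_OK) == 0), i.e. that the kernel registered smackfs, which the discussion above itself distinguishes from the stricter libselinux semantics of "really enabled at runtime, policy loaded"; either state in the man page text of the first hunk that ConditionSecurity=smack means "Smack is enabled in the running kernel" (not that rules are loaded), or add the /proc/self/attr/current inspection mentioned in the thread so the condition matches the SELinux behaviour. Minor style point: the existing apparmor check uses a trailing slash ("/sys/kernel/security/apparmor/") while the new path does not ("/sys/fs/smackfs"); F_OK accepts both, but keeping the two lines consistent avoids the question.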
