unit: add "cvm" option for ConditionSecurity
The "cvm" flag indicates whether the OS is running inside a confidential virtual machine. Related: https://github.com/systemd/systemd/issues/27604 Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
f460fec915
commit
95d043b159
|
@ -1404,8 +1404,8 @@
|
|||
security technology is enabled on the system. Currently, the recognized values are
|
||||
<literal>selinux</literal>, <literal>apparmor</literal>, <literal>tomoyo</literal>,
|
||||
<literal>ima</literal>, <literal>smack</literal>, <literal>audit</literal>,
|
||||
<literal>uefi-secureboot</literal> and <literal>tpm2</literal>. The test may be negated by prepending
|
||||
an exclamation mark.</para>
|
||||
<literal>uefi-secureboot</literal>, <literal>tpm2</literal> and <literal>cvm</literal>.
|
||||
The test may be negated by prepending an exclamation mark.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
|
|
@ -24,6 +24,7 @@
|
|||
#include "cgroup-util.h"
|
||||
#include "compare-operator.h"
|
||||
#include "condition.h"
|
||||
#include "confidential-virt.h"
|
||||
#include "cpu-set-util.h"
|
||||
#include "creds-util.h"
|
||||
#include "efi-api.h"
|
||||
|
@ -689,6 +690,8 @@ static int condition_test_security(Condition *c, char **env) {
|
|||
return is_efi_secure_boot();
|
||||
if (streq(c->parameter, "tpm2"))
|
||||
return has_tpm2();
|
||||
if (streq(c->parameter, "cvm"))
|
||||
return detect_confidential_virtualization() > 0;
|
||||
|
||||
return false;
|
||||
}
|
||||
|
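Review bot: The new `cvm` branch returns `detect_confidential_virtualization() > 0`, while the test added in the @ -784 hunk asserts that `condition_test()` equals `detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE`; these two predicates disagree if the detector can return a negative error value, in which case the test would expect true while the condition yields false. Treating a detection error as "not confidential" is the right fail-closed choice for a condition that gates units meant to run only inside a confidential VM, so I would keep `> 0` here and make the test (and the `print_securities` log line in the @ -795 hunk) use the same predicate, e.g. `assert_se(condition_test(condition, environ) == (detect_confidential_virtualization() > 0));`. A short comment above the return would make the intent explicit: `/* Detection errors (negative) count as "not confidential" so the condition fails closed. */`. condition_test_security starts outside the hunk.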
|
|
@ -14,6 +14,7 @@
|
|||
#include "battery-util.h"
|
||||
#include "cgroup-util.h"
|
||||
#include "condition.h"
|
||||
#include "confidential-virt.h"
|
||||
#include "cpu-set-util.h"
|
||||
#include "efi-loader.h"
|
||||
#include "env-util.h"
|
||||
|
@ -784,6 +785,12 @@ TEST(condition_test_security) {
|
|||
assert_se(condition);
|
||||
assert_se(condition_test(condition, environ) == is_efi_secure_boot());
|
||||
condition_free(condition);
|
||||
|
||||
condition = condition_new(CONDITION_SECURITY, "cvm", false, false);
|
||||
assert_se(condition);
|
||||
assert_se(condition_test(condition, environ) ==
|
||||
(detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));
|
||||
condition_free(condition);
|
||||
}
|
||||
|
||||
TEST(print_securities) {
|
||||
|
@ -795,6 +802,8 @@ TEST(print_securities) {
|
|||
log_info("SMACK: %s", yes_no(mac_smack_use()));
|
||||
log_info("Audit: %s", yes_no(use_audit()));
|
||||
log_info("UEFI secure boot: %s", yes_no(is_efi_secure_boot()));
|
||||
log_info("Confidential VM: %s", yes_no
|
||||
(detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));
|
||||
log_info("-------------------------------------------");
|
||||
}
|
||||
|
||||
|
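Review bot: The wrapped call `yes_no` / `(detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE)` splits a function name from its argument list across two lines, which reads as a stray parenthesized expression and does not match the single-line `log_info(...)` calls next to it. Break after the comma instead: `log_info("Confidential VM: %s",` followed by `yes_no(detect_confidential_virtualization() != CONFIDENTIAL_VIRTUALIZATION_NONE));` on the continuation line. The body of print_securities starts outside the hunk.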
|