/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/ /*** This file is part of systemd. Copyright 2010 Lennart Poettering systemd is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. systemd is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with systemd; If not, see . ***/ #include #include #include #include #include #include #include #include "sd-id128.h" #include "util.h" #include "condition.h" #include "virt.h" #include "path-util.h" #include "fileio.h" #include "unit.h" #include "smack-util.h" #include "apparmor-util.h" #include "ima-util.h" #include "selinux-util.h" #include "audit.h" static int condition_test_security(Condition *c) { assert(c); assert(c->parameter); assert(c->type == CONDITION_SECURITY); if (streq(c->parameter, "selinux")) return mac_selinux_use() == !c->negate; if (streq(c->parameter, "smack")) return mac_smack_use() == !c->negate; if (streq(c->parameter, "apparmor")) return mac_apparmor_use() == !c->negate; if (streq(c->parameter, "audit")) return use_audit() == !c->negate; if (streq(c->parameter, "ima")) return use_ima() == !c->negate; return c->negate; } static int condition_test_capability(Condition *c) { _cleanup_fclose_ FILE *f = NULL; cap_value_t value; char line[LINE_MAX]; unsigned long long capabilities = -1; assert(c); assert(c->parameter); assert(c->type == CONDITION_CAPABILITY); /* If it's an invalid capability, we don't have it */ if (cap_from_name(c->parameter, &value) < 0) return -EINVAL; /* If it's a valid capability we default to assume * that we have it */ f = fopen("/proc/self/status", "re"); if (!f) return -errno; while (fgets(line, sizeof(line), f)) { truncate_nl(line); if (startswith(line, "CapBnd:")) { (void) sscanf(line+7, "%llx", &capabilities); break; } } return !!(capabilities & (1ULL << value)) == !c->negate; } static bool condition_test_needs_update(Condition *c) { const char *p; struct stat usr, other; assert(c); assert(c->parameter); assert(c->type == CONDITION_NEEDS_UPDATE); /* If the file system is read-only we shouldn't suggest an update */ if (path_is_read_only_fs(c->parameter) > 0) return c->negate; /* Any other failure means we should allow the condition to be true, * so that we rather invoke too many update tools then too * few. */ if (!path_is_absolute(c->parameter)) return !c->negate; p = strappenda(c->parameter, "/.updated"); if (lstat(p, &other) < 0) return !c->negate; if (lstat("/usr/", &usr) < 0) return !c->negate; return (usr.st_mtim.tv_sec > other.st_mtim.tv_sec || (usr.st_mtim.tv_sec == other.st_mtim.tv_sec && usr.st_mtim.tv_nsec > other.st_mtim.tv_nsec)) == !c->negate; } static bool condition_test_first_boot(Condition *c) { int r; assert(c); assert(c->parameter); assert(c->type == CONDITION_FIRST_BOOT); r = parse_boolean(c->parameter); if (r < 0) return r; return ((access("/run/systemd/first-boot", F_OK) >= 0) == !!r) == !c->negate; } static int condition_test(Condition *c) { assert(c); switch(c->type) { case CONDITION_PATH_EXISTS: return (access(c->parameter, F_OK) >= 0) == !c->negate; case CONDITION_PATH_EXISTS_GLOB: return (glob_exists(c->parameter) > 0) == !c->negate; case CONDITION_PATH_IS_DIRECTORY: { struct stat st; if (stat(c->parameter, &st) < 0) return c->negate; return S_ISDIR(st.st_mode) == !c->negate; } case CONDITION_PATH_IS_SYMBOLIC_LINK: { struct stat st; if (lstat(c->parameter, &st) < 0) return c->negate; return S_ISLNK(st.st_mode) == !c->negate; } case CONDITION_PATH_IS_MOUNT_POINT: return (path_is_mount_point(c->parameter, true) > 0) == !c->negate; case CONDITION_PATH_IS_READ_WRITE: return (path_is_read_only_fs(c->parameter) > 0) == c->negate; case CONDITION_DIRECTORY_NOT_EMPTY: { int k; k = dir_is_empty(c->parameter); return !(k == -ENOENT || k > 0) == !c->negate; } case CONDITION_FILE_NOT_EMPTY: { struct stat st; if (stat(c->parameter, &st) < 0) return c->negate; return (S_ISREG(st.st_mode) && st.st_size > 0) == !c->negate; } case CONDITION_FILE_IS_EXECUTABLE: { struct stat st; if (stat(c->parameter, &st) < 0) return c->negate; return (S_ISREG(st.st_mode) && (st.st_mode & 0111)) == !c->negate; } case CONDITION_KERNEL_COMMAND_LINE: return condition_test_kernel_command_line(c); case CONDITION_VIRTUALIZATION: return condition_test_virtualization(c); case CONDITION_SECURITY: return condition_test_security(c); case CONDITION_CAPABILITY: return condition_test_capability(c); case CONDITION_HOST: return condition_test_host(c); case CONDITION_AC_POWER: return condition_test_ac_power(c); case CONDITION_ARCHITECTURE: return condition_test_architecture(c); case CONDITION_NEEDS_UPDATE: return condition_test_needs_update(c); case CONDITION_FIRST_BOOT: return condition_test_first_boot(c); case CONDITION_NULL: return !c->negate; default: assert_not_reached("Invalid condition type."); } } bool condition_test_list(const char *unit, Condition *first) { Condition *c; int triggered = -1; /* If the condition list is empty, then it is true */ if (!first) return true; /* Otherwise, if all of the non-trigger conditions apply and * if any of the trigger conditions apply (unless there are * none) we return true */ LIST_FOREACH(conditions, c, first) { int r; r = condition_test(c); if (r < 0) log_warning_unit(unit, "Couldn't determine result for %s=%s%s%s for %s, assuming failed: %s", condition_type_to_string(c->type), c->trigger ? "|" : "", c->negate ? "!" : "", c->parameter, unit, strerror(-r)); else log_debug_unit(unit, "%s=%s%s%s %s for %s.", condition_type_to_string(c->type), c->trigger ? "|" : "", c->negate ? "!" : "", c->parameter, r > 0 ? "succeeded" : "failed", unit); c->state = r > 0 ? CONDITION_STATE_SUCCEEDED : CONDITION_STATE_FAILED; if (!c->trigger && r <= 0) return false; if (c->trigger && triggered <= 0) triggered = r > 0; } return triggered != 0; }