Add support for ConditionSecurity=ima

Just as with SMACK, we don't really know if a policy has been
loaded or not, as the policy interface is write-only. Assume
therefore that if ima is present in securityfs that it is
enabled.

Update the man page to reflect that "ima" is a valid option
now as well.

TODO

@@ -456,8 +456,6 @@ Features:
 
 * ExecOnFailure=/usr/bin/foo
 
-* ConditionSecurity= should learn about IMA and SMACK
-
 * udev:
   - remove src/udev/udev-builtin-firmware.c (CONFIG_FW_LOADER_USER_HELPER=n)
   - move to LGPL

man/systemd.unit.xml

@@ -983,9 +983,10 @@
                                 <para><varname>ConditionSecurity=</varname>
                                 may be used to check whether the given
                                 security module is enabled on the
-                                system.  Currently the only recognized
+                                system. Currently the recognized values
                                 values are <varname>selinux</varname>,
-                                <varname>apparmor</varname>, and
+                                <varname>apparmor</varname>,
+                                <varname>ima</varname> and
                                 <varname>smack</varname>.
                                 The test may be negated by prepending
                                 an exclamation

src/core/condition.c

@@ -164,6 +164,8 @@ static bool test_security(const char *parameter) {
 #endif
         if (streq(parameter, "apparmor"))
                 return access("/sys/kernel/security/apparmor/", F_OK) == 0;
+        if (streq(parameter, "ima"))
+                return access("/sys/kernel/security/ima/", F_OK) == 0;
         if (streq(parameter, "smack"))
                 return access("/sys/fs/smackfs", F_OK) == 0;
         return false;