www.infradead.org Git - users/jedix/linux-maple.git/commit
ipe: add permissive toggle
author Deven Bowers <deven.desai@linux.microsoft.com>
Sat, 3 Aug 2024 06:08:24 +0000 (23:08 -0700)
committer Paul Moore <paul@paul-moore.com>
Tue, 20 Aug 2024 18:02:27 +0000 (14:02 -0400)
commit a68916eaedcd01f254ac4c09ca12b5065d710fd0
tree 4d9f82724404cf29cbfaa9150f439e1e3b2933d4
parent f44554b5067b36c14cc91ed811fa1bd58baed34a
ipe: add permissive toggle

IPE, like SELinux, supports a permissive mode. This mode allows policy
authors to test and evaluate IPE policy without it affecting their
programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS will
be reported.

This patch adds the following audit records:

    audit: MAC_STATUS enforcing=0 old_enforcing=1 auid=4294967295
      ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
    audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295
      ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1

The audit record is only emitted when the value from the user input is
different from the current enforce value.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/ipe/audit.c
security/ipe/audit.h
security/ipe/eval.c
security/ipe/eval.h
security/ipe/fs.c
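
The MAC_STATUS records quoted in the commit message can be monitored for IPE dropping out of enforcement. The following is an added example, not part of this commit or of the kernel tree: it assumes each record arrives on a single line, and the function names and sample log are constructed for illustration.

```python
import re

# Constructed sample: the page's two records joined onto single lines, plus
# one record from another LSM and one IPE change with a login uid attached.
SAMPLE_LOG = """\
audit: MAC_STATUS enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
audit: MAC_STATUS enforcing=0 old_enforcing=1 auid=1000 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1
audit: MAC_STATUS enforcing=0 old_enforcing=1 auid=1000 ses=7 enabled=1 old-enabled=1 lsm=ipe res=1
"""

KV = re.compile(r"([A-Za-z_-]+)=(\S+)")
UNSET = "4294967295"  # (u32)-1: no login uid / session set for the writer


def parse_mac_status(line):
    """Return the key=value fields of a MAC_STATUS record, or None."""
    if "MAC_STATUS" not in line:
        return None
    return dict(KV.findall(line))


def ipe_mode_changes(log_text):
    """Yield (line_no, direction, auid, ses) for each IPE enforce-mode change."""
    for no, line in enumerate(log_text.splitlines(), 1):
        rec = parse_mac_status(line)
        if not rec or rec.get("lsm") != "ipe":
            continue  # not a MAC_STATUS record, or a different LSM
        new, old = rec.get("enforcing"), rec.get("old_enforcing")
        if new is None or old is None or new == old:
            continue  # incomplete record, or no actual mode change
        direction = "to_permissive" if new == "0" else "to_enforcing"
        yield no, direction, rec.get("auid", UNSET), rec.get("ses", UNSET)


def alerts(log_text):
    """Keep only drops to permissive; mark those with no login uid."""
    out = []
    for no, direction, auid, _ses in ipe_mode_changes(log_text):
        if direction == "to_permissive":
            out.append((no, "unattributed" if auid == UNSET else f"auid={auid}"))
    return out


if __name__ == "__main__":
    for no, who in alerts(SAMPLE_LOG):
        print(f"line {no}: IPE switched to permissive ({who})")
```

The same field parsing works on `type=MAC_STATUS msg=audit(...)` lines as written by auditd, since only the `key=value` pairs are read.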