| author | Deven Bowers <deven.desai@linux.microsoft.com> | 2024-08-02 23:08:24 -0700 |
|---|---|---|
| committer | Paul Moore <paul@paul-moore.com> | 2024-08-20 14:02:27 -0400 |
| commit | a68916eaedcd01f254ac4c09ca12b5065d710fd0 (patch) | |
| tree | 4d9f82724404cf29cbfaa9150f439e1e3b2933d4 /security/ipe/eval.h | |
| parent | f44554b5067b36c14cc91ed811fa1bd58baed34a (diff) | |
ipe: add permissive toggle

IPE, like SELinux, supports a permissive mode. This mode allows policy
authors to test and evaluate IPE policy without it affecting their
programs. When the mode is changed, a 1404 AUDIT_MAC_STATUS will
be reported.

This patch adds the following audit records:

    audit: MAC_STATUS enforcing=0 old_enforcing=1 auid=4294967295
      ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
    audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295
      ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1

The audit record is only emitted when the value from the user input is
different from the current enforce value.

Signed-off-by: Deven Bowers <deven.desai@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@linux.microsoft.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
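
One way to watch for the records quoted in the commit message, as an added example that is not part of the patch or of the IPE project: it parses MAC_STATUS lines in the format shown above and reports IPE mode transitions, singling out switches from enforcing to permissive. The sample log (including the `lsm=selinux` and `SOME_OTHER_RECORD` noise lines) and all function names are constructed for illustration.

```python
import re

# key=value fields as they appear in the MAC_STATUS records quoted above
FIELD_RE = re.compile(r"(\w[\w-]*)=(\S+)")

# Constructed sample input: the two records from the commit message plus
# noise lines (another LSM, an unrelated record type).
SAMPLE_LOG = """\
audit: MAC_STATUS enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
audit: MAC_STATUS enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
audit: MAC_STATUS enforcing=0 old_enforcing=1 auid=1000 ses=3 enabled=1 old-enabled=1 lsm=selinux res=1
audit: SOME_OTHER_RECORD enforcing=0 lsm=ipe
"""

def parse_mac_status(line):
    """Return the record's fields as a dict, or None if not a MAC_STATUS record."""
    if "MAC_STATUS" not in line.split():
        return None
    return dict(FIELD_RE.findall(line))

def ipe_mode_changes(log_text):
    """Yield (old, new, auid, ses) for each IPE enforce-mode transition."""
    for line in log_text.splitlines():
        rec = parse_mac_status(line)
        if not rec or rec.get("lsm") != "ipe":
            continue
        try:
            old, new = int(rec["old_enforcing"]), int(rec["enforcing"])
        except (KeyError, ValueError):
            continue  # malformed or truncated record
        if old != new:
            yield old, new, rec.get("auid"), rec.get("ses")

def enforcement_drops(log_text):
    """Transitions from enforcing (1) to permissive (0): the ones to alert on."""
    return [c for c in ipe_mode_changes(log_text) if c[0] == 1 and c[1] == 0]

if __name__ == "__main__":
    for old, new, auid, ses in ipe_mode_changes(SAMPLE_LOG):
        state = "permissive" if new == 0 else "enforcing"
        print(f"IPE switched to {state} (auid={auid} ses={ses})")
```
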
Diffstat (limited to 'security/ipe/eval.h')
| -rw-r--r-- | security/ipe/eval.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/ipe/eval.h b/security/ipe/eval.h index 42b74a7a7c2b..80b74f55fa69 100644 --- a/security/ipe/eval.h +++ b/security/ipe/eval.h @@ -16,6 +16,7 @@ extern struct ipe_policy __rcu *ipe_active_policy; extern bool success_audit; +extern bool enforce; struct ipe_superblock { bool initramfs; |
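Review bot: the added `extern bool enforce;` in security/ipe/eval.h puts a very generic, unprefixed name into the kernel's global symbol namespace, unlike the neighbouring `ipe_active_policy`; consider renaming it to something like `ipe_enforce` to avoid collisions and make grep results unambiguous. The declaration also carries no comment stating its semantics (that true means enforcing and false means permissive, and what the default is), which matters for a flag that gates whether policy denials take effect. Since the commit message says the value can be changed at runtime, it would help to note next to the declaration how readers are expected to access it (for example via READ_ONCE()), as the definition and its users are not visible in this file-limited view.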
