Subject: Re: [RFC PATCH v4 02/12] security: add ipe lsm evaluation loop and audit system
From: Randy Dunlap
Date: Fri, 17 Jul 2020 16:16:43 -0700
To: Deven Bowers, agk@redhat.com, axboe@kernel.dk, snitzer@redhat.com, jmorris@namei.org, serge@hallyn.com, zohar@linux.ibm.com, viro@zeniv.linux.org.uk, paul@paul-moore.com, eparis@redhat.com, jannh@google.com, dm-devel@redhat.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org, linux-audit@redhat.com
Cc: tyhicks@linux.microsoft.com, linux-kernel@vger.kernel.org, corbet@lwn.net, sashal@kernel.org, jaskarankhurana@linux.microsoft.com, mdsakib@microsoft.com, nramas@linux.microsoft.com, pasha.tatshin@soleen.com

On 7/17/20 4:09 PM, Deven Bowers wrote: > +config SECURITY_IPE_PERMISSIVE_SWITCH > + bool "Enable the ability to switch IPE to permissive mode" > + default y > + help > + This option enables two ways of switching IPE to permissive mode, > + a sysctl (if enabled), `ipe.enforce`, or a kernel command line > + parameter, `ipe.enforce`. If either of these are set to 0, files is set > + will be subject to IPE's policy, audit messages will be logged, but > + the policy will not be enforced. > + > + If unsure, answer Y. -- ~Randy
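Review bot: the help text for SECURITY_IPE_PERMISSIVE_SWITCH pairs `default y` with "If unsure, answer Y" but never states the trade-off, which is that with this option built in, enforcement can be turned off at runtime through the sysctl or at boot through the `ipe.enforce` command line parameter. Suggest adding a sentence saying when to answer N (builds where enforcement must not be switchable) so the default is an informed choice. The phrase "a sysctl (if enabled)" should name the config option that enables the sysctl, since nothing in this entry shows a `depends on` or points to it. The sentence "files will be subject to IPE's policy ... but the policy will not be enforced" also reads as a contradiction; wording such as "files are still evaluated against IPE's policy and audit messages are logged, but the result is not enforced" would be clearer.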