• Casey Schaufler's avatar
    Smack: Allow an unconfined label in bringup mode · bf4b2fee
    Casey Schaufler authored
    I have vehemently opposed adding a "permissive" mode to Smack
    for the simple reasons that it would be subject to massive abuse
    and that developers refuse to turn it off come product release.
    I still believe that this is true, and still refuse to add a
    general "permissive mode". So don't ask again.
    
    Bumjin Im suggested an approach that addresses most of the concerns,
    and I have implemented it here. I still believe that we'd be better
    off without this sort of thing, but it looks like this minimizes the
    abuse potential.
    
    Firstly, you have to configure Smack Bringup Mode. That allows
    for "release" software to be ammune from abuse. Second, only one
    label gets to be "permissive" at a time. You can use it for
    debugging, but that's about it.
    
    A label written to smackfs/unconfined is treated specially.
    If either the subject or object label of an access check
    matches the "unconfined" label, and the access would not
    have been allowed otherwise an audit record and a console
    message are generated. The audit record "request" string is
    marked with either "(US)" or "(UO)", to indicate that the
    request was granted because of an unconfined label. The
    fact that an inode was accessed by an unconfined label is
    remembered, and subsequent accesses to that "impure"
    object are noted in the log. The impurity is not stored in
    the filesystem, so a file mislabled as a side effect of
    using an unconfined label may still cause concern after
    a reboot.
    
    So, it's there, it's dangerous, but so many application
    developers seem incapable of living without it I have
    given in. I've tried to make it as safe as I can, but
    in the end it's still a chain saw.
    Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
    bf4b2fee
smack.h 11.7 KB