Lines Matching full:ipe

3 Integrity Policy Enforcement (IPE)
9 attempting to use IPE. If you're looking for more developer-focused
10 documentation about IPE please see :doc:`the design docs </security/ipe>`.
15 Integrity Policy Enforcement (IPE) is a Linux Security Module that takes a
17 mechanisms that rely on labels and paths for decision-making, IPE focuses
23 To elaborate, in the context of IPE, system components primarily refer to
28 unchangeable over time. For example, IPE policies can be crafted to trust
31 initramfs" becomes an immutable property under IPE's consideration.
35 integrity and trust. For example, IPE allows the definition of policies
39 checks, allowing IPE to enforce policies that trust files protected by
42 IPE leverages immutable properties, such as a file's origin and its
45 For the IPE policy, specifically, it grants the ability to enforce
58 To enable IPE, ensure that ``CONFIG_SECURITY_IPE`` (under
59 :menuselection:`Security -> Integrity Policy Enforcement (IPE)`) config
65 IPE works best in fixed-function devices: devices in which their purpose
70 IPE is a long-way off for use in general-purpose computing: the Linux
72 the web of trust), which IPE has no support for yet. Instead, IPE
78 makes it difficult to utilize IPE in systems where a package manager is
82 The digest_cache LSM [#digest_cache_lsm]_ is a system that when combined with IPE,
88 IPE cannot verify the integrity of anonymous executable memory, such as
91 for IPE to ensure the integrity of this code to form a trust basis.
93 IPE cannot verify the integrity of programs written in interpreted
97 through one of IPE's hooks, but they are merely text files that are read
103 IPE's EXECUTE operation enforcement differs between compiled executables and
108 ``execveat()`` with ``AT_EXECVE_CHECK`` flag. Unlike exec syscalls that IPE
116 IPE specifically targets the risk of tampering with user-space executable
122 loader and libc. The primary function of IPE in this context is to prevent
125 IPE achieves this by verifying the integrity and authenticity of all
131 authorization criteria, IPE will deny its execution. Additionally, IPE
146 IPE does not mitigate threats arising from malicious but authorized
149 Additionally, IPE draws a hard security boundary between userspace and
151 the scope of IPE and mitigation is left to other mechanisms.
156 IPE policy is a plain-text [#devdoc]_ policy composed of multiple statements
172 The next portion of IPE policy are rules. Rules are formed by key=value
173 pairs, known as properties. IPE rules require two properties: ``action``,
174 which determines what IPE does when it encounters a match against the
184 kernel that can provide a measure of integrity verification, such that IPE
191 IPE policy supports comments. The character '#' will function as a
194 The default behavior of IPE evaluations can also be expressed in policy,
204 A default must be set for all known operations in IPE. If you want to
221 As a result, IPE has addressed this problem through a concept of a "boot
227 a path to a plain-text version of the IPE policy to apply. This policy
228 will be compiled into the kernel. If not specified, IPE will be disabled
258 cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy
261 ``/sys/kernel/security/ipe/policies/``. The subdirectory will be the
263 the directory will be ``/sys/kernel/security/ipe/policies/Ex_Policy``.
298 Deploying a policy will *not* cause IPE to start enforcing the policy. IPE will
303 ``/sys/kernel/security/ipe/policies/$policy_name/active``.
306 echo 1 > "/sys/kernel/security/ipe/policies/Ex_Policy/active"
311 IPE also provides a way to delete policies. This can be done via the
313 ``/sys/kernel/security/ipe/policies/$policy_name/delete``.
316 echo 1 > "/sys/kernel/security/ipe/policies/$policy_name/delete"
324 writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.
329 IPE supports two modes of operation: permissive (similar to SELinux's
335 line parameter ``ipe.enforce=(0|1)``, or the securityfs node
336 ``/sys/kernel/security/ipe/enforce``.
341 all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.
351 … fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ld-linux.so" exe="/tmp/ipe-test/lib/ld-linux.s…
358 This event indicates that IPE made an access control decision; the IPE
362 Determining whether IPE is in permissive or enforced mode can be derived
371 | ipe_op | string | No | The IPE operation name associated with the log …
373 | ipe_hook | string | No | The name of the LSM hook that triggered the IPE event …
375 | enforcing | integer | No | The current IPE enforcing state 1 is in enforcing mode, 0 is…
377 | pid | integer | No | The pid of the process that triggered the IPE event. …
379 … | No | The command line program name of the process that triggered the IPE event |
395 …CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1
399 This event indicates that IPE switched the active policy from one to another
401 Note IPE can only have one policy active at a time, all access decision
439 …68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1 errno=0
490 | -ENOKEY | Key used to sign the IPE policy not found in keyring |
494 | -ESTALE | Attempting to update an IPE policy with older version |
504 …): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
508 …): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
519 | enforcing | integer | No | The enforcing state IPE is being switched to, 1 is in en…
521 | old_enforcing | integer | No | The enforcing state IPE is being switched from, 1 is in …
540 IPE supports success auditing. When enabled, all events that pass IPE
543 ``ipe.success_audit=(0|1)`` or
544 ``/sys/kernel/security/ipe/success_audit`` securityfs file.
546 This is *very* noisy, as IPE will check every userspace binary on the
552 all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.
557 As explained above, IPE properties are ``key=value`` pairs expressed in IPE
563 properties supported by IPE are listed below:
569 as the first token. IPE supports the following operations:
609 Determines what IPE should do when a rule matches. Must be in every
794 - `Github Repository <https://github.com/microsoft/ipe>`_
795 - :doc:`Developer and design docs for IPE </security/ipe>`
809 IMA and IPE are functionally very similar. The significant difference between
812 Loadpin and IPE differ fairly dramatically, as Loadpin only covers the IPE's
813 kernel read operations, whereas IPE is capable of controlling execution
815 trust in the initial super-block, whereas trust in IPE is stemmed from kernel
822 .. [#devdoc] Please see :doc:`the design docs </security/ipe>` for more on
828 the Linux crypto API; IPE does not impose any
833 kernel's fsverity support; IPE does not impose any