Lines Matching full:ipe

3 Integrity Policy Enforcement (IPE)
9 attempting to use IPE. If you're looking for more developer-focused
10 documentation about IPE please see :doc:`the design docs </security/ipe>`.
15 Integrity Policy Enforcement (IPE) is a Linux Security Module that takes a
17 mechanisms that rely on labels and paths for decision-making, IPE focuses
23 To elaborate, in the context of IPE, system components primarily refer to
28 unchangeable over time. For example, IPE policies can be crafted to trust
31 initramfs" becomes an immutable property under IPE's consideration.
35 integrity and trust. For example, IPE allows the definition of policies
39 checks, allowing IPE to enforce policies that trust files protected by
42 IPE leverages immutable properties, such as a file's origin and its
45 For the IPE policy, specifically, it grants the ability to enforce
58 To enable IPE, ensure that ``CONFIG_SECURITY_IPE`` (under
59 :menuselection:`Security -> Integrity Policy Enforcement (IPE)`) config
65 IPE works best in fixed-function devices: devices in which their purpose
70 IPE is a long way off for use in general-purpose computing: the Linux
72 the web of trust), which IPE has no support for yet. Instead, IPE
78 makes it difficult to utilize IPE in systems where a package manager is
82 The digest_cache LSM [#digest_cache_lsm]_ is a system that when combined with IPE,
88 IPE cannot verify the integrity of anonymous executable memory, such as
91 for IPE to ensure the integrity of this code to form a trust basis.
93 IPE cannot verify the integrity of programs written in interpreted
97 through one of IPE's hooks, but they are merely text files that are read
103 IPE specifically targets the risk of tampering with user-space executable
109 loader and libc. The primary function of IPE in this context is to prevent
112 IPE achieves this by verifying the integrity and authenticity of all
118 authorization criteria, IPE will deny its execution. Additionally, IPE
133 IPE does not mitigate threats arising from malicious but authorized
136 Additionally, IPE draws a hard security boundary between userspace and
138 the scope of IPE and mitigation is left to other mechanisms.
143 IPE policy is a plain-text [#devdoc]_ policy composed of multiple statements
159 The next portion of IPE policy are rules. Rules are formed by key=value
160 pairs, known as properties. IPE rules require two properties: ``action``,
161 which determines what IPE does when it encounters a match against the
171 kernel that can provide a measure of integrity verification, such that IPE
178 IPE policy supports comments. The character '#' will function as a
181 The default behavior of IPE evaluations can also be expressed in policy,
191 A default must be set for all known operations in IPE. If you want to
208 As a result, IPE has addressed this problem through a concept of a "boot
214 a path to a plain-text version of the IPE policy to apply. This policy
215 will be compiled into the kernel. If not specified, IPE will be disabled
245 cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy
248 ``/sys/kernel/security/ipe/policies/``. The subdirectory will be the
250 the directory will be ``/sys/kernel/security/ipe/policies/Ex_Policy``.
285 Deploying a policy will *not* cause IPE to start enforcing the policy. IPE will
290 ``/sys/kernel/security/ipe/policies/$policy_name/active``.
293 echo 1 > "/sys/kernel/security/ipe/policies/Ex_Policy/active"
298 IPE also provides a way to delete policies. This can be done via the
300 ``/sys/kernel/security/ipe/policies/$policy_name/delete``.
303 echo 1 > "/sys/kernel/security/ipe/policies/$policy_name/delete"
311 writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.
316 IPE supports two modes of operation: permissive (similar to SELinux's
322 line parameter ``ipe.enforce=(0|1)``, or the securityfs node
323 ``/sys/kernel/security/ipe/enforce``.
328 all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.
338 … fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ld-linux.so" exe="/tmp/ipe-test/lib/ld-linux.s…
345 This event indicates that IPE made an access control decision; the IPE
349 Determining whether IPE is in permissive or enforced mode can be derived
358 | ipe_op | string | No | The IPE operation name associated with the log …
360 | ipe_hook | string | No | The name of the LSM hook that triggered the IPE event …
362 | enforcing | integer | No | The current IPE enforcing state 1 is in enforcing mode, 0 is…
364 | pid | integer | No | The pid of the process that triggered the IPE event. …
366 … | No | The command line program name of the process that triggered the IPE event |
382 …CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1
386 This event indicates that IPE switched the active policy from one to another
388 Note IPE can only have one policy active at a time, all access decision
426 …68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1 errno=0
477 | -ENOKEY | Key used to sign the IPE policy not found in keyring |
481 | -ESTALE | Attempting to update an IPE policy with older version |
491 …): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
495 …): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
506 | enforcing | integer | No | The enforcing state IPE is being switched to, 1 is in en…
508 | old_enforcing | integer | No | The enforcing state IPE is being switched from, 1 is in …
527 IPE supports success auditing. When enabled, all events that pass IPE
530 ``ipe.success_audit=(0|1)`` or
531 ``/sys/kernel/security/ipe/success_audit`` securityfs file.
533 This is *very* noisy, as IPE will check every userspace binary on the
539 all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.
544 As explained above, IPE properties are ``key=value`` pairs expressed in IPE
550 properties supported by IPE are listed below:
556 as the first token. IPE supports the following operations:
596 Determines what IPE should do when a rule matches. Must be in every
781 - `Github Repository <https://github.com/microsoft/ipe>`_
782 - :doc:`Developer and design docs for IPE </security/ipe>`
796 IMA and IPE are functionally very similar. The significant difference between
799 Loadpin and IPE differ fairly dramatically, as Loadpin only covers the IPE's
800 kernel read operations, whereas IPE is capable of controlling execution
802 trust in the initial super-block, whereas trust in IPE stems from kernel
811 .. [#devdoc] Please see :doc:`the design docs </security/ipe>` for more on
817 the Linux crypto API; IPE does not impose any
822 kernel's fsverity support; IPE does not impose any