
Searched full:ipe (Results 1 – 25 of 44) sorted by relevance


/linux/security/ipe/
Kconfig
3 # Integrity Policy Enforcement (IPE) configuration
7 bool "Integrity Policy Enforcement (IPE)"
19 control. A key feature of IPE is a customizable policy to allow
28 This option specifies a filepath to an IPE policy that is compiled
30 is deployed via the $securityfs/ipe/policies/$policy_name/active
36 bool "IPE policy update verification with secondary keyring"
40 Also allow the secondary trusted keyring to verify IPE policy
46 bool "IPE policy update verification with platform keyring"
50 Also allow the platform keyring to verify IPE policy updates.
54 menu "IPE Trus
hooks.c
13 #include "ipe.h"
19 * ipe_bprm_check_security() - ipe security hook function for bprm check.
28 * * %-EACCES - Did not pass IPE policy
39 * ipe_mmap_file() - ipe security hook function for mmap check.
51 * * %-EACCES - Did not pass IPE policy
67 * ipe_file_mprotect() - ipe security hook function for mprotect check.
78 * * %-EACCES - Did not pass IPE policy
99 * ipe_kernel_read_file() - ipe security hook function for kernel read.
108 * * %-EACCES - Did not pass IPE policy
145 * ipe_kernel_load_data() - ipe security hook function for kernel load data.
Makefile
5 # Makefile for building the IPE module as part of the kernel tree.
9 cmd_polgen = scripts/ipe/polgen/polgen security/ipe/boot_policy.c $(2)
13 $(obj)/boot_policy.c: scripts/ipe/polgen/polgen $(CONFIG_IPE_BOOT_POLICY) FORCE
22 ipe.o \
digest.c
9 * ipe_digest_parse() - parse a digest in IPE's policy.
12 * Digests in IPE are defined in a standard way:
16 * consistently. The parsed digest will be saved in @value in IPE's
75 * ipe_digest_eval() - evaluate an IPE digest against another digest.
92 * ipe_digest_free() - free an IPE digest.
106 * ipe_digest_audit() - audit a digest that was sourced from IPE's policy.
110 * Digests in IPE are audited in this format:
ipe.c
7 #include "ipe.h"
25 .name = "ipe",
65 * ipe_init() - Entry point of IPE.
68 * start up. During this phase, IPE registers its hooks and loads the
94 DEFINE_LSM(ipe) = {
95 .name = "ipe",
eval.c
15 #include "ipe.h"
29 * build_ipe_sb_ctx() - Build initramfs field of an ipe evaluation context.
31 * @file: Supplies the file struct of the file triggered IPE event.
42 * @ino: Supplies the inode struct of the file triggered IPE event.
72 * @ino: Supplies the inode struct of the file triggered IPE event.
86 * ipe_build_eval_ctx() - Build an ipe evaluation context.
89 * @op: Supplies the IPE policy operation associated with the evaluation.
309 * This is the loop where all policy evaluations happen against the IPE policy.
387 #define KBUILD_MODNAME "ipe"
391 MODULE_PARM_DESC(success_audit, "Start IPE with success auditing enabled");
fs.c
9 #include "ipe.h"
19 * setaudit() - Write handler for the securityfs node, "ipe/success_audit"
48 * getaudit() - Read handler for the securityfs node, "ipe/success_audit"
67 * setenforce() - Write handler for the securityfs node, "ipe/enforce"
100 * getenforce() - Read handler for the securityfs node, "ipe/enforce"
119 * new_policy() - Write handler for the securityfs node, "ipe/new_policy".
191 * ipe_init_securityfs() - Initialize IPE's securityfs tree at fsinit.
205 root = securityfs_create_dir("ipe", NULL); in ipe_init_securityfs()
audit.c
11 #include "ipe.h"
89 * audit_rule() - audit an IPE policy rule.
124 * @act: Supplies the IPE's evaluation decision, deny or allow.
222 audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=1",
250 audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=%d errno=%d", in ipe_audit_policy_activation()
258 * ipe_audit_enforce() - Audit a change in IPE's enforcement state. in ipe_audit_policy_load()
272 " enabled=1 old-enabled=1 lsm=ipe res=1", in ipe_audit_policy_load()
policy_fs.c
11 #include "ipe.h"
33 * read_pkcs7() - Read handler for "ipe/policies/$name/pkcs7".
77 * read_policy() - Read handler for "ipe/policies/$name/policy".
115 * read_name() - Read handler for "ipe/policies/$name/name".
153 * read_version() - Read handler for "ipe/policies/$name/version".
196 * setactive() - Write handler for "ipe/policies/$name/active".
243 * getactive() - Read handler for "ipe/policies/$name/active".
281 * update_policy() - Write handler for "ipe/policies/$name/update".
333 * delete_policy() - write handler for "ipe/policies/$name/delete".
policy.c
9 #include "ipe.h"
16 /* lock for synchronizing writers across ipe policy */
42 * ipe_free_policy() - Deallocate a given IPE policy.
145 * @pkcs7: Supplies a pointer to a pkcs7-signed IPE policy.
ipe.h
12 #define pr_fmt(fmt) "ipe: " fmt
/linux/Documentation/admin-guide/LSM/
ipe.rst
3 Integrity Policy Enforcement (IPE)
9 attempting to use IPE. If you're looking for more developer-focused
10 documentation about IPE please see :doc:`the design docs </security/ipe>`.
15 Integrity Policy Enforcement (IPE) is a Linux Security Module that takes a
17 mechanisms that rely on labels and paths for decision-making, IPE focuses
23 To elaborate, in the context of IPE, system components primarily refer to
28 unchangeable over time. For example, IPE policies can be crafted to trust
31 initramfs" becomes an immutable property under IPE's consideration.
35 integrity and trust. For example, IPE allows the definition of policies
39 checks, allowing IPE to enforce policies that trust files protected by
/linux/Documentation/security/
ipe.rst
3 Integrity Policy Enforcement (IPE) - Kernel Documentation
9 If you're looking for documentation on the usage of IPE, please see
10 :doc:`IPE admin guide </admin-guide/LSM/ipe>`.
15 The original issue that prompted IPE's implementation was the creation
30 over IMA+EVM as the *integrity mechanism* in the original use case of IPE
109 IPE, as its name implies, is fundamentally an integrity policy enforcement
110 solution; IPE does not mandate how integrity is provided, but instead
114 level of security guarantees; and IPE allows sysadmins to express policy for
117 IPE does not have an inherent mechanism to ensure integrity on its own.
122 Therefore, IPE was designed around:
index.rst
22 ipe
/linux/security/
Kconfig
232 source "security/ipe/Kconfig"
273 …default "landlock,lockdown,yama,loadpin,safesetid,smack,selinux,tomoyo,apparmor,ipe,bpf" if DEFAUL…
274 …default "landlock,lockdown,yama,loadpin,safesetid,apparmor,selinux,smack,tomoyo,ipe,bpf" if DEFAUL…
275 default "landlock,lockdown,yama,loadpin,safesetid,tomoyo,ipe,bpf" if DEFAULT_SECURITY_TOMOYO
276 default "landlock,lockdown,yama,loadpin,safesetid,ipe,bpf" if DEFAULT_SECURITY_DAC
277 default "landlock,lockdown,yama,loadpin,safesetid,selinux,smack,tomoyo,apparmor,ipe,bpf"
/linux/drivers/clk/mediatek/
Makefile
20 obj-$(CONFIG_COMMON_CLK_MT6779_IPESYS) += clk-mt6779-ipe.o
105 obj-$(CONFIG_COMMON_CLK_MT8186_IPESYS) += clk-mt8186-ipe.o
119 obj-$(CONFIG_COMMON_CLK_MT8188_IPESYS) += clk-mt8188-ipe.o
131 obj-$(CONFIG_COMMON_CLK_MT8192_IPESYS) += clk-mt8192-ipe.o
145 obj-$(CONFIG_COMMON_CLK_MT8195_IPESYS) += clk-mt8195-ipe.o
clk-mt8195-ipe.c
49 .name = "clk-mt8195-ipe",
clk-mt8186-ipe.c
52 .name = "clk-mt8186-ipe",
clk-mt6779-ipe.c
54 .name = "clk-mt6779-ipe",
clk-mt8192-ipe.c
54 .name = "clk-mt8192-ipe",
/linux/arch/s390/kernel/
jump_label.c
37 unsigned char *ipe = (unsigned char *)expected; in jump_label_bug() local
42 pr_emerg("Expected: %6ph\n", ipe); in jump_label_bug()
/linux/Documentation/filesystems/
fsverity.rst
89 - Integrity Policy Enforcement (IPE). IPE supports enforcing access
92 "IPE policy" specifically allows for the authorization of fs-verity
96 details on configuring IPE policies and understanding its operational
97 modes, please refer to :doc:`IPE admin guide </admin-guide/LSM/ipe>`.
477 "fs.verity.require_signatures" described in the next item. The IPE LSM
513 verification in conjunction with the IPE LSM, which supports defining
516 operations, such as execution. Note that IPE doesn't require
518 Please refer to :doc:`IPE admin guide </admin-guide/LSM/ipe>` for
/linux/include/dt-bindings/memory/
mt8186-memory-port.h
203 /* LARB 19 -- IPE */
209 /* LARB 20 -- IPE */
/linux/include/net/libeth/
rx.h
210 * @ipe: IP checksum error
223 u32 ipe:1; member
/linux/scripts/
Makefile
59 subdir-$(CONFIG_SECURITY_IPE) += ipe
