€•/      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ'/translations/zh_CN/admin-guide/LSM/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/zh_TW/admin-guide/LSM/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/it_IT/admin-guide/LSM/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/ja_JP/admin-guide/LSM/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/ko_KR/admin-guide/LSM/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ'/translations/sp_SP/admin-guide/LSM/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒA/var/lib/git/docbuild/linux/Documentation/admin-guide/LSM/ipe.rst”h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ"Integrity Policy Enforcement (IPE)”h]”hŒ"Integrity Policy Enforcement (IPE)”…””}”(hh»hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hh¶hžhhŸh³h KubhŒnote”“”)”}”(hŒÔThis is the documentation for admins, system builders, or individuals
attempting to use IPE. If you're looking for more developer-focused
documentation about IPE please see :doc:`the design docs </security/ipe>`.”h]”hŒ	paragraph”“”)”}”(hŒÔThis is the documentation for admins, system builders, or individuals
attempting to use IPE. If you're looking for more developer-focused
documentation about IPE please see :doc:`the design docs </security/ipe>`.”h]”(hŒ¯This is the documentation for admins, system builders, or individuals
attempting to use IPE. If youâ€™re looking for more developer-focused
documentation about IPE please see ”…””}”(hhÑhžhhŸNh Nubh)”}”(hŒ&:doc:`the design docs </security/ipe>`”h]”hŒinline”“”)”}”(hhÛh]”hŒthe design docs”…””}”(hhßhžhhŸNh Nubah}”(h]”h ]”(Œxref”Œstd”Œstd-doc”eh"]”h$]”h&]”uh1hÝhhÙubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”Œadmin-guide/LSM/ipe”Œ	refdomain”hêŒreftype”Œdoc”Œrefexplicit”ˆŒrefwarn”ˆŒ	reftarget”Œ/security/ipe”uh1hhŸh³h KhhÑubhŒ.”…””}”(hhÑhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KhhËubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhh¶hžhhŸh³h Nubhµ)”}”(hhh]”(hº)”}”(hŒOverview”h]”hŒOverview”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj  hžhhŸh³h KubhÐ)”}”(hXË  Integrity Policy Enforcement (IPE) is a Linux Security Module that takes a
complementary approach to access control. Unlike traditional access control
mechanisms that rely on labels and paths for decision-making, IPE focuses
on the immutable security properties inherent to system components. These
properties are fundamental attributes or features of a system component
that cannot be altered, ensuring a consistent and reliable basis for
security decisions.”h]”hXË  Integrity Policy Enforcement (IPE) is a Linux Security Module that takes a
complementary approach to access control. Unlike traditional access control
mechanisms that rely on labels and paths for decision-making, IPE focuses
on the immutable security properties inherent to system components. These
properties are fundamental attributes or features of a system component
that cannot be altered, ensuring a consistent and reliable basis for
security decisions.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Khj  hžhubhÐ)”}”(hX|  To elaborate, in the context of IPE, system components primarily refer to
files or the devices these files reside on. However, this is just a
starting point. The concept of system components is flexible and can be
extended to include new elements as the system evolves. The immutable
properties include the origin of a file, which remains constant and
unchangeable over time. For example, IPE policies can be crafted to trust
files originating from the initramfs. Since initramfs is typically verified
by the bootloader, its files are deemed trustworthy; "file is from
initramfs" becomes an immutable property under IPE's consideration.”h]”hX‚  To elaborate, in the context of IPE, system components primarily refer to
files or the devices these files reside on. However, this is just a
starting point. The concept of system components is flexible and can be
extended to include new elements as the system evolves. The immutable
properties include the origin of a file, which remains constant and
unchangeable over time. For example, IPE policies can be crafted to trust
files originating from the initramfs. Since initramfs is typically verified
by the bootloader, its files are deemed trustworthy; â€œfile is from
initramfsâ€ becomes an immutable property under IPEâ€™s consideration.”…””}”(hj-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Khj  hžhubhÐ)”}”(hX  The immutable property concept extends to the security features enabled on
a file's origin, such as dm-verity or fs-verity, which provide a layer of
integrity and trust. For example, IPE allows the definition of policies
that trust files from a dm-verity protected device. dm-verity ensures the
integrity of an entire device by providing a verifiable and immutable state
of its contents. Similarly, fs-verity offers filesystem-level integrity
checks, allowing IPE to enforce policies that trust files protected by
fs-verity. These two features cannot be turned off once established, so
they are considered immutable properties. These examples demonstrate how
IPE leverages immutable properties, such as a file's origin and its
integrity protection mechanisms, to make access control decisions.”h]”hX  The immutable property concept extends to the security features enabled on
a fileâ€™s origin, such as dm-verity or fs-verity, which provide a layer of
integrity and trust. For example, IPE allows the definition of policies
that trust files from a dm-verity protected device. dm-verity ensures the
integrity of an entire device by providing a verifiable and immutable state
of its contents. Similarly, fs-verity offers filesystem-level integrity
checks, allowing IPE to enforce policies that trust files protected by
fs-verity. These two features cannot be turned off once established, so
they are considered immutable properties. These examples demonstrate how
IPE leverages immutable properties, such as a fileâ€™s origin and its
integrity protection mechanisms, to make access control decisions.”…””}”(hj;  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K!hj  hžhubhÐ)”}”(hX  For the IPE policy, specifically, it grants the ability to enforce
stringent access controls by assessing security properties against
reference values defined within the policy. This assessment can be based on
the existence of a security property (e.g., verifying if a file originates
from initramfs) or evaluating the internal state of an immutable security
property. The latter includes checking the roothash of a dm-verity
protected device, determining whether dm-verity possesses a valid
signature, assessing the digest of a fs-verity protected file, or
determining whether fs-verity possesses a valid built-in signature. This
nuanced approach to policy enforcement enables a highly secure and
customizable system defense mechanism, tailored to specific security
requirements and trust models.”h]”hX  For the IPE policy, specifically, it grants the ability to enforce
stringent access controls by assessing security properties against
reference values defined within the policy. This assessment can be based on
the existence of a security property (e.g., verifying if a file originates
from initramfs) or evaluating the internal state of an immutable security
property. The latter includes checking the roothash of a dm-verity
protected device, determining whether dm-verity possesses a valid
signature, assessing the digest of a fs-verity protected file, or
determining whether fs-verity possesses a valid built-in signature. This
nuanced approach to policy enforcement enables a highly secure and
customizable system defense mechanism, tailored to specific security
requirements and trust models.”…””}”(hjI  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K-hj  hžhubhÐ)”}”(hŒ”To enable IPE, ensure that ``CONFIG_SECURITY_IPE`` (under
:menuselection:`Security -> Integrity Policy Enforcement (IPE)`) config
option is enabled.”h]”(hŒTo enable IPE, ensure that ”…””}”(hjW  hžhhŸNh NubhŒliteral”“”)”}”(hŒ``CONFIG_SECURITY_IPE``”h]”hŒCONFIG_SECURITY_IPE”…””}”(hja  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjW  ubhŒ (under
”…””}”(hjW  hžhhŸNh NubhÞ)”}”(hŒ.Security -> Integrity Policy Enforcement (IPE)”h]”hŒ.Security -> Integrity Policy Enforcement (IPE)”…””}”(hjs  hžhhŸNh Nubah}”(h]”h ]”Œmenuselection”ah"]”h$]”h&]”Œrawtext”Œ?:menuselection:`Security -> Integrity Policy Enforcement (IPE)`”uh1hÝhjW  ubhŒ) config
option is enabled.”…””}”(hjW  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K:hj  hžhubeh}”(h]”Œoverview”ah ]”h"]”Œoverview”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒ	Use Cases”h]”hŒ	Use Cases”…””}”(hj™  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj–  hžhhŸh³h K?ubhÐ)”}”(hX  IPE works best in fixed-function devices: devices in which their purpose
is clearly defined and not supposed to be changed (e.g. network firewall
device in a data center, an IoT device, etcetera), where all software and
configuration is built and provisioned by the system owner.”h]”hX  IPE works best in fixed-function devices: devices in which their purpose
is clearly defined and not supposed to be changed (e.g. network firewall
device in a data center, an IoT device, etcetera), where all software and
configuration is built and provisioned by the system owner.”…””}”(hj§  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KAhj–  hžhubhÐ)”}”(hX^  IPE is a long-way off for use in general-purpose computing: the Linux
community as a whole tends to follow a decentralized trust model (known as
the web of trust), which IPE has no support for it yet. Instead, IPE
supports PKI (public key infrastructure), which generally designates a
set of trusted entities that provide a measure of absolute trust.”h]”hX^  IPE is a long-way off for use in general-purpose computing: the Linux
community as a whole tends to follow a decentralized trust model (known as
the web of trust), which IPE has no support for it yet. Instead, IPE
supports PKI (public key infrastructure), which generally designates a
set of trusted entities that provide a measure of absolute trust.”…””}”(hjµ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KFhj–  hžhubhÐ)”}”(hX5  Additionally, while most packages are signed today, the files inside
the packages (for instance, the executables), tend to be unsigned. This
makes it difficult to utilize IPE in systems where a package manager is
expected to be functional, without major changes to the package manager
and ecosystem behind it.”h]”hX5  Additionally, while most packages are signed today, the files inside
the packages (for instance, the executables), tend to be unsigned. This
makes it difficult to utilize IPE in systems where a package manager is
expected to be functional, without major changes to the package manager
and ecosystem behind it.”…””}”(hjÃ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KLhj–  hžhubhÐ)”}”(hŒ›The digest_cache LSM [#digest_cache_lsm]_ is a system that when combined with IPE,
could be used to enable and support general-purpose computing use cases.”h]”(hŒThe digest_cache LSM ”…””}”(hjÑ  hžhhŸNh NubhŒfootnote_reference”“”)”}”(hŒ[#digest_cache_lsm]_”h]”hŒ1”…””}”(hjÛ  hžhhŸNh Nubah}”(h]”Œid1”ah ]”h"]”h$]”h&]”Œauto”KŒrefid”Œdigest-cache-lsm”Œdocname”höuh1jÙ  hjÑ  Œresolved”KubhŒr is a system that when combined with IPE,
could be used to enable and support general-purpose computing use cases.”…””}”(hjÑ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KRhj–  hžhubeh}”(h]”Œ	use-cases”ah ]”h"]”Œ	use cases”ah$]”h&]”uh1h´hh¶hžhhŸh³h K?ubhµ)”}”(hhh]”(hº)”}”(hŒKnown Limitations”h]”hŒKnown Limitations”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj  hžhhŸh³h KVubhÐ)”}”(hX  IPE cannot verify the integrity of anonymous executable memory, such as
the trampolines created by gcc closures and libffi (<3.4.2), or JIT'd code.
Unfortunately, as this is dynamically generated code, there is no way
for IPE to ensure the integrity of this code to form a trust basis.”h]”hX  IPE cannot verify the integrity of anonymous executable memory, such as
the trampolines created by gcc closures and libffi (<3.4.2), or JITâ€™d code.
Unfortunately, as this is dynamically generated code, there is no way
for IPE to ensure the integrity of this code to form a trust basis.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KXhj  hžhubhÐ)”}”(hX”  IPE cannot verify the integrity of programs written in interpreted
languages when these scripts are invoked by passing these program files
to the interpreter. This is because the way interpreters execute these
files; the scripts themselves are not evaluated as executable code
through one of IPE's hooks, but they are merely text files that are read
(as opposed to compiled executables) [#interpreters]_.”h]”(hX…  IPE cannot verify the integrity of programs written in interpreted
languages when these scripts are invoked by passing these program files
to the interpreter. This is because the way interpreters execute these
files; the scripts themselves are not evaluated as executable code
through one of IPEâ€™s hooks, but they are merely text files that are read
(as opposed to compiled executables) ”…””}”(hj   hžhhŸNh NubjÚ  )”}”(hŒ[#interpreters]_”h]”hŒ2”…””}”(hj(  hžhhŸNh Nubah}”(h]”Œid2”ah ]”h"]”h$]”h&]”jê  Kjë  Œinterpreters”jí  höuh1jÙ  hj   jî  KubhŒ.”…””}”(hj   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K]hj  hžhubeh}”(h]”Œknown-limitations”ah ]”h"]”Œknown limitations”ah$]”h&]”uh1h´hh¶hžhhŸh³h KVubhµ)”}”(hhh]”(hº)”}”(hŒThreat Model”h]”hŒThreat Model”…””}”(hjM  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjJ  hžhhŸh³h KeubhÐ)”}”(hŒÈIPE specifically targets the risk of tampering with user-space executable
code after the kernel has initially booted, including the kernel modules
loaded from userspace via ``modprobe`` or ``insmod``.”h]”(hŒ­IPE specifically targets the risk of tampering with user-space executable
code after the kernel has initially booted, including the kernel modules
loaded from userspace via ”…””}”(hj[  hžhhŸNh Nubj`  )”}”(hŒ``modprobe``”h]”hŒmodprobe”…””}”(hjc  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj[  ubhŒ or ”…””}”(hj[  hžhhŸNh Nubj`  )”}”(hŒ
``insmod``”h]”hŒinsmod”…””}”(hju  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj[  ubhŒ.”…””}”(hj[  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KghjJ  hžhubhÐ)”}”(hX  To illustrate, consider a scenario where an untrusted binary, possibly
malicious, is downloaded along with all necessary dependencies, including a
loader and libc. The primary function of IPE in this context is to prevent
the execution of such binaries and their dependencies.”h]”hX  To illustrate, consider a scenario where an untrusted binary, possibly
malicious, is downloaded along with all necessary dependencies, including a
loader and libc. The primary function of IPE in this context is to prevent
the execution of such binaries and their dependencies.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KkhjJ  hžhubhÐ)”}”(hXS  IPE achieves this by verifying the integrity and authenticity of all
executable code before allowing them to run. It conducts a thorough
check to ensure that the code's integrity is intact and that they match an
authorized reference value (digest, signature, etc) as per the defined
policy. If a binary does not pass this verification process, either
because its integrity has been compromised or it does not meet the
authorization criteria, IPE will deny its execution. Additionally, IPE
generates audit logs which may be utilized to detect and analyze failures
resulting from policy violation.”h]”hXU  IPE achieves this by verifying the integrity and authenticity of all
executable code before allowing them to run. It conducts a thorough
check to ensure that the codeâ€™s integrity is intact and that they match an
authorized reference value (digest, signature, etc) as per the defined
policy. If a binary does not pass this verification process, either
because its integrity has been compromised or it does not meet the
authorization criteria, IPE will deny its execution. Additionally, IPE
generates audit logs which may be utilized to detect and analyze failures
resulting from policy violation.”…””}”(hj›  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KphjJ  hžhubhÐ)”}”(hŒqTampering threat scenarios include modification or replacement of
executable code by a range of actors including:”h]”hŒqTampering threat scenarios include modification or replacement of
executable code by a range of actors including:”…””}”(hj©  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KzhjJ  hžhubhŒbullet_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒ+Actors with physical access to the hardware”h]”hÐ)”}”(hjÀ  h]”hŒ+Actors with physical access to the hardware”…””}”(hjÂ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K}hj¾  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj¹  hžhhŸh³h Nubj½  )”}”(hŒ.Actors with local network access to the system”h]”hÐ)”}”(hj×  h]”hŒ.Actors with local network access to the system”…””}”(hjÙ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K~hjÕ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj¹  hžhhŸh³h Nubj½  )”}”(hŒ+Actors with access to the deployment system”h]”hÐ)”}”(hjî  h]”hŒ+Actors with access to the deployment system”…””}”(hjð  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Khjì  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj¹  hžhhŸh³h Nubj½  )”}”(hŒ3Compromised internal systems under external control”h]”hÐ)”}”(hj  h]”hŒ3Compromised internal systems under external control”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K€hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj¹  hžhhŸh³h Nubj½  )”}”(hŒ!Malicious end users of the system”h]”hÐ)”}”(hj  h]”hŒ!Malicious end users of the system”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Khj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj¹  hžhhŸh³h Nubj½  )”}”(hŒ#Compromised end users of the system”h]”hÐ)”}”(hj3  h]”hŒ#Compromised end users of the system”…””}”(hj5  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K‚hj1  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj¹  hžhhŸh³h Nubj½  )”}”(hŒ+Remote (external) compromise of the system
”h]”hÐ)”}”(hŒ*Remote (external) compromise of the system”h]”hŒ*Remote (external) compromise of the system”…””}”(hjL  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KƒhjH  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj¹  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1j·  hŸh³h K}hjJ  hžhubhÐ)”}”(hX—  IPE does not mitigate threats arising from malicious but authorized
developers (with access to a signing certificate), or compromised
developer tools used by them (i.e. return-oriented programming attacks).
Additionally, IPE draws hard security boundary between userspace and
kernelspace. As a result, kernel-level exploits are considered outside
the scope of IPE and mitigation is left to other mechanisms.”h]”hX—  IPE does not mitigate threats arising from malicious but authorized
developers (with access to a signing certificate), or compromised
developer tools used by them (i.e. return-oriented programming attacks).
Additionally, IPE draws hard security boundary between userspace and
kernelspace. As a result, kernel-level exploits are considered outside
the scope of IPE and mitigation is left to other mechanisms.”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K…hjJ  hžhubeh}”(h]”Œthreat-model”ah ]”h"]”Œthreat model”ah$]”h&]”uh1h´hh¶hžhhŸh³h Keubhµ)”}”(hhh]”(hº)”}”(hŒPolicy”h]”hŒPolicy”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj~  hžhhŸh³h KubhÐ)”}”(hŒÙIPE policy is a plain-text [#devdoc]_ policy composed of multiple statements
over several lines. There is one required line, at the top of the
policy, indicating the policy name, and the policy version, for
instance::”h]”(hŒIPE policy is a plain-text ”…””}”(hj  hžhhŸNh NubjÚ  )”}”(hŒ
[#devdoc]_”h]”hŒ3”…””}”(hj—  hžhhŸNh Nubah}”(h]”Œid3”ah ]”h"]”h$]”h&]”jê  Kjë  Œdevdoc”jí  höuh1jÙ  hj  jî  KubhŒ³ policy composed of multiple statements
over several lines. There is one required line, at the top of the
policy, indicating the policy name, and the policy version, for
instance:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Khj~  hžhubhŒliteral_block”“”)”}”(hŒ*policy_name=Ex_Policy policy_version=0.0.0”h]”hŒ*policy_name=Ex_Policy policy_version=0.0.0”…””}”hj³  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h K”hj~  hžhubhÐ)”}”(hŒÙThe policy name is a unique key identifying this policy in a human
readable name. This is used to create nodes under securityfs as well as
uniquely identify policies to deploy new policies vs update existing
policies.”h]”hŒÙThe policy name is a unique key identifying this policy in a human
readable name. This is used to create nodes under securityfs as well as
uniquely identify policies to deploy new policies vs update existing
policies.”…””}”(hjÁ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K–hj~  hžhubhÐ)”}”(hŒÃThe policy version indicates the current version of the policy (NOT the
policy syntax version). This is used to prevent rollback of policy to
potentially insecure previous versions of the policy.”h]”hŒÃThe policy version indicates the current version of the policy (NOT the
policy syntax version). This is used to prevent rollback of policy to
potentially insecure previous versions of the policy.”…””}”(hjÏ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K›hj~  hžhubhÐ)”}”(hXŒ  The next portion of IPE policy are rules. Rules are formed by key=value
pairs, known as properties. IPE rules require two properties: ``action``,
which determines what IPE does when it encounters a match against the
rule, and ``op``, which determines when the rule should be evaluated.
The ordering is significant, a rule must start with ``op``, and end with
``action``. Thus, a minimal rule is::”h]”(hŒ†The next portion of IPE policy are rules. Rules are formed by key=value
pairs, known as properties. IPE rules require two properties: ”…””}”(hjÝ  hžhhŸNh Nubj`  )”}”(hŒ
``action``”h]”hŒaction”…””}”(hjå  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÝ  ubhŒR,
which determines what IPE does when it encounters a match against the
rule, and ”…””}”(hjÝ  hžhhŸNh Nubj`  )”}”(hŒ``op``”h]”hŒop”…””}”(hj÷  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÝ  ubhŒj, which determines when the rule should be evaluated.
The ordering is significant, a rule must start with ”…””}”(hjÝ  hžhhŸNh Nubj`  )”}”(hŒ``op``”h]”hŒop”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÝ  ubhŒ, and end with
”…””}”(hjÝ  hžhhŸNh Nubj`  )”}”(hŒ
``action``”h]”hŒaction”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÝ  ubhŒ. Thus, a minimal rule is:”…””}”(hjÝ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KŸhj~  hžhubj²  )”}”(hŒop=EXECUTE action=ALLOW”h]”hŒop=EXECUTE action=ALLOW”…””}”hj3  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h K¦hj~  hžhubhÐ)”}”(hXl  This example will allow any execution. Additional properties are used to
assess immutable security properties about the files being evaluated.
These properties are intended to be descriptions of systems within the
kernel that can provide a measure of integrity verification, such that IPE
can determine the trust of the resource based on the value of the property.”h]”hXl  This example will allow any execution. Additional properties are used to
assess immutable security properties about the files being evaluated.
These properties are intended to be descriptions of systems within the
kernel that can provide a measure of integrity verification, such that IPE
can determine the trust of the resource based on the value of the property.”…””}”(hjA  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K¨hj~  hžhubhÐ)”}”(hŒÀRules are evaluated top-to-bottom. As a result, any revocation rules,
or denies should be placed early in the file to ensure that these rules
are evaluated before a rule with ``action=ALLOW``.”h]”(hŒ¯Rules are evaluated top-to-bottom. As a result, any revocation rules,
or denies should be placed early in the file to ensure that these rules
are evaluated before a rule with ”…””}”(hjO  hžhhŸNh Nubj`  )”}”(hŒ``action=ALLOW``”h]”hŒaction=ALLOW”…””}”(hjW  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjO  ubhŒ.”…””}”(hjO  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K®hj~  hžhubhÐ)”}”(hŒŠIPE policy supports comments. The character '#' will function as a
comment, ignoring all characters to the right of '#' until the newline.”h]”hŒ’IPE policy supports comments. The character â€˜#â€™ will function as a
comment, ignoring all characters to the right of â€˜#â€™ until the newline.”…””}”(hjo  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K²hj~  hžhubhÐ)”}”(hŒªThe default behavior of IPE evaluations can also be expressed in policy,
through the ``DEFAULT`` statement. This can be done at a global level,
or a per-operation level::”h]”(hŒUThe default behavior of IPE evaluations can also be expressed in policy,
through the ”…””}”(hj}  hžhhŸNh Nubj`  )”}”(hŒ``DEFAULT``”h]”hŒDEFAULT”…””}”(hj…  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj}  ubhŒI statement. This can be done at a global level,
or a per-operation level:”…””}”(hj}  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kµhj~  hžhubj²  )”}”(hŒS# Global
DEFAULT action=ALLOW

# Operation Specific
DEFAULT op=EXECUTE action=ALLOW”h]”hŒS# Global
DEFAULT action=ALLOW

# Operation Specific
DEFAULT op=EXECUTE action=ALLOW”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h K¹hj~  hžhubhÐ)”}”(hX  A default must be set for all known operations in IPE. If you want to
preserve older policies being compatible with newer kernels that can introduce
new operations, set a global default of ``ALLOW``, then override the
defaults on a per-operation basis (as above).”h]”(hŒ½A default must be set for all known operations in IPE. If you want to
preserve older policies being compatible with newer kernels that can introduce
new operations, set a global default of ”…””}”(hj«  hžhhŸNh Nubj`  )”}”(hŒ	``ALLOW``”h]”hŒALLOW”…””}”(hj³  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj«  ubhŒA, then override the
defaults on a per-operation basis (as above).”…””}”(hj«  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K¿hj~  hžhubhÐ)”}”(hŒ—With configurable policy-based LSMs, there's several issues with
enforcing the configurable policies at startup, around reading and
parsing the policy:”h]”hŒ™With configurable policy-based LSMs, thereâ€™s several issues with
enforcing the configurable policies at startup, around reading and
parsing the policy:”…””}”(hjË  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÄhj~  hžhubhŒenumerated_list”“”)”}”(hhh]”(j½  )”}”(hŒeThe kernel *should* not read files from userspace, so directly reading
the policy file is prohibited.”h]”hÐ)”}”(hŒeThe kernel *should* not read files from userspace, so directly reading
the policy file is prohibited.”h]”(hŒThe kernel ”…””}”(hjâ  hžhhŸNh NubhŒemphasis”“”)”}”(hŒ*should*”h]”hŒshould”…””}”(hjì  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jê  hjâ  ubhŒR not read files from userspace, so directly reading
the policy file is prohibited.”…””}”(hjâ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÈhjÞ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÛ  hžhhŸh³h Nubj½  )”}”(hŒThe kernel command line has a character limit, and one kernel module
should not reserve the entire character limit for its own
configuration.”h]”hÐ)”}”(hŒThe kernel command line has a character limit, and one kernel module
should not reserve the entire character limit for its own
configuration.”h]”hŒThe kernel command line has a character limit, and one kernel module
should not reserve the entire character limit for its own
configuration.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÊhj
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÛ  hžhhŸh³h Nubj½  )”}”(hŒsThere are various boot loaders in the kernel ecosystem, so handing
off a memory block would be costly to maintain.
”h]”hÐ)”}”(hŒrThere are various boot loaders in the kernel ecosystem, so handing
off a memory block would be costly to maintain.”h]”hŒrThere are various boot loaders in the kernel ecosystem, so handing
off a memory block would be costly to maintain.”…””}”(hj&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÍhj"  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÛ  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œarabic”Œprefix”hŒsuffix”Œ.”uh1jÙ  hj~  hžhhŸh³h KÈubhÐ)”}”(hXu  As a result, IPE has addressed this problem through a concept of a "boot
policy". A boot policy is a minimal policy which is compiled into the
kernel. This policy is intended to get the system to a state where
userspace is set up and ready to receive commands, at which point a more
complex policy can be deployed via securityfs. The boot policy can be
specified via ``SECURITY_IPE_BOOT_POLICY`` config option, which accepts
a path to a plain-text version of the IPE policy to apply. This policy
will be compiled into the kernel. If not specified, IPE will be disabled
until a policy is deployed and activated through securityfs.”h]”(hXs  As a result, IPE has addressed this problem through a concept of a â€œboot
policyâ€. A boot policy is a minimal policy which is compiled into the
kernel. This policy is intended to get the system to a state where
userspace is set up and ready to receive commands, at which point a more
complex policy can be deployed via securityfs. The boot policy can be
specified via ”…””}”(hjE  hžhhŸNh Nubj`  )”}”(hŒ``SECURITY_IPE_BOOT_POLICY``”h]”hŒSECURITY_IPE_BOOT_POLICY”…””}”(hjM  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjE  ubhŒê config option, which accepts
a path to a plain-text version of the IPE policy to apply. This policy
will be compiled into the kernel. If not specified, IPE will be disabled
until a policy is deployed and activated through securityfs.”…””}”(hjE  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÐhj~  hžhubhµ)”}”(hhh]”(hº)”}”(hŒDeploying Policies”h]”hŒDeploying Policies”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hje  hžhhŸh³h KÛubhÐ)”}”(hXA  Policies can be deployed from userspace through securityfs. These policies
are signed through the PKCS#7 message format to enforce some level of
authorization of the policies (prohibiting an attacker from gaining
unconstrained root, and deploying an "allow all" policy). These
policies must be signed by a certificate that chains to the
``SYSTEM_TRUSTED_KEYRING``, or to the secondary and/or platform keyrings if
``CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING`` and/or
``CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING`` are enabled, respectively.
With openssl, the policy can be signed by::”h]”(hXU  Policies can be deployed from userspace through securityfs. These policies
are signed through the PKCS#7 message format to enforce some level of
authorization of the policies (prohibiting an attacker from gaining
unconstrained root, and deploying an â€œallow allâ€ policy). These
policies must be signed by a certificate that chains to the
”…””}”(hjv  hžhhŸNh Nubj`  )”}”(hŒ``SYSTEM_TRUSTED_KEYRING``”h]”hŒSYSTEM_TRUSTED_KEYRING”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjv  ubhŒ2, or to the secondary and/or platform keyrings if
”…””}”(hjv  hžhhŸNh Nubj`  )”}”(hŒ+``CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING``”h]”hŒ'CONFIG_IPE_POLICY_SIG_SECONDARY_KEYRING”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjv  ubhŒ and/or
”…””}”(hjv  hžhhŸNh Nubj`  )”}”(hŒ*``CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING``”h]”hŒ&CONFIG_IPE_POLICY_SIG_PLATFORM_KEYRING”…””}”(hj¢  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjv  ubhŒF are enabled, respectively.
With openssl, the policy can be signed by:”…””}”(hjv  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÝhje  hžhubj²  )”}”(hŒÀopenssl smime -sign \
   -in "$MY_POLICY" \
   -signer "$MY_CERTIFICATE" \
   -inkey "$MY_PRIVATE_KEY" \
   -noattr \
   -nodetach \
   -nosmimecap \
   -outform der \
   -out "$MY_POLICY.p7b"”h]”hŒÀopenssl smime -sign \
   -in "$MY_POLICY" \
   -signer "$MY_CERTIFICATE" \
   -inkey "$MY_PRIVATE_KEY" \
   -noattr \
   -nodetach \
   -nosmimecap \
   -outform der \
   -out "$MY_POLICY.p7b"”…””}”hjº  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h Kçhje  hžhubhÐ)”}”(hŒ–Deploying the policies is done through securityfs, through the
``new_policy`` node. To deploy a policy, simply cat the file into the
securityfs node::”h]”(hŒ?Deploying the policies is done through securityfs, through the
”…””}”(hjÈ  hžhhŸNh Nubj`  )”}”(hŒ``new_policy``”h]”hŒ
new_policy”…””}”(hjÐ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÈ  ubhŒH node. To deploy a policy, simply cat the file into the
securityfs node:”…””}”(hjÈ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kñhje  hžhubj²  )”}”(hŒ:cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy”h]”hŒ:cat "$MY_POLICY.p7b" > /sys/kernel/security/ipe/new_policy”…””}”hjè  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h Kõhje  hžhubhÐ)”}”(hX‘  Upon success, this will create one subdirectory under
``/sys/kernel/security/ipe/policies/``. The subdirectory will be the
``policy_name`` field of the policy deployed, so for the example above,
the directory will be ``/sys/kernel/security/ipe/policies/Ex_Policy``.
Within this directory, there will be seven files: ``pkcs7``, ``policy``,
``name``, ``version``, ``active``, ``update``, and ``delete``.”h]”(hŒ6Upon success, this will create one subdirectory under
”…””}”(hjö  hžhhŸNh Nubj`  )”}”(hŒ&``/sys/kernel/security/ipe/policies/``”h]”hŒ"/sys/kernel/security/ipe/policies/”…””}”(hjþ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒ. The subdirectory will be the
”…””}”(hjö  hžhhŸNh Nubj`  )”}”(hŒ``policy_name``”h]”hŒpolicy_name”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒO field of the policy deployed, so for the example above,
the directory will be ”…””}”(hjö  hžhhŸNh Nubj`  )”}”(hŒ/``/sys/kernel/security/ipe/policies/Ex_Policy``”h]”hŒ+/sys/kernel/security/ipe/policies/Ex_Policy”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒ4.
Within this directory, there will be seven files: ”…””}”(hjö  hžhhŸNh Nubj`  )”}”(hŒ	``pkcs7``”h]”hŒpkcs7”…””}”(hj4  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒ, ”…””}”(hjö  hžhhŸNh Nubj`  )”}”(hŒ
``policy``”h]”hŒpolicy”…””}”(hjF  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒ,
”…””}”(hjö  hžhhŸNh Nubj`  )”}”(hŒ``name``”h]”hŒname”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒ, ”…””}”hjö  sbj`  )”}”(hŒ``version``”h]”hŒversion”…””}”(hjj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒ, ”…””}”hjö  sbj`  )”}”(hŒ
``active``”h]”hŒactive”…””}”(hj|  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒ, ”…””}”hjö  sbj`  )”}”(hŒ
``update``”h]”hŒupdate”…””}”(hjŽ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒ, and ”…””}”(hjö  hžhhŸNh Nubj`  )”}”(hŒ
``delete``”h]”hŒdelete”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjö  ubhŒ.”…””}”(hjö  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K÷hje  hžhubhÐ)”}”(hŒàThe ``pkcs7`` file is read-only. Reading it returns the raw PKCS#7 data
that was provided to the kernel, representing the policy. If the policy being
read is the boot policy, this will return ``ENOENT``, as it is not signed.”h]”(hŒThe ”…””}”(hj¸  hžhhŸNh Nubj`  )”}”(hŒ	``pkcs7``”h]”hŒpkcs7”…””}”(hjÀ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¸  ubhŒ³ file is read-only. Reading it returns the raw PKCS#7 data
that was provided to the kernel, representing the policy. If the policy being
read is the boot policy, this will return ”…””}”(hj¸  hžhhŸNh Nubj`  )”}”(hŒ
``ENOENT``”h]”hŒENOENT”…””}”(hjÒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¸  ubhŒ, as it is not signed.”…””}”(hj¸  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kþhje  hžhubhÐ)”}”(hŒThe ``policy`` file is read only. Reading it returns the PKCS#7 inner
content of the policy, which will be the plain text policy.”h]”(hŒThe ”…””}”(hjê  hžhhŸNh Nubj`  )”}”(hŒ
``policy``”h]”hŒpolicy”…””}”(hjò  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjê  ubhŒs file is read only. Reading it returns the PKCS#7 inner
content of the policy, which will be the plain text policy.”…””}”(hjê  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhje  hžhubhÐ)”}”(hXg  The ``active`` file is used to set a policy as the currently active policy.
This file is rw, and accepts a value of ``"1"`` to set the policy as active.
Since only a single policy can be active at one time, all other policies
will be marked inactive. The policy being marked active must have a policy
version greater or equal to the currently-running version.”h]”(hŒThe ”…””}”(hj
  hžhhŸNh Nubj`  )”}”(hŒ
``active``”h]”hŒactive”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj
  ubhŒf file is used to set a policy as the currently active policy.
This file is rw, and accepts a value of ”…””}”(hj
  hžhhŸNh Nubj`  )”}”(hŒ``"1"``”h]”hŒ"1"”…””}”(hj$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj
  ubhŒì to set the policy as active.
Since only a single policy can be active at one time, all other policies
will be marked inactive. The policy being marked active must have a policy
version greater or equal to the currently-running version.”…””}”(hj
  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhje  hžhubhÐ)”}”(hX¥  The ``update`` file is used to update a policy that is already present
in the kernel. This file is write-only and accepts a PKCS#7 signed
policy. Two checks will always be performed on this policy: First, the
``policy_names`` must match with the updated version and the existing
version. Second the updated policy must have a policy version greater than
the currently-running version. This is to prevent rollback attacks.”h]”(hŒThe ”…””}”(hj<  hžhhŸNh Nubj`  )”}”(hŒ
``update``”h]”hŒupdate”…””}”(hjD  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj<  ubhŒÃ file is used to update a policy that is already present
in the kernel. This file is write-only and accepts a PKCS#7 signed
policy. Two checks will always be performed on this policy: First, the
”…””}”(hj<  hžhhŸNh Nubj`  )”}”(hŒ``policy_names``”h]”hŒpolicy_names”…””}”(hjV  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj<  ubhŒÄ must match with the updated version and the existing
version. Second the updated policy must have a policy version greater than
the currently-running version. This is to prevent rollback attacks.”…””}”(hj<  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhje  hžhubhÐ)”}”(hXH  The ``delete`` file is used to remove a policy that is no longer needed.
This file is write-only and accepts a value of ``1`` to delete the policy.
On deletion, the securityfs node representing the policy will be removed.
However, delete the current active policy is not allowed and will return
an operation not permitted error.”h]”(hŒThe ”…””}”(hjn  hžhhŸNh Nubj`  )”}”(hŒ
``delete``”h]”hŒdelete”…””}”(hjv  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjn  ubhŒj file is used to remove a policy that is no longer needed.
This file is write-only and accepts a value of ”…””}”(hjn  hžhhŸNh Nubj`  )”}”(hŒ``1``”h]”hŒ1”…””}”(hjˆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjn  ubhŒË to delete the policy.
On deletion, the securityfs node representing the policy will be removed.
However, delete the current active policy is not allowed and will return
an operation not permitted error.”…””}”(hjn  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhje  hžhubhÐ)”}”(hX  Similarly, writing to both ``update`` and ``new_policy`` could result in
bad message(policy syntax error) or file exists error. The latter error happens
when trying to deploy a policy with a ``policy_name`` while the kernel already
has a deployed policy with the same ``policy_name``.”h]”(hŒSimilarly, writing to both ”…””}”(hj   hžhhŸNh Nubj`  )”}”(hŒ
``update``”h]”hŒupdate”…””}”(hj¨  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj   ubhŒ and ”…””}”(hj   hžhhŸNh Nubj`  )”}”(hŒ``new_policy``”h]”hŒ
new_policy”…””}”(hjº  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj   ubhŒ‡ could result in
bad message(policy syntax error) or file exists error. The latter error happens
when trying to deploy a policy with a ”…””}”(hj   hžhhŸNh Nubj`  )”}”(hŒ``policy_name``”h]”hŒpolicy_name”…””}”(hjÌ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj   ubhŒ> while the kernel already
has a deployed policy with the same ”…””}”(hj   hžhhŸNh Nubj`  )”}”(hŒ``policy_name``”h]”hŒpolicy_name”…””}”(hjÞ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj   ubhŒ.”…””}”(hj   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhje  hžhubhÐ)”}”(hŒ©Deploying a policy will *not* cause IPE to start enforcing the policy. IPE will
only enforce the policy marked active. Note that only one policy can be active
at a time.”h]”(hŒDeploying a policy will ”…””}”(hjö  hžhhŸNh Nubjë  )”}”(hŒ*not*”h]”hŒnot”…””}”(hjþ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jê  hjö  ubhŒŒ cause IPE to start enforcing the policy. IPE will
only enforce the policy marked active. Note that only one policy can be active
at a time.”…””}”(hjö  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhje  hžhubhÐ)”}”(hŒ»Once deployment is successful, the policy can be activated, by writing file
``/sys/kernel/security/ipe/policies/$policy_name/active``.
For example, the ``Ex_Policy`` can be activated by::”h]”(hŒLOnce deployment is successful, the policy can be activated, by writing file
”…””}”(hj  hžhhŸNh Nubj`  )”}”(hŒ9``/sys/kernel/security/ipe/policies/$policy_name/active``”h]”hŒ5/sys/kernel/security/ipe/policies/$policy_name/active”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj  ubhŒ.
For example, the ”…””}”(hj  hžhhŸNh Nubj`  )”}”(hŒ``Ex_Policy``”h]”hŒ	Ex_Policy”…””}”(hj0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj  ubhŒ can be activated by:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M!hje  hžhubj²  )”}”(hŒ=echo 1 > "/sys/kernel/security/ipe/policies/Ex_Policy/active"”h]”hŒ=echo 1 > "/sys/kernel/security/ipe/policies/Ex_Policy/active"”…””}”hjH  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h M%hje  hžhubhÐ)”}”(hŒLFrom above point on, ``Ex_Policy`` is now the enforced policy on the
system.”h]”(hŒFrom above point on, ”…””}”(hjV  hžhhŸNh Nubj`  )”}”(hŒ``Ex_Policy``”h]”hŒ	Ex_Policy”…””}”(hj^  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjV  ubhŒ* is now the enforced policy on the
system.”…””}”(hjV  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M'hje  hžhubhÐ)”}”(hŒËIPE also provides a way to delete policies. This can be done via the
``delete`` securityfs node,
``/sys/kernel/security/ipe/policies/$policy_name/delete``.
Writing ``1`` to that file deletes the policy::”h]”(hŒEIPE also provides a way to delete policies. This can be done via the
”…””}”(hjv  hžhhŸNh Nubj`  )”}”(hŒ
``delete``”h]”hŒdelete”…””}”(hj~  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjv  ubhŒ securityfs node,
”…””}”(hjv  hžhhŸNh Nubj`  )”}”(hŒ9``/sys/kernel/security/ipe/policies/$policy_name/delete``”h]”hŒ5/sys/kernel/security/ipe/policies/$policy_name/delete”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjv  ubhŒ
.
Writing ”…””}”(hjv  hžhhŸNh Nubj`  )”}”(hŒ``1``”h]”hŒ1”…””}”(hj¢  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjv  ubhŒ! to that file deletes the policy:”…””}”(hjv  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M*hje  hžhubj²  )”}”(hŒ@echo 1 > "/sys/kernel/security/ipe/policies/$policy_name/delete"”h]”hŒ@echo 1 > "/sys/kernel/security/ipe/policies/$policy_name/delete"”…””}”hjº  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h M/hje  hžhubhÐ)”}”(hŒ\There is only one requirement to delete a policy: the policy being deleted
must be inactive.”h]”hŒ\There is only one requirement to delete a policy: the policy being deleted
must be inactive.”…””}”(hjÈ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M1hje  hžhubhÊ)”}”(hŒ‚If a traditional MAC system is enabled (SELinux, apparmor, smack), all
writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.”h]”hÐ)”}”(hŒ‚If a traditional MAC system is enabled (SELinux, apparmor, smack), all
writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.”h]”(hŒrIf a traditional MAC system is enabled (SELinux, apparmor, smack), all
writes to ipeâ€™s securityfs nodes require ”…””}”(hjÚ  hžhhŸNh Nubj`  )”}”(hŒ``CAP_MAC_ADMIN``”h]”hŒCAP_MAC_ADMIN”…””}”(hjâ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÚ  ubhŒ.”…””}”(hjÚ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M6hjÖ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhje  hžhhŸh³h Nubeh}”(h]”Œdeploying-policies”ah ]”h"]”Œdeploying policies”ah$]”h&]”uh1h´hj~  hžhhŸh³h KÛubhµ)”}”(hhh]”(hº)”}”(hŒModes”h]”hŒModes”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj	  hžhhŸh³h M:ubhÐ)”}”(hX  IPE supports two modes of operation: permissive (similar to SELinux's
permissive mode) and enforced. In permissive mode, all events are
checked and policy violations are logged, but the policy is not really
enforced. This allows users to test policies before enforcing them.”h]”hX  IPE supports two modes of operation: permissive (similar to SELinuxâ€™s
permissive mode) and enforced. In permissive mode, all events are
checked and policy violations are logged, but the policy is not really
enforced. This allows users to test policies before enforcing them.”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M<hj	  hžhubhÐ)”}”(hŒ©The default mode is enforce, and can be changed via the kernel command
line parameter ``ipe.enforce=(0|1)``, or the securityfs node
``/sys/kernel/security/ipe/enforce``.”h]”(hŒVThe default mode is enforce, and can be changed via the kernel command
line parameter ”…””}”(hj'	  hžhhŸNh Nubj`  )”}”(hŒ``ipe.enforce=(0|1)``”h]”hŒipe.enforce=(0|1)”…””}”(hj/	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj'	  ubhŒ, or the securityfs node
”…””}”(hj'	  hžhhŸNh Nubj`  )”}”(hŒ$``/sys/kernel/security/ipe/enforce``”h]”hŒ /sys/kernel/security/ipe/enforce”…””}”(hjA	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj'	  ubhŒ.”…””}”(hj'	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MAhj	  hžhubhÊ)”}”(hŒŒIf a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera),
all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.”h]”hÐ)”}”(hŒŒIf a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera),
all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.”h]”(hŒ|If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera),
all writes to ipeâ€™s securityfs nodes require ”…””}”(hj]	  hžhhŸNh Nubj`  )”}”(hŒ``CAP_MAC_ADMIN``”h]”hŒCAP_MAC_ADMIN”…””}”(hje	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj]	  ubhŒ.”…””}”(hj]	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MGhjY	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhj	  hžhhŸh³h Nubeh}”(h]”Œmodes”ah ]”h"]”Œmodes”ah$]”h&]”uh1h´hj~  hžhhŸh³h M:ubhµ)”}”(hhh]”(hº)”}”(hŒAudit Events”h]”hŒAudit Events”…””}”(hjŽ	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj‹	  hžhhŸh³h MKubhµ)”}”(hhh]”(hº)”}”(hŒ1420 AUDIT_IPE_ACCESS”h]”hŒ1420 AUDIT_IPE_ACCESS”…””}”(hjŸ	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjœ	  hžhhŸh³h MNubhÐ)”}”(hŒEvent Examples::”h]”hŒEvent Examples:”…””}”(hj­	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MOhjœ	  hžhubj²  )”}”(hXw  type=1420 audit(1653364370.067:61): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2241 comm="ld-linux.so" path="/deny/lib/libc.so.6" dev="sda2" ino=14549020 rule="DEFAULT action=DENY"
type=1300 audit(1653364370.067:61): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=7f1105a28000 a1=195000 a2=5 a3=812 items=0 ppid=2219 pid=2241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ld-linux.so" exe="/tmp/ipe-test/lib/ld-linux.so" subj=unconfined key=(null)
type=1327 audit(1653364370.067:61): 707974686F6E3300746573742F6D61696E2E7079002D6E00

type=1420 audit(1653364735.161:64): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2472 comm="mmap_test" path=? dev=? ino=? rule="DEFAULT action=DENY"
type=1300 audit(1653364735.161:64): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=4 a3=21 items=0 ppid=2219 pid=2472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mmap_test" exe="/root/overlake_test/upstream_test/vol_fsverity/bin/mmap_test" subj=unconfined key=(null)
type=1327 audit(1653364735.161:64): 707974686F6E3300746573742F6D61696E2E7079002D6E00”h]”hXw  type=1420 audit(1653364370.067:61): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2241 comm="ld-linux.so" path="/deny/lib/libc.so.6" dev="sda2" ino=14549020 rule="DEFAULT action=DENY"
type=1300 audit(1653364370.067:61): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=7f1105a28000 a1=195000 a2=5 a3=812 items=0 ppid=2219 pid=2241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ld-linux.so" exe="/tmp/ipe-test/lib/ld-linux.so" subj=unconfined key=(null)
type=1327 audit(1653364370.067:61): 707974686F6E3300746573742F6D61696E2E7079002D6E00

type=1420 audit(1653364735.161:64): ipe_op=EXECUTE ipe_hook=MMAP enforcing=1 pid=2472 comm="mmap_test" path=? dev=? ino=? rule="DEFAULT action=DENY"
type=1300 audit(1653364735.161:64): SYSCALL arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=1000 a2=4 a3=21 items=0 ppid=2219 pid=2472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="mmap_test" exe="/root/overlake_test/upstream_test/vol_fsverity/bin/mmap_test" subj=unconfined key=(null)
type=1327 audit(1653364735.161:64): 707974686F6E3300746573742F6D61696E2E7079002D6E00”…””}”hj»	  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h MQhjœ	  hžhubhÐ)”}”(hŒžThis event indicates that IPE made an access control decision; the IPE
specific record (1420) is always emitted in conjunction with a
``AUDITSYSCALL`` record.”h]”(hŒ†This event indicates that IPE made an access control decision; the IPE
specific record (1420) is always emitted in conjunction with a
”…””}”(hjÉ	  hžhhŸNh Nubj`  )”}”(hŒ``AUDITSYSCALL``”h]”hŒAUDITSYSCALL”…””}”(hjÑ	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÉ	  ubhŒ record.”…””}”(hjÉ	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MYhjœ	  hžhubhÐ)”}”(hŒDetermining whether IPE is in permissive or enforced mode can be derived
from ``success`` property and exit code of the ``AUDITSYSCALL`` record.”h]”(hŒNDetermining whether IPE is in permissive or enforced mode can be derived
from ”…””}”(hjé	  hžhhŸNh Nubj`  )”}”(hŒ``success``”h]”hŒsuccess”…””}”(hjñ	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjé	  ubhŒ property and exit code of the ”…””}”(hjé	  hžhhŸNh Nubj`  )”}”(hŒ``AUDITSYSCALL``”h]”hŒAUDITSYSCALL”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjé	  ubhŒ record.”…””}”(hjé	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M]hjœ	  hžhubhÐ)”}”(hŒField descriptions:”h]”hŒField descriptions:”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mahjœ	  hžhubhŒtable”“”)”}”(hhh]”hŒtgroup”“”)”}”(hhh]”(hŒcolspec”“”)”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hj0
  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hj0
  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hj0
  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”KQuh1j3
  hj0
  ubhŒthead”“”)”}”(hhh]”hŒrow”“”)”}”(hhh]”(hŒentry”“”)”}”(hhh]”hÐ)”}”(hŒField”h]”hŒField”…””}”(hjl
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mdhji
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjd
  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ
Value Type”h]”hŒ
Value Type”…””}”(hjƒ
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mdhj€
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjd
  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ	Optional?”h]”hŒ	Optional?”…””}”(hjš
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mdhj—
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjd
  ubjh
  )”}”(hhh]”hÐ)”}”(hŒDescription of Value”h]”hŒDescription of Value”…””}”(hj±
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mdhj®
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjd
  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj_
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j]
  hj0
  ubhŒtbody”“”)”}”(hhh]”(jc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒipe_op”h]”hŒipe_op”…””}”(hjÜ
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MfhjÙ
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÖ
  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjó
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mfhjð
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÖ
  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mfhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÖ
  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ.The IPE operation name associated with the log”h]”hŒ.The IPE operation name associated with the log”…””}”(hj!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mfhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÖ
  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjÓ
  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒipe_hook”h]”hŒipe_hook”…””}”(hjA  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhhj>  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj;  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MhhjU  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj;  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjo  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhhjl  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj;  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ5The name of the LSM hook that triggered the IPE event”h]”hŒ5The name of the LSM hook that triggered the IPE event”…””}”(hj†  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhhjƒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj;  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjÓ
  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒ	enforcing”h]”hŒ	enforcing”…””}”(hj¦  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mjhj£  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj   ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hj½  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mjhjº  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj   ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MjhjÑ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj   ubjh
  )”}”(hhh]”hÐ)”}”(hŒOThe current IPE enforcing state 1 is in enforcing mode, 0 is in permissive mode”h]”hŒOThe current IPE enforcing state 1 is in enforcing mode, 0 is in permissive mode”…””}”(hjë  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mjhjè  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj   ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjÓ
  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒpid”h]”hŒpid”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mlhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mlhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj9  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mlhj6  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ4The pid of the process that triggered the IPE event.”h]”hŒ4The pid of the process that triggered the IPE event.”…””}”(hjP  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MlhjM  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjÓ
  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒcomm”h]”hŒcomm”…””}”(hjp  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mnhjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hj‡  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mnhj„  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjž  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mnhj›  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒIThe command line program name of the process that triggered the IPE event”h]”hŒIThe command line program name of the process that triggered the IPE event”…””}”(hjµ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mnhj²  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjÓ
  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒpath”h]”hŒpath”…””}”(hjÕ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MphjÒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÏ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjì  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mphjé  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÏ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒYes”h]”hŒYes”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mphj   ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÏ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ'The absolute path to the evaluated file”h]”hŒ'The absolute path to the evaluated file”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mphj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÏ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjÓ
  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒino”h]”hŒino”…””}”(hj:  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mrhj7  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj4  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hjQ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MrhjN  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj4  ubjh
  )”}”(hhh]”hÐ)”}”(hŒYes”h]”hŒYes”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mrhje  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj4  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ&The inode number of the evaluated file”h]”hŒ&The inode number of the evaluated file”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mrhj|  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj4  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjÓ
  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒdev”h]”hŒdev”…””}”(hjŸ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mthjœ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj™  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hj¶  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mthj³  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj™  ubjh
  )”}”(hhh]”hÐ)”}”(hŒYes”h]”hŒYes”…””}”(hjÍ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MthjÊ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj™  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ/The device name of the evaluated file, e.g. vda”h]”hŒ/The device name of the evaluated file, e.g. vda”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mthjá  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj™  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjÓ
  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒrule”h]”hŒrule”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mvhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjþ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mvhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjþ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mvhj/  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjþ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe matched policy rule”h]”hŒThe matched policy rule”…””}”(hjI  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MvhjF  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjþ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjÓ
  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÑ
  hj0
  ubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1j.
  hj+
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j)
  hjœ	  hžhhŸh³h Nubeh}”(h]”Œaudit-ipe-access”ah ]”h"]”Œ1420 audit_ipe_access”ah$]”h&]”uh1h´hj‹	  hžhhŸh³h MNubhµ)”}”(hhh]”(hº)”}”(hŒ1421 AUDIT_IPE_CONFIG_CHANGE”h]”hŒ1421 AUDIT_IPE_CONFIG_CHANGE”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj~  hžhhŸh³h MzubhÐ)”}”(hŒEvent Example::”h]”hŒEvent Example:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M|hj~  hžhubj²  )”}”(hX  type=1421 audit(1653425583.136:54): old_active_pol_name="Allow_All" old_active_pol_version=0.0.0 old_policy_digest=sha256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 new_active_pol_name="boot_verified" new_active_pol_version=0.0.0 new_policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1
type=1300 audit(1653425583.136:54): SYSCALL arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=5596fcae1fb0 a2=2 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null)
type=1327 audit(1653425583.136:54): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2”h]”hX  type=1421 audit(1653425583.136:54): old_active_pol_name="Allow_All" old_active_pol_version=0.0.0 old_policy_digest=sha256:E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 new_active_pol_name="boot_verified" new_active_pol_version=0.0.0 new_policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1
type=1300 audit(1653425583.136:54): SYSCALL arch=c000003e syscall=1 success=yes exit=2 a0=3 a1=5596fcae1fb0 a2=2 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null)
type=1327 audit(1653425583.136:54): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h M~hj~  hžhubhÐ)”}”(hX  This event indicates that IPE switched the active poliy from one to another
along with the version and the hash digest of the two policies.
Note IPE can only have one policy active at a time, all access decision
evaluation is based on the current active policy.
The normal procedure to deploy a new policy is loading the policy to deploy
into the kernel first, then switch the active policy to it.”h]”hX  This event indicates that IPE switched the active poliy from one to another
along with the version and the hash digest of the two policies.
Note IPE can only have one policy active at a time, all access decision
evaluation is based on the current active policy.
The normal procedure to deploy a new policy is loading the policy to deploy
into the kernel first, then switch the active policy to it.”…””•Q      }”(hj«  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M‚hj~  hžhubhÐ)”}”(hŒkThis record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall.”h]”(hŒ9This record will always be emitted in conjunction with a ”…””}”(hj¹  hžhhŸNh Nubj`  )”}”(hŒ``AUDITSYSCALL``”h]”hŒAUDITSYSCALL”…””}”(hjÁ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¹  ubhŒ record for the ”…””}”(hj¹  hžhhŸNh Nubj`  )”}”(hŒ	``write``”h]”hŒwrite”…””}”(hjÓ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¹  ubhŒ	 syscall.”…””}”(hj¹  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M‰hj~  hžhubhÐ)”}”(hŒField descriptions:”h]”hŒField descriptions:”…””}”(hjë  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M‹hj~  hžhubj*
  )”}”(hhh]”j/
  )”}”(hhh]”(j4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hjü  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hjü  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hjü  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K3uh1j3
  hjü  ubj^
  )”}”(hhh]”jc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒField”h]”hŒField”…””}”(hj0  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MŽhj-  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj*  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ
Value Type”h]”hŒ
Value Type”…””}”(hjG  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MŽhjD  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj*  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ	Optional?”h]”hŒ	Optional?”…””}”(hj^  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MŽhj[  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj*  ubjh
  )”}”(hhh]”hÐ)”}”(hŒDescription of Value”h]”hŒDescription of Value”…””}”(hju  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MŽhjr  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj*  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j]
  hjü  ubjÒ
  )”}”(hhh]”(jc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒold_active_pol_name”h]”hŒold_active_pol_name”…””}”(hjž  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj›  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj˜  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjµ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj²  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj˜  ubjh
  )”}”(hhh]”hÐ)”}”(hŒYes”h]”hŒYes”…””}”(hjÌ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MhjÉ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj˜  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ"The name of previous active policy”h]”hŒ"The name of previous active policy”…””}”(hjã  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhjà  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj˜  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒold_active_pol_version”h]”hŒold_active_pol_version”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M’hj   ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjý  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M’hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjý  ubjh
  )”}”(hhh]”hÐ)”}”(hŒYes”h]”hŒYes”…””}”(hj1  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M’hj.  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjý  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ%The version of previous active policy”h]”hŒ%The version of previous active policy”…””}”(hjH  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M’hjE  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjý  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒold_policy_digest”h]”hŒold_policy_digest”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M”hje  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjb  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M”hj|  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjb  ubjh
  )”}”(hhh]”hÐ)”}”(hŒYes”h]”hŒYes”…””}”(hj–  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M”hj“  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjb  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ"The hash of previous active policy”h]”hŒ"The hash of previous active policy”…””}”(hj­  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M”hjª  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjb  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒnew_active_pol_name”h]”hŒnew_active_pol_name”…””}”(hjÍ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M–hjÊ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÇ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M–hjá  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÇ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjû  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M–hjø  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÇ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ!The name of current active policy”h]”hŒ!The name of current active policy”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M–hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÇ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒnew_active_pol_version”h]”hŒnew_active_pol_version”…””}”(hj2  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M˜hj/  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj,  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjI  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M˜hjF  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj,  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj`  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M˜hj]  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj,  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ$The version of current active policy”h]”hŒ$The version of current active policy”…””}”(hjw  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M˜hjt  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj,  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒnew_policy_digest”h]”hŒnew_policy_digest”…””}”(hj—  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mšhj”  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj‘  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hj®  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mšhj«  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj‘  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjÅ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MšhjÂ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj‘  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ!The hash of current active policy”h]”hŒ!The hash of current active policy”…””}”(hjÜ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MšhjÙ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj‘  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒauid”h]”hŒauid”…””}”(hjü  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mœhjù  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjö  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mœhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjö  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mœhj'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjö  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe login user ID”h]”hŒThe login user ID”…””}”(hjA  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mœhj>  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjö  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒses”h]”hŒses”…””}”(hja  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mžhj^  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj[  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hjx  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mžhju  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj[  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MžhjŒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj[  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe login session ID”h]”hŒThe login session ID”…””}”(hj¦  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mžhj£  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj[  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒlsm”h]”hŒlsm”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M hjÃ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÀ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjÝ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M hjÚ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÀ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjô  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M hjñ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÀ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ&The lsm name associated with the event”h]”hŒ&The lsm name associated with the event”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjÀ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒres”h]”hŒres”…””}”(hj+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¢hj(  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj%  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hjB  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¢hj?  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj%  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¢hjV  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj%  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ1The result of the audited operation(success/fail)”h]”hŒ1The result of the audited operation(success/fail)”…””}”(hjp  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¢hjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj%  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj•  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÑ
  hjü  ubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1j.
  hjù  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j)
  hj~  hžhhŸh³h Nubeh}”(h]”Œaudit-ipe-config-change”ah ]”h"]”Œ1421 audit_ipe_config_change”ah$]”h&]”uh1h´hj‹	  hžhhŸh³h Mzubhµ)”}”(hhh]”(hº)”}”(hŒ1422 AUDIT_IPE_POLICY_LOAD”h]”hŒ1422 AUDIT_IPE_POLICY_LOAD”…””}”(hj¨  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj¥  hžhhŸh³h M¦ubhÐ)”}”(hŒEvent Example::”h]”hŒEvent Example:”…””}”(hj¶  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¨hj¥  hžhubj²  )”}”(hXd  type=1422 audit(1653425529.927:53): policy_name="boot_verified" policy_version=0.0.0 policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1
type=1300 audit(1653425529.927:53): arch=c000003e syscall=1 success=yes exit=2567 a0=3 a1=5596fcae1fb0 a2=a07 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null)
type=1327 audit(1653425529.927:53): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2E”h]”hXd  type=1422 audit(1653425529.927:53): policy_name="boot_verified" policy_version=0.0.0 policy_digest=sha256:820EEA5B40CA42B51F68962354BA083122A20BB846F26765076DD8EED7B8F4DB auid=4294967295 ses=4294967295 lsm=ipe res=1
type=1300 audit(1653425529.927:53): arch=c000003e syscall=1 success=yes exit=2567 a0=3 a1=5596fcae1fb0 a2=a07 a3=2 items=0 ppid=184 pid=229 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="python3" exe="/usr/bin/python3.10" key=(null)
type=1327 audit(1653425529.927:53): PROCTITLE proctitle=707974686F6E3300746573742F6D61696E2E7079002D66002E2E”…””}”hjÄ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h Mªhj¥  hžhubhÐ)”}”(hŒxThis record indicates a new policy has been loaded into the kernel with the policy name, policy version and policy hash.”h]”hŒxThis record indicates a new policy has been loaded into the kernel with the policy name, policy version and policy hash.”…””}”(hjÒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M®hj¥  hžhubhÐ)”}”(hŒkThis record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall.”h]”(hŒ9This record will always be emitted in conjunction with a ”…””}”(hjà  hžhhŸNh Nubj`  )”}”(hŒ``AUDITSYSCALL``”h]”hŒAUDITSYSCALL”…””}”(hjè  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjà  ubhŒ record for the ”…””}”(hjà  hžhhŸNh Nubj`  )”}”(hŒ	``write``”h]”hŒwrite”…””}”(hjú  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjà  ubhŒ	 syscall.”…””}”(hjà  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M°hj¥  hžhubhÐ)”}”(hŒField descriptions:”h]”hŒField descriptions:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M²hj¥  hžhubj*
  )”}”(hhh]”j/
  )”}”(hhh]”(j4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hj#  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hj#  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hj#  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”K3uh1j3
  hj#  ubj^
  )”}”(hhh]”jc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒField”h]”hŒField”…””}”(hjW  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MµhjT  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjQ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ
Value Type”h]”hŒ
Value Type”…””}”(hjn  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mµhjk  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjQ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ	Optional?”h]”hŒ	Optional?”…””}”(hj…  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mµhj‚  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjQ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒDescription of Value”h]”hŒDescription of Value”…””}”(hjœ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mµhj™  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjQ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hjN  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j]
  hj#  ubjÒ
  )”}”(hhh]”(jc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒpolicy_name”h]”hŒpolicy_name”…””}”(hjÅ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M·hjÂ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¿  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjÜ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M·hjÙ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¿  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjó  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M·hjð  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¿  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe policy_name”h]”hŒThe policy_name”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M·hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¿  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¼  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒpolicy_version”h]”hŒpolicy_version”…””}”(hj*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¹hj'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj$  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjA  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¹hj>  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj$  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¹hjU  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj$  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe policy_version”h]”hŒThe policy_version”…””}”(hjo  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¹hjl  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj$  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¼  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒpolicy_digest”h]”hŒpolicy_digest”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M»hjŒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj‰  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hj¦  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M»hj£  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj‰  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj½  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M»hjº  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj‰  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe policy hash”h]”hŒThe policy hash”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M»hjÑ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj‰  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¼  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒauid”h]”hŒauid”…””}”(hjô  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M½hjñ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjî  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M½hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjî  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M½hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjî  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe login user ID”h]”hŒThe login user ID”…””}”(hj9  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M½hj6  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjî  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¼  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒses”h]”hŒses”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¿hjV  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjS  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hjp  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¿hjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjS  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj‡  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¿hj„  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjS  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe login session ID”h]”hŒThe login session ID”…””}”(hjž  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¿hj›  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjS  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¼  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒlsm”h]”hŒlsm”…””}”(hj¾  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÁhj»  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¸  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hjÕ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÁhjÒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¸  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjì  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÁhjé  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¸  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ&The lsm name associated with the event”h]”hŒ&The lsm name associated with the event”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÁhj   ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¸  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¼  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒres”h]”hŒres”…””}”(hj#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÃhj   ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hj:  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÃhj7  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjQ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÃhjN  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ1The result of the audited operation(success/fail)”h]”hŒ1The result of the audited operation(success/fail)”…””}”(hjh  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÃhje  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¼  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÑ
  hj#  ubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1j.
  hj   ubah}”(h]”h ]”h"]”h$]”h&]”uh1j)
  hj¥  hžhhŸh³h Nubeh}”(h]”Œaudit-ipe-policy-load”ah ]”h"]”Œ1422 audit_ipe_policy_load”ah$]”h&]”uh1h´hj‹	  hžhhŸh³h M¦ubhµ)”}”(hhh]”(hº)”}”(hŒ1404 AUDIT_MAC_STATUS”h]”hŒ1404 AUDIT_MAC_STATUS”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj  hžhhŸh³h MÈubhÐ)”}”(hŒEvent Examples::”h]”hŒEvent Examples:”…””}”(hj®  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÊhj  hžhubj²  )”}”(hXò  type=1404 audit(1653425689.008:55): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=)
type=1327 audit(1653425689.008:55): proctitle="-bash"

type=1404 audit(1653425689.008:55): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=)
type=1327 audit(1653425689.008:55): proctitle="-bash"”h]”hXò  type=1404 audit(1653425689.008:55): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=)
type=1327 audit(1653425689.008:55): proctitle="-bash"

type=1404 audit(1653425689.008:55): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=ipe res=1
type=1300 audit(1653425689.008:55): arch=c000003e syscall=1 success=yes exit=2 a0=1 a1=55c1065e5c60 a2=2 a3=0 items=0 ppid=405 pid=441 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=)
type=1327 audit(1653425689.008:55): proctitle="-bash"”…””}”hj¼  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h MÌhj  hžhubhÐ)”}”(hŒkThis record will always be emitted in conjunction with a ``AUDITSYSCALL`` record for the ``write`` syscall.”h]”(hŒ9This record will always be emitted in conjunction with a ”…””}”(hjÊ  hžhhŸNh Nubj`  )”}”(hŒ``AUDITSYSCALL``”h]”hŒAUDITSYSCALL”…””}”(hjÒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÊ  ubhŒ record for the ”…””}”(hjÊ  hžhhŸNh Nubj`  )”}”(hŒ	``write``”h]”hŒwrite”…””}”(hjä  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÊ  ubhŒ	 syscall.”…””}”(hjÊ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÔhj  hžhubhÐ)”}”(hŒField descriptions:”h]”hŒField descriptions:”…””}”(hjü  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÖhj  hžhubj*
  )”}”(hhh]”j/
  )”}”(hhh]”(j4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hj  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hj  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kuh1j3
  hj  ubj4
  )”}”(hhh]”h}”(h]”h ]”h"]”h$]”h&]”Œcolwidth”Kauh1j3
  hj  ubj^
  )”}”(hhh]”jc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒField”h]”hŒField”…””}”(hjA  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÙhj>  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj;  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ
Value Type”h]”hŒ
Value Type”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÙhjU  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj;  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ	Optional?”h]”hŒ	Optional?”…””}”(hjo  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÙhjl  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj;  ubjh
  )”}”(hhh]”hÐ)”}”(hŒDescription of Value”h]”hŒDescription of Value”…””}”(hj†  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÙhjƒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj;  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj8  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j]
  hj  ubjÒ
  )”}”(hhh]”(jc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒ	enforcing”h]”hŒ	enforcing”…””}”(hj¯  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÛhj¬  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj©  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÛhjÃ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj©  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjÝ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÛhjÚ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj©  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ]The enforcing state IPE is being switched to, 1 is in enforcing mode, 0 is in permissive mode”h]”hŒ]The enforcing state IPE is being switched to, 1 is in enforcing mode, 0 is in permissive mode”…””}”(hjô  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÛhjñ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj©  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¦  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒold_enforcing”h]”hŒold_enforcing”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÝhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hj+  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÝhj(  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjB  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÝhj?  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ_The enforcing state IPE is being switched from, 1 is in enforcing mode, 0 is in permissive mode”h]”hŒ_The enforcing state IPE is being switched from, 1 is in enforcing mode, 0 is in permissive mode”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MÝhjV  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¦  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒauid”h]”hŒauid”…””}”(hjy  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mßhjv  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjs  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mßhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjs  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj§  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mßhj¤  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjs  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe login user ID”h]”hŒThe login user ID”…””}”(hj¾  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mßhj»  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjs  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¦  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒses”h]”hŒses”…””}”(hjÞ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MáhjÛ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjØ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hjõ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Máhjò  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjØ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Máhj	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjØ  ubjh
  )”}”(hhh]”hÐ)”}”(hŒThe login session ID”h]”hŒThe login session ID”…””}”(hj#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Máhj   ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjØ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¦  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒenabled”h]”hŒenabled”…””}”(hjC  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mãhj@  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj=  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hjZ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MãhjW  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj=  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjq  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mãhjn  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj=  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ!The new TTY audit enabled setting”h]”hŒ!The new TTY audit enabled setting”…””}”(hjˆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mãhj…  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj=  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¦  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒold-enabled”h]”hŒold-enabled”…””}”(hj¨  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Måhj¥  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¢  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hj¿  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Måhj¼  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¢  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hjÖ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MåhjÓ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¢  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ!The old TTY audit enabled setting”h]”hŒ!The old TTY audit enabled setting”…””}”(hjí  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Måhjê  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj¢  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¦  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒlsm”h]”hŒlsm”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mçhj
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒstring”h]”hŒstring”…””}”(hj$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mçhj!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj;  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mçhj8  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ&The lsm name associated with the event”h]”hŒ&The lsm name associated with the event”…””}”(hjR  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MçhjO  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¦  ubjc
  )”}”(hhh]”(jh
  )”}”(hhh]”hÐ)”}”(hŒres”h]”hŒres”…””}”(hjr  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Méhjo  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjl  ubjh
  )”}”(hhh]”hÐ)”}”(hŒinteger”h]”hŒinteger”…””}”(hj‰  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Méhj†  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjl  ubjh
  )”}”(hhh]”hÐ)”}”(hŒNo”h]”hŒNo”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Méhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjl  ubjh
  )”}”(hhh]”hÐ)”}”(hŒ1The result of the audited operation(success/fail)”h]”hŒ1The result of the audited operation(success/fail)”…””}”(hj·  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Méhj´  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jg
  hjl  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb
  hj¦  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÑ
  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”Œcols”Kuh1j.
  hj
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j)
  hj  hžhhŸh³h Nubeh}”(h]”Œaudit-mac-status”ah ]”h"]”Œ1404 audit_mac_status”ah$]”h&]”uh1h´hj‹	  hžhhŸh³h MÈubhµ)”}”(hhh]”(hº)”}”(hŒSuccess Auditing”h]”hŒSuccess Auditing”…””}”(hjï  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjì  hžhhŸh³h MîubhÐ)”}”(hX!  IPE supports success auditing. When enabled, all events that pass IPE
policy and are not blocked will emit an audit event. This is disabled by
default, and can be enabled via the kernel command line
``ipe.success_audit=(0|1)`` or
``/sys/kernel/security/ipe/success_audit`` securityfs file.”h]”(hŒÇIPE supports success auditing. When enabled, all events that pass IPE
policy and are not blocked will emit an audit event. This is disabled by
default, and can be enabled via the kernel command line
”…””}”(hjý  hžhhŸNh Nubj`  )”}”(hŒ``ipe.success_audit=(0|1)``”h]”hŒipe.success_audit=(0|1)”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjý  ubhŒ or
”…””}”(hjý  hžhhŸNh Nubj`  )”}”(hŒ*``/sys/kernel/security/ipe/success_audit``”h]”hŒ&/sys/kernel/security/ipe/success_audit”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjý  ubhŒ securityfs file.”…””}”(hjý  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mðhjì  hžhubhÐ)”}”(hŒsThis is *very* noisy, as IPE will check every userspace binary on the
system, but is useful for debugging policies.”h]”(hŒThis is ”…””}”(hj/  hžhhŸNh Nubjë  )”}”(hŒ*very*”h]”hŒvery”…””}”(hj7  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jê  hj/  ubhŒe noisy, as IPE will check every userspace binary on the
system, but is useful for debugging policies.”…””}”(hj/  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Möhjì  hžhubhÊ)”}”(hŒŒIf a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera),
all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.”h]”hÐ)”}”(hŒŒIf a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera),
all writes to ipe's securityfs nodes require ``CAP_MAC_ADMIN``.”h]”(hŒ|If a traditional MAC system is enabled (SELinux, apparmor, smack, etcetera),
all writes to ipeâ€™s securityfs nodes require ”…””}”(hjS  hžhhŸNh Nubj`  )”}”(hŒ``CAP_MAC_ADMIN``”h]”hŒCAP_MAC_ADMIN”…””}”(hj[  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjS  ubhŒ.”…””}”(hjS  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MûhjO  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhjì  hžhhŸh³h Nubeh}”(h]”Œsuccess-auditing”ah ]”h"]”Œsuccess auditing”ah$]”h&]”uh1h´hj‹	  hžhhŸh³h Mîubeh}”(h]”Œaudit-events”ah ]”h"]”Œaudit events”ah$]”h&]”uh1h´hj~  hžhhŸh³h MKubeh}”(h]”Œpolicy”ah ]”h"]”Œpolicy”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒ
Properties”h]”hŒ
Properties”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj‘  hžhhŸh³h MÿubhÐ)”}”(hXÜ  As explained above, IPE properties are ``key=value`` pairs expressed in IPE
policy. Two properties are built-into the policy parser: 'op' and 'action'.
The other properties are used to restrict immutable security properties
about the files being evaluated. Currently those properties are:
'``boot_verified``', '``dmverity_signature``', '``dmverity_roothash``',
'``fsverity_signature``', '``fsverity_digest``'. A description of all
properties supported by IPE are listed below:”h]”(hŒ'As explained above, IPE properties are ”…””}”(hj¢  hžhhŸNh Nubj`  )”}”(hŒ``key=value``”h]”hŒ	key=value”…””}”(hjª  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¢  ubhŒø pairs expressed in IPE
policy. Two properties are built-into the policy parser: â€˜opâ€™ and â€˜actionâ€™.
The other properties are used to restrict immutable security properties
about the files being evaluated. Currently those properties are:
â€˜”…””}”(hj¢  hžhhŸNh Nubj`  )”}”(hŒ``boot_verified``”h]”hŒboot_verified”…””}”(hj¼  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¢  ubhŒâ€™, â€˜”…””}”(hj¢  hžhhŸNh Nubj`  )”}”(hŒ``dmverity_signature``”h]”hŒdmverity_signature”…””}”(hjÎ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¢  ubhŒâ€™, â€˜”…””}”(hj¢  hžhhŸNh Nubj`  )”}”(hŒ``dmverity_roothash``”h]”hŒdmverity_roothash”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¢  ubhŒâ€™,
â€˜”…””}”(hj¢  hžhhŸNh Nubj`  )”}”(hŒ``fsverity_signature``”h]”hŒfsverity_signature”…””}”(hjò  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¢  ubhŒâ€™, â€˜”…””}”(hj¢  hžhhŸNh Nubj`  )”}”(hŒ``fsverity_digest``”h]”hŒfsverity_digest”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¢  ubhŒGâ€™. A description of all
properties supported by IPE are listed below:”…””}”(hj¢  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj‘  hžhubhµ)”}”(hhh]”(hº)”}”(hŒop”h]”hŒop”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj  hžhhŸh³h M
ubhÐ)”}”(hŒIndicates the operation for a rule to apply to. Must be in every rule,
as the first token. IPE supports the following operations:”h]”hŒIndicates the operation for a rule to apply to. Must be in every rule,
as the first token. IPE supports the following operations:”…””}”(hj-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj  hžhubhŒblock_quote”“”)”}”(hXE  ``EXECUTE``

   Pertains to any file attempting to be executed, or loaded as an
   executable.

``FIRMWARE``:

   Pertains to firmware being loaded via the firmware_class interface.
   This covers both the preallocated buffer and the firmware file
   itself.

``KMODULE``:

   Pertains to loading kernel modules via ``modprobe`` or ``insmod``.

``KEXEC_IMAGE``:

   Pertains to kernel images loading via ``kexec``.

``KEXEC_INITRAMFS``

   Pertains to initrd images loading via ``kexec --initrd``.

``POLICY``:

   Controls loading policies via reading a kernel-space initiated read.

   An example of such is loading IMA policies by writing the path
   to the policy file to ``$securityfs/ima/policy``

``X509_CERT``:

   Controls loading IMA certificates through the Kconfigs,
   ``CONFIG_IMA_X509_PATH`` and ``CONFIG_EVM_X509_PATH``.
”h]”(hÐ)”}”(hŒ``EXECUTE``”h]”j`  )”}”(hjC  h]”hŒEXECUTE”…””}”(hjE  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjA  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj=  ubj<  )”}”(hŒLPertains to any file attempting to be executed, or loaded as an
executable.
”h]”hÐ)”}”(hŒKPertains to any file attempting to be executed, or loaded as an
executable.”h]”hŒKPertains to any file attempting to be executed, or loaded as an
executable.”…””}”(hj\  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MhjX  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h Mhj=  ubhÐ)”}”(hŒ``FIRMWARE``:”h]”(j`  )”}”(hŒ``FIRMWARE``”h]”hŒFIRMWARE”…””}”(hjt  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjp  ubhŒ:”…””}”(hjp  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj=  ubj<  )”}”(hŒ‹Pertains to firmware being loaded via the firmware_class interface.
This covers both the preallocated buffer and the firmware file
itself.
”h]”hÐ)”}”(hŒŠPertains to firmware being loaded via the firmware_class interface.
This covers both the preallocated buffer and the firmware file
itself.”h]”hŒŠPertains to firmware being loaded via the firmware_class interface.
This covers both the preallocated buffer and the firmware file
itself.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MhjŒ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h Mhj=  ubhÐ)”}”(hŒ``KMODULE``:”h]”(j`  )”}”(hŒ``KMODULE``”h]”hŒKMODULE”…””}”(hj¨  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj¤  ubhŒ:”…””}”(hj¤  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj=  ubj<  )”}”(hŒCPertains to loading kernel modules via ``modprobe`` or ``insmod``.
”h]”hÐ)”}”(hŒBPertains to loading kernel modules via ``modprobe`` or ``insmod``.”h]”(hŒ'Pertains to loading kernel modules via ”…””}”(hjÄ  hžhhŸNh Nubj`  )”}”(hŒ``modprobe``”h]”hŒmodprobe”…””}”(hjÌ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÄ  ubhŒ or ”…””}”(hjÄ  hžhhŸNh Nubj`  )”}”(hŒ
``insmod``”h]”hŒinsmod”…””}”(hjÞ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÄ  ubhŒ.”…””}”(hjÄ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MhjÀ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h Mhj=  ubhÐ)”}”(hŒ``KEXEC_IMAGE``:”h]”(j`  )”}”(hŒ``KEXEC_IMAGE``”h]”hŒKEXEC_IMAGE”…””}”(hj   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjü  ubhŒ:”…””}”(hjü  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj=  ubj<  )”}”(hŒ1Pertains to kernel images loading via ``kexec``.
”h]”hÐ)”}”(hŒ0Pertains to kernel images loading via ``kexec``.”h]”(hŒ&Pertains to kernel images loading via ”…””}”(hj  hžhhŸNh Nubj`  )”}”(hŒ	``kexec``”h]”hŒkexec”…””}”(hj$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj  ubhŒ.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M hj=  ubhÐ)”}”(hŒ``KEXEC_INITRAMFS``”h]”j`  )”}”(hjD  h]”hŒKEXEC_INITRAMFS”…””}”(hjF  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjB  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M"hj=  ubj<  )”}”(hŒ:Pertains to initrd images loading via ``kexec --initrd``.
”h]”hÐ)”}”(hŒ9Pertains to initrd images loading via ``kexec --initrd``.”h]”(hŒ&Pertains to initrd images loading via ”…””}”(hj]  hžhhŸNh Nubj`  )”}”(hŒ``kexec --initrd``”h]”hŒkexec --initrd”…””}”(hje  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj]  ubhŒ.”…””}”(hj]  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M$hjY  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M$hj=  ubhÐ)”}”(hŒ``POLICY``:”h]”(j`  )”}”(hŒ
``POLICY``”h]”hŒPOLICY”…””}”(hj‡  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjƒ  ubhŒ:”…””}”(hjƒ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M&hj=  ubj<  )”}”(hŒ¶Controls loading policies via reading a kernel-space initiated read.

An example of such is loading IMA policies by writing the path
to the policy file to ``$securityfs/ima/policy``
”h]”(hÐ)”}”(hŒDControls loading policies via reading a kernel-space initiated read.”h]”hŒDControls loading policies via reading a kernel-space initiated read.”…””}”(hj£  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M(hjŸ  ubhÐ)”}”(hŒoAn example of such is loading IMA policies by writing the path
to the policy file to ``$securityfs/ima/policy``”h]”(hŒUAn example of such is loading IMA policies by writing the path
to the policy file to ”…””}”(hj±  hžhhŸNh Nubj`  )”}”(hŒ``$securityfs/ima/policy``”h]”hŒ$securityfs/ima/policy”…””}”(hj¹  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj±  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M*hjŸ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M(hj=  ubhÐ)”}”(hŒ``X509_CERT``:”h]”(j`  )”}”(hŒ``X509_CERT``”h]”hŒ	X509_CERT”…””}”(hj×  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÓ  ubhŒ:”…””}”(hjÓ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M-hj=  ubj<  )”}”(hŒoControls loading IMA certificates through the Kconfigs,
``CONFIG_IMA_X509_PATH`` and ``CONFIG_EVM_X509_PATH``.
”h]”hÐ)”}”(hŒnControls loading IMA certificates through the Kconfigs,
``CONFIG_IMA_X509_PATH`` and ``CONFIG_EVM_X509_PATH``.”h]”(hŒ8Controls loading IMA certificates through the Kconfigs,
”…””}”(hjó  hžhhŸNh Nubj`  )”}”(hŒ``CONFIG_IMA_X509_PATH``”h]”hŒCONFIG_IMA_X509_PATH”…””}”(hjû  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjó  ubhŒ and ”…””}”(hjó  hžhhŸNh Nubj`  )”}”(hŒ``CONFIG_EVM_X509_PATH``”h]”hŒCONFIG_EVM_X509_PATH”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjó  ubhŒ.”…””}”(hjó  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M/hjï  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M/hj=  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h Mhj  hžhubeh}”(h]”Œop”ah ]”h"]”Œop”ah$]”h&]”uh1h´hj‘  hžhhŸh³h M
ubhµ)”}”(hhh]”(hº)”}”(hŒaction”h]”hŒaction”…””}”(hj<  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj9  hžhhŸh³h M3ubj<  )”}”(hXj  Determines what IPE should do when a rule matches. Must be in every
rule, as the final clause. Can be one of:

``ALLOW``:

   If the rule matches, explicitly allow access to the resource to proceed
   without executing any more rules.

``DENY``:

   If the rule matches, explicitly prohibit access to the resource to
   proceed without executing any more rules.
”h]”(hÐ)”}”(hŒmDetermines what IPE should do when a rule matches. Must be in every
rule, as the final clause. Can be one of:”h]”hŒmDetermines what IPE should do when a rule matches. Must be in every
rule, as the final clause. Can be one of:”…””}”(hjN  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M5hjJ  ubhÐ)”}”(hŒ
``ALLOW``:”h]”(j`  )”}”(hŒ	``ALLOW``”h]”hŒALLOW”…””}”(hj`  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj\  ubhŒ:”…””}”(hj\  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M8hjJ  ubj<  )”}”(hŒjIf the rule matches, explicitly allow access to the resource to proceed
without executing any more rules.
”h]”hÐ)”}”(hŒiIf the rule matches, explicitly allow access to the resource to proceed
without executing any more rules.”h]”hŒiIf the rule matches, explicitly allow access to the resource to proceed
without executing any more rules.”…””}”(hj|  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M:hjx  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M:hjJ  ubhÐ)”}”(hŒ	``DENY``:”h]”(j`  )”}”(hŒ``DENY``”h]”hŒDENY”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj  ubhŒ:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M=hjJ  ubj<  )”}”(hŒmIf the rule matches, explicitly prohibit access to the resource to
proceed without executing any more rules.
”h]”hÐ)”}”(hŒlIf the rule matches, explicitly prohibit access to the resource to
proceed without executing any more rules.”h]”hŒlIf the rule matches, explicitly prohibit access to the resource to
proceed without executing any more rules.”…””}”(hj°  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M?hj¬  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M?hjJ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M5hj9  hžhubeh}”(h]”Œaction”ah ]”h"]”Œaction”ah$]”h&]”uh1h´hj‘  hžhhŸh³h M3ubhµ)”}”(hhh]”(hº)”}”(hŒboot_verified”h]”hŒboot_verified”…””}”(hjÕ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÒ  hžhhŸh³h MCubj<  )”}”(hX  This property can be utilized for authorization of files from initramfs.
The format of this property is::

      boot_verified=(TRUE|FALSE)


.. WARNING::

   This property will trust files from initramfs(rootfs). It should
   only be used during early booting stage. Before mounting the real
   rootfs on top of the initramfs, initramfs script will recursively
   remove all files and directories on the initramfs. This is typically
   implemented by using switch_root(8) [#switch_root]_. Therefore the
   initramfs will be empty and not accessible after the real
   rootfs takes over. It is advised to switch to a different policy
   that doesn't rely on the property after this point.
   This ensures that the trust policies remain relevant and effective
   throughout the system's operation.
”h]”(hÐ)”}”(hŒiThis property can be utilized for authorization of files from initramfs.
The format of this property is::”h]”hŒhThis property can be utilized for authorization of files from initramfs.
The format of this property is:”…””}”(hjç  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MEhjã  ubj²  )”}”(hŒboot_verified=(TRUE|FALSE)”h]”hŒboot_verified=(TRUE|FALSE)”…””}”hjõ  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h MHhjã  ubhŒwarning”“”)”}”(hXa  This property will trust files from initramfs(rootfs). It should
only be used during early booting stage. Before mounting the real
rootfs on top of the initramfs, initramfs script will recursively
remove all files and directories on the initramfs. This is typically
implemented by using switch_root(8) [#switch_root]_. Therefore the
initramfs will be empty and not accessible after the real
rootfs takes over. It is advised to switch to a different policy
that doesn't rely on the property after this point.
This ensures that the trust policies remain relevant and effective
throughout the system's operation.”h]”hÐ)”}”(hXa  This property will trust files from initramfs(rootfs). It should
only be used during early booting stage. Before mounting the real
rootfs on top of the initramfs, initramfs script will recursively
remove all files and directories on the initramfs. This is typically
implemented by using switch_root(8) [#switch_root]_. Therefore the
initramfs will be empty and not accessible after the real
rootfs takes over. It is advised to switch to a different policy
that doesn't rely on the property after this point.
This ensures that the trust policies remain relevant and effective
throughout the system's operation.”h]”(hX.  This property will trust files from initramfs(rootfs). It should
only be used during early booting stage. Before mounting the real
rootfs on top of the initramfs, initramfs script will recursively
remove all files and directories on the initramfs. This is typically
implemented by using switch_root(8) ”…””}”(hj	   hžhhŸNh NubjÚ  )”}”(hŒ[#switch_root]_”h]”hŒ4”…””}”(hj   hžhhŸNh Nubah}”(h]”Œid4”ah ]”h"]”h$]”h&]”jê  Kjë  Œswitch-root”jí  höuh1jÙ  hj	   jî  KubhX(  . Therefore the
initramfs will be empty and not accessible after the real
rootfs takes over. It is advised to switch to a different policy
that doesnâ€™t rely on the property after this point.
This ensures that the trust policies remain relevant and effective
throughout the systemâ€™s operation.”…””}”(hj	   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MMhj   ubah}”(h]”h ]”h"]”h$]”h&]”uh1j   hjã  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h MEhjÒ  hžhubeh}”(h]”Œboot-verified”ah ]”h"]”Œboot_verified”ah$]”h&]”uh1h´hj‘  hžhhŸh³h MCubhµ)”}”(hhh]”(hº)”}”(hŒdmverity_roothash”h]”hŒdmverity_roothash”…””}”(hjB   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj?   hžhhŸh³h MYubj<  )”}”(hX  This property can be utilized for authorization or revocation of
specific dm-verity volumes, identified via their root hashes. It has a
dependency on the DM_VERITY module. This property is controlled by
the ``IPE_PROP_DM_VERITY`` config option, it will be automatically
selected when ``SECURITY_IPE`` and ``DM_VERITY`` are all enabled.
The format of this property is::

   dmverity_roothash=DigestName:HexadecimalString

The supported DigestNames for dmverity_roothash are [#dmveritydigests]_

   + blake2b-512
   + blake2s-256
   + sha256
   + sha384
   + sha512
   + sha3-224
   + sha3-256
   + sha3-384
   + sha3-512
   + sm3
   + rmd160
”h]”(hÐ)”}”(hXp  This property can be utilized for authorization or revocation of
specific dm-verity volumes, identified via their root hashes. It has a
dependency on the DM_VERITY module. This property is controlled by
the ``IPE_PROP_DM_VERITY`` config option, it will be automatically
selected when ``SECURITY_IPE`` and ``DM_VERITY`` are all enabled.
The format of this property is::”h]”(hŒÏThis property can be utilized for authorization or revocation of
specific dm-verity volumes, identified via their root hashes. It has a
dependency on the DM_VERITY module. This property is controlled by
the ”…””}”(hjT   hžhhŸNh Nubj`  )”}”(hŒ``IPE_PROP_DM_VERITY``”h]”hŒIPE_PROP_DM_VERITY”…””}”(hj\   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjT   ubhŒ7 config option, it will be automatically
selected when ”…””}”(hjT   hžhhŸNh Nubj`  )”}”(hŒ``SECURITY_IPE``”h]”hŒSECURITY_IPE”…””}”(hjn   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjT   ubhŒ and ”…””}”(hjT   hžhhŸNh Nubj`  )”}”(hŒ``DM_VERITY``”h]”hŒ	DM_VERITY”…””}”(hj€   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjT   ubhŒ1 are all enabled.
The format of this property is:”…””}”(hjT   hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M[hjP   ubj²  )”}”(hŒ.dmverity_roothash=DigestName:HexadecimalString”h]”hŒ.dmverity_roothash=DigestName:HexadecimalString”…””}”hj˜   sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h MbhjP   ubhÐ)”}”(hŒGThe supported DigestNames for dmverity_roothash are [#dmveritydigests]_”h]”(hŒ4The supported DigestNames for dmverity_roothash are ”…””}”(hj¦   hžhhŸNh NubjÚ  )”}”(hŒ[#dmveritydigests]_”h]”hŒ5”…””}”(hj®   hžhhŸNh Nubah}”(h]”Œid5”ah ]”h"]”h$]”h&]”jê  Kjë  Œdmveritydigests”jí  höuh1jÙ  hj¦   jî  Kubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MdhjP   ubj<  )”}”(hŒr+ blake2b-512
+ blake2s-256
+ sha256
+ sha384
+ sha512
+ sha3-224
+ sha3-256
+ sha3-384
+ sha3-512
+ sm3
+ rmd160
”h]”j¸  )”}”(hhh]”(j½  )”}”(hŒblake2b-512”h]”hÐ)”}”(hjÍ   h]”hŒblake2b-512”…””}”(hjÏ   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MfhjË   ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒblake2s-256”h]”hÐ)”}”(hjä   h]”hŒblake2s-256”…””}”(hjæ   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mghjâ   ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒsha256”h]”hÐ)”}”(hjû   h]”hŒsha256”…””}”(hjý   hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhhjù   ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒsha384”h]”hÐ)”}”(hj!  h]”hŒsha384”…””}”(hj!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mihj!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒsha512”h]”hÐ)”}”(hj)!  h]”hŒsha512”…””}”(hj+!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mjhj'!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒsha3-224”h]”hÐ)”}”(hj@!  h]”hŒsha3-224”…””}”(hjB!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mkhj>!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒsha3-256”h]”hÐ)”}”(hjW!  h]”hŒsha3-256”…””}”(hjY!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MlhjU!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒsha3-384”h]”hÐ)”}”(hjn!  h]”hŒsha3-384”…””}”(hjp!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mmhjl!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒsha3-512”h]”hÐ)”}”(hj…!  h]”hŒsha3-512”…””}”(hj‡!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mnhjƒ!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒsm3”h]”hÐ)”}”(hjœ!  h]”hŒsm3”…””}”(hjž!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mohjš!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubj½  )”}”(hŒrmd160
”h]”hÐ)”}”(hŒrmd160”h]”hŒrmd160”…””}”(hjµ!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mphj±!  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hjÈ   ubeh}”(h]”h ]”h"]”h$]”h&]”jf  Œ+”uh1j·  hŸh³h MfhjÄ   ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h MfhjP   ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M[hj?   hžhubeh}”(h]”Œdmverity-roothash”ah ]”h"]”Œdmverity_roothash”ah$]”h&]”uh1h´hj‘  hžhhŸh³h MYubhµ)”}”(hhh]”(hº)”}”(hŒdmverity_signature”h]”hŒdmverity_signature”…””}”(hjç!  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjä!  hžhhŸh³h Msubj<  )”}”(hX0  This property can be utilized for authorization of all dm-verity
volumes that have a signed roothash that validated by a keyring
specified by dm-verity's configuration, either the system trusted
keyring, or the secondary keyring. It depends on
``DM_VERITY_VERIFY_ROOTHASH_SIG`` config option and is controlled by
the ``IPE_PROP_DM_VERITY_SIGNATURE`` config option, it will be automatically
selected when ``SECURITY_IPE``, ``DM_VERITY`` and
``DM_VERITY_VERIFY_ROOTHASH_SIG`` are all enabled.
The format of this property is::

   dmverity_signature=(TRUE|FALSE)
”h]”(hÐ)”}”(hX  This property can be utilized for authorization of all dm-verity
volumes that have a signed roothash that validated by a keyring
specified by dm-verity's configuration, either the system trusted
keyring, or the secondary keyring. It depends on
``DM_VERITY_VERIFY_ROOTHASH_SIG`` config option and is controlled by
the ``IPE_PROP_DM_VERITY_SIGNATURE`` config option, it will be automatically
selected when ``SECURITY_IPE``, ``DM_VERITY`` and
``DM_VERITY_VERIFY_ROOTHASH_SIG`` are all enabled.
The format of this property is::”h]”(hŒöThis property can be utilized for authorization of all dm-verity
volumes that have a signed roothash that validated by a keyring
specified by dm-verityâ€™s configuration, either the system trusted
keyring, or the secondary keyring. It depends on
”…””}”(hjù!  hžhhŸNh Nubj`  )”}”(hŒ!``DM_VERITY_VERIFY_ROOTHASH_SIG``”h]”hŒDM_VERITY_VERIFY_ROOTHASH_SIG”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjù!  ubhŒ( config option and is controlled by
the ”…””}”(hjù!  hžhhŸNh Nubj`  )”}”(hŒ ``IPE_PROP_DM_VERITY_SIGNATURE``”h]”hŒIPE_PROP_DM_VERITY_SIGNATURE”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjù!  ubhŒ7 config option, it will be automatically
selected when ”…””}”(hjù!  hžhhŸNh Nubj`  )”}”(hŒ``SECURITY_IPE``”h]”hŒSECURITY_IPE”…””}”(hj%"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjù!  ubhŒ, ”…””}”(hjù!  hžhhŸNh Nubj`  )”}”(hŒ``DM_VERITY``”h]”hŒ	DM_VERITY”…””}”(hj7"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjù!  ubhŒ and
”…””}”(hjù!  hžhhŸNh Nubj`  )”}”(hŒ!``DM_VERITY_VERIFY_ROOTHASH_SIG``”h]”hŒDM_VERITY_VERIFY_ROOTHASH_SIG”…””}”(hjI"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjù!  ubhŒ1 are all enabled.
The format of this property is:”…””}”(hjù!  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Muhjõ!  ubj²  )”}”(hŒdmverity_signature=(TRUE|FALSE)”h]”hŒdmverity_signature=(TRUE|FALSE)”…””}”hja"  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h Mhjõ!  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h Muhjä!  hžhubeh}”(h]”Œdmverity-signature”ah ]”h"]”Œdmverity_signature”ah$]”h&]”uh1h´hj‘  hžhhŸh³h Msubhµ)”}”(hhh]”(hº)”}”(hŒfsverity_digest”h]”hŒfsverity_digest”…””}”(hj€"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj}"  hžhhŸh³h M‚ubj<  )”}”(hXð  This property can be utilized for authorization of specific fsverity
enabled files, identified via their fsverity digests.
It depends on ``FS_VERITY`` config option and is controlled by
the ``IPE_PROP_FS_VERITY`` config option, it will be automatically
selected when ``SECURITY_IPE`` and ``FS_VERITY`` are all enabled.
The format of this property is::

   fsverity_digest=DigestName:HexadecimalString

The supported DigestNames for fsverity_digest are [#fsveritydigest]_

   + sha256
   + sha512
”h]”(hÐ)”}”(hX_  This property can be utilized for authorization of specific fsverity
enabled files, identified via their fsverity digests.
It depends on ``FS_VERITY`` config option and is controlled by
the ``IPE_PROP_FS_VERITY`` config option, it will be automatically
selected when ``SECURITY_IPE`` and ``FS_VERITY`` are all enabled.
The format of this property is::”h]”(hŒ‰This property can be utilized for authorization of specific fsverity
enabled files, identified via their fsverity digests.
It depends on ”…””}”(hj’"  hžhhŸNh Nubj`  )”}”(hŒ``FS_VERITY``”h]”hŒ	FS_VERITY”…””}”(hjš"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj’"  ubhŒ( config option and is controlled by
the ”…””}”(hj’"  hžhhŸNh Nubj`  )”}”(hŒ``IPE_PROP_FS_VERITY``”h]”hŒIPE_PROP_FS_VERITY”…””}”(hj¬"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj’"  ubhŒ7 config option, it will be automatically
selected when ”…””}”(hj’"  hžhhŸNh Nubj`  )”}”(hŒ``SECURITY_IPE``”h]”hŒSECURITY_IPE”…””}”(hj¾"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj’"  ubhŒ and ”…””}”(hj’"  hžhhŸNh Nubj`  )”}”(hŒ``FS_VERITY``”h]”hŒ	FS_VERITY”…””}”(hjÐ"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj’"  ubhŒ1 are all enabled.
The format of this property is:”…””}”(hj’"  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M„hjŽ"  ubj²  )”}”(hŒ,fsverity_digest=DigestName:HexadecimalString”h]”hŒ,fsverity_digest=DigestName:HexadecimalString”…””}”hjè"  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h M‹hjŽ"  ubhÐ)”}”(hŒDThe supported DigestNames for fsverity_digest are [#fsveritydigest]_”h]”(hŒ2The supported DigestNames for fsverity_digest are ”…””}”(hjö"  hžhhŸNh NubjÚ  )”}”(hŒ[#fsveritydigest]_”h]”hŒ6”…””}”(hjþ"  hžhhŸNh Nubah}”(h]”Œid6”ah ]”h"]”h$]”h&]”jê  Kjë  Œfsveritydigest”jí  höuh1jÙ  hjö"  jî  Kubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MhjŽ"  ubj<  )”}”(hŒ+ sha256
+ sha512
”h]”j¸  )”}”(hhh]”(j½  )”}”(hŒsha256”h]”hÐ)”}”(hj#  h]”hŒsha256”…””}”(hj#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj#  ubj½  )”}”(hŒsha512
”h]”hÐ)”}”(hŒsha512”h]”hŒsha512”…””}”(hj6#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj2#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj#  ubeh}”(h]”h ]”h"]”h$]”h&]”jf  jÏ!  uh1j·  hŸh³h Mhj#  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h MhjŽ"  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M„hj}"  hžhubeh}”(h]”Œfsverity-digest”ah ]”h"]”Œfsverity_digest”ah$]”h&]”uh1h´hj‘  hžhhŸh³h M‚ubhµ)”}”(hhh]”(hº)”}”(hŒfsverity_signature”h]”hŒfsverity_signature”…””}”(hjg#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjd#  hžhhŸh³h M“ubj<  )”}”(hX  This property is used to authorize all fs-verity enabled files that have
been verified by fs-verity's built-in signature mechanism. The signature
verification relies on a key stored within the ".fs-verity" keyring. It
depends on ``FS_VERITY_BUILTIN_SIGNATURES`` config option and
it is controlled by the ``IPE_PROP_FS_VERITY`` config option,
it will be automatically selected when ``SECURITY_IPE``, ``FS_VERITY``
and ``FS_VERITY_BUILTIN_SIGNATURES`` are all enabled.
The format of this property is::

   fsverity_signature=(TRUE|FALSE)
”h]”(hÐ)”}”(hXó  This property is used to authorize all fs-verity enabled files that have
been verified by fs-verity's built-in signature mechanism. The signature
verification relies on a key stored within the ".fs-verity" keyring. It
depends on ``FS_VERITY_BUILTIN_SIGNATURES`` config option and
it is controlled by the ``IPE_PROP_FS_VERITY`` config option,
it will be automatically selected when ``SECURITY_IPE``, ``FS_VERITY``
and ``FS_VERITY_BUILTIN_SIGNATURES`` are all enabled.
The format of this property is::”h]”(hŒëThis property is used to authorize all fs-verity enabled files that have
been verified by fs-verityâ€™s built-in signature mechanism. The signature
verification relies on a key stored within the â€œ.fs-verityâ€ keyring. It
depends on ”…””}”(hjy#  hžhhŸNh Nubj`  )”}”(hŒ ``FS_VERITY_BUILTIN_SIGNATURES``”h]”hŒFS_VERITY_BUILTIN_SIGNATURES”…””}”(hj#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjy#  ubhŒ+ config option and
it is controlled by the ”…””}”(hjy#  hžhhŸNh Nubj`  )”}”(hŒ``IPE_PROP_FS_VERITY``”h]”hŒIPE_PROP_FS_VERITY”…””}”(hj“#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjy#  ubhŒ7 config option,
it will be automatically selected when ”…””}”(hjy#  hžhhŸNh Nubj`  )”}”(hŒ``SECURITY_IPE``”h]”hŒSECURITY_IPE”…””}”(hj¥#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjy#  ubhŒ, ”…””}”(hjy#  hžhhŸNh Nubj`  )”}”(hŒ``FS_VERITY``”h]”hŒ	FS_VERITY”…””}”(hj·#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjy#  ubhŒ
and ”…””}”(hjy#  hžhhŸNh Nubj`  )”}”(hŒ ``FS_VERITY_BUILTIN_SIGNATURES``”h]”hŒFS_VERITY_BUILTIN_SIGNATURES”…””}”(hjÉ#  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjy#  ubhŒ1 are all enabled.
The format of this property is:”…””}”(hjy#  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M•hju#  ubj²  )”}”(hŒfsverity_signature=(TRUE|FALSE)”h]”hŒfsverity_signature=(TRUE|FALSE)”…””}”hjá#  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h Mžhju#  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h M•hjd#  hžhubeh}”(h]”Œfsverity-signature”ah ]”h"]”Œfsverity_signature”ah$]”h&]”uh1h´hj‘  hžhhŸh³h M“ubeh}”(h]”Œ
properties”ah ]”h"]”Œ
properties”ah$]”h&]”uh1h´hh¶hžhhŸh³h Mÿubhµ)”}”(hhh]”(hº)”}”(hŒPolicy Examples”h]”hŒPolicy Examples”…””}”(hj$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj$  hžhhŸh³h M¡ubhµ)”}”(hhh]”(hº)”}”(hŒ	Allow all”h]”hŒ	Allow all”…””}”(hj$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj$  hžhhŸh³h M¤ubj²  )”}”(hŒ?policy_name=Allow_All policy_version=0.0.0
DEFAULT action=ALLOW”h]”hŒ?policy_name=Allow_All policy_version=0.0.0
DEFAULT action=ALLOW”…””}”hj'$  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h M¨hj$  hžhubeh}”(h]”Œ	allow-all”ah ]”h"]”Œ	allow all”ah$]”h&]”uh1h´hj$  hžhhŸh³h M¤ubhµ)”}”(hhh]”(hº)”}”(hŒAllow only initramfs”h]”hŒAllow only initramfs”…””}”(hj@$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj=$  hžhhŸh³h M¬ubj²  )”}”(hŒppolicy_name=Allow_Initramfs policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE boot_verified=TRUE action=ALLOW”h]”hŒppolicy_name=Allow_Initramfs policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE boot_verified=TRUE action=ALLOW”…””}”hjN$  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h M°hj=$  hžhubeh}”(h]”Œallow-only-initramfs”ah ]”h"]”Œallow only initramfs”ah$]”h&]”uh1h´hj$  hžhhŸh³h M¬ubhµ)”}”(hhh]”(hº)”}”(hŒAAllow any signed and validated dm-verity volume and the initramfs”h]”hŒAAllow any signed and validated dm-verity volume and the initramfs”…””}”(hjg$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjd$  hžhhŸh³h M¶ubj²  )”}”(hŒ¯policy_name=Allow_Signed_DMV_And_Initramfs policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW”h]”hŒ¯policy_name=Allow_Signed_DMV_And_Initramfs policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW”…””}”hju$  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h Mºhjd$  hžhubeh}”(h]”ŒAallow-any-signed-and-validated-dm-verity-volume-and-the-initramfs”ah ]”h"]”ŒAallow any signed and validated dm-verity volume and the initramfs”ah$]”h&]”uh1h´hj$  hžhhŸh³h M¶ubhµ)”}”(hhh]”(hº)”}”(hŒ3Prohibit execution from a specific dm-verity volume”h]”hŒ3Prohibit execution from a specific dm-verity volume”…””}”(hjŽ$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj‹$  hžhhŸh³h MÁubj²  )”}”(hX  policy_name=Deny_DMV_By_Roothash policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE dmverity_roothash=sha256:cd2c5bae7c6c579edaae4353049d58eb5f2e8be0244bf05345bc8e5ed257baff action=DENY

op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW”h]”hX  policy_name=Deny_DMV_By_Roothash policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE dmverity_roothash=sha256:cd2c5bae7c6c579edaae4353049d58eb5f2e8be0244bf05345bc8e5ed257baff action=DENY

op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=TRUE action=ALLOW”…””•{?      }”hjœ$  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h MÅhj‹$  hžhubeh}”(h]”Œ3prohibit-execution-from-a-specific-dm-verity-volume”ah ]”h"]”Œ3prohibit execution from a specific dm-verity volume”ah$]”h&]”uh1h´hj$  hžhhŸh³h MÁubhµ)”}”(hhh]”(hº)”}”(hŒ&Allow only a specific dm-verity volume”h]”hŒ&Allow only a specific dm-verity volume”…””}”(hjµ$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj²$  hžhhŸh³h MÎubj²  )”}”(hŒµpolicy_name=Allow_DMV_By_Roothash policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE dmverity_roothash=sha256:401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW”h]”hŒµpolicy_name=Allow_DMV_By_Roothash policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE dmverity_roothash=sha256:401fcec5944823ae12f62726e8184407a5fa9599783f030dec146938 action=ALLOW”…””}”hjÃ$  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h MÒhj²$  hžhubeh}”(h]”Œ&allow-only-a-specific-dm-verity-volume”ah ]”h"]”Œ&allow only a specific dm-verity volume”ah$]”h&]”uh1h´hj$  hžhhŸh³h MÎubhµ)”}”(hhh]”(hº)”}”(hŒ8Allow any fs-verity file with a valid built-in signature”h]”hŒ8Allow any fs-verity file with a valid built-in signature”…””}”(hjÜ$  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÙ$  hžhhŸh³h MØubj²  )”}”(hŒ‰policy_name=Allow_Signed_And_Validated_FSVerity policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE fsverity_signature=TRUE action=ALLOW”h]”hŒ‰policy_name=Allow_Signed_And_Validated_FSVerity policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE fsverity_signature=TRUE action=ALLOW”…””}”hjê$  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h MÜhjÙ$  hžhubeh}”(h]”Œ8allow-any-fs-verity-file-with-a-valid-built-in-signature”ah ]”h"]”Œ8allow any fs-verity file with a valid built-in signature”ah$]”h&]”uh1h´hj$  hžhhŸh³h MØubhµ)”}”(hhh]”(hº)”}”(hŒ,Allow execution of a specific fs-verity file”h]”hŒ,Allow execution of a specific fs-verity file”…””}”(hj%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj %  hžhhŸh³h Mâubj²  )”}”(hŒ¹policy_name=ALLOW_FSV_By_Digest policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE fsverity_digest=sha256:fd88f2b8824e197f850bf4c5109bea5cf0ee38104f710843bb72da796ba5af9e action=ALLOW”h]”hŒ¹policy_name=ALLOW_FSV_By_Digest policy_version=0.0.0
DEFAULT action=DENY

op=EXECUTE fsverity_digest=sha256:fd88f2b8824e197f850bf4c5109bea5cf0ee38104f710843bb72da796ba5af9e action=ALLOW”…””}”hj%  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j±  hŸh³h Mæhj %  hžhubeh}”(h]”Œ,allow-execution-of-a-specific-fs-verity-file”ah ]”h"]”Œ,allow execution of a specific fs-verity file”ah$]”h&]”uh1h´hj$  hžhhŸh³h Mâubeh}”(h]”Œpolicy-examples”ah ]”h"]”Œpolicy examples”ah$]”h&]”uh1h´hh¶hžhhŸh³h M¡ubhµ)”}”(hhh]”(hº)”}”(hŒAdditional Information”h]”hŒAdditional Information”…””}”(hj2%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj/%  hžhhŸh³h Mìubj¸  )”}”(hhh]”(j½  )”}”(hŒ7`Github Repository <https://github.com/microsoft/ipe>`_”h]”hÐ)”}”(hjE%  h]”(hŒ	reference”“”)”}”(hjE%  h]”hŒGithub Repository”…””}”(hjL%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒGithub Repository”Œrefuri”Œ https://github.com/microsoft/ipe”uh1jJ%  hjG%  ubhŒtarget”“”)”}”(hŒ# <https://github.com/microsoft/ipe>”h]”h}”(h]”Œgithub-repository”ah ]”h"]”Œgithub repository”ah$]”h&]”Œrefuri”j\%  uh1j]%  Œ
referenced”KhjG%  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MîhjC%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj@%  hžhhŸh³h Nubj½  )”}”(hŒ9:doc:`Developer and design docs for IPE </security/ipe>`
”h]”hÐ)”}”(hŒ8:doc:`Developer and design docs for IPE </security/ipe>`”h]”h)”}”(hj%  h]”hÞ)”}”(hj%  h]”hŒ!Developer and design docs for IPE”…””}”(hj„%  hžhhŸNh Nubah}”(h]”h ]”(héŒstd”Œstd-doc”eh"]”h$]”h&]”uh1hÝhj%  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”höŒ	refdomain”jŽ%  Œreftype”Œdoc”Œrefexplicit”ˆŒrefwarn”ˆhüŒ/security/ipe”uh1hhŸh³h Mïhj}%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mïhjy%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¼  hj@%  hžhhŸh³h Nubeh}”(h]”h ]”h"]”h$]”h&]”jf  jg  uh1j·  hŸh³h Mîhj/%  hžhubeh}”(h]”Œadditional-information”ah ]”h"]”Œadditional information”ah$]”h&]”uh1h´hh¶hžhhŸh³h Mìubhµ)”}”(hhh]”(hº)”}”(hŒFAQ”h]”hŒFAQ”…””}”(hj½%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjº%  hžhhŸh³h MòubhŒdefinition_list”“”)”}”(hhh]”hŒdefinition_list_item”“”)”}”(hŒcQ:
What's the difference between other LSMs which provide a measure of
trust-based access control?
”h]”(hŒterm”“”)”}”(hŒQ:”h]”hŒQ:”…””}”(hjØ%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jÖ%  hŸh³h MöhjÒ%  ubhŒ
definition”“”)”}”(hhh]”hÐ)”}”(hŒ_What's the difference between other LSMs which provide a measure of
trust-based access control?”h]”hŒaWhatâ€™s the difference between other LSMs which provide a measure of
trust-based access control?”…””}”(hjë%  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mõhjè%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jæ%  hjÒ%  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jÐ%  hŸh³h MöhjÍ%  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jË%  hjº%  hžhhŸh³h NubhÐ)”}”(hŒA:”h]”hŒA:”…””}”(hj&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Møhjº%  hžhubj<  )”}”(hX$  In general, there's two other LSMs that can provide similar functionality:
IMA, and Loadpin.

IMA and IPE are functionally very similar. The significant difference between
the two is the policy. [#devdoc]_

Loadpin and IPE differ fairly dramatically, as Loadpin only covers the IPE's
kernel read operations, whereas IPE is capable of controlling execution
on top of kernel read. The trust model is also different; Loadpin roots its
trust in the initial super-block, whereas trust in IPE is stemmed from kernel
itself (via ``SYSTEM_TRUSTED_KEYS``).
”h]”(hÐ)”}”(hŒ\In general, there's two other LSMs that can provide similar functionality:
IMA, and Loadpin.”h]”hŒ^In general, thereâ€™s two other LSMs that can provide similar functionality:
IMA, and Loadpin.”…””}”(hj&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Múhj&  ubhÐ)”}”(hŒoIMA and IPE are functionally very similar. The significant difference between
the two is the policy. [#devdoc]_”h]”(hŒeIMA and IPE are functionally very similar. The significant difference between
the two is the policy. ”…””}”(hj+&  hžhhŸNh NubjÚ  )”}”(hŒ
[#devdoc]_”h]”hŒ3”…””}”(hj3&  hžhhŸNh Nubah}”(h]”Œid7”ah ]”h"]”h$]”h&]”jê  Kjë  j¦  jí  höuh1jÙ  hj+&  jî  Kubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mýhj&  ubhÐ)”}”(hXT  Loadpin and IPE differ fairly dramatically, as Loadpin only covers the IPE's
kernel read operations, whereas IPE is capable of controlling execution
on top of kernel read. The trust model is also different; Loadpin roots its
trust in the initial super-block, whereas trust in IPE is stemmed from kernel
itself (via ``SYSTEM_TRUSTED_KEYS``).”h]”(hX=  Loadpin and IPE differ fairly dramatically, as Loadpin only covers the IPEâ€™s
kernel read operations, whereas IPE is capable of controlling execution
on top of kernel read. The trust model is also different; Loadpin roots its
trust in the initial super-block, whereas trust in IPE is stemmed from kernel
itself (via ”…””}”(hjH&  hžhhŸNh Nubj`  )”}”(hŒ``SYSTEM_TRUSTED_KEYS``”h]”hŒSYSTEM_TRUSTED_KEYS”…””}”(hjP&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjH&  ubhŒ).”…””}”(hjH&  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M hj&  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j;  hŸh³h Múhjº%  hžhubhŒ
transition”“”)”}”(hŒ-----------”h]”h}”(h]”h ]”h"]”h$]”h&]”uh1jn&  hŸh³h Mhjº%  hžhubhŒfootnote”“”)”}”(hŒUhttps://lore.kernel.org/lkml/20240415142436.2545003-1-roberto.sassu@huaweicloud.com/
”h]”(hŒlabel”“”)”}”(hhh]”hŒ1”…””}”(hj‚&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j€&  hj|&  hžhhŸNh NubhÐ)”}”(hŒThttps://lore.kernel.org/lkml/20240415142436.2545003-1-roberto.sassu@huaweicloud.com/”h]”jK%  )”}”(hj‘&  h]”hŒThttps://lore.kernel.org/lkml/20240415142436.2545003-1-roberto.sassu@huaweicloud.com/”…””}”(hj“&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”j‘&  uh1jJ%  hj&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj|&  ubeh}”(h]”jì  ah ]”h"]”Œdigest_cache_lsm”ah$]”h&]”jå  ajê  Kjí  höuh1jz&  hŸh³h Mhjº%  hžhubj{&  )”}”(hŒyThere is `some interest in solving this issue <https://lore.kernel.org/lkml/20220321161557.495388-1-mic@digikod.net/>`_.
”h]”(j&  )”}”(hhh]”hŒ2”…””}”(hj²&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j€&  hj®&  hžhhŸNh NubhÐ)”}”(hŒxThere is `some interest in solving this issue <https://lore.kernel.org/lkml/20220321161557.495388-1-mic@digikod.net/>`_.”h]”(hŒ	There is ”…””}”(hj¿&  hžhhŸNh NubjK%  )”}”(hŒn`some interest in solving this issue <https://lore.kernel.org/lkml/20220321161557.495388-1-mic@digikod.net/>`_”h]”hŒ#some interest in solving this issue”…””}”(hjÇ&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ#some interest in solving this issue”j[%  ŒEhttps://lore.kernel.org/lkml/20220321161557.495388-1-mic@digikod.net/”uh1jJ%  hj¿&  ubj^%  )”}”(hŒH <https://lore.kernel.org/lkml/20220321161557.495388-1-mic@digikod.net/>”h]”h}”(h]”Œ#some-interest-in-solving-this-issue”ah ]”h"]”Œ#some interest in solving this issue”ah$]”h&]”Œrefuri”j×&  uh1j]%  jl%  Khj¿&  ubhŒ.”…””}”(hj¿&  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M
hj®&  ubeh}”(h]”j7  ah ]”h"]”Œinterpreters”ah$]”h&]”j2  ajê  Kjí  höuh1jz&  hŸh³h M
hjº%  hžhubj{&  )”}”(hŒJPlease see :doc:`the design docs </security/ipe>` for more on
this topic.
”h]”(j&  )”}”(hhh]”hŒ3”…””}”(hjú&  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j€&  hjö&  hžhhŸNh NubhÐ)”}”(hŒIPlease see :doc:`the design docs </security/ipe>` for more on
this topic.”h]”(hŒPlease see ”…””}”(hj'  hžhhŸNh Nubh)”}”(hŒ&:doc:`the design docs </security/ipe>`”h]”hÞ)”}”(hj'  h]”hŒthe design docs”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”(héŒstd”Œstd-doc”eh"]”h$]”h&]”uh1hÝhj'  ubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”höŒ	refdomain”j'  Œreftype”Œdoc”Œrefexplicit”ˆŒrefwarn”ˆhüŒ/security/ipe”uh1hhŸh³h Mhj'  ubhŒ for more on
this topic.”…””}”(hj'  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhjö&  ubeh}”(h]”j¦  ah ]”h"]”Œdevdoc”ah$]”h&]”(j¡  j=&  ejê  Kjí  höuh1jz&  hŸh³h Mhjº%  hžhubj{&  )”}”(hŒ9https://man7.org/linux/man-pages/man8/switch_root.8.html
”h]”(j&  )”}”(hhh]”hŒ4”…””}”(hjD'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j€&  hj@'  hžhhŸNh NubhÐ)”}”(hŒ8https://man7.org/linux/man-pages/man8/switch_root.8.html”h]”jK%  )”}”(hjS'  h]”hŒ8https://man7.org/linux/man-pages/man8/switch_root.8.html”…””}”(hjU'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”jS'  uh1jJ%  hjQ'  ubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj@'  ubeh}”(h]”j    ah ]”h"]”Œswitch_root”ah$]”h&]”j   ajê  Kjí  höuh1jz&  hŸh³h Mhjº%  hžhubj{&  )”}”(hŒµThese hash algorithms are based on values accepted by
the Linux crypto API; IPE does not impose any
restrictions on the digest algorithm itself;
thus, this list may be out of date.
”h]”(j&  )”}”(hhh]”hŒ5”…””}”(hjt'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j€&  hjp'  hžhhŸNh NubhÐ)”}”(hŒ´These hash algorithms are based on values accepted by
the Linux crypto API; IPE does not impose any
restrictions on the digest algorithm itself;
thus, this list may be out of date.”h]”hŒ´These hash algorithms are based on values accepted by
the Linux crypto API; IPE does not impose any
restrictions on the digest algorithm itself;
thus, this list may be out of date.”…””}”(hj'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhjp'  ubeh}”(h]”j½   ah ]”h"]”Œdmveritydigests”ah$]”h&]”j¸   ajê  Kjí  höuh1jz&  hŸh³h Mhjº%  hžhubj{&  )”}”(hŒ½These hash algorithms are based on values accepted by the
kernel's fsverity support; IPE does not impose any
restrictions on the digest algorithm itself;
thus, this list may be out of date.”h]”(j&  )”}”(hhh]”hŒ6”…””}”(hjš'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j€&  hj–'  hžhhŸNh NubhÐ)”}”(hŒ½These hash algorithms are based on values accepted by the
kernel's fsverity support; IPE does not impose any
restrictions on the digest algorithm itself;
thus, this list may be out of date.”h]”hŒ¿These hash algorithms are based on values accepted by the
kernelâ€™s fsverity support; IPE does not impose any
restrictions on the digest algorithm itself;
thus, this list may be out of date.”…””}”(hj§'  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj–'  ubeh}”(h]”j#  ah ]”h"]”Œfsveritydigest”ah$]”h&]”j#  ajê  Kjí  höuh1jz&  hŸh³h Mhjº%  hžhubeh}”(h]”Œfaq”ah ]”h"]”Œfaq”ah$]”h&]”uh1h´hh¶hžhhŸh³h Mòubeh}”(h]”Œ integrity-policy-enforcement-ipe”ah ]”h"]”Œ"integrity policy enforcement (ipe)”ah$]”h&]”uh1h´hhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¹NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”jg
  Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jî'  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”(Œdigest_cache_lsm”]”jÛ  aŒinterpreters”]”j(  aŒdevdoc”]”(j—  j3&  eŒswitch_root”]”j   aŒdmveritydigests”]”j®   aŒfsveritydigest”]”jþ"  auŒrefids”}”(jì  ]”jÛ  aj7  ]”j(  aj¦  ]”(j—  j3&  ej    ]”j   aj½   ]”j®   aj#  ]”jþ"  auŒnameids”}”(jÉ'  jÆ'  j“  j  jþ  jû  jG  jD  j{  jx  jŽ  j‹  j	  j	  jˆ	  j…	  j†  jƒ  j{  jx  j¢  jŸ  jš  j—  jé  jæ  j~  j{  j$  jÿ#  j6  j3  jÏ  jÌ  j<   j9   já!  jÞ!  jz"  jw"  ja#  j^#  jú#  j÷#  j,%  j)%  j:$  j7$  ja$  j^$  jˆ$  j…$  j¯$  j¬$  jÖ$  jÓ$  jý$  jú$  j$%  j!%  j·%  j´%  jh%  je%  jÁ'  j¾'  j«&  jì  jó&  j7  já&  jÞ&  j='  j¦  jm'  j    j“'  j½   j¹'  j#  uŒ	nametypes”}”(jÉ'  ‰j“  ‰jþ  ‰jG  ‰j{  ‰jŽ  ‰j	  ‰jˆ	  ‰j†  ‰j{  ‰j¢  ‰jš  ‰jé  ‰j~  ‰j$  ‰j6  ‰jÏ  ‰j<   ‰já!  ‰jz"  ‰ja#  ‰jú#  ‰j,%  ‰j:$  ‰ja$  ‰jˆ$  ‰j¯$  ‰jÖ$  ‰jý$  ‰j$%  ‰j·%  ‰jh%  ˆjÁ'  ‰j«&  ˆjó&  ˆjá&  ˆj='  ˆjm'  ˆj“'  ˆj¹'  ˆuh}”(jÆ'  h¶j  j  jû  j–  jå  jÛ  jD  j  j2  j(  jx  jJ  j‹  j~  j¡  j—  j	  je  j…	  j	  jƒ  j‹	  jx  jœ	  jŸ  j~  j—  j¥  jæ  j  j{  jì  jÿ#  j‘  j3  j  jÌ  j9  j9   jÒ  j   j   jÞ!  j?   j¸   j®   jw"  jä!  j^#  j}"  j#  jþ"  j÷#  jd#  j)%  j$  j7$  j$  j^$  j=$  j…$  jd$  j¬$  j‹$  jÓ$  j²$  jú$  jÙ$  j!%  j %  j´%  j/%  je%  j_%  j¾'  jº%  j=&  j3&  jì  j|&  j7  j®&  jÞ&  jØ&  j¦  jö&  j    j@'  j½   jp'  j#  j–'  uŒfootnote_refs”}”(j.(  ]”jÛ  aj0(  ]”j(  aj2(  ]”(j—  j3&  ej4(  ]”j   aj6(  ]”j®   aj8(  ]”jþ"  auŒcitation_refs”}”Œautofootnotes”]”(j|&  j®&  jö&  j@'  jp'  j–'  eŒautofootnote_refs”]”(jÛ  j(  j—  j   j®   jþ"  j3&  eŒsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”jü'  Ks…”R”Œparse_messages”]”Œtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.