€•      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ /translations/zh_CN/security/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/zh_TW/security/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/it_IT/security/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/ja_JP/security/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/ko_KR/security/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ /translations/sp_SP/security/ipe”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh£sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1h¡hhhžhhŸŒ:/var/lib/git/docbuild/linux/Documentation/security/ipe.rst”h KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ9Integrity Policy Enforcement (IPE) - Kernel Documentation”h]”hŒ9Integrity Policy Enforcement (IPE) - Kernel Documentation”…””}”(hh»hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hh¶hžhhŸh³h KubhŒnote”“”)”}”(hŒ»This is documentation targeted at developers, instead of administrators.
If you're looking for documentation on the usage of IPE, please see
:doc:`IPE admin guide </admin-guide/LSM/ipe>`.”h]”hŒ	paragraph”“”)”}”(hŒ»This is documentation targeted at developers, instead of administrators.
If you're looking for documentation on the usage of IPE, please see
:doc:`IPE admin guide </admin-guide/LSM/ipe>`.”h]”(hŒThis is documentation targeted at developers, instead of administrators.
If youâ€™re looking for documentation on the usage of IPE, please see
”…””}”(hhÑhžhhŸNh Nubh)”}”(hŒ-:doc:`IPE admin guide </admin-guide/LSM/ipe>`”h]”hŒinline”“”)”}”(hhÛh]”hŒIPE admin guide”…””}”(hhßhžhhŸNh Nubah}”(h]”h ]”(Œxref”Œstd”Œstd-doc”eh"]”h$]”h&]”uh1hÝhhÙubah}”(h]”h ]”h"]”h$]”h&]”Œrefdoc”Œsecurity/ipe”Œ	refdomain”hêŒreftype”Œdoc”Œrefexplicit”ˆŒrefwarn”ˆŒ	reftarget”Œ/admin-guide/LSM/ipe”uh1hhŸh³h KhhÑubhŒ.”…””}”(hhÑhžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KhhËubah}”(h]”h ]”h"]”h$]”h&]”uh1hÉhh¶hžhhŸh³h Nubhµ)”}”(hhh]”(hº)”}”(hŒHistorical Motivation”h]”hŒHistorical Motivation”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj  hžhhŸh³h KubhÐ)”}”(hX’  The original issue that prompted IPE's implementation was the creation
of a locked-down system. This system would be born-secure, and have
strong integrity guarantees over both the executable code, and specific
*data files* on the system, that were critical to its function. These
specific data files would not be readable unless they passed integrity
policy. A mandatory access control system would be present, and
as a result, xattrs would have to be protected. This lead to a selection
of what would provide the integrity claims. At the time, there were two
main mechanisms considered that could guarantee integrity for the system
with these requirements:”h]”(hŒÕThe original issue that prompted IPEâ€™s implementation was the creation
of a locked-down system. This system would be born-secure, and have
strong integrity guarantees over both the executable code, and specific
”…””}”(hj  hžhhŸNh NubhŒemphasis”“”)”}”(hŒ*data files*”h]”hŒ
data files”…””}”(hj)  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  hj  ubhX³   on the system, that were critical to its function. These
specific data files would not be readable unless they passed integrity
policy. A mandatory access control system would be present, and
as a result, xattrs would have to be protected. This lead to a selection
of what would provide the integrity claims. At the time, there were two
main mechanisms considered that could guarantee integrity for the system
with these requirements:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Khj  hžhubhŒblock_quote”“”)”}”(hŒ%1. IMA + EVM Signatures
2. DM-Verity
”h]”hŒenumerated_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒIMA + EVM Signatures”h]”hÐ)”}”(hjP  h]”hŒIMA + EVM Signatures”…””}”(hjR  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KhjN  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjI  ubjM  )”}”(hŒ
DM-Verity
”h]”hÐ)”}”(hŒ	DM-Verity”h]”hŒ	DM-Verity”…””}”(hji  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Khje  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjI  ubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œarabic”Œprefix”hŒsuffix”Œ.”uh1jG  hjC  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h Khj  hžhubhÐ)”}”(hŒ´Both options were carefully considered, however the choice to use DM-Verity
over IMA+EVM as the *integrity mechanism* in the original use case of IPE
was due to three main reasons:”h]”(hŒ`Both options were carefully considered, however the choice to use DM-Verity
over IMA+EVM as the ”…””}”(hjŽ  hžhhŸNh Nubj(  )”}”(hŒ*integrity mechanism*”h]”hŒintegrity mechanism”…””}”(hj–  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  hjŽ  ubhŒ? in the original use case of IPE
was due to three main reasons:”…””}”(hjŽ  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Khj  hžhubjB  )”}”(hXî  1. Protection of additional attack vectors:

  * With IMA+EVM, without an encryption solution, the system is vulnerable
    to offline attack against the aforementioned specific data files.

    Unlike executables, read operations (like those on the protected data
    files), cannot be enforced to be globally integrity verified. This means
    there must be some form of selector to determine whether a read should
    enforce the integrity policy, or it should not.

    At the time, this was done with mandatory access control labels. An IMA
    policy would indicate what labels required integrity verification, which
    presented an issue: EVM would protect the label, but if an attacker could
    modify filesystem offline, the attacker could wipe all the xattrs -
    including the SELinux labels that would be used to determine whether the
    file should be subject to integrity policy.

    With DM-Verity, as the xattrs are saved as part of the Merkel tree, if
    offline mount occurs against the filesystem protected by dm-verity, the
    checksum no longer matches and the file fails to be read.

  * As userspace binaries are paged in Linux, dm-verity also offers the
    additional protection against a hostile block device. In such an attack,
    the block device reports the appropriate content for the IMA hash
    initially, passing the required integrity check. Then, on the page fault
    that accesses the real data, will report the attacker's payload. Since
    dm-verity will check the data when the page fault occurs (and the disk
    access), this attack is mitigated.

2. Performance:

  * dm-verity provides integrity verification on demand as blocks are
    read versus requiring the entire file being read into memory for
    validation.

3. Simplicity of signing:

  * No need for two signatures (IMA, then EVM): one signature covers
    an entire block device.
  * Signatures can be stored externally to the filesystem metadata.
  * The signature supports an x.509-based signing infrastructure.
”h]”(jH  )”}”(hhh]”jM  )”}”(hŒ)Protection of additional attack vectors:
”h]”hÐ)”}”(hŒ(Protection of additional attack vectors:”h]”hŒ(Protection of additional attack vectors:”…””}”(hj¹  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K!hjµ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj²  ubah}”(h]”h ]”h"]”h$]”h&]”jƒ  j„  j…  hj†  j‡  uh1jG  hj®  ubjB  )”}”(hXå  * With IMA+EVM, without an encryption solution, the system is vulnerable
  to offline attack against the aforementioned specific data files.

  Unlike executables, read operations (like those on the protected data
  files), cannot be enforced to be globally integrity verified. This means
  there must be some form of selector to determine whether a read should
  enforce the integrity policy, or it should not.

  At the time, this was done with mandatory access control labels. An IMA
  policy would indicate what labels required integrity verification, which
  presented an issue: EVM would protect the label, but if an attacker could
  modify filesystem offline, the attacker could wipe all the xattrs -
  including the SELinux labels that would be used to determine whether the
  file should be subject to integrity policy.

  With DM-Verity, as the xattrs are saved as part of the Merkel tree, if
  offline mount occurs against the filesystem protected by dm-verity, the
  checksum no longer matches and the file fails to be read.

* As userspace binaries are paged in Linux, dm-verity also offers the
  additional protection against a hostile block device. In such an attack,
  the block device reports the appropriate content for the IMA hash
  initially, passing the required integrity check. Then, on the page fault
  that accesses the real data, will report the attacker's payload. Since
  dm-verity will check the data when the page fault occurs (and the disk
  access), this attack is mitigated.
”h]”hŒbullet_list”“”)”}”(hhh]”(jM  )”}”(hXï  With IMA+EVM, without an encryption solution, the system is vulnerable
to offline attack against the aforementioned specific data files.

Unlike executables, read operations (like those on the protected data
files), cannot be enforced to be globally integrity verified. This means
there must be some form of selector to determine whether a read should
enforce the integrity policy, or it should not.

At the time, this was done with mandatory access control labels. An IMA
policy would indicate what labels required integrity verification, which
presented an issue: EVM would protect the label, but if an attacker could
modify filesystem offline, the attacker could wipe all the xattrs -
including the SELinux labels that would be used to determine whether the
file should be subject to integrity policy.

With DM-Verity, as the xattrs are saved as part of the Merkel tree, if
offline mount occurs against the filesystem protected by dm-verity, the
checksum no longer matches and the file fails to be read.
”h]”(hÐ)”}”(hŒˆWith IMA+EVM, without an encryption solution, the system is vulnerable
to offline attack against the aforementioned specific data files.”h]”hŒˆWith IMA+EVM, without an encryption solution, the system is vulnerable
to offline attack against the aforementioned specific data files.”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K#hjÜ  ubhÐ)”}”(hX  Unlike executables, read operations (like those on the protected data
files), cannot be enforced to be globally integrity verified. This means
there must be some form of selector to determine whether a read should
enforce the integrity policy, or it should not.”h]”hX  Unlike executables, read operations (like those on the protected data
files), cannot be enforced to be globally integrity verified. This means
there must be some form of selector to determine whether a read should
enforce the integrity policy, or it should not.”…””}”(hjî  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K&hjÜ  ubhÐ)”}”(hX“  At the time, this was done with mandatory access control labels. An IMA
policy would indicate what labels required integrity verification, which
presented an issue: EVM would protect the label, but if an attacker could
modify filesystem offline, the attacker could wipe all the xattrs -
including the SELinux labels that would be used to determine whether the
file should be subject to integrity policy.”h]”hX“  At the time, this was done with mandatory access control labels. An IMA
policy would indicate what labels required integrity verification, which
presented an issue: EVM would protect the label, but if an attacker could
modify filesystem offline, the attacker could wipe all the xattrs -
including the SELinux labels that would be used to determine whether the
file should be subject to integrity policy.”…””}”(hjü  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K+hjÜ  ubhÐ)”}”(hŒÈWith DM-Verity, as the xattrs are saved as part of the Merkel tree, if
offline mount occurs against the filesystem protected by dm-verity, the
checksum no longer matches and the file fails to be read.”h]”hŒÈWith DM-Verity, as the xattrs are saved as part of the Merkel tree, if
offline mount occurs against the filesystem protected by dm-verity, the
checksum no longer matches and the file fails to be read.”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K2hjÜ  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjÙ  ubjM  )”}”(hXÉ  As userspace binaries are paged in Linux, dm-verity also offers the
additional protection against a hostile block device. In such an attack,
the block device reports the appropriate content for the IMA hash
initially, passing the required integrity check. Then, on the page fault
that accesses the real data, will report the attacker's payload. Since
dm-verity will check the data when the page fault occurs (and the disk
access), this attack is mitigated.
”h]”hÐ)”}”(hXÈ  As userspace binaries are paged in Linux, dm-verity also offers the
additional protection against a hostile block device. In such an attack,
the block device reports the appropriate content for the IMA hash
initially, passing the required integrity check. Then, on the page fault
that accesses the real data, will report the attacker's payload. Since
dm-verity will check the data when the page fault occurs (and the disk
access), this attack is mitigated.”h]”hXÊ  As userspace binaries are paged in Linux, dm-verity also offers the
additional protection against a hostile block device. In such an attack,
the block device reports the appropriate content for the IMA hash
initially, passing the required integrity check. Then, on the page fault
that accesses the real data, will report the attackerâ€™s payload. Since
dm-verity will check the data when the page fault occurs (and the disk
access), this attack is mitigated.”…””}”(hj"  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K6hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjÙ  ubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ*”uh1j×  hŸh³h K#hjÓ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h K#hj®  ubjH  )”}”(hhh]”jM  )”}”(hŒPerformance:
”h]”hÐ)”}”(hŒPerformance:”h]”hŒPerformance:”…””}”(hjK  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K>hjG  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjD  ubah}”(h]”h ]”h"]”h$]”h&]”jƒ  j„  j…  hj†  j‡  Œstart”Kuh1jG  hj®  ubjB  )”}”(hŒ•* dm-verity provides integrity verification on demand as blocks are
  read versus requiring the entire file being read into memory for
  validation.
”h]”jØ  )”}”(hhh]”jM  )”}”(hŒdm-verity provides integrity verification on demand as blocks are
read versus requiring the entire file being read into memory for
validation.
”h]”hÐ)”}”(hŒŽdm-verity provides integrity verification on demand as blocks are
read versus requiring the entire file being read into memory for
validation.”h]”hŒŽdm-verity provides integrity verification on demand as blocks are
read versus requiring the entire file being read into memory for
validation.”…””}”(hjq  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K@hjm  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjj  ubah}”(h]”h ]”h"]”h$]”h&]”j<  j=  uh1j×  hŸh³h K@hjf  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h K@hj®  ubjH  )”}”(hhh]”jM  )”}”(hŒSimplicity of signing:
”h]”hÐ)”}”(hŒSimplicity of signing:”h]”hŒSimplicity of signing:”…””}”(hj˜  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KDhj”  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj‘  ubah}”(h]”h ]”h"]”h$]”h&]”jƒ  j„  j…  hj†  j‡  je  Kuh1jG  hj®  ubjB  )”}”(hŒß* No need for two signatures (IMA, then EVM): one signature covers
  an entire block device.
* Signatures can be stored externally to the filesystem metadata.
* The signature supports an x.509-based signing infrastructure.
”h]”jØ  )”}”(hhh]”(jM  )”}”(hŒXNo need for two signatures (IMA, then EVM): one signature covers
an entire block device.”h]”hÐ)”}”(hŒXNo need for two signatures (IMA, then EVM): one signature covers
an entire block device.”h]”hŒXNo need for two signatures (IMA, then EVM): one signature covers
an entire block device.”…””}”(hj½  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KFhj¹  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj¶  ubjM  )”}”(hŒ?Signatures can be stored externally to the filesystem metadata.”h]”hÐ)”}”(hjÓ  h]”hŒ?Signatures can be stored externally to the filesystem metadata.”…””}”(hjÕ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KHhjÑ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj¶  ubjM  )”}”(hŒ>The signature supports an x.509-based signing infrastructure.
”h]”hÐ)”}”(hŒ=The signature supports an x.509-based signing infrastructure.”h]”hŒ=The signature supports an x.509-based signing infrastructure.”…””}”(hjì  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KIhjè  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj¶  ubeh}”(h]”h ]”h"]”h$]”h&]”j<  j=  uh1j×  hŸh³h KFhj²  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h KFhj®  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h K!hj  hžhubhÐ)”}”(hŒxThe next step was to choose a *policy* to enforce the integrity mechanism.
The minimum requirements for the policy were:”h]”(hŒThe next step was to choose a ”…””}”(hj  hžhhŸNh Nubj(  )”}”(hŒ*policy*”h]”hŒpolicy”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  hj  ubhŒR to enforce the integrity mechanism.
The minimum requirements for the policy were:”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KKhj  hžhubjB  )”}”(hXË  1. The policy itself must be integrity verified (preventing trivial
   attack against it).
2. The policy itself must be resistant to rollback attacks.
3. The policy enforcement must have a permissive-like mode.
4. The policy must be able to be updated, in its entirety, without
   a reboot.
5. Policy updates must be atomic.
6. The policy must support *revocations* of previously authored
   components.
7. The policy must be auditable, at any point-of-time.
”h]”jH  )”}”(hhh]”(jM  )”}”(hŒTThe policy itself must be integrity verified (preventing trivial
attack against it).”h]”hÐ)”}”(hŒTThe policy itself must be integrity verified (preventing trivial
attack against it).”h]”hŒTThe policy itself must be integrity verified (preventing trivial
attack against it).”…””}”(hj=  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KNhj9  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj6  ubjM  )”}”(hŒ8The policy itself must be resistant to rollback attacks.”h]”hÐ)”}”(hjS  h]”hŒ8The policy itself must be resistant to rollback attacks.”…””}”(hjU  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KPhjQ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj6  ubjM  )”}”(hŒ8The policy enforcement must have a permissive-like mode.”h]”hÐ)”}”(hjj  h]”hŒ8The policy enforcement must have a permissive-like mode.”…””}”(hjl  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KQhjh  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj6  ubjM  )”}”(hŒIThe policy must be able to be updated, in its entirety, without
a reboot.”h]”hÐ)”}”(hŒIThe policy must be able to be updated, in its entirety, without
a reboot.”h]”hŒIThe policy must be able to be updated, in its entirety, without
a reboot.”…””}”(hjƒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KRhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj6  ubjM  )”}”(hŒPolicy updates must be atomic.”h]”hÐ)”}”(hj™  h]”hŒPolicy updates must be atomic.”…””}”(hj›  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KThj—  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj6  ubjM  )”}”(hŒHThe policy must support *revocations* of previously authored
components.”h]”hÐ)”}”(hŒHThe policy must support *revocations* of previously authored
components.”h]”(hŒThe policy must support ”…””}”(hj²  hžhhŸNh Nubj(  )”}”(hŒ*revocations*”h]”hŒrevocations”…””}”(hjº  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  hj²  ubhŒ# of previously authored
components.”…””}”(hj²  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KUhj®  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj6  ubjM  )”}”(hŒ4The policy must be auditable, at any point-of-time.
”h]”hÐ)”}”(hŒ3The policy must be auditable, at any point-of-time.”h]”hŒ3The policy must be auditable, at any point-of-time.”…””}”(hjÜ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KWhjØ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj6  ubeh}”(h]”h ]”h"]”h$]”h&]”jƒ  j„  j…  hj†  j‡  uh1jG  hj2  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h KNhj  hžhubhÐ)”}”(hX  IMA, as the only integrity policy mechanism at the time, was
considered against these list of requirements, and did not fulfill
all of the minimum requirements. Extending IMA to cover these
requirements was considered, but ultimately discarded for a
two reasons:”h]”hX  IMA, as the only integrity policy mechanism at the time, was
considered against these list of requirements, and did not fulfill
all of the minimum requirements. Extending IMA to cover these
requirements was considered, but ultimately discarded for a
two reasons:”…””}”(hjü  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KYhj  hžhubjB  )”}”(hXQ  1. Regression risk; many of these changes would result in
   dramatic code changes to IMA, which is already present in the
   kernel, and therefore might impact users.

2. IMA was used in the system for measurement and attestation;
   separation of measurement policy from local integrity policy
   enforcement was considered favorable.
”h]”jH  )”}”(hhh]”(jM  )”}”(hŒŸRegression risk; many of these changes would result in
dramatic code changes to IMA, which is already present in the
kernel, and therefore might impact users.
”h]”hÐ)”}”(hŒžRegression risk; many of these changes would result in
dramatic code changes to IMA, which is already present in the
kernel, and therefore might impact users.”h]”hŒžRegression risk; many of these changes would result in
dramatic code changes to IMA, which is already present in the
kernel, and therefore might impact users.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K_hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj  ubjM  )”}”(hŒŸIMA was used in the system for measurement and attestation;
separation of measurement policy from local integrity policy
enforcement was considered favorable.
”h]”hÐ)”}”(hŒžIMA was used in the system for measurement and attestation;
separation of measurement policy from local integrity policy
enforcement was considered favorable.”h]”hŒžIMA was used in the system for measurement and attestation;
separation of measurement policy from local integrity policy
enforcement was considered favorable.”…””}”(hj-  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kchj)  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”jƒ  j„  j…  hj†  j‡  uh1jG  hj
  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h K_hj  hžhubhÐ)”}”(hŒ‘Due to these reasons, it was decided that a new LSM should be created,
whose responsibility would be only the local integrity policy enforcement.”h]”hŒ‘Due to these reasons, it was decided that a new LSM should be created,
whose responsibility would be only the local integrity policy enforcement.”…””}”(hjM  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kghj  hžhubeh}”(h]”Œhistorical-motivation”ah ]”h"]”Œhistorical motivation”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒRole and Scope”h]”hŒRole and Scope”…””}”(hjf  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjc  hžhhŸh³h KkubhÐ)”}”(hXÑ  IPE, as its name implies, is fundamentally an integrity policy enforcement
solution; IPE does not mandate how integrity is provided, but instead
leaves that decision to the system administrator to set the security bar,
via the mechanisms that they select that suit their individual needs.
There are several different integrity solutions that provide a different
level of security guarantees; and IPE allows sysadmins to express policy for
theoretically all of them.”h]”hXÑ  IPE, as its name implies, is fundamentally an integrity policy enforcement
solution; IPE does not mandate how integrity is provided, but instead
leaves that decision to the system administrator to set the security bar,
via the mechanisms that they select that suit their individual needs.
There are several different integrity solutions that provide a different
level of security guarantees; and IPE allows sysadmins to express policy for
theoretically all of them.”…””}”(hjt  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kmhjc  hžhubhÐ)”}”(hX.  IPE does not have an inherent mechanism to ensure integrity on its own.
Instead, there are more effective layers available for building systems that
can guarantee integrity. It's important to note that the mechanism for proving
integrity is independent of the policy for enforcing that integrity claim.”h]”hX0  IPE does not have an inherent mechanism to ensure integrity on its own.
Instead, there are more effective layers available for building systems that
can guarantee integrity. Itâ€™s important to note that the mechanism for proving
integrity is independent of the policy for enforcing that integrity claim.”…””}”(hj‚  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kuhjc  hžhubhÐ)”}”(hŒ#Therefore, IPE was designed around:”h]”hŒ#Therefore, IPE was designed around:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kzhjc  hžhubjB  )”}”(hŒe1. Easy integrations with integrity providers.
2. Ease of use for platform administrators/sysadmins.
”h]”jH  )”}”(hhh]”(jM  )”}”(hŒ+Easy integrations with integrity providers.”h]”hÐ)”}”(hj§  h]”hŒ+Easy integrations with integrity providers.”…””}”(hj©  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K|hj¥  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj¢  ubjM  )”}”(hŒ3Ease of use for platform administrators/sysadmins.
”h]”hÐ)”}”(hŒ2Ease of use for platform administrators/sysadmins.”h]”hŒ2Ease of use for platform administrators/sysadmins.”…””}”(hjÀ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K}hj¼  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj¢  ubeh}”(h]”h ]”h"]”h$]”h&]”jƒ  j„  j…  hj†  j‡  uh1jG  hjž  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h K|hjc  hžhubeh}”(h]”Œrole-and-scope”ah ]”h"]”Œrole and scope”ah$]”h&]”uh1h´hh¶hžhhŸh³h Kkubhµ)”}”(hhh]”(hº)”}”(hŒDesign Rationale:”h]”hŒDesign Rationale:”…””}”(hjë  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjè  hžhhŸh³h K€ubhÐ)”}”(hŒÁIPE was designed after evaluating existing integrity policy solutions
in other operating systems and environments. In this survey of other
implementations, there were a few pitfalls identified:”h]”hŒÁIPE was designed after evaluating existing integrity policy solutions
in other operating systems and environments. In this survey of other
implementations, there were a few pitfalls identified:”…””}”(hjù  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K‚hjè  hžhubjB  )”}”(hXZ  1. Policies were not readable by humans, usually requiring a binary
   intermediary format.
2. A single, non-customizable action was implicitly taken as a default.
3. Debugging the policy required manual steps to determine what rule was violated.
4. Authoring a policy required an in-depth knowledge of the larger system,
   or operating system.
”h]”jH  )”}”(hhh]”(jM  )”}”(hŒUPolicies were not readable by humans, usually requiring a binary
intermediary format.”h]”hÐ)”}”(hŒUPolicies were not readable by humans, usually requiring a binary
intermediary format.”h]”hŒUPolicies were not readable by humans, usually requiring a binary
intermediary format.”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K†hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj  ubjM  )”}”(hŒDA single, non-customizable action was implicitly taken as a default.”h]”hÐ)”}”(hj(  h]”hŒDA single, non-customizable action was implicitly taken as a default.”…””}”(hj*  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kˆhj&  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj  ubjM  )”}”(hŒODebugging the policy required manual steps to determine what rule was violated.”h]”hÐ)”}”(hj?  h]”hŒODebugging the policy required manual steps to determine what rule was violated.”…””}”(hjA  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K‰hj=  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj  ubjM  )”}”(hŒ]Authoring a policy required an in-depth knowledge of the larger system,
or operating system.
”h]”hÐ)”}”(hŒ\Authoring a policy required an in-depth knowledge of the larger system,
or operating system.”h]”hŒ\Authoring a policy required an in-depth knowledge of the larger system,
or operating system.”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KŠhjT  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”jƒ  j„  j…  hj†  j‡  uh1jG  hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h K†hjè  hžhubhÐ)”}”(hŒ,IPE attempts to avoid all of these pitfalls.”h]”hŒ,IPE attempts to avoid all of these pitfalls.”…””}”(hjx  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Khjè  hžhubhµ)”}”(hhh]”(hº)”}”(hŒPolicy”h]”hŒPolicy”…””}”(hj‰  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj†  hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒ
Plain Text”h]”hŒ
Plain Text”…””}”(hjš  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj—  hžhhŸh³h K“ubhÐ)”}”(hŒ¼IPE's policy is plain-text. This introduces slightly larger policy files than
other LSMs, but solves two major problems that occurs with some integrity policy
solutions on other platforms.”h]”hŒ¾IPEâ€™s policy is plain-text. This introduces slightly larger policy files than
other LSMs, but solves two major problems that occurs with some integrity policy
solutions on other platforms.”…””}”(hj¨  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K•hj—  hžhubhÐ)”}”(hXå  The first issue is one of code maintenance and duplication. To author policies,
the policy has to be some form of string representation (be it structured,
through XML, JSON, YAML, etcetera), to allow the policy author to understand
what is being written. In a hypothetical binary policy design, a serializer
is necessary to write the policy from the human readable form, to the binary
form, and a deserializer is needed to interpret the binary form into a data
structure in the kernel.”h]”hXå  The first issue is one of code maintenance and duplication. To author policies,
the policy has to be some form of string representation (be it structured,
through XML, JSON, YAML, etcetera), to allow the policy author to understand
what is being written. In a hypothetical binary policy design, a serializer
is necessary to write the policy from the human readable form, to the binary
form, and a deserializer is needed to interpret the binary form into a data
structure in the kernel.”…””}”(hj¶  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K™hj—  hžhubhÐ)”}”(hXa  Eventually, another deserializer will be needed to transform the binary from
back into the human-readable form with as much information preserved. This is because a
user of this access control system will have to keep a lookup table of a checksum
and the original file itself to try to understand what policies have been deployed
on this system and what policies have not. For a single user, this may be alright,
as old policies can be discarded almost immediately after the update takes hold.
For users that manage computer fleets in the thousands, if not hundreds of thousands,
with multiple different operating systems, and multiple different operational needs,
this quickly becomes an issue, as stale policies from years ago may be present,
quickly resulting in the need to recover the policy or fund extensive infrastructure
to track what each policy contains.”h]”hXa  Eventually, another deserializer will be needed to transform the binary from
back into the human-readable form with as much information preserved. This is because a
user of this access control system will have to keep a lookup table of a checksum
and the original file itself to try to understand what policies have been deployed
on this system and what policies have not. For a single user, this may be alright,
as old policies can be discarded almost immediately after the update takes hold.
For users that manage computer fleets in the thousands, if not hundreds of thousands,
with multiple different operating systems, and multiple different operational needs,
this quickly becomes an issue, as stale policies from years ago may be present,
quickly resulting in the need to recover the policy or fund extensive infrastructure
to track what each policy contains.”…””}”(hjÄ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K¡hj—  hžhubhÐ)”}”(hX  With now three separate serializer/deserializers, maintenance becomes costly. If the
policy avoids the binary format, there is only one required serializer: from the
human-readable form to the data structure in kernel, saving on code maintenance,
and retaining operability.”h]”hX  With now three separate serializer/deserializers, maintenance becomes costly. If the
policy avoids the binary format, there is only one required serializer: from the
human-readable form to the data structure in kernel, saving on code maintenance,
and retaining operability.”…””}”(hjÒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K­hj—  hžhubhÐ)”}”(hX¯  The second issue with a binary format is one of transparency. As IPE controls
access based on the trust of the system's resources, it's policy must also be
trusted to be changed. This is done through signatures, resulting in needing
signing as a process. Signing, as a process, is typically done with a
high security bar, as anything signed can be used to attack integrity
enforcement systems. It is also important that, when signing something, that
the signer is aware of what they are signing. A binary policy can cause
obfuscation of that fact; what signers see is an opaque binary blob. A
plain-text policy, on the other hand, the signers see the actual policy
submitted for signing.”h]”hX³  The second issue with a binary format is one of transparency. As IPE controls
access based on the trust of the systemâ€™s resources, itâ€™s policy must also be
trusted to be changed. This is done through signatures, resulting in needing
signing as a process. Signing, as a process, is typically done with a
high security bar, as anything signed can be used to attack integrity
enforcement systems. It is also important that, when signing something, that
the signer is aware of what they are signing. A binary policy can cause
obfuscation of that fact; what signers see is an opaque binary blob. A
plain-text policy, on the other hand, the signers see the actual policy
submitted for signing.”…””}”(hjà  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h K²hj—  hžhubeh}”(h]”Œ
plain-text”ah ]”h"]”Œ
plain text”ah$]”h&]”uh1h´hj†  hžhhŸh³h K“ubeh}”(h]”Œpolicy”ah ]”h"]”Œpolicy”ah$]”h&]”uh1h´hjè  hžhhŸh³h Kubhµ)”}”(hhh]”(hº)”}”(hŒBoot Policy”h]”hŒBoot Policy”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjþ  hžhhŸh³h K¾ubhÐ)”}”(hX  IPE, if configured appropriately, is able to enforce a policy as soon as a
kernel is booted and usermode starts. That implies some level of storage
of the policy to apply the minute usermode starts. Generally, that storage
can be handled in one of three ways:”h]”hX  IPE, if configured appropriately, is able to enforce a policy as soon as a
kernel is booted and usermode starts. That implies some level of storage
of the policy to apply the minute usermode starts. Generally, that storage
can be handled in one of three ways:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÀhjþ  hžhubjB  )”}”(hXS  1. The policy file(s) live on disk and the kernel loads the policy prior
   to an code path that would result in an enforcement decision.
2. The policy file(s) are passed by the bootloader to the kernel, who
   parses the policy.
3. There is a policy file that is compiled into the kernel that is
   parsed and enforced on initialization.
”h]”jH  )”}”(hhh]”(jM  )”}”(hŒƒThe policy file(s) live on disk and the kernel loads the policy prior
to an code path that would result in an enforcement decision.”h]”hÐ)”}”(hŒƒThe policy file(s) live on disk and the kernel loads the policy prior
to an code path that would result in an enforcement decision.”h]”hŒƒThe policy file(s) live on disk and the kernel loads the policy prior
to an code path that would result in an enforcement decision.”…””}”(hj(  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÅhj$  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj!  ubjM  )”}”(hŒUThe policy file(s) are passed by the bootloader to the kernel, who
parses the policy.”h]”hÐ)”}”(hŒUThe policy file(s) are passed by the bootloader to the kernel, who
parses the policy.”h]”hŒUThe policy file(s) are passed by the bootloader to the kernel, who
parses the policy.”…””}”(hj@  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÇhj<  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj!  ubjM  )”}”(hŒgThere is a policy file that is compiled into the kernel that is
parsed and enforced on initialization.
”h]”hÐ)”}”(hŒfThere is a policy file that is compiled into the kernel that is
parsed and enforced on initialization.”h]”hŒfThere is a policy file that is compiled into the kernel that is
parsed and enforced on initialization.”…””}”(hjX  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÉhjT  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hj!  ubeh}”(h]”h ]”h"]”h$]”h&]”jƒ  j„  j…  hj†  j‡  uh1jG  hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h KÅhjþ  hžhubhÐ)”}”(hŒ€The first option has problems: the kernel reading files from userspace
is typically discouraged and very uncommon in the kernel.”h]”hŒ€The first option has problems: the kernel reading files from userspace
is typically discouraged and very uncommon in the kernel.”…””}”(hjx  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÌhjþ  hžhubhÐ)”}”(hX#  The second option also has problems: Linux supports a variety of bootloaders
across its entire ecosystem - every bootloader would have to support this
new methodology or there must be an independent source. It would likely
result in more drastic changes to the kernel startup than necessary.”h]”hX#  The second option also has problems: Linux supports a variety of bootloaders
across its entire ecosystem - every bootloader would have to support this
new methodology or there must be an independent source. It would likely
result in more drastic changes to the kernel startup than necessary.”…””}”(hj†  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÏhjþ  hžhubhÐ)”}”(hXD  The third option is the best but it's important to be aware that the policy
will take disk space against the kernel it's compiled in. It's important to
keep this policy generalized enough that userspace can load a new, more
complicated policy, but restrictive enough that it will not overauthorize
and cause security issues.”h]”hXJ  The third option is the best but itâ€™s important to be aware that the policy
will take disk space against the kernel itâ€™s compiled in. Itâ€™s important to
keep this policy generalized enough that userspace can load a new, more
complicated policy, but restrictive enough that it will not overauthorize
and cause security issues.”…””}”(hj”  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÔhjþ  hžhubhÐ)”}”(hX…  The initramfs provides a way that this bootup path can be established. The
kernel starts with a minimal policy, that trusts the initramfs only. Inside
the initramfs, when the real rootfs is mounted, but not yet transferred to,
it deploys and activates a policy that trusts the new root filesystem.
This prevents overauthorization at any step, and keeps the kernel policy
to a minimal size.”h]”hX…  The initramfs provides a way that this bootup path can be established. The
kernel starts with a minimal policy, that trusts the initramfs only. Inside
the initramfs, when the real rootfs is mounted, but not yet transferred to,
it deploys and activates a policy that trusts the new root filesystem.
This prevents overauthorization at any step, and keeps the kernel policy
to a minimal size.”…””}”(hj¢  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h KÚhjþ  hžhubhµ)”}”(hhh]”(hº)”}”(hŒStartup”h]”hŒStartup”…””}”(hj³  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj°  hžhhŸh³h KâubhÐ)”}”(hXb  Not every system, however starts with an initramfs, so the startup policy
compiled into the kernel will need some flexibility to express how trust
is established for the next phase of the bootup. To this end, if we just
make the compiled-in policy a full IPE policy, it allows system builders
to express the first stage bootup requirements appropriately.”h]”hXb  Not every system, however starts with an initramfs, so the startup policy
compiled into the kernel will need some flexibility to express how trust
is established for the next phase of the bootup. To this end, if we just
make the compiled-in policy a full IPE policy, it allows system builders
to express the first stage bootup requirements appropriately.”…””}”(hjÁ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kähj°  hžhubeh}”(h]”Œstartup”ah ]”h"]”Œstartup”ah$]”h&]”uh1h´hjþ  hžhhŸh³h Kâubeh}”(h]”Œboot-policy”ah ]”h"]”Œboot policy”ah$]”h&]”uh1h´hjè  hžhhŸh³h K¾ubhµ)”}”(hhh]”(hº)”}”(hŒUpdatable, Rebootless Policy”h]”hŒUpdatable, Rebootless Policy”…””}”(hjâ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjß  hžhhŸh³h KëubhÐ)”}”(hXý  As requirements change over time (vulnerabilities are found in previously
trusted applications, keys roll, etcetera). Updating a kernel to change the
meet those security goals is not always a suitable option, as updates are not
always risk-free, and blocking a security update leaves systems vulnerable.
This means IPE requires a policy that can be completely updated (allowing
revocations of existing policy) from a source external to the kernel (allowing
policies to be updated without updating the kernel).”h]”hXý  As requirements change over time (vulnerabilities are found in previously
trusted applications, keys roll, etcetera). Updating a kernel to change the
meet those security goals is not always a suitable option, as updates are not
always risk-free, and blocking a security update leaves systems vulnerable.
This means IPE requires a policy that can be completely updated (allowing
revocations of existing policy) from a source external to the kernel (allowing
policies to be updated without updating the kernel).”…””}”(hjð  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kíhjß  hžhubhÐ)”}”(hŒÁAdditionally, since the kernel is stateless between invocations, and reading
policy files off the disk from kernel space is a bad idea(tm), then the
policy updates have to be done rebootlessly.”h]”hŒÁAdditionally, since the kernel is stateless between invocations, and reading
policy files off the disk from kernel space is a bad idea(tm), then the
policy updates have to be done rebootlessly.”…””}”(hjþ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kõhjß  hžhubhÐ)”}”(hXÕ  To allow an update from an external source, it could be potentially malicious,
so this policy needs to have a way to be identified as trusted. This is
done via a signature chained to a trust source in the kernel. Arbitrarily,
this is  the ``SYSTEM_TRUSTED_KEYRING``, a keyring that is initially
populated at kernel compile-time, as this matches the expectation that the
author of the compiled-in policy described above is the same entity that can
deploy policy updates.”h]”(hŒïTo allow an update from an external source, it could be potentially malicious,
so this policy needs to have a way to be identified as trusted. This is
done via a signature chained to a trust source in the kernel. Arbitrarily,
this is  the ”…””}”(hj  hžhhŸNh NubhŒliteral”“”)”}”(hŒ``SYSTEM_TRUSTED_KEYRING``”h]”hŒSYSTEM_TRUSTED_KEYRING”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒÌ, a keyring that is initially
populated at kernel compile-time, as this matches the expectation that the
author of the compiled-in policy described above is the same entity that can
deploy policy updates.”…””}”(hj  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Kùhjß  hžhubeh}”(h]”Œupdatable-rebootless-policy”ah ]”h"]”Œupdatable, rebootless policy”ah$]”h&]”uh1h´hjè  hžhhŸh³h Këubhµ)”}”(hhh]”(hº)”}”(hŒAnti-Rollback / Anti-Replay”h]”hŒAnti-Rollback / Anti-Replay”…””}”(hj9  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj6  hžhhŸh³h MubhÐ)”}”(hŒúOver time, vulnerabilities are found and trusted resources may not be
trusted anymore. IPE's policy has no exception to this. There can be
instances where a mistaken policy author deploys an insecure policy,
before correcting it with a secure policy.”h]”hŒüOver time, vulnerabilities are found and trusted resources may not be
trusted anymore. IPEâ€™s policy has no exception to this. There can be
instances where a mistaken policy author deploys an insecure policy,
before correcting it with a secure policy.”…””}”(hjG  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj6  hžhubhÐ)”}”(hŒÆAssuming that as soon as the insecure policy is signed, and an attacker
acquires the insecure policy, IPE needs a way to prevent rollback
from the secure policy update to the insecure policy update.”h]”hŒÆAssuming that as soon as the insecure policy is signed, and an attacker
acquires the insecure policy, IPE needs a way to prevent rollback
from the secure policy update to the insecure policy update.”…””}”(hjU  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M	hj6  hžhubhÐ)”}”(hŒÅInitially, IPE's policy can have a policy_version that states the
minimum required version across all policies that can be active on
the system. This will prevent rollback while the system is live.”h]”hŒÇInitially, IPEâ€™s policy can have a policy_version that states the
minimum required version across all policies that can be active on
the system. This will prevent rollback while the system is live.”…””}”(hjc  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj6  hžhubhŒwarning”“”)”}”(hX@  However, since the kernel is stateless across boots, this policy
version will be reset to 0.0.0 on the next boot. System builders
need to be aware of this, and ensure the new secure policies are
deployed ASAP after a boot to ensure that the window of
opportunity is minimal for an attacker to deploy the insecure policy.”h]”hÐ)”}”(hX@  However, since the kernel is stateless across boots, this policy
version will be reset to 0.0.0 on the next boot. System builders
need to be aware of this, and ensure the new secure policies are
deployed ASAP after a boot to ensure that the window of
opportunity is minimal for an attacker to deploy the insecure policy.”h]”hX@  However, since the kernel is stateless across boots, this policy
version will be reset to 0.0.0 on the next boot. System builders
need to be aware of this, and ensure the new secure policies are
deployed ASAP after a boot to ensure that the window of
opportunity is minimal for an attacker to deploy the insecure policy.”…””}”(hjw  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhjs  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jq  hj6  hžhhŸh³h Nubeh}”(h]”Œanti-rollback-anti-replay”ah ]”h"]”Œanti-rollback / anti-replay”ah$]”h&]”uh1h´hjè  hžhhŸh³h Mubhµ)”}”(hhh]”(hº)”}”(hŒImplicit Actions:”h]”hŒImplicit Actions:”…””}”(hj–  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj“  hžhhŸh³h MubhÐ)”}”(hXq  The issue of implicit actions only becomes visible when you consider
a mixed level of security bars across multiple operations in a system.
For example, consider a system that has strong integrity guarantees
over both the executable code, and specific *data files* on the system,
that were critical to its function. In this system, three types of policies
are possible:”h]”(hŒüThe issue of implicit actions only becomes visible when you consider
a mixed level of security bars across multiple operations in a system.
For example, consider a system that has strong integrity guarantees
over both the executable code, and specific ”…””}”(hj¤  hžhhŸNh Nubj(  )”}”(hŒ*data files*”h]”hŒ
data files”…””}”(hj¬  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j'  hj¤  ubhŒi on the system,
that were critical to its function. In this system, three types of policies
are possible:”…””}”(hj¤  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj“  hžhubjB  )”}”(hX1  1. A policy in which failure to match any rules in the policy results
   in the action being denied.
2. A policy in which failure to match any rules in the policy results
   in the action being allowed.
3. A policy in which the action taken when no rules are matched is
   specified by the policy author.
”h]”jH  )”}”(hhh]”(jM  )”}”(hŒ^A policy in which failure to match any rules in the policy results
in the action being denied.”h]”hÐ)”}”(hŒ^A policy in which failure to match any rules in the policy results
in the action being denied.”h]”hŒ^A policy in which failure to match any rules in the policy results
in the action being denied.”…””}”(hjÏ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M#hjË  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjÈ  ubjM  )”}”(hŒ_A policy in which failure to match any rules in the policy results
in the action being allowed.”h]”hÐ)”}”(hŒ_A policy in which failure to match any rules in the policy results
in the action being allowed.”h]”hŒ_A policy in which failure to match any rules in the policy results
in the action being allowed.”…””}”(hjç  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M%hjã  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjÈ  ubjM  )”}”(hŒ`A policy in which the action taken when no rules are matched is
specified by the policy author.
”h]”hÐ)”}”(hŒ_A policy in which the action taken when no rules are matched is
specified by the policy author.”h]”hŒ_A policy in which the action taken when no rules are matched is
specified by the policy author.”…””}”(hjÿ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M'hjû  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jL  hjÈ  ubeh}”(h]”h ]”h"]”h$]”h&]”jƒ  j„  j…  hj†  j‡  uh1jG  hjÄ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jA  hŸh³h M#hj“  hžhubhÐ)”}”(hŒ0The first option could make a policy like this::”h]”hŒ/The first option could make a policy like this:”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M*hj“  hžhubhŒliteral_block”“”)”}”(hŒ.op=EXECUTE integrity_verified=YES action=ALLOW”h]”hŒ.op=EXECUTE integrity_verified=YES action=ALLOW”…””}”hj/  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j-  hŸh³h M,hj“  hžhubhÐ)”}”(hX!  In the example system, this works well for the executables, as all
executables should have integrity guarantees, without exception. The
issue becomes with the second requirement about specific data files.
This would result in a policy like this (assuming each line is
evaluated in order)::”h]”hX   In the example system, this works well for the executables, as all
executables should have integrity guarantees, without exception. The
issue becomes with the second requirement about specific data files.
This would result in a policy like this (assuming each line is
evaluated in order):”…””}”(hj=  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M.hj“  hžhubj.  )”}”(hŒop=EXECUTE integrity_verified=YES action=ALLOW

op=READ integrity_verified=NO label=critical_t action=DENY
op=READ action=ALLOW”h]”hŒop=EXECUTE integrity_verified=YES action=ALLOW

op=READ integrity_verified=NO label=critical_t action=DENY
op=READ action=ALLOW”…””}”hjK  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j-  hŸh³h M4hj“  hžhubhÐ)”}”(hX2  This is somewhat clear if you read the docs, understand the policy
is executed in order and that the default is a denial; however, the
last line effectively changes that default to an ALLOW. This is
required, because in a realistic system, there are some unverified
reads (imagine appending to a log file).”h]”hX2  This is somewhat clear if you read the docs, understand the policy
is executed in order and that the default is a denial; however, the
last line effectively changes that default to an ALLOW. This is
required, because in a realistic system, there are some unverified
reads (imagine appending to a log file).”…””}”(hjY  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M9hj“  hžhubhÐ)”}”(hŒbThe second option, matching no rules results in an allow, is clearer
for the specific data files::”h]”hŒaThe second option, matching no rules results in an allow, is clearer
for the specific data files:”…””}”(hjg  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M?hj“  hžhubj.  )”}”(hŒ:op=READ integrity_verified=NO label=critical_t action=DENY”h]”hŒ:op=READ integrity_verified=NO label=critical_t action=DENY”…””}”hju  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j-  hŸh³h MBhj“  hžhubhÐ)”}”(hŒrAnd, like the first option, falls short with the execution scenario,
effectively needing to override the default::”h]”hŒqAnd, like the first option, falls short with the execution scenario,
effectively needing to override the default:”…””}”(hjƒ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MDhj“  hžhubj.  )”}”(hŒop=EXECUTE integrity_verified=YES action=ALLOW
op=EXECUTE action=DENY

op=READ integrity_verified=NO label=critical_t action=DENY”h]”hŒop=EXECUTE integrity_verified=YES action=ALLOW
op=EXECUTE action=DENY

op=READ integrity_verified=NO label=critical_t action=DENY”…””}”hj‘  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j-  hŸh³h MGhj“  hžhubhÐ)”}”(hŒßThis leaves the third option. Instead of making users be clever
and override the default with an empty rule, force the end-user
to consider what the appropriate default should be for their
scenario and explicitly state it::”h]”hŒÞThis leaves the third option. Instead of making users be clever
and override the default with an empty rule, force the end-user
to consider what the appropriate default should be for their
scenario and explicitly state it:”…””}”(hjŸ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MLhj“  hžhubj.  )”}”(hŒ¦DEFAULT op=EXECUTE action=DENY
op=EXECUTE integrity_verified=YES action=ALLOW

DEFAULT op=READ action=ALLOW
op=READ integrity_verified=NO label=critical_t action=DENY”h]”hŒ¦DEFAULT op=EXECUTE action=DENY
op=EXECUTE integrity_verified=YES action=ALLOW

DEFAULT op=READ action=ALLOW
op=READ integrity_verified=NO label=critical_t action=DENY”…””}”hj­  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j-  hŸh³h MQhj“  hžhubeh}”(h]”Œimplicit-actions”ah ]”h"]”Œimplicit actions:”ah$]”h&]”uh1h´hjè  hžhhŸh³h Mubhµ)”}”(hhh]”(hº)”}”(hŒPolicy Debugging:”h]”hŒPolicy Debugging:”…””}”(hjÆ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjÃ  hžhhŸh³h MXubhÐ)”}”(hX›  When developing a policy, it is useful to know what line of the policy
is being violated to reduce debugging costs; narrowing the scope of the
investigation to the exact line that resulted in the action. Some integrity
policy systems do not provide this information, instead providing the
information that was used in the evaluation. This then requires a correlation
with the policy to evaluate what went wrong.”h]”hX›  When developing a policy, it is useful to know what line of the policy
is being violated to reduce debugging costs; narrowing the scope of the
investigation to the exact line that resulted in the action. Some integrity
policy systems do not provide this information, instead providing the
information that was used in the evaluation. This then requires a correlation
with the policy to evaluate what went wrong.”…””}”(hjÔ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MZhjÃ  hžhubhÐ)”}”(hX1  Instead, IPE just emits the rule that was matched. This limits the scope
of the investigation to the exact policy line (in the case of a specific
rule), or the section (in the case of a DEFAULT). This decreases iteration
and investigation times when policy failures are observed while evaluating
policies.”h]”hX1  Instead, IPE just emits the rule that was matched. This limits the scope
of the investigation to the exact policy line (in the case of a specific
rule), or the section (in the case of a DEFAULT). This decreases iteration
and investigation times when policy failures are observed while evaluating
policies.”…””}”(hjâ  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MahjÃ  hžhubhÐ)”}”(hX  IPE's policy engine is also designed in a way that it makes it obvious to
a human of how to investigate a policy failure. Each line is evaluated in
the sequence that is written, so the algorithm is very simple to follow
for humans to recreate the steps and could have caused the failure. In other
surveyed systems, optimizations occur (sorting rules, for instance) when loading
the policy. In those systems, it requires multiple steps to debug, and the
algorithm may not always be clear to the end-user without reading the code first.”h]”hX  IPEâ€™s policy engine is also designed in a way that it makes it obvious to
a human of how to investigate a policy failure. Each line is evaluated in
the sequence that is written, so the algorithm is very simple to follow
for humans to recreate the steps and could have caused the failure. In other
surveyed systems, optimizations occur (sorting rules, for instance) when loading
the policy. In those systems, it requires multiple steps to debug, and the
algorithm may not always be clear to the end-user without reading the code first.”…””}”(hjð  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MghjÃ  hžhubeh}”(h]”Œpolicy-debugging”ah ]”h"]”Œpolicy debugging:”ah$]”h&]”uh1h´hjè  hžhhŸh³h MXubhµ)”}”(hhh]”(hº)”}”(hŒSimplified Policy:”h]”hŒSimplified Policy:”…””}”(hj		  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj	  hžhhŸh³h MpubhÐ)”}”(hX~  Finally, IPE's policy is designed for sysadmins, not kernel developers. Instead
of covering individual LSM hooks (or syscalls), IPE covers operations. This means
instead of sysadmins needing to know that the syscalls ``mmap``, ``mprotect``,
``execve``, and ``uselib`` must have rules protecting them, they must simple know
that they want to restrict code execution. This limits the amount of bypasses that
could occur due to a lack of knowledge of the underlying system; whereas the
maintainers of IPE, being kernel developers can make the correct choice to determine
whether something maps to these operations, and under what conditions.”h]”(hŒÛFinally, IPEâ€™s policy is designed for sysadmins, not kernel developers. Instead
of covering individual LSM hooks (or syscalls), IPE covers operations. This means
instead of sysadmins needing to know that the syscalls ”…””}”(hj	  hžhhŸNh Nubj  )”}”(hŒ``mmap``”h]”hŒmmap”…””}”(hj	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj	  ubhŒ, ”…””}”(hj	  hžhhŸNh Nubj  )”}”(hŒ``mprotect``”h]”hŒmprotect”…””}”(hj1	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj	  ubhŒ,
”…””}”(hj	  hžhhŸNh Nubj  )”}”(hŒ
``execve``”h]”hŒexecve”…””}”(hjC	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj	  ubhŒ, and ”…””}”(hj	  hžhhŸNh Nubj  )”}”(hŒ
``uselib``”h]”hŒuselib”…””}”(hjU	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj	  ubhXs   must have rules protecting them, they must simple know
that they want to restrict code execution. This limits the amount of bypasses that
could occur due to a lack of knowledge of the underlying system; whereas the
maintainers of IPE, being kernel developers can make the correct choice to determine
whether something maps to these operations, and under what conditions.”…””}”(hj	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mrhj	  hžhubeh}”(h]”Œsimplified-policy”ah ]”h"]”Œsimplified policy:”ah$]”h&]”uh1h´hjè  hžhhŸh³h Mpubeh}”(h]”Œdesign-rationale”ah ]”h"]”Œdesign rationale:”ah$]”h&]”uh1h´hh¶hžhhŸh³h K€ubhµ)”}”(hhh]”(hº)”}”(hŒImplementation Notes”h]”hŒImplementation Notes”…””}”(hj€	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj}	  hžhhŸh³h M|ubhµ)”}”(hhh]”(hº)”}”(hŒAnonymous Memory”h]”hŒAnonymous Memory”…””}”(hj‘	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hjŽ	  hžhhŸh³h MubhÐ)”}”(hXŸ  Anonymous memory isn't treated any differently from any other access in IPE.
When anonymous memory is mapped with ``+X``, it still comes into the ``file_mmap``
or ``file_mprotect`` hook, but with a ``NULL`` file object. This is submitted to
the evaluation, like any other file. However, all current trust properties will
evaluate to false, as they are all file-based and the operation is not
associated with a file.”h]”(hŒtAnonymous memory isnâ€™t treated any differently from any other access in IPE.
When anonymous memory is mapped with ”…””}”(hjŸ	  hžhhŸNh Nubj  )”}”(hŒ``+X``”h]”hŒ+X”…””}”(hj§	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjŸ	  ubhŒ, it still comes into the ”…””}”(hjŸ	  hžhhŸNh Nubj  )”}”(hŒ``file_mmap``”h]”hŒ	file_mmap”…””}”(hj¹	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjŸ	  ubhŒ
or ”…””}”(hjŸ	  hžhhŸNh Nubj  )”}”(hŒ``file_mprotect``”h]”hŒfile_mprotect”…””}”(hjË	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjŸ	  ubhŒ hook, but with a ”…””}”(hjŸ	  hžhhŸNh Nubj  )”}”(hŒ``NULL``”h]”hŒNULL”…””}”(hjÝ	  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjŸ	  ubhŒÑ file object. This is submitted to
the evaluation, like any other file. However, all current trust properties will
evaluate to false, as they are all file-based and the operation is not
associated with a file.”…””}”(hjŸ	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MhjŽ	  hžhubjr  )”}”(hŒÕThis also occurs with the ``kernel_load_data`` hook, when the kernel is
loading data from a userspace buffer that is not backed by a file. In this
scenario all current trust properties will also evaluate to false.”h]”hÐ)”}”(hŒÕThis also occurs with the ``kernel_load_data`` hook, when the kernel is
loading data from a userspace buffer that is not backed by a file. In this
scenario all current trust properties will also evaluate to false.”h]”(hŒThis also occurs with the ”…””}”(hjù	  hžhhŸNh Nubj  )”}”(hŒ``kernel_load_data``”h]”hŒkernel_load_data”…””}”(hj
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjù	  ubhŒ§ hook, when the kernel is
loading data from a userspace buffer that is not backed by a file. In this
scenario all current trust properties will also evaluate to false.”…””}”(hjù	  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h MŠhjõ	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jq  hjŽ	  hžhhŸh³h Nubeh}”(h]”Œanonymous-memory”ah ]”h"]”Œanonymous memory”ah$]”h&]”uh1h´hj}	  hžhhŸh³h Mubhµ)”}”(hhh]”(hº)”}”(hŒSecurityfs Interface”h]”hŒSecurityfs Interface”…””}”(hj*
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj'
  hžhhŸh³h MubhÐ)”}”(hŒgThe per-policy securityfs tree is somewhat unique. For example, for
a standard securityfs policy tree::”h]”hŒfThe per-policy securityfs tree is somewhat unique. For example, for
a standard securityfs policy tree:”…””}”(hj8
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M‘hj'
  hžhubj.  )”}”(hŒZMyPolicy
  |- active
  |- delete
  |- name
  |- pkcs7
  |- policy
  |- update
  |- version”h]”hŒZMyPolicy
  |- active
  |- delete
  |- name
  |- pkcs7
  |- policy
  |- update
  |- version”…””}”hjF
  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j-  hŸh³h M”hj'
  hžhubhÐ)”}”(hŒGThe policy is stored in the ``->i_private`` data of the MyPolicy inode.”h]”(hŒThe policy is stored in the ”…””}”(hjT
  hžhhŸNh Nubj  )”}”(hŒ``->i_private``”h]”hŒ->i_private”…””}”(hj\
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjT
  ubhŒ data of the MyPolicy inode.”…””}”(hjT
  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h Mhj'
  hžhubeh}”(h]”Œsecurityfs-interface”ah ]”h"]”Œsecurityfs interface”ah$•Ö      ]”h&]”uh1h´hj}	  hžhhŸh³h Mubeh}”(h]”Œimplementation-notes”ah ]”h"]”Œimplementation notes”ah$]”h&]”uh1h´hh¶hžhhŸh³h M|ubhµ)”}”(hhh]”(hº)”}”(hŒTests”h]”hŒTests”…””}”(hj‡
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1h¹hj„
  hžhhŸh³h M ubhÐ)”}”(hŒDIPE has KUnit Tests for the policy parser. Recommended kunitconfig::”h]”hŒCIPE has KUnit Tests for the policy parser. Recommended kunitconfig:”…””}”(hj•
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¢hj„
  hžhubj.  )”}”(hX  CONFIG_KUNIT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_PKCS7_MESSAGE_PARSER=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_FS_VERITY=y
CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
CONFIG_BLOCK=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_NET=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_BLK_DEV_INITRD=y

CONFIG_SECURITY_IPE=y
CONFIG_IPE_PROP_DM_VERITY=y
CONFIG_IPE_PROP_DM_VERITY_SIGNATURE=y
CONFIG_IPE_PROP_FS_VERITY=y
CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y
CONFIG_SECURITY_IPE_KUNIT_TEST=y”h]”hX  CONFIG_KUNIT=y
CONFIG_SECURITY=y
CONFIG_SECURITYFS=y
CONFIG_PKCS7_MESSAGE_PARSER=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_FS_VERITY=y
CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
CONFIG_BLOCK=y
CONFIG_MD=y
CONFIG_BLK_DEV_DM=y
CONFIG_DM_VERITY=y
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
CONFIG_NET=y
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_BLK_DEV_INITRD=y

CONFIG_SECURITY_IPE=y
CONFIG_IPE_PROP_DM_VERITY=y
CONFIG_IPE_PROP_DM_VERITY_SIGNATURE=y
CONFIG_IPE_PROP_FS_VERITY=y
CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG=y
CONFIG_SECURITY_IPE_KUNIT_TEST=y”…””}”hj£
  sbah}”(h]”h ]”h"]”h$]”h&]”h±h²uh1j-  hŸh³h M¤hj„
  hžhubhÐ)”}”(hŒ´In addition, IPE has a python based integration
`test suite <https://github.com/microsoft/ipe/tree/test-suite>`_ that
can test both user interfaces and enforcement functionalities.”h]”(hŒ0In addition, IPE has a python based integration
”…””}”(hj±
  hžhhŸNh NubhŒ	reference”“”)”}”(hŒ@`test suite <https://github.com/microsoft/ipe/tree/test-suite>`_”h]”hŒ
test suite”…””}”(hj»
  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”Œ
test suite”Œrefuri”Œ0https://github.com/microsoft/ipe/tree/test-suite”uh1j¹
  hj±
  ubhŒtarget”“”)”}”(hŒ3 <https://github.com/microsoft/ipe/tree/test-suite>”h]”h}”(h]”Œ
test-suite”ah ]”h"]”Œ
test suite”ah$]”h&]”Œrefuri”jÌ
  uh1jÍ
  Œ
referenced”Khj±
  ubhŒD that
can test both user interfaces and enforcement functionalities.”…””}”(hj±
  hžhhŸNh Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÏhŸh³h M¼hj„
  hžhubeh}”(h]”Œtests”ah ]”h"]”Œtests”ah$]”h&]”uh1h´hh¶hžhhŸh³h M ubeh}”(h]”Œ5integrity-policy-enforcement-ipe-kernel-documentation”ah ]”h"]”Œ9integrity policy enforcement (ipe) - kernel documentation”ah$]”h&]”uh1h´hhhžhhŸh³h Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”h³uh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(h¹NŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”j  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”h³Œ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”Œrefids”}”Œnameids”}”(jô
  jñ
  j`  j]  jå  jâ  jz	  jw	  jû  jø  jó  jð  jÜ  jÙ  jÔ  jÑ  j3  j0  j  j  jÀ  j½  j	  j 	  jr	  jo	  j
  j~
  j$
  j!
  jy
  jv
  jì
  jé
  jØ
  jÕ
  uŒ	nametypes”}”(jô
  ‰j`  ‰jå  ‰jz	  ‰jû  ‰jó  ‰jÜ  ‰jÔ  ‰j3  ‰j  ‰jÀ  ‰j	  ‰jr	  ‰j
  ‰j$
  ‰jy
  ‰jì
  ‰jØ
  ˆuh}”(jñ
  h¶j]  j  jâ  jc  jw	  jè  jø  j†  jð  j—  jÙ  jþ  jÑ  j°  j0  jß  j  j6  j½  j“  j 	  jÃ  jo	  j	  j~
  j}	  j!
  jŽ	  jv
  j'
  jé
  j„
  jÕ
  jÏ
  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”…”R”Œparse_messages”]”(hŒsystem_message”“”)”}”(hhh]”hÐ)”}”(hŒ:Enumerated list start value not ordinal-1: "2" (ordinal 2)”h]”hŒ>Enumerated list start value not ordinal-1: â€œ2â€ (ordinal 2)”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhj~  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”ŒINFO”Œsource”h³Œline”Kuh1j|  hj®  ubj}  )”}”(hhh]”hÐ)”}”(hŒ:Enumerated list start value not ordinal-1: "3" (ordinal 3)”h]”hŒ>Enumerated list start value not ordinal-1: â€œ3â€ (ordinal 3)”…””}”(hj  hžhhŸNh Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÏhjš  ubah}”(h]”h ]”h"]”h$]”h&]”Œlevel”KŒtype”j—  Œsource”h³Œline”Kuh1j|  hj®  ubeŒtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nhžhub.