Lines Matching +full:critical +full:- +full:action
1 .. SPDX-License-Identifier: GPL-2.0
3 Integrity Policy Enforcement (IPE) - Kernel Documentation
10 :doc:`IPE admin guide </admin-guide/LSM/ipe>`.
13 ---------------------
16 of a locked-down system. This system would be born-secure, and have
18 *data files* on the system, that were critical to its function. These
27 2. DM-Verity
29 Both options were carefully considered, however the choice to use DM-Verity
46 modify filesystem offline, the attacker could wipe all the xattrs -
50 With DM-Verity, as the xattrs are saved as part of the Merkle tree, if
51 offline mount occurs against the filesystem protected by dm-verity, the
54 * As userspace binaries are paged in Linux, dm-verity also offers the
59 dm-verity will check the data when the page fault occurs (and the disk
64 * dm-verity provides integrity verification on demand as blocks are
73 * The signature supports an x.509-based signing infrastructure.
81 3. The policy enforcement must have a permissive-like mode.
87 7. The policy must be auditable, at any point-of-time.
107 --------------
128 -----------------
136 2. A single, non-customizable action was implicitly taken as a default.
138 4. Authoring a policy required an in-depth knowledge of the larger system,
149 IPE's policy is plain-text. This introduces slightly larger policy files than
162 back into the human-readable form with as much information preserved. This is because a
175 human-readable form to the data structure in kernel, saving on code maintenance,
186 plain-text policy, on the other hand, the signers see the actual policy
208 across its entire ecosystem - every bootloader would have to support this
231 make the compiled-in policy a full IPE policy, it allows system builders
240 always risk-free, and blocking a security update leaves systems vulnerable.
253 populated at kernel compile-time, as this matches the expectation that the
254 author of the compiled-in policy described above is the same entity that can
257 Anti-Rollback / Anti-Replay
288 that were critical to its function. In this system, three types of policies
292 in the action being denied.
294 in the action being allowed.
295 3. A policy in which the action taken when no rules are matched is
300 op=EXECUTE integrity_verified=YES action=ALLOW
308 op=EXECUTE integrity_verified=YES action=ALLOW
310 op=READ integrity_verified=NO label=critical_t action=DENY
311 op=READ action=ALLOW
322 op=READ integrity_verified=NO label=critical_t action=DENY
327 op=EXECUTE integrity_verified=YES action=ALLOW
328 op=EXECUTE action=DENY
330 op=READ integrity_verified=NO label=critical_t action=DENY
333 and override the default with an empty rule, force the end-user
337 DEFAULT op=EXECUTE action=DENY
338 op=EXECUTE integrity_verified=YES action=ALLOW
340 DEFAULT op=READ action=ALLOW
341 op=READ integrity_verified=NO label=critical_t action=DENY
348 investigation to the exact line that resulted in the action. Some integrity
365 algorithm may not always be clear to the end-user without reading the code first.
380 --------------------
389 evaluate to false, as they are all file-based and the operation is not
401 The per-policy securityfs tree is somewhat unique. For example, for
405 |- active
406 |- delete
407 |- name
408 |- pkcs7
409 |- policy
410 |- update
411 |- version
413 The policy is stored in the ``->i_private`` data of the MyPolicy inode.
416 -----
445 `test suite <https://github.com/microsoft/ipe/tree/test-suite>`_ that