examples/enforce_load_policy.py
"""Enforce a LoadPolicy across trusted and untrusted signers of one BPF program.

The same KPROBE program is signed by three identities; a PolicyRule allow-lists
the DIDs of two of them, and every policy.evaluate() decision is written to an
AttestationLog and printed.

Run:
    python examples/enforce_load_policy.py
"""
6
7 from __future__ import annotations
8
9 from quantumshield.identity.agent import AgentIdentity
10
11 from pqc_ebpf_attestation import (
12 AttestationLog,
13 BPFProgram,
14 BPFProgramMetadata,
15 BPFProgramType,
16 BPFSigner,
17 LoadPolicy,
18 PolicyRule,
19 )
20
21
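def main() -> None:
    """Sign one BPF program with three identities and evaluate a signer allow-list.

    Two identities (``trusted-signer-a``, ``trusted-signer-b``) are placed on the
    KPROBE rule's ``allowed_signers``; the third (``rogue-signer``) is not. Each
    signed artifact is passed to ``LoadPolicy.evaluate``, the decision is written
    to an ``AttestationLog``, and a summary table plus the audit trail are printed
    to stdout. Returns nothing.
    """
    # Three signing identities. Only the first two are on the allow-list; the
    # third carries the same "sign" capability, so it is the policy (not the
    # capability) that is expected to keep it out.
    trusted_a = AgentIdentity.create("trusted-signer-a", capabilities=["sign"])
    trusted_b = AgentIdentity.create("trusted-signer-b", capabilities=["sign"])
    untrusted = AgentIdentity.create("rogue-signer", capabilities=["sign"])

    # Identical metadata and bytecode for every signer: the only thing that
    # differs between the three signed artifacts is *who* signed, which is
    # exactly what the rule keys on.
    metadata = BPFProgramMetadata(
        name="kprobe_do_sys_openat2",
        program_type=BPFProgramType.KPROBE,
        license="GPL",
        author="ops",
        attach_point="do_sys_openat2",
    )
    # Placeholder ELF-looking payload; nothing here loads it into a kernel.
    bytecode = b"\x7fELF" + b"\xaa" * 512

    program = BPFProgram.from_bytes(metadata, bytecode)
    signed_by = {
        "trusted-a": BPFSigner(trusted_a).sign(program),
        "trusted-b": BPFSigner(trusted_b).sign(program),
        "untrusted": BPFSigner(untrusted).sign(program),
    }

    # Policy: KPROBE programs must be signed by trusted_a or trusted_b. The
    # allow-list is keyed on the signer's DID, not on its human-readable name.
    # NOTE(review): whether evaluate() also verifies the signature itself or
    # only matches the claimed signer DID is not visible here — confirm in
    # LoadPolicy before treating this check as sufficient at load time.
    policy = LoadPolicy().add_rule(
        PolicyRule(
            program_types=(BPFProgramType.KPROBE,),
            allowed_signers=frozenset({trusted_a.did, trusted_b.did}),
        )
    )

    # Column widths shared by the header and the rows so the table lines up
    # ("decision" is 8 characters; a narrower column shifts the reason text).
    signer_w, decision_w = 12, 8

    log = AttestationLog()
    print(f"{'signer':<{signer_w}} {'decision':<{decision_w}} reason")
    print("-" * 72)
    for label, signed in signed_by.items():
        decision, reason = policy.evaluate(signed)
        # Record every decision, allow or deny, so denials are auditable too.
        log.log(signed, decision, reason, actor=f"load:{label}")
        print(f"{label:<{signer_w}} {decision.value:<{decision_w}} {reason}")

    print()
    # NOTE(review): the heading assumes entries() yields newest first — confirm.
    print("Audit log (most recent first):")
    for entry in log.entries():
        # Display-only truncation of the DID's last segment; the entry itself
        # still carries the full signer_did for attribution.
        short_did = entry.signer_did.split(":")[-1][:12]
        print(f" {entry.timestamp} {entry.decision:<{decision_w}} signer={short_did} {entry.reason}")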
66
67
if __name__ == "__main__":
    # Entry point when executed as a script; importing the module does not run main().
    main()
70