policy: add policy-integrity to mitigate policy tampering

PR-URL: https://github.com/nodejs/node/pull/28734 Reviewed-By: Gus Caplan <me@gus.host> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Guy Bedford <guybedford@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
author: Bradley Farias <bradley.meck@gmail.com> 2019-06-05 21:33:07 +0300
committer: Rich Trott <rtrott@gmail.com> 2019-07-20 23:24:58 +0300
commit: 6c288a704453ec7319928495efd0d3c482bcf754 (patch)
tree: 45793ed29535a70e9af1511111b47ac35702bb4f /doc/api/policy.md
parent: 0df3ea09faccd04dc0f0c3022e970e60403b9a6b (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/doc/api/policy.md b/doc/api/policy.md
index be7ea3480b7..a1955f2b3ee 100644
--- a/doc/api/policy.md
+++ b/doc/api/policy.md
@@ -38,6 +38,15 @@ node --experimental-policy=policy.json app.js
 The policy manifest will be used to enforce constraints on code loaded by
 Node.js.
 
+In order to mitigate tampering with policy files on disk, an integrity for
+the policy file itself may be provided via `--policy-integrity`.
+This allows running `node` and asserting the policy file contents
+even if the file is changed on disk.
+
+```sh
+node --experimental-policy=policy.json --policy-integrity="sha384-SggXRQHwCG8g+DktYYzxkXRIkTiEYWBHqev0xnpCxYlqMBufKZHAHQM3/boDaI/0" app.js
+```
+
 ## Features
 
 ### Error Behavior
author	Bradley Farias <bradley.meck@gmail.com>	2019-06-05 21:33:07 +0300
committer	Rich Trott <rtrott@gmail.com>	2019-07-20 23:24:58 +0300
commit	6c288a704453ec7319928495efd0d3c482bcf754 (patch)
tree	45793ed29535a70e9af1511111b47ac35702bb4f /doc/api/policy.md
parent	0df3ea09faccd04dc0f0c3022e970e60403b9a6b (diff)