From: jasjivsingh_microsoft <jasjivsingh@linux.microsoft.com>

Currently, IPE only enforces the policy operations for direct
file execution (e.g. ./script.sh). However, indirect file execution
(e.g. sh script.sh) needs to be enforced by IPE based on the rules.

Overview
--------

This patch introduces the `ipe_bprm_creds_for_exec` LSM hook. This hook
specifically targets the `AT_EXECVE_CHECK` scenario [1], allowing IPE to
evaluate the `EXECUTE` operation policy for the script file during the
check phase itself.

[1] https://lore.kernel.org/linux-security-module/20241212174223.389435-1-mic@digikod.net/

Example
-------

ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=18571 comm="inc"
path="/tmp/script/hello.inc" dev="tmpfs" ino=24 rule="DEFAULT action=DENY"

This is the log message when the IPE policy denies the indirect script
execution via the 'inc' test interpreter.

The IPE test suite has been updated to include script enforcement tests:
https://github.com/microsoft/ipe/tree/test-suite

jasjivsingh_microsoft (1):
  ipe: add script enforcement with BPRM check

 security/ipe/hooks.c | 23 +++++++++++++++++++++++
 security/ipe/hooks.h |  2 ++
 security/ipe/ipe.c   |  1 +
 3 files changed, 26 insertions(+)

-- 
2.34.1
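The cover letter describes the kernel side only: the new hook fires when an interpreter asks the kernel, through execveat(2) with AT_EXECVE_CHECK, whether a script may be run. The program below is an added example of that userspace side, a minimal stand-in for what an interpreter like the 'inc' test interpreter has to do before running a script; it is not code from this patch, from the IPE project or from its test suite. Assumptions: the AT_EXECVE_CHECK flag value is the one in the upstream UAPI header (0x10000, Linux 6.14 and later); a kernel that predates the flag rejects it with EINVAL; an LSM denial reaches userspace as EACCES or EPERM; the script contents and the function names (check_script_fd, check_constructed_script) are constructed for this example.

```c
/* Added example, not part of the IPE patch: ask the kernel whether a
 * script may be executed (execveat(2) + AT_EXECVE_CHECK) without running it.
 * With the IPE patch applied, this is the call path on which the EXECUTE
 * policy is evaluated for the script file itself.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>

#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000 /* include/uapi/linux/fcntl.h, Linux 6.14+ (assumed) */
#endif

enum exec_check {
    EXEC_CHECK_ERROR = -1,      /* unexpected errno, see perror() output   */
    EXEC_CHECK_ALLOWED = 0,     /* kernel (and every LSM) would allow exec  */
    EXEC_CHECK_DENIED = 1,      /* EACCES/EPERM: policy or mode bits deny   */
    EXEC_CHECK_UNSUPPORTED = 2, /* kernel does not know AT_EXECVE_CHECK     */
};

/* Check an already-open script fd the way an interpreter would, before
 * reading and running its contents. Nothing is executed by this call. */
enum exec_check check_script_fd(int fd)
{
#if defined(__linux__) && defined(__NR_execveat)
    char *const argv[] = { "script", NULL };
    char *const envp[] = { NULL };
    long rc = syscall(__NR_execveat, fd, "", argv, envp,
                      AT_EMPTY_PATH | AT_EXECVE_CHECK);
    if (rc == 0)
        return EXEC_CHECK_ALLOWED;
    switch (errno) {
    case EACCES:
    case EPERM:
        return EXEC_CHECK_DENIED;
    case EINVAL: /* unknown flag bit: kernel predates AT_EXECVE_CHECK */
    case ENOSYS:
        return EXEC_CHECK_UNSUPPORTED;
    default:
        perror("execveat(AT_EXECVE_CHECK)");
        return EXEC_CHECK_ERROR;
    }
#else
    (void)fd;
    return EXEC_CHECK_UNSUPPORTED;
#endif
}

/* Write a constructed one-line script to a temp file, then check it. */
enum exec_check check_constructed_script(void)
{
    static const char body[] = "echo hello from a checked script\n";
    char path[] = "/tmp/ipe-check-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return EXEC_CHECK_ERROR;
    if (write(fd, body, sizeof body - 1) != (ssize_t)(sizeof body - 1)) {
        close(fd);
        unlink(path);
        return EXEC_CHECK_ERROR;
    }
    close(fd);
    /* Make it executable so a DENIED result reflects policy (IPE rules, a
     * noexec mount) rather than the file's own mode bits. */
    chmod(path, 0700);
    fd = open(path, O_RDONLY | O_CLOEXEC);
    enum exec_check r = (fd < 0) ? EXEC_CHECK_ERROR : check_script_fd(fd);
    if (fd >= 0)
        close(fd);
    unlink(path);
    return r;
}

int main(void)
{
    static const char *const names[] = { "allowed", "denied", "unsupported" };
    enum exec_check r = check_constructed_script();
    if (r == EXEC_CHECK_ERROR)
        return 1;
    printf("AT_EXECVE_CHECK on constructed script: %s\n", names[r]);
    return 0;
}
```

On a kernel with this patch and an IPE policy whose default is DENY for EXECUTE, the check returns EXEC_CHECK_DENIED and IPE logs a line like the `ipe_hook=BPRM_CHECK` message in the cover letter; an interpreter should then refuse to run the script. Pass `AT_EMPTY_PATH` with an fd rather than a path so the file that was checked is the same object the interpreter goes on to read.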
On Tue, Apr 29, 2025 at 2:23 PM Jasjiv Singh <jasjivsingh@linux.microsoft.com> wrote:
>
> From: jasjivsingh_microsoft <jasjivsingh@linux.microsoft.com>
>
> Currently, IPE only enforces the policy operations for direct
> file execution (e.g. ./script.sh). However, indirect file execution
> (e.g. sh script.sh) needs to be enforced by IPE based on the rules.
>
> Overview
> --------
>
> This patch introduces the `ipe_bprm_creds_for_exec` LSM hook. This hook
> specifically targets the `AT_EXECVE_CHECK` scenario [1], allowing IPE to
> evaluate the `EXECUTE` operation policy for the script file during the
> check phase itself.
>
> [1] https://lore.kernel.org/linux-security-module/20241212174223.389435-1-mic@digikod.net/
>
> Example
> -------
>
> ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=18571 comm="inc"
> path="/tmp/script/hello.inc" dev="tmpfs" ino=24 rule="DEFAULT action=DENY"
>
> the log message when the IPE policy denies the indirect script execution
> via the 'inc' test interpreter.
>
> The IPE test suite has been updated to include script enforcement tests:
> https://github.com/microsoft/ipe/tree/test-suite

Please use the PR link instead of the repo link.

-Fan
© 2016 - 2026 Red Hat, Inc.