[PATCH v3 0/2] ipe: add script enforcement mechanism with AT_EXECVE_CHECK

Yanzhu Huang posted 2 patches 1 month, 1 week ago
Documentation/admin-guide/LSM/ipe.rst | 17 ++++++++++++++---
security/ipe/audit.c                  |  1 +
security/ipe/hooks.c                  | 27 +++++++++++++++++++++++++++
security/ipe/hooks.h                  |  3 +++
security/ipe/ipe.c                    |  1 +
5 files changed, 46 insertions(+), 3 deletions(-)
Posted by Yanzhu Huang 1 month, 1 week ago
Indirect file execution through interpreters (e.g. python script.py, sh
script.sh) should have integrity policy enforced by IPE based on the
rules. Currently, IPE can only enforce policy on the interpreter binary
itself, but has no visibility into the scripts that the interpreter
executes.

Overview
--------

This patch series introduces script enforcement for IPE, allowing integrity
evaluation of indirectly executed scripts through the AT_EXECVE_CHECK flag.

Patch 1 adds the core implementation with ipe_bprm_creds_for_exec() hook
that integrates with the AT_EXECVE_CHECK mechanism.

Patch 2 updates admin guide documentation to explain the script enforcement
mechanism.

The IPE test suite has been updated to include script enforcement tests:
https://github.com/microsoft/ipe/pull/6

Changes since v2:
- update AT_EXECVE_CHECK reference

Changes since v1:
- update the interpreters reference

Yanzhu Huang (2):
  ipe: Add AT_EXECVE_CHECK support for script enforcement
  ipe: Update documentation for script enforcement

 Documentation/admin-guide/LSM/ipe.rst | 17 ++++++++++++++---
 security/ipe/audit.c                  |  1 +
 security/ipe/hooks.c                  | 27 +++++++++++++++++++++++++++
 security/ipe/hooks.h                  |  3 +++
 security/ipe/ipe.c                    |  1 +
 5 files changed, 46 insertions(+), 3 deletions(-)

--
2.43.0
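The cover letter describes the kernel side of the mechanism. The interpreter side, shown here as an added example written for this page (not code from the series or from the IPE project), is an execveat(2) call with AT_EXECVE_CHECK that asks the kernel whether an already-open script would be allowed to run, without executing it. With the series applied that query is what reaches the new ipe_bprm_creds_for_exec() hook, so an interpreter that honours the answer gets its scripts evaluated against IPE policy instead of only the interpreter binary. The helper names (exec_check_fd, check_path, make_script, verdict) and the sample script are assumptions of this example; AT_EXECVE_CHECK is defined locally only so the file builds against pre-6.14 UAPI headers, and a kernel without the flag rejects it with EINVAL, which the code reports as unsupported rather than as "allowed". The kernel only answers the question: the interpreter has to ask, and the SECBIT_EXEC_RESTRICT_FILE securebit added alongside the flag is how an administrator signals that interpreters are expected to enforce the result.

```c
/* Added example for this page: interpreter-side pre-exec check with
 * AT_EXECVE_CHECK.  Not part of the IPE series; helper names are assumed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Value from include/uapi/linux/fcntl.h (Linux 6.14+).  Defined here only so
 * the example builds with older headers; an older kernel returns EINVAL. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif

/* Ask the kernel whether fd may be executed, without executing it.  The
 * exec-time checks, including the LSM bprm_creds_for_exec hooks, run as for
 * a real execve.  Returns 0 when allowed, otherwise -errno. */
int exec_check_fd(int fd)
{
	/* argv/envp are required by the syscall but nothing is executed. */
	char *const argv[] = { "script", NULL };
	char *const envp[] = { NULL };

	if (syscall(SYS_execveat, fd, "", argv, envp,
		    AT_EMPTY_PATH | AT_EXECVE_CHECK) == 0)
		return 0;
	return -errno;
}

/* What an interpreter would do before handing a file to its parser. */
int check_path(const char *path)
{
	int fd = open(path, O_RDONLY | O_CLOEXEC);
	if (fd < 0)
		return -errno;
	int rc = exec_check_fd(fd);
	close(fd);
	return rc;
}

/* Human-readable result; -EINVAL means the running kernel lacks the flag. */
const char *verdict(int rc)
{
	switch (rc) {
	case 0:       return "allowed";
	case -EINVAL: return "kernel does not support AT_EXECVE_CHECK";
	case -EACCES: return "denied (permissions, noexec mount or LSM policy)";
	default:      return strerror(-rc);
	}
}

/* Constructed sample script for the demo; tmpl is a mkstemp() template.
 * The file is closed before it is checked so the check sees final contents. */
int make_script(char *tmpl, mode_t mode)
{
	static const char body[] = "#!/bin/sh\necho hello from a checked script\n";
	int fd = mkstemp(tmpl);
	if (fd < 0)
		return -errno;
	int rc = 0;
	if (write(fd, body, sizeof(body) - 1) != (ssize_t)(sizeof(body) - 1) ||
	    fchmod(fd, mode) != 0)
		rc = -errno;
	close(fd);
	return rc;
}

int main(void)
{
	char paths[2][32] = { "/tmp/ipe-exec-XXXXXX", "/tmp/ipe-noexec-XXXXXX" };
	mode_t modes[2] = { 0700, 0600 };

	for (int i = 0; i < 2; i++) {
		if (make_script(paths[i], modes[i]) != 0) {
			perror("make_script");
			return 1;
		}
		int rc = check_path(paths[i]);
		printf("%s (mode %04o): %s\n", paths[i], (unsigned)modes[i],
		       verdict(rc));
		unlink(paths[i]);
	}
	return 0;
}
```

On a kernel with the flag, the 0700 script is reported as allowed unless a noexec mount or an LSM such as IPE denies it, and the 0600 copy is denied with EACCES exactly as a direct exec would be; on an older kernel both calls return EINVAL, which an enforcing interpreter must not confuse with permission. An interpreter that wants IPE to see its scripts should perform this check on the same open descriptor it then reads from, so the file the kernel evaluated is the file that gets parsed.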
Re: [PATCH v3 0/2] ipe: add script enforcement mechanism with AT_EXECVE_CHECK
Posted by Fan Wu 1 month, 1 week ago
On Wed, Nov 5, 2025 at 3:26 PM Yanzhu Huang
<yanzhuhuang@linux.microsoft.com> wrote:
>
> Indirect file execution through interpreters (e.g. python script.py, sh
> script.sh) should have integrity policy enforced by IPE based on the
> rules. Currently, IPE can only enforce policy on the interpreter binary
> itself, but has no visibility into the scripts that the interpreter
> executes.
>
> Overview
> --------
>
> This patch series introduces script enforcement for IPE, allowing integrity
> evaluation of indirectly executed scripts through the AT_EXECVE_CHECK flag.
>
> Patch 1 adds the core implementation with ipe_bprm_creds_for_exec() hook
> that integrates with the AT_EXECVE_CHECK mechanism.
>
> Patch 2 updates admin guide documentation to explain the script enforcement
> mechanism.
>
> The IPE test suite has been updated to include script enforcement tests:
> https://github.com/microsoft/ipe/pull/6
>
> Changes since v2:
> - update AT_EXECVE_CHECK reference
>
> Changes since v1:
> - update the interpreters reference
>
> Yanzhu Huang (2):
>   ipe: Add AT_EXECVE_CHECK support for script enforcement
>   ipe: Update documentation for script enforcement
>
>  Documentation/admin-guide/LSM/ipe.rst | 17 ++++++++++++++---
>  security/ipe/audit.c                  |  1 +
>  security/ipe/hooks.c                  | 27 +++++++++++++++++++++++++++
>  security/ipe/hooks.h                  |  3 +++
>  security/ipe/ipe.c                    |  1 +
>  5 files changed, 46 insertions(+), 3 deletions(-)
>
> --
> 2.43.0
>

Thanks, applied to ipe/next.

-Fan