[RFC PATCH v1 0/1] ipe: added script enforcement with BPRM check
Jasjiv Singh
jasjivsingh at linux.microsoft.com
Tue Apr 29 21:22:49 UTC 2025
From: jasjivsingh_microsoft <jasjivsingh at linux.microsoft.com>
Currently, IPE only enforces the policy operations for direct
file execution (e.g. ./script.sh). However, indirect file execution
(e.g. sh script.sh) needs to be enforced by IPE based on the rules.
Overview
--------
This patch introduces the `ipe_bprm_creds_for_exec` LSM hook. This hook
specifically targets the `AT_EXECVE_CHECK` scenario [1], allowing IPE to
evaluate the `EXECUTE` operation policy for the script file during the
check phase itself.
[1] https://lore.kernel.org/linux-security-module/20241212174223.389435-1-mic@digikod.net/
Example
--------
ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=18571 comm="inc"
path="/tmp/script/hello.inc" dev="tmpfs" ino=24 rule="DEFAULT action=DENY"

This is the log message when the IPE policy denies the indirect script
execution via the 'inc' test interpreter.
The IPE test suite has been updated to include script enforcement tests:
https://github.com/microsoft/ipe/tree/test-suite
jasjivsingh_microsoft (1):
ipe: add script enforcement with BPRM check
security/ipe/hooks.c | 23 +++++++++++++++++++++++
security/ipe/hooks.h | 2 ++
security/ipe/ipe.c | 1 +
3 files changed, 26 insertions(+)
--
2.34.1
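Added example, not part of the patch or the IPE project: the interpreter side of the AT_EXECVE_CHECK scenario the cover letter targets. An interpreter asks the kernel, via execveat(2) with AT_EXECVE_CHECK, whether the script would be allowed to execute; the bprm_creds_for_exec LSM hooks run (this is where the new IPE hook evaluates the EXECUTE rule) and nothing is actually executed. The function names exec_check and result_name are hypothetical, and the 0x10000 fallback is the uapi value of the flag for toolchains whose headers predate it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000 /* uapi/linux/fcntl.h value, Linux 6.14+ */
#endif

enum check_result { CHECK_ALLOWED, CHECK_DENIED, CHECK_UNSUPPORTED, CHECK_ERROR };

/* Ask the kernel whether executing `path` would be permitted, without running
 * it. With AT_EXECVE_CHECK the kernel stops after the credential/LSM checks,
 * so a 0 return means "an LSM such as IPE would allow this file". */
enum check_result exec_check(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
    /* raw syscall: works with libc versions that lack an execveat() wrapper */
    long rc = syscall(SYS_execveat, AT_FDCWD, path, argv, envp, AT_EXECVE_CHECK);
    if (rc == 0)
        return CHECK_ALLOWED;          /* check passed; nothing was executed */
    switch (errno) {
    case EACCES: return CHECK_DENIED;  /* IPE (or mode bits) refused execution */
    case EINVAL: return CHECK_UNSUPPORTED; /* kernel rejects the unknown flag */
    default:     return CHECK_ERROR;   /* ENOENT and other lookup failures */
    }
}

const char *result_name(enum check_result r)
{
    static const char *const names[] = { "allowed", "denied", "unsupported", "error" };
    return names[r];
}

/* Interpreter stand-in: only "interpret" (here: echo the first line) scripts
 * the kernel would allow. Usage: ./a.out /tmp/script/hello.inc ... */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        enum check_result r = exec_check(argv[i]);
        printf("%s: %s\n", argv[i], result_name(r));
        if (r != CHECK_ALLOWED)
            continue;                  /* deny-by-default on any non-allow */
        FILE *f = fopen(argv[i], "r");
        char line[256];
        if (f && fgets(line, sizeof line, f))
            printf("  first line: %s", line);
        if (f) fclose(f);
    }
    return 0;
}
```

On kernels without AT_EXECVE_CHECK the call fails with EINVAL, which the interpreter should treat as "unsupported" rather than "allowed" so that enforcement is not silently skipped.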