[PATCH v3 0/2] ipe: add script enforcement mechanism with AT_EXECVE_CHECK

Fan Wu wufan at kernel.org
Wed Nov 5 23:39:28 UTC 2025


On Wed, Nov 5, 2025 at 3:26 PM Yanzhu Huang
<yanzhuhuang at linux.microsoft.com> wrote:
>
> Indirect file execution through interpreters (e.g. python script.py, sh
> script.sh) should have integrity policy enforced by IPE based on the
> rules. Currently, IPE can only enforce policy on the interpreter binary
> itself, but has no visibility into the scripts that the interpreter
> executes.
>
> Overview
> --------
>
> This patch series introduces script enforcement for IPE, allowing integrity
> evaluation of indirectly executed scripts through the AT_EXECVE_CHECK flag.
>
> Patch 1 adds the core implementation with the ipe_bprm_creds_for_exec() hook
> that integrates with the AT_EXECVE_CHECK mechanism.
>
> Patch 2 updates admin guide documentation to explain the script enforcement
> mechanism.
>
> The IPE test suite has been updated to include script enforcement tests:
> https://github.com/microsoft/ipe/pull/6
>
> Changes since v2:
> - update AT_EXECVE_CHECK reference
>
> Changes since v1:
> - update the interpreters reference
>
> Yanzhu Huang (2):
>   ipe: Add AT_EXECVE_CHECK support for script enforcement
>   ipe: Update documentation for script enforcement
>
>  Documentation/admin-guide/LSM/ipe.rst | 17 ++++++++++++++---
>  security/ipe/audit.c                  |  1 +
>  security/ipe/hooks.c                  | 27 +++++++++++++++++++++++++++
>  security/ipe/hooks.h                  |  3 +++
>  security/ipe/ipe.c                    |  1 +
>  5 files changed, 46 insertions(+), 3 deletions(-)
>
> --
> 2.43.0
>

Thanks, applied to ipe/next.

-Fan
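The cover letter above describes the kernel side: IPE's ipe_bprm_creds_for_exec() hook runs when a process checks a file with AT_EXECVE_CHECK. The following is an added example of the user-space side, written for this page and not taken from the patch series or from the kernel tree. It shows what an interpreter does before running a script: open the file, call execveat(2) with AT_EMPTY_PATH | AT_EXECVE_CHECK, and act on the result. With that flag the kernel performs the same checks a real execve() of the file would (mode bits, noexec mounts, LSM hooks such as IPE's) but never replaces the calling process and never parses the file through a binfmt handler. Assumptions: Linux; AT_EXECVE_CHECK has the value 0x10000 from the 6.14 UAPI headers (defined below in case the installed headers predate it); the mapping in verdict_from_rc() from errno to allow/deny/unsupported is this example's own policy, not something the kernel dictates.

```c
/*
 * Added example (not from the IPE series or the kernel tree): ask the
 * kernel whether a script would pass execution policy, without running it.
 *
 * Assumptions: Linux; AT_EXECVE_CHECK == 0x10000 (6.14 UAPI value), defined
 * here for older header sets. Kernels without the flag reject it with EINVAL.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
/* glibc/musl prototype, restated so a strict -std= does not hide it */
extern long syscall(long number, ...);
#endif

#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH   0x1000
#endif
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000   /* assumed value, matches linux/fcntl.h */
#endif

enum exec_verdict {
    VERDICT_ALLOW,       /* kernel policy permits executing this file */
    VERDICT_DENY,        /* policy (for example IPE) or mode bits refused it */
    VERDICT_UNSUPPORTED, /* kernel has no AT_EXECVE_CHECK: nothing to enforce */
    VERDICT_ERROR        /* open failure, bad fd, other I/O error */
};

/* Return 0 if the file behind fd may be executed under current policy,
 * otherwise -errno. The process is never replaced. */
static int exec_check_fd(int fd)
{
    char *argv[] = { NULL };
    char *envp[] = { NULL };
#ifdef __linux__
    /* Empty path + AT_EMPTY_PATH: operate on fd itself.
     * AT_EXECVE_CHECK: run the execve checks only, never exec. */
    if (syscall(SYS_execveat, fd, "", argv, envp,
                AT_EMPTY_PATH | AT_EXECVE_CHECK) == 0)
        return 0;
    return -errno;
#else
    (void)fd; (void)argv; (void)envp;
    return -ENOSYS;
#endif
}

/* Map the raw result onto the decision an interpreter has to make.
 * This mapping is the example's own choice, not kernel-mandated. */
static enum exec_verdict verdict_from_rc(int rc)
{
    if (rc == 0)
        return VERDICT_ALLOW;
    if (rc == -EACCES || rc == -EPERM)
        return VERDICT_DENY;
    if (rc == -EINVAL || rc == -ENOSYS)
        return VERDICT_UNSUPPORTED;
    return VERDICT_ERROR;
}

/* Open a script read-only and obtain the verdict on it. */
static enum exec_verdict check_script(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return VERDICT_ERROR;
    enum exec_verdict v = verdict_from_rc(exec_check_fd(fd));
    close(fd);
    return v;
}

static const char *verdict_name(enum exec_verdict v)
{
    switch (v) {
    case VERDICT_ALLOW:       return "allow";
    case VERDICT_DENY:        return "deny";
    case VERDICT_UNSUPPORTED: return "unsupported";
    default:                  return "error";
    }
}

int main(int argc, char **argv)
{
    /* Usage: ./check_exec /path/to/script.py */
    const char *path = argc > 1 ? argv[1] : "/bin/sh";
    printf("%s: %s\n", path, verdict_name(check_script(path)));
    return 0;
}
```

Two points a real interpreter has to settle that this example leaves open. First, on a kernel that returns EINVAL the interpreter cannot enforce anything; whether it then runs the script or refuses is a compatibility decision, and the kernel's check_exec documentation pairs the flag with securebits (SECBIT_EXEC_RESTRICT_FILE and SECBIT_EXEC_DENY_INTERACTIVE) that let an administrator tell interpreters what to do, which this example does not consult. Second, the check and the later read of the script are two operations on the same open fd; reading the content through that fd rather than reopening the path avoids a swap between the check and the read.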
