From: Yanzhu Huang <yanzhuhuang@linux.microsoft.com>
To: wufan@kernel.org, paul@paul-moore.com, mic@digikod.net
Cc: jmorris@namei.org, serge@hallyn.com, corbet@lwn.net,
yanzhuhuang@linux.microsoft.com,
linux-security-module@vger.kernel.org, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH v2 0/2] ipe: add script enforcement mechanism with AT_EXECVE_CHECK
Date: Fri, 31 Oct 2025 10:16:58 +0000
Message-ID: <20251031101700.694964-1-yanzhuhuang@linux.microsoft.com>
In-Reply-To: <20251023233656.661344-1-yanzhuhuang@linux.microsoft.com>
Indirect file execution through interpreters (e.g. python script.py, sh
script.sh) should have integrity policy enforced by IPE based on the
rules. Currently, IPE can only enforce policy on the interpreter binary
itself, but has no visibility into the scripts that the interpreter
executes.

Overview
--------

This patch series introduces script enforcement for IPE, allowing integrity
evaluation of indirectly executed scripts through the AT_EXECVE_CHECK flag.

Patch 1 adds the core implementation with ipe_bprm_creds_for_exec() hook
that integrates with the AT_EXECVE_CHECK mechanism.

Patch 2 updates admin guide documentation to explain the script enforcement
mechanism.

The IPE test suite has been updated to include script enforcement tests:
https://github.com/microsoft/ipe/pull/6
Yanzhu Huang (2):
ipe: Add AT_EXECVE_CHECK support for script enforcement
ipe: Update documentation for script enforcement
Documentation/admin-guide/LSM/ipe.rst | 17 ++++++++++++++---
security/ipe/audit.c | 1 +
security/ipe/hooks.c | 27 +++++++++++++++++++++++++++
security/ipe/hooks.h | 3 +++
security/ipe/ipe.c | 1 +
5 files changed, 46 insertions(+), 3 deletions(-)
--
2.43.0
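An interpreter-side illustration of the mechanism this series hooks into, added here as an example and not part of the patch or the IPE tree: the interpreter hands the already-open script descriptor to execveat(2) with AT_EXECVE_CHECK, so the kernel runs the exec-time LSM checks (IPE's bprm_creds_for_exec hook among them) against the script without executing it, and consults SECBIT_EXEC_RESTRICT_FILE to decide whether a refusal is fatal. The enum and function names are assumptions of this example; the flag and securebit values are the kernel uapi ones.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Fallback values (from the kernel uapi headers) for toolchains whose
 * headers predate Linux 6.14, which introduced AT_EXECVE_CHECK. */
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif
#ifndef SECBIT_EXEC_RESTRICT_FILE
#define SECBIT_EXEC_RESTRICT_FILE (1 << 8)
#endif
extern long syscall(long number, ...);

enum exec_check { EXEC_CHECK_ALLOWED, EXEC_CHECK_DENIED,
                  EXEC_CHECK_UNSUPPORTED, EXEC_CHECK_ERROR };

/* Ask the kernel, and through it every LSM including IPE, whether the file
 * behind fd could be executed. Checking the descriptor the interpreter
 * already reads from (not a path) avoids a time-of-check/time-of-use gap.
 * Nothing runs: on success execveat() returns 0 instead of replacing the
 * process image. */
enum exec_check check_script_fd(int fd)
{
    char *const argv[] = { NULL }, *const envp[] = { NULL };
#ifdef SYS_execveat
    if (syscall(SYS_execveat, fd, "", argv, envp,
                AT_EMPTY_PATH | AT_EXECVE_CHECK) == 0)
        return EXEC_CHECK_ALLOWED;
    if (errno == EACCES || errno == EPERM)
        return EXEC_CHECK_DENIED;      /* policy or mode bits refused it */
    if (errno == EINVAL)
        return EXEC_CHECK_UNSUPPORTED; /* kernel does not know the flag */
#endif
    return EXEC_CHECK_ERROR;
}

/* SECBIT_EXEC_RESTRICT_FILE is the administrator's signal that a failed
 * check must be fatal; without it the result is advisory (log, continue). */
int must_refuse_script(enum exec_check r)
{
    long bits = prctl(PR_GET_SECUREBITS);
    return bits >= 0 && (bits & SECBIT_EXEC_RESTRICT_FILE) &&
           r != EXEC_CHECK_ALLOWED;
}
```

On a kernel without AT_EXECVE_CHECK the call fails with EINVAL, which the interpreter should treat as "no verdict available" rather than as a denial.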