* [RFC PATCH v1 0/1] ipe: added script enforcement with BPRM check
@ 2025-04-29 21:22 Jasjiv Singh
2025-04-29 21:22 ` [RFC PATCH v1 1/1] ipe: add " Jasjiv Singh
2025-04-30 23:24 ` [RFC PATCH v1 0/1] ipe: added " Fan Wu
0 siblings, 2 replies; 4+ messages in thread
From: Jasjiv Singh @ 2025-04-29 21:22 UTC (permalink / raw)
To: wufan, paul, jmorris, serge, mic
Cc: linux-security-module, linux-kernel, jasjivsingh_microsoft
From: jasjivsingh_microsoft <jasjivsingh@linux.microsoft.com>
Currently, IPE only enforces the policy operations for direct
file execution (e.g. ./script.sh). However, indirect file execution
(e.g. sh script.sh) needs to be enforced by IPE based on the rules.
Overview
--------
This patch introduces the `ipe_bprm_creds_for_exec` LSM hook. This hook
specifically targets the `AT_EXECVE_CHECK` scenario [1], allowing IPE to
evaluate the `EXECUTE` operation policy for the script file during the
check phase itself.
[1] https://lore.kernel.org/linux-security-module/20241212174223.389435-1-mic@digikod.net/
Example
--------
ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=18571 comm="inc"
path="/tmp/script/hello.inc" dev="tmpfs" ino=24 rule="DEFAULT action=DENY"
the log message when the IPE policy denies the indirect script execution
via the 'inc' test interpreter.
The IPE test suite has been updated to include script enforcement tests:
https://github.com/microsoft/ipe/tree/test-suite
jasjivsingh_microsoft (1):
ipe: add script enforcement with BPRM check
security/ipe/hooks.c | 23 +++++++++++++++++++++++
security/ipe/hooks.h | 2 ++
security/ipe/ipe.c | 1 +
3 files changed, 26 insertions(+)
--
2.34.1
^ permalink raw reply [flat|nested] 4+ messages in thread
* [RFC PATCH v1 1/1] ipe: add script enforcement with BPRM check
2025-04-29 21:22 [RFC PATCH v1 0/1] ipe: added script enforcement with BPRM check Jasjiv Singh
@ 2025-04-29 21:22 ` Jasjiv Singh
2025-04-30 23:29 ` Fan Wu
2025-04-30 23:24 ` [RFC PATCH v1 0/1] ipe: added " Fan Wu
1 sibling, 1 reply; 4+ messages in thread
From: Jasjiv Singh @ 2025-04-29 21:22 UTC (permalink / raw)
To: wufan, paul, jmorris, serge, mic
Cc: linux-security-module, linux-kernel, jasjivsingh_microsoft
From: jasjivsingh_microsoft <jasjivsingh@linux.microsoft.com>
Like direct file execution (e.g. ./script.sh), indirect file execution
(e.g. sh script.sh) needs to be enforce by IPE based on the rules.
Added a new security_bprm_creds_for_exec() hook to verify the indirect
file's integrity.
Signed-off-by: Jasjiv Singh <jasjivsingh@linux.microsoft.com>
---
security/ipe/hooks.c | 23 +++++++++++++++++++++++
security/ipe/hooks.h | 2 ++
security/ipe/ipe.c | 1 +
3 files changed, 26 insertions(+)
diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
index d0323b81cd8f..12713a0495cf 100644
--- a/security/ipe/hooks.c
+++ b/security/ipe/hooks.c
@@ -35,6 +35,29 @@ int ipe_bprm_check_security(struct linux_binprm *bprm)
return ipe_evaluate_event(&ctx);
}
+/**
+ * ipe_bprm_creds_for_exec() - ipe security hook function for bprm creds check.
+ * @bprm: Supplies a pointer to a linux_binprm structure to source the file
+ * being evaluated.
+ *
+ * This LSM hook is called when a script is checked for execution through the
+ * execveat syscall with the AT_EXECVE_CHECK flag.
+ *
+ * Return:
+ * * %0 - Success
+ * * %-EACCES - Did not pass IPE policy
+ */
+int ipe_bprm_creds_for_exec(struct linux_binprm *bprm)
+{
+ struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
+
+ if (!bprm->is_check)
+ return 0;
+
+ ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK);
+ return ipe_evaluate_event(&ctx);
+}
+
/**
* ipe_mmap_file() - ipe security hook function for mmap check.
* @f: File being mmap'd. Can be NULL in the case of anonymous memory.
diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
index 38d4a387d039..1c16a25d806e 100644
--- a/security/ipe/hooks.h
+++ b/security/ipe/hooks.h
@@ -24,6 +24,8 @@ enum ipe_hook_type {
int ipe_bprm_check_security(struct linux_binprm *bprm);
+int ipe_bprm_creds_for_exec(struct linux_binprm *bprm);
+
int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot,
unsigned long flags);
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 4317134cb0da..845e3fd7a345 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -47,6 +47,7 @@ struct ipe_inode *ipe_inode(const struct inode *inode)
static struct security_hook_list ipe_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
+ LSM_HOOK_INIT(bprm_creds_for_exec, ipe_bprm_creds_for_exec),
LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [RFC PATCH v1 0/1] ipe: added script enforcement with BPRM check
2025-04-29 21:22 [RFC PATCH v1 0/1] ipe: added script enforcement with BPRM check Jasjiv Singh
2025-04-29 21:22 ` [RFC PATCH v1 1/1] ipe: add " Jasjiv Singh
@ 2025-04-30 23:24 ` Fan Wu
1 sibling, 0 replies; 4+ messages in thread
From: Fan Wu @ 2025-04-30 23:24 UTC (permalink / raw)
To: Jasjiv Singh
Cc: wufan, paul, jmorris, serge, mic, linux-security-module,
linux-kernel
On Tue, Apr 29, 2025 at 2:23 PM Jasjiv Singh
<jasjivsingh@linux.microsoft.com> wrote:
>
> From: jasjivsingh_microsoft <jasjivsingh@linux.microsoft.com>
>
> Currently, IPE only enforces the policy operations for direct
> file execution (e.g. ./script.sh). However, indirect file execution
> (e.g. sh script.sh) needs to be enforced by IPE based on the rules.
>
> Overview
> --------
>
> This patch introduces the `ipe_bprm_creds_for_exec` LSM hook. This hook
> specifically targets the `AT_EXECVE_CHECK` scenario [1], allowing IPE to
> evaluate the `EXECUTE` operation policy for the script file during the
> check phase itself.
>
> [1] https://lore.kernel.org/linux-security-module/20241212174223.389435-1-mic@digikod.net/
>
> Example
> --------
>
> ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=18571 comm="inc"
> path="/tmp/script/hello.inc" dev="tmpfs" ino=24 rule="DEFAULT action=DENY"
>
> the log message when the IPE policy denies the indirect script execution
> via the 'inc' test interpreter.
>
> The IPE test suite has been updated to include script enforcement tests:
> https://github.com/microsoft/ipe/tree/test-suite
Please use the PR link instead of the repo link.
-Fan
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [RFC PATCH v1 1/1] ipe: add script enforcement with BPRM check
2025-04-29 21:22 ` [RFC PATCH v1 1/1] ipe: add " Jasjiv Singh
@ 2025-04-30 23:29 ` Fan Wu
0 siblings, 0 replies; 4+ messages in thread
From: Fan Wu @ 2025-04-30 23:29 UTC (permalink / raw)
To: Jasjiv Singh
Cc: wufan, paul, jmorris, serge, mic, linux-security-module,
linux-kernel
On Tue, Apr 29, 2025 at 2:23 PM Jasjiv Singh
<jasjivsingh@linux.microsoft.com> wrote:
>
> From: jasjivsingh_microsoft <jasjivsingh@linux.microsoft.com>
>
> Like direct file execution (e.g. ./script.sh), indirect file execution
> (e.g. sh script.sh) needs to be enforce by IPE based on the rules.
> Added a new security_bprm_creds_for_exec() hook to verify the indirect
> file's integrity.
>
> Signed-off-by: Jasjiv Singh <jasjivsingh@linux.microsoft.com>
> ---
> security/ipe/hooks.c | 23 +++++++++++++++++++++++
> security/ipe/hooks.h | 2 ++
> security/ipe/ipe.c | 1 +
> 3 files changed, 26 insertions(+)
>
> diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
> index d0323b81cd8f..12713a0495cf 100644
> --- a/security/ipe/hooks.c
> +++ b/security/ipe/hooks.c
> @@ -35,6 +35,29 @@ int ipe_bprm_check_security(struct linux_binprm *bprm)
> return ipe_evaluate_event(&ctx);
> }
>
> +/**
> + * ipe_bprm_creds_for_exec() - ipe security hook function for bprm creds check.
> + * @bprm: Supplies a pointer to a linux_binprm structure to source the file
> + * being evaluated.
> + *
> + * This LSM hook is called when a script is checked for execution through the
> + * execveat syscall with the AT_EXECVE_CHECK flag.
I remember the script is only one case, user space can add this flag
for other cases.
> + *
> + * Return:
> + * * %0 - Success
> + * * %-EACCES - Did not pass IPE policy
> + */
> +int ipe_bprm_creds_for_exec(struct linux_binprm *bprm)
> +{
> + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
> +
> + if (!bprm->is_check)
> + return 0;
> +
> + ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK);
A new enum needs to be added to audit this new hook in the audit
event. Please create something like IPE_HOOK_BPRM_CREDS_FOR_EXEC.
-Fan
> + return ipe_evaluate_event(&ctx);
> +}
> +
> /**
> * ipe_mmap_file() - ipe security hook function for mmap check.
> * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
> diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
> index 38d4a387d039..1c16a25d806e 100644
> --- a/security/ipe/hooks.h
> +++ b/security/ipe/hooks.h
> @@ -24,6 +24,8 @@ enum ipe_hook_type {
>
> int ipe_bprm_check_security(struct linux_binprm *bprm);
>
> +int ipe_bprm_creds_for_exec(struct linux_binprm *bprm);
> +
> int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot,
> unsigned long flags);
>
> diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
> index 4317134cb0da..845e3fd7a345 100644
> --- a/security/ipe/ipe.c
> +++ b/security/ipe/ipe.c
> @@ -47,6 +47,7 @@ struct ipe_inode *ipe_inode(const struct inode *inode)
>
> static struct security_hook_list ipe_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
> + LSM_HOOK_INIT(bprm_creds_for_exec, ipe_bprm_creds_for_exec),
> LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
> LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
> LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),
> --
> 2.34.1
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-04-30 23:29 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-04-29 21:22 [RFC PATCH v1 0/1] ipe: added script enforcement with BPRM check Jasjiv Singh
2025-04-29 21:22 ` [RFC PATCH v1 1/1] ipe: add " Jasjiv Singh
2025-04-30 23:29 ` Fan Wu
2025-04-30 23:24 ` [RFC PATCH v1 0/1] ipe: added " Fan Wu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).