ipe/stable-6.19 PR 20251202

-----BEGIN PGP SIGNATURE----- iIcEABYIAC8WIQQzmBmZPBN6m/hUJmnyomI6a/yO7QUCaS+zQhEcd3VmYW5Aa2Vy bmVsLm9yZwAKCRDyomI6a/yO7TfdAP4ngYyNKMwefqmrwG7akL9sRCWEH4Y/ZM/Z ZwFw0waDkAEA5gV5LH6DJme9rBsXjC8wkOiiUOerqopIVKPMeYKCmAc= =sOI5 -----END PGP SIGNATURE----- Merge tag 'ipe-pr-20251202' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe Pull IPE udates from Fan Wu: "The primary change is the addition of support for the AT_EXECVE_CHECK flag. This allows interpreters to signal the kernel to perform IPE security checks on script files before execution, extending IPE enforcement to indirectly executed scripts. Update documentation for it, and also fix a comment" * tag 'ipe-pr-20251202' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe: ipe: Update documentation for script enforcement ipe: Add AT_EXECVE_CHECK support for script enforcement ipe: Drop a duplicated CONFIG_ prefix in the ifdeffery
2025-12-03 11:19:34 -08:00 · 2025-12-03 11:19:34 -08:00 · c832183148
parent 777f817160 d7ba853c0e
commit c832183148
5 changed files with 47 additions and 4 deletions
--- a/Documentation/admin-guide/LSM/ipe.rst
+++ b/Documentation/admin-guide/LSM/ipe.rst
@ -95,7 +95,20 @@ languages when these scripts are invoked by passing these program files
 to the interpreter. This is because the way interpreters execute these
 files; the scripts themselves are not evaluated as executable code
 through one of IPE's hooks, but they are merely text files that are read
-(as opposed to compiled executables) [#interpreters]_.
+(as opposed to compiled executables). However, with the introduction of the
 ``AT_EXECVE_CHECK`` flag (:doc:`AT_EXECVE_CHECK </userspace-api/check_exec>`),
 interpreters can use it to signal the kernel that a script file will be executed,
 and request the kernel to perform LSM security checks on it.
 IPE's EXECUTE operation enforcement differs between compiled executables and
 interpreted scripts: For compiled executables, enforcement is triggered
 automatically by the kernel during ``execve()``, ``execveat()``, ``mmap()``
 and ``mprotect()`` syscalls when loading executable content. For interpreted
 scripts, enforcement requires explicit interpreter integration using
 ``execveat()`` with ``AT_EXECVE_CHECK`` flag. Unlike exec syscalls that IPE
 intercepts during the execution process, this mechanism needs the interpreter
 to take the initiative, and existing interpreters won't be automatically
 supported unless the signal call is added.
 Threat Model
 ------------
@ -806,8 +819,6 @@ A:
 .. [#digest_cache_lsm] https://lore.kernel.org/lkml/20240415142436.2545003-1-roberto.sassu@huaweicloud.com/
 .. [#interpreters] There is `some interest in solving this issue <https://lore.kernel.org/lkml/20220321161557.495388-1-mic@digikod.net/>`_.
 .. [#devdoc] Please see :doc:`the design docs </security/ipe>` for more on
             this topic.
--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@ -46,6 +46,7 @@ static const char *const audit_op_names[__IPE_OP_MAX + 1] = {
 static const char *const audit_hook_names[__IPE_HOOK_MAX] = {
 	"BPRM_CHECK",
 	"BPRM_CREDS_FOR_EXEC",
 	"MMAP",
 	"MPROTECT",
 	"KERNEL_READ",
--- a/security/ipe/hooks.c
+++ b/security/ipe/hooks.c
@ -35,6 +35,33 @@ int ipe_bprm_check_security(struct linux_binprm *bprm)
 	return ipe_evaluate_event(&ctx);
 }
 /**
 * ipe_bprm_creds_for_exec() - ipe security hook function for bprm creds check.
 * @bprm: Supplies a pointer to a linux_binprm structure to source the file
 *	  being evaluated.
 *
 * This LSM hook is called when userspace signals the kernel to check a file
 * for execution through the execveat syscall with the AT_EXECVE_CHECK flag.
 * The hook triggers IPE policy evaluation on the script file and returns
 * the policy decision to userspace. The userspace program receives the
 * return code and can decide whether to proceed with script execution.
 *
 * Return:
 * * %0		- Success
 * * %-EACCES	- Did not pass IPE policy
 */
 int ipe_bprm_creds_for_exec(struct linux_binprm *bprm)
 {
 	struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
 	if (!bprm->is_check)
 		return 0;
 	ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC,
 			   IPE_HOOK_BPRM_CREDS_FOR_EXEC);
 	return ipe_evaluate_event(&ctx);
 }
 /**
 * ipe_mmap_file() - ipe security hook function for mmap check.
 * @f: File being mmap'd. Can be NULL in the case of anonymous memory.
@ -312,4 +339,4 @@ int ipe_inode_setintegrity(const struct inode *inode,
 	return -EINVAL;
 }
-#endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
--- a/security/ipe/hooks.h
+++ b/security/ipe/hooks.h
@ -13,6 +13,7 @@
 enum ipe_hook_type {
 	IPE_HOOK_BPRM_CHECK = 0,
 	IPE_HOOK_BPRM_CREDS_FOR_EXEC,
 	IPE_HOOK_MMAP,
 	IPE_HOOK_MPROTECT,
 	IPE_HOOK_KERNEL_READ,
@ -24,6 +25,8 @@ enum ipe_hook_type {
 int ipe_bprm_check_security(struct linux_binprm *bprm);
 int ipe_bprm_creds_for_exec(struct linux_binprm *bprm);
 int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot,
 		  unsigned long flags);
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@ -47,6 +47,7 @@ struct ipe_inode *ipe_inode(const struct inode *inode)
 static struct security_hook_list ipe_hooks[] __ro_after_init = {
 	LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
 	LSM_HOOK_INIT(bprm_creds_for_exec, ipe_bprm_creds_for_exec),
 	LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
 	LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
 	LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),