From 67678189e492dc119b91c30beccd12cdbb32350e Mon Sep 17 00:00:00 2001 From: Yanzhu Huang Date: Wed, 5 Nov 2025 23:26:14 +0000 Subject: ipe: Add AT_EXECVE_CHECK support for script enforcement This patch adds a new ipe_bprm_creds_for_exec() hook that integrates with the AT_EXECVE_CHECK mechanism. To enable script enforcement, interpreters need to incorporate the AT_EXECVE_CHECK flag when calling execveat() on script files before execution. When a userspace interpreter calls execveat() with the AT_EXECVE_CHECK flag, this hook triggers IPE policy evaluation on the script file. The hook only triggers IPE when bprm->is_check is true, ensuring it's being called from an AT_EXECVE_CHECK context. It then builds an evaluation context for an IPE_OP_EXEC operation and invokes IPE policy. The kernel returns the policy decision to the interpreter, which can then decide whether to proceed with script execution. This extends IPE enforcement to indirectly executed scripts, permitting trusted scripts to execute while denying untrusted ones. Signed-off-by: Yanzhu Huang Signed-off-by: Fan Wu --- security/ipe/audit.c | 1 + 1 file changed, 1 insertion(+) (limited to 'security/ipe/audit.c') diff --git a/security/ipe/audit.c b/security/ipe/audit.c index de5fed62592e..3f0deeb54912 100644 --- a/security/ipe/audit.c +++ b/security/ipe/audit.c @@ -46,6 +46,7 @@ static const char *const audit_op_names[__IPE_OP_MAX + 1] = { static const char *const audit_hook_names[__IPE_HOOK_MAX] = { "BPRM_CHECK", + "BPRM_CREDS_FOR_EXEC", "MMAP", "MPROTECT", "KERNEL_READ", -- cgit