Message-Id: <1745961770-7188-1-git-send-email-jasjivsingh@linux.microsoft.com>
Date: Tue, 29 Apr 2025 14:22:49 -0700
From: Jasjiv Singh <jasjivsingh@...ux.microsoft.com>
To: wufan@...nel.org,
	paul@...l-moore.com,
	jmorris@...ei.org,
	serge@...lyn.com,
	mic@...ikod.net
Cc: linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	jasjivsingh_microsoft <jasjivsingh@...ux.microsoft.com>
Subject: [RFC PATCH v1 0/1] ipe: added script enforcement with BPRM check

From: jasjivsingh_microsoft <jasjivsingh@...ux.microsoft.com>

Currently, IPE only enforces the policy operations for direct
file execution (e.g. ./script.sh). However, indirect file execution
(e.g. sh script.sh) needs to be enforced by IPE based on the rules.

Overview
--------

This patch introduces the `ipe_bprm_creds_for_exec` LSM hook. This hook
specifically targets the `AT_EXECVE_CHECK` scenario [1], allowing IPE to
evaluate the `EXECUTE` operation policy for the script file during the
check phase itself.

[1] https://lore.kernel.org/linux-security-module/20241212174223.389435-1-mic@digikod.net/

Example
--------

ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=18571 comm="inc"
path="/tmp/script/hello.inc" dev="tmpfs" ino=24 rule="DEFAULT action=DENY"

The log message when the IPE policy denies the indirect script execution
via the 'inc' test interpreter.

The IPE test suite has been updated to include script enforcement tests:
https://github.com/microsoft/ipe/tree/test-suite

jasjivsingh_microsoft (1):
  ipe: add script enforcement with BPRM check

 security/ipe/hooks.c | 23 +++++++++++++++++++++++
 security/ipe/hooks.h |  2 ++
 security/ipe/ipe.c   |  1 +
 3 files changed, 26 insertions(+)

-- 
2.34.1
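To show the interpreter side of the AT_EXECVE_CHECK path that the new bprm hook evaluates, here is an added example, not code from this patch or from the IPE project: a C helper that asks the kernel for an EXECUTE verdict on an already-opened script via execveat(2) with AT_EXECVE_CHECK, as an interpreter such as the 'inc' test interpreter is assumed to do before running a file. The AT_EXECVE_CHECK value, the fallback defines and the errno mapping are assumptions taken from upstream kernel behaviour, not from this message.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/syscall.h>

/* AT_EXECVE_CHECK lives in the kernel uapi headers; older userspace headers
 * lack it. Value assumed from the upstream header, not stated on the page. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

enum exec_check {
    EXEC_CHECK_ALLOWED,     /* kernel and LSMs would permit execution */
    EXEC_CHECK_DENIED,      /* denied, e.g. by an IPE rule like DEFAULT action=DENY */
    EXEC_CHECK_UNSUPPORTED, /* kernel does not know AT_EXECVE_CHECK (EINVAL) */
    EXEC_CHECK_ERROR        /* some other failure: bad fd, I/O error, ... */
};

/* Map the errno from a failed execveat(AT_EXECVE_CHECK) to a verdict. */
enum exec_check classify_exec_check_errno(int err)
{
    switch (err) {
    case EACCES:
    case EPERM:
        return EXEC_CHECK_DENIED;
    case EINVAL:
        return EXEC_CHECK_UNSUPPORTED;
    default:
        return EXEC_CHECK_ERROR;
    }
}

/* Ask the kernel whether the file behind fd may be executed, without
 * executing it: with AT_EXECVE_CHECK, execveat() returns 0 instead of
 * replacing the process, and the bprm LSM hooks (IPE included) still run. */
enum exec_check script_exec_check(int fd)
{
    char *const argv[] = { "script", NULL };
    char *const envp[] = { NULL };
    long rc = syscall(SYS_execveat, fd, "", argv, envp,
                      AT_EMPTY_PATH | AT_EXECVE_CHECK);
    if (rc == 0)
        return EXEC_CHECK_ALLOWED;
    return classify_exec_check_errno(errno);
}
```

An interpreter would open the script with O_RDONLY|O_CLOEXEC, call script_exec_check() on that fd, and refuse to interpret it on EXEC_CHECK_DENIED; EXEC_CHECK_UNSUPPORTED means no kernel verdict is available and must be handled by the interpreter's own policy.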

