[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <1745961770-7188-2-git-send-email-jasjivsingh@linux.microsoft.com>
Date: Tue, 29 Apr 2025 14:22:50 -0700
From: Jasjiv Singh <jasjivsingh@...ux.microsoft.com>
To: wufan@...nel.org,
paul@...l-moore.com,
jmorris@...ei.org,
serge@...lyn.com,
mic@...ikod.net
Cc: linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org,
jasjivsingh_microsoft <jasjivsingh@...ux.microsoft.com>
Subject: [RFC PATCH v1 1/1] ipe: add script enforcement with BPRM check
From: jasjivsingh_microsoft <jasjivsingh@...ux.microsoft.com>
Like direct file execution (e.g. ./script.sh), indirect file execution
(e.g. sh script.sh) needs to be enforce by IPE based on the rules.
Added a new security_bprm_creds_for_exec() hook to verify the indirect
file's integrity.
Signed-off-by: Jasjiv Singh <jasjivsingh@...ux.microsoft.com>
---
security/ipe/hooks.c | 23 +++++++++++++++++++++++
security/ipe/hooks.h | 2 ++
security/ipe/ipe.c | 1 +
3 files changed, 26 insertions(+)
diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
index d0323b81cd8f..12713a0495cf 100644
--- a/security/ipe/hooks.c
+++ b/security/ipe/hooks.c
@@ -35,6 +35,29 @@ int ipe_bprm_check_security(struct linux_binprm *bprm)
return ipe_evaluate_event(&ctx);
}
+/**
+ * ipe_bprm_creds_for_exec() - ipe security hook function for bprm creds check.
+ * @bprm: Supplies a pointer to a linux_binprm structure to source the file
+ * being evaluated.
+ *
+ * This LSM hook is called when a script is checked for execution through the
+ * execveat syscall with the AT_EXECVE_CHECK flag.
+ *
+ * Return:
+ * * %0 - Success
+ * * %-EACCES - Did not pass IPE policy
+ */
+int ipe_bprm_creds_for_exec(struct linux_binprm *bprm)
+{
+ struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
+
+ if (!bprm->is_check)
+ return 0;
+
+ ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, IPE_HOOK_BPRM_CHECK);
+ return ipe_evaluate_event(&ctx);
+}
+
/**
* ipe_mmap_file() - ipe security hook function for mmap check.
* @f: File being mmap'd. Can be NULL in the case of anonymous memory.
diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
index 38d4a387d039..1c16a25d806e 100644
--- a/security/ipe/hooks.h
+++ b/security/ipe/hooks.h
@@ -24,6 +24,8 @@ enum ipe_hook_type {
int ipe_bprm_check_security(struct linux_binprm *bprm);
+int ipe_bprm_creds_for_exec(struct linux_binprm *bprm);
+
int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot,
unsigned long flags);
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 4317134cb0da..845e3fd7a345 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -47,6 +47,7 @@ struct ipe_inode *ipe_inode(const struct inode *inode)
static struct security_hook_list ipe_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
+ LSM_HOOK_INIT(bprm_creds_for_exec, ipe_bprm_creds_for_exec),
LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),
--
2.34.1
Powered by blists - more mailing lists