Message-ID: <CAKtyLkGvcRP9f5gGhsSnEA28Nh0Udcq76ZZv0SA5Vko6w8R7qw@mail.gmail.com>
Date: Wed, 30 Apr 2025 16:24:43 -0700
From: Fan Wu <wufan@...nel.org>
To: Jasjiv Singh <jasjivsingh@...ux.microsoft.com>
Cc: wufan@...nel.org, paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
mic@...ikod.net, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH v1 0/1] ipe: added script enforcement with BPRM check
On Tue, Apr 29, 2025 at 2:23 PM Jasjiv Singh
<jasjivsingh@...ux.microsoft.com> wrote:
>
> From: jasjivsingh_microsoft <jasjivsingh@...ux.microsoft.com>
>
> Currently, IPE only enforces the policy operations for direct
> file execution (e.g. ./script.sh). However, indirect file execution
> (e.g. sh script.sh) needs to be enforced by IPE based on the rules.
>
> Overview
> --------
>
> This patch introduces the `ipe_bprm_creds_for_exec` LSM hook. This hook
> specifically targets the `AT_EXECVE_CHECK` scenario [1], allowing IPE to
> evaluate the `EXECUTE` operation policy for the script file during the
> check phase itself.
>
> [1] https://lore.kernel.org/linux-security-module/20241212174223.389435-1-mic@digikod.net/
>
> Example
> --------
>
> ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=18571 comm="inc"
> path="/tmp/script/hello.inc" dev="tmpfs" ino=24 rule="DEFAULT action=DENY"
>
> The log message above is emitted when the IPE policy denies the indirect
> script execution via the 'inc' test interpreter.
>
> The IPE test suite has been updated to include script enforcement tests:
> https://github.com/microsoft/ipe/tree/test-suite
Please use the PR link instead of the repo link.
-Fan
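As an added example that is not part of the patch, the cover letter or the kernel tree: the interpreter-side half of the scenario above, an execveat(2) call with AT_EXECVE_CHECK on the script's open file descriptor, which is what gives IPE's bprm_creds_for_exec hook the chance to evaluate the EXECUTE rule and emit the ipe_hook=BPRM_CHECK record quoted above. It assumes a Linux build; the AT_EXECVE_CHECK value is defined inline for older headers, and classify_check / script_exec_check are names chosen here.

```c
/* Added example: ask the kernel whether a script may be executed, without
 * executing it, so an LSM such as IPE can apply its EXECUTE rule first. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000 /* value from linux/fcntl.h (6.14+), for older headers */
#endif

enum exec_check { EXEC_ERROR = -2, EXEC_UNSUPPORTED = -1, EXEC_DENIED = 0, EXEC_ALLOWED = 1 };

/* Map the raw execveat() outcome to a decision the interpreter can act on. */
enum exec_check classify_check(int rc, int err)
{
    if (rc == 0)
        return EXEC_ALLOWED;       /* all execve checks passed, nothing was run */
    if (err == EACCES || err == EPERM)
        return EXEC_DENIED;        /* refused by DAC or an LSM (e.g. an IPE DENY rule) */
    if (err == EINVAL)
        return EXEC_UNSUPPORTED;   /* kernel does not know AT_EXECVE_CHECK */
    return EXEC_ERROR;             /* ENOENT, EISDIR, ... : not a policy decision */
}

/* Check 'path' through the kernel's execve path; only the already-open fd is checked. */
enum exec_check script_exec_check(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return classify_check(-1, errno);
    /* Empty pathname + AT_EMPTY_PATH targets the fd itself; NULL argv/envp is enough for a check. */
    int rc = syscall(SYS_execveat, fd, "", NULL, NULL, AT_EMPTY_PATH | AT_EXECVE_CHECK);
    int err = errno;               /* save before close() can clobber it */
    close(fd);
    return classify_check(rc, err);
}

int main(int argc, char **argv)
{
    static const char *const names[] = { "error", "unsupported", "denied", "allowed" };
    if (argc != 2)
        return 2;
    printf("%s: %s\n", argv[1], names[script_exec_check(argv[1]) + 2]);
    return 0;
}
```

On a kernel with this patch and an enforcing IPE policy, a "denied" result for a script coincides with the ipe_hook=BPRM_CHECK audit record shown in the cover letter.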