| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKtyLkHVQuR+5N5qimAb=+GpGFpDt7YRq+jYC07R4wfRE6xUgg@mail.gmail.com> Date: Thu, 30 Oct 2025 15:08:42 -0700 From: Fan Wu <wufan@...nel.org> To: Yanzhu Huang <yanzhuhuang@...ux.microsoft.com> Cc: wufan@...nel.org, paul@...l-moore.com, mic@...ikod.net, jmorris@...ei.org, serge@...lyn.com, corbet@....net, linux-security-module@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] ipe: Update documentation for script enforcement On Thu, Oct 23, 2025 at 4:37 PM Yanzhu Huang <yanzhuhuang@...ux.microsoft.com> wrote: > > This patch adds explanation of script enforcement mechanism in admin > guide documentation. Describes how IPE supports integrity enforcement > for indirectly executed scripts through the AT_EXECVE_CHECK flag, and > how this differs from kernel enforcement for compiled executables. > > Signed-off-by: Yanzhu Huang <yanzhuhuang@...ux.microsoft.com> > --- > Documentation/admin-guide/LSM/ipe.rst | 15 ++++++++++++++- > 1 file changed, 14 insertions(+), 1 deletion(-) > > diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst > index dc7088451f9d..1063256559a8 100644 > --- a/Documentation/admin-guide/LSM/ipe.rst > +++ b/Documentation/admin-guide/LSM/ipe.rst > @@ -95,7 +95,20 @@ languages when these scripts are invoked by passing these program files > to the interpreter. This is because the way interpreters execute these > files; the scripts themselves are not evaluated as executable code > through one of IPE's hooks, but they are merely text files that are read > -(as opposed to compiled executables) [#interpreters]_. > +(as opposed to compiled executables) [#interpreters]_. However, with the All looks good to me, however, we could also update the [#interpreters] reference to userspace-api/check_exec. -Fan > +introduction of the ``AT_EXECVE_CHECK`` flag, interpreters can use it to > +signal the kernel that a script file will be executed, and request the > +kernel to perform LSM security checks on it. > + > +IPE's EXECUTE operation enforcement differs between compiled executables and > +interpreted scripts: For compiled executables, enforcement is triggered > +automatically by the kernel during ``execve()``, ``execveat()``, ``mmap()`` > +and ``mprotect()`` syscalls when loading executable content. For interpreted > +scripts, enforcement requires explicit interpreter integration using > +``execveat()`` with ``AT_EXECVE_CHECK`` flag. Unlike exec syscalls that IPE > +intercepts during the execution process, this mechanism needs the interpreter > +to take the initiative, and existing interpreters won't be automatically > +supported unless the signal call is added. > > Threat Model > ------------ > -- > 2.43.0 >
Powered by blists - more mailing lists