Message-ID: <CAKtyLkHfW=cOryV9T4D=RA9-C=cea5DcH9U8jMn8OKAS30PHzA@mail.gmail.com>
Date: Wed, 5 Nov 2025 15:39:28 -0800
From: Fan Wu <wufan@...nel.org>
To: Yanzhu Huang <yanzhuhuang@...ux.microsoft.com>
Cc: wufan@...nel.org, paul@...l-moore.com, mic@...ikod.net, jmorris@...ei.org, 
	serge@...lyn.com, corbet@....net, linux-security-module@...r.kernel.org, 
	linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 0/2] ipe: add script enforcement mechanism with AT_EXECVE_CHECK

On Wed, Nov 5, 2025 at 3:26 PM Yanzhu Huang
<yanzhuhuang@...ux.microsoft.com> wrote:
>
> Indirect file execution through interpreters (e.g. python script.py, sh
> script.sh) should have integrity policy enforced by IPE based on the
> rules. Currently, IPE can only enforce policy on the interpreter binary
> itself, but has no visibility into the scripts that the interpreter
> executes.
>
> Overview
> --------
>
> This patch series introduces script enforcement for IPE, allowing integrity
> evaluation of indirectly executed scripts through the AT_EXECVE_CHECK flag.
>
> Patch 1 adds the core implementation with ipe_bprm_creds_for_exec() hook
> that integrates with the AT_EXECVE_CHECK mechanism.
>
> Patch 2 updates admin guide documentation to explain the script enforcement
> mechanism.
>
> The IPE test suite has been updated to include script enforcement tests:
> https://github.com/microsoft/ipe/pull/6
>
> Changes since v2:
> - update AT_EXECVE_CHECK reference
>
> Changes since v1:
> - update the interpreters reference
>
> Yanzhu Huang (2):
>   ipe: Add AT_EXECVE_CHECK support for script enforcement
>   ipe: Update documentation for script enforcement
>
>  Documentation/admin-guide/LSM/ipe.rst | 17 ++++++++++++++---
>  security/ipe/audit.c                  |  1 +
>  security/ipe/hooks.c                  | 27 +++++++++++++++++++++++++++
>  security/ipe/hooks.h                  |  3 +++
>  security/ipe/ipe.c                    |  1 +
>  5 files changed, 46 insertions(+), 3 deletions(-)
>
> --
> 2.43.0
>

Thanks, applied to ipe/next.

-Fan
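An added example (mine, not code from the patch series or the IPE test suite) of the interpreter side of the mechanism the cover letter describes: before running a script, the interpreter hands the open file to execveat(2) with AT_EXECVE_CHECK so the kernel's LSM hooks, IPE's bprm_creds_for_exec() among them, can rule on it without anything being executed. It assumes a Linux 6.14+ kernel for the flag; the helper names and the temp-file sample are mine.

```c
/* Added example, not code from the IPE series: interpreter-side AT_EXECVE_CHECK query (Linux 6.14+). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000    /* values from include/uapi/linux/fcntl.h, in case libc lacks them */
#endif
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif
enum exec_check { EXEC_DENIED = 0, EXEC_ALLOWED = 1, EXEC_CHECK_UNSUPPORTED = -1 };

/* Ask the kernel (and through it IPE's bprm_creds_for_exec hook) whether fd may be executed.
 * Nothing runs: the check stops after the LSM decision. Raw syscall so it also builds on a libc
 * without an execveat() wrapper. */
enum exec_check check_script_fd(int fd)
{
    char *const argv[] = { "script", NULL };
    char *const envp[] = { NULL };
    if (syscall(SYS_execveat, fd, "", argv, envp, AT_EMPTY_PATH | AT_EXECVE_CHECK) == 0)
        return EXEC_ALLOWED;            /* DAC, mount options and LSM policy all permit */
    if (errno == EINVAL || errno == ENOSYS)
        return EXEC_CHECK_UNSUPPORTED;  /* kernel predates the flag: no verdict available */
    return EXEC_DENIED;                 /* EACCES, EPERM, EBADF, ...: fail closed */
}

/* Constructed sample: a file created without the execute bit must never come back allowed. */
enum exec_check demo_unexecutable_script(void)
{
    char path[] = "/tmp/ipe-check-XXXXXX";
    int fd = mkstemp(path);             /* mode 0600: readable, not executable */
    if (fd < 0) return EXEC_DENIED;
    enum exec_check verdict = check_script_fd(fd);
    close(fd);
    unlink(path);
    return verdict;
}
int main(int argc, char **argv)
{
    int fd = argc > 1 ? open(argv[1], O_RDONLY | O_CLOEXEC) : -1;
    enum exec_check v = check_script_fd(fd);   /* fd == -1 yields EBADF, i.e. denied */
    printf("%s\n", v == EXEC_ALLOWED ? "script may be interpreted" :
           v == EXEC_DENIED ? "script denied, refusing to run" : "kernel cannot check scripts");
    return v == EXEC_ALLOWED ? 0 : 1;
}
```

On a kernel without the flag the helper reports EXEC_CHECK_UNSUPPORTED rather than a verdict, so an interpreter has to decide separately whether to run in that case; a real interpreter would go on to read the script from the same fd it just checked, not reopen it by path.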
