Re: [RFC PATCH v1 0/1] ipe: added script enforcement with BPRM check

From: Fan Wu
Date: Wed Apr 30 2025 - 19:25:07 EST


On Tue, Apr 29, 2025 at 2:23 PM Jasjiv Singh
<jasjivsingh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> From: jasjivsingh_microsoft <jasjivsingh@xxxxxxxxxxxxxxxxxxx>
>
> Currently, IPE only enforces the policy operations for direct
> file execution (e.g. ./script.sh). However, indirect file execution
> (e.g. sh script.sh) needs to be enforced by IPE based on the rules.
>
> Overview
> --------
>
> This patch introduces the `ipe_bprm_creds_for_exec` LSM hook. This hook
> specifically targets the `AT_EXECVE_CHECK` scenario [1], allowing IPE to
> evaluate the `EXECUTE` operation policy for the script file during the
> check phase itself.
>
> [1] https://lore.kernel.org/linux-security-module/20241212174223.389435-1-mic@xxxxxxxxxxx/
>
> Example
> --------
>
> ipe_op=EXECUTE ipe_hook=BPRM_CHECK enforcing=1 pid=18571 comm="inc"
> path="/tmp/script/hello.inc" dev="tmpfs" ino=24 rule="DEFAULT action=DENY"
>
> the log message when the IPE policy denies the indirect script execution
> via the 'inc' test interpreter.
>
> The IPE test suite has been updated to include script enforcement tests:
> https://github.com/microsoft/ipe/tree/test-suite

Please use the PR link instead of the repo link.

-Fan