Gentwo Git Trees - linux/.git/commit

author	Yanzhu Huang <yanzhuhuang@linux.microsoft.com>
	Wed, 5 Nov 2025 23:26:14 +0000 (23:26 +0000)
committer	Fan Wu <wufan@kernel.org>
	Wed, 3 Dec 2025 03:37:01 +0000 (19:37 -0800)
commit	67678189e492dc119b91c30beccd12cdbb32350e
tree	9f65194f51dee2c178e88a4d730dda576a084458	tree \| snapshot
parent	864468ae309943fc9a1067606098b30959e4db33	commit \| diff

ipe: Add AT_EXECVE_CHECK support for script enforcement

This patch adds a new ipe_bprm_creds_for_exec() hook that integrates
with the AT_EXECVE_CHECK mechanism. To enable script enforcement,
interpreters need to incorporate the AT_EXECVE_CHECK flag when
calling execveat() on script files before execution.

When a userspace interpreter calls execveat() with the AT_EXECVE_CHECK
flag, this hook triggers IPE policy evaluation on the script file. The
hook only triggers IPE when bprm->is_check is true, ensuring it's
being called from an AT_EXECVE_CHECK context. It then builds an
evaluation context for an IPE_OP_EXEC operation and invokes IPE policy.
The kernel returns the policy decision to the interpreter, which can
then decide whether to proceed with script execution.

This extends IPE enforcement to indirectly executed scripts, permitting
trusted scripts to execute while denying untrusted ones.

Signed-off-by: Yanzhu Huang <yanzhuhuang@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@kernel.org>

security/ipe/audit.c		diff \| blob \| blame \| history
security/ipe/hooks.c		diff \| blob \| blame \| history
security/ipe/hooks.h		diff \| blob \| blame \| history
security/ipe/ipe.c		diff \| blob \| blame \| history