diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2025-12-03 11:19:34 -0800 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2025-12-03 11:19:34 -0800 |
| commit | c8321831480d80af01ce001bd6626fc130fd13b1 (patch) | |
| tree | 76813b3d8be7d156dfe58526961a0c7beb87d42a /security/ipe/hooks.c | |
| parent | 777f8171602d5954cac024b66afa1b5b030641a4 (diff) | |
| parent | d7ba853c0e47d57805181f5269ba250270d2adde (diff) | |
Merge tag 'ipe-pr-20251202' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe
Pull IPE udates from Fan Wu:
"The primary change is the addition of support for the AT_EXECVE_CHECK
flag. This allows interpreters to signal the kernel to perform IPE
security checks on script files before execution, extending IPE
enforcement to indirectly executed scripts.
Update documentation for it, and also fix a comment"
* tag 'ipe-pr-20251202' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
ipe: Update documentation for script enforcement
ipe: Add AT_EXECVE_CHECK support for script enforcement
ipe: Drop a duplicated CONFIG_ prefix in the ifdeffery
Diffstat (limited to 'security/ipe/hooks.c')
| -rw-r--r-- | security/ipe/hooks.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c index 1053a4acf589..603abdc9ce3b 100644 --- a/security/ipe/hooks.c +++ b/security/ipe/hooks.c @@ -36,6 +36,33 @@ int ipe_bprm_check_security(struct linux_binprm *bprm) } /** + * ipe_bprm_creds_for_exec() - ipe security hook function for bprm creds check. + * @bprm: Supplies a pointer to a linux_binprm structure to source the file + * being evaluated. + * + * This LSM hook is called when userspace signals the kernel to check a file + * for execution through the execveat syscall with the AT_EXECVE_CHECK flag. + * The hook triggers IPE policy evaluation on the script file and returns + * the policy decision to userspace. The userspace program receives the + * return code and can decide whether to proceed with script execution. + * + * Return: + * * %0 - Success + * * %-EACCES - Did not pass IPE policy + */ +int ipe_bprm_creds_for_exec(struct linux_binprm *bprm) +{ + struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT; + + if (!bprm->is_check) + return 0; + + ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC, + IPE_HOOK_BPRM_CREDS_FOR_EXEC); + return ipe_evaluate_event(&ctx); +} + +/** * ipe_mmap_file() - ipe security hook function for mmap check. * @f: File being mmap'd. Can be NULL in the case of anonymous memory. * @reqprot: The requested protection on the mmap, passed from usermode. @@ -312,4 +339,4 @@ int ipe_inode_setintegrity(const struct inode *inode, return -EINVAL; } -#endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ +#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */ |