-rw-r--r--Documentation/admin-guide/LSM/ipe.rst17
-rw-r--r--security/ipe/audit.c1
-rw-r--r--security/ipe/hooks.c29
-rw-r--r--security/ipe/hooks.h3
-rw-r--r--security/ipe/ipe.c1
5 files changed, 47 insertions, 4 deletions
diff --git a/Documentation/admin-guide/LSM/ipe.rst b/Documentation/admin-guide/LSM/ipe.rst
index dc7088451f9d..a756d8158531 100644
--- a/Documentation/admin-guide/LSM/ipe.rst
+++ b/Documentation/admin-guide/LSM/ipe.rst
@@ -95,7 +95,20 @@ languages when these scripts are invoked by passing these program files
to the interpreter. This is because the way interpreters execute these
files; the scripts themselves are not evaluated as executable code
through one of IPE's hooks, but they are merely text files that are read
-(as opposed to compiled executables) [#interpreters]_.
+(as opposed to compiled executables). However, with the introduction of the
+``AT_EXECVE_CHECK`` flag (:doc:`AT_EXECVE_CHECK </userspace-api/check_exec>`),
+interpreters can use it to signal the kernel that a script file will be executed,
+and request the kernel to perform LSM security checks on it.
+
+IPE's EXECUTE operation enforcement differs between compiled executables and
+interpreted scripts: For compiled executables, enforcement is triggered
+automatically by the kernel during ``execve()``, ``execveat()``, ``mmap()``
+and ``mprotect()`` syscalls when loading executable content. For interpreted
+scripts, enforcement requires explicit interpreter integration using
+``execveat()`` with ``AT_EXECVE_CHECK`` flag. Unlike exec syscalls that IPE
+intercepts during the execution process, this mechanism needs the interpreter
+to take the initiative, and existing interpreters won't be automatically
+supported unless the signal call is added.
Threat Model
------------
@@ -806,8 +819,6 @@ A:
.. [#digest_cache_lsm] https://lore.kernel.org/lkml/20240415142436.2545003-1-roberto.sassu@huaweicloud.com/
-.. [#interpreters] There is `some interest in solving this issue <https://lore.kernel.org/lkml/20220321161557.495388-1-mic@digikod.net/>`_.
-
.. [#devdoc] Please see :doc:`the design docs </security/ipe>` for more on
this topic.
diff --git a/security/ipe/audit.c b/security/ipe/audit.c
index de5fed62592e..3f0deeb54912 100644
--- a/security/ipe/audit.c
+++ b/security/ipe/audit.c
@@ -46,6 +46,7 @@ static const char *const audit_op_names[__IPE_OP_MAX + 1] = {
static const char *const audit_hook_names[__IPE_HOOK_MAX] = {
"BPRM_CHECK",
+ "BPRM_CREDS_FOR_EXEC",
"MMAP",
"MPROTECT",
"KERNEL_READ",
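Review bot: The new "BPRM_CREDS_FOR_EXEC" entry in audit_hook_names[] is correct only because it sits at the same offset as IPE_HOOK_BPRM_CREDS_FOR_EXEC in the enum ipe_hook_type hunk of security/ipe/hooks.h; the array is indexed by that enum and sized by __IPE_HOOK_MAX, so the coupling is purely positional and nothing enforces it. Unless the declaration (whose opening line is the hunk header) already says so, I would add `/* Indexed by enum ipe_hook_type; keep in the same order as hooks.h. */` above it, or switch the table to designated initializers such as `[IPE_HOOK_BPRM_CREDS_FOR_EXEC] = "BPRM_CREDS_FOR_EXEC",` so a future insertion in the enum cannot silently mislabel audit records, which analysts rely on to tell check-only evaluations from real execs.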
diff --git a/security/ipe/hooks.c b/security/ipe/hooks.c
index 1053a4acf589..603abdc9ce3b 100644
--- a/security/ipe/hooks.c
+++ b/security/ipe/hooks.c
@@ -36,6 +36,33 @@ int ipe_bprm_check_security(struct linux_binprm *bprm)
}
/**
+ * ipe_bprm_creds_for_exec() - ipe security hook function for bprm creds check.
+ * @bprm: Supplies a pointer to a linux_binprm structure to source the file
+ * being evaluated.
+ *
+ * This LSM hook is called when userspace signals the kernel to check a file
+ * for execution through the execveat syscall with the AT_EXECVE_CHECK flag.
+ * The hook triggers IPE policy evaluation on the script file and returns
+ * the policy decision to userspace. The userspace program receives the
+ * return code and can decide whether to proceed with script execution.
+ *
+ * Return:
+ * * %0 - Success
+ * * %-EACCES - Did not pass IPE policy
+ */
+int ipe_bprm_creds_for_exec(struct linux_binprm *bprm)
+{
+ struct ipe_eval_ctx ctx = IPE_EVAL_CTX_INIT;
+
+ if (!bprm->is_check)
+ return 0;
+
+ ipe_build_eval_ctx(&ctx, bprm->file, IPE_OP_EXEC,
+ IPE_HOOK_BPRM_CREDS_FOR_EXEC);
+ return ipe_evaluate_event(&ctx);
+}
+
+/**
* ipe_mmap_file() - ipe security hook function for mmap check.
* @f: File being mmap'd. Can be NULL in the case of anonymous memory.
* @reqprot: The requested protection on the mmap, passed from usermode.
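Review bot: The `if (!bprm->is_check) return 0;` guard at the top of ipe_bprm_creds_for_exec() is the load-bearing line and deserves a comment, because the bprm_creds_for_exec LSM hook runs for every exec, not only for AT_EXECVE_CHECK requests; without it an ordinary execve would be evaluated here and again in ipe_bprm_check_security(), most likely emitting a duplicate audit event per exec. Suggested: `/* Ordinary execs are decided in ipe_bprm_check_security(); only AT_EXECVE_CHECK requests (is_check) are evaluated here. */`. The kernel-doc's "returns the policy decision to userspace" would also be clearer if it stated that for an is_check request no image is loaded, the verdict is simply execveat()'s return value, and the kernel does not block the script itself — enforcement depends on the interpreter honouring that result, which is the property a policy author must understand when relying on this hook.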
@@ -312,4 +339,4 @@ int ipe_inode_setintegrity(const struct inode *inode,
return -EINVAL;
}
-#endif /* CONFIG_CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
+#endif /* CONFIG_IPE_PROP_FS_VERITY_BUILTIN_SIG */
diff --git a/security/ipe/hooks.h b/security/ipe/hooks.h
index 38d4a387d039..07db37332740 100644
--- a/security/ipe/hooks.h
+++ b/security/ipe/hooks.h
@@ -13,6 +13,7 @@
enum ipe_hook_type {
IPE_HOOK_BPRM_CHECK = 0,
+ IPE_HOOK_BPRM_CREDS_FOR_EXEC,
IPE_HOOK_MMAP,
IPE_HOOK_MPROTECT,
IPE_HOOK_KERNEL_READ,
@@ -24,6 +25,8 @@ enum ipe_hook_type {
int ipe_bprm_check_security(struct linux_binprm *bprm);
+int ipe_bprm_creds_for_exec(struct linux_binprm *bprm);
+
int ipe_mmap_file(struct file *f, unsigned long reqprot, unsigned long prot,
unsigned long flags);
diff --git a/security/ipe/ipe.c b/security/ipe/ipe.c
index 71644748ed56..495bb765de1b 100644
--- a/security/ipe/ipe.c
+++ b/security/ipe/ipe.c
@@ -47,6 +47,7 @@ struct ipe_inode *ipe_inode(const struct inode *inode)
static struct security_hook_list ipe_hooks[] __ro_after_init = {
LSM_HOOK_INIT(bprm_check_security, ipe_bprm_check_security),
+ LSM_HOOK_INIT(bprm_creds_for_exec, ipe_bprm_creds_for_exec),
LSM_HOOK_INIT(mmap_file, ipe_mmap_file),
LSM_HOOK_INIT(file_mprotect, ipe_file_mprotect),
LSM_HOOK_INIT(kernel_read_file, ipe_kernel_read_file),