Linux’s Integrity Policy Enforcement “IPE” module is gaining a useful addition with the in-development Linux 6.19 kernel.
IPE now honors the “AT_EXECVE_CHECK” flag, so user-space interpreters can ask the kernel to perform IPE security checks on a script file before executing it. This extends IPE enforcement to indirectly-executed scripts on the system, not just to binaries the kernel loads itself.
The updated Linux IPE documentation further explains the new AT_EXECVE_CHECK behavior for scripts:
“With the introduction of the AT_EXECVE_CHECK flag, interpreters can use it to signal the kernel that a script file will be executed, and request the kernel to perform LSM security checks on it.
IPE’s EXECUTE operation enforcement differs between compiled executables and interpreted scripts: For compiled executables, enforcement is triggered automatically by the kernel during execve(), execveat(), mmap() and mprotect() syscalls when loading executable content. For interpreted scripts, enforcement requires explicit interpreter integration using execveat() with AT_EXECVE_CHECK flag. Unlike exec syscalls that IPE intercepts during the execution process, this mechanism needs the interpreter to take the initiative, and existing interpreters won’t be automatically supported unless the signal call is added.”
This security contribution from Microsoft’s Linux team extends IPE enforcement to indirectly executed scripts so that trusted scripts can execute while denying untrusted scripts.
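As an added illustration (not code from the kernel patch or the IPE documentation), here is a small C helper of the kind an interpreter would call before running a script: it opens the file, issues execveat() with AT_EMPTY_PATH | AT_EXECVE_CHECK on the descriptor, and maps the result to an allow/deny/unsupported decision, with EINVAL signalling that the running kernel predates the flag so the interpreter can fall back instead of failing. The enum, the function names and the fallback #define are this example's own; the flag's numeric value is the one from linux/fcntl.h.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Linux 6.14+ headers export AT_EXECVE_CHECK from linux/fcntl.h; the value
 * is repeated here only so the example also builds against older headers. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif

enum check_result {
    CHECK_ALLOWED,     /* execveat returned 0: IPE and other LSMs permit it */
    CHECK_DENIED,      /* EACCES/EPERM: an LSM refused the script */
    CHECK_UNSUPPORTED, /* EINVAL: this kernel does not know AT_EXECVE_CHECK */
    CHECK_ERROR        /* anything else, e.g. the file could not be opened */
};

/* Map the errno left by the check-only execveat() to a caller decision. */
enum check_result classify_errno(int err)
{
    switch (err) {
    case 0:      return CHECK_ALLOWED;
    case EACCES:
    case EPERM:  return CHECK_DENIED;
    case EINVAL: return CHECK_UNSUPPORTED;
    default:     return CHECK_ERROR;
    }
}

/* Ask the kernel whether 'path' may be executed as a script, without running
 * it. The raw errno is passed back through *err_out for logging. */
enum check_result check_script(const char *path, int *err_out)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) {
        *err_out = errno;
        return CHECK_ERROR;
    }
    /* A check-only request needs no argv/envp; raw syscall avoids depending
     * on a libc wrapper that may lack the flag. */
    long rc = syscall(SYS_execveat, fd, "", NULL, NULL,
                      AT_EMPTY_PATH | AT_EXECVE_CHECK);
    *err_out = (rc == 0) ? 0 : errno;  /* save before close() can clobber */
    close(fd);
    return classify_errno(*err_out);
}
```

Run it as `check_script(argv[1], &err)` from a main() of your own; on a kernel with IPE in enforce mode a script outside the trusted policy comes back CHECK_DENIED, while an older kernel reports CHECK_UNSUPPORTED.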
More details for those interested via the IPE merge for the Linux 6.19 kernel.
