linux-toradex.git/security/ipe, branch v6.19 Linux kernel for Apalis and Colibri modules Merge tag 'ipe-pr-20251202' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe 2025-12-03T19:19:34+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-03T19:19:34+00:00 c8321831480d80af01ce001bd6626fc130fd13b1 Pull IPE udates from Fan Wu: "The primary change is the addition of support for the AT_EXECVE_CHECK flag. This allows interpreters to signal the kernel to perform IPE security checks on script files before execution, extending IPE enforcement to indirectly executed scripts. Update documentation for it, and also fix a comment" * tag 'ipe-pr-20251202' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe: ipe: Update documentation for script enforcement ipe: Add AT_EXECVE_CHECK support for script enforcement ipe: Drop a duplicated CONFIG_ prefix in the ifdeffery 
Pull IPE udates from Fan Wu:
 "The primary change is the addition of support for the AT_EXECVE_CHECK
  flag. This allows interpreters to signal the kernel to perform IPE
  security checks on script files before execution, extending IPE
  enforcement to indirectly executed scripts.

  Update documentation for it, and also fix a comment"

* tag 'ipe-pr-20251202' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  ipe: Update documentation for script enforcement
  ipe: Add AT_EXECVE_CHECK support for script enforcement
  ipe: Drop a duplicated CONFIG_ prefix in the ifdeffery
Merge tag 'integrity-v6.19' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity 2025-12-03T19:08:03+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-03T19:08:03+00:00 777f8171602d5954cac024b66afa1b5b030641a4 Pull integrity updates from Mimi Zohar: "Bug fixes: - defer credentials checking from the bprm_check_security hook to the bprm_creds_from_file security hook - properly ignore IMA policy rules based on undefined SELinux labels IMA policy rule extensions: - extend IMA to limit including file hashes in the audit logs (dont_audit action) - define a new filesystem subtype policy option (fs_subtype) Misc: - extend IMA to support in-kernel module decompression by deferring the IMA signature verification in kernel_read_file() to after the kernel module is decompressed" * tag 'integrity-v6.19' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: Handle error code returned by ima_filter_rule_match() ima: Access decompressed kernel module to verify appended signature ima: add fs_subtype condition for distinguishing FUSE instances ima: add dont_audit action to suppress audit actions ima: Attach CREDS_CHECK IMA hook to bprm_creds_from_file LSM hook 
Pull integrity updates from Mimi Zohar:
 "Bug fixes:

   - defer credentials checking from the bprm_check_security hook to the
     bprm_creds_from_file security hook

   - properly ignore IMA policy rules based on undefined SELinux labels

  IMA policy rule extensions:

   - extend IMA to limit including file hashes in the audit logs
     (dont_audit action)

   - define a new filesystem subtype policy option (fs_subtype)

  Misc:

   - extend IMA to support in-kernel module decompression by deferring
     the IMA signature verification in kernel_read_file() to after the
     kernel module is decompressed"

* tag 'integrity-v6.19' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: Handle error code returned by ima_filter_rule_match()
  ima: Access decompressed kernel module to verify appended signature
  ima: add fs_subtype condition for distinguishing FUSE instances
  ima: add dont_audit action to suppress audit actions
  ima: Attach CREDS_CHECK IMA hook to bprm_creds_from_file LSM hook
ipe: Add AT_EXECVE_CHECK support for script enforcement 2025-12-03T03:37:01+00:00 Yanzhu Huang yanzhuhuang@linux.microsoft.com 2025-11-05T23:26:14+00:00 67678189e492dc119b91c30beccd12cdbb32350e This patch adds a new ipe_bprm_creds_for_exec() hook that integrates with the AT_EXECVE_CHECK mechanism. To enable script enforcement, interpreters need to incorporate the AT_EXECVE_CHECK flag when calling execveat() on script files before execution. When a userspace interpreter calls execveat() with the AT_EXECVE_CHECK flag, this hook triggers IPE policy evaluation on the script file. The hook only triggers IPE when bprm->is_check is true, ensuring it's being called from an AT_EXECVE_CHECK context. It then builds an evaluation context for an IPE_OP_EXEC operation and invokes IPE policy. The kernel returns the policy decision to the interpreter, which can then decide whether to proceed with script execution. This extends IPE enforcement to indirectly executed scripts, permitting trusted scripts to execute while denying untrusted ones. Signed-off-by: Yanzhu Huang <yanzhuhuang@linux.microsoft.com> Signed-off-by: Fan Wu <wufan@kernel.org> 
This patch adds a new ipe_bprm_creds_for_exec() hook that integrates
with the AT_EXECVE_CHECK mechanism. To enable script enforcement,
interpreters need to incorporate the AT_EXECVE_CHECK flag when
calling execveat() on script files before execution.

When a userspace interpreter calls execveat() with the AT_EXECVE_CHECK
flag, this hook triggers IPE policy evaluation on the script file. The
hook only triggers IPE when bprm->is_check is true, ensuring it's
being called from an AT_EXECVE_CHECK context. It then builds an
evaluation context for an IPE_OP_EXEC operation and invokes IPE policy.
The kernel returns the policy decision to the interpreter, which can
then decide whether to proceed with script execution.

This extends IPE enforcement to indirectly executed scripts, permitting
trusted scripts to execute while denying untrusted ones.

Signed-off-by: Yanzhu Huang <yanzhuhuang@linux.microsoft.com>
Signed-off-by: Fan Wu <wufan@kernel.org>
ipe: Drop a duplicated CONFIG_ prefix in the ifdeffery 2025-12-03T03:29:21+00:00 Borislav Petkov (AMD) bp@alien8.de 2025-10-09T15:45:25+00:00 864468ae309943fc9a1067606098b30959e4db33 Looks like it got added by mistake, perhaps editor auto-completion artifact. Drop it. No functional changes. Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de> Signed-off-by: Fan Wu <wufan@kernel.org> 
Looks like it got added by mistake, perhaps editor auto-completion
artifact. Drop it.

No functional changes.

Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Signed-off-by: Fan Wu <wufan@kernel.org>
ima: Access decompressed kernel module to verify appended signature 2025-11-19T14:19:42+00:00 Coiby Xu coxu@redhat.com 2025-11-19T14:03:25+00:00 c200892b46ba3df3dd210b7117a463ec283600c3 Currently, when in-kernel module decompression (CONFIG_MODULE_DECOMPRESS) is enabled, IMA has no way to verify the appended module signature as it can't decompress the module. Define a new kernel_read_file_id enumerate READING_MODULE_COMPRESSED so IMA can calculate the compressed kernel module data hash on READING_MODULE_COMPRESSED and defer appraising/measuring it until on READING_MODULE when the module has been decompressed. Before enabling in-kernel module decompression, a kernel module in initramfs can still be loaded with ima_policy=secure_boot. So adjust the kernel module rule in secure_boot policy to allow either an IMA signature OR an appended signature i.e. to use "appraise func=MODULE_CHECK appraise_type=imasig|modsig". Reported-by: Karel Srot <ksrot@redhat.com> Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Suggested-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Coiby Xu <coxu@redhat.com> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> 
Currently, when in-kernel module decompression (CONFIG_MODULE_DECOMPRESS)
is enabled, IMA has no way to verify the appended module signature as it
can't decompress the module.

Define a new kernel_read_file_id enumerate READING_MODULE_COMPRESSED so
IMA can calculate the compressed kernel module data hash on
READING_MODULE_COMPRESSED and defer appraising/measuring it until on
READING_MODULE when the module has been decompressed.

Before enabling in-kernel module decompression, a kernel module in
initramfs can still be loaded with ima_policy=secure_boot. So adjust the
kernel module rule in secure_boot policy to allow either an IMA
signature OR an appended signature i.e. to use
"appraise func=MODULE_CHECK appraise_type=imasig|modsig".

Reported-by: Karel Srot <ksrot@redhat.com>
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
ipe: move initcalls to the LSM framework 2025-10-22T23:24:25+00:00 Paul Moore paul@paul-moore.com 2025-02-18T22:13:08+00:00 d934f97db827ac44a84edf399d6b7a3946fe1cf1 Reviewed-by: Kees Cook <kees@kernel.org> Tested-by: Fan Wu <wufan@kernel.org> Acked-by: Fan Wu <wufan@kernel.org> Reviewed-by: John Johansen <john.johhansen@canonical.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
Reviewed-by: Kees Cook <kees@kernel.org>
Tested-by: Fan Wu <wufan@kernel.org>
Acked-by: Fan Wu <wufan@kernel.org>
Reviewed-by: John Johansen <john.johhansen@canonical.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
lsm: replace the name field with a pointer to the lsm_id struct 2025-10-22T23:24:18+00:00 Paul Moore paul@paul-moore.com 2025-02-12T19:45:06+00:00 9f9dc69e06ecbc61e7a50b823b82a78daf130dc0 Reduce the duplication between the lsm_id struct and the DEFINE_LSM() definition by linking the lsm_id struct directly into the individual LSM's DEFINE_LSM() instance. Linking the lsm_id into the LSM definition also allows us to simplify the security_add_hooks() function by removing the code which populates the lsm_idlist[] array and moving it into the normal LSM startup code where the LSM list is parsed and the individual LSMs are enabled, making for a cleaner implementation with less overhead at boot. Reviewed-by: Kees Cook <kees@kernel.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Paul Moore <paul@paul-moore.com> 
Reduce the duplication between the lsm_id struct and the DEFINE_LSM()
definition by linking the lsm_id struct directly into the individual
LSM's DEFINE_LSM() instance.

Linking the lsm_id into the LSM definition also allows us to simplify
the security_add_hooks() function by removing the code which populates
the lsm_idlist[] array and moving it into the normal LSM startup code
where the LSM list is parsed and the individual LSMs are enabled,
making for a cleaner implementation with less overhead at boot.

Reviewed-by: Kees Cook <kees@kernel.org>
Reviewed-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Merge tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe 2025-07-31T16:42:20+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-07-31T16:42:20+00:00 b4efd62564e96d1edb99eb00dd0ff620dbd1afab Pull ipe update from Fan Wu: "A single commit from Eric Biggers to simplify the IPE (Integrity Policy Enforcement) policy audit with the SHA-256 library API" * tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe: ipe: use SHA-256 library API instead of crypto_shash API 
Pull ipe update from Fan Wu:
 "A single commit from Eric Biggers to simplify the IPE (Integrity
  Policy Enforcement) policy audit with the SHA-256 library API"

* tag 'ipe-pr-20250728' of git://git.kernel.org/pub/scm/linux/kernel/git/wufan/ipe:
  ipe: use SHA-256 library API instead of crypto_shash API
ipe: use SHA-256 library API instead of crypto_shash API 2025-07-29T01:54:18+00:00 Eric Biggers ebiggers@google.com 2025-05-14T05:05:46+00:00 b90bb6dbf1d60d70969f8f8f2f30033f49711594 audit_policy() does not support any other algorithm, so the crypto_shash abstraction provides no value. Just use the SHA-256 library API instead, which is much simpler and easier to use. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Fan Wu <wufan@kernel.org> 
audit_policy() does not support any other algorithm, so the crypto_shash
abstraction provides no value.  Just use the SHA-256 library API
instead, which is much simpler and easier to use.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Fan Wu <wufan@kernel.org>
ipe: don't bother with removal of files in directory we'll be removing 2025-06-17T22:10:53+00:00 Al Viro viro@zeniv.linux.org.uk 2025-06-11T23:08:12+00:00 5be998a218f7db74bcb26accdfcb9fe2d0c18b75 ... and use securityfs_remove() instead of securityfs_recursive_remove() Acked-by: Fan Wu <wufan@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
... and use securityfs_remove() instead of securityfs_recursive_remove()

Acked-by: Fan Wu <wufan@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>