Description
Dear devs,
I hope I can give you here, as always, the newest security features of the kernel, like I did with Landlock.
The new feature is IPE.
Every container runtime can use
execveat() with AT_EXECVE_CHECK for checking whether an IPE policy is active or not.
https://docs.kernel.org/admin-guide/LSM/ipe.html
https://www.phoronix.com/news/Linux-6.19-IPE-AT_EXECVE_CHECK
Kernel IPE activation:
cat << 'EOF' > /tmp/ipe-policy.conf
policy_name=ipe_test policy_version=0.0.0
DEFAULT action=DENY
op=EXECUTE boot_verified=TRUE action=ALLOW
EOF
# IPE rules are property-based (boot_verified, dm-verity, fs-verity), not path-based.
# A policy loaded at runtime must be PKCS#7-signed with a key the kernel trusts;
# ipe-cert.pem / ipe-key.pem are placeholders for that signing key pair.
openssl smime -sign -in /tmp/ipe-policy.conf -signer ipe-cert.pem -inkey ipe-key.pem -binary -outform der -noattr -nodetach -out /tmp/ipe-policy.p7b
sudo tee /sys/kernel/security/ipe/new_policy > /dev/null < /tmp/ipe-policy.p7b
echo 1 | sudo tee /sys/kernel/security/ipe/policies/ipe_test/active > /dev/null
Simple C app example.
Every ELF binary, bash script or Python script can go through
execveat() with AT_EXECVE_CHECK,
and we have an additional layer of defense.
cat << 'EOF' > /tmp/exec-check.c
#define _GNU_SOURCE
#include <unistd.h>   /* execveat() wrapper needs glibc >= 2.34 */
#include <fcntl.h>
#include <stdio.h>
/* AT_EXECVE_CHECK is declared in <linux/fcntl.h> of kernel headers >= 6.14;
 * the fallback below is the kernel's own value. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif
int main(void) {
int fd = open("/tmp/testscript.sh", O_RDONLY);
if (fd < 0) { perror("open"); return 1; }
char *argv[] = { "/tmp/testscript.sh", NULL };
char *envp[] = { NULL };
// AT_EMPTY_PATH: the fd itself is the target (empty pathname);
// AT_EXECVE_CHECK: only ask whether execution would be allowed, never run it
if (execveat(fd, "", argv, envp, AT_EMPTY_PATH | AT_EXECVE_CHECK) != 0) {
perror("execveat");  /* EACCES when IPE denies, EINVAL on kernels without AT_EXECVE_CHECK */
return 1;
}
puts("execution would be allowed");
return 0;
}
EOF
Output in dmesg looks like this:
IPE: denied execution: path=/tmp/testscript.sh reason=integrity
Removing the policy:
# IPE refuses to delete the currently active policy; activate another one first
echo 1 | sudo tee /sys/kernel/security/ipe/policies/ipe_test/delete > /dev/null
I hope you can patch firejail with this feature or add a configure option --with-ipe for testing.
3 minimum checks:
If kernel 6.19 is running
If an IPE policy is set already
If the profile file or argv contains "ipe-check" or --ipe-check when firejail is started
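The three checks above plus the AT_EXECVE_CHECK probe, written out as one small C program. This is an added example, not code from firejail or from this issue: the kernel version threshold (6.19) is the one stated above, the securityfs layout (one directory per policy under /sys/kernel/security/ipe/policies with an "active" file) is assumed from the IPE admin guide, and the option name --ipe-check and profile line "ipe-check" are the ones proposed here. The execveat probe uses the raw syscall so it does not depend on the glibc version and reports "unsupported" on kernels that predate AT_EXECVE_CHECK instead of mistaking EINVAL for a denial.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

/* AT_EXECVE_CHECK lives in <linux/fcntl.h> of kernel headers >= 6.14;
 * the fallback is the kernel's own value. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

/* Assumed securityfs layout (IPE admin guide): policies/<name>/active reads "1"
 * for the policy currently enforced. */
#define IPE_POLICIES_DIR "/sys/kernel/security/ipe/policies"

/* Check 1: compare a uname release string such as "6.19.0-rc2" with a minimum. */
int kernel_at_least(const char *release, int want_major, int want_minor)
{
    int major = 0, minor = 0;
    if (sscanf(release, "%d.%d", &major, &minor) != 2)
        return 0;                                 /* unparseable: treat as too old */
    if (major != want_major)
        return major > want_major;
    return minor >= want_minor;
}

int running_kernel_at_least(int want_major, int want_minor)
{
    struct utsname u;
    return uname(&u) == 0 && kernel_at_least(u.release, want_major, want_minor);
}

/* Check 2: does any deployed IPE policy report itself as active? */
int ipe_policy_active(void)
{
    DIR *dir = opendir(IPE_POLICIES_DIR);
    if (!dir)
        return 0;                                 /* IPE absent or securityfs not mounted */
    struct dirent *ent;
    int active = 0;
    while (!active && (ent = readdir(dir)) != NULL) {
        if (ent->d_name[0] == '.')
            continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s/active", IPE_POLICIES_DIR, ent->d_name);
        FILE *f = fopen(path, "r");
        if (!f)
            continue;
        active = (fgetc(f) == '1');
        fclose(f);
    }
    closedir(dir);
    return active;
}

/* Check 3a: --ipe-check on the command line (hypothetical option name). */
int argv_requests_ipe_check(int argc, char *const argv[])
{
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "--ipe-check") == 0)
            return 1;
    return 0;
}

/* Check 3b: a profile line that is exactly "ipe-check", ignoring surrounding whitespace. */
int profile_line_requests_ipe_check(const char *line)
{
    while (isspace((unsigned char)*line))
        line++;
    size_t n = strlen(line);
    while (n > 0 && isspace((unsigned char)line[n - 1]))
        n--;
    return n == strlen("ipe-check") && strncmp(line, "ipe-check", n) == 0;
}

/* The kernel-side check: ask execveat(2) whether `path` could be executed without running it. */
enum exec_check { EXEC_CHECK_ALLOWED, EXEC_CHECK_DENIED, EXEC_CHECK_UNSUPPORTED, EXEC_CHECK_ERROR };

enum exec_check execve_check_path(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return EXEC_CHECK_ERROR;                  /* cannot even read the target */
    char *argv[] = { (char *)path, NULL };
    char *envp[] = { NULL };
    long rc = syscall(SYS_execveat, fd, "", argv, envp, AT_EMPTY_PATH | AT_EXECVE_CHECK);
    int err = errno;
    close(fd);
    if (rc == 0)
        return EXEC_CHECK_ALLOWED;                /* every LSM, IPE included, would permit it */
    if (err == EINVAL || err == ENOSYS)
        return EXEC_CHECK_UNSUPPORTED;            /* kernel predates AT_EXECVE_CHECK */
    return EXEC_CHECK_DENIED;                     /* EACCES from IPE, missing +x, ENOEXEC, ... */
}

int main(int argc, char *argv[])
{
    static const char *names[] = { "allowed", "denied", "unsupported", "error" };
    printf("kernel >= 6.19:     %d\n", running_kernel_at_least(6, 19));
    printf("IPE policy active:  %d\n", ipe_policy_active());
    printf("--ipe-check given:  %d\n", argv_requests_ipe_check(argc, argv));
    printf("check on /bin/true: %s\n", names[execve_check_path("/bin/true")]);
    return 0;
}
```

Only when all three checks pass would a sandbox run execve_check_path() on the target before the real execve; "unsupported" should fall back to the normal launch rather than being treated as a denial, otherwise firejail would refuse every program on a kernel without the flag.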
Thanks and
best regards