)]}'
{
  "commit": "67678189e492dc119b91c30beccd12cdbb32350e",
  "tree": "9f65194f51dee2c178e88a4d730dda576a084458",
  "parents": [
    "864468ae309943fc9a1067606098b30959e4db33"
  ],
  "author": {
    "name": "Yanzhu Huang",
    "email": "yanzhuhuang@linux.microsoft.com",
    "time": "Wed Nov 05 23:26:14 2025 +0000"
  },
  "committer": {
    "name": "Fan Wu",
    "email": "wufan@kernel.org",
    "time": "Tue Dec 02 19:37:01 2025 -0800"
  },
  "message": "ipe: Add AT_EXECVE_CHECK support for script enforcement\n\nThis patch adds a new ipe_bprm_creds_for_exec() hook that integrates\nwith the AT_EXECVE_CHECK mechanism. To enable script enforcement,\ninterpreters need to incorporate the AT_EXECVE_CHECK flag when\ncalling execveat() on script files before execution.\n\nWhen a userspace interpreter calls execveat() with the AT_EXECVE_CHECK\nflag, this hook triggers IPE policy evaluation on the script file. The\nhook only triggers IPE when bprm-\u003eis_check is true, ensuring it\u0027s\nbeing called from an AT_EXECVE_CHECK context. It then builds an\nevaluation context for an IPE_OP_EXEC operation and invokes IPE policy.\nThe kernel returns the policy decision to the interpreter, which can\nthen decide whether to proceed with script execution.\n\nThis extends IPE enforcement to indirectly executed scripts, permitting\ntrusted scripts to execute while denying untrusted ones.\n\nSigned-off-by: Yanzhu Huang \u003cyanzhuhuang@linux.microsoft.com\u003e\nSigned-off-by: Fan Wu \u003cwufan@kernel.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "de5fed62592e1d06089c3b078b5e4b73e24730ac",
      "old_mode": 33188,
      "old_path": "security/ipe/audit.c",
      "new_id": "3f0deeb54912730d9acf5e021a4a0cb29a34e982",
      "new_mode": 33188,
      "new_path": "security/ipe/audit.c"
    },
    {
      "type": "modify",
      "old_id": "42857c2ea2a582ad32c484588234c7580da455e2",
      "old_mode": 33188,
      "old_path": "security/ipe/hooks.c",
      "new_id": "2e3dc4ab22aebf96e18de74404909110a1ad2e77",
      "new_mode": 33188,
      "new_path": "security/ipe/hooks.c"
    },
    {
      "type": "modify",
      "old_id": "38d4a387d039f99db46cc987e80ac3d9ff7664a0",
      "old_mode": 33188,
      "old_path": "security/ipe/hooks.h",
      "new_id": "07db373327402881b887d0ae25ab4c662f434478",
      "new_mode": 33188,
      "new_path": "security/ipe/hooks.h"
    },
    {
      "type": "modify",
      "old_id": "4317134cb0da1f03a98691f3f613db216a4cc934",
      "old_mode": 33188,
      "old_path": "security/ipe/ipe.c",
      "new_id": "845e3fd7a345da4639a89dd6a43a9a0df404ebbc",
      "new_mode": 33188,
      "new_path": "security/ipe/ipe.c"
    }
  ]
}
