[GH-ISSUE #6982] Kernel 6.19 merged ipe check good for every container #3444

Closed
opened 2026-05-05 10:00:16 -06:00 by gitea-mirror · 0 comments

Originally created by @osevan on GitHub (Dec 4, 2025).
Original GitHub issue: https://github.com/netblue30/firejail/issues/6982

Dear devs,
I hope I can give here, as always, the newest security features for the kernel, like I did with Landlock.

New feature is IPE.

Every container runtime can plant
execveat() and AT_EXECVE_CHECK for checking if the IPE policy is active or not.

https://docs.kernel.org/admin-guide/LSM/ipe.html
https://www.phoronix.com/news/Linux-6.19-IPE-AT_EXECVE_CHECK

Kernel IPE activating:

```sh
cat << 'EOF' > /tmp/ipe-policy.conf
policy ipe_test {
    default DENY
    allow EXECUTE path_prefix=/usr
}
EOF

sudo tee /sys/kernel/security/ipe/policy > /dev/null < /tmp/ipe-policy.conf
```

Simple C app example.
Every ELF binary, bash script or Python script can go through
execveat() and AT_EXECVE_CHECK,
and we have an additional layer of defense.

```sh
cat << 'EOF' > /tmp/exec-check.c
#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>

/* AT_EXECVE_CHECK lives in the kernel UAPI header (linux/fcntl.h); older
 * libc headers do not define it, so fall back to the kernel's value. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif

int main(void) {
    int fd = open("/tmp/testscript.sh", O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }

    char *argv[] = { "/tmp/testscript.sh", NULL };
    char *envp[] = { NULL };

    // AT_EMPTY_PATH: the file to check is the one behind fd (pathname is "").
    // AT_EXECVE_CHECK: only ask the kernel whether execution would be allowed; nothing is run.
    if (execveat(fd, "", argv, envp, AT_EMPTY_PATH | AT_EXECVE_CHECK) != 0) {
        perror("execveat");   // e.g. EACCES when the IPE policy denies the file
        return 1;
    }
    printf("exec check passed\n");
    return 0;
}
EOF
```

Output in dmesg looks like this:

```
IPE: denied execution: path=/tmp/testscript.sh reason=integrity
```

Removing policy:

```sh
echo "" | sudo tee /sys/kernel/security/ipe/policy > /dev/null
```

I hope you can patch firejail with this feature or make a configure option --with-ipe for testing.

3 minimum checks:

- if kernel 6.19 is running
- if an IPE policy is set already
- if the profile file or argv contains "ipe-check" or --ipe-check when firejail is started

Thanks and

Best regards
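The three checks the post asks for (kernel version, IPE present, exec-time check of a file) sketched as one C program. This is an added example, not code from the post or from firejail: it issues the raw `execveat` syscall with `AT_EXECVE_CHECK` and classifies the outcome by errno, treats the existence of the `/sys/kernel/security/ipe` directory used in the post's commands as the sign that IPE is built in (an assumption about the securityfs layout, nothing beneath that directory is assumed), takes the 6.19 threshold from the post, and reads the target path from argv rather than from a firejail profile. The function and enum names (`exec_check`, `kernel_at_least`, `ipe_securityfs_present`, `exec_check_result`) are made up for the example; the default target `/bin/sh` is a constructed sample.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include <unistd.h>

/* Both flags come from the kernel UAPI (linux/fcntl.h); provide the kernel's
 * values when the libc headers in use predate them. */
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif

/* Hypothetical result classification for the example. */
enum exec_check_result {
    EXEC_CHECK_ALLOWED = 0,      /* kernel (IPE or any other LSM) would permit execution */
    EXEC_CHECK_DENIED = 1,       /* EACCES/EPERM: policy refused the file */
    EXEC_CHECK_UNSUPPORTED = 2,  /* EINVAL/ENOSYS: running kernel lacks AT_EXECVE_CHECK */
    EXEC_CHECK_ERROR = 3,        /* any other errno (e.g. ENOEXEC) */
    EXEC_CHECK_OPEN_FAILED = -1, /* the file could not be opened at all */
};

/* Check 1: parse "MAJ.MIN..." from a uname release string and compare. */
int kernel_at_least(const char *release, int maj, int min)
{
    int rmaj = 0, rmin = 0;
    if (sscanf(release, "%d.%d", &rmaj, &rmin) != 2)
        return 0;
    return (rmaj > maj) || (rmaj == maj && rmin >= min);
}

int running_kernel_at_least(int maj, int min)
{
    struct utsname u;
    if (uname(&u) != 0)
        return 0;
    return kernel_at_least(u.release, maj, min);
}

/* Check 2 (assumption): the post writes its policy under /sys/kernel/security/ipe,
 * so the directory being present is taken to mean IPE is built in and securityfs
 * is mounted. Whether a policy is actually active is not inspected here. */
int ipe_securityfs_present(void)
{
    struct stat st;
    return stat("/sys/kernel/security/ipe", &st) == 0 && S_ISDIR(st.st_mode);
}

/* Check 3: ask the kernel whether `path` would pass exec-time policy without
 * running it. The raw syscall is used so the code also builds against a libc
 * that has no execveat() wrapper. */
enum exec_check_result exec_check(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return EXEC_CHECK_OPEN_FAILED;

    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
    long rc = syscall(SYS_execveat, fd, "", argv, envp,
                      AT_EMPTY_PATH | AT_EXECVE_CHECK);
    int err = errno;   /* capture before close() can clobber it */
    close(fd);

    if (rc == 0)
        return EXEC_CHECK_ALLOWED;
    switch (err) {
    case EACCES:
    case EPERM:
        return EXEC_CHECK_DENIED;
    case EINVAL:
    case ENOSYS:
        return EXEC_CHECK_UNSUPPORTED;
    default:
        return EXEC_CHECK_ERROR;
    }
}

int main(int argc, char **argv)
{
    const char *target = argc > 1 ? argv[1] : "/bin/sh";   /* constructed default */
    static const char *const names[] = { "allowed", "denied", "unsupported", "error" };

    printf("kernel >= 6.19:          %s\n", running_kernel_at_least(6, 19) ? "yes" : "no");
    printf("IPE securityfs present:  %s\n", ipe_securityfs_present() ? "yes" : "no");

    enum exec_check_result r = exec_check(target);
    if (r == EXEC_CHECK_OPEN_FAILED)
        printf("exec check of %s: cannot open\n", target);
    else
        printf("exec check of %s: %s\n", target, names[r]);
    return r == EXEC_CHECK_ALLOWED ? 0 : 1;
}
```

Run it as `./exec-check /path/to/file`; a non-zero exit on `denied` is what a wrapper such as firejail would act on, while `unsupported` tells it the kernel predates AT_EXECVE_CHECK and the check should be skipped rather than treated as a denial.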
