
URL: https://www.phoronix.com/news/Linux-6.19-IPE-AT_EXECVE_CHECK


Linux 6.19 Will Allow Enforcing IPE Security Checks On Indirectly Executed Scripts

Written by Michael Larabel in Linux Security on 4 December 2025 at 06:07 AM EST.
Linux's Integrity Policy Enforcement "IPE" module is gaining a useful addition with the in-development Linux 6.19 kernel.

Linux Integrity Policy Enforcement now honors the "AT_EXECVE_CHECK" flag, so user-space interpreters can signal the kernel to perform IPE security checks on script files before executing them. With AT_EXECVE_CHECK, IPE enforcement extends to indirectly executed scripts on the system.

The updated Linux IPE documentation further explains the new AT_EXECVE_CHECK behavior for scripts:
"With the introduction of the AT_EXECVE_CHECK flag, interpreters can use it to signal the kernel that a script file will be executed, and request the kernel to perform LSM security checks on it.

IPE's EXECUTE operation enforcement differs between compiled executables and interpreted scripts: For compiled executables, enforcement is triggered automatically by the kernel during execve(), execveat(), mmap() and mprotect() syscalls when loading executable content. For interpreted scripts, enforcement requires explicit interpreter integration using execveat() with AT_EXECVE_CHECK flag. Unlike exec syscalls that IPE intercepts during the execution process, this mechanism needs the interpreter to take the initiative, and existing interpreters won't be automatically supported unless the signal call is added."
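The interpreter-side integration the documentation describes, as an added example that is not code from the article or from the kernel tree: before interpreting a script, ask the kernel via execveat() with AT_EXECVE_CHECK whether executing that file would be permitted, so IPE's EXECUTE policy is applied to the script without actually executing it. The AT_EXECVE_CHECK value (0x10000), the errno mapping and the verdict names are assumptions made for this example, taken from the kernel's uapi header and exec code rather than from the page.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed value from include/uapi/linux/fcntl.h (Linux 6.14+); older libc headers lack it. */
#ifndef AT_EXECVE_CHECK
#define AT_EXECVE_CHECK 0x10000
#endif

enum script_verdict {
    SCRIPT_ALLOWED,           /* kernel, including IPE, would permit execution */
    SCRIPT_DENIED,            /* an exec permission check or LSM hook refused it */
    SCRIPT_CHECK_UNSUPPORTED, /* running kernel does not know AT_EXECVE_CHECK */
    SCRIPT_CHECK_ERROR        /* bad fd, missing file, ... */
};

/* Map the errno left behind by the check into a verdict the interpreter acts on (assumed mapping). */
enum script_verdict classify_check_errno(int err)
{
    switch (err) {
    case 0:      return SCRIPT_ALLOWED;
    case EACCES:
    case EPERM:  return SCRIPT_DENIED;
    case EINVAL: return SCRIPT_CHECK_UNSUPPORTED; /* flag unknown to this kernel */
    default:     return SCRIPT_CHECK_ERROR;
    }
}

/* Ask the kernel whether executing the already-open script would be allowed, without
 * executing it: execveat() with AT_EXECVE_CHECK returns 0 only when the exec permission
 * checks and the LSM hooks (IPE's EXECUTE operation) pass. Raw syscall: no libc wrapper needed. */
enum script_verdict check_script_fd(int fd)
{
    long rc = syscall(SYS_execveat, fd, "", (void *)0, (void *)0, AT_EMPTY_PATH | AT_EXECVE_CHECK);
    return rc == 0 ? SCRIPT_ALLOWED : classify_check_errno(errno);
}

/* Open the script and check it by fd, so the file that was checked is exactly the file
 * the interpreter goes on to read (no path re-resolution between check and use). */
enum script_verdict check_script_path(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return SCRIPT_CHECK_ERROR;
    enum script_verdict v = check_script_fd(fd);
    close(fd);
    return v;
}
```

An interpreter would call check_script_path() on each script before parsing it and only run the file on SCRIPT_ALLOWED; what to do on SCRIPT_CHECK_UNSUPPORTED (older kernel) is a deployment policy decision, not something the kernel answers.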

This security contribution from Microsoft's Linux team extends IPE enforcement to indirectly executed scripts so that trusted scripts can execute while denying untrusted scripts.

More details for those interested via the IPE merge for the Linux 6.19 kernel.

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.