Kernel 6.19 merged ipe check good for every container #6983

osevan · 2025-12-04T13:59:13Z

osevan
Dec 4, 2025

Dear devs,
I hope i can give here as always newest security features for kernel - like I did with landlock .

New feature is ipe

Every container runtime can plant
execveat( ) and AT_EXECVE_CHECK for checking if ipe policy is active or not

https://docs.kernel.org/admin-guide/LSM/ipe.html
https://www.phoronix.com/news/Linux-6.19-IPE-AT_EXECVE_CHECK

Kernel ipe activating :

cat << 'EOF' > /tmp/ipe-policy.conf
policy ipe_test {
    default DENY
    allow EXECUTE path_prefix=/usr
}
EOF

sudo tee /sys/kernel/security/ipe/policy > /dev/null < /tmp/ipe-policy.conf

Simple c app example
Every elf binary or bash script or python script can go through
execveat( ) and AT_EXECVE_CHECK
And we have additional layer of defense .

cat << 'EOF' > /tmp/exec-check.c
#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <stdio.h>

int main() {
    int fd = open("/tmp/testscript.sh", O_RDONLY);
    if (fd < 0) { perror("open"); return 1; }

    char *argv[] = { "/tmp/testscript.sh", NULL };
    char *envp[] = { NULL };

    // execveat with AT_EXECVE_CHECK (0x04000000)
    return execveat(fd, "", argv, envp, AT_EXECVE_CHECK);
}
EOF

Output in dmesg looks like this :

IPE: denied execution: path=/tmp/testscript.sh reason=integrity

Removing policy :

echo "" | sudo tee /sys/kernel/security/ipe/policy > /dev/null

I hope you can patch firejail with these feature or make configure option --with-ipe for testing .

3 minimum checks :
If kernel 6.19 running
If ipe policy set already
If profile file or argv got content "ipe-check" or --ipe-check when firejail started

Thanks and

Best regards

netblue30 · 2025-12-12T14:10:45Z

netblue30
Dec 12, 2025
Maintainer

Thanks @osevan, I'll definitely integrate it into firejail. It is a more elegant solution than what we have now.

By May 2026 kernel 6.19 will be at least in Arch and Ubuntu. Currently we have:

Debian 13 (Aug 2025) kernel 6.12
Ubuntu 25.10 (Oct 2025) kernel 6.17
Fedora 43 (Oct 2025) kernel 6.17

0 replies

osevan · 2025-12-12T17:54:46Z

osevan
Dec 12, 2025
Author

Not to forget: this should be as additional layer of defense .
Not replacing completely what you wrote already well inside firejail .

Like landlock and apparmor lsm it should work as additional layer of defense .

Thanks and

Best regards

0 replies

netblue30 · 2025-12-19T13:51:58Z

netblue30
Dec 19, 2025
Maintainer

By default we try not to replace it, and just layer it on top of what we have.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Kernel 6.19 merged ipe check good for every container #6983

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 3 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Kernel 6.19 merged ipe check good for every container #6983

Uh oh!

Uh oh!

osevan Dec 4, 2025

Replies: 3 comments

Uh oh!

netblue30 Dec 12, 2025 Maintainer

Uh oh!

osevan Dec 12, 2025 Author

Uh oh!

netblue30 Dec 19, 2025 Maintainer

osevan
Dec 4, 2025

netblue30
Dec 12, 2025
Maintainer

osevan
Dec 12, 2025
Author

netblue30
Dec 19, 2025
Maintainer