linux-hardened

Implement Trusted Path Execution

Open madaidan opened this issue 5 years ago • 2 comments

Trusted Path Execution (TPE) will restrict certain users so they are only able to execute files in root-owned directories writable only by root. This makes it far harder for an attacker to execute their own code.

By default, only users of the "untrusted" group will be under TPE restrictions.

This adds 4 sysctls. fs.tpe to enable/disable TPE, fs.tpe_restrict_all to cover all non-root users under a weaker TPE restriction (they will only be allowed to execute files in directories they own that aren't group/world-writable, or in directories owned by root and writable only by root), fs.tpe_invert to turn the "untrusted" group into a "trusted" group (only users in that group are exempt from the restriction and all other non-root users are restricted) and fs.tpe_gid to configure the GID of the trusted/untrusted group. There are kconfig options to set the defaults of all of these.

This is disabled by default as it could break many of the user's own programs.

This is based on GRKERNSEC_TPE.

madaidan, Feb 12 '20 23:02
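The policy described in this pull request, modelled in userspace C as an added example (not code from the pull request or from linux-hardened). It assumes "writable only by root" means owned by UID 0 with no group or world write bit, and that a user under the strict restriction keeps it when fs.tpe_restrict_all is also set; the struct and function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* The four sysctls from the pull request description. */
struct tpe_cfg {
    bool enabled;      /* fs.tpe */
    bool restrict_all; /* fs.tpe_restrict_all */
    bool invert;       /* fs.tpe_invert */
    gid_t gid;         /* fs.tpe_gid; membership is resolved by the caller */
};

/* Assumption: "writable only by root" = no group/world write bit. */
static bool not_shared_writable(mode_t mode) { return !(mode & (S_IWGRP | S_IWOTH)); }

/* May `uid` execute from a dir with this owner/mode? in_group: member of cfg->gid. */
bool tpe_allows(const struct tpe_cfg *cfg, uid_t uid, bool in_group,
                uid_t dir_owner, mode_t dir_mode)
{
    if (!cfg->enabled || uid == 0)
        return true;                       /* TPE off, or root */
    bool root_dir = dir_owner == 0 && not_shared_writable(dir_mode);
    /* Default: group members are untrusted. Inverted: non-members are. */
    bool strict = cfg->invert ? !in_group : in_group;
    if (strict)
        return root_dir;
    if (cfg->restrict_all)                 /* weaker rule for everyone else */
        return root_dir || (dir_owner == uid && not_shared_writable(dir_mode));
    return true;
}

/* Audit helper: 1 = allowed, 0 = denied, -1 = not a directory / stat failed. */
int tpe_check_dir(const struct tpe_cfg *cfg, uid_t uid, bool in_group, const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return tpe_allows(cfg, uid, in_group, st.st_uid, st.st_mode) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: UID 1000 is in the untrusted group (GID 1005). */
    struct tpe_cfg cfg = { .enabled = true, .gid = 1005 };
    const char *dirs[] = { "/usr/bin", "/tmp", "/dev/shm" };
    for (size_t i = 0; i < sizeof dirs / sizeof dirs[0]; i++)
        printf("%-10s -> %d\n", dirs[i], tpe_check_dir(&cfg, 1000, true, dirs[i]));
    return 0;
}
```

Running the audit helper over the directories in a service account's PATH shows which of them would stop being usable for execution before the sysctls are switched on.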

Thanks for the pull-request.

I've only taken a quick look but can't this be easily bypassed with PROT_EXEC memory mappings? By the way, have you looked at past upstream submissions of LSM-based equivalents for grsecurity's TPE, for instance this one?

tsautereau-anssi, Feb 17 '20 12:02

> I've only taken a quick look but can't this be easily bypassed with PROT_EXEC memory mappings?

Executable memory mappings are a big issue but I don't think it should be solved in TPE. Other things like PAX_MPROTECT, S.A.R.A. LSM or SELinux's memory protections can solve this by preventing memory mappings from being writable and executable.

> By the way, have you looked at past upstream submissions of LSM-based equivalents for grsecurity's TPE, for instance this one?

I've briefly looked over them.

madaidan, Feb 17 '20 15:02