From: matt@nmatt.com (Matt Brown)
To: linux-security-module@vger.kernel.org
Subject: [PATCH v2 0/1] Add Trusted Path Execution as a stackable LSM
Date: Wed, 7 Jun 2017 23:43:48 -0400 [thread overview]
Message-ID: <20170608034349.31876-1-matt@nmatt.com> (raw)
Trusted Path Execution (TPE)
Patch Versions:
v1:
* initial patch introduction
v2:
* included copyright notice from Brad Spengler and Corey Henderson
* reversed the invert_gid logic. tpe.gid now defaults to being the
trusted group rather than the untrusted group.
* fixed race condition by taking reference to the parent dentry
* added sysctl tpe.restrict_root that includes the root user in TPE checks
* added mprotect and mmap restrictions from Corey Henderson tpe-lkm
project
* added documentation file
This patch was modified from Brad Spengler's Trusted Path Execution (TPE)
feature. It also adds features and config options that were found in Corey
Henderson's tpe-lkm project.
Modifications from Brad Spengler's implementation of TPE were made to
turn it into a stackable LSM using the existing LSM hook bprm_set_creds.
Also, a new denial logging function was used to simplify printing messages
to the kernel log. Additionally, mmap and mprotect restrictions were
taken from Corey Henderson's tpe-lkm project and implemented using the
LSM hooks mmap_file and file_mprotect.
Trusted Path Execution is not a new idea:
http://phrack.org/issues/52/6.html#article
| A trusted path is one that is inside a root owned directory that
| is not group or world writable. /bin, /usr/bin, /usr/local/bin, are
| (under normal circumstances) considered trusted. Any non-root
| users home directory is not trusted, nor is /tmp.
To be clear, Trusted Path Execution is no replacement for a MAC system
like SELinux, SMACK, or AppArmor. This LSM is designed to be good enough
without requiring a userland utility to configure policies. The fact
that TPE only requires the user to turn on a few sysctl options lowers
the barrier to implementing a security framework substantially.
Threat Models:
1. Attacker on system executing exploit on system vulnerability
* If attacker uses a binary as a part of their system exploit, TPE can
frustrate their efforts
* This protection can be more effective when an attacker does not yet
have an interactive shell on a system
* Issues:
* Can be bypassed by interpreted languages such as python. You can run
malicious code by doing: python -c 'evil code'
2. Attacker on system replaces binary used by a privileged user with a
malicious one
* This situation arises when the administrator of a system leaves a
binary as world writable.
* TPE is very effective against this threat model
Documentation/security/tpe.txt | 59 +++++++++++
MAINTAINERS | 5 +
include/linux/lsm_hooks.h | 5 +
security/Kconfig | 1 +
security/Makefile | 2 +
security/security.c | 1 +
security/tpe/Kconfig | 64 ++++++++++++
security/tpe/Makefile | 3 +
security/tpe/tpe_lsm.c | 218 +++++++++++++++++++++++++++++++++++++++++
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next reply other threads:[~2017-06-08 3:43 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-08 3:43 Matt Brown [this message]
2017-06-08 3:43 ` [PATCH v2 1/1] Add Trusted Path Execution as a stackable LSM Matt Brown
2017-06-09 2:38 ` Kees Cook
2017-06-09 3:50 ` Matt Brown
2017-06-09 10:18 ` Mimi Zohar
2017-06-09 12:55 ` Kees Cook
2017-06-09 13:15 ` Matt Brown
2017-06-09 13:16 ` Mimi Zohar
2017-06-09 13:18 ` [kernel-hardening] " Matt Brown
2017-06-09 13:44 ` Mimi Zohar
2017-06-16 2:25 ` kbuild test robot
2017-06-16 2:25 ` [RFC PATCH] print_tpe_error() can be static kbuild test robot
2017-06-08 18:37 ` [PATCH v2 0/1] Add Trusted Path Execution as a stackable LSM Alan Cox
2017-06-08 19:01 ` Matt Brown
2017-06-08 19:23 ` Alan Cox
[not found] ` <9d175249-c9f3-daba-bae4-f60dc97795e6@digikod.net>
2017-06-12 0:04 ` Matt Brown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170608034349.31876-1-matt@nmatt.com \
--to=matt@nmatt.com \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).