Trusted Path Execution

madaidan · February 11, 2020, 6:43pm

Trusted Path Execution (TPE) prevents users from executing any binaries that are writable by any user other than root. This makes it far harder for unprivileged attackers to execute any of their own code.

There’s different ways this can be implemented. Grsecurity had a GRKERNSEC_TPE option and there is a kernel module that does this, somewhat similar to LKRG GitHub - cormander/tpe-lkm: Trusted Path Execution (TPE) Linux Kernel Module

I don’t really like the look of tpe-lkm though as it’s only been tested on really old kernels and it adds a bunch of other extra, unrelated and poorly implemented features (e.g. restricting /proc/kallsyms, restricting /proc/modules, restricting ptrace etc.). The only potentially useful parts of the extra features are already part of the vanilla kernel.

I can maybe work on porting GRKERNSEC_TPE if you want as that seems to be the best approach. There was some work on that already https://github.com/AndroidHardeningArchive/linux-hardened/pull/32/commits/5af947c0a4c43256188c85f4220af145cb5d3d99

A huge issue with TPE in general though is interpreters as they can bypass the restrictions so we’d need “interpreter lock” ⚓ T941 lock down interpreters / compilers (interpreter lock) (compiler lock)

Alternatively, see the shebang LSM to restrict interpreters.

madaidan · February 11, 2020, 10:04pm

I’ve ported GRKERNSEC_TPE but I haven’t tested it yet. I’ll create a PR to linux-hardened if it goes well.

HulaHoop · February 12, 2020, 3:11pm

Awesome. Looking forward to that.

madaidan · February 12, 2020, 10:07pm

We need to decide how we’re going to configure TPE. It has multiple ways it can be used.

The default: all users in the “untrusted” group are under the TPE restriction and can only execute files that are writable only by root.
tpe_invert: the opposite of (1). Only users in the “trusted” group are exempt from the restriction. All other non-root users are under the TPE restriction. The trusted group can be left empty and we will have a system-wide TPE restriction.
tpe_restrict_all: all non-root users will be covered under a weaker TPE restriction. This doesn’t have a trusted/untrusted group. All non-root users will only be allowed to execute files only they or root can write to i.e. they can execute their own and root’s files but not other users’ files.

The strictest configuration is (2) but we might not want it that strict.

All of this can be configured at runtime via the fs.tpe* sysctls.

madaidan · February 12, 2020, 11:16pm

github.com/anthraxx/linux-hardened

Implement Trusted Path Execution

anthraxx:master ← madaidan:tpe

opened 11:14PM - 12 Feb 20 UTC

madaidan

+249 -1

Trusted Path Execution (TPE) will restrict certain users so they are only able t…o execute files in root-owned directories writable only by root. This makes it far harder for an attacker to execute their own code. By default, only users of the "untrusted" group will be under TPE restrictions. This adds 4 sysctls. `fs.tpe` to enable/disable TPE, `fs.tpe_restrict_all` to cover all non-root users under a weaker TPE restriction (they will only be allowed to execute files in directories they own that aren't group/world-writable, or in directories owned by root and writable only by root), `fs.tpe_invert` to turn the "untrusted" group into a "trusted" group (only users in that group are exempt from the restriction and all other non-root users are restricted) and `fs.tpe_gid` to configure the GID of the trusted/untrusted group. There are kconfig options to set the defaults of all of these. This is disabled by default as it could break many of the user's own programs. This is based on GRKERNSEC_TPE.

Patrick · February 13, 2020, 6:30pm

It’s a bit early to tell. Can be tested once available. We can aim for
the strictest setting and then back down if required.