Trusted Path Execution

Trusted Path Execution (TPE) prevents users from executing any binaries that are writable by any user other than root. This makes it far harder for unprivileged attackers to execute any of their own code.

There’s different ways this can be implemented. Grsecurity had a GRKERNSEC_TPE option and there is a kernel module that does this, somewhat similar to LKRG https://github.com/cormander/tpe-lkm

I don’t really like the look of tpe-lkm though as it’s only been tested on really old kernels and it adds a bunch of other extra, unrelated and poorly implemented features (e.g. restricting /proc/kallsyms, restricting /proc/modules, restricting ptrace etc.). The only potentially useful parts of the extra features are already part of the vanilla kernel.

I can maybe work on porting GRKERNSEC_TPE if you want as that seems to be the best approach. There was some work on that already https://github.com/AndroidHardeningArchive/linux-hardened/pull/32/commits/5af947c0a4c43256188c85f4220af145cb5d3d99

A huge issue with TPE in general though is interpreters as they can bypass the restrictions so we’d need “interpreter lock” https://phabricator.whonix.org/T941

Alternatively, see the shebang LSM to restrict interpreters.


I’ve ported GRKERNSEC_TPE but I haven’t tested it yet. I’ll create a PR to linux-hardened if it goes well.


Awesome. Looking forward to that.

1 Like

We need to decide how we’re going to configure TPE. It has multiple ways it can be used.

  1. The default: all users in the “untrusted” group are under the TPE restriction and can only execute files that are writable only by root.

  2. tpe_invert: the opposite of (1). Only users in the “trusted” group are exempt from the restriction. All other non-root users are under the TPE restriction. The trusted group can be left empty and we will have a system-wide TPE restriction.

  3. tpe_restrict_all: all non-root users will be covered under a weaker TPE restriction. This doesn’t have a trusted/untrusted group. All non-root users will only be allowed to execute files only they or root can write to i.e. they can execute their own and root’s files but not other users’ files.

The strictest configuration is (2) but we might not want it that strict.

All of this can be configured at runtime via the fs.tpe* sysctls.

1 Like
1 Like

It’s a bit early to tell. Can be tested once available. We can aim for
the strictest setting and then back down if required.

1 Like
[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]