Trusted Path Execution (TPE) is an old and simple concept. It dates back to at least 1998 with route's Phrack 62 article linked below. The goal of TPE is to provide an easily-configurable and generally software compatible method of preventing unprivileged users from executing binaries they create. Grsecurity extends the idea of TPE a bit and resolves some vulnerabilities in the original design in the process (for instance, TPE is not bypassed via ld.so under grsecurity). --https://grsecurity.net/features.php
TPE (Trusted Path Execution, 可信路径执行) 用来限制一些恶意程序的执行,它定义了一个可信路径,满足可信条件的路径可以执行,否则被认为是恶意的(不可信的),就不能执行。 这里的关键就是定义这个可信条件,并且完美的实现!
什么样的路径被认为是可信的?
root所拥有的,且非root不可改写的。
下面看看两个不同的实现:
Trusted path execution is another optional feature that can be used to prevent users from executing binaries not owned by the root user, or world-writable binaries. This is useful to prevent users from executing their own malicious binaries or accidentally executing world-writable system binaries that could have been modified by a malicious user. --grsecurity
规则:拒绝执行非root用户拥有的程序,或者全局可写的二进制程序。
实现:在加载可执行程序时检查程序文件的拥有者(属主owner),以及程序文件的权限,GROUP 和 OTHER 是否可写?
TPE只是grsecurity在文件系统上的一个安全特性,它是通过LSM(Linux Security Module)实现的。
Trusted Path Execution is a security feature that denies users from executing programs that are not owned by root, or are writable.
规则:只有root拥有的不可写程序才是可信的(uid=0 && not writable),不可写确保该程序不能被非root用户恶意替换!
该条件都是针对非root用户设定的,root可以执行任何程序;
判断的不是root用户,所以是否writable是判断程序文件的组权限和其他用户权限,即
(inode->i_mode & S_IWOTH) ||(inode->i_mode & S_IWGRP)
关于i_mode参考here
TPE-LSM的实现没有用LSM,而是直接劫持内核函数(如do_execve),来实现hook。