Trusted Path Execution (TPE) Linux Kernel Module
C Shell
Latest commit 4762907 Aug 27, 2014 @cormander Cut release for version 1.1.0
Going from version 1.0.3 to version 1.1.0 due to changes that I consider big enough that this isn't just a small release. Here's a quick summary;

* add support for EL7 and Ubuntu 14 LTS (linux 3.10 and 3.13)
* dropping support for 32bit EL5
* harden link support for EL6 (already upstream in EL7)
* restrict setuid support in EL6 and up
* added "trusted_invert" sysctl option
* better optimized code flow
* a simple suite for regression testing

Have a nice day!



Trusted Path Execution (TPE) Linux Kernel Module


About this module

Trusted Path Execution is a security feature that denies users from executing
programs that are not owned by root, or are writable. This closes the door on a
whole category of exploits where a malicious user tries to execute his or her
own code to attack the system.

Since this module doesn't use any kind of ACLs, it works out of the box with no
configuration. It isn't complicated to test or deploy to current production
systems. Just install it and you're done!


WARNING! Use at your own risk!

Although stable on tested systems, I have never used your system before. I can
not guarantee that it won't crash your system, melt your hard drive, get you
fired from your job, and/or any other horrible event. Use at your own risk.


Supported Kernels

This has been tested on the following systems (x86, both 32 and 64bit):

 - RHEL/CentOS 5 (linux-2.6.18) - 32bit no longer supported
 - RHEL/CentOS 6 (linux-2.6.32)
 - RHEL/CentOS 7 (linux-3.10.0)
 - RHEL/CentOS Xen, both xenU (el5) and pvops (el6)
 - Ubuntu 12.04 LTS (linux-3.2.0)
 - Ubuntu 14.04 LTS (linux-3.13.0)

This module *should* work on most linux kernels version 2.6 and above, but has
only been verified on the above systems. If you get a compile error or a kernel
oops, please contact this module's author.



* Trusted Path Execution; deny execution of non-root owned or writable binaries

  $ gcc -o exploit exploit.c
  $ chmod 755 exploit
  $ ./exploit
  -bash: ./exploit: Permission denied

  $ dmesg | tail -n1
  [tpe] Denied untrusted exec of /home/corey/exploit (uid:500) by /bin/bash
  (uid:500), parents: /usr/sbin/sshd (uid:500), /usr/sbin/sshd (uid:0),
  /sbin/init (uid:0). Deny reason: directory uid not trusted

Extras, also ported from grsecurity (but not tpe related):

* Restrict non-root users from viewing loaded kernel modules

  $ cat /proc/modules 
  cat: /proc/modules: Operation not permitted

* Restrict non-root users from viewing the kernel symbol table

  $ cat /proc/kallsyms 
  cat: /proc/kallsyms: Operation not permitted

* Restrict non-root users from viewing processes they don't own

  $ ps auxf
  corey    22450  0.0  0.7  97780  1804 ?        S    14:12   0:00 sshd: corey @pts/1
  corey    22451  0.0  0.7 108288  1884 pts/1    Ss   14:12   0:00  \_ -bash
  corey    22474  0.0  0.4 110184  1044 pts/1    R+   14:12   0:00      \_ ps auxf

See the "Configuration" section below for how to enable these extras.



See the INSTALL file for installation instructions.



See the FAQ file for frequently asked questions.



Although most people will find they don't need to change the default values,
you have the option to configure various things in this module at runtime using
the sysctl interface to tighten or lax the TPE restrictions. You can see the
values in this proc directory:


softmode	- log what would be denied but don't actually deny. default off
strict		- enforce some TPE features even on trusted users. default on
check_file	- check file owner/mode in addition to directory. default on
group_writable  - check if the file/directory is group writable. default on
kill		- kill the offending process and its parent when it gets denied
		  execution from TPE, unless it's root. default off
log		- whether to log denied execs to the ring buffer. default on
log_max		- maximun parent processes in a single log entry. default 50
log_floodburst	- number of log entries before logging is disabled. default 5
log_floodtime	- seconds until re-enabling logging after floodburst. default 5
paranoid	- enforce the trusted path restrictions root too. default off
hardcoded_path	- use with caution! a list of directories, separated by colons,
		  that the trusted path will be restricted to; nothing outside
		  this path may be executed/mmaped. default to empty (off)
trusted_gid	- gid of trusted users who TPE is not enforced. default 0 (off)
trusted_invert	- changes what "trusted_gid" means; if set, users in the gid
		  will be the only ones whom TPE is enforced. default 0 (off)
admin_gid	- files belonging to this group are treated as if they're owned
		  by root; TPE is not enforced on them. default 0 (off)
dmz_gid		- users in this gid can't exec anything at all. default 0 (off)
lock		- when enabled, these sysctl entries can no longer be changed.

extras/		- directory for additional protections that aren't TPE related.
		  These protections are all off by default, and are as follows:

lsmod		- denies non-root users from viewing loaded kernel modules
proc_kallsyms	- denies non-root users from viewing /proc/kallsyms
ps		- denies non-root users from viewing processes they don't own
ps_gid		- gid of users who aren't restricted by ps. default 0 (off)
restrict_setuid - users not in the trusted_gid are denied calls to setuid()
harden_symlink	- denies non-root users from following symlinks to files owned
		  by a different user (like grsecurity's GRKERNSEC_SYMLINKOWN)
harden_hardlinks - denies non-root users from creating hardlinks to files owned
		  by a different user, denies non-root users from hardlinking
		  to special files (device nodes, etc)

Edit the /etc/sysctl.d/tpe.conf file to change the defaults of these various
features. I highly recommend that you turn on the "extras" where possible.

Some sysctl options my not exist due to them not being possible on the kernel,
or the feature was pushed upstream. Notable examples are the link setuid and
link hardening. We used to do dmesg_restrict too, but have since removed it due
to it being in recent versions of all the supported kernels.


Compatibility Issues

Test this module before deploying to a critical system, especially if you're
not using a kernel in the above "Supported Kernels" list.

Trusted Path Execution will cause some programs to stop functioning correctly.
If it doesn't result in a kernel BUG or other stack-trace to show up in dmesg,
it's the program that needs fixing, not this module. A way to work around this
problem is adding the uid of the user these broken programs run as to the
"Trusted GID" group, so TPE is not enforced on them. You can set this group id
in /proc/sys/tpe/trusted_gid 

List of programs known to fail while TPE is active for the user running it:

* wine
* dropbox

This module will not work on systems where loadable kernel module support is
disabled at compile time (CONFIG_MODULES not being set).

This module requires many LSM hooks in order to work, and will error out when
security is disabled at compile time (CONFIG_SECURITY not being set).

If you custom compile your own kernel and want TPE, consider using grsecurity
instead of this module.

This module may conflict with ksplice, but I've never actually tested that
theory. If you use that software, let me know whether or not you run into
problems when using this module.


TPE Coverage

This code was stared as a "proof of concept" and turned into a usable security
tool. It may not cover all entry points that TPE needs to cover. If you find a
way to bypass the trusted path, let me know, and I'll update this code.



There are currently no known bugs. If you discover one, please report it to the

If your system crashes as a result of TPE, consider setting the following:

sudo sysctl kernel.panic_on_oops=0

This will give you a chance to capture the kernel errors in your system logs.



 - memset

With that I learnt how to hijack system calls and bypass the "general
protection fault" which has previously been blocking me from doing this.

 - Eugene Shatokhin

There were a few not-so-minor bugs in this module, and I asked this question on
Stack Overflow:

Eugene helped me out and shared code which is now in use by this module, which
has made it stable.

 - Brad Spengler -

Trusted Path Execution, and the "extra" features in this module are all
features of grsecurity, and I originally pulled code from that project to make
this module. This module's TPE code has since evolved to cover much more than
grsecurity's TPE feature; however, anything in this module beyond grsecurity's
TPE can be done with grsecurity's RBAC system, so it is no substitute.


About the Author

email: corman /AT/ cormander /DOT/ com