Add new group_writable option to sysctl

Enabled by default, this check determines whether to deny execution based on a file/directory being writable by the group.
cormander · May 30, 2012 · 1ac064a · 1ac064a
1 parent a9239a7
commit 1ac064a
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 1 deletion.
diff --git a/README b/README
@@ -103,6 +103,7 @@ values in this proc directory:
 softmode	- log what would be denied but don't actually deny. default off
 strict		- enforce some TPE features even on trusted users. default on
 check_file	- check file owner/mode in addition to directory. default on
+group_writable  - check if the file/directory is group writable. default on
 kill		- kill the offending process and its parent when it gets denied
 		  execution from TPE, unless it's root. default off
 log		- whether to log denied execs to the ring buffer. default on

diff --git a/core.c b/core.c
@@ -137,7 +137,7 @@ int log_denied_exec(const struct file *file, const char *method, const char *rea
 // get down to business and check that this file is allowed to be executed
 
 #define UID_IS_TRUSTED(uid) (uid == 0 || in_group_p(tpe_trusted_gid))
-#define INODE_IS_WRITABLE(inode) ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))
+#define INODE_IS_WRITABLE(inode) ((inode->i_mode & S_IWOTH) || (tpe_group_writable && inode->i_mode & S_IWGRP))
 #define INODE_IS_TRUSTED(inode) \
 	(inode->i_uid == 0 || \
 	(tpe_admin_gid && inode->i_gid == tpe_admin_gid) || \

diff --git a/module.h b/module.h
@@ -93,6 +93,7 @@ extern int tpe_admin_gid;
 extern int tpe_dmz_gid;
 extern int tpe_strict;
 extern int tpe_check_file;
+extern int tpe_group_writable;
 extern int tpe_paranoid;
 extern char tpe_hardcoded_path[];
 extern int tpe_kill;

diff --git a/sysctl.c b/sysctl.c
@@ -7,6 +7,7 @@ int tpe_admin_gid = 0;
 int tpe_dmz_gid = 0;
 int tpe_strict = 1;
 int tpe_check_file = 1;
+int tpe_group_writable = 1;
 int tpe_paranoid = 0;
 char tpe_hardcoded_path[TPE_HARDCODED_PATH_LEN] = "";
 int tpe_kill = 0;
@@ -126,6 +127,16 @@ static ctl_table tpe_table[] = {
 		.proc_handler	= &proc_dointvec,
 	},
 	{
+	#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33)
+		.ctl_name	= CTL_UNNUMBERED,
+#endif
+		.procname	= "group_writable",
+		.data		= &tpe_group_writable,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec,
+	},
+	{
 #if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33)
 		.ctl_name	= CTL_UNNUMBERED,
 #endif