
Implement "hardcoded_path" feature

cormander committed Dec 1, 2011
1 parent 0a5c8cb commit c25c258aebbb11e52136e49e609c9094b96912fb
Showing with 54 additions and 0 deletions.
  1. +17 −0 FAQ
  2. +3 −0 README
  3. +22 −0 core.c
  4. +2 −0 module.h
  5. +10 −0 sysctl.c
17 FAQ
@@ -1,4 +1,21 @@
* What exactly is the "hardcoded_path" option?
It's for the extremely paranoid, and must be used with caution. When set,
everything outsdie of that path will be denied execution when execve(), mmap(),
or mprotect() is called on the given file, regardless of the file/directory
ownership or permissions, though those are still enforced. When combined with
the "paranoid" option, even root and the admin/trusted gids are restricted to
this path.
Run the script "scripts/generate_hardcoded_path.sh" to get a starting point for
setting this option. It walks down your path and determines all the directories
in which shared libraries are used.
This path may contain up to 1024 characters. If you need a higher limit,
increase the value of TPE_HARDCODED_PATH_LEN in module.h and recompile. Also,
no single directory can be more than 256 characters in length (MAX_FILE_LEN).
* Is this module compatible with my LSM? (SELinux, AppArmor, etc)
Yes, it is.
3 README
@@ -65,6 +65,9 @@ log_max - maximun parent processes in a single log entry. default 50
log_floodburst - number of log entries before logging is disabled. default 5
log_floodtime - seconds until re-enabling logging after floodburst. default 5
paranoid - denies execs for root of files not owned by root. default off
hardcoded_path - use with caution! a list of directories, seperated by colons,
that the trusted path will be restricted to; nothing outside
this path may be executed/mmaped. default to empty (off)
trusted_gid - gid of "trusted users" who TPE is not enforced. default 1337
admin_gid - files belonging to this group are treated as if they're owned
by root; TPE is not enforced on them. default 0 (off)
22 core.c
@@ -168,6 +168,28 @@ int tpe_allow_file(const struct file *file, const char *method) {
(tpe_check_file && (!INODE_IS_TRUSTED(inode) || INODE_IS_WRITABLE(inode))))
) {
return log_denied_exec(file, method);
} else
// if hardcoded_path is non-empty, deny exec if the file is outside of any of those directories
// if paranoid is enabled, enforce it on root and trusted_gid as well
if (strlen(tpe_hardcoded_path) && (tpe_paranoid || (!tpe_paranoid && uid && !in_group_p(tpe_trusted_gid)))) {
char filename[MAX_FILE_LEN];
char path[TPE_HARDCODED_PATH_LEN];
char *f, *p, *c;
p = path;
strncpy(p, tpe_hardcoded_path, TPE_HARDCODED_PATH_LEN);
f = tpe_d_path(file, filename, MAX_FILE_LEN);
// TODO: check "f" after "strlen(c)" for any "/" characters
while ((c = strsep(&p, ":"))) {
if (!strncmp(c, f, strlen(c)))
return 0;
}
return log_denied_exec(file, method);
}
return 0;
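Review bot: An empty component in tpe_hardcoded_path switches the restriction off entirely: a trailing or doubled colon makes strsep() yield "", `strncmp(c, f, 0)` is 0 for every file, and the loop returns 0 (allow) at `return 0;` before any real directory has been compared. The same loop also matches on a bare string prefix, so an entry `/usr/lib` also admits files under `/usr/lib64` or `/usr/libexec`, which the TODO above it already hints at. Both are closed by requiring a non-empty entry and a path separator after the prefix: `size_t clen = strlen(c);` followed by `if (clen && !strncmp(c, f, clen) && (f[clen] == '/' || c[clen - 1] == '/'))`. tpe_d_path() is outside the hunk; if it can return NULL or an error pointer, `f` needs a check before strncmp() dereferences it. tpe_allow_file's signature and the `uid` it reads start before this hunk.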
@@ -21,6 +21,7 @@
#define MODULE_NAME "tpe"
#define PKPRE "[" MODULE_NAME "] "
#define MAX_FILE_LEN 256
#define TPE_HARDCODED_PATH_LEN 1024
#define TPE_TRUSTED_GID 1337
@@ -90,6 +91,7 @@ extern int tpe_dmz_gid;
extern int tpe_strict;
extern int tpe_check_file;
extern int tpe_paranoid;
extern char tpe_hardcoded_path[];
extern int tpe_kill;
extern int tpe_log;
extern int tpe_log_max;
@@ -8,6 +8,7 @@ int tpe_dmz_gid = 0;
int tpe_strict = 1;
int tpe_check_file = 1;
int tpe_paranoid = 0;
char tpe_hardcoded_path[TPE_HARDCODED_PATH_LEN] = "";
int tpe_kill = 0;
int tpe_log = 1;
int tpe_log_max = 50;
@@ -121,6 +122,15 @@ static ctl_table tpe_table[] = {
.mode = 0644,
.proc_handler = &proc_dointvec,
},
{
.ctl_name = CTL_UNNUMBERED,
.procname = "hardcoded_path",
.data = &tpe_hardcoded_path,
.maxlen = TPE_HARDCODED_PATH_LEN,
.mode = 0644,
.proc_handler = &proc_dostring,
.strategy = &sysctl_string,
},
{
.ctl_name = CTL_UNNUMBERED,
.procname = "kill",
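Review bot: The new hardcoded_path entry stores whatever is written through proc_dostring with no validation, so a value with an empty component, a relative entry or no leading slash is accepted as-is and its meaning is decided only at the enforcement site in core.c. If the format is meant to be a colon-separated list of absolute directories, a short comment on the entry, `/* colon-separated absolute directories; empty string disables the check */`, or a custom proc_handler that rejects malformed values would make that contract explicit at the point where the administrator sets it.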
