Return-Path:
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751173AbdFCKj1 (ORCPT ); Sat, 3 Jun 2017 06:39:27 -0400
Received: from mail-it0-f45.google.com ([209.85.214.45]:35184 "EHLO mail-it0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750832AbdFCKjZ (ORCPT ); Sat, 3 Jun 2017 06:39:25 -0400
MIME-Version: 1.0
In-Reply-To: <20170603055351.16080-1-matt@nmatt.com>
References: <20170603055351.16080-1-matt@nmatt.com>
From: Jann Horn
Date: Sat, 3 Jun 2017 12:39:03 +0200
Message-ID:
Subject: Re: [kernel-hardening] [PATCH v1 1/1] Add Trusted Path Execution as a stackable LSM
To: Matt Brown
Cc: james.l.morris@oracle.com, serge@hallyn.com, kernel list, linux-security-module@vger.kernel.org, Kernel Hardening
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 854
Lines: 21

On Sat, Jun 3, 2017 at 7:53 AM, Matt Brown wrote:
> This patch was modified from Brad Spengler's Trusted Path Execution (TPE)
> feature in Grsecurity and also incorporates logging ideas from
> cormander's tpe-lkm.
>
> Modifications from the Grsecurity implementation of TPE were made to
> turn it into a stackable LSM using the existing LSM hook bprm_set_creds.
> Also, denial messages were improved by including the full path of the
> disallowed program. (This idea was taken from cormander's tpe-lkm)
[...]
> Threat Models:
[...]
> 2. Attacker on system replaces binary used by a privileged user with a
>    malicious one
>
>    * This situation arises when administrator of a system leaves a binary
>      as world writable.
>
>    * TPE is very effective against this threat model

How do you end up with world-writable binaries in $PATH?
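
Whether the precondition of threat model 2 holds on a given machine can be checked directly. The following is an added example, not part of the message above or of the TPE patch: a shell function (the name `audit_path` is hypothetical) that reports world-writable executables and world-writable directories in a PATH-style list. It assumes a `find` that supports `-maxdepth`, as GNU and BSD find do.

```shell
#!/bin/sh
# Added example (not from the TPE patch). audit_path is a hypothetical name.
# Prints one line per finding:
#   FILE <path>  executable that any user may overwrite
#   DIR  <path>  search directory that any user may write to

audit_path() {
    # $1: colon-separated directory list; defaults to the current $PATH
    path_list=${1:-$PATH}

    # Split on ':' only, then restore the caller's IFS.
    old_ifs=$IFS
    IFS=:
    set -- $path_list
    IFS=$old_ifs

    for dir in "$@"; do
        # An empty PATH entry means the current directory.
        [ -n "$dir" ] || dir=.
        [ -d "$dir" ] || continue

        # World-writable directory: any user can create files in it.
        if [ -n "$(find -L "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
            printf 'DIR  %s\n' "$dir"
        fi

        # World-writable regular files (symlinks followed) that are executable.
        find -L "$dir" -maxdepth 1 -type f -perm -0002 2>/dev/null |
        while IFS= read -r f; do
            if [ -x "$f" ]; then
                printf 'FILE %s\n' "$f"
            fi
        done
    done
}

# Usage: audit_path                      (checks the current $PATH)
#        audit_path "/opt/tool/bin:/usr/local/bin"
```
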