Re: [kernel-hardening] [PATCH v1 1/1] Add Trusted Path Execution as a stackable LSM

[Matt Brown]

On 06/03/2017 06:39 AM, Jann Horn wrote:
> On Sat, Jun 3, 2017 at 7:53 AM, Matt Brown <matt@xxxxxxxxx> wrote:
> > This patch was modified from Brad Spengler's Trusted Path Execution (TPE)
> > feature in Grsecurity and also incorporates logging ideas from
> > cormander's tpe-lkm.
> >
> > Modifications from the Grsecurity implementation of TPE were made to
> > turn it into a stackable LSM using the existing LSM hook bprm_set_creds.
> > Also, denial messages were improved by including the full path of the
> > disallowed program. (This idea was taken from cormander's tpe-lkm)
> [...]
> > Threat Models:
> [...]
> > 2. Attacker on system replaces binary used by a privileged user with a
> >    malicious one
> >
> > *  This situation arises when administrator of a system leaves a binary
> >    as world writable.
> >
> > *  TPE is very effective against this threat model
>
> How do you end up with world-writable binaries in $PATH?

Sys Admin screw up. It also protects against world-writable binaries
anywhere on the system, not just in $PATH.