forked from cormander/tpe-lkm
Trusted Path Execution (TPE) Linux Kernel Module
b3h3moth/tpe-lkm
===============================================================================
Trusted Path Execution (TPE) Linux Kernel Module
===============================================================================

About this module

Trusted Path Execution is a security feature that denies non-root users
execution of programs that do not live in a trusted path: a directory that
is owned by root and is not group- or world-writable (with check_file on,
the executable itself must also be owned by root and not writable by group
or others). This closes the door on a whole category of exploits where a
malicious user tries to execute his or her own code, uploaded or compiled
into a directory he or she controls, to attack the system.

Since this module doesn't use any kind of ACLs, it works out of the box with
no configuration. It isn't complicated to test or deploy to current
production systems. Just install it and you're done!

===============================================================================

WARNING! Use at your own risk!

Although stable on tested systems, I have never used your system before. I
cannot guarantee that it won't crash your system, melt your hard drive, get
you fired from your job, and/or cause any other horrible event. Use at your
own risk.

===============================================================================

Features

In addition to implementing trusted path execution, this module also has a
modest list of "extras": features ported over from the grsecurity project.
While not TPE related, they add additional security to your system. See the
"Configuration" section below for how to enable them.

===============================================================================

Installation

See the INSTALL file for installation instructions.

===============================================================================

FAQ

See the FAQ file for frequently asked questions.

===============================================================================

Configuration

Although most people will find they don't need to change the default values,
you have the option to configure various things in this module at runtime
using the sysctl interface, to tighten or relax the TPE restrictions.
You can see the values in this proc directory: /proc/sys/tpe/

  softmode       - log what would be denied, but don't actually deny.
                   default off
  strict         - enforce some TPE features even on trusted users.
                   default on
  check_file     - check file owner/mode in addition to directory.
                   default on
  kill           - kill the offending process and its parent when it gets
                   denied execution from TPE, unless it's root. default off
  log            - whether to log denied execs to the ring buffer. default on
  log_max        - maximum parent processes in a single log entry. default 50
  log_floodburst - number of log entries before logging is disabled.
                   default 5
  log_floodtime  - seconds until re-enabling logging after floodburst.
                   default 5
  paranoid       - enforce trusted path restrictions on root as well.
                   default off
  hardcoded_path - use with caution! a list of directories, separated by
                   colons, that the trusted path will be restricted to;
                   nothing outside this path may be executed/mmaped.
                   default empty (off)
  trusted_gid    - gid of trusted users on whom TPE is not enforced.
                   default 0 (off)
  admin_gid      - files belonging to this group are treated as if they're
                   owned by root; TPE is not enforced on them. default 0 (off)
  dmz_gid        - users in this gid can't exec anything at all.
                   default 0 (off)
  lock           - when enabled, these sysctl entries can no longer be
                   changed.

  extras/        - directory for additional protections that aren't TPE
                   related. These protections are all off by default, and
                   are as follows:

    dmesg         - denies non-root users from viewing the kernel ring buffer
    lsmod         - denies non-root users from viewing loaded kernel modules
    proc_kallsyms - denies non-root users from viewing /proc/kallsyms
    ps            - denies non-root users from viewing processes they don't
                    own
    ps_gid        - gid of users who aren't restricted by ps. default 0 (off)

Note that for every *_gid setting the value 0 means "off", so the root group
(gid 0) cannot be used as a trusted, admin, dmz or ps group.

Use your system's /etc/sysctl.conf file to change the defaults of these
various features. I highly recommend that you turn on the "extras" where
possible.
===============================================================================

Supported Kernels

This has been tested on the following systems (x86, both 32 and 64bit):

  - RHEL/CentOS 5 (linux-2.6.18)
  - RHEL/CentOS 6 (linux-2.6.32)
  - RHEL/CentOS Xen, both xenU (el5) and pvops (el6)
  - RHEL/CentOS KVM**
  - Ubuntu 10.04 LTS (linux-2.6.32)
  - Ubuntu 11.04 (linux-2.6.38)

This module *should* work on most 2.6 linux kernels, but has only been
verified on the above systems. It hasn't been tested with linux 3.0 or
higher yet, and a preliminary look reveals changes to the do_execve ABI.
I'll likely make the effort to port it when a major distribution using that
kernel comes out.

** See the BUGS section for some information about tpe with KVM

===============================================================================

Compatibility Issues

Test this module before deploying to a critical system, especially if you're
not using a kernel in the above "Supported Kernels" list. Loading it with
softmode on first shows in the log what would be denied without actually
denying anything.

Trusted Path Execution will cause some programs to stop functioning
correctly. If it doesn't result in a kernel BUG or other stack trace showing
up in dmesg, it's the program that needs fixing, not this module. A way to
work around this problem is adding the user these broken programs run as to
the trusted group, so TPE is not enforced on them. You set that group's id
in /proc/sys/tpe/trusted_gid

This module will not work on systems where loadable kernel module support is
disabled at compile time (CONFIG_MODULES not being set). If you custom
compile your own kernel and want TPE, consider using grsecurity instead of
this module.

This module may conflict with ksplice, but I've never actually tested that
theory. If you use that software, let me know whether or not you run into
problems when using this module.

===============================================================================

TPE Coverage

This code was started as a "proof of concept" and turned into a usable
security tool. It may not cover all entry points that TPE needs to cover. If
you find a way to bypass the trusted path, let me know, and I'll update this
code.

===============================================================================

BUGS

This is a list of known bugs:

  * KVM virtual machine crash on module load

    Some KVM virtual machines crash when tpe is loaded. If this affects you,
    apply the kvm_fix.patch and recompile, and the problem should go away.
    More information about this bug is contained in the header of that patch
    file.

===============================================================================

Acknowledgements

  - memset
    http://memset.wordpress.com/2010/12/03/syscall-hijacking-kernel-2-6-systems/
    With that I learned how to hijack system calls and bypass the "general
    protection fault" which had previously been blocking me from doing this.

  - Eugene Shatokhin
    There were a few not-so-minor bugs in this module, and I asked this
    question on Stack Overflow:
    http://stackoverflow.com/questions/6434701/having-trouble-wrapping-functions-in-the-linux-kernel
    Eugene helped me out and shared code which is now in use by this module,
    which has made it stable.

  - Brad Spengler - http://grsecurity.net/
    Trusted Path Execution, and the "extra" features in this module, are all
    features of grsecurity, and I originally pulled code from that project to
    make this module. This module's TPE code has since evolved to cover much
    more than grsecurity's TPE feature; however, anything in this module
    beyond grsecurity's TPE can be done with grsecurity's RBAC system, so it
    is no substitute for grsecurity.

===============================================================================

About the Author

  website: http://cormander.com/
  github:  https://github.com/cormander/
  email:   corman /AT/ cormander /DOT/ com

===============================================================================