To illustrate, assume we're talking about /tmp (world writable with the sticky bit set) and we're operating under TPE_ALL.
- TPE allows a user to execute /tmp/my_dir/my_prog if /tmp/my_dir and /tmp/my_dir/my_prog are owned by root or the current user.
- TPE does not allow the user to execute /tmp/my_prog.
However, both of these cases have equivalent security because the sticky bit ensures that both /tmp/my_dir/ and /tmp/my_prog...
- ...must have been linked-in to /tmp by the file's owner or root,
- cannot be replaced/unlinked by anyone but the file's owner or root.
On another note, grsecurity should probably be checking parent directories recursively... As is, checking the parent directory but not higher level directories seems ineffective.
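
As an added illustration (not part of the original post and not grsecurity's code), this Python model compares the parent-only check described above with a recursive ancestor check, with and without treating sticky-bit directories as safe. The sample tree, uid 1000, the function names, and the rule that a group- or world-writable directory is untrusted are assumptions made for the example.

```python
import posixpath
import stat

ROOT_UID = 0

# Constructed sample tree (not real filesystem state): path -> (owner uid, mode).
TREE = {
    "/": (0, 0o040755),
    "/tmp": (0, 0o041777),                       # world-writable, sticky
    "/tmp/my_dir": (1000, 0o040755),
    "/tmp/my_dir/my_prog": (1000, 0o100755),
    "/tmp/my_prog": (1000, 0o100755),
    "/srv": (0, 0o040755),
    "/srv/shared": (0, 0o040777),                # world-writable, no sticky
    "/srv/shared/my_dir": (1000, 0o040755),
    "/srv/shared/my_dir/my_prog": (1000, 0o100755),
}

def owner_trusted(path, uid):
    """Owned by root or by the user who wants to execute."""
    return TREE[path][0] in (ROOT_UID, uid)

def dir_trusted(path, uid, sticky_aware=False):
    """Assumed rule: a directory others can write to is untrusted, unless
    sticky_aware is set and the sticky bit restricts unlink/rename to owners."""
    mode = TREE[path][1]
    if not owner_trusted(path, uid):
        return False
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return sticky_aware and bool(mode & stat.S_ISVTX)
    return True

def ancestors(path):
    """Yield every directory above path, ending at '/'."""
    while path != "/":
        path = posixpath.dirname(path)
        yield path

def parent_only(path, uid):
    """The check as described in the post: file owner plus immediate parent."""
    return owner_trusted(path, uid) and dir_trusted(posixpath.dirname(path), uid)

def recursive(path, uid, sticky_aware=False):
    """The suggested variant: every ancestor directory must be trusted too."""
    return owner_trusted(path, uid) and all(
        dir_trusted(d, uid, sticky_aware) for d in ancestors(path))
```

For uid 1000, the parent-only check accepts /srv/shared/my_dir/my_prog even though /srv/shared is world-writable without the sticky bit. The strict recursive check rejects that path but also rejects everything under /tmp, unless sticky-bit directories are honoured, in which case /tmp/my_prog and /tmp/my_dir/my_prog are treated alike.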