enable TPE only for some role?


Post by mnalis » Wed Sep 14, 2011 11:21 am

Would it be possible to enable TPE only for some role or some subject?

For example, I run Apache with suexec to host dozens of potentially problematic websites and want to minimize exploits.
I cannot enable full TPE for that group of users (as suexec will fail to execute their CGI scripts).

I might be able to enable partial TPE for all users, but it helps almost nothing in my case, as the users could download rootkits in their homedirs (writeable only by them) and then execute them.

So I would need something like:

Code:
role webusers g
subject /
   -TPE_FULL
   / r
   /usr/bin/php-cgi rx

subject /usr/bin/php-cgi
   / rx
   +TPE_FULL



That is, I want no TPE restrictions until PHP interpreter runs, after which I want full TPE (only able to execute root owned binaries, and not its own binaries) - thus restricting any PHP call of system(), popen(), etc...

Is that currently possible to do, or would it be a good idea to implement?