Pathtrust option

Updated: April 19, 2023

The --pathtrust option allows you to ensure that no untrusted binaries can be executed or shared libraries loaded. By default, only the IFS is trusted. By using the --qtd option, the system partition is made into a read-only integrity protected file system that is mounted as trusted. This gives much more flexibility in how a system is configured.

To build an image with both these options, run:

mkqnximage --pathtrust=yes --qtd=yes 

The main change made for pathtrust is the addition of the -qt option for procnto. When not used, all files are treated as trusted. By including it, only selected file systems have trusted files. By also including the --qtd option, the system partition is trusted as well.

When running with both the pathtrust and QTD options, if you run the command mount -f, you get the following output:

ifs on / type ifs (rdonly,trusted)  

/data/var/pps on /pps type PPS  

/dev/hd0t177 on /boot type qnx6  

/dev/hd0t179 on /data type qnx6 (sync=optional)  

/dev/hd0t185-qnx6/ on /system type qnx6 (noatime,rdonly,trusted,sync=optional) 

Showing that only two file systems are trusted: the IFS mounted at / and the system partition mounted at /system.

To show what pathtrust does, first copy the echo binary to /data:

# cp /proc/boot/echo /data 

This can be run as usual, for example:

# /data/echo Hello 

Hello 

You can, however, create a shell that lacks the ability PROCMGR_AID_UNTRUSTED_EXEC, which is the ability required to run untrusted binaries. If you do, the original echo binary from /proc/boot can be run but the copy that is in /data cannot:

# on -A deny,all,inherit,untrusted_exec ksh 

# /proc/boot/echo Hello 

Hello 

# /data/echo Hello 

ksh: /data/echo: Operation not permitted 

The other effect of pathtrust is that when you enable it, the setuid bit on binaries is ignored. It has the same effect as mounting all untrusted file systems with the nosuid option. For example, copy the id binary to /data and make it setuid root:

# cp /system/xbin/id /data 

# chmod u+s /data/id

Then, create a non-root shell and execute this binary:

# on -u 100 ksh 

$ /data/id 

uid=100 gid=0(root) groups=0(root) 

This shows that when id is run, it is still user ID (UID) 100. If this same sequence of commands is executed on an image not using pathtrust, the output is instead:

$ /data/id  

uid=100 gid=0(root) euid=0(root) groups=0(root) 

In this case, while it still shows the real UID is 100, the effective UID has become 0, or root.