Pathtrust

Updated: October 26, 2022

The pathtrust feature prevents processes from executing untrusted code. If a process is compromised, pathtrust mitigates the threat of the system being further compromised by an attacker using chained-together exploits.

For example, pathtrust can mitigate a Return-Oriented Programming (ROP) attack that chains existing instructions to initiate a system call that points to an attacker's binary executable that is persisted somewhere on a non-trusted filesystem. (This filesystem is usually a read/write partition where data is stored.)

Actions managed by pathtrust

  • Binary execution — The process loader loads and executes a native binary.
  • Library loading — The process loader loads libraries when a native binary is executed or as a result of a dlopen() call.

How pathtrust works

The following diagram illustrates how pathtrust reacts when a process attempts one of the actions that pathtrust manages.

Pathtrust and setuid and setgid bits on the filesystem

When pathtrust is enabled, the setuid or setgid bits on untrusted files or files from untrusted filesystem resource managers are ignored. All untrusted filesystems are implicitly mounted with -o nosuid and a resource manager cannot provide a setuid binary unless it is authorized. (See mount in the Utilities Reference).

Using pathtrust on a system

The pathtrust feature requires the following configuration and settings:
Note: mkqnximage supports the --pathtrust option, which demonstrates how to enable this feature.

Selecting resources to trust

Use the following best practices for trusted processes and filesystems:

Example

# Mount the integrity protected partition that uses QNX Trusted Disk
mount -t qtd -o trusted,key=/path/to/public.pem /partition /qtd

# Mount the QNX6 filesystem protected by QTD
mount -t qnx6 -o ro,trusted /qtd /fs

Use the mount -f and df -g commands to display the 'trusted' mount option on mountpoints where it is enabled.