OAMAC: Origin-Aware Mandatory Access Control for Practical Post-Compromise Attack Surface Reduction

TL;DR

OAMAC introduces an origin-aware mandatory access control system that enhances OS security by considering execution provenance, effectively reducing attack surfaces post-compromise without kernel modifications.

Contribution

This paper presents a kernel-level, deployable OAMAC framework that classifies execution origins and enforces origin-aware policies using Linux eBPF, improving security and policy simplicity.

Findings

Effectively restricts post-compromise actions by remote attackers

Preserves local system administration and stability

Enables runtime policy reconfiguration

Abstract

Modern operating systems provide powerful mandatory access control mechanisms, yet they largely reason about who executes code rather than how execution originates. As a result, processes launched remotely, locally, or by background services are often treated equivalently once privileges are obtained, complicating security reasoning and enabling post-compromise abuse of sensitive system interfaces. We introduce origin-aware mandatory access control (OAMAC), a kernel-level enforcement model that treats execution origin -- such as physical user presence, remote access, or service execution -- as a first-class security attribute. OAMAC mediates access to security-critical subsystems based on execution provenance rather than identity alone, enabling centralized governance over multiple attack surfaces while significantly reducing policy complexity. We present a deployable prototype implemented entirely using the Linux eBPF LSM framework, requiring no kernel modifications. OAMAC classifies execution origin using kernel-visible metadata, propagates origin across process creation, and enforces origin-aware policies on both sensitive filesystem interfaces and the kernel BPF control plane. Policies are maintained in kernel-resident eBPF maps and can be reconfigured at runtime via a minimal userspace tool. Our evaluation demonstrates that OAMAC effectively restricts common post-compromise actions available to remote attackers while preserving normal local administration and system stability. We argue that execution origin represents a missing abstraction in contemporary operating system security models, and that elevating it to a first-class concept enables practical attack surface reduction without requiring subsystem-specific expertise or heavyweight security frameworks.