Modern operating systems provide powerful mandatory access control mechanisms, yet they largely reason about who executes code rather than how execution originates. As a result, processes launched remotely, locally, or by background services are often treated equivalently once privileges are obtained, complicating security reasoning and enabling post-compromise abuse of sensitive system interfaces. We introduce origin-aware mandatory access control (OAMAC), a kernel-level enforcement model that treats execution origin -- such as physical user presence, remote access, or service execution -- as a first-class security attribute. OAMAC mediates access to security-critical subsystems based on execution provenance rather than identity alone, enabling centralized governance over multiple attack surfaces while significantly reducing policy complexity. We present a deployable prototype implemented entirely using the Linux eBPF LSM framework, requiring no kernel modifications. OAMAC classifies execution origin using kernel-visible metadata, propagates origin across process creation, and enforces origin-aware policies on both sensitive filesystem interfaces and the kernel BPF control plane. Policies are maintained in kernel-resident eBPF maps and can be reconfigured at runtime via a minimal userspace tool. Our evaluation demonstrates that OAMAC effectively restricts common post-compromise actions available to remote attackers while preserving normal local administration and system stability. We argue that execution origin represents a missing abstraction in contemporary operating system security models, and that elevating it to a first-class concept enables practical attack surface reduction without requiring subsystem-specific expertise or heavyweight security frameworks.

翻译：现代操作系统提供了强大的强制访问控制机制，但这些机制主要关注代码执行者而非执行起源。因此，一旦获得权限，远程启动、本地启动或由后台服务启动的进程往往被等同对待，这既复杂化了安全推理，又使得攻击者在渗透后能够滥用敏感系统接口。我们提出起源感知强制访问控制（OAMAC），这是一种内核级执行模型，将执行起源（例如物理用户在场、远程访问或服务执行）视为首要安全属性。OAMAC基于执行溯源而非单一身份来仲裁对安全关键子系统的访问，从而实现对多个攻击面的集中管控，同时显著降低策略复杂性。我们展示了一个完全基于Linux eBPF LSM框架实现的可部署原型，无需修改内核。OAMAC利用内核可见元数据对执行起源进行分类，在进程创建过程中传播起源信息，并对敏感文件系统接口及内核BPF控制平面实施起源感知策略。策略保存在内核驻留的eBPF映射中，可通过轻量级用户空间工具在运行时重新配置。评估结果表明，OAMAC能有效限制远程攻击者常用的后渗透操作，同时保持正常的本地管理和系统稳定性。我们认为执行起源是当代操作系统安全模型中缺失的抽象概念，将其提升为首要概念能够在无需子系统专业知识或重型安全框架的前提下，实现切实有效的攻击面削减。