[Devel] [PATCH rh7 6/8] proc/pid: Don't show kernel threads inside Containers
Konstantin Khorenko
khorenko at virtuozzo.com
Fri Feb 21 19:07:29 MSK 2020
We have our home-brew security defence feature against ptrace-ing
processes that entered a Container from outside.
It's based on the "vps_dumpable" field of task->mm and is checked in
__ptrace_may_access() in particular.
The same function __ptrace_may_access() is used when someone tries to
readlink /proc/$PID/ns/$SOMENS and gets -EPERM for kthreads because they
lack task->mm and thus the "vps_dumpable" field, and we really would like
people not to ptrace kernel threads from inside a Container.
We might enhance the security check, but decided to just make Container
kernel threads invisible (from inside a Container only, of course).
https://jira.sw.ru/browse/PSBM-92107
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
fs/proc/base.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index dbf5a84b604f3..c5d316ae5631d 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -907,6 +907,10 @@ static bool is_visible_task(struct pid_namespace *ns, struct task_struct *tsk)
return false;
if (!has_pid_permissions(ns, tsk, 2))
return false;
+
+ /* Don't show kthreads inside Containers. */
+ if (!tsk->mm && !ve_is_super(get_exec_env()))
+ return false;
return true;
}
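Review bot: the `!tsk->mm` test in the new check is broader than the "Don't show kthreads" comment above it: a user task that has already gone through exit_mm() on its way out also has tsk->mm == NULL, so inside a Container exiting processes will disappear from the /proc listing before they are reaped, not only kernel threads. If kernel threads are really the target, `if ((tsk->flags & PF_KTHREAD) && !ve_is_super(get_exec_env()))` matches the comment and does not depend on mm lifetime; if the intent is "any task for which the vps_dumpable check cannot be evaluated", the comment and the commit message should say so explicitly. It would also help to state in the commit message whether hiding a task from is_visible_task() alone is enough, i.e. whether /proc/$PID for such a task stays reachable by number from inside the Container, since the ptrace-side -EPERM described in the message is what this patch is working around.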
--
2.15.1