[Devel] [PATCH rh7 6/8] proc/pid: Don't show kernel threads inside Containers
Kirill Tkhai
ktkhai at virtuozzo.com
Tue Feb 25 11:26:37 MSK 2020
On 21.02.2020 19:07, Konstantin Khorenko wrote:
> We have our home-brew security defence feature against ptrace-ing
> processes that entered a Container from outside.
> It's based on "vps_dumpable" field of task->mm and is checked in
> __ptrace_may_access() in particular.
> Same function __ptrace_may_access() is used when someone tries to
> readlink /proc/$PID/ns/$SOMENS and gets -EPERM for kthreads because they
> lack task->mm and thus the "vps_dumpable" field, and we really would like
> people not to ptrace kernel threads from inside a Container.
>
> We might enhance the security check, but decided just to make Container
> kernel threads invisible (from inside a Container only of course).
>
> https://jira.sw.ru/browse/PSBM-92107
>
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> ---
> fs/proc/base.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index dbf5a84b604f3..c5d316ae5631d 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -907,6 +907,10 @@ static bool is_visible_task(struct pid_namespace *ns, struct task_struct *tsk)
> return false;
> if (!has_pid_permissions(ns, tsk, 2))
> return false;
> +
> + /* Don't show kthreads inside Containers. */
> + if (!tsk->mm && !ve_is_super(get_exec_env()))
Since kernel threads can have an mm, I'd use !(tsk->flags & PF_KTHREAD) here instead.
> + return false;
> return true;
> }
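Review bot: the `!tsk->mm` test in this hunk is not a kernel-thread test, so the filter is both too wide and too narrow. A user task that has already given up its mm while exiting (exit_mm() clears tsk->mm before the task turns into a zombie) also matches, so inside a Container this hides exiting and zombie processes from /proc readdir, while a kernel thread that has temporarily borrowed a user mm via use_mm() is not hidden. The flag is the precise check, e.g. `if ((tsk->flags & PF_KTHREAD) && !ve_is_super(get_exec_env()))` / `return false;`. Separately, since the check sits only in is_visible_task(), which is called from proc_pid_readdir(), the kthread is merely omitted from the directory listing; a direct lookup of /proc/<pid> still resolves it, so the -EPERM from __ptrace_may_access() on /proc/<pid>/ns/ described in the commit message remains reachable unless the same condition is also applied on the lookup path.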
This is_visible_task() is used in proc_pid_readdir() only. I suspect it is still possible
to dereference a kernel thread via ls /proc/2/ (direct lookup of a specific pid). Could you
please check this?
Kirill