[Devel] [PATCH RHEL8 COMMIT] ve: prohibit opening proc/self/exe from VE for VD_VE_ENTER_TASK
Konstantin Khorenko
khorenko at virtuozzo.com
Tue Jun 1 20:35:09 MSK 2021
The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.34
------>
commit 13a7b7ce8eb67070cf94f9d2277be77430425f6b
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Tue Jun 1 20:35:09 2021 +0300
ve: prohibit opening proc/self/exe from VE for VD_VE_ENTER_TASK
The task having task->mm->vps_dumpable == VD_VE_ENTER_TASK is a task
which entered the container's ve cgroup and has not yet called exec, until:
sys_execve
  do_execve
    do_execve_common [1]
      exec_binprm
        search_binary_handler
          load_elf_binary
            flush_old_exec
              exec_mmap <- here
So after the patch the task which entered the container will not be able
to exec /proc/self/exe, as when trying to do_open_exec() on it we will see
VD_VE_ENTER_TASK and fail the check in:
do_execve_common [1]
  do_open_exec
    do_filp_open
      path_openat
        proc_pid_follow_link
          proc_exe_link
Note: if we try to exec self via /proc/self/exe, do_execve_common()->...->
proc_exe_link() is done before exec_mmap(), which updates .vps_dumpable.
After the task has called exec on some other binary inside the VE, it will be
able to exec /proc/self/exe (e.g. docker/runc needs this) as it
becomes VD_PTRACE_COREDUMP. That is safe as the link already points
to a file inside the VE.
Need to revert 44d26f1f3dcd ("proc/self/exe link validation")
https://jira.sw.ru/browse/PSBM-91689
https://jira.sw.ru/browse/PSBM-91042
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Vasily Averin <vvs at virtuozzo.com>
vvs@: here we don't check if current == task and this is fine:
if current tries to open the exe file of another task with
vps_dumpable = VD_VE_ENTER_TASK, it should be blocked on fd open because of
the vps_dumpable check and we will not reach proc_exe_link() anyway.
khorenko@: a check for ve_is_super() is required here to allow /proc/pid/exe
link examination if we debug a process that entered the CT from the host.
(cherry-picked from vz7 commit 942ebd0c9cc8 ("ve: prohibit opening proc/self/exe
from VE for VD_VE_ENTER_TASK"))
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
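The following userspace probe is an added example for readers of this patch; it is not part of the patch, the vzkernel tree or the Virtuozzo tooling. It exercises the behaviour the commit message describes from the inside: readlink(2) and open(2) on /proc/self/exe are both served by proc_exe_link() (open walks the same path_openat -> proc_pid_follow_link -> proc_exe_link chain that do_open_exec() uses for execve of /proc/self/exe, so the exec case can be tested without re-executing the probe itself), and a forked /bin/sh child stands in for "a task that already exec'd a binary inside the VE". Every probe returns 0 or -errno so EPERM from the new check can be told apart from ENOENT, EACCES and other failures. Running the probe as the task that entered a container (and running /bin/sh at that path) are assumptions about the test environment; on a host context or a kernel without this check all probes simply succeed.

```c
/*
 * Added example: userspace probe for the VD_VE_ENTER_TASK /proc/self/exe
 * check. Not part of the vzkernel patch. Expected results on a patched
 * kernel when run inside a container as the task that entered the VE and
 * has not exec'd yet: readlink and open of /proc/self/exe return -EPERM,
 * while the exec'd /bin/sh child resolves its own link fine. From the host
 * (ve_is_super()) or on a kernel without the check, everything succeeds.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* readlink(2) on /proc/<pid>/exe is served by proc_exe_link().
 * Returns 0 and fills target, or -errno. */
int probe_exe_readlink(pid_t pid, char *target, size_t len)
{
    char path[64];
    ssize_t n;

    snprintf(path, sizeof path, "/proc/%d/exe", (int)pid);
    n = readlink(path, target, len - 1);
    if (n < 0)
        return -errno;
    target[n] = '\0';
    return 0;
}

/* open(2) follows the magic link during the path walk, i.e. through the
 * same proc_exe_link() call that do_open_exec() hits for
 * execve("/proc/self/exe"). Returns 0 or -errno. */
int probe_exe_open(void)
{
    int fd = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);

    if (fd < 0)
        return -errno;
    close(fd);
    return 0;
}

/* Fork a child that exec's /bin/sh (a binary inside the VE) and lets the
 * shell stat() its own /proc/self/exe, which follows the link. Having
 * exec'd, the child is no longer the VD_VE_ENTER_TASK task, so the link
 * must resolve. Returns the child's exit status (0 = link resolved,
 * 1 = stat failed, 127 = /bin/sh missing) or -errno on fork/wait error. */
int probe_after_exec(void)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -errno;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "test -e /proc/self/exe", (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}

static void report(const char *what, int rc)
{
    if (rc == 0)
        printf("%-26s ok\n", what);
    else if (rc == -EPERM)
        printf("%-26s EPERM (VD_VE_ENTER_TASK check fired)\n", what);
    else if (rc < 0)
        printf("%-26s failed: %s\n", what, strerror(-rc));
    else
        printf("%-26s child exit status %d\n", what, rc);
}

int main(void)
{
    char target[PATH_MAX];
    int rc;

    rc = probe_exe_readlink(getpid(), target, sizeof target);
    report("readlink /proc/self/exe", rc);
    if (rc == 0)
        printf("%-26s -> %s\n", "", target);
    report("open /proc/self/exe", probe_exe_open());
    report("stat after exec (sh)", probe_after_exec());
    return 0;
}
```

Run the binary once directly from the entered task (for example as the command handed to the container-enter tool) and once more from a shell started inside the container; only the first run should report EPERM for the first two probes, and the /bin/sh child should succeed in both runs.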
---
fs/proc/base.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 4860efc2d509..870ffdd1ed9b 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1694,6 +1694,17 @@ static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
task = get_proc_task(d_inode(dentry));
if (!task)
return -ENOENT;
+
+ if (!ve_is_super(get_exec_env())) {
+ task_lock(task);
+ if (task->mm && task->mm->vps_dumpable == VD_VE_ENTER_TASK) {
+ task_unlock(task);
+ put_task_struct(task);
+ return -EPERM;
+ }
+ task_unlock(task);
+ }
+
exe_file = get_task_exe_file(task);
put_task_struct(task);
if (exe_file) {
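Review bot: the new block before `exe_file = get_task_exe_file(task);` carries no comment, so the reason a task with `task->mm->vps_dumpable == VD_VE_ENTER_TASK` is refused its own exe link (the link still points at the binary the task ran before entering the VE until its first exec inside the VE updates vps_dumpable in exec_mmap(), and host callers are exempt via ve_is_super() so the process can still be debugged from the node) lives only in the commit message; add a short comment above `if (!ve_is_super(get_exec_env())) {` stating this and referencing PSBM-91689. Separately, the commit message says 44d26f1f3dcd ("proc/self/exe link validation") needs to be reverted, but this hunk does not touch that code, so the ordering dependency between the two changes should be stated explicitly in the patch (or the revert folded in) to avoid one landing without the other.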