[Devel] [PATCH vz8 v4 0/5] trusted/ve/exec: Introduce ve trusted execution feature

Konstantin Khorenko khorenko at virtuozzo.com
Tue Jun 8 14:40:48 MSK 2021


The patchset ports ve_trusted_exec functionality from VZ7.

The functionality is reworked and enhanced compared to the VZ7 version:

 1. The challenge of porting it to VZ8 is that there is no
    PLOOP_DEV_MAJOR anymore, which was an important part of container
    block device detection. Instead we have to implement a vz_trusted_exec
    flag in struct genhd.

 2. The security check has also been added to mmap() to cover the shared
    libraries case.

Note: this version of the patchset does not cover untrusted binaries
execution protection for files which reside on mounts done from inside a
Container. This is to be addressed by later patches.

https://jira.sw.ru/browse/PSBM-129741

Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>

Pavel Tikhomirov (3):
  trusted/ve/fs/exec: Don't allow a privileged user to execute untrusted
    files
  trusted/ve/fs/exec: Send SIGSEGV to a process trying to execute
    untrusted files
  trusted/ve/exec: Allow trusted exec change both on boot and on running
    system

Valeriy Vdovin (2):
  trusted/block: Added trusted flag to struct genhd
  trusted/ve/mmap: Protect from unsecure library load from CT image

 block/genhd.c          | 39 ++++++++++++++++++++++++
 fs/exec.c              | 17 +++++++++--
 include/linux/genhd.h  |  4 +++
 include/linux/sysctl.h |  1 +
 include/linux/ve.h     |  2 ++
 kernel/sysctl.c        | 16 ++++++++++
 kernel/ve/ve.c         | 67 ++++++++++++++++++++++++++++++++++++++++++
 mm/util.c              |  5 ++++
 8 files changed, 149 insertions(+), 2 deletions(-)

-- 
2.28.0