[Devel] [PATCH vz8 v5 4/5] trusted/ve/exec: Allow trusted exec change both on boot and on running system

Konstantin Khorenko khorenko at virtuozzo.com
Tue Jun 8 19:31:29 MSK 2021 

From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

By default the protection from "untrusted" binaries execution by VE0
processes is enabled.

The protection can be disabled via
 * setting "trusted_exec" kernel boot option
 * setting "fs.trusted_exec" sysctl to "1"

If the protection is disabled, "vz_trusted_exec" disk device attribute
value is ignored, the execution is allowed.

https://jira.sw.ru/browse/PSBM-98702

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>

https://jira.sw.ru/browse/PSBM-129741
Cherry-picked from vz7 commit dccfe19f93c4 ("ve/exec: allow trusted exec
change both on boot and on running system")

Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 fs/exec.c              |  1 +
 include/linux/sysctl.h |  1 +
 kernel/sysctl.c        | 16 ++++++++++++++++
 kernel/ve/ve.c         |  4 ++++
 4 files changed, 22 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c
index 0f4c741e19db..ff1dc9b40a2e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -62,6 +62,7 @@
 #include <linux/oom.h>
 #include <linux/compat.h>
 #include <linux/vmalloc.h>
+#include <linux/sysctl.h>
 #include <linux/ve.h>
 
 #include <linux/uaccess.h>
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 4062812efc27..4e7aba846214 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -197,6 +197,7 @@ struct ctl_path {
 };
 
 extern int ve_allow_module_load;
+extern int trusted_exec;
 
 #ifdef CONFIG_SYSCTL
 
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 228dfb6d7609..7ec1f1e99431 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -119,6 +119,13 @@ extern int sysctl_nr_trim_pages;
 
 int ve_allow_module_load = 1;
 EXPORT_SYMBOL(ve_allow_module_load);
+int trusted_exec;
+static int __init set_trusted_exec(char *str)
+{
+	trusted_exec = 1;
+	return 1;
+}
+__setup("trusted_exec", set_trusted_exec);
 
 /* Constants used for minimum and  maximum */
 #ifdef CONFIG_LOCKUP_DETECTOR
@@ -1979,6 +1986,15 @@ static struct ctl_table fs_table[] = {
 		.proc_handler	= proc_dointvec_minmax,
 		.extra1		= SYSCTL_ONE,
 	},
+	{
+		.procname	= "trusted_exec",
+		.data		= &trusted_exec,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_minmax,
+		.extra1		= &zero,
+		.extra2		= &one,
+	},
 	{ }
 };
 
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index aae5d6d7ddd7..1ff815f30a4d 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1789,6 +1789,10 @@ static bool ve_check_trusted_file(struct file *file)
 	bool exec_from_ct;
 	bool file_on_host_mount;
 
+	/* The trusted exec defense is globally off. */
+	if (trusted_exec)
+		return true;
+
 	/* The current process does not belong to ve0. */
 	exec_from_ct = !ve_is_super(get_exec_env());
 	if (exec_from_ct)
-- 
2.28.0

More information about the Devel mailing list