[Devel] [PATCH vz8 v5 0/5] trusted/ve/exec: Introduce ve trusted execution feature

[Pavel Tikhomirov]

Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

On 08.06.2021 19:31, Konstantin Khorenko wrote:
> The patchset ports ve_trusted_exec functionality from VZ7.
> 
> The functionality is reworked and enhanced comparing to VZ7 version:
> 
>   1. The challenge of porting it to VZ8 is that there is no
>      PLOOP_DEV_MAJOR anymore, which was an important part of container
>      block device detection. Instead we have to implement vz_trusted_exec
>      flag in struct genhd.
> 
>   2. The security check has been also added to mmap() to cover shared
>      libraries case.
> 
> https://jira.sw.ru/browse/PSBM-129741
> 
> Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
> Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> 
> Pavel Tikhomirov (3):
>    trusted/ve/fs/exec: Don't allow a privileged user to execute untrusted
>      files
>    trusted/ve/fs/exec: Send SIGSEGV to a process trying to execute
>      untrusted files
>    trusted/ve/exec: Allow trusted exec change both on boot and on running
>      system
> 
> Valeriy Vdovin (2):
>    trusted/block: Added trusted flag to struct genhd
>    trusted/ve/mmap: Protect from unsecure library load from CT image
> 
>   block/genhd.c          | 39 ++++++++++++++++++++
>   fs/exec.c              | 17 +++++++--
>   include/linux/genhd.h  |  4 +++
>   include/linux/sysctl.h |  1 +
>   include/linux/ve.h     |  2 ++
>   kernel/sysctl.c        | 16 +++++++++
>   kernel/ve/ve.c         | 82 ++++++++++++++++++++++++++++++++++++++++++
>   mm/util.c              |  5 +++
>   8 files changed, 164 insertions(+), 2 deletions(-)
> 

-- 
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.