[Devel] [PATCH RH8 10/10] ve: prohibit opening proc/self/exe from VE for VD_VE_ENTER_TASK

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Wed May 26 17:56:18 MSK 2021


From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

The task having task->mm->vps_dumpable == VD_VE_ENTER_TASK is a task
which entered the container's ve cgroup and has not yet called exec until:

sys_execve
 do_execve
  do_execve_common	[1]
   exec_binprm
    search_binary_handler
     load_elf_binary
      flush_old_exec
       exec_mmap	<- here

So after the patch the task which entered the container will not be able
to exec on /proc/self/exe as trying to do_open_exec() on it we will see
VD_VE_ENTER_TASK and fail the check in:

do_execve_common	[1]
 do_open_exec
  do_filp_open
   path_openat
    proc_pid_follow_link
     proc_exe_link

Note: if we try to exec self via /proc/self/exe, do_execve_common()->...->
proc_exe_link() is done before exec_mmap() which updates .vps_dumpable.

After the task called exec on some other binary inside the VE it would be
able to exec on /proc/self/exe (e.g. docker/runc need this) as it
becomes VD_PTRACE_COREDUMP. That is safe as the link already points
to the file inside the VE.

Need to revert 44d26f1f3dcd ("proc/self/exe link validation")

https://jira.sw.ru/browse/PSBM-91689
https://jira.sw.ru/browse/PSBM-91042

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Vasily Averin <vvs at virtuozzo.com>

vvs@: here we don't check if current == task and this is fine:
if current tries to open exe file of another task with
vps_dumpable = VD_VE_ENTER_TASK, it should be blocked on fd open because of
vps_dumpable check and we will not reach proc_exe_link() anyway.

khorenko@: a check for ve_is_super() is required here to allow /proc/pid/exe
link examination if we debug, from the host, a process that entered the CT.

(cherry-picked from 942ebd0c9cc870901eeaaf245efaca22ead9f540)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>

diff --git a/fs/proc/base.c b/fs/proc/base.c
index 4860efc..870ffdd 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1694,6 +1694,17 @@ static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
 	task = get_proc_task(d_inode(dentry));
 	if (!task)
 		return -ENOENT;
+
+	if (!ve_is_super(get_exec_env())) {
+		task_lock(task);
+		if (task->mm && task->mm->vps_dumpable == VD_VE_ENTER_TASK) {
+			task_unlock(task);
+			put_task_struct(task);
+			return -EPERM;
+		}
+		task_unlock(task);
+	}
+
 	exe_file = get_task_exe_file(task);
 	put_task_struct(task);
 	if (exe_file) {
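Review bot: the new block in proc_exe_link() carries no comment explaining why tasks with vps_dumpable == VD_VE_ENTER_TASK are hidden from callers inside a non-super VE, nor why current == task is deliberately not distinguished; both rationales exist only in the commit message (the exe link of a task that entered the VE but has not yet exec'd still points at a file outside the container, and opening another task's exe fd is expected to be rejected by the vps_dumpable check before this function is reached). Suggest a short comment above `if (!ve_is_super(get_exec_env())) {` stating this, and mentioning that the ve_is_super() exemption is there so the host can still inspect /proc/pid/exe of an entered task for debugging; otherwise the -EPERM here looks arbitrary to a future reader.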
-- 
1.8.3.1
