[Devel] [VZ8 PATCH 3/4] ve/exec: allow trusted exec change both on boot and on running system
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Fri May 28 14:55:28 MSK 2021
On 28.05.2021 14:07, Valeriy Vdovin wrote:
> From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
>
> Can be configured either with the no_trusted_exec boot option or via the
> /proc/sys/fs/trusted_exec sysctl; by default it is enabled.
> (When "fs.trusted_exec" is enabled (==1) it means, the defense is "on").
>
> https://jira.sw.ru/browse/PSBM-98702
>
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
>
> +++
> ve/exec: reverse the meaning of trusted_exec variable
>
> Now trusted_exec == 1 means that we trust the host, and if someone
> executes container binaries from host he knows what he's doing
> (the defense is "off").
> By default trusted_exec == 0 and the defense is "on".
>
> Sysfs option to disable defence on boot is now called "trusted_exec".
>
> These way it is more consistent with ve_exec_trusted function name and
> the semantics of ptune/trusted sysfs entry.
>
> https://jira.sw.ru/browse/PSBM-98702
>
> mFixes: 761c2dfe68e7 ("ve/exec: allow trusted exec change both on boot
> and on running system")
>
> Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
> Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>
>
> https://jira.sw.ru/browse/PSBM-129741
> Cherry-picked from dccfe19f93c46aa1886403c93fc0987830765922
> Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
> ---
> fs/exec.c | 4 ++++
> include/linux/sysctl.h | 1 +
> kernel/sysctl.c | 16 ++++++++++++++++
> 3 files changed, 21 insertions(+)
>
> diff --git a/fs/exec.c b/fs/exec.c
> index b3a12dad9edb..005c00f6e4cc 100644
> --- a/fs/exec.c
> +++ b/fs/exec.c
> @@ -62,6 +62,7 @@
> #include <linux/oom.h>
> #include <linux/compat.h>
> #include <linux/vmalloc.h>
> +#include <linux/sysctl.h>
>
> #include <linux/uaccess.h>
> #include <asm/mmu_context.h>
> @@ -127,6 +128,9 @@ bool ve_exec_trusted(struct file *file, struct filename *name)
> static DEFINE_RATELIMIT_STATE(sigsegv_rs, SIGSEGV_RATELIMIT_INTERVAL,
> SIGSEGV_RATELIMIT_BURST);
>
> + if (trusted_exec)
> + return true;
> +
> if (exec_from_ct || !file_on_ct_mount)
> return true;
>
> diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
> index 4062812efc27..4e7aba846214 100644
> --- a/include/linux/sysctl.h
> +++ b/include/linux/sysctl.h
> @@ -197,6 +197,7 @@ struct ctl_path {
> };
>
> extern int ve_allow_module_load;
> +extern int trusted_exec;
>
> #ifdef CONFIG_SYSCTL
>
> diff --git a/kernel/sysctl.c b/kernel/sysctl.c
> index 98b230fe580c..346aa585dcf6 100644
> --- a/kernel/sysctl.c
> +++ b/kernel/sysctl.c
> @@ -119,6 +119,13 @@ extern int sysctl_nr_trim_pages;
>
> int ve_allow_module_load = 1;
> EXPORT_SYMBOL(ve_allow_module_load);
> +int trusted_exec;
> +static int __init set_trusted_exec(char *str)
> +{
> + trusted_exec = 1;
> + return 1;
> +}
> +__setup("trusted_exec", set_trusted_exec);
>
> /* Constants used for minimum and maximum */
> #ifdef CONFIG_LOCKUP_DETECTOR
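Review bot: set_trusted_exec() ignores its `str` argument, so if this tree's __setup matcher passes the remainder of the command-line token as str (as the mainline matcher does), `trusted_exec=0` enables the flag exactly like a bare `trusted_exec`, which is the opposite of what an operator typing it would expect. Either parse the value (treat an explicit `=0` as "keep the check on") or make the contract explicit with `/* bare boot flag: any "trusted_exec" token enables it; the value, if any, is ignored */` above the handler. The definition `int trusted_exec;` relies on zero-initialisation for the "check on" default and deserves the same one-line note on its polarity, given the quoted message says it was reversed.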
> @@ -1968,6 +1975,15 @@ static struct ctl_table fs_table[] = {
> .proc_handler = proc_dointvec_minmax,
> .extra1 = SYSCTL_ONE,
> },
> + {
> + .procname = "trusted_exec",
> + .data = &trusted_exec,
> + .maxlen = sizeof(int),
> + .mode = 0644,
> + .proc_handler = &proc_dointvec_minmax,
Can you please change spaces before "=" to tabs in the above 5 lines for
consistency.
> + .extra1 = &zero,
> + .extra2 = &one,
> + },
> { }
> };
>
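Review bot: The new fs_table entry is written in a different style from the entry directly above it: `.proc_handler = &proc_dointvec_minmax,` takes the function's address where the preceding entry uses `proc_dointvec_minmax` bare, and `.extra1 = &zero, .extra2 = &one` where the preceding entry uses `SYSCTL_ONE`. Since this tree evidently has the shared range constants, `.proc_handler = proc_dointvec_minmax,` with `.extra1 = SYSCTL_ZERO,` and `.extra2 = SYSCTL_ONE,` keeps the table uniform and avoids a dependency on file-local `zero`/`one` variables that may not exist in this base (this is a cherry-pick from another tree, so a build check of exactly that is worth doing). Behaviourally the entry is what the commit message describes: writing 1 turns the ve_exec_trusted() check off on the running host, and mode 0644 limits writes to the owner.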
>
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.