[Devel] [PATCH RH9 5/6] trusted/ve/exec: Allow trusted exec change both on boot and on running system
Andrey Zhadchenko
andrey.zhadchenko at virtuozzo.com
Mon Oct 4 17:42:55 MSK 2021
From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
By default the protection from "untrusted" binaries execution by VE0
processes is enabled.
The protection can be disabled via
* setting "trusted_exec" kernel boot option
* setting "fs.trusted_exec" sysctl to "1"
If the protection is disabled, the "vz_trusted_exec" disk device attribute
value is ignored and execution is allowed.
https://jira.sw.ru/browse/PSBM-98702
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>
https://jira.sw.ru/browse/PSBM-129741
Cherry-picked from vz7 commit dccfe19f93c4 ("ve/exec: allow trusted exec
change both on boot and on running system")
Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>
(cherry picked from vz8 commit 4d7f46beaf9265a0bb1ed57d7e387d838adcd9f8)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
fs/exec.c | 1 +
include/linux/sysctl.h | 2 ++
kernel/sysctl.c | 17 +++++++++++++++++
kernel/ve/ve.c | 4 ++++
4 files changed, 24 insertions(+)
diff --git a/fs/exec.c b/fs/exec.c
index 15c3c62..79a3e0f 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -65,6 +65,7 @@
#include <linux/vmalloc.h>
#include <linux/io_uring.h>
#include <linux/syscall_user_dispatch.h>
+#include <linux/sysctl.h>
#include <linux/ve.h>
#include <linux/uaccess.h>
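Review bot: The added `#include <linux/sysctl.h>` has no visible consumer in fs/exec.c: the only new reference to `trusted_exec` in this series is in kernel/ve/ve.c, which itself gets no include here and presumably picks the declaration up transitively. If fs/exec.c does not use the symbol outside this diff, the include belongs in kernel/ve/ve.c instead, next to the code that reads it; if it is needed here for a reason not shown, a short comment on the include line (`/* trusted_exec */`) would save the next reader the same question.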
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 4c9efe6..3c59f962 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -185,6 +185,8 @@ struct ctl_path {
const char *procname;
};
+extern int trusted_exec;
+
#ifdef CONFIG_SYSCTL
void proc_sys_poll_notify(struct ctl_table_poll *poll);
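Review bot: `extern int trusted_exec;` is declared unconditionally, but the definition in the first kernel/sysctl.c hunk sits inside `#if defined(CONFIG_SYSCTL)`, so a configuration with CONFIG_SYSCTL disabled (if kernel/ve/ve.c can be built in one) would fail to link at the new read in ve_check_trusted_file. Moving `int trusted_exec;` and the `__setup` handler above that `#if` keeps the boot-option path and the ve.c check buildable regardless of CONFIG_SYSCTL, with only the table entry staying under the guard. The same concern applies to the first kernel/sysctl.c hunk.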
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 9321aa7..f1983e8 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -109,6 +109,14 @@
#if defined(CONFIG_SYSCTL)
+int trusted_exec;
+static int __init set_trusted_exec(char *str)
+{
+ trusted_exec = 1;
+ return 1;
+}
+__setup("trusted_exec", set_trusted_exec);
+
/* Constants used for minimum and maximum */
#ifdef CONFIG_LOCKUP_DETECTOR
static int sixty = 60;
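Review bot: `int trusted_exec;` carries no comment and its name reads inverted: a non-zero value means the trusted-exec protection is off, which is what the kernel/ve/ve.c hunk relies on, and a reader of the boot option `trusted_exec` would reasonably guess the opposite. Suggest a comment above the definition, e.g. `/* Non-zero disables the VE0 trusted-exec check; set by the "trusted_exec" boot option or the fs.trusted_exec sysctl. */`. Since the flag is read on the exec path and written only at boot or via the sysctl, `int trusted_exec __read_mostly;` also seems appropriate.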
@@ -3472,6 +3480,15 @@ int proc_do_static_key(struct ctl_table *table, int write,
.proc_handler = proc_dointvec_minmax,
.extra1 = SYSCTL_ONE,
},
+ {
+ .procname = "trusted_exec",
+ .data = &trusted_exec,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
{ }
};
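Review bot: `.proc_handler = &proc_dointvec_minmax,` takes the address explicitly while the neighbouring entry in the same table (`.proc_handler = proc_dointvec_minmax,`) does not; both are valid, but the new entry should follow the table's existing style, `.proc_handler = proc_dointvec_minmax,`. The `0644` mode is the right choice for a knob that switches off an exec hardening check — only root can flip it — and a one-line comment stating that this sysctl disables the VE0 trusted-exec protection would make the entry self-explanatory next to its neighbours.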
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index bb662e4..19a3265 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1344,6 +1344,10 @@ static bool ve_check_trusted_file(struct file *file)
bool exec_from_ct;
bool file_on_host_mount;
+ /* The trusted exec defense is globally off. */
+ if (trusted_exec)
+ return true;
+
/* The current process does not belong to ve0. */
exec_from_ct = !ve_is_super(get_exec_env());
if (exec_from_ct)
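Review bot: `trusted_exec` is read here with a plain load while it can be written concurrently through the sysctl handler; a plain int read is unlikely to miscompile, but `if (READ_ONCE(trusted_exec))` documents that the value is shared and is the kernel's usual idiom for such flags. Nothing records that the defense was bypassed on this path, so once the sysctl has been flipped the only trace is the sysctl value itself; a `pr_warn_once` when the check is skipped, or logging in a dedicated proc handler when the value changes, would give operators a detection point. ve_check_trusted_file's body starts before this hunk.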
--
1.8.3.1