[Devel] [PATCH RH9 3/6] trusted/ve/fs/exec: Don't allow a privileged user to execute untrusted files

Andrey Zhadchenko andrey.zhadchenko at virtuozzo.com
Mon Oct 4 17:42:53 MSK 2021 

From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

If we run some binary (exploit) from CT on host, it can easily give a
user in these CT an ability to do anything on host sending commands
through unix socket to the exploit. Such an exploit can mimic to bash,
ip, systemd, ping or some other "trusted" utility.

I've tested with these patch that we don't call from VE0 any binaries
from CT-fs on start, stop, enter, suspend, resume or migration. But to
be on the safe side, so that in future we don't become affected, lets
prohibit running any binary from ploop disks and from CT mounts if the
caller is from VE0.

Also we protect admins of our customer from unintentionally calling such
an exploit:

[root at kuchy ~]# strace -e trace=execve /vz/root/58a2c524-b486-42c8-849\
  b-c659bf165a91/bin/ls
execve("/vz/root/58a2c524-b486-42c8-849b-c659bf165a91/bin/ls",\
  ["/vz/root/58a2c524-b486-42c8-849b"...], [/* 27 vars */]) = -1\
  EACCES (Permission denied)
strace: exec: Permission denied
+++ exited with 1 +++

We need same check in sys_uselib as process from host can also try to
load shared library from the file in CT's ploop, which cannot be trusted
too.

https://jira.sw.ru/browse/PSBM-98094

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>

https://jira.sw.ru/browse/PSBM-129741

Based on vz7 commit 29154b5e5af9 ("ve/fs/exec: don't allow a privileged
user to execute untrusted files")

Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>

(cherry picked from vz8 commit 6b90a0e83276d4fca203eabc732178d67315503a)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/exec.c          | 16 ++++++++++++++--
 include/linux/ve.h |  1 +
 kernel/ve/ve.c     | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/fs/exec.c b/fs/exec.c
index 67dab3c..15c3c62 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -65,6 +65,7 @@
 #include <linux/vmalloc.h>
 #include <linux/io_uring.h>
 #include <linux/syscall_user_dispatch.h>
+#include <linux/ve.h>
 
 #include <linux/uaccess.h>
 #include <asm/mmu_context.h>
@@ -136,10 +137,9 @@ bool path_noexec(const struct path *path)
 		goto out;
 
 	file = do_filp_open(AT_FDCWD, tmp, &uselib_flags);
-	putname(tmp);
 	error = PTR_ERR(file);
 	if (IS_ERR(file))
-		goto out;
+		goto put;
 
 	/*
 	 * may_open() has already checked for this, so it should be
@@ -151,6 +151,12 @@ bool path_noexec(const struct path *path)
 			 path_noexec(&file->f_path)))
 		goto exit;
 
+	if (!ve_check_trusted_exec(file, tmp))
+		goto exit;
+
+	putname(tmp);
+	tmp = NULL;
+
 	fsnotify_open(file);
 
 	error = -ENOEXEC;
@@ -171,6 +177,9 @@ bool path_noexec(const struct path *path)
 	read_unlock(&binfmt_lock);
 exit:
 	fput(file);
+put:
+	if (tmp)
+		putname(tmp);
 out:
   	return error;
 }
@@ -921,6 +930,9 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
 			 path_noexec(&file->f_path)))
 		goto exit;
 
+	if (!ve_check_trusted_exec(file, name))
+		goto exit;
+
 	err = deny_write_access(file);
 	if (err)
 		goto exit;
diff --git a/include/linux/ve.h b/include/linux/ve.h
index 32c2ffb..c295112d 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -108,6 +108,7 @@ struct ve_devmnt {
 
 void ve_stop_ns(struct pid_namespace *ns);
 void ve_exit_ns(struct pid_namespace *ns);
+bool ve_check_trusted_exec(struct file *file, struct filename *name);
 
 static inline struct ve_struct *css_to_ve(struct cgroup_subsys_state *css)
 {
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 3a53e6d..16100a4 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -24,9 +24,12 @@
 #include <linux/kthread.h>
 #include <linux/nsproxy.h>
 #include <linux/fs_struct.h>
+#include <linux/genhd.h>
+
 #include <uapi/linux/vzcalluser.h>
 #include <net/rtnetlink.h>
 
+#include "../fs/mount.h"
 #include "../cgroup/cgroup-internal.h" /* For cgroup_task_count() */
 
 extern struct kmapset_set sysfs_ve_perms_set;
@@ -1335,6 +1338,51 @@ static int __init ve_subsys_init(void)
 }
 late_initcall(ve_subsys_init);
 
+static bool ve_check_trusted_file(struct file *file)
+{
+	struct block_device *bdev;
+	bool exec_from_ct;
+	bool file_on_host_mount;
+
+	/* The current process does not belong to ve0. */
+	exec_from_ct = !ve_is_super(get_exec_env());
+	if (exec_from_ct)
+		return true;
+
+	/* The current process belongs to ve0. */
+	bdev = file->f_inode->i_sb->s_bdev;
+	if (bdev) {
+		/* The file to execute is stored on trusted block device. */
+		if (bdev->bd_disk->vz_trusted_exec)
+			return true;
+	} else {
+		/*
+		 * bdev can be NULL if the file is on tmpfs, for example.
+		 * If this is a host's tmpfs - execution is allowed.
+		 */
+		file_on_host_mount = ve_is_super(
+				     real_mount(file->f_path.mnt)->ve_owner);
+		if (file_on_host_mount)
+			return true;
+	}
+
+	return false;
+}
+
+/*
+ * We don't want a VE0-privileged user intentionally or by mistake
+ * to execute files of container, these files are untrusted.
+ */
+bool ve_check_trusted_exec(struct file *file, struct filename *name)
+{
+	if (ve_check_trusted_file(file))
+		return true;
+
+	WARN_ONCE(1, "VE0's %s tried to execute untrusted file %s from VEX\n",
+		     current->comm, name->name);
+	return false;
+}
+
 #ifdef CONFIG_CGROUP_SCHED
 int cpu_cgroup_proc_loadavg(struct cgroup_subsys_state *css,
 			    struct seq_file *p);
-- 
1.8.3.1

More information about the Devel mailing list