[Devel] [PATCH RHEL COMMIT] trusted/ve/exec: Allow trusted exec change both on boot and on running system
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Oct 4 21:41:01 MSK 2021
The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 7db0de7e3053b272295867ddc848c6073ccde783
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date: Mon Oct 4 21:41:01 2021 +0300
trusted/ve/exec: Allow trusted exec change both on boot and on running system
By default the protection from "untrusted" binaries execution by VE0
processes is enabled.
The protection can be disabled via
* setting "trusted_exec" kernel boot option
* setting "fs.trusted_exec" sysctl to "1"
If the protection is disabled, "vz_trusted_exec" disk device attribute
value is ignored, the execution is allowed.
https://jira.sw.ru/browse/PSBM-98702
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>
https://jira.sw.ru/browse/PSBM-129741
Cherry-picked from vz7 commit dccfe19f93c4 ("ve/exec: allow trusted exec
change both on boot and on running system")
Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>
(cherry picked from vz8 commit 4d7f46beaf9265a0bb1ed57d7e387d838adcd9f8)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
fs/exec.c | 1 +
include/linux/sysctl.h | 2 ++
kernel/sysctl.c | 17 +++++++++++++++++
kernel/ve/ve.c | 4 ++++
4 files changed, 24 insertions(+)
diff --git a/fs/exec.c b/fs/exec.c
index 15c3c62cbe23..79a3e0fff4d9 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -65,6 +65,7 @@
#include <linux/vmalloc.h>
#include <linux/io_uring.h>
#include <linux/syscall_user_dispatch.h>
+#include <linux/sysctl.h>
#include <linux/ve.h>
#include <linux/uaccess.h>
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 4c9efe69e435..3c59f962f3f6 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -185,6 +185,8 @@ struct ctl_path {
const char *procname;
};
+extern int trusted_exec;
+
#ifdef CONFIG_SYSCTL
void proc_sys_poll_notify(struct ctl_table_poll *poll);
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 55054f136f68..e50829903763 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -109,6 +109,14 @@
#if defined(CONFIG_SYSCTL)
+int trusted_exec;
+static int __init set_trusted_exec(char *str)
+{
+ trusted_exec = 1;
+ return 1;
+}
+__setup("trusted_exec", set_trusted_exec);
+
/* Constants used for minimum and maximum */
#ifdef CONFIG_LOCKUP_DETECTOR
static int sixty = 60;
@@ -3479,6 +3487,15 @@ static struct ctl_table fs_table[] = {
.proc_handler = proc_dointvec_minmax,
.extra1 = SYSCTL_ONE,
},
+ {
+ .procname = "trusted_exec",
+ .data = &trusted_exec,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec_minmax,
+ .extra1 = SYSCTL_ZERO,
+ .extra2 = SYSCTL_ONE,
+ },
{ }
};
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 4123a1bb2136..4d6366925396 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1273,6 +1273,10 @@ static bool ve_check_trusted_file(struct file *file)
bool exec_from_ct;
bool file_on_host_mount;
+ /* The trusted exec defense is globally off. */
+ if (trusted_exec)
+ return true;
+
/* The current process does not belong to ve0. */
exec_from_ct = !ve_is_super(get_exec_env());
if (exec_from_ct)
More information about the Devel
mailing list