[Devel] [PATCH RHEL COMMIT] trusted/ve/exec: Allow trusted exec change both on boot and on running system

Konstantin Khorenko khorenko at virtuozzo.com
Mon Oct 4 21:41:01 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 7db0de7e3053b272295867ddc848c6073ccde783
Author: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Date:   Mon Oct 4 21:41:01 2021 +0300

    trusted/ve/exec: Allow trusted exec change both on boot and on running system
    
    By default the protection from "untrusted" binaries execution by VE0
    processes is enabled.
    
    The protection can be disabled via
     * setting "trusted_exec" kernel boot option
     * setting "fs.trusted_exec" sysctl to "1"
    
    If the protection is disabled, "vz_trusted_exec" disk device attribute
    value is ignored, the execution is allowed.
    
    https://jira.sw.ru/browse/PSBM-98702
    
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    
    Acked-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    https://jira.sw.ru/browse/PSBM-129741
    Cherry-picked from vz7 commit dccfe19f93c4 ("ve/exec: allow trusted exec
    change both on boot and on running system")
    
    Signed-off-by: Valeriy Vdovin <valeriy.vdovin at virtuozzo.com>
    
    Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
    Reviewed-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    (cherry picked from vz8 commit 4d7f46beaf9265a0bb1ed57d7e387d838adcd9f8)
    Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
 fs/exec.c              |  1 +
 include/linux/sysctl.h |  2 ++
 kernel/sysctl.c        | 17 +++++++++++++++++
 kernel/ve/ve.c         |  4 ++++
 4 files changed, 24 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c
index 15c3c62cbe23..79a3e0fff4d9 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -65,6 +65,7 @@
 #include <linux/vmalloc.h>
 #include <linux/io_uring.h>
 #include <linux/syscall_user_dispatch.h>
+#include <linux/sysctl.h>
 #include <linux/ve.h>
 
 #include <linux/uaccess.h>
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 4c9efe69e435..3c59f962f3f6 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -185,6 +185,8 @@ struct ctl_path {
 	const char *procname;
 };
 
+extern int trusted_exec;
+
 #ifdef CONFIG_SYSCTL
 
 void proc_sys_poll_notify(struct ctl_table_poll *poll);
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 55054f136f68..e50829903763 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -109,6 +109,14 @@
 
 #if defined(CONFIG_SYSCTL)
 
+int trusted_exec;
+static int __init set_trusted_exec(char *str)
+{
+	trusted_exec = 1;
+	return 1;
+}
+__setup("trusted_exec", set_trusted_exec);
+
 /* Constants used for minimum and  maximum */
 #ifdef CONFIG_LOCKUP_DETECTOR
 static int sixty = 60;
@@ -3479,6 +3487,15 @@ static struct ctl_table fs_table[] = {
 		.proc_handler	= proc_dointvec_minmax,
 		.extra1		= SYSCTL_ONE,
 	},
+	{
+		.procname	= "trusted_exec",
+		.data		= &trusted_exec,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_minmax,
+		.extra1		= SYSCTL_ZERO,
+		.extra2		= SYSCTL_ONE,
+	},
 	{ }
 };
 
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 4123a1bb2136..4d6366925396 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1273,6 +1273,10 @@ static bool ve_check_trusted_file(struct file *file)
 	bool exec_from_ct;
 	bool file_on_host_mount;
 
+	/* The trusted exec defense is globally off. */
+	if (trusted_exec)
+		return true;
+
 	/* The current process does not belong to ve0. */
 	exec_from_ct = !ve_is_super(get_exec_env());
 	if (exec_from_ct)


More information about the Devel mailing list