[Devel] [PATCH RH9 02/10] ve: prohibit opening proc/self/exe from VE for VD_VE_ENTER_TASK
Cyrill Gorcunov
gorcunov at gmail.com
Sun Oct 10 21:17:57 MSK 2021
From: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
The task having task->mm->vps_dumpable == VD_VE_ENTER_TASK is a task
which entered container's ve cgroup and not yet called exec until:

  sys_execve
    do_execve
      do_execve_common [1]
        exec_binprm
          search_binary_handler
            load_elf_binary
              flush_old_exec
                exec_mmap <- here
So after the patch the task which entered the container will not be able
to exec on /proc/self/exe as trying to do_open_exec() on it we will see
VD_VE_ENTER_TASK and fail the check in:

  do_execve_common [1]
    do_open_exec
      do_filp_open
        path_openat
          proc_pid_follow_link
            proc_exe_link
Note: if we try to exec self via /proc/self/exe, do_execve_common()->...->
proc_exe_link() is done before exec_mmap() which updates .vps_dumpable.
After the task has called exec on some other binary inside the VE it would be
able to exec on /proc/self/exe (e.g. docker/runc need this) as it
becomes VD_PTRACE_COREDUMP. That is safe as the link already points
to the file inside the VE.
Need to revert 44d26f1f3dcd ("proc/self/exe link validation")
https://jira.sw.ru/browse/PSBM-91689
https://jira.sw.ru/browse/PSBM-91042
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
Reviewed-by: Vasily Averin <vvs at virtuozzo.com>
vvs@: here we don't check if current == task and this is fine:
if current tries to open exe file of another task with
vps_dumpable = VD_VE_ENTER_TASK, it should be blocked on fd open because of
vps_dumpable check and we will not reach proc_exe_link() anyway.
khorenko@: check for ve_is_super() is required here to allow /proc/pid/exe
link examination if we debug process entered the CT from the host.
(cherry-picked from vz7 commit 942ebd0c9cc8 ("ve: prohibit opening proc/self/exe
from VE for VD_VE_ENTER_TASK"))
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
fs/proc/base.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 550866ddf55e..a02acdaa3ca5 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1738,6 +1738,17 @@ static int proc_exe_link(struct dentry *dentry, struct path *exe_path)
task = get_proc_task(d_inode(dentry));
if (!task)
return -ENOENT;
+
+ if (!ve_is_super(get_exec_env())) {
+ task_lock(task);
+ if (task->mm && task->mm->vps_dumpable == VD_VE_ENTER_TASK) {
+ task_unlock(task);
+ put_task_struct(task);
+ return -EPERM;
+ }
+ task_unlock(task);
+ }
+
exe_file = get_task_exe_file(task);
put_task_struct(task);
if (exe_file) {
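Review bot: the added block after `return -ENOENT;` carries none of the reasoning the commit message gives for it, so a reader of fs/proc/base.c cannot tell why a task with vps_dumpable == VD_VE_ENTER_TASK is refused here or why the `ve_is_super(get_exec_env())` bypass exists; add a short comment above `if (!ve_is_super(get_exec_env())) {` stating that a task which entered the VE but has not yet exec'ed still has an exe link pointing outside the container, that the check is skipped for the host so a process that entered the CT can still be debugged from there, and that it intentionally applies to any task's /proc/<pid>/exe rather than only /proc/self/exe (the vvs@ note explains why that is fine). While there, the new path returns -EPERM where the existing failure path returns -ENOENT, which is a sensible distinction but worth one line in that comment so the difference is not mistaken for an oversight.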
--
2.31.1