[Devel] [PATCH RH9 12/13] ptrace: prevent tracing "init" from inside a CT

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Tue Sep 21 19:04:30 MSK 2021


From: Konstantin Khorenko <khorenko at virtuozzo.com>

A long time ago there was a bug in vzctl: it did not close some file
descriptors on entering CT.

vzctl has been fixed surely, and this patch is just a hardening
to prevent leaks in case we ever have that kind of bug.

This particular patch is for CT start only; entering inside a CT
is defended via the "vps_dumpable" flag.

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>

(cherry-picked from vz8 commit 73f7c6b9b4b7a75fe16b711ca2776ebcd8058e95)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 kernel/ptrace.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index f8589bf8d7dc..319857449599 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -1287,6 +1287,10 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
 		goto out;
 	}
 
+	/* ptracing of init from inside CT is dangerous */
+	if (pid == 1 && !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	child = find_get_task_by_vpid(pid);
 	if (!child) {
 		ret = -ESRCH;
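Review bot: the new check is not scoped to containers. `capable(CAP_SYS_ADMIN)` is evaluated against the initial user namespace and `pid == 1` is the caller's own view of the pid, so CT root is denied regardless of the capabilities it holds in its own user namespace (the intended effect), but on the host the same lines also deny ptrace of the real init to a caller that has CAP_SYS_PTRACE without CAP_SYS_ADMIN. If host behaviour is meant to stay unchanged, gate the check on the caller living outside the initial pid namespace (e.g. `task_active_pid_ns(current) != &init_pid_ns`), or state the host-side effect in the commit message. Minor style point: the surrounding error paths use `ret = -ESRCH; goto out;`, so `ret = -EPERM; goto out;` would match them better than a bare `return -EPERM;`.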
@@ -1432,6 +1436,10 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
 		goto out;
 	}
 
+	/* ptracing of init from inside CT is dangerous */
+	if (pid == 1 && !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	child = find_get_task_by_vpid(pid);
 	if (!child) {
 		ret = -ESRCH;
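Review bot: this block is a verbatim copy of the one added to the native `SYSCALL_DEFINE4` entry point; factor it into a small static helper (a name such as `ptrace_may_trace_init()` is only a suggestion) called from both the native and the compat syscall, so that any later change to the policy (the capability tested, or namespace scoping) cannot drift between the two entry points. The same style remark applies here: `ret = -EPERM; goto out;` matches the surrounding error handling.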
-- 
2.31.1