[Devel] [PATCH RH9 13/13] ve/mm/trace: introduce vps_dumpable flag

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Tue Sep 21 19:04:31 MSK 2021 

From: Konstantin Khorenko <khorenko at virtuozzo.com>

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>

+++
mm/vps_dumpable: naming and description for task->mm->vps_dumpable values

We have task->mm->vps_dumpable field that has magic values. It's time to name
them and describe. This patch does this conversion:

vps_dumpable=0 -> VD_VE_ENTER_TASK	- mark tasks entered to VE from host,
					  no ptrace and no coredump allowed
vps_dumpable=1 -> VD_PTRACE_COREDUMP	- mark tasks with ptrace and
					  coredump allowed
vps_dumpable=2 -> VD_LICDATA_ACCESS	- mark tasks that accesses container
					  license sensitive information,
					  ptrace and coredump prohibited

Changes v3:
More readable defines comments.
Check ->vps_dumpable first to avoid releasing creds in do_coredump().

Changes v2:
Moved vps_dumpable values below struct mm_struct.

https://jira.sw.ru/browse/PSBM-20666

Signed-off-by: Andrey Smetanin <asmetanin at parallels.com>

(cherry picked from commit 58ae02c036f8550051359b043ada22b05a789c0c)
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>

+++
ve/mm/trace: Improve vps_dumpable check in __ptrace_may_access()

__ptrace_may_access() is used when someone tries to
readlink /proc/$PID/ns/$SOMENS and gets -EPERM for kthreads
because they lack task->mm and thus "vps_dumpable" field.

Let's return error only for non-kernel threads and follow usual
restrictions for kernel threads.

https://jira.sw.ru/browse/PSBM-92107
Signed-off-by: Vasily Averin <vvs at virtuozzo.com>

Rebase to vz8:

- Lets remove excess vps_dumpable variable.
- Also do the same mm precheck for vps_dumpable use in ptrace_attach(),
  with also replacing EACCES with more suitable EPERM.
- Note that we don't have mm for zombies too, but it looks like there is
  no point to prohibit access to them via proc, and we can't ptrace dead
  tasks anyway.

(cherry-picked from vz7 commit 5f24adbea638 ("Improve vps_dumpable check in
__ptrace_may_access()"))
mFixes: 8e582a4301dfc ("ve/mm/trace: introduce vps_dumpable flag")

https://jira.sw.ru/browse/PSBM-127780

Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

(cherry-picked from vz8 commit 4ee7b4fb0da5fec5aef969cdbed4aa59afc66463)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 fs/coredump.c            | 3 +++
 fs/exec.c                | 1 +
 include/linux/mm_types.h | 7 +++++++
 kernel/ptrace.c          | 9 +++++++++
 kernel/ve/ve.c           | 4 ++++
 5 files changed, 24 insertions(+)

diff --git a/fs/coredump.c b/fs/coredump.c
index 07afb5ddb1c4..ae25d8b7a07b 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -610,6 +610,9 @@ void do_coredump(const kernel_siginfo_t *siginfo)
 	if (!__get_dumpable(cprm.mm_flags))
 		goto fail;
 
+	/* Avoid dumping sensitive tasks */
+	if (mm->vps_dumpable != VD_PTRACE_COREDUMP)
+		goto fail;
 	cred = prepare_creds();
 	if (!cred)
 		goto fail;
diff --git a/fs/exec.c b/fs/exec.c
index 38f63451b928..67dab3cf3edd 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -998,6 +998,7 @@ static int exec_mmap(struct mm_struct *mm)
 		}
 	}
 
+	mm->vps_dumpable = VD_PTRACE_COREDUMP;
 	task_lock(tsk);
 	membarrier_exec_mmap(mm);
 
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 52bbd2b7cb46..8c73935c4e66 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -510,6 +510,7 @@ struct mm_struct {
 
 		unsigned long flags; /* Must use atomic bitops to access */
 
+		unsigned int vps_dumpable:2;
 		struct core_state *core_state; /* coredumping support */
 
 #ifdef CONFIG_AIO
@@ -583,6 +584,12 @@ struct mm_struct {
 
 extern struct mm_struct init_mm;
 
+#define VD_VE_ENTER_TASK	0/* tasks entered to VE from host, no ptrace,
+				  * or coredump or licdata access allowed */
+#define VD_PTRACE_COREDUMP	1/* tasks with ptrace and coredump allowed */
+#define VD_LICDATA_ACCESS	2/* tasks accessed containers license data,
+				  * no ptrace and no coredump allowed */
+
 /* Pointer magic because the dynamic array size confuses some compilers. */
 static inline void mm_init_cpumask(struct mm_struct *mm)
 {
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 319857449599..787ab8e67fa2 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -32,6 +32,7 @@
 #include <linux/compat.h>
 #include <linux/sched/signal.h>
 #include <linux/minmax.h>
+#include <linux/ve.h>
 
 #include <asm/syscall.h>	/* for syscall_get_* */
 
@@ -359,6 +360,10 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 	     !ptrace_has_cap(mm->user_ns, mode)))
 	    return -EPERM;
 
+	if (mm && (mm->vps_dumpable != VD_PTRACE_COREDUMP) &&
+	    !ve_is_super(get_exec_env()))
+		return -EPERM;
+
 	return security_ptrace_access_check(task, mode);
 }
 
@@ -408,6 +413,10 @@ static int ptrace_attach(struct task_struct *task, long request,
 
 	task_lock(task);
 	retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
+	if (!retval) {
+		if (task->mm && task->mm->vps_dumpable == VD_LICDATA_ACCESS)
+			retval = -EPERM;
+	}
 	task_unlock(task);
 	if (retval)
 		goto unlock_creds;
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index f87e3fd53ec7..1cce1a51b2ee 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -458,6 +458,10 @@ static void ve_attach(struct cgroup_taskset *tset)
 	cgroup_taskset_for_each(task, css, tset) {
 		struct ve_struct *ve = css_to_ve(css);
 
+		/* this probihibts ptracing of task entered to VE from host system */
+		if (ve->is_running && task->mm)
+			task->mm->vps_dumpable = VD_VE_ENTER_TASK;
+
 		/* Drop OOM protection. */
 		task->signal->oom_score_adj = 0;
 		task->signal->oom_score_adj_min = 0;
-- 
2.31.1

More information about the Devel mailing list