[Devel] [PATCH RHEL COMMIT] ptrace: prevent tracing "init" from inside a CT
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Sep 22 14:50:59 MSK 2021
The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 0cc6a674fa2c6a4b058c938119a9adb3a5409605
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Wed Sep 22 14:50:59 2021 +0300
ptrace: prevent tracing "init" from inside a CT
Long time ago there was a bug in vzctl: it did not close some file
descriptors on entering CT.
vzctl has been fixed surely, and this patch is just a hardening
to prevent leaks in case we ever have that kind of bug.
This particular patch is for CT start only, entering inside a CT
is defended via "vps_dumpable" flag.
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
(cherry-picked from vz8 commit 73f7c6b9b4b7a75fe16b711ca2776ebcd8058e95)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
kernel/ptrace.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index f8589bf8d7dc..319857449599 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -1287,6 +1287,10 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
goto out;
}
+ /* ptracing of init from inside CT is dangerous */
+ if (pid == 1 && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
child = find_get_task_by_vpid(pid);
if (!child) {
ret = -ESRCH;
@@ -1432,6 +1436,10 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
goto out;
}
+ /* ptracing of init from inside CT is dangerous */
+ if (pid == 1 && !capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
child = find_get_task_by_vpid(pid);
if (!child) {
ret = -ESRCH;
More information about the Devel
mailing list