[Devel] [PATCH RHEL COMMIT] ptrace: prevent tracing "init" from inside a CT

Konstantin Khorenko khorenko at virtuozzo.com
Wed Sep 22 14:50:59 MSK 2021


The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 0cc6a674fa2c6a4b058c938119a9adb3a5409605
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Wed Sep 22 14:50:59 2021 +0300

    ptrace: prevent tracing "init" from inside a CT
    
    A long time ago there was a bug in vzctl: it did not close some file
    descriptors on entering a CT.
    
    vzctl has surely been fixed, and this patch is just hardening
    to prevent leaks in case we ever have that kind of bug.
    
    This particular patch is for CT start only; entering a CT
    is defended via the "vps_dumpable" flag.
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
    
    (cherry-picked from vz8 commit 73f7c6b9b4b7a75fe16b711ca2776ebcd8058e95)
    Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
 kernel/ptrace.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index f8589bf8d7dc..319857449599 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -1287,6 +1287,10 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
 		goto out;
 	}
 
+	/* ptracing of init from inside CT is dangerous */
+	if (pid == 1 && !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	child = find_get_task_by_vpid(pid);
 	if (!child) {
 		ret = -ESRCH;
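Review bot: the early `return -EPERM;` in the new check bypasses the function's `out:` label, while the exits visible above (`goto out;`) and below (`ret = -ESRCH;`) go through `ret`/`out`; for consistency with the surrounding error paths, and so that any cleanup later attached to `out:` is not skipped, write it as `ret = -EPERM; goto out;`. The one-line comment would also benefit from stating what makes this a container check: `pid` is the caller's namespace-relative pid (the same value handed to `find_get_task_by_vpid(pid)` just below), and `capable(CAP_SYS_ADMIN)` is evaluated against the initial user namespace, so root inside a CT's user namespace is refused while host root keeps the ability to trace pid 1.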
@@ -1432,6 +1436,10 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
 		goto out;
 	}
 
+	/* ptracing of init from inside CT is dangerous */
+	if (pid == 1 && !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+
 	child = find_get_task_by_vpid(pid);
 	if (!child) {
 		ret = -ESRCH;
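Review bot: this is a verbatim copy of the check added to the native `ptrace` entry point above, and both syscalls call `find_get_task_by_vpid(pid)` immediately after it; the pid-1 test should live in one shared static helper used by both entry points rather than two copies that can drift apart if the condition is revisited later. The same `return -EPERM;` versus `ret = -EPERM; goto out;` consistency point from the first hunk applies here as well.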

