[Devel] [PATCH RHEL COMMIT] ve/mm/trace: introduce vps_dumpable flag
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Sep 22 14:51:00 MSK 2021
The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after ark-5.14
------>
commit 62d30b77c99fe5afdd28781fe85ab5693599b7c0
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date: Wed Sep 22 14:51:00 2021 +0300
ve/mm/trace: introduce vps_dumpable flag
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
+++
mm/vps_dumpable: naming and description for task->mm->vps_dumpable values
We have task->mm->vps_dumpable field that has magic values. It's time to name
them and describe. This patch does this conversion:
vps_dumpable=0 -> VD_VE_ENTER_TASK - mark tasks entered to VE from host,
no ptrace and no coredump allowed
vps_dumpable=1 -> VD_PTRACE_COREDUMP - mark tasks with ptrace and
coredump allowed
vps_dumpable=2 -> VD_LICDATA_ACCESS - mark tasks that accesses container
license sensitive information,
ptrace and coredump prohibited
Changes v3:
More readable defines comments.
Check ->vps_dumpable first to avoid releasing creds in do_coredump().
Changes v2:
Moved vps_dumpable values below struct mm_struct.
https://jira.sw.ru/browse/PSBM-20666
Signed-off-by: Andrey Smetanin <asmetanin at parallels.com>
(cherry picked from commit 58ae02c036f8550051359b043ada22b05a789c0c)
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
+++
ve/mm/trace: Improve vps_dumpable check in __ptrace_may_access()
__ptrace_may_access() is used when someone tries to
readlink /proc/$PID/ns/$SOMENS and gets -EPERM for kthreads
because they lack task->mm and thus "vps_dumpable" field.
Let's return error only for non-kernel threads and follow usual
restrictions for kernel threads.
https://jira.sw.ru/browse/PSBM-92107
Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
Rebase to vz8:
- Lets remove excess vps_dumpable variable.
- Also do the same mm precheck for vps_dumpable use in ptrace_attach(),
with also replacing EACCES with more suitable EPERM.
- Note that we don't have mm for zombies too, but it looks like there is
no point to prohibit access to them via proc, and we can't ptrace dead
tasks anyway.
(cherry-picked from vz7 commit 5f24adbea638 ("Improve vps_dumpable check in
__ptrace_may_access()"))
mFixes: 8e582a4301dfc ("ve/mm/trace: introduce vps_dumpable flag")
https://jira.sw.ru/browse/PSBM-127780
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
(cherry-picked from vz8 commit 4ee7b4fb0da5fec5aef969cdbed4aa59afc66463)
Signed-off-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
---
fs/coredump.c | 3 +++
fs/exec.c | 1 +
include/linux/mm_types.h | 7 +++++++
kernel/ptrace.c | 9 +++++++++
kernel/ve/ve.c | 4 ++++
5 files changed, 24 insertions(+)
diff --git a/fs/coredump.c b/fs/coredump.c
index 07afb5ddb1c4..ae25d8b7a07b 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -610,6 +610,9 @@ void do_coredump(const kernel_siginfo_t *siginfo)
if (!__get_dumpable(cprm.mm_flags))
goto fail;
+ /* Avoid dumping sensitive tasks */
+ if (mm->vps_dumpable != VD_PTRACE_COREDUMP)
+ goto fail;
cred = prepare_creds();
if (!cred)
goto fail;
diff --git a/fs/exec.c b/fs/exec.c
index 38f63451b928..67dab3cf3edd 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -998,6 +998,7 @@ static int exec_mmap(struct mm_struct *mm)
}
}
+ mm->vps_dumpable = VD_PTRACE_COREDUMP;
task_lock(tsk);
membarrier_exec_mmap(mm);
diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h
index 52bbd2b7cb46..8c73935c4e66 100644
--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -510,6 +510,7 @@ struct mm_struct {
unsigned long flags; /* Must use atomic bitops to access */
+ unsigned int vps_dumpable:2;
struct core_state *core_state; /* coredumping support */
#ifdef CONFIG_AIO
@@ -583,6 +584,12 @@ struct mm_struct {
extern struct mm_struct init_mm;
+#define VD_VE_ENTER_TASK 0/* tasks entered to VE from host, no ptrace,
+ * or coredump or licdata access allowed */
+#define VD_PTRACE_COREDUMP 1/* tasks with ptrace and coredump allowed */
+#define VD_LICDATA_ACCESS 2/* tasks accessed containers license data,
+ * no ptrace and no coredump allowed */
+
/* Pointer magic because the dynamic array size confuses some compilers. */
static inline void mm_init_cpumask(struct mm_struct *mm)
{
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 319857449599..787ab8e67fa2 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -32,6 +32,7 @@
#include <linux/compat.h>
#include <linux/sched/signal.h>
#include <linux/minmax.h>
+#include <linux/ve.h>
#include <asm/syscall.h> /* for syscall_get_* */
@@ -359,6 +360,10 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
!ptrace_has_cap(mm->user_ns, mode)))
return -EPERM;
+ if (mm && (mm->vps_dumpable != VD_PTRACE_COREDUMP) &&
+ !ve_is_super(get_exec_env()))
+ return -EPERM;
+
return security_ptrace_access_check(task, mode);
}
@@ -408,6 +413,10 @@ static int ptrace_attach(struct task_struct *task, long request,
task_lock(task);
retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH_REALCREDS);
+ if (!retval) {
+ if (task->mm && task->mm->vps_dumpable == VD_LICDATA_ACCESS)
+ retval = -EPERM;
+ }
task_unlock(task);
if (retval)
goto unlock_creds;
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index f87e3fd53ec7..1cce1a51b2ee 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -458,6 +458,10 @@ static void ve_attach(struct cgroup_taskset *tset)
cgroup_taskset_for_each(task, css, tset) {
struct ve_struct *ve = css_to_ve(css);
+ /* this probihibts ptracing of task entered to VE from host system */
+ if (ve->is_running && task->mm)
+ task->mm->vps_dumpable = VD_VE_ENTER_TASK;
+
/* Drop OOM protection. */
task->signal->oom_score_adj = 0;
task->signal->oom_score_adj_min = 0;
More information about the Devel
mailing list