[Devel] [PATCH vz10] ve/ptrace: apply vps_dumpable policy to tasks without an mm
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Jun 18 00:14:47 MSK 2026
The OpenVZ vps_dumpable ptrace/coredump gate in __ptrace_may_access() was
guarded by "if (task->mm)", so a task whose mm had already been dropped in
exit_mm() (a dying task) or a kernel thread escaped the policy: a process
inside a Container could still inspect such a task - e.g. steal an fd via
pidfd_getfd() - even though its vps_dumpable was not VD_PTRACE_COREDUMP.
Move the check into task_still_dumpable() and extend it to the no-mm case:
inside a Container (non-super VE) a task is denied unless it still has an mm
marked VD_PTRACE_COREDUMP. A task with no mm cannot have its vps_dumpable
confirmed, so it is denied. On the host (super VE) the behaviour is
unchanged, and for tasks that still have an mm the condition is identical
to the removed one.
This mirrors the upstream CVE-2026-46333 fix 31e62c2ebbfd ("ptrace:
slightly saner 'get_dumpable()' logic"), which already handles the generic
no-mm case via the cached task->user_dumpable, and gives the VZ-specific
vps_dumpable policy the same coverage.
Fixes: 78d55d9548cd ("ve/mm/trace: introduce vps_dumpable flag")
https://virtuozzo.atlassian.net/browse/VSTOR-131873
Feature: trace: prohibit tracing sensitive tasks from CT
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
kernel/ptrace.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 9af98cab94b8d..faf60bb8ae2c9 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -276,6 +276,20 @@ static bool ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
{
struct mm_struct *mm = task->mm;
+
+ /*
+ * Inside a Container the vps_dumpable policy takes precedence over the
+ * generic dumpability check: a task is only inspectable if its mm is
+ * marked VD_PTRACE_COREDUMP. A task with no mm - either a dying task
+ * whose mm was already dropped in exit_mm() or a kernel thread - cannot
+ * have its vps_dumpable confirmed, so deny it. This closes the window
+ * where a dying CT task could be inspected (e.g. an fd stolen via
+ * pidfd_getfd()) after exit_mm() cleared ->mm.
+ */
+ if (!ve_is_super(get_exec_env()) &&
+ (!mm || mm->vps_dumpable != VD_PTRACE_COREDUMP))
+ return false;
+
if (mm) {
if (get_dumpable(mm) == SUID_DUMP_USER)
return true;
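Review bot: the new early return denies every no-mm task inside a Container irrespective of `mode`, which is stricter than the cached-dumpability approach the commit message cites from upstream (task->user_dumpable). Since `mode` is already a parameter of task_still_dumpable(), it is worth stating whether PTRACE_MODE_READ callers (the ptrace-gated /proc files of a CT's own exiting or zombie children) are intentionally covered by the flat denial, or whether a cached per-task copy of vps_dumpable, mirroring the upstream fix, would let a legitimately dumpable dying task still be evaluated on its real policy. Also, because the check sits before `if (mm)`, it short-circuits everything that follows in the function for non-super VEs; a one-line comment that this is deliberate (Container policy first, then the generic dumpability and capability path) would make the precedence explicit.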
@@ -354,10 +368,6 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
if (!task_still_dumpable(task, mode))
return -EPERM;
- if (task->mm && (task->mm->vps_dumpable != VD_PTRACE_COREDUMP) &&
- !ve_is_super(get_exec_env()))
- return -EPERM;
-
return security_ptrace_access_check(task, mode);
}
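Review bot: with this block removed, the vps_dumpable policy is enforced at every call site of task_still_dumpable() rather than only in __ptrace_may_access(); please confirm in the commit message that task_still_dumpable() has no other caller where applying the Container-scoped denial would be unintended. The remaining check `if (!task_still_dumpable(task, mode)) return -EPERM;` is still positioned before security_ptrace_access_check(), so LSM ordering is unchanged, which matches the "behaviour unchanged on the host" claim.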
--
2.43.0