[Devel] [PATCH RHEL10 COMMIT] ve/ptrace: apply vps_dumpable policy to tasks without an mm

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jun 18 00:15:41 MSK 2026


The commit is pushed to "branch-rh10-6.12.0-211.16.1.12.x.vz10-ovz" and will appear at git at bitbucket.org:openvz/vzkernel.git
after rh10-6.12.0-211.16.1.12.2.vz10
------>
commit e9d258bbae715ad977aec7e444be75862108d108
Author: Konstantin Khorenko <khorenko at virtuozzo.com>
Date:   Wed Jun 17 23:13:30 2026 +0200

    ve/ptrace: apply vps_dumpable policy to tasks without an mm
    
    The OpenVZ vps_dumpable ptrace/coredump gate in __ptrace_may_access() was
    guarded by "if (task->mm)", so a task whose mm had already been dropped in
    exit_mm() (a dying task) or a kernel thread escaped the policy: a process
    inside a Container could still inspect such a task - e.g. steal an fd via
    pidfd_getfd() - even though its vps_dumpable was not VD_PTRACE_COREDUMP.
    
    Move the check into task_still_dumpable() and extend it to the no-mm case:
    inside a Container (non-super VE) a task is denied unless it still has an mm
    marked VD_PTRACE_COREDUMP. A task with no mm cannot have its vps_dumpable
    confirmed, so it is denied. On the host (super VE) the behaviour is
    unchanged, and for tasks that still have an mm the condition is identical
    to the removed one.
    
    This mirrors the upstream CVE-2026-46333 fix 31e62c2ebbfd ("ptrace:
    slightly saner 'get_dumpable()' logic"), which already handles the generic
    no-mm case via the cached task->user_dumpable, and gives the VZ-specific
    vps_dumpable policy the same coverage.
    
    Fixes: 78d55d9548cd ("ve/mm/trace: introduce vps_dumpable flag")
    https://virtuozzo.atlassian.net/browse/VSTOR-131873
    
    Feature: trace: prohibit tracing sensitive tasks from CT
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 kernel/ptrace.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/kernel/ptrace.c b/kernel/ptrace.c
index 9af98cab94b8d..faf60bb8ae2c9 100644
--- a/kernel/ptrace.c
+++ b/kernel/ptrace.c
@@ -276,6 +276,20 @@ static bool ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
 static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
 {
 	struct mm_struct *mm = task->mm;
+
+	/*
+	 * Inside a Container the vps_dumpable policy takes precedence over the
+	 * generic dumpability check: a task is only inspectable if its mm is
+	 * marked VD_PTRACE_COREDUMP. A task with no mm - either a dying task
+	 * whose mm was already dropped in exit_mm() or a kernel thread - cannot
+	 * have its vps_dumpable confirmed, so deny it. This closes the window
+	 * where a dying CT task could be inspected (e.g. an fd stolen via
+	 * pidfd_getfd()) after exit_mm() cleared ->mm.
+	 */
+	if (!ve_is_super(get_exec_env()) &&
+	    (!mm || mm->vps_dumpable != VD_PTRACE_COREDUMP))
+		return false;
+
 	if (mm) {
 		if (get_dumpable(mm) == SUID_DUMP_USER)
 			return true;
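Review bot: the new gate at `if (!ve_is_super(get_exec_env()) && (!mm || mm->vps_dumpable != VD_PTRACE_COREDUMP))` dereferences `mm->vps_dumpable` through the plain `task->mm` snapshot taken at `struct mm_struct *mm = task->mm;`, with nothing in the hunk pinning that mm, which is the same unlocked read the commit message says upstream 31e62c2ebbfd replaced with a cached `task->user_dumpable`; please state in the comment (or the commit message) what protects the read here, or consider caching the VZ flag the same way. Also, the comment says "Inside a Container" while the test is on `get_exec_env()`, i.e. the caller's VE rather than the tracee's; a one-line clarification that the policy keys off the inspecting task's environment would avoid misreading it.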
@@ -354,10 +368,6 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
 	if (!task_still_dumpable(task, mode))
 		return -EPERM;
 
-	if (task->mm && (task->mm->vps_dumpable != VD_PTRACE_COREDUMP) &&
-	    !ve_is_super(get_exec_env()))
-		return -EPERM;
-
 	return security_ptrace_access_check(task, mode);
 }
 
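Review bot: removing this block leaves `security_ptrace_access_check()` as the only check after `task_still_dumpable()`, so the no-mm case the commit message describes (pidfd_getfd() against a CT task after exit_mm()) is now reachable only through the relocated gate; a regression test for that exact scenario would pin the behaviour, since no test accompanies the change.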

