[Devel] [PATCH vz10] ve/ptrace: apply vps_dumpable policy to tasks without an mm
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Thu Jun 18 12:27:57 MSK 2026
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
On 6/17/26 23:14, Konstantin Khorenko wrote:
> The OpenVZ vps_dumpable ptrace/coredump gate in __ptrace_may_access() was
> guarded by "if (task->mm)", so a task whose mm had already been dropped in
> exit_mm() (a dying task) or a kernel thread escaped the policy: a process
> inside a Container could still inspect such a task - e.g. steal an fd via
> pidfd_getfd() - even though its vps_dumpable was not VD_PTRACE_COREDUMP.
>
> Move the check into task_still_dumpable() and extend it to the no-mm case:
> inside a Container (non-super VE) a task is denied unless it still has an mm
> marked VD_PTRACE_COREDUMP. A task with no mm cannot have its vps_dumpable
> confirmed, so it is denied. On the host (super VE) the behaviour is
> unchanged, and for tasks that still have an mm the condition is identical
> to the removed one.
>
> This mirrors the upstream CVE-2026-46333 fix 31e62c2ebbfd ("ptrace:
> slightly saner 'get_dumpable()' logic"), which already handles the generic
> no-mm case via the cached task->user_dumpable, and gives the VZ-specific
> vps_dumpable policy the same coverage.
>
> Fixes: 78d55d9548cd ("ve/mm/trace: introduce vps_dumpable flag")
> https://virtuozzo.atlassian.net/browse/VSTOR-131873
>
> Feature: trace: prohibit tracing sensitive tasks from CT
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> ---
> kernel/ptrace.c | 18 ++++++++++++++----
> 1 file changed, 14 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 9af98cab94b8d..faf60bb8ae2c9 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -276,6 +276,20 @@ static bool ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
> static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
> {
> struct mm_struct *mm = task->mm;
> +
> + /*
> + * Inside a Container the vps_dumpable policy takes precedence over the
> + * generic dumpability check: a task is only inspectable if its mm is
> + * marked VD_PTRACE_COREDUMP. A task with no mm - either a dying task
> + * whose mm was already dropped in exit_mm() or a kernel thread - cannot
> + * have its vps_dumpable confirmed, so deny it. This closes the window
> + * where a dying CT task could be inspected (e.g. an fd stolen via
> + * pidfd_getfd()) after exit_mm() cleared ->mm.
> + */
> + if (!ve_is_super(get_exec_env()) &&
> + (!mm || mm->vps_dumpable != VD_PTRACE_COREDUMP))
> + return false;
> +
> if (mm) {
> if (get_dumpable(mm) == SUID_DUMP_USER)
> return true;
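Review bot: the new early return at the top of task_still_dumpable() keys the policy on get_exec_env(), i.e. the VE of the caller doing the access check, not the VE the target task belongs to, and it does so for every `mode` since it returns before `mode` is consulted. The comment says only "Inside a Container", which a later reader may take to mean the target's VE; suggest making the subject explicit, e.g. "When the caller runs in a non-super VE, the vps_dumpable policy takes precedence ...", and stating that the denial covers all access modes, including read-only ones. The condition itself is right: for a task that still has an mm it is exactly the removed `task->mm->vps_dumpable != VD_PTRACE_COREDUMP && !ve_is_super(get_exec_env())`, and the `!mm` arm is the new coverage for dying tasks and kernel threads.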
> @@ -354,10 +368,6 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
> if (!task_still_dumpable(task, mode))
> return -EPERM;
>
> - if (task->mm && (task->mm->vps_dumpable != VD_PTRACE_COREDUMP) &&
> - !ve_is_super(get_exec_env()))
> - return -EPERM;
> -
> return security_ptrace_access_check(task, mode);
> }
>
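Review bot: the removed condition read task->mm twice (once for the NULL test, once to dereference ->vps_dumpable), while the relocated check in task_still_dumpable() uses the single `mm` local snapshotted at function entry, so test and use now operate on the same pointer; worth a sentence in the commit message, as it is a small independent tidy-up beyond the no-mm coverage. Moving the VZ gate ahead of the generic get_dumpable() path is otherwise a pure reordering: both checks are deny-only, so the set of accesses that reach security_ptrace_access_check() is unchanged for tasks with an mm.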
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.