[Devel] [PATCH vz10] ve/ptrace: apply vps_dumpable policy to tasks without an mm

Pavel Tikhomirov ptikhomirov at virtuozzo.com
Thu Jun 18 12:27:57 MSK 2026


Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>

On 6/17/26 23:14, Konstantin Khorenko wrote:
> The OpenVZ vps_dumpable ptrace/coredump gate in __ptrace_may_access() was
> guarded by "if (task->mm)", so a task whose mm had already been dropped in
> exit_mm() (a dying task) or a kernel thread escaped the policy: a process
> inside a Container could still inspect such a task - e.g. steal an fd via
> pidfd_getfd() - even though its vps_dumpable was not VD_PTRACE_COREDUMP.
> 
> Move the check into task_still_dumpable() and extend it to the no-mm case:
> inside a Container (non-super VE) a task is denied unless it still has an mm
> marked VD_PTRACE_COREDUMP. A task with no mm cannot have its vps_dumpable
> confirmed, so it is denied. On the host (super VE) the behaviour is
> unchanged, and for tasks that still have an mm the condition is identical
> to the removed one.
> 
> This mirrors the upstream CVE-2026-46333 fix 31e62c2ebbfd ("ptrace:
> slightly saner 'get_dumpable()' logic"), which already handles the generic
> no-mm case via the cached task->user_dumpable, and gives the VZ-specific
> vps_dumpable policy the same coverage.
> 
> Fixes: 78d55d9548cd ("ve/mm/trace: introduce vps_dumpable flag")
> https://virtuozzo.atlassian.net/browse/VSTOR-131873
> 
> Feature: trace: prohibit tracing sensitive tasks from CT
> Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
> ---
>  kernel/ptrace.c | 18 ++++++++++++++----
>  1 file changed, 14 insertions(+), 4 deletions(-)
> 
> diff --git a/kernel/ptrace.c b/kernel/ptrace.c
> index 9af98cab94b8d..faf60bb8ae2c9 100644
> --- a/kernel/ptrace.c
> +++ b/kernel/ptrace.c
> @@ -276,6 +276,20 @@ static bool ptrace_has_cap(struct user_namespace *ns, unsigned int mode)
>  static bool task_still_dumpable(struct task_struct *task, unsigned int mode)
>  {
>  	struct mm_struct *mm = task->mm;
> +
> +	/*
> +	 * Inside a Container the vps_dumpable policy takes precedence over the
> +	 * generic dumpability check: a task is only inspectable if its mm is
> +	 * marked VD_PTRACE_COREDUMP. A task with no mm - either a dying task
> +	 * whose mm was already dropped in exit_mm() or a kernel thread - cannot
> +	 * have its vps_dumpable confirmed, so deny it. This closes the window
> +	 * where a dying CT task could be inspected (e.g. an fd stolen via
> +	 * pidfd_getfd()) after exit_mm() cleared ->mm.
> +	 */
> +	if (!ve_is_super(get_exec_env()) &&
> +	    (!mm || mm->vps_dumpable != VD_PTRACE_COREDUMP))
> +		return false;
> +
>  	if (mm) {
>  		if (get_dumpable(mm) == SUID_DUMP_USER)
>  			return true;
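Review bot: the new test ignores the `mode` argument that task_still_dumpable() receives, so inside a Container it denies every access mode, including PTRACE_MODE_READ requests that come from /proc readers, not only PTRACE_MODE_ATTACH-style inspection such as ptrace and pidfd_getfd() that the changelog describes; if that is intended, say so in the comment block (and the changelog), and if read-only access to no-mm tasks should keep working, gate the `!mm` half on the mode. Also worth stating explicitly in the comment that this check runs before the generic get_dumpable()/SUID_DUMP_USER path below it, so the Container policy wins regardless of the generic result.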
> @@ -354,10 +368,6 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
>  	if (!task_still_dumpable(task, mode))
>  		return -EPERM;
>  
> -	if (task->mm && (task->mm->vps_dumpable != VD_PTRACE_COREDUMP) &&
> -	    !ve_is_super(get_exec_env()))
> -		return -EPERM;
> -
>  	return security_ptrace_access_check(task, mode);
>  }
>  
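Review bot: with the vps_dumpable test removed from this function, nothing in __ptrace_may_access() indicates that the Container policy is now enforced inside task_still_dumpable(); a one-line comment above `if (!task_still_dumpable(task, mode))`, e.g. `/* also enforces the VZ vps_dumpable policy, see task_still_dumpable() */`, would keep that discoverable for anyone searching this function for the old check. The removal itself is equivalent for tasks that still have an mm, as the changelog states.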

-- 
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.
