The commit is pushed to "branch-rh9-5.14.vz9.1.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git after ark-5.14
------>
commit 2efe76c734eb009a64e57a4b677331758a7f0504
Author: Pavel Tikhomirov <ptikhomi...@virtuozzo.com>
Date: Tue Oct 12 16:18:21 2021 +0300
ve: prohibit opening proc/self/exe from VE for VD_VE_ENTER_TASK The task having task->mm->vps_dumpable == VD_VE_ENTER_TASK is a task which entered container's ve cgroup and not yet called exec until: sys_execve do_execve do_execve_common [1] exec_binprm search_binary_handler load_elf_binary flush_old_exec exec_mmap <- here So after the patch the task which entered the container will not be able to exec on /proc/self/exe as trying to do_open_exec() on it we will see VD_VE_ENTER_TASK and fail the check in: do_execve_common [1] do_open_exec do_filp_open path_openat proc_pid_follow_link proc_exe_link Note: if we try to exec self via /proc/self/exe, do_execve_common()->...-> proc_exe_link() is done before exec_mmap() which updates .vps_dumpable. After task called exec on some other binary inside the VE it would be able to exec on /proc/self/exe (e.g. docker/runc needs these) as it become VD_PTRACE_COREDUMP. That is safe as the link already points on the file inside the VE. Need to revert 44d26f1f3dcd ("proc/self/exe link validation") https://jira.sw.ru/browse/PSBM-91689 https://jira.sw.ru/browse/PSBM-91042 Signed-off-by: Pavel Tikhomirov <ptikhomi...@virtuozzo.com> Reviewed-by: Vasily Averin <v...@virtuozzo.com> vvs@: here we don't check if current == task and this is fine: if current tries to open exe file of another task with vps_dumpable = VD_VE_ENTER_TASK, it should be blocked on fd open because of vps_dumpable check and we will not reach proc_exe_link() anyway. khorenko@: check for ve_is_super() is required here to allow /proc/pid/exe link examination if we debug process entered the CT from the host. (cherry-picked from vz7 commit 942ebd0c9cc8 ("ve: prohibit opening proc/self/exe from VE for VD_VE_ENTER_TASK")) Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com> --- fs/proc/base.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/fs/proc/base.c b/fs/proc/base.c index 550866ddf55e..a02acdaa3ca5 100644 --- a/fs/proc/base.c 
+++ b/fs/proc/base.c @@ -1738,6 +1738,17 @@ static int proc_exe_link(struct dentry *dentry, struct path *exe_path) task = get_proc_task(d_inode(dentry)); if (!task) return -ENOENT; + + if (!ve_is_super(get_exec_env())) { + task_lock(task); + if (task->mm && task->mm->vps_dumpable == VD_VE_ENTER_TASK) { + task_unlock(task); + put_task_struct(task); + return -EPERM; + } + task_unlock(task); + } + exe_file = get_task_exe_file(task); put_task_struct(task); if (exe_file) { _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
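Review bot: the new block in proc_exe_link() carries no comment explaining why a task with vps_dumpable == VD_VE_ENTER_TASK gets -EPERM from inside a VE, so a reader of fs/proc/base.c has to dig up this commit message to learn that the link may still point at a host binary until the entered task execs; a two-line comment above `if (!ve_is_super(get_exec_env())) {` stating that (and the point from the review that current == task is deliberately not checked, since opening another task's exe fd is already blocked by the vps_dumpable check) would make the intent self-contained. The locking and reference handling look right: task->mm is read under task_lock(), and the -EPERM path drops the lock and the task reference before returning. Separately, the message says 44d26f1f3dcd ("proc/self/exe link validation") needs to be reverted, but the diffstat shows only 11 insertions to fs/proc/base.c, so that revert is not part of this patch and should be called out as a separate commit or the sentence dropped.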