[RH7,2/2] ve: don't allow a privileged user to execute untrusted files

Submitted by Pavel Tikhomirov on Sept. 25, 2019, 9:53 a.m.


Message ID 20190925095332.17201-2-ptikhomirov@virtuozzo.com
State New
Series "Series without cover letter"

Commit Message

Pavel Tikhomirov Sept. 25, 2019, 9:53 a.m.
If we run some binary (exploit) from a CT on the host, it can easily give a
user in this CT an ability to do anything on the host by sending commands
through a unix socket to the exploit. Such an exploit can mimic bash,
ip, systemd, ping or some other "trusted" utility.

I've tested with this patch that we don't call from VE0 any binaries
from CT-fs on start, stop, enter, suspend, resume or migration. But to
be on the safe side, so that in the future we don't become affected, let's
prohibit running any binary from ploop disks if the caller is from VE0.

Also we protect admins of our customers from unintentionally calling such
an exploit:

[root@kuchy ~]# strace -e trace=execve /vz/root/58a2c524-b486-42c8-849b-c659bf165a91/bin/ls
execve("/vz/root/58a2c524-b486-42c8-849b-c659bf165a91/bin/ls", ["/vz/root/58a2c524-b486-42c8-849b"...], [/* 27 vars */]) = -1 EACCES (Permission denied)
strace: exec: Permission denied
+++ exited with 1 +++

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
 fs/exec.c | 11 +++++++++++
 1 file changed, 11 insertions(+)


diff --git a/fs/exec.c b/fs/exec.c
index a5eb08ecc9ec..842b37bd54b2 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -57,6 +57,7 @@ 
 #include <linux/pipe_fs_i.h>
 #include <linux/oom.h>
 #include <linux/compat.h>
+#include <linux/ploop/ploop.h>
 #include <bc/vmpages.h>
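Review bot: the new `#include <linux/ploop/ploop.h>` pulls the ploop driver's header into core fs/exec.c for a single constant (PLOOP_DEVICE_MAJOR, used in the second hunk). Please confirm that fs/exec.c still builds in configurations where ploop is disabled or built as a module; if the header is not always available, wrap the include and the check in the corresponding Kconfig guard, or move the major number to a header that core code already depends on.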
@@ -848,6 +849,16 @@  static struct file *do_open_exec(struct filename *name)
 	if (path_noexec(&file->f_path))
 		goto exit;
+	/*
+	 * We don't want a VE0-privileged user intentionaly or by mistake
+	 * to execute files of container, these files are untrusted.
+	 */
+	if (ve_is_super(get_exec_env())) {
+		struct block_device *bdev = file->f_inode->i_sb->s_bdev;
+		if (bdev && bdev->bd_disk->major == PLOOP_DEVICE_MAJOR)
+			goto exit;
+	}
 	err = deny_write_access(file);
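Review bot: the check sits only in do_open_exec(), so it blocks execve(2) of a container file but not the two obvious ways the same untrusted code still reaches a VE0 process: running it through the host's dynamic loader (`/lib64/ld-linux-x86-64.so.2 /vz/root/<ct>/bin/ls`), or handing a container script to a host interpreter (`bash /vz/root/<ct>/some.sh`). Neither goes through this path, so the commit message's "prohibit running any binary from ploop disks" should be worded as an execve-only restriction, or the protection extended to mmap(PROT_EXEC) of such files. Two smaller points on the new block: set the error explicitly (`err = -EACCES;` before `goto exit;`) rather than relying on whatever value an earlier check left in `err`, since a later reorder of do_open_exec() would silently change the return code the strace in the commit message documents; and use `file_inode(file)` instead of `file->f_inode` to match kernel style. A ratelimited pr_warn naming the denied path would also help the admins this is meant to protect, who otherwise only see a bare "Permission denied". Typo in the comment: "intentionaly" should be "intentionally".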