From patchwork Wed Sep 25 10:48:04 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [RH7, 2/2] ve: don't allow a privileged user to execute untrusted files
From: Pavel Tikhomirov
X-Patchwork-Id: 11344
Message-Id: <20190925104804.8615-1-ptikhomirov@virtuozzo.com>
To: Konstantin Khorenko
Cc: devel@openvz.org
Date: Wed, 25 Sep 2019 13:48:04 +0300

If we run some binary (exploit) from a CT on the host, it can easily give a user in this CT the ability to do anything on the host by sending commands through a unix socket to the exploit. Such an exploit can mimic bash, ip, systemd, ping or some other "trusted" utility.

I've tested with this patch that we don't call from VE0 any binaries from CT-fs on start, stop, enter, suspend, resume or migration. But to be on the safe side, so that in future we don't become affected, let's prohibit running any binary from ploop disks if the caller is from VE0.

Also we protect the admins of our customers from unintentionally calling such an exploit:

  [root@kuchy ~]# strace -e trace=execve /vz/root/58a2c524-b486-42c8-849b-c659bf165a91/bin/ls
  execve("/vz/root/58a2c524-b486-42c8-849b-c659bf165a91/bin/ls", ["/vz/root/58a2c524-b486-42c8-849b"...], [/* 27 vars */]) = -1 EACCES (Permission denied)
  strace: exec: Permission denied
  +++ exited with 1 +++

After adding a warning, it was hit on CT migration:

  [root@kuchy ~]# prlctl migrate test taveren.qa.sw.ru
  ...
  [root@kuchy ~]# dmesg | grep "VE0 tried to execute untrusted file"
  [ 97.086543] The process nsenter from VE0 tried to execute untrusted file /bin/readlink from VEX

v2: add warning

Signed-off-by: Pavel Tikhomirov
---
 fs/exec.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c index a5eb08ecc9ec..15601e69c261 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -57,6 +57,7 @@ #include #include #include +#include #include 
@@ -848,6 +849,19 @@ static struct file *do_open_exec(struct filename *name) if (path_noexec(&file->f_path)) goto exit; + /* + * We don't want a VE0-privileged user intentionaly or by mistake + * to execute files of container, these files are untrusted. + */ + if (ve_is_super(get_exec_env())) { + struct block_device *bdev = file->f_inode->i_sb->s_bdev; + if (bdev && bdev->bd_disk->major == PLOOP_DEVICE_MAJOR) { + WARN_ONCE(1, "The process %s from VE0 tried to execute untrusted file %s from VEX\n", + current->comm, name->name); + goto exit; + } + } + fsnotify_open(file); err = deny_write_access(file);
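Review bot: the added `+#include` line in the first hunk (@@ -57,6 +57,7 @@) carries no header name as rendered here, so the patch as shown does not let a reviewer confirm that it is the include which defines PLOOP_DEVICE_MAJOR used by the second hunk; please double-check that the new include is the ploop header providing that macro, since fs/exec.c will fail to build otherwise.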
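Review bot: WARN_ONCE in the new block of the second hunk reports only the first denied exec after boot, so later attempts by VE0 processes are refused silently, which works against the stated goal of letting admins notice an unintentional call (the commit message's own dmesg line came from exactly one such hit); a rate-limited message such as pr_warn_ratelimited() with the same "%s ... %s" text would log each offending process and file while still bounding log volume, and it avoids the full stack-trace splat that WARN_ONCE emits for what is a policy decision, not a kernel bug. Two smaller points: the block relies on `err` still holding the value set before the path_noexec() check when it does `goto exit` (which is why the caller sees EACCES, as the strace output shows), so a one-line comment saying the errno is inherited from the checks above would make that dependency explicit rather than implicit in the placement; and the check covers only the execve open path for files on ploop-backed filesystems, so the commit message's "prohibit running any binary from ploop disks" should be stated with that scope, and the comment's "intentionaly" should read "intentionally".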