[rh7,6/8] proc/pid: Don't show kernel threads inside Containers

Submitted by Konstantin Khorenko on Feb. 21, 2020, 4:07 p.m.


Message ID 20200221160731.16888-7-khorenko@virtuozzo.com
State New
Series "enable running Kubernetes inside a Container"

Commit Message

Konstantin Khorenko Feb. 21, 2020, 4:07 p.m.
We have our home-brew security defence feature against ptrace-ing
processes that entered a Container from outside.
It's based on the "vps_dumpable" field of task->mm and is checked in
__ptrace_may_access() in particular.
The same function __ptrace_may_access() is used when someone tries to
readlink /proc/$PID/ns/$SOMENS and gets -EPERM for kthreads because they
lack task->mm and thus the "vps_dumpable" field, and we really would like
people not to ptrace kernel threads from inside a Container.

We might enhance the security check, but decided just to make Container
kernel threads invisible (from inside a Container only, of course).

https://jira.sw.ru/browse/PSBM-92107

Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 fs/proc/base.c | 4 ++++
 1 file changed, 4 insertions(+)


diff --git a/fs/proc/base.c b/fs/proc/base.c
index dbf5a84b604f3..c5d316ae5631d 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -907,6 +907,10 @@  static bool is_visible_task(struct pid_namespace *ns, struct task_struct *tsk)
 		return false;
 	if (!has_pid_permissions(ns, tsk, 2))
 		return false;
+
+	/* Don't show kthreads inside Containers. */
+	if (!tsk->mm && !ve_is_super(get_exec_env()))
+		return false;
 	return true;
 }
 
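Review bot: the new condition in is_visible_task() uses `!tsk->mm` as a stand-in for "this is a kernel thread", but a NULL mm is not a reliable marker: a user task also has a NULL mm once it has released its address space during exit, so such tasks would drop out of the Container's /proc listing, while a kernel thread that has temporarily adopted a user mm would remain visible. The flag the kernel sets on kernel threads is PF_KTHREAD, so `if ((tsk->flags & PF_KTHREAD) && !ve_is_super(get_exec_env()))` states the intent directly. Worth spelling out in the commit message as well: is_visible_task() only filters directory enumeration, so this hides kthreads from listings rather than restricting access to them; the __ptrace_may_access() path named in the description stays the actual enforcement point, and the result of a direct lookup of a kthread's pid under /proc should be confirmed.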

Comments

Kirill Tkhai Feb. 25, 2020, 8:26 a.m.
On 21.02.2020 19:07, Konstantin Khorenko wrote:
> We have our home-brew security defence feature against ptrace-ing
> processes that entered a Container from outside.
> It's based on the "vps_dumpable" field of task->mm and is checked in
> __ptrace_may_access() in particular.
> The same function __ptrace_may_access() is used when someone tries to
> readlink /proc/$PID/ns/$SOMENS and gets -EPERM for kthreads because they
> lack task->mm and thus the "vps_dumpable" field, and we really would like
> people not to ptrace kernel threads from inside a Container.
> 
> We might enhance the security check, but decided just to make Container
> kernel threads invisible (from inside a Container only, of course).
> 
> https://jira.sw.ru/browse/PSBM-92107
> 
> Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
> ---
>  fs/proc/base.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/fs/proc/base.c b/fs/proc/base.c
> index dbf5a84b604f3..c5d316ae5631d 100644
> --- a/fs/proc/base.c
> +++ b/fs/proc/base.c
> @@ -907,6 +907,10 @@ static bool is_visible_task(struct pid_namespace *ns, struct task_struct *tsk)
>  		return false;
>  	if (!has_pid_permissions(ns, tsk, 2))
>  		return false;
> +
> +	/* Don't show kthreads inside Containers. */
> +	if (!tsk->mm && !ve_is_super(get_exec_env()))

Since kernel threads can have an mm, I'd use !(tsk->flags & PF_KTHREAD) here instead.

> +		return false;
>  	return true;
>  }

This is_visible_task() is used in proc_pid_readdir() only. I suspect it is still possible
to dereference a kernel thread via ls /proc/2/ (direct lookup of a specific pid). Could you
please check this?

Kirill