The patchset ports ve_trusted_exec functionality from VZ7.

The functionality is reworked and enhanced compared to the VZ7 version:

 1. The challenge of porting it to VZ8 is that there is no
    PLOOP_DEV_MAJOR anymore, which was an important part of container
    block device detection. Instead, we have to implement a
    vz_trusted_exec flag in struct genhd.

 2. The security check has also been added to mmap() to cover the
    shared libraries case.

Note: this version of the patchset does not cover untrusted binaries
execution protection for files which reside on mounts done from inside a
Container. This is to be addressed by later patches.

https://jira.sw.ru/browse/PSBM-129741

Signed-off-by: Valeriy Vdovin <[email protected]>
Reviewed-by: Pavel Tikhomirov <[email protected]>
Reviewed-by: Konstantin Khorenko <[email protected]>

Pavel Tikhomirov (3):
  trusted/ve/fs/exec: Don't allow a privileged user to execute untrusted
    files
  trusted/ve/fs/exec: Send SIGSEGV to a process trying to execute
    untrusted files
  trusted/ve/exec: Allow trusted exec change both on boot and on running
    system

Valeriy Vdovin (2):
  trusted/block: Added trusted flag to struct genhd
  trusted/ve/mmap: Protect from unsecure library load from CT image

 block/genhd.c          | 39 ++++++++++++++++++++++++
 fs/exec.c              | 17 +++++++++--
 include/linux/genhd.h  |  4 +++
 include/linux/sysctl.h |  1 +
 include/linux/ve.h     |  2 ++
 kernel/sysctl.c        | 16 ++++++++++
 kernel/ve/ve.c         | 67 ++++++++++++++++++++++++++++++++++++++++++
 mm/util.c              |  5 ++++
 8 files changed, 149 insertions(+), 2 deletions(-)

-- 
2.28.0
