Reviewed-by: Pavel Tikhomirov <[email protected]>
On 08.06.2021 19:31, Konstantin Khorenko wrote:
The patchset ports ve_trusted_exec functionality from VZ7.
The functionality is reworked and enhanced comparing to VZ7 version:
1. The challenge of porting it to VZ8 is that there is no
PLOOP_DEV_MAJOR anymore, which was an important part of container
block device detection. Instead we have to implement vz_trusted_exec
flag in struct genhd.
2. The security check has been also added to mmap() to cover shared
libraries case.
https://jira.sw.ru/browse/PSBM-129741
Signed-off-by: Valeriy Vdovin <[email protected]>
Reviewed-by: Pavel Tikhomirov <[email protected]>
Reviewed-by: Konstantin Khorenko <[email protected]>
Pavel Tikhomirov (3):
trusted/ve/fs/exec: Don't allow a privileged user to execute untrusted
files
trusted/ve/fs/exec: Send SIGSEGV to a process trying to execute
untrusted files
trusted/ve/exec: Allow trusted exec change both on boot and on running
system
Valeriy Vdovin (2):
trusted/block: Added trusted flag to struct genhd
trusted/ve/mmap: Protect from unsecure library load from CT image
block/genhd.c | 39 ++++++++++++++++++++
fs/exec.c | 17 +++++++--
include/linux/genhd.h | 4 +++
include/linux/sysctl.h | 1 +
include/linux/ve.h | 2 ++
kernel/sysctl.c | 16 +++++++++
kernel/ve/ve.c | 82 ++++++++++++++++++++++++++++++++++++++++++
mm/util.c | 5 +++
8 files changed, 164 insertions(+), 2 deletions(-)
--
Best regards, Tikhomirov Pavel
Software Developer, Virtuozzo.
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
