From: Pavel Tikhomirov <[email protected]>

By default the protection from "untrusted" binaries execution by VE0 processes is enabled.

The protection can be disabled via
* setting "trusted_exec" kernel boot option
* setting "fs.trusted_exec" sysctl to "1"

If the protection is disabled, "vz_trusted_exec" disk device attribute value is ignored, the execution is allowed.

https://jira.sw.ru/browse/PSBM-98702

Signed-off-by: Pavel Tikhomirov <[email protected]>
Acked-by: Konstantin Khorenko <[email protected]>

https://jira.sw.ru/browse/PSBM-129741

Cherry-picked from vz7 commit dccfe19f93c4 ("ve/exec: allow trusted exec change both on boot and on running system")

Signed-off-by: Valeriy Vdovin <[email protected]>
Reviewed-by: Pavel Tikhomirov <[email protected]>
Reviewed-by: Konstantin Khorenko <[email protected]>
---
 fs/exec.c              |  1 +
 include/linux/sysctl.h |  1 +
 kernel/sysctl.c        | 16 ++++++++++++++++
 kernel/ve/ve.c         |  3 +++
 4 files changed, 21 insertions(+)

diff --git a/fs/exec.c b/fs/exec.c
index 0f4c741e19db..ff1dc9b40a2e 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -62,6 +62,7 @@
 #include <linux/oom.h>
 #include <linux/compat.h>
 #include <linux/vmalloc.h>
+#include <linux/sysctl.h>
 #include <linux/ve.h>
 #include <linux/uaccess.h>
diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
index 4062812efc27..4e7aba846214 100644
--- a/include/linux/sysctl.h
+++ b/include/linux/sysctl.h
@@ -197,6 +197,7 @@ struct ctl_path {
 };
 extern int ve_allow_module_load;
+extern int trusted_exec;
 #ifdef CONFIG_SYSCTL
diff --git a/kernel/sysctl.c b/kernel/sysctl.c
index 228dfb6d7609..7ec1f1e99431 100644
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -119,6 +119,13 @@ extern int sysctl_nr_trim_pages;
 int ve_allow_module_load = 1;
 EXPORT_SYMBOL(ve_allow_module_load);
+int trusted_exec;
+static int __init set_trusted_exec(char *str)
+{
+	trusted_exec = 1;
+	return 1;
+}
+__setup("trusted_exec", set_trusted_exec);
 /* Constants used for minimum and maximum */
 #ifdef CONFIG_LOCKUP_DETECTOR
@@ -1979,6 +1986,15 @@ static struct ctl_table fs_table[] = {
 		.proc_handler	= proc_dointvec_minmax,
 		.extra1		= SYSCTL_ONE,
 	},
+	{
+		.procname	= "trusted_exec",
+		.data		= &trusted_exec,
+		.maxlen		= sizeof(int),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec_minmax,
+		.extra1		= &zero,
+		.extra2		= &one,
+	},
 	{ }
 };
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index feb25ed2ecda..ed46584ac871 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1788,6 +1788,9 @@ static bool ve_check_trusted_file(struct file *file)
 	bool exec_from_ct = !ve_is_super(get_exec_env());
 	bool file_on_trusted_disk = true;
+	if (trusted_exec)
+		return true;
+
 	if (exec_from_ct)
 		return true;
-- 
2.28.0

_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel
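Review bot: The new `#include <linux/sysctl.h>` in fs/exec.c has no user in this patch — no other hunk touches fs/exec.c, and the only reader of `trusted_exec` is ve_check_trusted_file() in kernel/ve/ve.c. Either the include belongs in kernel/ve/ve.c (unless that file already reaches the `extern int trusted_exec;` declaration transitively, which this diff does not show) or it is a leftover from the vz7 commit this was picked from. Presumably harmless, but it should be dropped or moved so the declaration is pulled in next to its consumer rather than into an unrelated hot file.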
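Review bot: `extern int trusted_exec;` is a kernel-wide symbol whose value has inverted meaning — non-zero *disables* the untrusted-exec protection for VE0 — and the bare declaration gives a reader no way to tell that. A one-line comment at the declaration would prevent the obvious misreading: `extern int trusted_exec; /* non-zero: skip the VE0 vz_trusted_exec check (fs.trusted_exec / "trusted_exec" boot option) */`. A name such as `trusted_exec_disabled` would be clearer still, since only the sysctl's `.procname`, not the C identifier, is user-visible.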
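Review bot: set_trusted_exec() ignores its `str` argument, so any command-line token that begins with `trusted_exec` — including `trusted_exec=0` or `trusted_exec=off`, which an operator would read as keeping the protection on — unconditionally sets `trusted_exec = 1` and turns the check off (with `__setup("trusted_exec", …)` the remainder of the token is what arrives in `str`). The handler should parse an optional `=value` and refuse anything else, so that only a bare `trusted_exec` or an explicit true value disables the protection. The sketch below uses kstrtobool(), assuming it is available in this tree; the bare-word form keeps exactly the behaviour the commit message documents, and an unparseable token is left unhandled rather than silently weakening the host.
```c
int trusted_exec;
static int __init set_trusted_exec(char *str)
{
	bool on = true;

	/* Bare "trusted_exec" means on; "trusted_exec=<bool>" is parsed. */
	if (str && *str) {
		if (*str != '=' || kstrtobool(str + 1, &on))
			return 0;
	}
	trusted_exec = on;
	return 1;
}
__setup("trusted_exec", set_trusted_exec);
```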
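Review bot: The new fs_table entry writes `.extra1 = &zero` / `.extra2 = &one` and `.proc_handler = &proc_dointvec_minmax`, while the entry immediately above it in the same hunk uses `.extra1 = SYSCTL_ONE` and `.proc_handler = proc_dointvec_minmax`; the two styles should not sit side by side in one table. Using the shared constants — `.extra1 = SYSCTL_ZERO,` / `.extra2 = SYSCTL_ONE,` — and dropping the `&` on the handler matches the neighbouring entry (this assumes SYSCTL_ZERO exists alongside the SYSCTL_ONE visible here). The `0644` mode is fine for a root-only host knob, but note that it exposes a global, not per-VE, switch. fs_table's definition starts before this hunk.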
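Review bot: The `if (trusted_exec) return true;` bypass is evaluated before the `exec_from_ct` check, so one host-wide integer switches the vz_trusted_exec disk check off for every VE0 exec; the patch should guarantee that integer cannot be flipped by a container's root through /proc/sys/fs/trusted_exec, since the sysctl is registered in the global fs_table with mode 0644 and whatever VE-side filtering applies to that table is not visible in this diff. The early return also deserves a why-comment so the inverted meaning is not lost on readers: `/* Host-wide kill switch (fs.trusted_exec or "trusted_exec" on the command line): skip the trusted-disk check entirely. */`. Because taking this path silently weakens the host, a one-time notice when the bypass is active (e.g. `pr_notice_once()` here, or in the sysctl/boot handler) would make the state visible in logs. ve_check_trusted_file() continues past the end of this hunk.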
