ve_check_trusted_exec()/ve_check_trusted_mmap() fire WARN(1, ...) when a
process tries to exec/mmap a container (VEX) file it is not allowed to.
That path is triggerable by unprivileged container activity, so it taints
the kernel, emits a full backtrace and, under panic_on_warn, lets a
container DoS the host. The condition is an expected, handled policy
denial (the caller is SIGSEGV'd and false returned), not a kernel bug.

The block is already rate-limited via sigsegv_rs; keep the diagnostic and
the SIGSEGV but downgrade WARN() to pr_warn() so it no longer taints or
backtraces.

Fixes: aa60c6194cfd ("trusted/ve/mmap: Protect from unsecure library load from 
CT image")
Fixes: 2ae1bae0bd95 ("trusted/ve/fs/exec: Send SIGSEGV to a process trying to 
execute untrusted files")
Feature: security/fs: tructed exec feature
https://virtuozzo.atlassian.net/browse/VSTOR-137234
Signed-off-by: Konstantin Khorenko <[email protected]>
---
 kernel/ve/ve.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index e58ffb22da87..550fac57436b 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1739,8 +1739,8 @@ bool ve_check_trusted_mmap(struct file *file)
        if (file->f_path.dentry)
                filename = file->f_path.dentry->d_name.name;
 
-       WARN(1, "VE0 %s tried to map code from file '%s' from VEX\n",
-                       current->comm, filename);
+       pr_warn("VE0 %s tried to map code from file '%s' from VEX\n",
+               current->comm, filename);
        force_sigsegv(SIGSEGV);
        return false;
 }
@@ -1759,7 +1759,7 @@ bool ve_check_trusted_exec(struct file *file, struct 
filename *name)
        if (!__ratelimit(&sigsegv_rs))
                return false;
 
-       WARN(1, "VE0's %s tried to execute untrusted file %s from VEX\n",
+       pr_warn("VE0's %s tried to execute untrusted file %s from VEX\n",
                current->comm, name->name);
        force_sigsegv(SIGSEGV);
        return false;
-- 
2.47.1

_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel

Reply via email to