ve_check_trusted_exec()/ve_check_trusted_mmap() fire WARN(1, ...) when a
process tries to exec/mmap a container (VEX) file it is not allowed to.
That path is triggerable by unprivileged container activity, so it taints
the kernel, emits a full backtrace and, under panic_on_warn, lets a
container DoS the host. The condition is an expected, handled policy
denial (the caller is SIGSEGV'd and false returned), not a kernel bug.
The block is already rate-limited via sigsegv_rs; keep the diagnostic and
the SIGSEGV but downgrade WARN() to pr_warn() so it no longer taints or
backtraces.
Fixes: aa60c6194cfd ("trusted/ve/mmap: Protect from unsecure library load from
CT image")
Fixes: 2ae1bae0bd95 ("trusted/ve/fs/exec: Send SIGSEGV to a process trying to
execute untrusted files")
Feature: security/fs: tructed exec feature
https://virtuozzo.atlassian.net/browse/VSTOR-137234
Signed-off-by: Konstantin Khorenko <[email protected]>
---
kernel/ve/ve.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index e58ffb22da87..550fac57436b 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -1739,8 +1739,8 @@ bool ve_check_trusted_mmap(struct file *file)
if (file->f_path.dentry)
filename = file->f_path.dentry->d_name.name;
- WARN(1, "VE0 %s tried to map code from file '%s' from VEX\n",
- current->comm, filename);
+ pr_warn("VE0 %s tried to map code from file '%s' from VEX\n",
+ current->comm, filename);
force_sigsegv(SIGSEGV);
return false;
}
@@ -1759,7 +1759,7 @@ bool ve_check_trusted_exec(struct file *file, struct
filename *name)
if (!__ratelimit(&sigsegv_rs))
return false;
- WARN(1, "VE0's %s tried to execute untrusted file %s from VEX\n",
+ pr_warn("VE0's %s tried to execute untrusted file %s from VEX\n",
current->comm, name->name);
force_sigsegv(SIGSEGV);
return false;
--
2.47.1
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel