Commits
Pavel Tikhomirov authored and Konstantin Khorenko committed d85a5b7c31b
ve/fs/exec: don't allow a privileged user to execute untrusted files

If we run some binary (exploit) from CT on host, it can easily give a user in this CT an ability to do anything on host by sending commands through a unix socket to the exploit. Such an exploit can mimic bash, ip, systemd, ping or some other "trusted" utility.

I've tested with this patch that we don't call from VE0 any binaries from CT-fs on start, stop, enter, suspend, resume or migration. But to be on the safe side, so that in future we don't become affected, let's prohibit running any binary from ploop disks and from CT mounts if the caller is from VE0.

Also we protect admins of our customers from unintentionally calling such an exploit:

    [root@kuchy ~]# strace -e trace=execve /vz/root/58a2c524-b486-42c8-849b-c659bf165a91/bin/ls
    execve("/vz/root/58a2c524-b486-42c8-849b-c659bf165a91/bin/ls", ["/vz/root/58a2c524-b486-42c8-849b"...], [/* 27 vars */]) = -1 EACCES (Permission denied)
    strace: exec: Permission denied
    +++ exited with 1 +++

We need the same check in sys_uselib, as a process from host can also try to load a shared library from a file in CT's ploop, which cannot be trusted either.

https://jira.sw.ru/browse/PSBM-98094

Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Acked-by: Konstantin Khorenko <khorenko@virtuozzo.com>