Re: libvirt? qemu change that mmaps ELF files breaks libvirt svirt handl
From: Paolo Bonzini
Subject: Re: libvirt? qemu change that mmaps ELF files breaks libvirt svirt handling for os.kernel
Date: Fri, 4 Oct 2019 14:13:12 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0

On 04/10/19 14:03, Christian Borntraeger wrote:
> Stefano, Paolo,
>
> I have an interesting fail in QEMU
>
> 2019-10-04T12:00:32.675188Z qemu-system-s390x: GLib: g_mapped_file_unref:
> assertion 'file != NULL' failed
> that bisected to
> commit 816b9fe450220e19acb91a0ce4a8ade7000648d1 (refs/bisect/bad)
> elf-ops.h: Map into memory the ELF to load
>
> strace tells that I can read the ELF file, but not mmap
> strace:
> 214365 openat(AT_FDCWD, "/var/lib/libvirt/images/test_cpu_timer.elf",
> O_RDONLY) = 36
> 214365 read(46, "\177ELF\2\2\1\0\0\0\0\0\0\0\0\0", 16) = 16
> 214365 lseek(46, 0, SEEK_SET) = 0
> [...]
> 214365 fstat(46, {st_mode=S_IFREG|0755, st_size=168176, ...}) = 0
> 214365 mmap(NULL, 168176, PROT_READ|PROT_WRITE, MAP_PRIVATE, 46, 0) = -1
> EACCES (Permission denied)
>
> So reading from /var/lib/libvirt/images/test_cpu_timer.elf does work, mmapping
> does not.
> setenforce 0 makes the problem go away.
>
> This might be more of an issue in libvirt, setting the svirt context too
> restrictive, but I am not too deep into the svirt part of libvirt.
> Reverting the qemu commit makes the problem go away.

Yes, the policy is too restrictive in my opinion.
Can you include the output of "audit2allow" and/or "audit2allow -R"?

Thanks,
Paolo
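
The condition in the strace above (read() on the image succeeds, mmap() of the same descriptor returns EACCES) is one a loader can survive by copying the file into heap memory instead of mapping it. The sketch below is an added example, not part of this thread and not QEMU or libvirt code; `struct image`, `image_load`, `image_free` and the `allow_mmap` switch are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical loader for illustration; not QEMU or libvirt code. */
struct image { void *data; size_t len; int mapped; };

/* Returns 0 or -errno. allow_mmap=0 is a test switch (assumption) that takes
 * the same branch as the EACCES from mmap() in the strace above. */
int image_load(const char *path, int allow_mmap, struct image *img)
{
    struct stat st;
    int fd = open(path, O_RDONLY), err = 0;
    memset(img, 0, sizeof(*img));
    if (fd < 0) return -errno;
    if (fstat(fd, &st) < 0) { err = -errno; goto out; }
    if (st.st_size <= 0) { err = -EINVAL; goto out; }
    img->len = (size_t)st.st_size;
    /* Same flags as the failing call: private, writable, file opened O_RDONLY. */
    img->data = allow_mmap ? mmap(NULL, img->len, PROT_READ | PROT_WRITE,
                                  MAP_PRIVATE, fd, 0) : MAP_FAILED;
    if (img->data != MAP_FAILED) { img->mapped = 1; goto out; }
    img->data = NULL;
    /* Only a permission denial triggers the fallback; other errors are real. */
    if (allow_mmap && errno != EACCES) { err = -errno; goto out; }
    /* Mapping denied but read() still permitted: copy into heap memory. */
    if (!(img->data = malloc(img->len))) { err = -ENOMEM; goto out; }
    for (size_t off = 0; off < img->len; ) {
        ssize_t n = read(fd, (char *)img->data + off, img->len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { err = n < 0 ? -errno : -EIO; break; }
        off += (size_t)n;
    }
    if (err) { free(img->data); img->data = NULL; }
out:
    close(fd);
    return err;
}

void image_free(struct image *img)
{
    if (img->mapped) munmap(img->data, img->len);
    else free(img->data);
    memset(img, 0, sizeof(*img));
}
```

Callers see the same `data`/`len` pair on both paths; `mapped` only records how the buffer must be released.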