From: Paolo Bonzini <pbonzini@redhat.com>
To: Christian Borntraeger <borntraeger@de.ibm.com>,
Stefano Garzarella <sgarzare@redhat.com>,
qemu-devel <qemu-devel@nongnu.org>,
Libvirt <libvir-list@redhat.com>,
Marc Hartmayer <mhartmay@linux.ibm.com>,
Claudio Imbrenda <imbrenda@linux.ibm.com>
Subject: Re: libvirt? qemu change that mmaps ELF files breaks libvirt svirt handling for os.kernel
Date: Fri, 4 Oct 2019 14:13:12 +0200 [thread overview]
Message-ID: <1dc0a320-b771-072d-d1f4-4eda2ab51a1f@redhat.com> (raw)
In-Reply-To: <d450afbe-06ae-f6f7-3bc0-f1a54c31907c@de.ibm.com>
On 04/10/19 14:03, Christian Borntraeger wrote:
> Stefano, Paolo,
>
> I have an interesting fail in QEMU
>
> 2019-10-04T12:00:32.675188Z qemu-system-s390x: GLib: g_mapped_file_unref: assertion 'file != NULL' failed
> that bisected to
> commit 816b9fe450220e19acb91a0ce4a8ade7000648d1 (refs/bisect/bad)
> elf-ops.h: Map into memory the ELF to load
>
> strace tells that I can read the ELF file, but not mmap
> strace:
> 214365 openat(AT_FDCWD, "/var/lib/libvirt/images/test_cpu_timer.elf", O_RDONLY) = 36
> 214365 read(46, "\177ELF\2\2\1\0\0\0\0\0\0\0\0\0", 16) = 16
> 214365 lseek(46, 0, SEEK_SET) = 0
> [...]
> 214365 fstat(46, {st_mode=S_IFREG|0755, st_size=168176, ...}) = 0
> 214365 mmap(NULL, 168176, PROT_READ|PROT_WRITE, MAP_PRIVATE, 46, 0) = -1 EACCES (Permission denied)
>
> So reading from /var/lib/libvirt/images/test_cpu_timer.elf does work, mmaping does not.
> setenforce 0 makes the problem go away.
>
> This might be more of an issue in libvirt, setting the svirt context too
> restrictive, but I am not too deep into the svirt part of libvirt.
> Reverting the qemu commit makes the problem go away.
Yes, the policy is too restrictive in my opinion.
Can you include the output of "audit2allow" and/or "audit2allow -R"?
Thanks,
Paolo
next prev parent reply other threads:[~2019-10-04 12:17 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-04 12:03 libvirt? qemu change that mmaps ELF files breaks libvirt svirt handling for os.kernel Christian Borntraeger
2019-10-04 12:13 ` Paolo Bonzini [this message]
2019-10-04 12:18 ` Christian Borntraeger
2019-10-04 12:36 ` Daniel P. Berrangé
2019-10-04 12:47 ` Christian Borntraeger
2019-10-04 16:41 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1dc0a320-b771-072d-d1f4-4eda2ab51a1f@redhat.com \
--to=pbonzini@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=imbrenda@linux.ibm.com \
--cc=libvir-list@redhat.com \
--cc=mhartmay@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=sgarzare@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.