
On 04.10.19 14:13, Paolo Bonzini wrote:
On 04/10/19 14:03, Christian Borntraeger wrote:
Stefano, Paolo,
I have an interesting fail in QEMU
2019-10-04T12:00:32.675188Z qemu-system-s390x: GLib: g_mapped_file_unref: assertion 'file != NULL' failed

that bisected to

commit 816b9fe450220e19acb91a0ce4a8ade7000648d1 (refs/bisect/bad)
    elf-ops.h: Map into memory the ELF to load
strace tells that I can read the ELF file, but not mmap

strace:
214365 openat(AT_FDCWD, "/var/lib/libvirt/images/test_cpu_timer.elf", O_RDONLY) = 36
214365 read(46, "\177ELF\2\2\1\0\0\0\0\0\0\0\0\0", 16) = 16
214365 lseek(46, 0, SEEK_SET) = 0
[...]
214365 fstat(46, {st_mode=S_IFREG|0755, st_size=168176, ...}) = 0
214365 mmap(NULL, 168176, PROT_READ|PROT_WRITE, MAP_PRIVATE, 46, 0) = -1 EACCES (Permission denied)
So reading from /var/lib/libvirt/images/test_cpu_timer.elf does work, mmapping does not. setenforce 0 makes the problem go away.
This might be more of an issue in libvirt, setting the svirt context too restrictive, but I am not too deep into the svirt part of libvirt. Reverting the qemu commit makes the problem go away.
Yes, the policy is too restrictive in my opinion.
Can you include the output of "audit2allow" and/or "audit2allow -R"?
Thanks,
Paolo
require {
	type unconfined_t;
	type virt_content_t;
	type svirt_t;
	type systemd_tmpfiles_t;
	type user_home_t;
	type NetworkManager_t;
	class file { entrypoint execute ioctl lock map open read write };
	class bpf prog_run;
}

#============= svirt_t ==============
allow svirt_t user_home_t:file { entrypoint execute ioctl lock open read write };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow svirt_t virt_content_t:file map;
corecmd_bin_entry_type(svirt_t)
userdom_manage_user_home_content_dirs(svirt_t)
userdom_map_user_home_files(svirt_t)
virt_rw_svirt_image(svirt_t)

#============= systemd_tmpfiles_t ==============
kernel_read_usermodehelper_state(systemd_tmpfiles_t)

#============= unconfined_t ==============
allow unconfined_t NetworkManager_t:bpf prog_run;
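
A loader can tolerate the situation in the strace output above, where read() succeeds but mmap() returns EACCES, by falling back to a read() copy and by never releasing a mapping that was not created. This is an added example, not QEMU or libvirt code and not part of the original messages; load_image, release_image and the map_flags parameter are hypothetical names.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not QEMU code): returns the file contents or NULL.
 * *mapped records whether the buffer came from mmap() or malloc(). */
static void *load_image(const char *path, int map_flags, size_t *len, int *mapped)
{
    struct stat st;
    void *buf = NULL;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return NULL;
    if (fstat(fd, &st) < 0 || st.st_size <= 0)
        goto out;
    *len = (size_t)st.st_size;
    buf = mmap(NULL, *len, PROT_READ | PROT_WRITE, map_flags, fd, 0);
    *mapped = (buf != MAP_FAILED);
    if (*mapped)
        goto out;
    buf = NULL;
    if (errno != EACCES)      /* only a denied mapping gets the read() fallback */
        goto out;
    buf = malloc(*len);
    for (size_t off = 0; buf && off < *len; ) {
        ssize_t n = read(fd, (char *)buf + off, *len - off);
        if (n <= 0) {         /* error or short file: drop the partial copy */
            free(buf);
            buf = NULL;
        } else {
            off += (size_t)n;
        }
    }
out:
    close(fd);
    return buf;
}

/* Release with the call matching how the image was obtained; NULL is a no-op. */
static void release_image(void *buf, size_t len, int mapped)
{
    if (buf && mapped)
        munmap(buf, len);
    else if (buf)
        free(buf);
}
```

Passing MAP_SHARED for map_flags makes the kernel refuse the writable mapping of the read-only descriptor with EACCES, which exercises the fallback path on a host without SELinux.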