From f01098bb86c12f485895f38f7a24170ec84b60b6 Mon Sep 17 00:00:00 2001
From: Greg Kurz <gkurz@redhat.com>
Date: Mon, 8 Jun 2020 16:25:21 -0400
Subject: [PATCH 42/42] vfio/nvlink: Remove exec permission to avoid SELinux
AVCs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
RH-Author: Greg Kurz <gkurz@redhat.com>
Message-id: <20200608162521.382858-2-gkurz@redhat.com>
Patchwork-id: 97459
O-Subject: [RHEL-8.3.0 qemu-kvm PATCH 1/1] vfio/nvlink: Remove exec permission to avoid SELinux AVCs
Bugzilla: 1823275
RH-Acked-by: David Gibson <dgibson@redhat.com>
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
From: Leonardo Bras <leobras.c@gmail.com>
If SELinux is setup without 'execmem' permission for qemu, all mmap
with (PROT_WRITE | PROT_EXEC) will fail and print a warning in
SELinux log.
If "nvlink2-mr" memory allocation fails (first diff), it will cause
guest NUMA nodes not to be configured correctly (V100 memory will
not be visible to the guest, nor will its NUMA nodes).

Not having 'execmem' permission is interesting for virtual machines to
avoid buffer-overflow based attacks, and it's adopted in distros
like RHEL.
So, removing the PROT_EXEC flag seems the right thing to do.
Browsing some other code that mmaps memory for usage with
memory_region_init_ram_device_ptr, I could notice it's usual to
not have PROT_EXEC (only PROT_READ | PROT_WRITE), so it should be
no problem around this.
Signed-off-by: Leonardo Bras <leobras.c@gmail.com>
Message-Id: <20200501055448.286518-1-leobras.c@gmail.com>
Acked-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
(cherry picked from commit 9c7c0407028355ca83349b8a60fddfad46f2ebd8)
Signed-off-by: Greg Kurz <groug@kaod.org>
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
---
hw/vfio/pci-quirks.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
|
||
|
index 4505ffe48a..1c5fe014cf 100644
|
||
|
--- a/hw/vfio/pci-quirks.c
|
||
|
+++ b/hw/vfio/pci-quirks.c
|
||
|
@@ -2237,7 +2237,7 @@ int vfio_pci_nvidia_v100_ram_init(VFIOPCIDevice *vdev, Error **errp)
|
||
|
}
|
||
|
cap = (void *) hdr;
|
||
|
|
||
|
- p = mmap(NULL, nv2reg->size, PROT_READ | PROT_WRITE | PROT_EXEC,
|
||
|
+ p = mmap(NULL, nv2reg->size, PROT_READ | PROT_WRITE,
|
||
|
MAP_SHARED, vdev->vbasedev.fd, nv2reg->offset);
|
||
|
if (p == MAP_FAILED) {
|
||
|
ret = -errno;
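Review bot: The new `mmap()` line gives no hint why PROT_EXEC is absent, so a later reader who sees guest-visible memory mapped read/write only may be tempted to add it back; put a one-line why-comment above the call, e.g. `/* No PROT_EXEC: a writable+executable mapping is denied by SELinux policy (bz 1823275) */`. The failure path is otherwise unchanged by this hunk: a denied mapping still lands in the `p == MAP_FAILED` branch and is reported through `ret = -errno`, so nothing silently continues with a bad pointer. One caveat for the wording of that comment: the commit message attributes the denial to the `execmem` permission, but for a MAP_SHARED mapping of a device file the denied permission may be the file `execute` check rather than `execmem`, so it is worth matching the comment to the actual AVC recorded in the bug. vfio_pci_nvidia_v100_ram_init starts and ends outside this hunk.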
|
||
|
@@ -2297,7 +2297,7 @@ int vfio_pci_nvlink2_init(VFIOPCIDevice *vdev, Error **errp)
|
||
|
|
||
|
/* Some NVLink bridges may not have assigned ATSD */
|
||
|
if (atsdreg->size) {
|
||
|
- p = mmap(NULL, atsdreg->size, PROT_READ | PROT_WRITE | PROT_EXEC,
|
||
|
+ p = mmap(NULL, atsdreg->size, PROT_READ | PROT_WRITE,
|
||
|
MAP_SHARED, vdev->vbasedev.fd, atsdreg->offset);
|
||
|
if (p == MAP_FAILED) {
|
||
|
ret = -errno;
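Review bot: This `mmap()` is a second copy of the V100 RAM mapping above (same protection flags, same `vdev->vbasedev.fd`, same `MAP_FAILED` / `ret = -errno` handling), and the patch had to touch both places precisely because the flags are duplicated; a small static helper would keep the flags, and the reason PROT_EXEC is omitted, in one spot. The types of the region's `size` and `offset` fields are not visible in this hunk, so match the helper's parameter types to whatever `atsdreg` and `nv2reg` declare. vfio_pci_nvlink2_init continues outside this hunk.
```c
/*
 * Map a vfio region for use as a ram_device memory region.
 * PROT_EXEC is deliberately not requested: a writable+executable
 * mapping is denied under the SELinux policy shipped by RHEL
 * (see bz 1823275), and the other ram_device mappings in QEMU
 * use PROT_READ | PROT_WRITE only.
 */
static void *vfio_nvlink_mmap_region(VFIOPCIDevice *vdev,
                                     uint64_t size, uint64_t offset)
{
    return mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED,
                vdev->vbasedev.fd, offset);
}

/* … unchanged: in vfio_pci_nvlink2_init, the ATSD size check … */
        p = vfio_nvlink_mmap_region(vdev, atsdreg->size, atsdreg->offset);
```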
|
||
|
--
|
||
|
2.27.0