yeahuh / rpms / qemu-kvm

Forked from rpms/qemu-kvm 2 years ago
Clone

Blame SOURCES/kvm-vfio-nvlink-Remove-exec-permission-to-avoid-SELinux-.patch

77c23f
From f01098bb86c12f485895f38f7a24170ec84b60b6 Mon Sep 17 00:00:00 2001
77c23f
From: Greg Kurz <gkurz@redhat.com>
77c23f
Date: Mon, 8 Jun 2020 16:25:21 -0400
77c23f
Subject: [PATCH 42/42] vfio/nvlink: Remove exec permission to avoid SELinux
77c23f
 AVCs
77c23f
MIME-Version: 1.0
77c23f
Content-Type: text/plain; charset=UTF-8
77c23f
Content-Transfer-Encoding: 8bit
77c23f
77c23f
RH-Author: Greg Kurz <gkurz@redhat.com>
77c23f
Message-id: <20200608162521.382858-2-gkurz@redhat.com>
77c23f
Patchwork-id: 97459
77c23f
O-Subject: [RHEL-8.3.0 qemu-kvm PATCH 1/1] vfio/nvlink: Remove exec permission to avoid SELinux AVCs
77c23f
Bugzilla: 1823275
77c23f
RH-Acked-by: David Gibson <dgibson@redhat.com>
77c23f
RH-Acked-by: Laurent Vivier <lvivier@redhat.com>
77c23f
RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
77c23f
77c23f
From: Leonardo Bras <leobras.c@gmail.com>
77c23f
77c23f
If SELinux is setup without 'execmem' permission for qemu, all mmap
77c23f
with (PROT_WRITE | PROT_EXEC) will fail and print a warning in
77c23f
SELinux log.
77c23f
77c23f
If "nvlink2-mr" memory allocation fails (fist diff), it will cause
77c23f
guest NUMA nodes to not be correctly configured (V100 memory will
77c23f
not be visible for guest, nor its NUMA nodes).
77c23f
77c23f
Not having 'execmem' permission is intesting for virtual machines to
77c23f
avoid buffer-overflow based attacks, and it's adopted in distros
77c23f
like RHEL.
77c23f
77c23f
So, removing the PROT_EXEC flag seems the right thing to do.
77c23f
77c23f
Browsing some other code that mmaps memory for usage with
77c23f
memory_region_init_ram_device_ptr, I could notice it's usual to
77c23f
not have PROT_EXEC (only PROT_READ | PROT_WRITE), so it should be
77c23f
no problem around this.
77c23f
77c23f
Signed-off-by: Leonardo Bras <leobras.c@gmail.com>
77c23f
Message-Id: <20200501055448.286518-1-leobras.c@gmail.com>
77c23f
Acked-by: Alex Williamson <alex.williamson@redhat.com>
77c23f
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
77c23f
(cherry picked from commit 9c7c0407028355ca83349b8a60fddfad46f2ebd8)
77c23f
Signed-off-by: Greg Kurz <groug@kaod.org>
77c23f
Signed-off-by: Danilo C. L. de Paula <ddepaula@redhat.com>
77c23f
---
77c23f
 hw/vfio/pci-quirks.c | 4 ++--
77c23f
 1 file changed, 2 insertions(+), 2 deletions(-)
77c23f
77c23f
diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
77c23f
index 4505ffe48a..1c5fe014cf 100644
77c23f
--- a/hw/vfio/pci-quirks.c
77c23f
+++ b/hw/vfio/pci-quirks.c
77c23f
@@ -2237,7 +2237,7 @@ int vfio_pci_nvidia_v100_ram_init(VFIOPCIDevice *vdev, Error **errp)
77c23f
     }
77c23f
     cap = (void *) hdr;
77c23f
 
77c23f
-    p = mmap(NULL, nv2reg->size, PROT_READ | PROT_WRITE | PROT_EXEC,
77c23f
+    p = mmap(NULL, nv2reg->size, PROT_READ | PROT_WRITE,
77c23f
              MAP_SHARED, vdev->vbasedev.fd, nv2reg->offset);
77c23f
     if (p == MAP_FAILED) {
77c23f
         ret = -errno;
77c23f
@@ -2297,7 +2297,7 @@ int vfio_pci_nvlink2_init(VFIOPCIDevice *vdev, Error **errp)
77c23f
 
77c23f
     /* Some NVLink bridges may not have assigned ATSD */
77c23f
     if (atsdreg->size) {
77c23f
-        p = mmap(NULL, atsdreg->size, PROT_READ | PROT_WRITE | PROT_EXEC,
77c23f
+        p = mmap(NULL, atsdreg->size, PROT_READ | PROT_WRITE,
77c23f
                  MAP_SHARED, vdev->vbasedev.fd, atsdreg->offset);
77c23f
         if (p == MAP_FAILED) {
77c23f
             ret = -errno;
77c23f
-- 
77c23f
2.27.0
77c23f