From f01098bb86c12f485895f38f7a24170ec84b60b6 Mon Sep 17 00:00:00 2001 From: Greg Kurz Date: Mon, 8 Jun 2020 16:25:21 -0400 Subject: [PATCH 42/42] vfio/nvlink: Remove exec permission to avoid SELinux AVCs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit RH-Author: Greg Kurz Message-id: <20200608162521.382858-2-gkurz@redhat.com> Patchwork-id: 97459 O-Subject: [RHEL-8.3.0 qemu-kvm PATCH 1/1] vfio/nvlink: Remove exec permission to avoid SELinux AVCs Bugzilla: 1823275 RH-Acked-by: David Gibson RH-Acked-by: Laurent Vivier RH-Acked-by: Philippe Mathieu-Daudé From: Leonardo Bras If SELinux is setup without 'execmem' permission for qemu, all mmap with (PROT_WRITE | PROT_EXEC) will fail and print a warning in SELinux log. If "nvlink2-mr" memory allocation fails (fist diff), it will cause guest NUMA nodes to not be correctly configured (V100 memory will not be visible for guest, nor its NUMA nodes). Not having 'execmem' permission is intesting for virtual machines to avoid buffer-overflow based attacks, and it's adopted in distros like RHEL. So, removing the PROT_EXEC flag seems the right thing to do. Browsing some other code that mmaps memory for usage with memory_region_init_ram_device_ptr, I could notice it's usual to not have PROT_EXEC (only PROT_READ | PROT_WRITE), so it should be no problem around this. Signed-off-by: Leonardo Bras Message-Id: <20200501055448.286518-1-leobras.c@gmail.com> Acked-by: Alex Williamson Signed-off-by: David Gibson (cherry picked from commit 9c7c0407028355ca83349b8a60fddfad46f2ebd8) Signed-off-by: Greg Kurz Signed-off-by: Danilo C. L. de Paula --- hw/vfio/pci-quirks.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c index 4505ffe48a..1c5fe014cf 100644 --- a/hw/vfio/pci-quirks.c +++ b/hw/vfio/pci-quirks.c @@ -2237,7 +2237,7 @@ int vfio_pci_nvidia_v100_ram_init(VFIOPCIDevice *vdev, Error **errp) } cap = (void *) hdr; - p = mmap(NULL, nv2reg->size, PROT_READ | PROT_WRITE | PROT_EXEC, + p = mmap(NULL, nv2reg->size, PROT_READ | PROT_WRITE, MAP_SHARED, vdev->vbasedev.fd, nv2reg->offset); if (p == MAP_FAILED) { ret = -errno; @@ -2297,7 +2297,7 @@ int vfio_pci_nvlink2_init(VFIOPCIDevice *vdev, Error **errp) /* Some NVLink bridges may not have assigned ATSD */ if (atsdreg->size) { - p = mmap(NULL, atsdreg->size, PROT_READ | PROT_WRITE | PROT_EXEC, + p = mmap(NULL, atsdreg->size, PROT_READ | PROT_WRITE, MAP_SHARED, vdev->vbasedev.fd, atsdreg->offset); if (p == MAP_FAILED) { ret = -errno; -- 2.27.0