[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PULL 15/15] vfio/nvlink: Remove exec permission to avoid SELinux AVCs
From: |
David Gibson |
Subject: |
[PULL 15/15] vfio/nvlink: Remove exec permission to avoid SELinux AVCs |
Date: |
Wed, 27 May 2020 15:38:09 +1000 |
From: Leonardo Bras <address@hidden>
If SELinux is setup without 'execmem' permission for qemu, all mmap
with (PROT_WRITE | PROT_EXEC) will fail and print a warning in
SELinux log.
If "nvlink2-mr" memory allocation fails (fist diff), it will cause
guest NUMA nodes to not be correctly configured (V100 memory will
not be visible for guest, nor its NUMA nodes).
Not having 'execmem' permission is intesting for virtual machines to
avoid buffer-overflow based attacks, and it's adopted in distros
like RHEL.
So, removing the PROT_EXEC flag seems the right thing to do.
Browsing some other code that mmaps memory for usage with
memory_region_init_ram_device_ptr, I could notice it's usual to
not have PROT_EXEC (only PROT_READ | PROT_WRITE), so it should be
no problem around this.
Signed-off-by: Leonardo Bras <address@hidden>
Message-Id: <address@hidden>
Acked-by: Alex Williamson <address@hidden>
Signed-off-by: David Gibson <address@hidden>
---
hw/vfio/pci-quirks.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/hw/vfio/pci-quirks.c b/hw/vfio/pci-quirks.c
index 3bd05fed12..f2155ddb1d 100644
--- a/hw/vfio/pci-quirks.c
+++ b/hw/vfio/pci-quirks.c
@@ -1620,7 +1620,7 @@ int vfio_pci_nvidia_v100_ram_init(VFIOPCIDevice *vdev,
Error **errp)
}
cap = (void *) hdr;
- p = mmap(NULL, nv2reg->size, PROT_READ | PROT_WRITE | PROT_EXEC,
+ p = mmap(NULL, nv2reg->size, PROT_READ | PROT_WRITE,
MAP_SHARED, vdev->vbasedev.fd, nv2reg->offset);
if (p == MAP_FAILED) {
ret = -errno;
@@ -1680,7 +1680,7 @@ int vfio_pci_nvlink2_init(VFIOPCIDevice *vdev, Error
**errp)
/* Some NVLink bridges may not have assigned ATSD */
if (atsdreg->size) {
- p = mmap(NULL, atsdreg->size, PROT_READ | PROT_WRITE | PROT_EXEC,
+ p = mmap(NULL, atsdreg->size, PROT_READ | PROT_WRITE,
MAP_SHARED, vdev->vbasedev.fd, atsdreg->offset);
if (p == MAP_FAILED) {
ret = -errno;
--
2.26.2
- [PULL 02/15] ppc/spapr: add a POWER10 CPU model, (continued)
- [PULL 02/15] ppc/spapr: add a POWER10 CPU model, David Gibson, 2020/05/27
- [PULL 10/15] target/ppc: Fix arguments to ppc_radix64_partition_scoped_xlate(), David Gibson, 2020/05/27
- [PULL 07/15] target/ppc: Pass const pointer to ppc_radix64_get_fully_qualified_addr(), David Gibson, 2020/05/27
- [PULL 06/15] target/ppc: Pass const pointer to ppc_radix64_get_prot_amr(), David Gibson, 2020/05/27
- [PULL 12/15] hw/pci-bridge/dec: Remove dead debug code, David Gibson, 2020/05/27
- [PULL 04/15] target/ppc: Add support for scv and rfscv instructions, David Gibson, 2020/05/27
- [PULL 09/15] target/ppc: Add missing braces in ppc_radix64_partition_scoped_xlate(), David Gibson, 2020/05/27
- [PULL 11/15] target/ppc: Don't update radix PTE R/C bits with gdbstub, David Gibson, 2020/05/27
- [PULL 14/15] target/ppc: Fix argument to ppc_radix64_partition_scoped_xlate() again, David Gibson, 2020/05/27
- [PULL 13/15] hw/nvram/mac_nvram: Convert debug printf()s to trace events, David Gibson, 2020/05/27
- [PULL 15/15] vfio/nvlink: Remove exec permission to avoid SELinux AVCs,
David Gibson <=
- Re: [PULL 00/15] ppc-for-5.1 queue 20200527, no-reply, 2020/05/27
- Re: [PULL 00/15] ppc-for-5.1 queue 20200527, Peter Maydell, 2020/05/28