Hello.
Vadim Korschok wrote:
> PAX: kvm:6209, uid/euid: 0/0, attempted to modify kernel code
> BUG: unable to handle kernel paging request at ffffffff8059b040
> IP: [<ffffffffa00394d3>] intel_iommu_found+0x4d3/0x4075 [kvm_intel]
I see. That function is not TOMOYO related.
> Call Trace:
> [<ffffffffa0016b9b>] ? kvm_arch_vcpu_put+0xe/0x218 [kvm]
> [<ffffffffa001313d>] ? vcpu_put+0x9/0x9d [kvm]
> [<ffffffffa00196d1>] ? kvm_arch_vcpu_ioctl_run+0x5df/0x5ea [kvm]
> [<ffffffffa001474b>] ? kvm_resched+0x1c5/0x1048 [kvm]
> [<ffffffff8034a8f1>] ? ccs_capable+0xe1/0x1a6
> [<ffffffff8028a2a6>] ? vfs_ioctl+0x46/0x8f
> [<ffffffff8028a518>] ? do_vfs_ioctl+0x229/0x235
> [<ffffffff8028a575>] ? sys_ioctl+0x51/0x74
> [<ffffffff8020250b>] ? system_call_fastpath+0x16/0x1b
But ccs_capable() in vfs_ioctl() may be triggering this problem.
Will you back up /etc/ccs/profile.conf and /etc/ccs/domain_policy.conf in the
kvm environment, overwrite them as shown below, and reboot the kvm?
# echo '0-COMMENT=dummy' > /etc/ccs/profile.conf
# : > /etc/ccs/domain_policy.conf
These configuration files will disable TOMOYO Linux.
If the above configuration files solve this problem, please also try the steps below.
ccs_capable() may sleep. I think it is safe to call a function which may sleep
inside vfs_ioctl(), for "f_op->poll is the only vfs operation which is not
allowed to sleep".
Please restore /etc/ccs/profile.conf and /etc/ccs/domain_policy.conf,
apply the patch below with "patch -p1 -R", then recompile and reboot.
--- linux-2.6.27.10.orig/fs/ioctl.c
+++ linux-2.6.27.10/fs/ioctl.c
@@ -35,6 +38,10 @@ static long vfs_ioctl(struct file *filp,
if (!filp->f_op)
goto out;
+ /***** TOMOYO Linux start. *****/
+ if (!ccs_capable(TOMOYO_SYS_IOCTL))
+ return -EPERM;
+ /***** TOMOYO Linux end. *****/
if (filp->f_op->unlocked_ioctl) {
error = filp->f_op->unlocked_ioctl(filp, cmd, arg);
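Review bot: The added ccs_capable(TOMOYO_SYS_IOCTL) check leaves vfs_ioctl() with a bare "return -EPERM;", while the "if (!filp->f_op)" test directly above it exits through "goto out;". Setting error = -EPERM and jumping to out would keep a single exit path, so anything done at that label also applies to the denied case. The check also sits after the f_op test, so a file with no f_op never reaches it; if the capability check is meant to cover every ioctl call, it should come first. The start/end marker comments do not say why the check is here or that ccs_capable() can sleep, which is worth a one-line comment since this runs before every unlocked_ioctl dispatch.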
If ccs_capable() in vfs_ioctl() is the bug, this patch will solve the bug.
Regards.