> Vadim Korschok wrote:
> PAX: kvm:6209, uid/euid: 0/0, attempted to modify kernel code
> BUG: unable to handle kernel paging request at ffffffff8059b040
> IP: [<ffffffffa00394d3>] intel_iommu_found+0x4d3/0x4075 [kvm_intel]
> I see. That function is not TOMOYO related.
> Call Trace:
> [<ffffffffa0016b9b>] ? kvm_arch_vcpu_put+0xe/0x218 [kvm]
> [<ffffffffa001313d>] ? vcpu_put+0x9/0x9d [kvm]
> [<ffffffffa00196d1>] ? kvm_arch_vcpu_ioctl_run+0x5df/0x5ea [kvm]
> [<ffffffffa001474b>] ? kvm_resched+0x1c5/0x1048 [kvm]
> [<ffffffff8034a8f1>] ? ccs_capable+0xe1/0x1a6
> [<ffffffff8028a2a6>] ? vfs_ioctl+0x46/0x8f
> [<ffffffff8028a518>] ? do_vfs_ioctl+0x229/0x235
> [<ffffffff8028a575>] ? sys_ioctl+0x51/0x74
> [<ffffffff8020250b>] ? system_call_fastpath+0x16/0x1b
> But ccs_capable() in vfs_ioctl() may be triggering this problem.
> Will you back up /etc/ccs/profile.conf and /etc/ccs/domain_policy.conf in
> kvm environment and overwrite as shown below and reboot the kvm?
> # echo '0-COMMENT=dummy' > /etc/ccs/profile.conf
> # : > /etc/ccs/domain_policy.conf
> These configuration files will disable TOMOYO Linux.

Still not working after disabling TOMOYO Linux, dmesg output:

Calling /sbin/ccs-init to load policy. Please wait.
Allow mount proc on /proc/ with options 0xE.
Allow mount sysfs on /sys/ with options 0xE.
Allow mount tmpfs on /dev/ with options 0x2.
Allow mount devpts on /dev/pts/ with options 0xA.
Allow remount / with options 0x400.
Allow mount -t ext3 /dev/hda1 /boot/ with options 0x400.
Allow mount usbfs on /proc/bus/usb/ with options 0xA.
Allow mount securityfs on /sys/kernel/security/ with options 0xE.
Allow chroot() to /var/empty/
Allow chroot() to /root/test/
Allow chroot() to /
SAKURA: 1.6.5 2008/11/11
TOMOYO: 1.6.5+ 2008/12/10
Mandatory Access Control activated.
udev: renamed network interface eth2 to eth0
udev: renamed network interface eth0_rename to eth2
EXT3 FS on hda3, internal journal
loaded kvm module (kvm-81)
kjournald starting. Commit interval 5 seconds
EXT3 FS on hda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
Adding 2008116k swap on /dev/hda2. Priority:-1 extents:1 across:2008116k
device eth0 entered promiscuous mode
0000:00:19.0: eth0: Link is Up 100 Mbps Full Duplex, Flow Control: RX/TX
0000:00:19.0: eth0: 10/100 speed: disabling TSO
brlan: port 1(eth0) entering learning state
brlan: topology change detected, propagating
brlan: port 1(eth0) entering forwarding state
device tap0 entered promiscuous mode
brlan: port 2(tap0) entering learning state
kvm: 6100: cpu0 unhandled wrmsr: 0xc0010117 data 0
PAX: kvm:6107, uid/euid: 0/0, attempted to modify kernel code
BUG: unable to handle kernel paging request at ffffffff80598040
IP: [<ffffffffa00394d3>] intel_iommu_found+0x4d3/0x4075 [kvm_intel]
PGD 591067 PUD 596063 PMD 4001e1
Oops: 0003 [1] SMP
CPU 0
Modules linked in: kvm_intel kvm
Pid: 6107, comm: kvm Not tainted 2.6.27-ccs_hardened-r1 #3
RIP: 0010:[<ffffffffa00394d3>] [<ffffffffa00394d3>] intel_iommu_found+0x4d3/0x4075 [kvm_intel]
RSP: 0018:ffff880128175d98 EFLAGS: 00010286
RAX: 8000898000002087 RBX: ffff880127c08040 RCX: ffffffff80598000
RDX: 0000090000000000 RSI: ffff880128175de8 RDI: ffff880127c08040
RBP: 00000000fffffffc R08: 0000000000000001 R09: 0000000000000000
R10: ff2002ffff2002ff R11: ffffffffa003a128 R12: 00000000fffffffc
R13: ffff8801281c4000 R14: 0000000000000000 R15: 0000000000000000
FS: 00000000426a0950(0063) GS:ffffffff808cf600(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff80598040 CR3: 00000001288d3000 CR4: 00000000000026e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kvm (pid: 6107, threadinfo ffff880128174000, task ffff88012a700150)
Stack: ffff80598000007f 000000000000ffff ffff880127c08040 ffff880127c08040
 00000000fffffffc ffffffffa0016b9b ffff880127c08040 ffffffffa001313d
 ffff880127c08040 ffffffffa00196d1 fffffffe7ffbfeff ffff8801288a2900
Call Trace:
 [<ffffffffa0016b9b>] ? kvm_arch_vcpu_put+0xe/0x218 [kvm]
 [<ffffffffa001313d>] ? vcpu_put+0x9/0x9d [kvm]
 [<ffffffffa00196d1>] ? kvm_arch_vcpu_ioctl_run+0x5df/0x5ea [kvm]
 [<ffffffffa001474b>] ? kvm_resched+0x1c5/0x1048 [kvm]
 [<ffffffff802444e1>] ? do_futex+0xb0/0x79f
 [<ffffffff80265533>] ? handle_mm_fault+0x387/0x6fb
 [<ffffffff8034a843>] ? ccs_capable+0x33/0x1a6
 [<ffffffff8028a2a6>] ? vfs_ioctl+0x46/0x8f
 [<ffffffff8028a518>] ? do_vfs_ioctl+0x229/0x235
 [<ffffffff8028a575>] ? sys_ioctl+0x51/0x74
 [<ffffffff8020250b>] ? system_call_fastpath+0x16/0x1b
Code: c1 ea 20 0f 30 55 9d 0f 01 04 24 48 8b 4c 24 02 48 b8 ff ff ff ff ff f0 ff ff 48 ba 00 00 00 00 00 09 00 00 48 23 41 40 48 09 d0 <48> 89 41 40 0f 20 c2 48 89 d0 48 25 ff ff fe ff 0f 22 c0 b8 40
RIP [<ffffffffa00394d3>] intel_iommu_found+0x4d3/0x4075 [kvm_intel]
 RSP <ffff880128175d98>
CR2: ffffffff80598040
---[ end trace cb5af8e4edf37bd0 ]---

> If above configuration files solve this problem, please also try below steps.
> ccs_capable() may sleep. I think it is safe to call function which may sleep
> inside vfs_ioctl(), for "f_op->poll is the only vfs operation which is not
> allowed to sleep".
> Please restore /etc/ccs/profile.conf and /etc/ccs/domain_policy.conf and
> apply below patch with "patch -p1 -R" and recompile and reboot.

Haven't tested the patch, because the first step doesn't work.

Btw, I'm testing with ccs-sources currently: I have allowed the domain /usr/bin/kvm to:

allow read/write /virt/images/\*.img

then after starting the machine (running in enforced mode) ccs-audit tells me:

#2009-01-27 13:40:56# profile=3 mode=enforcing pid=6210 uid=0 gid=0 euid=0 egid=0 suid=0 sgid=0 fsuid=0 fsgid=0 state[0]=0 state[1]=0 state[2]=0
<kernel> /usr/sbin/sshd /bin/bash /usr/bin/kvm
allow_read /virt/images/test.img

After adding allow_read /virt/images/test.img it works. Is my syntax wrong "\*.img"?

localhost ~ # ccs-pathmatch '/virt/images/\*.img'
/virt/images/test.img

Regards and thanks for help.
_______________________________________________
tomoyo-users-en mailing list
[email protected]
http://lists.sourceforge.jp/mailman/listinfo/tomoyo-users-en
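The triage step in the thread above (which function actually faulted, and whether ccs_capable() is more than a leftover stack entry) can be done mechanically. This is an added example, not part of the original message or of the TOMOYO or PaX code; `triage`, `tomoyo_frames` and the abridged `SAMPLE_OOPS` are constructed for illustration. It assumes the usual x86 oops layout, where `?` marks a stack entry the unwinder could not verify and the `Oops:` value carries the page-fault error bits.

```python
import re
# Constructed sample: abridged from the oops quoted in the message above.
SAMPLE_OOPS = """\
PAX: kvm:6107, uid/euid: 0/0, attempted to modify kernel code
BUG: unable to handle kernel paging request at ffffffff80598040
IP: [<ffffffffa00394d3>] intel_iommu_found+0x4d3/0x4075 [kvm_intel]
Oops: 0003 [1] SMP
Call Trace:
 [<ffffffffa00196d1>] ? kvm_arch_vcpu_ioctl_run+0x5df/0x5ea [kvm]
 [<ffffffff8034a843>] ? ccs_capable+0x33/0x1a6
 [<ffffffff8028a2a6>] ? vfs_ioctl+0x46/0x8f
 [<ffffffff8020250b>] ? system_call_fastpath+0x16/0x1b
"""

# [<addr>] [?] symbol+0xoff/0xlen [module]; "?" marks an unverified stack entry.
FRAME = re.compile(r"\[<[0-9a-f]{16}>\]\s+(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")

def triage(text):
    """Hypothetical helper: summarise who faulted and how (x86 oops layout assumed)."""
    rep = {"pax": None, "fault_addr": None, "error": None, "ip": None, "trace": []}
    in_trace = False
    for line in map(str.strip, text.splitlines()):
        m = FRAME.search(line)
        if line.startswith("PAX:"):
            rep["pax"] = line.split(", ")[-1]
        elif line.startswith("BUG:"):
            rep["fault_addr"] = int(line.rsplit(" ", 1)[1], 16)
        elif line.startswith("Oops:"):
            code = int(line.split()[1], 16)  # x86 page-fault error code bits
            rep["error"] = {"present": bool(code & 1), "write": bool(code & 2), "user": bool(code & 4)}
        elif line.startswith("IP:") and m:
            rep["ip"] = (m.group(2), m.group(3) or "core kernel")
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and m:
            rep["trace"].append((m.group(2), m.group(3) or "core kernel", m.group(1) is None))
        elif in_trace:
            in_trace = False  # first non-frame line ends the trace
    return rep

def tomoyo_frames(rep):
    """TOMOYO (ccs_*) entries in the trace, as (symbol, verified_by_unwinder)."""
    return [(sym, ok) for sym, _mod, ok in rep["trace"] if sym.startswith("ccs_")]

if __name__ == "__main__":
    r = triage(SAMPLE_OOPS)
    print(r["ip"], r["error"], tomoyo_frames(r))
```

On this sample the fault is a kernel-mode write to a present page with the instruction pointer inside kvm_intel, and the only ccs_ entry in the trace is an unverified stack entry.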
