On Fri, 24 Mar 2017 10:26:55 +0100
Thomas Huth <th...@redhat.com> wrote:
> When running QEMU with KVM under z/VM, the memory for the guest
> is allocated via legacy_s390_alloc() since the KVM_CAP_S390_COW
> extension is not supported on z/VM. legacy_s390_alloc() then uses
> mmap(... PROT_EXEC ...) for the guest memory - but this does not
> work when running with SELinux enabled, mmap() fails and QEMU aborts
> with the following error message:
>
> cannot set up guest memory 's390.ram': Permission denied
>
> Looking at the other allocator function qemu_anon_ram_alloc(), it
> seems like PROT_EXEC is normally not needed for allocating the
> guest RAM, and indeed, the guest also starts successfully under
> z/VM when we remove the PROT_EXEC from the legacy_s390_alloc()
> function. So let's get rid of that flag here to be able to run
> with SELinux under z/VM, too.
The root cause of this is lack of ESOP in the host.
>
> Signed-off-by: Thomas Huth <th...@redhat.com>
> ---
> target/s390x/kvm.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/target/s390x/kvm.c b/target/s390x/kvm.c
> index ac47154..5167436 100644
> --- a/target/s390x/kvm.c
> +++ b/target/s390x/kvm.c
> @@ -678,8 +678,7 @@ static void *legacy_s390_alloc(size_t size, uint64_t
> *align)
> {
> void *mem;
>
> - mem = mmap((void *) 0x800000000ULL, size,
> - PROT_EXEC|PROT_READ|PROT_WRITE,
> + mem = mmap((void *) 0x800000000ULL, size, PROT_READ | PROT_WRITE,
> MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
> return mem == MAP_FAILED ? NULL : mem;
> }
Wouldn't it be better to adapt the SELinux rules?
