From: Christian Borntraeger <borntraeger@de.ibm.com>
To: Thomas Huth <thuth@redhat.com>, qemu-devel@nongnu.org
Cc: Cornelia Huck <cohuck@redhat.com>
Subject: Re: [Qemu-devel] [PATCH] target/s390x/kvm: Fix problem when running with SELinux under z/VM
Date: Mon, 18 Sep 2017 09:43:49 +0200 [thread overview]
Message-ID: <004effcd-142f-d667-3f14-c77c211cd219@de.ibm.com> (raw)
In-Reply-To: <169bbaaf-3212-ce1d-a0db-6edede5b481d@redhat.com>
On 09/15/2017 04:36 PM, Thomas Huth wrote:
> On 29.03.2017 16:25, Christian Borntraeger wrote:
>> On 03/29/2017 04:21 PM, Thomas Huth wrote:
>>> On 24.03.2017 10:39, Christian Borntraeger wrote:
>>>> On 03/24/2017 10:26 AM, Thomas Huth wrote:
>>>>> When running QEMU with KVM under z/VM, the memory for the guest
>>>>> is allocated via legacy_s390_alloc() since the KVM_CAP_S390_COW
>>>>> extension is not supported on z/VM. legacy_s390_alloc() then uses
>>>>> mmap(... PROT_EXEC ...) for the guest memory - but this does not
>>>>> work when running with SELinux enabled, mmap() fails and QEMU aborts
>>>>> with the following error message:
>>>>>
>>>>> cannot set up guest memory 's390.ram': Permission denied
>>>>>
>>>>> Looking at the other allocator function qemu_anon_ram_alloc(), it
>>>>> seems like PROT_EXEC is normally not needed for allocating the
>>>>> guest RAM, and indeed, the guest also starts successfully under
>>>>> z/VM when we remove the PROT_EXEC from the legacy_s390_alloc()
>>>>> function. So let's get rid of that flag here to be able to run
>>>>> with SELinux under z/VM, too.
>>>>
>>>> Older z/VM versions do not provide the enhanced suppression on protection
>>>> facility, which would result in guest failures as soon as the kernel
>>>> starts dirty pages tracking by write protecting the pages via the page
>>>> table. Some kernel releases back (last time I checked) the PROT_EXEC was
>>>> necessary to prevent the dirty pages tracking from taking place. So this
>>>> patch would break KVM in that case.
>>>>
>>>> Newer z/VMs (e.g. 6.3) do provide ESOP. So the question is,
>>>> why is KVM_CAP_S390_COW not set?
>>>
>>> I now had another look at this, and seems like the ESOP bit is indeed
>>> not set in S390_lowcore.machine_flags here. According to /proc/sysinfo,
>>> z/VM is version 6.1.0 here, so I guess that's just too old for ESOP?
>>
>> Yes, this was introduced with z/VM 6.3
>
> FWIW, the last version without ESOP, z/VM 6.2, is now end of life,
> according to: http://www.vm.ibm.com/techinfo/lpmigr/vmleos.html
> ... so I guess we could remove the legacy_s390_alloc() function now?
I recently learned that you can buy some extended z/VM support; not sure how
long this will be available. In addition, ESOP was added with z10, so
if we still care about z9 and older then this would break things on
very very old boxes.
The pain/risk-to-break ratio seems to suggest to keep this "hack"
for a while.