Without disabling MPROTECT the following error is shown:
---
Could not allocate dynamic translator buffer
---
And at kernel:
---
[738274.706816] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-system-x86:27572] uid/euid:1000/1000 gid/egid:1001/1001, parent /usr/bin/qemu-system-x86_64[qemu-system-x86:27571] uid/euid:1000/1000 gid/egid:1001/1001
---
BTW: It is working soooooo slow.... kvm on x86_64 running with hardened-sources.... regression from 1.3... not sure why... had to downgrade.
What exactly do you want added to the ebuild?
(In reply to comment #2)
> What exactly do you want added to the ebuild?

I guess a pax-mark, but since the current stable works, I'd like to know what breaks.
(In reply to comment #3)
> (In reply to comment #2)
> > What exactly do you want added to the ebuild?
>
> I guess a pax-mark, but since the current stable works, I'd like to know
> what break.

The disable MPROTECT is an addition to 1.4
1.3, 1.2 work with:
- PaX flags: -------x-e-- [/usr/bin/qemu-system-x86_64]
  RANDEXEC is disabled
  EMUTRAMP is disabled
But I am unsure this is all, as something is clearly not working correctly, as it runs so slow, but at least it runs...
OK, found it... This new qemu does not use kvm unless "-machine accel=kvm" is provided. If kvm is not used the mprotect must be disabled. If kvm is used then the current settings are OK. I am unsure if you like to solve this or not... but with this statement all is working OK.
I have the same problem:
---
Could not allocate dynamic translator buffer
---
dmesg:
[90184.443451] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-arm[qemu-system-arm:8977] uid/euid:12345/12345 gid/egid:12345/12345, parent /home/XXX/boot-vexpress+x[boot-vexpress+x:8976] uid/euid:12345/12345 gid/egid:12345/12345
Also problem with qemu-1.2.2-r3 (hardened kernel 3.2.37-r2)

virsh # start G64Hard
error: Failed to start domain G64Hard
error: internal error process exited while connecting to monitor: char device redirected to /dev/pts/1
qemu: warning: error ramblock '0000:00:03.0/rtl8139.rom' length 131072 != 65536. Did you change the ROM/BIOS or RAM size between restarts?
qemu: warning: error while loading state for instance 0x0 of device 'ram'
load of migration failed

2013-02-28T22:36:27.901577+04:00 miniatx kernel: grsec: From 172.21.21.20: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-i386[qemu-system-i3 id/egid:0/0
2013-02-28T22:36:28.145590+04:00 miniatx kernel: grsec: From 172.21.21.20: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-kvm:244 id:0/0
2013-02-28T22:36:28.405591+04:00 miniatx kernel: grsec: From 172.21.21.20: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-system- gid/egid:0/0

Workaround
- downgrade qemu to version 1.1.1-r1
- libvirtd restart
- virsh# start vm
- virsh# destroy vm
- up qemu version to 1.2.2-r3
- libvirtd restart
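Added example, not part of any comment in this thread: a small parser for the grsec "denied RWX mmap" lines quoted in the comments above, to list which binaries are being stopped by MPROTECT. The sample lines are copied from the thread; the function names are made up for this sketch, and fields cut off by log truncation (as in the syslog excerpt) are returned as None.

```python
import re
from collections import Counter

# Sample lines copied from comments in this thread; the last one is
# truncated in the original syslog excerpt and is kept that way on purpose.
SAMPLE_LOG = """\
[738274.706816] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-system-x86:27572] uid/euid:1000/1000 gid/egid:1001/1001, parent /usr/bin/qemu-system-x86_64[qemu-system-x86:27571] uid/euid:1000/1000 gid/egid:1001/1001
[90184.443451] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-arm[qemu-system-arm:8977] uid/euid:12345/12345 gid/egid:12345/12345, parent /home/XXX/boot-vexpress+x[boot-vexpress+x:8976] uid/euid:12345/12345 gid/egid:12345/12345
2013-02-28T22:36:27.901577+04:00 miniatx kernel: grsec: From 172.21.21.20: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-i386[qemu-system-i3 id/egid:0/0
"""

# Every group after the executable path is optional so that a line cut
# short by the log transport still yields the binary that was denied.
DENIAL = re.compile(
    r"grsec: (?:From (?P<src>\S+): )?denied RWX mmap of (?P<mapping>.+?) by "
    r"(?P<exe>/[^\[\s]+)\[(?P<comm>[^:\]\s]+)(?::(?P<pid>\d+)\])?"
    r"(?: uid/euid:(?P<uid>\d+)/(?P<euid>\d+))?"
    r"(?:.*?, parent (?P<parent>/[^\[\s]+)\[)?"
)


def parse_denials(text):
    """Return one dict per RWX-mmap denial; fields lost to truncation are None."""
    events = []
    for line in text.splitlines():
        match = DENIAL.search(line)
        if match:
            event = match.groupdict()
            # No PID means the line was cut before the closing "]".
            event["truncated"] = event["pid"] is None
            events.append(event)
    return events


def binaries_hitting_mprotect(events):
    """Count denials per executable: the binaries whose PaX marking or
    accelerator choice (TCG needs an RWX buffer) should be reviewed."""
    return Counter(event["exe"] for event in events)


if __name__ == "__main__":
    counts = binaries_hitting_mprotect(parse_denials(SAMPLE_LOG))
    for exe, count in sorted(counts.items()):
        print(count, exe)
```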
It's curiously enough =) Even with paxctl -m /usr/bin/qemu-system-* I've experienced a medium slowdown of all my qemu virtuals. Moreover, a half of my VM's inaccessible now, because SATA emulation is not working anymore O_o

for example
virsh # start gentoo-builder
error: Failed to start domain gentoo-builder
error: unsupported configuration: SATA is not supported with this QEMU binary

It seems, there are some problems with intel hd audio too, but I guess it's libvirt related, not qemu-1.4.0

In my configuration libvirt cannot be started or stopped until _all_ qemu processes will be killed manually, it's very strange, but need more deep testing for me. No one else experienced something like this? Please, let me know.

qlist -I -v -C libvirt
app-emulation/libvirt-1.0.2-r2

qlist -I -v -C qemu
app-emulation/qemu-1.4.0

emerge -pv libvirt
[ebuild R ] app-emulation/libvirt-1.0.2-r2 USE="audit caps libvirtd lvm lxc macvtap nls pcap python qemu sasl udev vepa virt-network virtualbox -avahi -firewalld -iscsi -nfs -numa -openvz -parted -phyp -policykit -rbd (-selinux) -uml -xen"

emerge -pv qemu
[ebuild R ] app-emulation/qemu-1.4.0 USE="aio alsa bluetooth caps curl filecaps jpeg ncurses opengl png sasl sdl seccomp threads tls usbredir uuid vde vhost-net vnc xattr -brltty -debug -doc -fdt -mixemu -pulseaudio -python -rbd (-selinux) -smartcard -spice -static -static-softmmu -static-user -systemtap -tci -virtfs -xen -xfs" QEMU_SOFTMMU_TARGETS="alpha arm i386 m68k microblaze mips mips64 mips64el mipsel ppc ppc64 ppcemb sparc sparc64 x86_64 -cris -lm32 -microblazeel -or32 -s390x -sh4 -sh4eb -unicore32 -xtensa -xtensaeb" QEMU_USER_TARGETS="alpha arm armeb i386 m68k microblaze mips mipsel ppc ppc64 ppc64abi32 sparc sparc32plus sparc64 x86_64 -cris -microblazeel -or32 -s390x -sh4 -sh4eb -unicore32"
(In reply to comment #9)
> It's curiously enough =) Even with paxctl -m /usr/bin/qemu-system-* I've
> experienced a medium slowdown of all my qemu virtuals. Moreover, a half of my
> VM's inaccessible now, because SATA emulation is not working anymore O_o
>
> for example
> virsh # start gentoo-builder
> error: Failed to start domain gentoo-builder
> error: unsupported configuration: SATA is not supported with this QEMU binary
>
> It seems, there are some problems with intel hd audio too, but I guess it's
> libvirt related, not qemu-1.4.0
>
> In my configuration libvirt cannot be started or stopped until _all_ qemu
> processes will be killed manually, it's very strange, but need more deep
> testing for me. No one else experienced something like this? Please, let me
> know.
>
> qlist -I -v -C libvirt
> app-emulation/libvirt-1.0.2-r2
>
> qlist -I -v -C qemu
> app-emulation/qemu-1.4.0
>
> emerge -pv libvirt
> [ebuild R ] app-emulation/libvirt-1.0.2-r2 USE="audit caps libvirtd
> lvm lxc macvtap nls pcap python qemu sasl udev vepa virt-network virtualbox
> -avahi -firewalld -iscsi -nfs -numa -openvz -parted -phyp -policykit -rbd
> (-selinux) -uml -xen"
>
> emerge -pv qemu
> [ebuild R ] app-emulation/qemu-1.4.0 USE="aio alsa bluetooth caps curl
> filecaps jpeg ncurses opengl png sasl sdl seccomp threads tls usbredir uuid
> vde vhost-net vnc xattr -brltty -debug -doc -fdt -mixemu -pulseaudio -python
> -rbd (-selinux) -smartcard -spice -static -static-softmmu -static-user
> -systemtap -tci -virtfs -xen -xfs" QEMU_SOFTMMU_TARGETS="alpha arm i386 m68k
> microblaze mips mips64 mips64el mipsel ppc ppc64 ppcemb sparc sparc64 x86_64
> -cris -lm32 -microblazeel -or32 -s390x -sh4 -sh4eb -unicore32 -xtensa
> -xtensaeb" QEMU_USER_TARGETS="alpha arm armeb i386 m68k microblaze mips
> mipsel ppc ppc64 ppc64abi32 sparc sparc32plus sparc64 x86_64 -cris
> -microblazeel -or32 -s390x -sh4 -sh4eb -unicore32"

Sounds like probing is either broken or you have the wrong emulator set in your XML files and aren't using KVM.
(In reply to comment #10)
> Sounds like probing is either broken or you have the wrong emulator set in
> your XML files and aren't using KVM.

thank you for quick answer =)

kvm and kvm_intel modules loaded, VMs started with "-machine accel=kvm" option and with qemu-1.2.2-r3 all libvirt stuff running flawlessly.

in XML configs domain type, emulator and sata seems configured properly:

<domain type='kvm'>
<emulator>/usr/bin/qemu-kvm</emulator>
<disk type='file' device='disk'>
  <driver name='qemu' type='qcow2'/>
  <source file='/home/neuromancer/kvm/gentoo-builder.img'/>
  <target dev='sda' bus='sata'/>
  <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>

nevertheless after a few experiments, i think it's libvirt problem, not (directly) qemu, will dig into it =)
Well let me know what you find.
(In reply to Doug Goldstein from comment #12)
> Well let me know what you find.

Hi,
I do not see anything relevant in the diff...

$ qemu-system-mips -nographic -drive if=pflash,file=/tmp/flash -m 256
Could not allocate dynamic translator buffer

# paxctl -m /usr/bin/qemu-system-mips

Makes it work.
Created attachment 349768
strace.log
maybe the hardened team can suggest a patch for the ebuild
should be all set now in the tree; thanks for the report!

Commit message: Disable mprotect on qemu binaries
http://sources.gentoo.org/app-emulation/qemu/qemu-2.0.0-r1.ebuild?r1=1.4&r2=1.5
http://sources.gentoo.org/app-emulation/qemu/qemu-2.0.0.ebuild?r1=1.12&r2=1.13
http://sources.gentoo.org/app-emulation/qemu/qemu-9999.ebuild?r1=1.74&r2=1.75
pax marking in src_install is too late: tests fail on hardened, see bug #515550