Bug 459348 - app-emulation/qemu: ebuild should `paxctl -m` all binaries
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Normal normal
Assignee: Doug Goldstein (RETIRED)
Reported: 2013-02-26 19:17 UTC by Alon Bar-Lev (RETIRED)
Modified: 2019-04-26 02:40 UTC


Attachments
strace.log (strace.log,31.73 KB, text/plain)
2013-05-31 22:04 UTC, iGentoo

Description Alon Bar-Lev (RETIRED) gentoo-dev 2013-02-26 19:17:29 UTC
Without disabling MPROTECT, the following error is shown:

---
Could not allocate dynamic translator buffer
---

And at kernel:
---
[738274.706816] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-system-x86:27572] uid/euid:1000/1000 gid/egid:1001/1001, parent /usr/bin/qemu-system-x86_64[qemu-system-x86:27571] uid/euid:1000/1000 gid/egid:1001/1001
---
Comment 1 Alon Bar-Lev (RETIRED) gentoo-dev 2013-02-26 19:59:16 UTC
BTW: It is working soooooo slow.... kvm on x86_64 running with hardened-sources.... regression from 1.3... not sure why... had to downgrade.
Comment 2 Doug Goldstein (RETIRED) gentoo-dev 2013-02-26 20:29:55 UTC
What exactly do you want added to the ebuild?
Comment 3 Agostino Sarubbo gentoo-dev 2013-02-26 20:33:46 UTC
(In reply to comment #2)
> What exactly do you want added to the ebuild?

I guess a pax-mark, but since the current stable works, I'd like to know what breaks.
Comment 4 Alon Bar-Lev (RETIRED) gentoo-dev 2013-02-26 20:37:22 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > What exactly do you want added to the ebuild?
> 
> I guess a pax-mark, but since the current stable works, I'd like to know
> what breaks.

The disable MPROTECT is an addition to 1.4

1.3, 1.2 work with:
- PaX flags: -------x-e-- [/usr/bin/qemu-system-x86_64]
        RANDEXEC is disabled
        EMUTRAMP is disabled
Comment 5 Alon Bar-Lev (RETIRED) gentoo-dev 2013-02-26 20:40:42 UTC
But I am unsure this is all, as something is clearly not working correctly, as it runs so slow, but at least it runs...
Comment 6 Alon Bar-Lev (RETIRED) gentoo-dev 2013-02-26 20:49:15 UTC
OK, found it...

This new qemu does not use kvm unless "-machine accel=kvm" is provided.

If kvm is not used the mprotect must be disabled.
If kvm is used then the current settings are OK.

I am unsure if you'd like to solve this or not... but with this statement all is working OK.
Comment 7 iGentoo 2013-02-27 09:46:54 UTC
I have the same problem:

---
Could not allocate dynamic translator buffer
---

dmesg:
[90184.443451] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-arm[qemu-system-arm:8977] uid/euid:12345/12345 gid/egid:12345/12345, parent /home/XXX/boot-vexpress+x[boot-vexpress+x:8976] uid/euid:12345/12345 gid/egid:12345/12345
Comment 8 Alexandr Tiurin 2013-02-28 21:52:59 UTC
Also problem with qemu-1.2.2-r3 (hardened kernel 3.2.37-r2) 

virsh # start G64Hard
error: Failed to start domain G64Hard
error: internal error process exited while connecting to monitor: char device redirected to /dev/pts/1
qemu: warning: error ramblock '0000:00:03.0/rtl8139.rom' length 131072 != 65536. Did you change the ROM/BIOS or RAM size between restarts?
qemu: warning: error while loading state for instance 0x0 of device 'ram'
load of migration failed

2013-02-28T22:36:27.901577+04:00 miniatx kernel: grsec: From 172.21.21.20: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-i386[qemu-system-i3
id/egid:0/0
2013-02-28T22:36:28.145590+04:00 miniatx kernel: grsec: From 172.21.21.20: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-kvm:244
id:0/0
2013-02-28T22:36:28.405591+04:00 miniatx kernel: grsec: From 172.21.21.20: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-system-
 gid/egid:0/0



Workaround
- downgrade qemu to version 1.1.1-r1
- libvirtd restart
- virsh# start vm
- virsh# destroy vm
- up qemu version to 1.2.2-r3 
- libvirtd restart
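
Added example (not part of the original bug report or of any commenter's post): a shell function that tallies `denied RWX mmap` events per binary from grsec kernel log lines like those quoted in the comments above, including syslog-forwarded lines with a `From <ip>:` prefix and lines cut off mid-field. The sample log is constructed, and the function names `sample_log` and `rwx_denied_binaries` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bug report: count grsec "denied RWX mmap"
# events per offending binary so MPROTECT exceptions can be reviewed
# one binary at a time.

# Constructed sample log (values invented, format modeled on this bug).
sample_log() {
cat <<'EOF'
[100.000001] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-arm[qemu-system-arm:4001] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:4000] uid/euid:1000/1000 gid/egid:1000/1000
2013-01-01T00:00:01+00:00 host kernel: grsec: From 192.0.2.10: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-kvm:41
2013-01-01T00:00:02+00:00 host kernel: grsec: From 192.0.2.10: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-system-arm[qemu-system-
[100.000002] EXT4-fs (sda1): re-mounted. Opts: (null)
[100.000003] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/qemu-sys
EOF
}

# Reads kernel log lines on stdin, prints "<count> <binary path>" per binary.
rwx_denied_binaries() {
    awk '
    /grsec: .*denied RWX mmap of / {
        s = $0
        sub(/^.*denied RWX mmap of /, "", s)
        i = index(s, " by /")      # first " by /" starts the offender
        if (i == 0) next
        s = substr(s, i + 4)       # s now begins at the binary path
        j = index(s, "[")          # path ends where [comm:pid] begins
        if (j == 0) next           # truncated inside the path: skip it
        count[substr(s, 1, j - 1)]++
    }
    END { for (p in count) print count[p], p }
    ' | sort -k2
}

sample_log | rwx_denied_binaries
```

Feed it `dmesg` output or a syslog file instead of `sample_log` to see which binaries were denied before deciding on any `paxctl -m` marking; comment 6 reports that with KVM in use the existing flags were sufficient.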
Comment 9 Alex D-Bug 2013-03-04 01:08:38 UTC
It's curiously enough =) Even with paxctl -m /usr/bin/qemu-system-* I've experienced a medium slowdown of all my qemu virtuals. Moreover, half of my VMs are inaccessible now, because SATA emulation is not working anymore O_o

for example
virsh # start gentoo-builder
error: Failed to start domain gentoo-builder
error: unsupported configuration: SATA is not supported with this QEMU binary

It seems there are some problems with intel hd audio too, but I guess it's libvirt related, not qemu-1.4.0

In my configuration libvirt cannot be started or stopped until _all_ qemu processes are killed manually. It's very strange, but it needs deeper testing from me. Has no one else experienced something like this? Please let me know.

qlist -I -v -C libvirt
app-emulation/libvirt-1.0.2-r2

qlist -I -v -C qemu
app-emulation/qemu-1.4.0

emerge -pv libvirt
[ebuild   R    ] app-emulation/libvirt-1.0.2-r2  USE="audit caps libvirtd lvm lxc macvtap nls pcap python qemu sasl udev vepa virt-network virtualbox -avahi -firewalld -iscsi -nfs -numa -openvz -parted -phyp -policykit -rbd (-selinux) -uml -xen"

emerge -pv qemu
[ebuild   R    ] app-emulation/qemu-1.4.0  USE="aio alsa bluetooth caps curl filecaps jpeg ncurses opengl png sasl sdl seccomp threads tls usbredir uuid vde vhost-net vnc xattr -brltty -debug -doc -fdt -mixemu -pulseaudio -python -rbd (-selinux) -smartcard -spice -static -static-softmmu -static-user -systemtap -tci -virtfs -xen -xfs" QEMU_SOFTMMU_TARGETS="alpha arm i386 m68k microblaze mips mips64 mips64el mipsel ppc ppc64 ppcemb sparc sparc64 x86_64 -cris -lm32 -microblazeel -or32 -s390x -sh4 -sh4eb -unicore32 -xtensa -xtensaeb" QEMU_USER_TARGETS="alpha arm armeb i386 m68k microblaze mips mipsel ppc ppc64 ppc64abi32 sparc sparc32plus sparc64 x86_64 -cris -microblazeel -or32 -s390x -sh4 -sh4eb -unicore32"
Comment 10 Doug Goldstein (RETIRED) gentoo-dev 2013-03-04 01:52:19 UTC
(In reply to comment #9)
> It's curiously enough =) Even with paxctl -m /usr/bin/qemu-system-* I've
> experienced a medium slowdown of all my qemu virtuals. Moreover, half of my
> VMs are inaccessible now, because SATA emulation is not working anymore O_o
> 
> for example
> virsh # start gentoo-builder
> error: Failed to start domain gentoo-builder
> error: unsupported configuration: SATA is not supported with this QEMU binary
> 
> It seems there are some problems with intel hd audio too, but I guess it's
> libvirt related, not qemu-1.4.0
> 
> In my configuration libvirt cannot be started or stopped until _all_ qemu
> processes are killed manually. It's very strange, but it needs deeper
> testing from me. Has no one else experienced something like this? Please let
> me know.
> 
> qlist -I -v -C libvirt
> app-emulation/libvirt-1.0.2-r2
> 
> qlist -I -v -C qemu
> app-emulation/qemu-1.4.0
> 
> emerge -pv libvirt
> [ebuild   R    ] app-emulation/libvirt-1.0.2-r2  USE="audit caps libvirtd
> lvm lxc macvtap nls pcap python qemu sasl udev vepa virt-network virtualbox
> -avahi -firewalld -iscsi -nfs -numa -openvz -parted -phyp -policykit -rbd
> (-selinux) -uml -xen"
> 
> emerge -pv qemu
> [ebuild   R    ] app-emulation/qemu-1.4.0  USE="aio alsa bluetooth caps curl
> filecaps jpeg ncurses opengl png sasl sdl seccomp threads tls usbredir uuid
> vde vhost-net vnc xattr -brltty -debug -doc -fdt -mixemu -pulseaudio -python
> -rbd (-selinux) -smartcard -spice -static -static-softmmu -static-user
> -systemtap -tci -virtfs -xen -xfs" QEMU_SOFTMMU_TARGETS="alpha arm i386 m68k
> microblaze mips mips64 mips64el mipsel ppc ppc64 ppcemb sparc sparc64 x86_64
> -cris -lm32 -microblazeel -or32 -s390x -sh4 -sh4eb -unicore32 -xtensa
> -xtensaeb" QEMU_USER_TARGETS="alpha arm armeb i386 m68k microblaze mips
> mipsel ppc ppc64 ppc64abi32 sparc sparc32plus sparc64 x86_64 -cris
> -microblazeel -or32 -s390x -sh4 -sh4eb -unicore32"

Sounds like probing is either broken or you have the wrong emulator set in your XML files and aren't using KVM.
Comment 11 Alex D-Bug 2013-03-04 10:34:48 UTC
(In reply to comment #10)
 
> Sounds like probing is either broken or you have the wrong emulator set in
> your XML files and aren't using KVM.

thank you for quick answer =)
kvm and kvm_intel modules loaded, VMs started with "-machine accel=kvm" option and with qemu-1.2.2-r3 all libvirt stuff running flawlessly.

in XML configs domain type, emulator and sata seems configured properly:
<domain type='kvm'>
<emulator>/usr/bin/qemu-kvm</emulator>
<disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/home/neuromancer/kvm/gentoo-builder.img'/>
      <target dev='sda' bus='sata'/>
      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
</disk>

nevertheless, after a few experiments, I think it's a libvirt problem, not (directly) qemu, will dig into it =)
Comment 12 Doug Goldstein (RETIRED) gentoo-dev 2013-05-30 02:39:36 UTC
Well let me know what you find.
Comment 13 Alon Bar-Lev (RETIRED) gentoo-dev 2013-05-31 13:04:21 UTC
(In reply to Doug Goldstein from comment #12)
> Well let me know what you find.

Hi,

I do not see anything relevant in the diff...

$ qemu-system-mips -nographic -drive if=pflash,file=/tmp/flash -m 256
Could not allocate dynamic translator buffer

# paxctl -m /usr/bin/qemu-system-mips

Makes it work.
Comment 14 iGentoo 2013-05-31 22:04:48 UTC
Created attachment 349768
strace.log
Comment 15 SpanKY gentoo-dev 2014-04-19 17:02:52 UTC
maybe the hardened team can suggest a patch for the ebuild
Comment 17 Nikoli 2014-06-27 20:34:54 UTC
pax marking in src_install is too late: tests fail on hardened, see bug #515550