Bug 619898 - libvirt qemu domains not booting with hardened Linux
Summary: libvirt qemu domains not booting with hardened Linux
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2017-05-27 22:15 UTC by Jared B.
Modified: 2019-08-07 23:53 UTC
Description Jared B. 2017-05-27 22:15:23 UTC
I have a server using kvm to boot multiple guest machines. The server is currently running hardened-sources 4.7.10 (newer versions installed, but I haven't rebooted the server in a while) and qemu 2.9.0-r2. I recently restarted one of the VMs and received this error message:

# virsh start dev.c1pher.com
error: Failed to start domain dev.c1pher.com
error: unsupported configuration: QEMU 2.9.0 is too new for help parsing

At first I thought it was a QEMU issue, so I tried downgrading to 2.8.1, but still received the same error.  I then found this in the kernel log:

May 27 16:51:12 c2 kernel: [17956773.881279] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-system-x86:5560] uid/euid:77/77 gid/egid:77/77, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
May 27 16:51:12 c2 kernel: [17956773.881317] grsec: Segmentation fault occurred at 00007571a0bbb000 in /usr/bin/qemu-system-x86_64[qemu-system-x86:5560] uid/euid:77/77 gid/egid:77/77, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0

After some digging and experimenting, I found that this fixed the issue:

# Convert PAX flags to current format
paxctl -c /usr/bin/qemu-system-x86_64

# Disable MEMPROTECT
paxctl -m /usr/bin/qemu-system-x86_64

# For reference, output list of current flags
paxctl -v /usr/bin/qemu-system-x86_64 
PaX control v0.9

- PaX flags: -----m-x-e-- [/usr/bin/qemu-system-x86_64]
        MPROTECT is disabled
        RANDEXEC is disabled
        EMUTRAMP is disabled

VM started fine after that.  I upgraded to QEMU 2.9.0 and it broke again, but after running the above once more I was able to start it up.

I'm nowhere near knowledgeable enough about this stuff to state that this is a Gentoo problem and not an issue with my particular server, but based on current observations it appears that the correct flags are not being set on the QEMU binaries by portage, and each upgrade effectively breaks my VMs.

Would appreciate someone looking into this.  I'm happy to provide more info or test anything - just let me know what you'd like.  Thanks.
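
Added example, not part of the original report or of any Gentoo tooling: a small Python parser for the two grsec kernel log lines quoted above. It pairs an RWX mprotect denial with a segfault that follows in the same PID, which is the pattern that pointed the reporter at the PaX marking of the QEMU binary. The function names are hypothetical, and the regular expressions assume the log format seen in those two lines.

```python
import re
from collections import defaultdict

# Sample lines taken from the kernel log quoted in the report above.
SAMPLE_LOG = """\
May 27 16:51:12 c2 kernel: [17956773.881279] grsec: denied RWX mprotect of <anonymous mapping> by /usr/bin/qemu-system-x86_64[qemu-system-x86:5560] uid/euid:77/77 gid/egid:77/77, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
May 27 16:51:12 c2 kernel: [17956773.881317] grsec: Segmentation fault occurred at 00007571a0bbb000 in /usr/bin/qemu-system-x86_64[qemu-system-x86:5560] uid/euid:77/77 gid/egid:77/77, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
"""

# "<path>[<comm>:<pid>] uid/euid:<uid>/<euid>" identifies the acting process.
# Assumed format, derived only from the two lines above.
PROC = (r"(?P<path>/\S+?)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\] "
        r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+)")
DENIED = re.compile(r"grsec: denied RWX mprotect of (?P<target>.+?) by " + PROC)
SEGV = re.compile(r"grsec: Segmentation fault occurred at (?P<addr>[0-9a-f]+) in " + PROC)

def parse_grsec(log_text):
    """Return a list of event dicts for RWX-mprotect denials and segfaults."""
    events = []
    for line in log_text.splitlines():
        for kind, rx in (("rwx_denied", DENIED), ("segfault", SEGV)):
            m = rx.search(line)
            if m:
                ev = m.groupdict()
                ev["kind"] = kind
                ev["pid"] = int(ev["pid"])
                events.append(ev)
                break
    return events

def crashed_after_denial(events):
    """Map binary path -> PIDs that segfaulted after an RWX mprotect denial."""
    denied, hits = set(), defaultdict(set)
    for ev in events:
        key = (ev["path"], ev["pid"])
        if ev["kind"] == "rwx_denied":
            denied.add(key)
        elif key in denied:  # segfault in a process already denied RWX
            hits[ev["path"]].add(ev["pid"])
    return {path: sorted(pids) for path, pids in hits.items()}

if __name__ == "__main__":
    for path, pids in crashed_after_denial(parse_grsec(SAMPLE_LOG)).items():
        print(f"{path}: RWX mprotect denied, then segfault (pid {pids})")
```
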
Comment 1 Alexander Tsoy 2017-06-06 23:39:30 UTC
PT PaX marking was dropped from binutils. You should switch to XATTR PaX marking.
https://wiki.gentoo.org/wiki/Hardened/PaX_flag_migration_from_PT_PAX_to_XATTR_PAX
Comment 2 Alexander Tsoy 2017-06-06 23:46:10 UTC
(In reply to Alexander Tsoy from comment #1)
> PT PaX marking was dropped from binutils.
Sorry, the wording is incorrect. I mean binutils no longer creates the PT_PAX_FLAGS program header. pax-mark() from pax-utils.eclass also no longer tries to create/convert the PT_PAX_FLAGS header.
Comment 3 Magnus Granberg gentoo-dev 2019-08-07 23:53:40 UTC
Hardened-sources no longer in the tree