[CRIU] [PATCH] report the potential selinux problem if mmap_seized() fails
Pavel Emelyanov
xemul at parallels.com
Wed Apr 22 02:39:49 PDT 2015
On 04/21/2015 08:16 PM, Oleg Nesterov wrote:
> selinux can deny mmap(PROT_WRITE | PROT_EXEC) and in this case it is
> not clear why CRIU fails, "Can't allocate memory for parasite blob"
> doesn't tell too much. Add a pr_warn() hint for the user.
>
> Signed-off-by: Oleg Nesterov <oleg at redhat.com>
> ---
> arch/x86/crtools.c | 11 +++++++++--
> 1 files changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/crtools.c b/arch/x86/crtools.c
> index 02ce2e5..06d824a 100644
> --- a/arch/x86/crtools.c
> +++ b/arch/x86/crtools.c
> @@ -445,8 +445,15 @@ void *mmap_seized(struct parasite_ctl *ctl,
>
> err = syscall_seized(ctl, __NR_mmap, &map,
> (unsigned long)addr, length, prot, flags, fd, offset);
> - if (err < 0 || map > TASK_SIZE)
> - map = 0;
> + if (err < 0)
> + return NULL;
> +
> + if (IS_ERR_VALUE(map)) {
The IS_ERR_VALUE is only a subset of > TASK_SIZE, so this change is
not 100% correct. In particular the map > TASK_SIZE check was added
for ARM and is important there.
> + if (map == -EACCES && (prot & PROT_WRITE) && (prot & PROT_EXEC))
> + pr_warn("mmap(PROT_WRITE | PROT_EXEC) failed for %d, "
> + "check selinux execmem policy\n", ctl->pid.real);
> + return NULL;
> + }
>
> return (void *)map;
> }
>
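Review bot: in the replacement for `if (err < 0 || map > TASK_SIZE)`, the upper bound on `map` is dropped, so a value above TASK_SIZE that falls outside the IS_ERR_VALUE() range is now returned to the caller as a valid mapping address. Keep the bound as a second check after the IS_ERR_VALUE() block, for example `if (map > TASK_SIZE) return NULL;`, so the warning is added without narrowing what is rejected. Separately, only -EACCES with both PROT_WRITE and PROT_EXEC set produces a message; every other error value in `map` still returns NULL silently, so logging the error code in that path as well would cover the remaining cases of the unclear failure the commit message describes.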