[CRIU] [PATCH] report the potential selinux problem if mmap_seized() fails

Pavel Emelyanov xemul at parallels.com
Wed Apr 22 02:39:49 PDT 2015


On 04/21/2015 08:16 PM, Oleg Nesterov wrote:
> selinux can deny mmap(PROT_WRITE | PROT_EXEC) and in this case it is
> not clear why CRIU fails, "Can't allocate memory for parasite blob"
> doesn't tell too much. Add a pr_warn() hint for the user.
> 
> Signed-off-by: Oleg Nesterov <oleg at redhat.com>
> ---
>  arch/x86/crtools.c |   11 +++++++++--
>  1 files changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/arch/x86/crtools.c b/arch/x86/crtools.c
> index 02ce2e5..06d824a 100644
> --- a/arch/x86/crtools.c
> +++ b/arch/x86/crtools.c
> @@ -445,8 +445,15 @@ void *mmap_seized(struct parasite_ctl *ctl,
>  
>  	err = syscall_seized(ctl, __NR_mmap, &map,
>  			(unsigned long)addr, length, prot, flags, fd, offset);
> -	if (err < 0 || map > TASK_SIZE)
> -		map = 0;
> +	if (err < 0)
> +		return NULL;
> +
> +	if (IS_ERR_VALUE(map)) {

The IS_ERR_VALUE is only a subset of > TASK_SIZE, so this change is
not 100% correct. In particular the map > TASK_SIZE check was added 
for ARM and is important there.

> +		if (map == -EACCES && (prot & PROT_WRITE) && (prot & PROT_EXEC))
> +			pr_warn("mmap(PROT_WRITE | PROT_EXEC) failed for %d, "
> +				"check selinux execmem policy\n", ctl->pid.real);
> +		return NULL;
> +	}
>  
>  	return (void *)map;
>  }
> 



More information about the CRIU mailing list