[tomoyo-users-en 48] Re: ccs_hardened-sources updates and kvm virtualization not working

Vadim Korschok korsc****@carit*****
Wed Jan 28 18:51:05 JST 2009


> You confirmed that hardened-sources-2.6.27-r7 without TOMOYO patch works fine.
> Will you try hardened-sources-2.6.27-r7 with TOMOYO patch?
> I think TOMOYO patch in ccs_hardened-sources r1 will be applicable for
> hardened-sources-2.6.27-r7 too.

Thanks, that partly works for me. If I boot, get the login screen, and start the virtual machine directly, I again get:

PAX: kvm:6191, uid/euid: 0/0, attempted to modify kernel code
BUG: unable to handle kernel paging request at ffffffff8059b040
IP: [<ffffffffa00394e9>] intel_iommu_found+0x4e9/0x440d [kvm_intel]
PGD 591067 PUD 596063 PMD 4001e1
Oops: 0003 [1] SMP
CPU 3
Modules linked in: kvm_intel kvm
Pid: 6191, comm: kvm Not tainted 2.6.27-hardened-r7 #1
RIP: 0010:[<ffffffffa00394e9>]  [<ffffffffa00394e9>] intel_iommu_found+0x4e9/0x440d [kvm_intel]
RSP: 0018:ffff88012a53fd98  EFLAGS: 00010286
RAX: 8000898068402087 RBX: ffff880126c28040 RCX: ffffffff8059b000
RDX: 0000090000000000 RSI: ffff88012a53fde8 RDI: ffff880126c28040
RBP: 00000000fffffffc R08: 0000000000000001 R09: 0000000000000000
R10: ff2002ffff2002ff R11: ffffffffa003a119 R12: 00000000fffffffc
R13: ffff8801281ee000 R14: 0000000000000000 R15: 0000000000000000
FS:  0000000041b3f950(0063) GS:ffff88012badcdc0(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffff8059b040 CR3: 00000001281df000 CR4: 00000000000026e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process kvm (pid: 6191, threadinfo ffff88012a53e000, task ffff88012a14ccb0)
Stack:  ffff8059b000007f 000000000000ffff ffff880126c28040 ffff880126c28040
 00000000fffffffc ffffffffa0016749 ffff880126c28040 ffffffffa0013436
 ffff880126c28040 ffffffffa001988f fffffffe7ffbfeff ffff8801279770c0
Call Trace:
 [<ffffffffa0016749>] ? kvm_arch_vcpu_put+0xe/0x218 [kvm]
 [<ffffffffa0013436>] ? vcpu_put+0x9/0x9d [kvm]
 [<ffffffffa001988f>] ? kvm_arch_vcpu_ioctl_run+0x687/0x691 [kvm]
 [<ffffffffa00147e5>] ? kvm_resched+0x1c5/0xff7 [kvm]
 [<ffffffff802655a7>] ? handle_mm_fault+0x387/0x6fb
 [<ffffffff8034a863>] ? ccs_capable+0x33/0x1a6
 [<ffffffff8028a32e>] ? vfs_ioctl+0x46/0x8f
 [<ffffffff8028a5a0>] ? do_vfs_ioctl+0x229/0x235
 [<ffffffff8028a5fd>] ? sys_ioctl+0x51/0x74
 [<ffffffff8020250b>] ? system_call_fastpath+0x16/0x1b


Code: c1 ea 20 0f 30 55 9d 0f 01 04 24 48 8b 4c 24 02 48 b8 ff ff ff ff ff f0 ff ff 48 ba 00 00 00 00 00 09 00 00 48 23 41 40 48 09 d0 <48> 89 41 40 0f 20 c2 48 89 d0 48 25 ff ff fe ff 0f 22 c0 b8 40
RIP  [<ffffffffa00394e9>] intel_iommu_found+0x4e9/0x440d [kvm_intel]
 RSP <ffff88012a53fd98>
CR2: ffffffff8059b040
---[ end trace d815e3801e7de3a6 ]---
device tap1 entered promiscuous mode
brlan: port 3(tap1) entering learning state
TOMOYO-ERROR: Access 'read(open) /virt/images/gentoo.iso' denied for /usr/bin/kvm

If I reboot and wait until I can connect over PuTTY (maybe 10-20 seconds delayed, after the login screen on the console):

dmesg shows me only this error:

TOMOYO-ERROR: Access 'read(open) /virt/images/gentoo.iso' denied for /usr/bin/kvm

I can add entries in ccs-editpolicy but ccs-audit still shows me:

#2009-01-28 10:26:29# profile=3 mode=enforcing pid=6213 uid=0 gid=0 euid=0 egid=
<kernel> /usr/sbin/sshd /bin/bash /usr/bin/kvm
allow_read /virt/images/gentoo.iso

See the picture: http://www.abload.de/image.php?img=tomoyo5jil.jpg 


> > allow read/write /virt/images/\*.img
> Please use "allow_read/write", not "allow read/write".
> Oh, you specified "allow_read/write" but it didn't work, right?
> Then, it is TOMOYO's bug. Probably below patch will fix it.

No

> diff -urp 1.6.5/fs/tomoyo_file.c 1.6.5-hotfix/fs/tomoyo_file.c
> --- 1.6.5/fs/tomoyo_file.c	2008-12-25 09:00:00.000000000 +0900
> +++ 1.6.5-hotfix/fs/tomoyo_file.c	2009-01-28 14:09:47.157039688 +0900
> @@ -1038,6 +1038,8 @@ static int update_single_path_acl(const 
> 	if (!acl)
> 		goto out;
> 	acl->perm = perm;
> +	if (perm == (1 << TYPE_READ_WRITE_ACL))
> +		acl->perm |= rw_mask;
> 	acl->u_is_group = is_group;
> 	acl->u.filename = saved_filename;
> 	error = ccs_add_domain_acl(domain, &acl->head);
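
Review bot: The added test `perm == (1 << TYPE_READ_WRITE_ACL)` right after `acl->perm = perm;` matches only when the read/write bit is the sole bit set in perm, so if a caller can ever pass that bit combined with others, `rw_mask` is not OR-ed in; a bitwise test (`perm & (1 << TYPE_READ_WRITE_ACL)`) would cover both cases. The hunk also does not show where `rw_mask` is defined or what bits it holds, and the expansion is applied only on this path after `if (!acl) goto out;`, so it is worth confirming that any path updating an already existing entry grants the same read and write bits. A one-line comment stating that an allow_read/write entry must also imply the separate read and write permissions would explain why the extra bits are set.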

After adding this patch, I again get the dmesg output from earlier postings (maybe I haven't waited long enough), so I've undone the patch.
Tetsuo, maybe you can install gentoo-hardened and create a working patch. Perhaps it's time for me to drop TOMOYO Linux and watch for a more stable solution. But if you have ideas, I can test them.

Regards.



