On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote:
> Hi udev people-
>
> The upcoming Linux SGX driver has a device node /dev/sgx. User code
> opens it, does various setup things, mmaps it, and needs to be able to
> create PROT_EXEC mappings. This gets quite awkward if /dev is mounted
> noexec.
>
> Can udev arrange to make a device node executable on distros that make
> /dev noexec? This could be done by bind-mounting from an exec tmpfs.
> Alternatively, the kernel could probably learn to ignore noexec on
> /dev/sgx, but that seems a little bit evil.

I'd be inclined to simply drop noexec from /dev by default. We don't do
noexec on either /tmp or /dev/shm (because that causes immediate problems
with stuff like Java and cffi). And if you have those two at your disposal
anyway, having noexec on /dev doesn't seem important.

Afaik, the kernel would refuse execve() on a character or block device
anyway. Thus noexec on /dev matters only for actual binaries copied to
/dev, which requires root privileges in the first place.

Zbyszek
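The two kernel behaviours this exchange rests on, as an added C example that is not code from the message, from udev/systemd, or from the SGX driver: a parser that answers whether the mount holding a path carries noexec (run over a constructed mounts table in the test, and over the live /proc/self/mounts in main), an mmap(PROT_EXEC) probe that surfaces the EPERM a noexec mount produces, and an execve() probe showing the EACCES the kernel returns for a device node. The function names are mine, the mount table is constructed rather than captured from any system, and the parser does not undo the \040 escaping real tables use for spaces in mount points. Linux only.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
/* Constructed /proc/self/mounts excerpt, not captured from any system:
 * /dev is noexec here, /tmp and /dev/shm are not. */
static const char sample_mounts[] =
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "devtmpfs /dev devtmpfs rw,nosuid,noexec,size=4096k,mode=755 0 0\n"
    "tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0\n"
    "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n";

/* "/" holds everything; else path equals mp or continues with '/' ("/dev" != "/devices"). */
static int covers(const char *mp, size_t mplen, const char *path)
{
    if (mplen == 1 && mp[0] == '/') return 1;
    if (strncmp(path, mp, mplen) != 0) return 0;
    return path[mplen] == '\0' || path[mplen] == '/';
}
/* Exact-token match for "noexec" in a comma-separated option list. */
static int opts_have_noexec(const char *opts, size_t len)
{
    for (const char *p = opts, *end = opts + len; p < end; ) {
        const char *q = memchr(p, ',', (size_t)(end - p));
        if (!q) q = end;
        if (q - p == 6 && memcmp(p, "noexec", 6) == 0) return 1;
        p = q + 1;
    }
    return 0;
}

/* Parse a /proc/self/mounts table: 1 = the mount holding path is noexec,
 * 0 = exec allowed, -1 = nothing covers path. Longest mount point wins;
 * among equals the later line wins, matching how the kernel stacks mounts. */
int path_mount_is_noexec(const char *mounts, const char *path)
{
    int result = -1; size_t best = 0;
    for (const char *line = mounts; *line; ) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *f[4], *p = line; /* source mountpoint fstype options */
        size_t fl[4]; int ok = 1;
        for (int i = 0; i < 4 && ok; i++) {
            while (p < end && *p == ' ') p++;
            f[i] = p;
            while (p < end && *p != ' ') p++;
            fl[i] = (size_t)(p - f[i]);
            ok = fl[i] > 0;
        }
        if (ok && covers(f[1], fl[1], path) && (result < 0 || fl[1] >= best)) {
            best = fl[1];
            result = opts_have_noexec(f[3], fl[3]);
        }
        line = eol ? eol + 1 : end;
    }
    return result;
}
/* PROT_EXEC private mapping of fd: 0 on success, else errno. On a noexec
 * mount the kernel refuses with EPERM, which is what /dev/sgx users hit. */
int probe_exec_mmap_fd(int fd, size_t len)
{
    void *m = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (m == MAP_FAILED) return errno;
    munmap(m, len);
    return 0;
}
/* Run execve() on path in a child and return the errno it failed with. A
 * character or block device gets EACCES from the kernel, noexec or not. */
int probe_execve_errno(const char *path)
{
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        execl(path, path, (char *)NULL); /* execve() underneath */
        _exit(errno & 0xff);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return errno;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-alone use: ./probe [path]; default /dev/zero, which supports mmap. */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/zero";
    static char table[1 << 16];
    FILE *fp = fopen("/proc/self/mounts", "r");
    size_t n = fp ? fread(table, 1, sizeof table - 1, fp) : 0;
    if (fp) fclose(fp);
    table[n] = '\0';
    printf("%s: noexec mount = %d\n", path, path_mount_is_noexec(table, path));
    int fd = open(path, O_RDONLY);
    int e = fd < 0 ? errno : probe_exec_mmap_fd(fd, 4096);
    printf("mmap PROT_EXEC: %s\n", e ? strerror(e) : "ok");
    printf("execve: %s\n", strerror(probe_execve_errno(path)));
    return fd < 0;
}
```

Build with `cc -o probe probe.c` and point it at a device node; on a box whose /dev is noexec the mmap line reports "Operation not permitted" while execve reports "Permission denied" either way. The longest-prefix rule in the parser is what makes the bind-mount idea from the quoted mail visible: an exec tmpfs bound over a single node shows up as its own line in /proc/self/mounts and outranks the /dev entry above it.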