On 5/3/21 8:41 AM, Jarkko Sakkinen wrote: >> $ ls -l /dev/sgx_enclave >> crw------- 1 dave dave 10, 125 Apr 28 11:32 /dev/sgx_enclave >> $ ./test_sgx >> 0x0000000000000000 0x0000000000002000 0x03 >> 0x0000000000002000 0x0000000000001000 0x05 >> 0x0000000000003000 0x0000000000003000 0x03 >> SUCCESS >> >> *But*, is that OK? Should we be happily creating a PROT_EXEC mapping on >> a ugo-x file? Why were we respecting noexec on the filesystem but not >> ugo-x on the file? > Yeah, this supports my earlier response: > > "EPERM The prot argument asks for PROT_EXEC but the mapped area > belongs to a file on a filesystem that was mounted no-exec." > https://man7.org/linux/man-pages/man2/mmap.2.html > > I guess the right model is to think just as "anonymous memory" > with equivalent access control semantics after succesfully > opened for read and write. I guess I'll answer my own question: The "x" bit on file permissions really only controls the ability for the file to be execve()'d, but has no bearing on the ability for an executable *mapping* to be created. This is existing VFS behavior and is not specific to SGX. I think I'll just send a patch to pull that warning out.
