On 2019-04-19 13:46, Jethro Beekman wrote:
> On 2019-04-19 13:39, Thomas Gleixner wrote:
>> On Fri, 19 Apr 2019, Jethro Beekman wrote:
>>
>>> On 2019-04-19 08:27, Andy Lutomirski wrote:
>>>> There are many,
>>>> many Linux systems that enforce a policy that *all* executable text
>>>> needs to come from a verified source. On these systems, you can't
>>>> mmap some writable memory, write to it, and then change it to
>>>> executable.
>>>
>>> How is this implemented on those systems? AFAIK there's no kernel config
>>> option that changes the semantics of mmap as you describe.
>>
>> That has nothing to do with mmap() semantics. You mmap() writeable memory
>> and then you change the permissions via mprotect(). mprotect() calls into
>> LSM and depending on policy and security model this will reject the
>> request.
>>
>> Andy was pointing out that the SGX ioctl bypasses the LSM mechanics which
>> is obviously a bad thing.
>
> We could modify the driver such that when you call ioctl EADD, the page
> table permissions need to be the PAGEINFO.SECINFO.FLAGS | PROT_WRITE,
> otherwise you get EPERM or so. After EADD, if you want, you can restrict

Actually, I don't think you even need to include PAGEINFO.SECINFO.FLAGS, you just need to ensure PROT_WRITE. Regular page table checks take care of PAGEINFO.SECINFO.FLAGS.

--
Jethro Beekman | Fortanix