Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
Subject: Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves
From: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>
Date: Tue, 4 Jun 2019 19:25:55 +0300
Cc: Andy Lutomirski <luto@xxxxxxxxxx>, Cedric Xing <cedric.xing@xxxxxxxxx>, Stephen Smalley <sds@xxxxxxxxxxxxx>, James Morris <jmorris@xxxxxxxxx>, "Serge E . Hallyn" <serge@xxxxxxxxxx>, LSM List <linux-security-module@xxxxxxxxxxxxxxx>, Paul Moore <paul@xxxxxxxxxxxxxx>, Eric Paris <eparis@xxxxxxxxxxxxxx>, selinux@xxxxxxxxxxxxxxx, Jethro Beekman <jethro@xxxxxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxx>, Thomas Gleixner <tglx@xxxxxxxxxxxxx>, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>, LKML <linux-kernel@xxxxxxxxxxxxxxx>, X86 ML <x86@xxxxxxxxxx>, linux-sgx@xxxxxxxxxxxxxxx, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>, nhorman@xxxxxxxxxx, npmccallum@xxxxxxxxxx, Serge Ayoun <serge.ayoun@xxxxxxxxx>, Shay Katz-zamir <shay.katz-zamir@xxxxxxxxx>, Haitao Huang <haitao.huang@xxxxxxxxx>, Andy Shevchenko <andriy.shevchenko@xxxxxxxxxxxxxxx>, Kai Svahn <kai.svahn@xxxxxxxxx>, Borislav Petkov <bp@xxxxxxxxx>, Josh Triplett <josh@xxxxxxxxxxxxxxxx>, Kai Huang <kai.huang@xxxxxxxxx>, David Rientjes <rientjes@xxxxxxxxxx>, William Roberts <william.c.roberts@xxxxxxxxx>, Philip Tricca <philip.b.tricca@xxxxxxxxx>
In-reply-to: <20190531233159.30992-8-sean.j.christopherson@intel.com>
Organization: Intel Finland Oy - BIC 0357606-4 - Westendinkatu 7, 02160 Espoo
References: <20190531233159.30992-1-sean.j.christopherson@intel.com> <20190531233159.30992-8-sean.j.christopherson@intel.com>
User-agent: Mutt/1.10.1 (2018-07-13)

On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote:
> Do not allow an enclave page to be mapped with PROT_EXEC if the source
> page is backed by a file on a noexec file system.
> 
> Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>

Why don't you just check in sgx_encl_add_page() that whether the path
comes from noexec and deny if SECINFO contains X?

/Jarkko

Follow-Ups:
- Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves
  - From: Andy Lutomirski

References:
- [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM
  - From: Sean Christopherson
- [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves
  - From: Sean Christopherson

Prev by Date: Re: [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES
Next by Date: Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM
Previous by thread: Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves
Next by thread: Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves
Index(es):
- Date
- Thread

[Index of Archives] [AMD Graphics] [Linux USB Devel] [Linux Audio Users] [Yosemite News] [Linux Kernel] [Linux SCSI]