On Wed, 2020-12-09 at 07:14 -0800, Andy Lutomirski wrote:
> On Dec 9, 2020, at 12:58 AM, Topi Miettinen <toiwoton@xxxxxxxxx> wrote:
[...]
> > I think we agree that there's a need for either way to allow SGX
> > (if default is hardened) or a hardening option (in the opposite
> > case). For systemd I see two approaches:
> >
> > 1. Default noexec /dev, override with something like
> > - ExecPaths=/dev
> > - MountOptions=/dev:rw,exec,dev,nosuid
> > - or even MountOptions=/dev/sgx:rw,exec,dev,nosuid
> > - ProtectDev=no
> > - AllowSGX=yes
> >
> > 2. Default exec /dev, override with
> > - NoExecPaths=/dev
> > - MountOptions=/dev:rw,noexec,dev,nosuid
> > - ProtectDev=yes
> > - DenySGX=yes
> >
> > I'd prefer 1. but of course 2. would be reasonable.
>
> I would argue for 2, for the following reason. I absolutely agree
> that hardening a system by making it impossible to create executable
> code dynamically is valuable, but I don’t think it’s a good default.
> By default, programs like gcc and clang should work, but so should
> JITs, and JITs are getting more popular and powerful all the time.
> In a default setting that allows JITs, etc, I see no benefit at all
> to making /dev noexec. To the contrary, making /dev noexec seems like
> plugging a little restricted corner of code creation (because it
> requires UID=0) while allowing the easy ways (/tmp, /home, /dev/shm,
> unshare(2), mmap(), etc). By all means let admins harden this, but I
> see no reason to apply some of the hardening when the rest is
> disabled.
[...]
I'm convinced. I've committed a change to initramfs-tools that removes
the noexec mount option again.
Ben.
--
Ben Hutchings
It is a miracle that curiosity survives formal education.
- Albert Einstein
Attachment:
signature.asc
Description: This is a digitally signed message part
