On Thu, Nov 19, 2020 at 10:05 AM Topi Miettinen <toiwoton@xxxxxxxxx> wrote: > > On 19.11.2020 18.32, Zbigniew Jędrzejewski-Szmek wrote: > > On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote: > >> Hi udev people- > >> > >> The upcoming Linux SGX driver has a device node /dev/sgx. User code > >> opens it, does various setup things, mmaps it, and needs to be able to > >> create PROT_EXEC mappings. This gets quite awkward if /dev is mounted > >> noexec. > >> > >> Can udev arrange to make a device node executable on distros that make > >> /dev noexec? This could be done by bind-mounting from an exec tmpfs. > >> Alternatively, the kernel could probably learn to ignore noexec on > >> /dev/sgx, but that seems a little bit evil. > > > > I'd be inclined to simply drop noexec from /dev by default. > > We don't do noexec on either /tmp or /dev/shm (because that causes immediate > > problems with stuff like Java and cffi). And if you have those two at your > > disposal anyway, having noexec on /dev doesn't seem important. > > I'd propose to not enable exec globally, but if a service needs SGX, it > could use something like MountOptions=/dev:exec only in those cases > where it's needed. That way it's possible to disallow writable and > executable file systems for most services (which typically don't need > /tmp or /dev/shm either). Of course the opposite > (MountOptions=/dev:noexec) would be also possible, but I'd expect that > this would be needed to be used more often. > I imagine the opposite would be more sensible. It seems odd to me that we would want any SGX-using service to require both special mount options and regular ACL permissions. As a further argument, I just did this on a Fedora system: $ find /dev -perm /ugo+x -a \! -type d -a \! -type l No results. So making /dev noexec doesn't seem to have any benefit. _______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: Creating executable device nodes in /dev?
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: Creating executable device nodes in /dev?
- From: Andy Lutomirski <luto@xxxxxxxxxx>
- Date: Tue, 8 Dec 2020 10:07:17 -0800
- Cc: systemd Mailing List <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>, Haitao Huang <haitao.huang@xxxxxxxxxxxxxxx>, "Schlobohm, Bruce" <bruce.schlobohm@xxxxxxxxx>, Ben Hutchings <ben@xxxxxxxxxxxxxxx>, linux-hotplug@xxxxxxxxxxxxxxx, Jethro Beekman <jethro@xxxxxxxxxxxx>, Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx>, "Svahn, Kai" <kai.svahn@xxxxxxxxx>, Andy Lutomirski <luto@xxxxxxxxxx>, Casey Schaufler <casey@xxxxxxxxxxxxxxxx>, Stephen Smalley <sds@xxxxxxxxxxxxx>, linux-sgx@xxxxxxxxxxxxxxx
- In-reply-to: <ff9aaf77-add3-dbeb-d05e-aedd93d41df0@gmail.com>
- References: <CALCETrWM2rGPRudtaQ=mn9MRsrbQqFfZDkOGsBbVMsk6mMw_+A@mail.gmail.com> <20201119163245.GN7348@in.waw.pl> <ff9aaf77-add3-dbeb-d05e-aedd93d41df0@gmail.com>
- Follow-Ups:
- Re: Creating executable device nodes in /dev?
- From: Jarkko Sakkinen
- Re: Creating executable device nodes in /dev?
- From: Topi Miettinen
- Re: Creating executable device nodes in /dev?
- References:
- Creating executable device nodes in /dev?
- From: Andy Lutomirski
- Re: Creating executable device nodes in /dev?
- From: Zbigniew Jędrzejewski-Szmek
- Re: Creating executable device nodes in /dev?
- From: Topi Miettinen
- Creating executable device nodes in /dev?
- Prev by Date: Re: mkosi question: third party repos + dnf modules
- Next by Date: Re: Creating executable device nodes in /dev?
- Previous by thread: Re: Creating executable device nodes in /dev?
- Next by thread: Re: Creating executable device nodes in /dev?
- Index(es):
 |