| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <26420c42-ac7c-e2d0-ee99-d186c918ae1e@tycho.nsa.gov>
Date: Tue, 11 Jun 2019 13:21:21 -0400
From: Stephen Smalley <sds@...ho.nsa.gov>
To: Andy Lutomirski <luto@...nel.org>,
Jarkko Sakkinen <jarkko.sakkinen@...ux.intel.com>
Cc: Sean Christopherson <sean.j.christopherson@...el.com>,
Cedric Xing <cedric.xing@...el.com>,
James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>,
LSM List <linux-security-module@...r.kernel.org>,
Paul Moore <paul@...l-moore.com>,
Eric Paris <eparis@...isplace.org>, selinux@...r.kernel.org,
Jethro Beekman <jethro@...tanix.com>,
Dave Hansen <dave.hansen@...el.com>,
Thomas Gleixner <tglx@...utronix.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
LKML <linux-kernel@...r.kernel.org>, X86 ML <x86@...nel.org>,
linux-sgx@...r.kernel.org,
Andrew Morton <akpm@...ux-foundation.org>, nhorman@...hat.com,
npmccallum@...hat.com, Serge Ayoun <serge.ayoun@...el.com>,
Shay Katz-zamir <shay.katz-zamir@...el.com>,
Haitao Huang <haitao.huang@...el.com>,
Andy Shevchenko <andriy.shevchenko@...ux.intel.com>,
Kai Svahn <kai.svahn@...el.com>,
Borislav Petkov <bp@...en8.de>,
Josh Triplett <josh@...htriplett.org>,
Kai Huang <kai.huang@...el.com>,
David Rientjes <rientjes@...gle.com>,
William Roberts <william.c.roberts@...el.com>,
Philip Tricca <philip.b.tricca@...el.com>
Subject: Re: [RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction
for enclaves
On 6/10/19 12:44 PM, Andy Lutomirski wrote:
> On Mon, Jun 10, 2019 at 9:00 AM Jarkko Sakkinen
> <jarkko.sakkinen@...ux.intel.com> wrote:
>>
>> On Wed, Jun 05, 2019 at 07:11:43PM -0700, Sean Christopherson wrote:
>>> + goto out;
>>> + }
>>> +
>>> + /*
>>> + * Query VM_MAYEXEC as an indirect path_noexec() check (see do_mmap()),
>>> + * but with some future proofing against other cases that may deny
>>> + * execute permissions.
>>> + */
>>> + if (!(vma->vm_flags & VM_MAYEXEC)) {
>>> + ret = -EACCES;
>>> + goto out;
>>> + }
>>> +
>>> + if (copy_from_user(dst, (void __user *)src, PAGE_SIZE))
>>> + ret = -EFAULT;
>>> + else
>>> + ret = 0;
>>> +
>>> +out:
>>> + up_read(¤t->mm->mmap_sem);
>>> +
>>> + return ret;
>>> +}
>>
>> I would suggest to express the above instead like this for clarity
>> and consistency:
>>
>> goto err_map_sem;
>> }
>>
>> /* Query VM_MAYEXEC as an indirect path_noexec() check
>> * (see do_mmap()).
>> */
>> if (!(vma->vm_flags & VM_MAYEXEC)) {
>> ret = -EACCES;
>> goto err_mmap_sem;
>> }
>>
>> if (copy_from_user(dst, (void __user *)src, PAGE_SIZE)) {
>> ret = -EFAULT;
>> goto err_mmap_sem;
>> }
>>
>> return 0;
>>
>> err_mmap_sem:
>> up_read(¤t->mm->mmap_sem);
>> return ret;
>> }
>>
>> The comment about future proofing is unnecessary.
>>
>
> I'm also torn as to whether this patch is needed at all. If we ever
> get O_MAYEXEC, then enclave loaders should use it to enforce noexec in
> userspace. Otherwise I'm unconvinced it's that special.
What's a situation where we would want to allow this? Why is it
different than do_mmap()?
Powered by blists - more mailing lists