lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 4 May 2021 01:37:01 +0300
From:   Jarkko Sakkinen <jarkko@...nel.org>
To:     Dave Hansen <dave.hansen@...el.com>
Cc:     Tim Gardner <tim.gardner@...onical.com>,
        dave.hansen@...ux.intel.com, shuah@...nel.org,
        linux-sgx@...r.kernel.org, linux-kselftest@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: Subject: [PATCH 0/1] SGX self test fails

On Mon, May 03, 2021 at 09:39:05AM -0700, Dave Hansen wrote:
> On 5/3/21 8:41 AM, Jarkko Sakkinen wrote:
> >> $ ls -l /dev/sgx_enclave
> >> crw------- 1 dave dave 10, 125 Apr 28 11:32 /dev/sgx_enclave
> >> $ ./test_sgx
> >> 0x0000000000000000 0x0000000000002000 0x03
> >> 0x0000000000002000 0x0000000000001000 0x05
> >> 0x0000000000003000 0x0000000000003000 0x03
> >> SUCCESS
> >>
> >> *But*, is that OK?  Should we be happily creating a PROT_EXEC mapping on
> >> a ugo-x file?  Why were we respecting noexec on the filesystem but not
> >> ugo-x on the file?
> > Yeah, this supports my earlier response:
> > 
> > "EPERM  The prot argument asks for PROT_EXEC but the mapped area
> >  belongs to a file on a filesystem that was mounted no-exec."
> > https://man7.org/linux/man-pages/man2/mmap.2.html
> > 
> > I guess the right model is to think just as "anonymous memory"
> > with equivalent access control semantics after succesfully
> > opened for read and write.
> 
> I guess I'll answer my own question: The "x" bit on file permissions
> really only controls the ability for the file to be execve()'d, but has
> no bearing on the ability for an executable *mapping* to be created.
> This is existing VFS behavior and is not specific to SGX.

Yeah, that's nicely put it into one sentence :-)

> I think I'll just send a patch to pull that warning out.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ