Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves
From: Andy Lutomirski
Date: Tue Jun 04 2019 - 16:36:32 EST
On Sun, Jun 2, 2019 at 11:29 PM Xing, Cedric <cedric.xing@xxxxxxxxx> wrote:
>
> > From: Christopherson, Sean J
> > Sent: Friday, May 31, 2019 4:32 PM
> >
> > Do not allow an enclave page to be mapped with PROT_EXEC if the source page is backed by a
> > file on a noexec file system.
> >
> > Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
> > ---
> > arch/x86/kernel/cpu/sgx/driver/ioctl.c | 26 ++++++++++++++++++++++++--
> > 1 file changed, 24 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > index c30acd3fbbdd..5f71be7cbb01 100644
> > --- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > +++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > @@ -576,6 +576,27 @@ static int __sgx_encl_add_page(struct sgx_encl *encl, unsigned long
> > addr,
> > return ret;
> > }
> >
> > +static int sgx_encl_page_protect(unsigned long src, unsigned long prot,
> > + unsigned long *allowed_prot)
> > +{
> > + struct vm_area_struct *vma;
> > +
> > + if (!(*allowed_prot & VM_EXEC))
> > + goto do_check;
> > +
> > + down_read(¤t->mm->mmap_sem);
> > + vma = find_vma(current->mm, src);
> > + if (!vma || (vma->vm_file && path_noexec(&vma->vm_file->f_path)))
> > + *allowed_prot &= ~VM_EXEC;
>
> Testing (vma->vm_flags & VM_MAYEXEC) == 0 should be a better approach.
I think I agree, although that would need a comment explaining why it works.