Re: Subject: [PATCH 0/1] SGX self test fails
From: Dave Hansen
Date: Mon May 03 2021 - 12:44:47 EST
On 5/3/21 8:41 AM, Jarkko Sakkinen wrote:
>> $ ls -l /dev/sgx_enclave
>> crw------- 1 dave dave 10, 125 Apr 28 11:32 /dev/sgx_enclave
>> $ ./test_sgx
>> 0x0000000000000000 0x0000000000002000 0x03
>> 0x0000000000002000 0x0000000000001000 0x05
>> 0x0000000000003000 0x0000000000003000 0x03
>> SUCCESS
>>
>> *But*, is that OK? Should we be happily creating a PROT_EXEC mapping on
>> a ugo-x file? Why were we respecting noexec on the filesystem but not
>> ugo-x on the file?
> Yeah, this supports my earlier response:
>
> "EPERM The prot argument asks for PROT_EXEC but the mapped area
> belongs to a file on a filesystem that was mounted no-exec."
> https://man7.org/linux/man-pages/man2/mmap.2.html
>
> I guess the right model is to think just as "anonymous memory"
> with equivalent access control semantics after succesfully
> opened for read and write.
I guess I'll answer my own question: The "x" bit on file permissions
really only controls the ability for the file to be execve()'d, but has
no bearing on the ability for an executable *mapping* to be created.
This is existing VFS behavior and is not specific to SGX.
I think I'll just send a patch to pull that warning out.