Re: Subject: [PATCH 0/1] SGX self test fails

From: Jarkko Sakkinen
Date: Mon May 03 2021 - 18:41:11 EST


On Mon, May 03, 2021 at 09:39:05AM -0700, Dave Hansen wrote:
> On 5/3/21 8:41 AM, Jarkko Sakkinen wrote:
> >> $ ls -l /dev/sgx_enclave
> >> crw------- 1 dave dave 10, 125 Apr 28 11:32 /dev/sgx_enclave
> >> $ ./test_sgx
> >> 0x0000000000000000 0x0000000000002000 0x03
> >> 0x0000000000002000 0x0000000000001000 0x05
> >> 0x0000000000003000 0x0000000000003000 0x03
> >> SUCCESS
> >>
> >> *But*, is that OK? Should we be happily creating a PROT_EXEC mapping on
> >> a ugo-x file? Why were we respecting noexec on the filesystem but not
> >> ugo-x on the file?
> > Yeah, this supports my earlier response:
> >
> > "EPERM The prot argument asks for PROT_EXEC but the mapped area
> > belongs to a file on a filesystem that was mounted no-exec."
> > https://man7.org/linux/man-pages/man2/mmap.2.html
> >
> > I guess the right model is to think just as "anonymous memory"
> > with equivalent access control semantics after succesfully
> > opened for read and write.
>
> I guess I'll answer my own question: The "x" bit on file permissions
> really only controls the ability for the file to be execve()'d, but has
> no bearing on the ability for an executable *mapping* to be created.
> This is existing VFS behavior and is not specific to SGX.

Yeah, that's nicely put it into one sentence :-)

> I think I'll just send a patch to pull that warning out.

/Jarkko