[RFC PATCH v4 05/12] x86/sgx: Enforce noexec filesystem restriction for enclaves
Sean Christopherson
sean.j.christopherson at intel.com
Sun Jul 7 19:03:12 UTC 2019
On Fri, Jun 21, 2019 at 04:26:54AM +0300, Jarkko Sakkinen wrote:
> On Wed, Jun 19, 2019 at 03:23:54PM -0700, Sean Christopherson wrote:
> > Do not allow an enclave page to be mapped with PROT_EXEC if the source
> > vma does not have VM_MAYEXEC. This effectively enforces noexec as
> > do_mmap() clears VM_MAYEXEC if the vma is being loaded from a noexec
> > path, i.e. prevents executing a file by loading it into an enclave.
> >
> > Signed-off-by: Sean Christopherson <sean.j.christopherson at intel.com>
> > ---
> > arch/x86/kernel/cpu/sgx/driver/ioctl.c | 42 +++++++++++++++++++++++---
> > 1 file changed, 37 insertions(+), 5 deletions(-)
> >
> > diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > index e18d2afd2aad..1fca70a36ce3 100644
> > --- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > +++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > @@ -564,6 +564,39 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr,
> > return ret;
> > }
> >
> > +static int sgx_encl_page_copy(void *dst, unsigned long src, unsigned long prot)
>
> I will probably forget the context with this name after this has been
> merged :-) So many functions dealing with enclave pages. Two
> alternatives that come up to my mind:
>
> 1. sgx_encl_page_user_import()
> 2. sgx_encl_page_user_copy_from()
What about sgx_encl_page_copy_from_user() to align with copy_from_user()?
> Not saying that they are beatiful names but at least you immediately
> know the context.
>
> > +{
> > + struct vm_area_struct *vma;
> > + int ret;
> > +
> > + /* Hold mmap_sem across copy_from_user() to avoid a TOCTOU race. */
> > + down_read(¤t->mm->mmap_sem);
> > +
> > + /* Query vma's VM_MAYEXEC as an indirect path_noexec() check. */
> > + if (prot & PROT_EXEC) {
> > + vma = find_vma(current->mm, src);
> > + if (!vma) {
> > + ret = -EFAULT;
> > + goto out;
>
> Should this be -EINVAL instead?
copy_from_user() failure is handled via -EFAULT, this is effectively an
equivalent check.
More information about the Linux-security-module-archive
mailing list