[RFC PATCH v4 05/12] x86/sgx: Enforce noexec filesystem restriction for enclaves

Fri Jun 21 01:26:54 UTC 2019

On Wed, Jun 19, 2019 at 03:23:54PM -0700, Sean Christopherson wrote:
> Do not allow an enclave page to be mapped with PROT_EXEC if the source
> vma does not have VM_MAYEXEC.  This effectively enforces noexec as
> do_mmap() clears VM_MAYEXEC if the vma is being loaded from a noexec
> path, i.e. prevents executing a file by loading it into an enclave.
> 
> Signed-off-by: Sean Christopherson <sean.j.christopherson at intel.com>
> ---
>  arch/x86/kernel/cpu/sgx/driver/ioctl.c | 42 +++++++++++++++++++++++---
>  1 file changed, 37 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> index e18d2afd2aad..1fca70a36ce3 100644
> --- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> +++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> @@ -564,6 +564,39 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr,
>  	return ret;
>  }
>  
> +static int sgx_encl_page_copy(void *dst, unsigned long src, unsigned long prot)

I will probably forget the context with this name after this has been
merged :-) So many functions dealing with enclave pages. Two
alternatives that come up to my mind:

1. sgx_encl_page_user_import()
2. sgx_encl_page_user_copy_from()

Not saying that they are beatiful names but at least you immediately
know the context.

> +{
> +	struct vm_area_struct *vma;
> +	int ret;
> +
> +	/* Hold mmap_sem across copy_from_user() to avoid a TOCTOU race. */
> +	down_read(&current->mm->mmap_sem);
> +
> +	/* Query vma's VM_MAYEXEC as an indirect path_noexec() check. */
> +	if (prot & PROT_EXEC) {
> +		vma = find_vma(current->mm, src);
> +		if (!vma) {
> +			ret = -EFAULT;
> +			goto out;

Should this be -EINVAL instead?

/Jarkko