[RFC PATCH v4 05/12] x86/sgx: Enforce noexec filesystem restriction for enclaves

Sean Christopherson sean.j.christopherson at intel.com
Sun Jul 7 19:03:12 UTC 2019 

On Fri, Jun 21, 2019 at 04:26:54AM +0300, Jarkko Sakkinen wrote:
> On Wed, Jun 19, 2019 at 03:23:54PM -0700, Sean Christopherson wrote:
> > Do not allow an enclave page to be mapped with PROT_EXEC if the source
> > vma does not have VM_MAYEXEC.  This effectively enforces noexec as
> > do_mmap() clears VM_MAYEXEC if the vma is being loaded from a noexec
> > path, i.e. prevents executing a file by loading it into an enclave.
> > 
> > Signed-off-by: Sean Christopherson <sean.j.christopherson at intel.com>
> > ---
> >  arch/x86/kernel/cpu/sgx/driver/ioctl.c | 42 +++++++++++++++++++++++---
> >  1 file changed, 37 insertions(+), 5 deletions(-)
> > 
> > diff --git a/arch/x86/kernel/cpu/sgx/driver/ioctl.c b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > index e18d2afd2aad..1fca70a36ce3 100644
> > --- a/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > +++ b/arch/x86/kernel/cpu/sgx/driver/ioctl.c
> > @@ -564,6 +564,39 @@ static int sgx_encl_add_page(struct sgx_encl *encl, unsigned long addr,
> >  	return ret;
> >  }
> >  
> > +static int sgx_encl_page_copy(void *dst, unsigned long src, unsigned long prot)
> 
> I will probably forget the context with this name after this has been
> merged :-) So many functions dealing with enclave pages. Two
> alternatives that come up to my mind:
> 
> 1. sgx_encl_page_user_import()
> 2. sgx_encl_page_user_copy_from()

What about sgx_encl_page_copy_from_user() to align with copy_from_user()?
 
> Not saying that they are beatiful names but at least you immediately
> know the context.
> 
> > +{
> > +	struct vm_area_struct *vma;
> > +	int ret;
> > +
> > +	/* Hold mmap_sem across copy_from_user() to avoid a TOCTOU race. */
> > +	down_read(&current->mm->mmap_sem);
> > +
> > +	/* Query vma's VM_MAYEXEC as an indirect path_noexec() check. */
> > +	if (prot & PROT_EXEC) {
> > +		vma = find_vma(current->mm, src);
> > +		if (!vma) {
> > +			ret = -EFAULT;
> > +			goto out;
> 
> Should this be -EINVAL instead?

copy_from_user() failure is handled via -EFAULT, this is effectively an
equivalent check.

More information about the Linux-security-module-archive mailing list