Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

From: Jarkko Sakkinen
Date: Tue Jun 04 2019 - 12:30:07 EST

Next message: Gustavo A. R. Silva: "[PATCH] afs: security: Use struct_size() in kzalloc()"
Previous message: Alexander Duyck: "Re: [RFC][Patch v10 1/2] mm: page_hinting: core infrastructure"
In reply to: Andy Lutomirski: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Next in thread: Andy Lutomirski: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote:
> Do not allow an enclave page to be mapped with PROT_EXEC if the source
> page is backed by a file on a noexec file system.
>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>

Why don't you just check in sgx_encl_add_page() that whether the path
comes from noexec and deny if SECINFO contains X?

/Jarkko

Next message: Gustavo A. R. Silva: "[PATCH] afs: security: Use struct_size() in kzalloc()"
Previous message: Alexander Duyck: "Re: [RFC][Patch v10 1/2] mm: page_hinting: core infrastructure"
In reply to: Andy Lutomirski: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Next in thread: Andy Lutomirski: "Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]