From: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
To: Topi Miettinen <toiwoton@gmail.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
Jethro Beekman <jethro@fortanix.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Andy Lutomirski <luto@kernel.org>,
casey.schaufler@intel.com,
Sean Christopherson <sean.j.christopherson@intel.com>,
linux-sgx@vger.kernel.org, "Svahn, Kai" <kai.svahn@intel.com>,
"Schlobohm, Bruce" <bruce.schlobohm@intel.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Haitao Huang <haitao.huang@linux.intel.com>,
ben@decadent.org.uk
Subject: Re: [PATCH 2/4] x86/sgx: Put enclaves into anonymous files
Date: Tue, 7 Apr 2020 19:52:08 +0300 [thread overview]
Message-ID: <20200407165208.GA14223@linux.intel.com> (raw)
In-Reply-To: <4768f3fd-74fa-3581-5cda-8c09b4ddc3f2@gmail.com>
On Tue, Apr 07, 2020 at 11:48:10AM +0300, Topi Miettinen wrote:
> On 7.4.2020 0.24, Jarkko Sakkinen wrote:
> > In my opinion udev defining the whole /dev as noexec has zero technical
> > merits. It is same as they would say that "we don't trust our own
> > database". There are no real security benefits as long as dev nodes are
> > configured correctly.
>
> The threat is not that the device nodes would have execute permissions, but
> that a malicious entity with write access to /dev would create a new
> executable and run it, or rather, trick another (perhaps more privileged or
> more vulnerable) entity to do so. The malicious entity does not need any
> capabilities and it can be constrained by any number of typical seccomp
> filters which just don't block such basic system calls as open(), write(),
> [f]chmod() and close(). It simply needs to have UID 0 (possibly something
> else, like suitable GID could also be sufficient for some subdirectories)
> and write access to /dev (or its subdirectories) in its mount namespace.
>
> My philosophy is that "trust" means confidence that an action will not be
> done even when there's no control over it. "Control" means that it's
> possible to make active decision on whether the action can or cannot be
> allowed to be done. Trust in security mindset is a weak thing, control is
> stronger, but the strongest case is when you don't need trust nor control:
> the action simply can't ever happen because it's impossible or always
> forbidden. This idea is shown in such famous principles as "least
> privilege", "need to know" or compartmentalization. If the additional
> privilege of exec is not needed, it should not exist.
>
> -Topi
I get the threat scenario, thanks.
The problem (as Jethro correctly pointed out) with noexec /dev is
somewhat broad.
Thank you anyway for taking time describing the threat scenario.
/Jarkko
next prev parent reply other threads:[~2020-04-07 16:52 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-31 11:44 [PATCH 0/4] Migrate enclave mapping to an anonymous inode Jarkko Sakkinen
2020-03-31 11:44 ` [PATCH 1/4] x86/sgx: Remove PROT_NONE branch from sgx_encl_may_map() Jarkko Sakkinen
2020-03-31 11:44 ` [PATCH 2/4] x86/sgx: Put enclaves into anonymous files Jarkko Sakkinen
2020-03-31 17:39 ` Andy Lutomirski
2020-04-01 0:24 ` Sean Christopherson
2020-04-02 21:41 ` Andy Lutomirski
2020-04-03 6:56 ` Jarkko Sakkinen
2020-04-03 6:59 ` Jarkko Sakkinen
2020-04-03 14:35 ` Casey Schaufler
2020-04-03 15:30 ` Jarkko Sakkinen
2020-04-03 15:50 ` Casey Schaufler
2020-04-03 22:08 ` Jarkko Sakkinen
2020-04-04 3:54 ` Andy Lutomirski
2020-04-04 5:46 ` Jethro Beekman
2020-04-04 7:27 ` Topi Miettinen
2020-04-04 9:20 ` Jarkko Sakkinen
2020-04-06 6:42 ` Jethro Beekman
2020-04-06 11:01 ` Topi Miettinen
2020-04-06 16:44 ` Andy Lutomirski
2020-04-06 17:17 ` Jethro Beekman
2020-04-06 18:55 ` Jarkko Sakkinen
2020-04-06 19:01 ` Jarkko Sakkinen
2020-04-06 19:53 ` Andy Lutomirski
2020-04-06 21:24 ` Jarkko Sakkinen
2020-04-06 23:18 ` Andy Lutomirski
2020-04-06 23:48 ` Jarkko Sakkinen
2020-04-07 7:15 ` Jethro Beekman
2020-04-07 8:48 ` Topi Miettinen
2020-04-07 16:52 ` Jarkko Sakkinen [this message]
2020-04-07 9:04 ` Topi Miettinen
2020-04-07 16:57 ` Jarkko Sakkinen
2020-04-07 16:59 ` Jarkko Sakkinen
2020-04-07 18:04 ` Jarkko Sakkinen
2020-04-07 19:54 ` Topi Miettinen
2020-04-08 13:40 ` Jarkko Sakkinen
2020-04-08 14:56 ` Sean Christopherson
2020-04-09 18:39 ` Jarkko Sakkinen
2020-04-08 21:15 ` Topi Miettinen
2020-04-08 21:29 ` Sean Christopherson
2020-11-19 7:23 ` Jethro Beekman
2020-11-19 16:09 ` Andy Lutomirski
2020-04-06 18:47 ` Jarkko Sakkinen
2020-04-04 9:22 ` Jarkko Sakkinen
2020-04-01 8:45 ` Jarkko Sakkinen
2020-03-31 11:44 ` [PATCH 3/4] x86/sgx: Move mmap() to the anonymous enclave file Jarkko Sakkinen
2020-03-31 11:44 ` [PATCH 4/4] x86/sgx: Hand over the enclave file to the user space Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200407165208.GA14223@linux.intel.com \
--to=jarkko.sakkinen@linux.intel.com \
--cc=ben@decadent.org.uk \
--cc=bruce.schlobohm@intel.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=haitao.huang@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=kai.svahn@intel.com \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=sean.j.christopherson@intel.com \
--cc=toiwoton@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.