From: Topi Miettinen
Date: Tue, 08 Dec 2020 20:45:45 +0000
Subject: Re: Creating executable device nodes in /dev?
Message-Id: <0f17eade-5e99-be29-fd09-2d0a1949ac7f@gmail.com>
References: <20201119163245.GN7348@in.waw.pl>
To: Andy Lutomirski
Cc: Zbigniew Jędrzejewski-Szmek, linux-hotplug@vger.kernel.org, systemd Mailing List, Jarkko Sakkinen, Jethro Beekman, Casey Schaufler, linux-sgx@vger.kernel.org, "Svahn, Kai", "Schlobohm, Bruce", Stephen Smalley, Haitao Huang, Ben Hutchings

On 8.12.2020 20.07, Andy Lutomirski wrote:
> On Thu, Nov 19, 2020 at 10:05 AM Topi Miettinen wrote:
>>
>> On 19.11.2020 18.32, Zbigniew Jędrzejewski-Szmek wrote:
>>> On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote:
>>>> Hi udev people-
>>>>
>>>> The upcoming Linux SGX driver has a device node /dev/sgx. User code
>>>> opens it, does various setup things, mmaps it, and needs to be able to
>>>> create PROT_EXEC mappings. This gets quite awkward if /dev is mounted
>>>> noexec.
>>>>
>>>> Can udev arrange to make a device node executable on distros that make
>>>> /dev noexec? This could be done by bind-mounting from an exec tmpfs.
>>>> Alternatively, the kernel could probably learn to ignore noexec on
>>>> /dev/sgx, but that seems a little bit evil.
>>>
>>> I'd be inclined to simply drop noexec from /dev by default.
>>> We don't do noexec on either /tmp or /dev/shm (because that causes immediate
>>> problems with stuff like Java and cffi). And if you have those two at your
>>> disposal anyway, having noexec on /dev doesn't seem important.
>>
>> I'd propose to not enable exec globally, but if a service needs SGX, it
>> could use something like MountOptions=/dev:exec only in those cases
>> where it's needed. That way it's possible to disallow writable and
>> executable file systems for most services (which typically don't need
>> /tmp or /dev/shm either). Of course the opposite
>> (MountOptions=/dev:noexec) would also be possible, but I'd expect that
>> this would need to be used more often.
>>
>
> I imagine the opposite would be more sensible. It seems odd to me
> that we would want any SGX-using service to require both special mount
> options and regular ACL permissions.

How common are these SGX-using services? Will every service start using
it without any special measures taken on its behalf, or perhaps only a
special SGX control tool needs access? What about unprivileged user
applications, do they ever want to access SGX? Could something like
Widevine deep in a browser need to talk to SGX in a DRM scheme?

> As a further argument, I just did this on a Fedora system:
>
> $ find /dev -perm /ugo+x -a \! -type d -a \! -type l
>
> No results. So making /dev noexec doesn't seem to have any benefit.

It's no surprise that there aren't any executables in /dev since
removing MAKEDEV ages ago. That's not the issue, which is that /dev is a
writable directory (for UID=0 but no capabilities are needed) and thus a
potential location for constructing unapproved executables if it is also
mounted exec (W^X).

-Topi
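The two checks argued over above, as an added example that is not part of the thread and not code from systemd, udev or the SGX driver: a POSIX shell script that reads the per-mount options of a mount point from /proc/self/mountinfo to tell whether it is mounted noexec and/or read-only (so an auditor can see which of /dev, /dev/shm and /tmp are both writable and exec, the W^X condition Topi describes), plus the same find Andy ran, wrapped so it can be pointed at any directory. The function names are mine, and the mountinfo lines written by write_sample_mountinfo are constructed so the script can be exercised offline; run it with --live to inspect the real system.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd/udev: check whether a
# mount point is mounted noexec (and rw) by parsing /proc/self/mountinfo, and
# list executable entries under a directory the way the find in the thread did.
# The mountinfo lines in write_sample_mountinfo are constructed for offline use.

# mount_has_opt MOUNTPOINT OPTION [MOUNTINFO]
# Succeeds when the mount at MOUNTPOINT lists OPTION among its per-mount
# options (field 6 of mountinfo, where rw/ro, nosuid, nodev and noexec live).
# If several mounts are stacked on the same path, any of them matching counts.
mount_has_opt() {
    mp="$1"; opt="$2"; src="${3:-/proc/self/mountinfo}"
    awk -v mp="$mp" -v opt="$opt" '
        $5 == mp {
            n = split($6, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }' "$src"
}

# wx_state MOUNTPOINT [MOUNTINFO]
# Prints "MOUNTPOINT: writable=yes|no exec=yes|no" and returns 1 when the
# mount is both writable and exec, i.e. when W^X does not hold for it.
wx_state() {
    mp="$1"; src="${2:-/proc/self/mountinfo}"
    if mount_has_opt "$mp" ro "$src"; then w=no; else w=yes; fi
    if mount_has_opt "$mp" noexec "$src"; then x=no; else x=yes; fi
    printf '%s: writable=%s exec=%s\n' "$mp" "$w" "$x"
    if [ "$w" = yes ] && [ "$x" = yes ]; then return 1; fi
    return 0
}

# exec_files DIR
# Lists entries under DIR with any execute bit set, excluding directories and
# symlinks (GNU find: "-perm /mode" means "any of these bits set").
exec_files() {
    find "$1" -perm /ugo+x -a ! -type d -a ! -type l 2>/dev/null
}

# write_sample_mountinfo
# Writes a constructed mountinfo sample to a temp file and prints its path:
# /dev carries noexec, /dev/shm and /tmp are rw+exec (as in the thread),
# and / is rw+exec.
write_sample_mountinfo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
21 25 0:6 / /dev rw,nosuid,noexec,relatime shared:2 - devtmpfs devtmpfs rw,mode=755
23 21 0:22 / /dev/shm rw,nosuid,nodev shared:3 - tmpfs tmpfs rw
24 25 0:23 / /tmp rw,nosuid,nodev shared:4 - tmpfs tmpfs rw
EOF
    printf '%s\n' "$f"
}

# With --live, report the real system: which of the three locations are both
# writable and exec, and whether anything executable currently sits in /dev.
if [ "${1:-}" = "--live" ]; then
    for mp in /dev /dev/shm /tmp; do
        wx_state "$mp" || echo "  -> $mp is both writable and exec (W^X violated)"
    done
    echo "executables under /dev:"; exec_files /dev
fi
```

Two caveats a reader of the thread should keep in mind. First, noexec on a mount refuses execve() of files on it and also PROT_EXEC mmap() of those files (mmap fails with EPERM), which is exactly why /dev/sgx runs into trouble on a noexec /dev; it does not stop an interpreter from running a script stored there (sh /dev/foo), so it narrows W^X rather than closing it. Second, a process with CAP_SYS_ADMIN can remount or bind-mount /dev with exec anyway, so the option defends against unprivileged or capability-stripped UID 0 writers, which is the case Topi is describing.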