Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

2019-06-05 Thread Sean Christopherson
On Wed, Jun 05, 2019 at 06:10:18PM +0300, Jarkko Sakkinen wrote: > On Tue, Jun 04, 2019 at 01:25:10PM -0700, Andy Lutomirski wrote: > > On Tue, Jun 4, 2019 at 9:26 AM Jarkko Sakkinen > > wrote: > > > > > > On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote: > > > > Do not allow

Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

2019-06-05 Thread Jarkko Sakkinen
On Tue, Jun 04, 2019 at 01:25:10PM -0700, Andy Lutomirski wrote: > On Tue, Jun 4, 2019 at 9:26 AM Jarkko Sakkinen > wrote: > > > > On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote: > > > Do not allow an enclave page to be mapped with PROT_EXEC if the source > > > page is backed

RE: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

2019-06-04 Thread Xing, Cedric
> From: Andy Lutomirski [mailto:l...@kernel.org] > Sent: Tuesday, June 04, 2019 1:25 PM > To: Jarkko Sakkinen > > On Tue, Jun 4, 2019 at 9:26 AM Jarkko Sakkinen > wrote: > > > > On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote: > > > Do not allow an enclave page to be mapped

Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

2019-06-04 Thread Sean Christopherson
On Tue, Jun 04, 2019 at 01:25:10PM -0700, Andy Lutomirski wrote: > On Tue, Jun 4, 2019 at 9:26 AM Jarkko Sakkinen > wrote: > > > > On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote: > > > Do not allow an enclave page to be mapped with PROT_EXEC if the source > > > page is backed

Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

2019-06-04 Thread Andy Lutomirski
On Sun, Jun 2, 2019 at 11:29 PM Xing, Cedric wrote: > > > From: Christopherson, Sean J > > Sent: Friday, May 31, 2019 4:32 PM > > > > Do not allow an enclave page to be mapped with PROT_EXEC if the source page > > is backed by a > > file on a noexec file system. > > > > Signed-off-by: Sean

Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

2019-06-04 Thread Andy Lutomirski
On Tue, Jun 4, 2019 at 9:26 AM Jarkko Sakkinen wrote: > > On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote: > > Do not allow an enclave page to be mapped with PROT_EXEC if the source > > page is backed by a file on a noexec file system. > > > > Signed-off-by: Sean

Re: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

2019-06-04 Thread Jarkko Sakkinen
On Fri, May 31, 2019 at 04:31:57PM -0700, Sean Christopherson wrote: > Do not allow an enclave page to be mapped with PROT_EXEC if the source > page is backed by a file on a noexec file system. > > Signed-off-by: Sean Christopherson Why don't you just check in sgx_encl_add_page() that whether

RE: [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

2019-06-03 Thread Xing, Cedric
> From: Christopherson, Sean J > Sent: Friday, May 31, 2019 4:32 PM > > Do not allow an enclave page to be mapped with PROT_EXEC if the source page > is backed by a > file on a noexec file system. > > Signed-off-by: Sean Christopherson > --- > arch/x86/kernel/cpu/sgx/driver/ioctl.c | 26

[RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves

2019-05-31 Thread Sean Christopherson
Do not allow an enclave page to be mapped with PROT_EXEC if the source page is backed by a file on a noexec file system. Signed-off-by: Sean Christopherson --- arch/x86/kernel/cpu/sgx/driver/ioctl.c | 26 -- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git