On Thu, Nov 19, 2020 at 06:41:44PM +0200, Jarkko Sakkinen wrote:
As Topi (the Debian developer who did this change) stated in the thread, the threat scenario is that someone could create executable files to /dev if it isn't noexec. It's not about the permissions of device files per se.
Aha, makes sense.
The problem with anonymous inode is that LSM's cannot label it easily like you can a non-anonymous inode.
There's a patch set for secure anonymous inodes but it hasn't landed yet and I think it would make the whole security model somewhat more complicated [1].
More complicated is never good.
- You can always create a separate tmpfs and create enclave nodes and even bind mount them (proposed by Andy) to /dev.
- It would be possible (given how Topi described the threat scenario) implement "noexec_dev" mount option that would allow 'x' for dev's but not for anything else (proposed by me).
To summarize, I would not change the SGX code for this but apply either (1) and (2) when deploying SGX.
Both sound ok to me, especially 1 since you can do that now, without any changes needed.
Anything else means adding more code which for distros and people using older kernels means, more backporting and more verif.
But WTH do I know...