From: Topi Miettinen <toiwoton@gmail.com>
To: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Andy Lutomirski <luto@amacapital.net>
Cc: Jethro Beekman <jethro@fortanix.com>,
Casey Schaufler <casey@schaufler-ca.com>,
Andy Lutomirski <luto@kernel.org>,
casey.schaufler@intel.com,
Sean Christopherson <sean.j.christopherson@intel.com>,
linux-sgx@vger.kernel.org, "Svahn, Kai" <kai.svahn@intel.com>,
"Schlobohm, Bruce" <bruce.schlobohm@intel.com>,
Stephen Smalley <sds@tycho.nsa.gov>,
Haitao Huang <haitao.huang@linux.intel.com>,
ben@decadent.org.uk
Subject: Re: [PATCH 2/4] x86/sgx: Put enclaves into anonymous files
Date: Tue, 7 Apr 2020 11:48:10 +0300 [thread overview]
Message-ID: <4768f3fd-74fa-3581-5cda-8c09b4ddc3f2@gmail.com> (raw)
In-Reply-To: <20200406212434.GA34134@linux.intel.com>
On 7.4.2020 0.24, Jarkko Sakkinen wrote:
> In my opinion udev defining the whole /dev as noexec has zero technical
> merits. It is same as they would say that "we don't trust our own
> database". There are no real security benefits as long as dev nodes are
> configured correctly.
The threat is not that the device nodes would have execute permissions,
but that a malicious entity with write access to /dev would create a new
executable and run it, or rather, trick another (perhaps more privileged
or more vulnerable) entity to do so. The malicious entity does not need
any capabilities and it can be constrained by any number of typical
seccomp filters which just don't block such basic system calls as
open(), write(), [f]chmod() and close(). It simply needs to have UID 0
(possibly something else, like suitable GID could also be sufficient for
some subdirectories) and write access to /dev (or its subdirectories) in
its mount namespace.
My philosophy is that "trust" means confidence that an action will not
be done even when there's no control over it. "Control" means that it's
possible to make active decision on whether the action can or cannot be
allowed to be done. Trust in security mindset is a weak thing, control
is stronger, but the strongest case is when you don't need trust nor
control: the action simply can't ever happen because it's impossible or
always forbidden. This idea is shown in such famous principles as "least
privilege", "need to know" or compartmentalization. If the additional
privilege of exec is not needed, it should not exist.
-Topi
next prev parent reply other threads:[~2020-04-07 8:48 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-31 11:44 [PATCH 0/4] Migrate enclave mapping to an anonymous inode Jarkko Sakkinen
2020-03-31 11:44 ` [PATCH 1/4] x86/sgx: Remove PROT_NONE branch from sgx_encl_may_map() Jarkko Sakkinen
2020-03-31 11:44 ` [PATCH 2/4] x86/sgx: Put enclaves into anonymous files Jarkko Sakkinen
2020-03-31 17:39 ` Andy Lutomirski
2020-04-01 0:24 ` Sean Christopherson
2020-04-02 21:41 ` Andy Lutomirski
2020-04-03 6:56 ` Jarkko Sakkinen
2020-04-03 6:59 ` Jarkko Sakkinen
2020-04-03 14:35 ` Casey Schaufler
2020-04-03 15:30 ` Jarkko Sakkinen
2020-04-03 15:50 ` Casey Schaufler
2020-04-03 22:08 ` Jarkko Sakkinen
2020-04-04 3:54 ` Andy Lutomirski
2020-04-04 5:46 ` Jethro Beekman
2020-04-04 7:27 ` Topi Miettinen
2020-04-04 9:20 ` Jarkko Sakkinen
2020-04-06 6:42 ` Jethro Beekman
2020-04-06 11:01 ` Topi Miettinen
2020-04-06 16:44 ` Andy Lutomirski
2020-04-06 17:17 ` Jethro Beekman
2020-04-06 18:55 ` Jarkko Sakkinen
2020-04-06 19:01 ` Jarkko Sakkinen
2020-04-06 19:53 ` Andy Lutomirski
2020-04-06 21:24 ` Jarkko Sakkinen
2020-04-06 23:18 ` Andy Lutomirski
2020-04-06 23:48 ` Jarkko Sakkinen
2020-04-07 7:15 ` Jethro Beekman
2020-04-07 8:48 ` Topi Miettinen [this message]
2020-04-07 16:52 ` Jarkko Sakkinen
2020-04-07 9:04 ` Topi Miettinen
2020-04-07 16:57 ` Jarkko Sakkinen
2020-04-07 16:59 ` Jarkko Sakkinen
2020-04-07 18:04 ` Jarkko Sakkinen
2020-04-07 19:54 ` Topi Miettinen
2020-04-08 13:40 ` Jarkko Sakkinen
2020-04-08 14:56 ` Sean Christopherson
2020-04-09 18:39 ` Jarkko Sakkinen
2020-04-08 21:15 ` Topi Miettinen
2020-04-08 21:29 ` Sean Christopherson
2020-11-19 7:23 ` Jethro Beekman
2020-11-19 16:09 ` Andy Lutomirski
2020-04-06 18:47 ` Jarkko Sakkinen
2020-04-04 9:22 ` Jarkko Sakkinen
2020-04-01 8:45 ` Jarkko Sakkinen
2020-03-31 11:44 ` [PATCH 3/4] x86/sgx: Move mmap() to the anonymous enclave file Jarkko Sakkinen
2020-03-31 11:44 ` [PATCH 4/4] x86/sgx: Hand over the enclave file to the user space Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4768f3fd-74fa-3581-5cda-8c09b4ddc3f2@gmail.com \
--to=toiwoton@gmail.com \
--cc=ben@decadent.org.uk \
--cc=bruce.schlobohm@intel.com \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=haitao.huang@linux.intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=kai.svahn@intel.com \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=luto@kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=sean.j.christopherson@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).