[systemd-devel] Creating executable device nodes in /dev?
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Thu Nov 19 16:32:45 UTC 2020
On Thu, Nov 19, 2020 at 08:17:08AM -0800, Andy Lutomirski wrote:
> Hi udev people-
>
> The upcoming Linux SGX driver has a device node /dev/sgx. User code
> opens it, does various setup things, mmaps it, and needs to be able to
> create PROT_EXEC mappings. This gets quite awkward if /dev is mounted
> noexec.
>
> Can udev arrange to make a device node executable on distros that make
> /dev noexec? This could be done by bind-mounting from an exec tmpfs.
> Alternatively, the kernel could probably learn to ignore noexec on
> /dev/sgx, but that seems a little bit evil.

I'd be inclined to simply drop noexec from /dev by default.
We don't do noexec on either /tmp or /dev/shm (because that causes immediate
problems with stuff like Java and cffi). And if you have those two at your
disposal anyway, having noexec on /dev doesn't seem important.

Afaik, the kernel would refuse execve() on a character or block device
anyway. Thus noexec on /dev matters only for actual binaries copied to
/dev, which requires root privileges in the first place.
Zbyszek
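The thread turns on one kernel behaviour: a file on a mount carrying the noexec flag cannot be mapped PROT_EXEC (mmap fails with EPERM), which is why a noexec /dev breaks user code that needs executable mappings of /dev/sgx. The program below is an added illustration, not code from this thread or from udev/systemd: it reports whether the mount holding a directory is noexec (via statvfs and the Linux-specific ST_NOEXEC flag) and then probes a scratch file there with a PROT_EXEC mapping, so an administrator can verify what a given mount option actually does before relying on it. The function names, the scratch-file name pattern and the default directory /dev/shm are assumptions chosen for the example.

```c
// Added example (not from the mailing-list thread): does this mount's
// noexec flag actually block PROT_EXEC mappings?  Linux-specific.
#define _GNU_SOURCE   /* for ST_NOEXEC in <sys/statvfs.h> on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Returns 1 if the filesystem containing `path` is mounted noexec,
 * 0 if it is not, and -1 (errno set) if the path cannot be queried. */
int mount_is_noexec(const char *path) {
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -1;
    return (st.f_flag & ST_NOEXEC) ? 1 : 0;
}

/* Tries to map one page of `fd` with PROT_READ|PROT_EXEC.
 * Returns 0 if the mapping succeeded, otherwise the errno from mmap
 * (EPERM is what the kernel returns on a noexec mount). */
int probe_exec_mapping(int fd) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, page);
    return 0;
}

/* Creates an unlinked one-page scratch file in `dir` (hypothetical name
 * pattern), probes it, and returns the probe result; -1 if the scratch
 * file could not be created (e.g. the directory is not writable). */
int probe_exec_mapping_in(const char *dir) {
    char tmpl[4096];
    snprintf(tmpl, sizeof tmpl, "%s/noexec-probe-XXXXXX", dir);
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    unlink(tmpl);                       /* keep no file behind */
    if (ftruncate(fd, (off_t)sysconf(_SC_PAGESIZE)) != 0) {
        close(fd);
        return -1;
    }
    int r = probe_exec_mapping(fd);
    close(fd);
    return r;
}

int main(int argc, char **argv) {
    /* Default to /dev/shm, one of the mounts the reply says is not noexec;
     * pass another directory (e.g. /dev, /tmp) to compare. */
    const char *dir = argc > 1 ? argv[1] : "/dev/shm";
    int noexec = mount_is_noexec(dir);
    int probe = probe_exec_mapping_in(dir);
    printf("%s: noexec flag=%d, PROT_EXEC mmap: %s\n", dir, noexec,
           probe == 0 ? "allowed" : probe < 0 ? "could not probe" : strerror(probe));
    return 0;
}
```

Running it against /dev on a distribution that mounts devtmpfs noexec shows `noexec flag=1` and `PROT_EXEC mmap: Operation not permitted`, which is exactly the failure the SGX user code would hit; on /dev/shm or /tmp the mapping is allowed. The probe uses an ordinary scratch file because, as the reply notes, the question is about the mount flag, not about execve() on the device node itself.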