Reviewed-by: Bamvor Zhang bamvor.zhang@suse.com
在 2/18/22 4:16 PM, Laibin Qiu 写道:
From: Dave Hansen dave.hansen@linux.intel.com
mainline inclusion from mainline-v5.14-rc1 commit 4896df9d53ae5521f3ce83751e828ad70bc65c80 category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4SIGI CVE: NA
The SGX selftests can fail for a bunch of non-obvious reasons like 'noexec' permissions on /dev (which is the default *EVERYWHERE* it seems).
A new test mistakenly also looked for +x permission on the /dev/sgx_enclave. File execute permissions really only apply to the ability of execve() to work on a file, *NOT* on the ability for an application to map the file with PROT_EXEC. SGX needs to mmap(PROT_EXEC), but doesn't need to execve() the device file.
Remove the check.
Intel-SIG: commit 4896df9d53ae selftests/sgx: remove checks for file execute permissions Backport for SGX Foundations support
Fixes: 4284f7acb78b ("selftests/sgx: Improve error detection and messages") Reported-by: Tim Gardner tim.gardner@canonical.com Cc: Jarkko Sakkinen jarkko@kernel.org Cc: Reinette Chatre reinette.chatre@intel.com Cc: Dave Hansen dave.hansen@linux.intel.com Cc: Shuah Khan shuah@kernel.org Cc: linux-sgx@vger.kernel.org Cc: linux-kselftest@vger.kernel.org Cc: linux-kernel@vger.kernel.org Tested-by: Reinette Chatre reinette.chatre@intel.com Signed-off-by: Dave Hansen dave.hansen@linux.intel.com Reviewed-by: Jarkko Sakkinen jarkko@kernel.org Signed-off-by: Shuah Khan skhan@linuxfoundation.org Signed-off-by: Fan Du fan.du@intel.com #openEuler_contributor Signed-off-by: Laibin Qiu qiulaibin@huawei.com
tools/testing/selftests/sgx/load.c | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/tools/testing/selftests/sgx/load.c b/tools/testing/selftests/sgx/load.c index 00928be57fc4..3ebe5d1fe337 100644 --- a/tools/testing/selftests/sgx/load.c +++ b/tools/testing/selftests/sgx/load.c @@ -150,16 +150,6 @@ bool encl_load(const char *path, struct encl *encl) goto err; }
- /*
* This just checks if the /dev file has these permission
* bits set. It does not check that the current user is
* the owner or in the owning group.
*/
- if (!(sb.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) {
fprintf(stderr, "no execute permissions on device file %s\n", device_path);
goto err;
- }
- ptr = mmap(NULL, PAGE_SIZE, PROT_READ, MAP_SHARED, fd, 0); if (ptr == (void *)-1) { perror("mmap for read");
@@ -169,13 +159,13 @@ bool encl_load(const char *path, struct encl *encl)
#define ERR_MSG \ "mmap() succeeded for PROT_READ, but failed for PROT_EXEC.\n" \ -" Check that current user has execute permissions on %s and \n" \ -" that /dev does not have noexec set: mount | grep "/dev .*noexec"\n" \ +" Check that /dev does not have noexec set:\n" \ +" \tmount | grep "/dev .*noexec"\n" \ " If so, remount it executable: mount -o remount,exec /dev\n\n"
ptr = mmap(NULL, PAGE_SIZE, PROT_EXEC, MAP_SHARED, fd, 0); if (ptr == (void *)-1) {
fprintf(stderr, ERR_MSG, device_path);
goto err; } munmap(ptr, PAGE_SIZE);fprintf(stderr, ERR_MSG);