Revert "Change /dev to be mounted by default with /noexec" #760
Closes: #759
This reverts commit 09d837b.
Mounting /dev with 'noexec' option triggers problems when containers try to create Intel SGX enclaves:
...
ioctl(4, SGX_IOC_ENCLAVE_ADD_PAGES, 0x7ffd38e7bf90) = 0
mmap(0x7f36d9002000, 139264, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_FIXED, 4, 0) = -1 EPERM (Operation not permitted)
close(4)
...
The issue where a device node is mmap()'d with PROT_EXEC has been discussed at length on Linux development mailing lists and with udev/systemd maintainers [1].
As a result of this conversation, systemd changed its defaults to mount /dev with 'exec' [2] and added ExecPaths= and NoExecPaths= [3] to let users control the behavior.
Change runtime-tools to follow the systemd default and to get the runtime behavior fixed for Intel SGX-based confidential compute.
[1] https://lore.kernel.org/linux-sgx/CALCETrWM2rGPRudtaQ=mn9MRsrbQqFfZDkOGsBbVMsk6mMw_+A@mail.gmail.com/
[2] systemd/systemd#17940
[3] systemd/systemd#17942
Signed-off-by: Mikko Ylinen [email protected]
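Two checks a practitioner running SGX workloads would want around this change, as an added example that is not part of the pull request or of the runtime-tools code: a pre-flight check of an OCI config.json that flags a /dev mount carrying noexec (and a helper that strips it, as the revert does for the generated default), and an inside-the-container check that parses mountinfo(5) to see what the runtime actually mounted, since that is what decides whether mmap(PROT_EXEC) on a device node returns the EPERM shown in the strace above. The Mount struct is a local copy of the runtime-spec fields used here, and the config.json and mountinfo samples are constructed; the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Mount mirrors the OCI runtime-spec Mount fields used here. It is a local
// copy (assumption) so the example does not pull in the runtime-spec module.
type Mount struct {
	Destination string   `json:"destination"`
	Type        string   `json:"type,omitempty"`
	Source      string   `json:"source,omitempty"`
	Options     []string `json:"options,omitempty"`
}

// sampleConfig is a constructed config.json fragment whose /dev mount
// carries noexec, the setting this revert drops from the default.
const sampleConfig = `{
  "ociVersion": "1.0.2",
  "mounts": [
    {"destination": "/proc", "type": "proc", "source": "proc"},
    {"destination": "/dev", "type": "tmpfs", "source": "tmpfs",
     "options": ["nosuid", "noexec", "strictatime", "mode=755", "size=65536k"]}
  ]
}`

// sampleMountinfo is a constructed /proc/self/mountinfo excerpt for a
// container whose /dev is noexec (field 5 is the mount point, field 6
// the per-mount options).
const sampleMountinfo = `23 62 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 62 0:22 / /dev rw,nosuid,noexec,relatime - tmpfs tmpfs rw,size=65536k,mode=755`

// ParseMounts decodes the mounts array of an OCI config.json.
func ParseMounts(configJSON []byte) ([]Mount, error) {
	var c struct {
		Mounts []Mount `json:"mounts"`
	}
	if err := json.Unmarshal(configJSON, &c); err != nil {
		return nil, err
	}
	return c.Mounts, nil
}

func hasOption(opts []string, want string) bool {
	for _, o := range opts {
		if o == want {
			return true
		}
	}
	return false
}

// DevHasNoexec reports whether a /dev mount is present and whether it has
// noexec. With several /dev entries the last one wins (it is mounted on top).
func DevHasNoexec(mounts []Mount) (found, noexec bool) {
	for _, m := range mounts {
		if m.Destination == "/dev" {
			found = true
			noexec = hasOption(m.Options, "noexec")
		}
	}
	return found, noexec
}

// AllowExecOnDev returns a copy of mounts with noexec removed from /dev,
// keeping the other options (nosuid, mode=, size=) in order. The input
// slice is left untouched.
func AllowExecOnDev(mounts []Mount) []Mount {
	out := make([]Mount, 0, len(mounts))
	for _, m := range mounts {
		if m.Destination == "/dev" {
			kept := make([]string, 0, len(m.Options))
			for _, o := range m.Options {
				if o != "noexec" {
					kept = append(kept, o)
				}
			}
			m.Options = kept
		}
		out = append(out, m)
	}
	return out
}

// MountinfoHasNoexec scans a mountinfo(5) listing for mountPoint and reports
// whether the topmost mount there has noexec. Mount points with octal
// escapes (\040 for a space) are not decoded; /dev does not need it.
func MountinfoHasNoexec(mountinfo, mountPoint string) (found, noexec bool) {
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		if len(f) < 6 || f[4] != mountPoint {
			continue
		}
		found = true
		noexec = hasOption(strings.Split(f[5], ","), "noexec")
	}
	return found, noexec
}

func main() {
	mounts, err := ParseMounts([]byte(sampleConfig))
	if err != nil {
		fmt.Println("config.json:", err)
		os.Exit(1)
	}
	found, noexec := DevHasNoexec(mounts)
	fmt.Printf("config.json /dev: found=%v noexec=%v\n", found, noexec)
	found, noexec = DevHasNoexec(AllowExecOnDev(mounts))
	fmt.Printf("after AllowExecOnDev: found=%v noexec=%v\n", found, noexec)
	// Same check against the running system, where /proc is available.
	if data, err := os.ReadFile("/proc/self/mountinfo"); err == nil {
		found, noexec = MountinfoHasNoexec(string(data), "/dev")
		fmt.Printf("live /dev: found=%v noexec=%v\n", found, noexec)
	}
}
```

Run it inside a container to see whether the runtime honoured the exec default; a `noexec=true` on the live line is the condition under which the enclave mmap in the strace above fails, regardless of what config.json said.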