
Revert "Change /dev to be mounted by default with /noexec" #760

Merged
merged 1 commit into from
Jan 10, 2023

Conversation

mythi
Contributor

@mythi mythi commented Jan 10, 2023

Closes: #759

This reverts commit 09d837b.

Mounting /dev with 'noexec' option triggers problems when containers try to create Intel SGX enclaves:

...
ioctl(4, SGX_IOC_ENCLAVE_ADD_PAGES, 0x7ffd38e7bf90) = 0
mmap(0x7f36d9002000, 139264, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_FIXED, 4, 0) = -1 EPERM (Operation not permitted)
close(4)
...

The issue where a device node is mmap()'d with PROT_EXEC has been discussed at length on Linux development mailing lists and with udev/systemd maintainers [1].

As a result of this conversation, systemd changed its defaults to mount /dev with 'exec' [2] and added ExecPaths= and NoExecPaths= [3] to let users control the behavior.

Change runtime-tools to follow the systemd default and to get the runtime behavior fixed for Intel SGX based confidential compute.

[1] https://lore.kernel.org/linux-sgx/CALCETrWM2rGPRudtaQ=mn9MRsrbQqFfZDkOGsBbVMsk6mMw_+A@mail.gmail.com/
[2] systemd/systemd#17940
[3] systemd/systemd#17942

Signed-off-by: Mikko Ylinen [email protected]
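The failure in the strace excerpt above is the kernel's noexec check in mmap(): any file (device nodes included) under a mount carrying the noexec option cannot be mapped with PROT_EXEC, and the call fails with EPERM before the driver ever sees it. The following is an added diagnostic, not code from runtime-tools or from this PR: it parses the /proc/self/mountinfo format to report whether a mount point (default /dev) carries noexec, and optionally reproduces the failing PROT_EXEC mapping against a path you name. The embedded mountinfo text is a constructed sample showing a /dev mounted the way the reverted commit did; the live file is read when available.

```c
/* Added example, not part of the runtime-tools project.
 * Detect a noexec mount and reproduce the mmap(PROT_EXEC) -> EPERM failure
 * that the PR description shows for Intel SGX enclave creation. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample of /proc/self/mountinfo (field order per proc(5):
 * id parent major:minor root mountpoint options ... - fstype source superopts).
 * The /dev line is what a runtime mounting /dev with noexec produces. */
static const char SAMPLE_MOUNTINFO[] =
    "22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
    "23 28 0:22 / /dev rw,nosuid,noexec,relatime - tmpfs tmpfs rw,size=65536k,mode=755\n"
    "24 28 0:23 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k\n"
    "28 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n";

/* Locate the n-th (1-based) space-separated field of the line [line, eol).
 * Returns 0 when the line has fewer than n fields. */
static int nth_field(const char *line, const char *eol, int n,
                     const char **start, size_t *len)
{
    const char *p = line;
    for (int i = 1; p < eol; i++) {
        while (p < eol && *p == ' ') p++;
        const char *q = p;
        while (q < eol && *q != ' ') q++;
        if (i == n) { *start = p; *len = (size_t)(q - p); return q > p; }
        p = q;
    }
    return 0;
}

/* Exact-token match inside a comma-separated option list of length len. */
static int has_token(const char *s, size_t len, const char *tok)
{
    size_t tl = strlen(tok);
    const char *end = s + len;
    while (s < end) {
        const char *c = memchr(s, ',', (size_t)(end - s));
        size_t n = c ? (size_t)(c - s) : (size_t)(end - s);
        if (n == tl && memcmp(s, tok, tl) == 0) return 1;
        if (!c) break;
        s = c + 1;
    }
    return 0;
}

/* Return 1 if `mountpoint` is mounted with option `opt`, 0 if mounted without
 * it, -1 if no mountinfo line has exactly that mountpoint (so "/dev" does not
 * match "/dev/shm"). Mountpoints containing escaped spaces (\040) are not
 * unescaped here. */
int mount_has_option(const char *mountinfo, const char *mountpoint, const char *opt)
{
    size_t mpl = strlen(mountpoint);
    const char *line = mountinfo;
    while (*line) {
        const char *eol = strchr(line, '\n');
        if (!eol) eol = line + strlen(line);
        const char *mp, *opts;
        size_t mpn, optn;
        if (nth_field(line, eol, 5, &mp, &mpn) && nth_field(line, eol, 6, &opts, &optn)
            && mpn == mpl && memcmp(mp, mountpoint, mpl) == 0)
            return has_token(opts, optn, opt);
        if (!*eol) break;
        line = eol + 1;
    }
    return -1;
}

/* Reproduce the failing syscall from the strace excerpt: map `path` with
 * PROT_READ|PROT_EXEC. On a noexec mount the kernel rejects this with EPERM
 * regardless of what the underlying driver would allow.
 * Returns 0 when the mapping succeeds, otherwise the errno value. */
int probe_exec_mmap(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return errno;
    void *p = mmap(NULL, 4096, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int err = (p == MAP_FAILED) ? errno : 0;
    if (p != MAP_FAILED) munmap(p, 4096);
    close(fd);
    return err;
}

int main(int argc, char **argv)
{
    const char *mp = argc > 1 ? argv[1] : "/dev";
    static char live[65536];
    const char *text = SAMPLE_MOUNTINFO;   /* fall back to the constructed sample */
    FILE *f = fopen("/proc/self/mountinfo", "r");
    if (f) {
        size_t n = fread(live, 1, sizeof live - 1, f);
        live[n] = '\0';
        fclose(f);
        text = live;
    }
    int r = mount_has_option(text, mp, "noexec");
    printf("%s: %s\n", mp,
           r == 1 ? "mounted noexec (PROT_EXEC mappings of its device nodes fail with EPERM)"
         : r == 0 ? "mounted exec"
                  : "not a mount point in mountinfo");
    if (argc > 2) {   /* e.g. ./noexec-check /dev /dev/sgx_enclave */
        int err = probe_exec_mmap(argv[2]);
        printf("mmap(PROT_EXEC) on %s: %s\n", argv[2], err ? strerror(err) : "ok");
    }
    return 0;
}
```

Run it inside a container to see which of the two defaults the runtime applied; a result of "mounted noexec" on /dev is the condition under which the enclave loader's mmap in the excerpt above returns EPERM, and the fix is the mount-option change this PR makes (or, on a systemd host, its ExecPaths= setting), not anything in the SGX driver.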
@mythi mythi requested a review from a team as a code owner January 10, 2023 06:23
@rhatdan
Contributor

rhatdan commented Jan 10, 2023

LGTM
Since systemd moved to this default, I do not see containers running differently.
@mrunalp @giuseppe @kolyshkin PTAL

Member

@giuseppe giuseppe left a comment


LGTM

Contributor

@mrunalp mrunalp left a comment


LGTM

@mrunalp mrunalp merged commit a6a0738 into opencontainers:master Jan 10, 2023
Successfully merging this pull request may close these issues.

Do not mount /dev with /noexec by default
4 participants