Closed mythi closed 1 year ago
Since systemd changed its default, I see no reason for us not to change.
@mythi Want to open a PR?
@rhatdan yes I will submit the PR on Tue
@rhatdan wanted to check here first but I believe I should submit a podman issue about this:
I tried to try podman rootless containers with SGX and I believe it still suffers the same issue:
$ podman run -it --rm --device /dev/sgx_enclave --group-add keep-groups --workdir /opt/intel/sgx-sample-app --entrypoint /bin/bash localhost/intel/sgx-sdk-demo:devel
# mount|grep sgx_enclave
devtmpfs on /dev/sgx_enclave type devtmpfs (rw,nosuid,noexec,relatime,size=1997876k,nr_inodes=499469,mode=755)
I'm on Ubuntu 22.04 with:
$ podman version
Version: 3.4.4
API Version: 3.4.4
Go Version: go1.18.1
Built: Thu Jan 1 00:00:00 1970
OS/Arch: linux/amd64
I would prefer you try this on a much more up to date version of Podman.
ouch, sorry! I can update to the Kubic releases but they only give me 4.6.2 and noexec is still there:
$ podman version
Client: Podman Engine
Version: 4.6.2
API Version: 4.6.2
Go Version: go1.18.1
Built: Thu Jan 1 00:00:00 1970
OS/Arch: linux/amd64
$ podman run -it --rm --device /dev/sgx_enclave --group-add keep-groups --workdir /opt/intel/sgx-sample-app --entrypoint /bin/bash localhost/intel/sgx-sdk-demo:devel
root@4910ac608090:/opt/intel/sgx-sample-app# ./sgx-sample-app
Error: Unexpected error occurred.
Enter a character before exit ...
root@4910ac608090:/opt/intel/sgx-sample-app# mount|grep sgx_encl
devtmpfs on /dev/sgx_enclave type devtmpfs (rw,nosuid,noexec,relatime,size=1997876k,nr_inodes=499469,mode=755)
the fixed version of runtime-tools was pulled into podman in April, so something else triggers that
#725 added noexec to the default /dev mount options, but this triggers problems when containers try to create Intel SGX enclaves: the issue where a dev node is mmap()'d with PROT_EXEC has been discussed at length on LKML and in the systemd GitHub. systemd now allows this to be configured using ExecPaths= and NoExecPaths=, but noexec is not added by default.

I've only tested this using CRI-O, where containers with SGX enclaves cannot be launched with CRI-O v1.25+. This is the release where CRI-O pulled in #725 from runtime-tools.

/cc @rhatdan @mrunalp @haircommander
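The failure mode discussed in this issue (and the mount|grep check in the podman comments above) can be reproduced from inside a container without an SGX SDK at hand. The probe below is an added example, not code from runtime-tools, CRI-O, podman or the Intel SGX SDK. It reads the mount flags of the filesystem holding a device node with statvfs(), then attempts exactly what an SGX runtime does with the enclave device: an mmap() with PROT_EXEC. On a noexec mount the kernel's generic mmap path rejects that with EPERM before the device driver's own mmap handler is ever consulted, which is the error an SGX application ends up surfacing as "Unexpected error occurred". /dev/zero is used as the default stand-in device node so the program runs on any Linux host; on an SGX machine pass /dev/sgx_enclave as the argument (assumption: the driver may still refuse a mapping on a fresh fd for its own reasons, so the signal to look for is specifically EPERM versus anything else).

```c
// Added probe (not project code): does the mount holding a device node
// carry noexec, and what does mmap(PROT_EXEC) on that node return?
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/statvfs.h>
#include <unistd.h>

/* Returns 1 if the filesystem containing `path` is mounted noexec,
 * 0 if it is not, and -1 if the path cannot be stat'ed. */
int mount_is_noexec(const char *path)
{
    struct statvfs sv;
    if (statvfs(path, &sv) != 0)
        return -1;
    return (sv.f_flag & ST_NOEXEC) ? 1 : 0;
}

/* Map one page of `path` with PROT_EXEC, the way an SGX runtime maps the
 * enclave device. Returns 0 if the mapping succeeded, otherwise the errno
 * of the failure. EPERM is what a noexec mount produces: do_mmap() checks
 * path_noexec() and bails out before calling the driver's mmap handler. */
int probe_exec_mmap(const char *path)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return errno;

    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)page, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    int rc = (p == MAP_FAILED) ? errno : 0;

    if (p != MAP_FAILED)
        munmap(p, (size_t)page);
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    /* Default to /dev/zero so the probe runs anywhere; on an SGX host
     * run it as ./probe /dev/sgx_enclave inside the container. */
    const char *path = argc > 1 ? argv[1] : "/dev/zero";

    int noexec = mount_is_noexec(path);
    int rc = probe_exec_mmap(path);

    printf("%s: mount noexec=%d, mmap(PROT_EXEC) -> %s\n",
           path, noexec, rc == 0 ? "ok" : strerror(rc));
    if (rc == EPERM && noexec == 1)
        printf("device node sits on a noexec mount; enclave creation will fail here\n");
    return rc == 0 ? 0 : 1;
}
```

Run it in the same container where mount|grep sgx_enclave showed the noexec flag: the statvfs result confirms the mount flag independently of /proc/mounts parsing, and the EPERM from the mmap probe is the syscall-level reason the sample application cannot create its enclave.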