Revert "Change /dev to be mounted by default with /noexec"

mythi · mythi · commit 0524bb2cf613 · 2023-01-10T08:22:13.000+02:00
This reverts commit 09d837b. Mounting /dev with 'noexec' option triggers problems when containers try to create Intel SGX enclaves: ... ioctl(4, SGX_IOC_ENCLAVE_ADD_PAGES, 0x7ffd38e7bf90) = 0 mmap(0x7f36d9002000, 139264, PROT_READ|PROT_EXEC, MAP_SHARED|MAP_FIXED, 4, 0) = -1 EPERM (Operation not permitted) close(4) ... The issue where a device node is mmap()'d with PROT_EXEC has been discussed in length on Linux development mailing lists and with udev/systemd maintainers [1]. As a result of this conversation, systemd changed its defaults to mount /dev with 'exec' [2] and added ExecPaths= and NoExecPaths= [3] to let users to control the behavior. Change runtime-tools to follow the systemd default and to get the runtime behavior fixed for Intel SGX based confidential compute. [1] https://lore.kernel.org/linux-sgx/CALCETrWM2rGPRudtaQ=mn9MRsrbQqFfZDkOGsBbVMsk6mMw_+A@mail.gmail.com/ [2] systemd/systemd#17940 [3] systemd/systemd#17942 Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
diff --git a/generate/generate.go b/generate/generate.go
@@ -182,7 +182,7 @@ func New(os string) (generator Generator, err error) {
 				Destination: "/dev",
 				Type:        "tmpfs",
 				Source:      "tmpfs",
-				Options:     []string{"nosuid", "noexec", "strictatime", "mode=755", "size=65536k"},
+				Options:     []string{"nosuid", "strictatime", "mode=755", "size=65536k"},
 			},
 			{
 				Destination: "/dev/pts",

Original file line number	Diff line number	Diff line change
`@@ -182,7 +182,7 @@ func New(os string) (generator Generator, err error) {`
`182`	`182`	`Destination: "/dev",`
`183`	`183`	`Type: "tmpfs",`
`184`	`184`	`Source: "tmpfs",`
`185`		`- Options: []string{"nosuid", "noexec", "strictatime", "mode=755", "size=65536k"},`
	`185`	`+ Options: []string{"nosuid", "strictatime", "mode=755", "size=65536k"},`
`186`	`186`	`},`
`187`	`187`	`{`
`188`	`188`	`Destination: "/dev/pts",`