On Wed, May 15, 2019 at 07:27:02AM -0700, Andy Lutomirski wrote: > > > On May 15, 2019, at 4:00 AM, Jarkko Sakkinen <jarkko.sakkinen@xxxxxxxxxxxxxxx> wrote: > > > >> On Wed, May 15, 2019 at 01:35:31PM +0300, Jarkko Sakkinen wrote: > >> This brings me to an open question in Andy's model: lets say that we > >> change the source for SIGSTRUCT from memory address to fd. How can the > >> policy prevent the use not creating a file containing a SIGSTRUCT and > >> passing fd of that to the EINIT ioctl? > > > > The policy will presumably check the label on the file that the fd points to. Right (checked SELinux documentation). Got one idea from this. Right now creation and initialization does not require any VMAs to be created (since v20). Requiring to map a VMA for copying the data would bring in my opinion a glitch to this model that we have done effort to build up. What if we similarly change EADD ioctl in a way that it'd take an fd and an offset? This way we can enforce policy to the source where the enclave data is loaded from. On the other hand, loading SIGSTRUCT from fd enforces a legit structure for the enclave. This would still allow to construct enclaves in VMA independent way. > > Also wondering if a path would be better than plain fd for defining a > > reasonable policy i.e. have sigstruct_path as part of the ioctl > > parameters and not sigstruct_fd. > > > > It would save two syscalls at the cost of a decent amount of complexity. And also using fd gives robustness because it allows SIGSTRUCT pulled from a file containing it (among other things). /Jarkko