On Fri, May 17, 2019 at 01:42:50PM -0400, Stephen Smalley wrote:
> On 5/17/19 1:29 PM, Sean Christopherson wrote:
> >AIUI, having FILE__WRITE and FILE__EXECUTE on /dev/sgx/enclave would allow
> >*any* enclave/process to map EPC as RWX. Moving to anon inodes and thus
> >PROCESS__EXECMEM achieves per-process granularity.
> >
>
> No, FILE__WRITE and FILE__EXECUTE are a check between a process and a file,
> so you can ensure that only whitelisted processes are allowed both to
> /dev/sgx/enclave.

Ah, so each process has its own FILE__* permissions for a specific set of
files? Does that allow differentiating between a process making an EPC page
RWX and a process making two separate EPC pages RW and RX?
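For readers less familiar with how the two checks discussed above are expressed in policy, here is an added illustration (not part of the thread, and not policy from the kernel or refpolicy) of what the two shapes look like as SELinux type-enforcement rules. The type names `sgx_enclave_dev_t` and `enclave_runtime_t` are assumptions chosen for the illustration; the permission names `write`, `execute` and `execmem` correspond to the FILE__WRITE, FILE__EXECUTE and PROCESS__EXECMEM access vectors named in the messages.

```te
# Added illustration; type names are hypothetical.

# Shape 1: the check is between a subject domain and the device file.
# Only domains granted both write and execute on the device type may
# obtain writable+executable EPC mappings through /dev/sgx/enclave;
# any other domain is denied at the file check.
type sgx_enclave_dev_t;
allow enclave_runtime_t sgx_enclave_dev_t:chr_file { open read write execute };

# Shape 2: with anonymous inodes the file check no longer applies, and the
# decision becomes a per-domain process permission instead.
allow enclave_runtime_t self:process execmem;
```

In the first shape the policy author controls access per (domain, file type) pair, which is the "whitelisted processes" granularity described in the reply; in the second the decision is attached to the domain itself via `execmem`, which is what the earlier message calls per-process granularity. Whether either shape can tell a single RWX mapping apart from separate RW and RX mappings is exactly the open question in the last message, and the rules above do not settle it.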