On 6/21/19 12:54 PM, Xing, Cedric wrote:
From: Christopherson, Sean J
Sent: Wednesday, June 19, 2019 3:24 PM
diff --git a/security/security.c b/security/security.c
index 613a5c00e602..03951e08bdfc 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2359,3 +2359,10 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
call_void_hook(bpf_prog_free_security, aux);
}
#endif /* CONFIG_BPF_SYSCALL */
+
+#ifdef CONFIG_INTEL_SGX
+int security_enclave_map(unsigned long prot)
+{
+ return call_int_hook(enclave_map, 0, prot);
+}
+#endif /* CONFIG_INTEL_SGX */
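Review bot: security_enclave_map() is added without a kernel-doc comment, unlike the neighbouring hook wrappers in this file; add one stating what @prot carries (the requested protection bits for the enclave page mapping) and the return convention. Also worth spelling out in that comment: the `0` passed to call_int_hook(enclave_map, 0, prot) is the default result when no LSM implements the hook, so the mapping is permitted unless a module explicitly denies it. Finally, the definition sits inside `#ifdef CONFIG_INTEL_SGX`, so non-SGX builds get no symbol from this file; confirm the header provides a matching static inline stub returning 0 so callers compile in both configurations.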
Why is this new security_enclave_map() necessary while security_mmap_file() will also be invoked?
security_mmap_file() doesn't know about enclaves. It will just end up
checking FILE__READ, FILE__WRITE, and FILE__EXECUTE to /dev/sgx/enclave.
This was noted in the patch description.