On 6/21/19 1:09 PM, Xing, Cedric wrote:
From: Christopherson, Sean J Sent: Wednesday, June 19, 2019 3:24 PM diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 3ec702cf46ca..fc239e541b62 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -6726,6 +6726,23 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux) } #endif +#ifdef CONFIG_INTEL_SGX +static int selinux_enclave_map(unsigned long prot) +{ + const struct cred *cred = current_cred(); + u32 sid = cred_sid(cred); + + /* SGX is supported only in 64-bit kernels. */ + WARN_ON_ONCE(!default_noexec); + + if ((prot & PROT_EXEC) && (prot & PROT_WRITE)) + return avc_has_perm(&selinux_state, sid, sid, + SECCLASS_PROCESS2, PROCESS2__SGX_MAPWX, + NULL);Why isn't SGX_MAPWX enclave specific but process wide?
How would you tie it to a specific enclave? What's the object/target SID? The SID of the enclave inode? Which one? The source vma file, the /dev/sgx/enclave open instance, the sigstruct file, ...? If a process can map one enclave WX, what's the benefit of preventing it from doing likewise for any other enclave it can load?
