On Thu, Jul 11, 2019 at 09:51:19AM -0400, Stephen Smalley wrote:
> I'd also feel better if there was clear consensus among all of the
> @intel.com participants that this is the right approach. To date that has
> seemed elusive.

That's a very kind way to phrase things :-)

For initial upstreaming, we've agreed that there is no need to extend the uapi, i.e. we can punt on deciding between on-the-fly tracking and having userspace specify maximal permissions until we add SGX2 support.

The last open (knock on wood) for initial upstreaming is whether SELinux would prefer to have new enclave-specific permissions or reuse the existing PROCESS__EXECMEM, FILE__EXECUTE and FILE__EXECMOD permissions. My understanding is that enclave-specific permissions are preferred.