On Tue, Mar 31, 2020 at 5:24 PM Sean Christopherson <sean.j.christopherson@xxxxxxxxx> wrote:
>
> On Tue, Mar 31, 2020 at 10:39:38AM -0700, Andy Lutomirski wrote:
>
> If EXECMEM is a sticking point, one way to dodge it would be to add a
> helper to allow SELinux to detect enclave files. It'd be ugly, but simple.
> That doesn't solve the generic labeling issue though. It also begs the
> question of why hacking SELinux but not do_mmap() would be acceptable.
>
> If you have any ideas for fixing the noexec issue without resorting to an
> anon inode, we're all ears.

Hmm. Maybe teach udev to put /dev/sgx on a different fs and bind-mount it?
Or make /dev/sgx be an actual filesystem? Or just mount /dev with exec enabled?