Re: [PATCH 2/4] x86/sgx: Put enclaves into anonymous files

On Fri, Apr 03, 2020 at 09:56:32AM +0300, Jarkko Sakkinen wrote:
> On Thu, Apr 02, 2020 at 02:41:39PM -0700, Andy Lutomirski wrote:
> > On Tue, Mar 31, 2020 at 5:24 PM Sean Christopherson
> > <sean.j.christopherson@xxxxxxxxx> wrote:
> > >
> > > On Tue, Mar 31, 2020 at 10:39:38AM -0700, Andy Lutomirski wrote:
> > >
> > > If EXECMEM is a sticking point, one way to dodge it would be to add a
> > > helper to allow SELinux to detect enclave files.  It'd be ugly, but simple.
> > > That doesn't solve the generic labeling issue though.  It also begs the
> > > question of why hacking SELinux but not do_mmap() would be acceptable.
> > >
> > > If you have any ideas for fixing the noexec issue without resorting to an
> > > anon inode, we're all ears.
> > 
> > Hmm.  Maybe teach udev to put /dev/sgx on a different fs and
> > bind-mount it?  Or make /dev/sgx be an actual filesystem?  Or just
> > mount /dev with exec enabled?
> 
> I'm not foreseeing how the last option could work out as it is distro's
> choice.
> 
> Casey, do you think we could use securityfs for this or do you have some
> other recommendation? I'm just asking you because you've used securityfs
> a lot.

I'll squash 1/4 from this patch set since it is purely a fix.

/Jarkko
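An added example, not from the patch series and not from anyone in this thread, of the noexec behaviour the discussion turns on: do_mmap() refuses a PROT_EXEC mapping of a file whose mount carries the noexec flag (the check is path_noexec(), and the caller sees EPERM), which is what bites /dev/sgx when a distro mounts /dev noexec. An anonymous file is not tied to that mount, so the same mapping succeeds. memfd_create() is used here purely as a stand-in for the anon inode the patch proposes; the name "enclave-demo" and the command-line path are placeholders.

```c
/* Added example, not kernel code: contrast a PROT_EXEC mapping of a
 * path-backed file (subject to the mount's noexec flag) with the same
 * mapping of an anonymous file (memfd_create(), stand-in for the patch's
 * anon inode, which lives on an internal mount with no noexec flag). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one page of fd with PROT_READ|PROT_EXEC.
 * Returns 0 on success, otherwise the errno reported by mmap(). */
static int try_exec_map(int fd)
{
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    if (p == MAP_FAILED)
        return errno;
    munmap(p, (size_t)pg);
    return 0;
}

/* Path-backed file: if the mount is noexec, do_mmap() rejects any
 * PROT_EXEC file mapping (shared or private) with EPERM before the
 * driver's own mmap handler is even consulted. Returns 0 or an errno. */
int exec_map_path(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return errno;
    int rc = try_exec_map(fd);
    close(fd);
    return rc;
}

/* Anonymous file: memfd_create() hands back an fd on the kernel's
 * internal tmpfs mount, which carries no noexec flag, so the mapping is
 * unaffected by how /dev (or any other user-visible mount) is flagged. */
int exec_map_anon_file(void)
{
    int fd = memfd_create("enclave-demo", MFD_CLOEXEC); /* placeholder name */
    if (fd < 0)
        return errno;
    if (ftruncate(fd, sysconf(_SC_PAGESIZE)) < 0) {
        int e = errno;
        close(fd);
        return e;
    }
    int rc = try_exec_map(fd);
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    /* Pass a path on a noexec mount (e.g. a file under a noexec /dev)
     * to see EPERM on the first line; the memfd line succeeds either way. */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int rc = exec_map_path(path);
    printf("PROT_EXEC map of %s: %s\n", path, rc ? strerror(rc) : "ok");
    rc = exec_map_anon_file();
    printf("PROT_EXEC map of memfd: %s\n", rc ? strerror(rc) : "ok");
    return 0;
}
```

Note that this only exercises the mount-flag check in do_mmap(). The SELinux EXECMEM/EXECMOD question raised earlier in the thread is decided separately in the LSM mmap_file and file_mprotect hooks, and an anonymous file changes how SELinux labels the mapping rather than bypassing that check.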
