On 4/2/2020 11:56 PM, Jarkko Sakkinen wrote: > On Thu, Apr 02, 2020 at 02:41:39PM -0700, Andy Lutomirski wrote: >> On Tue, Mar 31, 2020 at 5:24 PM Sean Christopherson >> <sean.j.christopherson@xxxxxxxxx> wrote: >>> On Tue, Mar 31, 2020 at 10:39:38AM -0700, Andy Lutomirski wrote: >>> >>> If EXECMEM is a sticking point, one way to dodge it would be to add a >>> helper to allow SELinux to detect enclave files. It'd be ugly, but simple. >>> That doesn't solve the generic labeling issue though. It also begs the >>> question of why hacking SELinux but not do_mmap() would be acceptable. >>> >>> If you have any ideas for fixing the noexec issue without resorting to an >>> anon inode, we're all ears. >> Hmm. Maybe teach udev to put /dev/sgx on a different fs and >> bind-mount it? Or make /dev/sgx be an actual filesystem? Or just >> mount /dev with exec enabled? > I'm not forseeing how the last option could work out as it is distro's > choice. > > Casey, do you think we could use securityfs for this or do you have some > other recommendation? I'm just asking you because you've used securityfs > a lot. I don't know how well securityfs works when mounted in a container, but otherwise it would seem like a viable option. On the other hand, pseudo filesystems are pretty easy to write, so /sys/fs/sgxfs wouldn't be a bad choice, either. > > /Jarkko
