On Fri, Apr 03, 2020 at 07:35:16AM -0700, Casey Schaufler wrote: > > On 4/2/2020 11:56 PM, Jarkko Sakkinen wrote: > > On Thu, Apr 02, 2020 at 02:41:39PM -0700, Andy Lutomirski wrote: > >> On Tue, Mar 31, 2020 at 5:24 PM Sean Christopherson > >> <sean.j.christopherson@xxxxxxxxx> wrote: > >>> On Tue, Mar 31, 2020 at 10:39:38AM -0700, Andy Lutomirski wrote: > >>> > >>> If EXECMEM is a sticking point, one way to dodge it would be to add a > >>> helper to allow SELinux to detect enclave files. It'd be ugly, but simple. > >>> That doesn't solve the generic labeling issue though. It also begs the > >>> question of why hacking SELinux but not do_mmap() would be acceptable. > >>> > >>> If you have any ideas for fixing the noexec issue without resorting to an > >>> anon inode, we're all ears. > >> Hmm. Maybe teach udev to put /dev/sgx on a different fs and > >> bind-mount it? Or make /dev/sgx be an actual filesystem? Or just > >> mount /dev with exec enabled? > > I'm not forseeing how the last option could work out as it is distro's > > choice. > > > > Casey, do you think we could use securityfs for this or do you have some > > other recommendation? I'm just asking you because you've used securityfs > > a lot. > > I don't know how well securityfs works when mounted in a container, > but otherwise it would seem like a viable option. On the other hand, > pseudo filesystems are pretty easy to write, so /sys/fs/sgxfs wouldn't > be a bad choice, either. Ugh, sorry, forgot for a while that smackfs is independent fs. How does smackfs interact with namespaces? /Jarkko
