Re: [PATCH 2/4] x86/sgx: Put enclaves into anonymous files

On 4/3/2020 8:30 AM, Jarkko Sakkinen wrote:
> On Fri, Apr 03, 2020 at 07:35:16AM -0700, Casey Schaufler wrote:
>> On 4/2/2020 11:56 PM, Jarkko Sakkinen wrote:
>>> On Thu, Apr 02, 2020 at 02:41:39PM -0700, Andy Lutomirski wrote:
>>>> On Tue, Mar 31, 2020 at 5:24 PM Sean Christopherson
>>>> <sean.j.christopherson@xxxxxxxxx> wrote:
>>>>> On Tue, Mar 31, 2020 at 10:39:38AM -0700, Andy Lutomirski wrote:
>>>>>
>>>>> If EXECMEM is a sticking point, one way to dodge it would be to add a
>>>>> helper to allow SELinux to detect enclave files.  It'd be ugly, but simple.
>>>>> That doesn't solve the generic labeling issue though.  It also begs the
>>>>> question of why hacking SELinux but not do_mmap() would be acceptable.
>>>>>
>>>>> If you have any ideas for fixing the noexec issue without resorting to an
>>>>> anon inode, we're all ears.
>>>> Hmm.  Maybe teach udev to put /dev/sgx on a different fs and
>>>> bind-mount it?  Or make /dev/sgx be an actual filesystem?  Or just
>>>> mount /dev with exec enabled?
>>> I'm not foreseeing how the last option could work out as it is distro's
>>> choice.
>>>
>>> Casey, do you think we could use securityfs for this or do you have some
>>> other recommendation? I'm just asking you because you've used securityfs
>>> a lot.
>> I don't know how well securityfs works when mounted in a container,
>> but otherwise it would seem like a viable option. On the other hand,
>> pseudo filesystems are pretty easy to write, so /sys/fs/sgxfs wouldn't
>> be a bad choice, either.
> Ugh, sorry, forgot for a while that smackfs is independent fs.
>
> How does smackfs interact with namespaces?

Smack attributes are global. Aside from privilege issues, namespaces
ignore and are ignored by Smack.

>
> /Jarkko
