Re: [PATCH 2/4] x86/sgx: Put enclaves into anonymous files

On Fri, Apr 03, 2020 at 08:50:08AM -0700, Casey Schaufler wrote:
> > How does smackfs interact with namespaces?
> 
> Smack attributes are global. Aside from privilege issues, namespaces
> ignore and are ignored by Smack.

Okay.

For SGX, I foresee things as:

1. Existing files are global.
2. If a policy of any kind is ever added it needs to be *per container*.
   I'm not sure whether PID or user namespace is the right choice here,
   but does not matter right now as the feature is not in the queue.

To summarize:

1. We have a heterogeneous set of files (i.e. 'enclave' and 'provision'
   are not "different sames").
2. The files probably will have heterogeneous visibility requirements.

I think, based on these premises, its own file system would be a more
decent choice than populating /dev. Besides, SGX hasn't been a driver
for a while.

Andy, what do you think of this?

/Jarkko
