On Fri, Jun 14, 2019 at 10:53:39AM -0700, Sean Christopherson wrote: > On Fri, Jun 14, 2019 at 10:45:56AM -0700, Sean Christopherson wrote: > > The state tracking of #2/#3 doesn't scare me, it's purely the auditing. > > Holding an audit message for an indeterminate amount of time is a > > nightmare. > > > > Here's a thought. What if we simply require FILE__EXECUTE or AA_EXEC_MAP > > to load any enclave page from a file? Alternatively, we could add an SGX > > specific file policity, e.g. FILE__ENCLAVELOAD and AA_MAY_LOAD_ENCLAVE. > > As in my other email, SELinux's W^X restrictions can be tied to the process, > > i.e. they can be checked at mmap()/mprotect() without throwing a wrench in > > auditing. > > We would also need to require VM_MAYEXEC on all enclave pages, or forego > enforcing path_noexec() for enclaves. Scratch that thought. Tying W^X restrictions to the process only works if its done at load time. E.g. If process A maps a page W and process B maps the same page X, then which process needs W^X depends on the order of mmap()/mprotect() between the two processes.
