On Wed, Jun 05, 2019 at 07:11:45PM -0700, Sean Christopherson wrote: > The goal of selinux_enclave_load() is to provide a facsimile of the > existing selinux_file_mprotect() and file_map_prot_check() policies, > but tailored to the unique properties of SGX. > > For example, an enclave page is technically backed by a MAP_SHARED file, > but the "file" is essentially shared memory that is never persisted > anywhere and also requires execute permissions (for some pages). > > The basic concept is to require appropriate execute permissions on the > source of the enclave for pages that are requesting PROT_EXEC, e.g. if > an enclave page is being loaded from a regular file, require > FILE__EXECUTE and/or FILE__EXECMOND, and if it's coming from an > anonymous/private mapping, require PROCESS__EXECMEM since the process > is essentially executing from the mapping, albeit in a roundabout way. > > Note, FILE__READ and FILE__WRITE are intentionally not required even if > the source page is backed by a regular file. Writes to the enclave page > are contained to the EPC, i.e. never hit the original file, and read > permissions have already been vetted (or the VMA doesn't have PROT_READ, > in which case loading the page into the enclave will fail). > > Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx> In the end of the day, the main problem with this patch is that the existing LSM hooks are generic. I don't we can have specific hooks for proprietary hardware. /Jarkko
