Re: [RFC PATCH v4 08/12] security/selinux: Require SGX_MAPWX to map enclave page WX


 



On 6/19/19 6:23 PM, Sean Christopherson wrote:
Hook enclave_map() to require a new per-process capability, SGX_MAPWX,
when mapping an enclave as simultaneously writable and executable.
Note, @prot contains the actual protection bits that will be set by the
kernel, not the maximal protection bits specified by userspace when the
page was first loaded into the enclave.

Signed-off-by: Sean Christopherson <sean.j.christopherson@xxxxxxxxx>
---
  security/selinux/hooks.c            | 21 +++++++++++++++++++++
  security/selinux/include/classmap.h |  3 ++-
  2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 3ec702cf46ca..fc239e541b62 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6726,6 +6726,23 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
  }
  #endif
+#ifdef CONFIG_INTEL_SGX
+static int selinux_enclave_map(unsigned long prot)
+{
+	const struct cred *cred = current_cred();
+	u32 sid = cred_sid(cred);
+
+	/* SGX is supported only in 64-bit kernels. */
+	WARN_ON_ONCE(!default_noexec);
+
+	if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
+		return avc_has_perm(&selinux_state, sid, sid,
+				    SECCLASS_PROCESS2, PROCESS2__SGX_MAPWX,
+				    NULL);

Possibly we should use a slightly more general name for the permission to allow reusing it in the future if/when another architecture introduces a similar construct under a different branding? ENCLAVE_* seems slightly more generic than SGX_*.

I was interested in testing this code but sadly the driver reports the following on my development workstation:

[    1.644191] sgx: The launch control MSRs are not writable
[    1.695477] sgx: EPC section 0x70200000-0x75f7ffff
[    1.771760] sgx: The public key MSRs are not writable

I guess I'm out of luck until/unless I get a NUC or server class hardware that supports flexible launch control? Seems developer unfriendly.

+	return 0;
+}
+#endif
+
  struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
  	.lbs_cred = sizeof(struct task_security_struct),
  	.lbs_file = sizeof(struct file_security_struct),
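Review bot: The comment above `WARN_ON_ONCE(!default_noexec)` in selinux_enclave_map states the precondition (64-bit kernels only) but not why this hook depends on it, so a reader has to look up what default_noexec encodes before trusting the `prot & PROT_EXEC` test that follows. If default_noexec is, as elsewhere in hooks.c, the flag recording that readable mappings are not implicitly executable, then the WX test is only faithful while that flag holds, and the comment should say so rather than just naming the architecture. Suggested replacement: `/* The PROT_EXEC test below assumes read does not imply exec (default_noexec); that holds on all 64-bit kernels, the only ones SGX supports. */`. The whole function is within the hunk, so nothing else is hidden from view.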
@@ -6968,6 +6985,10 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
  	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
  	LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
  #endif
+
+#ifdef CONFIG_INTEL_SGX
+	LSM_HOOK_INIT(enclave_map, selinux_enclave_map),
+#endif
  };
static __init int selinux_init(void)
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index 201f7e588a29..cfd91e879bdf 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -51,7 +51,8 @@ struct security_class_mapping secclass_map[] = {
  	    "execmem", "execstack", "execheap", "setkeycreate",
  	    "setsockcreate", "getrlimit", NULL } },
  	{ "process2",
-	  { "nnp_transition", "nosuid_transition", NULL } },
+	  { "nnp_transition", "nosuid_transition",
+	    "sgx_mapwx", NULL } },
  	{ "system",
  	  { "ipc_info", "syslog_read", "syslog_mod",
  	    "syslog_console", "module_request", "module_load", NULL } },





