On 7/10/2019 8:49 AM, Sean Christopherson wrote:
On Sun, Jul 07, 2019 at 04:41:34PM -0700, Cedric Xing wrote:
selinux_enclave_init() determines if an enclave is allowed to launch, using the
criteria described earlier. This implementation does NOT accept SIGSTRUCT in
anonymous memory. The backing file is also cached in struct
file_security_struct and will serve as the base for decisions for anonymous
pages.
Did we ever reach a consensus on whether sigstruct must reside in a file?
No. We reached the opposite agreement of *not* requiring sigstruct to
reside in a file at the interface level - i.e., security_enclave_init()
takes a VMA but *not* a file struct as input.
At the implementation level, an LSM may require sigstruct to reside in a
file. But that's a per-LSM decision.
+ /* Store SIGSTRUCT file for future use */
+ if (atomic_long_cmpxchg(&fsec->encl_ss, 0, (long)src->vm_file))
+ return -EEXIST;
+
+ get_file(src->vm_file);
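Review bot: the reference on the file is taken only after the pointer has already been published. `atomic_long_cmpxchg(&fsec->encl_ss, 0, (long)src->vm_file)` makes `src->vm_file` visible to any other path that reads `fsec->encl_ss` (the comment says it is stored "for future use") before `get_file(src->vm_file)` runs, so a concurrent reader can pick up the pointer while no reference is held for it. Take the reference first and drop it on the losing path:
`get_file(src->vm_file);`
`if (atomic_long_cmpxchg(&fsec->encl_ss, 0, (long)src->vm_file)) { fput(src->vm_file); return -EEXIST; }`
A second, smaller point: storing a `struct file *` as a `long` inside an `atomic_long_t` hides the type of the field; either a short comment explaining why `encl_ss` is not declared as `struct file *` (with `cmpxchg()` on the pointer itself), or a lock-protected pointer, would make the intent clearer to the next reader.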
My understanding is that Andy is strongly against pinning a file for the
duration of the enclave, has that changed?
I think everyone including Andy prefers not to pin any files. But it's a
trade-off among code simplicity, auditing accuracy and memory
consumption. I think the latest suggestion from Stephen was to keep
files open, for SELinux. Again, that's a per-LSM decision.