[RFC PATCH v3 4/4] x86/sgx: Implement SGX specific hooks in SELinux
Sean Christopherson
sean.j.christopherson at intel.com
Wed Jul 10 15:49:15 UTC 2019
On Sun, Jul 07, 2019 at 04:41:34PM -0700, Cedric Xing wrote:
> selinux_enclave_init() determines if an enclave is allowed to launch, using the
> criteria described earlier. This implementation does NOT accept SIGSTRUCT in
> anonymous memory. The backing file is also cached in struct
> file_security_struct and will serve as the base for decisions for anonymous
> pages.
Did we ever reach a consensus on whether sigstruct must reside in a file?
> + /* Store SIGSTRUCT file for future use */
> + if (atomic_long_cmpxchg(&fsec->encl_ss, 0, (long)src->vm_file))
> + return -EEXIST;
> +
> + get_file(src->vm_file);
My understanding is that Andy is strongly against pinning a file for the
duration of the enclave, has that changed?
More information about the Linux-security-module-archive
mailing list