[RFC PATCH v4 00/12] security: x86/sgx: SGX vs. LSM

Jarkko Sakkinen jarkko.sakkinen at linux.intel.com
Wed Jul 10 20:19:30 UTC 2019


On Tue, Jul 09, 2019 at 10:09:17AM -0700, Sean Christopherson wrote:
> On Tue, Jul 09, 2019 at 07:22:03PM +0300, Jarkko Sakkinen wrote:
> > On Mon, Jul 08, 2019 at 10:29:30AM -0700, Sean Christopherson wrote:
> > > On Fri, Jul 05, 2019 at 07:05:49PM +0300, Jarkko Sakkinen wrote:
> > > > On Wed, Jun 19, 2019 at 03:23:49PM -0700, Sean Christopherson wrote:
> > > > 
> > > > I still don't get why we need this whole mess and do not simply admit
> > > > that there are two distinct roles:
> > > > 
> > > > 1. Creator
> > > > 2. User
> > > 
> > > Because SELinux has existing concepts of EXECMEM and EXECMOD.
> > 
> > What is the official documentation for those? I've only found some
> > explanations from discussions and some RHEL sysadmin guides.
> 
> No clue.  My knowledge was gleaned from the code and from Stephen's
> feedback.

OK, thanks for elaboration. Got nailed some details I was missing :-)

Anyway, to accompany your code changes I'm eager to document this not
least because it is a good peer test that this all make sense (you
cannot "unit test" a security model so that is the next best thing).

Still, we need a documentation reference to reflect the narrative
for these changes, seriously. It cannot be that SELinux is widely
deployed and it completely lacks documentation for its basic
objects, can it?

/Jarkko



More information about the Linux-security-module-archive mailing list