[RFC PATCH v4 00/12] security: x86/sgx: SGX vs. LSM
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Wed Jul 10 22:16:38 UTC 2019
Just some questions on these.
On Tue, Jul 09, 2019 at 10:09:17AM -0700, Sean Christopherson wrote:
> - FILE__ENCLAVE_EXECUTE: equivalent to FILE__EXECUTE, required to gain X
> on an enclave page loaded from a regular file
One thing that I have hard time to perceive is that whether the process
or the target object has them. So would this be in the files extended
attribute or does process need to possess this or both?
> - PROCESS2__ENCLAVE_EXECDIRTY: hybrid of EXECMOD and EXECUTE+WRITE,
> required to gain W->X on an enclave page
Still puzzling with EXECMOD given that how it is documented in
https://selinuxproject.org/page/ObjectClassesPerms. If anything in that
document is out of date, would be nice if it was updated.
> - PROCESS2__ENCLAVE_EXECANON: subset of EXECMEM, required to gain X on
> an enclave page that is loaded from an
> anonymous mapping
>
> - PROCESS2__ENCLAVE_MAPWX: subset of EXECMEM, required to gain WX on an
> enclave page
I guess these three belong to the process and are not attached to file.
How in SELinux anyway process in the first place acquires any SELinux
permissions? I guess getty or whatever login process can set its perms
before setuid() et al somehow (I don't know how) because they run as
root?
/Jarkko
More information about the Linux-security-module-archive
mailing list