Some LSM and SGX remarks before parting of for two weeks
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Fri Jul 12 05:14:49 UTC 2019
On Fri, Jul 12, 2019 at 01:12:23PM +1000, James Morris wrote:
> On Fri, 12 Jul 2019, Jarkko Sakkinen wrote:
>
> > Before going to a two week vacation (sending v21 today), I'll make some
> > remarks on SGX and LSM's:
> >
> > 1. Currently all patch sets proposing LSM changes are missing a problem
> > statement and describe a solution to an undescribed problem.
> > 2. When speaking of SELinux I haven't seen any draft's on how would
> > define a policy module with the new constructs. Does not have to
> > be a full policy modules but more like snippets demosntrating that
> > "this would work".
> > 3. All the SELinux discussion is centered on type based policies.
> > Potentially one could isolate enclaves with some UBAC or RBAC
> > based model. That could be good first step and might not even
> > require LSM changes.
>
> Unless I misunderstand what you mean here, RBAC and UBAC in SELinux still
> require LSM hooks, and are typically integrated with Type Enforcement.
OK, I was thinking something like with normal DAC just to have SGID
for enclaves. Just learning basic SELinux concepts. Still quite alien
world to me.
/Jarkko
More information about the Linux-security-module-archive
mailing list