[RFC PATCH v4 08/12] security/selinux: Require SGX_MAPWX to map enclave page WX
Stephen Smalley
sds at tycho.nsa.gov
Tue Jun 25 20:19:35 UTC 2019
On 6/19/19 6:23 PM, Sean Christopherson wrote:
> Hook enclave_map() to require a new per-process capability, SGX_MAPWX,
> when mapping an enclave as simultaneously writable and executable.
> Note, @prot contains the actual protection bits that will be set by the
> kernel, not the maximal protection bits specified by userspace when the
> page was first loaded into the enclave.
>
> Signed-off-by: Sean Christopherson <sean.j.christopherson at intel.com>
> ---
> security/selinux/hooks.c | 21 +++++++++++++++++++++
> security/selinux/include/classmap.h | 3 ++-
> 2 files changed, 23 insertions(+), 1 deletion(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3ec702cf46ca..fc239e541b62 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6726,6 +6726,23 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
> }
> #endif
>
> +#ifdef CONFIG_INTEL_SGX
> +static int selinux_enclave_map(unsigned long prot)
> +{
> + const struct cred *cred = current_cred();
> + u32 sid = cred_sid(cred);
> +
> + /* SGX is supported only in 64-bit kernels. */
> + WARN_ON_ONCE(!default_noexec);
> +
> + if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
> + return avc_has_perm(&selinux_state, sid, sid,
> + SECCLASS_PROCESS2, PROCESS2__SGX_MAPWX,
> + NULL);
Possibly we should use a slightly more general name for the permission
to allow reusing it in the future if/when another architecture
introduces a similar construct under a different branding? ENCLAVE_*
seems slightly more generic than SGX_*.
I was interested in testing this code but sadly the driver reports the
following on my development workstation:
[ 1.644191] sgx: The launch control MSRs are not writable
[ 1.695477] sgx: EPC section 0x70200000-0x75f7ffff
[ 1.771760] sgx: The public key MSRs are not writable
I guess I'm out of luck until/unless I get a NUC or server class
hardware that supports flexible launch control? Seems developer unfriendly.
> + return 0;
> +}
> +#endif
> +
> struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
> .lbs_cred = sizeof(struct task_security_struct),
> .lbs_file = sizeof(struct file_security_struct),
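Review bot: The comment above WARN_ON_ONCE(!default_noexec) states why the assertion should hold (SGX is 64-bit only) but not what it protects: the W^X test right below reads PROT_EXEC straight from @prot, which is only authoritative when default_noexec is set, i.e. when PROT_READ does not implicitly grant execute. Suggest saying so in the comment, e.g. `/* default_noexec is always set on x86_64, the only SGX arch, so PROT_EXEC in @prot is exact. */`. Also, passing sid as both source and target against SECCLASS_PROCESS2 makes this a self permission (the policy rule is `allow <domain> self:process2 sgx_mapwx;`); the commit message only says "per-process capability", so spelling out the self semantics there would help policy authors.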
> @@ -6968,6 +6985,10 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
> LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
> #endif
> +
> +#ifdef CONFIG_INTEL_SGX
> + LSM_HOOK_INIT(enclave_map, selinux_enclave_map),
> +#endif
> };
>
> static __init int selinux_init(void)
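Review bot: The registration is guarded by the same #ifdef CONFIG_INTEL_SGX as selinux_enclave_map(), so non-SGX builds compile cleanly; the blank `+` line before the #ifdef matches the spacing of the bpf block above it. The enclave_map slot in security_hook_list is not declared in this patch, so it depends on an earlier patch in the series; the commit message should name that dependency so 08/12 is not cherry-picked on its own.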
> diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
> index 201f7e588a29..cfd91e879bdf 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -51,7 +51,8 @@ struct security_class_mapping secclass_map[] = {
> "execmem", "execstack", "execheap", "setkeycreate",
> "setsockcreate", "getrlimit", NULL } },
> { "process2",
> - { "nnp_transition", "nosuid_transition", NULL } },
> + { "nnp_transition", "nosuid_transition",
> + "sgx_mapwx", NULL } },
> { "system",
> { "ipc_info", "syslog_read", "syslog_mod",
> "syslog_console", "module_request", "module_load", NULL } },
>
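As an added illustration (not part of the patch or of this thread), here is what a policy author would see and write once this permission lands. The class and permission names come from the classmap change above and the self target follows from avc_has_perm() being called with the caller's SID as both source and target; the domain enclave_app_t, the pid, the comm and the contexts are constructed placeholders.

```text
# Constructed AVC denial for a process that maps enclave memory
# writable and executable without the new permission:
avc:  denied  { sgx_mapwx } for  pid=4242 comm="enclave_app" scontext=system_u:system_r:enclave_app_t:s0 tcontext=system_u:system_r:enclave_app_t:s0 tclass=process2 permissive=0

# Policy rule that grants it; the target is self because the hook
# checks the caller's own SID (domain name is a placeholder):
allow enclave_app_t self:process2 sgx_mapwx;
```

Because the rule is a self permission, it can be granted per domain without affecting other processes, and any domain still hitting the denial is a candidate for a W^X audit rather than a blanket allow.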