[RFC PATCH v4 07/12] LSM: x86/sgx: Introduce ->enclave_map() hook for Intel SGX
Stephen Smalley
sds at tycho.nsa.gov
Tue Jun 25 20:48:27 UTC 2019
On 6/21/19 12:54 PM, Xing, Cedric wrote:
>> From: Christopherson, Sean J
>> Sent: Wednesday, June 19, 2019 3:24 PM
>>
>> diff --git a/security/security.c b/security/security.c
>> index 613a5c00e602..03951e08bdfc 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -2359,3 +2359,10 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux)
>> call_void_hook(bpf_prog_free_security, aux);
>> }
>> #endif /* CONFIG_BPF_SYSCALL */
>> +
>> +#ifdef CONFIG_INTEL_SGX
>> +int security_enclave_map(unsigned long prot)
>> +{
>> + return call_int_hook(enclave_map, 0, prot);
>> +}
>> +#endif /* CONFIG_INTEL_SGX */
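Review bot: the new hook receives only `prot`, so an LSM implementing enclave_map cannot tell which enclave or backing file the mapping belongs to; if per-enclave decisions are intended, pass the struct file or enclave object alongside prot, and add a kernel-doc comment above security_enclave_map() stating whether prot carries mmap PROT_* or VM_* flags, since call_int_hook(enclave_map, 0, prot) otherwise leaves that contract undocumented. The wrapper is added to security/security.c only; the prototype and the !CONFIG_SECURITY stub in include/linux/security.h are not part of this hunk and should land in the same patch so the build does not break at bisection points.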
>
> Why is this new security_enclave_map() necessary while security_mmap_file() will also be invoked?
security_mmap_file() doesn't know about enclaves. It will just end up
checking FILE__READ, FILE__WRITE, and FILE__EXECUTE to /dev/sgx/enclave.
This was noted in the patch description.