[RFC PATCH v4 08/12] security/selinux: Require SGX_MAPWX to map enclave page WX

Stephen Smalley sds at tycho.nsa.gov
Tue Jun 25 21:05:37 UTC 2019


On 6/21/19 1:09 PM, Xing, Cedric wrote:
>> From: Christopherson, Sean J
>> Sent: Wednesday, June 19, 2019 3:24 PM
>>
>> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
>> index 3ec702cf46ca..fc239e541b62 100644
>> --- a/security/selinux/hooks.c
>> +++ b/security/selinux/hooks.c
>> @@ -6726,6 +6726,23 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
>>   }
>>   #endif
>>
>> +#ifdef CONFIG_INTEL_SGX
>> +static int selinux_enclave_map(unsigned long prot)
>> +{
>> +	const struct cred *cred = current_cred();
>> +	u32 sid = cred_sid(cred);
>> +
>> +	/* SGX is supported only in 64-bit kernels. */
>> +	WARN_ON_ONCE(!default_noexec);
>> +
>> +	if ((prot & PROT_EXEC) && (prot & PROT_WRITE))
>> +		return avc_has_perm(&selinux_state, sid, sid,
>> +				    SECCLASS_PROCESS2, PROCESS2__SGX_MAPWX,
>> +				    NULL);
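Review bot: the avc_has_perm() call passes `sid` as both the source and the target SID against SECCLASS_PROCESS2, so PROCESS2__SGX_MAPWX is a self-permission of the calling process and, once granted, covers every enclave that process maps; a one-line comment above the call stating that the check is deliberately process-wide (there is no enclave object to key it on) would pre-empt the granularity question. The comment on `WARN_ON_ONCE(!default_noexec)` only says that SGX is 64-bit only; it should also say why `default_noexec` matters at this point, namely that the `(prot & PROT_EXEC) && (prot & PROT_WRITE)` test relies on a PROT_READ mapping not being implicitly executable, which is what `default_noexec` encodes.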
> 
> Why isn't SGX_MAPWX enclave specific but process wide?

How would you tie it to a specific enclave?  What's the object/target 
SID?  The SID of the enclave inode?  Which one?  The source vma file, 
the /dev/sgx/enclave open instance, the sigstruct file, ...?  If a 
process can map one enclave WX, what's the benefit of preventing it from 
doing likewise for any other enclave it can load?
