[RFC PATCH v3 4/4] x86/sgx: Implement SGX specific hooks in SELinux

Xing, Cedric cedric.xing at intel.com
Wed Jul 10 17:54:54 UTC 2019


On 7/10/2019 8:49 AM, Sean Christopherson wrote:
> On Sun, Jul 07, 2019 at 04:41:34PM -0700, Cedric Xing wrote:
>> selinux_enclave_init() determines if an enclave is allowed to launch, using the
>> criteria described earlier. This implementation does NOT accept SIGSTRUCT in
>> anonymous memory. The backing file is also cached in struct
>> file_security_struct and will serve as the base for decisions for anonymous
>> pages.
> 
> Did we ever reach a consensus on whether sigstruct must reside in a file?

No. We reached the opposite agreement of *not* requiring sigstruct to 
reside in a file at the interface level - i.e., security_enclave_init() 
takes a VMA but *not* a file struct as input.

At the implementation level, an LSM may require sigstruct to reside in a 
file. But that's a per-LSM decision.

>> +	/* Store SIGSTRUCT file for future use */
>> +	if (atomic_long_cmpxchg(&fsec->encl_ss, 0, (long)src->vm_file))
>> +		return -EEXIST;
>> +
>> +	get_file(src->vm_file);
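Review bot: the cmpxchg publishes src->vm_file in fsec->encl_ss before get_file() takes the reference, so a concurrent reader of encl_ss can observe a struct file pointer that no reference is yet held for; taking the reference first (get_file(src->vm_file) ahead of the cmpxchg, with fput(src->vm_file) on the -EEXIST path) closes that window. A short comment on why the pointer is stored as a long in an atomic_long_t, and on where the matching fput() happens when the file_security_struct is torn down, would also help, since this is the point at which the SIGSTRUCT file becomes pinned for the life of the enclave.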
> 
> My understanding is that Andy is strongly against pinning a file for the
> duration of the enclave, has that changed?

I think everyone including Andy prefers not to pin any files. But it's a 
trade-off among code simplicity, auditing accuracy and memory 
consumption. I think the latest suggestion from Stephen was to keep 
files open, for SELinux. Again, that's a per-LSM decision.
