Re: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect()

[RFC PATCH v2 0/5] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-06-06
[RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Jarkko Sakkinen <hidden> · 2019-06-10
Re: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Sean Christopherson <hidden> · 2019-06-10
RE: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Xing, Cedric <hidden> · 2019-06-10
Re: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Sean Christopherson <hidden> · 2019-06-10
RE: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Xing, Cedric <hidden> · 2019-06-10
[RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction for enclaves · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction for enclaves · Jarkko Sakkinen <hidden> · 2019-06-10
Re: [RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction for enclaves · Andy Lutomirski <luto@kernel.org> · 2019-06-10
Re: [RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction for enclaves · Stephen Smalley <hidden> · 2019-06-11
[RFC PATCH v2 4/5] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 4/5] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Stephen Smalley <hidden> · 2019-06-07
Re: [RFC PATCH v2 4/5] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-10
Re: [RFC PATCH v2 4/5] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Jarkko Sakkinen <hidden> · 2019-06-10
[RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation · Stephen Smalley <hidden> · 2019-06-07
Re: [RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation · Sean Christopherson <hidden> · 2019-06-10
Re: [RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation · Jarkko Sakkinen <hidden> · 2019-06-17
[RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Jarkko Sakkinen <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Sean Christopherson <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Jarkko Sakkinen <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Sean Christopherson <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Jarkko Sakkinen <hidden> · 2019-06-12
RE: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Xing, Cedric <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Andy Lutomirski <luto@kernel.org> · 2019-06-10
RE: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Xing, Cedric <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Andy Lutomirski <luto@amacapital.net> · 2019-06-12
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Sean Christopherson <hidden> · 2019-06-12
RE: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Xing, Cedric <hidden> · 2019-06-12
[RFC PATCH v1 0/3] security/x86/sgx: SGX specific LSM hooks · Cedric Xing <hidden> · 2019-06-10
[RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Cedric Xing <hidden> · 2019-06-10
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Stephen Smalley <hidden> · 2019-06-11
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-11
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Dr. Greg <hidden> · 2019-06-12
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-12
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Dr. Greg <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Andy Lutomirski <luto@kernel.org> · 2019-06-12
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Stephen Smalley <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Andy Lutomirski <luto@kernel.org> · 2019-06-16
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-17
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Andy Lutomirski <luto@kernel.org> · 2019-06-17
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Dr. Greg <hidden> · 2019-06-18
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Andy Lutomirski <luto@kernel.org> · 2019-06-16
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Dr. Greg <hidden> · 2019-06-14
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-11
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Stephen Smalley <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
[RFC PATCH v1 3/3] LSM/x86/sgx: Call new LSM hooks from SGX subsystem · Cedric Xing <hidden> · 2019-06-10
[RFC PATCH v1 1/3] LSM/x86/sgx: Add SGX specific LSM hooks · Cedric Xing <hidden> · 2019-06-10
Re: [RFC PATCH v1 0/3] security/x86/sgx: SGX specific LSM hooks · Jarkko Sakkinen <hidden> · 2019-06-10

From: Sean Christopherson <hidden>
Date: 2019-06-10 19:49:43
Also in: lkml, selinux

On Mon, Jun 10, 2019 at 10:47:52AM -0700, Xing, Cedric wrote:

quoted

From: Christopherson, Sean J
Sent: Monday, June 10, 2019 8:56 AM

quoted

As a result, LSM policies cannot be meaningfully applied, e.g. an
LSM can deny access to the EPC as a whole, but can't deny PROT_EXEC
on page that originated in a non-EXECUTE file (which is long gone by
the time
mprotect() is called).

I have hard time following what is paragraph is trying to say.

quoted

By hooking mprotect(), SGX can make explicit LSM upcalls while an
enclave is being built, i.e. when the kernel has a handle to origin
of each enclave page, and enforce the result of the LSM policy
whenever userspace maps the enclave page in the future.

"LSM policy whenever calls mprotect()"? I'm no sure why you mean by
mapping here and if there is any need to talk about future. Isn't this
needed now?

Future is referring to the timeline of a running kernel, not the future
of the kernel code.

Rather than trying to explain all of the above with words, I'll provide
code examples to show how ->may_protect() will be used by SGX and why it
is the preferred solution.

The LSM concept is to separate security policy enforcement from the rest of
the kernel. For modules, the "official" way is to use VM_MAY* flags to limit
allowable permissions, while LSM uses security_file_mprotect().
I guess that's why we didn't have .may_mprotect() in the first place.

Heh, so I've typed up about five different responses to this comment.  In
doing so, I think I've convinced myself that ->may_mprotect() is
unnecessary.  Rther than hook mprotect(), simply update the VM_MAY* flags
during mmap(), with all bits cleared if there isn't an associated enclave
page.  IIRC, the need to add ->may_protect() came about when we were
exploring more dynamic interplay between SGX and LSMs.

What you are doing is enforcing some security policy outside of LSM, which
is dirty from architecture perspective.

No, the enclave page protections are enforced regardless of LSM policy,
and in v2 those protections are immutable.  Yes, the explicit enclave
page protection bits are being added primarily for LSMs, but they don't
impact functionality other than at the security_enclave_load() touchpoint.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help