Thread: 67 messages, 7 authors, 2019-06-18

RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux

From: Xing, Cedric <hidden>
Date: 2019-06-14 00:31:30
Also in: lkml, selinux

> From: Christopherson, Sean J
> Sent: Thursday, June 13, 2019 4:18 PM
>
> On Thu, Jun 13, 2019 at 04:03:24PM -0700, Xing, Cedric wrote:
> > From: Stephen Smalley [mailto:sds@tycho.nsa.gov]
> > Sent: Thursday, June 13, 2019 10:02 AM
> >
> > > > My RFC series[1] implements #1.  My understanding is that Andy
> > > > (Lutomirski) prefers #2.  Cedric's RFC series implements #3.
> > > >
> > > > Perhaps the easiest way to make forward progress is to rule out the
> > > > options we absolutely *don't* want by focusing on the potentially
> > > > blocking issue with each option:
> > > >
> > > >    #1 - SGX UAPI funkiness
> > > >
> > > >    #2 - Auditing complexity, potential enclave lock contention
> > > >
> > > >    #3 - Pushing SGX details into LSMs and complexity of kernel
> > > >         implementation
> > > >
> > > > [1] https://lkml.kernel.org/r/20190606021145.12604-1-sean.j.christopherson@intel.com
> > >
> > > Given the complexity tradeoff, what is the clear motivating example for
> > > why #1 isn't the obvious choice?  That the enclave loader has no way of
> > > knowing a priori whether the enclave will require W->X or WX?  But
> > > aren't we better off requiring enclaves to be explicitly marked as
> > > needing such so that we can make a more informed decision about whether
> > > to load them in the first place?
> >
> > Are you asking this question at a) page granularity, b) file granularity or
> > c) enclave (potentially comprised of multiple executable files) granularity?
> >
> > #b is what we have on regular executable files and shared objects (i.e.
> > FILE__EXECMOD). We all know how to do that.
> >
> > #c is kind of new but could be done via some proxy file (e.g. sigstruct file)
> > hence reduced to #b.
> >
> > #a is problematic. It'd require compilers/linkers to generate such
> > information, and proper executable image file format to carry that
> > information, to be eventually picked up by the loader. SELinux doesn't have
> > PAGE__EXECMOD I guess is because it is generally considered impractical.
> >
> > Option #1 however requires #a because the driver doesn't track which page was
> > loaded from which file, otherwise it can no longer be qualified "simple". Or
> > we could just implement #c, which will make all options simpler. But I guess
> > #b is still preferred, to be aligned with what SELinux is enforcing today on
> > regular memory pages.
>
> Option #1 doesn't require (a).  The checks will happen for every page,
> but in the RFCs I sent, the policies are still attached to files and
> processes, i.e. (b).

I was talking at the UAPI level - i.e. your ioctl requires ALLOW_* at page
granularity, hence #a.
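The exchange above turns on the difference between checking every enclave page (granularity #a) and attaching policy to files and processes (granularity #b). The toy model below is an added illustration, not code from the SGX driver, SELinux, or either RFC series: it assumes, hypothetically, that the driver records which file each enclave page was loaded from, and it models the three SELinux-style grants (EXECUTE and EXECMOD on a file, EXECMEM on the process; only FILE__EXECMOD is named in the thread) as plain sets and a flag. Permission bits, file names and addresses are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Permission bits for an enclave page (constructed for this model).
R, W, X = 1, 2, 4


@dataclass
class Policy:
    """Per-file and per-process grants, modelled loosely on SELinux's
    FILE__EXECUTE / FILE__EXECMOD / PROCESS__EXECMEM. Sets hold file names."""
    file_execute: Set[str] = field(default_factory=set)
    file_execmod: Set[str] = field(default_factory=set)
    process_execmem: bool = False


@dataclass
class EnclavePage:
    """One enclave page. The driver is assumed (hypothetically) to record
    which file the page's contents came from; None marks an anonymous page
    that came from no file at all."""
    addr: int
    source_file: Optional[str]
    perms: int
    written: bool = False  # set once the page is modified after loading


def check_perms(policy: Policy, page: EnclavePage, new_perms: int) -> Tuple[bool, str]:
    """Decide whether `page` may be mapped with `new_perms`.

    The check runs per page (#a), but every decision is taken from policy
    attached to a file or to the process (#b): the split described for
    option #1 in the thread."""
    wants_x = bool(new_perms & X)
    wants_w = bool(new_perms & W)

    if not wants_x:
        return True, "no execute requested"

    if page.source_file is None:
        # Nothing on disk to hang a file label on: fall back to the
        # process-level grant, as SELinux does for anonymous memory.
        if policy.process_execmem:
            return True, "anonymous executable page allowed by EXECMEM"
        return False, "anonymous executable page requires EXECMEM"

    if page.source_file not in policy.file_execute:
        return False, f"{page.source_file}: EXECUTE not granted"

    # W->X (page was written, now wants X) and WX (wants both at once)
    # are the cases the thread calls out; both need EXECMOD on the file.
    if (wants_w or page.written) and page.source_file not in policy.file_execmod:
        return False, f"{page.source_file}: W->X or WX requires EXECMOD"

    return True, "file policy permits"


def write_page(page: EnclavePage) -> None:
    """Record a modification; refuse if the page is not currently writable."""
    if not page.perms & W:
        raise PermissionError(f"page {page.addr:#x} is not writable")
    page.written = True


def apply_perms(policy: Policy, page: EnclavePage, new_perms: int) -> str:
    """Change permissions if policy allows; raise PermissionError otherwise."""
    allowed, reason = check_perms(policy, page, new_perms)
    if not allowed:
        raise PermissionError(reason)
    page.perms = new_perms
    return reason


def demo() -> dict:
    """Run the scenarios discussed in the thread against a constructed policy."""
    policy = Policy(file_execute={"enclave.so", "jit.so"},
                    file_execmod={"jit.so"})
    results = {}

    # Code page loaded from a file with EXECUTE only: RX is fine.
    code = EnclavePage(0x1000, "enclave.so", R)
    results["rx_from_file"] = check_perms(policy, code, R | X)[0]

    # Same file, but the page was written first: W->X needs EXECMOD.
    patched = EnclavePage(0x2000, "enclave.so", R | W)
    write_page(patched)
    results["w_then_x_without_execmod"] = check_perms(policy, patched, R | X)[0]

    # A file explicitly granted EXECMOD may be mapped WX.
    jit = EnclavePage(0x3000, "jit.so", R)
    results["wx_with_execmod"] = check_perms(policy, jit, R | W | X)[0]

    # Anonymous page: no file label, so only EXECMEM can allow it.
    anon = EnclavePage(0x4000, None, R | W)
    results["anon_x_without_execmem"] = check_perms(policy, anon, R | X)[0]
    policy.process_execmem = True
    results["anon_x_with_execmem"] = check_perms(policy, anon, R | X)[0]

    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allow' if ok else 'deny'}")
```

The point the model makes concrete is the one Cedric raises: the per-page decision is only as good as the file label the driver attaches to each page. Drop `source_file` tracking and every executable page collapses into the anonymous branch, where the only remaining knob is a process-wide EXECMEM grant.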