Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux

[RFC PATCH v2 0/5] security: x86/sgx: SGX vs. LSM · Sean Christopherson <hidden> · 2019-06-06
[RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Jarkko Sakkinen <hidden> · 2019-06-10
Re: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Sean Christopherson <hidden> · 2019-06-10
RE: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Xing, Cedric <hidden> · 2019-06-10
Re: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Sean Christopherson <hidden> · 2019-06-10
RE: [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() · Xing, Cedric <hidden> · 2019-06-10
[RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction for enclaves · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction for enclaves · Jarkko Sakkinen <hidden> · 2019-06-10
Re: [RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction for enclaves · Andy Lutomirski <luto@kernel.org> · 2019-06-10
Re: [RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction for enclaves · Stephen Smalley <hidden> · 2019-06-11
[RFC PATCH v2 4/5] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 4/5] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Stephen Smalley <hidden> · 2019-06-07
Re: [RFC PATCH v2 4/5] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Sean Christopherson <hidden> · 2019-06-10
Re: [RFC PATCH v2 4/5] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX · Jarkko Sakkinen <hidden> · 2019-06-10
[RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation · Stephen Smalley <hidden> · 2019-06-07
Re: [RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation · Sean Christopherson <hidden> · 2019-06-10
Re: [RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation · Jarkko Sakkinen <hidden> · 2019-06-17
[RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Sean Christopherson <hidden> · 2019-06-06
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Jarkko Sakkinen <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Sean Christopherson <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Jarkko Sakkinen <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Sean Christopherson <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Jarkko Sakkinen <hidden> · 2019-06-12
RE: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Xing, Cedric <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Andy Lutomirski <luto@kernel.org> · 2019-06-10
RE: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Xing, Cedric <hidden> · 2019-06-10
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Andy Lutomirski <luto@amacapital.net> · 2019-06-12
Re: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Sean Christopherson <hidden> · 2019-06-12
RE: [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits · Xing, Cedric <hidden> · 2019-06-12
[RFC PATCH v1 0/3] security/x86/sgx: SGX specific LSM hooks · Cedric Xing <hidden> · 2019-06-10
[RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Cedric Xing <hidden> · 2019-06-10
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Stephen Smalley <hidden> · 2019-06-11
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-11
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Dr. Greg <hidden> · 2019-06-12
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-12
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Dr. Greg <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Andy Lutomirski <luto@kernel.org> · 2019-06-12
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Stephen Smalley <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Andy Lutomirski <luto@kernel.org> · 2019-06-16
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-17
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Andy Lutomirski <luto@kernel.org> · 2019-06-17
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Dr. Greg <hidden> · 2019-06-18
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Andy Lutomirski <luto@kernel.org> · 2019-06-16
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Dr. Greg <hidden> · 2019-06-14
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-11
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Stephen Smalley <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
RE: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Xing, Cedric <hidden> · 2019-06-13
Re: [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux · Sean Christopherson <hidden> · 2019-06-14
[RFC PATCH v1 3/3] LSM/x86/sgx: Call new LSM hooks from SGX subsystem · Cedric Xing <hidden> · 2019-06-10
[RFC PATCH v1 1/3] LSM/x86/sgx: Add SGX specific LSM hooks · Cedric Xing <hidden> · 2019-06-10
Re: [RFC PATCH v1 0/3] security/x86/sgx: SGX specific LSM hooks · Jarkko Sakkinen <hidden> · 2019-06-10

From: Sean Christopherson <hidden>
Date: 2019-06-14 00:38:02
Also in: lkml, selinux

On Thu, Jun 13, 2019 at 02:00:29PM -0400, Stephen Smalley wrote:

On 6/11/19 6:55 PM, Xing, Cedric wrote:

quoted

*_noaudit() is exactly what I wanted. But I couldn't find
selinux_file_mprotect_noaudit()/file_has_perm_noaudit(), and I'm reluctant
to duplicate code. Any suggestions?

I would have no objection to adding _noaudit() variants of these, either
duplicating code (if sufficiently small/simple) or creating a common helper
with a bool audit flag that gets used for both. But the larger issue would
be to resolve how to ultimately ensure that a denial is audited later if the
denied permission is actually requested and blocked via sgxsec_mprotect().

I too would like to see a solution to the auditing issue.  I wrongly
assumed Cedric's approach (option #3) didn't suffer the same auditing
problem as Andy's dynamic tracking proposal (option #2).  After reading
through the code more carefully (trying to steal ideas to finish off an
implementation of #2), I've come to realize options #2 (Andy) and #3
(Cedric) are basically identical concepts, the only difference being who
tracks state.

We can use the f_security blob sizes to identify which LSM denied
something, but I haven't the faintest idea how to track the auditing
information in a sane fashion.  We'd basically have to do a deep copy on
struct common_audit_data, or pre-generate and store the audit message.
For SELinux, a deep copy is somewhat feasible because selinux_audit_data
distills everything down to basic types.  AppArmor on the other hand has
'struct aa_label *label', which at a glance all but requires pre-generating
the audit message, and since AppArmor logs denials from every profile, it's 
possible the "sgx audit blob" will consume a non-trivial amount of data.

Even if we figure out a way to store the audit messages without exploding
memory consumption or making things horrendously complex, we still have a
problem of reporting state info.  Any number of things could be removed or
modified by the time the audit is actually triggered, e.g. files removed,
AppArmor profiles modified, etc...  Any such change means we're logging
garbage.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help