On Fri, May 17, 2019 at 01:42:50PM -0400, Stephen Smalley wrote:
> On 5/17/19 1:29 PM, Sean Christopherson wrote:
> > AIUI, having FILE__WRITE and FILE__EXECUTE on /dev/sgx/enclave would allow
> > *any* enclave/process to map EPC as RWX. Moving to anon inodes and thus
> > PROCESS__EXECMEM achieves per-process granularity.
> No, FILE__WRITE and FILE__EXECUTE are a check between a process and a file,
> so you can ensure that only whitelisted processes are allowed both to
> /dev/sgx/enclave.
Ah, so each process has its own FILE__* permissions for a specific set of
files?
Does that allow differentiating between a process making an EPC page RWX
and a process making two separate EPC pages RW and RX?
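A small model of the two check paths discussed in this thread, added here as an illustration and not code from the kernel or from either participant; the domains, type names and allow rules are constructed, and the mapping from PROT_* bits to permissions is a simplification of the SELinux mmap/mprotect scheme (it ignores shared vs. private mappings, execmod and the default_noexec setting).

```python
# Simplified model (added example, not kernel code) of how SELinux checks
# a file-backed mapping of /dev/sgx/enclave versus an anonymous-inode mapping.
# Domains, types and rules below are constructed for illustration.

PROT_READ, PROT_WRITE, PROT_EXEC = 0x1, 0x2, 0x4

# Constructed allow rules: (source domain, target type, class) -> permissions.
POLICY = {
    ("sgx_loader_t", "sgx_device_t", "chr_file"): {"read", "write", "execute"},
    ("untrusted_t", "sgx_device_t", "chr_file"): {"read", "write"},
    ("sgx_loader_t", "sgx_loader_t", "process"): {"execmem"},
}


def allowed(domain, target, cls, perm):
    return perm in POLICY.get((domain, target, cls), set())


def check_file_mapping(domain, file_type, prot):
    """File-backed mapping: each PROT_* bit needs the matching FILE__*
    permission between the *process domain* and the *file type*, so the
    policy decides per (domain, file) pair who may get write and execute."""
    needed = set()
    if prot & PROT_WRITE:
        needed.add("write")
    if prot & PROT_EXEC:
        needed.add("execute")
    return all(allowed(domain, file_type, "chr_file", p) for p in needed)


def check_anon_mapping(domain, prot):
    """Anonymous-inode mapping: an executable mapping is checked as
    PROCESS__EXECMEM on the domain itself, with no file involved."""
    if prot & PROT_EXEC:
        return allowed(domain, domain, "process", "execmem")
    return True


def rwx_vs_split(domain, file_type):
    """Compare one RWX mapping with separate RW and RX mappings under the
    file-based checks; returns (rwx_allowed, split_allowed)."""
    rwx = check_file_mapping(domain, file_type, PROT_READ | PROT_WRITE | PROT_EXEC)
    split = (check_file_mapping(domain, file_type, PROT_READ | PROT_WRITE)
             and check_file_mapping(domain, file_type, PROT_READ | PROT_EXEC))
    return rwx, split
```

In this model the file-based checks are evaluated per mapping, so a domain holding both permissions passes the RW + RX case exactly as it passes the RWX case; whether the real policy should distinguish them is the question left open above.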