From: Sean Christopherson <sean.j.christopherson@intel.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: "Xing, Cedric" <cedric.xing@intel.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
Andy Lutomirski <luto@kernel.org>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
LSM List <linux-security-module@vger.kernel.org>,
Paul Moore <paul@paul-moore.com>,
Eric Paris <eparis@parisplace.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
Jethro Beekman <jethro@fortanix.com>,
"Hansen, Dave" <dave.hansen@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
"linux-sgx@vger.kernel.org" <linux-sgx@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>,
"nhorman@redhat.com" <nhorman@redhat.com>,
"npmccallum@redhat.com" <npmccallum@redhat.com>,
"Ayoun, Serge" <serge.ayoun@intel.com>,
"Katz-zamir, Shay" <shay.katz-zamir@intel.com>,
"Huang, Haitao" <haitao.huang@intel.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
"Svahn, Kai" <kai.svahn@intel.com>,
Borislav Petkov <bp@alien8.de>,
Josh Triplett <josh@joshtriplett.org>,
"Huang, Kai" <kai.huang@intel.com>,
David Rientjes <rientjes@google.com>,
"Roberts, William C" <william.c.roberts@intel.com>,
"Tricca, Philip B" <philip.b.tricca@intel.com>
Subject: Re: [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM
Date: Tue, 4 Jun 2019 09:30:50 -0700 [thread overview]
Message-ID: <20190604163050.GA32350@linux.intel.com> (raw)
In-Reply-To: <10a49f97-b3be-ed09-2821-68157f01aebe@tycho.nsa.gov>
On Tue, Jun 04, 2019 at 11:33:44AM -0400, Stephen Smalley wrote:
> The RFC series seemed to dispense with the use of the sigstruct file and
> just used the source file throughout IIUC. That allowed for reuse of
> FILE__* permissions without ambiguity rather than introducing separate
> ENCLAVE__* permissions or using /dev/sgx/enclave inode as the target of all
> checks.
Drat, I meant to explicitly call that out in the cover letter. Yes, the
concept of using sigstruct as a proxy was dropped for this RFC. The
primary motivation was to avoid having to take a hold a reference to the
sigstruct file for the lifetime of the enclave, and in general so that
userspace isn't forced to put sigstruct into a file.
> Regardless, IIUC, your approach requires that we always check FILE__EXECMOD,
> and FILE__EXECUTE up front during security_enclave_load() irrespective of
> prot so that we can save the result in the f_security for later use by the
> mprotect hook.
Correct, this approach requires up front checks.
> This may generate many spurious audit messages for cases
> where PROT_EXEC will never be requested, and users will be prone to just
> always allowing it since they cannot tell when it was actually needed.
Userspace will be able to understand when PROT_EXEC is actually needed
as mprotect() will (eventually) fail. Of course that assumes userspace
is being intelligent and isn't blindly declaring permissions they don't
need, e.g. declaring RWX on all pages even though the enclave never
actually maps a RWX or RW->RX page.
One thought for handling this in a more user friendly fashion would be
to immediately return -EACCES instead of modifying @allowed_prot. An
enclave that truly needs the permission would fail immediately.
An enclave loader that wants/needs to speculatively declare PROT_EXEC,
e.g. because the exact requirements of the enclave are unknown, could
handle -EACCESS gracefully by retrying the SGX ioctl() with different
@allowed_prot, e.g.:
region.flags = SGX_ALLOW_READ | SGX_ALLOW_WRITE | SGX_ALLOW_EXEC;
ret = ioctl(fd, SGX_IOC_ENCLAVE_ADD_REGION, ®ion);
if (ret && errno == EACCES && !(prot & PROT_EXEC)) {
region.flags &= ~SGX_ALLOW_EXEC;
ret = ioctl(fd, SGX_IOC_ENCLAVE_ADD_REGION, ®ion);
}
This type of enclave loader would still generate spurious audit messages,
but the spurious messages would be limited to enclave loaders that are
deliberately probing the allowed permissions.
> >The noexec case should be addressed in IOC_ADD_PAGES by testing
> >@source_vma->vm_flags & VM_MAYEXEC.
> >
> >>
> >>>* In hook security_file_free(), if @file is an enclave, free storage
> >>> allocated for WRITTEN flags.
>
next prev parent reply other threads:[~2019-06-04 16:30 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-31 23:31 [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM Sean Christopherson
2019-05-31 23:31 ` [RFC PATCH 1/9] x86/sgx: Remove unused local variable in sgx_encl_release() Sean Christopherson
2019-06-04 11:41 ` Jarkko Sakkinen
2019-05-31 23:31 ` [RFC PATCH 2/9] x86/sgx: Do not naturally align MAP_FIXED address Sean Christopherson
2019-06-04 11:49 ` Jarkko Sakkinen
2019-06-04 20:16 ` Andy Lutomirski
2019-06-04 22:10 ` Xing, Cedric
2019-06-05 14:08 ` Sean Christopherson
2019-06-05 15:17 ` Jarkko Sakkinen
2019-06-05 20:14 ` Andy Lutomirski
2019-06-06 15:37 ` Jarkko Sakkinen
2019-06-13 13:48 ` Jarkko Sakkinen
2019-06-13 16:47 ` Xing, Cedric
2019-06-13 17:14 ` Sean Christopherson
2019-06-14 15:18 ` Jarkko Sakkinen
2019-06-05 15:15 ` Jarkko Sakkinen
2019-05-31 23:31 ` [RFC PATCH 3/9] x86/sgx: Allow userspace to add multiple pages in single ioctl() Sean Christopherson
2019-06-03 6:26 ` Xing, Cedric
2019-06-03 20:08 ` Sean Christopherson
2019-06-03 20:39 ` Sean Christopherson
2019-06-03 23:45 ` Xing, Cedric
2019-06-04 0:54 ` Sean Christopherson
2019-06-04 20:18 ` Andy Lutomirski
2019-06-04 22:02 ` Xing, Cedric
2019-06-03 20:14 ` Dave Hansen
2019-06-03 20:37 ` Sean Christopherson
2019-06-03 20:39 ` Dave Hansen
2019-06-03 23:48 ` Xing, Cedric
2019-06-04 0:55 ` Sean Christopherson
2019-06-04 11:55 ` Jarkko Sakkinen
2019-05-31 23:31 ` [RFC PATCH 4/9] mm: Introduce vm_ops->mprotect() Sean Christopherson
2019-06-03 6:27 ` Xing, Cedric
2019-06-04 12:24 ` Jarkko Sakkinen
2019-06-04 14:51 ` Andy Lutomirski
2019-05-31 23:31 ` [RFC PATCH 5/9] x86/sgx: Restrict mapping without an enclave page to PROT_NONE Sean Christopherson
2019-06-03 6:28 ` Xing, Cedric
2019-06-04 15:32 ` Jarkko Sakkinen
2019-05-31 23:31 ` [RFC PATCH 6/9] x86/sgx: Require userspace to provide allowed prots to ADD_PAGES Sean Christopherson
2019-06-03 6:28 ` Xing, Cedric
2019-06-04 16:23 ` Jarkko Sakkinen
2019-06-04 16:45 ` Sean Christopherson
2019-06-05 15:06 ` Jarkko Sakkinen
2019-06-04 20:23 ` Andy Lutomirski
2019-06-05 11:10 ` Ayoun, Serge
2019-06-05 23:58 ` Sean Christopherson
2019-05-31 23:31 ` [RFC PATCH 7/9] x86/sgx: Enforce noexec filesystem restriction for enclaves Sean Christopherson
2019-06-03 6:29 ` Xing, Cedric
2019-06-04 20:26 ` Andy Lutomirski
2019-06-04 16:25 ` Jarkko Sakkinen
2019-06-04 20:25 ` Andy Lutomirski
2019-06-04 20:34 ` Sean Christopherson
2019-06-04 21:54 ` Xing, Cedric
2019-06-05 15:10 ` Jarkko Sakkinen
2019-06-06 1:01 ` Sean Christopherson
2019-05-31 23:31 ` [RFC PATCH 8/9] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX Sean Christopherson
2019-06-03 6:28 ` Xing, Cedric
2019-06-03 14:19 ` Stephen Smalley
2019-06-03 14:42 ` Sean Christopherson
2019-06-03 18:38 ` Stephen Smalley
2019-06-03 18:45 ` Dave Hansen
2019-06-04 20:29 ` Andy Lutomirski
2019-06-04 20:36 ` Sean Christopherson
2019-06-04 21:43 ` Xing, Cedric
2019-06-06 2:04 ` Sean Christopherson
2019-05-31 23:31 ` [RFC PATCH 9/9] security/selinux: Add enclave_load() implementation Sean Christopherson
2019-06-03 15:01 ` Stephen Smalley
2019-06-03 15:50 ` Sean Christopherson
2019-06-02 7:29 ` [RFC PATCH 0/9] security: x86/sgx: SGX vs. LSM Xing, Cedric
2019-06-03 17:15 ` Sean Christopherson
2019-06-03 18:30 ` Xing, Cedric
2019-06-04 1:36 ` Sean Christopherson
2019-06-04 15:33 ` Stephen Smalley
2019-06-04 16:30 ` Sean Christopherson [this message]
2019-06-04 21:38 ` Xing, Cedric
2019-06-03 17:47 ` Stephen Smalley
2019-06-03 18:02 ` Xing, Cedric
2019-06-04 11:15 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190604163050.GA32350@linux.intel.com \
--to=sean.j.christopherson@intel.com \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bp@alien8.de \
--cc=cedric.xing@intel.com \
--cc=dave.hansen@intel.com \
--cc=eparis@parisplace.org \
--cc=haitao.huang@intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=jmorris@namei.org \
--cc=josh@joshtriplett.org \
--cc=kai.huang@intel.com \
--cc=kai.svahn@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=paul@paul-moore.com \
--cc=philip.b.tricca@intel.com \
--cc=rientjes@google.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
--cc=serge.ayoun@intel.com \
--cc=serge@hallyn.com \
--cc=shay.katz-zamir@intel.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=william.c.roberts@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).