From: Stephen Smalley <sds@tycho.nsa.gov>
To: Sean Christopherson <sean.j.christopherson@intel.com>,
Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Cc: Andy Lutomirski <luto@kernel.org>,
Cedric Xing <cedric.xing@intel.com>,
James Morris <jmorris@namei.org>,
"Serge E . Hallyn" <serge@hallyn.com>,
LSM List <linux-security-module@vger.kernel.org>,
Paul Moore <paul@paul-moore.com>,
Eric Paris <eparis@parisplace.org>,
selinux@vger.kernel.org, Jethro Beekman <jethro@fortanix.com>,
Dave Hansen <dave.hansen@intel.com>,
Thomas Gleixner <tglx@linutronix.de>,
Linus Torvalds <torvalds@linux-foundation.org>,
LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
linux-sgx@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>,
nhorman@redhat.com, npmccallum@redhat.com,
Serge Ayoun <serge.ayoun@intel.com>,
Shay Katz-zamir <shay.katz-zamir@intel.com>,
Haitao Huang <haitao.huang@intel.com>,
Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
Kai Svahn <kai.svahn@intel.com>, Borislav Petkov <bp@alien8.de>,
Josh Triplett <josh@joshtriplett.org>,
Kai Huang <kai.huang@intel.com>,
David Rientjes <rientjes@google.com>,
William Roberts <william.c.roberts@intel.com>,
Philip Tricca <philip.b.tricca@intel.com>
Subject: Re: [RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation
Date: Fri, 7 Jun 2019 17:16:01 -0400 [thread overview]
Message-ID: <ca77e597-69de-9db4-f88a-26881ab53680@tycho.nsa.gov> (raw)
In-Reply-To: <20190606021145.12604-6-sean.j.christopherson@intel.com>
On 6/5/19 10:11 PM, Sean Christopherson wrote:
> The goal of selinux_enclave_load() is to provide a facsimile of the
> existing selinux_file_mprotect() and file_map_prot_check() policies,
> but tailored to the unique properties of SGX.
>
> For example, an enclave page is technically backed by a MAP_SHARED file,
> but the "file" is essentially shared memory that is never persisted
> anywhere and also requires execute permissions (for some pages).
>
> The basic concept is to require appropriate execute permissions on the
> source of the enclave for pages that are requesting PROT_EXEC, e.g. if
> an enclave page is being loaded from a regular file, require
> FILE__EXECUTE and/or FILE__EXECMOND, and if it's coming from an
> anonymous/private mapping, require PROCESS__EXECMEM since the process
> is essentially executing from the mapping, albeit in a roundabout way.
>
> Note, FILE__READ and FILE__WRITE are intentionally not required even if
> the source page is backed by a regular file. Writes to the enclave page
> are contained to the EPC, i.e. never hit the original file, and read
> permissions have already been vetted (or the VMA doesn't have PROT_READ,
> in which case loading the page into the enclave will fail).
>
> Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
> ---
> security/selinux/hooks.c | 69 ++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 69 insertions(+)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 3ec702cf46ca..3c5418edf51c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -6726,6 +6726,71 @@ static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
> }
> #endif
>
> +#ifdef CONFIG_INTEL_SGX
> +int selinux_enclave_load(struct vm_area_struct *vma, unsigned long prot)
> +{
> + const struct cred *cred = current_cred();
> + u32 sid = cred_sid(cred);
> + int ret;
> +
> + /* SGX is supported only in 64-bit kernels. */
> + WARN_ON_ONCE(!default_noexec);
> +
> + /* Only executable enclave pages are restricted in any way. */
> + if (!(prot & PROT_EXEC))
> + return 0;
prot/PROT_EXEC or vmflags/VM_EXEC
> +
> + /*
> + * The source page is exectuable, i.e. has already passed SELinux's
executable
> + * checks, and userspace is not requesting RW->RX capabilities.
Is it requesting W->X or WX?
> + */
> + if ((vma->vm_flags & VM_EXEC) && !(prot & PROT_WRITE))
> + return 0;
> +
> + /*
> + * The source page is not executable, or userspace is requesting the
> + * ability to do a RW->RX conversion. Permissions are required as
> + * follows, in order of increasing privelege:
> + *
> + * EXECUTE - Load an executable enclave page without RW->RX intent from
> + * a non-executable vma that is backed by a shared mapping to
> + * a regular file that has not undergone COW.
Shared mapping or unmodified private file mapping
> + *
> + * EXECMOD - Load an executable enclave page without RW->RX intent from
> + * a non-executable vma that is backed by a shared mapping to
> + * a regular file that *has* undergone COW.
modified private file mapping (write to shared mapping won't trigger
COW; it would have been checked by FILE__WRITE earlier)
> + *
> + * - Load an enclave page *with* RW->RX intent from a shared
> + * mapping to a regular file.
> + *
> + * EXECMEM - Load an exectuable enclave page from an anonymous mapping.
executable
> + *
> + * - Load an exectuable enclave page from a private file, e.g.
executable
> + * from a shared mapping to a hugetlbfs file.
> + *
> + * - Load an enclave page *with* RW->RX intent from a private
W->X or WX?
> + * mapping to a regular file.
> + *
> + * Note, this hybrid EXECMOD and EXECMEM behavior is intentional and
> + * reflects the nature of enclaves and the EPC, e.g. EPC is effectively
> + * a non-persistent shared file, but each enclave is a private domain
> + * within that shared file, so delegate to the source of the enclave.
> + */
> + if (vma->vm_file && !IS_PRIVATE(file_inode(vma->vm_file) &&
> + ((vma->vm_flags & VM_SHARED) || !(prot & PROT_WRITE)))) {
> + if (!vma->anon_vma && !(prot & PROT_WRITE))
> + ret = file_has_perm(cred, vma->vm_file, FILE__EXECUTE);
> + else
> + ret = file_has_perm(cred, vma->vm_file, FILE__EXECMOD);
> + } else {
> + ret = avc_has_perm(&selinux_state,
> + sid, sid, SECCLASS_PROCESS,
> + PROCESS__EXECMEM, NULL);
> + }
> + return ret;
> +}
> +#endif
> +
> struct lsm_blob_sizes selinux_blob_sizes __lsm_ro_after_init = {
> .lbs_cred = sizeof(struct task_security_struct),
> .lbs_file = sizeof(struct file_security_struct),
> @@ -6968,6 +7033,10 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
> LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
> LSM_HOOK_INIT(bpf_prog_free_security, selinux_bpf_prog_free),
> #endif
> +
> +#ifdef CONFIG_INTEL_SGX
> + LSM_HOOK_INIT(enclave_load, selinux_enclave_load),
> +#endif
> };
>
> static __init int selinux_init(void)
>
next prev parent reply other threads:[~2019-06-07 21:16 UTC|newest]
Thread overview: 67+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-06 2:11 [RFC PATCH v2 0/5] security: x86/sgx: SGX vs. LSM Sean Christopherson
2019-06-06 2:11 ` [RFC PATCH v2 1/5] mm: Introduce vm_ops->may_mprotect() Sean Christopherson
2019-06-10 15:06 ` Jarkko Sakkinen
2019-06-10 15:55 ` Sean Christopherson
2019-06-10 17:47 ` Xing, Cedric
2019-06-10 19:49 ` Sean Christopherson
2019-06-10 22:06 ` Xing, Cedric
2019-06-06 2:11 ` [RFC PATCH v2 2/5] x86/sgx: Require userspace to define enclave pages' protection bits Sean Christopherson
2019-06-10 15:27 ` Jarkko Sakkinen
2019-06-10 16:15 ` Sean Christopherson
2019-06-10 17:45 ` Jarkko Sakkinen
2019-06-10 18:17 ` Sean Christopherson
2019-06-12 19:26 ` Jarkko Sakkinen
2019-06-10 18:29 ` Xing, Cedric
2019-06-10 19:15 ` Andy Lutomirski
2019-06-10 22:28 ` Xing, Cedric
2019-06-12 0:09 ` Andy Lutomirski
2019-06-12 14:34 ` Sean Christopherson
2019-06-12 18:20 ` Xing, Cedric
2019-06-06 2:11 ` [RFC PATCH v2 3/5] x86/sgx: Enforce noexec filesystem restriction for enclaves Sean Christopherson
2019-06-10 16:00 ` Jarkko Sakkinen
2019-06-10 16:44 ` Andy Lutomirski
2019-06-11 17:21 ` Stephen Smalley
2019-06-06 2:11 ` [RFC PATCH v2 4/5] LSM: x86/sgx: Introduce ->enclave_load() hook for Intel SGX Sean Christopherson
2019-06-07 19:58 ` Stephen Smalley
2019-06-10 16:21 ` Sean Christopherson
2019-06-10 16:05 ` Jarkko Sakkinen
2019-06-06 2:11 ` [RFC PATCH v2 5/5] security/selinux: Add enclave_load() implementation Sean Christopherson
2019-06-07 21:16 ` Stephen Smalley [this message]
2019-06-10 16:46 ` Sean Christopherson
2019-06-17 16:38 ` Jarkko Sakkinen
2019-06-10 7:03 ` [RFC PATCH v1 0/3] security/x86/sgx: SGX specific LSM hooks Cedric Xing
2019-06-10 7:03 ` [RFC PATCH v1 1/3] LSM/x86/sgx: Add " Cedric Xing
2019-06-10 7:03 ` [RFC PATCH v1 2/3] LSM/x86/sgx: Implement SGX specific hooks in SELinux Cedric Xing
2019-06-11 13:40 ` Stephen Smalley
2019-06-11 22:02 ` Sean Christopherson
2019-06-12 9:32 ` Dr. Greg
2019-06-12 14:25 ` Sean Christopherson
2019-06-13 7:25 ` Dr. Greg
2019-06-12 19:30 ` Andy Lutomirski
2019-06-12 22:02 ` Sean Christopherson
2019-06-13 0:10 ` Xing, Cedric
2019-06-13 1:02 ` Xing, Cedric
2019-06-13 17:02 ` Stephen Smalley
2019-06-13 23:03 ` Xing, Cedric
2019-06-13 23:17 ` Sean Christopherson
2019-06-14 0:31 ` Xing, Cedric
2019-06-14 0:46 ` Sean Christopherson
2019-06-14 15:38 ` Sean Christopherson
2019-06-16 22:14 ` Andy Lutomirski
2019-06-17 16:49 ` Sean Christopherson
2019-06-17 17:08 ` Andy Lutomirski
2019-06-18 15:40 ` Dr. Greg
2019-06-14 17:16 ` Xing, Cedric
2019-06-14 17:45 ` Sean Christopherson
2019-06-14 17:53 ` Sean Christopherson
2019-06-14 20:01 ` Sean Christopherson
2019-06-16 22:16 ` Andy Lutomirski
2019-06-14 23:19 ` Dr. Greg
2019-06-11 22:55 ` Xing, Cedric
2019-06-13 18:00 ` Stephen Smalley
2019-06-13 19:48 ` Sean Christopherson
2019-06-13 21:09 ` Xing, Cedric
2019-06-13 21:02 ` Xing, Cedric
2019-06-14 0:37 ` Sean Christopherson
2019-06-10 7:03 ` [RFC PATCH v1 3/3] LSM/x86/sgx: Call new LSM hooks from SGX subsystem Cedric Xing
2019-06-10 17:36 ` [RFC PATCH v1 0/3] security/x86/sgx: SGX specific LSM hooks Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ca77e597-69de-9db4-f88a-26881ab53680@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=akpm@linux-foundation.org \
--cc=andriy.shevchenko@linux.intel.com \
--cc=bp@alien8.de \
--cc=cedric.xing@intel.com \
--cc=dave.hansen@intel.com \
--cc=eparis@parisplace.org \
--cc=haitao.huang@intel.com \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=jethro@fortanix.com \
--cc=jmorris@namei.org \
--cc=josh@joshtriplett.org \
--cc=kai.huang@intel.com \
--cc=kai.svahn@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linux-sgx@vger.kernel.org \
--cc=luto@kernel.org \
--cc=nhorman@redhat.com \
--cc=npmccallum@redhat.com \
--cc=paul@paul-moore.com \
--cc=philip.b.tricca@intel.com \
--cc=rientjes@google.com \
--cc=sean.j.christopherson@intel.com \
--cc=selinux@vger.kernel.org \
--cc=serge.ayoun@intel.com \
--cc=serge@hallyn.com \
--cc=shay.katz-zamir@intel.com \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=william.c.roberts@intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).