Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp1961368yba;
        Fri, 17 May 2019 08:11:35 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxJq01p8xaK13OE6NcVLbLZ2iIZtVhk4UDXGEbLqXSntEDS0w/4pxVhJUuTyPkvsE93OouE
X-Received: by 2002:a65:6449:: with SMTP id s9mr55616344pgv.90.1558105895698;
        Fri, 17 May 2019 08:11:35 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1558105895; cv=none;
        d=google.com; s=arc-20160816;
        b=DoFjqvHdolFR1Iehsfr3GLuT2aZIuIuHDxbwo2+M+n76K+ANBdI8iJU6KVFttBwilb
         9IkRHY7TOgjXXrwmIFseczT8TpNo3V59nbFtfMpq5CxKRMzItJYC63u8X3HebT3iP71b
         lpkS6w+UqxAp3A93SaYMoEFzLkMhvpZoGA110JFnbyMwphZ2AMFkSgQiyhqWIq3nLy+G
         aDQACSnij2ovUhfGsMRSPqxv/ddS9ilGuffS5MIWkLqXnxsIDZkh+iinFwz4sYQrzpSE
         Y/qegiS5kUAo3hVO0Bbjt+Jb8n9jAp+50jAs3POMP6O+gcgI1NX5Xpj04tCdvE+7OMt6
         KccQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=8mvfadQ1orVj3QnXwo5JPUinCp5n6Uyr3zPslFBUn3c=;
        b=gx9HU2BA6AHZTiw9YwDVcVA3FMPFESY935vLuPHdSkYghWyFoPig2mTG4Roa7ldWne
         OHcJ5N0m5GjlI+IdQ6voKW4b9bOiW0U1YjcPz5WTUCCJpxUf+CQJLNLa5zoJCPwsg9O/
         /CIWXcgjAKaxnODWK2H14e8oTKq1n0mdWgSJWbQ5JNevAIkvPyrbHbibJDr2Cn5KNHM8
         AjrBPOhuE1p4HwUHWeLnPl1EMPYh+VfAmX2KZgVfP+OTO6FG4eD2u89+89i7sg0xT7LM
         lmFqTZgU3be+ujfhYrr7tiqnaso2TX0lvwrsH0Dmnc9L1jwiOjnDeCDDXisb28ex/8J4
         zLjA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 8si8242725pgp.80.2019.05.17.08.11.14;
        Fri, 17 May 2019 08:11:35 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729207AbfEQPJv (ORCPT <rfc822;hououinredflag@gmail.com>
        + 99 others); Fri, 17 May 2019 11:09:51 -0400
Received: from mga12.intel.com ([192.55.52.136]:20328 "EHLO mga12.intel.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729162AbfEQPJu (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 17 May 2019 11:09:50 -0400
X-Amp-Result: UNKNOWN
X-Amp-Original-Verdict: FILE UNKNOWN
X-Amp-File-Uploaded: False
Received: from fmsmga006.fm.intel.com ([10.253.24.20])
  by fmsmga106.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 May 2019 08:09:49 -0700
X-ExtLoop1: 1
Received: from sjchrist-coffee.jf.intel.com (HELO linux.intel.com) ([10.54.74.36])
  by fmsmga006.fm.intel.com with ESMTP; 17 May 2019 08:09:48 -0700
Date:   Fri, 17 May 2019 08:09:48 -0700
From:   Sean Christopherson <sean.j.christopherson@intel.com>
To:     Stephen Smalley <sds@tycho.nsa.gov>
Cc:     "Xing, Cedric" <cedric.xing@intel.com>,
        Andy Lutomirski <luto@kernel.org>,
        James Morris <jmorris@namei.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        LSM List <linux-security-module@vger.kernel.org>,
        Paul Moore <paul@paul-moore.com>,
        Eric Paris <eparis@parisplace.org>,
        "selinux@vger.kernel.org" <selinux@vger.kernel.org>,
        Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>,
        Jethro Beekman <jethro@fortanix.com>,
        "Hansen, Dave" <dave.hansen@intel.com>,
        Thomas Gleixner <tglx@linutronix.de>,
        "Dr. Greg" <greg@enjellic.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        LKML <linux-kernel@vger.kernel.org>, X86 ML <x86@kernel.org>,
        "linux-sgx@vger.kernel.org" <linux-sgx@vger.kernel.org>,
        Andrew Morton <akpm@linux-foundation.org>,
        "nhorman@redhat.com" <nhorman@redhat.com>,
        "npmccallum@redhat.com" <npmccallum@redhat.com>,
        "Ayoun, Serge" <serge.ayoun@intel.com>,
        "Katz-zamir, Shay" <shay.katz-zamir@intel.com>,
        "Huang, Haitao" <haitao.huang@intel.com>,
        Andy Shevchenko <andriy.shevchenko@linux.intel.com>,
        "Svahn, Kai" <kai.svahn@intel.com>, Borislav Petkov <bp@alien8.de>,
        Josh Triplett <josh@joshtriplett.org>,
        "Huang, Kai" <kai.huang@intel.com>,
        David Rientjes <rientjes@google.com>
Subject: Re: SGX vs LSM (Re: [PATCH v20 00/28] Intel SGX1 support)
Message-ID: <20190517150948.GA15632@linux.intel.com>
References: <20190515013031.GF1977@linux.intel.com>
 <CALCETrXf8mSK45h7sTK5Wf+pXLVn=Bjsc_RLpgO-h-qdzBRo5Q@mail.gmail.com>
 <alpine.LRH.2.21.1905160543070.19802@namei.org>
 <CALCETrX_Q6qwNRNF0TL2tgfm1j6DKLX7NVHHmWbMFtk3WnHDKw@mail.gmail.com>
 <alpine.LRH.2.21.1905160844130.29250@namei.org>
 <CALCETrX2ovRx3Rre+1_xC-q6CiybyLjQ-gmB4FZF_qCZ-Qd+4A@mail.gmail.com>
 <960B34DE67B9E140824F1DCDEC400C0F654E38CD@ORSMSX116.amr.corp.intel.com>
 <CALCETrUfmyQ7ivNzQic0FyPXe1fmAnoK093jnz0i8DRn2LvdSA@mail.gmail.com>
 <960B34DE67B9E140824F1DCDEC400C0F654E3FB9@ORSMSX116.amr.corp.intel.com>
 <6a97c099-2f42-672e-a258-95bc09152363@tycho.nsa.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <6a97c099-2f42-672e-a258-95bc09152363@tycho.nsa.gov>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, May 17, 2019 at 09:53:06AM -0400, Stephen Smalley wrote:
> On 5/16/19 6:23 PM, Xing, Cedric wrote:
> >I thought EXECMOD applied to files (and memory mappings backed by them) but
> >I was probably wrong. It sounds like EXECMOD applies to the whole process so
> >would allow all pages within a process's address space to be modified then
> >executed, regardless the backing files. Am I correct this time?
> 
> No, you were correct the first time I think; EXECMOD is used to control
> whether a process can make executable a private file mapping that has
> previously been modified (e.g. text relocation); it is a special case to
> support text relocations without having to allow full EXECMEM (i.e. execute
> arbitrary memory).
> 
> SELinux checks relevant to W^X include:
> 
> - EXECMEM: mmap/mprotect PROT_EXEC an anonymous mapping (regardless of
> PROT_WRITE, since we know the content has to have been written at some
> point) or a private file mapping that is also PROT_WRITE.
> - EXECMOD: mprotect PROT_EXEC a private file mapping that has been
> previously modified, typically for text relocations,
> - FILE__WRITE: mmap/mprotect PROT_WRITE a shared file mapping,
> - FILE__EXECUTE: mmap/mprotect PROT_EXEC a file mapping.
> 
> (ignoring EXECSTACK and EXECHEAP here since they aren't really relevant to
> this discussion)
> 
> So if you want to ensure W^X, then you wouldn't allow EXECMEM for the
> process, EXECMOD by the process to any file, and the combination of both
> FILE__WRITE and FILE__EXECUTE by the process to any file.
> 
> If the /dev/sgx/enclave mappings are MAP_SHARED and you aren't using an
> anonymous inode, then I would expect that only the FILE__WRITE and
> FILE__EXECUTE checks are relevant.

Yep, I was just typing this up in a different thread:

I think we may want to change the SGX API to alloc an anon inode for each
enclave instead of hanging every enclave off of the /dev/sgx/enclave inode.
Because /dev/sgx/enclave is NOT private, SELinux's file_map_prot_check()
will only require FILE__WRITE and FILE__EXECUTE to mprotect() enclave VMAs
to RWX.  Backing each enclave with an anon inode will make SELinux treat
EPC memory like anonymous mappings, which is what we want (I think), e.g.
making *any* EPC page executable will require PROCESS__EXECMEM (SGX is
64-bit only at this point, so SELinux will always have default_noexec).