
F40 backports #2343

Open

wants to merge 4 commits into base: f40

Commits on Aug 8, 2024

  1. Support SGX devices

    Software Guard eXtensions (SGX) hardware enables user space
    applications to set aside private memory regions of code and data.
    These memory regions are called enclaves.
    
    The support can be determined by
    
        grep sgx /proc/cpuinfo
    
    SGX must both be supported in the processor and enabled by the BIOS.
    
    This commit labels 3 device nodes with a new label for each device type.
    
    /dev/sgx_enclave can be used by any application (not only virt-related)
    to create and interact with an SGX enclave through SGX kernel driver.
    Each enclave is contained in an Enclave Page Cache (EPC).
    
    /dev/sgx_vepc can be used by a hypervisor (e.g. qemu) to create an EPC
    (without creating an enclave in it) that can be passed to a guest, so
    the applications running in the guest system can create SGX enclaves.
    
    /dev/sgx_provision is used to set PROVISION_KEY flag on the enclave
    by calling an ioctl() on the enclave with fd to /dev/sgx_provision
    as another argument. QEMU does open this file; perhaps some other
    processes can as well.
    
    https://www.kernel.org/doc/html/latest/arch/x86/sgx.html
    https://lkml.iu.edu/hypermail/linux/kernel/2103.0/00223.html
    
    Resolves: rhbz#2299130
    zpytela committed Aug 8, 2024
    7a063c2

Commits on Sep 4, 2024

  1. Allow nut-upsmon read systemd-logind session files

    The commit addresses the following AVC denial example:
    type=AVC msg=audit(08/25/24 15:08:31.976:201) : avc:  denied  { read } for  pid=6543 comm=wall name=sessions dev="tmpfs" ino=1257 scontext=system_u:system_r:nut_upsmon_t:s0 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=1
    
    Resolves: rhbz#2297933
    zpytela committed Sep 4, 2024
    9180dba
  2. Allow samba use the io_uring API

    The commit addresses the following AVC denial example:
    type=AVC msg=audit(08/25/2024 22:56:47.375:253) : avc:  denied  { create } for  pid=1244 comm=smbd[127.0.0.1] anonclass=[io_uring] scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 tclass=anon_inode permissive=1
    
    Resolves: rhbz#2307812
    zpytela committed Sep 4, 2024
    396b7d4
  3. Allow thumb_t map dri devices

    The commit addresses the following AVC denial:
    type=AVC msg=audit(1710140836.332:583): avc:  denied  { map } for  pid=1093967 comm="gst-plugin-scan" path="/dev/dri/renderD128" dev="devtmpfs" ino=458 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1
    
    Resolves: rhbz#2268960
    zpytela committed Sep 4, 2024
    20be306
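The three AVC records quoted in the commits above share one format, and each commit turns one of them into an allow rule. As an added example (not code from this PR or from the selinux-policy project), a small Python parser that extracts the fields from such records, flags whether the denial was enforced, and merges denials into audit2allow-style rules; the sample records are constructed copies of the ones quoted above.

```python
import re

# Constructed copies of the three AVC records quoted in the commits above, used as sample input.
AVC_SAMPLES = [
    'type=AVC msg=audit(08/25/24 15:08:31.976:201) : avc:  denied  { read } for  '
    'pid=6543 comm=wall name=sessions dev="tmpfs" ino=1257 '
    'scontext=system_u:system_r:nut_upsmon_t:s0 '
    'tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(08/25/2024 22:56:47.375:253) : avc:  denied  { create } for  '
    'pid=1244 comm=smbd[127.0.0.1] anonclass=[io_uring] '
    'scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:io_uring_t:s0 '
    'tclass=anon_inode permissive=1',
    'type=AVC msg=audit(1710140836.332:583): avc:  denied  { map } for  '
    'pid=1093967 comm="gst-plugin-scan" path="/dev/dri/renderD128" dev="devtmpfs" '
    'ino=458 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:dri_device_t:s0 tclass=chr_file permissive=1',
]

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit line; return a dict of fields, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    # The third field of user:role:type:level is the SELinux type.
    rec['stype'], rec['ttype'] = (rec.get(k, '::').split(':')[2] for k in ('scontext', 'tcontext'))
    # permissive=1 means the access was only logged, not blocked.
    rec['enforced'] = rec.get('permissive') == '0'
    return rec

def suggest_rules(lines):
    """Merge denials per (source type, target type, class) into audit2allow-style allow
    rules. Whether each rule belongs in policy is still a review decision, as in the commits."""
    merged = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied' or not rec['stype']:
            continue
        merged.setdefault((rec['stype'], rec['ttype'], rec['tclass']), set()).update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        text = ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, text if len(perms) == 1 else '{ %s }' % text))
    return rules
```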