-
Notifications
You must be signed in to change notification settings - Fork 204
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[LibOS] Add
sys.debug__mock_syscalls = [ ... ]
manifest option
This commit adds manifest syntax `sys.debug__mock_syscalls = [ ... ]` to specify system calls that will be mocked when executed in Gramine (i.e. return a specified value without any other side effects). This may be particularly important for cases where the overhead of invoking a system call on the host (e.g. exiting the SGX enclave) becomes a performance bottleneck, and it is more beneficial to disable or no-op the syscall in the first place; `sched_yield()` is an example. Another example may be disabling certain functionalities for security reasons. For example, one may want to disable `eventfd()` and `eventfd2()` to forbid creation of eventfd objects. Signed-off-by: Dmitrii Kuvaiskii <[email protected]>
- Loading branch information
Dmitrii Kuvaiskii
committed
Jul 2, 2024
1 parent
ac61ae1
commit afb8a35
Showing
14 changed files
with
284 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
/* SPDX-License-Identifier: LGPL-3.0-or-later */ | ||
/* Copyright (C) 2024 Intel Corporation | ||
* Dmitrii Kuvaiskii <[email protected]> | ||
*/ | ||
|
||
#define _GNU_SOURCE | ||
#include <err.h> | ||
#include <errno.h> | ||
#include <sched.h> | ||
#include <stdint.h> | ||
#include <stdio.h> | ||
#include <stdlib.h> | ||
#include <sys/eventfd.h> | ||
#include <sys/types.h> | ||
#include <unistd.h> | ||
|
||
int main(void) { | ||
int ret; | ||
|
||
errno = 0; | ||
ret = eventfd(0, 0); | ||
if (ret != -1 && errno != ENOSYS) | ||
errx(1, "expected eventfd to fail with -ENOSYS but it returned ret=%d errno=%d", ret, | ||
errno); | ||
|
||
errno = 0; | ||
ret = fork(); | ||
if (ret != -1 && errno != ENOSYS) | ||
errx(1, "expected fork to fail with -ENOSYS but it returned ret=%d errno=%d", ret, errno); | ||
|
||
errno = 0; | ||
ret = getpid(); | ||
if (ret < 0) | ||
errx(1, "expected getpid to succeed but it returned ret=%d errno=%d", ret, errno); | ||
|
||
errno = 0; | ||
ret = getppid(); | ||
if (ret < 0) | ||
errx(1, "expected getppid to succeed but it returned ret=%d errno=%d", ret, errno); | ||
|
||
/* sched_yield must *not* appear in strace on the host; this case is added for manual testing */ | ||
for (int i = 0; i < 100; i++) { | ||
errno = 0; | ||
ret = sched_yield(); | ||
if (ret < 0) { | ||
errx(1, "expected sched_yield to succeed (no-op) but it returned ret=%d errno=%d", | ||
ret, errno); | ||
} | ||
} | ||
|
||
/* vhangup was chosen as a syscall that will most certainly not be implemented in Gramine */ | ||
errno = 0; | ||
ret = vhangup(); | ||
if (ret != 123) | ||
errx(1, "expected vhangup to succeed (as a no-op, with dummy return value 123) but it " | ||
"returned ret=%d errno=%d", ret, errno); | ||
|
||
puts("TEST OK"); | ||
return 0; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
loader.entrypoint = "file:{{ gramine.libos }}" | ||
libos.entrypoint = "{{ entrypoint }}" | ||
|
||
loader.log_level = "trace" | ||
|
||
loader.env.LD_LIBRARY_PATH = "/lib" | ||
|
||
fs.mounts = [ | ||
{ path = "/lib", uri = "file:{{ gramine.runtimedir(libc) }}" }, | ||
{ path = "/{{ entrypoint }}", uri = "file:{{ binary_dir }}/{{ entrypoint }}" }, | ||
] | ||
|
||
sys.debug__mock_syscalls = [ | ||
# sched_yield is mocked as no-op (`return = 0` by default), sometimes useful for performance; | ||
# this no-op behavior should be evident from strace on the host | ||
{ name = "sched_yield" }, | ||
|
||
# vhangup is not implemented in Gramine but here mocked as no-op with a dummy return value | ||
{ name = "vhangup", return = 123 }, | ||
|
||
# even though glibc wrapper is called eventfd, glibc translates it into eventfd2; | ||
# we specify both syscall variants to be on the safe side | ||
{ name = "eventfd", return = -38 }, | ||
{ name = "eventfd2", return = -38 }, | ||
|
||
# even though glibc wrapper is called fork, glibc translates it into clone; at the same time, musl | ||
# uses fork syscall; we specify all syscall variants to be on the safe side | ||
{ name = "fork", return = -38 }, | ||
{ name = "vfork", return = -38 }, | ||
{ name = "clone", return = -38 }, | ||
{ name = "clone3", return = -38 }, | ||
] | ||
|
||
sgx.debug = true | ||
sgx.edmm_enable = {{ 'true' if env.get('EDMM', '0') == '1' else 'false' }} | ||
|
||
sgx.trusted_files = [ | ||
"file:{{ gramine.libos }}", | ||
"file:{{ gramine.runtimedir(libc) }}/", | ||
"file:{{ binary_dir }}/{{ entrypoint }}", | ||
] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.