Warning: file_map does not currently support writable pass-through mappings on SGX

[tiagorvmartins]

Hello!
Currently facing an issue and would like to understand if there is any workaround for it.
The binary I am trying to run in gramine-sgx writes to a specific folder that is allowed on the manifest, however I still get permission denied.

In order to better understand the problem, I did build a debug sgx enclave, and notice the following log output:

(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- openat(AT_FDCWD, "/root/.ethereum/.ethash/cache/cache-R23-0000000000000000", O_RDONLY|0x80000, 0644) = -2
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- clock_gettime(0, 0xe2de8e40) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- clock_gettime(1, 0xe2de8e30) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- return from nanosleep(...) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- newfstatat(AT_FDCWD, "/root/.ethereum/.ethash/cache", 0xec37e2a8, 0) = -2
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- nanosleep([0,20000], 0) ...
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- newfstatat(AT_FDCWD, "/root/.ethereum/.ethash", 0xec37e448, 0) = -2
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- newfstatat(AT_FDCWD, "/root/.ethereum", 0xec37e788, 0) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- return from nanosleep(...) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- nanosleep([0,20000], 0) ...
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- mkdirat(AT_FDCWD, "/root/.ethereum/.ethash", 493) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- return from nanosleep(...) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- mkdirat(AT_FDCWD, "/root/.ethereum/.ethash/cache", 493) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- nanosleep([0,20000], 0) ...
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- openat(AT_FDCWD, "/root/.ethereum/.ethash/cache/cache-R23-0000000000000000.3571035715345690970", O_RDWR|O_CREAT|O_TRUNC|0x80000, 0666) = 0x24
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- return from nanosleep(...) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- fcntl(36, F_GETFL, 0) = 0x80242
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- nanosleep([0,20000], 0) ...
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- fcntl(36, F_SETFL, 0x80a42) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- epoll_ctl(4, ADD, 36, {.events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, .data=0xf003d508}) = -1
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- fcntl(36, F_GETFL, 0) = 0x80a42
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- fcntl(36, F_SETFL, 0x80242) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- fallocate(36, 0, 0x0, 0xfffec8) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- return from nanosleep(...) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- fstat(36, 0xec37e858) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- mmap(0, 0xfffec8, PROT_READ|PROT_WRITE, MAP_SHARED, 36, 0x0) ...
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- nanosleep([0,20000], 0) ...
(pal_files.c:264:file_map) warning: file_map does not currently support writable pass-through mappings on SGX. You may add the PAL_PROT_WRITECOPY (MAP_PRIVATE) flag to your file mapping to keep the writes inside the enclave but they won't be reflected outside of the enclave.
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- return from mmap(...) = -13
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- close(36) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- return from nanosleep(...) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- unlinkat(AT_FDCWD, "/root/.ethereum/.ethash/cache/cache-R23-0000000000000000.3571035715345690970", 0) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- clock_gettime(1, 0xebde9d80) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- clock_gettime(0, 0xe2de8e40) = 0x0
(libos_parser.c:1658:buf_write_all) [P2:T33:geth] trace: ---- nanosleep([0,20000], 0) ...
(libos_parser.c:1658:buf_write_all) [P2:T34:geth] trace: ---- clock_gettime(1, 0xe2de8e30) = 0x0
ERROR[11-03|15:29:11.043] Failed to generate mapped ethash cache   epoch=0 err="permission denied"

Above is the relevant log section, and the error I guess is related with this line:
(pal_files.c:264:file_map) warning: file_map does not currently support writable pass-through mappings on SGX. You may add the PAL_PROT_WRITECOPY (MAP_PRIVATE) flag to your file mapping to keep the writes inside the enclave but they won't be reflected outside of the enclave.

And here is the manifest section with the allowed path:

sgx.allowed_files = [
  "file:/root/.ethereum/.ethash"
]

Is there any way to solve the problem?
Or any clues on what might be happening, what I am missing here?
Thank you!

[dimakuv]

The warning says it all: Gramine currently does not allow writable pass-through mappings on allowed files.

First of all, you need to investigate why your application (or the dependent library) wants a shared file-backed mapping. Typically this is done for seamless and fast dumping of the file contents to the underlying storage, or for shared memory between processes. Both these approaches are insecure, and thus Gramine disallows such mappings.

There are several ways to circumvent this:

• If you don't need to persist these file contents on the disk, then mount this directory as tmpfs: fs.mounts = { type="tmpfs", path="/root/.ehtereum/.ethash", ... }
• If you need to persist these file contents on the disk, then you need to ask yourself -- surely these contents must be protected/encrypted? In this case, you need to mount this directory as Encrypted Files: fs.mounts = { type="encrypted", path="/root/.ehtereum/.ethash", ... }

Finally, you can modify your application's source code to not use MAP_SHARED. Again, you need first to investigate what is this directory is used for, and think about security implications.

[tiagorvmartins]

Thank you!
Managed to understand what was the directory being used for, applied one of the solutions proposed and it did fixed the issue!