Manifest definition to allow SIOCGIFCONF IOCTL

[paul-jubo]

Hi community,
I am trying to run a spring boot java app with gramine-direct.
I am getting the following error:

org.springframework.cloud.commons.util.InetUtils","message":"Cannot get first non-loopback address","context":"default","exception":"java.net.SocketException: Inappropriate ioctl for device (ioctl(SIOCGIFCONF) failed)\n\tat java.base/java.net.NetworkInterface.getAll(Native Method)

From that message, I concluded that it must be related to the allowed_ioctls parameter in the gramine manifest. I have found a test manifest in this repository, which contains an example of how to allow such an IOCTL:

gramine/libos/test/ltp/manifest.template

Line 56 in 36676a7

sys.allowed_ioctls = [

Since my understanding of IOCTL is very abstract, I copy-pasted the following snippet to my manifest:

sys.ioctl_structs.ifconf = [
  # When ifc_req is NULL, direction of ifc_len is out. Otherwise, direction is in.
  { size = 4, direction = "inout", name = "ifc_len" },  # ifc_len
  { size = 4, direction = "none" },                     # padding
  { ptr = [ { size = "ifc_len", direction = "in" } ] }, # ifc_req
]

sys.allowed_ioctls = [
  { request_code = 0x8912, struct = "ifconf" }, # SIOCGIFCONF
]

but now I am getting another error message during the start of the app:

"org.springframework.cloud.commons.util.InetUtils","message":"Cannot get first non-loopback address","context":"default","exception":"java.net.SocketException: Inappropriate ioctl for device (getFlags() failed)\n\tat java.base/java.net.NetworkInterface.isUp0(Native Method)

-> Now it does not name the SIOCGIFCONF ioctl anymore, but just states "inappropriate ioctl". This leads to the conclusion that my copy-paste strategy did not work out here. -> It seems to me that I need a different, device-specific struct definition and ioctl request code. Where would I find such info? In the code of the host system's linux kernel?
(Maybe I will better understand this issue after doing more research on IOCTL in general, but I thought this discussion would be very helpful to other users as well.)

Any thoughts highly appreciated!

[kailun-qin]

It seems to me that I need a different, device-specific struct definition and ioctl request code. Where would I find such info? In the code of the host system's linux kernel?

Taking IOCTLs on sockets as an example, you can obtain such info from the man page, kernel source and public docs.

You may also want to look into the source code of your application and/or w/ the help of error logs and strace to understand more about how your application uses IOCTLs exactly.

Inappropriate ioctl for device (getFlags() failed)\n\tat java.base/java.net.NetworkInterface.isUp0(Native Method)

getFlags() indicated that ^ error may come from ioctl(..., SIOCGIFFLAGS, ...). Looking into e.g. the source code of openjdk getFlags(), I think you may probably want to add sth. like below into Gramine manifest:

sys.ioctl_structs.ifreq = [
  { size = 16, direction = "out" }, # ifr_name
  { size = 2, direction = "in" },   # ifr_flags
]

sys.allowed_ioctls = [
  ...
  { request_code = 0x8913, struct = "ifreq" },  # SIOCGIFFLAGS
  ...
]

Pls also need read/follow carefully the allowed IOCTLs manifest syntax of Gramine, and consider adding hardening via sanitization.

[paul-jubo]

Awesome, your code snippet did the job perfectly.
I find it interesting that Gramine is sometimes able to give manifest suggestions at runtime, as in "your app tried to use eventfd but it needs to be activated in the manifest" while sometimes, like here, this is not the case.

Anyway thank you so much for your answer, really helped me out a lot, and also the explanation concerning strace was super useful. Cheers

[dimakuv]

I find it interesting that Gramine is sometimes able to give manifest suggestions at runtime, as in "your app tried to use eventfd but it needs to be activated in the manifest" while sometimes, like here, this is not the case.

That's mostly because in some cases, it is easy for Gramine to guess what goes wrong and print a suggestion. Whereas in other cases (like ioctls) it's very hard to come up with a nice suggestion message.