14. May 2024

[dimakuv]

Agenda

(please write your proposed agenda items in comments under this discussion)

• Release items for v1.8 (our roadmap)
• Dmitrii: X-Containers paper, Section 4.4: https://www.csl.cornell.edu/~delimitrou/papers/2019.asplos.xcontainer.pdf
  • how to binary-patch the syscall instruction and practical results
• Dmitrii: sys.disallowed_syscalls = [ ... ] feature ([LibOS] Add sys.debug__mock_syscalls = [ ... ] manifest option #1859), do we want this
• Dmitrii: random notes on gVisor
  • in particular, the systrap platform: https://gvisor.dev/blog/2023/04/28/systrap-release/

[Misc] Mona: Linux Foundation and the web site

Mona and Woju have an email thread with LF people who do the web design for the Gramine web site. The LF designers gave back some HTML pages. Woju will ask if the LF designers will additionally provide layout building blocks for a static renderer engine.

[Misc] Woju: matrix space (similar to discord "server")

Woju and Michal have an idea: there are many Gitter channels (including closed channels) on Gramine. We can do a single "matrix space", similar to how Discord does. From the GUI perspective, it's an additional level of nesting.

DECISION: Yes, proceed with this switch.

Release items for v1.8

[ working on the RoadMap view on GitHub: https://github.com/orgs/gramineproject/projects/1 ]

Mona: Maybe Michael Steiner (@g2flyer) must come and discuss the problem of dentries vs inodes (and e.g. file locks).

Dmitrii: sys.disallowed_syscalls = [ ... ] feature

See #1859

Michal and Woju: suggest the explicit return value:

sgx.hardcoded_syscalls = [
  { name = "sched_yield", return = 0 },
  { name = "eventfd2",    return = -38 },
]

Michal: add a note to documentation that this is for performance, this does NOT add sandboxing security guarantees.

For a proper sandbox tool, see e.g. https://github.com/google/nsjail

[woju]

• @woju: matrix space (similar to discord "server")