
[Pal/{Linux,Linux-SGX,FreeBSD}] Replace pipe() with socketpair()

Graphene already emulates pipes via UNIX domain socketpairs. The only
place where Graphene still uses host pipes is in DkCreateProcess(),
for communication and checkpoint send/receive between parent and child.

UNIX domain socketpairs are more convenient than pipes and allow
bidirectional communication, which is useful for IPC encryption via
SSL/TLS. This commit replaces all lingering uses of pipes with
socketpairs.
Dmitrii Kuvaiskii 4 vuotta sitten
vanhempi
commit
8a7c8bdceb

+ 7 - 7
Pal/src/host/FreeBSD/db_process.c

@@ -53,13 +53,12 @@ static inline int create_process_handle (PAL_HANDLE * parent,
 {
     PAL_HANDLE phdl = NULL, chdl = NULL;
     int fds[6] = { -1, -1, -1, -1, -1, -1 };
+    int socktype = SOCK_STREAM | SOCK_CLOEXEC;
     int ret;
 
-    if (IS_ERR((ret = INLINE_SYSCALL(pipe2, 2, &fds[0], O_CLOEXEC))) ||
-        IS_ERR((ret = INLINE_SYSCALL(pipe2, 2, &fds[2], O_CLOEXEC))) ||
-        IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX,
-                                     SOCK_STREAM|SOCK_CLOEXEC,
-                                     0, &fds[4])))) {
+    if (IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, socktype, 0, &fds[0]))) ||
+        IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, socktype, 0, &fds[2]))) ||
+        IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, socktype, 0, &fds[4])))) {
         ret = -PAL_ERROR_DENIED;
         goto out;
     }
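Review bot: Replacing the two pipes in `fds[0..3]` with `AF_UNIX` stream sockets drops two properties the old code had: each descriptor was read-only or write-only, and pipe writes of up to PIPE_BUF bytes were atomic. Every end is now readable and writable, so if these channels are still used in one direction only (their use is outside this hunk), the unused direction could be closed with shutdown() right after creation. Otherwise, a comment above the three calls would record the new contract, e.g. `/* fds[0..1], fds[2..3]: bidirectional stream sockets replacing the former pipes; reads and writes may be short */`. Checkpoint send/receive code on these descriptors should loop on partial transfers. The same applies to the identical hunk in Pal/src/host/Linux/db_process.c; create_process_handle continues outside the hunk.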
@@ -139,9 +138,10 @@ static int child_process (void * param)
     if (IS_ERR(ret))
         goto failed;
 
-    handle_set_cloexec(proc_param->parent, false);
+    if (proc_param->parent)
+        handle_set_cloexec(proc_param->parent,   false);
     if (proc_param->exec)
-        handle_set_cloexec(proc_param->exec, false);
+        handle_set_cloexec(proc_param->exec,     false);
     if (proc_param->manifest)
         handle_set_cloexec(proc_param->manifest, false);
 

+ 10 - 8
Pal/src/host/Linux-SGX/sgx_platform.c

@@ -177,7 +177,7 @@ int contact_intel_attest_service(const char* subkey, const sgx_quote_nonce_t* no
     ssize_t https_output_len = 0;
     int header_fd = -1;
     int output_fd = -1;
-    int pipefds[2] = { -1, -1 };
+    int fds[2] = {-1, -1};
 
     header_fd = mkstemp(https_header_path);
     if (header_fd < 0)
@@ -187,7 +187,7 @@ int contact_intel_attest_service(const char* subkey, const sgx_quote_nonce_t* no
     if (output_fd < 0)
         goto failed;
 
-    ret = INLINE_SYSCALL(pipe, 1, pipefds);
+    ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, &fds[0]);
     if (IS_ERR(ret))
         goto failed;
 
@@ -198,11 +198,11 @@ int contact_intel_attest_service(const char* subkey, const sgx_quote_nonce_t* no
                                  "{\"isvEnclaveQuote\":\"%s\",\"nonce\":\"%s\"}",
                                  quote_str, nonce_str);
 
-    ret = INLINE_SYSCALL(write, 3, pipefds[1], https_request, https_request_len);
+    ret = INLINE_SYSCALL(write, 3, fds[1], https_request, https_request_len);
     if (IS_ERR(ret))
         goto failed;
-    INLINE_SYSCALL(close, 1, pipefds[1]);
-    pipefds[1] = -1;
+    INLINE_SYSCALL(close, 1, fds[1]);
+    fds[1] = -1;
 
     char subscription_header[64];
     snprintf(subscription_header, 64, "Ocp-Apim-Subscription-Key: %s", subkey);
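Review bot: The `write` of the attestation request to `fds[1]` is checked only with `IS_ERR(ret)`, so a short write would hand a truncated JSON body to the HTTPS client without any error. Comparing the result with the requested length would close that gap, e.g. `if (IS_ERR(ret) || (size_t)ret != (size_t)https_request_len) goto failed;`. The types are declared outside the hunk, so the casts may need adjusting, and `ret` should carry an error code when `failed` is reached. In the later hunk the result of the child's `INLINE_SYSCALL(dup2, 2, fds[0], 0)` is likewise ignored. If that call fails, `execve` starts the client on the inherited stdin instead of the request, so the child should check it and skip the `execve`.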
@@ -221,7 +221,7 @@ int contact_intel_attest_service(const char* subkey, const sgx_quote_nonce_t* no
         goto failed;
 
     if (!pid) {
-        INLINE_SYSCALL(dup2, 2, pipefds[0], 0);
+        INLINE_SYSCALL(dup2, 2, fds[0], 0);
         extern char** environ;
         INLINE_SYSCALL(execve, 3, https_client_args[0], https_client_args, environ);
 
@@ -374,8 +374,10 @@ done:
         INLINE_SYSCALL(munmap, 2, https_header, ALLOC_ALIGN_UP(https_header_len));
     if (https_output)
         INLINE_SYSCALL(munmap, 2, https_output, ALLOC_ALIGN_UP(https_output_len));
-    if (pipefds[0] != -1) INLINE_SYSCALL(close, 1, pipefds[0]);
-    if (pipefds[1] != -1) INLINE_SYSCALL(close, 1, pipefds[1]);
+    if (fds[0] != -1)
+        INLINE_SYSCALL(close, 1, fds[0]);
+    if (fds[1] != -1)
+        INLINE_SYSCALL(close, 1, fds[1]);
     if (header_fd != -1) {
         INLINE_SYSCALL(close,  1, header_fd);
         INLINE_SYSCALL(unlink, 1, https_header_path);

+ 5 - 5
Pal/src/host/Linux-SGX/sgx_process.c

@@ -57,7 +57,7 @@ struct proc_args {
  * NOTE: more tricks may be needed to prevent unexpected optimization for
  * future compiler.
  */
-int __attribute_noinline
+static int __attribute_noinline
 vfork_exec(int pipe_input, int proc_fds[3], const char** argv)
 {
     int ret = ARCH_VFORK();
@@ -87,10 +87,10 @@ int sgx_create_process(const char* uri, int nargs, const char** args, int * retf
     if (!uri || !strstartswith_static(uri, "file:"))
         return -EINVAL;
 
-    if (IS_ERR((ret = INLINE_SYSCALL(pipe, 1, &fds[0]))) ||
-        IS_ERR((ret = INLINE_SYSCALL(pipe, 1, &fds[2]))) ||
-        IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, SOCK_STREAM,
-                                     0, &fds[4]))))
+    int socktype = SOCK_STREAM;
+    if (IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, socktype, 0, &fds[0]))) ||
+        IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, socktype, 0, &fds[2]))) ||
+        IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, socktype, 0, &fds[4]))))
         goto out;
 
     int proc_fds[2][3] = {
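Review bot: `int socktype = SOCK_STREAM;` leaves out `SOCK_CLOEXEC`, while both `create_process_handle` variants in this commit use `SOCK_STREAM | SOCK_CLOEXEC`. Without it all six descriptors stay open across the exec in `vfork_exec` unless they are closed by hand, which this hunk does not show; the parent-side ends would then be visible to the new process. If the omission is deliberate because the child must inherit some ends, a comment should say so, e.g. `/* no SOCK_CLOEXEC: child-side ends in proc_fds must survive exec */`. Otherwise prefer `int socktype = SOCK_STREAM | SOCK_CLOEXEC;` and clear the flag only on the ends handed to the child. sgx_create_process continues outside the hunk.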

+ 5 - 6
Pal/src/host/Linux/db_process.c

@@ -52,13 +52,12 @@ static inline int create_process_handle (PAL_HANDLE * parent,
 {
     PAL_HANDLE phdl = NULL, chdl = NULL;
     int fds[6] = { -1, -1, -1, -1, -1, -1 };
+    int socktype = SOCK_STREAM | SOCK_CLOEXEC;
     int ret;
 
-    if (IS_ERR((ret = INLINE_SYSCALL(pipe2, 2, &fds[0], O_CLOEXEC))) ||
-        IS_ERR((ret = INLINE_SYSCALL(pipe2, 2, &fds[2], O_CLOEXEC))) ||
-        IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX,
-                                     SOCK_STREAM|SOCK_CLOEXEC,
-                                     0, &fds[4])))) {
+    if (IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, socktype, 0, &fds[0]))) ||
+        IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, socktype, 0, &fds[2]))) ||
+        IS_ERR((ret = INLINE_SYSCALL(socketpair, 4, AF_UNIX, socktype, 0, &fds[4])))) {
         ret = -PAL_ERROR_DENIED;
         goto out;
     }
@@ -144,7 +143,7 @@ struct proc_args {
  * NOTE: more tricks may be needed to prevent unexpected optimization for
  * future compiler.
  */
-int __attribute_noinline
+static int __attribute_noinline
 child_process (struct proc_param * proc_param)
 {
     int ret = ARCH_VFORK();