
[PAL] Purge the reference monitor loader code (move to EXPERIMENTAL)

This commit removes the following from the master Graphene branch (this
is now moved to the EXPERIMENTAL/linux-reference-monitor branch):
- Remove reference monitor loader code
- Remove sandboxing code and dependency on reference monitor code
- Remove Linux kernel changes for reference monitor
- Remove README instructions and scripts regarding reference monitor
Chia-Che Tsai 4 years ago
parent
commit
ad0dd8be31

+ 1 - 48
Pal/Makefile

@@ -1,17 +1,5 @@
 include src/Makefile.Host
 
-ifeq ($(OS),Linux)
-	NPROCS ?= $(shell grep -c ^processor /proc/cpuinfo)
-else
-	NPROCS ?= 1
-endif
-
-ifeq ($(OS),Linux)
-	LINUX_GEN := 3.x
-	LINUX_SRC := linux-3.19
-	LINUX_KERNEL := $(LINUX_SRC)/arch/x86/boot/bzImage
-endif
-
 DIRS = src test regression
 
 .PHONY: all clean
@@ -21,48 +9,13 @@ all clean:
 		$(MAKE) -C $$d $@ || exit $?; \
 	done
 
-.PHONY: linux-kernel
-linux-kernel: $(LINUX_KERNEL)
-
-ifneq ($(LINUX_KERNEL),)
-$(LINUX_KERNEL): $(LINUX_SRC)/Makefile $(LINUX_SRC)/graphene $(LINUX_SRC)/.config
-	$(MAKE) -C $(LINUX_SRC) -j$(NPROCS)
-
-$(LINUX_SRC)/Makefile:
-	[ -f $(LINUX_SRC).tar.gz ] || \
-	wget https://www.kernel.org/pub/linux/kernel/v$(LINUX_GEN)/$(LINUX_SRC).tar.gz
-	tar -xzf $(LINUX_SRC).tar.gz
-	cd $(LINUX_SRC) && patch -p1 < ../$(LINUX_SRC).patch
-
-$(LINUX_SRC)/graphene: linux-kernel/graphene
-	cd $(LINUX_SRC) && ln -s ../linux-kernel/graphene graphene
-
-$(LINUX_SRC)/.config: $(LINUX_SRC)/Makefile
-	cd $(LINUX_SRC) && make menuconfig
-
-kernel_install: kernel
-	$(MAKE) -C $(LINUX_SRC) install modules_install headers_install
-
-linux-deb:
-	if [ ! -f $(LINUX_SRC)/.config ]; then \
-		cp /boot/config-$(shell uname -r) $(LINUX_SRC)/.config && \
-		cd $(LINUX_SRC) && $(MAKE) menuconfig; fi
-	cd $(LINUX_SRC) && \
-	CONCURRENCY_LEVEL=$(NPROCS) make-kpkg --rootcmd fakeroot \
-		--append-to-version -graphene --initrd \
-		kernel_image kernel_headers $(if $(DEBUG),kernel_debug,)
-else
-kernel_install:
-endif
-
 .PHONY: test
 test:
 	$(MAKE) -C test test
 
 .PHONY: format
 format:
-	clang-format -i $(shell find . -path ./linux-kernel -prune -o \
-	                               -path ./lib/crypto/mbedtls -prune -o \
+	clang-format -i $(shell find . -path ./lib/crypto/mbedtls -prune -o \
 	                               -path ./lib/crypto/udivmodti4.c -prune -o \
 	                               -path ./src/host/Linux-SGX/sgx-driver -prune -o \
 	                               -path ./src/security/Linux/bpf-helper.h -prune -o \
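Review bot: The recursive loop body `$(MAKE) -C $$d $@ || exit $?; \` uses a single-dollar `$?`, which Make expands before the shell sees the line (the automatic variable for out-of-date prerequisites, empty for this `all clean:` rule), so the shell actually runs a bare `exit`. That still propagates the failing status only because `exit` with no argument reuses the last command's status; the intent is plainly the shell's `$$?`, matching the already-escaped `$$d` on the same line, i.e. `$(MAKE) -C $$d $@ || exit $$?; \`. The enclosing `all clean:` rule starts before this hunk, so the `for d in $(DIRS)` header is not visible here; the `format` recipe's `find` prune list likewise continues past the last hunk line.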

+ 0 - 748
Pal/linux-3.14.patch

@@ -1,748 +0,0 @@
-diff --git a/Kconfig b/Kconfig
-index c13f48d..e18713e 100644
---- a/Kconfig
-+++ b/Kconfig
-@@ -9,3 +9,4 @@ config SRCARCH
- 	option env="SRCARCH"
- 
- source "arch/$SRCARCH/Kconfig"
-+source "graphene/Kconfig"
-diff --git a/Makefile b/Makefile
-index e5ac8a6..116ac82 100644
---- a/Makefile
-+++ b/Makefile
-@@ -779,7 +779,7 @@ export mod_sign_cmd
- 
- 
- ifeq ($(KBUILD_EXTMOD),)
--core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
-+core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ graphene/
- 
- vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
- 		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-diff --git a/arch/Kconfig b/arch/Kconfig
-index 80bbb8c..ca9f9e7 100644
---- a/arch/Kconfig
-+++ b/arch/Kconfig
-@@ -336,6 +336,10 @@ config SECCOMP_FILTER
- 
- 	  See Documentation/prctl/seccomp_filter.txt for details.
- 
-+# Used by archs to tell that they support SECCOMP_FILTER_JIT
-+config HAVE_SECCOMP_FILTER_JIT
-+	bool
-+
- config HAVE_CC_STACKPROTECTOR
- 	bool
- 	help
-diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
-index 0af5250..0c4dfea 100644
---- a/arch/x86/Kconfig
-+++ b/arch/x86/Kconfig
-@@ -94,6 +94,7 @@ config X86
- 	select GENERIC_CLOCKEVENTS_MIN_ADJUST
- 	select IRQ_FORCED_THREADING
- 	select HAVE_BPF_JIT if X86_64
-+	select HAVE_SECCOMP_FILTER_JIT if X86_64
- 	select HAVE_ARCH_TRANSPARENT_HUGEPAGE
- 	select CLKEVT_I8253
- 	select ARCH_HAVE_NMI_SAFE_CMPXCHG
-@@ -1601,6 +1602,16 @@ config SECCOMP
- 
- 	  If unsure, say Y. Only embedded should say N here.
- 
-+if SECCOMP
-+config SECCOMP_FILTER_JIT
-+	bool "Enable seccomp filter Just In Time compiler"
-+	depends on HAVE_SECCOMP_FILTER_JIT
-+	depends on MODULES
-+	---help---
-+	  Like Berkeley Packet Filter, This option allows kernel to generate a
-+	  native code when seccomp filter is loaded in memory.
-+endif
-+
- source kernel/Kconfig.hz
- 
- config KEXEC
-diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
-index 4ed75dd..5768520 100644
---- a/arch/x86/net/bpf_jit_comp.c
-+++ b/arch/x86/net/bpf_jit_comp.c
-@@ -13,6 +13,7 @@
- #include <linux/filter.h>
- #include <linux/if_vlan.h>
- #include <linux/random.h>
-+#include <asm/syscall.h>
- 
- /*
-  * Conventions :
-@@ -108,9 +109,13 @@ do {								\
- 		goto cond_branch
- 
- 
--#define SEEN_DATAREF 1 /* might call external helpers */
--#define SEEN_XREG    2 /* ebx is used */
--#define SEEN_MEM     4 /* use mem[] for temporary storage */
-+#define SEEN_DATAREF (1 << 0) /* might call external skb helpers */
-+#define SEEN_XREG    (1 << 1) /* ebx is used */
-+#define SEEN_MEM     (1 << 2) /* use mem[] for temporary storage */
-+#define SEEN_SKBREF  (1 << 3) /* use pointer to skb */
-+#define SEEN_SECCOMP (1 << 4) /* seccomp filters */
-+
-+#define NEED_PERILOGUE(_seen) ((_seen) & (SEEN_XREG | SEEN_MEM | SEEN_DATAREF))
- 
- static inline void bpf_flush_icache(void *start, void *end)
- {
-@@ -122,6 +127,25 @@ static inline void bpf_flush_icache(void *start, void *end)
- 	set_fs(old_fs);
- }
- 
-+/* helper to find the offset in struct seccomp_data */
-+#define BPF_DATA(_name) offsetof(struct seccomp_data, _name)
-+
-+/* helper to find the negative offset from the end of struct pt_regs */
-+#define roffsetof(_type, _member) ((int)(offsetof(_type, _member) - sizeof(_type)))
-+#define PT_REGS(_name)  roffsetof(struct pt_regs, _name)
-+
-+#define EMIT_REGS_LOAD(offset)				\
-+do {							\
-+	if (is_imm8(offset)) {				\
-+		/* mov off8(%r8),%eax */		\
-+		EMIT4(0x41, 0x8b, 0x40, offset);	\
-+	} else {					\
-+		/* mov off32(%r8),%eax */		\
-+		EMIT3(0x41, 0x8b, 0x80);		\
-+		EMIT(offset, 4);			\
-+	}						\
-+} while (0)
-+
- #define CHOOSE_LOAD_FUNC(K, func) \
- 	((int)K < 0 ? ((int)K >= SKF_LL_OFF ? func##_negative_offset : func) : func##_positive_offset)
- 
-@@ -178,7 +202,7 @@ static struct bpf_binary_header *bpf_alloc_binary(unsigned int proglen,
- 	return header;
- }
- 
--void bpf_jit_compile(struct sk_filter *fp)
-+static void *__bpf_jit_compile(struct sock_filter *filter, unsigned int flen, u8 seen_all)
- {
- 	u8 temp[64];
- 	u8 *prog;
-@@ -192,15 +216,14 @@ void bpf_jit_compile(struct sk_filter *fp)
- 	int pc_ret0 = -1; /* bpf index of first RET #0 instruction (if any) */
- 	unsigned int cleanup_addr; /* epilogue code offset */
- 	unsigned int *addrs;
--	const struct sock_filter *filter = fp->insns;
--	int flen = fp->len;
-+	void *bpf_func = NULL;
- 
- 	if (!bpf_jit_enable)
--		return;
-+		return bpf_func;
- 
- 	addrs = kmalloc(flen * sizeof(*addrs), GFP_KERNEL);
- 	if (addrs == NULL)
--		return;
-+		return NULL;
- 
- 	/* Before first pass, make a rough estimation of addrs[]
- 	 * each bpf instruction is translated to less than 64 bytes
-@@ -212,12 +235,12 @@ void bpf_jit_compile(struct sk_filter *fp)
- 	cleanup_addr = proglen; /* epilogue address */
- 
- 	for (pass = 0; pass < 10; pass++) {
--		u8 seen_or_pass0 = (pass == 0) ? (SEEN_XREG | SEEN_DATAREF | SEEN_MEM) : seen;
-+		u8 seen_or_pass0 = (pass == 0) ? seen_all : seen;
- 		/* no prologue/epilogue for trivial filters (RET something) */
- 		proglen = 0;
- 		prog = temp;
- 
--		if (seen_or_pass0) {
-+		if (NEED_PERILOGUE(seen_or_pass0)) {
- 			EMIT4(0x55, 0x48, 0x89, 0xe5); /* push %rbp; mov %rsp,%rbp */
- 			EMIT4(0x48, 0x83, 0xec, 96);	/* subq  $96,%rsp	*/
- 			/* note : must save %rbx in case bpf_error is hit */
-@@ -260,6 +283,47 @@ void bpf_jit_compile(struct sk_filter *fp)
- 			}
- 		}
- 
-+#ifdef CONFIG_SECCOMP_FILTER_JIT
-+		/* For seccomp filters, load :
-+		 *  r9  = current
-+		 *  r8  = current->thread.sp0
-+		 *  edi = task_thread_info(current)->status & TS_COMPAT
-+		 *
-+		 * r8 points to the end of struct pt_regs, task_pt_regs(current) + 1
-+		 */
-+		if (seen_or_pass0 & SEEN_SECCOMP) {
-+			/* seccomp filters: skb must be NULL */
-+			if (seen_or_pass0 & (SEEN_SKBREF | SEEN_DATAREF)) {
-+				pr_err_once("seccomp filters shouldn't use skb");
-+				goto out;
-+			}
-+			/* r9 = current */
-+			EMIT1(0x65);EMIT4(0x4c, 0x8b, 0x0c, 0x25); /* mov %gs:imm32,%r9 */
-+			EMIT((u32)(unsigned long)&current_task, 4);
-+
-+			/* r8 = current->thread.sp0 */
-+			EMIT3(0x4d, 0x8b, 0x81); /* mov off32(%r9),%r8 */
-+			EMIT(offsetof(struct task_struct, thread.sp0), 4);
-+
-+			/* edi = task_thread_info(current)->status & TS_COMPAT */
-+#ifdef CONFIG_IA32_EMULATION
-+			/* task_thread_info(current): current->stack */
-+			BUILD_BUG_ON(!is_imm8(offsetof(struct task_struct, stack)));
-+			/* mov off8(%r9),%rdi */
-+			EMIT4(0x49, 0x8b, 0x79, offsetof(struct task_struct, stack));
-+			/* task_thread_info(current)->status */
-+			BUILD_BUG_ON(!is_imm8(offsetof(struct thread_info, status)));
-+			BUILD_BUG_ON(FIELD_SIZEOF(struct thread_info, status) != 4);
-+			/* mov off8(%rdi),%edi */
-+			EMIT3(0x8b, 0x7f, offsetof(struct thread_info, status));
-+			/* task_thread_info(current)->status & TS_COMPAT */
-+			BUILD_BUG_ON(!is_imm8(TS_COMPAT));
-+			/* and imm8,%edi */
-+			EMIT3(0x83, 0xe7, TS_COMPAT);
-+#endif /* CONFIG_IA32_EMULATION */
-+		}
-+#endif /* CONFIG_SECCOMP_FILTER_JIT */
-+
- 		switch (filter[0].code) {
- 		case BPF_S_RET_K:
- 		case BPF_S_LD_W_LEN:
-@@ -272,6 +336,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 		case BPF_S_ANC_VLAN_TAG_PRESENT:
- 		case BPF_S_ANC_QUEUE:
- 		case BPF_S_ANC_PKTTYPE:
-+		case BPF_S_ANC_SECCOMP_LD_W:
- 		case BPF_S_LD_W_ABS:
- 		case BPF_S_LD_H_ABS:
- 		case BPF_S_LD_B_ABS:
-@@ -449,7 +514,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 				}
- 				/* fallinto */
- 			case BPF_S_RET_A:
--				if (seen_or_pass0) {
-+				if (NEED_PERILOGUE(seen_or_pass0)) {
- 					if (i != flen - 1) {
- 						EMIT_JMP(cleanup_addr - addrs[i]);
- 						break;
-@@ -499,6 +564,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 				break;
- 			case BPF_S_LD_W_LEN: /*	A = skb->len; */
- 				BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4);
-+				seen |= SEEN_SKBREF;
- 				if (is_imm8(offsetof(struct sk_buff, len)))
- 					/* mov    off8(%rdi),%eax */
- 					EMIT3(0x8b, 0x47, offsetof(struct sk_buff, len));
-@@ -508,7 +574,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 				}
- 				break;
- 			case BPF_S_LDX_W_LEN: /* X = skb->len; */
--				seen |= SEEN_XREG;
-+				seen |= SEEN_XREG | SEEN_SKBREF;
- 				if (is_imm8(offsetof(struct sk_buff, len)))
- 					/* mov off8(%rdi),%ebx */
- 					EMIT3(0x8b, 0x5f, offsetof(struct sk_buff, len));
-@@ -519,6 +585,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 				break;
- 			case BPF_S_ANC_PROTOCOL: /* A = ntohs(skb->protocol); */
- 				BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, protocol) != 2);
-+				seen |= SEEN_SKBREF;
- 				if (is_imm8(offsetof(struct sk_buff, protocol))) {
- 					/* movzwl off8(%rdi),%eax */
- 					EMIT4(0x0f, 0xb7, 0x47, offsetof(struct sk_buff, protocol));
-@@ -529,6 +596,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 				EMIT2(0x86, 0xc4); /* ntohs() : xchg   %al,%ah */
- 				break;
- 			case BPF_S_ANC_IFINDEX:
-+				seen |= SEEN_SKBREF;
- 				if (is_imm8(offsetof(struct sk_buff, dev))) {
- 					/* movq off8(%rdi),%rax */
- 					EMIT4(0x48, 0x8b, 0x47, offsetof(struct sk_buff, dev));
-@@ -544,6 +612,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 				break;
- 			case BPF_S_ANC_MARK:
- 				BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, mark) != 4);
-+				seen |= SEEN_SKBREF;
- 				if (is_imm8(offsetof(struct sk_buff, mark))) {
- 					/* mov off8(%rdi),%eax */
- 					EMIT3(0x8b, 0x47, offsetof(struct sk_buff, mark));
-@@ -554,6 +623,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 				break;
- 			case BPF_S_ANC_RXHASH:
- 				BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, rxhash) != 4);
-+				seen |= SEEN_SKBREF;
- 				if (is_imm8(offsetof(struct sk_buff, rxhash))) {
- 					/* mov off8(%rdi),%eax */
- 					EMIT3(0x8b, 0x47, offsetof(struct sk_buff, rxhash));
-@@ -564,6 +634,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 				break;
- 			case BPF_S_ANC_QUEUE:
- 				BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, queue_mapping) != 2);
-+				seen |= SEEN_SKBREF;
- 				if (is_imm8(offsetof(struct sk_buff, queue_mapping))) {
- 					/* movzwl off8(%rdi),%eax */
- 					EMIT4(0x0f, 0xb7, 0x47, offsetof(struct sk_buff, queue_mapping));
-@@ -583,6 +654,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 			case BPF_S_ANC_VLAN_TAG:
- 			case BPF_S_ANC_VLAN_TAG_PRESENT:
- 				BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, vlan_tci) != 2);
-+				seen |= SEEN_SKBREF;
- 				if (is_imm8(offsetof(struct sk_buff, vlan_tci))) {
- 					/* movzwl off8(%rdi),%eax */
- 					EMIT4(0x0f, 0xb7, 0x47, offsetof(struct sk_buff, vlan_tci));
-@@ -604,6 +676,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 
- 				if (off < 0)
- 					goto out;
-+				seen |= SEEN_SKBREF;
- 				if (is_imm8(off)) {
- 					/* movzbl off8(%rdi),%eax */
- 					EMIT4(0x0f, 0xb6, 0x47, off);
-@@ -617,7 +690,7 @@ void bpf_jit_compile(struct sk_filter *fp)
- 			}
- 			case BPF_S_LD_W_ABS:
- 				func = CHOOSE_LOAD_FUNC(K, sk_load_word);
--common_load:			seen |= SEEN_DATAREF;
-+common_load:			seen |= SEEN_SKBREF | SEEN_DATAREF;
- 				t_offset = func - (image + addrs[i]);
- 				EMIT1_off32(0xbe, K); /* mov imm32,%esi */
- 				EMIT1_off32(0xe8, t_offset); /* call */
-@@ -630,14 +703,14 @@ common_load:			seen |= SEEN_DATAREF;
- 				goto common_load;
- 			case BPF_S_LDX_B_MSH:
- 				func = CHOOSE_LOAD_FUNC(K, sk_load_byte_msh);
--				seen |= SEEN_DATAREF | SEEN_XREG;
-+				seen |= SEEN_XREG | SEEN_SKBREF | SEEN_DATAREF;
- 				t_offset = func - (image + addrs[i]);
- 				EMIT1_off32(0xbe, K);	/* mov imm32,%esi */
- 				EMIT1_off32(0xe8, t_offset); /* call sk_load_byte_msh */
- 				break;
- 			case BPF_S_LD_W_IND:
- 				func = sk_load_word;
--common_load_ind:		seen |= SEEN_DATAREF | SEEN_XREG;
-+common_load_ind:		seen |= SEEN_XREG | SEEN_SKBREF | SEEN_DATAREF;
- 				t_offset = func - (image + addrs[i]);
- 				if (K) {
- 					if (is_imm8(K)) {
-@@ -725,6 +798,72 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
- 				}
- 				EMIT_COND_JMP(f_op, f_offset);
- 				break;
-+#ifdef CONFIG_SECCOMP_FILTER_JIT
-+			case BPF_S_ANC_SECCOMP_LD_W:
-+				seen |= SEEN_SECCOMP;
-+				if (K == BPF_DATA(nr)) {
-+					/* A = task_pt_regs(current)->orig_ax */
-+					EMIT_REGS_LOAD(PT_REGS(orig_ax));
-+					break;
-+				}
-+				if (K == BPF_DATA(arch)) {
-+					/* A = AUDIT_ARCH_X86_64 */
-+					EMIT1_off32(0xb8, AUDIT_ARCH_X86_64); /* mov imm32,%eax */
-+#ifdef CONFIG_IA32_EMULATION
-+					/* A = compat ? AUDIT_ARCH_I386 : AUDIT_ARCH_X86_64 */
-+					EMIT1_off32(0xb9, AUDIT_ARCH_I386); /* mov imm32,%ecx */
-+					EMIT2(0x85, 0xff); /* test %edi,%edi */
-+					EMIT3(0x0f, 0x45, 0xc1); /* cmovne %ecx,%eax*/
-+#endif /* CONFIG_IA32_EMULATION */
-+					break;
-+				}
-+				if (K >= BPF_DATA(args[0]) && K < BPF_DATA(args[6])) {
-+					int arg = (K - BPF_DATA(args[0])) / sizeof(u64);
-+					int off = K % sizeof(u64);
-+
-+					switch (arg) {
-+					case 0: off += PT_REGS(di); break;
-+					case 1: off += PT_REGS(si); break;
-+					case 2: off += PT_REGS(dx); break;
-+					case 3: off += PT_REGS(r10); break;
-+					case 4: off += PT_REGS(r8); break;
-+					case 5: off += PT_REGS(r9); break;
-+					}
-+					EMIT_REGS_LOAD(off);
-+#ifdef CONFIG_IA32_EMULATION
-+					off = K % sizeof(u64);
-+					switch (arg) {
-+					case 0: off += PT_REGS(bx); break;
-+					case 1: off += PT_REGS(cx); break;
-+					case 2: off += PT_REGS(dx); break;
-+					case 3: off += PT_REGS(si); break;
-+					case 4: off += PT_REGS(di); break;
-+					case 5: off += PT_REGS(bp); break;
-+					}
-+					if (is_imm8(off)) {
-+						/* mov off8(%r8),%ecx */
-+						EMIT4(0x41, 0x8b, 0x48, off);
-+					} else {
-+						/* mov off32(%r8),%ecx */
-+						EMIT3(0x41, 0x8b, 0x88);
-+						EMIT(off, 4);
-+					}
-+					EMIT2(0x85, 0xff); /* test %edi,%edi */
-+					EMIT3(0x0f, 0x45, 0xc1); /* cmovne %ecx,%eax*/
-+#endif /* CONFIG_IA32_EMULATION */
-+					break;
-+				}
-+				if (K == BPF_DATA(instruction_pointer)) {
-+					/* A = task_pt_regs(current)->ip */
-+					EMIT_REGS_LOAD(PT_REGS(ip));
-+					break;
-+				}
-+				if (K == BPF_DATA(instruction_pointer) + sizeof(u32)) {
-+					EMIT_REGS_LOAD(PT_REGS(ip) + 4);
-+					break;
-+				}
-+				goto out;
-+#endif /* CONFIG_SECCOMP_FILTER_JIT */
- 			default:
- 				/* hmm, too complex filter, give up with jit compiler */
- 				goto out;
-@@ -732,10 +871,9 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
- 			ilen = prog - temp;
- 			if (image) {
- 				if (unlikely(proglen + ilen > oldproglen)) {
--					pr_err("bpb_jit_compile fatal error\n");
--					kfree(addrs);
-+					pr_err("bpf_jit_compile fatal error\n");
- 					module_free(NULL, header);
--					return;
-+					goto out;
- 				}
- 				memcpy(image + proglen, temp, ilen);
- 			}
-@@ -747,7 +885,7 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
- 		 * use it to give the cleanup instruction(s) addr
- 		 */
- 		cleanup_addr = proglen - 1; /* ret */
--		if (seen_or_pass0)
-+		if (NEED_PERILOGUE(seen_or_pass0))
- 			cleanup_addr -= 1; /* leaveq */
- 		if (seen_or_pass0 & SEEN_XREG)
- 			cleanup_addr -= 4; /* mov  -8(%rbp),%rbx */
-@@ -771,11 +909,11 @@ cond_branch:			f_offset = addrs[i + filter[i].jf] - addrs[i];
- 	if (image) {
- 		bpf_flush_icache(header, image + proglen);
- 		set_memory_ro((unsigned long)header, header->pages);
--		fp->bpf_func = (void *)image;
-+		bpf_func = (void *)image;
- 	}
- out:
- 	kfree(addrs);
--	return;
-+	return bpf_func;
- }
- 
- static void bpf_jit_free_deferred(struct work_struct *work)
-@@ -798,3 +936,38 @@ void bpf_jit_free(struct sk_filter *fp)
- 		kfree(fp);
- 	}
- }
-+
-+void bpf_jit_compile(struct sk_filter *fp)
-+{
-+	u8 seen_all = SEEN_XREG | SEEN_MEM | SEEN_SKBREF | SEEN_DATAREF;
-+	void *bpf_func = __bpf_jit_compile(fp->insns, fp->len, seen_all);
-+
-+	if (bpf_func)
-+		fp->bpf_func = bpf_func;
-+}
-+
-+#ifdef CONFIG_SECCOMP_FILTER_JIT
-+void seccomp_jit_compile(struct seccomp_filter *fp)
-+{
-+	struct sock_filter *filter = seccomp_filter_get_insns(fp);
-+	unsigned int flen = seccomp_filter_get_len(fp);
-+	u8 seen_all = SEEN_XREG | SEEN_MEM | SEEN_SECCOMP;
-+	void *bpf_func = __bpf_jit_compile(filter, flen, seen_all);
-+
-+	if (bpf_func)
-+		seccomp_filter_set_bpf_func(fp, bpf_func);
-+}
-+
-+void seccomp_jit_free(struct seccomp_filter *fp)
-+{
-+	void *bpf_func = seccomp_filter_get_bpf_func(fp);
-+
-+	if (bpf_func) {
-+		unsigned long addr = (unsigned long)bpf_func & PAGE_MASK;
-+		struct bpf_binary_header *header = (void *)addr;
-+
-+		set_memory_rw(addr, header->pages);
-+		module_free(NULL, header);
-+	}
-+}
-+#endif /* CONFIG_SECCOMP_FILTER_JIT */
-diff --git a/include/linux/miscdevice.h b/include/linux/miscdevice.h
-index 3737f72..f7a4aba 100644
---- a/include/linux/miscdevice.h
-+++ b/include/linux/miscdevice.h
-@@ -3,6 +3,7 @@
- #include <linux/major.h>
- #include <linux/list.h>
- #include <linux/types.h>
-+#include <../graphene/graphene.h>
- 
- /*
-  *	These allocations are managed by device@lanana.org. If you use an
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index a781dec..3381137 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -1161,6 +1161,11 @@ enum perf_event_task_context {
- 	perf_nr_task_contexts,
- };
- 
-+#ifdef CONFIG_GRAPHENE
-+# include <../graphene/graphene.h>
-+struct graphene_struct;
-+#endif
-+
- struct task_struct {
- 	volatile long state;	/* -1 unrunnable, 0 runnable, >0 stopped */
- 	void *stack;
-@@ -1581,6 +1586,11 @@ struct task_struct {
- 	unsigned int	sequential_io;
- 	unsigned int	sequential_io_avg;
- #endif
-+
-+#ifdef CONFIG_GRAPHENE
-+	/* for graphene tasks */
-+	struct graphene_struct *graphene; /* structure to store graphene info */
-+#endif
- };
- 
- /* Future-safe accessor for struct task_struct's cpus_allowed. */
-diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
-index 6f19cfd..ed258f4 100644
---- a/include/linux/seccomp.h
-+++ b/include/linux/seccomp.h
-@@ -77,6 +77,14 @@ static inline int seccomp_mode(struct seccomp *s)
- extern void put_seccomp_filter(struct task_struct *tsk);
- extern void get_seccomp_filter(struct task_struct *tsk);
- extern u32 seccomp_bpf_load(int off);
-+#ifdef CONFIG_SECCOMP_FILTER_JIT
-+struct sock_filter *seccomp_filter_get_insns(struct seccomp_filter *);
-+unsigned int seccomp_filter_get_len(struct seccomp_filter *);
-+void *seccomp_filter_get_bpf_func(struct seccomp_filter *);
-+void seccomp_filter_set_bpf_func(struct seccomp_filter *, void *);
-+void seccomp_jit_compile(struct seccomp_filter *fp);
-+void seccomp_jit_free(struct seccomp_filter *fp);
-+#endif
- #else  /* CONFIG_SECCOMP_FILTER */
- static inline void put_seccomp_filter(struct task_struct *tsk)
- {
-diff --git a/kernel/fork.c b/kernel/fork.c
-index a17621c..41d5958 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -11,6 +11,7 @@
-  * management can be a bitch. See 'mm/memory.c': 'copy_page_range()'
-  */
- 
-+#include <linux/version.h>
- #include <linux/slab.h>
- #include <linux/init.h>
- #include <linux/unistd.h>
-@@ -84,6 +85,10 @@
- #define CREATE_TRACE_POINTS
- #include <trace/events/task.h>
- 
-+#ifdef CONFIG_GRAPHENE
-+# include <../graphene/graphene.h>
-+#endif
-+
- /*
-  * Protected counters by write_lock_irq(&tasklist_lock)
-  */
-@@ -242,6 +247,10 @@ void __put_task_struct(struct task_struct *tsk)
- 	delayacct_tsk_free(tsk);
- 	put_signal_struct(tsk->signal);
- 
-+#ifdef CONFIG_GRAPHENE
-+	put_graphene_struct(tsk);
-+#endif
-+
- 	if (!profile_handoff_task(tsk))
- 		free_task(tsk);
- }
-@@ -322,6 +331,16 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
- 	tsk->stack_canary = get_random_int();
- #endif
- 
-+#ifdef CONFIG_GRAPHENE
-+	err = dup_graphene_struct(tsk);
-+	if (err)
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)
-+		goto free_ti;
-+#else
-+		goto out;
-+#endif
-+#endif
-+
- 	/*
- 	 * One for us, one for whoever does the "release_task()" (usually
- 	 * parent)
-diff --git a/kernel/seccomp.c b/kernel/seccomp.c
-index b7a1004..5def696 100644
---- a/kernel/seccomp.c
-+++ b/kernel/seccomp.c
-@@ -55,9 +55,34 @@ struct seccomp_filter {
- 	atomic_t usage;
- 	struct seccomp_filter *prev;
- 	unsigned short len;  /* Instruction count */
-+#ifdef CONFIG_SECCOMP_FILTER_JIT
-+	void *bpf_func;
-+#endif
- 	struct sock_filter insns[];
- };
- 
-+#ifdef CONFIG_SECCOMP_FILTER_JIT
-+struct sock_filter *seccomp_filter_get_insns(struct seccomp_filter *fp)
-+{
-+	return fp->insns;
-+}
-+
-+unsigned int seccomp_filter_get_len(struct seccomp_filter *fp)
-+{
-+	return fp->len;
-+}
-+
-+void *seccomp_filter_get_bpf_func(struct seccomp_filter *fp)
-+{
-+	return fp->bpf_func;
-+}
-+
-+void seccomp_filter_set_bpf_func(struct seccomp_filter *fp, void *bpf_func)
-+{
-+	fp->bpf_func = bpf_func;
-+}
-+#endif
-+
- /* Limit any path through the tree to 256KB worth of instructions. */
- #define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
- 
-@@ -213,7 +238,16 @@ static u32 seccomp_run_filters(int syscall)
- 	 * value always takes priority (ignoring the DATA).
- 	 */
- 	for (f = current->seccomp.filter; f; f = f->prev) {
--		u32 cur_ret = sk_run_filter(NULL, f->insns);
-+		u32 cur_ret;
-+#ifdef CONFIG_SECCOMP_FILTER_JIT
-+		void * bpf_func = seccomp_filter_get_bpf_func(f);
-+		if (bpf_func)
-+			cur_ret = (*(unsigned int (*)(const struct sk_buff *,
-+					const struct sock_filter *))
-+					bpf_func) (NULL, f->insns);
-+		else
-+#endif
-+			cur_ret = sk_run_filter(NULL, f->insns);
- 		if ((cur_ret & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION))
- 			ret = cur_ret;
- 	}
-@@ -275,6 +309,10 @@ static long seccomp_attach_filter(struct sock_fprog *fprog)
- 	if (ret)
- 		goto fail;
- 
-+#ifdef CONFIG_SECCOMP_FILTER_JIT
-+	seccomp_jit_compile(filter);
-+#endif
-+
- 	/*
- 	 * If there is an existing filter, make it the prev and don't drop its
- 	 * task reference.
-@@ -332,6 +370,9 @@ void put_seccomp_filter(struct task_struct *tsk)
- 	while (orig && atomic_dec_and_test(&orig->usage)) {
- 		struct seccomp_filter *freeme = orig;
- 		orig = orig->prev;
-+#ifdef CONFIG_SECCOMP_FILTER_JIT
-+		seccomp_jit_free(freeme);
-+#endif
- 		kfree(freeme);
- 	}
- }
-diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 4257b7e..b21c19d 100644
---- a/security/apparmor/lsm.c
-+++ b/security/apparmor/lsm.c
-@@ -36,6 +36,10 @@
- #include "include/policy.h"
- #include "include/procattr.h"
- 
-+#ifdef CONFIG_GRAPHENE
-+# include <../graphene/graphene.h>
-+#endif
-+
- /* Flag indicating whether initialization completed */
- int apparmor_initialized __initdata;
- 
-@@ -165,6 +169,12 @@ static int common_perm(int op, struct path *path, u32 mask,
- 	struct aa_profile *profile;
- 	int error = 0;
- 
-+#ifdef CONFIG_GRAPHENE
-+	if (GRAPHENE_ENABLED() &&
-+	    (error = graphene_common_perm(op, path, mask)))
-+		return error;
-+#endif
-+
- 	profile = __aa_current_profile();
- 	if (!unconfined(profile))
- 		error = aa_path_perm(op, profile, path, 0, mask, cond);
-@@ -377,6 +387,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
- {
- 	struct aa_file_cxt *fcxt = file->f_security;
- 	struct aa_profile *profile;
-+	u32 mask;
- 	int error = 0;
- 
- 	if (!mediated_filesystem(file_inode(file)))
-@@ -388,10 +399,21 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
- 	 * actually execute the image.
- 	 */
- 	if (current->in_execve) {
-+#ifdef CONFIG_GRAPHENE
-+		if (GRAPHENE_ENABLED() && (error = graphene_execve_open(file)))
-+			return error;
-+#endif
- 		fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
- 		return 0;
- 	}
- 
-+#ifdef CONFIG_GRAPHENE
-+	mask = aa_map_file_to_perms(file);
-+	if (GRAPHENE_ENABLED() &&
-+	    (error = graphene_common_perm(OP_OPEN, &file->f_path, mask)))
-+		return error;
-+#endif
-+
- 	profile = aa_cred_profile(cred);
- 	if (!unconfined(profile)) {
- 		struct inode *inode = file_inode(file);
-@@ -647,6 +669,14 @@ static struct security_operations apparmor_ops = {
- 	.getprocattr =			apparmor_getprocattr,
- 	.setprocattr =			apparmor_setprocattr,
- 
-+#ifdef CONFIG_GRAPHENE
-+	.socket_bind =			graphene_socket_bind,
-+	.socket_listen =		graphene_socket_listen,
-+	.socket_connect =		graphene_socket_connect,
-+	.socket_sendmsg =		graphene_socket_sendmsg,
-+	.socket_recvmsg =		graphene_socket_recvmsg,
-+#endif
-+
- 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
- 	.cred_free =			apparmor_cred_free,
- 	.cred_prepare =			apparmor_cred_prepare,
-@@ -658,6 +688,10 @@ static struct security_operations apparmor_ops = {
- 	.bprm_secureexec =		apparmor_bprm_secureexec,
- 
- 	.task_setrlimit =		apparmor_task_setrlimit,
-+
-+#ifdef CONFIG_GRAPHENE
-+	.task_kill =			graphene_task_kill,
-+#endif
- };
- 
- /*

+ 0 - 222
Pal/linux-3.19.patch

@@ -1,222 +0,0 @@
-diff --git a/Kconfig b/Kconfig
-index c13f48d..e18713e 100644
---- a/Kconfig
-+++ b/Kconfig
-@@ -9,3 +9,4 @@ config SRCARCH
- 	option env="SRCARCH"
- 
- source "arch/$SRCARCH/Kconfig"
-+source "graphene/Kconfig"
-diff --git a/Makefile b/Makefile
-index e5ac8a6..116ac82 100644
---- a/Makefile
-+++ b/Makefile
-@@ -779,7 +779,7 @@ export mod_sign_cmd
- 
- 
- ifeq ($(KBUILD_EXTMOD),)
--core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
-+core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ graphene/
- 
- vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
- 		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
-diff --git a/include/linux/miscdevice.h b/include/linux/miscdevice.h
-index 3737f72..f7a4aba 100644
---- a/include/linux/miscdevice.h
-+++ b/include/linux/miscdevice.h
-@@ -3,6 +3,7 @@
- #include <linux/major.h>
- #include <linux/list.h>
- #include <linux/types.h>
-+#include <../graphene/graphene.h>
- 
- /*
-  *	These allocations are managed by device@lanana.org. If you use an
-diff --git a/include/linux/sched.h b/include/linux/sched.h
-index a781dec..3381137 100644
---- a/include/linux/sched.h
-+++ b/include/linux/sched.h
-@@ -1161,6 +1161,11 @@ enum perf_event_task_context {
- 	perf_nr_task_contexts,
- };
- 
-+#ifdef CONFIG_GRAPHENE
-+# include <../graphene/graphene.h>
-+struct graphene_struct;
-+#endif
-+
- struct task_struct {
- 	volatile long state;	/* -1 unrunnable, 0 runnable, >0 stopped */
- 	void *stack;
-@@ -1581,6 +1586,11 @@ struct task_struct {
- 	unsigned int	sequential_io;
- 	unsigned int	sequential_io_avg;
- #endif
-+
-+#ifdef CONFIG_GRAPHENE
-+	/* for graphene tasks */
-+	struct graphene_struct *graphene; /* structure to store graphene info */
-+#endif
- };
- 
- /* Future-safe accessor for struct task_struct's cpus_allowed. */
-diff --git a/kernel/fork.c b/kernel/fork.c
-index a17621c..41d5958 100644
---- a/kernel/fork.c
-+++ b/kernel/fork.c
-@@ -11,6 +11,7 @@
-  * management can be a bitch. See 'mm/memory.c': 'copy_page_range()'
-  */
- 
-+#include <linux/version.h>
- #include <linux/slab.h>
- #include <linux/init.h>
- #include <linux/unistd.h>
-@@ -84,6 +85,10 @@
- #define CREATE_TRACE_POINTS
- #include <trace/events/task.h>
- 
-+#ifdef CONFIG_GRAPHENE
-+# include <../graphene/graphene.h>
-+#endif
-+
- /*
-  * Protected counters by write_lock_irq(&tasklist_lock)
-  */
-@@ -242,6 +247,10 @@ void __put_task_struct(struct task_struct *tsk)
- 	delayacct_tsk_free(tsk);
- 	put_signal_struct(tsk->signal);
- 
-+#ifdef CONFIG_GRAPHENE
-+	put_graphene_struct(tsk);
-+#endif
-+
- 	if (!profile_handoff_task(tsk))
- 		free_task(tsk);
- }
-@@ -322,6 +331,16 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
- 	tsk->stack_canary = get_random_int();
- #endif
- 
-+#ifdef CONFIG_GRAPHENE
-+	err = dup_graphene_struct(tsk);
-+	if (err)
-+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)
-+		goto free_ti;
-+#else
-+		goto out;
-+#endif
-+#endif
-+
- 	/*
- 	 * One for us, one for whoever does the "release_task()" (usually
- 	 * parent)
-diff -ruNp linux-3.19/mm/mmap.c linux-3.19.new/mm/mmap.c
---- linux-3.19/mm/mmap.c	2015-02-08 21:54:22.000000000 -0500
-+++ linux-3.19.new/mm/mmap.c	2016-08-23 22:15:18.387511888 -0400
-@@ -2000,6 +2000,10 @@ arch_get_unmapped_area_topdown(struct fi
- }
- #endif
- 
-+#ifdef CONFIG_GRAPHENE
-+# include <../graphene/graphene.h>
-+#endif
-+
- unsigned long
- get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
- 		unsigned long pgoff, unsigned long flags)
-@@ -2018,6 +2022,10 @@ get_unmapped_area(struct file *file, uns
- 	get_area = current->mm->get_unmapped_area;
- 	if (file && file->f_op->get_unmapped_area)
- 		get_area = file->f_op->get_unmapped_area;
-+#ifdef CONFIG_GRAPHENE
-+	if (file && current->in_execve && GRAPHENE_ENABLED())
-+		get_area = graphene_execve_get_area;
-+#endif
- 	addr = get_area(file, addr, len, pgoff, flags);
- 	if (IS_ERR_VALUE(addr))
- 		return addr;
-diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 4257b7e..b21c19d 100644
---- a/security/apparmor/lsm.c
-+++ b/security/apparmor/lsm.c
-@@ -36,6 +36,10 @@
- #include "include/policy.h"
- #include "include/procattr.h"
- 
-+#ifdef CONFIG_GRAPHENE
-+# include <../graphene/graphene.h>
-+#endif
-+
- /* Flag indicating whether initialization completed */
- int apparmor_initialized __initdata;
- 
-@@ -165,6 +169,12 @@ static int common_perm(int op, struct path *path, u32 mask,
- 	struct aa_profile *profile;
- 	int error = 0;
- 
-+#ifdef CONFIG_GRAPHENE
-+	if (GRAPHENE_ENABLED() &&
-+	    (error = graphene_common_perm(op, path, mask)))
-+		return error;
-+#endif
-+
- 	profile = __aa_current_profile();
- 	if (!unconfined(profile))
- 		error = aa_path_perm(op, profile, path, 0, mask, cond);
-@@ -377,6 +387,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
- {
- 	struct aa_file_cxt *fcxt = file->f_security;
- 	struct aa_profile *profile;
-+	u32 mask;
- 	int error = 0;
- 
- 	if (!mediated_filesystem(file_inode(file)))
-@@ -388,10 +399,21 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
- 	 * actually execute the image.
- 	 */
- 	if (current->in_execve) {
-+#ifdef CONFIG_GRAPHENE
-+		if (GRAPHENE_ENABLED() && (error = graphene_execve_open(file)))
-+			return error;
-+#endif
- 		fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
- 		return 0;
- 	}
- 
-+#ifdef CONFIG_GRAPHENE
-+	mask = aa_map_file_to_perms(file);
-+	if (GRAPHENE_ENABLED() &&
-+	    (error = graphene_common_perm(OP_OPEN, &file->f_path, mask)))
-+		return error;
-+#endif
-+
- 	profile = aa_cred_profile(cred);
- 	if (!unconfined(profile)) {
- 		struct inode *inode = file_inode(file);
-@@ -647,6 +669,14 @@ static struct security_operations apparmor_ops = {
- 	.getprocattr =			apparmor_getprocattr,
- 	.setprocattr =			apparmor_setprocattr,
- 
-+#ifdef CONFIG_GRAPHENE
-+	.socket_bind =			graphene_socket_bind,
-+	.socket_listen =		graphene_socket_listen,
-+	.socket_connect =		graphene_socket_connect,
-+	.socket_sendmsg =		graphene_socket_sendmsg,
-+	.socket_recvmsg =		graphene_socket_recvmsg,
-+#endif
-+
- 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
- 	.cred_free =			apparmor_cred_free,
- 	.cred_prepare =			apparmor_cred_prepare,
-@@ -658,6 +688,10 @@ static struct security_operations apparmor_ops = {
- 	.bprm_secureexec =		apparmor_bprm_secureexec,
- 
- 	.task_setrlimit =		apparmor_task_setrlimit,
-+
-+#ifdef CONFIG_GRAPHENE
-+	.task_kill =			graphene_task_kill,
-+#endif
- };
- 
- /*

+ 0 - 17
Pal/linux-kernel/graphene/Kconfig

@@ -1,17 +0,0 @@
-menuconfig GRAPHENE
-	bool "Graphene support (EXPERIMENTAL)"
-	default y
-
-if GRAPHENE
-	config GRAPHENE_ISOLATE
-		bool "Graphene isolation support (EXPERIMENTAL)"
-		default y
-
-	config GRAPHENE_BULK_IPC
-		tristate "Graphene bulk IPC support (EXPERIMENTAL)"
-		default y
-
-	config GRAPHENE_DEBUG
-		bool "Graphene debug feature (EXPERIMENTAL)"
-		default n
-endif

+ 0 - 2
Pal/linux-kernel/graphene/Makefile

@@ -1,2 +0,0 @@
-obj-$(CONFIG_GRAPHENE) += graphene.o
-obj-$(CONFIG_GRAPHENE_BULK_IPC) += graphene-ipc.o

+ 0 - 1
Pal/linux-kernel/graphene/graphene-ipc.c

@@ -1 +0,0 @@
-../../ipc/linux/graphene-ipc.c

+ 0 - 1
Pal/linux-kernel/graphene/graphene-ipc.h

@@ -1 +0,0 @@
-../../ipc/linux/graphene-ipc.h

+ 0 - 1529
Pal/linux-kernel/graphene/graphene.c

@@ -1,1529 +0,0 @@
-/*
- *  linux/graphene/graphene.c
- *
- *  Copyright (C) 2013-, Chia-Che Tsai, Bhushan Jain and Donald Porter
- *
- *  Manage the graphene information and security policies.
- */
-
-#include <linux/version.h>
-#include <linux/slab.h>
-#include <linux/sched.h>
-#include <linux/fs.h>
-#include <linux/file.h>
-#include <linux/fs_struct.h>
-#include <linux/fdtable.h>
-#include <linux/namei.h>
-#include <linux/dcache.h>
-#include <linux/mount.h>
-#include <linux/rcupdate.h>
-#include <linux/uaccess.h>
-#include <linux/un.h>
-#include <linux/net.h>
-#include <linux/atomic.h>
-#include <net/sock.h>
-#include <net/inet_sock.h>
-#include <net/tcp_states.h>
-#include <linux/pipe_fs_i.h>
-#include <../fs/internal.h>
-#include <../security/apparmor/include/audit.h>
-#include "graphene.h"
-#include "graphene-ipc.h"
-
-static atomic64_t unix_prefix_counter	= ATOMIC64_INIT(1);
-static atomic64_t gipc_session		= ATOMIC64_INIT(1);;
-
-int dup_graphene_struct(struct task_struct *tsk)
-{
-	struct graphene_struct *gs, *new;
-	struct graphene_info *gi;
-
-	if (!(tsk->graphene))
-		return 0;
-
-	if (tsk->group_leader != tsk) {
-		atomic_inc(&tsk->graphene->g_count);
-		return 0;
-	}
-
-	gs = tsk->graphene;
-	new = kmalloc(sizeof(struct graphene_struct), GFP_KERNEL);
-	if (!new)
-		return -ENOMEM;
-
-	spin_lock(&gs->g_lock);
-	gi = gs->g_info;
-	atomic_inc(&gi->gi_count);
-	new->g_info = gi;
-	spin_unlock(&gs->g_lock);
-
-	atomic_set(&new->g_count, 1);
-	spin_lock_init(&new->g_lock);
-	tsk->graphene = new;
-
-	return 0;
-}
-
-static void drop_graphene_info(struct graphene_info *info)
-{
-	struct graphene_path *p, *n;
-	int i;
-
-	list_for_each_entry_safe(p, n, &info->gi_paths, list) {
-		path_put(&p->path);
-		kfree(p);
-	}
-
-	list_for_each_entry_safe(p, n, &info->gi_rpaths, list) {
-		path_put(&p->path);
-		kfree(p);
-	}
-
-	if (info->gi_libexec.dentry)
-		path_put(&info->gi_libexec);
-
-	for (i = 0 ; i < 3 && info->gi_console[i].mnt ; i++)
-		path_put(&info->gi_console[i]);
-
-	if (info->gi_mcast_sock)
-		fput(info->gi_mcast_sock);
-
-	kfree(info);
-}
-
-static void put_graphene_info(struct graphene_info *info)
-{
-	if (!atomic_dec_return(&info->gi_count))
-		drop_graphene_info(info);
-}
-
-void put_graphene_struct(struct task_struct *tsk)
-{
-	struct graphene_struct *gs = tsk->graphene;
-	if (gs) {
-		tsk->graphene = NULL;
-		if (atomic_dec_return(&gs->g_count))
-			return;
-		put_graphene_info(gs->g_info);
-		kfree(gs);
-	}
-}
-
-static inline
-struct graphene_info *get_graphene_info(struct graphene_struct *gs)
-{
-	struct graphene_info *info;
-	if (!gs)
-		return NULL;
-	rcu_read_lock();
-	info = rcu_dereference_check(gs->g_info,
-				     lockdep_is_held(&gs->g_lock) ||
-				     atomic_read(&gs->g_count) == 1 ||
-				     rcu_my_thread_group_empty());
-	rcu_read_unlock();
-	return info;
-}
-
-#if 0
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
-# define FILE_INODE(file) ((file)->f_inode)
-#else
-# define FILE_INODE(file) ((file)->f_dentry->d_inode)
-#endif
-
-static loff_t graphene_lib_llseek(struct file *file, loff_t offset, int origin)
-{
-	struct inode *inode = FILE_INODE(file);
-
-	if (!inode)
-		return -EINVAL;
-	if (!inode->i_fop || !inode->i_fop->llseek)
-		return -EINVAL;
-
-	return inode->i_fop->llseek(file, offset, origin);
-}
-
-static ssize_t graphene_lib_read (struct file *file, char __user *buf,
-				  size_t len, loff_t *ppos)
-{
-	struct inode *inode = FILE_INODE(file);
-	const struct file_operations *fops;
-
-	if (!inode)
-		return -EINVAL;
-
-	fops = fops_get(inode->i_fop);
-	if (unlikely(!fops))
-		return -EINVAL;
-
-	return inode->i_fop->read(file, buf, len, ppos);
-}
-
-static ssize_t graphene_lib_aio_read (struct kiocb *iocb, const struct iovec *iov,
-				      unsigned long nr_segs, loff_t pos)
-{
-	struct inode *inode = FILE_INODE(iocb->ki_filp);
-
-	if (!inode)
-		return -EINVAL;
-	if (!inode->i_fop || !inode->i_fop->aio_read)
-		return -EINVAL;
-
-	return inode->i_fop->aio_read(iocb, iov, nr_segs, pos);
-}
-
-static int graphene_lib_mmap(struct file *file, struct vm_area_struct *vma)
-{
-	struct inode *inode = FILE_INODE(file);
-
-	if (!inode)
-		return -EINVAL;
-	if (!inode->i_fop || !inode->i_fop->mmap)
-		return -EINVAL;
-
-	return inode->i_fop->mmap(file, vma);
-}
-
-static int graphene_lib_release(struct inode *inode, struct file *file)
-{
-	if (!inode)
-		return -EINVAL;
-	if (!inode->i_fop || !inode->i_fop->release)
-		return -EINVAL;
-	return inode->i_fop->release(inode, file);
-}
-#endif
-
-#define DEFINE_PATH_BUFFER(kpath, max) char* kpath; int max;
-
-#define GET_PATH_BUFFER(kpath, max)					\
-	kpath = __getname();						\
-	max = PATH_MAX;
-
-
-#define DEFINE_PATH(dp, path, kpath, max)				\
-	DEFINE_PATH_BUFFER(kpath, max)					\
-	char *dp;							\
-	GET_PATH_BUFFER(kpath, max)					\
-	dp = d_path(path, kpath, max);
-
-#define PUT_PATH_BUFFER(kpath) __putname(kpath);
-
-#if 0
-static unsigned long
-graphene_lib_get_area(struct file *file, unsigned long addr, unsigned long len,
-		      unsigned long pgoff, unsigned long flags)
-{
-	struct task_struct *current_tsk = current;
-	struct graphene_info *gi = get_graphene_info(current_tsk->graphene);
-	struct inode *inode = FILE_INODE(file);
-	unsigned long (*get_area) (struct file *, unsigned long, unsigned long,
-				   unsigned long, unsigned long);
-
-	if (!inode)
-		return -EINVAL;
-
-	if (gi->gi_libaddr) {
-		if (!path_equal(&file->f_path, &gi->gi_libexec))
-			BUG();
-
-		if (!addr)
-			addr = gi->gi_libaddr + pgoff * PAGE_SIZE;
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-		{
-			DEFINE_PATH(dp, &file->f_path, kpath, max)
-			if (!IS_ERR(dp))
-				printk(KERN_INFO "Graphene: PID %d MAP FILE %s"
-				       " OFF 0x%08lx AT 0x%016lx\n",
-				       current->pid, dp,
-				       pgoff * PAGE_SIZE, addr);
-			PUT_PATH_BUFFER(kpath)
-		}
-#endif
-		return addr;
-	}
-
-	get_area = (inode->i_fop && inode->i_fop->get_unmapped_area) ?
-		   inode->i_fop->get_unmapped_area :
-		   current_tsk->mm->get_unmapped_area;
-
-	return get_area(file, addr, len, pgoff, flags);
-}
-
-/* These are file oprations required for execve */
-static struct file_operations graphene_lib_operations = {
-	.llseek			= graphene_lib_llseek,
-	.read			= graphene_lib_read,
-	.aio_read		= graphene_lib_aio_read,
-	.mmap			= graphene_lib_mmap,
-	.get_unmapped_area	= graphene_lib_get_area,
-	.release		= graphene_lib_release,
-};
-#endif
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-static void print_path(const char * fmt, struct path *path)
-{
-	DEFINE_PATH(dp, path, kpath, max)
-	if (!IS_ERR(dp))
-		printk(fmt, current->pid, IS_ERR(dp) ? "(unknown)" : dp);
-	PUT_PATH_BUFFER(kpath)
-}
-#else
-# define print_path(...) do {} while (0)
-#endif
-
-int graphene_execve_open(struct file *file)
-{
-	struct task_struct *current_tsk = current;
-	struct graphene_info *gi = get_graphene_info(current_tsk->graphene);
-
-	if (!current_tsk->in_execve)
-		BUG();
-
-	if (!path_equal(&file->f_path, &gi->gi_libexec)) {
-		print_path(KERN_INFO "Graphene: DENY EXEC PID %d PATH %s\n",
-			   &file->f_path);
-		return -EPERM;
-	}
-
-	if (!gi->gi_libaddr)
-		goto accepted;
-
-	//file->f_op = &graphene_lib_operations;
-accepted:
-	print_path(KERN_INFO "Graphene: ALLOW EXEC PID %d PATH %s\n",
-		   &file->f_path);
-	return 0;
-}
-
-unsigned long
-graphene_execve_get_area(struct file *file, unsigned long addr,
-			 unsigned long len, unsigned long pgoff,
-			 unsigned long flags)
-{
-	unsigned long (*get_area) (struct file *, unsigned long, unsigned long,
-				   unsigned long, unsigned long);
-
-	struct task_struct *current_tsk = current;
-	struct graphene_info *gi = get_graphene_info(current_tsk->graphene);
-
-	BUG_ON(!file);
-
-	if (gi->gi_libaddr) {
-		if (!addr)
-			addr = gi->gi_libaddr + pgoff * PAGE_SIZE;
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-		{
-			DEFINE_PATH(dp, &file->f_path, kpath, max)
-			if (!IS_ERR(dp))
-				printk(KERN_INFO "Graphene: PID %d MAP FILE %s"
-				       " OFF 0x%08lx AT 0x%016lx\n",
-				       current->pid, dp,
-				       pgoff * PAGE_SIZE, addr);
-			PUT_PATH_BUFFER(kpath)
-		}
-#endif
-		return addr;
-	}
-
-	get_area = current_tsk->mm->get_unmapped_area;
-	if (file->f_op->get_unmapped_area)
-		get_area = file->f_op->get_unmapped_area;
-
-	return get_area(file, addr, len, pgoff, flags);
-}
-
-static int graphene_check_path(struct graphene_info *gi, int op, u32 mask,
-			       struct path *path, struct graphene_path *gp,
-			       int is_recursive)
-{
-	if (!path_equal(path, &gp->path))
-		return 0;
-
-	if (mask & (MAY_READ|MAY_EXEC|MAY_ACCESS|
-		    AA_MAY_META_READ|AA_EXEC_MMAP|AA_MAY_LINK)) {
-		if (!(gp->type & GRAPHENE_FS_READ))
-			return -EPERM;
-	}
-
-	if (mask & (MAY_WRITE|MAY_APPEND|
-		    AA_MAY_CREATE|AA_MAY_DELETE|AA_MAY_META_WRITE|
-		    AA_MAY_CHMOD|AA_MAY_CHOWN)) {
-		if (!(gp->type & GRAPHENE_FS_WRITE))
-			return -EPERM;
-	}
-
-	return 1;
-}
-
-static int __common_perm(struct graphene_info *gi, int op, struct path *target,
-			 u32 mask)
-{
-	struct graphene_path *p;
-	struct path root, path = *target;
-	struct qstr last;
-	int rv = 0, i;
-
-	BUG_ON(!path.dentry);
-	path_get(&path);
-
-	for (i = 0; i < 3 && gi->gi_console[i].mnt; i++)
-		if (path_equal(target, &gi->gi_console[i]))
-			goto out;
-
-	if (op == OP_OPEN) {
-		int minor = iminor(path.dentry->d_inode);
-		if (minor == GRAPHENE_MINOR)
-			goto out;
-		if (minor == GIPC_MINOR)
-			goto out;
-	}
-
-	rcu_read_lock();
-
-	list_for_each_entry_rcu(p, &gi->gi_paths, list) {
-		rv = graphene_check_path(gi, op, mask, &path, p, 0);
-		if (rv)
-			goto out;
-	}
-
-	if (gi->gi_libexec.mnt && path_equal(&path, &gi->gi_libexec)) {
-		rv = 0;
-		goto out;
-	}
-
-	get_fs_root(current->fs, &root);
-	last.len = 0;
-
-	while (!path_equal(&path, &root)) {
-		int is_recursive = 0;
-
-		list_for_each_entry_rcu(p, &gi->gi_rpaths, list) {
-			rv = graphene_check_path(gi, op, mask, &path, p,
-						 is_recursive);
-			if (rv)
-				goto out_root;
-		}
-
-		last = path.dentry->d_name;
-		while(1) {
-			struct dentry *old = path.dentry;
-
-			if (path_equal(&path, &root))
-				break;
-
-			if (path.dentry != path.mnt->mnt_root) {
-				path.dentry = dget_parent(path.dentry);
-				dput(old);
-				break;
-			}
-
-			if (!follow_up(&path))
-				break;
-		}
-		is_recursive = 1;
-	}
-
-	rv = -EPERM;
-out_root:
-	path_put(&root);
-out:
-	rcu_read_unlock();
-	path_put(&path);
-	if (rv >= 0) {
-		rv = 0;
-		print_path(KERN_INFO "Graphene: ALLOW PID %d PATH %s\n",
-			   target);
-	} else {
-		print_path(KERN_INFO "Graphene: DENY PID %d PATH %s\n",
-			   target);
-	}
-	return rv;
-}
-
-int graphene_common_perm(int op, struct path *path, u32 mask)
-{
-	struct graphene_info *gi = get_graphene_info(current->graphene);
-
-	if (!gi)
-		return 0;
-
-	return __common_perm(gi, op, path, mask);
-}
-
-static int __unix_perm(struct sockaddr *address, int addrlen)
-{
-	struct graphene_info *gi = get_graphene_info(current->graphene);
-	const char * sun_path =
-		((struct sockaddr_un *) address)->sun_path;
-
-	if (!gi->gi_unix[1])
-		return -EPERM;
-
-	if (!memcmp(sun_path, gi->gi_unix, sizeof(gi->gi_unix)))
-		return 0;
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-	printk(KERN_INFO "Graphene: DENY PID %d SOCKET %s\n",
-	       current->pid, sun_path);
-#endif
-	return -EPERM;
-}
-
-static int net_cmp(int family, bool addr_any, bool port_any,
-		   struct graphene_net_addr *ga,
-		   struct sockaddr *addr, int addrlen)
-{
-	switch(family) {
-	case AF_INET: {
-		struct sockaddr_in *a = (void *) addr;
-
-		if (!addr_any) {
-			if (a->sin_addr.s_addr != ga->addr.sin_addr.s_addr)
-				return 1;
-		}
-		if (!port_any) {
-			unsigned short port = ntohs(a->sin_port);
-			if (!(port >= ga->port_begin && port <= ga->port_end))
-				return 1;
-		}
-
-		break;
-	}
-#ifdef CONFIG_IPV6
-	case AF_INET6: {
-		struct sockaddr_in6 *a6 = (void *) addr;
-
-		if (!addr_any) {
-			if (memcmp(&a6->sin6_addr, &ga->addr.sin6_addr,
-				   sizeof(struct in6_addr)))
-				return 1;
-		}
-		if (!port_any) {
-			unsigned short port = ntohs(a6->sin6_port);
-			if (!(port >= ga->port_begin && port <= ga->port_end))
-				return 1;
-		}
-
-		break;
-	}
-#endif
-	}
-
-	return 0;
-}
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-static void print_net(int allow, int family, int op, struct sockaddr *addr,
-		      int addrlen)
-{
-	const char *allow_str = allow ? "ALLOW" : "DENY";
-	const char *op_str = "UNKNOWN OP";
-
-	switch(op) {
-		case OP_BIND:		op_str = "BIND";	break;
-		case OP_LISTEN:		op_str = "LISTEN";	break;
-		case OP_CONNECT:	op_str = "CONNECT";	break;
-		case OP_SENDMSG:	op_str = "SENDMSG";	break;
-		case OP_RECVMSG:	op_str = "RECVMSG";	break;
-	}
-
-	if (!addr) {
-		printk(KERN_INFO "Graphene: %s %s PID %d SOCKET\n",
-		       allow_str, op_str, current->pid);
-		return;
-	}
-
-	switch(family) {
-	case AF_INET: {
-		struct sockaddr_in *a = (void *) addr;
-		u8 *a1 = (u8 *) &a->sin_addr.s_addr;
-
-		printk(KERN_INFO "Graphene: %s %s PID %d SOCKET "
-		       "%d.%d.%d.%d:%d\n",
-		       allow_str, op_str, current->pid,
-		       a1[0], a1[1], a1[2], a1[3], ntohs(a->sin_port));
-		}
-		break;
-
-#ifdef CONFIG_IPV6
-	case AF_INET6: {
-		struct sockaddr_in6 *a = (void *) addr;
-		u16 *a1 = (u16 *) &a->sin6_addr.s6_addr;
-
-		printk(KERN_INFO "Graphene: %s %s PID %d SOCKET "
-		       "[%d.%d.%d.%d:%d:%d:%d:%d]:%d\n",
-		       allow_str, op_str, current->pid,
-		       a1[0], a1[1], a1[2], a1[3],
-		       a1[4], a1[5], a1[6], a1[7], ntohs(a->sin6_port));
-		}
-		break;
-#endif
-	}
-}
-#else
-# define print_net(...) do {} while (0)
-#endif
-
-/*
- * network rules:
- *    bind:
- *        input addr/port match bind addr/port
- *    listen:
- *        always allow
- *    connect:
- *        input addr/port match peer addr/port
- *    sendmsg:
- *        EITHER stream socket OR no input addr/port OR
- *        input addr/port match peer addr/port
- *    recvmsg:
- *        EITHER stream socket OR connected
- */
-static
-int __common_net_perm(struct graphene_info *gi, int op, struct socket *sock,
-		      struct sockaddr *address, int addrlen)
-{
-	struct sock *sk = sock->sk;
-	struct list_head *head;
-	struct graphene_net *gn;
-
-	if (sk->sk_type != SOCK_STREAM && sk->sk_type != SOCK_DGRAM)
-		return -EPERM;
-
-#ifdef CONFIG_IPV6
-	if (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)
-#else
-	if (sk->sk_family != AF_INET)
-#endif
-		return -EPERM;
-
-	switch(op) {
-		case OP_BIND:
-			head = &gi->gi_binds;
-			break;
-		case OP_CONNECT:
-		case OP_SENDMSG:
-			head = &gi->gi_peers;
-			break;
-		default:
-			print_net(1, sk->sk_family, op, address, addrlen);
-			return 0;
-	}
-
-	BUG_ON(!address);
-
-	if (list_empty(head))
-		goto no_rules;
-
-	list_for_each_entry(gn, head, list) {
-		if (gn->family != sk->sk_family)
-			continue;
-
-		if (net_cmp(sk->sk_family,
-			    gn->flags & ADDR_ANY, gn->flags & PORT_ANY,
-			    &gn->addr, address, addrlen))
-			continue;
-
-		print_net(1, sk->sk_family, op, address, addrlen);
-		return 0;
-	}
-
-no_rules:
-	if (gi->gi_mcast_port && sk->sk_family == AF_INET &&
-	    ((struct sockaddr_in *) address)->sin_port == gi->gi_mcast_port) {
-		print_net(1, AF_INET, op, address, addrlen);
-		return 0;
-	}
-
-	print_net(0, sk->sk_family, op, address, addrlen);
-	return -EPERM;
-}
-
-int graphene_socket_bind(struct socket *sock,
-			 struct sockaddr *address, int addrlen)
-{
-	if (GRAPHENE_ENABLED()) {
-		struct graphene_info *gi = get_graphene_info(current->graphene);
-
-		if (!sock || !sock->sk)
-			return 0;
-
-		if (sock->sk->sk_family == PF_UNIX) {
-			if (sock->sk->sk_type != SOCK_STREAM)
-				return -EPERM;
-
-			return __unix_perm(address, addrlen);
-		}
-
-		return __common_net_perm(gi, OP_BIND, sock, address, addrlen);
-	}
-	return 0;
-}
-
-int graphene_socket_listen(struct socket *sock, int backlog)
-{
-	if (GRAPHENE_ENABLED()) {
-		struct graphene_info *gi = get_graphene_info(current->graphene);
-
-		if (!sock || !sock->sk || sock->sk->sk_family == PF_UNIX)
-			return 0;
-
-		return __common_net_perm(gi, OP_LISTEN, sock, NULL, 0);
-	}
-	return 0;
-}
-
-int graphene_socket_connect(struct socket *sock,
-			    struct sockaddr *address, int addrlen)
-{
-	if (GRAPHENE_ENABLED()) {
-		struct graphene_info *gi = get_graphene_info(current->graphene);
-
-		if (!sock || !sock->sk)
-			return 0;
-
-		if (sock->sk->sk_family == PF_UNIX) {
-			if (sock->sk->sk_type != SOCK_STREAM)
-				return -EPERM;
-
-			return __unix_perm(address, addrlen);
-		}
-
-		return __common_net_perm(gi, OP_CONNECT, sock, address,
-					 addrlen);
-	}
-	return 0;
-}
-
-int graphene_socket_sendmsg(struct socket *sock,
-			    struct msghdr *msg, int size)
-{
-	if (GRAPHENE_ENABLED()) {
-		struct graphene_info *gi = get_graphene_info(current->graphene);
-
-		if (!sock || !sock->sk || sock->sk->sk_family == PF_UNIX)
-			return 0;
-
-		if (sock->sk->sk_type == SOCK_STREAM)
-			return 0;
-
-		if (!msg->msg_name)
-			return 0;
-
-
-		return __common_net_perm(gi, OP_SENDMSG, sock,
-					 msg->msg_name, msg->msg_namelen);
-	}
-	return 0;
-
-}
-
-int graphene_socket_recvmsg(struct socket *sock,
-			    struct msghdr *msg, int size, int flags)
-{
-	if (GRAPHENE_ENABLED()) {
-		struct graphene_info *gi = get_graphene_info(current->graphene);
-
-		if (!sock || !sock->sk || sock->sk->sk_family == PF_UNIX)
-			return 0;
-
-		if (sock->sk->sk_type == SOCK_STREAM)
-			return 0;
-
-		return __common_net_perm(gi, OP_RECVMSG, sock, NULL, 0);
-	}
-	return 0;
-}
-
-int graphene_task_kill(struct task_struct *tsk, struct siginfo *info,
-		       int sig, u32 secid)
-{
-	struct task_struct *current_tsk = current;
-
-	if (!current_tsk->graphene)
-		return 0;
-
-	if (sig != SIGCONT)
-		return -EPERM;
-
-	return (tsk->tgid == current_tsk->tgid) ? 0 : -EPERM;
-}
-
-static void get_console(struct graphene_info *gi, struct files_struct *files)
-{
-	struct fdtable *fdt;
-	unsigned long set;
-	int fd = 0, n = 0;
-
-	rcu_read_lock();
-	fdt = files_fdtable(files);
-	rcu_read_unlock();
-
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
-	set = fdt->open_fds[0];
-#else
-	set = fdt->open_fds->fds_bits[0];
-#endif
-
-	for (; fd < 3 && fd < fdt->max_fds && set ; fd++, set >>= 1) {
-		struct file *file;
-
-		if (!(set & 1))
-			continue;
-
-		file = ACCESS_ONCE(fdt->fd[fd]);
-		if (!file)
-			continue;
-
-		path_get(&file->f_path);
-		gi->gi_console[n++] = file->f_path;
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-		{
-			DEFINE_PATH(dp, &file->f_path, kpath, max)
-			if (!IS_ERR(dp))
-				printk(KERN_INFO "Graphene: "
-				       "PID %d CONSOLE %s\n",
-				       current->pid, dp);
-			PUT_PATH_BUFFER(kpath)
-		}
-#endif
-	}
-
-	for ( ; n < 3 ; n++)
-		gi->gi_console[n].mnt = NULL;
-}
-
-static int update_graphene(struct task_struct *current_tsk,
-			   struct graphene_info *gi);
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-static void print_net_rule(const char *fmt, struct graphene_net *n)
-{
-# ifdef CONFIG_IPV6
-#  define ADDR_STR_MAX	128
-# else
-#  define ADDR_STR_MAX	48
-# endif
-
-	char str[ADDR_STR_MAX];
-	int len = 0;
-
-	if (n->flags & ADDR_ANY) {
-		str[len++] = 'A';
-		str[len++] = 'N';
-		str[len++] = 'Y';
-		str[len++] = ':';
-	} else {
-		switch(n->family) {
-		case AF_INET: {
-			u8 *ip = (u8 *) &n->addr.addr.sin_addr.s_addr;
-			len += snprintf(str + len,
-					ADDR_STR_MAX - len,
-					"%u.%u.%u.%u:",
-					ip[0], ip[1], ip[2], ip[3]);
-			}
-			break;
-#ifdef CONFIG_IPV6
-		case AF_INET6: {
-			u16 *ip = (u16 *) &n->addr.addr.sin6_addr.s6_addr;
-			len += snprintf(str + len,
-					ADDR_STR_MAX - len,
-					"[%u:%u:%u:%u:%u:%u:%u:%u]:",
-					ip[0], ip[1], ip[2], ip[3],
-					ip[4], ip[5], ip[6], ip[7]);
-			}
-			break;
-#endif /* CONFIG_IPV6 */
-		}
-	}
-
-	if (n->flags & PORT_ANY) {
-		str[len++] = 'A';
-		str[len++] = 'N';
-		str[len++] = 'Y';
-	} else {
-		if (n->addr.port_begin == n->addr.port_end)
-			len += snprintf(str + len, ADDR_STR_MAX - len,
-					"%u", n->addr.port_begin);
-		else
-			len += snprintf(str + len, ADDR_STR_MAX - len,
-					"%u-%u",
-					n->addr.port_begin, n->addr.port_end);
-	}
-
-	BUG_ON(len >= ADDR_STR_MAX);
-	str[len] = 0;
-	printk(fmt, current->pid, str);
-}
-#else
-# define print_net_rule(...) do {} while (0)
-#endif
-
-static int set_net_rule(struct graphene_net_rule *nr, struct graphene_info *gi,
-			bool bind)
-{
-	struct graphene_net *n;
-
-#ifdef CONFIG_IPV6
-	if (nr->family != AF_INET && nr->family != AF_INET6)
-#else
-	if (nr->family != AF_INET)
-#endif
-		return -EINVAL;
-
-	n = kmalloc(sizeof(struct graphene_net), GFP_KERNEL);
-	if (!n)
-		return -ENOMEM;
-
-	n->family  = nr->family;
-	n->flags   = 0;
-	n->addr    = nr->addr;
-
-	switch(n->family) {
-	case AF_INET:
-		if (!n->addr.addr.sin_addr.s_addr)
-			n->flags |= ADDR_ANY;
-		break;
-#ifdef CONFIG_IPV6
-	case AF_INET6:
-		if (!memcmp(&n->addr.addr.sin6_addr.s6_addr, &in6addr_any, 16))
-			n->flags |= ADDR_ANY;
-		break;
-#endif /* CONFIG_IPV6 */
-	}
-
-	if (n->addr.port_begin == 0 && n->addr.port_end == 65535)
-		n->flags |= PORT_ANY;
-
-	INIT_LIST_HEAD(&n->list);
-	if (bind) {
-		list_add_tail(&n->list, &gi->gi_binds);
-		print_net_rule(KERN_INFO "Graphene: PID %d NET BIND %s\n", n);
-	} else {
-		list_add_tail(&n->list, &gi->gi_peers);
-		print_net_rule(KERN_INFO "Graphene: PID %d NET PEER %s\n", n);
-	}
-	return 0;
-}
-
-u64 gipc_get_session(struct task_struct *tsk)
-{
-	struct graphene_info *gi = get_graphene_info(tsk->graphene);
-	return gi ? gi->gi_gipc_session : 0;
-}
-
-int set_graphene(struct task_struct *current_tsk,
-		 const struct graphene_policies __user *gpolicies)
-{
-	int npolicies;
-	const struct graphene_user_policy __user *policies = gpolicies->policies;
-	struct graphene_info *gi;
-	struct graphene_user_policy ptmp;
-	struct graphene_path *p;
-	int i, rv = 0;
-	DEFINE_PATH_BUFFER(kpath, max)
-#ifdef CONFIG_GRAPHENE_DEBUG
-	char *dp;
-#endif
-
-	rv = copy_from_user(&npolicies, &gpolicies->npolicies, sizeof(int));
-	if (rv)
-		return -EFAULT;
-
-	if (npolicies && !policies)
-		return -EINVAL;
-
-#ifndef CONFIG_GRAPHENE_ISOLATE
-	if (current_tsk->graphene)
-		return -EAGAIN;
-
-	if (current_tsk != current_tsk->group_leader)
-		return -EPERM;
-#endif
-
-	gi = kmalloc(sizeof(struct graphene_info), GFP_KERNEL);
-	if (!gi)
-		return -ENOMEM;
-
-	GET_PATH_BUFFER(kpath, max)
-	memset(gi, 0, sizeof(struct graphene_info));
-	INIT_LIST_HEAD(&gi->gi_paths);
-	INIT_LIST_HEAD(&gi->gi_rpaths);
-	INIT_LIST_HEAD(&gi->gi_binds);
-	INIT_LIST_HEAD(&gi->gi_peers);
-	gi->gi_gipc_session = atomic64_inc_return(&gipc_session);
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-	printk(KERN_INFO "Graphene: PID %d GIPC SESSION %llu\n",
-	       current_tsk->pid, gi->gi_gipc_session);
-#endif
-
-	for (i = 0 ; i < npolicies ; i++) {
-		int type, flags;
-		rv = copy_from_user(&ptmp, policies + i,
-				    sizeof(struct graphene_user_policy));
-		if (rv) {
-			rv = -EFAULT;
-			goto err;
-		}
-
-		if (!ptmp.value) {
-			rv = -EINVAL;
-			goto err;
-		}
-
-		type = ptmp.type & GRAPHENE_POLICY_TYPES;
-		flags = ptmp.type & ~type;
-
-		switch(type) {
-		case GRAPHENE_LIB_NAME:
-			rv = strncpy_from_user(kpath, ptmp.value, max);
-			if (rv < 0)
-				goto err;
-
-			rv = kern_path(kpath, LOOKUP_FOLLOW, &gi->gi_libexec);
-			if (rv)
-				goto err;
-#ifdef CONFIG_GRAPHENE_DEBUG
-			dp = d_path(&gi->gi_libexec, kpath, max);
-			if (IS_ERR(dp)) {
-				rv = -EINVAL;
-				goto err;
-			}
-			printk(KERN_INFO "Graphene: PID %d LIB NAME %s\n",
-			       current_tsk->pid, dp);
-#endif
-			break;
-
-		case GRAPHENE_LIB_ADDR:
-			gi->gi_libaddr = (u64) ptmp.value;
-#ifdef CONFIG_GRAPHENE_DEBUG
-			printk(KERN_INFO "Graphene: PID %d LIB ADDR 0x%016llx\n",
-			       current_tsk->pid, gi->gi_libaddr);
-#endif
-			break;
-
-		case GRAPHENE_UNIX_PREFIX: {
-			unsigned long token =
-				atomic64_inc_return(&unix_prefix_counter);
-
-			gi->gi_unix[0] = '\0';
-			snprintf(gi->gi_unix + 1, sizeof(gi->gi_unix) - 1,
-				 GRAPHENE_UNIX_PREFIX_FMT, token);
-			gi->gi_unix[sizeof(gi->gi_unix) - 1] = '/';
-
-			rv = copy_to_user((void *) ptmp.value, &token,
-					  sizeof(unsigned long));
-			if (rv) {
-				rv = -EFAULT;
-				goto err;
-			}
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-			printk(KERN_INFO "Graphene: PID %d UNIX PREFIX %s\n",
-			       current_tsk->pid, kpath);
-#endif
-			break;
-		}
-
-		case GRAPHENE_MCAST_PORT: {
-			struct socket *sock;
-			struct sock *sk;
-			struct inet_sock *inet;
-			struct file *file;
-			unsigned short port;
-
-			rv = sock_create_kern(AF_INET, SOCK_DGRAM, 0, &sock);
-			if (rv)
-				goto err;
-
-			file = sock_alloc_file(sock, 0, NULL);
-			if (unlikely(IS_ERR(file))) {
-				sock_release(sock);
-				rv = PTR_ERR(file);
-				goto err;
-			}
-
-			sk = sock->sk;
-			lock_sock(sk);
-			inet = inet_sk(sk);
-			sk->sk_reuse = SK_CAN_REUSE;
-			if (sk->sk_prot->get_port(sk, 0)) {
-				release_sock(sk);
-				sock_release(sock);
-				rv = -EAGAIN;
-				goto err;
-			}
-			port = inet->inet_sport = htons(inet->inet_num);
-			release_sock(sk);
-			gi->gi_mcast_port = port;
-			gi->gi_mcast_sock = file;
-			port = ntohs(port);
-
-			rv = copy_to_user((void *) ptmp.value, &port,
-					  sizeof(unsigned short));
-			if (rv) {
-				rv = -EFAULT;
-				goto err;
-			}
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-			printk(KERN_INFO "Graphene: PID %d MCAST PORT %d\n",
-			       current_tsk->pid, port);
-#endif
-			break;
-		}
-
-		case GRAPHENE_NET_RULE: {
-			struct graphene_net_rule nr;
-
-			rv = copy_from_user(&nr, ptmp.value,
-					    sizeof(struct graphene_net_rule));
-			if (rv) {
-				rv = -EFAULT;
-				goto err;
-			}
-
-			rv = set_net_rule(&nr, gi, flags & GRAPHENE_NET_BIND);
-			if (rv < 0)
-				goto err;
-
-			break;
-		}
-
-		case GRAPHENE_FS_PATH:
-			rv = strncpy_from_user(kpath, ptmp.value, max);
-			if (rv < 0)
-				goto err;
-
-			p = kmalloc(sizeof(struct graphene_path),
-				    GFP_KERNEL);
-			if (!p) {
-				rv = -ENOMEM;
-				goto err;
-			}
-
-			rv = kern_path(kpath, LOOKUP_FOLLOW, &p->path);
-			if (rv) {
-				kfree(p);
-				goto err;
-			}
-
-#ifdef CONFIG_GRAPHENE_DEBUG
-			dp = d_path(&p->path, kpath, max);
-			if (IS_ERR(dp)) {
-				rv = -EINVAL;
-				kfree(p);
-				goto err;
-			}
-			printk(KERN_INFO "Graphene: PID %d PATH %s%s\n",
-			       current_tsk->pid, dp,
-			       type == GRAPHENE_FS_PATH ? "" :
-			       " (recursive)");
-#endif
-			p->type = flags;
-			INIT_LIST_HEAD(&p->list);
-			list_add_tail(&p->list,
-				      (flags & GRAPHENE_FS_RECURSIVE) ?
-				      &gi->gi_rpaths : &gi->gi_paths);
-			break;
-		}
-	}
-
-	if (!current_tsk->graphene) {
-		struct graphene_struct *gs;
-		get_console(gi, current_tsk->files);
-
-		gs = kmalloc(sizeof(struct graphene_struct), GFP_KERNEL);
-		if (!gs) {
-			rv = -ENOMEM;
-			goto err;
-		}
-
-		atomic_set(&gs->g_count, 1);
-		gs->g_info = gi;
-		spin_lock_init(&gs->g_lock);
-		current_tsk->graphene = gs;
-		printk(KERN_INFO "Graphene: PID %d registered\n",
-		       current_tsk->pid);
-	}
-#ifdef CONFIG_GRAPHENE_ISOLATE
-	else {
-		if ((rv = update_graphene(current_tsk, gi)) < 0) {
-			printk(KERN_INFO "Graphene: PID %d cannot be updated (%d)\n",
-			       current_tsk->pid, rv);
-			goto err;
-		}
-
-		printk(KERN_INFO "Graphene: PID %d updated\n",
-		       current_tsk->pid);
-	}
-#endif
-	rv = 0;
-	goto out;
-err:
-	drop_graphene_info(gi);
-out:
-	PUT_PATH_BUFFER(kpath)
-	return rv;
-}
-
-#ifdef CONFIG_GRAPHENE_ISOLATE
-static int do_close_sock(struct graphene_info *gi, struct socket *sock,
-			 int close_unix)
-{
-	struct sock *sk = sock->sk;
-	struct sockaddr_storage address;
-	struct sockaddr *addr = (void *) &address;
-	struct inet_sock *inet;
-	int len, err;
-
-	if (!sk)
-		return 0;
-
-	if (sk->sk_family == PF_UNIX)
-		return close_unix ? -EPERM : 0;
-
-	inet = inet_sk(sk);
-	if (inet->inet_dport) {
-		err = sock->ops->getname(sock, addr, &len, 1);
-		if (err)
-			return err;
-
-		/* give it a chance, check if it match one of the peers */
-		err = __common_net_perm(gi, OP_CONNECT, sock, addr, len);
-		if (!err)
-			return 0;
-	}
-
-	if (!inet->inet_num)
-		return 0;
-
-	err = sock->ops->getname(sock, addr, &len, 0);
-	if (err)
-		return err;
-
-	return __common_net_perm(gi, OP_BIND, sock, addr, len);
-}
-
-static int do_close_fds(struct graphene_info *gi, struct files_struct *files,
-			int close_unix)
-{
-	struct fdtable *fdt;
-	int fd, i = 0;
-
-	rcu_read_lock();
-	fdt = files_fdtable(files);
-	rcu_read_unlock();
-	for (;;) {
-		unsigned long set;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
-		fd = i * BITS_PER_LONG;
-#else
-		fd = i * __NFDBITS;
-#endif
-		if (fd >= fdt->max_fds)
-			break;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
-		set = fdt->open_fds[i++];
-#else
-		set = fdt->open_fds->fds_bits[i++];
-#endif
-		for ( ; set ; fd++, set >>= 1) {
-			struct socket *sock = NULL;
-			struct file *file;
-			int err;
-
-			if (!(set & 1))
-				continue;
-
-			file = xchg(&fdt->fd[fd], NULL);
-			if (!file)
-				continue;
-
-			if (get_pipe_info(file))
-				goto deny;
-
-			sock = sock_from_file(file, &err);
-			if (sock) {
-				err = do_close_sock(gi, sock, close_unix);
-				if (!err)
-					goto allow;
-				goto deny;
-			}
-
-			err = __common_perm(gi, OP_OPEN, &file->f_path,
-					    aa_map_file_to_perms(file));
-			if (err)
-				goto deny;
-
-allow:
-			xchg(&fdt->fd[fd], file);
-			continue;
-deny:
-			filp_close(file, files);
-			cond_resched();
-		}
-	}
-	return 0;
-}
-
-static
-int net_check (int family,
-	       int flags1, struct graphene_net_addr * addr1,
-	       int flags2, struct graphene_net_addr * addr2)
-{
-	if (flags2 & ADDR_ANY)
-		goto port;
-	if (flags1 & ADDR_ANY)
-		goto port;
-
-	switch (family) {
-	case AF_INET:
-		if (memcmp(&addr1->addr.sin_addr,
-			   &addr2->addr.sin_addr,
-			   sizeof(struct in_addr)))
-			return -EPERM;
-		break;
-	case AF_INET6:
-		if (memcmp(&addr1->addr.sin6_addr,
-			   &addr2->addr.sin6_addr,
-			   sizeof(struct in6_addr)))
-			return -EPERM;
-		break;
-	}
-
-port:
-	if (flags2 & PORT_ANY)
-		return 0;
-	if (flags1 & PORT_ANY)
-		return 0;
-
-	if (addr1->port_begin < addr2->port_begin ||
-	    addr1->port_end > addr2->port_end)
-		return -EPERM;
-
-	return 0;
-}
-
-static int net_check_fds(struct graphene_net *n, struct files_struct *files)
-{
-	struct fdtable *fdt;
-	int fd, i = 0;
-
-	rcu_read_lock();
-	fdt = files_fdtable(files);
-	for (;;) {
-		unsigned long set;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
-		fd = i * BITS_PER_LONG;
-#else
-		fd = i * __NFDBITS;
-#endif
-		if (fd >= fdt->max_fds)
-			break;
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
-		set = fdt->open_fds[i++];
-#else
-		set = fdt->open_fds->fds_bits[i++];
-#endif
-		for ( ; set ; fd++, set >>= 1) {
-			struct file *file;
-			struct socket *sock;
-			struct sock *sk;
-			struct inet_sock *inet;
-			struct sockaddr_storage address;
-			struct sockaddr *addr = (void *) &address;
-			int len, err;
-
-			if (!(set & 1))
-				continue;
-
-			file = rcu_dereference_raw(fdt->fd[fd]);
-			if (!file)
-				continue;
-
-			sock = sock_from_file(file, &err);
-			if (!sock)
-				continue;
-
-			if (!(sk = sock->sk) || sk->sk_family != n->family)
-				continue;
-
-			inet = inet_sk(sk);
-			if (!inet->inet_dport)
-				continue;
-
-			err = sock->ops->getname(sock, addr, &len, 1);
-			if (err)
-				continue;
-
-			if (!net_cmp(n->family, false, false,
-				     &n->addr, addr, len)) {
-				rcu_read_unlock();
-				return 1;
-			}
-		}
-	}
-	rcu_read_unlock();
-	return 0;
-}
-
-static int update_graphene(struct task_struct *current_tsk,
-			   struct graphene_info *new)
-{
-	struct graphene_struct *gs = current_tsk->graphene;
-	struct graphene_info *gi = get_graphene_info(gs);
-	struct graphene_path *p;
-	struct graphene_net *n1, *n2;
-	int i = 0, close_unix = 0;
-
-	for (i = 0 ; i < 3 && gi->gi_console[i].mnt ; i++) {
-		path_get(&gi->gi_console[i]);
-		new->gi_console[i] = gi->gi_console[i];
-	}
-
-	list_for_each_entry(p, &new->gi_paths, list) {
-		u32 mask = 0;
-		if (p->type & GRAPHENE_FS_READ)
-			mask |= MAY_READ;
-		if (p->type & GRAPHENE_FS_WRITE)
-			mask |= MAY_WRITE;
-		print_path(KERN_INFO "Graphene: PID %d CHECK RULE %s\n",
-			   &p->path);
-		if (__common_perm(gi, OP_OPEN, &p->path, mask) < 0)
-			return -EPERM;
-	}
-
-	list_for_each_entry(n1, &new->gi_binds, list) {
-		bool accepted = false;
-		print_net_rule(KERN_INFO
-			       "Graphene: PID %d CHECK RULE BIND %s\n",
-			       n1);
-
-		list_for_each_entry(n2, &gi->gi_binds, list) {
-			if (n1->family != n2->family)
-				continue;
-
-			if (net_check(n1->family,
-				      n1->flags, &n1->addr,
-				      n2->flags, &n2->addr) < 0)
-				continue;
-
-			accepted = true;
-			print_net_rule(KERN_INFO
-				       "Graphene: PID %d ALLOW BIND %s\n",
-				       n1);
-			break;
-		}
-
-		if (!accepted) {
-			print_net_rule(KERN_INFO
-				       "Graphene: PID %d DENY BIND %s\n",
-				       n1);
-			return -EPERM;
-		}
-	}
-
-	list_for_each_entry(n1, &new->gi_peers, list) {
-		bool accepted = false;
-		print_net_rule(KERN_INFO
-			       "Graphene: PID %d CHECK RULE CONNECT %s\n",
-			       n1);
-
-		list_for_each_entry(n2, &gi->gi_peers, list) {
-			if (n1->family != n2->family)
-				continue;
-
-			if (net_check(n1->family,
-				      n1->flags, &n1->addr,
-				      n2->flags, &n2->addr) < 0)
-				continue;
-
-			accepted = true;
-			print_net_rule(KERN_INFO
-				       "Graphene: PID %d ALLOW CONNECT %s\n",
-				       n1);
-			break;
-		}
-
-		if (!accepted && !(n1->flags & (ADDR_ANY|PORT_ANY)) &&
-		    net_check_fds(n1, current_tsk->files))
-			accepted = true;
-
-		if (!accepted) {
-			print_net_rule(KERN_INFO
-				       "Graphene: PID %d DENY CONNECT %s\n",
-				       n1);
-			return -EPERM;
-		}
-	}
-
-	if (!new->gi_unix[1] && gi->gi_unix[1])
-		memcpy(new->gi_unix, gi->gi_unix, sizeof(gi->gi_unix));
-
-	if (!new->gi_mcast_port)
-		new->gi_mcast_port = gi->gi_mcast_port;
-
-	if (!new->gi_mcast_sock && gi->gi_mcast_sock) {
-		atomic_long_inc(&gi->gi_mcast_sock->f_count);
-		new->gi_mcast_sock = gi->gi_mcast_sock;
-	}
-
-	spin_lock(&gs->g_lock);
-	put_graphene_info(gs->g_info);
-	gs->g_info = new;
-	spin_unlock(&gs->g_lock);
-
-	do_close_fds(new, current_tsk->files, close_unix);
-	return 0;
-}
-
-#endif /* CONFIG_GRAPHENE_ISOLATE */
-
-static long graphene_ioctl(struct file *file, unsigned int cmd,
-			   unsigned long arg)
-{
-	struct task_struct *current_tsk = current;
-
-	switch (cmd) {
-	case GRAPHENE_SET_TASK:
-		return set_graphene(current_tsk,
-			(const struct graphene_policies __user *) arg);
-	default:
-		return -ENOSYS;
-	}
-}
-
-static struct file_operations graphene_operations = {
-	.unlocked_ioctl	= graphene_ioctl,
-	.compat_ioctl	= graphene_ioctl,
-	.llseek		= noop_llseek,
-};
-
-static struct miscdevice graphene_dev = {
-	.minor		= GRAPHENE_MINOR,
-	.name		= "graphene",
-	.fops		= &graphene_operations,
-	.mode		= 0666,
-};
-
-static int __init graphene_init(void)
-{
-	int rv;
-
-	rv = misc_register(&graphene_dev);
-	if (rv) {
-		printk(KERN_ERR "Graphene error: "
-		       "failed to add a char device (rv=%d)\n", rv);
-		return rv;
-	}
-
-	return 0;
-}
-
-device_initcall(graphene_init);

+ 0 - 194
Pal/linux-kernel/graphene/graphene.h

@@ -1,194 +0,0 @@
-#ifndef _LINUX_GRAPHENE_H
-#define _LINUX_GRAPHENE_H
-
-#include <linux/ioctl.h>
-#include <linux/in.h>
-#include <linux/in6.h>
-
-#define GRAPHENE_FILE   "/dev/graphene"
-#define GRAPHENE_MINOR		239
-
-#define GRAPHENE_UNIX_PREFIX_FMT	"/graphene/%016lx"
-#define GRAPHENE_MCAST_GROUP		"239.0.0.1"
-
-/* symbolic link this header file in include/linux */
-
-/* This header needs to be included in include/linux/sched.h */
-
-#ifndef __KERNEL__
-# ifdef __user
-#  undef __user
-# endif
-# define __user
-#endif
-
-#define GRAPHENE_LIB_NAME	0001
-#define GRAPHENE_LIB_ADDR	0002
-#define GRAPHENE_UNIX_PREFIX	0003
-#define GRAPHENE_MCAST_PORT	0004
-#define GRAPHENE_FS_PATH	0005
-#define GRAPHENE_NET_RULE	0006
-
-#define GRAPHENE_POLICY_TYPES	0007
-
-#define GRAPHENE_FS_RECURSIVE	0010
-#define GRAPHENE_FS_READ	0020
-#define GRAPHENE_FS_WRITE	0040
-
-#define GRAPHENE_NET_BIND	0100
-
-struct graphene_user_policy {
-	int			type;
-	const void __user *	value;
-};
-
-struct graphene_net_addr {
-	union {
-		struct in_addr 		sin_addr;
-		struct in6_addr		sin6_addr;
-	} addr;
-	unsigned short		port_begin;
-	unsigned short		port_end;
-};
-
-struct graphene_net_rule {
-	unsigned short			family;
-	struct graphene_net_addr	addr;
-};
-
-#define GRAPHENE_SET_TASK _IOW('k', 16, void*)
-
-struct graphene_policies {
-	int				npolicies;
-	struct graphene_user_policy	policies[];
-};
-
-#ifdef __KERNEL__
-
-#include <linux/types.h>
-#include <linux/sched.h>
-#include <linux/net.h>
-#include <linux/path.h>
-#include <linux/list.h>
-#include <linux/spinlock.h>
-#include <linux/dcache.h>
-#include <linux/rcupdate.h>
-
-struct task_struct;
-struct path;
-struct qstr;
-
-struct graphene_path {
-	struct list_head	list;
-	struct path		path;
-	int			type;
-};
-
-#define ADDR_ANY		0x1
-#define PORT_ANY		0x2
-
-struct graphene_net {
-	struct list_head	list;
-	short			family;
-	unsigned char		flags;
-	struct graphene_net_addr	addr;
-};
-
-struct graphene_unix {
-	atomic_t		count;
-	struct list_head	list;
-	struct path		root;
-	struct qstr		prefix;
-};
-
-/*
- * add the following line to struct task_struct (include/linux/sched.h):
- * 	struct graphene_struct *graphene;
- */
-struct graphene_info {
-	atomic_t		gi_count;
-	struct path		gi_libexec;
-	u64			gi_libaddr;
-	struct path		gi_console[3];
-	char			gi_unix[28];	/* fmt: @/graphene/%016lx/ */
-	struct list_head	gi_paths;
-	struct list_head	gi_rpaths;
-	struct list_head	gi_binds;
-	struct list_head	gi_peers;
-	unsigned short		gi_mcast_port;
-	struct file *		gi_mcast_sock;
-	u64			gi_gipc_session;
-};
-
-struct graphene_struct {
-	atomic_t g_count;
-	struct graphene_info __rcu *g_info;
-	spinlock_t g_lock ____cacheline_aligned_in_smp;
-};
-
-#define GRAPHENE_ENABLED()	(current->graphene != NULL)
-
-/* use this function in __put_task_struct (kernel/fork.c) */
-int dup_graphene_struct(struct task_struct *task);
-
-/* use this function in dup_task_struct (kernel/fork.c) */
-void put_graphene_struct(struct task_struct *task);
-
-/* add the following lines to common_perm (security/apparmor/lsm.c):
- * (when current->in_execve is true)
- * if (GRAPHNEE_ENABLED() && (error = graphene_execve_open(file))
- * 	return error;
- */
-int graphene_execve_open(struct file *file);
-
-unsigned long
-graphene_execve_get_area(struct file *file, unsigned long addr,
-			 unsigned long len, unsigned long pgoff,
-			 unsigned long flags);
-
-/*
- * add the following lines to common_perm (security/apparmor/lsm.c):
- * if (GRAPHENE_ENABLED() &&
- *     (error = graphene_common_perm(op, path, mask)))
- * 	return error;
- *
- * add the following lines to apparmor_dentry_open (security/apparmor/lsm.c):
- * if (GRAPHENE_ENABLED() &&
- *     (error = graphene_common_perm(OP_OPEN, &file->path, mask)))
- * 	return error;
- */
-int graphene_common_perm(int op, struct path *path, u32 mask);
-
-/*
- * add the following lines to the initializer of apparmor_ops
- * (security/apparmor/lsm.c):
- * 	task_kill =			graphene_task_kill,
- */
-int graphene_task_kill(struct task_struct *task, struct siginfo *info,
-		       int sig, u32 secid);
-
-/*
- * add the following lines to the initializer of apparmor_ops
- * (security/apparmor/lsm.c):
- * 	socket_bind =			graphene_socket_bind,
- * 	socket_listen =			graphene_socket_listen,
- * 	socket_connect =		graphene_socket_connect,
- * 	socket_sendmsg =		graphene_socket_sendmsg,
- * 	socket_recvmsg =		grapheen_socket_recvmsg,
- */
-int graphene_socket_bind(struct socket *sock,
-			 struct sockaddr *address, int addrlen);
-
-int graphene_socket_listen(struct socket *sock, int backlog);
-int graphene_socket_connect(struct socket *sock,
-			    struct sockaddr *address, int addrlen);
-int graphene_socket_sendmsg(struct socket *sock,
-			    struct msghdr *msg, int size);
-int graphene_socket_recvmsg(struct socket *sock,
-			    struct msghdr *msg, int size, int flags);
-
-u64 gipc_get_session(struct task_struct *tsk);
-
-#endif /* __KERNEL__ */
-
-#endif

+ 2 - 14
Pal/src/Makefile

@@ -68,10 +68,6 @@ ifneq ($(pal_lib),)
 	runtime_lib += $(RUNTIME_DIR)/libpal-$(PAL_HOST)$(suffix $(pal_lib))
 endif
 
-ifneq ($(pal_sec),)
-	runtime_sec += $(RUNTIME_DIR)/pal_sec-$(PAL_HOST)
-endif
-
 ifneq ($(pal_gdb),)
 	runtime_gdb += $(RUNTIME_DIR)/pal_gdb-$(PAL_HOST)
 endif
@@ -90,7 +86,7 @@ $(LIB_DIR)/host_endian.h: $(HOST_DIR)/host_endian.h
 	@mkdir -p $(LIB_DIR)
 	$(call cmd,ln_sf)
 
-.PHONY: $(host_lib) $(graphene_lib) $(pal_lib) $(pal_sec)
+.PHONY: $(host_lib) $(graphene_lib) $(pal_lib)
 
 $(graphene_lib): $(LIB_DIR)/host_endian.h
 	$(MAKE) -C ../lib target=$(abspath $(LIB_DIR))/
@@ -98,7 +94,7 @@ $(graphene_lib): $(LIB_DIR)/host_endian.h
 $(host_lib): $(graphene_lib)
 	@[ ! -d host/$(PAL_HOST) ] || $(MAKE) -C host/$(PAL_HOST)
 
-$(pal_loader) $(pal_sec): $(host_lib)
+$(pal_loader): $(host_lib)
 
 $(runtime_loader): $(pal_loader)
 	$(call cmd,ln_sf)
@@ -112,14 +108,6 @@ $(runtime_lib): $(pal_lib)
 	$(call cmd,ln_sf)
 endif
 
-ifneq ($(pal_sec),)
-$(pal_sec): $(graphene_lib)
-	@[ ! -d security/$(PAL_HOST) ] || $(MAKE) -C security/$(PAL_HOST)
-
-$(runtime_sec): $(pal_sec)
-	$(call cmd,ln_sf)
-endif
-
 ifneq ($(pal_gdb),)
 $(runtime_gdb): $(pal_gdb)
 	$(call cmd,ln_sf)
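Review bot: The hunks drop the definitions of `pal_sec` and `runtime_sec` but nothing visible removes their remaining consumers, so if the `all`, `clean` or install rules outside these hunks still list `$(runtime_sec)` or `$(pal_sec)`, they now expand to empty silently instead of failing; the host/Linux/Makefile.am hunk likewise drops the only visible use of `$(SEC_DIR)` but not its definition. Adding `MAKEFLAGS += --warn-undefined-variables` near the top of Pal/src/Makefile would surface any such leftover reference on the next build. The rewritten `.PHONY: $(host_lib) $(graphene_lib) $(pal_lib)` line keeps marking real library paths as phony; that is presumably intentional because each recipe delegates to a recursive `$(MAKE)` in the host directory, but a one-line comment such as `# phony on purpose: the sub-make owns the real dependency graph` would stop a later reader from "fixing" it.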

+ 0 - 1
Pal/src/host/FreeBSD/Makefile.am

@@ -15,7 +15,6 @@ CFLAGS += -Werror
 endif
 
 pal_loader = $(HOST_DIR)/libpal.so
-pal_sec =
 pal_lib = $(HOST_DIR)/libpal.so
 pal_lib_deps = $(HOST_DIR)/pal.map $(HOST_DIR)/pal.lds
 pal_lib_post =

+ 0 - 1
Pal/src/host/Linux-SGX/Makefile.am

@@ -24,7 +24,6 @@ CFLAGS += -Werror
 endif
 
 pal_loader = $(HOST_DIR)/pal-sgx
-pal_sec =
 pal_lib = $(HOST_DIR)/libpal.so
 pal_lib_deps = $(HOST_DIR)/enclave.lds $(HOST_DIR)/pal.map
 pal_static = $(HOST_DIR)/libpal.a

+ 1 - 1
Pal/src/host/Linux/Makefile

@@ -17,7 +17,7 @@ CFLAGS += $(defs)
 ASFLAGS += $(defs)
 objs	= $(addprefix db_,files devices pipes sockets streams memory threading \
 	    mutex events process object main rtld misc ipc \
-	    exception) manifest clone-x86_64 gettimeofday-x86_64
+	    exception) clone-x86_64 gettimeofday-x86_64
 graphene_lib = .lib/graphene-lib.a
 headers	= $(wildcard *.h) $(wildcard ../../*.h) $(wildcard ../../../lib/*.h)
 

+ 0 - 1
Pal/src/host/Linux/Makefile.am

@@ -21,7 +21,6 @@ CFLAGS += -Werror
 endif
 
 pal_loader = $(HOST_DIR)/libpal.so
-pal_sec = $(SEC_DIR)/libpal_sec.so
 pal_lib = $(HOST_DIR)/libpal.so
 pal_lib_deps = $(HOST_DIR)/pal.map $(HOST_DIR)/pal.lds
 pal_lib_post =

+ 0 - 1
Pal/src/host/Linux/db_pipes.c

@@ -30,7 +30,6 @@
 #include "pal_security.h"
 #include "pal_debug.h"
 #include "api.h"
-#include "graphene.h"
 
 #include <linux/types.h>
 typedef __kernel_pid_t pid_t;

+ 4 - 75
Pal/src/host/Linux/db_process.c

@@ -34,7 +34,6 @@
 #include "pal_error.h"
 #include "pal_security.h"
 #include "pal_rtld.h"
-#include "graphene.h"
 #include "graphene-ipc.h"
 #include "api.h"
 
@@ -443,80 +442,10 @@ noreturn void _DkProcessExit (int exitcode)
     }
 }
 
-int ioctl_set_graphene (struct config_store * config, int ndefault,
-                        const struct graphene_user_policy * default_policies);
-
-static int set_graphene_task (const char * uri, int flags)
-{
-    PAL_HANDLE handle = NULL;
-    int ret;
-
-    if ((ret = _DkStreamOpen(&handle, uri, PAL_ACCESS_RDONLY, 0, 0, 0)) < 0)
-        return ret;
-
-    PAL_STREAM_ATTR attr;
-
-    if ((ret = _DkStreamAttributesQueryByHandle(handle, &attr)) < 0)
-        goto out;
-
-    void * addr = NULL;
-    size_t size = attr.pending_size;
-
-    if ((ret = _DkStreamMap(handle, &addr, PAL_PROT_READ, 0,
-                            ALLOC_ALIGNUP(size))) < 0)
-        goto out;
-
-    struct config_store sandbox_config;
-    sandbox_config.raw_data = addr;
-    sandbox_config.raw_size = size;
-    sandbox_config.malloc = malloc;
-    sandbox_config.free = free;
-
-    if ((ret = read_config(&sandbox_config, NULL, NULL)) < 0)
-        goto out_mem;
-
-    struct graphene_user_policy policies[5], * p = policies;
-
-    if (strpartcmp_static(uri, "file:")) {
-        p->type  = GRAPHENE_FS_PATH | GRAPHENE_FS_READ;
-        p->value = &uri[5];
-        p++;
-    }
-
-    if (flags & PAL_SANDBOX_PIPE) {
-        p->type  = GRAPHENE_UNIX_PREFIX;
-        p->value = &pal_sec.pipe_prefix_id;
-        p++;
-
-        p->type  = GRAPHENE_MCAST_PORT;
-        p->value = &pal_sec.mcast_port;
-        p++;
-    }
-
-    p->type  = GRAPHENE_FS_PATH | GRAPHENE_FS_READ;
-    p->value = "/proc/meminfo";
-    p++;
-
-    ret = ioctl_set_graphene(&sandbox_config, p - policies, policies);
-    if (ret < 0)
-        goto out_mem;
-
-    pal_state.manifest = uri;
-    _DkObjectClose(pal_state.manifest_handle);
-    pal_state.manifest_handle = handle;
-
-    free_config(&sandbox_config);
-out_mem:
-    _DkStreamUnmap(sandbox_config.raw_data,
-                   ALLOC_ALIGNUP(sandbox_config.raw_size));
-out:
-    _DkObjectClose(handle);
-    return ret;
-}
-
-int _DkProcessSandboxCreate (const char * manifest, int flags)
-{
-    return set_graphene_task(manifest, flags);
+int _DkProcessSandboxCreate(const char* manifest, int flags) {
+    __UNUSED(manifest);
+    __UNUSED(flags);
+    return -PAL_ERROR_NOTIMPLEMENTED;
 }
 
 static int64_t proc_read (PAL_HANDLE handle, uint64_t offset, uint64_t count,
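Review bot: The new `_DkProcessSandboxCreate` stub has no comment explaining why it now always fails, and its formatting (`const char* manifest, int flags) {` with the brace on the signature line) differs from the rest of this file, which writes `proc_read (PAL_HANDLE handle, ...` with a space before the parenthesis and the brace on its own line as the removed version did. Returning `-PAL_ERROR_NOTIMPLEMENTED` is the right failure mode here, since a caller that asked for isolation must not be told it succeeded, and that reasoning belongs in the code: `/* Sandboxing through the Linux reference monitor is not available in this tree; fail closed with NOTIMPLEMENTED rather than pretend a policy was applied. */`. Matching the surrounding signature style would keep the file consistent.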

+ 0 - 1
Pal/src/host/Linux/db_sockets.c

@@ -30,7 +30,6 @@
 #include "pal_security.h"
 #include "pal_error.h"
 #include "api.h"
-#include "graphene.h"
 
 #include <linux/types.h>
 #include <linux/poll.h>

+ 0 - 1
Pal/src/host/Linux/manifest.c

@@ -1 +0,0 @@
-../../security/Linux/manifest.c

+ 3 - 0
Pal/src/host/Linux/pal_linux.h

@@ -39,6 +39,9 @@
 #define ERRNO INTERNAL_SYSCALL_ERRNO
 #define ERRNO_P INTERNAL_SYSCALL_ERRNO_P
 
+#define GRAPHENE_UNIX_PREFIX_FMT       "/graphene/%016lx"
+#define GRAPHENE_MCAST_GROUP           "239.0.0.1"
+
 struct timespec;
 struct timeval;
 

+ 0 - 37
Pal/src/security/Linux/Makefile

@@ -1,37 +0,0 @@
-include ../../../../Makefile.configs
-
-CFLAGS	= -Wall -fPIC -O2 -std=c11 -Wall -U_FORTIFY_SOURCE \
-	  -fno-stack-protector -fno-builtin \
-	  -DRUNTIME_DIR=$(abspath $(RUNTIME_DIR)) \
-	  -I. -I../../host/Linux/include -I../.. -I../../../include -I../../host/Linux \
-	  -I../../../lib -I../../../linux-kernel/graphene
-LDFLAGS	= -shared -nostdlib -z combreloc -z defs --version-script pal-sec.map -e start
-
-objs	= bpf_helper filter main manifest printf
-graphene_lib = ../../host/Linux/.lib/graphene-lib.a
-
-.PHONY: all
-all: libpal_sec.so
-
-ifeq ($(DEBUG),1)
-CC += -g
-CFLAGS += -DDEBUG
-endif
-
-include ../../../../Makefile.rules
-
-libpal_sec.so: $(addsuffix .o,$(objs)) $(graphene_lib)
-	$(call cmd,ld_so_o)
-
-%.o: %.c
-	$(call cmd,cc_o_c)
-
-%.i: %.c
-	$(call cmd,cpp_i_o)
-
-%.s: %.c
-	$(call cmd,cc_s_c)
-
-.PHONY: clean
-clean:
-	rm -rf *.o libpal_sec.so

+ 0 - 284
Pal/src/security/Linux/bpf-helper.h

@@ -1,284 +0,0 @@
-/*
- * Example wrapper around BPF macros.
- *
- * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
- * Author: Will Drewry <wad@chromium.org>
- *
- * The code may be used by anyone for any purpose,
- * and can serve as a starting point for developing
- * applications using prctl(PR_SET_SECCOMP, 2, ...).
- *
- * No guarantees are provided with respect to the correctness
- * or functionality of this code.
- */
-#ifndef __BPF_HELPER_H__
-#define __BPF_HELPER_H__
-
-#include <asm/bitsperlong.h>	/* for __BITS_PER_LONG */
-#include <endian.h>
-#include <linux/filter.h>
-#include <linux/seccomp.h>	/* for seccomp_data */
-#include <linux/types.h>
-#include <linux/unistd.h>
-#include <stddef.h>
-
-#define SECCOMP_RET_ISOLATE	0x00010000U /* redirect to appropriate handler.*/
-
-#define BPF_LABELS_MAX 256
-struct bpf_labels {
-	int count;
-	struct __bpf_label {
-		const char *label;
-		__u32 location;
-	} labels[BPF_LABELS_MAX];
-};
-
-int bpf_resolve_jumps(struct bpf_labels *labels,
-		      struct sock_filter *filter, int count);
-__u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label);
-void seccomp_bpf_print(struct sock_filter *filter, int count);
-
-#define JUMP_JT 0xff
-#define JUMP_JF 0xff
-#define LABEL_JT 0xfe
-#define LABEL_JF 0xfe
-
-#define ALLOW \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
-#define ISOLATE \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ISOLATE)
-#define TRAP \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRAP)
-#define RET_ERRNO \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO)
-#define TRACE \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE)
-#define DENY \
-	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
-#define JUMP(labels, label) \
-	BPF_JUMP(BPF_JMP+BPF_JA, FIND_LABEL(labels, label), \
-		 JUMP_JT, JUMP_JF)
-#define LABEL(labels, label) \
-	BPF_JUMP(BPF_JMP+BPF_JA, FIND_LABEL(labels, label), \
-		 LABEL_JT, LABEL_JF)
-#define SYSCALL(nr, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, nr, 0, 1), \
-	jt
-
-/* Lame, but just an example */
-#define FIND_LABEL(labels, label) seccomp_bpf_label(labels, #label)
-
-#define EXPAND(...) __VA_ARGS__
-
-#define LO_FLAG(flag) (flag & ((1 << sizeof(__u32)) - 1))
-#define HI_FLAG(flag) ((flag >> sizeof(__u32)) & ((1 << sizeof(__u32)) - 1))
-/* Ensure that we load the logically correct offset. */
-#if __BYTE_ORDER == __LITTLE_ENDIAN
-#define LO_ARG(idx) offsetof(struct seccomp_data, args[idx])
-#define LO_IP offsetof(struct seccomp_data, instruction_pointer)
-#elif __BYTE_ORDER == __BIG_ENDIAN
-#define LO_ARG(idx) offsetof(struct seccomp_data, args[idx]) + sizeof(__u32)
-#define LO_IP offsetof(struct seccomp_data, instruction_pointer) + sizeof(__u32)
-#else
-#error "Unknown endianness"
-#endif
-
-/* Map all width-sensitive operations */
-#if __BITS_PER_LONG == 32
-
-#define JEQ(x, jt) JEQ32(x, EXPAND(jt))
-#define JNE(x, jt) JNE32(x, EXPAND(jt))
-#define JGT(x, jt) JGT32(x, EXPAND(jt))
-#define JLT(x, jt) JLT32(x, EXPAND(jt))
-#define JGE(x, jt) JGE32(x, EXPAND(jt))
-#define JLE(x, jt) JLE32(x, EXPAND(jt))
-#define JA(x, jt) JA32(x, EXPAND(jt))
-#define ARG(i) ARG_32(i)
-#define ARG_FLAG(i, flag) ARG_FLAG_32(i, flag)
-
-#elif __BITS_PER_LONG == 64
-
-/* Ensure that we load the logically correct offset. */
-#if __BYTE_ORDER == __LITTLE_ENDIAN
-#define ENDIAN(_lo, _hi) _lo, _hi
-#define HI_ARG(idx) offsetof(struct seccomp_data, args[idx]) + sizeof(__u32)
-#define HI_IP offsetof(struct seccomp_data, instruction_pointer) + sizeof(__u32)
-#elif __BYTE_ORDER == __BIG_ENDIAN
-#define ENDIAN(_lo, _hi) _hi, _lo
-#define HI_ARG(idx) offsetof(struct seccomp_data, args[idx])
-#define HI_IP offsetof(struct seccomp_data, instruction_pointer)
-#endif
-
-union arg64 {
-	struct {
-		__u32 ENDIAN(lo32, hi32);
-	};
-	__u64 u64;
-};
-
-#define JEQ(x, jt) \
-	JEQ64(((union arg64){.u64 = (x)}).lo32, \
-	      ((union arg64){.u64 = (x)}).hi32, \
-	      EXPAND(jt))
-#define JGT(x, jt) \
-	JGT64(((union arg64){.u64 = (x)}).lo32, \
-	      ((union arg64){.u64 = (x)}).hi32, \
-	      EXPAND(jt))
-#define JGE(x, jt) \
-	JGE64(((union arg64){.u64 = (x)}).lo32, \
-	      ((union arg64){.u64 = (x)}).hi32, \
-	      EXPAND(jt))
-#define JNE(x, jt) \
-	JNE64(((union arg64){.u64 = (x)}).lo32, \
-	      ((union arg64){.u64 = (x)}).hi32, \
-	      EXPAND(jt))
-#define JLT(x, jt) \
-	JLT64(((union arg64){.u64 = (x)}).lo32, \
-	      ((union arg64){.u64 = (x)}).hi32, \
-	      EXPAND(jt))
-#define JLE(x, jt) \
-	JLE64(((union arg64){.u64 = (x)}).lo32, \
-	      ((union arg64){.u64 = (x)}).hi32, \
-	      EXPAND(jt))
-
-#define JA(x, jt) \
-	JA64(((union arg64){.u64 = (x)}).lo32, \
-	       ((union arg64){.u64 = (x)}).hi32, \
-	       EXPAND(jt))
-#define ARG(i) ARG_64(i)
-#define ARG_FLAG(i, flag) ARG_FLAG_64(i, flag)
-#define IP IP_64
-
-#else
-#error __BITS_PER_LONG value unusable.
-#endif
-
-/* Loads the arg into A */
-#define ARG_32(idx) \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(idx))
-
-/* Loads the arg&flag into A */
-#define ARG_FLAG_32(idx, flag) \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(idx)), \
-	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, LO_FLAG(flag))
-
-/* Loads hi into A and lo in X */
-#define IP_64 \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_IP), \
-	BPF_STMT(BPF_ST, 0), /* lo -> M[0] */ \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, HI_IP), \
-	BPF_STMT(BPF_ST, 1) /* hi -> M[1] */
-
-/* Loads hi into A and lo in X */
-#define ARG_64(idx) \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(idx)), \
-	BPF_STMT(BPF_ST, 0), /* lo -> M[0] */ \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, HI_ARG(idx)), \
-	BPF_STMT(BPF_ST, 1) /* hi -> M[1] */
-
-/* Loads hi into A and lo in X */
-#define ARG_FLAG_64(idx, flag) \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(idx)), \
-	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, LO_FLAG(flag)), \
-	BPF_STMT(BPF_ST, 0), /* lo -> M[0] */ \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, HI_ARG(idx)), \
-	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, HI_FLAG(flag)), \
-	BPF_STMT(BPF_ST, 1) /* hi -> M[1] */
-
-#define JEQ32(value, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, value, 0, 1), \
-	jt
-
-#define JNE32(value, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, value, 1, 0), \
-	jt
-
-/* Checks the lo, then swaps to check the hi. A=lo,X=hi */
-#define JEQ64(lo, hi, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, hi, 0, 5),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, lo, 0, 2),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
-	jt,                                           \
-	BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JNE64(lo, hi, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, hi, 5, 0),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, lo, 2, 0),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
-	jt,                                           \
-	BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JA32(value, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, value, 0, 1), \
-	jt
-
-#define JA64(lo, hi, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, hi, 3, 0),   \
-	BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
-	BPF_JUMP(BPF_JMP+BPF_JSET+BPF_K, lo, 0, 2),   \
-	BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
-	jt,                                           \
-	BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JGE32(value, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, value, 0, 1), \
-	jt
-
-#define JLT32(value, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, value, 1, 0), \
-	jt
-
-/* Shortcut checking if hi > arg.hi. */
-#define JGE64(lo, hi, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, hi, 4, 0),    \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, hi, 0, 5),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
-	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, lo, 0, 2),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
-	jt,                                           \
-	BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JLT64(lo, hi, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, hi, 0, 4),    \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, hi, 0, 5),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
-	BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, lo, 2, 0),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
-	jt,                                           \
-	BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JGT32(value, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, value, 0, 1), \
-	jt
-
-#define JLE32(value, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, value, 1, 0), \
-	jt
-
-/* Check hi > args.hi first, then do the GE checking */
-#define JGT64(lo, hi, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, hi, 4, 0),    \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, hi, 0, 5),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
-	BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, lo, 0, 2),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
-	jt,                                           \
-	BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define JLE64(lo, hi, jt) \
-	BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, hi, 6, 0),    \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, hi, 0, 3),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 0), /* swap in lo */ \
-	BPF_JUMP(BPF_JMP+BPF_JGT+BPF_K, lo, 2, 0),    \
-	BPF_STMT(BPF_LD+BPF_MEM, 1), /* passed: swap hi back in */ \
-	jt,                                           \
-	BPF_STMT(BPF_LD+BPF_MEM, 1) /* failed: swap hi back in */
-
-#define LOAD_SYSCALL_NR \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-		 offsetof(struct seccomp_data, nr))
-
-#endif  /* __BPF_HELPER_H__ */
-

+ 0 - 95
Pal/src/security/Linux/bpf_helper.c

@@ -1,95 +0,0 @@
-/*
- * Seccomp BPF helper functions
- *
- * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
- * Author: Will Drewry <wad@chromium.org>
- *
- * The code may be used by anyone for any purpose,
- * and can serve as a starting point for developing
- * applications using prctl(PR_ATTACH_SECCOMP_FILTER).
- */
-
-#define _GNU_SOURCE 1
-#ifndef __GNUC__
-#define __GNUC__ 1
-#endif
-typedef __builtin_va_list __gnuc_va_list;
-
-#include "bpf-helper.h"
-#include "internal.h"
-
-int bpf_resolve_jumps(struct bpf_labels *labels,
-		      struct sock_filter *filter, int count)
-{
-	struct sock_filter *begin = filter;
-	__u8 insn = count - 1;
-
-	if (count < 1)
-		return -1;
-	/*
-	* Walk it once, backwards, to build the label table and do fixups.
-	* Since backward jumps are disallowed by BPF, this is easy.
-	*/
-	filter += insn;
-	for (; filter >= begin; --insn, --filter) {
-		if (filter->code != (BPF_JMP+BPF_JA))
-			continue;
-		switch ((filter->jt<<8)|filter->jf) {
-		case (JUMP_JT<<8)|JUMP_JF:
-			if (labels->labels[filter->k].location == 0xffffffff) {
-				printf("Unresolved label: '%s'\n",
-				       labels->labels[filter->k].label);
-				return 1;
-			}
-			filter->k = labels->labels[filter->k].location -
-				    (insn + 1);
-			filter->jt = 0;
-			filter->jf = 0;
-			continue;
-		case (LABEL_JT<<8)|LABEL_JF:
-			if (labels->labels[filter->k].location != 0xffffffff) {
-				printf("Duplicate label use: '%s'\n",
-				       labels->labels[filter->k].label);
-				return 1;
-			}
-			labels->labels[filter->k].location = insn;
-			filter->k = 0; /* fall through */
-			filter->jt = 0;
-			filter->jf = 0;
-			continue;
-		}
-	}
-	return 0;
-}
-
-/* Simple lookup table for labels. */
-__u32 seccomp_bpf_label(struct bpf_labels *labels, const char *label)
-{
-	struct __bpf_label *begin = labels->labels, *end;
-	int id;
-	if (labels->count == 0) {
-		begin->label = label;
-		begin->location = 0xffffffff;
-		labels->count++;
-		return 0;
-	}
-	int len = strlen(label);
-	end = begin + labels->count;
-	for (id = 0; begin < end; ++begin, ++id) {
-		if (!memcmp(label, begin->label, len + 1))
-			return id;
-	}
-	begin->label = label;
-	begin->location = 0xffffffff;
-	labels->count++;
-	return id;
-}
-
-void seccomp_bpf_print(struct sock_filter *filter, int count)
-{
-	struct sock_filter *end = filter + count;
-	for ( ; filter < end; ++filter)
-		printf("{ code=%u,jt=%u,jf=%u,k=%u },\n",
-		       filter->code, filter->jt, filter->jf, filter->k);
-}
-

+ 0 - 219
Pal/src/security/Linux/filter.c

@@ -1,219 +0,0 @@
-typedef __builtin_va_list __gnuc_va_list;
-
-#include "pal_linux_defs.h"
-#include "bpf-helper.h"
-#include "internal.h"
-#include "graphene-ipc.h"
-#include "graphene.h"
-
-#include <linux/types.h>
-#include <linux/filter.h>
-#include <linux/seccomp.h>
-#include <linux/unistd.h>
-#include <linux/limits.h>
-#include <linux/sched.h>
-#include <linux/prctl.h>
-#include <sys/socket.h>
-#include <asm/fcntl.h>
-#include <asm/mman.h>
-#include <asm/ioctls.h>
-
-#ifndef PR_SET_NO_NEW_PRIVS
-# define PR_SET_NO_NEW_PRIVS 38
-#endif
-
-#ifndef SYS_SECCOMP
-# define SYS_SECCOMP 1
-#endif
-
-#define SYSCALL_FILTERS                                  \
-    LOAD_SYSCALL_NR,                                     \
-                                                         \
-    SYSCALL(__NR_open,          ALLOW),                  \
-    SYSCALL(__NR_fstat,         ALLOW),                  \
-    SYSCALL(__NR_accept4,       ALLOW),                  \
-    SYSCALL(__NR_bind,          ALLOW),                  \
-    SYSCALL(__NR_clone,         ALLOW),                  \
-    SYSCALL(__NR_close,         ALLOW),                  \
-    SYSCALL(__NR_dup2,          ALLOW),                  \
-    SYSCALL(__NR_connect,       ALLOW),                  \
-    SYSCALL(__NR_execve,        ALLOW),                  \
-    SYSCALL(__NR_exit,          ALLOW),                  \
-    SYSCALL(__NR_exit_group,    ALLOW),                  \
-    SYSCALL(__NR_fchmod,        ALLOW),                  \
-    SYSCALL(__NR_fcntl,         JUMP(&labels, fcntl)),   \
-    SYSCALL(__NR_fsync,         ALLOW),                  \
-    SYSCALL(__NR_ftruncate,     ALLOW),                  \
-    SYSCALL(__NR_futex,         ALLOW),                  \
-    SYSCALL(__NR_getdents64,    ALLOW),                  \
-    SYSCALL(__NR_getsockname,   ALLOW),                  \
-    SYSCALL(__NR_getsockopt,    ALLOW),                  \
-    SYSCALL(__NR_ioctl,         JUMP(&labels, ioctl)),   \
-    SYSCALL(__NR_listen,        ALLOW),                  \
-    SYSCALL(__NR_lseek,         ALLOW),                  \
-    SYSCALL(__NR_mkdir,         ALLOW),                  \
-    SYSCALL(__NR_mmap,          JUMP(&labels, mmap)),    \
-    SYSCALL(__NR_mprotect,      ALLOW),                  \
-    SYSCALL(__NR_munmap,        ALLOW),                  \
-    SYSCALL(__NR_nanosleep,     ALLOW),                  \
-    SYSCALL(__NR_pipe2,         ALLOW),                  \
-    SYSCALL(__NR_ppoll,         ALLOW),                  \
-    SYSCALL(__NR_read,          ALLOW),                  \
-    SYSCALL(__NR_readlink,      ALLOW),                  \
-    SYSCALL(__NR_recvmsg,       ALLOW),                  \
-    SYSCALL(__NR_rename,        ALLOW),                  \
-    SYSCALL(__NR_rmdir,         ALLOW),                  \
-    SYSCALL(__NR_sched_yield,   ALLOW),                  \
-    SYSCALL(__NR_sendmsg,       ALLOW),                  \
-    SYSCALL(__NR_setsockopt,    ALLOW),                  \
-    SYSCALL(__NR_shutdown,      ALLOW),                  \
-    SYSCALL(__NR_socket,        ALLOW),                  \
-    SYSCALL(__NR_socketpair,    ALLOW),                  \
-    SYSCALL(__NR_stat,          ALLOW),                  \
-    SYSCALL(__NR_tgkill,        ALLOW),                  \
-    SYSCALL(__NR_unlink,        ALLOW),                  \
-    SYSCALL(__NR_vfork,         ALLOW),                  \
-    SYSCALL(__NR_wait4,         ALLOW),                  \
-    SYSCALL(__NR_write,         ALLOW),                  \
-                                                         \
-    SYSCALL_ARCH_FILTERS
-
-#ifdef __x86_64__
-# define SYSCALL_ARCH_FILTERS                            \
-    SYSCALL(__NR_arch_prctl,        ALLOW),              \
-    SYSCALL(__NR_rt_sigaction,      ALLOW),              \
-    SYSCALL(__NR_rt_sigprocmask,    ALLOW),              \
-    SYSCALL(__NR_rt_sigreturn,      ALLOW)
-#else
-# error "Unsupported architecture"
-#endif
-
-#ifndef SIGCHLD
-# define SIGCHLD 17
-#endif
-
-#define SYSCALL_ACTIONS                                  \
-    DENY,                                                \
-                                                         \
-    LABEL(&labels, ioctl),                               \
-    ARG(1),                                              \
-    JEQ(FIONREAD,       ALLOW),                          \
-    JEQ(GIPC_CREATE,    ALLOW),                          \
-    JEQ(GIPC_JOIN,      ALLOW),                          \
-    JEQ(GIPC_RECV,      ALLOW),                          \
-    JEQ(GIPC_SEND,      ALLOW),                          \
-    JEQ(GRAPHENE_SET_TASK,  ALLOW),                      \
-    DENY,                                                \
-                                                         \
-    LABEL(&labels, fcntl),                               \
-    ARG(1),                                              \
-    JEQ(F_SETFD,   ALLOW),                               \
-    JEQ(F_SETFL,   ALLOW),                               \
-    DENY,                                                \
-                                                         \
-    LABEL(&labels, mmap),                                \
-    ARG_FLAG(3, MAP_HUGETLB),                            \
-    JEQ(0, ALLOW),                                       \
-    DENY,                                                \
-                                                         \
-    LABEL(&labels, clone),                               \
-    ARG_FLAG(2, (CLONE_IO|CLONE_VM|CLONE_VFORK)),        \
-    JEQ(0, ALLOW),                                       \
-    JEQ(SIGCHLD, ALLOW),                                 \
-    DENY,                                                \
-                                                         \
-    LABEL(&labels, socket),                              \
-    ARG(0),                                              \
-    JEQ(AF_UNIX,    ALLOW),                              \
-    JEQ(AF_INET,    ALLOW),                              \
-    JEQ(AF_INET6,   ALLOW),                              \
-    DENY
-
-
-/* VERY IMPORTANT: This is the filter that gets applied to the startup code
- * before applying the real filter in the function install_syscall_filter. If
- * you face any issues, you may have to enable certain syscalls here to
- * successfully make changes to startup code. Also, all the syscalls allowed
- * in install_syscall_filter must be allowed in install_initial_syscall_filter
- * as well.
- */
-
-int install_initial_syscall_filter (void)
-{
-    int err = 0;
-    struct bpf_labels labels = { .count = 0 };
-
-    struct sock_filter filter[] = {
-        SYSCALL_FILTERS,
-
-#if USE_CLOCK_GETTIME == 1
-        SYSCALL(__NR_clock_gettime, ALLOW),
-#else
-        SYSCALL(__NR_gettimeofday,  ALLOW),
-#endif
-        SYSCALL(__NR_prctl,     JUMP(&labels, prctl)),
-
-        SYSCALL_ACTIONS,
-
-        LABEL(&labels, prctl),
-        ARG(0),
-        JEQ(PR_SET_SECCOMP,     ALLOW),
-        DENY,
-    };
-
-    struct sock_fprog prog = {
-        .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
-        .filter = filter,
-    };
-
-    bpf_resolve_jumps(&labels, filter, prog.len);
-
-    err = INLINE_SYSCALL(prctl, 5, PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
-    if (IS_ERR(err))
-        goto failed;
-
-    err = INLINE_SYSCALL(prctl, 3, PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
-                         &prog);
-    if (IS_ERR(err))
-        goto failed;
-
-    return 0;
-
-failed:
-    return -ERRNO(err);
-}
-
-int install_syscall_filter (void * code_start, void * code_end)
-{
-    int err = 0;
-    struct bpf_labels labels = { .count = 0 };
-
-    printf("set up filter in %p-%p\n", code_start, code_end);
-
-    struct sock_filter filter[] = {
-        IP,
-        JLT((unsigned long) code_start, DENY),
-        JGT((unsigned long) code_end,   DENY),
-
-        SYSCALL(__NR_prctl,     DENY),
-        ALLOW,
-    };
-
-    struct sock_fprog prog = {
-        .len = (unsigned short) (sizeof(filter) / sizeof(filter[0])),
-        .filter = filter,
-    };
-
-    bpf_resolve_jumps(&labels, filter, prog.len);
-
-    err = INLINE_SYSCALL(prctl, 3, PR_SET_SECCOMP, SECCOMP_MODE_FILTER,
-                         &prog);
-
-    if (IS_ERR(err))
-        goto failed;
-
-    return 0;
-
-failed:
-    return -ERRNO(err);
-}

+ 0 - 30
Pal/src/security/Linux/internal.h

@@ -1,30 +0,0 @@
-#ifndef __INTERNAL_H__
-#define __INTERNAL_H__
-
-#include <stddef.h>
-#include <stdint.h>
-#include <stdarg.h>
-
-#include "api.h"
-
-/* RUNTIME_FILE() is defined in pal_internal.h, and including pal_internal.h
- * causes compile issue. So PAL_LOADER is defined without RUNTIME_FILE
- * as workaround. */
-#define PAL_LOADER  XSTRINGIFY(RUNTIME_DIR) "/pal-Linux"
-
-#ifdef __x86_64__
-# include "sysdep-x86_64.h"
-#else
-# error "unsupported architecture"
-#endif
-
-#define IS_ERR INTERNAL_SYSCALL_ERROR
-#define IS_ERR_P INTERNAL_SYSCALL_ERROR_P
-#define ERRNO INTERNAL_SYSCALL_ERRNO
-#define ERRNO_P INTERNAL_SYSCALL_ERRNO_P
-
-int printf (const char * fmt, ...) __attribute__ ((format(printf, 1, 2)));
-void * malloc (size_t size);
-void free (void * mem);
-
-#endif /* __INTERNAL_H__ */

+ 0 - 602
Pal/src/security/Linux/main.c

@@ -1,602 +0,0 @@
-#define _GNU_SOURCE 1
-#ifndef __GNUC__
-#define __GNUC__ 1
-#endif
-
-#include <stdint.h>
-#include <stddef.h>
-#include <linux/unistd.h>
-#include <sys/socket.h>
-#include <linux/in.h>
-#include <linux/in6.h>
-#include <linux/fs.h>
-#include <asm/fcntl.h>
-#include <asm/mman.h>
-#include <asm/errno.h>
-#include <elf/elf.h>
-#include <sysdeps/generic/ldsodefs.h>
-
-#include "pal_security.h"
-#include "internal.h"
-#include "graphene.h"
-
-#define PRESET_PAGESIZE 4096UL
-
-unsigned long pagesize  = PRESET_PAGESIZE;
-unsigned long pageshift = PRESET_PAGESIZE - 1;
-unsigned long pagemask  = ~(PRESET_PAGESIZE - 1);
-
-#define POOL_SIZE (4096 * 64)
-static char mem_pool[POOL_SIZE];
-static char *bump = mem_pool;
-static char *mem_pool_end = &mem_pool[POOL_SIZE];
-
-void * malloc (size_t size)
-{
-    void * addr = (void *) bump;
-
-    bump += size;
-    if (bump >= mem_pool_end) {
-        printf("Pal reference monitor out of internal memory!\n");
-        INLINE_SYSCALL(exit_group, 1, -1);
-        return NULL;
-    }
-
-    return addr;
-}
-
-void free (void * mem)
-{
-    /* no freeing */
-}
-
-#if __WORDSIZE == 2
-# define FILEBUF_SIZE 512
-#else
-# define FILEBUF_SIZE 832
-#endif
-
-static void do_bootstrap (void * args, int * pargc, const char *** pargv,
-                          const char *** penvp, ElfW(auxv_t) ** pauxv,
-                          void ** baseaddr, const char ** program_name)
-{
-    const char ** all_args = (const char **) args;
-    int argc = (uintptr_t) all_args[0];
-    const char ** argv = &all_args[1];
-    const char ** envp = argv + argc + 1;
-    void * base = NULL;
-
-    /* fetch environment information from aux vectors */
-    void ** auxv = (void **) envp + 1;
-    for (; *(auxv - 1); auxv++);
-    ElfW(auxv_t) *av;
-    for (av = (ElfW(auxv_t) *) auxv ; av->a_type != AT_NULL ; av++)
-        switch (av->a_type) {
-            case AT_PAGESZ:
-                pagesize  = av->a_un.a_val;
-                pageshift = pagesize - 1;
-                pagemask  = ~pageshift;
-                break;
-            case AT_BASE:
-                base = (void *) av->a_un.a_val;
-                break;
-        }
-
-    if (!base) {
-        __asm__ ("leaq start(%%rip), %0\r\n"
-             "subq 1f(%%rip), %0\r\n"
-             ".section\t.data.rel.ro\r\n"
-             "1:\t.quad start\r\n"
-             ".previous\r\n"
-             : "=r" (base) : : "cc");
-    }
-
-    *program_name = *argv;
-    argv++;
-    argc--;
-    *pargc = argc;
-    *pargv = argv;
-    *penvp = envp;
-    *pauxv = (ElfW(auxv_t) *) auxv;
-    *baseaddr = base;
-}
-
-int open_manifest (const char ** argv)
-{
-    const char * manifest_name = *argv;
-    int ret, fd;
-
-    fd = INLINE_SYSCALL(open, 3, manifest_name, O_RDONLY, 0);
-    if (IS_ERR(fd))
-        return -ERRNO(fd);
-
-    /* check if the first argument is an executable. If its not,
-     * it must be a manifest */
-
-    char filebuf[4], elfmagic[4] = "\177ELF";
-    ret = INLINE_SYSCALL(read, 3, fd, filebuf, sizeof(filebuf));
-    if (IS_ERR(ret))
-        return -ERRNO(ret);
-
-    if (memcmp(filebuf, elfmagic, sizeof(filebuf)))
-        return fd;
-
-    INLINE_SYSCALL(close, 1, fd);
-
-    /* find a manifest file with the same name as executable */
-    int len = strlen(*argv);
-    manifest_name = __alloca(len + static_strlen(".manifest") + 1);
-    memcpy((void *) manifest_name, &argv, len);
-    memcpy((void *) manifest_name + len, ".manifest",
-           static_strlen(".manifest"));
-
-    fd = INLINE_SYSCALL(open, 3, manifest_name, O_RDONLY, 0);
-    if (!IS_ERR(fd))
-        return fd;
-
-    /* find "manifest" file */
-    fd = INLINE_SYSCALL(open, 3, "manifest", O_RDONLY, 0);
-    if (!IS_ERR(fd))
-        return fd;
-
-    return -ENOENT;
-}
-
-int load_manifest (int fd, struct config_store * config)
-{
-    int nbytes = INLINE_SYSCALL(lseek, 3, fd, 0, SEEK_END);
-
-    if (IS_ERR(nbytes))
-        return -ERRNO(nbytes);
-
-    void * config_raw = (void *)
-            INLINE_SYSCALL(mmap, 6, NULL, nbytes,
-                           PROT_READ, MAP_PRIVATE,
-                           fd, 0);
-
-    if (IS_ERR_P(config_raw))
-        return -ERRNO_P(config_raw);
-
-    config->raw_data = config_raw;
-    config->raw_size = nbytes;
-    config->malloc   = malloc;
-    config->free     = NULL;
-
-    const char * errstring = NULL;
-    int ret = read_config(config, NULL, &errstring);
-
-    if (ret < 0) {
-        printf("can't read manifest: %s\n", errstring);
-        return ret;
-    }
-
-    return 0;
-}
-
-static int do_relocate (ElfW(Dyn) * dyn, ElfW(Addr) addr)
-{
-    ElfW(Dyn) * dt_rela      = NULL;
-    ElfW(Dyn) * dt_relacount = NULL;
-
-    for ( ; dyn->d_tag != DT_NULL ; dyn++)
-        switch (dyn->d_tag) {
-            case DT_RELA:       dt_rela = dyn;      break;
-            case DT_RELACOUNT:  dt_relacount = dyn; break;
-        }
-
-    if (!dt_rela || !dt_relacount)
-        return -EINVAL;
-
-    ElfW(Rela) * r = (void *) (addr + dt_rela->d_un.d_ptr);
-    ElfW(Rela) * end = r + dt_relacount->d_un.d_val;
-
-    for ( ; r < end ; r++)
-        *(ElfW(Addr) *) (addr + r->r_offset) = addr + r->r_addend;
-
-     return 0;
-}
-
-static void *
-find_symbol (const ElfW(Dyn) * dyn, ElfW(Addr) addr, const char * name)
-{
-    const ElfW(Dyn) * dt_symtab    = NULL;
-    const ElfW(Dyn) * dt_strtab    = NULL;
-    const ElfW(Dyn) * dt_rela      = NULL;
-    const ElfW(Dyn) * dt_relasz    = NULL;
-    const ElfW(Dyn) * dt_relacount = NULL;
-
-    for ( ; dyn->d_tag != DT_NULL ; dyn++)
-        switch (dyn->d_tag) {
-            case DT_SYMTAB:     dt_symtab = dyn;    break;
-            case DT_STRTAB:     dt_strtab = dyn;    break;
-            case DT_RELA:       dt_rela = dyn;      break;
-            case DT_RELASZ:     dt_relasz = dyn;    break;
-            case DT_RELACOUNT:  dt_relacount = dyn; break;
-        }
-
-    if (!dt_symtab || !dt_strtab || !dt_rela || !dt_relasz || !dt_relacount)
-        return NULL;
-
-    ElfW(Sym) * symtab = (void *) (addr + dt_symtab->d_un.d_ptr);
-    const char * strtab = (void *) (addr + dt_strtab->d_un.d_ptr);
-    ElfW(Rela) * r = (void *) (addr + dt_rela->d_un.d_ptr);
-    ElfW(Rela) * rel = r + dt_relacount->d_un.d_val;
-    ElfW(Rela) * end = r + dt_relasz->d_un.d_val / sizeof(ElfW(Rela));
-    int len = strlen(name);
-
-    for (r = rel ; r < end ; r++) {
-        ElfW(Sym) * sym = &symtab[ELFW(R_SYM) (r->r_info)];
-        if (!sym->st_name)
-            continue;
-        if (!memcmp(strtab + sym->st_name, name, len + 1))
-            return (void *) addr + sym->st_value;
-    }
-
-    return NULL;
-}
-
-static int load_static (const char * filename, void ** load_addr,
-                        void ** entry, ElfW(Dyn) ** dyn,
-                        unsigned long * phoff, int * phnum)
-{
-    int ret = 0;
-
-    int fd = INLINE_SYSCALL(open, 2, filename, O_RDONLY|O_CLOEXEC);
-    if (IS_ERR(fd))
-        return -ERRNO(fd);
-
-    char filebuf[FILEBUF_SIZE];
-    ret = INLINE_SYSCALL(read, 3, fd, filebuf, FILEBUF_SIZE);
-    if (IS_ERR(ret)) {
-        ret = -ERRNO(ret);
-        goto out;
-    }
-
-    const ElfW(Ehdr) * header = (void *) filebuf;
-    const ElfW(Phdr) * phdr = (void *) filebuf + header->e_phoff;
-    const ElfW(Phdr) * ph;
-    ElfW(Addr) base = 0;
-
-    *phoff = header->e_phoff;
-    *phnum = header->e_phnum;
-
-    struct loadcmd {
-        ElfW(Addr) mapstart, mapend, dataend, allocend;
-        off_t mapoff;
-        int prot;
-    } loadcmds[16], *c;
-    int nloadcmds = 0;
-
-    for (ph = phdr ; ph < &phdr[header->e_phnum] ; ph++)
-        switch (ph->p_type) {
-            case PT_DYNAMIC:
-                *dyn = (void *) ph->p_vaddr;
-                break;
-
-            case PT_LOAD:
-                if (nloadcmds == 16) {
-                    ret = -EINVAL;
-                    goto out;
-                }
-
-                c = &loadcmds[nloadcmds++];
-                c->mapstart = ph->p_vaddr & pagemask;
-                c->mapend = (ph->p_vaddr + ph->p_filesz + pageshift) & pagemask;
-                c->dataend = ph->p_vaddr + ph->p_filesz;
-                c->allocend = ph->p_vaddr + ph->p_memsz;
-                c->mapoff = ph->p_offset & pagemask;
-                c->prot = (ph->p_flags & PF_R ? PROT_READ  : 0) |
-                          (ph->p_flags & PF_W ? PROT_WRITE : 0) |
-                          (ph->p_flags & PF_X ? PROT_EXEC  : 0);
-                break;
-        }
-
-    c = loadcmds;
-    int maplength = loadcmds[nloadcmds - 1].allocend - c->mapstart;
-
-    base = INLINE_SYSCALL(mmap, 6, NULL, maplength, c->prot,
-                          MAP_PRIVATE | MAP_FILE, fd, c->mapoff);
-
-    if (IS_ERR_P(base)) {
-        ret = -ERRNO_P(base);
-        goto out;
-    }
-
-    goto postmap;
-
-    for ( ; c < &loadcmds[nloadcmds] ; c++) {
-        ElfW(Addr) addr = INLINE_SYSCALL(mmap, 6, base + c->mapstart,
-                                         c->mapend - c->mapstart,
-                                         c->prot,
-                                         MAP_PRIVATE|MAP_FILE|MAP_FIXED,
-                                         fd, c->mapoff);
-        if (IS_ERR_P(addr)) {
-            ret = -ERRNO_P(addr);
-            goto out;
-        }
-
-postmap:
-        if (c == loadcmds)
-            INLINE_SYSCALL(munmap, 2, base + c->mapend, maplength - c->mapend);
-
-        if (c->allocend <= c->dataend)
-            continue;
-
-        ElfW(Addr) zero, zeroend, zeropage;
-
-        zero = base + c->dataend;
-        zeroend = (base + c->allocend + pageshift) & pagemask;
-        zeropage = (zero + pageshift) & pagemask;
-
-        if (zeroend < zeropage)
-            zeropage = zeroend;
-
-        if (zeropage > zero)
-            memset((void *) zero, 0, zeropage - zero);
-
-        if (zeroend <= zeropage)
-            continue;
-
-        addr = INLINE_SYSCALL(mmap, 6, zeropage, zeroend - zeropage, c->prot,
-                              MAP_PRIVATE|MAP_ANON|MAP_FIXED, -1, 0);
-        if (IS_ERR_P(addr)) {
-            ret = -ERRNO_P(addr);
-            goto out;
-        }
-    }
-
-    *dyn = (void *) (base + (ElfW(Addr)) *dyn);
-    *load_addr = (void *) base;
-    *entry = (void *) base + header->e_entry;
-
-out:
-    INLINE_SYSCALL(close, 1, fd);
-    return ret;
-}
-
-static int find_code_range (void * load_addr, void ** start, void ** end)
-{
-    const ElfW(Ehdr) * header = load_addr;
-    const ElfW(Phdr) * phdr = load_addr + header->e_phoff, * ph;
-
-    for (ph = phdr ; ph < &phdr[header->e_phnum] ; ph++)
-        if (ph->p_type == PT_LOAD && (ph->p_flags & PF_X)) {
-            *start = load_addr + ph->p_vaddr;
-            *end = load_addr + ph->p_vaddr + ph->p_filesz;
-            return 0;
-        }
-
-    return -ENOENT;
-}
-
-void __attribute__((noinline)) ___dl_debug_state (void) {}
-
-extern __typeof(___dl_debug_state) _dl_debug_state
-    __attribute ((alias ("___dl_debug_state")));
-
-struct link_map {
-    ElfW(Addr)        l_addr;
-    const char *      l_name;
-    const ElfW(Dyn) * l_ld;
-    struct link_map * l_next, * l_prev;
-};
-
-static struct link_map init_link_map;
-
-struct r_debug ___r_debug =
-    { 1, NULL, (ElfW(Addr)) &___dl_debug_state, RT_CONSISTENT, 0 };
-
-extern __typeof(___r_debug) _r_debug
-    __attribute ((alias ("___r_debug")));
-
-int ioctl_set_graphene (struct config_store * sandbox_config, int npolices,
-                        const struct graphene_user_policy * policies);
-
-int set_sandbox (struct config_store * sandbox_config,
-                 struct pal_sec * pal_sec_addr, void * pal_addr)
-{
-    struct graphene_user_policy policies[] = {
-        { .type = GRAPHENE_LIB_NAME,    .value = PAL_LOADER, },
-        { .type = GRAPHENE_LIB_ADDR,    .value = pal_addr, },
-        { .type = GRAPHENE_UNIX_PREFIX, .value = &pal_sec_addr->pipe_prefix_id, },
-        { .type = GRAPHENE_MCAST_PORT,  .value = &pal_sec_addr->mcast_port, },
-        { .type = GRAPHENE_FS_PATH | GRAPHENE_FS_READ,
-          .value = "/proc/meminfo", },
-    };
-
-    return ioctl_set_graphene(sandbox_config,
-                              sizeof(policies) / sizeof(policies[0]),
-                              policies);
-}
-
-int install_initial_syscall_filter (void);
-int install_syscall_filter (void * code_start, void * code_end);
-
-void start(void);
-
-__asm__ (".global start\r\n"
-     "  .type start,@function\r\n"
-     ".global main\r\n"
-     "  .type do_main,@function\r\n");
-
-/* At the begining of entry point, rsp starts at argc, then argvs,
-   envps and auxvs. Here we store rsp to rdi, so it will not be
-   messed up by function calls */
-__asm__ ("start:\r\n"
-     "  movq %rsp, %rdi\r\n"
-     "  andq $~0xF, %rsp\r\n"
-     "  call do_main\r\n");
-
-void do_main (void * args)
-{
-    const char * program_name;
-    int argc;
-    const char ** argv, ** envp;
-    ElfW(auxv_t) * auxv;
-    void * baseaddr;
-    unsigned long pid = INLINE_SYSCALL(getpid, 0);
-    int ret = 0;
-
-    do_bootstrap(args, &argc, &argv, &envp, &auxv, &baseaddr, &program_name);
-
-    /* VERY IMPORTANT: This is the filter that gets applied to the startup code
-     * before applying the real filter in the function install_syscall_filter.
-     * If you face any issues, you may have to enable certain syscalls here to
-     * successfully make changes to startup code. */
-
-    ret = install_initial_syscall_filter();
-    if (ret < 0) {
-        printf("Unable to install initial system call filter\n");
-        goto exit;
-    }
-
-    /* occupy PAL_INIT_FD */
-    INLINE_SYSCALL(dup2, 2, 0, PROC_INIT_FD);
-
-    ElfW(Dyn) * dyn = (ElfW(Dyn) *) (baseaddr + (ElfW(Addr)) &_DYNAMIC);
-    do_relocate(dyn, (ElfW(Addr)) baseaddr);
-
-    init_link_map.l_addr = (ElfW(Addr)) baseaddr;
-    init_link_map.l_ld   = dyn;
-    init_link_map.l_name = program_name;
-    ___r_debug.r_map     = &init_link_map;
-    ___r_debug.r_ldbase  = (ElfW(Addr)) baseaddr;
-
-    int manifest;
-    if (!argc || (manifest = open_manifest(argv)) < 0) {
-        printf("USAGE: %s [executable|manifest] args ...\n", program_name);
-        goto exit;
-    }
-
-    struct config_store sandbox_config;
-    ret = load_manifest(manifest, &sandbox_config);
-    if (ret < 0)
-        goto exit;
-
-    void *        pal_addr  = NULL;
-    void *        pal_entry = NULL;
-    ElfW(Dyn) *   pal_dyn   = NULL;
-    unsigned long pal_phoff = 0;
-    int           pal_phnum = 0;
-
-    ret = load_static(PAL_LOADER, &pal_addr, &pal_entry, &pal_dyn,
-                      &pal_phoff, &pal_phnum);
-
-    if (ret < 0) {
-        printf("Unable to load PAL loader\n");
-        goto exit;
-    }
-
-    int rand_gen = INLINE_SYSCALL(open, 3, RANDGEN_DEVICE, O_RDONLY, 0);
-    if (IS_ERR(rand_gen)) {
-        printf("Unable to open random generator device\n");
-        goto exit;
-    }
-
-    struct pal_sec * pal_sec_addr =
-                find_symbol(pal_dyn, (ElfW(Addr)) pal_addr, "pal_sec");
-    if (!pal_sec_addr) {
-        printf("Unable to find 'pal_sec' in PAL loader\n");
-        goto exit;
-    }
-
-    unsigned short mcast_port = 0;
-    ret = INLINE_SYSCALL(read, 3, rand_gen, &mcast_port, sizeof(mcast_port));
-    if (IS_ERR(ret)) {
-        ret = -ERRNO(ret);
-        goto exit;
-    }
-
-    pal_sec_addr->process_id      = pid;
-    pal_sec_addr->random_device   = rand_gen;
-    pal_sec_addr->pipe_prefix_id  = 0;
-    pal_sec_addr->mcast_port      = mcast_port % (65536 - 1024) + 1024;
-    pal_sec_addr->_dl_debug_state = &___dl_debug_state;
-    pal_sec_addr->_r_debug        = &___r_debug;
-
-    ret = set_sandbox(&sandbox_config, pal_sec_addr, pal_addr);
-    if (ret < 0) {
-        printf("Unable to load sandbox policies\n");
-        goto exit;
-    }
-
-    /* free PAL_INIT_FD */
-    INLINE_SYSCALL(close, 1, PROC_INIT_FD);
-
-    void * code_start = NULL;
-    void * code_end   = NULL;
-    ret = find_code_range(pal_addr, &code_start, &code_end);
-    if (ret < 0) {
-        printf("Unable to find a code segment\n");
-        goto exit;
-    }
-
-    ret = install_syscall_filter(code_start, code_end);
-    if (ret < 0) {
-        printf("Unable to install system call filter\n");
-        goto exit;
-    }
-
-    /* after installing syscall, you can't execute any system call */
-    const char ** new_envp, ** new_argv;
-    ElfW(auxv_t) * new_auxv;
-    int envc = 1, auxc = 1;
-    for (const char ** e = envp ; *e ; e++, envc++);
-    for (ElfW(auxv_t) * av = auxv ; av->a_type != AT_NULL ; av++, auxc++);
-
-    /* skip 1024 bytes as a red zone */
-    void * stack = __alloca(sizeof(unsigned long) +
-                            sizeof(char *) * (argc + 2) +
-                            sizeof(char *) * envc +
-                            sizeof(ElfW(auxv_t)) * auxc);
-
-    *(unsigned long *) stack = argc + 1;
-    new_argv = stack + sizeof(unsigned long *);
-    new_envp = (void *) &new_argv[argc + 2];
-    new_auxv = (void *) &new_envp[envc + 1];
-    new_argv[0] = PAL_LOADER;
-    memcpy(&new_argv[1], argv, sizeof(char *) * (argc + 1));
-    memcpy(new_envp, envp, sizeof(char *) * envc);
-    memcpy(new_auxv, auxv, sizeof(ElfW(auxv_t)) * auxc);
-
-    for (ElfW(auxv_t) * av = new_auxv ; av->a_type != AT_NULL ; av++)
-        switch (av->a_type) {
-            case AT_ENTRY:
-                av->a_un.a_val = (unsigned long) pal_entry;
-                break;
-            case AT_BASE:
-                av->a_un.a_val = (unsigned long) pal_addr;
-                break;
-            case AT_PHDR:
-                av->a_un.a_val = (unsigned long) pal_addr + pal_phoff;
-                break;
-            case AT_PHNUM:
-                av->a_un.a_val = pal_phnum;
-                break;
-        }
-
-    __asm__ volatile ("xorq %%rsp, %%rsp\r\n"
-                  "movq %0, %%rsp\r\n"
-                  "jmpq *%1\r\n"
-                  :: "r"(stack), "r"(pal_entry) : "memory");
-
-exit:
-    INLINE_SYSCALL(exit_group, 1, ret);
-}
-
-/* This does not return */
-noreturn void __abort(void) {
-    INLINE_SYSCALL(exit_group, 1, -1);
-    while (true) {
-        /* nothing */;
-    }
-}
-
-void warn (const char *format, ...)
-{
-    va_list args;
-    va_start (args, format);
-    printf(format, args);
-    va_end (args);
-}
-

+ 0 - 362
Pal/src/security/Linux/manifest.c

@@ -1,362 +0,0 @@
-#define _GNU_SOURCE 1
-#ifndef __GNUC__
-#define __GNUC__ 1
-#endif
-
-#ifdef IN_PAL
-# include "pal_defs.h"
-# include "pal_linux_defs.h"
-# include "pal.h"
-# include "pal_internal.h"
-# include "pal_linux.h"
-# include "pal_debug.h"
-# include "pal_error.h"
-#else
-# include "internal.h"
-#endif
-
-#include "graphene.h"
-#include "pal_security.h"
-#include "api.h"
-
-#include <sys/socket.h>
-#include <linux/unistd.h>
-#include <asm/fcntl.h>
-#include <asm/mman.h>
-#include <asm/errno.h>
-
-static inline int is_file_uri (const char * uri)
-{
-    return strpartcmp_static(uri, "file:");
-}
-
-static inline const char * file_uri_to_path (const char * uri, int len)
-{
-    int prefix_len = static_strlen("file:");
-    char * path;
-
-    if (len == prefix_len) {
-        path = malloc(2);
-        if (!path)
-            return NULL;
-
-        path[0] = '.';
-        path[1] = 0;
-        return path;
-    }
-
-    path = malloc(len - prefix_len + 1);
-    if (!path)
-        return NULL;
-
-    memcpy(path, uri + prefix_len, len - prefix_len + 1);
-    return path;
-}
-
-
-static const char * __get_path (struct config_store * config, const char * key)
-{
-    char uri[CONFIG_MAX];
-
-    if (get_config(config, key, uri, CONFIG_MAX) <= 0 ||
-        !is_file_uri(uri))
-        return NULL;
-
-    return file_uri_to_path(uri, strlen(uri));
-}
-
-#define PRELOAD_MAX     16
-
-int get_preload_paths (struct config_store * config, const char *** paths)
-{
-    char cfgbuf[CONFIG_MAX];
-
-    if (get_config(config, "loader.preload", cfgbuf, CONFIG_MAX) <= 0)
-        return 0;
-
-    const char * p = cfgbuf, * n;
-    const char * preload_paths[PRELOAD_MAX];
-    int npreload = 0;
-
-    while (*p && npreload < PRELOAD_MAX) {
-        for (n = p ; *n && *n != ',' ; n++);
-
-        if (!is_file_uri(p))
-            goto next;
-
-        if (!(preload_paths[npreload++] = file_uri_to_path(p, n - p)))
-            return -ENOMEM;
-next:
-        p = *n ? n + 1 : n;
-    }
-
-    *paths = malloc(sizeof(const char *) * npreload);
-    if (!(*paths))
-        return -ENOMEM;
-
-    memcpy((*paths), preload_paths, sizeof(const char *) * npreload);
-    return npreload;
-}
-
-int get_fs_paths (struct config_store * config, const char *** paths)
-{
-    char * keys;
-    size_t nkeys;
-    ssize_t cfgsize;
-    int ret;
-
-    cfgsize = get_config_entries_size(config, "fs.mount");
-    if (cfgsize)
-        return 0;
-
-    keys = __alloca(cfgsize);
-    if ((ret = get_config_entries(config, "fs.mount", keys, cfgsize)) < 0)
-        nkeys = 0;
-    else
-        nkeys = (size_t)ret;
-
-    *paths = malloc(sizeof(const char *) * (1 + nkeys));
-    if (!(*paths))
-        return -ENOMEM;
-
-    (*paths)[0] = ".";
-    int npaths = 1;
-
-    if (!nkeys)
-        goto out;
-
-    char key[CONFIG_MAX], * k = keys, * n;
-    char * tmp;
-
-    tmp = strcpy_static(key, "fs.mount.", (size_t)CONFIG_MAX);
-
-    for (size_t i = 0 ; i < nkeys ; i++) {
-        for (n = k ; *n ; n++);
-        size_t len = n - k;
-        memcpy(tmp, k, len);
-        strcpy_static(tmp + len, ".uri", (size_t)((key + CONFIG_MAX) - (tmp + len)));
-
-        const char * path = __get_path(config, key);
-        if (path)
-            (*paths)[npaths++] = path;
-        k = n + 1;
-    }
-out:
-    return npaths;
-}
-
-int get_net_rules (struct config_store * config,
-                   struct graphene_net_rule ** net_rules,
-                   int * nbind_rules)
-{
-    char * binds, * peers;
-    int nbinds, npeers;
-    int nrules = 0;
-    ssize_t cfgsize;
-
-    cfgsize = get_config_entries_size(config, "net.allow_bind");
-    if (cfgsize < 0)
-        return 0;
-
-    binds = __alloca(cfgsize);
-    if ((nbinds = get_config_entries(config, "net.allow_bind", binds, cfgsize)) < 0)
-        return 0;
-
-    cfgsize = get_config_entries_size(config, "net.allow_peer");
-    if (cfgsize < 0)
-        return 0;
-
-    peers = __alloca(cfgsize);
-    if ((npeers = get_config_entries(config, "net.allow_peer", peers, cfgsize)) < 0)
-        return 0;
-
-    struct graphene_net_rule * rules =
-            malloc(sizeof(struct graphene_net_rule) * (nbinds + npeers));
-
-    if (!rules)
-        return -ENOMEM;
-
-    for (int t = 0 ; t < 2 ; t ++) {
-        char key[CONFIG_MAX], * k, * n;
-        char * tmp;
-        int nadded;
-
-        if (t == 0) {
-            if (!nbinds)
-                continue;
-            k = binds;
-            nadded = nbinds;
-            tmp = strcpy_static(key, "net.allow_bind.", CONFIG_MAX);
-        } else {
-            if (!npeers)
-                continue;
-            k = peers;
-            nadded = npeers;
-            tmp = strcpy_static(key, "net.allow_peer.", CONFIG_MAX);
-        }
-
-        for (int i = 0 ; i < nadded ; i++) {
-            struct graphene_net_rule * r = &rules[nrules];
-            char cfgbuf[CONFIG_MAX];
-
-            for (n = k ; *n ; n++);
-            int len = n - k;
-            memcpy(tmp, k, len + 1);
-            tmp[len] = 0;
-
-            ssize_t cfglen = get_config(config, key, cfgbuf, CONFIG_MAX);
-            if (cfglen <= 0)
-                goto next;
-
-            char * c = cfgbuf, * end = cfgbuf + cfglen;
-            char * addr = c, * num;
-            int addrlen;
-            r->family = AF_INET;
-
-            if (*c == '[') {
-                r->family = AF_INET6;
-                addr++;
-                for ( ; c < end && *c != ']' ; c++);
-                if (c == end)
-                    goto next;
-                addrlen = c - addr;
-                c++;
-                if (c == end || *c != ':')
-                    goto next;
-            } else {
-                for ( ; c < end && *c != ':' ; c++);
-                if (c == end)
-                    goto next;
-                addrlen = c - addr;
-            }
-            c++;
-
-            if (c == end)
-                goto next;
-
-            num = c;
-            for ( ; c < end && *c >= '0' && *c <= '9' ; c++);
-            if (c == num)
-                goto next;
-            r->addr.port_end = r->addr.port_begin = atoi(num);
-
-            if (c < end && *c == '-') {
-                num = (++c);
-                for ( ; c < end && *c >= '0' && *c <= '9' ; c++);
-                if (c == num)
-                    goto next;
-                r->addr.port_end = atoi(num);
-            }
-
-            if (r->family == AF_INET) {
-                if (!inet_pton4(addr, addrlen, &r->addr.addr))
-                    goto next;
-            } else {
-                if (!inet_pton6(addr, addrlen, &r->addr.addr))
-                    goto next;
-            }
-
-            nrules++;
-next:
-            k = n + 1;
-        }
-
-        if (t == 0)
-            *nbind_rules = nrules;
-    }
-
-    *net_rules = rules;
-    return nrules;
-}
-
-int ioctl_set_graphene (struct config_store * config, int ndefault,
-                        const struct graphene_user_policy * default_policies)
-{
-    int ro = GRAPHENE_FS_READ, rw = ro | GRAPHENE_FS_WRITE;
-    int ret = 0;
-    const char ** preload_paths = NULL;
-    const char ** fs_paths = NULL;
-    struct graphene_net_rule * net_rules = NULL;
-    int npreload = 0, nfs = 0, net = 0, bind_rules = 0;
-    int fd = -1;
-    int n = 0;
-
-    npreload = get_preload_paths(config, &preload_paths);
-    if (npreload < 0) {
-        ret = npreload;
-        goto out;
-    }
-
-    nfs = get_fs_paths(config, &fs_paths);
-    if (nfs < 0) {
-        ret = nfs;
-        goto out;
-    }
-
-    net = get_net_rules(config, &net_rules, &bind_rules);
-    if (net < 0) {
-        ret = net;
-        goto out;
-    }
-
-    struct graphene_policies * p =
-                __alloca(sizeof(struct graphene_policies) +
-                         sizeof(struct graphene_user_policy) *
-                         (ndefault + npreload + nfs + net));
-
-    memcpy(&p->policies[n], default_policies,
-           sizeof(struct graphene_user_policy) * ndefault);
-    n += ndefault;
-
-    for (int i = 0 ; i < npreload ; i++) {
-        p->policies[n].type = GRAPHENE_FS_PATH | ro;
-        p->policies[n].value = preload_paths[i];
-        n++;
-    }
-
-    for (int i = 0 ; i < nfs ; i++) {
-        p->policies[n].type = GRAPHENE_FS_PATH | GRAPHENE_FS_RECURSIVE | rw;
-        p->policies[n].value = fs_paths[i];
-        n++;
-    }
-
-    for (int i = 0 ; i < net ; i++) {
-        p->policies[n].type = GRAPHENE_NET_RULE;
-        if (i < bind_rules)
-            p->policies[n].type |= GRAPHENE_NET_BIND;
-        p->policies[n].value = &net_rules[i];
-        n++;
-    }
-
-    p->npolicies = n;
-
-    fd = INLINE_SYSCALL(open, 3, GRAPHENE_FILE, O_RDONLY, 0);
-    if (IS_ERR(fd)) {
-        ret = -ERRNO(fd);
-        goto out;
-    }
-
-    ret = INLINE_SYSCALL(ioctl, 3, fd, GRAPHENE_SET_TASK, p);
-    ret = IS_ERR(ret) ? -ERRNO(ret) : 0;
-
-out:
-    if (fd != -1)
-        INLINE_SYSCALL(close, 1, fd);
-
-    if (preload_paths) {
-        for (int i = 0 ; i < npreload ; i++)
-            free((void *) preload_paths[i]);
-        free(preload_paths);
-    }
-
-    if (fs_paths) {
-        for (int i = 0 ; i < nfs ; i++)
-            free((void *) fs_paths[i]);
-        free(fs_paths);
-    }
-
-    if (net_rules)
-        free(net_rules);
-
-    return ret;
-}

+ 0 - 9
Pal/src/security/Linux/pal-sec.map

@@ -1,9 +0,0 @@
-PAL {
-    global:
-        _r_debug;
-    local: *;
-};
-PAL_PRIVATE {
-    global:
-        _dl_debug_state;
-};

+ 0 - 69
Pal/src/security/Linux/printf.c

@@ -1,69 +0,0 @@
-// Implementation of cprintf console output for user environments,
-// based on printfmt() and the sys_cputs() system call.
-//
-// cprintf is a debugging statement, not a generic output statement.
-// It is very important that it always go to the console, especially when
-// debugging file descriptor code!
-
-#include <linux/unistd.h>
-#include "internal.h"
-
-// Collect up to PRINTBUF_SIZE characters into a buffer
-// and perform ONE system call to print all of them,
-// in order to make the lines output to the console atomic
-// and prevent interrupts from causing context switches
-// in the middle of a console output line and such.
-
-#define PRINTBUF_SIZE 64
-
-struct printbuf {
-	int idx;	// current buffer index
-	int cnt;	// total bytes printed so far
-	char buf[PRINTBUF_SIZE];
-};
-
-struct sprintbuf {
-	char *buf;
-	char *ebuf;
-	int cnt;
-};
-
-#define sys_cputs(fd, bf, cnt) INLINE_SYSCALL(write, 3, fd, bf, cnt)
-
-static int
-fputch(int fd, int ch, struct printbuf *b)
-{
-	b->buf[b->idx++] = ch;
-	if (b->idx == PRINTBUF_SIZE - 1) {
-		sys_cputs(fd, b->buf, b->idx);
-		b->idx = 0;
-	}
-	b->cnt++;
-	return 0;
-}
-
-static int
-vprintf(const char *fmt, va_list ap)
-{
-	struct printbuf b;
-
-	b.idx = 0;
-	b.cnt = 0;
-	vfprintfmt((void *) &fputch, (void *) 1, &b, fmt, ap);
-	sys_cputs(1, b.buf, b.idx);
-
-	return b.cnt;
-}
-
-int
-printf(const char *fmt, ...)
-{
-	va_list ap;
-	int cnt;
-
-	va_start(ap, fmt);
-	cnt = vprintf(fmt, ap);
-	va_end(ap);
-
-	return cnt;
-}

+ 1 - 53
README.md

@@ -35,8 +35,6 @@ Graphene Library OS is consist of five parts:
   - Instrumented GNU Library C
   - LibOS (a shared library named "libsysdb.so")
   - PAL, a.k.a Platform Adaption Layer (a shared library named "libpal.so")
-  - Reference monitor (a shared library named "libpal_sec.so")
-  - Minor kernel customization and kernel modules
 
 Graphene Library OS currently only works on x86_64 architecture.
 
@@ -73,36 +71,7 @@ To build with "-Werror", run "make WERROR=1".
 
 ### 2.1. BUILD WITH KERNEL-LEVEL SANDBOXING (OPTIONAL)
 
-__** Note: this step is optional. **__
-
-__** Note: for building with Intel:registered: SGX support, skip this step, go to section 2.2 **__
-
-__** Disclaimer: this feature is experimental and may contain bugs. Please do
-   no use in production system before further assessment.__
-
-To enable sandboxing, a customized Linux kernel is needed. Note that
-this feature is optional and completely unnecessary for running on SGX.
-To build the Graphene Linux kernel, do the following steps:
-
-    cd Pal/linux-3.19
-    make menuconfig
-    make
-    make install
-    (Add Graphene kernel as a boot option by commands like "update-grub")
-    (reboot and choose the Graphene kernel)
-
-Please note that the building process may pause before building the Linux
-kernel, because it requires you to provide a sensible configuration file
-(.config). The Graphene kernel requires the following options to be enabled
-in the configuration:
-
-  - CONFIG_GRAPHENE=y
-  - CONFIG_GRAPHENE_BULK_IPC=y
-  - CONFIG_GRAPHENE_ISOLATE=y
-
-For more details about the building and installation, see the Graphene github
-Wiki page: <https://github.com/oscarlab/graphene/wiki>.
-
+This feature is marked as EXPERIMENTAL and no longer exists in the mainstream code.
 
 ### 2.2 BUILD WITH INTEL:registered: SGX SUPPORT
 
@@ -211,27 +180,6 @@ specifying the programs and manifest files:
     [PATH TO MANIFEST]/[MANIFEST] [ARGUMENTS]...
     (Manifest must have "#![PATH_TO_PAL]/libpal.so" as the first line)
 
-Using "libpal.so" as loader to start Graphene will not attach the applications
-to the Graphene reference monitor. The applications will have better
-performance, but no strong security isolation. To attach the applications to
-the Graphene reference monitor, Graphene must be started with the PAL
-reference monitor loader (libpal_sec.so). Graphene provides three options for
-specifying the programs and manifest files to the loader:
-
-   - option 4: (automatic manifest - with reference monitor)
-
-    SEC=1 [PATH TO Runtime]/pal_loader [PROGRAM] [ARGUMENTS]...
-    (Manifest file: "[PROGRAM].manifest" or "manifest")
-
-   - option 5: (given manifest - with reference monitor)
-
-    SEC=1 [PATH TO Pal/src]/pal_loader [MANIFEST] [ARGUMENTS]...
-
-   - option 6: (manifest as a script - with reference monitor)
-
-    SEC=1 [PATH TO MANIFEST]/[MANIFEST] [ARGUMENTS]...
-    (Manifest must have "#![PATH TO Pal/src]/pal_sec" as the first line)
-
 Although manifest files are optional for Graphene, running an application
 usually requires some minimal configuration in its manifest file. A
 sensible manifest file will include paths to the library OS and GNU

+ 0 - 5
Runtime/pal_loader

@@ -41,11 +41,6 @@ if [ "$MEMUSG" == "1" ]; then
 	PREFIX="$RUNTIME_DIR/../Scripts/memusg"
 fi
 
-if [ "$SEC" == "1" ]; then
-	echo "Use reference monitor"
-	PAL_CMD=$RUNTIME_DIR/pal_sec-$PAL_HOST
-fi
-
 while [ "$1" != "" ];
 do
 	if [ "$MANIFEST" == "" ]; then