
bugfix: process forking in LibOS
experiment: make Apache, Lighttpd and GCC work with SGX

Chia-Che Tsai 7 anos atrás
pai
commit
c2c92723b9
53 arquivos alterados com 656 adições e 420 exclusões
  1. 4 3
      LibOS/shim/src/bookkeep/shim_vma.c
  2. 16 3
      LibOS/shim/src/shim_checkpoint.c
  3. 2 2
      LibOS/shim/src/shim_init.c
  4. 3 1
      LibOS/shim/src/shim_random.c
  5. 3 2
      LibOS/shim/test/apps/apache/Makefile
  6. 6 1
      LibOS/shim/test/apps/apache/httpd.manifest.template
  7. 10 23
      LibOS/shim/test/apps/gcc/Makefile
  8. 36 0
      LibOS/shim/test/apps/gcc/as.manifest.template
  9. 44 0
      LibOS/shim/test/apps/gcc/cc1.manifest.template
  10. 37 0
      LibOS/shim/test/apps/gcc/collect2.manifest.template
  11. 0 23
      LibOS/shim/test/apps/gcc/g++-huge.manifest.template
  12. 0 23
      LibOS/shim/test/apps/gcc/g++.manifest.template
  13. 0 23
      LibOS/shim/test/apps/gcc/gcc-huge.manifest.template
  14. 30 12
      LibOS/shim/test/apps/gcc/gcc.manifest.template
  15. 46 0
      LibOS/shim/test/apps/gcc/ld.manifest.template
  16. 0 0
      LibOS/shim/test/apps/gcc/test_files/gzip.c
  17. 0 0
      LibOS/shim/test/apps/gcc/test_files/helloworld.c
  18. 0 0
      LibOS/shim/test/apps/gcc/test_files/oggenc.m.c
  19. 0 0
      LibOS/shim/test/apps/gcc/test_files/single-gcc.c
  20. 1 1
      LibOS/shim/test/apps/lighttpd/Makefile
  21. 1 1
      LibOS/shim/test/apps/lighttpd/lighttpd.manifest.template
  22. 1 1
      LibOS/shim/test/apps/lmbench/Makefile.lmbench
  23. 1 1
      LibOS/shim/test/apps/lmbench/lmbench-2.5/src/bench.h
  24. 1 0
      LibOS/shim/test/apps/lmbench/manifest.template
  25. 3 9
      LibOS/shim/test/apps/lmbench/sh.manifest.template
  26. 9 1
      LibOS/shim/test/apps/make/Makefile
  27. 0 39
      LibOS/shim/test/apps/make/make-huge.manifest.template
  28. 19 24
      LibOS/shim/test/apps/make/make.manifest.template
  29. 3 0
      LibOS/shim/test/apps/pal_loader
  30. 4 4
      Pal/Makefile
  31. 222 0
      Pal/linux-3.19.patch
  32. 47 2
      Pal/linux-kernel/graphene/graphene.c
  33. 5 0
      Pal/linux-kernel/graphene/graphene.h
  34. 3 0
      Pal/src/host/Linux-SGX/db_files.c
  35. 8 5
      Pal/src/host/Linux-SGX/db_main.c
  36. 1 1
      Pal/src/host/Linux-SGX/db_pipes.c
  37. 4 2
      Pal/src/host/Linux-SGX/debugger/gdb
  38. 0 0
      Pal/src/host/Linux-SGX/debugger/pal-gdb.py
  39. 2 3
      Pal/src/host/Linux-SGX/ecall_types.h
  40. 3 3
      Pal/src/host/Linux-SGX/enclave_ecalls.c
  41. 18 5
      Pal/src/host/Linux-SGX/enclave_untrusted.c
  42. 1 7
      Pal/src/host/Linux-SGX/pal_security.h
  43. 3 4
      Pal/src/host/Linux-SGX/sgx_enclave.c
  44. 1 1
      Pal/src/host/Linux-SGX/sgx_enclave.h
  45. 3 142
      Pal/src/host/Linux-SGX/sgx_graphene.c
  46. 0 2
      Pal/src/host/Linux-SGX/sgx_internal.h
  47. 37 37
      Pal/src/host/Linux-SGX/sgx_main.c
  48. 1 1
      Pal/src/host/Linux-SGX/sgx_rtld.c
  49. 5 2
      Pal/src/host/Linux-SGX/signer/pal-sgx-sign
  50. 1 1
      Pal/src/host/Linux/db_pipes.c
  51. 1 1
      Pal/src/security/Linux/Makefile
  52. 2 2
      Pal/src/security/Linux/bpf-helper.h
  53. 8 2
      Pal/src/security/Linux/filter.c

+ 4 - 3
LibOS/shim/src/bookkeep/shim_vma.c

@@ -38,8 +38,7 @@
 
 unsigned long mem_max_npages __attribute_migratable = DEFAULT_MEM_MAX_NPAGES;
 
-static void * heap_top    __attribute_migratable;
-static void * heap_bottom __attribute_migratable;
+static void * heap_top, * heap_bottom;
 
 #define VMA_MGR_ALLOC   64
 #define PAGE_SIZE       allocsize
@@ -98,8 +97,10 @@ static void __set_heap_top (void * bottom, void * top);
 
 int init_vma (void)
 {
-    if (!(vma_mgr = create_mem_mgr(init_align_up(VMA_MGR_ALLOC))))
+    if (!(vma_mgr = create_mem_mgr(init_align_up(VMA_MGR_ALLOC)))) {
+        debug("failed allocating VMAs\n");
         return -ENOMEM;
+    }
 
     heap_bottom = (void *) PAL_CB(user_address.start);
     if (heap_bottom + DEFAULT_HEAP_MIN_SIZE > PAL_CB(executable_range.start) &&

+ 16 - 3
LibOS/shim/src/shim_checkpoint.c

@@ -1089,9 +1089,22 @@ int do_migration (struct newproc_cp_header * hdr, void ** cpptr)
 
         SAVE_PROFILE_INTERVAL(child_load_checkpoint_by_gipc);
     } else {
-        if (!(mapaddr = DkVirtualMemoryAlloc(mapaddr, mapsize, 0,
-                                             PAL_PROT_READ|PAL_PROT_WRITE)))
-            return -PAL_ERRNO;
+        void * mapped = NULL;
+
+        for (int tries = 3 ; tries ; tries--) {
+            if ((mapped = DkVirtualMemoryAlloc(mapaddr, mapsize, 0,
+                                               PAL_PROT_READ|PAL_PROT_WRITE)))
+                break;
+
+            debug("cannot map address %p-%p\n", mapaddr, mapaddr + mapsize);
+            ret =-PAL_ERRNO;
+            mapaddr = NULL;
+        }
+
+        if (!mapped)
+            return ret;
+
+        mapaddr = mapped;
     }
 
     bkeep_mmap((void *) mapaddr, mapsize,
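Review bot: The retry loop in the else branch clears `mapaddr` after the first failure, so the second and third passes issue the same `DkVirtualMemoryAlloc(NULL, mapsize, ...)` request. The third try only helps if the failure is transient, and two attempts (requested address, then any address) would state the intent more clearly. When the fallback succeeds the checkpoint sits at a different base than the one first requested, and the hunk does not show whether the rest of do_migration, which continues outside it, rebases addresses stored in the checkpoint. That should be confirmed and recorded in a comment above the loop. On later passes the debug line also prints a range that starts at NULL, because it runs after `mapaddr` was cleared.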

+ 2 - 2
LibOS/shim/src/shim_init.c

@@ -641,8 +641,7 @@ DEFINE_PROFILE_INTERVAL(init_signal,                init);
     do {                                                                \
         int _err = CALL_INIT(func, ##__VA_ARGS__);                      \
         if (_err < 0) {                                                 \
-            sys_printf("shim initialization failed in " #func " (%d)",  \
-                       _err);                                           \
+            debug("initialization failed in " #func " (%d)\n", _err);   \
             shim_terminate();                                           \
         }                                                               \
         SAVE_PROFILE_INTERVAL(func);                                    \
@@ -823,6 +822,7 @@ static int name_pipe (char * uri, size_t size, void * id)
     int len;
     if (getrand(&pipeid, sizeof(IDTYPE)) < sizeof(IDTYPE))
         return -EACCES;
+    debug("creating pipe: pipe.srv:%u\n", pipeid);
     if ((len = snprintf(uri, size, "pipe.srv:%u", pipeid)) == size)
         return -ERANGE;
     *((IDTYPE *) id) = pipeid;
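Review bot: In the init-call macro the fatal-path message moves from `sys_printf` to `debug`, so if `debug()` prints nothing when `loader.debug_type` is `none`, a failed initializer now reaches `shim_terminate()` silently. Keeping an unconditional line for this path, e.g. `sys_printf("shim initialization failed in " #func " (%d)\n", _err);`, would preserve the diagnostic. In name_pipe the added `debug("creating pipe: ...")` line records the identifier drawn from `getrand()`. If the unpredictability of the pipe name is relied on anywhere, the debug log becomes a second place where it is disclosed. Both the macro and name_pipe extend beyond the hunks shown.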

+ 3 - 1
LibOS/shim/src/shim_random.c

@@ -30,19 +30,21 @@
 #include <pal.h>
 
 static LOCKTYPE randgen_lock;
-static unsigned long randval __attribute_migratable;
+static unsigned long randval;
 
 int init_randgen (void)
 {
     if (DkRandomBitsRead (&randval, sizeof(randval)) < sizeof(randval))
         return -EACCES;
 
+    debug("initial random value: %08llx\n", randval);
     create_lock(randgen_lock);
     return 0;
 }
 
 int getrand (void * buffer, size_t size)
 {
+    unsigned long old_randval = randval;
     int bytes = 0;
     lock(randgen_lock);
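Review bot: The added `debug("initial random value: %08llx\n", randval);` in init_randgen writes the generator's initial state to the debug log. If later `getrand()` output is derived from `randval`, anyone who can read that log could reproduce it, so the value should be left out, e.g. `debug("random generator seeded\n");`. The format is also mismatched: `randval` is `unsigned long` while `%llx` expects `unsigned long long`, and `%08lx` is the matching specifier. In getrand, `old_randval = randval` is read before `lock(randgen_lock)`, so the snapshot can race with a concurrent update and should be taken after the lock. getrand's body continues outside the hunk, so how `old_randval` is used is not visible here.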
 

+ 3 - 2
LibOS/shim/test/apps/apache/Makefile

@@ -101,14 +101,15 @@ build-conf:
 </IfModule>\n" >> $(INSTALL_DIR)/conf/httpd.conf.new
 	cd $(INSTALL_DIR)/conf && ln -sf httpd.conf.new httpd.conf
 
+
 start-native-server:
 	@echo "Listen on $(HOST):$(PORT)"
-	$(PREFIX) $(INSTALL_DIR)/bin/httpd -D FOREGROUND -C "Listen $(HOST):$(PORT)" -C "PidFile logs/httpd-$(HOST)-$(PORT).pid"
+	$(PREFIX) $(INSTALL_DIR)/bin/httpd -D FOREGROUND -C "ServerName $(HOST)" -C "Listen $(HOST):$(PORT)" -C "PidFile logs/httpd-$(HOST)-$(PORT).pid"
 
 start-graphene-server:
 	rm -rf httpd-$(HOST)-$(PORT).pid
 	@echo "Listen on $(HOST):$(PORT)"
-	$(PREFIX) ../pal_loader $(INSTALL_DIR)/bin/httpd -D FOREGROUND -C "Listen $(HOST):$(PORT)" -C "PidFile logs/httpd-$(HOST)-$(PORT).pid"
+	$(PREFIX) ../pal_loader httpd.manifest.sgx -D FOREGROUND -C "ServerName $(HOST)" -C "Listen $(HOST):$(PORT)" -C "PidFile logs/httpd-$(HOST)-$(PORT).pid"
 
 random-data = $(foreach n,1 2 3 4 5 6 7 8 9 10,2K.$n.html) \
 	      $(foreach n,1 2 3 4 5,10K.$n.html) \

+ 6 - 1
LibOS/shim/test/apps/apache/httpd.manifest.template

@@ -23,13 +23,17 @@ fs.mount.cwd.path = $(PWD)
 fs.mount.cwd.uri = file:
 
 # allow to bind on port for listening
-net.rules.1 = $(HOST):$(PORT):0.0.0.0:0-65535
+net.allow_bind.1 = $(HOST):$(PORT)
 
 sgx.trusted_files.ld = file:$(LIBCDIR)/ld-linux-x86-64.so.2
 sgx.trusted_files.libc = file:$(LIBCDIR)/libc.so.6
 sgx.trusted_files.libdl = file:$(LIBCDIR)/libdl.so.2
 sgx.trusted_files.libm = file:$(LIBCDIR)/libm.so.6
 sgx.trusted_files.libpthread = file:$(LIBCDIR)/libpthread.so.0
+sgx.trusted_files.libnssdns = file:/lib/x86_64-linux-gnu/libnss_dns.so.2
+sgx.trusted_files.libnssfiles = file:/lib/x86_64-linux-gnu/libnss_files.so.2
+sgx.trusted_files.libnsscompact = file:/lib/x86_64-linux-gnu/libnss_compat.so.2
+sgx.trusted_files.libnssnis = file:/lib/x86_64-linux-gnu/libnss_nis.so.2
 sgx.trusted_files.libpcre = file:/lib/x86_64-linux-gnu/libpcre.so.3
 sgx.trusted_files.libapr = file:obj/lib/libapr-1.so.0
 sgx.trusted_files.libaprutil = file:obj/lib/libaprutil-1.so.0
@@ -39,6 +43,7 @@ sgx.trusted_files.libresolv = file:/lib/x86_64-linux-gnu/libresolv.so.2
 sgx.trusted_files.libxml2 = file:/usr/lib/x86_64-linux-gnu/libxml2.so.2
 sgx.trusted_files.libz = file:/lib/x86_64-linux-gnu/libz.so.1
 sgx.trusted_files.liblzma = file:/lib/x86_64-linux-gnu/liblzma.so.5
+sgx.trusted_files.libnsl = file:/lib/x86_64-linux-gnu/libnsl.so.1
 
 sgx.allowed_files.modules = file:obj/modules
 sgx.allowed_files.conf = file:obj/conf
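Review bot: The new `libnss_*` and `libnsl` entries are glibc components, yet they are taken from the host path `/lib/x86_64-linux-gnu` while `libc.so.6` and the other glibc libraries come from `$(LIBCDIR)`. This mixes the project-built glibc with host-built NSS modules inside one enclave, and if they should match, `file:$(LIBCDIR)/libnss_dns.so.2` and so on would be the consistent form. Which NSS modules glibc loads is decided by the host's nsswitch configuration, so a comment saying which of dns/files/compat/nis the server needs would help keep the trusted set minimal. The key `libnsscompact` is a misspelling for the `libnss_compat.so.2` entry and would read better as `sgx.trusted_files.libnsscompat`.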

+ 10 - 23
LibOS/shim/test/apps/gcc/Makefile

@@ -1,8 +1,16 @@
-exec_target = $(addsuffix .manifest,gcc g++ gcc-huge g++-huge)
+test_files = test_files
+
+exec_target = $(addsuffix .manifest,gcc as ld cc1 collect2)
 
 clean-extra = clean-garbages
 
-extra_rules = -e 's:\$$(PAL):../pal_loader:g'
+huge_rule = sys.stack.size = 64M\nsys.brk.size = 256M\nglibc.heap_size = 16M\nsgx.enclave_size = 2G
+
+extra_rules = \
+	-e 's:\$$(PAL):../pal_loader:g' \
+	-e 's:\$$(DEBUGTYPE):$(if $(DEBUG),inline,none):g' \
+	-e 's:\$$(GCCDIR):$(patsubst %/cc1,%,$(shell gcc -print-file-name=cc1)):g' \
+	-e 's:\$$(HUGERULE):$(if $(HUGE),$(huge_rule),):g'
 
 level = ../../
 include ../../Makefile
@@ -86,27 +94,6 @@ src/$(MPC_SRC): $(MPC_SRC).tar.gz src
 src:
 	mkdir -p src
 
-test-native:
-	echo "Result for helloworld(native)" >> result
-	/usr/bin/time -a -o result -p gcc helloworld.c
-	echo "Result for gzip.c(native)" >> result
-	/usr/bin/time -a -o result -p gcc gzip.c
-	echo "Result for oggenc.m.c(native)" >> result
-	/usr/bin/time -a -o result -p gcc oggenc.m.c -lm
-	echo "Result for single-gcc.c(native)" >> result
-	/usr/bin/time -a -o result -p gcc single-gcc.c
-
-
-test-graphene:
-	echo "Result for helloworld(graphene)" >> result
-	/usr/bin/time -a -o result -p ./gcc.manifest helloworld.c
-	echo "Result for gzip.c(graphene)" >> result
-	/usr/bin/time -a -o result -p ./gcc-huge.manifest gzip.c
-	echo "Result for oggenc.m.c(graphene)" >> result
-	/usr/bin/time -a -o result -p ./gcc-huge.manifest oggenc.m.c -lm
-	echo "Result for single-gcc.c(graphene)" >> result
-	/usr/bin/time -a -o result -p ./gcc-huge.manifest single-gcc.c
-
 distclean: clean
 	rm -rf src obj
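Review bot: The `$(GCCDIR)` substitution in `extra_rules` has no check that `gcc -print-file-name=cc1` returned a real path. When gcc cannot locate cc1 it prints the bare name, `$(patsubst %/cc1,%,...)` leaves it unchanged, and the templates are generated with `file:cc1/cc1` and similar paths. A guard such as `$(if $(findstring /,$(GCCDIR)),,$(error cannot locate cc1))` on a variable holding the result would fail early instead. The result is also spliced into a `sed` expression that uses `:` as its delimiter, so an install prefix containing `:` would break the rule. `test_files = test_files` is defined but not used in the lines shown, and with `test-native` and `test-graphene` removed the hunk no longer shows how the moved sources are compiled.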
 

+ 36 - 0
LibOS/shim/test/apps/gcc/as.manifest.template

@@ -0,0 +1,36 @@
+#!$(PAL)
+
+loader.preload = file:$(SHIMPATH)
+loader.exec = file:/usr/bin/as
+loader.execname = /usr/bin/as
+loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
+loader.env.PATH = /bin:/usr/bin
+loader.debug_type = $(DEBUGTYPE)
+
+fs.mount.lib1.type = chroot
+fs.mount.lib1.path = /lib
+fs.mount.lib1.uri = file:$(LIBCDIR)
+
+fs.mount.lib2.type = chroot
+fs.mount.lib2.path = /lib/x86_64-linux-gnu
+fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
+
+fs.mount.usr.type = chroot
+fs.mount.usr.path = /usr
+fs.mount.usr.uri = file:/usr
+
+fs.mount.tmp.type = chroot
+fs.mount.tmp.path = /tmp
+fs.mount.tmp.uri = file:/tmp
+
+sgx.trusted_files.ld = file:$(LIBCDIR)/ld-linux-x86-64.so.2
+sgx.trusted_files.libc = file:$(LIBCDIR)/libc.so.6
+sgx.trusted_files.libdl = file:$(LIBCDIR)/libdl.so.2
+sgx.trusted_files.libm = file:$(LIBCDIR)/libm.so.6
+sgx.trusted_files.libpthread = file:$(LIBCDIR)/libpthread.so.0
+sgx.trusted_files.libz = file:/lib/x86_64-linux-gnu/libz.so.1
+sgx.trusted_files.libopcodes = file:/usr/lib/libopcodes-2.24-system.so
+sgx.trusted_files.libbfd = file:/usr/lib/libbfd-2.24-system.so
+
+sgx.allowed_files.tmp = file:/tmp
+sgx.allowed_files.test_files = file:test_files
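Review bot: `sgx.allowed_files.tmp = file:/tmp` and `sgx.allowed_files.test_files = file:test_files` leave the tool's inputs and intermediates unverified, assuming allowed files are opened without the hash check that `sgx.trusted_files` entries get. The same two lines appear in the cc1, collect2, gcc and ld templates in this commit. The tools pass assembly and object files to one another through `/tmp`, so the host can change the data between enclaves even though each tool binary is listed in `sgx.trusted_children`. For an experiment that may be acceptable, but a header comment such as `# NOTE: /tmp and test_files are not integrity-protected; compiler output is only as trustworthy as the host` would keep the limitation visible.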

+ 44 - 0
LibOS/shim/test/apps/gcc/cc1.manifest.template

@@ -0,0 +1,44 @@
+#!$(PAL)
+
+loader.preload = file:$(SHIMPATH)
+loader.exec = file:$(GCCDIR)/cc1
+loader.execname = cc1
+loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
+loader.env.PATH = /bin:/usr/bin
+loader.debug_type = $(DEBUGTYPE)
+
+fs.mount.lib1.type = chroot
+fs.mount.lib1.path = /lib
+fs.mount.lib1.uri = file:$(LIBCDIR)
+
+fs.mount.lib2.type = chroot
+fs.mount.lib2.path = /lib/x86_64-linux-gnu
+fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
+
+fs.mount.usr.type = chroot
+fs.mount.usr.path = /usr
+fs.mount.usr.uri = file:/usr
+
+fs.mount.tmp.type = chroot
+fs.mount.tmp.path = /tmp
+fs.mount.tmp.uri = file:/tmp
+
+$(HUGERULE)
+
+sgx.trusted_files.ld = file:$(LIBCDIR)/ld-linux-x86-64.so.2
+sgx.trusted_files.libc = file:$(LIBCDIR)/libc.so.6
+sgx.trusted_files.libdl = file:$(LIBCDIR)/libdl.so.2
+sgx.trusted_files.libm = file:$(LIBCDIR)/libm.so.6
+sgx.trusted_files.libz = file:/lib/x86_64-linux-gnu/libz.so.1
+sgx.trusted_files.libpthread = file:$(LIBCDIR)/libpthread.so.0
+sgx.trusted_files.cloog = file:/usr/lib/x86_64-linux-gnu/libcloog-isl.so.4
+sgx.trusted_files.isl = file:/usr/lib/x86_64-linux-gnu/libisl.so.10
+sgx.trusted_files.mpc = file:/usr/lib/x86_64-linux-gnu/libmpc.so.3
+sgx.trusted_files.mpfr = file:/usr/lib/x86_64-linux-gnu/libmpfr.so.4
+sgx.trusted_files.gmp = file:/usr/lib/x86_64-linux-gnu/libgmp.so.10
+
+sgx.allowed_files.tmp = file:/tmp
+sgx.allowed_files.test_files = file:test_files
+sgx.allowed_files.inc = file:/usr/include
+sgx.allowed_files.gccinc = file:$(GCCDIR)/include
+sgx.allowed_files.gccincfixed = file:$(GCCDIR)/include-fixed

+ 37 - 0
LibOS/shim/test/apps/gcc/collect2.manifest.template

@@ -0,0 +1,37 @@
+#!$(PAL)
+
+loader.preload = file:$(SHIMPATH)
+loader.exec = file:$(GCCDIR)/collect2
+loader.execname = collect2
+loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
+loader.env.PATH = /bin:/usr/bin
+loader.debug_type = $(DEBUGTYPE)
+
+fs.mount.lib1.type = chroot
+fs.mount.lib1.path = /lib
+fs.mount.lib1.uri = file:$(LIBCDIR)
+
+fs.mount.lib2.type = chroot
+fs.mount.lib2.path = /lib/x86_64-linux-gnu
+fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
+
+fs.mount.usr.type = chroot
+fs.mount.usr.path = /usr
+fs.mount.usr.uri = file:/usr
+
+fs.mount.tmp.type = chroot
+fs.mount.tmp.path = /tmp
+fs.mount.tmp.uri = file:/tmp
+
+sgx.trusted_files.ld = file:$(LIBCDIR)/ld-linux-x86-64.so.2
+sgx.trusted_files.libc = file:$(LIBCDIR)/libc.so.6
+sgx.trusted_files.libdl = file:$(LIBCDIR)/libdl.so.2
+sgx.trusted_files.libm = file:$(LIBCDIR)/libm.so.6
+sgx.trusted_files.libpthread = file:$(LIBCDIR)/libpthread.so.0
+
+sgx.trusted_files.linker = file:/usr/bin/ld
+
+sgx.allowed_files.tmp = file:/tmp
+sgx.allowed_files.test_files = file:test_files
+
+sgx.trusted_children.linker = file:ld.sig

+ 0 - 23
LibOS/shim/test/apps/gcc/g++-huge.manifest.template

@@ -1,23 +0,0 @@
-#!$(PAL)
-
-loader.preload = file:$(SHIMPATH)
-loader.exec = file:/usr/bin/g++
-loader.execname = /usr/bin/g++
-loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
-loader.env.PATH = /bin:/usr/bin
-loader.debug_type = none
-
-fs.mount.lib1.type = chroot
-fs.mount.lib1.path = /lib
-fs.mount.lib1.uri = file:$(LIBCDIR)
-
-fs.mount.lib2.type = chroot
-fs.mount.lib2.path = /lib/x86_64-linux-gnu
-fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
-
-fs.mount.usr.type = chroot
-fs.mount.usr.path = /usr
-fs.mount.usr.uri = file:/usr
-
-sys.stack.size = 64MB
-sys.brk.size = 256MB

+ 0 - 23
LibOS/shim/test/apps/gcc/g++.manifest.template

@@ -1,23 +0,0 @@
-#!$(PAL)
-
-loader.preload = file:$(SHIMPATH)
-loader.exec = file:/usr/bin/g++
-loader.execname = /usr/bin/g++
-loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
-loader.env.PATH = /bin:/usr/bin
-loader.debug_type = none
-
-fs.mount.root.type = chroot
-fs.mount.root.uri = file:
-
-fs.mount.other.lib1.type = chroot
-fs.mount.other.lib1.path = /lib
-fs.mount.other.lib1.uri = file:$(GLIBCDIR)
-
-fs.mount.other.lib2.type = chroot
-fs.mount.other.lib2.path = /lib/x86_64-linux-gnu
-fs.mount.other.lib2.uri = file:/lib/x86_64-linux-gnu
-
-fs.mount.other.usr.type = chroot
-fs.mount.other.usr.path = /usr
-fs.mount.other.usr.uri = file:/usr

+ 0 - 23
LibOS/shim/test/apps/gcc/gcc-huge.manifest.template

@@ -1,23 +0,0 @@
-#!$(PAL)
-
-loader.preload = file:$(SHIMPATH)
-loader.exec = file:/usr/bin/gcc
-loader.execname = /usr/bin/gcc
-loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
-loader.env.PATH = /bin:/usr/bin
-loader.debug_type = none
-
-fs.mount.lib1.type = chroot
-fs.mount.lib1.path = /lib
-fs.mount.lib1.uri = file:$(LIBCDIR)
-
-fs.mount.lib2.type = chroot
-fs.mount.lib2.path = /lib/x86_64-linux-gnu
-fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
-
-fs.mount.usr.type = chroot
-fs.mount.usr.path = /usr
-fs.mount.usr.uri = file:/usr
-
-sys.stack.size = 64MB
-sys.brk.size = 256MB

+ 30 - 12
LibOS/shim/test/apps/gcc/gcc.manifest.template

@@ -5,19 +5,37 @@ loader.exec = file:/usr/bin/gcc
 loader.execname = /usr/bin/gcc
 loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
 loader.env.PATH = /bin:/usr/bin
-loader.debug_type = none
+loader.debug_type = $(DEBUGTYPE)
 
-fs.mount.root.type = chroot
-fs.mount.root.uri = file:
+fs.mount.lib1.type = chroot
+fs.mount.lib1.path = /lib
+fs.mount.lib1.uri = file:$(LIBCDIR)
 
-fs.mount.other.lib1.type = chroot
-fs.mount.other.lib1.path = /lib
-fs.mount.other.lib1.uri = file:$(GLIBCDIR)
+fs.mount.lib2.type = chroot
+fs.mount.lib2.path = /lib/x86_64-linux-gnu
+fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
 
-fs.mount.other.lib2.type = chroot
-fs.mount.other.lib2.path = /lib/x86_64-linux-gnu
-fs.mount.other.lib2.uri = file:/lib/x86_64-linux-gnu
+fs.mount.usr.type = chroot
+fs.mount.usr.path = /usr
+fs.mount.usr.uri = file:/usr
 
-fs.mount.other.usr.type = chroot
-fs.mount.other.usr.path = /usr
-fs.mount.other.usr.uri = file:/usr
+fs.mount.tmp.type = chroot
+fs.mount.tmp.path = /tmp
+fs.mount.tmp.uri = file:/tmp
+
+sgx.trusted_files.ld = file:$(LIBCDIR)/ld-linux-x86-64.so.2
+sgx.trusted_files.libc = file:$(LIBCDIR)/libc.so.6
+sgx.trusted_files.libdl = file:$(LIBCDIR)/libdl.so.2
+sgx.trusted_files.libm = file:$(LIBCDIR)/libm.so.6
+sgx.trusted_files.libpthread = file:$(LIBCDIR)/libpthread.so.0
+
+sgx.trusted_files.cc1 = file:$(GCCDIR)/cc1
+sgx.trusted_files.collect2 = file:$(GCCDIR)/collect2
+sgx.trusted_files.as = file:/usr/bin/as
+
+sgx.allowed_files.tmp = file:/tmp
+sgx.allowed_files.test_files = file:test_files
+
+sgx.trusted_children.cc1 = file:cc1.sig
+sgx.trusted_children.collect2 = file:collect2.sig
+sgx.trusted_children.as = file:as.sig

+ 46 - 0
LibOS/shim/test/apps/gcc/ld.manifest.template

@@ -0,0 +1,46 @@
+#!$(PAL)
+
+loader.preload = file:$(SHIMPATH)
+loader.exec = file:/usr/bin/ld
+loader.execname = /usr/bin/ld
+loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
+loader.env.PATH = /bin:/usr/bin
+loader.debug_type = $(DEBUGTYPE)
+
+fs.mount.lib1.type = chroot
+fs.mount.lib1.path = /lib
+fs.mount.lib1.uri = file:$(LIBCDIR)
+
+fs.mount.lib2.type = chroot
+fs.mount.lib2.path = /lib/x86_64-linux-gnu
+fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
+
+fs.mount.usr.type = chroot
+fs.mount.usr.path = /usr
+fs.mount.usr.uri = file:/usr
+
+fs.mount.tmp.type = chroot
+fs.mount.tmp.path = /tmp
+fs.mount.tmp.uri = file:/tmp
+
+sgx.enclave_size = 512M
+
+sgx.trusted_files.ld = file:$(LIBCDIR)/ld-linux-x86-64.so.2
+sgx.trusted_files.libc = file:$(LIBCDIR)/libc.so.6
+sgx.trusted_files.libdl = file:$(LIBCDIR)/libdl.so.2
+sgx.trusted_files.libm = file:$(LIBCDIR)/libm.so.6
+sgx.trusted_files.libpthread = file:$(LIBCDIR)/libpthread.so.0
+sgx.trusted_files.libz = file:/lib/x86_64-linux-gnu/libz.so.1
+sgx.trusted_files.libbfd = file:/usr/lib/libbfd-2.24-system.so
+sgx.trusted_files.libgcc = file:$(GCCDIR)/libgcc_s.so
+sgx.trusted_files.libgcca = file:$(GCCDIR)/libgcc.a
+sgx.trusted_files.crtend = file:$(GCCDIR)/crtend.o
+sgx.trusted_files.crtbegin = file:$(GCCDIR)/crtbegin.o
+
+sgx.allowed_files.tmp = file:/tmp
+sgx.allowed_files.test_files = file:test_files
+sgx.allowed_files.aout = file:a.out
+
+sgx.allowed_files.hostdebug = file:/usr/lib/debug/usr/lib/x86_64-linux-gnu
+sgx.allowed_files.hostusrlib = file:/usr/lib/x86_64-linux-gnu
+sgx.allowed_files.hostlib = file:/lib/x86_64-linux-gnu
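Review bot: The three `sgx.allowed_files.host*` entries open whole host library directories to the linker instead of listing individual objects under `sgx.trusted_files`. The startup objects and libraries linked into `a.out` from `/usr/lib/x86_64-linux-gnu` and `/lib/x86_64-linux-gnu` are therefore presumably not checked against the signed manifest. Listing the files the link step needs as trusted, as is already done for `crtbegin.o`, `crtend.o` and `libgcc`, would narrow that. The `hostdebug` entry looks like a debugging leftover and can go if ld does not read `/usr/lib/debug`. cc1's `sgx.allowed_files.inc`, `gccinc` and `gccincfixed` follow the same directory-wide pattern for headers.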

+ 0 - 0
LibOS/shim/test/apps/gcc/gzip.c → LibOS/shim/test/apps/gcc/test_files/gzip.c


+ 0 - 0
LibOS/shim/test/apps/gcc/helloworld.c → LibOS/shim/test/apps/gcc/test_files/helloworld.c


+ 0 - 0
LibOS/shim/test/apps/gcc/oggenc.m.c → LibOS/shim/test/apps/gcc/test_files/oggenc.m.c


+ 0 - 0
LibOS/shim/test/apps/gcc/single-gcc.c → LibOS/shim/test/apps/gcc/test_files/single-gcc.c


+ 1 - 1
LibOS/shim/test/apps/lighttpd/Makefile

@@ -55,7 +55,7 @@ start-multithreaded-native-server:
                 $(if $(CONF),$(CONF),lighttpd-multithreaded.conf)
 
 start-graphene-server:
-	$(PREFIX) ../pal_loader build/sbin/lighttpd -D -m /lighttpd -f \
+	$(PREFIX) ./lighttpd.manifest.sgx -D -m /lighttpd -f \
 		$(if $(CONF),$(CONF),lighttpd.conf)
 
 start-multithreaded-graphene-server:

+ 1 - 1
LibOS/shim/test/apps/lighttpd/lighttpd.manifest.template

@@ -26,7 +26,7 @@ fs.mount.tmp.path = /tmp
 fs.mount.tmp.uri = file:/tmp
 
 # allow to bind on port for listening
-net.rules.1 = $(HOST):$(PORT):0.0.0.0:0-65535
+net.allow_bind.1 = $(HOST):$(PORT)
 
 sys.stack.size = 256K
 sys.brk.size = 4M

+ 1 - 1
LibOS/shim/test/apps/lmbench/Makefile.lmbench

@@ -4,7 +4,7 @@ lmbench_tests = lat_syscall lat_connect lat_fcntl \
 		lat_tcp lat_udp lat_unix_connect lat_pagefault \
 		bw_tcp bw_mem bw_unix lat_proc lat_ctx lat_rpc \
 		lat_unix lat_sig lat_http lat_pipe \
-		bw_pipe bw_file_rd bw_mmap_rd lmhttp lmdd
+		bw_pipe bw_file_rd bw_mmap_rd lmhttp lmdd sh.manifest
 
 exec_target = $(lmbench_tests)
 target = $(lmbench_tests) $(manifests) pal_loader

+ 1 - 1
LibOS/shim/test/apps/lmbench/lmbench-2.5/src/bench.h

@@ -155,7 +155,7 @@ int getbenchtimeofday(struct timeval *tv);
 #define	LONGER		 7500000	/* for networking data transfers */
 #define	ENOUGH		REAL_SHORT
 
-#define	TRIES		60
+#define	TRIES		10
 
 typedef struct {
 	int	N;

+ 1 - 0
LibOS/shim/test/apps/lmbench/manifest.template

@@ -40,4 +40,5 @@ sgx.allowed_files.tmp1 = file:/tmp
 sgx.allowed_files.tmp2 = file:/var/tmp
 sgx.allowed_files.inc = file:/usr/include/x86_64-linux-gnu/sys/types.h
 
+sgx.trusted_children.hello = file:hello.sig
 sgx.trusted_children.sh = file:sh.sig

+ 3 - 9
LibOS/shim/test/apps/lmbench/sh.manifest.template

@@ -1,7 +1,7 @@
 loader.preload = file:$(SHIMPATH)
 loader.exec = file:/bin/sh
 loader.env.LD_LIBRARY_PATH = /lib:/lib64
-loader.debug_type = none
+loader.debug_type = inline
 
 fs.mount.tmp1.type = chroot
 fs.mount.tmp1.path = /tmp
@@ -15,14 +15,6 @@ fs.mount.lib.type = chroot
 fs.mount.lib.path = /lib
 fs.mount.lib.uri = file:$(LIBCDIR)
 
-fs.mount.inc.type = chroot
-fs.mount.inc.path = /usr/include/x86_64-linux-gnu/sys/types.h
-fs.mount.inc.uri = file:/usr/include/x86_64-linux-gnu/sys/types.h
-
-net.allow_bind.1 = 0.0.0.0:31233-31237
-net.allow_bind.2 = 0.0.0.0:34297-34298
-net.allow_peer.1 = 127.0.0.1:0-65535
-
 sys.brk.size = 32M
 sys.stack.size = 4M
 
@@ -31,3 +23,5 @@ sgx.trusted_files.libc = file:$(LIBCDIR)/libc.so.6
 sgx.trusted_files.libdl = file:$(LIBCDIR)/libdl.so.2
 sgx.trusted_files.libm = file:$(LIBCDIR)/libm.so.6
 sgx.trusted_files.libpthread = file:$(LIBCDIR)/libpthread.so.0
+
+sgx.trusted_children.hello = file:hello.sig
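Review bot: `loader.debug_type = inline` is hard-coded here, while the gcc and make templates in this commit switch to the `$(DEBUGTYPE)` placeholder that their Makefiles fill from `DEBUG`. As written, every lmbench shell run emits inline debug output, which skews the measurements and, with the debug line added to init_randgen in shim_random.c, puts the initial random value in that output. Using `loader.debug_type = $(DEBUGTYPE)` with a matching substitution in the lmbench Makefile, or restoring `none`, would keep it opt-in. The removed `net.allow_bind` and `net.allow_peer` rules are not replaced, so it is worth confirming that no networked test still starts through this manifest.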

+ 9 - 1
LibOS/shim/test/apps/make/Makefile

@@ -1,4 +1,4 @@
-manifests = make.manifest make-huge.manifest
+manifests = make.manifest
 
 graphene_dirs = LibOS/shim/src LibOS/shim/include Pal/lib Pal/include Pal/src
 graphene_target = $(addprefix graphene/,$(graphene_dirs))
@@ -9,6 +9,14 @@ exec_target = $(manifests)
 
 clean-extra = clean-tests
 
+huge_rule = sys.stack.size = 64M\nsys.brk.size = 256M\nglibc.heap_size = 16M\nsgx.enclave_size = 2G
+
+extra_rules = \
+	-e 's:\$$(PAL):../pal_loader:g' \
+	-e 's:\$$(DEBUGTYPE):$(if $(DEBUG),inline,none):g' \
+	-e 's:\$$(GCCDIR):$(patsubst %/cc1,%,$(shell gcc -print-file-name=cc1)):g' \
+	-e 's:\$$(HUGERULE):$(if $(HUGE),$(huge_rule),):g'
+
 level = ../../
 include ../../Makefile
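Review bot: The make.manifest.template hunk in this commit contains no `$(HUGERULE)` or `$(GCCDIR)` placeholder, so two of the four `sed` expressions added here appear to have nothing to replace. `HUGE=1` would then not bring back the larger `sys.brk.size` that the deleted make-huge.manifest.template used to set. Either add a `$(HUGERULE)` line to make.manifest.template or drop the unused rules. The `huge_rule` and `extra_rules` block is also copied verbatim from LibOS/shim/test/apps/gcc/Makefile, and moving it into the shared `../../Makefile` would keep the two from drifting apart.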
 

+ 0 - 39
LibOS/shim/test/apps/make/make-huge.manifest.template

@@ -1,39 +0,0 @@
-#!$(PAL)
-
-loader.preload = file:$(SHIMPATH)
-loader.exec = file:/usr/bin/make
-loader.execname = make
-loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
-loader.env.PATH = /bin:/usr/bin
-loader.debug_type = none
-
-fs.start_dir = $(PWD)
-
-fs.mount.root.type = chroot
-fs.mount.root.uri = file:
-
-fs.mount.other.lib1.type = chroot
-fs.mount.other.lib1.path = /lib
-fs.mount.other.lib1.uri = file:$(GLIBCDIR)
-
-fs.mount.other.lib2.type = chroot
-fs.mount.other.lib2.path = /lib/x86_64-linux-gnu
-fs.mount.other.lib2.uri = file:/lib/x86_64-linux-gnu
-
-fs.mount.other.bin.type = chroot
-fs.mount.other.bin.path = /bin
-fs.mount.other.bin.uri = file:/bin
-
-fs.mount.other.usr.type = chroot
-fs.mount.other.usr.path = /usr
-fs.mount.other.usr.uri = file:/usr
-
-fs.mount.other.tmp.type = chroot
-fs.mount.other.tmp.path = /tmp
-fs.mount.other.tmp.uri = file:/tmp
-
-fs.mount.other.pwd.type = chroot
-fs.mount.other.pwd.path = $(PWD)
-fs.mount.other.pwd.uri = file:
-
-sys.brk.size = 16777216   # 16MB

+ 19 - 24
LibOS/shim/test/apps/make/make.manifest.template

@@ -5,35 +5,30 @@ loader.exec = file:/usr/bin/make
 loader.execname = make
 loader.env.LD_LIBRARY_PATH = /lib:/lib/x86_64-linux-gnu:/usr/lib:/usr/lib/x86_64-linux-gnu
 loader.env.PATH = /bin:/usr/bin
-loader.debug_type = none
+loader.debug_type = $(DEBUGTYPE)
 
 fs.start_dir = $(PWD)
 
-fs.mount.root.type = chroot
-fs.mount.root.uri = file:
+fs.mount.lib1.type = chroot
+fs.mount.lib1.path = /lib
+fs.mount.lib1.uri = file:$(LIBCDIR)
 
-fs.mount.other.lib1.type = chroot
-fs.mount.other.lib1.path = /lib
-fs.mount.other.lib1.uri = file:$(GLIBCDIR)
+fs.mount.lib2.type = chroot
+fs.mount.lib2.path = /lib/x86_64-linux-gnu
+fs.mount.lib2.uri = file:/lib/x86_64-linux-gnu
 
-fs.mount.other.lib2.type = chroot
-fs.mount.other.lib2.path = /lib/x86_64-linux-gnu
-fs.mount.other.lib2.uri = file:/lib/x86_64-linux-gnu
+fs.mount.bin.type = chroot
+fs.mount.bin.path = /bin
+fs.mount.bin.uri = file:/bin
 
-fs.mount.other.bin.type = chroot
-fs.mount.other.bin.path = /bin
-fs.mount.other.bin.uri = file:/bin
+fs.mount.usr.type = chroot
+fs.mount.usr.path = /usr
+fs.mount.usr.uri = file:/usr
 
-fs.mount.other.usr.type = chroot
-fs.mount.other.usr.path = /usr
-fs.mount.other.usr.uri = file:/usr
+fs.mount.tmp.type = chroot
+fs.mount.tmp.path = /tmp
+fs.mount.tmp.uri = file:/tmp
 
-fs.mount.other.tmp.type = chroot
-fs.mount.other.tmp.path = /tmp
-fs.mount.other.tmp.uri = file:/tmp
-
-fs.mount.other.pwd.type = chroot
-fs.mount.other.pwd.path = $(PWD)
-fs.mount.other.pwd.uri = file:$(PWD)
-
-sys.brk.size = 524288   # 512KB
+fs.mount.pwd.type = chroot
+fs.mount.pwd.path = $(PWD)
+fs.mount.pwd.uri = file:$(PWD)

+ 3 - 0
LibOS/shim/test/apps/pal_loader

@@ -18,6 +18,7 @@ if [ "$GDB" != "" ] && [ "$GDB" != "0" ]; then
 fi
 
 if [ "$SEC" == "1" ]; then
+	echo "Use reference monitor"
 	PAL_CMD=$PAL_SEC
 fi
 
@@ -49,4 +50,6 @@ if [ ! -f "$PAL_CMD" ]; then
 	exit 1
 fi
 
+set -x
+
 exec $GDB_CMD $PAL_CMD $MANIFEST "$@"
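Review bot: The unconditional `set -x` before `exec` and the `echo "Use reference monitor"` on stdout look like debugging leftovers. Every launch now traces the final command line to stderr, and the echo mixes loader text into the application's stdout, which matters for tests and benchmarks that parse output. Gating the trace, e.g. `[ "$PAL_TRACE" = "1" ] && set -x`, and sending the message to stderr with `echo "Use reference monitor" >&2` would keep the default run clean. `PAL_TRACE` is a placeholder name, not a variable this script already defines.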

+ 4 - 4
Pal/Makefile

@@ -8,7 +8,7 @@ endif
 
 ifeq ($(OS),Linux)
 	LINUX_GEN := 3.x
-	LINUX_SRC := linux-3.14
+	LINUX_SRC := linux-3.19
 	LINUX_KERNEL := $(LINUX_SRC)/arch/x86/boot/bzImage
 endif
 
@@ -26,8 +26,8 @@ install:
 	[ -f ../Runtime/pal ] || ln -sf ../Pal/src/pal ../Runtime/pal
 	[ -f ../Runtime/pal_sec ] || ln -sf ../Pal/src/pal_sec ../Runtime/pal_sec
 
-.PHONY: kernel
-kernel: $(LINUX_KERNEL)
+.PHONY: linux-kernel
+linux-kernel: $(LINUX_KERNEL)
 
 ifneq ($(LINUX_KERNEL),)
 $(LINUX_KERNEL): $(LINUX_SRC)/Makefile $(LINUX_SRC)/graphene $(LINUX_SRC)/.config
@@ -55,7 +55,7 @@ linux-deb:
 	cd $(LINUX_SRC) && \
 	CONCURRENCY_LEVEL=$(NPROCS) make-kpkg --rootcmd fakeroot \
 		--append-to-version -graphene --initrd \
-		kernel_image kernel_debug kernel_headers
+		kernel_image kernel_headers $(if $(DEBUG),kernel_debug,)
 else
 kernel_install:
 endif

+ 222 - 0
Pal/linux-3.19.patch

@@ -0,0 +1,222 @@
+diff --git a/Kconfig b/Kconfig
+index c13f48d..e18713e 100644
+--- a/Kconfig
++++ b/Kconfig
+@@ -9,3 +9,4 @@ config SRCARCH
+ 	option env="SRCARCH"
+ 
+ source "arch/$SRCARCH/Kconfig"
++source "graphene/Kconfig"
+diff --git a/Makefile b/Makefile
+index e5ac8a6..116ac82 100644
+--- a/Makefile
++++ b/Makefile
+@@ -779,7 +779,7 @@ export mod_sign_cmd
+ 
+ 
+ ifeq ($(KBUILD_EXTMOD),)
+-core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/
++core-y		+= kernel/ mm/ fs/ ipc/ security/ crypto/ block/ graphene/
+ 
+ vmlinux-dirs	:= $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
+ 		     $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
+diff --git a/include/linux/miscdevice.h b/include/linux/miscdevice.h
+index 3737f72..f7a4aba 100644
+--- a/include/linux/miscdevice.h
++++ b/include/linux/miscdevice.h
+@@ -3,6 +3,7 @@
+ #include <linux/major.h>
+ #include <linux/list.h>
+ #include <linux/types.h>
++#include <../graphene/graphene.h>
+ 
+ /*
+  *	These allocations are managed by device@lanana.org. If you use an
+diff --git a/include/linux/sched.h b/include/linux/sched.h
+index a781dec..3381137 100644
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -1161,6 +1161,11 @@ enum perf_event_task_context {
+ 	perf_nr_task_contexts,
+ };
+ 
++#ifdef CONFIG_GRAPHENE
++# include <../graphene/graphene.h>
++struct graphene_struct;
++#endif
++
+ struct task_struct {
+ 	volatile long state;	/* -1 unrunnable, 0 runnable, >0 stopped */
+ 	void *stack;
+@@ -1581,6 +1586,11 @@ struct task_struct {
+ 	unsigned int	sequential_io;
+ 	unsigned int	sequential_io_avg;
+ #endif
++
++#ifdef CONFIG_GRAPHENE
++	/* for graphene tasks */
++	struct graphene_struct *graphene; /* structure to store graphene info */
++#endif
+ };
+ 
+ /* Future-safe accessor for struct task_struct's cpus_allowed. */
+diff --git a/kernel/fork.c b/kernel/fork.c
+index a17621c..41d5958 100644
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -11,6 +11,7 @@
+  * management can be a bitch. See 'mm/memory.c': 'copy_page_range()'
+  */
+ 
++#include <linux/version.h>
+ #include <linux/slab.h>
+ #include <linux/init.h>
+ #include <linux/unistd.h>
+@@ -84,6 +85,10 @@
+ #define CREATE_TRACE_POINTS
+ #include <trace/events/task.h>
+ 
++#ifdef CONFIG_GRAPHENE
++# include <../graphene/graphene.h>
++#endif
++
+ /*
+  * Protected counters by write_lock_irq(&tasklist_lock)
+  */
+@@ -242,6 +247,10 @@ void __put_task_struct(struct task_struct *tsk)
+ 	delayacct_tsk_free(tsk);
+ 	put_signal_struct(tsk->signal);
+ 
++#ifdef CONFIG_GRAPHENE
++	put_graphene_struct(tsk);
++#endif
++
+ 	if (!profile_handoff_task(tsk))
+ 		free_task(tsk);
+ }
+@@ -322,6 +331,16 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
+ 	tsk->stack_canary = get_random_int();
+ #endif
+ 
++#ifdef CONFIG_GRAPHENE
++	err = dup_graphene_struct(tsk);
++	if (err)
++#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)
++		goto free_ti;
++#else
++		goto out;
++#endif
++#endif
++
+ 	/*
+ 	 * One for us, one for whoever does the "release_task()" (usually
+ 	 * parent)
+diff -ruNp linux-3.19/mm/mmap.c linux-3.19.new/mm/mmap.c
+--- linux-3.19/mm/mmap.c	2015-02-08 21:54:22.000000000 -0500
++++ linux-3.19.new/mm/mmap.c	2016-08-23 22:15:18.387511888 -0400
+@@ -2000,6 +2000,10 @@ arch_get_unmapped_area_topdown(struct fi
+ }
+ #endif
+ 
++#ifdef CONFIG_GRAPHENE
++# include <../graphene/graphene.h>
++#endif
++
+ unsigned long
+ get_unmapped_area(struct file *file, unsigned long addr, unsigned long len,
+ 		unsigned long pgoff, unsigned long flags)
+@@ -2018,6 +2022,10 @@ get_unmapped_area(struct file *file, uns
+ 	get_area = current->mm->get_unmapped_area;
+ 	if (file && file->f_op->get_unmapped_area)
+ 		get_area = file->f_op->get_unmapped_area;
++#ifdef CONFIG_GRAPHENE
++	if (file && current->in_execve && GRAPHENE_ENABLED())
++		get_area = graphene_execve_get_area;
++#endif
+ 	addr = get_area(file, addr, len, pgoff, flags);
+ 	if (IS_ERR_VALUE(addr))
+ 		return addr;
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 4257b7e..b21c19d 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -36,6 +36,10 @@
+ #include "include/policy.h"
+ #include "include/procattr.h"
+ 
++#ifdef CONFIG_GRAPHENE
++# include <../graphene/graphene.h>
++#endif
++
+ /* Flag indicating whether initialization completed */
+ int apparmor_initialized __initdata;
+ 
+@@ -165,6 +169,12 @@ static int common_perm(int op, struct path *path, u32 mask,
+ 	struct aa_profile *profile;
+ 	int error = 0;
+ 
++#ifdef CONFIG_GRAPHENE
++	if (GRAPHENE_ENABLED() &&
++	    (error = graphene_common_perm(op, path, mask)))
++		return error;
++#endif
++
+ 	profile = __aa_current_profile();
+ 	if (!unconfined(profile))
+ 		error = aa_path_perm(op, profile, path, 0, mask, cond);
+@@ -377,6 +387,7 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
+ {
+ 	struct aa_file_cxt *fcxt = file->f_security;
+ 	struct aa_profile *profile;
++	u32 mask;
+ 	int error = 0;
+ 
+ 	if (!mediated_filesystem(file_inode(file)))
+@@ -388,10 +399,21 @@ static int apparmor_file_open(struct file *file, const struct cred *cred)
+ 	 * actually execute the image.
+ 	 */
+ 	if (current->in_execve) {
++#ifdef CONFIG_GRAPHENE
++		if (GRAPHENE_ENABLED() && (error = graphene_execve_open(file)))
++			return error;
++#endif
+ 		fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
+ 		return 0;
+ 	}
+ 
++#ifdef CONFIG_GRAPHENE
++	mask = aa_map_file_to_perms(file);
++	if (GRAPHENE_ENABLED() &&
++	    (error = graphene_common_perm(OP_OPEN, &file->f_path, mask)))
++		return error;
++#endif
++
+ 	profile = aa_cred_profile(cred);
+ 	if (!unconfined(profile)) {
+ 		struct inode *inode = file_inode(file);
+@@ -647,6 +669,14 @@ static struct security_operations apparmor_ops = {
+ 	.getprocattr =			apparmor_getprocattr,
+ 	.setprocattr =			apparmor_setprocattr,
+ 
++#ifdef CONFIG_GRAPHENE
++	.socket_bind =			graphene_socket_bind,
++	.socket_listen =		graphene_socket_listen,
++	.socket_connect =		graphene_socket_connect,
++	.socket_sendmsg =		graphene_socket_sendmsg,
++	.socket_recvmsg =		graphene_socket_recvmsg,
++#endif
++
+ 	.cred_alloc_blank =		apparmor_cred_alloc_blank,
+ 	.cred_free =			apparmor_cred_free,
+ 	.cred_prepare =			apparmor_cred_prepare,
+@@ -658,6 +688,10 @@ static struct security_operations apparmor_ops = {
+ 	.bprm_secureexec =		apparmor_bprm_secureexec,
+ 
+ 	.task_setrlimit =		apparmor_task_setrlimit,
++
++#ifdef CONFIG_GRAPHENE
++	.task_kill =			graphene_task_kill,
++#endif
+ };
+ 
+ /*
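Review bot: In apparmor_file_open the `graphene_common_perm(OP_OPEN, ...)` check is added after the `if (!mediated_filesystem(file_inode(file)))` test, whose body lies outside the hunk. If that test returns early, as it does in the upstream kernel, opens on filesystems AppArmor does not mediate never reach the Graphene check. The Graphene block belongs before that test if the reference monitor is meant to see every open. Separately, `u32 mask;` is declared unconditionally but used only inside `#ifdef CONFIG_GRAPHENE`, so a build without the option gets an unused-variable warning and the declaration should move inside the guard. In dup_task_struct the `LINUX_VERSION_CODE >= KERNEL_VERSION(3, 6, 0)` test is always true for a patch targeting 3.19, which leaves the `goto out` arm dead.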

+ 47 - 2
Pal/linux-kernel/graphene/graphene.c

@@ -124,6 +124,7 @@ struct graphene_info *get_graphene_info(struct graphene_struct *gs)
 	return info;
 }
 
+#if 0
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
 # define FILE_INODE(file) ((file)->f_inode)
 #else
@@ -146,10 +147,13 @@ static ssize_t graphene_lib_read (struct file *file, char __user *buf,
 				  size_t len, loff_t *ppos)
 {
 	struct inode *inode = FILE_INODE(file);
+	const struct file_operations *fops;
 
 	if (!inode)
 		return -EINVAL;
-	if (!inode->i_fop || !inode->i_fop->read)
+
+	fops = fops_get(inode->i_fop);
+	if (unlikely(!fops))
 		return -EINVAL;
 
 	return inode->i_fop->read(file, buf, len, ppos);
@@ -188,6 +192,7 @@ static int graphene_lib_release(struct inode *inode, struct file *file)
 		return -EINVAL;
 	return inode->i_fop->release(inode, file);
 }
+#endif
 
 #define DEFINE_PATH_BUFFER(kpath, max) char * kpath; int max;
 
@@ -204,6 +209,7 @@ static int graphene_lib_release(struct inode *inode, struct file *file)
 
 #define PUT_PATH_BUFFER(kpath) __putname(kpath);
 
+#if 0
 static unsigned long
 graphene_lib_get_area(struct file *file, unsigned long addr, unsigned long len,
 		      unsigned long pgoff, unsigned long flags)
@@ -254,6 +260,7 @@ static struct file_operations graphene_lib_operations = {
 	.get_unmapped_area	= graphene_lib_get_area,
 	.release		= graphene_lib_release,
 };
+#endif
 
 #ifdef CONFIG_GRAPHENE_DEBUG
 static void print_path(const char * fmt, struct path *path)
@@ -284,13 +291,51 @@ int graphene_execve_open(struct file *file)
 	if (!gi->gi_libaddr)
 		goto accepted;
 
-	file->f_op = &graphene_lib_operations;
+	//file->f_op = &graphene_lib_operations;
 accepted:
 	print_path(KERN_INFO "Graphene: ALLOW EXEC PID %d PATH %s\n",
 		   &file->f_path);
 	return 0;
 }
 
+unsigned long
+graphene_execve_get_area(struct file *file, unsigned long addr,
+			 unsigned long len, unsigned long pgoff,
+			 unsigned long flags)
+{
+	unsigned long (*get_area) (struct file *, unsigned long, unsigned long,
+				   unsigned long, unsigned long);
+
+	struct task_struct *current_tsk = current;
+	struct graphene_info *gi = get_graphene_info(current_tsk->graphene);
+
+	BUG_ON(!file);
+
+	if (gi->gi_libaddr) {
+		if (!addr)
+			addr = gi->gi_libaddr + pgoff * PAGE_SIZE;
+
+#ifdef CONFIG_GRAPHENE_DEBUG
+		{
+			DEFINE_PATH(dp, &file->f_path, kpath, max)
+			if (!IS_ERR(dp))
+				printk(KERN_INFO "Graphene: PID %d MAP FILE %s"
+				       " OFF 0x%08lx AT 0x%016lx\n",
+				       current->pid, dp,
+				       pgoff * PAGE_SIZE, addr);
+			PUT_PATH_BUFFER(kpath)
+		}
+#endif
+		return addr;
+	}
+
+	get_area = current_tsk->mm->get_unmapped_area;
+	if (file->f_op->get_unmapped_area)
+		get_area = file->f_op->get_unmapped_area;
+
+	return get_area(file, addr, len, pgoff, flags);
+}
+
 static int graphene_check_path(struct graphene_info *gi, int op, u32 mask,
 			       struct path *path, struct graphene_path *gp,
 			       int is_recursive)
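Review bot: In `graphene_execve_get_area`, the `gi->gi_libaddr` branch returns `addr` without looking at `len`, `flags` or the task's existing mappings, so a caller-supplied hint, or `gi_libaddr + pgoff * PAGE_SIZE` (which can wrap for a large `pgoff`), is handed back as if it were a free range. What the mmap path does with an overlapping address is not shown on this page, but a get_unmapped_area implementation is normally expected to reject or relocate such a request itself. I would add `if (len > TASK_SIZE || addr > TASK_SIZE - len) return -ENOMEM;` before `return addr;` and fall through to the regular `get_area` call when `find_vma()` shows the range is already occupied. The function is added whole in this hunk; `BUG_ON(!file)` also looks heavy for a condition that an error return could handle.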

+ 5 - 0
Pal/linux-kernel/graphene/graphene.h

@@ -141,6 +141,11 @@ void put_graphene_struct(struct task_struct *task);
  */
 int graphene_execve_open(struct file *file);
 
+unsigned long
+graphene_execve_get_area(struct file *file, unsigned long addr,
+			 unsigned long len, unsigned long pgoff,
+			 unsigned long flags);
+
 /*
  * add the following lines to common_perm (security/apparmor/lsm.c):
  * if (GRAPHENE_ENABLED() &&

+ 3 - 0
Pal/src/host/Linux-SGX/db_files.c

@@ -89,6 +89,9 @@ static int file_read (PAL_HANDLE handle, int offset, int count,
     unsigned int total = handle->file.total;
     int ret;
 
+    if (offset >= total)
+        return 0;
+
     unsigned long end = (offset + count > total) ? total : offset + count;
     unsigned long map_start, map_end;
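Review bot: The added `offset >= total` test compares an `int` with an `unsigned int`, so a negative `offset` is rejected only through the implicit conversion, and `count` is still unchecked before `offset + count` is evaluated in signed arithmetic on the next line. A negative or very large `count` would make that sum wrap or overflow before it is clamped to `total`. I would make the validation explicit ahead of the new check, `if (offset < 0 || count < 0) return -PAL_ERROR_INVAL;`, and compute `end` in `unsigned long`. The rest of `file_read` lies outside the hunk, so how `end` is used afterwards should be confirmed.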
 

+ 8 - 5
Pal/src/host/Linux-SGX/db_main.c

@@ -82,6 +82,7 @@ PAL_NUM _DkGetHostId (void)
 void setup_pal_map (struct link_map * map);
 static struct link_map pal_map;
 
+int init_untrusted_slab_mgr (int pagesize);
 int init_enclave (void);
 int init_child_process (PAL_HANDLE * parent_handle);
 
@@ -118,15 +119,15 @@ static int loader_filter (const char * key, int len)
     return 1;
 }
 
-void pal_linux_main(int argc, const char ** argv, const char ** envp,
+void pal_linux_main(const char ** arguments, const char ** environments,
                     struct pal_sec * sec_info)
 {
     PAL_HANDLE parent = NULL;
     unsigned long start_time = _DkSystemTimeQuery();
 
     /* relocate PAL itself */
-    pal_map.l_addr = elf_machine_load_address();
-    pal_map.l_name = pal_sec.enclave_image;
+    pal_map.l_addr = sec_info->enclave_addr;
+    pal_map.l_name = sec_info->enclave_image;
     elf_get_dynamic_info((void *) pal_map.l_addr + elf_machine_dynamic(),
                          pal_map.l_info, pal_map.l_addr);
 
@@ -136,6 +137,7 @@ void pal_linux_main(int argc, const char ** argv, const char ** envp,
 
     /* set up page allocator and slab manager */
     init_slab_mgr(pagesz);
+    init_untrusted_slab_mgr(pagesz);
     init_pages();
 
     /* now we can add a link map for PAL itself */
@@ -200,8 +202,9 @@ void pal_linux_main(int argc, const char ** argv, const char ** envp,
     ENCLAVE_TLS(thread) = __pal_control.first_thread = first_thread;
 
     /* call main function */
-    pal_main(pal_sec.instance_id, manifest, exec, pal_sec.exec_addr,
-             parent, first_thread, argv, envp);
+    pal_main(pal_sec.instance_id, manifest, exec,
+             pal_sec.exec_addr, parent, first_thread,
+             arguments, environments);
 }
 
 /* the following code is borrowed from CPUID */
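Review bot: The relocation base `pal_map.l_addr` is now read from `sec_info->enclave_addr`, and `pal_map.l_name` points at `sec_info->enclave_image`, while `sec_info` is the pointer the ecall passes in from outside the enclave (`ms->ms_sec_info` in enclave_ecalls.c). Both values therefore stay under the host's control at the moment PAL relocates itself, whereas the removed lines used `elf_machine_load_address()` and the `pal_sec` global. I would keep an in-enclave source of truth and only cross-check the host value, e.g. `if ((void *) sec_info->enclave_addr != (void *) elf_machine_load_address()) init_fail(PAL_ERROR_DENIED, "bad enclave address");`, assuming `elf_machine_load_address()` is still correct for the new layout. The body of `pal_linux_main` is only partly visible in these hunks.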

+ 1 - 1
Pal/src/host/Linux-SGX/db_pipes.c

@@ -355,7 +355,7 @@ static int pipe_attrsetbyhdl (PAL_HANDLE handle, PAL_STREAM_ATTR * attr)
                             &handle->pipe.nonblocking;
 
     if (attr->nonblocking != *nonblocking) {
-        int ret = ocall_fsetnonblock(HANDLE_HDR(handle)->fds[0], *nonblocking);
+        int ret = ocall_fsetnonblock(HANDLE_HDR(handle)->fds[0], attr->nonblocking);
         if (ret < 0)
             return ret;
 

+ 4 - 2
Pal/src/host/Linux-SGX/debugger/gdb

@@ -1,7 +1,9 @@
 #!/bin/bash
 
 DIR=$(dirname $(readlink -f ${BASH_SOURCE[0]}))
-GDB_SCRIPT=$DIR/../pal-gdb.py
+GDB_SCRIPT=$DIR/pal-gdb.py
 GDB_SO=$DIR/sgx_gdb.so
 
-LD_PRELOAD=$GDB_SO gdb -iex "set auto-load safe-path $GDB_SCRIPT" $@
+set -x
+
+LD_PRELOAD=$GDB_SO gdb -iex "set auto-load safe-path $GDB_SCRIPT" "$@"
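Review bot: The added `set -x` makes every run of this wrapper echo the full gdb command line, including the user's arguments, to stderr, and nothing in the hunk says whether that is intended. If it is a debugging leftover I would drop it; if it should stay, a comment such as `# trace the gdb invocation for troubleshooting` would record why.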

+ 0 - 0
Pal/src/host/Linux-SGX/pal-gdb.py → Pal/src/host/Linux-SGX/debugger/pal-gdb.py


+ 2 - 3
Pal/src/host/Linux-SGX/ecall_types.h

@@ -16,9 +16,8 @@ typedef struct {
 struct pal_sec;
 
 typedef struct {
-    int ms_argc;
-    const char ** ms_argv;
-    const char ** ms_envp;
+    const char ** ms_arguments;
+    const char ** ms_environments;
     void * ms_addr;
     struct pal_sec * ms_sec_info;
     void * ms_enclave_base;

+ 3 - 3
Pal/src/host/Linux-SGX/enclave_ecalls.c

@@ -11,7 +11,7 @@
 
 extern void * enclave_base, * enclave_top;
 
-void pal_linux_main (int argc, const char ** argv, const char ** envp,
+void pal_linux_main (const char ** arguments, const char ** environments,
                      struct pal_sec * sec_info);
 
 int enclave_ecall_pal_main (void * pms)
@@ -23,8 +23,8 @@ int enclave_ecall_pal_main (void * pms)
     enclave_base = ms->ms_enclave_base;
     enclave_top = ms->ms_enclave_base + ms->ms_enclave_size;
 
-    pal_linux_main(ms->ms_argc, ms->ms_argv,
-                   ms->ms_envp,
+    pal_linux_main(ms->ms_arguments,
+                   ms->ms_environments,
                    ms->ms_sec_info);
 
     ocall_exit();
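Review bot: `ms->ms_arguments` and `ms->ms_environments` are forwarded to `pal_linux_main` exactly as the untrusted caller supplied them, and with `ms_argc` gone the enclave can only find the end of each array by walking host-controlled memory until it sees NULL. Nothing in this hunk checks where `pms`, the two arrays or the strings they point to live, or copies them in before use, so later reads can observe values that change underneath the enclave. I would copy both vectors into enclave memory here, with an upper bound on entry count and string length, and pass the copies on. A comment like `/* arguments/environments point to untrusted memory; copied and bounded below */` would record the contract. `enclave_ecall_pal_main` begins before the hunk.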

+ 18 - 5
Pal/src/host/Linux-SGX/enclave_untrusted.c

@@ -25,12 +25,13 @@
 
 #include "enclave_ocalls.h"
 
-#define allocator pal_sec.untrusted_allocator
-#define untrusted_slabmgr (allocator.slabmgr)
-#define system_lock()   _DkMutexLock(allocator.lock)
-#define system_unlock() _DkMutexUnlock(allocator.lock)
+static PAL_LOCK malloc_lock = LOCK_INIT;
+static int pagesize = PRESET_PAGESIZE;
 
-#define PAGE_SIZE (allocator.alignment)
+#define system_lock()   _DkSpinLock(&malloc_lock)
+#define system_unlock() _DkSpinUnlock(&malloc_lock)
+
+#define PAGE_SIZE pagesize
 
 static inline void * __malloc (int size)
 {
@@ -51,6 +52,18 @@ static inline void __free (void * addr, int size)
 
 #include "slabmgr.h"
 
+static SLAB_MGR untrusted_slabmgr = NULL;
+
+void init_untrusted_slab_mgr (int pagesize)
+{
+    if (untrusted_slabmgr)
+        return;
+
+    untrusted_slabmgr = create_slab_mgr();
+    if (!untrusted_slabmgr)
+        init_fail(PAL_ERROR_NOMEM, "cannot initialize slab manager");
+}
+
 void * malloc_untrusted (int size)
 {
     void * ptr = slab_alloc(untrusted_slabmgr, size);
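Review bot: `init_untrusted_slab_mgr` is defined here as returning `void`, but the prototype added in db_main.c is `int init_untrusted_slab_mgr (int pagesize);`, so the two translation units disagree on the function's type. Its `pagesize` parameter also shadows the new `static int pagesize` and is never stored, which leaves `PAGE_SIZE` at `PRESET_PAGESIZE` whatever the caller passes. I would change the definition to `int init_untrusted_slab_mgr (int size)`, assign `pagesize = size;` before `create_slab_mgr()`, and `return 0;` on both success paths.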

+ 1 - 7
Pal/src/host/Linux-SGX/pal_security.h

@@ -31,6 +31,7 @@ struct pal_sec {
     PAL_IDX         ppid, pid, uid, gid;
 
     /* file name of enclave image */
+    PAL_PTR         enclave_addr;
     PAL_SEC_STR     enclave_image;
 
     /* enclave information */
@@ -60,13 +61,6 @@ struct pal_sec {
     PAL_SEC_STR     pipe_prefix;
     PAL_IDX         mcast_port, mcast_srv, mcast_cli;
 
-    /* an untrusted allocator shared with enclave */
-    struct {
-        unsigned int alignment;
-        void * slabmgr;
-        struct mutex_handle * lock;
-    } untrusted_allocator;
-
 #ifdef DEBUG
     PAL_BOL         in_gdb;
 #endif
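Review bot: `PAL_PTR enclave_addr;` is inserted directly under the existing `/* file name of enclave image */` comment, which now describes the wrong field. I would reword it to `/* load address and file name of enclave image */` and note that the value is filled in by the untrusted loader (sgx_main.c sets it from `enclave_secs.baseaddr + pal_area->addr`).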

+ 3 - 4
Pal/src/host/Linux-SGX/sgx_enclave.c

@@ -697,14 +697,13 @@ void * ocall_table[OCALL_NR] = {
 
 #define EDEBUG(code, ms) do {} while (0)
 
-int ecall_pal_main (int argc, const char ** argv, const char ** envp)
+int ecall_pal_main (const char ** arguments, const char ** environments)
 {
     struct pal_enclave * enclave = current_enclave;
     ms_ecall_pal_main_t ms;
 
-    ms.ms_argc = argc;
-    ms.ms_argv = argv;
-    ms.ms_envp = envp;
+    ms.ms_arguments = arguments;
+    ms.ms_environments = environments;
     ms.ms_sec_info = PAL_SEC();
     ms.ms_enclave_base = (void *) enclave->baseaddr;
     ms.ms_enclave_size = enclave->size;

+ 1 - 1
Pal/src/host/Linux-SGX/sgx_enclave.h

@@ -7,7 +7,7 @@
 #define assert(cond) \
     do { if (!(cond)) INLINE_SYSCALL(exit_group, 1, 0); } while (0);
 
-int ecall_pal_main (int argc, const char ** argv, const char ** envp);
+int ecall_pal_main (const char ** arguments, const char ** environments);
 
 int ecall_thread_start (void (*func) (void *, void *),
                         void * args, unsigned int * child_tid,

+ 3 - 142
Pal/src/host/Linux-SGX/sgx_graphene.c

@@ -27,146 +27,6 @@
 
 #include "sgx_internal.h"
 
-#define MUTEX_SPINLOCK_TIMES    20
-
-static int _DkMutexLock (struct mutex_handle * mut)
-{
-    int i, c = 0;
-    int ret;
-    struct atomic_int * m = &mut->value;
-
-    /* Spin and try to take lock */
-    for (i = 0; i < MUTEX_SPINLOCK_TIMES; i++) {
-        c = atomic_dec_and_test(m);
-        if (c)
-            goto success;
-        cpu_relax();
-    }
-
-    /* The lock is now contended */
-
-    while (!c) {
-        int val = atomic_read(m);
-        if (val == 1)
-            goto again;
-
-        ret = INLINE_SYSCALL(futex, 6, m, FUTEX_WAIT, val, NULL, NULL, 0);
-
-        if (IS_ERR(ret) &&
-            ERRNO(ret) != EWOULDBLOCK &&
-            ERRNO(ret) != EINTR) {
-            ret = -PAL_ERROR_DENIED;
-            goto out;
-        }
-
-again:
-        /* Upon wakeup, we still need to check whether mutex is unlocked or
-         * someone else took it.
-         * If c==0 upon return from xchg (i.e., the older value of m==0), we
-         * will exit the loop. Else, we sleep again (through a futex call).
-         */
-        c = atomic_dec_and_test(m);
-    }
-
-success:
-    ret = 0;
-out:
-    return ret;
-}
-
-static int _DkMutexUnlock (struct mutex_handle * mut)
-{
-    int ret = 0;
-    int must_wake = 0;
-    struct atomic_int * m = &mut->value;
-
-    /* Unlock, and if not contended then exit. */
-    if (atomic_read(m) < 0)
-        must_wake = 1;
-
-    atomic_set(m, 1);
-
-    if (must_wake) {
-        /* We need to wake someone up */
-        ret = INLINE_SYSCALL(futex, 6, m, FUTEX_WAKE, 1, NULL, NULL, 0);
-    }
-
-    if (IS_ERR(ret)) {
-        ret = -PAL_ERROR_TRYAGAIN;
-        goto out;
-    }
-
-    ret = 0;
-out:
-    return ret;
-}
-
-static struct mutex_handle slabmgr_lock;
-static void * untrusted_slabmgr = NULL;
-
-#define system_lock()   _DkMutexLock(&slabmgr_lock)
-#define system_unlock() _DkMutexUnlock(&slabmgr_lock)
-
-#define PAGE_SIZE (pagesize)
-
-#define STARTUP_SIZE    8
-
-static inline void * __malloc (int size)
-{
-    void * addr = NULL;
-    addr = (void *) INLINE_SYSCALL(mmap, 6, NULL, size,
-                                   PROT_READ | PROT_WRITE,
-                                   MAP_PRIVATE | MAP_ANONYMOUS,
-                                   -1, 0);
-    if (IS_ERR_P(addr))
-        return NULL;
-    return addr;
-}
-
-#define system_malloc(size) __malloc(size)
-
-static inline void __free (void * addr, int size)
-{
-    INLINE_SYSCALL(munmap, 2, addr, size);
-}
-
-#define system_free(addr, size) __free(addr, size)
-
-#include "slabmgr.h"
-
-int init_untrusted_allocator (struct pal_sec * pal_sec)
-{
-    if (!untrusted_slabmgr) {
-        untrusted_slabmgr = create_slab_mgr();
-        if (!untrusted_slabmgr)
-            return -PAL_ERROR_NOMEM;
-    }
-
-    pal_sec->untrusted_allocator.alignment = pagesize;
-    pal_sec->untrusted_allocator.slabmgr = untrusted_slabmgr;
-    pal_sec->untrusted_allocator.lock = &slabmgr_lock;
-    return 0;
-}
-
-void * malloc_untrusted (int size)
-{
-    void * ptr = slab_alloc((SLAB_MGR) untrusted_slabmgr, size);
-
-    /* the slab manger will always remain at least one byte of padding,
-       so we can feel free to assign an offset at the byte prior to
-       the pointer */
-    if (ptr)
-        *(((unsigned char *) ptr) - 1) = 0;
-
-    return ptr;
-}
-
-void free_untrusted (void * ptr)
-{
-    ptr -= *(((unsigned char *) ptr) - 1);
-    slab_free((SLAB_MGR) untrusted_slabmgr, ptr);
-}
-
 int _DkEventSet (PAL_HANDLE event, int wakeup)
 {
     int ret = 0;
@@ -230,15 +90,16 @@ struct printbuf {
     char buf[PRINTBUF_SIZE];
 };
 
-static void
+static int
 fputch(void * f, int ch, struct printbuf * b)
 {
     b->buf[b->idx++] = ch;
-    if (b->idx == PRINTBUF_SIZE-1) {
+    if (b->idx == PRINTBUF_SIZE - 1) {
         INLINE_SYSCALL(write, 3, 2, b->buf, b->idx);
         b->idx = 0;
     }
     b->cnt++;
+    return 0;
 }
 
 static int

+ 0 - 2
Pal/src/host/Linux-SGX/sgx_internal.h

@@ -134,6 +134,4 @@ void sgx_edbgwr (void * addr, uint64_t data);
 int sgx_init_child_process (struct pal_sec * pal_sec);
 int sgx_signal_setup (void);
 
-int init_untrusted_allocator (struct pal_sec * pal_sec);
-
 #endif

+ 37 - 37
Pal/src/host/Linux-SGX/sgx_main.c

@@ -365,7 +365,6 @@ int initialize_enclave (struct pal_enclave * enclave)
     }
 
     enclave_entry_addr += pal_area->addr;
-    unsigned long heap_max = populating;
 
     if (exec_area) {
         if (exec_area->addr + exec_area->size > pal_area->addr)
@@ -402,12 +401,15 @@ int initialize_enclave (struct pal_enclave * enclave)
 
             for (int t = 0 ; t < enclave->thread_num ; t++) {
                 struct enclave_tls * gs = data + pagesize * t;
-                gs->self = (void *) tls_area->addr + pagesize * t;
+                gs->self = (void *) tls_area->addr + pagesize * t +
+                    enclave_secs.baseaddr;
                 gs->initial_stack = (void *)
-                    stack_areas[t].addr + ENCLAVE_STACK_SIZE;
+                    stack_areas[t].addr + ENCLAVE_STACK_SIZE +
+                    enclave_secs.baseaddr;
                 gs->ssaframesize = enclave->ssaframesize;
                 gs->ssa = (void *) ssa_area->addr +
-                    enclave->ssaframesize * SSAFRAMENUM * t;
+                    enclave->ssaframesize * SSAFRAMENUM * t +
+                    enclave_secs.baseaddr;
                 gs->gpr = gs->ssa +
                     enclave->ssaframesize - sizeof(sgx_arch_gpr_t);
                 enclave_thread_gprs[t] = (unsigned long) gs->gpr;
@@ -425,13 +427,11 @@ int initialize_enclave (struct pal_enclave * enclave)
                 sgx_arch_tcs_t * tcs = data + pagesize * t;
                 memset(tcs, 0, pagesize);
                 tcs->ossa = ssa_area->addr +
-                    enclave->ssaframesize * SSAFRAMENUM * t -
-                    enclave->baseaddr;
+                    enclave->ssaframesize * SSAFRAMENUM * t;
                 tcs->nssa = 2;
-                tcs->oentry = enclave_entry_addr - enclave->baseaddr;
+                tcs->oentry = enclave_entry_addr;
                 tcs->ofsbasgx = 0;
-                tcs->ogsbasgx = tls_area->addr + t * pagesize -
-                    enclave->baseaddr;
+                tcs->ogsbasgx = tls_area->addr + t * pagesize;
                 tcs->fslimit = 0xfff;
                 tcs->gslimit = 0xfff;
             }
@@ -457,19 +457,22 @@ add_pages:
 
     TRY(init_enclave, &enclave_secs, &enclave_sigstruct, &enclave_token);
 
-    create_tcs_mapper((void *) tcs_area->addr, enclave->thread_num);
+    create_tcs_mapper((void *) enclave_secs.baseaddr + tcs_area->addr,
+                      enclave->thread_num);
 
     struct pal_sec * pal_sec = &enclave->pal_sec;
 
-    pal_sec->heap_min = (void *) ENCLAVE_MIN_ADDR;
-    pal_sec->heap_max = (void *) heap_max;
+    pal_sec->enclave_addr = (PAL_PTR) (enclave_secs.baseaddr + pal_area->addr);
+
+    pal_sec->heap_min = (void *) enclave_secs.baseaddr + ENCLAVE_MIN_ADDR;
+    pal_sec->heap_max = (void *) enclave_secs.baseaddr + pal_area->addr - MEMORY_GAP;
 
     if (exec_area) {
-        pal_sec->exec_addr = (void *) exec_area->addr;
+        pal_sec->exec_addr = (void *) enclave_secs.baseaddr + exec_area->addr;
         pal_sec->exec_size = exec_area->size;
     }
 
-    pal_sec->manifest_addr = (void *) manifest_area->addr;
+    pal_sec->manifest_addr = (void *) enclave_secs.baseaddr + manifest_area->addr;
     pal_sec->manifest_size = manifest_size;
 
     memcpy(pal_sec->mrenclave, enclave_secs.mrenclave,
@@ -697,8 +700,7 @@ int load_manifest (int fd, struct config_store ** config_ptr)
 static int load_enclave (struct pal_enclave * enclave,
                          const char * manifest_uri,
                          const char * exec_uri,
-                         const char * pal_loader,
-                         int argc, const char ** argv, const char ** envp)
+                         const char ** arguments, const char ** environments)
 {
     struct pal_sec * pal_sec = &enclave->pal_sec;
     int ret;
@@ -728,7 +730,7 @@ static int load_enclave (struct pal_enclave * enclave,
     pal_sec->gid = INLINE_SYSCALL(getgid, 0);
 
 #ifdef DEBUG
-    for (const char ** e = envp ; *e ; e++) {
+    for (const char ** e = environments ; *e ; e++) {
         if (strcmp_static(*e, "IN_GDB=1")) {
             SGX_DBG(DBG_I, "being GDB'ed!!!\n");
             pal_sec->in_gdb = true;
@@ -814,6 +816,15 @@ static int load_enclave (struct pal_enclave * enclave,
     if (ret < 0)
         return ret;
 
+    snprintf(pal_sec->enclave_image,  sizeof(PAL_SEC_STR), "%s",
+             ENCLAVE_FILENAME);
+
+    if (!pal_sec->instance_id)
+        create_instance(&enclave->pal_sec);
+
+    pal_sec->manifest_fd = enclave->manifest;
+    memcpy(pal_sec->manifest_name, manifest_uri, strlen(manifest_uri) + 1);
+
     if (enclave->exec == -1) {
         pal_sec->exec_fd = PAL_IDX_POISON;
         memset(pal_sec->exec_name, 0, sizeof(PAL_SEC_STR));
@@ -822,15 +833,6 @@ static int load_enclave (struct pal_enclave * enclave,
         memcpy(pal_sec->exec_name, exec_uri, strlen(exec_uri) + 1);
     }
 
-    pal_sec->manifest_fd = enclave->manifest;
-    memcpy(pal_sec->manifest_name, manifest_uri, strlen(manifest_uri) + 1);
-
-    if (!pal_sec->instance_id)
-        create_instance(&enclave->pal_sec);
-
-    snprintf(pal_sec->enclave_image,  sizeof(PAL_SEC_STR), "%s",
-             ENCLAVE_FILENAME);
-
     if (!pal_sec->mcast_port) {
         unsigned short mcast_port;
         getrand(&mcast_port, sizeof(unsigned short));
@@ -847,10 +849,6 @@ static int load_enclave (struct pal_enclave * enclave,
         }
     }
 
-    ret = init_untrusted_allocator(pal_sec);
-    if (ret < 0)
-        return ret;
-
     /* setup signal handling */
     ret = sgx_signal_setup();
     if (ret < 0)
@@ -860,7 +858,7 @@ static int load_enclave (struct pal_enclave * enclave,
     map_tcs(INLINE_SYSCALL(gettid, 0));
 
     /* start running trusted PAL */
-    ecall_pal_main(argc, argv, envp);
+    ecall_pal_main(arguments, environments);
 
     unmap_tcs();
     exit_process(0);
@@ -878,6 +876,8 @@ int main (int argc, const char ** argv, const char ** envp)
     if (!enclave)
         return -ENOMEM;
 
+    memset(enclave, 0, sizeof(struct pal_enclave));
+
     int is_child = sgx_init_child_process(&enclave->pal_sec);
     if (is_child < 0)
         return is_child;
@@ -932,8 +932,7 @@ int main (int argc, const char ** argv, const char ** envp)
         SGX_DBG(DBG_I, "manifest file: %s\n", manifest_uri);
     }
 
-    return load_enclave(enclave, manifest_uri, exec_uri, pal_loader,
-                        argc, argv, envp);
+    return load_enclave(enclave, manifest_uri, exec_uri, argv, envp);
 
 usage:
     SGX_DBG(DBG_E, "USAGE: %s [executable|manifest] args ...\n", pal_loader);
@@ -942,8 +941,7 @@ usage:
 
 int pal_init_enclave (const char * manifest_uri,
                       const char * exec_uri,
-                      const char * pal_loader,
-                      int argc, const char ** argv, const char ** envp)
+                      const char ** arguments, const char ** environments)
 {
     if (!manifest_uri)
         return -PAL_ERROR_INVAL;
@@ -952,8 +950,10 @@ int pal_init_enclave (const char * manifest_uri,
     if (!enclave)
         return -PAL_ERROR_NOMEM;
 
-    return load_enclave(enclave, manifest_uri, exec_uri, pal_loader,
-                        argc, argv, envp);
+    memset(enclave, 0, sizeof(struct pal_enclave));
+
+    return load_enclave(enclave, manifest_uri, exec_uri,
+                        arguments, environments);
 }
 
 void exit_process (int status)
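Review bot: In the `load_enclave` hunk at `-814`, the re-added `memcpy(pal_sec->manifest_name, manifest_uri, strlen(manifest_uri) + 1);` copies a caller-supplied URI with no bound, while the `snprintf` a few lines above it limits `enclave_image` to `sizeof(PAL_SEC_STR)`. If `manifest_name` is a `PAL_SEC_STR` like its neighbours (its declaration is not on this page), a long manifest path overruns it. I would use the same form here, `snprintf(pal_sec->manifest_name, sizeof(PAL_SEC_STR), "%s", manifest_uri);`, and check the return value for truncation. The `exec_name` copy in the unchanged lines below has the same shape.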

+ 1 - 1
Pal/src/host/Linux-SGX/sgx_rtld.c

@@ -31,7 +31,7 @@
 
 asm (".pushsection \".debug_gdb_scripts\", \"MS\",@progbits,1\r\n"
      ".byte 1\r\n"
-     ".asciz \"" PAL_FILE("host/Linux-SGX/pal-gdb.py") "\"\r\n"
+     ".asciz \"" PAL_FILE("host/Linux-SGX/debugger/pal-gdb.py") "\"\r\n"
      ".popsection\r\n");
 
 void load_gdb_command (const char * command)

+ 5 - 2
Pal/src/host/Linux-SGX/signer/pal-sgx-sign

@@ -360,7 +360,10 @@ def populate_memory_areas(manifest, attr, areas):
         area.addr = populating - area.size
         if area.addr < ENCLAVE_HEAP_MIN:
             raise Exception("Enclave size is not large enough")
-        populating = area.addr - MEMORY_GAP
+        if area.desc == 'exec':
+            populating = area.addr;
+        else:
+            populating = area.addr - MEMORY_GAP
 
     free_areas = []
     for area in areas:
@@ -678,7 +681,7 @@ if __name__ == "__main__":
     args['root'] = os.path.dirname(os.path.abspath(args['output']))
 
     if 'sgx.sigfile' in manifest:
-        args['sigfile'] = resolve_uri(manifest['sgx.sigfile'])
+        args['sigfile'] = resolve_uri(manifest['sgx.sigfile'], False)
     else:
         sigfile = args['output']
         for ext in ['.manifest.sgx', '.manifest']:

+ 1 - 1
Pal/src/host/Linux/db_pipes.c

@@ -556,7 +556,7 @@ static int pipe_attrsetbyhdl (PAL_HANDLE handle, PAL_STREAM_ATTR * attr)
 
     if (attr->nonblocking != *nonblocking) {
         ret = INLINE_SYSCALL(fcntl, 3, HANDLE_HDR(handle)->fds[0], F_SETFL,
-                             *nonblocking ? O_NONBLOCK : 0);
+                             attr->nonblocking ? O_NONBLOCK : 0);
 
         if (IS_ERR(ret))
             return unix_to_pal_error(ERRNO(ret));

+ 1 - 1
Pal/src/security/Linux/Makefile

@@ -3,7 +3,7 @@ LD	= ld
 
 CFLAGS	= -Wall -fPIC -O2 -std=gnu99 -fgnu89-inline -Wall -U_FORTIFY_SOURCE \
 	  -fno-stack-protector -fno-builtin \
-	  -DPAL_LOADER_PATH="$(shell readlink -f ../../pal)" \
+	  -DPAL_LOADER_PATH="$(abspath ../../libpal.so)" \
 	  -I. -I../../host/Linux/include -I../.. -I../../../include -I../../host/Linux \
 	  -I../../../lib -I../../../linux-kernel/graphene
 LDFLAGS	= -shared -nostdlib -z combreloc -z defs --version-script pal-sec.map -e start
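Review bot: `$(abspath ../../libpal.so)` only normalises the string; unlike the `readlink -f` it replaces, it neither resolves symlinks nor notices a missing file, so the loader path compiled into this module can differ from the file that is actually executed. If `PAL_LOADER_PATH` is compared against a resolved path at run time (not visible here), `$(realpath ../../libpal.so)` would keep the old behaviour, provided libpal.so is built before this directory.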

+ 2 - 2
Pal/src/security/Linux/bpf-helper.h

@@ -146,7 +146,7 @@ union arg64 {
 	       ((union arg64){.u64 = (x)}).hi32, \
 	       EXPAND(jt))
 #define ARG(i) ARG_64(i)
-#define ARG_FLAG(i,flag) ARG_FLAG_64(i,flag)
+#define ARG_FLAG(i, flag) ARG_FLAG_64(i, flag)
 #define IP IP_64
 
 #else
@@ -177,7 +177,7 @@ union arg64 {
 	BPF_STMT(BPF_ST, 1) /* hi -> M[1] */
 
 /* Loads hi into A and lo in X */
-#define ARG_FLAG_64(idx,flag) \
+#define ARG_FLAG_64(idx, flag) \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(idx)), \
 	BPF_STMT(BPF_ALU+BPF_AND+BPF_K, LO_FLAG(flag)), \
 	BPF_STMT(BPF_ST, 0), /* lo -> M[0] */ \

+ 8 - 2
Pal/src/security/Linux/filter.c

@@ -91,6 +91,10 @@ typedef __builtin_va_list __gnuc_va_list;
 # error "Unsupported architecture"
 #endif
 
+#ifndef SIGCHLD
+# define SIGCHLD 17
+#endif
+
 #define SYSCALL_ACTIONS                                  \
     DENY,                                                \
                                                          \
@@ -116,8 +120,9 @@ typedef __builtin_va_list __gnuc_va_list;
     DENY,                                                \
                                                          \
     LABEL(&labels, clone),                               \
-    ARG_FLAG(2, CLONE_IO),                               \
+    ARG_FLAG(2, (CLONE_IO|CLONE_VM|CLONE_VFORK)),        \
     JEQ(0, ALLOW),                                       \
+    JEQ(SIGCHLD, ALLOW),                                 \
     DENY,                                                \
                                                          \
     LABEL(&labels, socket),                              \
@@ -149,7 +154,6 @@ int install_initial_syscall_filter (void)
 #else
         SYSCALL(__NR_gettimeofday,  ALLOW),
 #endif
-
         SYSCALL(__NR_prctl,     JUMP(&labels, prctl)),
 
         SYSCALL_ACTIONS,
@@ -187,6 +191,8 @@ int install_syscall_filter (void * code_start, void * code_end)
     int err = 0;
     struct bpf_labels labels = { .count = 0 };
 
+    printf("set up filter in %p-%p\n", code_start, code_end);
+
     struct sock_filter filter[] = {
         IP,
         JLT((unsigned long) code_start, DENY),
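Review bot: In the `clone` rule, `ARG_FLAG(2, (CLONE_IO|CLONE_VM|CLONE_VFORK))` leaves only those three bits in the accumulator (the `ARG_FLAG_64` definition in bpf-helper.h ANDs the argument with the mask), so the added `JEQ(SIGCHLD, ALLOW)` can never match: 17 shares no bit with the mask. The effective policy is therefore "allow only when none of the three flags is set", which also denies `CLONE_VM`/`CLONE_VFORK` callers that the old `CLONE_IO`-only mask let through. If the intent is to admit a plain fork, the comparison needs to run on the unmasked flags; otherwise the line should be dropped and the rule documented with a comment such as `/* clone: deny CLONE_IO, CLONE_VM and CLONE_VFORK */`. Separately, the unconditional `printf("set up filter in %p-%p\n", ...)` in `install_syscall_filter` prints code addresses on every start and would be better behind a debug guard.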