-
Notifications
You must be signed in to change notification settings - Fork 196
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC: Sanitization of /etc/
files
#689
Comments
This is a wrong/misleading term, as Gramine is not overriding anything. It's a separate operating system, and the plan is to emulate these files based on whatever we gathered on the host (which may not even be Linux in theory).
It would be easier if these were from a special kernel fs, like sysfs, but since this isn't the case we can either:
|
Ok, fixed the wording.
I don't like this at all. This sets a bad precedence of creating random FSes for a couple files (and diverging from how Linux does it).
Yeah, probably just this. |
Maybe |
Could you expand what exactly this option is supposed to do? Is it a boolean? Does it only pertain to the |
Yes
What others? Is anything needed beside this file? I think everything works with just this one |
|
What these files have to do with dockers |
Yes, and this updates the IP mapping info in the |
[[sgx.trusted_files]]
uri = "file:/etc/resolv.conf"
content = """\
nameserver 1.1.1.1
nameserver 8.8.8.8
search domain.example
""" |
Apparently docker mount binds them from host then. Anyway, my point was not to use them at all, so there would be no measurement errors. |
Hmm, I think I like the (a bit unrelated) idea of supporting inlining of small files into manifests, but we should probably discuss it more, there may be reasons against it. |
Can we close this in the core meeting pls? Time is tissue. |
Discussion notes in the core meeting: Woju's proposal of hard-coded
Borys's proposal to require to run a DNS server alongside Gramine is also rejected:
Borys mentions that there must be a way for some apps to:
Agreed solution: introduce a new manifest option
|
Wait, it wasn't rejected overall, it's just completely unrelated to this specific issue, and it was rejected as a solution for it. But we may want to implement it someday for other purposes.
Not sure about this, the option is already super explicit and it seems that this warning will spam too many users (which want to mount the whole OS image from Docker, but override these three files). |
I can look into this. |
The proposal:The important note is that we will follow a guideline from RFC2181 that the entire domain name is limited to 255 octets (including separators).
|
Why do we need a new function for this? Why cannot it be static information set at the startup?
Please no. Configuring networking from withing Gramine is not supported and I would prefer to leave it this way.
I would make all the arrays allocated separately and keep pointers to them (instead of inlining them in the struct). Is there any disadvantage of this? Do you think it's worth implementing so many options initially? I would say most common ones ( |
Also, on the security of this:
|
The reason was that the name can be changed from Gramine. See below.
We actually have a gramine/libos/src/sys/libos_uname.c Line 43 in 74e74a8
I have chosen the ones that make the most sens for me - but I'm open for discussion. |
But it's a dummy implementation, which does not propagate the change neither to other in-Gramine processes, nor to the host OS.
Going this way everything is important - if something uses it, then it might be requires for correct operation. We just want to make sure that it's a common option that will be actually used. |
+1 to @boryspoplawski. This is not needed, let's just have a static info. The fact that we implement
I cannot parse this paragraph... Why shouldn't we propagate |
My understanding was that with Gramine we target running a trusted process on untrusted server. So if you want to have your own |
All of this doesn't really matter, host OS can e.g. change dest and src IP addresses as it wishes. |
What does it mean exactly, "be a part of the application itself"? Why can't the application rely on
Yes, of course, but this can be said about any file that we want to sanitize here... The point is not to make |
Yes, I know. I was responding to @oshogbo that we trust (or actually need other countermeasures) the server in this regard anyway. |
@oshogbo completed all the required tasks, closing this meta-issue. |
How do you solve the docker case with
|
@haraldh The currently recommended way is like we have in the Python example:
I'm not familiar with |
|
I still think this is a legitimate use case. What is your suggestion for |
Hm, I can't come up with an elegant way right now. A workaround would be to have a immutable |
I can imagine a synthesized sanitized |
Another option could be an env variable and a "pre-exec" which creates and provides /etc/sgx_default_qcnl.conf somehow |
Description of the problem
Currently we put files like
/etc/resolv.conf
in thesgx.allowed_files
list for simplicity. Example:gramine/CI-Examples/redis/redis-server.manifest.template
Lines 130 to 142 in f7eae7e
Having these files under
sgx.allowed_files
is not secure. They are read by e.g. Glibc which doesn't expect them to be ill-formatted or maliciously modified.The current consensus (see #687) is: Gramine should read the set of network-related files under
/etc/
(when specified in the manifest file), sanitize/verify them and expose to the user app./etc/
should be sanitized like this./etc/passwd
. This file should be in thesgx.trusted_files
list.Things to be done as part of this effort
/etc/
that needs sanitization./etc/resolv.conf
) should go. Do they just "appear" to the in-Gramine app? Or they need to be put in one of the lists?The text was updated successfully, but these errors were encountered: