mystikos
Implement identity syscalls and authentication
Types of IDs: real, effective, saved, fs, and associated groups as well as supplemental groups.

- Config to set starting IDs
- Permission checks
- ID mapping between enclave and host for SGX

There are also capabilities that govern what can and cannot be done, too, and that are specific to these syscalls.
Implement the following APIs to track IDs on a thread
API | done |
---|---|
get/set uid/gid | x |
get euid/egid | x |
set reuid/regid | x |
get/set resuid/resgid | x |
set fsuid/fsgid | x |
get/set groups | x |
Propagation of IDs for filesystem operations
description | ramfs | ext2 | hostfs |
---|---|---|---|
file creation IDs for creating files | x | x | x |
access check file creation | x | | |
access check stat | x | | |
access check utimenstat | x | | |
everything else | | | |
Propagation of IDs for socket operations
description | done |
---|---|
everything else | |
Access checks within kernel
description | done |
---|---|
everything else | |
Need many more propagations for file access permissions across all filesystems. Need propagations and access checks for sockets.
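The issue above asks for two things: the rules that govern how a thread may change its own real/effective/saved/fs IDs, and the access check a filesystem must perform once those IDs are plumbed down to it. The block below is an added example (not Mystikos code) that models both in plain C so the semantics can be checked offline. The `cred_t`/`inode_t` types and the `do_setresuid`, `do_setfsuid` and `permission_check` functions are hypothetical names; the privilege check is simplified to "effective uid 0" because the capabilities mentioned above are not modelled.

```c
/* Added example, not Mystikos code. Models a thread's credential set and the
 * classic Unix DAC check a libos applies in its filesystem layer.
 * All type and function names here are hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <sys/stat.h>
#include <sys/types.h>

#define MAX_GROUPS 32

typedef struct {
    uid_t ruid, euid, suid, fsuid;   /* real, effective, saved, filesystem uid */
    gid_t rgid, egid, sgid, fsgid;   /* same four for gids */
    size_t ngroups;
    gid_t groups[MAX_GROUPS];        /* supplementary groups */
} cred_t;

typedef struct {
    uid_t uid;
    gid_t gid;
    mode_t mode;                     /* file type bits + permission bits */
} inode_t;

/* Request mask bits match the x/w/r bit layout of a permission triad. */
#define MAY_EXEC  1
#define MAY_WRITE 2
#define MAY_READ  4

/* Group membership for access checks uses fsgid plus supplementary groups. */
static bool in_group(const cred_t* c, gid_t g)
{
    if (c->fsgid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Classic Unix DAC: pick the owner/group/other triad by fsuid/fsgid (not euid),
 * then require every requested bit. fsuid 0 stands in for CAP_DAC_OVERRIDE
 * (simplification): it bypasses everything except exec on a non-directory
 * with no x bit set. Returns 0 or -EACCES. */
int permission_check(const cred_t* c, const inode_t* ino, int mask)
{
    mode_t mode = ino->mode;
    if (c->fsuid == 0) {
        if ((mask & MAY_EXEC) && !S_ISDIR(mode) && !(mode & 0111))
            return -EACCES;
        return 0;
    }
    if (c->fsuid == ino->uid)
        mode >>= 6;                  /* owner triad */
    else if (in_group(c, ino->gid))
        mode >>= 3;                  /* group triad */
    /* otherwise the "other" triad is already in the low three bits */
    return (((int)mode & 7 & mask) == (mask & 7)) ? 0 : -EACCES;
}

/* setresuid(2) rules: an unprivileged caller may leave each ID alone (-1) or
 * set it only to one of its current real/effective/saved uids; all three are
 * validated before any is changed. "Privileged" is modelled as euid == 0.
 * When the effective uid changes, the fs uid follows it. Returns 0 or -EPERM. */
int do_setresuid(cred_t* c, uid_t ruid, uid_t euid, uid_t suid)
{
    uid_t old[3]  = { c->ruid, c->euid, c->suid };
    uid_t want[3] = { ruid, euid, suid };
    if (c->euid != 0) {
        for (int i = 0; i < 3; i++) {
            if (want[i] == (uid_t)-1)
                continue;
            if (want[i] != old[0] && want[i] != old[1] && want[i] != old[2])
                return -EPERM;
        }
    }
    if (ruid != (uid_t)-1) c->ruid = ruid;
    if (euid != (uid_t)-1) c->euid = euid;
    if (suid != (uid_t)-1) c->suid = suid;
    c->fsuid = c->euid;
    return 0;
}

/* setfsuid(2) never reports failure: it always returns the previous fsuid,
 * so a caller must compare the returned value with what it asked for to
 * detect a rejected change. An unprivileged caller may only pick one of its
 * current real/effective/saved/fs uids. */
uid_t do_setfsuid(cred_t* c, uid_t uid)
{
    uid_t old = c->fsuid;
    if (c->euid == 0 || uid == c->ruid || uid == c->euid ||
        uid == c->suid || uid == c->fsuid)
        c->fsuid = uid;
    return old;
}
```

Two details worth carrying into a real implementation: the access check keys on fsuid/fsgid rather than euid/egid, which is why the fs IDs exist at all, and the supplementary group list must reach the filesystem layer or group-readable files will be wrongly denied. The `setfsuid` return-value quirk is a standard source of privilege-dropping bugs, so tests should assert on the returned value, not just the call succeeding.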
#261 implements get and set APIs with propagation through to lower layers to enable LTP tests for these APIs
An initial check-in is complete with the set/get ID syscalls, and the enabling of most of the tests relevant to those APIs. A few require fork, which we don't have yet. Future work is to plumb IDs through to the lower layers of filesystems to do access checks, the same for sockets, and to implement access checks within other syscalls that are required.
Please update the status. @paulcallen
No (or very few) changes since the initial check-in.