clearlinux/graphene
2
0
Fork 0
mirror of https://github.com/clearlinux/graphene.git synced 2026-06-29 09:25:59 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
7e3d9ac87e715543d0cf7f13986485302cc3f94f
graphene/Examples/python-scipy-insecure/python.manifest.template
T
Michał Kowalczyk 7e3d9ac87e [Pal] Protect argv from untrusted world
2020-06-16 03:18:47 +02:00

111 lines
4.1 KiB
Plaintext
Raw Blame History

# Python3 manifest example
#
# This manifest was prepared and tested on Ubuntu 16.04.
#
# Python must be run with the pal_loader:
#
# ./pal_loader python.manifest <script>
# The executable to load in Graphene. By default, PYTHONHOME points to the
# system installation. To run Python from a local installation, specify PYTHONHOME
# when running `make` in this directory.
loader.exec = file:$(PYTHONEXEC)
# Graphene environment, including the path of the library OS and the debug
# option (inline/none).
loader.preload = file:$(GRAPHENEDIR)/Runtime/libsysdb.so
loader.debug_type = $(GRAPHENEDEBUG)
# Read application arguments directly from the command line. Don't use this on production!
loader.insecure__use_cmdline_argv = 1
# Environment variables for Python
loader.env.LD_LIBRARY_PATH = $(PYTHONHOME)/lib:/lib:$(ARCH_LIBDIR):/usr/lib:/usr/$(ARCH_LIBDIR)
loader.env.PATH = $(PYTHONHOME)/bin:/usr/bin:/bin
loader.env.PYTHONHOME = $(PYTHONHOME)
loader.env.PYTHONPATH = $(PYTHONHOME):$(PYTHONHOME)/plat-$(SYS):$(PYTHONDISTHOME):$(PYTHONHOME)/lib-dynload
# Mounted FSes. The following "chroot" FSes mount a part of the host FS into the
# guest. Other parts of the host FS will not be available in the guest.
# Default glibc files, mounted from the Runtime directory in GRAPHENEDIR.
fs.mount.lib.type = chroot
fs.mount.lib.path = /lib
fs.mount.lib.uri = file:$(GRAPHENEDIR)/Runtime
# Host-level libraries (e.g., /lib/x86_64-linux-gnu) required by the Python executable
fs.mount.lib2.type = chroot
fs.mount.lib2.path = $(ARCH_LIBDIR)
fs.mount.lib2.uri = file:$(ARCH_LIBDIR)
# Host-level directory (/usr) required by the Python executable
fs.mount.usr.type = chroot
fs.mount.usr.path = /usr
fs.mount.usr.uri = file:/usr
# Mount $PYTHONHOME
fs.mount.pyhome.type = chroot
fs.mount.pyhome.path = $(PYTHONHOME)
fs.mount.pyhome.uri = file:$(PYTHONHOME)
# Mount $PYTHONDISTHOME
fs.mount.pydisthome.type = chroot
fs.mount.pydisthome.path = $(PYTHONDISTHOME)
fs.mount.pydisthome.uri = file:$(PYTHONDISTHOME)
# Mount /tmp
fs.mount.tmp.type = chroot
fs.mount.tmp.path = /tmp
fs.mount.tmp.uri = file:/tmp
# Mount /etc
fs.mount.etc.type = chroot
fs.mount.etc.path = /etc
fs.mount.etc.uri = file:/etc
# Graphene general options
# Graphene creates stacks of 256KB by default. It is not enough for SciPy/NumPy
# packages, e.g., libopenblas dependency assumes more than 512KB-sized stacks.
sys.stack.size = 2M
# SGX general options
# Set the virtual memory size of the SGX enclave. For SGX v1, the enclave
# size must be specified during signing. If Python needs more virtual memory
# than the enclave size, Graphene will not be able to allocate it.
sgx.enclave_size = 1G
# Set the maximum number of enclave threads. For SGX v1, the number of enclave
# TCSes must be specified during signing, so the application cannot use more
# threads than the number of TCSes. Note that Graphene also creates an internal
# thread for handling inter-process communication (IPC), and potentially another
# thread for asynchronous events. Therefore, the actual number of threads that
# the application can create is (sgx.thread_num - 2).
sgx.thread_num = 32
# SGX trusted libraries
# Glibc libraries
sgx.trusted_files.ld = file:$(GRAPHENEDIR)/Runtime/ld-linux-x86-64.so.2
sgx.trusted_files.libc = file:$(GRAPHENEDIR)/Runtime/libc.so.6
sgx.trusted_files.libm = file:$(GRAPHENEDIR)/Runtime/libm.so.6
sgx.trusted_files.libdl = file:$(GRAPHENEDIR)/Runtime/libdl.so.2
sgx.trusted_files.librt = file:$(GRAPHENEDIR)/Runtime/librt.so.1
sgx.trusted_files.libutil = file:$(GRAPHENEDIR)/Runtime/libutil.so.1
sgx.trusted_files.libpthread = file:$(GRAPHENEDIR)/Runtime/libpthread.so.0
# Other libraries
sgx.trusted_files.libz = file:$(ARCH_LIBDIR)/libz.so.1
sgx.trusted_files.libbz2 = file:$(ARCH_LIBDIR)/libbz2.so.1.0
sgx.trusted_files.liblzma = file:$(ARCH_LIBDIR)/liblzma.so.5
sgx.trusted_files.libexpat = file:$(ARCH_LIBDIR)/libexpat.so.1
$(PYTHON_TRUSTED_LIBS)
# SGX untrusted (allowed) files/directories
sgx.allowed_files.scripts = file:scripts
sgx.allowed_files.tmp = file:/tmp
sgx.allowed_files.etc = file:/etc
sgx.allowed_files.pyhome = file:$(PYTHONHOME)
sgx.allowed_files.pydisthome = file:$(PYTHONDISTHOME)
Reference in New Issue View Git Blame Copy Permalink