From 32e6af3c36c71456cdc16c161caac4c87fd80ca4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
Date: Mon, 9 Jun 2025 13:29:32 +0100
Subject: [PATCH] Adapt qgs.service for SELinux policy and sock perms
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changes to qgs.service to make it more amenable to writing a strict SELinux policy. Also add patch to allow control over socket perms so QEMU can get access to the socket.
Related: https://issues.redhat.com/browse/RHELPLAN-171792
Signed-off-by: Daniel P. Berrangé
---
 ...rop-use-of-bundled-pre-built-openssl.patch | 4 +-
 ...mprove-debuggability-of-build-system.patch | 4 +-
 ...me-setting-of-enclave-load-directory.patch | 4 +-
 ...ed-sgx_urts-library-in-PCKRetrievalT.patch | 4 +-
 0104-Don-t-import-pypac-in-pccsadmin.patch | 4 +-
 ...-PCKRetrievalTool-config-file-in-etc.patch | 4 +-
 ...XFLAGS-LDFLAGS-for-various-tools-and.patch | 4 +-
 ...tween-program-name-first-arg-in-usag.patch | 4 +-
 ...nst-format-strings-in-QL-log-message.patch | 4 +-
 ...d-debug-parameter-to-control-logging.patch | 12 +-
 ...-leftover-debugging-print-args-state.patch | 6 +-
 ...sion-for-libsgx_qe3_logic.so-library.patch | 6 +-
 0112-Workaround-broken-GCC-15.patch | 6 +-
 ...-Don-t-disable-cf-protection-for-qgs.patch | 6 +-
 ...ecks-for-GCC-version-that-break-fsta.patch | 6 +-
 ...se-distro-provided-rapidjson-package.patch | 6 +-
 0116-Don-t-stomp-on-VERBOSE-variable.patch | 6 +-
 ...-MODE-parameter-for-UNIX-socket-mode.patch | 103 ++++++++++++++++++
 linux-sgx.spec | 3 +-
 qgs.service | 8 +-
 qgs.sysconfig | 1 +
 21 files changed, 153 insertions(+), 52 deletions(-)
 create mode 100644 0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch

diff --git a/0100-Drop-use-of-bundled-pre-built-openssl.patch b/0100-Drop-use-of-bundled-pre-built-openssl.patch
index 6e4e61a..cbf7d78 100644
--- a/0100-Drop-use-of-bundled-pre-built-openssl.patch
+++ b/0100-Drop-use-of-bundled-pre-built-openssl.patch
@@ -1,7 +1,7 @@
 From d70390caa01c88dd681e6ce68f850d26a33bb838 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Mon, 26 Feb 2024 12:19:51 +0000
-Subject: [PATCH 100/116] Drop use of bundled pre-built openssl
+Subject: [PATCH 100/117] Drop use of bundled pre-built openssl
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -188,5 +188,5 @@ index a20a3cd..c8e1d01 100644
 debug:
 $(PCKCERTSEL_VERBOSE)$(MAKE) DEBUG=1 all
 -- 
-2.48.1
+2.49.0
diff --git a/0101-Improve-debuggability-of-build-system.patch b/0101-Improve-debuggability-of-build-system.patch
index 295414e..c5c871b 100644
--- a/0101-Improve-debuggability-of-build-system.patch
+++ b/0101-Improve-debuggability-of-build-system.patch
@@ -1,7 +1,7 @@
 From b4d3b1401e16a557bcba1fe02b525bd5c26ee532 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Fri, 1 Mar 2024 12:05:01 +0000
-Subject: [PATCH 101/116] Improve debuggability of build system
+Subject: [PATCH 101/117] Improve debuggability of build system
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -128,5 +128,5 @@ index fba7f43..5979699 100644
 .PHONY: qal
 qal:
 -- 
-2.48.1
+2.49.0
diff --git a/0102-Support-build-time-setting-of-enclave-load-directory.patch b/0102-Support-build-time-setting-of-enclave-load-directory.patch
index bffa974..eea8b4f 100644
--- a/0102-Support-build-time-setting-of-enclave-load-directory.patch
+++ b/0102-Support-build-time-setting-of-enclave-load-directory.patch
@@ -1,7 +1,7 @@
 From edcd2d044a8e20cf8d2e1cebba7f74f2573c9ae5 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Mon, 26 Feb 2024 12:19:51 +0000
-Subject: [PATCH 102/116] Support build time setting of enclave load directory
+Subject: [PATCH 102/117] Support build time setting of enclave load directory
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -259,5 +259,5 @@ index d9c2bac..1065949 100644
 App_Link_Flags += -lcurl -ldl -lpthread
 ifeq ($(STANDALONE), 1)
 -- 
-2.48.1
+2.49.0
diff --git a/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch b/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
index 079f3dc..c9f6b57 100644
--- a/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
+++ b/0103-Look-for-versioned-sgx_urts-library-in-PCKRetrievalT.patch
@@ -1,7 +1,7 @@
 From 3cbab8069678b15276d7a8d2d0c7aa34532ad4af Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Tue, 27 Feb 2024 15:46:41 +0000
-Subject: [PATCH 103/116] Look for versioned sgx_urts library in
+Subject: [PATCH 103/117] Look for versioned sgx_urts library in
 PCKRetrievalTool
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -40,5 +40,5 @@ index d77a6eb..d195717 100644
 }
 #endif
 -- 
-2.48.1
+2.49.0
diff --git a/0104-Don-t-import-pypac-in-pccsadmin.patch b/0104-Don-t-import-pypac-in-pccsadmin.patch
index 0e94942..dbe5e30 100644
--- a/0104-Don-t-import-pypac-in-pccsadmin.patch
+++ b/0104-Don-t-import-pypac-in-pccsadmin.patch
@@ -1,7 +1,7 @@
 From 2609841a9ddedd4c3f22778bff0aa399ce6d4f9a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Tue, 27 Feb 2024 20:28:24 +0000
-Subject: [PATCH 104/116] Don't import pypac in pccsadmin
+Subject: [PATCH 104/117] Don't import pypac in pccsadmin
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -29,5 +29,5 @@ index 9f1d224..af1e78e 100644
 from lib.intelsgx.credential import Credentials
 from requests.adapters import HTTPAdapter
 -- 
-2.48.1
+2.49.0
diff --git a/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch b/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
index c8fda25..8155454 100644
--- a/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
+++ b/0105-Look-for-PCKRetrievalTool-config-file-in-etc.patch
@@ -1,7 +1,7 @@
 From eb1018b10a5adedcdc1ae3cf8f5d8be6de5b7d6d Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Thu, 29 Feb 2024 14:21:36 +0000
-Subject: [PATCH 105/116] Look for PCKRetrievalTool config file in /etc/
+Subject: [PATCH 105/117] Look for PCKRetrievalTool config file in /etc/
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -39,5 +39,5 @@ index e423f38..36f219b 100644
 if(strnlen(local_configuration_file_path ,MAX_PATH)+strnlen(LOCAL_NETWORK_SETTING,MAX_PATH)+sizeof(char) > MAX_PATH) {
 return false;
 -- 
-2.48.1
+2.49.0
diff --git a/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch b/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
index 4d232ed..8436fa0 100644
--- a/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
+++ b/0106-Honour-CFLAGS-CXXFLAGS-LDFLAGS-for-various-tools-and.patch
@@ -1,7 +1,7 @@
 From c1773ce8ab60a0d887a52b821de28d6fd996b7f4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Fri, 28 Mar 2025 16:00:27 +0000
-Subject: [PATCH 106/116] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
+Subject: [PATCH 106/117] Honour CFLAGS/CXXFLAGS/LDFLAGS for various tools and
 libraries
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -205,5 +205,5 @@ index 4937fe9..83aefee 100644
 LDFLAGS += '-Wl,-rpath,$$ORIGIN'
 CXXFLAGS += '-DSTANDALONE'
 -- 
-2.48.1
+2.49.0
diff --git a/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch b/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
index 61db7f3..52ec735 100644
--- a/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
+++ b/0107-qgs-add-space-between-program-name-first-arg-in-usag.patch
@@ -1,7 +1,7 @@
 From a74ede38e306ff82ddbaf094d6148dc1bf9e524c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Thu, 3 Oct 2024 14:42:29 +0100
-Subject: [PATCH 107/116] qgs: add space between program name & first arg in
+Subject: [PATCH 107/117] qgs: add space between program name & first arg in
 usage
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -35,5 +35,5 @@ index 478dbfe..3618b5a 100644
 exit(1);
 }
 -- 
-2.48.1
+2.49.0
diff --git a/0108-qgs-protect-against-format-strings-in-QL-log-message.patch b/0108-qgs-protect-against-format-strings-in-QL-log-message.patch
index d75bdee..efb8b4f 100644
--- a/0108-qgs-protect-against-format-strings-in-QL-log-message.patch
+++ b/0108-qgs-protect-against-format-strings-in-QL-log-message.patch
@@ -1,7 +1,7 @@
 From 1e760dc7a67d601121b625e0d2bd7b2fe8b7b042 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Fri, 4 Oct 2024 09:43:17 +0100
-Subject: [PATCH 108/116] qgs: protect against format strings in QL log
+Subject: [PATCH 108/117] qgs: protect against format strings in QL log
 messages
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -35,5 +35,5 @@ index 77838c3..1e97b58 100644
 }
 -- 
-2.48.1
+2.49.0
diff --git a/0109-qgs-add-debug-parameter-to-control-logging.patch b/0109-qgs-add-debug-parameter-to-control-logging.patch
index 9c512b7..f637a94 100644
--- a/0109-qgs-add-debug-parameter-to-control-logging.patch
+++ b/0109-qgs-add-debug-parameter-to-control-logging.patch
@@ -1,7 +1,7 @@
-From ddd7a6a15ed433b1bd75c620f3c075609d5f3c94 Mon Sep 17 00:00:00 2001
+From d43ef4cac2c2c022b89b0938be71a9b36b9a1923 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Thu, 3 Oct 2024 16:57:35 +0100
-Subject: [PATCH 109/116] qgs: add --debug parameter to control logging
+Subject: [PATCH 109/117] qgs: add --debug parameter to control logging
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -90,7 +90,7 @@ index 1e97b58..db642f7 100644
 QGS_LOG_WARN("Failed to set logging callback for the quote provider library.\n");
 }
 diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
-index 3618b5a..a65a985 100644
+index 3618b5a..47f6c26 100644
 --- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
 +++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
 @@ -75,7 +75,7 @@ int main(int argc, const char* argv[])
@@ -106,10 +106,10 @@ index 3618b5a..a65a985 100644
 << endl;
 no_daemon = true;
 continue;
-+ } else if (strcmp(argv[i], "--debug") == 0) {
++ } else if (strcmp(argv[i], "--debug") == 0) {
 + qgs_verbose = qgs_debug = true;
 + continue;
-+ } else if (strcmp(argv[i], "--verbose") == 0) {
++ } else if (strcmp(argv[i], "--verbose") == 0) {
 + qgs_verbose = true;
 + continue;
 } else if (strncmp(argv[i], "-p=", 3 ) == 0) {
@@ -125,5 +125,5 @@ index 3618b5a..a65a985 100644
 exit(1);
 }
 -- 
-2.48.1
+2.49.0
diff --git a/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch b/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
index aa25999..473cfd6 100644
--- a/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
+++ b/0110-pccsadmin-remove-leftover-debugging-print-args-state.patch
@@ -1,7 +1,7 @@
-From d4fa45636b1a58cf832fd7b955ef1b3f2368d526 Mon Sep 17 00:00:00 2001
+From d375ba770975e565850ac12392bbc44807f28f75 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Tue, 8 Oct 2024 10:13:02 +0100
-Subject: [PATCH 110/116] pccsadmin: remove leftover debugging 'print(args)'
+Subject: [PATCH 110/117] pccsadmin: remove leftover debugging 'print(args)'
 statement
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -29,5 +29,5 @@ index ffee326..8e447c5 100755
 if args.command == 'put' and args.url and args.url.endswith("/appraisalpolicy"):
 if not args.fmspc or not args.input_file:
 -- 
-2.48.1
+2.49.0
diff --git a/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch b/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
index f63acb0..bf66d08 100644
--- a/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
+++ b/0111-Fix-soname-version-for-libsgx_qe3_logic.so-library.patch
@@ -1,7 +1,7 @@
-From d9b93bb6836027b94ba93980002d7f2f7cc81415 Mon Sep 17 00:00:00 2001
+From 1db2f71aead55201fcd82efa7d1ee99c9fa006b9 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Fri, 17 Jan 2025 15:39:39 +0000
-Subject: [PATCH 111/116] Fix soname version for libsgx_qe3_logic.so library
+Subject: [PATCH 111/117] Fix soname version for libsgx_qe3_logic.so library
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -51,5 +51,5 @@ index 9b8c936..c92d782 100644
 $(BUILD_DIR):
 -- 
-2.48.1
+2.49.0
diff --git a/0112-Workaround-broken-GCC-15.patch b/0112-Workaround-broken-GCC-15.patch
index a1a5bfb..54cfd14 100644
--- a/0112-Workaround-broken-GCC-15.patch
+++ b/0112-Workaround-broken-GCC-15.patch
@@ -1,7 +1,7 @@
-From a3858a707f3f37722d5b851f89cfd61bd9361343 Mon Sep 17 00:00:00 2001
+From 9c8155bb1b2928390a21408944fd876f40c281e6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Thu, 6 Feb 2025 20:08:59 +0000
-Subject: [PATCH 112/116] Workaround broken GCC 15
+Subject: [PATCH 112/117] Workaround broken GCC 15
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -36,5 +36,5 @@ index 15fbdd4..4400544 100644
 private:
 struct alignas(A)_T_instantiator_
 -- 
-2.48.1
+2.49.0
diff --git a/0113-Don-t-disable-cf-protection-for-qgs.patch b/0113-Don-t-disable-cf-protection-for-qgs.patch
index 2da50f1..40e1c88 100644
--- a/0113-Don-t-disable-cf-protection-for-qgs.patch
+++ b/0113-Don-t-disable-cf-protection-for-qgs.patch
@@ -1,7 +1,7 @@
-From 9a9cee8d5535320ab7f52388d8cd832c50bd100e Mon Sep 17 00:00:00 2001
+From c4a2855d01b06e1da960a677379c55a5b31b427c Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Wed, 2 Apr 2025 18:39:31 +0100
-Subject: [PATCH 113/116] Don't disable cf-protection for qgs
+Subject: [PATCH 113/117] Don't disable cf-protection for qgs
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -27,5 +27,5 @@ index 8228bdf..5116d85 100644
 DEPENDS = ${QGS_OBJS test_client.o:.o=.d}
 -- 
-2.48.1
+2.49.0
diff --git a/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch b/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
index 7e21e61..05b2090 100644
--- a/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
+++ b/0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
@@ -1,7 +1,7 @@
-From c765d43c957cb18c7614883b3a4043fed22b8e92 Mon Sep 17 00:00:00 2001
+From 3bcde80a8e81c6f9992085f5a924544fb6082d79 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Thu, 3 Apr 2025 17:44:48 +0100
-Subject: [PATCH 114/116] Delete broken checks for GCC version that break
+Subject: [PATCH 114/117] Delete broken checks for GCC version that break
 -fstack-protector-strong
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
@@ -201,5 +201,5 @@ index b6968c6..1d2106b 100644
 ifdef DEBUG
 COMMON_FLAGS += -O0 -ggdb -DDEBUG -UNDEBUG
 -- 
-2.48.1
+2.49.0
diff --git a/0115-Use-distro-provided-rapidjson-package.patch b/0115-Use-distro-provided-rapidjson-package.patch
index 61c8b8a..45123cc 100644
--- a/0115-Use-distro-provided-rapidjson-package.patch
+++ b/0115-Use-distro-provided-rapidjson-package.patch
@@ -1,7 +1,7 @@
-From 9588a9e5e730e31773437d96fdb1b4e8c1dfc55f Mon Sep 17 00:00:00 2001
+From e7afd8a28400d47b3864514fde5c2ce62d3937ec Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Mon, 26 Feb 2024 12:19:51 +0000
-Subject: [PATCH 115/116] Use distro provided rapidjson package
+Subject: [PATCH 115/117] Use distro provided rapidjson package
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -170,5 +170,5 @@ index c8e1d01..6f1440a 100644
 # the library shared object name
 LIB_NAME := libPCKCertSelection.a
 -- 
-2.48.1
+2.49.0
diff --git a/0116-Don-t-stomp-on-VERBOSE-variable.patch b/0116-Don-t-stomp-on-VERBOSE-variable.patch
index 57c135e..281ae8d 100644
--- a/0116-Don-t-stomp-on-VERBOSE-variable.patch
+++ b/0116-Don-t-stomp-on-VERBOSE-variable.patch
@@ -1,7 +1,7 @@
-From 35efa4bf39f88b0fe172b43e6c8ce81f4bb40dfc Mon Sep 17 00:00:00 2001
+From 224d1fe828bc4fcaa0861c3b59ddcc0c979fc2d6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
 Date: Wed, 16 Apr 2025 11:48:52 +0100
-Subject: [PATCH 116/116] Don't stomp on "VERBOSE" variable
+Subject: [PATCH 116/117] Don't stomp on "VERBOSE" variable
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@@ -97,5 +97,5 @@ index 3d474bb..0f593f5 100644
 - $(VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
 + $(CMD_VERBOSE) rm -vrf $(TARGET) $(SIGNING_MATERIAL)
 -- 
-2.48.1
+2.49.0
diff --git a/0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch b/0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch
new file mode 100644
index 0000000..399e653
--- /dev/null
+++ b/0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch
@@ -0,0 +1,103 @@
+From 8ded27dcf0c5a02c7869568bd1cafd5c2d15c0b0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?=
+Date: Fri, 2 May 2025 14:48:24 +0100
+Subject: [PATCH 117/117] qgs: add -m=MODE parameter for UNIX socket mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The UNIX socket mode default is controlled by the process umask, but it
+can be desirable to override this to open up the socket mode, while
+keeping the umask restrictive.
+
+Signed-off-by: Daniel P. Berrangé
+---
+ .../quote_wrapper/qgs/server_main.cpp | 35 +++++++++++++++++--
+ 1 file changed, 32 insertions(+), 3 deletions(-)
+
+diff --git a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+index 47f6c26..4628b18 100644
+--- a/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
++++ b/QuoteGeneration/quote_wrapper/qgs/server_main.cpp
+@@ -73,9 +73,10 @@ int main(int argc, const char* argv[])
+ bool no_daemon = false;
+ unsigned long int port = 0;
+ unsigned long int num_threads = 0;
++ unsigned long int mode = 0;
+ char *endptr = NULL;
+ if (argc > 4) {
+- cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads] [--verbose] [--debug]"
++ cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-m=unix_socket_mode] [-n=number_threads] [--verbose] [--debug]"
+ << endl;
+ exit(1);
+ }
+@@ -106,6 +107,19 @@ int main(int argc, const char* argv[])
+ }
+ cout << "port number [" << port << "] found in cmdline" << endl;
+ continue;
++ } else if (strncmp(argv[i], "-m=", 3 ) == 0) {
++ if (strspn(argv[i] + 3, "0123456789") != strlen(argv[i] + 3)) {
++ cout << "Please input valid socket mode" << endl;
++ exit(1);
++ }
++ errno = 0;
++ mode = strtoul(argv[i] + 3, &endptr, 8);
++ if (errno || strlen(endptr) || (mode > UINT_MAX) ) {
++ cout << "Please input valid socket mode" << endl;
++ exit(1);
++ }
++ cout << "socket mode [" << oct << mode << dec << "] found in cmdline" << endl;
++ continue;
+ } else if (strncmp(argv[i], "-n=", 3) == 0) {
+ if (strspn(argv[i] + 3, "0123456789") != strlen(argv[i] + 3)) {
+ cout << "Please input valid thread number" << endl;
+@@ -120,7 +134,7 @@ int main(int argc, const char* argv[])
+ cout << "thread number [" << num_threads << "] found in cmdline" << endl;
+ continue;
+ } else {
+- cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-n=number_threads] [--verbose] [--debug]"
++ cout << "Usage: " << argv[0] << " [--no-daemon] [-p=port_number] [-m=unix_socket_mode] [-n=number_threads] [--verbose] [--debug]"
+ << endl;
+ exit(1);
+ }
+@@ -129,7 +143,7 @@ int main(int argc, const char* argv[])
+
+ // Use the port number in QGS_CONFIG_FILE if no valid port number on
+ // command line
+- if (port == 0 || num_threads == 0) {
++ if (port == 0 || num_threads == 0 || mode == 0) {
+ ifstream config_file(QGS_CONFIG_FILE);
+ if (config_file.is_open()) {
+ string line;
+@@ -161,6 +175,15 @@ int main(int argc, const char* argv[])
+ << QGS_CONFIG_FILE << endl;
+ exit(1);
+ }
++ } else if (!mode && name.compare("socket_mode") == 0) {
++ errno = 0;
++ endptr = NULL;
++ mode = strtoul(value, &endptr, 8);
++ if (errno || strlen(endptr) || (mode > UINT_MAX)) {
++ cout << "Please input valid socket mode in "
++ << QGS_CONFIG_FILE << endl;
++ exit(1);
++ }
+ } else if (!num_threads && name.compare("number_threads") == 0) {
+ errno = 0;
+ endptr = NULL;
+@@ -212,6 +235,12 @@ int main(int argc, const char* argv[])
+ }
+ QGS_LOG_INFO("About to create QgsServer with num_thread = %d\n", (uint8_t)num_threads);
+ server = new QgsServer(io_service, ep, (uint8_t)num_threads);
++ /* Allow mode to be determined by umask by default,
++ * overriding only if an explicit mode is requested
++ */
++ if (!port && mode != 0) {
++ chmod(QGS_UNIX_SOCKET_FILE, mode);
++ }
+ QGS_LOG_INFO("About to start main loop\n");
+ io_service.run();
+ QGS_LOG_INFO("Quit main loop\n");
+-- 
+2.49.0
+
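Review bot: The `chmod(QGS_UNIX_SOCKET_FILE, mode);` added in the last server_main.cpp hunk discards its return value, so a failed chmod leaves the socket at its umask-derived permissions with nothing logged; `if (chmod(QGS_UNIX_SOCKET_FILE, (mode_t)mode) != 0) QGS_LOG_WARN("Failed to set mode on QGS socket\n");` would surface it. Both parsers, the `-m=` branch and the `socket_mode` config key, bound the value only with `mode > UINT_MAX`, which lets setuid, setgid and sticky bits and any larger value through to chmod(); `(mode & ~0777UL) != 0` is the tighter rejection test. The context line `if (argc > 4)` is unchanged, so at most three options are still accepted even though a fourth kind of option now exists. main() begins and ends outside these hunks, and where the socket file is created (presumably the QgsServer constructor) is not shown, so the ordering of bind and chmod cannot be checked from here.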
diff --git a/linux-sgx.spec b/linux-sgx.spec
index a416d35..b5a0726 100644
--- a/linux-sgx.spec
+++ b/linux-sgx.spec
@@ -341,6 +341,7 @@ Patch0113: 0113-Don-t-disable-cf-protection-for-qgs.patch
 Patch0114: 0114-Delete-broken-checks-for-GCC-version-that-break-fsta.patch
 #Patch0115: 0115-Use-distro-provided-rapidjson-package.patch
 Patch0116: 0116-Don-t-stomp-on-VERBOSE-variable.patch
+Patch0117: 0117-qgs-add-m-MODE-parameter-for-UNIX-socket-mode.patch
 # 0200-0299 -> against intel-sgx-ssl.git
 Patch0200: 0200-Enable-pointing-sgxssl-build-to-alternative-glibc-he.patch
@@ -1542,7 +1543,7 @@ ln -s libsgx_qe3_logic.so.1 %{buildroot}%{_libdir}/libsgx_qe3_logic.so
 %config(noreplace) %{_sysconfdir}/qgs.conf
 %{_sysusersdir}/qgs.conf
 %attr(0700,qgs,qgs) %dir %{_sharedstatedir}/qgs
-%attr(0700,qgs,qgs) %dir %{_rundir}/tdx-qgs
+%ghost %attr(0755,qgs,qgs) %dir %{_rundir}/tdx-qgs
 %files -n tdx-attest-libs
diff --git a/qgs.service b/qgs.service
index 7abd008..4be4a62 100644
--- a/qgs.service
+++ b/qgs.service
@@ -8,16 +8,12 @@ Requires=mpa_registration.service
 Type=simple
 User=qgs
 EnvironmentFile=-/etc/sysconfig/qgs
-ExecStartPre=+mkdir -p /var/run/tdx-qgs
-ExecStartPre=+chown qgs.qgs /var/run/tdx-qgs
-ExecStart=/usr/sbin/qgs --no-daemon $QGS_ARGS
-# qgs fails to delete the socket on stop and
-# won't delete it on startup either :-(
-ExecStopPost=rm -f /var/run/tdx-qgs/qgs.socket
+ExecStart=/usr/sbin/qgs --no-daemon -m=0666 $QGS_ARGS
 ExecReload=/bin/kill -SIGHUP $MAINPID
 Restart=on-failure
 RestartSec=15s
+RuntimeDirectory=tdx-qgs
 WorkingDirectory=/var/lib/qgs
 InaccessibleDirectories=/home
 DevicePolicy=closed
diff --git a/qgs.sysconfig b/qgs.sysconfig
index fe16f79..c1fcd1a 100644
--- a/qgs.sysconfig
+++ b/qgs.sysconfig
@@ -1,4 +1,5 @@
 # To enable QGS verbose mode, or debugging (implies verbose),
 # uncomment one of these:
+QGS_ARGS=
 #QGS_ARGS=--debug
 #QGS_ARGS=--verbose
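Review bot: `-m=0666` on the new ExecStart line in qgs.service lets every local account connect to the QGS socket, and the directory holding it goes from 0700 to world-traversable in the same commit (`%ghost %attr(0755,qgs,qgs)` in the linux-sgx.spec hunk, and `RuntimeDirectory=tdx-qgs` with no `RuntimeDirectoryMode=`, which systemd creates as 0755 by default). The description names QEMU as the intended client, so filesystem permissions no longer limit who can request quotes and that job falls to the SELinux policy, unless qgs checks peer credentials itself, which is not visible here. If a group shared between the qgs and QEMU accounts is practical, `-m=0660` gives the same function with a narrower grant; otherwise a comment above ExecStart such as `# 0666 is intentional: QEMU runs under another user, access is confined by SELinux policy` records the decision. Adding `RuntimeDirectoryMode=0755` explicitly would also keep the unit and the spec's %attr visibly in step. Since the flag sits before `$QGS_ARGS` and qgs rejects more than three options (`argc > 4` in patch 0117), QGS_ARGS can now hold only one option.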