squash! [LibOS] Add support for timerfd system calls

!TODO: use below commit msg: [LibOS] Add support for timerfd system calls This commit adds support for system calls that create and operate on a timer that delivers timer expiration notifications via a file descriptor, specifically: `timerfd_create()`, `timerfd_settime()` and `timerfd_gettime()`. The timerfd object is associated with a dummy eventfd created on the host to trigger notifications (e.g., in epoll). The object is created inside Gramine, with all its operations resolved entirely inside Gramine (note that the time source in Gramine SGX is still untrusted). The emulation is currently implemented at the level of a single process. All timerfds created in the parent process are marked as invalid in child processes. In multi-process applications, Gramine does not exit immediately after fork; it only exits if the application attempts to use timerfds in the child. Therefore, inter-process timing signals via timerfds are not allowed. LibOS regression tests are also added. Signed-off-by: Kailun Qin <[email protected]>
gramineproject · Aug 13, 2024 · dd9d90c · dd9d90c
1 parent 7223726
commit dd9d90c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/Documentation/devel/features.md b/Documentation/devel/features.md
@@ -2881,10 +2881,10 @@ of Service (DoS) attacks. `TFD_TIMER_CANCEL_ON_SET` is silently ignored because
 "discontinuous changes of time" in Gramine (via e.g., `settimeofday()`). `TFD_IOC_SET_TICKS` is not
 supported.
 
-The emulation is currently implemented at the level of a single process. The emulation *may* work
-for multi-process applications, e.g., if the child process inherits the timerfd object but doesn't
-use it. However, all timerfds created in the parent process are marked as invalid in child
-processes, i.e. inter-process timing signals via timerfds are not allowed.
+The emulation is currently implemented at the level of a single process. All timerfds created in the
+parent process are marked as invalid in child processes. In multi-process applications, Gramine does
+not exit immediately after fork; it only exits if the application attempts to use timerfds in the
+child. Therefore, inter-process timing signals via timerfds are not allowed.
 
 Gramine does *not* currently implement the POSIX per-process timer: `timer_create()`, etc. Gramine
 could implement it in the future, if need arises.

diff --git a/libos/src/sys/libos_timerfd.c b/libos/src/sys/libos_timerfd.c
@@ -12,10 +12,10 @@
  * the host. Since the host is used purely for notifications, a malicious host can only induce
  * Denial of Service (DoS) attacks.
  *
- * The emulation is currently implemented at the level of a single process. The emulation *may* work
- * for multi-process applications, e.g., if the child process inherits the timerfd object but
- * doesn't use it. However, all timerfds created in the parent process are marked as invalid in
- * child processes, i.e. inter-process timing signals via timerfds are not allowed.
+ * The emulation is currently implemented at the level of a single process. All timerfds created in
+ * the parent process are marked as invalid in child processes. In multi-process applications,
+ * Gramine does not exit immediately after fork; it only exits if the application attempts to use
+ * timerfds in the child. Therefore, inter-process timing signals via timerfds are not allowed.
  *
  * The host's eventfd object is "dummy" and used purely for notifications -- to unblock blocking
  * read/select/poll/epoll system calls. The read notify logic is already hardened, by