From 31f08ab11cdef0ab1123ff3c8eebb90148c1693b Mon Sep 17 00:00:00 2001 From: Dmitrii Kuvaiskii Date: Tue, 9 Feb 2021 05:29:33 -0800 Subject: [PATCH] [GSC] Always use absolute paths inside the Docker container Previously, some GSC templates and scripts that execute inside Docker containers contained relative file paths. This led to failures if a base Docker image contained WORKDIR different from root (`/`), since all GSC scripts put Graphene-related files under root dir. Signed-off-by: Dmitrii Kuvaiskii --- Tools/gsc/finalize_manifest.py | 2 +- .../templates/Dockerfile.ubuntu18.04.build.template | 13 +++++++------ Tools/gsc/templates/apploader.template | 6 +++--- Tools/gsc/templates/entrypoint.manifest.template | 4 ++-- 4 files changed, 13 insertions(+), 12 deletions(-) diff --git a/Tools/gsc/finalize_manifest.py b/Tools/gsc/finalize_manifest.py index 01ddc8cc2b..697103fea9 100755 --- a/Tools/gsc/finalize_manifest.py +++ b/Tools/gsc/finalize_manifest.py @@ -84,7 +84,7 @@ def main(args=None): if not os.path.isdir(args.dir): argparser.error(f'\t[from inside Docker container] Could not find directory `{args.dir}`.') - env = jinja2.Environment(loader=jinja2.FileSystemLoader('.')) + env = jinja2.Environment(loader=jinja2.FileSystemLoader('/')) env.globals.update({'library_paths': generate_library_paths(), 'env_path': os.getenv('PATH')}) manifest = 'entrypoint.manifest' diff --git a/Tools/gsc/templates/Dockerfile.ubuntu18.04.build.template b/Tools/gsc/templates/Dockerfile.ubuntu18.04.build.template index cdac1cdd12..83cc472631 100644 --- a/Tools/gsc/templates/Dockerfile.ubuntu18.04.build.template +++ b/Tools/gsc/templates/Dockerfile.ubuntu18.04.build.template @@ -56,17 +56,18 @@ COPY entrypoint.manifest / # Generate trusted arguments if required {% if not insecure_args %} -RUN /graphene/Tools/argv_serializer {{binary}} {{binary_arguments}} "{{"\" \"".join(cmd)}}" > trusted_argv +RUN /graphene/Tools/argv_serializer {{binary}} {{binary_arguments}} "{{"\" \"".join(cmd)}}" > /trusted_argv {% endif %} # Docker entrypoint/cmd typically contains only the basename of the executable so create a symlink -RUN which {{binary}} | xargs ln -s || true +RUN cd / \ + && which {{binary}} | xargs ln -s || true # Mark apploader.sh executable, finalize manifest, and remove intermediate scripts -RUN chmod u+x apploader.sh \ - && python3 -B finalize_manifest.py \ - && rm -f finalize_manifest.py +RUN chmod u+x /apploader.sh \ + && python3 -B /finalize_manifest.py \ + && rm -f /finalize_manifest.py # Define default command -ENTRYPOINT ["/bin/bash", "./apploader.sh"] +ENTRYPOINT ["/bin/bash", "/apploader.sh"] CMD [{% if insecure_args %} "{{'", "'.join(cmd)}}" {% endif %}] diff --git a/Tools/gsc/templates/apploader.template b/Tools/gsc/templates/apploader.template index 818005139d..29311c956c 100644 --- a/Tools/gsc/templates/apploader.template +++ b/Tools/gsc/templates/apploader.template @@ -6,8 +6,8 @@ set -ex if [ -z "$GSC_PAL" ] || [ "$GSC_PAL" == "Linux-SGX" ] then GSC_PAL=Linux-SGX - /graphene/python/graphene-sgx-get-token -output entrypoint.token -sig entrypoint.sig - /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init entrypoint {% if insecure_args %}{{binary_arguments}} "${@}"{% endif %} + /graphene/python/graphene-sgx-get-token -output /entrypoint.token -sig /entrypoint.sig + /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init /entrypoint {% if insecure_args %}{{binary_arguments}} "${@}"{% endif %} else - /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init entrypoint {{binary_arguments}} "${@}" + /graphene/Runtime/pal-$GSC_PAL /graphene/Runtime/libpal-$GSC_PAL.so init /entrypoint {{binary_arguments}} "${@}" fi diff --git a/Tools/gsc/templates/entrypoint.manifest.template b/Tools/gsc/templates/entrypoint.manifest.template index f83207dcbd..ab2f191e5b 100644 --- a/Tools/gsc/templates/entrypoint.manifest.template +++ b/Tools/gsc/templates/entrypoint.manifest.template @@ -21,8 +21,8 @@ sgx.nonpie_binary = 1 loader.arg0_override = "{{binary}}" loader.insecure__use_cmdline_argv = 1 {% else %} -loader.argv_src_file = "file:trusted_argv" -sgx.trusted_files.trusted_argv = "file:trusted_argv" +loader.argv_src_file = "file:/trusted_argv" +sgx.trusted_files.trusted_argv = "file:/trusted_argv" {% endif %} # All trusted files and the user defined manifest specifications should be after this line