Pipe/Socketpair Protection

The use of file-descriptor pairs created with pipe/pipe2 or socketpair can be restricted in one of three ways: denying their use entirely, allowing only simple event notification, or allowing any message to be sent. This feature is available starting with SCONE 7.0.

By default simple event notification is allowed.

Configuration

The following configuration options are available.

Value         Description
deny          Deny usage completely. Calling pipe/pipe2 or socketpair returns EACCES.
allow-events  Allow the pair to be used for delivering notification events by repeatedly sending a specific byte (taken from the first message sent on the pair). Any subsequent message that contains additional data is blocked. This heuristic is applied to the write end of each file-descriptor pair and is enforced for the following writing syscalls: write, sendto, writev, sendmsg, and sendmmsg.
allow         Permits unrestricted use of pipe/socketpair (legacy behavior).
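To make the allow-events heuristic concrete, here is an added user-space model of the rule described in the table. It is not SCONE's own code, and details the page leaves open (how a multi-byte first message is treated, and that writev/sendmsg buffers are checked as one byte sequence) are assumptions made here.

```c
/* Added example: a model of the "allow-events" write check, not SCONE's code.
 * Assumption: the event byte is the first byte of the first message, and every
 * byte of every message (including the first) must equal it. */
#include <stddef.h>
#include <sys/uio.h>

/* State tracked per write end of a pipe/socketpair. */
struct pair_state {
    int have_event_byte;       /* set once the first message has been seen */
    unsigned char event_byte;  /* the byte taken from the first message */
};

/* Decide whether one write of the given iovec array would be allowed.
 * Returns 1 if allowed, 0 if blocked. Models write, writev and sendmsg
 * alike, since each delivers one byte sequence to the pair. */
int allow_events_check(struct pair_state *st, const struct iovec *iov, int iovcnt)
{
    for (int i = 0; i < iovcnt; i++) {
        const unsigned char *p = iov[i].iov_base;
        for (size_t j = 0; j < iov[i].iov_len; j++) {
            if (!st->have_event_byte) {
                /* First byte of the first message defines the event byte. */
                st->event_byte = p[j];
                st->have_event_byte = 1;
            } else if (p[j] != st->event_byte) {
                return 0; /* message carries data other than the event byte */
            }
        }
    }
    return 1;
}

/* Convenience wrapper for a plain write(2)-style buffer. */
int allow_events_write(struct pair_state *st, const void *buf, size_t len)
{
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    return allow_events_check(st, &iov, 1);
}

/* Replays a constructed sequence of writes and returns how many were blocked.
 * Expected: only the "hello" write is blocked, so the result is 1. */
int demo_blocked_writes(void)
{
    struct pair_state st = {0};
    int blocked = 0;
    blocked += !allow_events_write(&st, "\x01", 1);      /* defines event byte */
    blocked += !allow_events_write(&st, "\x01\x01", 2);  /* repeated event: ok */
    blocked += !allow_events_write(&st, "hello", 5);     /* real payload: blocked */
    blocked += !allow_events_write(&st, "\x01", 1);      /* events still ok */
    return blocked;
}
```

The practical consequence for policy authors: a pair that must carry real data (for example a child process's output) needs allow, while a pair that only wakes up a waiting thread works under the default allow-events.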

The protection can be configured through environment variables defined within the policy of a confidential application.

Variable          Description
SCONE_PIPE        Determines the mode of operation of file-descriptor pairs created with pipe/pipe2. Allowed values are deny, allow-events, and allow. The default is allow-events.
SCONE_SOCKETPAIR  Determines the mode of operation of file-descriptor pairs created with socketpair. Allowed values are deny, allow-events, and allow. The default is allow-events.

Example 1

The following configuration example allows unrestricted use of pipe/pipe2 and restricts socketpair to event notification:

(...)
services:
   - name: my_service
     mrenclaves: [$MRENCLAVE]
     environment:
        - SCONE_PIPE="allow"
        - SCONE_SOCKETPAIR="allow-events"
(...)

Example 2

In this configuration example we deny the usage of pipe/pipe2 and socketpair entirely:

(...)
services:
   - name: my_service
     mrenclaves: [$MRENCLAVE]
     environment:
        - SCONE_PIPE="deny"
        - SCONE_SOCKETPAIR="deny"
(...)