Living without fdpass / SCM_RIGHTS

Dengler, Gabriel gabriel.dengler at fau.de
Tue Jan 10 01:22:03 UTC 2023


Hello everyone,

I wanted to run Dovecot inside Gramine [1]. Gramine is a tool to let 
normal Linux binaries run with the help of the Intel Software Guard 
Extensions (SGX) technology [2] in a secure enclave to which the 
operating system doesn't have access.

Most parts of Dovecot now run fine, however, Dovecot uses the SCM_RIGHTS 
flag for the sendmsg system call to exchange file descriptors over Unix 
sockets [3]. Normally, this feature is available in every Unix, but in 
Gramine, this is currently not supported [4]. So, according to the logs, 
the authentication works, but after that, the imap-login process cannot 
exchange the file descriptor with the imap process.

Therefore I wanted to ask if there is a possibility to make Dovecot work 
without this feature or if this would need fundamental changes in the 
code structure.

Thanks for your help in advance!

Best regards,
Gabriel

References:
[1] https://gramineproject.io/
[2] https://de.wikipedia.org/wiki/Software_Guard_Extensions
[3] https://github.com/dovecot/core/blob/main/src/lib/fdpass.c#L128
[4] https://github.com/gramineproject/gramine/discussions/1013#discussioncomment-4571427

