Allow enclave-host communication via a UDS created in the host

[jxyang]

The current Unix Domain Socket (UDS), a.k.a, AF_LOCAL, allows communication inside the enclave only. Kubernest allows a UDS created by a daemon to be mapped into a pod and communicate with containers inside it. The path to the UDS is specified in the job description yaml file.

We should further map the UDS path into the enclave so the enclave application could communicate with, e.g., write logs to, the outside world. We can minimize the security implications by whitelisting the UDS path in config.json.

[vtikoo]

Is the socket created on the host? UDS as implemented allows IPC only between processes within Mystikos.

[jxyang]

Is the socket created on the host? UDS as implemented allows IPC only between processes within Mystikos.

Yes. UDS in this case is created by a Kubernetes daemon.

[mikbras]

Maybe we can write down some assumptions about the use case.

• is the Mystikos app a client or a server
• if the Mystikos app is a server does it attempt to create a UDS path with mknod or with bind?
• if the Mystikos app does a mknod(), then this feature will be used in conjunction with mounting of hostfs.