Ubiquitous compartmentalisation

ObsoleteFiles.inc

@@ -51,6 +51,10 @@
 #   xargs -n1 | sort | uniq -d;
 # done
 
+# 20240411: Removal of ld-elf*-c18n.so.1
+OLD_FILES+=libexec/ld-elf-c18n.so.1
+OLD_FILES+=libexec/ld-elf64cb-c18n.so.1
+
 # 20240114: Removal of geom_map(4)
 OLD_FILES+=usr/share/man/man4/geom_map.4
 

bin/cheribsdtest/Makefile.cheribsdtest

@@ -91,11 +91,7 @@ SRCS+=		cheribsdtest_tls_threads.c
 
 .ifdef CHERIBSD_C18N_TESTS
 CFLAGS+=	-DCHERIBSD_C18N_TESTS
-.if ${MACHINE_ABI:Mbenchmark}
-LDFLAGS+=	-Wl,--dynamic-linker=/libexec/ld-elf64cb-c18n.so.1
-.else
-LDFLAGS+=	-Wl,--dynamic-linker=/libexec/ld-elf-c18n.so.1
-.endif
+ELF_FEATURES+=	+cheric18n
 .endif
 
 .include <bsd.prog.mk>

bin/cheribsdtest/cheribsdtest.h

@@ -151,15 +151,6 @@ extern struct cheribsdtest_child_state *ccsp;
 #endif
 #endif
 
-#ifndef XFAIL_C18N_FPTR_CANON
-#ifdef CHERIBSD_C18N_TESTS
-#define	XFAIL_C18N_FPTR_CANON \
-    "function pointers are currently non-canonical with library-based compartmentalisation"
-#else
-#define	XFAIL_C18N_FPTR_CANON	NULL
-#endif
-#endif
-
 struct cheri_test {
 	const char	*ct_name;
 	const char	*ct_desc;

bin/cheribsdtest/cheribsdtest_fptr_canon.c

@@ -37,8 +37,7 @@
 #include "cheribsdtest.h"
 
 CHERIBSDTEST(fptr_canon_cross,
-    "Check that function pointers are canonical across objects",
-    .ct_xfail_reason = XFAIL_C18N_FPTR_CANON)
+    "Check that function pointers are canonical across objects")
 {
 	void (* volatile fptr_inside)(void);
 	void (* volatile fptr_outside)(void);
@@ -53,8 +52,7 @@ CHERIBSDTEST(fptr_canon_cross,
 }
 
 CHERIBSDTEST(fptr_canon_dlsym,
-    "Check that function pointers are canonical for dlsym",
-    .ct_xfail_reason = XFAIL_C18N_FPTR_CANON)
+    "Check that function pointers are canonical for dlsym")
 {
 	void (* volatile fptr_inside)(void);
 	void (* volatile fptr_dlsym)(void);
@@ -70,8 +68,7 @@ CHERIBSDTEST(fptr_canon_dlsym,
 }
 
 CHERIBSDTEST(fptr_canon_dlfunc,
-    "Check that function pointers are canonical for dlfunc",
-    .ct_xfail_reason = XFAIL_C18N_FPTR_CANON)
+    "Check that function pointers are canonical for dlfunc")
 {
 	void (* volatile fptr_inside)(void);
 	void (* volatile fptr_dlfunc)(void);

contrib/elftoolchain/readelf/readelf.c

@@ -3814,6 +3814,8 @@ static struct flag_desc note_feature_ctl_flags[] = {
 	{ NT_FREEBSD_FCTL_LA48,			"LA48" },
 	{ NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE,	"CHERI_REVOKE_DISABLE" },
 	{ NT_FREEBSD_FCTL_CHERI_REVOKE_ENABLE,	"CHERI_REVOKE_ENABLE" },
+	{ NT_FREEBSD_FCTL_CHERI_C18N_DISABLE,	"CHERI_C18N_DISABLE" },
+	{ NT_FREEBSD_FCTL_CHERI_C18N_ENABLE,	"CHERI_C18N_ENABLE" },
 	{ 0, NULL }
 };
 

lib/libc/aarch64/sys/Makefile.inc

@@ -4,10 +4,8 @@ SRCS+=	__vdso_gettc.c \
 	sched_getcpu_gen.c
 
 MDASM=	cerror.S \
-	syscall.S \
-	vfork.S
+	syscall.S
 
-.ifdef RTLD_SANDBOX
-SRCS+=	thr_exit.c
-PSEUDO+=	_thr_exit.o
+.ifndef RTLD_SANDBOX
+MDASM+=	vfork.S
 .endif

lib/libc/gen/posix_spawn.c

@@ -327,8 +327,12 @@ do_posix_spawn(pid_t *pid, const char *path,
 	 */
 	p = rfork_thread(RFSPAWN, stack + stacksz, _posix_spawn_thr, &psa);
 	free(stack);
+#else
+#if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
+	p = __sys_rfork(RFSPAWN);
 #else
 	p = rfork(RFSPAWN);
+#endif
 	if (p == 0)
 		/* _posix_spawn_thr does not return */
 		_posix_spawn_thr(&psa);

lib/libc/include/libc_private.h

@@ -462,6 +462,7 @@ struct __nl_cat_d *__catopen_l(const char *name, int type,
 	    struct _xlocale *locale);
 
 #if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
+__pid_t		__sys_rfork(int);
 int	sigaction_c18n(int, const struct sigaction *, struct sigaction *);
 #endif
 

lib/libc/sys/Makefile.inc

@@ -46,6 +46,11 @@ SRCS+= POSIX2x_Fork.c
 
 SRCS+=	compat-stub.c
 
+.ifdef RTLD_SANDBOX
+SRCS+=	thr_exit_c18n.c	vfork_c18n.c	rfork_c18n.c
+NOASM+=	thr_exit.o	vfork.o
+.endif
+
 INTERPOSED = \
 	accept \
 	accept4 \

lib/libc/sys/procctl.2

@@ -756,6 +756,42 @@ If the currently executed image in the process itself has revocation enabled,
 the
 .Dv PROC_CHERI_REVOKE_ACTIVE
 flag is or-ed with the value listed above.
+.It Dv PROC_CHERI_C18N_CTL
+Controls the runtime hint to enable or disable library-based
+compartmentalisation in the program images created by
+.Xr execve 2
+in the specified process or its descendants that did not either change the
+control or modify it by other means.
+The default value is controlled by the
+.Dv security.cheri.lib_based_c18n_default
+sysctl and the corresponding bit in the ELF control note, see
+.Xr elfctl 1 .
+The
+.Fa data
+parameter must point to the integer variable holding one of the following
+values:
+.Bl -tag -width PROC_CHERI_C18N_FORCE_DISABLE
+.It Dv PROC_CHERI_C18N_FORCE_ENABLE
+Request that library-based compartmentalisation is enabled by the runtime of
+newly executed processes, even if it defaults to disabled system-wide.
+.It Dv PROC_CHERI_C18N_FORCE_DISABLE
+Request that library-based compartmentalisation is disabled by the runtime of
+newly executed processes, even if it defaults to enabled system-wide.
+.It Dv PROC_CHERI_C18N_NOFORCE
+Use the system-wide configured policy for library-based compartmentalisation.
+.El
+.It Dv PROC_CHERI_C18N_STATUS
+Returns the current status of library-based compartmentalisation enablement for
+the target process.
+The
+.Fa data
+parameter must point to the integer variable, where one of the
+following values is written:
+.Bl -tag -width PROC_CHERI_C18N_FORCE_DISABLE
+.It Dv PROC_CHERI_C18N_FORCE_ENABLE
+.It Dv PROC_CHERI_C18N_FORCE_DISABLE
+.It Dv PROC_CHERI_C18N_NOFORCE
+.El
 .Sh NOTES
 Disabling tracing on a process should not be considered a security
 feature, as it is bypassable both by the kernel and privileged processes,

lib/libc/sys/rfork_c18n.c

@@ -0,0 +1,50 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2024 Dapeng Gao
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+
+#include <errno.h>
+#include <unistd.h>
+
+#include "libc_private.h"
+
+/*
+ * All rfork flags that do not cause memory-sharing between the child and the
+ * parent. Use a positive list to err on the safe side.
+ */
+#define RFFLAGS_SAFE						\
+	(RFPROC | RFNOWAIT | RFFDG | RFCFDG | RFTHREAD |	\
+	RFTSIGZMB | RFLINUXTHPN | RFTSIGFLAGS(RFTSIGMASK))
+
+pid_t
+rfork(int flags)
+{
+	if ((flags & RFFLAGS_SAFE) == flags)
+		return (__sys_rfork(flags));
+	errno = EINVAL;
+	return (-1);
+}

lib/libc/sys/sigaction.c

@@ -39,8 +39,10 @@
 /*
  * These weak symbols will always be resolved at runtime.
  */
-#pragma weak _rtld_sighandler
-void _rtld_sighandler(int, siginfo_t *, void *);
+/*
+ * XXX: Explicit function pointer used so that RTLD can wrap it in trampoline.
+ */
+extern void (*_rtld_sighandler)(int, siginfo_t *, void *);
 
 #pragma weak _rtld_sigaction_begin
 void *_rtld_sigaction_begin(int, struct sigaction *);

lib/libc/aarch64/sys/thr_exit.c → lib/libc/sys/thr_exit_c18n.c

@@ -26,14 +26,14 @@
  */
 
 #include <sys/cdefs.h>
-#include <sys/types.h>
-
-void thr_exit(long *);
 
 void _rtld_thr_exit(long *);
 
+__weak_reference(__sys_thr_exit, thr_exit);
+__weak_reference(__sys_thr_exit, _thr_exit);
+
 void
-thr_exit(long *state)
+__sys_thr_exit(long *state)
 {
 	_rtld_thr_exit(state);
 }

lib/libc/sys/vfork_c18n.c

@@ -0,0 +1,42 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2024 Dapeng Gao
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/types.h>
+
+#include "libc_private.h"
+
+__weak_reference(__sys_vfork, vfork);
+__weak_reference(__sys_vfork, _vfork);
+
+pid_t
+__sys_vfork(void)
+{
+	/*
+	 * Use the raw syscall to avoid the interposing table.
+	 */
+	return (__sys_fork());
+}

lib/libthr/thread/thr_sig.c

@@ -76,11 +76,15 @@
 /*
  * These weak symbols will always be resolved at runtime.
  */
-#pragma weak _rtld_sighandler
-void _rtld_sighandler(int, siginfo_t *, void *);
+/*
+ * XXX: Explicit function pointer used so that RTLD can wrap it in trampoline.
+ */
+extern void (*_rtld_sighandler)(int, siginfo_t *, void *);
 
-#pragma weak _rtld_dispatch_signal
-void _rtld_dispatch_signal(int, siginfo_t *, void *);
+/*
+ * XXX: Explicit function pointer used so that RTLD can wrap it in trampoline.
+ */
+extern void (*_rtld_dispatch_signal)(int, siginfo_t *, void *);
 
 #pragma weak _rtld_sigaction_begin
 void *_rtld_sigaction_begin(int, struct sigaction *);

libexec/Makefile

@@ -84,9 +84,6 @@ _tftp-proxy=	tftp-proxy
 
 .if !defined(NO_PIC) && !defined(NO_RTLD)
 _rtld-elf=	rtld-elf rtld-elf-debug
-.if ${MACHINE_ABI:Mpurecap} && ${MACHINE_CPUARCH} == "aarch64"
-SUBDIR+=	rtld-elf-c18n rtld-elf64cb-c18n
-.endif
 .for LIBCOMPAT libcompat in ${_ALL_LIBCOMPATS_libcompats}
 SUBDIR.${MK_LIB${LIBCOMPAT}}+=	rtld-elf${libcompat}
 .if exists(${.CURDIR}/rtld-elf${libcompat}-debug)

libexec/rtld-elf/Makefile

@@ -29,11 +29,15 @@ MK_UBSAN=	no
 
 .include <bsd.compat.pre.mk>
 
+.if (${MACHINE_ABI:Mpurecap} && ${MACHINE_CPUARCH} == "aarch64")
+RTLD_SANDBOX=
+.endif
+
 .ifdef RTLD_SANDBOX
 CFLAGS+=-DRTLD_SANDBOX
 .endif
 
-.if !defined(NEED_COMPAT) && !defined(RTLD_SANDBOX)
+.if !defined(NEED_COMPAT)
 CONFS=		libmap.conf
 .endif
 PROG?=		ld-elf.so.1
@@ -116,7 +120,7 @@ CFLAGS+=	-I${RTLD_ELF_DIR}/cheri
 .ifdef RTLD_SANDBOX
 SRCS+= \
 	rtld_c18n.c \
-	rtld_c18n_policy.S \
+	rtld_c18n_mi.S \
 	rtld_c18n_machdep.c \
 	rtld_c18n_asm.S
 .endif