From owner-p4-projects@FreeBSD.ORG Fri Nov 9 19:18:02 2012
Date: Fri, 9 Nov 2012 19:18:01 GMT
Message-Id: <201211091918.qA9JI1wD013395@skunkworks.freebsd.org>
From: Robert Watson
Subject: PERFORCE change 219707 for review
To: Perforce Change Reviews
List-Id: p4 projects tree changes

http://p4web.freebsd.org/@@219707?ac=10

Change 219707 by rwatson@rwatson_svr_ctsrd_mipsbuild on 2012/11/09 19:17:32

	Teach CheriBSD to check $C0 on system call enter to determine whether
	the system call is being made by a userspace sandbox.  In the future
	we will surely do something more mature, but this will be fine in the
	mean time.

Affected files ...

.. //depot/projects/ctsrd/cheribsd/src/sys/kern/subr_syscall.c#5 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri.c#7 edit
.. //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#12 edit

Differences ...

==== //depot/projects/ctsrd/cheribsd/src/sys/kern/subr_syscall.c#5 (text+ko) ==== @@ -52,6 +52,10 @@ #endif #include +#ifdef CPU_CHERI +#include +#endif + static inline int syscallenter(struct thread *td, struct syscall_args *sa) { @@ -72,6 +76,17 @@ PROC_UNLOCK(p); } else traced = 0; + +#ifdef CPU_CHERI + /* + * Constrain code that can originate system calls if userspace + * sandboxing is available. + */ + error = cheri_syscall_authorize(td); + if (error) + goto retval; +#endif + error = (p->p_sysent->sv_fetch_syscall_args)(td, sa); #ifdef KTRACE if (KTRPOINT(td, KTR_SYSCALL)) ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/cheri/cheri.c#7 (text+ko) ==== 
@@ -283,6 +283,34 @@ CHERI_REG_PRINT(c, ctag, 31); } +/* + * Only allow system calls from sandboxes that hold ambient authority in + * userspace. + */ +int +cheri_syscall_authorize(struct thread *td) +{ + struct chericap c; + + /* + * Check whether userspace holds the rights defined in + * cheri_capability_set_user() in $C0. We might also consider + * checking $PCC here. + * + * XXXRW: Possibly ENOSYS should be EPROT or ESANDBOX? + */ + intr_disable(); + CHERI_CLC(CHERI_CR_KR1C, CHERI_CR_KDC, + &td->td_pcb->pcb_cheriframe.cf_c0, 0); + CHERI_GETCAPREG(CHERI_CR_KR1C, c); + intr_enable(); + if (c.c_perms != CHERI_CAP_USER_PERMS || + c.c_base != CHERI_CAP_USER_BASE || + c.c_length != CHERI_CAP_USER_LENGTH) + return (ENOSYS); + return (0); +} + #ifdef DDB #define DB_CHERI_REG_PRINT_NUM(crn, num) do { \ struct chericap c; \ ==== //depot/projects/ctsrd/cheribsd/src/sys/mips/include/cheri.h#12 (text+ko) ==== @@ -301,6 +301,7 @@ struct cheri_frame *cf_srcp); void cheri_exec_setregs(struct thread *td); void cheri_log_exception(struct trapframe *frame, int trap_type); +int cheri_syscall_authorize(struct thread *td); #endif #endif /* _MIPS_INCLUDE_CHERI_H_ */
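Review bot: the `#ifdef CPU_CHERI` include added in the `@@ -52,6 +52,10 @@` hunk of sys/kern/subr_syscall.c makes machine-independent code depend on a machine-dependent header (the only declaration of cheri_syscall_authorize() in this change lives in sys/mips/include/cheri.h); the header name itself did not survive in this rendering, so it cannot be checked here. FreeBSD's usual pattern for MI code is to reach such symbols through <machine/...> so every architecture that defines CPU_CHERI provides them, or to hang the hook off sysent or an MD function pointer so kern/ needs no extra include at all; whichever is chosen, a one-line comment on why MI code carries a CHERI include would help the next reader.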
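Review bot: in the `@@ -72,6 +76,17 @@` hunk, cheri_syscall_authorize() runs before `sv_fetch_syscall_args` and jumps to `retval` on failure, so a rejected call never reaches the `KTRPOINT(td, KTR_SYSCALL)` record that follows the fetch and the syscall number and arguments of a sandbox's attempt are never traced. For a policy check that is expected to fire, that is the event you most want in ktrace (and audit) output; consider fetching the arguments first and authorizing afterwards, or at least logging the rejection, so that a denied sandbox call is visible rather than indistinguishable from nothing having happened. The comment says only "constrain"; it is worth stating that every system call, not a dangerous subset, is refused when $C0 is not the ambient capability, since that is what the check enforces.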
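Review bot: cheri_syscall_authorize() in the cheri.c hunk compares only c_perms, c_base and c_length of the saved $C0 and never checks that the capability is tagged, so an untagged register whose fields happen to equal CHERI_CAP_USER_PERMS/BASE/LENGTH passes the check. Clearing the tag is exactly what a sandbox can do but not undo, and an untagged value with arbitrary field contents can be manufactured by overwriting a capability in memory with integer stores and loading it back; the check should require the tag bit (this file already reads it, see `CHERI_REG_PRINT(c, ctag, 31)` in the context above) in addition to the $PCC comparison the XXXRW comment already raises. On the errno, ENOSYS is also what a sandbox sees for a genuinely unimplemented system call, which makes a policy denial indistinguishable from a missing syscall; EPERM, or the dedicated value the comment floats, would be clearer. Finally, the leading comment reads "Only allow system calls from sandboxes that hold ambient authority" while the check admits only code whose $C0 is the ambient (unsandboxed) capability; rewording it as "Only allow system calls from code holding ambient authority in userspace" removes the contradiction.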
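Review bot: the prototype added to sys/mips/include/cheri.h carries no comment on its contract, and since the caller is MI code in kern/subr_syscall.c a reader there cannot see cheri.c; a one-line note that it returns 0 to admit the call or an errno to refuse it (the caller treats any non-zero value as an error and skips argument fetch) belongs next to the declaration, alongside the neighbouring cheri_exec_setregs()/cheri_log_exception() prototypes it joins.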
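As an added illustration, not code from this change or from CheriBSD: a host-side C model of the policy the patch implements, showing which $C0 values the committed field comparison accepts, that a sandbox cannot derive its way back to the ambient capability, and that a value with the right fields but no tag passes a fields-only comparison. The struct, the MODEL_* constants and cap_restrict() are assumptions made for the model and stand in for struct chericap, CHERI_CAP_USER_PERMS/BASE/LENGTH and the CAndPerm/CSetBounds instructions; the sample capabilities are constructed here.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of a capability register as far as the syscall check is concerned.
 * Field names and permission bit values are assumptions for this model,
 * not CheriBSD's struct chericap or its CHERI_CAP_USER_* constants.
 */
struct cap {
	bool     tag;		/* valid; untrusted code can clear it, never set it */
	uint32_t perms;
	uint64_t base;
	uint64_t length;
};

#define MODEL_PERM_LOAD		0x1u
#define MODEL_PERM_STORE	0x2u
#define MODEL_PERM_EXECUTE	0x4u
#define MODEL_PERM_SEAL		0x8u

/* Ambient userspace $C0 (stand-in for CHERI_CAP_USER_PERMS/BASE/LENGTH). */
#define MODEL_USER_PERMS	(MODEL_PERM_LOAD | MODEL_PERM_STORE | \
				 MODEL_PERM_EXECUTE | MODEL_PERM_SEAL)
#define MODEL_USER_BASE		0x0ULL
#define MODEL_USER_LENGTH	0xffffffffffffffffULL

/*
 * Monotonic derivation (CAndPerm plus CSetBounds in one step): the result may
 * only hold a subset of the permissions and a sub-range of the bounds.  Real
 * hardware traps on a violation; the model returns an untagged capability.
 */
static struct cap
cap_restrict(struct cap c, uint32_t perms, uint64_t base, uint64_t length)
{
	struct cap r = c;

	if (!c.tag || (perms & ~c.perms) != 0 || base < c.base ||
	    base - c.base > c.length || length > c.length - (base - c.base)) {
		r.tag = false;
		return (r);
	}
	r.perms = perms;
	r.base = base;
	r.length = length;
	return (r);
}

/* The comparison as committed in cheri_syscall_authorize(): fields only. */
static int
authorize_fields_only(struct cap c0)
{
	if (c0.perms != MODEL_USER_PERMS || c0.base != MODEL_USER_BASE ||
	    c0.length != MODEL_USER_LENGTH)
		return (ENOSYS);
	return (0);
}

/* Same check, additionally requiring the tag to be set. */
static int
authorize_with_tag(struct cap c0)
{
	if (!c0.tag)
		return (ENOSYS);
	return (authorize_fields_only(c0));
}

/* Ambient $C0 as the kernel would install it at exec (constructed sample). */
static struct cap
make_ambient(void)
{
	struct cap c = { true, MODEL_USER_PERMS, MODEL_USER_BASE, MODEL_USER_LENGTH };
	return (c);
}

/* A sandbox's $C0: load/store only, a 64 KiB window at 1 MiB (constructed). */
static struct cap
make_sandbox(void)
{
	return (cap_restrict(make_ambient(), MODEL_PERM_LOAD | MODEL_PERM_STORE,
	    0x100000ULL, 0x10000ULL));
}

/*
 * What a sandbox can do without any capability instruction: overwrite the
 * bytes of a capability in memory with integer stores so the fields read as
 * ambient, then load it back.  The tag does not survive the integer stores.
 */
static struct cap
make_forged(void)
{
	struct cap c = { false, MODEL_USER_PERMS, MODEL_USER_BASE, MODEL_USER_LENGTH };
	return (c);
}

int
main(void)
{
	struct cap ambient = make_ambient(), sandbox = make_sandbox(),
	    forged = make_forged();

	printf("ambient: fields-only=%d with-tag=%d\n",
	    authorize_fields_only(ambient), authorize_with_tag(ambient));
	printf("sandbox: fields-only=%d with-tag=%d\n",
	    authorize_fields_only(sandbox), authorize_with_tag(sandbox));
	printf("forged:  fields-only=%d with-tag=%d\n",
	    authorize_fields_only(forged), authorize_with_tag(forged));
	/* A sandbox cannot widen its $C0 back to ambient through derivation. */
	printf("re-widened sandbox tag=%d\n", cap_restrict(sandbox,
	    MODEL_USER_PERMS, MODEL_USER_BASE, MODEL_USER_LENGTH).tag);
	return (0);
}
```

The ambient and sandbox cases behave the same under both checks; the forged case is where they differ, which is why the model keeps the tag as a separate field rather than folding it into the permissions.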