From 7b256e5fa18107f009354a735713d219fc700665 Mon Sep 17 00:00:00 2001
From: Dapeng Gao
Date: Fri, 15 Mar 2024 19:45:39 +0000
Subject: [PATCH] c18n: Add sysctl controls for compartmentalisation

---
 sys/cheri/cheri.h | 3 +++
 sys/cheri/cheri_sysctl.c | 11 +++++++++++
 sys/kern/imgact_elf.c | 5 +++--
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/sys/cheri/cheri.h b/sys/cheri/cheri.h
index 313d5df034b6..f4f783b2e168 100644
--- a/sys/cheri/cheri.h
+++ b/sys/cheri/cheri.h
@@ -168,6 +168,9 @@ extern u_int security_cheri_debugger_on_sandbox_syscall;
 extern u_int security_cheri_syscall_violations;
 extern u_int security_cheri_bound_legacy_capabilities;
 extern u_int cheri_cloadtags_stride;
+#ifdef __aarch64__
+extern bool security_cheri_lib_based_c18n_default;
+#endif
 
 #ifdef __CHERI_PURE_CAPABILITY__
 /*
diff --git a/sys/cheri/cheri_sysctl.c b/sys/cheri/cheri_sysctl.c
index e8828d2fda41..0818d99caa8d 100644
--- a/sys/cheri/cheri_sysctl.c
+++ b/sys/cheri/cheri_sysctl.c
@@ -70,6 +70,17 @@ SYSCTL_INT(_security_cheri, OID_AUTO, bound_legacy_capabilities, CTLFLAG_RWTUN,
 &security_cheri_bound_legacy_capabilities, 0,
 "Set bounds on userspace capabilities created by legacy ABIs.");
 
+#ifdef __aarch64__
+/*
+ * Set the default state of library-based compartmentalisation (c18n) in
+ * userspace.
+ */
+bool security_cheri_lib_based_c18n_default = false;
+SYSCTL_BOOL(_security_cheri, OID_AUTO, lib_based_c18n_default, CTLFLAG_RWTUN,
+ &security_cheri_lib_based_c18n_default, 0,
+ "Userspace library-based compartmentalisation default");
+#endif
+
 #ifdef CHERI_CAPREVOKE
 /*
 * Set the default state of revocation in userspace. This is used to
diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
index d1d4a59ec48e..025f6442c7de 100644
--- a/sys/kern/imgact_elf.c
+++ b/sys/kern/imgact_elf.c
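Review bot: The new `lib_based_c18n_default` knob in cheri_sysctl.c is declared `CTLFLAG_RWTUN`, so it stays writable by root at any securelevel even though it sets the system-wide default for a security boundary; consider `CTLFLAG_RWTUN | CTLFLAG_SECURE` so it becomes read-only once securelevel is raised, unless the project deliberately keeps all `security.cheri.*` knobs plain RW, as the neighbouring `bound_legacy_capabilities` suggests. The description string also hides how this default interacts with the per-process and per-binary controls that the imgact_elf.c hunk gives precedence to; I would use `"Default for userspace library-based compartmentalisation (overridden per process by procctl and per binary by the ELF note)"`. The comment above the definition could state the same: the default only applies when neither procctl nor the ELF note has set a c18n flag.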
@@ -1849,7 +1849,7 @@ __elfN(freebsd_copyout_auxargs)(struct image_params *imgp, uintcap_t base)
 * ELF_BSDF_CHERI_C18N tells the runtime linker to enable library-based
 * compartmentalisation.
 *
- * Precedence: procctl, ELF note.
+ * Precedence: procctl, ELF note, system default.
 * In case of conflicting flags, disable wins.
 */
 if ((imgp->proc->p_flag2 & P2_CHERI_C18N_MASK) != 0) {
@@ -1860,7 +1860,8 @@ __elfN(freebsd_copyout_auxargs)(struct image_params *imgp, uintcap_t base)
 if ((imgp->proc->p_fctl0 & NT_FREEBSD_FCTL_CHERI_C18N_DISABLE) ==
 0)
 bsdflags |= ELF_BSDF_CHERI_C18N;
- }
+ } else if (security_cheri_lib_based_c18n_default)
+ bsdflags |= ELF_BSDF_CHERI_C18N;
 #endif
 #if defined(__ELF_CHERI) && defined(CHERI_CAPREVOKE)
 /*
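Review bot: The new `else if (security_cheri_lib_based_c18n_default)` branch reads a symbol that cheri.h declares only under `#ifdef __aarch64__`, but the `#if` that encloses this code ends at the `#endif` in the hunk with its condition outside the hunk; if that condition can hold on a non-aarch64 CHERI target the build breaks there, so either wrap the new branch in `#ifdef __aarch64__` or drop the architecture guard on the declaration and definition. The logic itself matches the updated precedence comment, since the branch is reached only when neither procctl nor the ELF note set any c18n bit, but a one-line comment before it, `/* Neither procctl nor the ELF note expressed a preference; fall back to the sysctl default. */`, would make that fall-through explicit. The enclosing `__elfN(freebsd_copyout_auxargs)` starts and ends outside the hunk.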