c18n: Add ELF note controls for compartmentalisation

And teach readelf about it.
CTSRD-CHERI · Mar 21, 2024 · e7ddc4a · e7ddc4a
1 parent a7d415a
commit e7ddc4a
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 0 deletions.
diff --git a/contrib/elftoolchain/readelf/readelf.c b/contrib/elftoolchain/readelf/readelf.c
@@ -3814,6 +3814,8 @@ static struct flag_desc note_feature_ctl_flags[] = {
 	{ NT_FREEBSD_FCTL_LA48,			"LA48" },
 	{ NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE,	"CHERI_REVOKE_DISABLE" },
 	{ NT_FREEBSD_FCTL_CHERI_REVOKE_ENABLE,	"CHERI_REVOKE_ENABLE" },
+	{ NT_FREEBSD_FCTL_CHERI_C18N_DISABLE,	"CHERI_C18N_DISABLE" },
+	{ NT_FREEBSD_FCTL_CHERI_C18N_ENABLE,	"CHERI_C18N_ENABLE" },
 	{ 0, NULL }
 };
 

diff --git a/sys/kern/imgact_elf.c b/sys/kern/imgact_elf.c
@@ -1849,11 +1849,17 @@ __elfN(freebsd_copyout_auxargs)(struct image_params *imgp, uintcap_t base)
 	 * ELF_BSDF_CHERI_C18N tells the runtime linker to enable library-based
 	 * compartmentalisation.
 	 *
+	 * Precedence: procctl, ELF note.
 	 * In case of conflicting flags, disable wins.
 	 */
 	if ((imgp->proc->p_flag2 & P2_CHERI_C18N_MASK) != 0) {
 		if ((imgp->proc->p_flag2 & P2_CHERI_C18N_DISABLE) == 0)
 			bsdflags |= ELF_BSDF_CHERI_C18N;
+	} else if ((imgp->proc->p_fctl0 &
+	    NT_FREEBSD_FCTL_CHERI_C18N_MASK) != 0) {
+		if ((imgp->proc->p_fctl0 &
+		    NT_FREEBSD_FCTL_CHERI_C18N_DISABLE) == 0)
+			bsdflags |= ELF_BSDF_CHERI_C18N;
 	}
 #endif
 #if defined(__ELF_CHERI) && defined(CHERI_CAPREVOKE)

diff --git a/sys/sys/elf_common.h b/sys/sys/elf_common.h
@@ -816,10 +816,14 @@ typedef struct {
 #define	NT_FREEBSD_FCTL_WXNEEDED	0x00000008
 #define	NT_FREEBSD_FCTL_LA48		0x00000010
 #define	NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE	0x00000020 /* was ASG_DISABLE */
+#define	NT_FREEBSD_FCTL_CHERI_C18N_DISABLE	0x20000000
+#define	NT_FREEBSD_FCTL_CHERI_C18N_ENABLE	0x40000000
 #define	NT_FREEBSD_FCTL_CHERI_REVOKE_ENABLE	0x80000000
 
 #define NT_FREEBSD_FCTL_CHERI_REVOKE_MASK \
     (NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE | NT_FREEBSD_FCTL_CHERI_REVOKE_ENABLE)
+#define	NT_FREEBSD_FCTL_CHERI_C18N_MASK	\
+    (NT_FREEBSD_FCTL_CHERI_C18N_DISABLE | NT_FREEBSD_FCTL_CHERI_C18N_ENABLE)
 
 /* Values for n_type.  Used in core files. */
 #define	NT_PRSTATUS	1	/* Process status. */

diff --git a/usr.bin/elfctl/elfctl.c b/usr.bin/elfctl/elfctl.c
@@ -72,6 +72,10 @@ static struct ControlFeatures featurelist[] = {
 	    "Force Enable CHERI revocation" },
 	{ "nocherirevoke", NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE,
 	    "Force Disable CHERI revocation" },
+	{ "cheric18n", NT_FREEBSD_FCTL_CHERI_C18N_ENABLE,
+	    "Force Enable CHERI library-based compartmentalisation" },
+	{ "nocheric18n", NT_FREEBSD_FCTL_CHERI_C18N_DISABLE,
+	    "Force Disable CHERI library-based compartmentalisation" },
 };
 
 static struct option long_opts[] = {