-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rework shared memory in light of revocation and explicit mmap permissions #2225
base: dev
Are you sure you want to change the base?
Commits on Sep 27, 2024
-
Configuration menu - View commit details
-
Copy full SHA for 3943ea7 - Browse repository at this point
Copy the full SHA 3943ea7View commit details -
cheribsdtest: prefer mmap(MAP_SHARED) to minherit(INHERIT_SHARE)
While here, explicitly request PROT_CAP permissions. In purecap compilations of the test suite we store a full capability for faulting addresses and thus need the ability to share them.
Configuration menu - View commit details
-
Copy full SHA for c41bc99 - Browse repository at this point
Copy the full SHA c41bc99View commit details -
cheribsdtest: make vm_shm_open_anon_unix_surprise worse
Alter the child side to use MAP_PRIVATE which can still leak capabilities into the address space, just not back the other way.
Configuration menu - View commit details
-
Copy full SHA for 7b2c630 - Browse repository at this point
Copy the full SHA 7b2c630View commit details -
cheribsdtest: better error handling in vm_shm_open_anon_unix_surprise
Differentiate between system calls failing (e.g., due to ABI changes) and tags being transfered. Syscalls wrapped with cheribsdtest CHERI/VERIFY macros exit with EX_SOFTWARE where success or tag transfer now returns 0 or 1 respectively.
Configuration menu - View commit details
-
Copy full SHA for ced1e56 - Browse repository at this point
Copy the full SHA ced1e56View commit details -
libsysdecode: add sysdecode_shm_open_flags
This uses a new shm_open_flags table which is positively defined to the list of allowed flags as the majority of open(2) flags don't apply to shm_open(2) or memfd_create(2). This will permit shm-specific O_ flags which reuse otherwise irrelevant values (e.g., O_DIRECTORY or O_EXEC) to avoid consuming scarce O_ values.
Configuration menu - View commit details
-
Copy full SHA for b18edf8 - Browse repository at this point
Copy the full SHA b18edf8View commit details -
posix shm: rework capability support
In order to preserve provenance and prevent colluding proceses from hiding capabilities from the revoker, we must not share capabilities across address spaces. However, doing so is often useful and some existing code makes use of of this functionality in relatively safe ways. As a compromise, allow sharing, but only if the programmer makes their intent clear by making the following changes: - Require that PROT_CAP be requested explicitly in mmap to allow load or store of capabilities. - By default, attach each share memory object to the first address space (vmspace) that opens it and allow only that address space to map the object with PROT_CAP. On fork, remove capability permissions from the mapping. - Add an O_SHARECAP flag for shm_open2 (aka shm_open and memfd_create) which allows sharing capabilities across address spaces, overriding the default.
Configuration menu - View commit details
-
Copy full SHA for fdaf7b3 - Browse repository at this point
Copy the full SHA fdaf7b3View commit details -
Allow vm entries to be created with VM_INHERIT_NONE. To be used in a future commit which maps objects during a revocation pass.
Configuration menu - View commit details
-
Copy full SHA for 9cd8a64 - Browse repository at this point
Copy the full SHA 9cd8a64View commit details -
posix shm: revoke local objects
During revocation, map all local shm objects into the address space to ensure that they are scanned even when they are not (fully) mapped. Mappings created with O_SHARECAP aren't mapped as revocation on them is unreliable by design. I had originally envisioned a model were we maintained a mapping of only pages not currently mapped in the address space, but the required bookkeeping seems quite complex and there isn't obvious machinery to handle it.
Configuration menu - View commit details
-
Copy full SHA for 8b9adac - Browse repository at this point
Copy the full SHA 8b9adacView commit details -
Rework MAP_ANON|MAP_SHARED and shmat cap support
mmap(..., MAP_ANON|MAP_SHARED, ...): Require PROT_CAP explicitly to enable capability support in shared, anonymous mappings. When specified, set the MAP_SHARECAP cow flag which causes a backing object to be allocated and the OBJ_SHARECAP flag set to allow sharing capabilities across address spaces. shmat: Always set OBJ_SHARECAP on SysV shared memory objects. Use of them is straightforwardly auditable. We might want to add an explict SHM_SHARECAP flag at some point rather than making this universal, but shmat is probably best left in the dustbin of history.
Configuration menu - View commit details
-
Copy full SHA for 2f64b49 - Browse repository at this point
Copy the full SHA 2f64b49View commit details
Commits on Oct 1, 2024
-
CheriABI: mostly disallow post-fork sharing via minherit(). Developers should use mmap and MAP_SHARED instead. Do allow no-op reqests and sharing of mappings that either have no capabilities or where objects have the OBJ_SHARECAP flag.
Configuration menu - View commit details
-
Copy full SHA for 2671dad - Browse repository at this point
Copy the full SHA 2671dadView commit details