CHERIABI_VMMAP -> SW_VMEM

Rename to CHERI_PERM_SW_VMEM and make CHERI_PERM_CHERIABI_VMMAP expand
to include a warning to give out-of-tree users a chance to migrate
before removing the old define.

This permission applies to both the mmap family of APIs and shmdt so
VMMAP is not the right name. Additionally, the permission isn't strictly
tied to CheriABI (in a hybrid world were not all of VA is part of DDC,
we would want to use this permission for the APIs that manage VA outside
DDC.)

Resolves #1062

bin/cheribsdtest/cheribsdtest_registers.c

@@ -227,10 +227,10 @@ check_initreg_code(void * __capability c)
 		cheribsdtest_failure_errx("perms %jx (system_regs present)", v);
 
 	if ((v & CHERI_PERMS_SWALL) !=
-	    (CHERI_PERMS_SWALL & ~CHERI_PERM_CHERIABI_VMMAP))
+	    (CHERI_PERMS_SWALL & ~CHERI_PERM_SW_VMEM))
 		cheribsdtest_failure_errx("swperms %jx (expected swperms %x)",
 		    v & CHERI_PERMS_SWALL,
-		    (CHERI_PERMS_SWALL & ~CHERI_PERM_CHERIABI_VMMAP));
+		    (CHERI_PERMS_SWALL & ~CHERI_PERM_SW_VMEM));
 
 	/* Check that the raw permission bits match the kernel header: */
 	if (v != CHERI_CAP_USER_CODE_PERMS)
@@ -272,10 +272,10 @@ check_initreg_data_full_addrspace(void * __capability c)
 
 	/* Permissions. */
 	v = cheri_getperm(c);
-	if (v != (CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_CHERIABI_VMMAP))
+	if (v != (CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_SW_VMEM))
 		cheribsdtest_failure_errx("perms %jx (expected %jx)", v,
 		    (uintmax_t)CHERI_CAP_USER_DATA_PERMS |
-		    CHERI_PERM_CHERIABI_VMMAP);
+		    CHERI_PERM_SW_VMEM);
 
 	/*
 	 * More overt tests for permissions that should -- or should not -- be
@@ -373,10 +373,10 @@ CHERIBSDTEST(test_initregs_stack_user_perms,
 
 	v = cheri_getperm(cheri_getstack());
 	if ((v & CHERI_PERMS_SWALL) !=
-	    (CHERI_PERMS_SWALL & ~CHERI_PERM_CHERIABI_VMMAP))
+	    (CHERI_PERMS_SWALL & ~CHERI_PERM_SW_VMEM))
 		cheribsdtest_failure_errx("swperms %jx (expected swperms %x)",
 		    v & CHERI_PERMS_SWALL,
-		    (CHERI_PERMS_SWALL & ~CHERI_PERM_CHERIABI_VMMAP));
+		    (CHERI_PERMS_SWALL & ~CHERI_PERM_SW_VMEM));
 	cheribsdtest_success();
 }
 

bin/cheribsdtest/cheribsdtest_vm.c

@@ -992,8 +992,8 @@ CHERIBSDTEST(cheribsdtest_vm_reservation_mmap_fixed_insert,
 	    PROT_MAX(PROT_READ | PROT_WRITE), MAP_GUARD, -1, 0));
 	CHERIBSDTEST_VERIFY2(cheri_gettag(map) != 0,
 	    "mmap failed to return valid capability");
-	CHERIBSDTEST_VERIFY2(cheri_getperm(map) & CHERI_PERM_CHERIABI_VMMAP,
-	    "mmap failed to return capability with CHERIABI_VMMAP perm");
+	CHERIBSDTEST_VERIFY2(cheri_getperm(map) & CHERI_PERM_SW_VMEM,
+	    "mmap failed to return capability with VMEM perm");
 
 	CHERIBSDTEST_CHECK_SYSCALL(mmap((char *)(map) + PAGE_SIZE, PAGE_SIZE,
 	    PROT_READ | PROT_WRITE, MAP_ANON | MAP_FIXED, -1, 0));
@@ -1019,16 +1019,16 @@ CHERIBSDTEST(cheribsdtest_vm_reservation_mmap_fixed_insert_noperm,
 	    PROT_MAX(PROT_READ | PROT_WRITE), MAP_GUARD, -1, 0));
 	CHERIBSDTEST_VERIFY2(cheri_gettag(map) != 0,
 	    "mmap failed to return valid capability");
-	CHERIBSDTEST_VERIFY2(cheri_getperm(map) & CHERI_PERM_CHERIABI_VMMAP,
-	    "mmap failed to return capability with CHERIABI_VMMAP perm");
+	CHERIBSDTEST_VERIFY2(cheri_getperm(map) & CHERI_PERM_SW_VMEM,
+	    "mmap failed to return capability with VMEM perm");
 
-	not_enough_perm = cheri_andperm(map, ~CHERI_PERM_CHERIABI_VMMAP);
+	not_enough_perm = cheri_andperm(map, ~CHERI_PERM_SW_VMEM);
 	map2 = mmap((char *)(not_enough_perm) + PAGE_SIZE, PAGE_SIZE,
 	    PROT_READ | PROT_WRITE, MAP_ANON | MAP_FIXED, -1, 0);
 	CHERIBSDTEST_VERIFY2(map2 == MAP_FAILED,
-	    "mmap fixed with capability missing VM_MAP perms succeeds");
+	    "mmap fixed with capability missing VMEM perm succeeds");
 	CHERIBSDTEST_VERIFY2(errno == EACCES,
-	    "mmap fixed with capability missing VM_MAP perms failed "
+	    "mmap fixed with capability missing VMEM perm failed "
 	    "with %d instead of EACCES", errno);
 
 	cheribsdtest_success();

contrib/jemalloc/include/jemalloc/internal/jemalloc_internal_macros.h

@@ -118,7 +118,7 @@ JEMALLOC_DIAGNOSTIC_DISABLE_SPURIOUS
 #define	BOUND_PTR(ptr, size)						\
     ((ptr == NULL) ? NULL :						\
 	 cheri_andperm(cheri_setboundsexact((ptr), (size)),		\
-	     CHERI_PERMS_USERSPACE_DATA & ~CHERI_PERM_CHERIABI_VMMAP))
+	     CHERI_PERMS_USERSPACE_DATA & ~CHERI_PERM_SW_VMEM))
 
 /*
  * XXX-BD: In theory this poses an overflow risk.  Its overflow

lib/libc/gen/tls_malloc.c

@@ -76,7 +76,7 @@
 #define	cheri_setbounds(ptr, size)	((void *)(ptr))
 #define	cheri_andperm(ptr, size)	((void *)(ptr))
 #define	CHERI_PERMS_USERSPACE_DATA	0
-#define	CHERI_PERM_CHERIABI_VMMAP	0
+#define	CHERI_PERM_SW_VMEM		0
 #endif
 
 static spinlock_t tls_malloc_lock = _SPINLOCK_INITIALIZER;
@@ -222,7 +222,7 @@ bound_ptr(void *mem, size_t nbytes)
 
 	ptr = cheri_setbounds(mem, nbytes);
 	ptr = cheri_andperm(ptr,
-	    CHERI_PERMS_USERSPACE_DATA & ~CHERI_PERM_CHERIABI_VMMAP);
+	    CHERI_PERMS_USERSPACE_DATA & ~CHERI_PERM_SW_VMEM);
 	return (ptr);
 }
 
@@ -367,7 +367,7 @@ find_overhead(void * cp)
 	 *  - Point somewhere before us and within the current pagepool.
 	 */
 	if (cheri_gettag(op->ov_next) &&
-	    (cheri_getperm(op->ov_next) & CHERI_PERM_CHERIABI_VMMAP) != 0) {
+	    (cheri_getperm(op->ov_next) & CHERI_PERM_SW_VMEM) != 0) {
 		vaddr_t base, pp_base;
 
 		pp_base = cheri_getbase(op);

lib/libmalloc_simple/malloc.c

@@ -127,7 +127,7 @@ bound_ptr(void *mem, size_t nbytes)
 
 	ptr = cheri_setbounds(mem, nbytes);
 	ptr = cheri_andperm(ptr,
-	    CHERI_PERMS_USERSPACE_DATA & ~CHERI_PERM_CHERIABI_VMMAP);
+	    CHERI_PERMS_USERSPACE_DATA & ~CHERI_PERM_SW_VMEM);
 	return (ptr);
 }
 
@@ -301,7 +301,7 @@ find_overhead(void * cp)
 	 *  - Point somewhere before us and within the current pagepool.
 	 */
 	if (cheri_gettag(op->ov_next) &&
-	    (cheri_getperm(op->ov_next) & CHERI_PERM_CHERIABI_VMMAP) != 0) {
+	    (cheri_getperm(op->ov_next) & CHERI_PERM_SW_VMEM) != 0) {
 		vaddr_t base, pp_base;
 
 		pp_base = cheri_getbase(op);

sys/arm64/cheri/cheri_machdep.c

@@ -58,7 +58,7 @@ cheri_init_capabilities(void * __capability kroot)
 	ctemp = cheri_setaddress(kroot, CHERI_CAP_USER_DATA_BASE);
 	ctemp = cheri_setbounds(ctemp, CHERI_CAP_USER_DATA_LENGTH);
 	ctemp = cheri_andperm(ctemp, CHERI_CAP_USER_DATA_PERMS |
-	    CHERI_CAP_USER_CODE_PERMS | CHERI_PERM_CHERIABI_VMMAP);
+	    CHERI_CAP_USER_CODE_PERMS | CHERI_PERM_SW_VMEM);
 	userspace_root_cap = ctemp;
 
 	ctemp = cheri_setaddress(kroot, CHERI_SEALCAP_USERSPACE_BASE);
@@ -93,7 +93,7 @@ hybridabi_thread_setregs(struct thread *td, unsigned long entry_addr)
 
 	/* Set DDC to full user privilege. */
 	tf->tf_ddc = (uintcap_t)cheri_capability_build_user_rwx(
-	    CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_CHERIABI_VMMAP,
+	    CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_SW_VMEM,
 	    CHERI_CAP_USER_DATA_BASE, CHERI_CAP_USER_DATA_LENGTH,
 	    CHERI_CAP_USER_DATA_OFFSET);
 

sys/arm64/include/cherireg.h

@@ -102,7 +102,7 @@
 #define	CHERI_PERMS_USERSPACE						\
 	(CHERI_PERM_GLOBAL | CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP |	\
 	CHERI_PERM_BRANCH_SEALED_PAIR |					\
-	(CHERI_PERMS_SWALL & ~CHERI_PERM_CHERIABI_VMMAP))
+	(CHERI_PERMS_SWALL & ~CHERI_PERM_SW_VMEM))
 
 #define	CHERI_PERMS_USERSPACE_CODE					\
 	(CHERI_PERMS_USERSPACE | CHERI_PERM_EXECUTE |			\

sys/cheri/cherireg.h

@@ -60,8 +60,13 @@
  * the page mapping underlying a capability.  This can't be the same
  * permission bit as CHERI_PERM_SYSCALL because $pcc should not confer the
  * right rewrite or remap executable memory.
+ *
+ * This permission was historically named CHERI_PERM_CHERIABI_VMMAP.
  */
-#define	CHERI_PERM_CHERIABI_VMMAP		CHERI_PERM_SW1
+#define	CHERI_PERM_SW_VMEM			CHERI_PERM_SW1
+#define	CHERI_PERM_CHERIABI_VMMAP \
+    _Pragma("GCC warning \"CHERI_PERM_CHERIABI_VMMAP is deprecated, use CHERI_PERM_SW_VMEM\"") \
+    CHERI_PERM_SW_VMEM
 
 /*
  * Definition for a highly privileged kernel capability able to name the

sys/dev/pci/pci_user.c

@@ -1000,7 +1000,7 @@ pci_bar_mmap(device_t pcidev, struct pci_bar_mmap *pbm)
 		if ((pbm->pbm_flags & PCIIO_BAR_MMAP_FIXED) == 0)
 			return (EPROT);
 		if ((cheri_getperm(pbm->pbm_map_base) &
-		    CHERI_PERM_CHERIABI_VMMAP) == 0)
+		    CHERI_PERM_SW_VMEM) == 0)
 			return (EACCES);
 	} else {
 		if (!cheri_is_null_derived(pbm->pbm_map_base))

sys/kern/imgact_elf.c

@@ -1723,7 +1723,7 @@ __elfN(freebsd_copyout_auxargs)(struct image_params *imgp, uintcap_t base)
 	 * setting bounds.  Needs VMMAP so relro pages can be made RO.
 	 */
 	AUXARGS_ENTRY_PTR(pos, AT_PHDR, cheri_setaddress(prog_cap(imgp,
-	    CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_CHERIABI_VMMAP),
+	    CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_SW_VMEM),
 	    args->phdr));
 #else
 	AUXARGS_ENTRY(pos, AT_PHDR, args->phdr);

sys/kern/sysv_shm.c

@@ -408,7 +408,7 @@ sys_shmdt(struct thread *td, struct shmdt_args *uap)
 	 */
 	if (shmaddr != NULL &&
 	    (!cheri_gettag(shmaddr) || cheri_getsealed(shmaddr) ||
-	    (cheri_getperm(shmaddr) & CHERI_PERM_CHERIABI_VMMAP) == 0))
+	    (cheri_getperm(shmaddr) & CHERI_PERM_SW_VMEM) == 0))
 		return (EPROT);
 #endif
 	return (kern_shmdt(td, shmaddr));
@@ -631,7 +631,7 @@ sys_shmat(struct thread *td, struct shmat_args *uap)
 	 */
 	if (!cheri_is_null_derived(shmaddr) &&
 	    (!cheri_gettag(shmaddr) || cheri_getsealed(shmaddr) ||
-	    (cheri_getperm(shmaddr) & CHERI_PERM_CHERIABI_VMMAP) == 0))
+	    (cheri_getperm(shmaddr) & CHERI_PERM_SW_VMEM) == 0))
 		return (EPROT);
 #endif
 	return (kern_shmat(td, uap->shmid, shmaddr, uap->shmflg));

sys/mips/cheri/cheri.c

@@ -127,7 +127,7 @@ cheri_init_capabilities(void * __capability kroot)
 	ctemp = cheri_setaddress(kroot, CHERI_CAP_USER_DATA_BASE);
 	ctemp = cheri_setbounds(ctemp, CHERI_CAP_USER_DATA_LENGTH);
 	ctemp = cheri_andperm(ctemp, CHERI_CAP_USER_DATA_PERMS |
-	    CHERI_CAP_USER_CODE_PERMS | CHERI_PERM_CHERIABI_VMMAP);
+	    CHERI_CAP_USER_CODE_PERMS | CHERI_PERM_SW_VMEM);
 	userspace_root_cap = ctemp;
 
 	ctemp = cheri_setaddress(kroot, CHERI_SEALCAP_KERNEL_BASE);

sys/mips/cheri/hybridabi_machdep.c

@@ -38,7 +38,7 @@ void * __capability
 hybridabi_user_ddc(void)
 {
 	return (cheri_capability_build_user_rwx(
-	    CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_CHERIABI_VMMAP,
+	    CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_SW_VMEM,
 	    CHERI_CAP_USER_DATA_BASE, CHERI_CAP_USER_DATA_LENGTH,
 	    CHERI_CAP_USER_DATA_OFFSET));
 }

sys/mips/include/cherireg.h

@@ -103,14 +103,14 @@
  * and CHERI_PERM_STORE_LOCAL_CAP will be added for data permissions ($ddc).
  *
  * All user software permissions are included along with
- * CHERI_PERM_SYSCALL.  CHERI_PERM_CHERIABI_VMMAP will be added for
+ * CHERI_PERM_SYSCALL.  CHERI_PERM_SW_VMEM will be added for
  * permissions returned from mmap().
  *
  * No variation required between 256-bit and 128-bit CHERI.
  */
 #define	CHERI_PERMS_USERSPACE						\
 	(CHERI_PERM_GLOBAL | CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP |	\
-	CHERI_PERM_CCALL | (CHERI_PERMS_SWALL & ~CHERI_PERM_CHERIABI_VMMAP))
+	CHERI_PERM_CCALL | (CHERI_PERMS_SWALL & ~CHERI_PERM_SW_VMEM))
 
 #define	CHERI_PERMS_USERSPACE_CODE					\
 	(CHERI_PERMS_USERSPACE | CHERI_PERM_EXECUTE)

sys/mips/mips/locore.S

@@ -181,7 +181,7 @@ VECTOR(_locore, unknown)
 	csetoffset	CHERI_REG_C27, CHERI_REG_C27, t0
 	REG_LI	t0, CHERI_CAP_USER_DATA_LENGTH
 	csetbounds	CHERI_REG_C27, CHERI_REG_C27, t0
-	REG_LI	t0, CHERI_CAP_USER_DATA_PERMS | CHERI_CAP_USER_CODE_PERMS | CHERI_PERM_CHERIABI_VMMAP
+	REG_LI	t0, CHERI_CAP_USER_DATA_PERMS | CHERI_CAP_USER_CODE_PERMS | CHERI_PERM_SW_VMEM
 	candperm	CHERI_REG_C27, CHERI_REG_C27, t0
 	PTR_LA	t0, _C_LABEL(userspace_root_cap)
 	csc	CHERI_REG_C27, t0, 0($ddc)

sys/riscv/cheri/cheri_machdep.c

@@ -58,7 +58,7 @@ cheri_init_capabilities(void * __capability kroot)
 	ctemp = cheri_setaddress(kroot, CHERI_CAP_USER_DATA_BASE);
 	ctemp = cheri_setbounds(ctemp, CHERI_CAP_USER_DATA_LENGTH);
 	ctemp = cheri_andperm(ctemp, CHERI_CAP_USER_DATA_PERMS |
-	    CHERI_CAP_USER_CODE_PERMS | CHERI_PERM_CHERIABI_VMMAP);
+	    CHERI_CAP_USER_CODE_PERMS | CHERI_PERM_SW_VMEM);
 	userspace_root_cap = ctemp;
 
 	ctemp = cheri_setaddress(kroot, CHERI_SEALCAP_USERSPACE_BASE);
@@ -88,7 +88,7 @@ hybridabi_thread_setregs(struct thread *td, unsigned long entry_addr)
 
 	/* Set DDC to full user privilege. */
 	tf->tf_ddc = (uintcap_t)cheri_capability_build_user_rwx(
-	    CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_CHERIABI_VMMAP,
+	    CHERI_CAP_USER_DATA_PERMS | CHERI_PERM_SW_VMEM,
 	    CHERI_CAP_USER_DATA_BASE, CHERI_CAP_USER_DATA_LENGTH,
 	    CHERI_CAP_USER_DATA_OFFSET);
 

sys/riscv/include/cherireg.h

@@ -101,12 +101,12 @@
  * and CHERI_PERM_STORE_LOCAL_CAP will be added for data permissions ($dcc).
  *
  * All user software permissions are included along with
- * CHERI_PERM_SYSCALL.  CHERI_PERM_CHERIABI_VMMAP will be added for
+ * CHERI_PERM_SYSCALL.  CHERI_PERM_SW_VMEM will be added for
  * permissions returned from mmap().
  */
 #define	CHERI_PERMS_USERSPACE						\
 	(CHERI_PERM_GLOBAL | CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP |	\
-	CHERI_PERM_CCALL | (CHERI_PERMS_SWALL & ~CHERI_PERM_CHERIABI_VMMAP))
+	CHERI_PERM_CCALL | (CHERI_PERMS_SWALL & ~CHERI_PERM_SW_VMEM))
 
 #define	CHERI_PERMS_USERSPACE_CODE					\
 	(CHERI_PERMS_USERSPACE | CHERI_PERM_EXECUTE)

sys/vm/vm_mmap.c

@@ -345,7 +345,7 @@ sys_mmap(struct thread *td, struct mmap_args *uap)
 	if (cheri_gettag(uap->addr)) {
 		if ((flags & MAP_FIXED) == 0)
 			return (EPROT);
-		else if ((cheri_getperm(uap->addr) & CHERI_PERM_CHERIABI_VMMAP))
+		else if ((cheri_getperm(uap->addr) & CHERI_PERM_SW_VMEM))
 			source_cap = uap->addr;
 		else
 			return (EACCES);
@@ -987,7 +987,7 @@ sys_munmap(struct thread *td, struct munmap_args *uap)
 #if __has_feature(capabilities)
 	if (cap_covers_pages(uap->addr, uap->len) == 0)
 		return (EPROT);
-	if ((cheri_getperm(uap->addr) & CHERI_PERM_CHERIABI_VMMAP) == 0)
+	if ((cheri_getperm(uap->addr) & CHERI_PERM_SW_VMEM) == 0)
 		return (EPROT);
 #endif
 
@@ -1073,7 +1073,7 @@ sys_mprotect(struct thread *td, struct mprotect_args *uap)
 #if __has_feature(capabilities)
 	if (cap_covers_pages(uap->addr, uap->len) == 0)
 		return (EPROT);
-	if ((cheri_getperm(uap->addr) & CHERI_PERM_CHERIABI_VMMAP) == 0)
+	if ((cheri_getperm(uap->addr) & CHERI_PERM_SW_VMEM) == 0)
 		return (EPROT);
 #endif
 
@@ -1149,7 +1149,7 @@ sys_minherit(struct thread *td, struct minherit_args *uap)
 #if __has_feature(capabilities)
 	if (cap_covers_pages(uap->addr, uap->len) == 0)
 		return (EPROT);
-	if ((cheri_getperm(uap->addr) & CHERI_PERM_CHERIABI_VMMAP) == 0)
+	if ((cheri_getperm(uap->addr) & CHERI_PERM_SW_VMEM) == 0)
 		return (EPROT);
 #endif
 	return (kern_minherit(td, (uintptr_t)(uintcap_t)uap->addr, uap->len,
@@ -1202,10 +1202,10 @@ sys_madvise(struct thread *td, struct madvise_args *uap)
 
 	/*
 	 * MADV_FREE may change the page contents so require
-	 * CHERI_PERM_CHERIABI_VMMAP.
+	 * CHERI_PERM_SW_VMEM.
 	 */
 	if (uap->behav == MADV_FREE &&
-	    (cheri_getperm(uap->addr) & CHERI_PERM_CHERIABI_VMMAP) == 0)
+	    (cheri_getperm(uap->addr) & CHERI_PERM_SW_VMEM) == 0)
 		return (EPROT);
 #endif