caprevoke: rework the enablement of revocation #1901
Merged
Now would be the ideal time to bike shed the names of various knobs. cc @rwatson
bsdjhb reviewed Oct 18, 2023
jrtc27 reviewed Oct 18, 2023
brooksdavis force-pushed the revocation-management branch 3 times, most recently from 91ac08b to 3a475cc on October 19, 2023 23:25
rwatson reviewed Oct 20, 2023
bsdjhb reviewed Oct 20, 2023
brooksdavis force-pushed the revocation-management branch 3 times, most recently from ff5868d to a528b3f on October 20, 2023 18:56
jrtc27 reviewed Oct 20, 2023
brooksdavis force-pushed the revocation-management branch from a528b3f to f27196c on October 20, 2023 19:02
Also "cheribsdtest: request that malloc revoking" is missing some words
brooksdavis force-pushed the revocation-management branch from f27196c to d8073d4 on October 20, 2023 19:11
jrtc27 reviewed Oct 20, 2023
AT_BSDFLAGS shouldn't be sign extended on 64-bit systems so use a uint32_t instead of an int.
Rename CHERI_REVOKE_SHADOW_NOVMMAP(_ENTIRE) to CHERI_REVOKE_SHADOW_NOVMEM(_ENTIRE) following the rename of CHERI_PERM_CHERIABI_VMMAP to CHERI_PERM_SW_VMEM in 00d71bd. Fix up a number of comments where VMMAP was still used.

Fix up a number of stale comments. This is a mix of revocation-related bits and other stale comments missed in prior sweeps.

This avoids a syscall during startup and will allow further controls via procctl and ELF note flags.

Rename security.cheri.runtime_quarantining_default to security.cheri.runtime_revocation_default. Quarantining without revocation doesn't make sense, so just refer to the latter.
Add flag bits for both enable and disable since the system default is configurable at runtime and we want to be able to express all three of enable, disable, and system-default. If both are set, disable wins.
brooksdavis force-pushed the revocation-management branch 2 times, most recently from 78337e4 to 2939b17 on October 23, 2023 14:54
Controls are tri-state as usual, allowing revocation to be forcibly enabled or disabled, or for the system default to be used.
If ELF_BSDF_CHERI_REVOKE_FORCED is set in AT_BSDFLAGS then the presence or absence of ELF_BSDF_CHERI_REVOKE was caused by explicit action from proccontrol or elfctl, not the system-wide default.
Add a weak symbol (malloc_revocation) which a program can override in order to change revocation behavior. By default, the system behavior is used, but if a symbol is provided it can be used to change the default or even completely ignore proccontrol or ELF note overrides.
We want to be able to test malloc_revoke() even if the system default is off, so request that it be turned on, but don't force it, to allow testing with revocation administratively disabled.
Generally depend on the underlying allocator for documentation of standard malloc(3) and non-standard jemalloc(3) interfaces. Document how MRS revocation can be controlled by the programmer, user, and administrator. Err on the side of providing a complete picture rather than documenting non-MRS-specific kernel bits elsewhere. Install MLINKS as appropriate for standard interfaces so users can learn about MRS.
Settle on "revoking" for public APIs. Quarantining makes no sense without revocation and other APIs generally mention revocation.
In dynamically linked programs, malloc_revoke isn't sufficiently preempted when the init() constructor is run, so it does not work. Document this to allow the rest of the patch to land.
brooksdavis force-pushed the revocation-management branch from 2939b17 to 7691622 on October 23, 2023 19:11
Implement procctl (settable with proccontrol) and ELF note (settable with elfctl) values to override the system default revocation hint. These values are now presented as a pair of flags in the AT_BSDFLAGS ELF auxargs variable. One flag indicates that revocation is enabled or disabled and the other indicates if it was set by procctl/elf note (forced) or if it is the default value. On top of these, add a malloc_quaranting weak global variable which can be set to override the global default or completely ignore management interfaces. In order of increasing precedence the priority of these options is:

- malloc_quaranting (MQ_ENABLE and MQ_DISABLE)
- malloc_quaranting (MQ_ENABLE_FORCED and MQ_DISABLE_FORCED)
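The precedence described in this PR, modelled as an added example (not CheriBSD's own code): one function stands in for the kernel folding the sysctl default and the ELF note's enable/disable bits into the two AT_BSDFLAGS bits, the other for the allocator resolving those bits against the program's weak-symbol request. The bit values, the mq_request enum and MQ_UNSET are assumptions; the placement of a plain MQ_ENABLE/MQ_DISABLE below a forced procctl/elfctl choice follows the description's "override the global default" versus "completely ignore management interfaces" wording.

```c
#include <stdbool.h>
#include <stdint.h>

/* Placeholder bit values for this example; the real ones live in CheriBSD headers. */
#define ELF_BSDF_CHERI_REVOKE         0x1u /* revocation on (clear: off) */
#define ELF_BSDF_CHERI_REVOKE_FORCED  0x2u /* set by procctl/ELF note, not the default */

/* Values a program may give the weak symbol; MQ_UNSET is a placeholder for "not provided". */
enum mq_request { MQ_UNSET = 0, MQ_ENABLE, MQ_DISABLE, MQ_ENABLE_FORCED, MQ_DISABLE_FORCED };

/*
 * Kernel side (modelled): fold the sysctl default and the ELF note's
 * enable/disable bits into AT_BSDFLAGS. Both note bits set: disable wins.
 */
uint32_t
compose_bsdflags(bool sysctl_default, bool note_enable, bool note_disable)
{
	uint32_t flags = 0;

	if (note_enable || note_disable) {
		flags |= ELF_BSDF_CHERI_REVOKE_FORCED;	/* explicit, not default */
		if (note_enable && !note_disable)
			flags |= ELF_BSDF_CHERI_REVOKE;
	} else if (sysctl_default) {
		flags |= ELF_BSDF_CHERI_REVOKE;		/* default, FORCED clear */
	}
	return flags;
}

/*
 * Allocator side (modelled), lowest to highest precedence: system default
 * (non-forced AT_BSDFLAGS) < MQ_ENABLE/MQ_DISABLE < forced procctl/elfctl
 * choice < MQ_ENABLE_FORCED/MQ_DISABLE_FORCED.
 */
bool
revocation_enabled(uint32_t bsdflags, enum mq_request program_request)
{
	if (program_request == MQ_ENABLE_FORCED)
		return true;
	if (program_request == MQ_DISABLE_FORCED)
		return false;
	if (bsdflags & ELF_BSDF_CHERI_REVOKE_FORCED)
		return (bsdflags & ELF_BSDF_CHERI_REVOKE) != 0;
	if (program_request == MQ_ENABLE)
		return true;
	if (program_request == MQ_DISABLE)
		return false;
	return (bsdflags & ELF_BSDF_CHERI_REVOKE) != 0;
}
```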