caprevoke: rework the enablement of revocation

bin/cheribsdtest/cheribsdtest.c

@@ -58,6 +58,7 @@
 #include <fcntl.h>
 #include <fnmatch.h>
 #include <inttypes.h>
+#include <malloc_np.h>
 #include <signal.h>
 #include <stdbool.h>
 #include <stdio.h>
@@ -96,6 +97,11 @@ static int sleep_after_test;
 static int coredump_enabled;
 static int debugger_enabled;
 
+#ifdef __CHERI_PURE_CAPABILITY__
+/* Ask MRS to quarantine despite the system default. */
+const int malloc_revocation = MR_ENABLE;
+#endif
+
 int verbose;
 
 static void

bin/cheribsdtest/cheribsdtest_malloc.c

@@ -36,19 +36,17 @@
 
 #include "cheribsdtest.h"
 
-bool malloc_is_quarantining(void);
-
 static const char *
-skip_malloc_not_quarantining(const char *name __unused)
+skip_malloc_not_revoking(const char *name __unused)
 {
-	if (malloc_is_quarantining())
+	if (malloc_is_revoking())
 		return (NULL);
-	return ("malloc is not quarantining");
+	return ("malloc is not revoking");
 }
 
 CHERIBSDTEST(malloc_revoke_basic,
     "verify that a free'd pointer is revoked by malloc_revoke",
-    .ct_check_skip = skip_malloc_not_quarantining)
+    .ct_check_skip = skip_malloc_not_revoking)
 {
 	volatile void *ptr __unused;
 
@@ -66,7 +64,7 @@ CHERIBSDTEST(malloc_revoke_basic,
 }
 
 CHERIBSDTEST(malloc_revoke_twice, "revoke twice back to back",
-    .ct_check_skip = skip_malloc_not_quarantining)
+    .ct_check_skip = skip_malloc_not_revoking)
 {
 	malloc_revoke();
 	malloc_revoke();

bin/cheribsdtest/cheribsdtest_vm.c

@@ -1388,7 +1388,7 @@ CHERIBSDTEST(cheri_revoke_lightly, "A gentle test of capability revocation")
 	mb = CHERIBSDTEST_CHECK_SYSCALL(
 	    mmap(0, PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANON, -1, 0));
 	CHERIBSDTEST_CHECK_SYSCALL(
-	    cheri_revoke_get_shadow(CHERI_REVOKE_SHADOW_NOVMMAP, mb, &sh));
+	    cheri_revoke_get_shadow(CHERI_REVOKE_SHADOW_NOVMEM, mb, &sh));
 
 	CHERIBSDTEST_CHECK_SYSCALL(cheri_revoke_get_shadow(
 	    CHERI_REVOKE_SHADOW_INFO_STRUCT, NULL, __DEQUALIFY(void **, &cri)));
@@ -1480,7 +1480,7 @@ CHERIBSDTEST(cheri_revoke_loadside, "Test load-side revoker")
 	mb = CHERIBSDTEST_CHECK_SYSCALL(
 	    mmap(0, asz, PROT_READ | PROT_WRITE, MAP_ANON, -1, 0));
 	CHERIBSDTEST_CHECK_SYSCALL(
-	    cheri_revoke_get_shadow(CHERI_REVOKE_SHADOW_NOVMMAP, mb, &sh));
+	    cheri_revoke_get_shadow(CHERI_REVOKE_SHADOW_NOVMEM, mb, &sh));
 
 	CHERIBSDTEST_CHECK_SYSCALL(cheri_revoke_get_shadow(
 	    CHERI_REVOKE_SHADOW_INFO_STRUCT, NULL,
@@ -1619,15 +1619,15 @@ cheribsdtest_cheri_revoke_lib_init(size_t bigblock_caps, void *** obigblock,
 	    MAP_ANON, -1, 0));
 
 	for (size_t ix = 0; ix < bigblock_caps; ix++) {
-		/* Create self-referential VMMAP-free capabilities */
+		/* Create self-referential SW_VMEM-free capabilities */
 
 		bigblock[ix] = cheri_andperm(cheri_setbounds(&bigblock[ix], 16),
 		    ~CHERI_PERM_SW_VMEM);
 	}
 	*obigblock = bigblock;
 
 	CHERIBSDTEST_CHECK_SYSCALL(
-	    cheri_revoke_get_shadow(CHERI_REVOKE_SHADOW_NOVMMAP, bigblock,
+	    cheri_revoke_get_shadow(CHERI_REVOKE_SHADOW_NOVMEM, bigblock,
 	    oshadow));
 
 	CHERIBSDTEST_CHECK_SYSCALL(

include/malloc_np.h

@@ -70,6 +70,19 @@ struct extent_hooks_s {
 	extent_merge_t		*merge;
 };
 
+#ifdef __CHERI_PURE_CAPABILITY__
+#define	MR_SYSTEM_DEFAULT	0x0
+#define	MR_DISABLE		0x1
+#define	MR_ENABLE		0x2
+#define	_MR_FORCED		0x4
+#define	MR_DISABLE_FORCED	(MR_DISABLE | _MR_FORCED)
+#define	MR_ENABLE_FORCED	(MR_ENABLE | _MR_FORCED)
+
+extern const int malloc_revocation;
+#endif
+
+__MyBool malloc_is_revoking(void);
+
 size_t	malloc_usable_size(const void *ptr);
 
 void	malloc_stats_print(void (*write_cb)(void *, const char *),

lib/libc/gen/tls_malloc.c

@@ -451,7 +451,7 @@ find_overhead(void * cp)
 	 * __tls_malloc_aligned.  In that case we need to get back to the
 	 * real overhead pointer.  To make sure we aren't tricked, the
 	 * pointer must:
-	 *  - Be an internal allocator pointer (have the VMMAP permision).
+	 *  - Be an internal allocator pointer (have the SW_VMEM permision).
 	 *  - Point somewhere before us and within the current pagepool.
 	 */
 	if (cheri_gettag(op->ov_real_allocation) &&
@@ -491,7 +491,7 @@ paint_shadow(void *mem, size_t size)
 	 * need it.
 	 */
 	if (pp->ph_shadow == NULL)
-		if (cheri_revoke_get_shadow(CHERI_REVOKE_SHADOW_NOVMMAP, pp,
+		if (cheri_revoke_get_shadow(CHERI_REVOKE_SHADOW_NOVMEM, pp,
 		    &pp->ph_shadow) != 0)
 			abort();
 	caprev_shadow_nomap_set_raw(cri->base_mem_nomap, pp->ph_shadow,

lib/libc/stdlib/malloc/Makefile.inc

@@ -2,9 +2,9 @@
 
 SYM_MAPS+=${LIBC_SRCTOP}/stdlib/malloc/Symbol.map
 
+.if ${MK_MALLOC_REVOCATION_SHIM} == no || !${MACHINE_ABI:Mpurecap}
 MAN+=		malloc_revoke.3
 
-.if ${MK_MALLOC_REVOCATION_SHIM} == no || !${MACHINE_ABI:Mpurecap}
 MISRCS+=	malloc_revoke.c
 .endif
 

lib/libc/stdlib/malloc/Symbol.map

@@ -11,7 +11,7 @@ FBSD_1.0 {
 	free;
 	malloc_usable_size;
 	malloc_revoke;
-	malloc_is_quarantining;
+	malloc_is_revoking;
 };
 
 FBSD_1.3 {

lib/libc/stdlib/malloc/jemalloc/Makefile.inc

@@ -28,13 +28,17 @@ CLEANFILES+=jemalloc.3
 jemalloc.3: ${SRCTOP}/contrib/jemalloc/doc/jemalloc.3 .NOMETA
 	ln -sf ${.ALLSRC} ${.TARGET}
 
+.if ${MK_MALLOC_REVOCATION_SHIM} == no || !${MACHINE_ABI:Mpurecap}
 MLINKS+= \
 	jemalloc.3 malloc.3 \
 	jemalloc.3 calloc.3 \
 	jemalloc.3 posix_memalign.3 \
 	jemalloc.3 aligned_alloc.3 \
 	jemalloc.3 realloc.3 \
-	jemalloc.3 free.3 \
+	jemalloc.3 free.3
+.endif
+
+MLINKS+= \
 	jemalloc.3 malloc_usable_size.3 \
 	jemalloc.3 malloc_stats_print.3 \
 	jemalloc.3 mallctl.3 \

lib/libc/stdlib/malloc/malloc_revoke.c

@@ -42,9 +42,9 @@ malloc_revoke(void)
 {
 }
 
-bool malloc_is_quarantining(void);
+bool malloc_is_revoking(void);
 bool
-malloc_is_quarantining(void)
+malloc_is_revoking(void)
 {
 	return (false);
 }

lib/libc/stdlib/malloc/mrs/Makefile.inc

@@ -2,6 +2,17 @@
 
 MISRCS+=	mrs.c
 
+MAN+=	mrs.3
+MLINKS+= \
+	mrs.3 malloc.3 \
+	mrs.3 calloc.3 \
+	mrs.3 posix_memalign.3 \
+	mrs.3 aligned_alloc.3 \
+	mrs.3 realloc.3 \
+	mrs.3 free.3 \
+	mrs.3 malloc_revoke.3 \
+	mrs.3 malloc_is_revoking.3
+
 CFLAGS.mrs.c+=-Wno-error=gnu-folding-constant
 
 # Allow quarantine to be enabled/disabled during program startup