GitLab

Change-Id: Ib85d4570950cc8be76c93aeaccafa010c1f030e6

The previous value (#64) will be used for AT_CHERI_STACK_CAP.

Change-Id: I643a418f89c1108c8bf9c1050c1b2873f78f1caa

It is getting harder and harder to maintain several
syscall descriptions. Use only one while maintaining
the existing flexibility.

The new, but backwards compatible descriptor format
adds 'libc' and 'arch' fields. The former filters
libc, the latter architectures. An empty list means
no filtering.

Note that only bionic, where wrappers are generated,
uses 'aliases' and 'symbol' field.

Change-Id: I3ab2d567377b7175a17ddd8bc91a70afd5eb011d

Multi-target rules are executed per target.
Use target group (&:) to say that the rule is
expected to create all the targets at once.

The ordering rule was also behaving incorrectly
in the new setup.

Change-Id: I60dbdfee7a308d3af6f00bf40ac04e4ec63e471d

The new configuration option LIBSHIM_CANCELLATION_POINTS
enables or disables support for cancellation points.

The new argument "cg" is an int*: if it is non-null and
the pointed value is not zero the system call is cancelled.

This is basically just some labels which can be used to
check whether a PC is within a range. In addition, a test
helper is also available: if __shim_pause_in_cp is implemented
and it returns nonzero, the current system call will busy-wait
forever. This can be used to test cancellation integration with
libc: a thread can be stopped reliably within the cancellable
region.

Wrappers do not support cancellation points.

Change-Id: I40bf2fcb3119fef7b60eda6c8079854eb7f442bd

With cancellation support there will be more logic,
and we will need to export some symbols. Header
inclusion prevents developing cancellation points.

Change-Id: I792aa88a0944f630b5d892ce187238f0ad003902

Change-Id: I8c0895bac582448e4c90a9234e751ea2fa247528

Change-Id: I83ae508b02af4664c9cb6f23257e7252c0db975c

Change-Id: Ib99384bf25534ddfdc9c4fc902dca95ae7094031

Change-Id: Ib1dcba6fcd15bbe938fa91ce7f2eea66f5dd96cf

Change-Id: Ie5281d3afd692df6328b81b00cb4832fe8009ae8

Change-Id: Ia8ed7b35e94c6052b5c22806b0ffcfcef2b25863

This function returns true if libshim was compiled
for pure-capability ABI, otherwise false.

Change-Id: I91659f7901ac11ccdbddce4ae5636100686592d3

This change adds a high-level implementation of arguments
marshaling. It is meant to be a long-term replacement of
the assembly implementation. The benefit is that this
code uses cheriintrin.h and so it is architecture
independent.

Change-Id: Ia9889d7e23d434f931d64b365106fa2e59d423ac

Change-Id: I060ca69b59964c6444783212bea6fff5db1364b8

Change-Id: I69c91ebb394bd4e9c41640073112d80fdc602473

Change-Id: I050049f18ac3738d5d6d0e3c0d20c03f471b3499

Change-Id: Id580aa29478975c38d5bea8f3301c4d135e9b458

Change-Id: I92464b95ccf73b78ee4be0d21d90df4933fc0d02

Change-Id: I26d46a80191b83ae5068f94c829c5e6517bd4622

CHERIseed will transform parameters such that right before
the actual system call all arguments should be "peeked" using
'__builtin_cheri_address_get' builtin.

This is due to the behaviour of the sanitizer: an int-to-ptr
operation creates a new capability on stack and sets its value
to the integer value.

Change-Id: Ie1025ab580fd9d7bcfb82d4b540001d92a07390b

CHERIseed targets capability-unaware architectures
and so there is no such register as Morello's 'ctpidr_el0'.

Change-Id: I8ff5e5ba8467006550b362a75c75560c37a45c2d

__SANITIZE_CHERISEED__ is defined to '1', if libshim is
compiled with '-fsanitize=cheriseed', otherwise it is
undefined.

Change-Id: I9ed8505ba5610b0376dc84a6573c625883bfcb0f

Libshim has some assembly snippets but all of them
have been reviewed for CHERIseed, therefore all of
them are safe. There is no need to emit warnings
during build.

Change-Id: I0cdcec05193efc99b1b52df6acd4973ccc37ffd1

Marshalling this member of ucontext depends on the architecture,
therefore it is now extracted into a separate file.

Change-Id: I827f7128517096da5233551a9c09c45351298420

This change extends the list of system calls libshim
is aware of.

Change-Id: I432326cfe096e361bbf85a1d0ce46ad8aad9a308

Change-Id: I88a67cf3d8be8c8b510904ca5db52ac7a54537b2

The sockaddr struct in the bind() and connect() syscalls are const, see:
https://man7.org/linux/man-pages/man2/bind.2.html
https://man7.org/linux/man-pages/man2/connect.2.html

Change-Id: I3dc8815326b5057b081b59bedb2432c175eeac39

Each element of argv and envp gets its bounds set based on
the strlen result for it: the resulting capability length
will cover the entire string plus null character at the end.

This patch also sets permissions of argv and envp elements.

Change-Id: I370d0bc016eb6adfd2d9d84e0958b04e2514f175

It is used only at one place and the same results can be
achieved with no inline asm.

Change-Id: Ic438ecb4786adfb66b31b66d3e1e08136837b088

Change-Id: I92e66f4b0fcac299e97d657b8e6504a96af6cf9e

Change argument check from pointer to struct sigaction to pointer to
local_sigaction_t.
The kernel ABI sigaction struct is not guaranteed to match the libc ABI
sigaction struct. In Musl, these (struct k_sigaction and struct
sigaction, respectively) are different sizes and previously the libshim
check on rt_sigaction would fail.
Signed-off-by: Jack Bond-Preston <jack.bond-preston@arm.com>
Change-Id: Ifb91a54e4054477cf4633b5547a69c1aa56f7814

A set of experimental auxv members are defined to provide root RX, RW
and sealing capabilities. These are derived from DDC with appropriate
permissions. Bounds are unchanged for RX/RW and set to max object type
value for sealing. These bounds should ideally be narrower to include
only the writable range for RW, only the executable range for RX, and
the required range for sealing.

Change-Id: If65eb32d7e4e4efca04c9cb85cc57ee72ef506c5

Currently pure-cap signal handlers cannot directly access the
ucontext pointer argument because libshim just passes it through.

This change fixes this by transforming the ucontext argument like
the info argument: the pointer itself is transformed as usual, and
the struct it points to (ucontext_t) also needs to be transformed
as it contains a few pointers. The layout of ucontext_t is highly
architecture-dependent, so its transformation must be special-cased
for each architecture (currently aarch64 and x86_64).

Change-Id: Ied0f59845d2634b6428b5882fec7ac029d8e462e

When LIBSHIM_ZERO_DDC is enabled and targeting pure capability ABI,
do_raw_args_marshalling() saves the original value of DDC and then
clears it. This is meant to prevent deriving tagged capabilities
from that point onwards using the original DDC value outside
libshim.

This change also removes 'rootcap' usages from libshim.

Built and tested on FVP.

Change-Id: I4cae99095f96999f5052ba83e43469168f7495cb

Add missing ramdisk_available properties to support full
Android R build.

Change-Id: Iba0a07e465d60d443c0fb2fda450145d4e16a6c9

Static libc should contain all the symbols necessary to run
an application. Dynamic libc, however, should only contain
symbols which are not "duplicated" in the dynamic linker.

So far both the dynamic linker and the shared libc had all
the libshim symbols. This proved to be working correctly,
however, having a fully singleton libshim is desirable.

From now on only symbols which are mandatory for libc are
provided, all the other libshim-internal symbols are weak.
Because the dynamic linker has the strong alternatives of
these symbols, linker will resolve these weak symbols so
that they come from the linker. This allows implementation
of a singleton pattern for libshim.

Built and tested on FVP.

Change-Id: I071ca7e23488293425990ead2c9261497c96786c

Change-Id: Ic25018dc121d21cb9906ad65e62d7cc2609bb432

Change-Id: I8487acb86f4f9258dc0668dc98de9713d0ee7a58

To ease debugging, this change adds support to make a difference
between system calls that are called best-effort and calls which
actually failed when the related message gets printed.

Change-Id: I05fd769ed2fcc391e8ce2ce823b0bcdf86a21e9e