This is needed to make sure build system detects changes in the file.

Change-Id: I7e5651c2ed6508cbf2f473c30833b1c1398f3f05

Change-Id: I21c838adbdd7543648243fface993a96624935dc

See the comment in the change.

Change-Id: Idf822d2b7b3114fdb643bf77c777061a81e038ff

Balaji Anandapadmanaban authored Nov 10, 2022 and Oliver Swede committed Dec 15, 2022

Change-Id: I0f6d85c39333421ac1a5a1597f41f25002298132

Change-Id: I90e69ee8359e7ba678d566ff0fde37a1af6233e3

Balaji Anandapadmanaban authored Sep 28, 2022 and Oliver Swede committed Dec 15, 2022

Unit testcases to test the VMem permission functionality added in this commit.

Change-Id: I851ac1340e7bbf8015436f455fc31baee5743436

Change-Id: Id3e304e7ae67988217e5cda0b1d80881817b8c60

Name the remaining arguments to the system call, and separate out the
pure-cap implementation. Also replace a manual upwards-alignment with
the corresponding builtin.

Change-Id: Iac429ae7eb94d1d9ccda7ce0ac8b806351183383

Balaji Anandapadmanaban authored Nov 04, 2022 and Oliver Swede committed Dec 15, 2022

Implement CapabilityOwnsRange which is described as below in the
Pure-Cap ABI document.

CapabilityOwnsRange(cap, start_addr, length)
Returns true if cap is a valid unsealed capability with the following
properties:
  - Its bounds include AlignedRange(start_addr, length).
  - Its permissions include Global and VMem.

This check is added to every relevant syscall other than mmap and shmdt
which will be added later with their dependencies.

The VMem permission will be added in another commit.
https://git.morello-project.org/morello/kernel/linux/-/wikis/Morello-pure-capability-kernel-user-Linux-ABI-specification#address-space-management-syscalls

Co-authored-by: Oliver Swede <oli.swede@arm.com>
Change-Id: Ia206ddb534c4a6a73807b670b8fb75a3f09fc597

Fail with -ENOSYS for Pure-cap.

Also remove fixups specified for the syscall that are ignored due to
presence of existing custom definition.

Change-Id: Iad153bc87c043cab18c4f4644eee826a54013ea4

Mark the locations where checks will need to be added on address space
management syscalls in order for them to conform to the spec.

Add custom definitions where not already present, carrying forward
specifiers from the previous fixups where appropriate. Assume they will
all require customs for now, they vary in complexity depending on the
syscall and can be replaced with fixups later if suitable.

Exclude the updates to checks on input capabilities for now until
relevant facilities (such as CapabilityOwnsRange/CapabilityMaySetProt
helpers, reservation handling, VMem ownership, protection flags etc.)
are available.

Change-Id: I37852788fdd325ce0e128065d1a5efe094d08be4

Change-Id: I16efdd3490d9cae286bbffaf39d979ce7f8b6143

Tamas Petz authored Sep 30, 2022 and Tamas Petz committed Oct 27, 2022

This is to avoid going through the GOT.

Change-Id: I6feabeeb15baf06b3d49b08494b4c708bac03f18

Tamas Petz authored Oct 18, 2022 and Tamas Petz committed Oct 18, 2022

Change-Id: I897ac70bc012defc3a1158ad604a2b69553f215a

Change-Id: I981b43a12ddf2e07a6e1ed1112baa12abe74e87f

Sealing is unsupported in CHERIseed.

Change-Id: Ia6d4b95126cef1f2ec379fc1a4e345011b41eca8

Arnold Gabriel Benedict authored Aug 15, 2022 and Ruben committed Sep 27, 2022

Change-Id: I51aa4c0be0fe4a60db60e7b3ecc04862691dd579

Oliver Swede authored Sep 08, 2022 and Ruben committed Sep 21, 2022

Change-Id: I81eb0186e3b73ba23f7aca520d332d2e86fda3ca

Co-authored-by: Oliver Swede <oli.swede@arm.com>
Change-Id: If377c7b7d81d89dfee5c4e68f2f38dcde29e47bb

Oliver Swede authored Sep 05, 2022 and Ruben committed Sep 21, 2022

Change-Id: I0aa1bede481b8cfa32a0192a2ca312f45362a92b

Change-Id: I8ed74834a6fa5cfec8cd51f241202269deb8f0aa

Change-Id: I7bcb986ffb1f29e3d4fe0afd4c4a56527212a7c6

Tamas Petz authored Aug 18, 2022 and Tamas Petz committed Sep 20, 2022

Typo: '8' should be '0'. The code popped the wrong register from the
pair pushed to stack.

Change-Id: Ic4721b41a9377a2f9605b1f4dd55bbdd425d3328

Cross-compilation roots have the same layout on Arch Linux as on
Ubuntu/Debian so adding support for Arch is straightforward.

Change-Id: I2afcbbf90ed8abc6cd3f8c7d19546cf50e587316

Limit PCC bounds/permissions as specified
by the Linux Pure-cap kernel-user ABI.

Change-Id: I304e67a218cd29ce4e3585e2afdd6ea2b16c4cdd

To reflect that these interfaces aren't only moving or transforming
data but also adding some new required values e.g. AT_CHERI_EXEC_RX_CAP,
rename:
 - move_auxv to prepare_auxv
 - move_arguments_impl to prepare_arguments
 - __shim_move_arguments to __shim_prepare_environment

Change-Id: I2dd6498c0118f2a3f5e32045123281135bd8fac4

Oliver Swede authored Sep 01, 2022 and Ruben committed Sep 02, 2022

The capability for a region passed to prctl can be read-only in the
PR_SET_VMA_ANON_NAME case. Change the check accordingly.

Also remove an unused check for the PR_SET_MEM case.

Change-Id: I7448cc3fdef325cc409eba20304f901181114fb0

Oliver Swede authored Sep 01, 2022 and Ruben committed Sep 02, 2022

To indicate there is no vDSO with libshim, we can use the null capability.

Change-Id: I2b8b0ff6fc67fe9934b3d6022b0dd3fc91092589

Oliver Swede authored Jul 26, 2022 and Ruben committed Sep 02, 2022

Change-Id: I1e86433d470ba2e058d4dd6e87d06c45bb740844

Oliver Swede authored Jul 21, 2022 and Ruben committed Sep 02, 2022

Change-Id: I7c54f2ec828faa9b24339a5ca92939eecfbc20c9

Oliver Swede authored Jul 29, 2022 and Ruben committed Sep 01, 2022

Change-Id: I308922114bcdc2102c24bd0ed023352772097c48

With the Pure-cap ABI these areas are no longer located on stack. Instead,
they're allocated in separate memory regions pointed to by the values supplied
to the executable in the argc/argv/envp/auxv quadruple.

Also implement few early helpers for invoking system calls. libc
functions can't be invoked from libc_support.cpp as libc isn't
initialized yet and dynamic linkage hasn't happened. Instead,
implementing this early execution stage helpers which can be invoked
independently although don't provide full semantics of the main shim
handlers for these system calls.

Change-Id: I79ebc7c5bc7670bd992eac387446c7c6237424c1

Split the function into few steps and corresponding helpers:
 - find_arguments
 - move_argv_or_envp - invoked for both argv and envp
 - move_auxv

Also extract common part (independent of __SANITIZE_CHERISEED__)
of the two versions of the function into move_arguments_impl.

Change-Id: Iadc577b3ef867a548703cf7d100ef4a3b1a36041

The system call wrappers have only been used by Bionic, and effectively
should have been part of Bionic. Instead of generating Bionic wrappers
in libshim, generate wrapper aliases which can be called from the system
call sequences generated in Bionic when libshim is used.

The wrapper aliases (unlike the earlier wrappers) have function
prototypes as specified by LIBSHIM_FN_C. The cancellation points
via the aliases are not supported, however Bionic doesn't require
the support.

Change-Id: Iaaa2c725d72ee8d7f4940c399c93041c757886b8

libshim system call handlers return error to the caller like the kernel
would, however not updating the errno - errno should be updated by the
standard library when required.

Change-Id: I5733ea3967c6806d549c27a5b5b398983214fdf0

Tamas Petz authored Aug 17, 2022 and Ruben committed Aug 19, 2022

Only Bionic sets errno at libshim level, but musl-libc and glibc
don't. There were two issues:
 - Checking for '-1' only works for Bionic.
 - Returning '-1' only works for Bionic.

For all other libcs we have to check against maximum errno and
return an appropriate error value, currently -EFAULT.
Co-authored-by: Arnold Gabriel Benedict <arnoldgabriel.benedict@arm.com>
Co-authored-by: Tamas Petz <tamas.petz@arm.com>

Change-Id: Idb9e3f33656c3fe50b51585e08ef51f23d777a61

Enable LIBSHIM_TRANSITION_SWITCH_ARGC_ARGV_ENVP_AUXV_QUADRUPLE for
Android.

Change-Id: I9d481c5d18f5423606db1b9b62c40752be69ce33

With the new Linux Pure-cap kernel-user ABI, C0-C3 should be:
 C0 = argc
 C1 = capability for argv
 C2 = capability for envp
 C3 = capability for auxv

Unlike with the actual kernel, in libshim these values are supplied on
stack and are supposed to be loaded to c0-c3 by the _start routine of
the standard C library after the call to __shim_marshal_program_arguments.

For CHERIseed, the _start or subsequent routines will be able to access
these values from stack.

Change-Id: I7cbae51d8fc48eb4680c9e596caf12e43a1c52b6

Tamas Petz authored Jun 13, 2022 and Tamas Petz committed Jul 12, 2022

This change removes do_raw_args_marshalling.S in favour
of a C++ implementation of the same. The expectation is
that the higher level code is more easy to maintain on
the long term.

Downside is that temporary CSP and DDC are potentially
spilled to the stack.

The new call is __shim_marshal_program_arguments(),
which is meant to be a drop-in replacement of
do_raw_args_marshalling(). During a transitioning
period both symbols are available.

Change-Id: I11c10dff919bd6ef4d135b69d17103297c823518

Tamas Petz authored Jul 11, 2022 and Tamas Petz committed Jul 12, 2022

Ensure that Makefile path uses at least as strict
flags as the Android build system use.

This change also fixes two conversions marked by
the new '-Wcheri-pedantic' flag.

Change-Id: I578a31d3e4808b51a629dd2b32a45cb277d37882