Hi,
This short series takes care of restricting capabilities in a couple of cases that previous series didn't handle. This addresses a few TODOs and brings us closer to full alignment with the PCuABI spec.
This series depends on the latest reservations series [1].
Thanks, Kevin
[1] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org/...
Kevin Brodsky (2): arm64: morello: Restrict CLR on signal delivery in PCuABI aio: Restrict ctx_id capability in PCuABI
arch/arm64/kernel/morello.c | 22 ++++++++++++++++++++-- fs/aio.c | 9 +++++---- 2 files changed, 25 insertions(+), 6 deletions(-)
mm->context.vdso now holds a capability whose bounds match the vDSO mapping, so we can derive from it an appropriate sentry for CLR when setting up the signal return in PCuABI.
Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- arch/arm64/kernel/morello.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kernel/morello.c b/arch/arm64/kernel/morello.c
index a445d3aca710..da9d8b1f2578 100644
--- a/arch/arm64/kernel/morello.c
+++ b/arch/arm64/kernel/morello.c
@@ -20,6 +20,11 @@
 #include <asm/cpufeature.h>
 #include <asm/morello.h>
 #include <asm/ptrace.h>
+#include <asm/vdso.h>
+
+#ifdef CONFIG_CHERI_PURECAP_UABI
+#include <generated/vdso-purecap-offsets.h>
+#endif
static uintcap_t morello_sentry_unsealcap __ro_after_init;
@@ -66,6 +71,18 @@ static void set_creg_user_ptr(struct pt_regs *regs, int r, void __user *val)
 regs->regs[r] = user_ptr_addr(val);
 regs->cregs[r] = (uintcap_t)val;
 }
+
+static user_uintptr_t make_purecap_signal_return_clr(void)
+{
+ user_uintptr_t clr = current->mm->context.vdso;
+
+ clr = cheri_perms_and(clr, CHERI_PERM_GLOBAL |
+ CHERI_PERMS_READ | CHERI_PERMS_EXEC);
+ clr = cheri_address_set(clr, VDSO_SYMBOL(clr, sigtramp));
+ clr = cheri_sentry_create(clr);
+
+ return clr;
+}
 #endif
 void morello_cap_get_val_tag(uintcap_t cap, __uint128_t *val, u8 *tag)
@@ -262,13 +279,14 @@ void morello_setup_signal_return(struct pt_regs *regs)
 update_regs_c64(regs, regs->pc);
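Review bot: make_purecap_signal_return_clr() unconditionally points CLR at the vDSO sigtramp, so if the caller still honours SA_RESTORER by writing sa_restorer into regs->regs[30] (as mainline setup_return() does) that address is dropped on the capability side and the X/C halves of the link register disagree; please confirm SA_RESTORER is rejected or handled before this helper runs under PCuABI, or state in a comment that the vDSO trampoline is mandatory. Since cheri_perms_and() can only remove permissions the result is never broader than mm->context.vdso, but that reasoning is not written down; I would add above the function: `/* Derive CLR from the vDSO capability: keep only global/read/execute, set the address to the sigtramp symbol and seal it as a sentry, so the handler cannot reuse CLR as a data pointer. */`. If mm->context.vdso were untagged (vDSO not mapped) the sentry would be untagged too and sigreturn would fault instead of inheriting the old root-capability fallback — presumably intended, but worth a sentence. The `#endif` closing the hunk suggests the helper sits inside a CONFIG_CHERI_PURECAP_UABI block that opens outside it.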
 if (is_pure_task()) {
+#ifdef CONFIG_CHERI_PURECAP_UABI
 /* Unseal if the pcc has sentry object type */
 if (cheri_is_sentry(regs->pcc))
 regs->pcc = cheri_unseal(regs->pcc, morello_sentry_unsealcap);
- /* TODO [PCuABI] - Adjust the bounds/permissions properly */
- regs->cregs[30] = cheri_user_root_cap;
+ regs->cregs[30] = make_purecap_signal_return_clr();
+#endif
 } else /* Hybrid */ {
 regs->pcc = cheri_user_root_allperms_cap;
Now that all mappings are backed by a reservation of the appropriate size and permissions, we can easily provide a capability with restricted bounds and permissions on io_setup().
mremap() will take care of creating a capability with updated bounds if needed; ctx->user_id is updated accordingly in aio_ring_mremap(), so that aio_ctx_id_is_same() doesn't reject the new capability obtained from mremap().
Signed-off-by: Kevin Brodsky kevin.brodsky@arm.com --- fs/aio.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/aio.c b/fs/aio.c
index bb4fcb46c182..43bebe6fb3a3 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -42,6 +42,7 @@
 #include <linux/percpu-refcount.h>
 #include <linux/mount.h>
 #include <linux/pseudo_fs.h>
+#include <linux/mm_reserv.h>
 #include <linux/uaccess.h>
 #include <linux/nospec.h>
@@ -471,8 +472,8 @@ static int aio_ring_mremap(struct vm_area_struct *vma)
 if (ctx && ctx->aio_ring_file == file) {
 if (!atomic_read(&ctx->dead)) {
 ctx->mmap_base = vma->vm_start;
- /* TODO [PCuABI] - derive proper capability */
- ctx->user_id = uaddr_to_user_ptr_safe(ctx->mmap_base);
+ ctx->user_id = (aio_context_t)
+ reserv_vma_make_user_ptr_owning(vma);
 res = 0;
 }
 break;
@@ -674,8 +675,8 @@ static int aio_setup_ring(struct kioctx *ctx, unsigned int nr_events)
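Review bot: ctx->user_id is now rewritten as a 16-byte capability under ioctx_lock, while (in mainline at least) lookup_ioctx() compares it against the caller's ctx_id under rcu_read_lock() only, so a concurrent io_submit() observes this store without a lock; that is fine only if the field is capability-aligned and the store is single-copy atomic, which is worth stating next to the assignment. I would also explain why the re-derivation is needed, since nothing in the hunk says so: `/* The ring moved: derive a fresh ctx_id from the new VMA, otherwise a capability carrying the old bounds no longer matches in aio_ctx_id_is_same(). */` — the last clause is inferred from the commit message, so adjust it to whatever aio_ctx_id_is_same() actually compares. aio_ring_mremap() begins and ends outside the hunk.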
pr_debug("mmap address: 0x%08lx\n", ctx->mmap_base);
- /* TODO [PCuABI] - derive proper capability */
- ctx->user_id = uaddr_to_user_ptr_safe(ctx->mmap_base);
+ ctx->user_id = (aio_context_t)
+ reserv_make_user_ptr_owning(ctx->mmap_base, false);
 ctx->nr_events = nr_events; /* trusted copy */
ctx->ring = vmap(ctx->ring_pages, nr_pages, VM_MAP, PAGE_KERNEL);
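Review bot: the result of reserv_make_user_ptr_owning(ctx->mmap_base, false) is stored into ctx->user_id without any check, and the meaning of the `false` argument is not visible at the call site. If, as in mainline, the mmap lock was already released after do_mmap() before this point and the helper looks the reservation up by address, a racing munmap() from another thread could make that lookup fail; whatever the helper returns then (a null or untagged capability, presumably) would be handed to userspace as the io_setup() result instead of an error. Either fail the setup when the returned capability is not valid, or document why that cannot happen, e.g. `/* Reservation lookup without mmap_lock: the mapping was created just above and is only torn down by kill_ioctx() or an explicit munmap() by the caller. */` if that is the argument. aio_setup_ring() starts and ends outside the hunk.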
On 25/04/2024 13:28, Kevin Brodsky wrote:
Hi,
This short series takes care of restricting capabilities in a couple of cases that previous series didn't handle. This addresses a few TODOs and brings us closer to full alignment with the PCuABI spec.
This series depends on the latest reservations series [1].
Thanks, Kevin
[1] https://op-lists.linaro.org/archives/list/linux-morello@op-lists.linaro.org/...
Kevin Brodsky (2): arm64: morello: Restrict CLR on signal delivery in PCuABI aio: Restrict ctx_id capability in PCuABI
Applied on next.
Kevin
arch/arm64/kernel/morello.c | 22 ++++++++++++++++++++-- fs/aio.c | 9 +++++---- 2 files changed, 25 insertions(+), 6 deletions(-)