
Commit 9f0e1ac

committed
minherit: limit INHERIT_SHARE
CheriABI: mostly disallow post-fork sharing via minherit(). Developers should use mmap and MAP_SHARED instead. Do allow no-op requests and sharing of mappings that either have no capabilities or where objects have the OBJ_SHARECAP flag.
1 parent 19b23ee commit 9f0e1ac


2 files changed

+30
-4
lines changed


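--- a/bin/cheribsdtest/cheribsdtest_cheriabi.c
+++ b/bin/cheribsdtest/cheribsdtest_cheriabi.c
@@ -389,11 +389,16 @@ CHERIBSDTEST(cheriabi_minherit_invalid_ptr,
 CHERIBSDTEST_CHECK_CALL_ERROR(minherit(mappings.middle + mappings.maplen,
 mappings.maplen, INHERIT_NONE), EPROT);
 
+/*
+ * minherit() should not be able to mark a MAP_ANON mapping shared
+ * upless it was initially marked as shared.
+ */
+CHERIBSDTEST_CHECK_CALL_ERROR(minherit(mappings.middle, mappings.maplen,
+INHERIT_SHARE), EACCES);
+
 /* Sanity check: minherit() on a valid capability should succeed. */
 CHERIBSDTEST_CHECK_SYSCALL(minherit(mappings.middle, mappings.maplen,
 INHERIT_NONE));
-CHERIBSDTEST_CHECK_SYSCALL(minherit(mappings.middle, mappings.maplen,
-INHERIT_SHARE));
 
 /* Unmapping the original capabilities should succeed. */
 free_adjacent_mappings(&mappings);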
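Review bot: The new `CHERIBSDTEST_CHECK_CALL_ERROR(... INHERIT_SHARE), EACCES)` pins only the rejection path; nothing here confirms that the cases the kernel change deliberately leaves open — an `INHERIT_SHARE` request on a mapping created `MAP_SHARED` (the no-op case) or on one whose object carries `OBJ_NOCAP`/`OBJ_SHARECAP` — still succeed, so a regression that rejected every `INHERIT_SHARE` would pass this test unchanged. A sibling test that maps a region with `MAP_ANON | MAP_SHARED` and asserts `CHERIBSDTEST_CHECK_SYSCALL(minherit(p, len, INHERIT_SHARE));` would close that gap. The added comment also has a typo: `upless` should read `unless`. The enclosing test function begins before and continues after this hunk.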

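--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -3778,14 +3778,35 @@ vm_map_inherit(vm_map_t map, vm_offset_t start, vm_offset_t end,
 }
 }
 #endif
-if (new_inheritance == VM_INHERIT_COPY) {
+if (new_inheritance == VM_INHERIT_COPY ||
+new_inheritance == VM_INHERIT_SHARE) {
 for (entry = start_entry; entry->start < end;
 prev_entry = entry, entry = vm_map_entry_succ(entry)) {
-if ((entry->eflags & MAP_ENTRY_SPLIT_BOUNDARY_MASK)
+if (new_inheritance == VM_INHERIT_COPY &&
+(entry->eflags & MAP_ENTRY_SPLIT_BOUNDARY_MASK)
 != 0) {
 rv = KERN_INVALID_ARGUMENT;
 goto unlock;
 }
+/*
+ * CheriABI: mostly disallow post-fork sharing via
+ * minherit(). Developers should use mmap and
+ * MAP_SHARED instead. Do allow no-op reqests
+ * and sharing of mappings that either have no
+ * capabilities or where objects have the
+ * OBJ_SHARECAP flag.
+ */
+if (new_inheritance == VM_INHERIT_SHARE &&
+entry->inheritance != VM_INHERIT_SHARE &&
+/* XXX: check reservations instead? */
+SV_CURPROC_FLAG(SV_CHERI) &&
+(entry->object.vm_object == NULL ||
+(entry->object.vm_object->flags &
+(OBJ_NOCAP | OBJ_SHARECAP)) == 0)) {
+rv = KERN_PROTECTION_FAILURE;
+goto unlock;
+}
+
 }
 }
 for (entry = start_entry; entry->start < end; prev_entry = entry,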
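Review bot: The new `INHERIT_SHARE` check dereferences `entry->object.vm_object->flags` without first excluding entries flagged `MAP_ENTRY_IS_SUB_MAP`, for which that union member is a `vm_map_t` rather than a `vm_object_t`; user maps normally carry no submaps, but if one can appear here the read hits the wrong type. Adding `(entry->eflags & MAP_ENTRY_IS_SUB_MAP) == 0 &&` ahead of the object test (or rejecting submap entries with `KERN_INVALID_ARGUMENT`, as `vm_map_protect()` does for the same flag) would make the policy check safe regardless. The object flags are also read without the object lock; if `OBJ_NOCAP`/`OBJ_SHARECAP` are fixed at object creation that is fine, but a one-line comment such as `/* OBJ_NOCAP/OBJ_SHARECAP are set at creation; no object lock needed. */` would save the next reader the question, and the `XXX: check reservations instead?` note deserves the same treatment or a tracking issue. The comment's `reqests` should be `requests`; `vm_map_inherit()` begins and ends outside this hunk.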
