Capsicum-like syscall set for unprivileged CHERI compartments

[davidchisnall]

The set of syscalls permitted for Capsicum compartments includes several things that should not be permitted for unprivileged compartments. These include (but are not limited to):

• File descriptor operations (e.g. read, write) that take a (forgeable) integer rather than a capability.
• Virtual address space modification functions (e.g. mmap, mprotect), which should not be permitted as they can be used to break CoW guarantees for sandboxes
• Signal handling functions, which could allow the sandbox to provide code to run with elevated privilege.

A modified libsyscall should allow banned syscalls to be issued as methods on the system object.

[rwatson]

A few thoughts on this item (I was under the impression I'd previously opened a TODO on this as well, but clearly not!):

This will depend on a lot more work on #15 before it becomes practical, as well as (ideally) #14, although you could imagine scraping by without it.

I think we may find that the vast majority of "safe" system calls from Capsicum are not considered safe in CHERI. One view is that might want to prefer directing many through kernel-intercepted CCalls rather than the classic system-call mechanism. However, there will be a quite useful subset that can be allowed -- especially, calls to set the time of day, retrieve random numbers, etc.