PERFORCE change 219706 for review
Robert Watson
rwatson at FreeBSD.org
Fri Nov 9 19:17:01 UTC 2012
http://p4web.freebsd.org/@@219706?ac=10
Change 219706 by rwatson at rwatson_svr_ctsrd_mipsbuild on 2012/11/09 19:16:20
Add new cheritest commands: sandbox, unsandbox, and yieldtest,
which are intended to help validate that the kernel is correctly
preventing sandboxed userspace code from performing system calls.
"sandboxed" in this case simply means a minor adjustment to $C0
that won't affect actual code execution, just the kernel's
gating of system calls. Hopefully.
Affected files ...
.. //depot/projects/ctsrd/cheribsd/src/bin/cheritest/cheritest.c#5 edit
Differences ...
==== //depot/projects/ctsrd/cheribsd/src/bin/cheritest/cheritest.c#5 (text+ko) ====
@@ -31,8 +31,11 @@
#include <sys/types.h>
#include <machine/cheri.h>
+#include <machine/cpuregs.h>
+#include <err.h>
#include <inttypes.h>
+#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -64,7 +67,10 @@
fprintf(stderr, "cheritest copyregs\n");
fprintf(stderr, "cheritest listregs\n");
fprintf(stderr, "cheritest overrun\n");
+ fprintf(stderr, "cheritest sandbox\n");
fprintf(stderr, "cheritest sleep\n");
+ fprintf(stderr, "cheritest unsandbox\n");
+ fprintf(stderr, "cheritest yieldtest\n");
exit(EX_USAGE);
}
@@ -86,7 +92,6 @@
cheritest_copyregs(void)
{
- CHERI_CMOVE(1, 0);
CHERI_CMOVE(2, 0);
CHERI_CMOVE(3, 0);
CHERI_CMOVE(4, 0);
@@ -133,6 +138,42 @@
CHERI_CAPREG_PRINT(26);
}
+static void
+cheritest_sandbox(void)
+{
+
+ /*
+ * Install a limited C0 so that the kernel will no longer accept
+ * system calls.
+ */
+ CHERI_CSETLEN(0, 1, CHERI_CAP_USER_LENGTH - 1);
+
+}
+
+static void
+cheritest_unsandbox(void)
+{
+
+ /*
+ * Restore a more privielged C0 so that the kernel will accept system
+ * calls again.
+ */
+ CHERI_CSETLEN(0, 1, CHERI_CAP_USER_LENGTH);
+}
+
+static void
+cheritest_yieldtest(void)
+{
+ int ret;
+
+ cheritest_sandbox();
+ ret = sched_yield();
+ cheritest_unsandbox();
+ if (ret)
+ err(1, "sched_yield");
+
+}
+
int
main(__unused int argc, __unused char *argv[])
{
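Review bot: cheritest_yieldtest() reports nothing when sched_yield() returns 0 while C0 is restricted, which is the one outcome that would mean the kernel is not gating system calls. The description says the command exists to validate that gating, so the success case should fail loudly, e.g. `if (ret == 0) errx(1, "sched_yield succeeded while sandboxed");`, and the expected rejection should become the passing path (how the kernel signals rejection is not visible here). Separately, cheritest_sandbox() and cheritest_unsandbox() both derive C0 from C1, so their comments should state that C1 must still hold the original C0 saved in main(); the comment in cheritest_unsandbox() also misspells "privileged". main() begins at the end of this hunk and its body continues outside it.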
@@ -149,6 +190,9 @@
if (argc == 0)
usage();
+ /* Save original C0 in C1 for later use. */
+ CHERI_CMOVE(1, 0);
+
for (i = 0; i < argc; i++) {
if (strcmp(argv[0], "listregs") == 0)
cheritest_listregs();
@@ -156,8 +200,14 @@
cheritest_copyregs();
else if (strcmp(argv[0], "overrun") == 0)
cheritest_overrun();
+ else if (strcmp(argv[0], "sandbox") == 0)
+ cheritest_sandbox();
else if (strcmp(argv[0], "sleep") == 0)
sleep(10);
+ else if (strcmp(argv[0], "unsandbox") == 0)
+ cheritest_unsandbox();
+ else if (strcmp(argv[0], "yieldtest") == 0)
+ cheritest_yieldtest();
else
usage();
}
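Review bot: The new `sandbox`, `unsandbox` and `yieldtest` branches compare `argv[0]`, as the existing branches do, so every pass of the `for (i = 0; i < argc; i++)` loop dispatches the first argument again and later arguments are never read. A sequence such as `cheritest sandbox sleep unsandbox`, which separate sandbox and unsandbox commands appear to be meant for, would run `sandbox` three times and never restore C0. The comparisons should use `argv[i]`, e.g. `else if (strcmp(argv[i], "sandbox") == 0)`. The loop opens in the previous hunk and one line between the two hunks is not shown.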