CTSRD-CHERI · dpgao · Nov 1, 2023 · Jul 1, 2023 · Jul 6, 2023 · Sep 8, 2023
diff --git a/lib/libc/aarch64/gen/_setjmp.S b/lib/libc/aarch64/gen/_setjmp.S
@@ -33,13 +33,10 @@
 
 ENTRY(_setjmp)
 #if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
-	stp	REG(0), REGN(lr), [REGN(sp), #-(REG_WIDTH * 2)]!
-
 	/* Store Executive mode state */
+	str	REGN(lr), [REGN(sp), #-REG_WIDTH]!
 	bl	_rtld_setjmp
-	mov	c1, c0
-
-	ldp	REG(0), REGN(lr), [REGN(sp)], #(REG_WIDTH * 2)
+	ldr	REGN(lr), [REGN(sp)], #REG_WIDTH
 #endif
 
 	/* Store the magic value and stack pointer */
@@ -63,10 +60,6 @@ ENTRY(_setjmp)
 	stp	d14, d15, [REG(0)], #16
 #endif
 
-#if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
-	str	c1, [REG(0)], #16
-#endif
-
 	/* Return value */
 	mov	x0, #0
 	RETURN
@@ -76,6 +69,11 @@ ENTRY(_setjmp)
 END(_setjmp)
 
 ENTRY(_longjmp)
+#if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
+	/* Restore Executive mode state */
+	bl	_rtld_longjmp
+#endif
+
 	/* Check the magic value */
 	ldr	REG(8), [REG(0)], #(REG_WIDTH)
 	ldr	x9, .Lmagic
@@ -102,16 +100,6 @@ ENTRY(_longjmp)
 	ldp	d14, d15, [REG(0)], #16
 #endif
 
-#if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
-	/* Restore Executive mode state */
-	stp	REG(1), REGN(lr), [REGN(sp), #-(REG_WIDTH * 2)]!
-
-	ldr	c0, [c0], #16
-	bl	_rtld_longjmp
-
-	ldp	REG(1), REGN(lr), [REGN(sp)], #(REG_WIDTH * 2)
-#endif
-
 	/* Load the return value */
 	cmp	x1, #0
 	csinc	x0, x1, xzr, ne

diff --git a/lib/libc/aarch64/gen/setjmp.S b/lib/libc/aarch64/gen/setjmp.S
@@ -53,15 +53,16 @@ ENTRY(setjmp)
 	mov	x0, #1				/* SIG_BLOCK */
 	bl	sigprocmask
 
+	ldp	REG(0), REGN(lr), [REGN(sp)]
+	add	REGN(sp), REGN(sp), #(REG_WIDTH * 2)
+
 #if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
 	/* Store Executive mode state */
+	str	REGN(lr), [REGN(sp), #-REG_WIDTH]!
 	bl	_rtld_setjmp
-	mov	c1, c0
+	ldr	REGN(lr), [REGN(sp)], #REG_WIDTH
 #endif
 
-	ldp	REG(0), REGN(lr), [REGN(sp)]
-	add	REGN(sp), REGN(sp), #(REG_WIDTH * 2)
-
 	/* Store the magic value and stack pointer */
 	ldr	x8, .Lmagic
 	mov	REG(9), REGN(sp)
@@ -81,11 +82,6 @@ ENTRY(setjmp)
 	stp	d12, d13, [REG(0)], #16
 	stp	d14, d15, [REG(0)], #16
 
-#if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
-	/* Store Executive mode state */
-	str	c1, [REG(0)], #16
-#endif
-
 	/* Return value */
 	mov	x0, #0
 	RETURN
@@ -109,6 +105,11 @@ ENTRY(longjmp)
 	ldp	REG(0), REGN(lr), [REGN(sp)]
 	add	REGN(sp), REGN(sp), #(REG_WIDTH * 4)
 
+#if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
+	/* Restore Executive mode state */
+	bl	_rtld_longjmp
+#endif
+
 	/* Check the magic value */
 	ldr	REG(8), [REG(0)], #(REG_WIDTH)
 	ldr	x9, .Lmagic
@@ -133,16 +134,6 @@ ENTRY(longjmp)
 	ldp	d12, d13, [REG(0)], #16
 	ldp	d14, d15, [REG(0)], #16
 
-#if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
-	/* Restore Executive mode state */
-	stp	REG(1), REGN(lr), [REGN(sp), #-(REG_WIDTH * 2)]!
-
-	ldr	c0, [c0], #16
-	bl	_rtld_longjmp
-
-	ldp	REG(1), REGN(lr), [REGN(sp)], #(REG_WIDTH * 2)
-#endif
-
 	/* Load the return value */
 	cmp	x1, #0
 	csinc	x0, x1, xzr, ne

diff --git a/lib/libc/aarch64/sys/Makefile.inc b/lib/libc/aarch64/sys/Makefile.inc
@@ -11,3 +11,8 @@ MDASM=	cerror.S \
 # Don't generate default code for these syscalls:
 NOASM+=	sbrk.o \
 	vfork.o
+
+.ifdef RTLD_SANDBOX
+SRCS+=	thr_exit.c
+PSEUDO+=	_thr_exit.o
+.endif
diff --git a/lib/libc/aarch64/sys/thr_exit.c b/lib/libc/aarch64/sys/thr_exit.c
@@ -0,0 +1,39 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2023 Dapeng Gao
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+#include <sys/types.h>
+
+void thr_exit(long *);
+
+void _rtld_thr_exit(long *);
+
+void
+thr_exit(long *state)
+{
+	_rtld_thr_exit(state);
+}
diff --git a/lib/libc/gen/dlfcn.c b/lib/libc/gen/dlfcn.c
@@ -61,7 +61,7 @@ void _rtld_atfork_post(int *);
 
 #if defined(__CHERI_PURE_CAPABILITY__) && defined(RTLD_SANDBOX)
 void _rtld_thread_start_init(void (*)(struct pthread *));
-void _rtld_sighandler_init(void *);
+void _rtld_sighandler_init(void (*)(int, siginfo_t *, void *));
 #endif
 
 /*
@@ -205,7 +205,7 @@ _rtld_thread_start_init(void (*p)(struct pthread *) __unused)
 
 #pragma weak _rtld_sighandler_init
 void
-_rtld_sighandler_init(void *p __unused)
+_rtld_sighandler_init(void (*p)(int, siginfo_t *, void *) __unused)
 {
 }
 #endif

diff --git a/lib/libsysdecode/utrace.c b/lib/libsysdecode/utrace.c
@@ -192,6 +192,16 @@ print_utrace_rtld(FILE *fp, void *p)
 	case UTRACE_RTLD_ERROR:
 		fprintf(fp, "RTLD: error: %s\n", ut->name);
 		break;
+	case UTRACE_COMPARTMENT_ENTER:
+		fprintf(fp,
+		    "RTLD: c18n: enter %s from %s at [%zu] %s (%p)",
+		    ut->callee, ut->caller, ut->mapsize, ut->symbol, ut->handle);
+		break;
+	case UTRACE_COMPARTMENT_LEAVE:
+		fprintf(fp,
+		    "RTLD: c18n: leave %s to %s at [%zu] %s",
+		    ut->callee, ut->caller, ut->mapsize, ut->symbol);
+		break;
 
 	default:
 		return (0);

diff --git a/lib/libthr/Makefile b/lib/libthr/Makefile
@@ -43,7 +43,8 @@ CFLAGS.thr_symbols.c+=	-Wno-missing-variable-declarations
 CFLAGS.thr_sig.c+=	-fno-sanitize=address
 .endif
 
-.if ${MACHINE_CPUARCH} == "arm"
+.if ${MACHINE_CPUARCH} == "arm" || defined(RTLD_SANDBOX)
+# XXX: RTLD_SANDBOX currently does not support stack unwinding.
 NO_THREAD_UNWIND_STACK= yes
 .endif
 

diff --git a/libexec/rtld-elf/Makefile b/libexec/rtld-elf/Makefile
@@ -115,6 +115,10 @@ SRCS+=		cheri_reloc.c
 CFLAGS+=	-I${RTLD_ELF_DIR}/cheri
 .endif
 
+.ifdef RTLD_SANDBOX
+SRCS+=		rtld_c18n.c rtld_c18n_machdep.c rtld_c18n_asm.S
+.endif
+
 .if ${MACHINE_ABI:Mpurecap}
 .PATH: ${SRCTOP}/lib/libmalloc_simple
 SRCS+=		heap.c malloc.c

diff --git a/libexec/rtld-elf/Symbol-c18n.map b/libexec/rtld-elf/Symbol-c18n.map
@@ -1,8 +1,11 @@
 FBSDprivate_1.0 {
     _rtld_thread_start_init;
     _rtld_thread_start;
+    _rtld_thr_exit;
     _rtld_sighandler_init;
     _rtld_sighandler;
     _rtld_setjmp;
     _rtld_longjmp;
+    _rtld_safebox_code;
+    _rtld_sandbox_code;
 };