NAME
compartmentalization, c18n — library-based software compartmentalization
DESCRIPTION
This document contains instructions for using the library-based compartmentalization (c18n) prototype.
Library-based compartmentalization contains a set of features provided by rtld(1) and other system libraries that enhances the security of existing dynamically-linked pure-capability programs.
A new process inherits the compartmentalization setting of its parent. To enable c18n for all new processes across the entire system, run
    sysctl security.cheri.lib_based_c18n_default=1
To override this and permanently enable or disable c18n for a particular executable, use the elfctl(1) tool to write the setting into the executable.
To override this and temporarily enable or disable c18n for a particular executable, run
    proccontrol -m cheric18n -s enable executable
or
    proccontrol -m cheric18n -s disable executable
These in turn are overridden by the environment variables LD_COMPARTMENT_ENABLE and LD_COMPARTMENT_DISABLE. If both environment variables are set, c18n is disabled. Note that environment variables are not reliably inherited when processes fork.
rtld(1) automatically searches from this path first when c18n is
enabled.
COMPARTMENT TRANSITION TRACING
Compartment transitions can be traced with the ktrace(1) facility. To generate a trace, set the environment variable LD_UTRACE_COMPARTMENT and invoke the executable with ktrace(1).
CAUTION: Compartment transition tracing is only intended for debugging and analysis purposes. Turning it on will reduce security.
COMPARTMENT TRANSITION OVERHEAD SIMULATION
To simulate the overhead of making a system call during each compartment transition, set the environment variable LD_COMPARTMENT_OVERHEAD and invoke the executable. Each compartment transition will then make a getpid(2) system call.
CAUTION: Compartment transition overhead simulation is only intended for performance analysis purposes. Turning it on will reduce security.
BENCHMARK ABI VARIANT
The benchmark ABI variant of the runtime linker also supports c18n. Note that environment variables recognized by this variant need to be prefixed with LD_64CB_ instead of LD_.
NOTE: Because the purecap variant uses some of Morello's architectural features that are unavailable under the benchmark ABI, the benchmark ABI variant is not a mere translation of the purecap variant but has a slightly different implementation. The best effort has been made to ensure that such a divergence does not bias performance estimates under almost all circumstances.
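The precedence rules above (the ENABLE/DISABLE environment variables override the sysctl, elfctl and proccontrol settings, and DISABLE wins when both variables are set), the two analysis-only variables that reduce security when left set, and the LD_64CB_ prefix of the benchmark ABI variant, applied in an added POSIX shell example. This script is not part of this manual page or of rtld(1); the function names c18n_effective, c18n_debug_vars and c18n_guarded_exec are its own, and its DEFAULT argument is assumed to stand in for whatever the sysctl/elfctl/proccontrol layers would yield, which the script does not query.

```shell
#!/bin/sh
# Added example, not part of the c18n manual page or of rtld(1).
# PREFIX is "LD_" for the purecap runtime linker and "LD_64CB_" for the
# benchmark ABI variant. DEFAULT ("enabled" or "disabled") is an assumed
# stand-in for the sysctl/elfctl/proccontrol layers; they are not queried.

# c18n_effective PREFIX DEFAULT -> prints "enabled" or "disabled"
c18n_effective() {
    prefix=$1
    default=$2
    # ${VAR+set} expands to "set" whenever VAR is present, even if empty,
    # which matches the page's "set the environment variable" wording.
    eval "enable=\${${prefix}COMPARTMENT_ENABLE+set}"
    eval "disable=\${${prefix}COMPARTMENT_DISABLE+set}"
    if [ -n "$disable" ]; then
        printf 'disabled\n'      # DISABLE wins, also when ENABLE is set too
    elif [ -n "$enable" ]; then
        printf 'enabled\n'
    else
        printf '%s\n' "$default" # fall back to the lower-precedence layers
    fi
}

# c18n_debug_vars PREFIX -> prints each tracing/overhead-simulation variable
# that is set; returns 0 when none are set, 1 when at least one is.
c18n_debug_vars() {
    prefix=$1
    found=0
    for suffix in UTRACE_COMPARTMENT COMPARTMENT_OVERHEAD; do
        var="${prefix}${suffix}"
        eval "present=\${${var}+set}"
        if [ -n "$present" ]; then
            printf '%s\n' "$var"
            found=1
        fi
    done
    return $found
}

# c18n_guarded_exec PREFIX COMMAND [ARGS...] -> refuses (status 2) to start a
# program while an analysis-only variable is set; otherwise clears DISABLE,
# sets ENABLE so that c18n is on regardless of the lower layers, and execs.
c18n_guarded_exec() {
    prefix=$1
    shift
    if ! c18n_debug_vars "$prefix" >/dev/null; then
        echo "refusing to run: c18n analysis variables are set:" >&2
        c18n_debug_vars "$prefix" >&2
        return 2
    fi
    eval "unset ${prefix}COMPARTMENT_DISABLE"
    eval "${prefix}COMPARTMENT_ENABLE=1; export ${prefix}COMPARTMENT_ENABLE"
    exec "$@"
}

# Usage (source the file, then call the functions):
#   . ./c18n-env.sh
#   c18n_effective LD_ disabled
#   c18n_guarded_exec LD_ /path/to/executable
```

Because each variant reads only its own prefix, a purecap LD_ setting has no effect on the benchmark ABI variant and vice versa; c18n_effective makes that visible by taking the prefix as a parameter rather than hard-coding LD_.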
COMPATIBILITY
- Calling vfork(2) is identical to calling fork(2), that is, no memory sharing will take place between the parent and child processes.
- Calling rfork(2) with flags RFMEM or RFSIGSHARE will return -1.
- sigaltstack(2) does not work as expected. This impacts some applications that use an alternative stack to handle stack-overflow exceptions.
- getcontext(3), setcontext(3), and related functions do not work as expected. This impacts certain threading and coroutine libraries.
SECURITY
This work is of an experimental nature. It does not provide complete isolation between compartments. For example, compartments are allowed to make arbitrary system calls to obtain privileges and to access other compartments' thread-local data even when said data has static linkage. Calling function pointers in other compartments may also unexpectedly leak capabilities.
AUTHORS
Dapeng Gao <dapeng.gao@cl.cam.ac.uk>