Add PROT_CAP and PROT_NO_CAP

[paulmetzger]

CHERI Linux currently lacks mmap() protection flags to control whether capabilities may be written to or read from the mapped pages. CheriBSD has the protection flags PROT_CAP and PROT_NO_CAP for this. They are documented in CheriBSD's mmap() man page, including when each is implied automatically: https://man.cheribsd.org/cgi-bin/man.cgi/release-25.03/mmap.2

It would also be useful for CHERI Linux to add the signal codes SEGV_LOADTAG and SEGV_STORETAG, which indicate faults that occur when a loading or storing a capability fails due to insufficient page permissions.

@chrehrhardt had at least one case in the past that required user space modifications because these flags were missing.

[davidalide]

Does this mean the "use after free" protection scheme isn't supported in cheri linux currently? its my understanding that this scheme used they page protection flags to isolate freed pointers.

[chrehrhardt]

Indeed the temporal safety mechanisms are not implemented in cherry linux as of today. Which is why there is no real need for SEGV_LOADTAG and SEGV_STORETAG at the moment.

The PROT_CAP and PROT_NO_CAP bits are a diffent story and more generally useful. These should probably implemented independent of temporal safety.

[jrtc27]

PROT_(NO_)CAP and SEGV_(LOAD|STORE)TAG are not for temporal safety.

[scosu]

I will be working on this next.

[paul-metzger]

@scosu have you had a chance to work on this?

[scosu]

Yes, I did, I have an implementation that doesn't work. It clears PTE.CW but it isn't enforced, I am still debugging to find the issue.

[paul-metzger]

Ok, thanks for the update!