On 09/01/2024 13:04, Chaitanya S Prakash wrote:
> Syscalls operating on memory mappings manage their address space via owning capabilities. They must adhere to a certain set of rules[1] in order to ensure memory safety. Address space management syscalls are only allowed to manipulate mappings that are within the range of the owning capability and have appropriate permissions.
> Tests to validate the capability's tag, bounds, range as well as permissions have been added. Finally, as certain flags and syscalls conflict with the reservation model or lack implementation, a check to verify appropriate handling of the same has also been added.
Well done, I think these tests are in a pretty good shape. Considering certain issues that I found while reviewing Amit's latest series, I would suggest adding the following tests (where you see fit):
- Ensuring that mmap(owning_cap, ..., MAP_FIXED) fails if the underlying reservation has been destroyed. The lifetime of reservations is generally undefined so this is hard to test if we only follow the spec, but it would make sense to have one test that relies on what we currently implement, i.e. the reservation is destroyed as soon as the last mapping is unmapped. So in practice something like ptr = mmap(...); munmap(ptr); mmap(ptr, ..., MAP_FIXED).
- Checking all capability permissions. In particular, special permissions like System are provided or not based on the caller's PCC, so it would be nice to check that removing System from PCC removes it from what mmap() returns too. Changing permissions in PCC is most easily done by adding a helper, creating a pointer to it, removing some permissions then calling that function pointer.
Kevin
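The first suggested test above (mmap, munmap, then mmap at the old address with MAP_FIXED), written out as an added, self-contained C probe that is not part of the thread or of the kernel selftests under review. It assumes nothing beyond POSIX mmap/munmap: on a kernel implementing the reservation model the thread describes, the MAP_FIXED remap of the just-unmapped address is expected to fail, while on a stock Linux kernel it simply succeeds at the same address, so the probe records which behaviour it observed rather than hard-coding either. The optional tag check relies on the `__CHERI_PURE_CAPABILITY__` macro and `__builtin_cheri_tag_get` builtin of CHERI Clang and is compiled out elsewhere.

```c
/* Added example (not from the thread): portable sketch of the
 * "remap after the reservation is destroyed" test.  On a kernel with
 * reservations the MAP_FIXED remap should fail; on a stock kernel it
 * succeeds at the old address.  The probe reports what it saw. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct reuse_probe {
    int first_ok;   /* initial anonymous mmap succeeded                  */
    int unmap_ok;   /* munmap of the whole mapping succeeded             */
    int second_ok;  /* MAP_FIXED remap at the same address succeeded     */
    int same_addr;  /* remap landed exactly on the old address           */
    int err;        /* errno of the failing step, 0 if none              */
    int tagged;     /* 1/0: capability tag of first pointer (CHERI only),
                       -1: not checked on this toolchain                 */
};

struct reuse_probe probe_reuse_after_unmap(void)
{
    struct reuse_probe r = {0, 0, 0, 0, 0, -1};
    size_t len = (size_t)sysconf(_SC_PAGESIZE);

    /* Step 1: ptr = mmap(...) */
    void *ptr = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (ptr == MAP_FAILED) { r.err = errno; return r; }
    r.first_ok = 1;
#ifdef __CHERI_PURE_CAPABILITY__
    /* Assumed CHERI Clang builtin: the returned owning capability
     * should carry a valid tag. */
    r.tagged = __builtin_cheri_tag_get(ptr) ? 1 : 0;
#endif

    /* Step 2: munmap(ptr) - last mapping goes, so (per the thread) the
     * reservation is destroyed on the kernel under review. */
    if (munmap(ptr, len) != 0) { r.err = errno; return r; }
    r.unmap_ok = 1;

    /* Step 3: mmap(ptr, ..., MAP_FIXED) using the stale pointer. */
    void *again = mmap(ptr, len, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (again == MAP_FAILED) { r.err = errno; return r; }
    r.second_ok = 1;
    r.same_addr = (again == ptr);
    munmap(again, len);
    return r;
}

/* 1 when the set-up steps (mmap + munmap) both succeeded. */
int probe_setup_ok(void)
{
    struct reuse_probe r = probe_reuse_after_unmap();
    return r.first_ok && r.unmap_ok;
}

/* 1 when the observation matches one of the two known models:
 * remap refused (reservation model) or remap at the same address
 * (stock kernel).  A remap that succeeded elsewhere is inconsistent. */
int probe_remap_consistent(void)
{
    struct reuse_probe r = probe_reuse_after_unmap();
    return r.second_ok ? r.same_addr : 1;
}

int main(void)
{
    struct reuse_probe r = probe_reuse_after_unmap();
    printf("mmap ok=%d munmap ok=%d remap ok=%d same addr=%d tag=%d errno=%s\n",
           r.first_ok, r.unmap_ok, r.second_ok, r.same_addr, r.tagged,
           r.err ? strerror(r.err) : "none");
    if (r.unmap_ok && !r.second_ok)
        puts("MAP_FIXED remap refused: consistent with the reservation model");
    return probe_setup_ok() && probe_remap_consistent() ? 0 : 1;
}
```

In a real selftest the third step would be turned into an explicit expectation (remap must fail once the reservation is gone) rather than a report, which is exactly the implementation-dependent assumption the message above flags.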