vm: Refactor vm_map_prot2perms.

qwattash · qwattash · commit f5bd85c05c42 · 2026-02-19T15:00:12.000Z
Remove the definition indirection via CHERI_PERMS_PROT2PERM_*; instead,
make vm_map_prot2perms fully machine-dependent.

Add a base_perms argument to vm_map_prot2perms. This removes the use
of CHERI_PROT2PERM_MASK and make it clearer that the permission mask
is inherited from a base permission bitmask that is altered according
to VM_PROT_*.
diff --git a/sys/arm64/arm64/pmap.c b/sys/arm64/arm64/pmap.c
@@ -2541,12 +2541,15 @@ pmap_kremove_device(vm_offset_t sva, vm_size_t size)
 vm_pointer_t
 pmap_map(vm_pointer_t *virt, vm_paddr_t start, vm_paddr_t end, int prot)
 {
+	vm_pointer_t p;
+
+	p = PHYS_TO_DMAP(start);
 #ifdef __CHERI_PURE_CAPABILITY__
-	return cheri_perms_and(cheri_bounds_set(PHYS_TO_DMAP(start), end - start),
-	    vm_map_prot2perms(prot));
-#else
-	return PHYS_TO_DMAP(start);
+	p = cheri_bounds_set(p, end - start);
+	p = cheri_perms_and(p, vm_map_prot2perms(cheri_perms_get(p), prot));
 #endif
+
+	return (p);
 }
 
 /*
diff --git a/sys/arm64/cheri/cheri_machdep.c b/sys/arm64/cheri/cheri_machdep.c
@@ -34,6 +34,7 @@
 #include <sys/kernel.h>
 #include <sys/devmap.h>
 #include <sys/proc.h>
+#include <vm/vm.h>
 
 #include <cheri/cheri.h>
 #include <cheri/cheric.h>
@@ -127,3 +128,37 @@ hybridabi_thread_setregs(struct thread *td, unsigned long entry_addr)
 	    td, CHERI_CAP_USER_CODE_PERMS, CHERI_CAP_USER_CODE_BASE,
 	    CHERI_CAP_USER_CODE_LENGTH, entry_addr));
 }
+
+int
+vm_map_prot2perms(int base, vm_prot_t prot)
+{
+	int perms = 0;
+
+	if (prot & (VM_PROT_CAP | VM_PROT_NO_IMPLY_CAP)) {
+		if (prot & (VM_PROT_READ | VM_PROT_COPY))
+			perms |= CHERI_PERM_LOAD;
+		if (VM_PROT_HAS_READ_CAP(prot))
+			perms |= CHERI_PERM_LOAD_CAP | CHERI_PERM_MUTABLE_LOAD;
+		if (prot & VM_PROT_WRITE)
+			perms |= CHERI_PERM_STORE;
+		if (VM_PROT_HAS_WRITE_CAP(prot))
+			perms |= CHERI_PERM_STORE_CAP |
+			    CHERI_PERM_STORE_LOCAL_CAP;
+	} else {
+		if (prot & (VM_PROT_READ | VM_PROT_COPY))
+			perms |= CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP |
+			    CHERI_PERM_MUTABLE_LOAD;
+		if (prot & VM_PROT_WRITE)
+			perms |= CHERI_PERM_STORE | CHERI_PERM_STORE_CAP |
+			    CHERI_PERM_STORE_LOCAL_CAP;
+	}
+	if (prot & VM_PROT_EXECUTE)
+		perms |= CHERI_PERM_EXECUTE | CHERI_PERM_EXECUTIVE |
+		    CHERI_PERM_LOAD;
+
+	base &= ~(CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP | CHERI_PERM_MUTABLE_LOAD |
+	    CHERI_PERM_STORE | CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_LOCAL_CAP |
+	    CHERI_PERM_EXECUTE | CHERI_PERM_EXECUTIVE);
+
+	return (base | perms);
+}
diff --git a/sys/arm64/include/cherireg.h b/sys/arm64/include/cherireg.h
@@ -112,21 +112,6 @@
 
 /* TODO #define CHERI_PERMS_HWALL_CID	(CHERI_PERM_SETCID) */
 
-/*
- * vm_prot_t to capability permission bits
- */
-#define	CHERI_PERMS_PROT2PERM_READ					\
-	CHERI_PERM_LOAD
-#define	CHERI_PERMS_PROT2PERM_READ_CAP					\
-	(CHERI_PERM_LOAD_CAP | CHERI_PERM_MUTABLE_LOAD)
-#define	CHERI_PERMS_PROT2PERM_WRITE					\
-	CHERI_PERM_STORE
-#define	CHERI_PERMS_PROT2PERM_WRITE_CAP					\
-	(CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_LOCAL_CAP)
-#define	CHERI_PERMS_PROT2PERM_EXEC					\
-	(CHERI_PERM_EXECUTE | CHERI_PERM_EXECUTIVE |			\
-	 CHERI_PERMS_PROT2PERM_READ)
-
 /*
  * Basic userspace permission mask; CHERI_PERM_EXECUTE will be added for
  * executable capabilities (pcc); CHERI_PERM_STORE, CHERI_PERM_STORE_CAP,
diff --git a/sys/cheri/cherireg.h b/sys/cheri/cherireg.h
@@ -104,19 +104,6 @@
     (CHERI_OTYPE_USER_MAX - CHERI_OTYPE_USER_MIN + 1)
 #define	CHERI_SEALCAP_USERSPACE_OFFSET	0x0
 
-/*
- * Definition for mapping vm_prot_t to capability permission
- */
-#define	CHERI_PROT2PERM_READ_PERMS	CHERI_PERMS_PROT2PERM_READ
-#define	CHERI_PROT2PERM_READ_CAP_PERMS	CHERI_PERMS_PROT2PERM_READ_CAP
-#define	CHERI_PROT2PERM_WRITE_PERMS	CHERI_PERMS_PROT2PERM_WRITE
-#define	CHERI_PROT2PERM_WRITE_CAP_PERMS	CHERI_PERMS_PROT2PERM_WRITE_CAP
-#define	CHERI_PROT2PERM_EXEC_PERMS	CHERI_PERMS_PROT2PERM_EXEC
-#define	CHERI_PROT2PERM_MASK						\
-    (CHERI_PROT2PERM_READ_PERMS | CHERI_PROT2PERM_WRITE_PERMS |		\
-    CHERI_PROT2PERM_READ_CAP_PERMS | CHERI_PROT2PERM_WRITE_CAP_PERMS |	\
-    CHERI_PROT2PERM_EXEC_PERMS)
-
 /*
  * Root sealing capability for kernel managed objects.
  */
diff --git a/sys/compat/linuxkpi/common/src/linux_page.c b/sys/compat/linuxkpi/common/src/linux_page.c
@@ -240,7 +240,7 @@ __get_user_pages_fast(void * __capability addr, int nr_pages, int write,
 	prot = write ? (VM_PROT_READ | VM_PROT_WRITE) : VM_PROT_READ;
 	len = ptoa((vm_offset_t)nr_pages);
 #if __has_feature(capabilities)
-	if (!cheri_can_access(addr, vm_map_prot2perms(prot), len))
+	if (!cheri_can_access(addr, vm_map_prot2perms(0, prot), len))
 		return (-1);
 #endif
 	MPASS(pages != NULL);
diff --git a/sys/dev/pci/pci_user.c b/sys/dev/pci/pci_user.c
@@ -1022,7 +1022,7 @@ pci_bar_mmap(device_t pcidev, struct pci_bar_mmap *pbm)
 	}
 #if __has_feature(capabilities) && !defined(__CHERI_PURE_CAPABILITY__)
 	pbm->pbm_map_base = cheri_capability_build_user_data(
-	    vm_map_prot2perms(prot), addr, plen, 0);
+	    vm_map_prot2perms(0, prot), addr, plen, 0);
 #else
 	pbm->pbm_map_base = (void *)addr;
 #endif
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
@@ -1311,8 +1311,7 @@ exec_map_stack(struct image_params *imgp)
 	}
 
 #if __has_feature(capabilities)
-	perms = (~CHERI_PROT2PERM_MASK | vm_map_prot2perms(stack_prot)) &
-	    CHERI_CAP_USER_DATA_PERMS;
+        perms = vm_map_prot2perms(CHERI_CAP_USER_DATA_PERMS, stack_prot);
 #ifdef __CHERI_PURE_CAPABILITY__
 	imgp->stack = (void *)cheri_perms_and(stack_top, perms);
 #else
diff --git a/sys/riscv/cheri/cheri_machdep.c b/sys/riscv/cheri/cheri_machdep.c
@@ -34,6 +34,7 @@
 #include <sys/kernel.h>
 #include <sys/devmap.h>
 #include <sys/proc.h>
+#include <vm/vm.h>
 
 #include <cheri/cheri.h>
 #include <cheri/cheric.h>
@@ -100,6 +101,38 @@ hybridabi_thread_setregs(struct thread *td, unsigned long entry_addr)
 	    td, CHERI_CAP_USER_CODE_PERMS, CHERI_CAP_USER_CODE_BASE,
 	    CHERI_CAP_USER_CODE_LENGTH, entry_addr);
 }
+
+int
+vm_map_prot2perms(int base, vm_prot_t prot)
+{
+	int perms = 0;
+
+	if (prot & (VM_PROT_CAP | VM_PROT_NO_IMPLY_CAP)) {
+		if (prot & (VM_PROT_READ | VM_PROT_COPY))
+			perms |= CHERI_PERM_LOAD;
+		if (VM_PROT_HAS_READ_CAP(prot))
+			perms |= CHERI_PERM_LOAD_CAP;
+		if (prot & VM_PROT_WRITE)
+			perms |= CHERI_PERM_STORE;
+		if (VM_PROT_HAS_WRITE_CAP(prot))
+			perms |= CHERI_PERM_STORE_CAP |
+			    CHERI_PERM_STORE_LOCAL_CAP;
+	} else {
+		if (prot & (VM_PROT_READ | VM_PROT_COPY))
+			perms |= CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP;
+		if (prot & VM_PROT_WRITE)
+			perms |= CHERI_PERM_STORE | CHERI_PERM_STORE_CAP |
+			    CHERI_PERM_STORE_LOCAL_CAP;
+	}
+	if (prot & VM_PROT_EXECUTE)
+		perms |= CHERI_PERM_EXECUTE | CHERI_PERM_LOAD;
+
+	base &= ~(CHERI_PERM_LOAD | CHERI_PERM_LOAD_CAP | CHERI_PERM_STORE |
+	    CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_LOCAL_CAP |
+	    CHERI_PERM_EXECUTE);
+
+	return (base | perms);
+}
 // CHERI CHANGES START
 // {
 //   "updated": 20230509,
diff --git a/sys/riscv/include/cherireg.h b/sys/riscv/include/cherireg.h
@@ -96,20 +96,6 @@
 	CHERI_PERM_SEAL | CHERI_PERM_INVOKE | CHERI_PERM_UNSEAL |	\
 	CHERI_PERM_SYSTEM_REGS | CHERI_PERM_SET_CID)
 
-/*
- * vm_prot_t to capability permission bits
- */
-#define	CHERI_PERMS_PROT2PERM_READ					\
-	CHERI_PERM_LOAD
-#define	CHERI_PERMS_PROT2PERM_READ_CAP					\
-	CHERI_PERM_LOAD_CAP
-#define	CHERI_PERMS_PROT2PERM_WRITE					\
-	CHERI_PERM_STORE
-#define	CHERI_PERMS_PROT2PERM_WRITE_CAP					\
-	(CHERI_PERM_STORE_CAP | CHERI_PERM_STORE_LOCAL_CAP)
-#define	CHERI_PERMS_PROT2PERM_EXEC					\
-	(CHERI_PERM_EXECUTE | CHERI_PERMS_PROT2PERM_READ)
-
 /*
  * Hardware defines a kind of tripartite taxonomy: memory, type, and CID.
  * They're all squished together in the permission bits, so define masks
diff --git a/sys/riscv/riscv/pmap.c b/sys/riscv/riscv/pmap.c
@@ -1375,9 +1375,10 @@ pmap_map(vm_pointer_t *virt, vm_paddr_t start, vm_paddr_t end, int prot)
 	vm_pointer_t p;
 
 	p = PHYS_TO_DMAP(start);
-	p = cheri_kern_bounds_set(p, end - start);
-	p = cheri_kern_perms_and(p, vm_map_prot2perms(prot) |
-	    ~CHERI_PROT2PERM_MASK);
+#ifdef __CHERI_PURE_CAPABILITY__
+	p = cheri_bounds_set(p, end - start);
+	p = cheri_perms_and(p, vm_map_prot2perms(cheri_perms_get(p), prot));
+#endif
 
 	return (p);
 }
diff --git a/sys/vm/vm.h b/sys/vm/vm.h
@@ -205,6 +205,10 @@ extern struct kva_md_info	kmi;
 extern int old_mlock;
 extern int vm_ndomains;
 extern int vm_overcommit;
+
+#if __has_feature(capabilities)
+int vm_map_prot2perms(int base, vm_prot_t prot);
+#endif
 #endif				/* _KERNEL */
 
 #endif				/* VM_H */
diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c
@@ -2366,7 +2366,7 @@ vm_fault_quick_hold_pages(vm_map_t map, void * __capability addr, vm_size_t len,
 	if (len == 0)
 		return (0);
 #if __has_feature(capabilities)
-	if (!cheri_can_access(addr, vm_map_prot2perms(prot), len))
+	if (!cheri_can_access(addr, vm_map_prot2perms(0, prot), len))
 		return (-1);
 #endif
 	start = (__cheri_addr vm_offset_t)trunc_page(addr);
diff --git a/sys/vm/vm_glue.c b/sys/vm/vm_glue.c
@@ -171,7 +171,7 @@ useracc(void * __capability cap, int len, int rw)
 	    ("illegal ``rw'' argument to useracc (%x)\n", rw));
 	prot = rw;
 #if __has_feature(capabilities)
-	if (!cheri_can_access(cap, vm_map_prot2perms(prot), len))
+	if (!cheri_can_access(cap, vm_map_prot2perms(0, prot), len))
 		return (false);
 #endif
 	addr = (__cheri_addr vm_offset_t)cap;
@@ -195,7 +195,7 @@ vslock(void * __capability addr, size_t len, vm_prot_t prot __unused)
 
 #if __has_feature(capabilities)
 	if (!cheri_can_access(addr,
-	    vm_map_prot2perms(prot | VM_PROT_NO_IMPLY_CAP), len))
+	    vm_map_prot2perms(0, prot | VM_PROT_NO_IMPLY_CAP), len))
 		return (EPROT);
 #endif
 	vaddr = (__cheri_addr vm_offset_t)addr;
diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
@@ -6158,36 +6158,6 @@ vm_map_reservation_init_entry(vm_map_entry_t new_entry)
 }
 
 #if __has_feature(capabilities)
-/*
- * Convert vm_prot_t to capability permission bits.
- */
-int
-vm_map_prot2perms(vm_prot_t prot)
-{
-	int perms = 0;
-
-	if (prot & (VM_PROT_CAP | VM_PROT_NO_IMPLY_CAP)) {
-		if (prot & (VM_PROT_READ | VM_PROT_COPY))
-			perms |= CHERI_PROT2PERM_READ_PERMS;
-		if (VM_PROT_HAS_READ_CAP(prot))
-			perms |= CHERI_PROT2PERM_READ_CAP_PERMS;
-		if (prot & VM_PROT_WRITE)
-			perms |= CHERI_PROT2PERM_WRITE_PERMS;
-		if (VM_PROT_HAS_WRITE_CAP(prot))
-			perms |= CHERI_PROT2PERM_WRITE_CAP_PERMS;
-	} else {
-		if (prot & (VM_PROT_READ | VM_PROT_COPY))
-			perms |= CHERI_PROT2PERM_READ_PERMS |
-			    CHERI_PROT2PERM_READ_CAP_PERMS;
-		if (prot & VM_PROT_WRITE)
-			perms |= CHERI_PROT2PERM_WRITE_PERMS |
-			    CHERI_PROT2PERM_WRITE_CAP_PERMS;
-	}
-	if (prot & VM_PROT_EXECUTE)
-		perms |= CHERI_PROT2PERM_EXEC_PERMS;
-
-	return (perms);
-}
 
 /*
  * Create a capability for the given map, derived from the map root
@@ -6198,10 +6168,10 @@ _vm_map_buildcap(vm_map_t map, vm_offset_t addr, vm_size_t length,
     vm_prot_t prot)
 {
 	uintcap_t retcap;
-	int perms = ~CHERI_PROT2PERM_MASK | vm_map_prot2perms(prot);
+        uintcap_t rootcap = vm_map_rootcap(map);
+	int perms = vm_map_prot2perms(cheri_perms_get(rootcap), prot);
 
-	retcap = cheri_bounds_set(
-	    cheri_address_set(vm_map_rootcap(map), addr), length);
+	retcap = cheri_bounds_set(cheri_address_set(rootcap, addr), length);
 
 	return (cheri_perms_and(retcap, perms));
 }
diff --git a/sys/vm/vm_map.h b/sys/vm/vm_map.h
@@ -599,10 +599,7 @@ int vm_map_reservation_create(vm_map_t, vm_pointer_t *, vm_size_t, vm_offset_t,
 int vm_map_reservation_create_locked(vm_map_t, vm_pointer_t *, vm_size_t, vm_prot_t);
 int vm_map_reservation_get(vm_map_t, vm_offset_t, vm_size_t, vm_offset_t *);
 #if __has_feature(capabilities)
-int vm_map_prot2perms(vm_prot_t prot);
 void * __capability vm_map_reservation_cap(vm_map_t, vm_offset_t);
-#endif
-#if __has_feature(capabilities)
 uintcap_t _vm_map_buildcap(vm_map_t map, vm_offset_t addr, vm_size_t length,
     vm_prot_t prot);
 #define	vm_map_buildcap(map, addr, length, prot)	\
diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c
@@ -209,7 +209,7 @@ mmap_retcap(struct thread *td, vm_pointer_t addr,
 	 * Set the permissions to PROT_MAX to allow a full
 	 * range of access subject to page permissions.
 	 */
-	perms = ~CHERI_PROT2PERM_MASK | vm_map_prot2perms(cap_prot);
+	perms = vm_map_prot2perms(cheri_perms_get(newcap), cap_prot);
 	newcap = cheri_perms_and(newcap, perms);
 
 	return (newcap);
@@ -376,7 +376,7 @@ sys_mmap(struct thread *td, struct mmap_args *uap)
 	}
 
 	perms = cheri_perms_get(source_cap);
-	reqperms = vm_map_prot2perms(uap->prot);
+	reqperms = vm_map_prot2perms(0, uap->prot);
 #ifdef CHERI_PERM_EXECUTIVE
 	if ((flags & MAP_FIXED) && (perms & CHERI_PERM_EXECUTIVE) == 0)
 		/*

Original file line number	Diff line number	Diff line change
`@@ -1022,7 +1022,7 @@ pci_bar_mmap(device_t pcidev, struct pci_bar_mmap *pbm)`
`1022`	`1022`	`}`
`1023`	`1023`	`#if __has_feature(capabilities) && !defined(__CHERI_PURE_CAPABILITY__)`
`1024`	`1024`	`pbm->pbm_map_base = cheri_capability_build_user_data(`
`1025`		`- vm_map_prot2perms(prot), addr, plen, 0);`
	`1025`	`+ vm_map_prot2perms(0, prot), addr, plen, 0);`
`1026`	`1026`	`#else`
`1027`	`1027`	`pbm->pbm_map_base = (void *)addr;`
`1028`	`1028`	`#endif`
Original file line number	Diff line number	Diff line change
`@@ -1311,8 +1311,7 @@ exec_map_stack(struct image_params *imgp)`
`1311`	`1311`	`}`
`1312`	`1312`
`1313`	`1313`	`#if __has_feature(capabilities)`
`1314`		`- perms = (~CHERI_PROT2PERM_MASK \| vm_map_prot2perms(stack_prot)) &`
`1315`		`- CHERI_CAP_USER_DATA_PERMS;`
	`1314`	`+ perms = vm_map_prot2perms(CHERI_CAP_USER_DATA_PERMS, stack_prot);`
`1316`	`1315`	`#ifdef __CHERI_PURE_CAPABILITY__`
`1317`	`1316`	`imgp->stack = (void *)cheri_perms_and(stack_top, perms);`
`1318`	`1317`	`#else`