FreeBSD The Power to Serve

libsys

Contact: Brooks Davis <brooks@FreeBSD.org>

The libsys project removes direct system calls from libc.so and libpthread.so (aka libthr.so) to a separate libsys.so. This will:

  • Isolate language runtimes from the details of system call implementations.

  • Better support logging and replay frameworks for systems calls.

  • Support elimination of the ability to make system calls outside trusted code in the runtime linker and libsys.

This work was initially inspired by a compartmentalization prototype in CheriBSD in 2016. Ali Mashtizadeh and Tal Garfinkel picked that work up and attempted to upstream it (D14609). Unfortunately we could not figure out how to review and land the massive reorganization required through a phabricator review so it languished. Last year the CHERI project once again found a need for system call separation in a new library-based compartmentalization framework in CheriBSD so I rebuilt the patch from scratch, committing dozens of libc cleanups along the way. I landed the first batch of changes on February 5th. Since then I have made a number of refinements to the way we link libsys as well as which symbols are provided in which library.

Thanks to Konstantin Belousov for many rounds of review and feedback as well as runtime linker fixes. Thanks to Mark Johnston for runtime linker debugging and Dimitry Andric for sanitizer fixes. Thanks also to everyone who reported bugs and helped debug issues.

Known issues (as of the end of the reporting period)

  • The libsys ABI is not yet considered stable (it is safe to assume __sys_foo() will be supported so language runtimes can use it now).

  • Programs using the address sanitizer must be linked with -lsys (resolved in base at publication time).

TODO

  • Add a libsys.h. (See D44387 and other reviews in the stack.)

  • Update intro(2) for libsys.

  • Finalize the ABI. I am likely to reduce the set of _ (underscore) prefixed symbols we expose.

  • MFC the existence of libsys? It is not clear this is practical, but it might be possible to MFC something useful for language runtimes.

Help wanted

  • Port language runtimes that do not use libc to use libsys for system calls rather than rolling their own interfaces.

  • Explore limitations on where system calls can be made similar to OpenBSD’s msyscall(2) (now obsolete) and pinsyscalls(2) (not an obvious match to our libsys).

Sponsor: AFRL, DARPA

Last modified on: May 1, 2024 by Lorenzo Salvadore