Fix.loader.dynamic

.github/workflows/ci.yml

@@ -9,6 +9,13 @@ on:
 
 jobs:
   test-on-pkru-enabled-host:
+    # Preserve the stable job key for downstream users, but surface matrix
+    # details (including libc-compartment on/off) in the Actions UI.
+    name: >-
+      tests (pkru) [${{ matrix.build-type }}, ${{ matrix.c_compiler }},
+      ${{ matrix.linker }},
+      ${{ matrix.ia2-libc == 'IA2_LIBC_COMPARTMENT=ON' && 'libc-on' || 'libc-off' }},
+      ${{ matrix.ia2-tracer }}, ${{ matrix.ia2-debug }}]
     runs-on: self-hosted
     timeout-minutes: 5
     continue-on-error: ${{ matrix.ia2-tracer == 'ON' }}
@@ -22,6 +29,16 @@ jobs:
         ia2-tracer: [IA2_TRACER=ON, IA2_TRACER=OFF]
         ia2-verbose: [IA2_VERBOSE=ON]
         ia2-debug-memory: [IA2_DEBUG_MEMORY=ON]
+        ia2-libc: [IA2_LIBC_COMPARTMENT=OFF]
+        include:
+          - build-type: Release
+            c_compiler: clang
+            linker: lld
+            ia2-debug: IA2_DEBUG=ON
+            ia2-tracer: IA2_TRACER=OFF
+            ia2-verbose: IA2_VERBOSE=ON
+            ia2-debug-memory: IA2_DEBUG_MEMORY=ON
+            ia2-libc: IA2_LIBC_COMPARTMENT=ON
     steps:
       - name: Setup Rust
         # We don't use actions-rust-lang/setup-rust-toolchain because it's slower
@@ -50,6 +67,7 @@ jobs:
             -D${{ matrix.ia2-tracer }}                                   \
             -D${{ matrix.ia2-verbose }}                                  \
             -D${{ matrix.ia2-debug-memory }}                             \
+            -D${{ matrix.ia2-libc }}                                     \
             -G Ninja
           ninja
           popd

CMakeLists.txt

@@ -5,6 +5,20 @@ project(IA2Phase2)
 option(IA2_DEBUG "Enable debug telemetry and runtime checks" OFF)
 option(IA2_LIBC_COMPARTMENT "Enable libc/ld.so compartmentalization and exit callgate support" OFF)
 
+# The libc compartment feature is currently x86_64-only. Force it off on
+# AArch64 to avoid building incomplete loader-gate support and the resulting
+# runtime crashes under QEMU.
+if(DEFINED LIBIA2_AARCH64 AND LIBIA2_AARCH64 AND IA2_LIBC_COMPARTMENT)
+    message(WARNING "IA2_LIBC_COMPARTMENT is not supported on AArch64 yet; disabling for this build.")
+    set(IA2_LIBC_COMPARTMENT OFF CACHE BOOL "Enable libc/ld.so compartmentalization and exit callgate support" FORCE)
+endif()
+# Also guard based on the configured target processor in case the toolchain
+# variable is missing. Any aarch64 target should disable the feature.
+if(IA2_LIBC_COMPARTMENT AND CMAKE_SYSTEM_PROCESSOR MATCHES "aarch64")
+    message(WARNING "IA2_LIBC_COMPARTMENT is not supported on AArch64 targets; forcing OFF.")
+    set(IA2_LIBC_COMPARTMENT OFF CACHE BOOL "Enable libc/ld.so compartmentalization and exit callgate support" FORCE)
+endif()
+
 if(IA2_DEBUG)
     message(STATUS "IA2: debug mode enabled")
 endif()
@@ -51,4 +65,5 @@ ExternalProject_Add(tools
         -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
         -DClang_DIR=${Clang_DIR}
         -DLLVM_DIR=${LLVM_DIR}
+        -DIA2_LIBC_COMPARTMENT=${IA2_LIBC_COMPARTMENT}
     INSTALL_COMMAND "")

cmake/aarch64-toolchain.cmake

@@ -1,5 +1,9 @@
 set(LIBIA2_AARCH64 TRUE)
 
+# The libc/loader compartment feature is x86_64-only.  Force the option off
+# for all AArch64 builds to avoid pulling in incomplete loader PKRU paths.
+set(IA2_LIBC_COMPARTMENT OFF CACHE BOOL "Enable libc/ld.so compartmentalization and exit callgate support" FORCE)
+
 set(CMAKE_SYSTEM_NAME Linux)
 set(CMAKE_SYSTEM_PROCESSOR aarch64)
 

cmake/ia2.cmake

@@ -44,7 +44,8 @@ function(add_ia2_compartment NAME TYPE)
   endif()
 
   target_include_directories(${NAME} PRIVATE
-      ${CMAKE_SOURCE_DIR}/misc/test_runner/include)
+      ${CMAKE_SOURCE_DIR}/misc/test_runner/include
+      ${CMAKE_SOURCE_DIR}/tests/common)
   target_compile_definitions(${NAME} PRIVATE
     IA2_ENABLE=1
     PKEY=${ARG_PKEY}
@@ -154,7 +155,8 @@ function(create_compile_commands NAME TYPE)
   # the libraries defined by tests and instead just add the include flags for its
   # assertions
   target_include_directories(${COMPILE_COMMAND_TARGET} PRIVATE
-      ${CMAKE_SOURCE_DIR}/misc/test_runner/include)
+      ${CMAKE_SOURCE_DIR}/misc/test_runner/include
+      ${CMAKE_SOURCE_DIR}/tests/common)
   set(CMAKE_EXPORT_COMPILE_COMMANDS OFF)
 endfunction()
 

runtime/libia2/CMakeLists.txt

@@ -14,6 +14,24 @@ if(IA2_LIBC_COMPARTMENT)
     list(APPEND LIBIA2_SOURCES
         exit_callgates.c
     )
+    # Loader gate functionality uses x86-specific PKRU instructions
+    if(NOT LIBIA2_AARCH64)
+        list(APPEND LIBIA2_SOURCES
+            loader_gate.c
+            dlopen_wrapper.c
+            mmap_wrapper.c
+        )
+    else()
+        # AArch64 still needs the loader gate symbols even though PKRU gates are disabled
+        list(APPEND LIBIA2_SOURCES
+            loader_gate_stub.c
+        )
+    endif()
+else()
+    # Stub provides symbols when libc compartmentalization is disabled
+    list(APPEND LIBIA2_SOURCES
+        loader_gate_stub.c
+    )
 endif()
 
 add_library(libia2 ${LIBIA2_SOURCES})
@@ -50,6 +68,31 @@ target_link_options(libia2
         "-Wl,-z,relro"
 )
 
+# Loader gate wrap flags (x86-64 only, requires PKRU instructions)
+if(IA2_LIBC_COMPARTMENT AND NOT LIBIA2_AARCH64)
+    target_link_options(libia2
+        INTERFACE
+            # Loader entry point wrappers: interpose every libdl entry
+            # so the loader gate runs and keeps allocations on pkey 1
+            # for the threat model.
+            "-Wl,--wrap=dlopen"
+            "-Wl,--wrap=dlmopen"
+            "-Wl,--wrap=dlsym"
+            "-Wl,--wrap=dlvsym"
+            "-Wl,--wrap=dlclose"
+            "-Wl,--wrap=dladdr"
+            "-Wl,--wrap=dladdr1"
+            "-Wl,--wrap=dlinfo"
+            "-Wl,--wrap=dlerror"
+            "-Wl,--wrap=dl_iterate_phdr"
+
+            # Memory mapping wrappers (tag loader mmaps with pkey 1)
+            "-Wl,--wrap=mmap"
+            "-Wl,--wrap=mmap64"
+            "-Wl,--wrap=mremap"
+    )
+endif()
+
 if(CMAKE_BUILD_TYPE STREQUAL "Debug")
 set(CARGO_PROFILE "dev")
 set(CARGO_PROFILE_DIR "debug")

runtime/libia2/bootstrap_shim.version

@@ -0,0 +1,8 @@
+GLIBC_PRIVATE {
+  global:
+    __libc_dlopen_mode;
+    __libc_dlsym;
+    __libc_dlclose;
+  local:
+    *;
+};