WIP: Implement seccomp-bpf sandbox for nacl_helper_nonsfi.

sandbox/linux/seccomp-bpf/trap.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/trap.h"
 
 #include <errno.h>
-#include <signal.h>
 #include <string.h>
 #include <sys/syscall.h>
 
 #include <algorithm>
 #include <limits>
 
 #include "base/logging.h"
 #include "build/build_config.h"
 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
 #include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
+#include "sandbox/linux/services/syscall_wrappers.h"
 #include "sandbox/linux/system_headers/linux_seccomp.h"
+#include "sandbox/linux/system_headers/linux_signal.h"
 
 // Android's signal.h doesn't define ucontext etc.
-#if defined(OS_ANDROID)
+#if defined(OS_ANDROID) || defined(OS_NACL_NONSFI)
 #include "sandbox/linux/system_headers/android_ucontext.h"
 #endif
 
 namespace {
 
-struct arch_sigsys {
-  void* ip;
-  int nr;
-  unsigned int arch;
-};
+// TODO: Where is the best place to put these?
+int linux_sigemptyset(linux_sigset_t* sigset) {
+  memset(sigset, 0, sizeof(*sigset));
+  return 0;
+}
+
+// TODO: do we need to support 64-bits?
+int linux_sigaddset(linux_sigset_t* sigset, int signum) {
+  sigset->sig[0] |= (1 << (signum - 1));
+  return 0;
+}
+
+// TODO: do we need to support 64-bits?
+int linux_sigismember(const linux_sigset_t *sigset, int signum) {
+  return (sigset->sig[0] >> (signum - 1)) & 1;
+}
 
 const int kCapacityIncrement = 20;
 
 // Unsafe traps can only be turned on, if the user explicitly allowed them
 // by setting the CHROME_SANDBOX_DEBUGGING environment variable.
 const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING";
 
 // We need to tell whether we are performing a "normal" callback, or
 // whether we were called recursively from within a UnsafeTrap() callback.
 // This is a little tricky to do, because we need to somehow get access to
 // per-thread data from within a signal context. Normal TLS storage is not
 // safely accessible at this time. We could roll our own, but that involves
 // a lot of complexity. Instead, we co-opt one bit in the signal mask.
 // If BUS is blocked, we assume that we have been called recursively.
 // There is a possibility for collision with other code that needs to do
 // this, but in practice the risks are low.
 // If SIGBUS turns out to be a problem, we could instead co-opt one of the
 // realtime signals. There are plenty of them. Unfortunately, there is no
 // way to mark a signal as allocated. So, the potential for collision is
 // possibly even worse.
 bool GetIsInSigHandler(const ucontext_t* ctx) {
-  // Note: on Android, sigismember does not take a pointer to const.
-  return sigismember(const_cast<sigset_t*>(&ctx->uc_sigmask), SIGBUS);
+  return linux_sigismember(
+      reinterpret_cast<const linux_sigset_t*>(&ctx->uc_sigmask),
+      LINUX_SIGBUS);
 }
 
 void SetIsInSigHandler() {
-  sigset_t mask;
-  if (sigemptyset(&mask) || sigaddset(&mask, SIGBUS) ||
-      sigprocmask(SIG_BLOCK, &mask, NULL)) {
+  linux_sigset_t mask;
+  if (linux_sigemptyset(&mask) || linux_sigaddset(&mask, LINUX_SIGBUS) ||
+      sandbox::sys_sigprocmask(LINUX_SIG_BLOCK, &mask, NULL)) {
     SANDBOX_DIE("Failed to block SIGBUS");
   }
 }
 
-bool IsDefaultSignalAction(const struct sigaction& sa) {
-  if (sa.sa_flags & SA_SIGINFO || sa.sa_handler != SIG_DFL) {
+bool IsDefaultSignalAction(const struct linux_sigaction& sa) {
+  if (sa.sa_flags & LINUX_SA_SIGINFO || sa.sa_handler_ != LINUX_SIG_DFL) {
     return false;
   }
   return true;
 }
 
 }  // namespace
 
 namespace sandbox {
 
 Trap::Trap()
     : trap_array_(NULL),
       trap_array_size_(0),
       trap_array_capacity_(0),
       has_unsafe_traps_(false) {
   // Set new SIGSYS handler
-  struct sigaction sa = {};
-  sa.sa_sigaction = SigSysAction;
-  sa.sa_flags = SA_SIGINFO | SA_NODEFER;
-  struct sigaction old_sa;
-  if (sigaction(SIGSYS, &sa, &old_sa) < 0) {
+  struct linux_sigaction sa = {};
+  sa.sa_sigaction_ = SigSysAction;
+  sa.sa_flags = LINUX_SA_SIGINFO | LINUX_SA_NODEFER;
+  struct linux_sigaction old_sa;
+  if (sys_sigaction(LINUX_SIGSYS, &sa, &old_sa) < 0) {
     SANDBOX_DIE("Failed to configure SIGSYS handler");
   }
 
   if (!IsDefaultSignalAction(old_sa)) {
     static const char kExistingSIGSYSMsg[] =
         "Existing signal handler when trying to install SIGSYS. SIGSYS needs "
         "to be reserved for seccomp-bpf.";
     DLOG(FATAL) << kExistingSIGSYSMsg;
     LOG(ERROR) << kExistingSIGSYSMsg;
   }
 
   // Unmask SIGSYS
-  sigset_t mask;
-  if (sigemptyset(&mask) || sigaddset(&mask, SIGSYS) ||
-      sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
+  linux_sigset_t mask;
+  if (linux_sigemptyset(&mask) || linux_sigaddset(&mask, SIGSYS) ||
+      sys_sigprocmask(LINUX_SIG_UNBLOCK, &mask, NULL)) {
     SANDBOX_DIE("Failed to configure SIGSYS handler");
   }
 }
 
 bpf_dsl::TrapRegistry* Trap::Registry() {
   // Note: This class is not thread safe. It is the caller's responsibility
   // to avoid race conditions. Normally, this is a non-issue as the sandbox
   // can only be initialized if there are no other threads present.
   // Also, this is not a normal singleton. Once created, the global trap
   // object must never be destroyed again.
   if (!global_trap_) {
     global_trap_ = new Trap();
     if (!global_trap_) {
       SANDBOX_DIE("Failed to allocate global trap handler");
     }
   }
   return global_trap_;
 }
 
-void Trap::SigSysAction(int nr, siginfo_t* info, void* void_context) {
+void Trap::SigSysAction(int nr, linux_siginfo_t* info, void* void_context) {
   if (!global_trap_) {
     RAW_SANDBOX_DIE(
         "This can't happen. Found no global singleton instance "
         "for Trap() handling.");
   }
   global_trap_->SigSys(nr, info, void_context);
 }
 
-void Trap::SigSys(int nr, siginfo_t* info, void* void_context) {
+void Trap::SigSys(int nr, linux_siginfo_t* info, void* void_context) {
   // Signal handlers should always preserve "errno". Otherwise, we could
   // trigger really subtle bugs.
   const int old_errno = errno;
 
   // Various sanity checks to make sure we actually received a signal
   // triggered by a BPF filter. If something else triggered SIGSYS
   // (e.g. kill()), there is really nothing we can do with this signal.
-  if (nr != SIGSYS || info->si_code != SYS_SECCOMP || !void_context ||
+  if (nr != LINUX_SIGSYS || info->si_code != SYS_SECCOMP || !void_context ||
       info->si_errno <= 0 ||
       static_cast<size_t>(info->si_errno) > trap_array_size_) {
     // ATI drivers seem to send SIGSYS, so this cannot be FATAL.
     // See crbug.com/178166.
     // TODO(jln): add a DCHECK or move back to FATAL.
     RAW_LOG(ERROR, "Unexpected SIGSYS received.");
     errno = old_errno;
     return;
   }
 
@@ skipping 221 matching lines @@
           "CHROME_SANDBOX_DEBUGGING is turned on first");
     }
   }
   // Returns the, possibly updated, value of has_unsafe_traps_.
   return has_unsafe_traps_;
 }
 
 Trap* Trap::global_trap_;
 
 }  // namespace sandbox