| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ | |
| 6 #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ | |
| 7 | |
| 8 #include "sandbox/linux/seccomp-bpf/trap.h" | |
| 9 #include "sandbox/sandbox_export.h" | |
| 10 | |
| 11 namespace sandbox { | |
| 12 namespace bpf_dsl { | |
| 13 class PolicyCompiler; | |
| 14 } | |
| 15 | |
| 16 // This class holds all the possible values that can be returned by a sandbox | |
| 17 // policy. | |
| 18 // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an | |
| 19 // errno value (in the range 0..4095), a pointer to a TrapFnc callback | |
| 20 // handling a SECCOMP_RET_TRAP trap, or a complex constraint. | |
| 21 // All of the commonly used values are stored in the "err_" field. So, code | |
| 22 // that is using the ErrorCode class typically operates on a single 32bit | |
| 23 // field. | |
| 24 // | |
| 25 // TODO(mdempsky): Nuke from orbit. The only reason this class still | |
| 26 // exists is for Verifier, which will eventually be replaced by a true | |
| 27 // BPF symbolic evaluator and constraint solver. | |
| 28 class SANDBOX_EXPORT ErrorCode { | |
| 29 public: | |
| 30 enum { | |
| 31 // Allow this system call. The value of ERR_ALLOWED is pretty much | |
| 32 // completely arbitrary. But we want to pick it so that is is unlikely | |
| 33 // to be passed in accidentally, when the user intended to return an | |
| 34 // "errno" (see below) value instead. | |
| 35 ERR_ALLOWED = 0x04000000, | |
| 36 | |
| 37 // If the progress is being ptraced with PTRACE_O_TRACESECCOMP, then the | |
| 38 // tracer will be notified of a PTRACE_EVENT_SECCOMP and allowed to change | |
| 39 // or skip the system call. The lower 16 bits of err will be available to | |
| 40 // the tracer via PTRACE_GETEVENTMSG. | |
| 41 ERR_TRACE = 0x08000000, | |
| 42 | |
| 43 // Kill the process immediately. | |
| 44 ERR_KILL = 0x10000000, | |
| 45 | |
| 46 // Deny the system call with a particular "errno" value. | |
| 47 // N.B.: It is also possible to return "0" here. That would normally | |
| 48 // indicate success, but it won't actually run the system call. | |
| 49 // This is very different from return ERR_ALLOWED. | |
| 50 ERR_MIN_ERRNO = 0, | |
| 51 #if defined(__mips__) | |
| 52 // MIPS only supports errno up to 1133 | |
| 53 ERR_MAX_ERRNO = 1133, | |
| 54 #else | |
| 55 // TODO(markus): Android only supports errno up to 255 | |
| 56 // (crbug.com/181647). | |
| 57 ERR_MAX_ERRNO = 4095, | |
| 58 #endif | |
| 59 }; | |
| 60 | |
| 61 // While BPF filter programs always operate on 32bit quantities, the kernel | |
| 62 // always sees system call arguments as 64bit values. This statement is true | |
| 63 // no matter whether the host system is natively operating in 32bit or 64bit. | |
| 64 // The BPF compiler hides the fact that BPF instructions cannot directly | |
| 65 // access 64bit quantities. But policies are still advised to specify whether | |
| 66 // a system call expects a 32bit or a 64bit quantity. | |
| 67 enum ArgType { | |
| 68 // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that | |
| 69 // the conditional test should operate on the 32bit part of the system call | |
| 70 // argument. | |
| 71 // On 64bit architectures, this verifies that user space did not pass | |
| 72 // a 64bit value as an argument to the system call. If it did, that will be | |
| 73 // interpreted as an attempt at breaking the sandbox and results in the | |
| 74 // program getting terminated. | |
| 75 // In other words, only perform a 32bit test, if you are sure this | |
| 76 // particular system call would never legitimately take a 64bit | |
| 77 // argument. | |
| 78 // Implementation detail: TP_32BIT does two things. 1) it restricts the | |
| 79 // conditional test to operating on the LSB only, and 2) it adds code to | |
| 80 // the BPF filter program verifying that the MSB the kernel received from | |
| 81 // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit | |
| 82 // 31 was set in the system call argument. It deals with 32bit arguments | |
| 83 // having been sign extended. | |
| 84 TP_32BIT, | |
| 85 | |
| 86 // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that | |
| 87 // the conditional test should operate on the full 64bit argument. It is | |
| 88 // generally harmless to perform a 64bit test on 32bit systems, as the | |
| 89 // kernel will always see the top 32 bits of all arguments as zero'd out. | |
| 90 // This approach has the desirable property that for tests of pointer | |
| 91 // values, we can always use TP_64BIT no matter the host architecture. | |
| 92 // But of course, that also means, it is possible to write conditional | |
| 93 // policies that turn into no-ops on 32bit systems; this is by design. | |
| 94 TP_64BIT, | |
| 95 }; | |
| 96 | |
| 97 // Deprecated. | |
| 98 enum Operation { | |
| 99 // Test whether the system call argument is equal to the operand. | |
| 100 OP_EQUAL, | |
| 101 | |
| 102 // Tests a system call argument against a bit mask. | |
| 103 // The "ALL_BITS" variant performs this test: "arg & mask == mask" | |
| 104 // This implies that a mask of zero always results in a passing test. | |
| 105 // The "ANY_BITS" variant performs this test: "arg & mask != 0" | |
| 106 // This implies that a mask of zero always results in a failing test. | |
| 107 OP_HAS_ALL_BITS, | |
| 108 OP_HAS_ANY_BITS, | |
| 109 }; | |
| 110 | |
| 111 enum ErrorType { | |
| 112 ET_INVALID, | |
| 113 ET_SIMPLE, | |
| 114 ET_TRAP, | |
| 115 ET_COND, | |
| 116 }; | |
| 117 | |
| 118 // We allow the default constructor, as it makes the ErrorCode class | |
| 119 // much easier to use. But if we ever encounter an invalid ErrorCode | |
| 120 // when compiling a BPF filter, we deliberately generate an invalid | |
| 121 // program that will get flagged both by our Verifier class and by | |
| 122 // the Linux kernel. | |
| 123 ErrorCode(); | |
| 124 explicit ErrorCode(int err); | |
| 125 | |
| 126 // For all practical purposes, ErrorCodes are treated as if they were | |
| 127 // structs. The copy constructor and assignment operator are trivial and | |
| 128 // we do not need to explicitly specify them. | |
| 129 // Most notably, it is in fact perfectly OK to directly copy the passed_ and | |
| 130 // failed_ field. They only ever get set by our private constructor, and the | |
| 131 // callers handle life-cycle management for these objects. | |
| 132 | |
| 133 // Destructor | |
| 134 ~ErrorCode() {} | |
| 135 | |
| 136 bool Equals(const ErrorCode& err) const; | |
| 137 bool LessThan(const ErrorCode& err) const; | |
| 138 | |
| 139 uint32_t err() const { return err_; } | |
| 140 ErrorType error_type() const { return error_type_; } | |
| 141 | |
| 142 bool safe() const { return safe_; } | |
| 143 | |
| 144 uint64_t mask() const { return mask_; } | |
| 145 uint64_t value() const { return value_; } | |
| 146 int argno() const { return argno_; } | |
| 147 ArgType width() const { return width_; } | |
| 148 const ErrorCode* passed() const { return passed_; } | |
| 149 const ErrorCode* failed() const { return failed_; } | |
| 150 | |
| 151 struct LessThan { | |
| 152 bool operator()(const ErrorCode& a, const ErrorCode& b) const { | |
| 153 return a.LessThan(b); | |
| 154 } | |
| 155 }; | |
| 156 | |
| 157 private: | |
| 158 friend bpf_dsl::PolicyCompiler; | |
| 159 friend class CodeGen; | |
| 160 friend class SandboxBPF; | |
| 161 friend class Trap; | |
| 162 | |
| 163 // If we are wrapping a callback, we must assign a unique id. This id is | |
| 164 // how the kernel tells us which one of our different SECCOMP_RET_TRAP | |
| 165 // cases has been triggered. | |
| 166 ErrorCode(uint16_t trap_id, Trap::TrapFnc fnc, const void* aux, bool safe); | |
| 167 | |
| 168 // Some system calls require inspection of arguments. This constructor | |
| 169 // allows us to specify additional constraints. | |
| 170 ErrorCode(int argno, | |
| 171 ArgType width, | |
| 172 uint64_t mask, | |
| 173 uint64_t value, | |
| 174 const ErrorCode* passed, | |
| 175 const ErrorCode* failed); | |
| 176 | |
| 177 ErrorType error_type_; | |
| 178 | |
| 179 union { | |
| 180 // Fields needed for SECCOMP_RET_TRAP callbacks | |
| 181 struct { | |
| 182 Trap::TrapFnc fnc_; // Callback function and arg, if trap was | |
| 183 void* aux_; // triggered by the kernel's BPF filter. | |
| 184 bool safe_; // Keep sandbox active while calling fnc_() | |
| 185 }; | |
| 186 | |
| 187 // Fields needed when inspecting additional arguments. | |
| 188 struct { | |
| 189 uint64_t mask_; // Mask that we are comparing under. | |
| 190 uint64_t value_; // Value that we are comparing with. | |
| 191 int argno_; // Syscall arg number that we are inspecting. | |
| 192 ArgType width_; // Whether we are looking at a 32/64bit value. | |
| 193 const ErrorCode* passed_; // Value to be returned if comparison passed, | |
| 194 const ErrorCode* failed_; // or if it failed. | |
| 195 }; | |
| 196 }; | |
| 197 | |
| 198 // 32bit field used for all possible types of ErrorCode values. This is | |
| 199 // the value that uniquely identifies any ErrorCode and it (typically) can | |
| 200 // be emitted directly into a BPF filter program. | |
| 201 uint32_t err_; | |
| 202 }; | |
| 203 | |
| 204 } // namespace sandbox | |
| 205 | |
| 206 #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1292753009:
sandbox/linux: move ErrorCode into bpf_dsl (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@bpf_dsl-deps