sandbox/linux: refactor bpf_dsl dependency on die.h

sandbox/linux/bpf_dsl/policy_compiler.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
 
 #include <errno.h>
 #include <sys/syscall.h>
 
 #include <limits>
@@ skipping 38 matching lines @@
 #if defined(__NR_sigreturn)
     __NR_sigreturn,
 #endif
 };
 
 bool HasExactlyOneBit(uint64_t x) {
   // Common trick; e.g., see http://stackoverflow.com/a/108329.
   return x != 0 && (x & (x - 1)) == 0;
 }
 
+// The default Trap() handler for PolicyCompiler::Panic.
+intptr_t DefaultPanic(const struct arch_seccomp_data&, void* aux) {
+  LOG(FATAL) << "bpf_dsl panic: " << reinterpret_cast<const char*>(aux);

[rickyz (no longer on Chrome), 2015/08/19 23:25:10]

Should we default to something async signal safe like SANDBOX_DIE? Though at
that point, do we really need Panic to be overridable? All the usages would be
basically the same thing, right?

[mdempsky, 2015/08/19 23:33:31]

The problem with defaulting to SANDBOX_DIE is it's in seccomp-bpf, and the point
of this CL is breaking the dependency from bpf_dsl on seccomp-bpf.

We could move seccomp-bpf/die.h into bpf_dsl or services maybe, but it depends
on seccomp-bpf/syscall.h; so we'd need to move that too.

It would be nice to make it async signal safe though.  Maybe I should just
write() to STDERR_FILENO directly as the default instead of LOG(FATAL) (assuming
you don't have any good idea on using SANDBOX_DIE without cycles).

+  for (;;) _exit(1);
+}
+
 // A Trap() handler that returns an "errno" value. The value is encoded
 // in the "aux" parameter.
 intptr_t ReturnErrno(const struct arch_seccomp_data&, void* aux) {
   // TrapFnc functions report error by following the native kernel convention
   // of returning an exit code in the range of -1..-4096. They do not try to
   // set errno themselves. The glibc wrapper that triggered the SIGSYS will
   // ultimately do so for us.
   int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
   return -err;
 }
@@ skipping 12 matching lines @@
 
 struct PolicyCompiler::Range {
   uint32_t from;
   CodeGen::Node node;
 };
 
 PolicyCompiler::PolicyCompiler(const Policy* policy, TrapRegistry* registry)
     : policy_(policy),
       registry_(registry),
       escapepc_(0),
+      panic_func_(DefaultPanic),
       conds_(),
       gen_(),
       has_unsafe_traps_(HasUnsafeTraps(policy_)) {
   DCHECK(policy);
 }
 
 PolicyCompiler::~PolicyCompiler() {
 }
 
 scoped_ptr<CodeGen::Program> PolicyCompiler::Compile(bool verify) {
@@ skipping 29 matching lines @@
     }
   }
 
   return program.Pass();
 }
 
 void PolicyCompiler::DangerousSetEscapePC(uint64_t escapepc) {
   escapepc_ = escapepc;
 }
 
+void PolicyCompiler::SetPanicFunc(TrapRegistry::TrapFnc panic_func) {
+  panic_func_ = panic_func;
+}
+
 CodeGen::Node PolicyCompiler::AssemblePolicy() {
   // A compiled policy consists of three logical parts:
   //   1. Check that the "arch" field matches the expected architecture.
   //   2. If the policy involves unsafe traps, check if the syscall was
   //      invoked by Syscall::Call, and then allow it unconditionally.
   //   3. Check the system call number and jump to the appropriate compiled
   //      system call policy number.
   return CheckArch(MaybeAddEscapeHatch(DispatchSyscall()));
 }
 
 CodeGen::Node PolicyCompiler::CheckArch(CodeGen::Node passed) {
   // If the architecture doesn't match SECCOMP_ARCH, disallow the
   // system call.
   return gen_.MakeInstruction(
       BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARCH_IDX,
       gen_.MakeInstruction(
           BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_ARCH, passed,
-          CompileResult(Kill("Invalid audit architecture in BPF filter"))));
+          CompileResult(Panic("Invalid audit architecture in BPF filter"))));
 }
 
 CodeGen::Node PolicyCompiler::MaybeAddEscapeHatch(CodeGen::Node rest) {
   // If no unsafe traps, then simply return |rest|.
   if (!has_unsafe_traps_) {
     return rest;
   }
 
   // We already enabled unsafe traps in Compile, but enable them again to give
   // the trap registry a second chance to complain before we add the backdoor.
@@ skipping 34 matching lines @@
   // execute the jump table.
   return gen_.MakeInstruction(
       BPF_LD + BPF_W + BPF_ABS, SECCOMP_NR_IDX, CheckSyscallNumber(jumptable));
 }
 
 CodeGen::Node PolicyCompiler::CheckSyscallNumber(CodeGen::Node passed) {
   if (kIsIntel) {
     // On Intel architectures, verify that system call numbers are in the
     // expected number range.
     CodeGen::Node invalidX32 =
-        CompileResult(Kill("Illegal mixing of system call ABIs"));
+        CompileResult(Panic("Illegal mixing of system call ABIs"));
     if (kIsX32) {
       // The newer x32 API always sets bit 30.
       return gen_.MakeInstruction(
           BPF_JMP + BPF_JSET + BPF_K, 0x40000000, passed, invalidX32);
     } else {
       // The older i386 and x86-64 APIs clear bit 30 on all system calls.
       return gen_.MakeInstruction(
           BPF_JMP + BPF_JSET + BPF_K, 0x40000000, invalidX32, passed);
     }
   }
@@ skipping 215 matching lines @@
       BPF_LD + BPF_W + BPF_ABS,
       idx,
       gen_.MakeInstruction(
           BPF_ALU + BPF_AND + BPF_K,
           mask,
           gen_.MakeInstruction(
               BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed)));
 }
 
 ErrorCode PolicyCompiler::Unexpected64bitArgument() {
-  return Kill("Unexpected 64bit argument detected")->Compile(this);
+  return Panic("Unexpected 64bit argument detected")->Compile(this);
 }
 
 ErrorCode PolicyCompiler::Error(int err) {
   if (has_unsafe_traps_) {
     // When inside an UnsafeTrap() callback, we want to allow all system calls.
     // This means, we must conditionally disable the sandbox -- and that's not
     // something that kernel-side BPF filters can do, as they cannot inspect
     // any state other than the syscall arguments.
     // But if we redirect all error handlers to user-space, then we can easily
     // make this decision.
@@ skipping 29 matching lines @@
                                           const ErrorCode& passed,
                                           const ErrorCode& failed) {
   return ErrorCode(argno,
                    width,
                    mask,
                    value,
                    &*conds_.insert(passed).first,
                    &*conds_.insert(failed).first);
 }
 
+bpf_dsl::ResultExpr PolicyCompiler::Panic(const char* msg) {
+  return bpf_dsl::Trap(panic_func_, msg);
+}
+
 }  // namespace bpf_dsl
 }  // namespace sandbox