
Unified Diff: sandbox/linux/bpf_dsl/policy_compiler.cc

Issue 1302043002: sandbox/linux: refactor bpf_dsl dependency on die.h (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Use logging.h instead of errx Created 5 years, 4 months ago
Index: sandbox/linux/bpf_dsl/policy_compiler.cc
diff --git a/sandbox/linux/bpf_dsl/policy_compiler.cc b/sandbox/linux/bpf_dsl/policy_compiler.cc
index f38232f85f929fd0ed2331bc248807c4cfd93b55..0e2458eee4d060fe4e6317f6a90c43d74214233b 100644
--- a/sandbox/linux/bpf_dsl/policy_compiler.cc
+++ b/sandbox/linux/bpf_dsl/policy_compiler.cc
@@ -56,6 +56,12 @@ bool HasExactlyOneBit(uint64_t x) {
return x != 0 && (x & (x - 1)) == 0;
}
+// The default Trap() handler for PolicyCompiler::Panic.
+intptr_t DefaultPanic(const struct arch_seccomp_data&, void* aux) {
+ LOG(FATAL) << "bpf_dsl panic: " << reinterpret_cast<const char*>(aux);
rickyz (no longer on Chrome) 2015/08/19 23:25:10 Should we default to something async signal safe l
mdempsky 2015/08/19 23:33:31 The problem with defaulting to SANDBOX_DIE is it's
+ for (;;) _exit(1);
+}
+
// A Trap() handler that returns an "errno" value. The value is encoded
// in the "aux" parameter.
intptr_t ReturnErrno(const struct arch_seccomp_data&, void* aux) {
@@ -88,6 +94,7 @@ PolicyCompiler::PolicyCompiler(const Policy* policy, TrapRegistry* registry)
: policy_(policy),
registry_(registry),
escapepc_(0),
+ panic_func_(DefaultPanic),
conds_(),
gen_(),
has_unsafe_traps_(HasUnsafeTraps(policy_)) {
@@ -137,6 +144,10 @@ void PolicyCompiler::DangerousSetEscapePC(uint64_t escapepc) {
escapepc_ = escapepc;
}
+void PolicyCompiler::SetPanicFunc(TrapRegistry::TrapFnc panic_func) {
+ panic_func_ = panic_func;
+}
+
CodeGen::Node PolicyCompiler::AssemblePolicy() {
// A compiled policy consists of three logical parts:
// 1. Check that the "arch" field matches the expected architecture.
@@ -154,7 +165,7 @@ CodeGen::Node PolicyCompiler::CheckArch(CodeGen::Node passed) {
BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARCH_IDX,
gen_.MakeInstruction(
BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_ARCH, passed,
- CompileResult(Kill("Invalid audit architecture in BPF filter"))));
+ CompileResult(Panic("Invalid audit architecture in BPF filter"))));
}
CodeGen::Node PolicyCompiler::MaybeAddEscapeHatch(CodeGen::Node rest) {
@@ -209,7 +220,7 @@ CodeGen::Node PolicyCompiler::CheckSyscallNumber(CodeGen::Node passed) {
// On Intel architectures, verify that system call numbers are in the
// expected number range.
CodeGen::Node invalidX32 =
- CompileResult(Kill("Illegal mixing of system call ABIs"));
+ CompileResult(Panic("Illegal mixing of system call ABIs"));
if (kIsX32) {
// The newer x32 API always sets bit 30.
return gen_.MakeInstruction(
@@ -445,7 +456,7 @@ CodeGen::Node PolicyCompiler::CondExpressionHalf(const ErrorCode& cond,
}
ErrorCode PolicyCompiler::Unexpected64bitArgument() {
- return Kill("Unexpected 64bit argument detected")->Compile(this);
+ return Panic("Unexpected 64bit argument detected")->Compile(this);
}
ErrorCode PolicyCompiler::Error(int err) {
@@ -495,5 +506,9 @@ ErrorCode PolicyCompiler::CondMaskedEqual(int argno,
&*conds_.insert(failed).first);
}
+bpf_dsl::ResultExpr PolicyCompiler::Panic(const char* msg) {
+ return bpf_dsl::Trap(panic_func_, msg);
+}
+
} // namespace bpf_dsl
} // namespace sandbox
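Review bot: PolicyCompiler::Panic in the last hunk passes `msg` to bpf_dsl::Trap as the opaque `aux` pointer, and DefaultPanic in the first hunk only reads that pointer when the trap fires, so (assuming Trap keeps the pointer rather than copying the string) the message has to stay valid for as long as the compiled filter is installed; every caller in this diff passes a string literal, but nothing in the signature or a comment says that is required. I would add above the definition: `// |msg| is stored by pointer and read by the panic handler at SIGSYS time,` / `// so it must outlive the installed filter (callers pass string literals).` Related, SetPanicFunc in the third hunk stores the callback without checking it, so a null handler would only surface when a trap is hit inside the sandboxed process; a `DCHECK(panic_func);` at the top of the body would catch that at policy-compile time instead.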
