sandbox/linux/bpf_dsl/errorcode.h - Issue 1309963002: sandbox/linux/bpf_dsl: remove ErrorCode intermediary representation

Side by Side Diff: sandbox/linux/bpf_dsl/errorcode.h

Issue 1309963002: sandbox/linux/bpf_dsl: remove ErrorCode intermediary representation (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@rm-verifier

Patch Set: Sync Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #ifndef SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__	5 #ifndef SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__

6 #define SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__	6 #define SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__

7	7

8 #include "sandbox/linux/bpf_dsl/trap_registry.h"	8 #include "base/macros.h"

9 #include "sandbox/sandbox_export.h"	9 #include "sandbox/sandbox_export.h"

10	10

11 namespace sandbox {	11 namespace sandbox {

12 namespace bpf_dsl {	12 namespace bpf_dsl {

13	13

14 // This class holds all the possible values that can be returned by a sandbox	14 // TODO(mdempsky): Find a proper home for ERR_{MIN,MAX}_ERRNO and

15 // policy.	15 // remove this header.

16 // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an

17 // errno value (in the range 0..4095), a pointer to a TrapFnc callback

18 // handling a SECCOMP_RET_TRAP trap, or a complex constraint.

19 // All of the commonly used values are stored in the "err_" field. So, code

20 // that is using the ErrorCode class typically operates on a single 32bit

21 // field.

22 //

23 // TODO(mdempsky): Nuke from orbit. The only reason this class still

24 // exists is for Verifier, which will eventually be replaced by a true

25 // BPF symbolic evaluator and constraint solver.

26 class SANDBOX_EXPORT ErrorCode {	16 class SANDBOX_EXPORT ErrorCode {

27 public:	17 public:

28 enum {	18 enum {

29 // Allow this system call. The value of ERR_ALLOWED is pretty much

30 // completely arbitrary. But we want to pick it so that is is unlikely

31 // to be passed in accidentally, when the user intended to return an

32 // "errno" (see below) value instead.

33 ERR_ALLOWED = 0x04000000,

34

35 // If the progress is being ptraced with PTRACE_O_TRACESECCOMP, then the

36 // tracer will be notified of a PTRACE_EVENT_SECCOMP and allowed to change

37 // or skip the system call. The lower 16 bits of err will be available to

38 // the tracer via PTRACE_GETEVENTMSG.

39 ERR_TRACE = 0x08000000,

40

41 // Kill the process immediately.

42 ERR_KILL = 0x10000000,

43

44 // Deny the system call with a particular "errno" value.

45 // N.B.: It is also possible to return "0" here. That would normally

46 // indicate success, but it won't actually run the system call.

47 // This is very different from return ERR_ALLOWED.

48 ERR_MIN_ERRNO = 0,	19 ERR_MIN_ERRNO = 0,

49 #if defined(__mips__)	20 #if defined(__mips__)

50 // MIPS only supports errno up to 1133	21 // MIPS only supports errno up to 1133

51 ERR_MAX_ERRNO = 1133,	22 ERR_MAX_ERRNO = 1133,

52 #else	23 #else

53 // TODO(markus): Android only supports errno up to 255	24 // TODO(markus): Android only supports errno up to 255

54 // (crbug.com/181647).	25 // (crbug.com/181647).

55 ERR_MAX_ERRNO = 4095,	26 ERR_MAX_ERRNO = 4095,

56 #endif	27 #endif

57 };	28 };

58	29

59 // While BPF filter programs always operate on 32bit quantities, the kernel

60 // always sees system call arguments as 64bit values. This statement is true

61 // no matter whether the host system is natively operating in 32bit or 64bit.

62 // The BPF compiler hides the fact that BPF instructions cannot directly

63 // access 64bit quantities. But policies are still advised to specify whether

64 // a system call expects a 32bit or a 64bit quantity.

65 enum ArgType {

66 // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that

67 // the conditional test should operate on the 32bit part of the system call

68 // argument.

69 // On 64bit architectures, this verifies that user space did not pass

70 // a 64bit value as an argument to the system call. If it did, that will be

71 // interpreted as an attempt at breaking the sandbox and results in the

72 // program getting terminated.

73 // In other words, only perform a 32bit test, if you are sure this

74 // particular system call would never legitimately take a 64bit

75 // argument.

76 // Implementation detail: TP_32BIT does two things. 1) it restricts the

77 // conditional test to operating on the LSB only, and 2) it adds code to

78 // the BPF filter program verifying that the MSB the kernel received from

79 // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit

80 // 31 was set in the system call argument. It deals with 32bit arguments

81 // having been sign extended.

82 TP_32BIT,

83

84 // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that

85 // the conditional test should operate on the full 64bit argument. It is

86 // generally harmless to perform a 64bit test on 32bit systems, as the

87 // kernel will always see the top 32 bits of all arguments as zero'd out.

88 // This approach has the desirable property that for tests of pointer

89 // values, we can always use TP_64BIT no matter the host architecture.

90 // But of course, that also means, it is possible to write conditional

91 // policies that turn into no-ops on 32bit systems; this is by design.

92 TP_64BIT,

93 };

94

95 // Deprecated.

96 enum Operation {

97 // Test whether the system call argument is equal to the operand.

98 OP_EQUAL,

99

100 // Tests a system call argument against a bit mask.

101 // The "ALL_BITS" variant performs this test: "arg & mask == mask"

102 // This implies that a mask of zero always results in a passing test.

103 // The "ANY_BITS" variant performs this test: "arg & mask != 0"

104 // This implies that a mask of zero always results in a failing test.

105 OP_HAS_ALL_BITS,

106 OP_HAS_ANY_BITS,

107 };

108

109 enum ErrorType {

110 ET_INVALID,

111 ET_SIMPLE,

112 ET_TRAP,

113 ET_COND,

114 };

115

116 // We allow the default constructor, as it makes the ErrorCode class

117 // much easier to use. But if we ever encounter an invalid ErrorCode

118 // when compiling a BPF filter, we deliberately generate an invalid

119 // program that will get flagged both by our Verifier class and by

120 // the Linux kernel.

121 ErrorCode();

122 explicit ErrorCode(int err);

123

124 // For all practical purposes, ErrorCodes are treated as if they were

125 // structs. The copy constructor and assignment operator are trivial and

126 // we do not need to explicitly specify them.

127 // Most notably, it is in fact perfectly OK to directly copy the passed_ and

128 // failed_ field. They only ever get set by our private constructor, and the

129 // callers handle life-cycle management for these objects.

130

131 // Destructor

132 ~ErrorCode() {}

133

134 bool Equals(const ErrorCode& err) const;

135 bool LessThan(const ErrorCode& err) const;

136

137 uint32_t err() const { return err_; }

138 ErrorType error_type() const { return error_type_; }

139

140 bool safe() const { return safe_; }

141

142 uint64_t mask() const { return mask_; }

143 uint64_t value() const { return value_; }

144 int argno() const { return argno_; }

145 ArgType width() const { return width_; }

146 const ErrorCode* passed() const { return passed_; }

147 const ErrorCode* failed() const { return failed_; }

148

149 struct LessThan {

150 bool operator()(const ErrorCode& a, const ErrorCode& b) const {

151 return a.LessThan(b);

152 }

153 };

154

155 private:	30 private:

156 friend class PolicyCompiler;	31 DISALLOW_IMPLICIT_CONSTRUCTORS(ErrorCode);

157

158 // If we are wrapping a callback, we must assign a unique id. This id is

159 // how the kernel tells us which one of our different SECCOMP_RET_TRAP

160 // cases has been triggered.

161 ErrorCode(uint16_t trap_id,

162 TrapRegistry::TrapFnc fnc,

163 const void* aux,

164 bool safe);

165

166 // Some system calls require inspection of arguments. This constructor

167 // allows us to specify additional constraints.

168 ErrorCode(int argno,

169 ArgType width,

170 uint64_t mask,

171 uint64_t value,

172 const ErrorCode* passed,

173 const ErrorCode* failed);

174

175 ErrorType error_type_;

176

177 union {

178 // Fields needed for SECCOMP_RET_TRAP callbacks

179 struct {

180 TrapRegistry::TrapFnc fnc_; // Callback function and arg, if trap was

181 void* aux_; // triggered by the kernel's BPF filter.

182 bool safe_; // Keep sandbox active while calling fnc_()

183 };

184

185 // Fields needed when inspecting additional arguments.

186 struct {

187 uint64_t mask_; // Mask that we are comparing under.

188 uint64_t value_; // Value that we are comparing with.

189 int argno_; // Syscall arg number that we are inspecting.

190 ArgType width_; // Whether we are looking at a 32/64bit value.

191 const ErrorCode* passed_; // Value to be returned if comparison passed,

192 const ErrorCode* failed_; // or if it failed.

193 };

194 };

195

196 // 32bit field used for all possible types of ErrorCode values. This is

197 // the value that uniquely identifies any ErrorCode and it (typically) can

198 // be emitted directly into a BPF filter program.

199 uint32_t err_;

200 };	32 };

201	33

202 } // namespace bpf_dsl	34 } // namespace bpf_dsl

203 } // namespace sandbox	35 } // namespace sandbox

204	36

205 #endif // SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__	37 #endif // SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__

OLD	NEW

« no previous file with comments | « sandbox/linux/bpf_dsl/bpf_dsl_impl.h ('k') | sandbox/linux/bpf_dsl/errorcode.cc » ('j') | sandbox/linux/bpf_dsl/policy_compiler.cc » ('J')