OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "sandbox/linux/bpf_dsl/verifier.h" | 5 #include "sandbox/linux/bpf_dsl/verifier.h" |
6 | 6 |
7 #include <string.h> | 7 #include <string.h> |
8 | 8 |
9 #include <limits> | 9 #include <limits> |
10 | 10 |
11 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" | 11 #include "sandbox/linux/bpf_dsl/bpf_dsl.h" |
12 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h" | 12 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h" |
| 13 #include "sandbox/linux/bpf_dsl/errorcode.h" |
13 #include "sandbox/linux/bpf_dsl/policy.h" | 14 #include "sandbox/linux/bpf_dsl/policy.h" |
14 #include "sandbox/linux/bpf_dsl/policy_compiler.h" | 15 #include "sandbox/linux/bpf_dsl/policy_compiler.h" |
15 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" | 16 #include "sandbox/linux/bpf_dsl/seccomp_macros.h" |
16 #include "sandbox/linux/bpf_dsl/syscall_set.h" | 17 #include "sandbox/linux/bpf_dsl/syscall_set.h" |
17 #include "sandbox/linux/seccomp-bpf/errorcode.h" | |
18 #include "sandbox/linux/system_headers/linux_filter.h" | 18 #include "sandbox/linux/system_headers/linux_filter.h" |
19 #include "sandbox/linux/system_headers/linux_seccomp.h" | 19 #include "sandbox/linux/system_headers/linux_seccomp.h" |
20 | 20 |
21 namespace sandbox { | 21 namespace sandbox { |
22 namespace bpf_dsl { | 22 namespace bpf_dsl { |
23 | 23 |
24 namespace { | 24 namespace { |
25 | 25 |
26 const uint64_t kLower32Bits = std::numeric_limits<uint32_t>::max(); | 26 const uint64_t kLower32Bits = std::numeric_limits<uint32_t>::max(); |
27 const uint64_t kUpper32Bits = static_cast<uint64_t>(kLower32Bits) << 32; | 27 const uint64_t kUpper32Bits = static_cast<uint64_t>(kLower32Bits) << 32; |
361 switch (BPF_CLASS(insn.code)) { | 361 switch (BPF_CLASS(insn.code)) { |
362 case BPF_LD: | 362 case BPF_LD: |
363 Ld(&state, insn, err); | 363 Ld(&state, insn, err); |
364 break; | 364 break; |
365 case BPF_JMP: | 365 case BPF_JMP: |
366 Jmp(&state, insn, err); | 366 Jmp(&state, insn, err); |
367 break; | 367 break; |
368 case BPF_RET: { | 368 case BPF_RET: { |
369 uint32_t r = Ret(&state, insn, err); | 369 uint32_t r = Ret(&state, insn, err); |
370 switch (r & SECCOMP_RET_ACTION) { | 370 switch (r & SECCOMP_RET_ACTION) { |
| 371 case SECCOMP_RET_ALLOW: |
| 372 case SECCOMP_RET_ERRNO: |
| 373 case SECCOMP_RET_KILL: |
| 374 case SECCOMP_RET_TRACE: |
371 case SECCOMP_RET_TRAP: | 375 case SECCOMP_RET_TRAP: |
372 case SECCOMP_RET_ERRNO: | |
373 case SECCOMP_RET_TRACE: | |
374 case SECCOMP_RET_ALLOW: | |
375 break; | 376 break; |
376 case SECCOMP_RET_KILL: // We don't ever generate this | |
377 case SECCOMP_RET_INVALID: // Should never show up in BPF program | 377 case SECCOMP_RET_INVALID: // Should never show up in BPF program |
378 default: | 378 default: |
379 *err = "Unexpected return code found in BPF program"; | 379 *err = "Unexpected return code found in BPF program"; |
380 return 0; | 380 return 0; |
381 } | 381 } |
382 return r; | 382 return r; |
383 } | 383 } |
384 case BPF_ALU: | 384 case BPF_ALU: |
385 Alu(&state, insn, err); | 385 Alu(&state, insn, err); |
386 break; | 386 break; |
387 default: | 387 default: |
388 *err = "Unexpected instruction in BPF program"; | 388 *err = "Unexpected instruction in BPF program"; |
389 break; | 389 break; |
390 } | 390 } |
391 } | 391 } |
392 return 0; | 392 return 0; |
393 } | 393 } |
394 | 394 |
395 } // namespace bpf_dsl | 395 } // namespace bpf_dsl |
396 } // namespace sandbox | 396 } // namespace sandbox |
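Review bot: The accepted-action list at new lines 371-375 now includes `SECCOMP_RET_KILL`, but the old comment saying it was never generated is dropped with nothing explaining why it is now a legitimate result. I would add a comment above the cases, for example `// Actions the policy compiler can emit; the caller still has to match r against the policy's expected code.` This switch validates only the action bits selected by `SECCOMP_RET_ACTION`, so a filter that kills where the policy asked for a different action is caught only if the caller compares the returned `r` with the expected value; that comparison is outside this section, so please confirm it exists. The enclosing function starts in the skipped region, so the loop condition and how `*err` ends evaluation are not visible here.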