Add SandboxBPFPolicy::InvalidSyscall() to simplify writing policies

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 
 // Some headers on Android are missing cdefs: crbug.com/172337.
 // (We can't use OS_ANDROID here since build_config.h is not included).
 #if defined(ANDROID)
 #include <sys/cdefs.h>
@@ skipping 61 matching lines @@
   }
 }
 
 void ProbeProcess(void) {
   if (syscall(__NR_getpid) < 0 && errno == EPERM) {
     syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
   }
 }
 
 ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysnum)) {
-    return ErrorCode(ENOSYS);
-  }
+  DCHECK(SandboxBPF::IsValidSyscallNumber(sysnum));
   return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
 void TryVsyscallProcess(void) {
   time_t current_time;
   // time() is implemented as a vsyscall. With an older glibc, with
   // vsyscall=emulate and some versions of the seccomp BPF patch
   // we may get SIGKILL-ed. Detect this!
   if (time(&current_time) != static_cast<time_t>(-1)) {
     syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
@@ skipping 86 matching lines @@
       const SandboxBPFPolicy* wrapped_policy)
       : wrapped_policy_(wrapped_policy) {
     DCHECK(wrapped_policy_);
   }
 
   virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE {
     ErrorCode err =
         wrapped_policy_->EvaluateSyscall(sandbox_compiler, system_call_number);
     if ((err.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
-      return sandbox_compiler->Trap(
-          ReturnErrno, reinterpret_cast<void*>(err.err() & SECCOMP_RET_DATA));
+      return ReturnErrnoViaTrap(sandbox_compiler, err.err() & SECCOMP_RET_DATA);
     }
     return err;
   }
 
+  virtual ErrorCode InvalidSyscall(
+      SandboxBPF* sandbox_compiler) const OVERRIDE {
+    return ReturnErrnoViaTrap(sandbox_compiler, ENOSYS);
+  }
+
  private:
+  ErrorCode ReturnErrnoViaTrap(SandboxBPF* sandbox_compiler, int err) const {
+    return sandbox_compiler->Trap(ReturnErrno, reinterpret_cast<void*>(err));
+  }
+
   const SandboxBPFPolicy* wrapped_policy_;
   DISALLOW_COPY_AND_ASSIGN(RedirectToUserSpacePolicyWrapper);
 };
 
 intptr_t BPFFailure(const struct arch_seccomp_data&, void* aux) {
   SANDBOX_DIE(static_cast<char*>(aux));
 }
 
 }  // namespace
 
@@ skipping 248 matching lines @@
   // Install the filters.
   InstallFilter(thread_state);
 
   // We are now inside the sandbox.
   status_ = STATUS_ENABLED;
 
   return true;
 }
 
 void SandboxBPF::PolicySanityChecks(SandboxBPFPolicy* policy) {
-  for (SyscallIterator iter(true); !iter.Done();) {
-    uint32_t sysnum = iter.Next();
-    if (!IsDenied(policy->EvaluateSyscall(this, sysnum))) {
-      SANDBOX_DIE(
-          "Policies should deny system calls that are outside the "
-          "expected range (typically MIN_SYSCALL..MAX_SYSCALL)");
-    }
+  if (!IsDenied(policy->InvalidSyscall(this))) {
+    SANDBOX_DIE("Policies should deny invalid system calls.");
   }
   return;
 }
 
 // Deprecated API, supported with a wrapper to the new API.
 void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
                                             void* aux) {
   if (sandbox_has_started_ || !conds_) {
     SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
@@ skipping 255 matching lines @@
     SANDBOX_DIE(err);
   }
 }
 
 void SandboxBPF::FindRanges(Ranges* ranges) {
   // Please note that "struct seccomp_data" defines system calls as a signed
   // int32_t, but BPF instructions always operate on unsigned quantities. We
   // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
   // and then verifying that the rest of the number range (both positive and
   // negative) all return the same ErrorCode.
+  const ErrorCode invalid_err = policy_->InvalidSyscall(this);
   uint32_t old_sysnum = 0;
-  ErrorCode old_err = policy_->EvaluateSyscall(this, old_sysnum);
-  ErrorCode invalid_err = policy_->EvaluateSyscall(this, MIN_SYSCALL - 1);
+  ErrorCode old_err = IsValidSyscallNumber(old_sysnum)
+                          ? policy_->EvaluateSyscall(this, old_sysnum)
+                          : invalid_err;
 
   for (SyscallIterator iter(false); !iter.Done();) {
     uint32_t sysnum = iter.Next();
-    ErrorCode err = policy_->EvaluateSyscall(this, static_cast<int>(sysnum));
-    if (!iter.IsValid(sysnum) && !invalid_err.Equals(err)) {
-      // A proper sandbox policy should always treat system calls outside of
-      // the range MIN_SYSCALL..MAX_SYSCALL (i.e. anything that returns
-      // "false" for SyscallIterator::IsValid()) identically. Typically, all
-      // of these system calls would be denied with the same ErrorCode.
-      SANDBOX_DIE("Invalid seccomp policy");
-    }
+    ErrorCode err =
+        IsValidSyscallNumber(sysnum)
+            ? policy_->EvaluateSyscall(this, static_cast<int>(sysnum))
+            : invalid_err;
     if (!err.Equals(old_err) || iter.Done()) {
       ranges->push_back(Range(old_sysnum, sysnum - 1, old_err));
       old_sysnum = sysnum;
       old_err = err;
     }
   }
 }
 
 Instruction* SandboxBPF::AssembleJumpTable(CodeGen* gen,
                                            Ranges::const_iterator start,
@@ skipping 249 matching lines @@
                    &*conds_->insert(failed).first);
 }
 
 ErrorCode SandboxBPF::Kill(const char* msg) {
   return Trap(BPFFailure, const_cast<char*>(msg));
 }
 
 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
 
 }  // namespace sandbox