Rewrite all BPF policies to use DSL API

content/common/sandbox_linux/bpf_gpu_policy_linux.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/sandbox_linux/bpf_gpu_policy_linux.h"
 
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <sys/socket.h>
@@ skipping 12 matching lines @@
 #include "build/build_config.h"
 #include "content/common/sandbox_linux/sandbox_bpf_base_policy_linux.h"
 #include "content/common/sandbox_linux/sandbox_seccomp_bpf_linux.h"
 #include "content/common/set_process_title.h"
 #include "content/public/common/content_switches.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/services/broker_process.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
+using namespace sandbox::bpf_dsl;
 using sandbox::BrokerProcess;
-using sandbox::ErrorCode;
-using sandbox::SandboxBPF;
 using sandbox::SyscallSets;
 using sandbox::arch_seccomp_data;
 
 namespace content {
 
 namespace {
 
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
@@ skipping 62 matching lines @@
   }
 }
 
 class GpuBrokerProcessPolicy : public GpuProcessPolicy {
  public:
   static sandbox::SandboxBPFPolicy* Create() {
     return new GpuBrokerProcessPolicy();
   }
   virtual ~GpuBrokerProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
-                                    int system_call_number) const OVERRIDE;
+  virtual sandbox::bpf_dsl::ResultExpr EvaluateSyscall(
+      int sysno) const OVERRIDE;
 
  private:
   GpuBrokerProcessPolicy() {}
   DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy);
 };
 
 // x86_64/i386 or desktop ARM.
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
-ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                                  int sysno) const {
+ResultExpr GpuBrokerProcessPolicy::EvaluateSyscall(int sysno) const {
   switch (sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
+      return Allow();
     default:
-      return GpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
+      return GpuProcessPolicy::EvaluateSyscall(sysno);
   }
 }
 
 void UpdateProcessTypeToGpuBroker() {
   CommandLine::StringVector exec = CommandLine::ForCurrentProcess()->GetArgs();
   CommandLine::Reset();
   CommandLine::Init(0, NULL);
   CommandLine::ForCurrentProcess()->InitFromArgv(exec);
   CommandLine::ForCurrentProcess()->AppendSwitchASCII(switches::kProcessType,
                                                       "gpu-broker");
@@ skipping 12 matching lines @@
       make_scoped_ptr(broker_sandboxer_allocator()));
 }
 
 }  // namespace
 
 GpuProcessPolicy::GpuProcessPolicy() : broker_process_(NULL) {}
 
 GpuProcessPolicy::~GpuProcessPolicy() {}
 
 // Main policy for x86_64/i386. Extended by CrosArmGpuProcessPolicy.
-ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                            int sysno) const {
+ResultExpr GpuProcessPolicy::EvaluateSyscall(int sysno) const {
   switch (sysno) {
     case __NR_ioctl:
 #if defined(__i386__) || defined(__x86_64__)
     // The Nvidia driver uses flags not in the baseline policy
     // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)
     case __NR_mmap:
 #endif
     // We also hit this on the linux_chromeos bot but don't yet know what
     // weird flags were involved.
     case __NR_mprotect:
     case __NR_sched_getaffinity:
     case __NR_sched_setaffinity:
     case __NR_setpriority:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
+      return Allow();
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       DCHECK(broker_process_);
-      return sandbox->Trap(GpuSIGSYS_Handler, broker_process_);
+      return Trap(GpuSIGSYS_Handler, broker_process_);
     default:
       if (SyscallSets::IsEventFd(sysno))
-        return ErrorCode(ErrorCode::ERR_ALLOWED);
+        return Allow();
 
       // Default on the baseline policy.
-      return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno);
+      return SandboxBPFBasePolicy::EvaluateSyscall(sysno);
   }
 }
 
 bool GpuProcessPolicy::PreSandboxHook() {
   // Warm up resources needed by the policy we're about to enable and
   // eventually start a broker process.
   const bool chromeos_arm_gpu = IsChromeOS() && IsArchitectureArm();
   // This policy is for x86 or Desktop.
   DCHECK(!chromeos_arm_gpu);
 
@@ skipping 53 matching lines @@
   broker_process_ = new BrokerProcess(GetFSDeniedErrno(),
                                       read_whitelist,
                                       write_whitelist);
   // The initialization callback will perform generic initialization and then
   // call broker_sandboxer_callback.
   CHECK(broker_process_->Init(base::Bind(&UpdateProcessTypeAndEnableSandbox,
                                          broker_sandboxer_allocator)));
 }
 
 }  // namespace content