Add domain-specific language for BPF policies

sandbox/linux/seccomp-bpf-helpers/bpf_dsl.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h"
+
+#include "base/logging.h"
+#include "base/memory/ref_counted.h"
+#include "sandbox/linux/seccomp-bpf/errorcode.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+namespace sandbox {
+
+namespace bpfdsl {
+
+namespace {
+
+class BasicCondImpl : public CondImpl {
+ public:
+  BasicCondImpl(int argno,
+                ErrorCode::ArgType is_32bit,
+                ErrorCode::Operation op,
+                uint64_t value)
+      : argno_(argno), is_32bit_(is_32bit), op_(op), value_(value) {}
+  virtual ErrorCode Compile(SandboxBPF* sb,
+                            ErrorCode true_ec,
+                            ErrorCode false_ec) const OVERRIDE {
+    return sb->Cond(argno_, is_32bit_, op_, value_, true_ec, false_ec);
+  }
+
+ private:
+  virtual ~BasicCondImpl() {}
+  int argno_;
+  ErrorCode::ArgType is_32bit_;
+  ErrorCode::Operation op_;
+  uint64_t value_;
+  DISALLOW_COPY_AND_ASSIGN(BasicCondImpl);
+};
+
+class AndCondImpl : public CondImpl {
+ public:
+  AndCondImpl(Cond lhs, Cond rhs) : lhs_(lhs), rhs_(rhs) {}
+  virtual ErrorCode Compile(SandboxBPF* sb,
+                            ErrorCode true_ec,
+                            ErrorCode false_ec) const OVERRIDE {
+    return lhs_->Compile(sb, rhs_->Compile(sb, true_ec, false_ec), false_ec);
+  }
+
+ private:
+  virtual ~AndCondImpl() {}
+  Cond lhs_, rhs_;
+  DISALLOW_COPY_AND_ASSIGN(AndCondImpl);
+};
+
+class OrCondImpl : public CondImpl {
+ public:
+  OrCondImpl(Cond lhs, Cond rhs) : lhs_(lhs), rhs_(rhs) {}
+  virtual ErrorCode Compile(SandboxBPF* sb,
+                            ErrorCode true_ec,
+                            ErrorCode false_ec) const OVERRIDE {
+    return lhs_->Compile(sb, true_ec, rhs_->Compile(sb, true_ec, false_ec));
+  }
+
+ private:
+  virtual ~OrCondImpl() {}
+  Cond lhs_, rhs_;
+  DISALLOW_COPY_AND_ASSIGN(OrCondImpl);
+};
+
+}  // namespace
+
+Cond operator&&(Cond lhs, Cond rhs) {
+  return Cond(new AndCondImpl(lhs, rhs));
+}
+
+Cond operator||(Cond lhs, Cond rhs) {
+  return Cond(new OrCondImpl(lhs, rhs));
+}
+
+Iffer::Iffer(SandboxBPF* sb) : sb_(sb) {
+  DCHECK(sb);
+}
+
+Iffer::Iffer(const Iffer& iffer) : sb_(iffer.sb_) {
+}
+
+Thener Iffer::If(Cond cond) const {
+  return Thener(sb_, cond);
+}
+
+Thener::Thener(SandboxBPF* sb, Cond cond) : sb_(sb), cond_(cond) {
+}
+
+Thener::~Thener() {}
+
+Elser Thener::Then(ErrorCode true_ec) const {
+  return Elser(sb_, cond_, true_ec);
+}
+
+Elser::Elser(SandboxBPF* sb, Cond cond, ErrorCode true_ec)
+    : sb_(sb), cond_(cond), true_ec_(true_ec) {
+}
+
+Elser::~Elser() {}
+
+ErrorCode Elser::Else(ErrorCode false_ec) const {
+  return cond_->Compile(sb_, true_ec_, false_ec);
+}
+
+}  // namespace bpfdsl
+
+bpfdsl::Iffer DSL(SandboxBPF* sb) {
+  return bpfdsl::Iffer(sb);
+}
+
+template <typename T>
+Arg<T>::Arg(int num)
+    : num_(num) {
+  DCHECK(num >= 0 && num < 6);
+}
+
+template <typename T>
+bpfdsl::Cond Arg<T>::operator==(const T& rhs) const {
+  const ErrorCode::ArgType arg_type =
+      (sizeof(T) <= 4) ? ErrorCode::TP_32BIT : ErrorCode::TP_64BIT;
+  return bpfdsl::Cond(
+      new bpfdsl::BasicCondImpl(num_, arg_type, ErrorCode::OP_EQUAL, rhs));
+}
+
+template class Arg<int>;
+
+}  // sandbox