Add domain-specific language for BPF policies

sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BPF_DSL_H_
+#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BPF_DSL_H_
+
+#include "base/macros.h"
+#include "base/memory/ref_counted.h"
+#include "sandbox/linux/seccomp-bpf/errorcode.h"
+#include "sandbox/sandbox_export.h"
+
+namespace sandbox {
+class SandboxBPF;
+}
+
+namespace sandbox {
+
+namespace bpfdsl {
+
+class CondImpl : public base::RefCounted<CondImpl> {

[mdempsky, 2014/05/20 23:26:29]

I really want to change this to

    class CondImpl;
    typedef scoped_refptr<const CondImpl> Cond;
    extern template class scoped_refptr<const CondImpl>;

so I can keep CondImpl opaque to users, but Clang then complains that CondImpl
is an incomplete type in bpf_dsl_unittest.cc:

In file included from
../../sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc:5:
In file included from ../../sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h:11:
../../base/memory/ref_counted.h:289:11: error: member access into incomplete
type 'const sandbox::bpfdsl::CondImpl'
      ptr_->Release();
          ^
../../sandbox/linux/seccomp-bpf-helpers/bpf_dsl_unittest.cc:26:15: note: in
instantiation of member function 'scoped_refptr<const
sandbox::bpfdsl::CondImpl>::~scoped_refptr' requested here
          .If(pid == 0).Then(
              ^
../../sandbox/linux/seccomp-bpf-helpers/bpf_dsl.h:23:7: note: forward
declaration of 'sandbox::bpfdsl::CondImpl'
class CondImpl;
      ^

I would think the "extern template" would let the compiler just trust there will
be an appropriate instantiation for scoped_refptr<const CondImpl> in another
translation unit, at least in this case because scoped_refptr doesn't have any
partial specializations that could cause ambiguity.

Is there a way to workaround this?  Is this any better in C++11?

+ public:
+  CondImpl() {}
+  virtual ErrorCode Compile(SandboxBPF* sb,
+                            ErrorCode true_ec,
+                            ErrorCode false_ec) const = 0;
+
+ protected:
+  friend class base::RefCounted<CondImpl>;
+  virtual ~CondImpl() {}
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(CondImpl);
+};
+
+typedef scoped_refptr<const CondImpl> Cond;
+
+SANDBOX_EXPORT Cond operator&&(Cond lhs, Cond rhs);
+SANDBOX_EXPORT Cond operator||(Cond lhs, Cond rhs);
+
+class Iffer;
+class Thener;
+class Elser;
+
+class SANDBOX_EXPORT Iffer {
+ public:
+  // TODO(mdempsky): Make private?
+  explicit Iffer(SandboxBPF* sb);
+  Iffer(const Iffer& iffer);
+  Thener If(Cond cond) const;
+
+ private:
+  SandboxBPF* sb_;
+  DISALLOW_ASSIGN(Iffer);
+};
+
+class SANDBOX_EXPORT Thener {
+ public:
+  ~Thener();
+  Elser Then(ErrorCode ec) const;
+
+ private:
+  Thener(SandboxBPF* sb, Cond cond);
+  SandboxBPF* sb_;
+  Cond cond_;
+  friend class Iffer;
+  friend class Elser;
+  DISALLOW_COPY_AND_ASSIGN(Thener);
+};
+
+class SANDBOX_EXPORT Elser {
+ public:
+  ~Elser();
+  ErrorCode Else(ErrorCode ec) const;
+
+ private:
+  Elser(SandboxBPF* sb, Cond cond, ErrorCode true_ec);
+  SandboxBPF* sb_;
+  Cond cond_;
+  ErrorCode true_ec_;
+  friend class Iffer;
+  friend class Thener;
+  DISALLOW_COPY_AND_ASSIGN(Elser);
+};
+
+}  // namespace bpfdsl
+
+SANDBOX_EXPORT bpfdsl::Iffer DSL(SandboxBPF* sb);
+
+template <typename T>
+class SANDBOX_EXPORT Arg {
+ public:
+  explicit Arg(int num);
+  bpfdsl::Cond operator==(const T& rhs) const;
+
+ private:
+  int num_;
+  DISALLOW_COPY_AND_ASSIGN(Arg);
+};
+
+extern template class Arg<int>;
+
+}  // namespace sandbox
+
+#endif  // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BPF_DSL_H_