Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(416)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: sandbox/linux/seccomp/securemem.h

Issue 3225010: Pull seccomp-sandbox in via DEPS rather than using an in-tree copy... (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: '' Created 10 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « sandbox/linux/seccomp/seccomp.gyp ('k') | sandbox/linux/seccomp/securemem.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #ifndef SECURE_MEM_H__
6 #define SECURE_MEM_H__
7
8 #include <stdlib.h>
9 #include "linux_syscall_support.h"
10
11 namespace playground {
12
13 class SecureMem {
14 public:
15 // Each thread is associated with two memory pages (i.e. 8192 bytes). This
16 // memory is fully accessible by the trusted process, but in the trusted
17 // thread and the sandboxed thread, the first page is only mapped PROT_READ,
18 // and the second one is PROT_READ|PROT_WRITE.
19 //
20 // The first page can be modified by the trusted process and this is the
21 // main mechanism how it communicates with the trusted thread. After each
22 // update, it updates the "sequence" number. The trusted process must
23 // check the "sequence" number has the expected value, and only then can
24 // it trust the data in this page.
25 typedef struct Args {
26 union {
27 struct {
28 union {
29 struct {
30 struct Args* self;
31 long sequence;
32 long callType;
33 long syscallNum;
34 void* arg1;
35 void* arg2;
36 void* arg3;
37 void* arg4;
38 void* arg5;
39 void* arg6;
40
41 // Used by clone() to allow return from the syscall wrapper.
42 void* ret;
43 #if defined(__x86_64__)
44 void* rbp;
45 void* rbx;
46 void* rcx;
47 void* rdx;
48 void* rsi;
49 void* rdi;
50 void* r8;
51 void* r9;
52 void* r10;
53 void* r11;
54 void* r12;
55 void* r13;
56 void* r14;
57 void* r15;
58 #elif defined(__i386__)
59 void* ebp;
60 void* edi;
61 void* esi;
62 void* edx;
63 void* ecx;
64 void* ebx;
65 #else
66 #error Unsupported target platform
67 #endif
68
69 // Used by clone() to set up data for the new thread.
70 struct Args* newSecureMem;
71 int processFdPub;
72 int cloneFdPub;
73
74 // Set to non-zero, if in debugging mode
75 int allowAllSystemCalls;
76
77 // The most recent SysV SHM identifier returned by
78 // shmget(IPC_PRIVATE)
79 int shmId;
80
81 // The following entries make up the sandboxed thread's TLS
82 long long cookie;
83 long long threadId;
84 long long threadFdPub;
85 } __attribute__((packed));
86 char header[512];
87 };
88 // Used for calls such as open() and stat().
89 char pathname[4096 - 512];
90 } __attribute__((packed));
91 char securePage[4096];
92 };
93 union {
94 struct {
95 // This scratch space is used by the trusted thread to read parameters
96 // for unrestricted system calls.
97 int tmpSyscallNum;
98 void* tmpArg1;
99 void* tmpArg2;
100 void* tmpArg3;
101 void* tmpArg4;
102 void* tmpArg5;
103 void* tmpArg6;
104 void* tmpReturnValue;
105
106 // Scratch space used to return the result of a rdtsc instruction
107 int rdtscpEax;
108 int rdtscpEdx;
109 int rdtscpEcx;
110
111 // We often have long sequences of calls to gettimeofday(). This is
112 // needlessly expensive. Coalesce them into a single call.
113 int lastSyscallNum;
114 int gettimeofdayCounter;
115
116 // For debugging purposes, we want to be able to log messages. This can
117 // result in additional system calls. Make sure that we don't trigger
118 // logging of those recursive calls.
119 int recursionLevel;
120
121 // Computing the signal mask is expensive. Keep a cached copy.
122 kernel_sigset_t signalMask;
123
124 // Keep track of whether we are in a SEGV handler
125 int inSegvHandler;
126 } __attribute__((packed));
127 char scratchPage[4096];
128 };
129 } __attribute__((packed)) Args;
130
131 // Allows the trusted process to check whether the parent process still
132 // exists. If it doesn't, kill the trusted process.
133 static void dieIfParentDied(int parentProc);
134
135 // The trusted process received a system call that it intends to deny.
136 static void abandonSystemCall(int fd, int err);
137
138 // Acquires the syscall_mutex_ prior to making changes to the parameters in
139 // the secure memory page. Used by calls such as exit(), clone(), open(),
140 // socketcall(), and stat().
141 // After locking the mutex, it is no longer valid to abandon the system
142 // call!
143 static void lockSystemCall(int parentProc, Args* mem);
144
145 // Sends a system call to the trusted thread. If "locked" is true, the
146 // caller must first call lockSystemCall() and must also provide
147 // "parentProc". In locked mode, sendSystemCall() won't return until the
148 // trusted thread has completed processing.
149 // Use sparingly as it serializes the operation of the trusted process.
150 static void sendSystemCall(int fd, bool locked, int parentProc, Args* mem,
151 int syscallNum) {
152 sendSystemCallInternal(fd, locked, parentProc, mem, syscallNum);
153 }
154 template<class T1> static
155 void sendSystemCall(int fd, bool locked, int parentProc, Args* mem,
156 int syscallNum, T1 arg1) {
157 sendSystemCallInternal(fd, locked, parentProc, mem, syscallNum,
158 (void*)arg1);
159 }
160 template<class T1, class T2> static
161 void sendSystemCall(int fd, bool locked, int parentProc, Args* mem,
162 int syscallNum, T1 arg1, T2 arg2) {
163 sendSystemCallInternal(fd, locked, parentProc, mem, syscallNum,
164 (void*)arg1, (void*)arg2);
165 }
166 template<class T1, class T2, class T3> static
167 void sendSystemCall(int fd, bool locked, int parentProc, Args* mem,
168 int syscallNum, T1 arg1, T2 arg2, T3 arg3) {
169 sendSystemCallInternal(fd, locked, parentProc, mem, syscallNum,
170 (void*)arg1, (void*)arg2, (void*)arg3);
171 }
172 template<class T1, class T2, class T3, class T4> static
173 void sendSystemCall(int fd, bool locked, int parentProc, Args* mem,
174 int syscallNum, T1 arg1, T2 arg2, T3 arg3, T4 arg4) {
175 sendSystemCallInternal(fd, locked, parentProc, mem, syscallNum,
176 (void*)arg1, (void*)arg2, (void*)arg3, (void*)arg4);
177 }
178 template<class T1, class T2, class T3, class T4, class T5> static
179 void sendSystemCall(int fd, bool locked, int parentProc, Args* mem,
180 int syscallNum, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
181 T5 arg5) {
182 sendSystemCallInternal(fd, locked, parentProc, mem, syscallNum,
183 (void*)arg1, (void*)arg2, (void*)arg3, (void*)arg4,
184 (void*)arg5);
185 }
186 template<class T1, class T2, class T3, class T4, class T5, class T6> static
187 void sendSystemCall(int fd, bool locked, int parentProc, Args* mem,
188 int syscallNum, T1 arg1, T2 arg2, T3 arg3, T4 arg4,
189 T5 arg5, T6 arg6) {
190 sendSystemCallInternal(fd, locked, parentProc, mem, syscallNum,
191 (void*)arg1, (void*)arg2, (void*)arg3, (void*)arg4,
192 (void*)arg5, (void*)arg6);
193 }
194
195 private:
196 static void sendSystemCallInternal(int fd, bool locked, int parentProc,
197 Args* mem, int syscallNum, void* arg1 = 0,
198 void* arg2 = 0, void* arg3 = 0,
199 void* arg4 = 0, void* arg5 = 0,
200 void* arg6 = 0);
201 };
202
203 } // namespace
204
205 #endif // SECURE_MEM_H__
OLDNEW
« no previous file with comments | « sandbox/linux/seccomp/seccomp.gyp ('k') | sandbox/linux/seccomp/securemem.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698