Chromium Code Reviews Chromium Code Reviews
Issue 657893006:
SyscallSet: add ValidOnly (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: sandbox/linux/seccomp-bpf/syscall_iterator.cc |
| diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator.cc b/sandbox/linux/seccomp-bpf/syscall_iterator.cc |
| index 1b4e0678ab7b0fced954fa3c4291cbd456b5198b..a92d9b0412b10961c92cd62bcf3c441f168ceb25 100644 |
| --- a/sandbox/linux/seccomp-bpf/syscall_iterator.cc |
| +++ b/sandbox/linux/seccomp-bpf/syscall_iterator.cc |
| @@ -39,37 +39,6 @@ const SyscallRange kValidSyscallRanges[] = { |
| #endif |
| }; |
| -// NextSyscall returns the next system call in the specified system |
| -// call set after |cur|, or 0 if no such system call exists. |
| -uint32_t NextSyscall(uint32_t cur, bool invalid_only) { |
| - for (const SyscallRange& range : kValidSyscallRanges) { |
| - if (range.first > 0 && cur < range.first - 1) { |
| - return range.first - 1; |
| - } |
| - if (cur <= range.last) { |
| - if (invalid_only) { |
| - return range.last + 1; |
| - } |
| - return cur + 1; |
| - } |
| - } |
| - |
| - // BPF programs only ever operate on unsigned quantities. So, that's how |
| - // we iterate; we return values from 0..0xFFFFFFFFu. But there are places, |
| - // where the kernel might interpret system call numbers as signed |
| - // quantities, so the boundaries between signed and unsigned values are |
| - // potential problem cases. We want to explicitly return these values from |
| - // our iterator. |
| - if (cur < 0x7FFFFFFFu) |
| - return 0x7FFFFFFFu; |
| - if (cur < 0x80000000u) |
| - return 0x80000000u; |
| - |
| - if (cur < 0xFFFFFFFFu) |
| - return 0xFFFFFFFFu; |
| - return 0; |
| -} |
| - |
| } // namespace |
| SyscallSet::Iterator SyscallSet::begin() const { |
| @@ -95,7 +64,7 @@ bool operator==(const SyscallSet& lhs, const SyscallSet& rhs) { |
| SyscallSet::Iterator::Iterator(Set set, bool done) |
| : set_(set), done_(done), num_(0) { |
| - if (set_ == Set::INVALID_ONLY && !done_ && IsValid(num_)) { |
| + if (!done && set_ == (IsValid(num_) ? Set::INVALID_ONLY : Set::VALID_ONLY)) { |
| ++*this; |
|
rickyz (no longer on Chrome)
2014/10/24 20:17:16
This took me a little bit to wrap my head around -
mdempsky
2014/10/24 21:49:56
Done.
|
| } |
| } |
| @@ -108,7 +77,7 @@ uint32_t SyscallSet::Iterator::operator*() const { |
| SyscallSet::Iterator& SyscallSet::Iterator::operator++() { |
| DCHECK(!done_); |
| - num_ = NextSyscall(num_, set_ == Set::INVALID_ONLY); |
| + num_ = NextSyscall(); |
| if (num_ == 0) { |
| done_ = true; |
| } |
| @@ -116,6 +85,47 @@ SyscallSet::Iterator& SyscallSet::Iterator::operator++() { |
| return *this; |
| } |
| +// NextSyscall returns the next system call in the iterated system |
| +// call set after |num_|, or 0 if no such system call exists. |
| +uint32_t SyscallSet::Iterator::NextSyscall() const { |
| + const bool want_valid = (set_ != Set::INVALID_ONLY); |
| + const bool want_invalid = (set_ != Set::VALID_ONLY); |
| + |
| + for (const SyscallRange& range : kValidSyscallRanges) { |
| + if (want_invalid && range.first > 0 && num_ < range.first - 1) { |
|
rickyz (no longer on Chrome)
2014/10/24 20:17:17
Might be good to comment that we're intentionally
mdempsky
2014/10/24 21:49:56
Done.
|
| + return range.first - 1; |
| + } |
| + if (want_valid && num_ < range.first) { |
| + return range.first; |
| + } |
| + if (want_valid && num_ < range.last) { |
| + return num_ + 1; |
| + } |
| + if (want_invalid && num_ <= range.last) { |
| + return range.last + 1; |
| + } |
| + } |
| + |
| + if (want_invalid) { |
| + // BPF programs only ever operate on unsigned quantities. So, |
| + // that's how we iterate; we return values from |
| + // 0..0xFFFFFFFFu. But there are places, where the kernel might |
| + // interpret system call numbers as signed quantities, so the |
| + // boundaries between signed and unsigned values are potential |
| + // problem cases. We want to explicitly return these values from |
| + // our iterator. |
| + if (num_ < 0x7FFFFFFFu) |
| + return 0x7FFFFFFFu; |
| + if (num_ < 0x80000000u) |
| + return 0x80000000u; |
| + |
| + if (num_ < 0xFFFFFFFFu) |
| + return 0xFFFFFFFFu; |
| + } |
| + |
| + return 0; |
| +} |
| + |
| bool operator==(const SyscallSet::Iterator& lhs, |
| const SyscallSet::Iterator& rhs) { |
| DCHECK(lhs.set_ == rhs.set_); |
