bpf_dsl: move more implementation details out of bpf_dsl.h

sandbox/linux/bpf_dsl/policy_compiler.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
 
 #include <errno.h>
 #include <linux/filter.h>
 #include <sys/syscall.h>
 
 #include <limits>
 
 #include "base/logging.h"
 #include "base/macros.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
+#include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
 #include "sandbox/linux/seccomp-bpf/codegen.h"
 #include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/errorcode.h"
 #include "sandbox/linux/seccomp-bpf/instruction.h"
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 
 namespace sandbox {
 namespace bpf_dsl {
@@ skipping 41 matching lines @@
   // set errno themselves. The glibc wrapper that triggered the SIGSYS will
   // ultimately do so for us.
   int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
   return -err;
 }
 
 intptr_t BPFFailure(const struct arch_seccomp_data&, void* aux) {
   SANDBOX_DIE(static_cast<char*>(aux));
 }
 
+bool HasUnsafeTraps(const SandboxBPFDSLPolicy* policy) {
+  for (SyscallIterator iter(false); !iter.Done();) {
+    uint32_t sysnum = iter.Next();
+    if (SyscallIterator::IsValid(sysnum) &&
+        policy->EvaluateSyscall(sysnum)->HasUnsafeTraps()) {
+      return true;
+    }
+  }
+  return policy->InvalidSyscall()->HasUnsafeTraps();
+}
+
 }  // namespace
 
 struct PolicyCompiler::Range {
   Range(uint32_t f, uint32_t t, const ErrorCode& e) : from(f), to(t), err(e) {}
   uint32_t from, to;
   ErrorCode err;
 };
 
 PolicyCompiler::PolicyCompiler(const SandboxBPFDSLPolicy* policy,
                                TrapRegistry* registry)
     : policy_(policy),
       registry_(registry),
       conds_(),
       gen_(),
-      has_unsafe_traps_(policy_->HasUnsafeTraps()) {
+      has_unsafe_traps_(HasUnsafeTraps(policy_)) {
 }
 
 PolicyCompiler::~PolicyCompiler() {
 }
 
 scoped_ptr<CodeGen::Program> PolicyCompiler::Compile() {
-  if (!IsDenied(policy_->InvalidSyscall(this))) {
+  if (!IsDenied(policy_->InvalidSyscall()->Compile(this))) {
     SANDBOX_DIE("Policies should deny invalid system calls.");
   }
 
   // If our BPF program has unsafe traps, enable support for them.
   if (has_unsafe_traps_) {
     // As support for unsafe jumps essentially defeats all the security
     // measures that the sandbox provides, we print a big warning message --
     // and of course, we make sure to only ever enable this feature if it
     // is actually requested by the sandbox policy.
     if (Syscall::Call(-1) == -1 && errno == ENOSYS) {
       SANDBOX_DIE(
           "Support for UnsafeTrap() has not yet been ported to this "
           "architecture");
     }
 
     for (int sysnum : kSyscallsRequiredForUnsafeTraps) {
-      if (!policy_->EvaluateSyscall(this, sysnum)
+      if (!policy_->EvaluateSyscall(sysnum)->Compile(this)
                .Equals(ErrorCode(ErrorCode::ERR_ALLOWED))) {
         SANDBOX_DIE(
             "Policies that use UnsafeTrap() must unconditionally allow all "
             "required system calls");
       }
     }
 
     if (!registry_->EnableUnsafeTraps()) {
       // We should never be able to get here, as UnsafeTrap() should never
       // actually return a valid ErrorCode object unless the user set the
@@ skipping 105 matching lines @@
   // TODO(mdempsky): Similar validation for other architectures?
   return passed;
 }
 
 void PolicyCompiler::FindRanges(Ranges* ranges) {
   // Please note that "struct seccomp_data" defines system calls as a signed
   // int32_t, but BPF instructions always operate on unsigned quantities. We
   // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
   // and then verifying that the rest of the number range (both positive and
   // negative) all return the same ErrorCode.
-  const ErrorCode invalid_err = policy_->InvalidSyscall(this);
+  const ErrorCode invalid_err = policy_->InvalidSyscall()->Compile(this);
   uint32_t old_sysnum = 0;
   ErrorCode old_err = SyscallIterator::IsValid(old_sysnum)
-                          ? policy_->EvaluateSyscall(this, old_sysnum)
+                          ? policy_->EvaluateSyscall(old_sysnum)->Compile(this)
                           : invalid_err;
 
   for (SyscallIterator iter(false); !iter.Done();) {
     uint32_t sysnum = iter.Next();
     ErrorCode err =
         SyscallIterator::IsValid(sysnum)
-            ? policy_->EvaluateSyscall(this, static_cast<int>(sysnum))
+            ? policy_->EvaluateSyscall(static_cast<int>(sysnum))->Compile(this)
             : invalid_err;
     if (!err.Equals(old_err) || iter.Done()) {
       ranges->push_back(Range(old_sysnum, sysnum - 1, old_err));
       old_sysnum = sysnum;
       old_err = err;
     }
   }
 }
 
 Instruction* PolicyCompiler::AssembleJumpTable(Ranges::const_iterator start,
@@ skipping 241 matching lines @@
                    &*conds_.insert(passed).first,
                    &*conds_.insert(failed).first);
 }
 
 ErrorCode PolicyCompiler::Kill(const char* msg) {
   return Trap(BPFFailure, const_cast<char*>(msg));
 }
 
 }  // namespace bpf_dsl
 }  // namespace sandbox