| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__ |
| 6 #define SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__ |
| 7 |
| 8 #include <signal.h> |
| 9 #include <stdint.h> |
| 10 |
| 11 #include <map> |
| 12 |
| 13 #include "base/macros.h" |
| 14 #include "sandbox/linux/bpf_dsl/trap_registry.h" |
| 15 #include "sandbox/sandbox_export.h" |
| 16 |
| 17 namespace sandbox { |
| 18 |
| 19 // The Trap class allows a BPF filter program to branch out to user space by |
| 20 // raising a SIGSYS signal. |
| 21 // N.B.: This class does not perform any synchronization operations. If |
| 22 // modifications are made to any of the traps, it is the caller's |
| 23 // responsibility to ensure that this happens in a thread-safe fashion. |
| 24 // Preferably, that means that no other threads should be running at that |
| 25 // time. For the purposes of our sandbox, this assertion should always be |
| 26 // true. Threads are incompatible with the seccomp sandbox anyway. |
| 27 class SANDBOX_EXPORT Trap : public bpf_dsl::TrapRegistry { |
| 28 public: |
| 29 virtual uint16_t Add(TrapFnc fnc, const void* aux, bool safe) override; |
| 30 |
| 31 virtual bool EnableUnsafeTraps() override; |
| 32 |
| 33 // Registry returns the trap registry used by Trap's SIGSYS handler, |
| 34 // creating it if necessary. |
| 35 static bpf_dsl::TrapRegistry* Registry(); |
| 36 |
| 37 // Registers a new trap handler and sets up the appropriate SIGSYS handler |
| 38 // as needed. |
| 39 // N.B.: This makes a permanent state change. Traps cannot be unregistered, |
| 40 // as that would break existing BPF filters that are still active. |
| 41 // TODO(mdempsky): Deprecated; remove. |
| 42 static uint16_t MakeTrap(TrapFnc fnc, const void* aux, bool safe); |
| 43 |
| 44 // Enables support for unsafe traps in the SIGSYS signal handler. This is a |
| 45 // one-way fuse. It works in conjunction with the BPF compiler emitting code |
| 46 // that unconditionally allows system calls, if they have a magic return |
| 47 // address (i.e. SandboxSyscall(-1)). |
| 48 // Once unsafe traps are enabled, the sandbox is essentially compromised. |
| 49 // But this is still a very useful feature for debugging purposes. Use with |
| 50 // care. This feature is availably only if enabled by the user (see above). |
| 51 // Returns "true", if unsafe traps were turned on. |
| 52 // TODO(mdempsky): Deprecated; remove. |
| 53 static bool EnableUnsafeTrapsInSigSysHandler(); |
| 54 |
| 55 private: |
| 56 struct TrapKey { |
| 57 TrapKey() : fnc(NULL), aux(NULL), safe(false) {} |
| 58 TrapKey(TrapFnc f, const void* a, bool s) : fnc(f), aux(a), safe(s) {} |
| 59 TrapFnc fnc; |
| 60 const void* aux; |
| 61 bool safe; |
| 62 bool operator<(const TrapKey&) const; |
| 63 }; |
| 64 typedef std::map<TrapKey, uint16_t> TrapIds; |
| 65 |
| 66 // Our constructor is private. A shared global instance is created |
| 67 // automatically as needed. |
| 68 Trap(); |
| 69 |
| 70 // The destructor is unimplemented. Don't ever attempt to destruct this |
| 71 // object. It'll break subsequent system calls that trigger a SIGSYS. |
| 72 ~Trap(); |
| 73 |
| 74 static void SigSysAction(int nr, siginfo_t* info, void* void_context); |
| 75 |
| 76 // Make sure that SigSys is not inlined in order to get slightly better crash |
| 77 // dumps. |
| 78 void SigSys(int nr, siginfo_t* info, void* void_context) |
| 79 __attribute__((noinline)); |
| 80 bool SandboxDebuggingAllowedByUser() const; |
| 81 |
| 82 // We have a global singleton that handles all of our SIGSYS traps. This |
| 83 // variable must never be deallocated after it has been set up initially, as |
| 84 // there is no way to reset in-kernel BPF filters that generate SIGSYS |
| 85 // events. |
| 86 static Trap* global_trap_; |
| 87 |
| 88 TrapIds trap_ids_; // Maps from TrapKeys to numeric ids |
| 89 TrapKey* trap_array_; // Array of TrapKeys indexed by ids |
| 90 size_t trap_array_size_; // Currently used size of array |
| 91 size_t trap_array_capacity_; // Currently allocated capacity of array |
| 92 bool has_unsafe_traps_; // Whether unsafe traps have been enabled |
| 93 |
| 94 // Copying and assigning is unimplemented. It doesn't make sense for a |
| 95 // singleton. |
| 96 DISALLOW_COPY_AND_ASSIGN(Trap); |
| 97 }; |
| 98 |
| 99 } // namespace sandbox |
| 100 |
| 101 #endif // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 670183003:
Update from chromium 62675d9fb31fb8cedc40f68e78e8445a74f362e7 (Closed)
Base URL: git@github.com:domokit/mojo.git@master