
Side by Side Diff: sandbox/linux/bpf_dsl/bpf_dsl.h

Issue 681713002: Update from chromium https://crrev.com/301315 (Closed) Base URL: https://github.com/domokit/mojo.git@master
Patch Set: Created 6 years, 1 month ago
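--- a/sandbox/linux/bpf_dsl/bpf_dsl.h
+++ b/sandbox/linux/bpf_dsl/bpf_dsl.h
@@ -1,42 +1,43 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_
 #define SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_
 
 #include <stdint.h>
 
 #include <utility>
 #include <vector>
 
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
+#include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h"
 #include "sandbox/linux/bpf_dsl/cons.h"
 #include "sandbox/linux/bpf_dsl/trap_registry.h"
 #include "sandbox/sandbox_export.h"
 
 // The sandbox::bpf_dsl namespace provides a domain-specific language
 // to make writing BPF policies more expressive. In general, the
 // object types all have value semantics (i.e., they can be copied
 // around, returned from or passed to function calls, etc. without any
 // surprising side effects), though not all support assignment.
 //
 // An idiomatic and demonstrative (albeit silly) example of this API
 // would be:
 //
 // #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 //
 // using namespace sandbox::bpf_dsl;
 //
-// class SillyPolicy : public SandboxBPFDSLPolicy {
+// class SillyPolicy : public Policy {
 // public:
 // SillyPolicy() {}
 // virtual ~SillyPolicy() {}
 // virtual ResultExpr EvaluateSyscall(int sysno) const override {
 // if (sysno == __NR_fcntl) {
 // Arg<int> fd(0), cmd(1);
 // Arg<unsigned long> flags(2);
 // const uint64_t kGoodFlags = O_ACCMODE | O_NONBLOCK;
 // return If(fd == 0 && cmd == F_SETFL && (flags & ~kGoodFlags) == 0,
 // Allow())
@@ -65,70 +66,26 @@
 // The semantics of each function and operator are intended to be
 // intuitive, but are described in more detail below.
 //
 // (Credit to Sean Parent's "Inheritance is the Base Class of Evil"
 // talk at Going Native 2013 for promoting value semantics via shared
 // pointers to immutable state.)
 
 namespace sandbox {
 namespace bpf_dsl {
 
-// Forward declarations of classes; see below for proper documentation.
-class Elser;
-template <typename T>
-class Caser;
-namespace internal {
-class ResultExprImpl;
-class BoolExprImpl;
-}
-
-} // namespace bpf_dsl
-} // namespace sandbox
-
-extern template class SANDBOX_EXPORT
-scoped_refptr<const sandbox::bpf_dsl::internal::BoolExprImpl>;
-extern template class SANDBOX_EXPORT
-scoped_refptr<const sandbox::bpf_dsl::internal::ResultExprImpl>;
-
-namespace sandbox {
-namespace bpf_dsl {
-
 // ResultExpr is an opaque reference to an immutable result expression tree.
 typedef scoped_refptr<const internal::ResultExprImpl> ResultExpr;
 
 // BoolExpr is an opaque reference to an immutable boolean expression tree.
 typedef scoped_refptr<const internal::BoolExprImpl> BoolExpr;
 
-// Interface to implement to define a BPF sandbox policy.
-// TODO(mdempsky): "sandbox::bpf_dsl::SandboxBPFDSLPolicy" is
-// tediously repetitive; rename to just "Policy".
-class SANDBOX_EXPORT SandboxBPFDSLPolicy {
-public:
-SandboxBPFDSLPolicy() {}
-virtual ~SandboxBPFDSLPolicy() {}
-
-// User extension point for writing custom sandbox policies.
-// The returned ResultExpr will control how the kernel responds to the
-// specified system call number.
-virtual ResultExpr EvaluateSyscall(int sysno) const = 0;
-
-// Optional overload for specifying alternate behavior for invalid
-// system calls. The default is to return ENOSYS.
-virtual ResultExpr InvalidSyscall() const;
-
-// Helper method so policies can just write Trap(func, aux).
-static ResultExpr Trap(TrapRegistry::TrapFnc trap_func, const void* aux);
-
-private:
-DISALLOW_COPY_AND_ASSIGN(SandboxBPFDSLPolicy);
-};
-
 // Allow specifies a result that the system call should be allowed to
 // execute normally.
 SANDBOX_EXPORT ResultExpr Allow();
 
 // Error specifies a result that the system call should fail with
 // error number |err|. As a special case, Error(0) will result in the
 // system call appearing to have succeeded, but without having any
 // side effects.
 SANDBOX_EXPORT ResultExpr Error(int err);
 
@@ -351,10 +308,10 @@
 
 template <typename T>
 ResultExpr Caser<T>::Default(ResultExpr result) const {
 return elser_.Else(result);
 }
 
 } // namespace bpf_dsl
 } // namespace sandbox
 
 #endif // SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_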
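Review bot: The usage example in the header comment now derives `SillyPolicy` from `Policy`, yet the only include it shows is `bpf_dsl.h`, and the visible part of this header no longer defines a policy base class: the `SandboxBPFDSLPolicy` definition is removed and only `bpf_dsl_forward.h` is added. Unless the forward header or the skipped lines supply the full class (not visible here), code copied from the example would be deriving from an incomplete type, so the example should also show the include for the header that defines `Policy`. The removed block was also the only place in this file documenting the `EvaluateSyscall` extension point and the ENOSYS default of `InvalidSyscall`. A pointer comment next to the `ResultExpr` typedef, for example `// The Policy interface (EvaluateSyscall, InvalidSyscall) is declared in <header that defines Policy>.`, would let sandbox policy authors find that contract from here.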
