Update from https://crrev.com/306655

sandbox/linux/bpf_dsl/policy_compiler.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
 
 #include <errno.h>
 #include <linux/filter.h>
 #include <sys/syscall.h>
 
@@ skipping 36 matching lines @@
 #if defined(__NR_sigreturn)
     __NR_sigreturn,
 #endif
 };
 
 bool HasExactlyOneBit(uint64_t x) {
   // Common trick; e.g., see http://stackoverflow.com/a/108329.
   return x != 0 && (x & (x - 1)) == 0;
 }
 
-bool IsDenied(const ErrorCode& code) {
-  return (code.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP ||
-         (code.err() >= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MIN_ERRNO) &&
-          code.err() <= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MAX_ERRNO));
-}
-
 // A Trap() handler that returns an "errno" value. The value is encoded
 // in the "aux" parameter.
 intptr_t ReturnErrno(const struct arch_seccomp_data&, void* aux) {
   // TrapFnc functions report error by following the native kernel convention
   // of returning an exit code in the range of -1..-4096. They do not try to
   // set errno themselves. The glibc wrapper that triggered the SIGSYS will
   // ultimately do so for us.
   int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
   return -err;
 }
 
-intptr_t BPFFailure(const struct arch_seccomp_data&, void* aux) {
-  SANDBOX_DIE(static_cast<char*>(aux));
-}
-
 bool HasUnsafeTraps(const Policy* policy) {
+  DCHECK(policy);
   for (uint32_t sysnum : SyscallSet::ValidOnly()) {
     if (policy->EvaluateSyscall(sysnum)->HasUnsafeTraps()) {
       return true;
     }
   }
   return policy->InvalidSyscall()->HasUnsafeTraps();
 }
 
 }  // namespace
 
 struct PolicyCompiler::Range {
-  Range(uint32_t f, const ErrorCode& e) : from(f), err(e) {}
   uint32_t from;
-  ErrorCode err;
+  CodeGen::Node node;
 };
 
 PolicyCompiler::PolicyCompiler(const Policy* policy, TrapRegistry* registry)
     : policy_(policy),
       registry_(registry),
       conds_(),
       gen_(),
       has_unsafe_traps_(HasUnsafeTraps(policy_)) {
+  DCHECK(policy);
 }
 
 PolicyCompiler::~PolicyCompiler() {
 }
 
 scoped_ptr<CodeGen::Program> PolicyCompiler::Compile() {
-  if (!IsDenied(policy_->InvalidSyscall()->Compile(this))) {
+  if (!policy_->InvalidSyscall()->IsDeny()) {
     SANDBOX_DIE("Policies should deny invalid system calls.");
   }
 
   // If our BPF program has unsafe traps, enable support for them.
   if (has_unsafe_traps_) {
     // As support for unsafe jumps essentially defeats all the security
     // measures that the sandbox provides, we print a big warning message --
     // and of course, we make sure to only ever enable this feature if it
     // is actually requested by the sandbox policy.
     if (Syscall::Call(-1) == -1 && errno == ENOSYS) {
       SANDBOX_DIE(
           "Support for UnsafeTrap() has not yet been ported to this "
           "architecture");
     }
 
     for (int sysnum : kSyscallsRequiredForUnsafeTraps) {
-      if (!policy_->EvaluateSyscall(sysnum)->Compile(this)
-               .Equals(ErrorCode(ErrorCode::ERR_ALLOWED))) {
+      if (!policy_->EvaluateSyscall(sysnum)->IsAllow()) {
         SANDBOX_DIE(
             "Policies that use UnsafeTrap() must unconditionally allow all "
             "required system calls");
       }
     }
 
     if (!registry_->EnableUnsafeTraps()) {
       // We should never be able to get here, as UnsafeTrap() should never
       // actually return a valid ErrorCode object unless the user set the
       // CHROME_SANDBOX_DEBUGGING environment variable; and therefore,
@@ skipping 16 matching lines @@
   //      invoked by Syscall::Call, and then allow it unconditionally.
   //   3. Check the system call number and jump to the appropriate compiled
   //      system call policy number.
   return CheckArch(MaybeAddEscapeHatch(DispatchSyscall()));
 }
 
 CodeGen::Node PolicyCompiler::CheckArch(CodeGen::Node passed) {
   // If the architecture doesn't match SECCOMP_ARCH, disallow the
   // system call.
   return gen_.MakeInstruction(
-      BPF_LD + BPF_W + BPF_ABS,
-      SECCOMP_ARCH_IDX,
+      BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARCH_IDX,
       gen_.MakeInstruction(
-          BPF_JMP + BPF_JEQ + BPF_K,
-          SECCOMP_ARCH,
-          passed,
-          RetExpression(Kill("Invalid audit architecture in BPF filter"))));
+          BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_ARCH, passed,
+          CompileResult(Kill("Invalid audit architecture in BPF filter"))));
 }
 
 CodeGen::Node PolicyCompiler::MaybeAddEscapeHatch(CodeGen::Node rest) {
   // If no unsafe traps, then simply return |rest|.
   if (!has_unsafe_traps_) {
     return rest;
   }
 
   // Allow system calls, if they originate from our magic return address
   // (which we can query by calling Syscall::Call(-1)).
   uint64_t syscall_entry_point =
       static_cast<uint64_t>(static_cast<uintptr_t>(Syscall::Call(-1)));
   uint32_t low = static_cast<uint32_t>(syscall_entry_point);
   uint32_t hi = static_cast<uint32_t>(syscall_entry_point >> 32);
 
   // BPF cannot do native 64-bit comparisons, so we have to compare
   // both 32-bit halves of the instruction pointer. If they match what
   // we expect, we return ERR_ALLOWED. If either or both don't match,
   // we continue evalutating the rest of the sandbox policy.
   //
   // For simplicity, we check the full 64-bit instruction pointer even
   // on 32-bit architectures.
   return gen_.MakeInstruction(
-      BPF_LD + BPF_W + BPF_ABS,
-      SECCOMP_IP_LSB_IDX,
+      BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_LSB_IDX,
       gen_.MakeInstruction(
-          BPF_JMP + BPF_JEQ + BPF_K,
-          low,
+          BPF_JMP + BPF_JEQ + BPF_K, low,
           gen_.MakeInstruction(
-              BPF_LD + BPF_W + BPF_ABS,
-              SECCOMP_IP_MSB_IDX,
-              gen_.MakeInstruction(
-                  BPF_JMP + BPF_JEQ + BPF_K,
-                  hi,
-                  RetExpression(ErrorCode(ErrorCode::ERR_ALLOWED)),
-                  rest)),
+              BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_MSB_IDX,
+              gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, hi,
+                                   CompileResult(Allow()), rest)),
           rest));
 }
 
 CodeGen::Node PolicyCompiler::DispatchSyscall() {
   // Evaluate all possible system calls and group their ErrorCodes into
   // ranges of identical codes.
   Ranges ranges;
   FindRanges(&ranges);
 
   // Compile the system call ranges to an optimized BPF jumptable
   CodeGen::Node jumptable = AssembleJumpTable(ranges.begin(), ranges.end());
 
   // Grab the system call number, so that we can check it and then
   // execute the jump table.
   return gen_.MakeInstruction(
       BPF_LD + BPF_W + BPF_ABS, SECCOMP_NR_IDX, CheckSyscallNumber(jumptable));
 }
 
 CodeGen::Node PolicyCompiler::CheckSyscallNumber(CodeGen::Node passed) {
   if (kIsIntel) {
     // On Intel architectures, verify that system call numbers are in the
     // expected number range.
     CodeGen::Node invalidX32 =
-        RetExpression(Kill("Illegal mixing of system call ABIs"));
+        CompileResult(Kill("Illegal mixing of system call ABIs"));
     if (kIsX32) {
       // The newer x32 API always sets bit 30.
       return gen_.MakeInstruction(
           BPF_JMP + BPF_JSET + BPF_K, 0x40000000, passed, invalidX32);
     } else {
       // The older i386 and x86-64 APIs clear bit 30 on all system calls.
       return gen_.MakeInstruction(
           BPF_JMP + BPF_JSET + BPF_K, 0x40000000, invalidX32, passed);
     }
   }
 
   // TODO(mdempsky): Similar validation for other architectures?
   return passed;
 }
 
 void PolicyCompiler::FindRanges(Ranges* ranges) {
   // Please note that "struct seccomp_data" defines system calls as a signed
   // int32_t, but BPF instructions always operate on unsigned quantities. We
   // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
   // and then verifying that the rest of the number range (both positive and
   // negative) all return the same ErrorCode.
-  const ErrorCode invalid_err = policy_->InvalidSyscall()->Compile(this);
+  const CodeGen::Node invalid_node = CompileResult(policy_->InvalidSyscall());
   uint32_t old_sysnum = 0;
-  ErrorCode old_err = SyscallSet::IsValid(old_sysnum)
-                          ? policy_->EvaluateSyscall(old_sysnum)->Compile(this)
-                          : invalid_err;
+  CodeGen::Node old_node =
+      SyscallSet::IsValid(old_sysnum)
+          ? CompileResult(policy_->EvaluateSyscall(old_sysnum))
+          : invalid_node;
 
   for (uint32_t sysnum : SyscallSet::All()) {
-    ErrorCode err =
+    CodeGen::Node node =
         SyscallSet::IsValid(sysnum)
-            ? policy_->EvaluateSyscall(static_cast<int>(sysnum))->Compile(this)
-            : invalid_err;
-    if (!err.Equals(old_err)) {
-      ranges->push_back(Range(old_sysnum, old_err));
+            ? CompileResult(policy_->EvaluateSyscall(static_cast<int>(sysnum)))
+            : invalid_node;
+    // N.B., here we rely on CodeGen folding (i.e., returning the same
+    // node value for) identical code sequences, otherwise our jump
+    // table will blow up in size.
+    if (node != old_node) {
+      ranges->push_back(Range{old_sysnum, old_node});
       old_sysnum = sysnum;
-      old_err = err;
+      old_node = node;
     }
   }
-  ranges->push_back(Range(old_sysnum, old_err));
+  ranges->push_back(Range{old_sysnum, old_node});
 }
 
 CodeGen::Node PolicyCompiler::AssembleJumpTable(Ranges::const_iterator start,
                                                 Ranges::const_iterator stop) {
   // We convert the list of system call ranges into jump table that performs
   // a binary search over the ranges.
   // As a sanity check, we need to have at least one distinct ranges for us
   // to be able to build a jump table.
   if (stop - start <= 0) {
     SANDBOX_DIE("Invalid set of system call ranges");
   } else if (stop - start == 1) {
     // If we have narrowed things down to a single range object, we can
     // return from the BPF filter program.
-    return RetExpression(start->err);
+    return start->node;
   }
 
   // Pick the range object that is located at the mid point of our list.
   // We compare our system call number against the lowest valid system call
   // number in this range object. If our number is lower, it is outside of
   // this range object. If it is greater or equal, it might be inside.
   Ranges::const_iterator mid = start + (stop - start) / 2;
 
   // Sub-divide the list of ranges and continue recursively.
   CodeGen::Node jf = AssembleJumpTable(start, mid);
   CodeGen::Node jt = AssembleJumpTable(mid, stop);
   return gen_.MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
 }
 
+CodeGen::Node PolicyCompiler::CompileResult(const ResultExpr& res) {
+  return RetExpression(res->Compile(this));
+}
+
 CodeGen::Node PolicyCompiler::RetExpression(const ErrorCode& err) {
   switch (err.error_type()) {
     case ErrorCode::ET_COND:
       return CondExpression(err);
     case ErrorCode::ET_SIMPLE:
     case ErrorCode::ET_TRAP:
       return gen_.MakeInstruction(BPF_RET + BPF_K, err.err());
     default:
       SANDBOX_DIE("ErrorCode is not suitable for returning from a BPF program");
   }
@@ skipping 141 matching lines @@
       BPF_LD + BPF_W + BPF_ABS,
       idx,
       gen_.MakeInstruction(
           BPF_ALU + BPF_AND + BPF_K,
           mask,
           gen_.MakeInstruction(
               BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed)));
 }
 
 ErrorCode PolicyCompiler::Unexpected64bitArgument() {
-  return Kill("Unexpected 64bit argument detected");
+  return Kill("Unexpected 64bit argument detected")->Compile(this);
 }
 
 ErrorCode PolicyCompiler::Error(int err) {
   if (has_unsafe_traps_) {
     // When inside an UnsafeTrap() callback, we want to allow all system calls.
     // This means, we must conditionally disable the sandbox -- and that's not
     // something that kernel-side BPF filters can do, as they cannot inspect
     // any state other than the syscall arguments.
     // But if we redirect all error handlers to user-space, then we can easily
     // make this decision.
     // The performance penalty for this extra round-trip to user-space is not
     // actually that bad, as we only ever pay it for denied system calls; and a
     // typical program has very few of these.
-    return Trap(ReturnErrno, reinterpret_cast<void*>(err));
+    return Trap(ReturnErrno, reinterpret_cast<void*>(err), true);
   }
 
   return ErrorCode(err);
 }
 
-ErrorCode PolicyCompiler::MakeTrap(TrapRegistry::TrapFnc fnc,
-                                   const void* aux,
-                                   bool safe) {
+ErrorCode PolicyCompiler::Trap(TrapRegistry::TrapFnc fnc,
+                               const void* aux,
+                               bool safe) {
   uint16_t trap_id = registry_->Add(fnc, aux, safe);
   return ErrorCode(trap_id, fnc, aux, safe);
 }
 
-ErrorCode PolicyCompiler::Trap(TrapRegistry::TrapFnc fnc, const void* aux) {
-  return MakeTrap(fnc, aux, true /* Safe Trap */);
-}
-
-ErrorCode PolicyCompiler::UnsafeTrap(TrapRegistry::TrapFnc fnc,
-                                     const void* aux) {
-  return MakeTrap(fnc, aux, false /* Unsafe Trap */);
-}
-
 bool PolicyCompiler::IsRequiredForUnsafeTrap(int sysno) {
   for (size_t i = 0; i < arraysize(kSyscallsRequiredForUnsafeTraps); ++i) {
     if (sysno == kSyscallsRequiredForUnsafeTraps[i]) {
       return true;
     }
   }
   return false;
 }
 
 ErrorCode PolicyCompiler::CondMaskedEqual(int argno,
                                           ErrorCode::ArgType width,
                                           uint64_t mask,
                                           uint64_t value,
                                           const ErrorCode& passed,
                                           const ErrorCode& failed) {
   return ErrorCode(argno,
                    width,
                    mask,
                    value,
                    &*conds_.insert(passed).first,
                    &*conds_.insert(failed).first);
 }
 
-ErrorCode PolicyCompiler::Kill(const char* msg) {
-  return Trap(BPFFailure, const_cast<char*>(msg));
-}
-
 }  // namespace bpf_dsl
 }  // namespace sandbox