| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_ | 5 #ifndef SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_ |
| 6 #define SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_ | 6 #define SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_ |
| 7 | 7 |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <map> | 10 #include <map> |
| (...skipping 16 matching lines...) Expand all Loading... |
| 27 // Linux kernel. | 27 // Linux kernel. |
| 28 class SANDBOX_EXPORT PolicyCompiler { | 28 class SANDBOX_EXPORT PolicyCompiler { |
| 29 public: | 29 public: |
| 30 PolicyCompiler(const Policy* policy, TrapRegistry* registry); | 30 PolicyCompiler(const Policy* policy, TrapRegistry* registry); |
| 31 ~PolicyCompiler(); | 31 ~PolicyCompiler(); |
| 32 | 32 |
| 33 // Compile registers any trap handlers needed by the policy and | 33 // Compile registers any trap handlers needed by the policy and |
| 34 // compiles the policy to a BPF program, which it returns. | 34 // compiles the policy to a BPF program, which it returns. |
| 35 scoped_ptr<CodeGen::Program> Compile(); | 35 scoped_ptr<CodeGen::Program> Compile(); |
| 36 | 36 |
| 37 // DangerousSetEscapePC sets the "escape PC" that is allowed to issue any | |
| 38 // system calls, regardless of policy. | |
| 39 void DangerousSetEscapePC(uint64_t escapepc); | |
| 40 | |
| 41 // Error returns an ErrorCode to indicate the system call should fail with | 37 // Error returns an ErrorCode to indicate the system call should fail with |
| 42 // the specified error number. | 38 // the specified error number. |
| 43 ErrorCode Error(int err); | 39 ErrorCode Error(int err); |
| 44 | 40 |
| 45 // Trap returns an ErrorCode to indicate the system call should | 41 // Trap returns an ErrorCode to indicate the system call should |
| 46 // instead invoke a trap handler. | 42 // instead invoke a trap handler. |
| 47 ErrorCode Trap(TrapRegistry::TrapFnc fnc, const void* aux, bool safe); | 43 ErrorCode Trap(TrapRegistry::TrapFnc fnc, const void* aux, bool safe); |
| 48 | 44 |
| 49 // UnsafeTraps require some syscalls to always be allowed. | 45 // UnsafeTraps require some syscalls to always be allowed. |
| 50 // This helper function returns true for these calls. | 46 // This helper function returns true for these calls. |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 85 | 81 |
| 86 // Compile the configured policy into a complete instruction sequence. | 82 // Compile the configured policy into a complete instruction sequence. |
| 87 CodeGen::Node AssemblePolicy(); | 83 CodeGen::Node AssemblePolicy(); |
| 88 | 84 |
| 89 // Return an instruction sequence that checks the | 85 // Return an instruction sequence that checks the |
| 90 // arch_seccomp_data's "arch" field is valid, and then passes | 86 // arch_seccomp_data's "arch" field is valid, and then passes |
| 91 // control to |passed| if so. | 87 // control to |passed| if so. |
| 92 CodeGen::Node CheckArch(CodeGen::Node passed); | 88 CodeGen::Node CheckArch(CodeGen::Node passed); |
| 93 | 89 |
| 94 // If |has_unsafe_traps_| is true, returns an instruction sequence | 90 // If |has_unsafe_traps_| is true, returns an instruction sequence |
| 95 // that allows all system calls from |escapepc_|, and otherwise | 91 // that allows all system calls from Syscall::Call(), and otherwise |
| 96 // passes control to |rest|. Otherwise, simply returns |rest|. | 92 // passes control to |rest|. Otherwise, simply returns |rest|. |
| 97 CodeGen::Node MaybeAddEscapeHatch(CodeGen::Node rest); | 93 CodeGen::Node MaybeAddEscapeHatch(CodeGen::Node rest); |
| 98 | 94 |
| 99 // Return an instruction sequence that loads and checks the system | 95 // Return an instruction sequence that loads and checks the system |
| 100 // call number, performs a binary search, and then dispatches to an | 96 // call number, performs a binary search, and then dispatches to an |
| 101 // appropriate instruction sequence compiled from the current | 97 // appropriate instruction sequence compiled from the current |
| 102 // policy. | 98 // policy. |
| 103 CodeGen::Node DispatchSyscall(); | 99 CodeGen::Node DispatchSyscall(); |
| 104 | 100 |
| 105 // Return an instruction sequence that checks the system call number | 101 // Return an instruction sequence that checks the system call number |
| (...skipping 31 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 137 | 133 |
| 138 // Returns a BPF program that evaluates half of a conditional expression; | 134 // Returns a BPF program that evaluates half of a conditional expression; |
| 139 // it should only ever be called from CondExpression(). | 135 // it should only ever be called from CondExpression(). |
| 140 CodeGen::Node CondExpressionHalf(const ErrorCode& cond, | 136 CodeGen::Node CondExpressionHalf(const ErrorCode& cond, |
| 141 ArgHalf half, | 137 ArgHalf half, |
| 142 CodeGen::Node passed, | 138 CodeGen::Node passed, |
| 143 CodeGen::Node failed); | 139 CodeGen::Node failed); |
| 144 | 140 |
| 145 const Policy* policy_; | 141 const Policy* policy_; |
| 146 TrapRegistry* registry_; | 142 TrapRegistry* registry_; |
| 147 uint64_t escapepc_; | |
| 148 | 143 |
| 149 Conds conds_; | 144 Conds conds_; |
| 150 CodeGen gen_; | 145 CodeGen gen_; |
| 151 bool has_unsafe_traps_; | 146 bool has_unsafe_traps_; |
| 152 | 147 |
| 153 DISALLOW_COPY_AND_ASSIGN(PolicyCompiler); | 148 DISALLOW_COPY_AND_ASSIGN(PolicyCompiler); |
| 154 }; | 149 }; |
| 155 | 150 |
| 156 } // namespace bpf_dsl | 151 } // namespace bpf_dsl |
| 157 } // namespace sandbox | 152 } // namespace sandbox |
| 158 | 153 |
| 159 #endif // SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_ | 154 #endif // SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_ |
| OLD | NEW |