bpf_dsl: switch PolicyCompiler from seccomp-bpf/die.h to base/logging.h

sandbox/linux/bpf_dsl/policy_compiler.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
 
 #include <errno.h>
 #include <linux/filter.h>
 #include <sys/syscall.h>
 
 #include <limits>
 
 #include "base/logging.h"
 #include "base/macros.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
 #include "sandbox/linux/bpf_dsl/codegen.h"
 #include "sandbox/linux/bpf_dsl/policy.h"
 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
 #include "sandbox/linux/bpf_dsl/syscall_set.h"
-#include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/errorcode.h"
 #include "sandbox/linux/system_headers/linux_seccomp.h"
 
 namespace sandbox {
 namespace bpf_dsl {
 
 namespace {
 
 #if defined(__i386__) || defined(__x86_64__)
 const bool kIsIntel = true;
@@ skipping 57 matching lines @@
       conds_(),
       gen_(),
       has_unsafe_traps_(HasUnsafeTraps(policy_)) {
   DCHECK(policy);
 }
 
 PolicyCompiler::~PolicyCompiler() {
 }
 
 scoped_ptr<CodeGen::Program> PolicyCompiler::Compile() {
-  if (!policy_->InvalidSyscall()->IsDeny()) {
-    SANDBOX_DIE("Policies should deny invalid system calls.");
-  }
+  CHECK(policy_->InvalidSyscall()->IsDeny())
+      << "Policies should deny invalid system calls";
 
   // If our BPF program has unsafe traps, enable support for them.
   if (has_unsafe_traps_) {
-    // As support for unsafe jumps essentially defeats all the security
-    // measures that the sandbox provides, we print a big warning message --
-    // and of course, we make sure to only ever enable this feature if it
-    // is actually requested by the sandbox policy.
-
     CHECK_NE(0U, escapepc_) << "UnsafeTrap() requires a valid escape PC";
 
     for (int sysnum : kSyscallsRequiredForUnsafeTraps) {
-      if (!policy_->EvaluateSyscall(sysnum)->IsAllow()) {
-        SANDBOX_DIE(
-            "Policies that use UnsafeTrap() must unconditionally allow all "
-            "required system calls");
-      }
+      CHECK(policy_->EvaluateSyscall(sysnum)->IsAllow())
+          << "Policies that use UnsafeTrap() must unconditionally allow all "
+             "required system calls";
     }
 
-    if (!registry_->EnableUnsafeTraps()) {
-      // We should never be able to get here, as UnsafeTrap() should never
-      // actually return a valid ErrorCode object unless the user set the
-      // CHROME_SANDBOX_DEBUGGING environment variable; and therefore,
-      // "has_unsafe_traps" would always be false. But better double-check
-      // than enabling dangerous code.
-      SANDBOX_DIE("We'd rather die than enable unsafe traps");
-    }
+    CHECK(registry_->EnableUnsafeTraps())
+        << "We'd rather die than enable unsafe traps";
   }
 
   // Assemble the BPF filter program.
   scoped_ptr<CodeGen::Program> program(new CodeGen::Program());
   gen_.Compile(AssemblePolicy(), program.get());
   return program.Pass();
 }
 
 void PolicyCompiler::DangerousSetEscapePC(uint64_t escapepc) {
   escapepc_ = escapepc;
@@ skipping 116 matching lines @@
   }
   ranges->push_back(Range{old_sysnum, old_node});
 }
 
 CodeGen::Node PolicyCompiler::AssembleJumpTable(Ranges::const_iterator start,
                                                 Ranges::const_iterator stop) {
   // We convert the list of system call ranges into jump table that performs
   // a binary search over the ranges.
   // As a sanity check, we need to have at least one distinct ranges for us
   // to be able to build a jump table.
-  if (stop - start <= 0) {
-    SANDBOX_DIE("Invalid set of system call ranges");
-  } else if (stop - start == 1) {
+  CHECK(start < stop) << "Invalid iterator range";
+  const auto n = stop - start;
+  if (n == 1) {
     // If we have narrowed things down to a single range object, we can
     // return from the BPF filter program.
     return start->node;
   }
 
   // Pick the range object that is located at the mid point of our list.
   // We compare our system call number against the lowest valid system call
   // number in this range object. If our number is lower, it is outside of
   // this range object. If it is greater or equal, it might be inside.
-  Ranges::const_iterator mid = start + (stop - start) / 2;
+  Ranges::const_iterator mid = start + n / 2;
 
   // Sub-divide the list of ranges and continue recursively.
   CodeGen::Node jf = AssembleJumpTable(start, mid);
   CodeGen::Node jt = AssembleJumpTable(mid, stop);
   return gen_.MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
 }
 
 CodeGen::Node PolicyCompiler::CompileResult(const ResultExpr& res) {
   return RetExpression(res->Compile(this));
 }
 
 CodeGen::Node PolicyCompiler::RetExpression(const ErrorCode& err) {
   switch (err.error_type()) {
     case ErrorCode::ET_COND:
       return CondExpression(err);
     case ErrorCode::ET_SIMPLE:
     case ErrorCode::ET_TRAP:
       return gen_.MakeInstruction(BPF_RET + BPF_K, err.err());
     default:
-      SANDBOX_DIE("ErrorCode is not suitable for returning from a BPF program");
+      LOG(FATAL)
+          << "ErrorCode is not suitable for returning from a BPF program";
+      return CodeGen::kNullNode;
   }
 }
 
 CodeGen::Node PolicyCompiler::CondExpression(const ErrorCode& cond) {
   // Sanity check that |cond| makes sense.
-  if (cond.argno_ < 0 || cond.argno_ >= 6) {
-    SANDBOX_DIE("sandbox_bpf: invalid argument number");
+  CHECK(cond.argno_ >= 0 && cond.argno_ < 6) << "Invalid argument number "
+                                             << cond.argno_;
+  CHECK(cond.width_ == ErrorCode::TP_32BIT ||
+        cond.width_ == ErrorCode::TP_64BIT)
+      << "Invalid argument width " << cond.width_;
+  CHECK_NE(0U, cond.mask_) << "Zero mask is invalid";
+  CHECK_EQ(cond.value_, cond.value_ & cond.mask_)
+      << "Value contains masked out bits";
+  if (sizeof(void*) == 4) {
+    CHECK_EQ(ErrorCode::TP_32BIT, cond.width_)
+        << "Invalid width on 32-bit platform";
   }
-  if (cond.width_ != ErrorCode::TP_32BIT &&
-      cond.width_ != ErrorCode::TP_64BIT) {
-    SANDBOX_DIE("sandbox_bpf: invalid argument width");
+  if (cond.width_ == ErrorCode::TP_32BIT) {
+    CHECK_EQ(0U, cond.mask_ >> 32) << "Mask exceeds argument size";
+    CHECK_EQ(0U, cond.value_ >> 32) << "Value exceeds argument size";
   }
-  if (cond.mask_ == 0) {
-    SANDBOX_DIE("sandbox_bpf: zero mask is invalid");
-  }
-  if ((cond.value_ & cond.mask_) != cond.value_) {
-    SANDBOX_DIE("sandbox_bpf: value contains masked out bits");
-  }
-  if (cond.width_ == ErrorCode::TP_32BIT &&
-      ((cond.mask_ >> 32) != 0 || (cond.value_ >> 32) != 0)) {
-    SANDBOX_DIE("sandbox_bpf: test exceeds argument size");
-  }
-  // TODO(mdempsky): Reject TP_64BIT on 32-bit platforms. For now we allow it
-  // because some SandboxBPF unit tests exercise it.

[jln (very slow on Chromium), 2015/02/20 07:00:44]

So these disappeared? Cool, but I don't remember :)

 
   CodeGen::Node passed = RetExpression(*cond.passed_);
   CodeGen::Node failed = RetExpression(*cond.failed_);
 
   // We want to emit code to check "(arg & mask) == value" where arg, mask, and
   // value are 64-bit values, but the BPF machine is only 32-bit. We implement
   // this by independently testing the upper and lower 32-bits and continuing to
   // |passed| if both evaluate true, or to |failed| if either evaluate false.
   return CondExpressionHalf(cond,
                             UpperHalf,
@@ skipping 160 matching lines @@
   return ErrorCode(argno,
                    width,
                    mask,
                    value,
                    &*conds_.insert(passed).first,
                    &*conds_.insert(failed).first);
 }
 
 }  // namespace bpf_dsl
 }  // namespace sandbox