Chromium Code Reviews
Side by Side Diff: sandbox/linux/seccomp-bpf/errorcode.h

Issue 101773003: Linux sandbox: cleanup sandbox-bpf naming. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Address namespace sandbox nits. Created 7 years ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
6 #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ 6 #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
7 7
8 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" 8 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
9 #include "sandbox/linux/seccomp-bpf/trap.h" 9 #include "sandbox/linux/seccomp-bpf/trap.h"
10 10
11 namespace playground2 { 11 namespace sandbox {
12 12
13 struct arch_seccomp_data; 13 struct arch_seccomp_data;
14 14
15 // This class holds all the possible values that can be returned by a sandbox 15 // This class holds all the possible values that can be returned by a sandbox
16 // policy. 16 // policy.
17 // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an 17 // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an
18 // errno value (in the range 0..4095), a pointer to a TrapFnc callback 18 // errno value (in the range 0..4095), a pointer to a TrapFnc callback
19 // handling a SECCOMP_RET_TRAP trap, or a complex constraint. 19 // handling a SECCOMP_RET_TRAP trap, or a complex constraint.
20 // All of the commonly used values are stored in the "err_" field. So, code 20 // All of the commonly used values are stored in the "err_" field. So, code
21 // that is using the ErrorCode class typically operates on a single 32bit 21 // that is using the ErrorCode class typically operates on a single 32bit
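Review bot: the forward declaration `struct arch_seccomp_data;` at line 13 moves from namespace playground2 into namespace sandbox together with the rename at line 11, so it now declares `sandbox::arch_seccomp_data`; if the definition pulled in through linux_seccomp.h (line 8) lives at global scope or in another namespace, this is an unrelated type that silently shadows the real one in every ErrorCode signature that uses it. Please confirm the definition is in namespace sandbox as well, or drop the forward declaration since the header that defines it is already included.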
(...skipping 17 matching lines...)
39 ERR_MAX_ERRNO = 4095, 39 ERR_MAX_ERRNO = 4095,
40 }; 40 };
41 41
42 // While BPF filter programs always operate on 32bit quantities, the kernel 42 // While BPF filter programs always operate on 32bit quantities, the kernel
43 // always sees system call arguments as 64bit values. This statement is true 43 // always sees system call arguments as 64bit values. This statement is true
44 // no matter whether the host system is natively operating in 32bit or 64bit. 44 // no matter whether the host system is natively operating in 32bit or 64bit.
45 // The BPF compiler hides the fact that BPF instructions cannot directly 45 // The BPF compiler hides the fact that BPF instructions cannot directly
46 // access 64bit quantities. But policies are still advised to specify whether 46 // access 64bit quantities. But policies are still advised to specify whether
47 // a system call expects a 32bit or a 64bit quantity. 47 // a system call expects a 32bit or a 64bit quantity.
48 enum ArgType { 48 enum ArgType {
49 // When passed as an argument to Sandbox::Cond(), TP_32BIT requests that 49 // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that
50 // the conditional test should operate on the 32bit part of the system call 50 // the conditional test should operate on the 32bit part of the system call
51 // argument. 51 // argument.
52 // On 64bit architectures, this verifies that user space did not pass 52 // On 64bit architectures, this verifies that user space did not pass
53 // a 64bit value as an argument to the system call. If it did, that will be 53 // a 64bit value as an argument to the system call. If it did, that will be
54 // interpreted as an attempt at breaking the sandbox and results in the 54 // interpreted as an attempt at breaking the sandbox and results in the
55 // program getting terminated. 55 // program getting terminated.
56 // In other words, only perform a 32bit test, if you are sure this 56 // In other words, only perform a 32bit test, if you are sure this
57 // particular system call would never legitimately take a 64bit 57 // particular system call would never legitimately take a 64bit
58 // argument. 58 // argument.
59 // Implementation detail: TP_32BIT does two things. 1) it restricts the 59 // Implementation detail: TP_32BIT does two things. 1) it restricts the
60 // conditional test to operating on the LSB only, and 2) it adds code to 60 // conditional test to operating on the LSB only, and 2) it adds code to
61 // the BPF filter program verifying that the MSB the kernel received from 61 // the BPF filter program verifying that the MSB the kernel received from
62 // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit 62 // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit
63 // 31 was set in the system call argument. It deals with 32bit arguments 63 // 31 was set in the system call argument. It deals with 32bit arguments
64 // having been sign extended. 64 // having been sign extended.
65 TP_32BIT, 65 TP_32BIT,
66 66
67 // When passed as an argument to Sandbox::Cond(), TP_64BIT requests that 67 // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that
68 // the conditional test should operate on the full 64bit argument. It is 68 // the conditional test should operate on the full 64bit argument. It is
69 // generally harmless to perform a 64bit test on 32bit systems, as the 69 // generally harmless to perform a 64bit test on 32bit systems, as the
70 // kernel will always see the top 32 bits of all arguments as zero'd out. 70 // kernel will always see the top 32 bits of all arguments as zero'd out.
71 // This approach has the desirable property that for tests of pointer 71 // This approach has the desirable property that for tests of pointer
72 // values, we can always use TP_64BIT no matter the host architecture. 72 // values, we can always use TP_64BIT no matter the host architecture.
73 // But of course, that also means, it is possible to write conditional 73 // But of course, that also means, it is possible to write conditional
74 // policies that turn into no-ops on 32bit systems; this is by design. 74 // policies that turn into no-ops on 32bit systems; this is by design.
75 TP_64BIT, 75 TP_64BIT,
76 }; 76 };
77 77
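Review bot: the only edits in this chunk are the two comment references at lines 49 and 67 (Sandbox::Cond() to SandboxBPF::Cond()), which agree with the friend rename further down; lines 22 to 38 are elided here, so please grep the whole header and errorcode.cc for any remaining `Sandbox::` or `playground2` mention so that no comment keeps pointing at a class that no longer exists. Unrelated to the rename but worth tightening while here: lines 52 to 55 say an unexpected 64bit value "results in the program getting terminated" without naming which seccomp return action does it; stating it explicitly would make the TP_32BIT contract clearer to policy authors.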
(...skipping 63 matching lines...)
141 const ErrorCode* failed() const { return failed_; } 141 const ErrorCode* failed() const { return failed_; }
142 142
143 struct LessThan { 143 struct LessThan {
144 bool operator()(const ErrorCode& a, const ErrorCode& b) const { 144 bool operator()(const ErrorCode& a, const ErrorCode& b) const {
145 return a.LessThan(b); 145 return a.LessThan(b);
146 } 146 }
147 }; 147 };
148 148
149 private: 149 private:
150 friend class CodeGen; 150 friend class CodeGen;
151 friend class Sandbox; 151 friend class SandboxBPF;
152 friend class Trap; 152 friend class Trap;
153 153
154 // If we are wrapping a callback, we must assign a unique id. This id is 154 // If we are wrapping a callback, we must assign a unique id. This id is
155 // how the kernel tells us which one of our different SECCOMP_RET_TRAP 155 // how the kernel tells us which one of our different SECCOMP_RET_TRAP
156 // cases has been triggered. 156 // cases has been triggered.
157 ErrorCode(Trap::TrapFnc fnc, const void* aux, bool safe, uint16_t id); 157 ErrorCode(Trap::TrapFnc fnc, const void* aux, bool safe, uint16_t id);
158 158
159 // Some system calls require inspection of arguments. This constructor 159 // Some system calls require inspection of arguments. This constructor
160 // allows us to specify additional constraints. 160 // allows us to specify additional constraints.
161 ErrorCode(int argno, 161 ErrorCode(int argno,
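Review bot: `friend class SandboxBPF;` at line 151 is an unqualified friend declaration with no prior declaration of SandboxBPF visible in this header, so C++ binds it to the innermost enclosing namespace, i.e. it befriends `sandbox::SandboxBPF`; that is only correct if the class is declared in namespace sandbox, otherwise the real SandboxBPF loses access to the private constructors at lines 157 and 161 and the build fails in a confusing place. A forward declaration `class SandboxBPF;` next to the one at line 13 would make the intent explicit. Renaming the friend does have the useful side effect that any call site still spelled `Sandbox` fails to compile instead of silently keeping access.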
(...skipping 23 matching lines...)
185 const ErrorCode* failed_; // or if it failed. 185 const ErrorCode* failed_; // or if it failed.
186 }; 186 };
187 }; 187 };
188 188
189 // 32bit field used for all possible types of ErrorCode values. This is 189 // 32bit field used for all possible types of ErrorCode values. This is
190 // the value that uniquely identifies any ErrorCode and it (typically) can 190 // the value that uniquely identifies any ErrorCode and it (typically) can
191 // be emitted directly into a BPF filter program. 191 // be emitted directly into a BPF filter program.
192 uint32_t err_; 192 uint32_t err_;
193 }; 193 };
194 194
195 } // namespace 195 } // namespace sandbox
196 196
197 #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ 197 #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
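Review bot: the closing `} // namespace sandbox` at line 195 now names the namespace and matches the opening at line 11; since this CL is a naming cleanup, the header guard `SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__` (lines 5, 6 and 197) would be a natural thing to fix in the same pass, because identifiers containing a double underscore are reserved for the implementation in C++ and the Chromium convention is a single trailing `_H_`. Harmless in practice, and it would have to be changed across the whole directory at once, so a follow-up CL is fine if you prefer to keep this one to the rename.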