OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <string.h> | 5 #include <string.h> |
6 | 6 |
7 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 7 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
8 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" | 8 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" |
9 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" | 9 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" |
10 #include "sandbox/linux/seccomp-bpf/verifier.h" | 10 #include "sandbox/linux/seccomp-bpf/verifier.h" |
11 | 11 |
| 12 |
| 13 namespace sandbox { |
| 14 |
12 namespace { | 15 namespace { |
13 | 16 |
14 using playground2::ErrorCode; | |
15 using playground2::Sandbox; | |
16 using playground2::Verifier; | |
17 using playground2::arch_seccomp_data; | |
18 | |
19 struct State { | 17 struct State { |
20 State(const std::vector<struct sock_filter>& p, | 18 State(const std::vector<struct sock_filter>& p, |
21 const struct arch_seccomp_data& d) | 19 const struct arch_seccomp_data& d) |
22 : program(p), data(d), ip(0), accumulator(0), acc_is_valid(false) {} | 20 : program(p), data(d), ip(0), accumulator(0), acc_is_valid(false) {} |
23 const std::vector<struct sock_filter>& program; | 21 const std::vector<struct sock_filter>& program; |
24 const struct arch_seccomp_data& data; | 22 const struct arch_seccomp_data& data; |
25 unsigned int ip; | 23 unsigned int ip; |
26 uint32_t accumulator; | 24 uint32_t accumulator; |
27 bool acc_is_valid; | 25 bool acc_is_valid; |
28 | 26 |
29 private: | 27 private: |
30 DISALLOW_IMPLICIT_CONSTRUCTORS(State); | 28 DISALLOW_IMPLICIT_CONSTRUCTORS(State); |
31 }; | 29 }; |
32 | 30 |
33 uint32_t EvaluateErrorCode(Sandbox* sandbox, | 31 uint32_t EvaluateErrorCode(SandboxBPF* sandbox, |
34 const ErrorCode& code, | 32 const ErrorCode& code, |
35 const struct arch_seccomp_data& data) { | 33 const struct arch_seccomp_data& data) { |
36 if (code.error_type() == ErrorCode::ET_SIMPLE || | 34 if (code.error_type() == ErrorCode::ET_SIMPLE || |
37 code.error_type() == ErrorCode::ET_TRAP) { | 35 code.error_type() == ErrorCode::ET_TRAP) { |
38 return code.err(); | 36 return code.err(); |
39 } else if (code.error_type() == ErrorCode::ET_COND) { | 37 } else if (code.error_type() == ErrorCode::ET_COND) { |
40 if (code.width() == ErrorCode::TP_32BIT && | 38 if (code.width() == ErrorCode::TP_32BIT && |
41 (data.args[code.argno()] >> 32) && | 39 (data.args[code.argno()] >> 32) && |
42 (data.args[code.argno()] & 0xFFFFFFFF80000000ull) != | 40 (data.args[code.argno()] & 0xFFFFFFFF80000000ull) != |
43 0xFFFFFFFF80000000ull) { | 41 0xFFFFFFFF80000000ull) { |
(...skipping 27 matching lines...) Expand all Loading... |
71 : *code.failed(), | 69 : *code.failed(), |
72 data); | 70 data); |
73 default: | 71 default: |
74 return SECCOMP_RET_INVALID; | 72 return SECCOMP_RET_INVALID; |
75 } | 73 } |
76 } else { | 74 } else { |
77 return SECCOMP_RET_INVALID; | 75 return SECCOMP_RET_INVALID; |
78 } | 76 } |
79 } | 77 } |
80 | 78 |
81 bool VerifyErrorCode(Sandbox* sandbox, | 79 bool VerifyErrorCode(SandboxBPF* sandbox, |
82 const std::vector<struct sock_filter>& program, | 80 const std::vector<struct sock_filter>& program, |
83 struct arch_seccomp_data* data, | 81 struct arch_seccomp_data* data, |
84 const ErrorCode& root_code, | 82 const ErrorCode& root_code, |
85 const ErrorCode& code, | 83 const ErrorCode& code, |
86 const char** err) { | 84 const char** err) { |
87 if (code.error_type() == ErrorCode::ET_SIMPLE || | 85 if (code.error_type() == ErrorCode::ET_SIMPLE || |
88 code.error_type() == ErrorCode::ET_TRAP) { | 86 code.error_type() == ErrorCode::ET_TRAP) { |
89 uint32_t computed_ret = Verifier::EvaluateBPF(program, *data, err); | 87 uint32_t computed_ret = Verifier::EvaluateBPF(program, *data, err); |
90 if (*err) { | 88 if (*err) { |
91 return false; | 89 return false; |
(...skipping 263 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
355 break; | 353 break; |
356 default: | 354 default: |
357 *err = "Invalid operator in arithmetic operation"; | 355 *err = "Invalid operator in arithmetic operation"; |
358 break; | 356 break; |
359 } | 357 } |
360 } | 358 } |
361 } | 359 } |
362 | 360 |
363 } // namespace | 361 } // namespace |
364 | 362 |
365 namespace playground2 { | 363 bool Verifier::VerifyBPF(SandboxBPF* sandbox, |
366 | |
367 bool Verifier::VerifyBPF(Sandbox* sandbox, | |
368 const std::vector<struct sock_filter>& program, | 364 const std::vector<struct sock_filter>& program, |
369 const SandboxBpfPolicy& policy, | 365 const SandboxBPFPolicy& policy, |
370 const char** err) { | 366 const char** err) { |
371 *err = NULL; | 367 *err = NULL; |
372 for (SyscallIterator iter(false); !iter.Done();) { | 368 for (SyscallIterator iter(false); !iter.Done();) { |
373 uint32_t sysnum = iter.Next(); | 369 uint32_t sysnum = iter.Next(); |
374 // We ideally want to iterate over the full system call range and values | 370 // We ideally want to iterate over the full system call range and values |
375 // just above and just below this range. This gives us the full result set | 371 // just above and just below this range. This gives us the full result set |
376 // of the "evaluators". | 372 // of the "evaluators". |
377 // On Intel systems, this can fail in a surprising way, as a cleared bit 30 | 373 // On Intel systems, this can fail in a surprising way, as a cleared bit 30 |
378 // indicates either i386 or x86-64; and a set bit 30 indicates x32. And | 374 // indicates either i386 or x86-64; and a set bit 30 indicates x32. And |
379 // unless we pay attention to setting this bit correctly, an early check in | 375 // unless we pay attention to setting this bit correctly, an early check in |
(...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
440 Alu(&state, insn, err); | 436 Alu(&state, insn, err); |
441 break; | 437 break; |
442 default: | 438 default: |
443 *err = "Unexpected instruction in BPF program"; | 439 *err = "Unexpected instruction in BPF program"; |
444 break; | 440 break; |
445 } | 441 } |
446 } | 442 } |
447 return 0; | 443 return 0; |
448 } | 444 } |
449 | 445 |
450 } // namespace | 446 } // namespace sandbox |
OLD | NEW |