Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(36)

Side by Side Diff: sandbox/linux/seccomp-bpf/verifier.cc

Issue 101773003: Linux sandbox: cleanup sandbox-bpf naming. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Address namespace sandbox nits. Created 7 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « sandbox/linux/seccomp-bpf/verifier.h ('k') | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include <string.h> 5 #include <string.h>
6 6
7 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" 7 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
8 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" 8 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
9 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" 9 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
10 #include "sandbox/linux/seccomp-bpf/verifier.h" 10 #include "sandbox/linux/seccomp-bpf/verifier.h"
11 11
12
13 namespace sandbox {
14
12 namespace { 15 namespace {
13 16
14 using playground2::ErrorCode;
15 using playground2::Sandbox;
16 using playground2::Verifier;
17 using playground2::arch_seccomp_data;
18
19 struct State { 17 struct State {
20 State(const std::vector<struct sock_filter>& p, 18 State(const std::vector<struct sock_filter>& p,
21 const struct arch_seccomp_data& d) 19 const struct arch_seccomp_data& d)
22 : program(p), data(d), ip(0), accumulator(0), acc_is_valid(false) {} 20 : program(p), data(d), ip(0), accumulator(0), acc_is_valid(false) {}
23 const std::vector<struct sock_filter>& program; 21 const std::vector<struct sock_filter>& program;
24 const struct arch_seccomp_data& data; 22 const struct arch_seccomp_data& data;
25 unsigned int ip; 23 unsigned int ip;
26 uint32_t accumulator; 24 uint32_t accumulator;
27 bool acc_is_valid; 25 bool acc_is_valid;
28 26
29 private: 27 private:
30 DISALLOW_IMPLICIT_CONSTRUCTORS(State); 28 DISALLOW_IMPLICIT_CONSTRUCTORS(State);
31 }; 29 };
32 30
33 uint32_t EvaluateErrorCode(Sandbox* sandbox, 31 uint32_t EvaluateErrorCode(SandboxBPF* sandbox,
34 const ErrorCode& code, 32 const ErrorCode& code,
35 const struct arch_seccomp_data& data) { 33 const struct arch_seccomp_data& data) {
36 if (code.error_type() == ErrorCode::ET_SIMPLE || 34 if (code.error_type() == ErrorCode::ET_SIMPLE ||
37 code.error_type() == ErrorCode::ET_TRAP) { 35 code.error_type() == ErrorCode::ET_TRAP) {
38 return code.err(); 36 return code.err();
39 } else if (code.error_type() == ErrorCode::ET_COND) { 37 } else if (code.error_type() == ErrorCode::ET_COND) {
40 if (code.width() == ErrorCode::TP_32BIT && 38 if (code.width() == ErrorCode::TP_32BIT &&
41 (data.args[code.argno()] >> 32) && 39 (data.args[code.argno()] >> 32) &&
42 (data.args[code.argno()] & 0xFFFFFFFF80000000ull) != 40 (data.args[code.argno()] & 0xFFFFFFFF80000000ull) !=
43 0xFFFFFFFF80000000ull) { 41 0xFFFFFFFF80000000ull) {
(...skipping 27 matching lines...) Expand all
71 : *code.failed(), 69 : *code.failed(),
72 data); 70 data);
73 default: 71 default:
74 return SECCOMP_RET_INVALID; 72 return SECCOMP_RET_INVALID;
75 } 73 }
76 } else { 74 } else {
77 return SECCOMP_RET_INVALID; 75 return SECCOMP_RET_INVALID;
78 } 76 }
79 } 77 }
80 78
81 bool VerifyErrorCode(Sandbox* sandbox, 79 bool VerifyErrorCode(SandboxBPF* sandbox,
82 const std::vector<struct sock_filter>& program, 80 const std::vector<struct sock_filter>& program,
83 struct arch_seccomp_data* data, 81 struct arch_seccomp_data* data,
84 const ErrorCode& root_code, 82 const ErrorCode& root_code,
85 const ErrorCode& code, 83 const ErrorCode& code,
86 const char** err) { 84 const char** err) {
87 if (code.error_type() == ErrorCode::ET_SIMPLE || 85 if (code.error_type() == ErrorCode::ET_SIMPLE ||
88 code.error_type() == ErrorCode::ET_TRAP) { 86 code.error_type() == ErrorCode::ET_TRAP) {
89 uint32_t computed_ret = Verifier::EvaluateBPF(program, *data, err); 87 uint32_t computed_ret = Verifier::EvaluateBPF(program, *data, err);
90 if (*err) { 88 if (*err) {
91 return false; 89 return false;
(...skipping 263 matching lines...) Expand 10 before | Expand all | Expand 10 after
355 break; 353 break;
356 default: 354 default:
357 *err = "Invalid operator in arithmetic operation"; 355 *err = "Invalid operator in arithmetic operation";
358 break; 356 break;
359 } 357 }
360 } 358 }
361 } 359 }
362 360
363 } // namespace 361 } // namespace
364 362
365 namespace playground2 { 363 bool Verifier::VerifyBPF(SandboxBPF* sandbox,
366
367 bool Verifier::VerifyBPF(Sandbox* sandbox,
368 const std::vector<struct sock_filter>& program, 364 const std::vector<struct sock_filter>& program,
369 const SandboxBpfPolicy& policy, 365 const SandboxBPFPolicy& policy,
370 const char** err) { 366 const char** err) {
371 *err = NULL; 367 *err = NULL;
372 for (SyscallIterator iter(false); !iter.Done();) { 368 for (SyscallIterator iter(false); !iter.Done();) {
373 uint32_t sysnum = iter.Next(); 369 uint32_t sysnum = iter.Next();
374 // We ideally want to iterate over the full system call range and values 370 // We ideally want to iterate over the full system call range and values
375 // just above and just below this range. This gives us the full result set 371 // just above and just below this range. This gives us the full result set
376 // of the "evaluators". 372 // of the "evaluators".
377 // On Intel systems, this can fail in a surprising way, as a cleared bit 30 373 // On Intel systems, this can fail in a surprising way, as a cleared bit 30
378 // indicates either i386 or x86-64; and a set bit 30 indicates x32. And 374 // indicates either i386 or x86-64; and a set bit 30 indicates x32. And
379 // unless we pay attention to setting this bit correctly, an early check in 375 // unless we pay attention to setting this bit correctly, an early check in
(...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after
440 Alu(&state, insn, err); 436 Alu(&state, insn, err);
441 break; 437 break;
442 default: 438 default:
443 *err = "Unexpected instruction in BPF program"; 439 *err = "Unexpected instruction in BPF program";
444 break; 440 break;
445 } 441 }
446 } 442 }
447 return 0; 443 return 0;
448 } 444 }
449 445
450 } // namespace 446 } // namespace sandbox
OLDNEW
« no previous file with comments | « sandbox/linux/seccomp-bpf/verifier.h ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698