Linux sandbox: cleanup sandbox-bpf naming.

content/common/sandbox_seccomp_bpf_linux.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <asm/unistd.h>
 #include <dlfcn.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/net.h>
 #include <signal.h>
@@ skipping 28 matching lines @@
 #include "base/posix/eintr_wrapper.h"
 #include "content/common/sandbox_bpf_base_policy_linux.h"
 #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
 #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 
-using playground2::arch_seccomp_data;
-using playground2::ErrorCode;
-using playground2::Sandbox;
+using sandbox::arch_seccomp_data;
+using sandbox::ErrorCode;
+using sandbox::SandboxBPF;

[Robert Sesek, 2013/12/10 15:07:46]

nit: alphabetize

[jln (very slow on Chromium), 2013/12/10 18:43:47]

Done.

 using sandbox::BrokerProcess;
 using sandbox::BaselinePolicy;
 using sandbox::SyscallSets;
 
 namespace content {
 
 namespace {
 
-void StartSandboxWithPolicy(playground2::SandboxBpfPolicy* policy);
+void StartSandboxWithPolicy(sandbox::SandboxBpfPolicy* policy);
 
 inline bool IsChromeOS() {
 #if defined(OS_CHROMEOS)
   return true;
 #else
   return false;
 #endif
 }
 
 inline bool IsArchitectureX86_64() {
@@ skipping 69 matching lines @@
       return -ENOSYS;
   }
 }
 
 class GpuProcessPolicy : public SandboxBpfBasePolicy {
  public:
   explicit GpuProcessPolicy(void* broker_process)
       : broker_process_(broker_process) {}
   virtual ~GpuProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   const void* broker_process_;  // Non-owning pointer.
   DISALLOW_COPY_AND_ASSIGN(GpuProcessPolicy);
 };
 
 // Main policy for x86_64/i386. Extended by ArmGpuProcessPolicy.
-ErrorCode GpuProcessPolicy::EvaluateSyscall(Sandbox* sandbox, int sysno) const {
+ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
+                                            int sysno) const {
   switch (sysno) {
     case __NR_ioctl:
 #if defined(__i386__) || defined(__x86_64__)
     // The Nvidia driver uses flags not in the baseline policy
     // (MAP_LOCKED | MAP_EXECUTABLE | MAP_32BIT)
     case __NR_mmap:
 #endif
     // We also hit this on the linux_chromeos bot but don't yet know what
     // weird flags were involved.
     case __NR_mprotect:
@@ skipping 12 matching lines @@
       // Default on the baseline policy.
       return SandboxBpfBasePolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 class GpuBrokerProcessPolicy : public GpuProcessPolicy {
  public:
   GpuBrokerProcessPolicy() : GpuProcessPolicy(NULL) {}
   virtual ~GpuBrokerProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(GpuBrokerProcessPolicy);
 };
 
 // x86_64/i386.
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
-ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                   int sysno) const {
   switch (sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return GpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 class ArmGpuProcessPolicy : public GpuProcessPolicy {
  public:
   explicit ArmGpuProcessPolicy(void* broker_process, bool allow_shmat)
       : GpuProcessPolicy(broker_process), allow_shmat_(allow_shmat) {}
   virtual ~ArmGpuProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   const bool allow_shmat_;  // Allow shmat(2).
   DISALLOW_COPY_AND_ASSIGN(ArmGpuProcessPolicy);
 };
 
 // Generic ARM GPU process sandbox, inheriting from GpuProcessPolicy.
-ErrorCode ArmGpuProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode ArmGpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                int sysno) const {
 #if defined(__arm__)
   if (allow_shmat_ && sysno == __NR_shmat)
     return ErrorCode(ErrorCode::ERR_ALLOWED);
 #endif  // defined(__arm__)
 
   switch (sysno) {
 #if defined(__arm__)
     // ARM GPU sandbox is started earlier so we need to allow networking
     // in the sandbox.
@@ skipping 18 matching lines @@
       // Default to the generic GPU policy.
       return GpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 class ArmGpuBrokerProcessPolicy : public ArmGpuProcessPolicy {
  public:
   ArmGpuBrokerProcessPolicy() : ArmGpuProcessPolicy(NULL, false) {}
   virtual ~ArmGpuBrokerProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(ArmGpuBrokerProcessPolicy);
 };
 
 // A GPU broker policy is the same as a GPU policy with open and
 // openat allowed.
-ErrorCode ArmGpuBrokerProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode ArmGpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                      int sysno) const {
   switch (sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return ArmGpuProcessPolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 // Policy for renderer and worker processes.
 // TODO(jln): move to renderer/
 
 class RendererOrWorkerProcessPolicy : public SandboxBpfBasePolicy {
  public:
   RendererOrWorkerProcessPolicy() {}
   virtual ~RendererOrWorkerProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(RendererOrWorkerProcessPolicy);
 };
 
-ErrorCode RendererOrWorkerProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode RendererOrWorkerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                          int sysno) const {
   switch (sysno) {
     case __NR_clone:
       return sandbox::RestrictCloneToThreadsAndEPERMFork(sandbox);
     case __NR_ioctl:
       return sandbox::RestrictIoctl(sandbox);
     case __NR_prctl:
       return sandbox::RestrictPrctl(sandbox);
     // Allow the system calls below.
     case __NR_fdatasync:
@@ skipping 38 matching lines @@
   }
 }
 
 // Policy for PPAPI plugins.
 // TODO(jln): move to ppapi_plugin/.
 class FlashProcessPolicy : public SandboxBpfBasePolicy {
  public:
   FlashProcessPolicy() {}
   virtual ~FlashProcessPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(FlashProcessPolicy);
 };
 
-ErrorCode FlashProcessPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode FlashProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                               int sysno) const {
   switch (sysno) {
     case __NR_clone:
       return sandbox::RestrictCloneToThreadsAndEPERMFork(sandbox);
     case __NR_pread64:
     case __NR_pwrite64:
     case __NR_sched_get_priority_max:
     case __NR_sched_get_priority_min:
     case __NR_sched_getaffinity:
     case __NR_sched_getparam:
@@ skipping 18 matching lines @@
       // Default on the baseline policy.
       return SandboxBpfBasePolicy::EvaluateSyscall(sandbox, sysno);
   }
 }
 
 class BlacklistDebugAndNumaPolicy : public SandboxBpfBasePolicy {
  public:
   BlacklistDebugAndNumaPolicy() {}
   virtual ~BlacklistDebugAndNumaPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(BlacklistDebugAndNumaPolicy);
 };
 
-ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(Sandbox* sandbox,
+ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(SandboxBPF* sandbox,
                                                        int sysno) const {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // TODO(jln) we should not have to do that in a trivial policy.
     return ErrorCode(ENOSYS);
   }
   if (SyscallSets::IsDebug(sysno) || SyscallSets::IsNuma(sysno))
     return sandbox->Trap(sandbox::CrashSIGSYS_Handler, NULL);
 
   return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
 class AllowAllPolicy : public SandboxBpfBasePolicy {
  public:
   AllowAllPolicy() {}
   virtual ~AllowAllPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy);
 };
 
 // Allow all syscalls.
 // This will still deny x32 or IA32 calls in 64 bits mode or
 // 64 bits system calls in compatibility mode.
-ErrorCode AllowAllPolicy::EvaluateSyscall(Sandbox*, int sysno) const {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode AllowAllPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // TODO(jln) we should not have to do that in a trivial policy.
     return ErrorCode(ENOSYS);
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 // If a BPF policy is engaged for |process_type|, run a few sanity checks.
 void RunSandboxSanityChecks(const std::string& process_type) {
   if (process_type == switches::kRendererProcess ||
@@ skipping 212 matching lines @@
   scoped_ptr<SandboxBpfBasePolicy> gpu_policy;
   if (chromeos_arm_gpu) {
     gpu_policy.reset(new ArmGpuProcessPolicy(broker_process, allow_sysv_shm));
   } else {
     gpu_policy.reset(new GpuProcessPolicy(broker_process));
   }
   StartSandboxWithPolicy(gpu_policy.release());
 }
 
 // This function takes ownership of |policy|.
-void StartSandboxWithPolicy(playground2::SandboxBpfPolicy* policy) {
+void StartSandboxWithPolicy(sandbox::SandboxBpfPolicy* policy) {
   // Starting the sandbox is a one-way operation. The kernel doesn't allow
   // us to unload a sandbox policy after it has been started. Nonetheless,
   // in order to make the use of the "Sandbox" object easier, we allow for
   // the object to be destroyed after the sandbox has been started. Note that
   // doing so does not stop the sandbox.
-  Sandbox sandbox;
+  SandboxBPF sandbox;
   sandbox.SetSandboxPolicy(policy);
   sandbox.StartSandbox();
 }
 
 void StartNonGpuSandbox(const std::string& process_type) {
   scoped_ptr<SandboxBpfBasePolicy> policy;
 
   if (process_type == switches::kRendererProcess ||
       process_type == switches::kWorkerProcess) {
     policy.reset(new RendererOrWorkerProcessPolicy);
@@ skipping 47 matching lines @@
 
   return true;
 #endif  // SECCOMP_BPF_SANDBOX
   return false;
 }
 
 bool SandboxSeccompBpf::SupportsSandbox() {
 #if defined(SECCOMP_BPF_SANDBOX)
   // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton
   // here.
-  Sandbox::SandboxStatus bpf_sandbox_status =
-      Sandbox::SupportsSeccompSandbox(-1);
+  SandboxBPF::SandboxStatus bpf_sandbox_status =
+      SandboxBPF::SupportsSeccompSandbox(-1);
   // Kernel support is what we are interested in here. Other status
   // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support.
   // We make this a negative check, since if there is a bug, we would rather
   // "fail closed" (expect a sandbox to be available and try to start it).
-  if (bpf_sandbox_status != Sandbox::STATUS_UNSUPPORTED) {
+  if (bpf_sandbox_status != SandboxBPF::STATUS_UNSUPPORTED) {
     return true;
   }
 #endif
   return false;
 }
 
 bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) {
 #if defined(SECCOMP_BPF_SANDBOX)
   const CommandLine& command_line = *CommandLine::ForCurrentProcess();
 
   if (IsSeccompBpfDesired() &&  // Global switches policy.
       ShouldEnableSeccompBpf(process_type) &&  // Process-specific policy.
       SupportsSandbox()) {
     // If the kernel supports the sandbox, and if the command line says we
     // should enable it, enable it or die.
     bool started_sandbox = StartBpfSandbox(command_line, process_type);
     CHECK(started_sandbox);
     return true;
   }
 #endif
   return false;
 }
 
 bool SandboxSeccompBpf::StartSandboxWithExternalPolicy(
-    scoped_ptr<playground2::SandboxBpfPolicy> policy) {
+    scoped_ptr<sandbox::SandboxBpfPolicy> policy) {
 #if defined(SECCOMP_BPF_SANDBOX)
   if (IsSeccompBpfDesired() && SupportsSandbox()) {
     CHECK(policy);
     StartSandboxWithPolicy(policy.release());
     return true;
   }
 #endif  // defined(SECCOMP_BPF_SANDBOX)
   return false;
 }
 
-scoped_ptr<playground2::SandboxBpfPolicy>
+scoped_ptr<sandbox::SandboxBpfPolicy>
 SandboxSeccompBpf::GetBaselinePolicy() {
 #if defined(SECCOMP_BPF_SANDBOX)
-  return scoped_ptr<playground2::SandboxBpfPolicy>(new BaselinePolicy);
+  return scoped_ptr<sandbox::SandboxBpfPolicy>(new BaselinePolicy);
 #else
-  return scoped_ptr<playground2::SandboxBpfPolicy>();
+  return scoped_ptr<sandbox::SandboxBpfPolicy>();
 #endif  // defined(SECCOMP_BPF_SANDBOX)
 }
 
 }  // namespace content