Linux sandbox: cleanup sandbox-bpf naming.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 
 // Some headers on Android are missing cdefs: crbug.com/172337.
 // (We can't use OS_ANDROID here since build_config.h is not included).
 #if defined(ANDROID)
 #include <sys/cdefs.h>
@@ skipping 12 matching lines @@
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "sandbox/linux/seccomp-bpf/codegen.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 
-namespace playground2 {
+namespace sandbox {
 
 namespace {
 
 const int kExpectedExitCode = 100;
 
 int popcount(uint32_t x) {
   return __builtin_popcount(x);
 }
 
 #if !defined(NDEBUG)
 void WriteFailedStderrSetupMessage(int out_fd) {
   const char* error_string = strerror(errno);
   static const char msg[] =
       "You have reproduced a puzzling issue.\n"
       "Please, report to crbug.com/152530!\n"
       "Failed to set up stderr: ";
   if (HANDLE_EINTR(write(out_fd, msg, sizeof(msg) - 1)) > 0 && error_string &&
       HANDLE_EINTR(write(out_fd, error_string, strlen(error_string))) > 0 &&
       HANDLE_EINTR(write(out_fd, "\n", 1))) {
   }
 }
 #endif  // !defined(NDEBUG)
 
 // We define a really simple sandbox policy. It is just good enough for us
 // to tell that the sandbox has actually been activated.
-ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) __attribute__((const));
-ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) {
+ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) __attribute__((const));
+ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) {
   switch (sysnum) {
     case __NR_getpid:
       // Return EPERM so that we can check that the filter actually ran.
       return ErrorCode(EPERM);
     case __NR_exit_group:
       // Allow exit() with a non-default return code.
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       // Make everything else fail in an easily recognizable way.
       return ErrorCode(EINVAL);
   }
 }
 
 void ProbeProcess(void) {
   if (syscall(__NR_getpid) < 0 && errno == EPERM) {
     syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
   }
 }
 
-ErrorCode AllowAllEvaluator(Sandbox*, int sysnum, void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysnum)) {
+ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysnum)) {
     return ErrorCode(ENOSYS);
   }
   return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
 void TryVsyscallProcess(void) {
   time_t current_time;
   // time() is implemented as a vsyscall. With an older glibc, with
   // vsyscall=emulate and some versions of the seccomp BPF patch
   // we may get SIGKILL-ed. Detect this!
@@ skipping 63 matching lines @@
 void RedirectToUserspace(Instruction* insn, void* aux) {
   // When inside an UnsafeTrap() callback, we want to allow all system calls.
   // This means, we must conditionally disable the sandbox -- and that's not
   // something that kernel-side BPF filters can do, as they cannot inspect
   // any state other than the syscall arguments.
   // But if we redirect all error handlers to user-space, then we can easily
   // make this decision.
   // The performance penalty for this extra round-trip to user-space is not
   // actually that bad, as we only ever pay it for denied system calls; and a
   // typical program has very few of these.
-  Sandbox* sandbox = static_cast<Sandbox*>(aux);
+  SandboxBPF* sandbox = static_cast<SandboxBPF*>(aux);
   if (BPF_CLASS(insn->code) == BPF_RET &&
       (insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
     insn->k = sandbox->Trap(ReturnErrno,
         reinterpret_cast<void*>(insn->k & SECCOMP_RET_DATA)).err();
   }
 }
 
 // This wraps an existing policy and changes its behavior to match the changes
 // made by RedirectToUserspace(). This is part of the framework that allows BPF
 // evaluation in userland.
 // TODO(markus): document the code inside better.
 class RedirectToUserSpacePolicyWrapper : public SandboxBpfPolicy {
  public:
   explicit RedirectToUserSpacePolicyWrapper(
       const SandboxBpfPolicy* wrapped_policy)
       : wrapped_policy_(wrapped_policy) {
     DCHECK(wrapped_policy_);
   }
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE {
     ErrorCode err =
         wrapped_policy_->EvaluateSyscall(sandbox_compiler, system_call_number);
     if ((err.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
       return sandbox_compiler->Trap(
           ReturnErrno, reinterpret_cast<void*>(err.err() & SECCOMP_RET_DATA));
     }
     return err;
   }
 
  private:
   const SandboxBpfPolicy* wrapped_policy_;
   DISALLOW_COPY_AND_ASSIGN(RedirectToUserSpacePolicyWrapper);
 };
 
 intptr_t BpfFailure(const struct arch_seccomp_data&, void* aux) {
   SANDBOX_DIE(static_cast<char*>(aux));
 }
 
 // This class allows compatibility with the old, deprecated SetSandboxPolicy.
 class CompatibilityPolicy : public SandboxBpfPolicy {
  public:
-  CompatibilityPolicy(Sandbox::EvaluateSyscall syscall_evaluator, void* aux)
+  CompatibilityPolicy(SandboxBPF::EvaluateSyscall syscall_evaluator, void* aux)
       : syscall_evaluator_(syscall_evaluator), aux_(aux) {
     DCHECK(syscall_evaluator_);
   }
 
-  virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
                                     int system_call_number) const OVERRIDE {
     return syscall_evaluator_(sandbox_compiler, system_call_number, aux_);
   }
 
  private:
-  Sandbox::EvaluateSyscall syscall_evaluator_;
+  SandboxBPF::EvaluateSyscall syscall_evaluator_;
   void* aux_;
   DISALLOW_COPY_AND_ASSIGN(CompatibilityPolicy);
 };
 
 }  // namespace
 
-Sandbox::Sandbox()
+SandboxBPF::SandboxBPF()
     : quiet_(false),
       proc_fd_(-1),
       conds_(new Conds),
       sandbox_has_started_(false) {}
 
-Sandbox::~Sandbox() {
+SandboxBPF::~SandboxBPF() {
   // It is generally unsafe to call any memory allocator operations or to even
   // call arbitrary destructors after having installed a new policy. We just
   // have no way to tell whether this policy would allow the system calls that
   // the constructors can trigger.
   // So, we normally destroy all of our complex state prior to starting the
   // sandbox. But this won't happen, if the Sandbox object was created and
   // never actually used to set up a sandbox. So, just in case, we are
   // destroying any remaining state.
   // The "if ()" statements are technically superfluous. But let's be explicit
   // that we really don't want to run any code, when we already destroyed
   // objects before setting up the sandbox.
   if (conds_) {
     delete conds_;
   }
 }
 
-bool Sandbox::IsValidSyscallNumber(int sysnum) {
+bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
   return SyscallIterator::IsValid(sysnum);
 }
 
-bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(),
-                                  Sandbox::EvaluateSyscall syscall_evaluator,
+bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
+                                  SandboxBPF::EvaluateSyscall syscall_evaluator,

[Robert Sesek, 2013/12/10 15:07:46]

nit: alignment. Since this won't fit in 80cols, just indent 4

[jln (very slow on Chromium), 2013/12/10 18:43:47]

Done. (Removed useless SandboxBPF::)

                                   void* aux) {
   // Block all signals before forking a child process. This prevents an
   // attacker from manipulating our test by sending us an unexpected signal.
   sigset_t old_mask, new_mask;
   if (sigfillset(&new_mask) || sigprocmask(SIG_BLOCK, &new_mask, &old_mask)) {
     SANDBOX_DIE("sigprocmask() failed");
   }
   int fds[2];
   if (pipe2(fds, O_NONBLOCK | O_CLOEXEC)) {
     SANDBOX_DIE("pipe() failed");
@@ skipping 92 matching lines @@
       SANDBOX_DIE(buf);
     }
   }
   if (IGNORE_EINTR(close(fds[0]))) {
     SANDBOX_DIE("close() failed");
   }
 
   return rc;
 }
 
-bool Sandbox::KernelSupportSeccompBPF() {
+bool SandboxBPF::KernelSupportSeccompBPF() {
   return RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) &&
          RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0);
 }
 
-Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) {
+SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
   // It the sandbox is currently active, we clearly must have support for
   // sandboxing.
   if (status_ == STATUS_ENABLED) {
     return status_;
   }
 
   // Even if the sandbox was previously available, something might have
   // changed in our run-time environment. Check one more time.
   if (status_ == STATUS_AVAILABLE) {
     if (!IsSingleThreaded(proc_fd)) {
@@ skipping 14 matching lines @@
     return status_;
   }
 
   // If we have not previously checked for availability of the sandbox or if
   // we otherwise don't believe to have a good cached value, we have to
   // perform a thorough check now.
   if (status_ == STATUS_UNKNOWN) {
     // We create our own private copy of a "Sandbox" object. This ensures that
     // the object does not have any policies configured, that might interfere
     // with the tests done by "KernelSupportSeccompBPF()".
-    Sandbox sandbox;
+    SandboxBPF sandbox;
 
     // By setting "quiet_ = true" we suppress messages for expected and benign
     // failures (e.g. if the current kernel lacks support for BPF filters).
     sandbox.quiet_ = true;
     sandbox.set_proc_fd(proc_fd);
     status_ = sandbox.KernelSupportSeccompBPF() ? STATUS_AVAILABLE
                                                 : STATUS_UNSUPPORTED;
 
     // As we are performing our tests from a child process, the run-time
     // environment that is visible to the sandbox is always guaranteed to be
     // single-threaded. Let's check here whether the caller is single-
     // threaded. Otherwise, we mark the sandbox as temporarily unavailable.
     if (status_ == STATUS_AVAILABLE && !IsSingleThreaded(proc_fd)) {
       status_ = STATUS_UNAVAILABLE;
     }
   }
   return status_;
 }
 
-void Sandbox::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
+void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
 
-void Sandbox::StartSandbox() {
+void SandboxBPF::StartSandbox() {
   if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
     SANDBOX_DIE(
         "Trying to start sandbox, even though it is known to be "
         "unavailable");
   } else if (sandbox_has_started_ || !conds_) {
     SANDBOX_DIE(
         "Cannot repeatedly start sandbox. Create a separate Sandbox "
         "object instead.");
   }
   if (proc_fd_ < 0) {
@@ skipping 17 matching lines @@
     proc_fd_ = -1;
   }
 
   // Install the filters.
   InstallFilter();
 
   // We are now inside the sandbox.
   status_ = STATUS_ENABLED;
 }
 
-void Sandbox::PolicySanityChecks(SandboxBpfPolicy* policy) {
+void SandboxBPF::PolicySanityChecks(SandboxBpfPolicy* policy) {
   for (SyscallIterator iter(true); !iter.Done();) {
     uint32_t sysnum = iter.Next();
     if (!IsDenied(policy->EvaluateSyscall(this, sysnum))) {
       SANDBOX_DIE(
           "Policies should deny system calls that are outside the "
           "expected range (typically MIN_SYSCALL..MAX_SYSCALL)");
     }
   }
   return;
 }
 
 // Deprecated API, supported with a wrapper to the new API.
-void Sandbox::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
+void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
                                          void* aux) {

[Robert Sesek, 2013/12/10 15:07:46]

nit: alignment

[jln (very slow on Chromium), 2013/12/10 18:43:47]

Done.

   if (sandbox_has_started_ || !conds_) {
     SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
   SetSandboxPolicy(new CompatibilityPolicy(syscall_evaluator, aux));
 }
 
 // Don't take a scoped_ptr here, polymorphism make their use awkward.
-void Sandbox::SetSandboxPolicy(SandboxBpfPolicy* policy) {
+void SandboxBPF::SetSandboxPolicy(SandboxBpfPolicy* policy) {
   DCHECK(!policy_);
   if (sandbox_has_started_ || !conds_) {
     SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
   PolicySanityChecks(policy);
   policy_.reset(policy);
 }
 
-void Sandbox::InstallFilter() {
+void SandboxBPF::InstallFilter() {
   // We want to be very careful in not imposing any requirements on the
   // policies that are set with SetSandboxPolicy(). This means, as soon as
   // the sandbox is active, we shouldn't be relying on libraries that could
   // be making system calls. This, for example, means we should avoid
   // using the heap and we should avoid using STL functions.
   // Temporarily copy the contents of the "program" vector into a
   // stack-allocated array; and then explicitly destroy that object.
   // This makes sure we don't ex- or implicitly call new/delete after we
   // installed the BPF filter program in the kernel. Depending on the
   // system memory allocator that is in effect, these operators can result
@@ skipping 20 matching lines @@
     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
       SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to turn on BPF filters");
     }
   }
 
   sandbox_has_started_ = true;
 
   return;
 }
 
-Sandbox::Program* Sandbox::AssembleFilter(bool force_verification) {
+SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) {
 #if !defined(NDEBUG)
   force_verification = true;
 #endif
 
   // Verify that the user pushed a policy.
   DCHECK(policy_);
 
   // Assemble the BPF filter program.
   CodeGen* gen = new CodeGen();
   if (!gen) {
@@ skipping 152 matching lines @@
   if (force_verification) {
     // Verification is expensive. We only perform this step, if we are
     // compiled in debug mode, or if the caller explicitly requested
     // verification.
     VerifyProgram(*program, has_unsafe_traps);
   }
 
   return program;
 }
 
-void Sandbox::VerifyProgram(const Program& program, bool has_unsafe_traps) {
+void SandboxBPF::VerifyProgram(const Program& program, bool has_unsafe_traps) {
   // If we previously rewrote the BPF program so that it calls user-space
   // whenever we return an "errno" value from the filter, then we have to
   // wrap our system call evaluator to perform the same operation. Otherwise,
   // the verifier would also report a mismatch in return codes.
   scoped_ptr<const RedirectToUserSpacePolicyWrapper> redirected_policy(
       new RedirectToUserSpacePolicyWrapper(policy_.get()));
 
   const char* err = NULL;
   if (!Verifier::VerifyBPF(this,
                            program,
                            has_unsafe_traps ? *redirected_policy : *policy_,
                            &err)) {
     CodeGen::PrintProgram(program);
     SANDBOX_DIE(err);
   }
 }
 
-void Sandbox::FindRanges(Ranges* ranges) {
+void SandboxBPF::FindRanges(Ranges* ranges) {
   // Please note that "struct seccomp_data" defines system calls as a signed
   // int32_t, but BPF instructions always operate on unsigned quantities. We
   // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
   // and then verifying that the rest of the number range (both positive and
   // negative) all return the same ErrorCode.
   uint32_t old_sysnum = 0;
   ErrorCode old_err = policy_->EvaluateSyscall(this, old_sysnum);
   ErrorCode invalid_err = policy_->EvaluateSyscall(this, MIN_SYSCALL - 1);
 
   for (SyscallIterator iter(false); !iter.Done();) {
     uint32_t sysnum = iter.Next();
     ErrorCode err = policy_->EvaluateSyscall(this, static_cast<int>(sysnum));
     if (!iter.IsValid(sysnum) && !invalid_err.Equals(err)) {
       // A proper sandbox policy should always treat system calls outside of
       // the range MIN_SYSCALL..MAX_SYSCALL (i.e. anything that returns
       // "false" for SyscallIterator::IsValid()) identically. Typically, all
       // of these system calls would be denied with the same ErrorCode.
       SANDBOX_DIE("Invalid seccomp policy");
     }
     if (!err.Equals(old_err) || iter.Done()) {
       ranges->push_back(Range(old_sysnum, sysnum - 1, old_err));
       old_sysnum = sysnum;
       old_err = err;
     }
   }
 }
 
-Instruction* Sandbox::AssembleJumpTable(CodeGen* gen,
+Instruction* SandboxBPF::AssembleJumpTable(CodeGen* gen,
                                         Ranges::const_iterator start,
                                         Ranges::const_iterator stop) {
   // We convert the list of system call ranges into jump table that performs
   // a binary search over the ranges.
   // As a sanity check, we need to have at least one distinct ranges for us
   // to be able to build a jump table.
   if (stop - start <= 0) {
     SANDBOX_DIE("Invalid set of system call ranges");
   } else if (stop - start == 1) {
     // If we have narrowed things down to a single range object, we can
     // return from the BPF filter program.
     return RetExpression(gen, start->err);
   }
 
   // Pick the range object that is located at the mid point of our list.
   // We compare our system call number against the lowest valid system call
   // number in this range object. If our number is lower, it is outside of
   // this range object. If it is greater or equal, it might be inside.
   Ranges::const_iterator mid = start + (stop - start) / 2;
 
   // Sub-divide the list of ranges and continue recursively.
   Instruction* jf = AssembleJumpTable(gen, start, mid);
   Instruction* jt = AssembleJumpTable(gen, mid, stop);
   return gen->MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
 }
 
-Instruction* Sandbox::RetExpression(CodeGen* gen, const ErrorCode& err) {
+Instruction* SandboxBPF::RetExpression(CodeGen* gen, const ErrorCode& err) {
   if (err.error_type_ == ErrorCode::ET_COND) {
     return CondExpression(gen, err);
   } else {
     return gen->MakeInstruction(BPF_RET + BPF_K, err);
   }
 }
 
-Instruction* Sandbox::CondExpression(CodeGen* gen, const ErrorCode& cond) {
+Instruction* SandboxBPF::CondExpression(CodeGen* gen, const ErrorCode& cond) {
   // We can only inspect the six system call arguments that are passed in
   // CPU registers.
   if (cond.argno_ < 0 || cond.argno_ >= 6) {
     SANDBOX_DIE(
         "Internal compiler error; invalid argument number "
         "encountered");
   }
 
   // BPF programs operate on 32bit entities. Load both halfs of the 64bit
   // system call argument and then generate suitable conditional statements.
@@ skipping 162 matching lines @@
 #endif
     gen->JoinInstructions(
         msb_tail,
         gen->MakeInstruction(
             BPF_JMP + BPF_JEQ + BPF_K, 0, lsb_head, invalid_64bit));
   }
 
   return msb_head;
 }
 
-ErrorCode Sandbox::Unexpected64bitArgument() {
+ErrorCode SandboxBPF::Unexpected64bitArgument() {
   return Kill("Unexpected 64bit argument detected");
 }
 
-ErrorCode Sandbox::Trap(Trap::TrapFnc fnc, const void* aux) {
+ErrorCode SandboxBPF::Trap(Trap::TrapFnc fnc, const void* aux) {
   return Trap::MakeTrap(fnc, aux, true /* Safe Trap */);
 }
 
-ErrorCode Sandbox::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) {
+ErrorCode SandboxBPF::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) {
   return Trap::MakeTrap(fnc, aux, false /* Unsafe Trap */);
 }
 
-intptr_t Sandbox::ForwardSyscall(const struct arch_seccomp_data& args) {
+intptr_t SandboxBPF::ForwardSyscall(const struct arch_seccomp_data& args) {
   return SandboxSyscall(args.nr,
                         static_cast<intptr_t>(args.args[0]),
                         static_cast<intptr_t>(args.args[1]),
                         static_cast<intptr_t>(args.args[2]),
                         static_cast<intptr_t>(args.args[3]),
                         static_cast<intptr_t>(args.args[4]),
                         static_cast<intptr_t>(args.args[5]));
 }
 
-ErrorCode Sandbox::Cond(int argno,
+ErrorCode SandboxBPF::Cond(int argno,
                         ErrorCode::ArgType width,

[Robert Sesek, 2013/12/10 15:07:46]

nit: alignment

[jln (very slow on Chromium), 2013/12/10 18:43:47]

Done.

                         ErrorCode::Operation op,
                         uint64_t value,
                         const ErrorCode& passed,
                         const ErrorCode& failed) {
   return ErrorCode(argno,
                    width,
                    op,
                    value,
                    &*conds_->insert(passed).first,
                    &*conds_->insert(failed).first);
 }
 
-ErrorCode Sandbox::Kill(const char* msg) {
+ErrorCode SandboxBPF::Kill(const char* msg) {
   return Trap(BpfFailure, const_cast<char*>(msg));
 }
 
-Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
+SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
 
-}  // namespace playground2
+}  // namespace sandbox