Linux sandbox: cleanup sandbox-bpf naming.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <errno.h>
 #include <pthread.h>
 #include <sched.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
 #include <sys/time.h>
@@ skipping 22 matching lines @@
 
 // Workaround for Android's prctl.h file.
 #ifndef PR_GET_ENDIAN
 #define PR_GET_ENDIAN 19
 #endif
 #ifndef PR_CAPBSET_READ
 #define PR_CAPBSET_READ 23
 #define PR_CAPBSET_DROP 24
 #endif
 
-using namespace playground2;
-using sandbox::BrokerProcess;
+namespace sandbox {
 
 namespace {
 
 const int kExpectedReturnValue = 42;
 const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING";
 
 // This test should execute no matter whether we have kernel support. So,
 // we make it a TEST() instead of a BPF_TEST().
 TEST(SandboxBpf, CallSupports) {
   // We check that we don't crash, but it's ok if the kernel doesn't
   // support it.
   bool seccomp_bpf_supported =
-      Sandbox::SupportsSeccompSandbox(-1) == Sandbox::STATUS_AVAILABLE;
+      SandboxBPF::SupportsSeccompSandbox(-1) == SandboxBPF::STATUS_AVAILABLE;
   // We want to log whether or not seccomp BPF is actually supported
   // since actual test coverage depends on it.
   RecordProperty("SeccompBPFSupported",
                  seccomp_bpf_supported ? "true." : "false.");
   std::cout << "Seccomp BPF supported: "
             << (seccomp_bpf_supported ? "true." : "false.") << "\n";
   RecordProperty("PointerSize", sizeof(void*));
   std::cout << "Pointer size: " << sizeof(void*) << "\n";
 }
 
 SANDBOX_TEST(SandboxBpf, CallSupportsTwice) {
-  Sandbox::SupportsSeccompSandbox(-1);
-  Sandbox::SupportsSeccompSandbox(-1);
+  SandboxBPF::SupportsSeccompSandbox(-1);
+  SandboxBPF::SupportsSeccompSandbox(-1);
 }
 
 // BPF_TEST does a lot of the boiler-plate code around setting up a
 // policy and optional passing data between the caller, the policy and
 // any Trap() handlers. This is great for writing short and concise tests,
 // and it helps us accidentally forgetting any of the crucial steps in
 // setting up the sandbox. But it wouldn't hurt to have at least one test
 // that explicitly walks through all these steps.
 
 intptr_t FakeGetPid(const struct arch_seccomp_data& args, void* aux) {
   BPF_ASSERT(aux);
   pid_t* pid_ptr = static_cast<pid_t*>(aux);
   return (*pid_ptr)++;
 }
 
-ErrorCode VerboseAPITestingPolicy(Sandbox* sandbox, int sysno, void* aux) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode VerboseAPITestingPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_getpid) {
     return sandbox->Trap(FakeGetPid, aux);
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 SANDBOX_TEST(SandboxBpf, DISABLE_ON_TSAN(VerboseAPITesting)) {
-  if (Sandbox::SupportsSeccompSandbox(-1) ==
-      playground2::Sandbox::STATUS_AVAILABLE) {
+  if (SandboxBPF::SupportsSeccompSandbox(-1) ==
+      sandbox::SandboxBPF::STATUS_AVAILABLE) {
     pid_t test_var = 0;
-    Sandbox sandbox;
+    SandboxBPF sandbox;
     sandbox.SetSandboxPolicyDeprecated(VerboseAPITestingPolicy, &test_var);
     sandbox.StartSandbox();
 
     BPF_ASSERT(test_var == 0);
     BPF_ASSERT(syscall(__NR_getpid) == 0);
     BPF_ASSERT(test_var == 1);
     BPF_ASSERT(syscall(__NR_getpid) == 1);
     BPF_ASSERT(test_var == 2);
 
     // N.B.: Any future call to getpid() would corrupt the stack.
     //       This is OK. The SANDBOX_TEST() macro is guaranteed to
     //       only ever call _exit() after the test completes.
   }
 }
 
 // A simple blacklist test
 
-ErrorCode BlacklistNanosleepPolicy(Sandbox*, int sysno, void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode BlacklistNanosleepPolicy(SandboxBPF*, int sysno, void*) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_nanosleep:
       return ErrorCode(EACCES);
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
   // nanosleep() should be denied
   const struct timespec ts = {0, 0};
   errno = 0;
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
   BPF_ASSERT(errno == EACCES);
 }
 
 // Now do a simple whitelist test
 
-ErrorCode WhitelistGetpidPolicy(Sandbox*, int sysno, void*) {
+ErrorCode WhitelistGetpidPolicy(SandboxBPF*, int sysno, void*) {
   switch (sysno) {
     case __NR_getpid:
     case __NR_exit_group:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     default:
       return ErrorCode(ENOMEM);
   }
 }
 
 BPF_TEST(SandboxBpf, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
   // getpid() should be allowed
   errno = 0;
   BPF_ASSERT(syscall(__NR_getpid) > 0);
   BPF_ASSERT(errno == 0);
 
   // getpgid() should be denied
   BPF_ASSERT(getpgid(0) == -1);
   BPF_ASSERT(errno == ENOMEM);
 }
 
 // A simple blacklist policy, with a SIGSYS handler
 
 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) {
   // We also check that the auxiliary data is correct
   SANDBOX_ASSERT(aux);
   *(static_cast<int*>(aux)) = kExpectedReturnValue;
   return -ENOMEM;
 }
 
-ErrorCode BlacklistNanosleepPolicySigsys(Sandbox* sandbox,
+ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox,
                                          int sysno,
                                          void* aux) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_nanosleep:
       return sandbox->Trap(EnomemHandler, aux);
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
@@ skipping 13 matching lines @@
   const struct timespec ts = {0, 0};
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
   BPF_ASSERT(errno == ENOMEM);
 
   // We expect the signal handler to modify AuxData
   BPF_ASSERT(BPF_AUX == kExpectedReturnValue);
 }
 
 // A simple test that verifies we can return arbitrary errno values.
 
-ErrorCode ErrnoTestPolicy(Sandbox*, int sysno, void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode ErrnoTestPolicy(SandboxBPF*, int sysno, void*) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_dup2:
       // Pretend that dup2() worked, but don't actually do anything.
       return ErrorCode(0);
     case __NR_setuid:
 #if defined(__NR_setuid32)
@@ skipping 50 matching lines @@
 
   // Finally, test an errno in between the minimum and maximum.
   errno = 0;
   struct utsname uts_buf;
   BPF_ASSERT(uname(&uts_buf) == -1);
   BPF_ASSERT(errno == 42);
 }
 
 // Testing the stacking of two sandboxes
 
-ErrorCode StackingPolicyPartOne(Sandbox* sandbox, int sysno, void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode StackingPolicyPartOne(SandboxBPF* sandbox, int sysno, void*) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_getppid:
       return sandbox->Cond(0,
                            ErrorCode::TP_32BIT,
                            ErrorCode::OP_EQUAL,
                            0,
                            ErrorCode(ErrorCode::ERR_ALLOWED),
                            ErrorCode(EPERM));
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
-ErrorCode StackingPolicyPartTwo(Sandbox* sandbox, int sysno, void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode StackingPolicyPartTwo(SandboxBPF* sandbox, int sysno, void*) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_getppid:
       return sandbox->Cond(0,
                            ErrorCode::TP_32BIT,
                            ErrorCode::OP_EQUAL,
                            0,
                            ErrorCode(EINVAL),
                            ErrorCode(ErrorCode::ERR_ALLOWED));
     default:
       return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
 BPF_TEST(SandboxBpf, StackingPolicy, StackingPolicyPartOne) {
   errno = 0;
   BPF_ASSERT(syscall(__NR_getppid, 0) > 0);
   BPF_ASSERT(errno == 0);
 
   BPF_ASSERT(syscall(__NR_getppid, 1) == -1);
   BPF_ASSERT(errno == EPERM);
 
   // Stack a second sandbox with its own policy. Verify that we can further
   // restrict filters, but we cannot relax existing filters.
-  Sandbox sandbox;
+  SandboxBPF sandbox;
   sandbox.SetSandboxPolicyDeprecated(StackingPolicyPartTwo, NULL);
   sandbox.StartSandbox();
 
   errno = 0;
   BPF_ASSERT(syscall(__NR_getppid, 0) == -1);
   BPF_ASSERT(errno == EINVAL);
 
   BPF_ASSERT(syscall(__NR_getppid, 1) == -1);
   BPF_ASSERT(errno == EPERM);
 }
 
 // A more complex, but synthetic policy. This tests the correctness of the BPF
 // program by iterating through all syscalls and checking for an errno that
 // depends on the syscall number. Unlike the Verifier, this exercises the BPF
 // interpreter in the kernel.
 
 // We try to make sure we exercise optimizations in the BPF compiler. We make
 // sure that the compiler can have an opportunity to coalesce syscalls with
 // contiguous numbers and we also make sure that disjoint sets can return the
 // same errno.
 int SysnoToRandomErrno(int sysno) {
   // Small contiguous sets of 3 system calls return an errno equal to the
   // index of that set + 1 (so that we never return a NUL errno).
   return ((sysno & ~3) >> 2) % 29 + 1;
 }
 
-ErrorCode SyntheticPolicy(Sandbox*, int sysno, void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode SyntheticPolicy(SandboxBPF*, int sysno, void*) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
 // TODO(jorgelo): remove this once the new code generator lands.
 #if defined(__arm__)
   if (sysno > static_cast<int>(MAX_PUBLIC_SYSCALL)) {
     return ErrorCode(ENOSYS);
   }
 #endif
@@ skipping 34 matching lines @@
 // MIN_PRIVATE_SYSCALL plus 1 (to avoid NUL errno).
 int ArmPrivateSysnoToErrno(int sysno) {
   if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) &&
       sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
     return (sysno - MIN_PRIVATE_SYSCALL) + 1;
   } else {
     return ENOSYS;
   }
 }
 
-ErrorCode ArmPrivatePolicy(Sandbox*, int sysno, void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode ArmPrivatePolicy(SandboxBPF*, int sysno, void*) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy.
     return ErrorCode(ENOSYS);
   }
 
   // Start from |__ARM_NR_set_tls + 1| so as not to mess with actual
   // ARM private system calls.
   if (sysno >= static_cast<int>(__ARM_NR_set_tls + 1) &&
       sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
     return ErrorCode(ArmPrivateSysnoToErrno(sysno));
   } else {
@@ skipping 15 matching lines @@
 intptr_t CountSyscalls(const struct arch_seccomp_data& args, void* aux) {
   // Count all invocations of our callback function.
   ++*reinterpret_cast<int*>(aux);
 
   // Verify that within the callback function all filtering is temporarily
   // disabled.
   BPF_ASSERT(syscall(__NR_getpid) > 1);
 
   // Verify that we can now call the underlying system call without causing
   // infinite recursion.
-  return Sandbox::ForwardSyscall(args);
+  return SandboxBPF::ForwardSyscall(args);
 }
 
-ErrorCode GreyListedPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
   // The use of UnsafeTrap() causes us to print a warning message. This is
   // generally desirable, but it results in the unittest failing, as it doesn't
   // expect any messages on "stderr". So, temporarily disable messages. The
   // BPF_TEST() is guaranteed to turn messages back on, after the policy
   // function has completed.
   setenv(kSandboxDebuggingEnv, "t", 0);
   Die::SuppressInfoMessages(true);
 
   // Some system calls must always be allowed, if our policy wants to make
   // use of UnsafeTrap()
   if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn
 #if defined(__NR_sigprocmask)
       ||
       sysno == __NR_sigprocmask
 #endif
 #if defined(__NR_sigreturn)
       ||
       sysno == __NR_sigreturn
 #endif
       ) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   } else if (sysno == __NR_getpid) {
     // Disallow getpid()
     return ErrorCode(EPERM);
-  } else if (Sandbox::IsValidSyscallNumber(sysno)) {
+  } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
     // Allow (and count) all other system calls.
     return sandbox->UnsafeTrap(CountSyscalls, aux);
   } else {
     return ErrorCode(ENOSYS);
   }
 }
 
 BPF_TEST(SandboxBpf, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) {
   BPF_ASSERT(syscall(__NR_getpid) == -1);
   BPF_ASSERT(errno == EPERM);
@@ skipping 23 matching lines @@
   setenv(kSandboxDebuggingEnv, "t", 1);
   SANDBOX_ASSERT(Trap::EnableUnsafeTrapsInSigSysHandler() == true);
 }
 
 intptr_t PrctlHandler(const struct arch_seccomp_data& args, void*) {
   if (args.args[0] == PR_CAPBSET_DROP && static_cast<int>(args.args[1]) == -1) {
     // prctl(PR_CAPBSET_DROP, -1) is never valid. The kernel will always
     // return an error. But our handler allows this call.
     return 0;
   } else {
-    return Sandbox::ForwardSyscall(args);
+    return SandboxBPF::ForwardSyscall(args);
   }
 }
 
-ErrorCode PrctlPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode PrctlPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
   setenv(kSandboxDebuggingEnv, "t", 0);
   Die::SuppressInfoMessages(true);
 
   if (sysno == __NR_prctl) {
     // Handle prctl() inside an UnsafeTrap()
     return sandbox->UnsafeTrap(PrctlHandler, NULL);
-  } else if (Sandbox::IsValidSyscallNumber(sysno)) {
+  } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
     // Allow all other system calls.
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   } else {
     return ErrorCode(ENOSYS);
   }
 }
 
 BPF_TEST(SandboxBpf, ForwardSyscall, PrctlPolicy) {
   // This call should never be allowed. But our policy will intercept it and
   // let it pass successfully.
@@ skipping 15 matching lines @@
   BPF_ASSERT(*name);
 
   // Finally, verify that system calls other than prctl() are completely
   // unaffected by our policy.
   struct utsname uts = {};
   BPF_ASSERT(!uname(&uts));
   BPF_ASSERT(!strcmp(uts.sysname, "Linux"));
 }
 
 intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void*) {
-  return Sandbox::ForwardSyscall(args);
+  return SandboxBPF::ForwardSyscall(args);
 }
 
-ErrorCode RedirectAllSyscallsPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode RedirectAllSyscallsPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
   setenv(kSandboxDebuggingEnv, "t", 0);
   Die::SuppressInfoMessages(true);
 
   // Some system calls must always be allowed, if our policy wants to make
   // use of UnsafeTrap()
   if (sysno == __NR_rt_sigprocmask || sysno == __NR_rt_sigreturn
 #if defined(__NR_sigprocmask)
       ||
       sysno == __NR_sigprocmask
 #endif
 #if defined(__NR_sigreturn)
       ||
       sysno == __NR_sigreturn
 #endif
       ) {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
-  } else if (Sandbox::IsValidSyscallNumber(sysno)) {
+  } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
     return sandbox->UnsafeTrap(AllowRedirectedSyscall, aux);
   } else {
     return ErrorCode(ENOSYS);
   }
 }
 
 int bus_handler_fd_ = -1;
 
 void SigBusHandler(int, siginfo_t* info, void* void_context) {
   BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1);
@@ skipping 63 matching lines @@
   BPF_ASSERT(close(-1) == -1);
   BPF_ASSERT(errno == EBADF);
 
   // Explicitly avoid the glibc wrapper. This is not normally the way anybody
   // would make system calls, but it allows us to verify that we don't
   // accidentally mess with errno, when we shouldn't.
   errno = 0;
   struct arch_seccomp_data args = {};
   args.nr = __NR_close;
   args.args[0] = -1;
-  BPF_ASSERT(Sandbox::ForwardSyscall(args) == -EBADF);
+  BPF_ASSERT(SandboxBPF::ForwardSyscall(args) == -EBADF);
   BPF_ASSERT(errno == 0);
 }
 
 // Test a trap handler that makes use of a broker process to open().
 
 class InitializedOpenBroker {
  public:
   InitializedOpenBroker() : initialized_(false) {
     std::vector<std::string> allowed_files;
     allowed_files.push_back("/proc/allowed");
@@ skipping 31 matching lines @@
       // the openat() system call.
       BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);
       return broker_process->Open(reinterpret_cast<const char*>(args.args[1]),
                                   static_cast<int>(args.args[2]));
     default:
       BPF_ASSERT(false);
       return -ENOSYS;
   }
 }
 
-ErrorCode DenyOpenPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode DenyOpenPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
   InitializedOpenBroker* iob = static_cast<InitializedOpenBroker*>(aux);
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     return ErrorCode(ENOSYS);
   }
 
   switch (sysno) {
     case __NR_access:
     case __NR_open:
     case __NR_openat:
       // We get a InitializedOpenBroker class, but our trap handler wants
       // the BrokerProcess object.
       return ErrorCode(
@@ skipping 43 matching lines @@
 
   // This is also white listed and does exist.
   int cpu_info_access = access("/proc/cpuinfo", R_OK);
   BPF_ASSERT(cpu_info_access == 0);
   int cpu_info_fd = open("/proc/cpuinfo", O_RDONLY);
   BPF_ASSERT(cpu_info_fd >= 0);
   char buf[1024];
   BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0);
 }
 
-// Simple test demonstrating how to use Sandbox::Cond()
+// Simple test demonstrating how to use SandboxBPF::Cond()
 
-ErrorCode SimpleCondTestPolicy(Sandbox* sandbox, int sysno, void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode SimpleCondTestPolicy(SandboxBPF* sandbox, int sysno, void*) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
   // We deliberately return unusual errno values upon failure, so that we
   // can uniquely test for these values. In a "real" policy, you would want
   // to return more traditional values.
   switch (sysno) {
     case __NR_open:
       // Allow opening files for reading, but don't allow writing.
@@ skipping 30 matching lines @@
   BPF_ASSERT((fd = open("/proc/self/comm", O_RDONLY)) >= 0);
   close(fd);
 
   int ret;
   BPF_ASSERT((ret = prctl(PR_GET_DUMPABLE)) >= 0);
   BPF_ASSERT(prctl(PR_SET_DUMPABLE, 1 - ret) == 0);
   BPF_ASSERT(prctl(PR_GET_ENDIAN, &ret) == -1);
   BPF_ASSERT(errno == ENOMEM);
 }
 
-// This test exercises the Sandbox::Cond() method by building a complex
+// This test exercises the SandboxBPF::Cond() method by building a complex
 // tree of conditional equality operations. It then makes system calls and
 // verifies that they return the values that we expected from our BPF
 // program.
 class EqualityStressTest {
  public:
   EqualityStressTest() {
     // We want a deterministic test
     srand(0);
 
     // Iterates over system call numbers and builds a random tree of
@@ skipping 19 matching lines @@
   }
 
   ~EqualityStressTest() {
     for (std::vector<ArgValue*>::iterator iter = arg_values_.begin();
          iter != arg_values_.end();
          ++iter) {
       DeleteArgValue(*iter);
     }
   }
 
-  ErrorCode Policy(Sandbox* sandbox, int sysno) {
-    if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  ErrorCode Policy(SandboxBPF* sandbox, int sysno) {
+    if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
       // FIXME: we should really not have to do that in a trivial policy
       return ErrorCode(ENOSYS);
     } else if (sysno < 0 || sysno >= (int)arg_values_.size() ||
                IsReservedSyscall(sysno)) {
       // We only return ErrorCode values for the system calls that
       // are part of our test data. Every other system call remains
       // allowed.
       return ErrorCode(ErrorCode::ERR_ALLOWED);
     } else {
       // ToErrorCode() turns an ArgValue object into an ErrorCode that is
@@ skipping 138 matching lines @@
         }
         delete[] arg_value->tests;
       }
       if (!arg_value->err) {
         DeleteArgValue(arg_value->arg_value);
       }
       delete arg_value;
     }
   }
 
-  ErrorCode ToErrorCode(Sandbox* sandbox, ArgValue* arg_value) {
+  ErrorCode ToErrorCode(SandboxBPF* sandbox, ArgValue* arg_value) {
     // Compute the ErrorCode that should be returned, if none of our
     // tests succeed (i.e. the system call parameter doesn't match any
     // of the values in arg_value->tests[].k_value).
     ErrorCode err;
     if (arg_value->err) {
       // If this was a leaf node, return the errno value that we expect to
       // return from the BPF filter program.
       err = ErrorCode(arg_value->err);
     } else {
       // If this wasn't a leaf node yet, recursively descend into the rest
-      // of the tree. This will end up adding a few more Sandbox::Cond()
+      // of the tree. This will end up adding a few more SandboxBPF::Cond()
       // tests to our ErrorCode.
       err = ToErrorCode(sandbox, arg_value->arg_value);
     }
 
     // Now, iterate over all the test cases that we want to compare against.
-    // This builds a chain of Sandbox::Cond() tests
+    // This builds a chain of SandboxBPF::Cond() tests
     // (aka "if ... elif ... elif ... elif ... fi")
     for (int n = arg_value->size; n-- > 0;) {
       ErrorCode matched;
       // Again, we distinguish between leaf nodes and subtrees.
       if (arg_value->tests[n].err) {
         matched = ErrorCode(arg_value->tests[n].err);
       } else {
         matched = ToErrorCode(sandbox, arg_value->tests[n].arg_value);
       }
       // For now, all of our tests are limited to 32bit.
@@ skipping 63 matching lines @@
   std::vector<ArgValue*> arg_values_;
 
   // Don't increase these values. We are pushing the limits of the maximum
   // BPF program that the kernel will allow us to load. If the values are
   // increased too much, the test will start failing.
   static const int kNumTestCases = 40;
   static const int kMaxFanOut = 3;
   static const int kMaxArgs = 6;
 };
 
-ErrorCode EqualityStressTestPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
   return reinterpret_cast<EqualityStressTest*>(aux)->Policy(sandbox, sysno);
 }
 
 BPF_TEST(SandboxBpf,
          EqualityTests,
          EqualityStressTestPolicy,
          EqualityStressTest /* BPF_AUX */) {
   BPF_AUX.VerifyFilter();
 }
 
-ErrorCode EqualityArgumentWidthPolicy(Sandbox* sandbox, int sysno, void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode EqualityArgumentWidthPolicy(SandboxBPF* sandbox, int sysno, void*) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_uname) {
     return sandbox->Cond(
         0,
         ErrorCode::TP_32BIT,
         ErrorCode::OP_EQUAL,
         0,
         sandbox->Cond(1,
                       ErrorCode::TP_32BIT,
@@ skipping 41 matching lines @@
 // syscall interface. So, we have to skip the part of the test that requires
 // 64bit arguments.
 BPF_DEATH_TEST(SandboxBpf,
                EqualityArgumentUnallowed64bit,
                DEATH_MESSAGE("Unexpected 64bit argument detected"),
                EqualityArgumentWidthPolicy) {
   SandboxSyscall(__NR_uname, 0, 0x5555555555555555ULL);
 }
 #endif
 
-ErrorCode EqualityWithNegativeArgumentsPolicy(Sandbox* sandbox,
+ErrorCode EqualityWithNegativeArgumentsPolicy(SandboxBPF* sandbox,
                                               int sysno,
                                               void*) {
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_uname) {
     return sandbox->Cond(0,
                          ErrorCode::TP_32BIT,
                          ErrorCode::OP_EQUAL,
                          0xFFFFFFFF,
                          ErrorCode(1),
                          ErrorCode(2));
   } else {
@@ skipping 13 matching lines @@
 BPF_DEATH_TEST(SandboxBpf,
                EqualityWithNegative64bitArguments,
                DEATH_MESSAGE("Unexpected 64bit argument detected"),
                EqualityWithNegativeArgumentsPolicy) {
   // When expecting a 32bit system call argument, we look at the MSB of the
   // 64bit value and allow both "0" and "-1". But the latter is allowed only
   // iff the LSB was negative. So, this death test should error out.
   BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000LL) == -1);
 }
 #endif
-ErrorCode AllBitTestPolicy(Sandbox *sandbox, int sysno, void *) {
+ErrorCode AllBitTestPolicy(SandboxBPF* sandbox, int sysno, void *) {
   // Test the OP_HAS_ALL_BITS conditional test operator with a couple of
   // different bitmasks. We try to find bitmasks that could conceivably
   // touch corner cases.
   // For all of these tests, we override the uname(). We can make use with
   // a single system call number, as we use the first system call argument to
   // select the different bit masks that we want to test against.
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_uname) {
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
            sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
                          0x0,
                          ErrorCode(1), ErrorCode(0)),
 
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
            sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
@@ skipping 168 matching lines @@
 
   // 64bit test: all of 0x100000001
   BITMASK_TEST(10,       0x000000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x000000001LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x100000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x100000001LL, ALLBITS64,0x100000001, EXPT64_SUCCESS);
   BITMASK_TEST(10,         0xFFFFFFFFU, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,                 -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS);
 }
 
-ErrorCode AnyBitTestPolicy(Sandbox* sandbox, int sysno, void*) {
+ErrorCode AnyBitTestPolicy(SandboxBPF* sandbox, int sysno, void*) {
   // Test the OP_HAS_ANY_BITS conditional test operator with a couple of
   // different bitmasks. We try to find bitmasks that could conceivably
   // touch corner cases.
   // For all of these tests, we override the uname(). We can make use with
   // a single system call number, as we use the first system call argument to
   // select the different bit masks that we want to test against.
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_uname) {
     return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
            sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
                          0x0,
                          ErrorCode(1), ErrorCode(0)),
 
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
            sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
@@ skipping 176 matching lines @@
         (long long)args.args[0],
         (long long)args.args[1],
         (long long)args.args[2],
         (long long)args.args[3],
         (long long)args.args[4],
         (long long)args.args[5],
         msg);
   }
   return -EPERM;
 }
-ErrorCode PthreadPolicyEquality(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode PthreadPolicyEquality(SandboxBPF* sandbox, int sysno, void* aux) {
   // This policy allows creating threads with pthread_create(). But it
   // doesn't allow any other uses of clone(). Most notably, it does not
   // allow callers to implement fork() or vfork() by passing suitable flags
   // to the clone() system call.
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_clone) {
     // We have seen two different valid combinations of flags. Glibc
     // uses the more modern flags, sets the TLS from the call to clone(), and
     // uses futexes to monitor threads. Android's C run-time library, doesn't
     // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
     // More recent versions of Android don't set CLONE_DETACHED anymore, so
     // the last case accounts for that.
     // The following policy is very strict. It only allows the exact masks
@@ skipping 14 matching lines @@
                          ErrorCode(ErrorCode::ERR_ALLOWED),
            sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          kBaseAndroidCloneMask,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
                          sandbox->Trap(PthreadTrapHandler, "Unknown mask"))));
   } else {
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   }
 }
 
-ErrorCode PthreadPolicyBitMask(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode PthreadPolicyBitMask(SandboxBPF* sandbox, int sysno, void* aux) {
   // This policy allows creating threads with pthread_create(). But it
   // doesn't allow any other uses of clone(). Most notably, it does not
   // allow callers to implement fork() or vfork() by passing suitable flags
   // to the clone() system call.
-  if (!Sandbox::IsValidSyscallNumber(sysno)) {
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   } else if (sysno == __NR_clone) {
     // We have seen two different valid combinations of flags. Glibc
     // uses the more modern flags, sets the TLS from the call to clone(), and
     // uses futexes to monitor threads. Android's C run-time library, doesn't
     // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
     // The following policy allows for either combination of flags, but it
     // is generally a little more conservative than strictly necessary. We
     // err on the side of rather safe than sorry.
@@ skipping 62 matching lines @@
                             CLONE_CHILD_CLEARTID | CLONE_CHILD_SETTID | SIGCHLD,
                             0,
                             0,
                             &pid) == -EPERM);
 }
 
 BPF_TEST(SandboxBpf, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); }
 
 BPF_TEST(SandboxBpf, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); }
 
-} // namespace
+}  // namespace.

[Robert Sesek, 2013/12/10 15:07:46]

nit: no period

[jln (very slow on Chromium), 2013/12/10 18:43:47]

Done.

+
+}  // namespace sandbox.