Chromium Code Reviews Chromium Code Reviews
Issue 101773003:
Linux sandbox: cleanup sandbox-bpf naming. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: sandbox/linux/seccomp-bpf/sandbox_bpf.cc |
| diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc |
| index b598d769ba15b6f251a3f724f83c2033ab91d0b8..a86c8668691f12786771c02341d38cef1a3e147e 100644 |
| --- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc |
| +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc |
| @@ -30,7 +30,7 @@ |
| #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" |
| #include "sandbox/linux/seccomp-bpf/verifier.h" |
| -namespace playground2 { |
| +namespace sandbox { |
| namespace { |
| @@ -56,8 +56,8 @@ void WriteFailedStderrSetupMessage(int out_fd) { |
| // We define a really simple sandbox policy. It is just good enough for us |
| // to tell that the sandbox has actually been activated. |
| -ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) __attribute__((const)); |
| -ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) { |
| +ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) __attribute__((const)); |
| +ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) { |
| switch (sysnum) { |
| case __NR_getpid: |
| // Return EPERM so that we can check that the filter actually ran. |
| @@ -77,8 +77,8 @@ void ProbeProcess(void) { |
| } |
| } |
| -ErrorCode AllowAllEvaluator(Sandbox*, int sysnum, void*) { |
| - if (!Sandbox::IsValidSyscallNumber(sysnum)) { |
| +ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) { |
| + if (!SandboxBPF::IsValidSyscallNumber(sysnum)) { |
| return ErrorCode(ENOSYS); |
| } |
| return ErrorCode(ErrorCode::ERR_ALLOWED); |
| @@ -162,7 +162,7 @@ void RedirectToUserspace(Instruction* insn, void* aux) { |
| // The performance penalty for this extra round-trip to user-space is not |
| // actually that bad, as we only ever pay it for denied system calls; and a |
| // typical program has very few of these. |
| - Sandbox* sandbox = static_cast<Sandbox*>(aux); |
| + SandboxBPF* sandbox = static_cast<SandboxBPF*>(aux); |
| if (BPF_CLASS(insn->code) == BPF_RET && |
| (insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) { |
| insn->k = sandbox->Trap(ReturnErrno, |
| @@ -182,7 +182,7 @@ class RedirectToUserSpacePolicyWrapper : public SandboxBpfPolicy { |
| DCHECK(wrapped_policy_); |
| } |
| - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, |
| + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| int system_call_number) const OVERRIDE { |
| ErrorCode err = |
| wrapped_policy_->EvaluateSyscall(sandbox_compiler, system_call_number); |
| @@ -205,31 +205,31 @@ intptr_t BpfFailure(const struct arch_seccomp_data&, void* aux) { |
| // This class allows compatibility with the old, deprecated SetSandboxPolicy. |
| class CompatibilityPolicy : public SandboxBpfPolicy { |
| public: |
| - CompatibilityPolicy(Sandbox::EvaluateSyscall syscall_evaluator, void* aux) |
| + CompatibilityPolicy(SandboxBPF::EvaluateSyscall syscall_evaluator, void* aux) |
| : syscall_evaluator_(syscall_evaluator), aux_(aux) { |
| DCHECK(syscall_evaluator_); |
| } |
| - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, |
| + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, |
| int system_call_number) const OVERRIDE { |
| return syscall_evaluator_(sandbox_compiler, system_call_number, aux_); |
| } |
| private: |
| - Sandbox::EvaluateSyscall syscall_evaluator_; |
| + SandboxBPF::EvaluateSyscall syscall_evaluator_; |
| void* aux_; |
| DISALLOW_COPY_AND_ASSIGN(CompatibilityPolicy); |
| }; |
| } // namespace |
| -Sandbox::Sandbox() |
| +SandboxBPF::SandboxBPF() |
| : quiet_(false), |
| proc_fd_(-1), |
| conds_(new Conds), |
| sandbox_has_started_(false) {} |
| -Sandbox::~Sandbox() { |
| +SandboxBPF::~SandboxBPF() { |
| // It is generally unsafe to call any memory allocator operations or to even |
| // call arbitrary destructors after having installed a new policy. We just |
| // have no way to tell whether this policy would allow the system calls that |
| @@ -246,12 +246,12 @@ Sandbox::~Sandbox() { |
| } |
| } |
| -bool Sandbox::IsValidSyscallNumber(int sysnum) { |
| +bool SandboxBPF::IsValidSyscallNumber(int sysnum) { |
| return SyscallIterator::IsValid(sysnum); |
| } |
| -bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), |
| - Sandbox::EvaluateSyscall syscall_evaluator, |
| +bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(), |
| + SandboxBPF::EvaluateSyscall syscall_evaluator, |
|
Robert Sesek
2013/12/10 15:07:46
nit: alignment. Since this won't fit in 80cols, ju
jln (very slow on Chromium)
2013/12/10 18:43:47
Done. (Removed useless SandboxBPF::)
|
| void* aux) { |
| // Block all signals before forking a child process. This prevents an |
| // attacker from manipulating our test by sending us an unexpected signal. |
| @@ -364,12 +364,12 @@ bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), |
| return rc; |
| } |
| -bool Sandbox::KernelSupportSeccompBPF() { |
| +bool SandboxBPF::KernelSupportSeccompBPF() { |
| return RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) && |
| RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0); |
| } |
| -Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) { |
| +SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) { |
| // It the sandbox is currently active, we clearly must have support for |
| // sandboxing. |
| if (status_ == STATUS_ENABLED) { |
| @@ -404,7 +404,7 @@ Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) { |
| // We create our own private copy of a "Sandbox" object. This ensures that |
| // the object does not have any policies configured, that might interfere |
| // with the tests done by "KernelSupportSeccompBPF()". |
| - Sandbox sandbox; |
| + SandboxBPF sandbox; |
| // By setting "quiet_ = true" we suppress messages for expected and benign |
| // failures (e.g. if the current kernel lacks support for BPF filters). |
| @@ -424,9 +424,9 @@ Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) { |
| return status_; |
| } |
| -void Sandbox::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; } |
| +void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; } |
| -void Sandbox::StartSandbox() { |
| +void SandboxBPF::StartSandbox() { |
| if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) { |
| SANDBOX_DIE( |
| "Trying to start sandbox, even though it is known to be " |
| @@ -464,7 +464,7 @@ void Sandbox::StartSandbox() { |
| status_ = STATUS_ENABLED; |
| } |
| -void Sandbox::PolicySanityChecks(SandboxBpfPolicy* policy) { |
| +void SandboxBPF::PolicySanityChecks(SandboxBpfPolicy* policy) { |
| for (SyscallIterator iter(true); !iter.Done();) { |
| uint32_t sysnum = iter.Next(); |
| if (!IsDenied(policy->EvaluateSyscall(this, sysnum))) { |
| @@ -477,7 +477,7 @@ void Sandbox::PolicySanityChecks(SandboxBpfPolicy* policy) { |
| } |
| // Deprecated API, supported with a wrapper to the new API. |
| -void Sandbox::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator, |
| +void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator, |
| void* aux) { |
|
Robert Sesek
2013/12/10 15:07:46
nit: alignment
jln (very slow on Chromium)
2013/12/10 18:43:47
Done.
|
| if (sandbox_has_started_ || !conds_) { |
| SANDBOX_DIE("Cannot change policy after sandbox has started"); |
| @@ -486,7 +486,7 @@ void Sandbox::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator, |
| } |
| // Don't take a scoped_ptr here, polymorphism make their use awkward. |
| -void Sandbox::SetSandboxPolicy(SandboxBpfPolicy* policy) { |
| +void SandboxBPF::SetSandboxPolicy(SandboxBpfPolicy* policy) { |
| DCHECK(!policy_); |
| if (sandbox_has_started_ || !conds_) { |
| SANDBOX_DIE("Cannot change policy after sandbox has started"); |
| @@ -495,7 +495,7 @@ void Sandbox::SetSandboxPolicy(SandboxBpfPolicy* policy) { |
| policy_.reset(policy); |
| } |
| -void Sandbox::InstallFilter() { |
| +void SandboxBPF::InstallFilter() { |
| // We want to be very careful in not imposing any requirements on the |
| // policies that are set with SetSandboxPolicy(). This means, as soon as |
| // the sandbox is active, we shouldn't be relying on libraries that could |
| @@ -536,7 +536,7 @@ void Sandbox::InstallFilter() { |
| return; |
| } |
| -Sandbox::Program* Sandbox::AssembleFilter(bool force_verification) { |
| +SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) { |
| #if !defined(NDEBUG) |
| force_verification = true; |
| #endif |
| @@ -709,7 +709,7 @@ Sandbox::Program* Sandbox::AssembleFilter(bool force_verification) { |
| return program; |
| } |
| -void Sandbox::VerifyProgram(const Program& program, bool has_unsafe_traps) { |
| +void SandboxBPF::VerifyProgram(const Program& program, bool has_unsafe_traps) { |
| // If we previously rewrote the BPF program so that it calls user-space |
| // whenever we return an "errno" value from the filter, then we have to |
| // wrap our system call evaluator to perform the same operation. Otherwise, |
| @@ -727,7 +727,7 @@ void Sandbox::VerifyProgram(const Program& program, bool has_unsafe_traps) { |
| } |
| } |
| -void Sandbox::FindRanges(Ranges* ranges) { |
| +void SandboxBPF::FindRanges(Ranges* ranges) { |
| // Please note that "struct seccomp_data" defines system calls as a signed |
| // int32_t, but BPF instructions always operate on unsigned quantities. We |
| // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL, |
| @@ -755,7 +755,7 @@ void Sandbox::FindRanges(Ranges* ranges) { |
| } |
| } |
| -Instruction* Sandbox::AssembleJumpTable(CodeGen* gen, |
| +Instruction* SandboxBPF::AssembleJumpTable(CodeGen* gen, |
| Ranges::const_iterator start, |
| Ranges::const_iterator stop) { |
| // We convert the list of system call ranges into jump table that performs |
| @@ -782,7 +782,7 @@ Instruction* Sandbox::AssembleJumpTable(CodeGen* gen, |
| return gen->MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf); |
| } |
| -Instruction* Sandbox::RetExpression(CodeGen* gen, const ErrorCode& err) { |
| +Instruction* SandboxBPF::RetExpression(CodeGen* gen, const ErrorCode& err) { |
| if (err.error_type_ == ErrorCode::ET_COND) { |
| return CondExpression(gen, err); |
| } else { |
| @@ -790,7 +790,7 @@ Instruction* Sandbox::RetExpression(CodeGen* gen, const ErrorCode& err) { |
| } |
| } |
| -Instruction* Sandbox::CondExpression(CodeGen* gen, const ErrorCode& cond) { |
| +Instruction* SandboxBPF::CondExpression(CodeGen* gen, const ErrorCode& cond) { |
| // We can only inspect the six system call arguments that are passed in |
| // CPU registers. |
| if (cond.argno_ < 0 || cond.argno_ >= 6) { |
| @@ -973,19 +973,19 @@ Instruction* Sandbox::CondExpression(CodeGen* gen, const ErrorCode& cond) { |
| return msb_head; |
| } |
| -ErrorCode Sandbox::Unexpected64bitArgument() { |
| +ErrorCode SandboxBPF::Unexpected64bitArgument() { |
| return Kill("Unexpected 64bit argument detected"); |
| } |
| -ErrorCode Sandbox::Trap(Trap::TrapFnc fnc, const void* aux) { |
| +ErrorCode SandboxBPF::Trap(Trap::TrapFnc fnc, const void* aux) { |
| return Trap::MakeTrap(fnc, aux, true /* Safe Trap */); |
| } |
| -ErrorCode Sandbox::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) { |
| +ErrorCode SandboxBPF::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) { |
| return Trap::MakeTrap(fnc, aux, false /* Unsafe Trap */); |
| } |
| -intptr_t Sandbox::ForwardSyscall(const struct arch_seccomp_data& args) { |
| +intptr_t SandboxBPF::ForwardSyscall(const struct arch_seccomp_data& args) { |
| return SandboxSyscall(args.nr, |
| static_cast<intptr_t>(args.args[0]), |
| static_cast<intptr_t>(args.args[1]), |
| @@ -995,7 +995,7 @@ intptr_t Sandbox::ForwardSyscall(const struct arch_seccomp_data& args) { |
| static_cast<intptr_t>(args.args[5])); |
| } |
| -ErrorCode Sandbox::Cond(int argno, |
| +ErrorCode SandboxBPF::Cond(int argno, |
| ErrorCode::ArgType width, |
|
Robert Sesek
2013/12/10 15:07:46
nit: alignment
jln (very slow on Chromium)
2013/12/10 18:43:47
Done.
|
| ErrorCode::Operation op, |
| uint64_t value, |
| @@ -1009,10 +1009,10 @@ ErrorCode Sandbox::Cond(int argno, |
| &*conds_->insert(failed).first); |
| } |
| -ErrorCode Sandbox::Kill(const char* msg) { |
| +ErrorCode SandboxBPF::Kill(const char* msg) { |
| return Trap(BpfFailure, const_cast<char*>(msg)); |
| } |
| -Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN; |
| +SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN; |
| -} // namespace playground2 |
| +} // namespace sandbox |
