| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_BPF_H__ | 5 #ifndef SANDBOX_BPF_H__ |
| 6 #define SANDBOX_BPF_H__ | 6 #define SANDBOX_BPF_H__ |
| 7 | 7 |
| 8 #include <endian.h> | 8 #include <endian.h> |
| 9 #include <errno.h> | 9 #include <errno.h> |
| 10 #include <fcntl.h> | 10 #include <fcntl.h> |
| (...skipping 15 matching lines...) Expand all Loading... |
| 26 #include <sys/mman.h> | 26 #include <sys/mman.h> |
| 27 #include <sys/prctl.h> | 27 #include <sys/prctl.h> |
| 28 #include <sys/shm.h> | 28 #include <sys/shm.h> |
| 29 #include <sys/stat.h> | 29 #include <sys/stat.h> |
| 30 #include <sys/types.h> | 30 #include <sys/types.h> |
| 31 #include <sys/uio.h> | 31 #include <sys/uio.h> |
| 32 #include <sys/wait.h> | 32 #include <sys/wait.h> |
| 33 #include <unistd.h> | 33 #include <unistd.h> |
| 34 | 34 |
| 35 #include <algorithm> | 35 #include <algorithm> |
| 36 #include <limits> |
| 36 #include <utility> | 37 #include <utility> |
| 37 #include <vector> | 38 #include <vector> |
| 38 | 39 |
| 39 #ifndef SECCOMP_BPF_STANDALONE | 40 #ifndef SECCOMP_BPF_STANDALONE |
| 40 #include "base/basictypes.h" | 41 #include "base/basictypes.h" |
| 41 #include "base/eintr_wrapper.h" | 42 #include "base/eintr_wrapper.h" |
| 42 #include "base/logging.h" | 43 #include "base/logging.h" |
| 43 #endif | 44 #endif |
| 44 | 45 |
| 45 // The Seccomp2 kernel ABI is not part of older versions of glibc. | 46 // The Seccomp2 kernel ABI is not part of older versions of glibc. |
| (...skipping 18 matching lines...) Expand all Loading... |
| 64 #define SECCOMP_RET_ALLOW 0x7fff0000U // Allow | 65 #define SECCOMP_RET_ALLOW 0x7fff0000U // Allow |
| 65 #define SECCOMP_RET_ACTION 0xffff0000U // Masks for the return value | 66 #define SECCOMP_RET_ACTION 0xffff0000U // Masks for the return value |
| 66 #define SECCOMP_RET_DATA 0x0000ffffU // sections | 67 #define SECCOMP_RET_DATA 0x0000ffffU // sections |
| 67 #endif | 68 #endif |
| 68 #define SECCOMP_DENY_ERRNO EPERM | 69 #define SECCOMP_DENY_ERRNO EPERM |
| 69 #ifndef SYS_SECCOMP | 70 #ifndef SYS_SECCOMP |
| 70 #define SYS_SECCOMP 1 | 71 #define SYS_SECCOMP 1 |
| 71 #endif | 72 #endif |
| 72 | 73 |
| 73 #if defined(__i386__) | 74 #if defined(__i386__) |
| 74 #define MIN_SYSCALL 0 | 75 #define MIN_SYSCALL 0u |
| 75 #define MAX_SYSCALL 1024 | 76 #define MAX_SYSCALL 1024u |
| 76 #define SECCOMP_ARCH AUDIT_ARCH_I386 | 77 #define SECCOMP_ARCH AUDIT_ARCH_I386 |
| 77 #define REG_RESULT REG_EAX | 78 #define REG_RESULT REG_EAX |
| 78 #define REG_SYSCALL REG_EAX | 79 #define REG_SYSCALL REG_EAX |
| 79 #define REG_PARM1 REG_EBX | 80 #define REG_PARM1 REG_EBX |
| 80 #define REG_PARM2 REG_ECX | 81 #define REG_PARM2 REG_ECX |
| 81 #define REG_PARM3 REG_EDX | 82 #define REG_PARM3 REG_EDX |
| 82 #define REG_PARM4 REG_ESI | 83 #define REG_PARM4 REG_ESI |
| 83 #define REG_PARM5 REG_EDI | 84 #define REG_PARM5 REG_EDI |
| 84 #define REG_PARM6 REG_EBP | 85 #define REG_PARM6 REG_EBP |
| 85 #elif defined(__x86_64__) | 86 #elif defined(__x86_64__) |
| 86 #define MIN_SYSCALL 0 | 87 #define MIN_SYSCALL 0u |
| 87 #define MAX_SYSCALL 1024 | 88 #define MAX_SYSCALL 1024u |
| 88 #define SECCOMP_ARCH AUDIT_ARCH_X86_64 | 89 #define SECCOMP_ARCH AUDIT_ARCH_X86_64 |
| 89 #define REG_RESULT REG_RAX | 90 #define REG_RESULT REG_RAX |
| 90 #define REG_SYSCALL REG_RAX | 91 #define REG_SYSCALL REG_RAX |
| 91 #define REG_PARM1 REG_RDI | 92 #define REG_PARM1 REG_RDI |
| 92 #define REG_PARM2 REG_RSI | 93 #define REG_PARM2 REG_RSI |
| 93 #define REG_PARM3 REG_RDX | 94 #define REG_PARM3 REG_RDX |
| 94 #define REG_PARM4 REG_R10 | 95 #define REG_PARM4 REG_R10 |
| 95 #define REG_PARM5 REG_R8 | 96 #define REG_PARM5 REG_R8 |
| 96 #define REG_PARM6 REG_R9 | 97 #define REG_PARM6 REG_R9 |
| 97 #else | 98 #else |
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 132 | 133 |
| 133 enum ErrorCode { | 134 enum ErrorCode { |
| 134 SB_TRAP = -1, | 135 SB_TRAP = -1, |
| 135 SB_ALLOWED = 0x0000, | 136 SB_ALLOWED = 0x0000, |
| 136 SB_INSPECT_ARG_1 = 0x8001, | 137 SB_INSPECT_ARG_1 = 0x8001, |
| 137 SB_INSPECT_ARG_2 = 0x8002, | 138 SB_INSPECT_ARG_2 = 0x8002, |
| 138 SB_INSPECT_ARG_3 = 0x8004, | 139 SB_INSPECT_ARG_3 = 0x8004, |
| 139 SB_INSPECT_ARG_4 = 0x8008, | 140 SB_INSPECT_ARG_4 = 0x8008, |
| 140 SB_INSPECT_ARG_5 = 0x8010, | 141 SB_INSPECT_ARG_5 = 0x8010, |
| 141 SB_INSPECT_ARG_6 = 0x8020 | 142 SB_INSPECT_ARG_6 = 0x8020 |
| 143 |
| 144 // Also, any errno value is valid when cast to ErrorCode. |
| 142 }; | 145 }; |
| 143 | 146 |
| 144 enum Operation { | 147 enum Operation { |
| 145 OP_NOP, OP_EQUAL, OP_NOTEQUAL, OP_LESS, | 148 OP_NOP, OP_EQUAL, OP_NOTEQUAL, OP_LESS, |
| 146 OP_LESS_EQUAL, OP_GREATER, OP_GREATER_EQUAL, | 149 OP_LESS_EQUAL, OP_GREATER, OP_GREATER_EQUAL, |
| 147 OP_HAS_BITS, OP_DOES_NOT_HAVE_BITS | 150 OP_HAS_BITS, OP_DOES_NOT_HAVE_BITS |
| 148 }; | 151 }; |
| 149 | 152 |
| 150 struct Constraint { | 153 struct Constraint { |
| 151 bool is32bit; | 154 bool is32bit; |
| (...skipping 78 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 230 // notice and file a bug... | 233 // notice and file a bug... |
| 231 syscall(__NR_exit_group, 1); | 234 syscall(__NR_exit_group, 1); |
| 232 _exit(1); | 235 _exit(1); |
| 233 } | 236 } |
| 234 } | 237 } |
| 235 | 238 |
| 236 // Get a file descriptor pointing to "/proc", if currently available. | 239 // Get a file descriptor pointing to "/proc", if currently available. |
| 237 static int getProcFd() { return proc_fd_; } | 240 static int getProcFd() { return proc_fd_; } |
| 238 | 241 |
| 239 private: | 242 private: |
| 243 struct Range { |
| 244 Range(uint32_t f, uint32_t t, ErrorCode e) : |
| 245 from(f), |
| 246 to(t), |
| 247 err(e) { |
| 248 } |
| 249 uint32_t from, to; |
| 250 ErrorCode err; |
| 251 }; |
| 252 typedef std::vector<Range> Ranges; |
| 240 typedef std::vector<struct sock_filter> Program; | 253 typedef std::vector<struct sock_filter> Program; |
| 241 | 254 |
| 242 static ErrorCode probeEvaluator(int signo); | 255 static ErrorCode probeEvaluator(int signo) __attribute__((const)); |
| 243 static bool kernelSupportSeccompBPF(int proc_fd); | 256 static bool kernelSupportSeccompBPF(int proc_fd); |
| 244 static bool isSingleThreaded(int proc_fd); | 257 static bool isSingleThreaded(int proc_fd); |
| 245 static bool disableFilesystem(); | 258 static bool disableFilesystem(); |
| 259 static void policySanityChecks(EvaluateSyscall syscallEvaluator, |
| 260 EvaluateArguments argumentEvaluator); |
| 246 static void installFilter(); | 261 static void installFilter(); |
| 262 static void findRanges(Ranges *ranges); |
| 263 static void rangesToBPF(Program *program, const Ranges& ranges); |
| 247 static void sigSys(int nr, siginfo_t *info, void *void_context); | 264 static void sigSys(int nr, siginfo_t *info, void *void_context); |
| 248 | 265 |
| 249 static bool dryRun_; | 266 static bool dryRun_; |
| 250 static SandboxStatus status_; | 267 static SandboxStatus status_; |
| 251 static int proc_fd_; | 268 static int proc_fd_; |
| 252 static Evaluators evaluators_; | 269 static Evaluators evaluators_; |
| 253 }; | 270 }; |
| 254 | 271 |
| 255 } // namespace | 272 } // namespace |
| 256 | 273 |
| 257 #endif // SANDBOX_BPF_H__ | 274 #endif // SANDBOX_BPF_H__ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10536048:
Instead of outputting one BPF check per possible system call. Coalesce (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src