| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" | 5 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| 6 #include "sandbox/linux/seccomp-bpf/verifier.h" | 6 #include "sandbox/linux/seccomp-bpf/verifier.h" |
| 7 | 7 |
| 8 | 8 |
| 9 namespace playground2 { | 9 namespace playground2 { |
| 10 | 10 |
| 11 bool Verifier::verifyBPF(const std::vector<struct sock_filter>& program, | 11 bool Verifier::verifyBPF(const std::vector<struct sock_filter>& program, |
| 12 const Sandbox::Evaluators& evaluators, | 12 const Sandbox::Evaluators& evaluators, |
| 13 const char **err) { | 13 const char **err) { |
| 14 *err = NULL; | 14 *err = NULL; |
| 15 if (evaluators.size() != 1) { | 15 if (evaluators.size() != 1) { |
| 16 *err = "Not implemented"; | 16 *err = "Not implemented"; |
| 17 return false; | 17 return false; |
| 18 } | 18 } |
| 19 Sandbox::EvaluateSyscall evaluateSyscall = evaluators.begin()->first; | 19 Sandbox::EvaluateSyscall evaluateSyscall = evaluators.begin()->first; |
| 20 for (int nr = MIN_SYSCALL-1; nr <= MAX_SYSCALL+1; ++nr) { | 20 for (int nr = MIN_SYSCALL-1; nr <= static_cast<int>(MAX_SYSCALL)+1; ++nr) { |
| 21 // We ideally want to iterate over the full system call range and values | 21 // We ideally want to iterate over the full system call range and values |
| 22 // just above and just below this range. This gives us the full result set | 22 // just above and just below this range. This gives us the full result set |
| 23 // of the "evaluators". | 23 // of the "evaluators". |
| 24 // On Intel systems, this can fail in a surprising way, as a cleared bit 30 | 24 // On Intel systems, this can fail in a surprising way, as a cleared bit 30 |
| 25 // indicates either i386 or x86-64; and a set bit 30 indicates x32. And | 25 // indicates either i386 or x86-64; and a set bit 30 indicates x32. And |
| 26 // unless we pay attention to setting this bit correctly, an early check in | 26 // unless we pay attention to setting this bit correctly, an early check in |
| 27 // our BPF program will make us fail with a misleading error code. | 27 // our BPF program will make us fail with a misleading error code. |
| 28 #if defined(__i386__) || defined(__x86_64__) | 28 #if defined(__i386__) || defined(__x86_64__) |
| 29 #if defined(__x86_64__) && defined(__ILP32__) | 29 #if defined(__x86_64__) && defined(__ILP32__) |
| 30 int sysnum = nr | 0x40000000; | 30 int sysnum = nr | 0x40000000; |
| (...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 160 } else { | 160 } else { |
| 161 state->ip += insn.jf; | 161 state->ip += insn.jf; |
| 162 } | 162 } |
| 163 break; | 163 break; |
| 164 default: | 164 default: |
| 165 goto compilation_failure; | 165 goto compilation_failure; |
| 166 } | 166 } |
| 167 } | 167 } |
| 168 } | 168 } |
| 169 | 169 |
| 170 uint32_t Verifier::ret(State *state, const struct sock_filter& insn, | 170 uint32_t Verifier::ret(State *, const struct sock_filter& insn, |
| 171 const char **err) { | 171 const char **err) { |
| 172 if (BPF_SRC(insn.code) != BPF_K) { | 172 if (BPF_SRC(insn.code) != BPF_K) { |
| 173 *err = "Invalid BPF_RET instruction"; | 173 *err = "Invalid BPF_RET instruction"; |
| 174 return 0; | 174 return 0; |
| 175 } | 175 } |
| 176 return insn.k; | 176 return insn.k; |
| 177 } | 177 } |
| 178 | 178 |
| 179 } // namespace | 179 } // namespace |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 10536048:
Instead of outputting one BPF check per possible system call. Coalesce (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src