sandbox/linux/seccomp-bpf/sandbox_bpf.h - Issue 10536048: Instead of outputting one BPF check per possible system call. Coalesce

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: sandbox/linux/seccomp-bpf/sandbox_bpf.h

Issue 10536048: Instead of outputting one BPF check per possible system call. Coalesce (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Moved checking of policies into a separate method Created 8 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sandbox/linux/seccomp-bpf/sandbox_bpf.h

diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h

index 0d8b754c1044fe80b025de9aca52c479b56bd640..886311b76f640130a908e67c7b3f1100a6fb373d 100644

--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h

+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h

@@ -33,6 +33,7 @@

#include <unistd.h>

#include <algorithm>

+#include <limits>

#include <utility>

#include <vector>

@@ -71,8 +72,8 @@

#endif

#if defined(__i386__)

-#define MIN_SYSCALL 0

-#define MAX_SYSCALL 1024

+#define MIN_SYSCALL 0u

+#define MAX_SYSCALL 1024u

#define SECCOMP_ARCH AUDIT_ARCH_I386

#define REG_RESULT REG_EAX

#define REG_SYSCALL REG_EAX

@@ -83,8 +84,8 @@

#define REG_PARM5 REG_EDI

#define REG_PARM6 REG_EBP

#elif defined(__x86_64__)

-#define MIN_SYSCALL 0

-#define MAX_SYSCALL 1024

+#define MIN_SYSCALL 0u

+#define MAX_SYSCALL 1024u

#define SECCOMP_ARCH AUDIT_ARCH_X86_64

#define REG_RESULT REG_RAX

#define REG_SYSCALL REG_RAX

@@ -139,6 +140,8 @@ class Sandbox {

SB_INSPECT_ARG_4 = 0x8008,

SB_INSPECT_ARG_5 = 0x8010,

SB_INSPECT_ARG_6 = 0x8020

+ // Also, any errno value is valid when cast to ErrorCode.

};

enum Operation {

@@ -230,13 +233,28 @@ class Sandbox {

static int getProcFd() { return proc_fd_; }

private:

- static ErrorCode probeEvaluator(int signo);

- static bool kernelSupportSeccompBPF(int proc_fd);

+ struct Range {

+ Range(uint32_t f, uint32_t t, ErrorCode e) :

+ from(f),

+ to(t),

+ err(e) {

+ }

+ uint32_t from, to;

+ ErrorCode err;

+ };

+ typedef std::vector<Range> Ranges;

+ typedef std::vector<struct sock_filter> Program;

- static bool isSingleThreaded(int proc_fd);

- static bool disableFilesystem();

- static void installFilter();

- static void sigSys(int nr, siginfo_t *info, void *void_context);

+ static ErrorCode probeEvaluator(int signo) __attribute__((const));

+ static bool kernelSupportSeccompBPF(int proc_fd);

+ static bool isSingleThreaded(int proc_fd);

+ static bool disableFilesystem();

+ static void policySanityChecks(EvaluateSyscall syscallEvaluator,

+ EvaluateArguments argumentEvaluator);

+ static void installFilter();

+ static void findRanges(Ranges *ranges);

+ static void rangesToBPF(Program *program, const Ranges& ranges);

+ static void sigSys(int nr, siginfo_t *info, void *void_context);

static bool suppressLogging_;

static SandboxStatus status_;

« no previous file with comments | « no previous file | sandbox/linux/seccomp-bpf/sandbox_bpf.cc » ('j') | sandbox/linux/seccomp-bpf/sandbox_bpf.cc » ('J')