Side by Side Diff: sandbox/linux/seccomp-bpf/sandbox_bpf.h

Issue 10546041: Added a new Verifier class to the BPF compiler. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Update GYP file Created 8 years, 6 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef SANDBOX_BPF_H__ 5 #ifndef SANDBOX_BPF_H__
6 #define SANDBOX_BPF_H__ 6 #define SANDBOX_BPF_H__
7 7
8 #include <endian.h> 8 #include <endian.h>
9 #include <errno.h> 9 #include <errno.h>
10 #include <fcntl.h> 10 #include <fcntl.h>
(...skipping 97 matching lines...) Expand 10 before | Expand all | Expand 10 after
108 #ifdef SECCOMP_BPF_STANDALONE 108 #ifdef SECCOMP_BPF_STANDALONE
109 #define arraysize(x) sizeof(x)/sizeof(*(x))) 109 #define arraysize(x) sizeof(x)/sizeof(*(x)))
110 #define HANDLE_EINTR TEMP_FAILURE_RETRY 110 #define HANDLE_EINTR TEMP_FAILURE_RETRY
111 #endif 111 #endif
112 112
113 113
114 namespace playground2 { 114 namespace playground2 {
115 115
116 class Sandbox { 116 class Sandbox {
117 friend class Util; 117 friend class Util;
118 friend class Verifier;
118 119
119 public: 120 public:
120 enum SandboxStatus { 121 enum SandboxStatus {
121 STATUS_UNKNOWN, // Status prior to calling supportsSeccompSandbox() 122 STATUS_UNKNOWN, // Status prior to calling supportsSeccompSandbox()
122 STATUS_UNSUPPORTED, // The kernel does not appear to support sandboxing 123 STATUS_UNSUPPORTED, // The kernel does not appear to support sandboxing
123 STATUS_UNAVAILABLE, // Currently unavailable but might work again later 124 STATUS_UNAVAILABLE, // Currently unavailable but might work again later
124 STATUS_AVAILABLE, // Sandboxing is available but not currently active 125 STATUS_AVAILABLE, // Sandboxing is available but not currently active
125 STATUS_ENABLED // The sandbox is now active 126 STATUS_ENABLED // The sandbox is now active
126 }; 127 };
127 128
(...skipping 18 matching lines...) Expand all
146 bool is32bit; 147 bool is32bit;
147 Operation op; 148 Operation op;
148 uint32_t value; 149 uint32_t value;
149 ErrorCode passed; 150 ErrorCode passed;
150 ErrorCode failed; 151 ErrorCode failed;
151 }; 152 };
152 153
153 typedef ErrorCode (*EvaluateSyscall)(int sysno); 154 typedef ErrorCode (*EvaluateSyscall)(int sysno);
154 typedef int (*EvaluateArguments)(int sysno, int arg, 155 typedef int (*EvaluateArguments)(int sysno, int arg,
155 Constraint *constraint); 156 Constraint *constraint);
157 typedef std::vector<std::pair<EvaluateSyscall,EvaluateArguments> >Evaluators;
156 158
157 // There are a lot of reasons why the Seccomp sandbox might not be available. 159 // There are a lot of reasons why the Seccomp sandbox might not be available.
158 // This could be because the kernel does not support Seccomp mode, or it 160 // This could be because the kernel does not support Seccomp mode, or it
159 // could be because another sandbox is already active. 161 // could be because another sandbox is already active.
160 // "proc_fd" should be a file descriptor for "/proc", or -1 if not 162 // "proc_fd" should be a file descriptor for "/proc", or -1 if not
161 // provided by the caller. 163 // provided by the caller.
162 static SandboxStatus supportsSeccompSandbox(int proc_fd); 164 static SandboxStatus supportsSeccompSandbox(int proc_fd);
163 165
164 // The sandbox needs to be able to access files in "/proc/self". If this 166 // The sandbox needs to be able to access files in "/proc/self". If this
165 // directory is not accessible when "startSandbox()" gets called, the caller 167 // directory is not accessible when "startSandbox()" gets called, the caller
(...skipping 62 matching lines...) Expand 10 before | Expand all | Expand 10 after
228 static bool kernelSupportSeccompBPF(int proc_fd); 230 static bool kernelSupportSeccompBPF(int proc_fd);
229 231
230 static bool isSingleThreaded(int proc_fd); 232 static bool isSingleThreaded(int proc_fd);
231 static bool disableFilesystem(); 233 static bool disableFilesystem();
232 static void installFilter(); 234 static void installFilter();
233 static void sigSys(int nr, siginfo_t *info, void *void_context); 235 static void sigSys(int nr, siginfo_t *info, void *void_context);
234 236
235 static bool suppressLogging_; 237 static bool suppressLogging_;
236 static SandboxStatus status_; 238 static SandboxStatus status_;
237 static int proc_fd_; 239 static int proc_fd_;
238 static std::vector<std::pair<EvaluateSyscall, 240 static Evaluators evaluators_;
239 EvaluateArguments> > evaluators_;
240 }; 241 };
241 242
242 } // namespace 243 } // namespace
243 244
244 #endif // SANDBOX_BPF_H__ 245 #endif // SANDBOX_BPF_H__
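Review bot: `friend class Verifier;` (new line 118) hands the Verifier unrestricted access to every private member of Sandbox — `installFilter()`, `sigSys()`, `proc_fd_`, `status_` and `evaluators_` — when it presumably only needs to read the policy callbacks, so a comment stating the intended scope would help keep that boundary, e.g. `// Verifier only needs read access to evaluators_ to check the generated program.` (confirm against the Verifier implementation). The new public `Evaluators` typedef (new line 157) also deserves a one-line comment saying that each pair holds a syscall-level policy callback and its argument-level checker, and it is missing a space in `> >Evaluators;` (`> > Evaluators;`). Unrelated to this change but visible in this section: the standalone `arraysize` macro at line 109 has an unbalanced `)` and no outer parentheses, so `#define arraysize(x) (sizeof(x)/sizeof(*(x)))` would be the correct form.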