Added a new Verifier class to the BPF compiler.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/seccomp-bpf/verifier.h"
 
 // The kernel gives us a sandbox, we turn it into a playground :-)
 // This is version 2 of the playground; version 1 was built on top of
 // pre-BPF seccomp mode.
 namespace playground2 {
 
 Sandbox::ErrorCode Sandbox::probeEvaluator(int signo) {
   switch (signo) {
   case __NR_getpid:
     // Return EPERM so that we can check that the filter actually ran.
@@ skipping 25 matching lines @@
     // attacker might cause fork() to fail at will and could trick us
     // into running without a sandbox.
     sigprocmask(SIG_SETMASK, &oldMask, NULL);  // OK, if it fails
     die("fork() failed unexpectedly");
   }
 
   // In the child process
   if (!pid) {
     // Test a very simple sandbox policy to verify that we can
     // successfully turn on sandboxing.
-    suppressLogging_ = true;
+    // suppressLogging_ = true;
     evaluators_.clear();
     setSandboxPolicy(probeEvaluator, NULL);
     setProcFd(proc_fd);
     startSandbox();
     if (syscall(__NR_getpid) < 0 && errno == EPERM) {
       syscall(__NR_exit_group, (intptr_t)100);
     }
     die(NULL);
   }
 
@@ skipping 186 matching lines @@
 
   // Evaluate all possible system calls and depending on their
   // exit codes generate a BPF filter.
   // This is very inefficient right now. We need to be much smarter
   // eventually.
   // We currently incur a O(N) overhead on each system call, with N
   // being the number of system calls. It is easy to get this down to
   // O(log_2(M)) with M being the number of system calls that need special
   // treatment.
   EvaluateSyscall evaluateSyscall = evaluators_.begin()->first;
-  for (int sysnum = MIN_SYSCALL; sysnum <= MAX_SYSCALL; ++sysnum) {
+  for (int sysnum = MIN_SYSCALL; sysnum <= MAX_SYSCALL+1; ++sysnum) {
     ErrorCode err = evaluateSyscall(sysnum);
     int ret;
     switch (err) {
     case SB_INSPECT_ARG_1...SB_INSPECT_ARG_6:
       die("Not implemented");
     case SB_TRAP:
       ret = SECCOMP_RET_TRAP;
       break;
     case SB_ALLOWED:
       ret = SECCOMP_RET_ALLOW;
       break;
     default:
       if (err >= static_cast<ErrorCode>(1) &&
           err <= static_cast<ErrorCode>(4096)) {
         // We limit errno values to a reasonable range. In fact, the Linux ABI
         // doesn't support errno values outside of this range.
         ret = SECCOMP_RET_ERRNO + err;
       } else {
         die("Invalid ErrorCode reported by sandbox system call evaluator");
       }
       break;
     }
-    program.push_back((struct sock_filter)
-      BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, sysnum, 0, 1));
+    if (sysnum <= MAX_SYSCALL) {
+      // We compute the default behavior (e.g. fail open or fail closed) by
+      // calling the system call evaluator with a system call bigger than
+      // MAX_SYSCALL.
+      // In other words, the very last iteration in our loop becomes the
+      // fallback case and we don't need to do any comparisons.
+      program.push_back((struct sock_filter)
+        BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, sysnum, 0, 1));
+    }
     program.push_back((struct sock_filter)
       BPF_STMT(BPF_RET+BPF_K, ret));
   }
 
-  // Everything that isn't allowed is forbidden. Eventually, we would
-  // like to have a way to log forbidden calls, when in debug mode.
-  // TODO: raise a suitable SIGSYS signal
-  program.push_back((struct sock_filter)
-    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL));
+  // Make sure compilation resulted in BPF program that executes
+  // correctly. Otherwise, there is an internal error in our BPF compiler.
+  // There is really nothing the caller can do until the bug is fixed.
+  const char *err;
+  if (!Verifier::verifyBPF(program, evaluators_, &err)) {
+    die(err);

[jln (very slow on Chromium), 2012/06/08 19:28:22]

I don't like it when functions have u needed side effects, but it's consistent
with the rest of the function, so fine.

[Markus (顧孟勤), 2012/06/08 20:04:24]

There actually is something slightly sub-optimal with error reporting right now.
I'll send you another CL shortly to hopefully make you happier.

+  }
 
   // Install BPF filter program
   const struct sock_fprog prog = { program.size(), &program[0] };
   if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
       prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
     goto filter_failed;
   }
 
   return;
 }
@@ skipping 25 matching lines @@
 
   ctx->uc_mcontext.gregs[REG_RESULT] = reinterpret_cast<greg_t>(rc);
   errno                              = old_errno;
   return;
 }
 
 
 bool Sandbox::suppressLogging_          = false;
 Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
 int    Sandbox::proc_fd_                = -1;
-std::vector<std::pair<Sandbox::EvaluateSyscall,
-                      Sandbox::EvaluateArguments> > Sandbox::evaluators_;
+Sandbox::Evaluators Sandbox::evaluators_;
 
 }  // namespace