Unified Diff: sandbox/linux/seccomp-bpf/sandbox_bpf.cc

Issue 10546041: Added a new Verifier class to the BPF compiler. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Refactored error handling and rebased on head of the trunk Created 8 years, 6 months ago
Index: sandbox/linux/seccomp-bpf/sandbox_bpf.cc
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
index 773a47141252d173ff09240b4dd9489f331b51cc..573d86e10c606e717b6b06fa16ac9a04decb9e32 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
@@ -3,6 +3,7 @@
// found in the LICENSE file.
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/seccomp-bpf/verifier.h"
// The kernel gives us a sandbox, we turn it into a playground :-)
// This is version 2 of the playground; version 1 was built on top of
@@ -48,7 +49,7 @@ bool Sandbox::kernelSupportSeccompBPF(int proc_fd) {
if (!pid) {
// Test a very simple sandbox policy to verify that we can
// successfully turn on sandboxing.
- suppressLogging_ = true;
+ // suppressLogging_ = true;
evaluators_.clear();
setSandboxPolicy(probeEvaluator, NULL);
setProcFd(proc_fd);
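Review bot: The new line `// suppressLogging_ = true;` leaves a commented-out statement in the forked probe child instead of either deleting it or saying why logging is no longer suppressed during the probe. Commented-out code tends to be resurrected or misread as still active, and here the next reader cannot tell whether the noisier probe is intended. I'd drop the line, or replace it with a one-line comment giving the reason (presumably so that probe failures stay visible; the hunk does not say). kernelSupportSeccompBPF's body starts and ends outside the hunk.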
@@ -255,7 +256,7 @@ void Sandbox::installFilter() {
// O(log_2(M)) with M being the number of system calls that need special
// treatment.
EvaluateSyscall evaluateSyscall = evaluators_.begin()->first;
- for (int sysnum = MIN_SYSCALL; sysnum <= MAX_SYSCALL; ++sysnum) {
+ for (int sysnum = MIN_SYSCALL; sysnum <= MAX_SYSCALL+1; ++sysnum) {
ErrorCode err = evaluateSyscall(sysnum);
int ret;
switch (err) {
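Review bot: The `+1` in the new loop bound `sysnum <= MAX_SYSCALL+1` carries the whole mechanism — that extra iteration is the one that, in the following hunk, emits the filter's trailing return with no preceding `BPF_JUMP` — yet the loop header itself reads like an off-by-one, and the explanation only appears inside the `if (sysnum <= MAX_SYSCALL)` guard further down. I'd add a comment above the `for`: `// Deliberately runs one past MAX_SYSCALL: the extra iteration produces the fallback verdict, emitted without a comparison.` installFilter continues outside the hunk.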
@@ -278,17 +279,26 @@ void Sandbox::installFilter() {
}
break;
}
- program.push_back((struct sock_filter)
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, sysnum, 0, 1));
+ if (sysnum <= MAX_SYSCALL) {
+ // We compute the default behavior (e.g. fail open or fail closed) by
+ // calling the system call evaluator with a system call bigger than
+ // MAX_SYSCALL.
+ // In other words, the very last iteration in our loop becomes the
+ // fallback case and we don't need to do any comparisons.
+ program.push_back((struct sock_filter)
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, sysnum, 0, 1));
+ }
program.push_back((struct sock_filter)
BPF_STMT(BPF_RET+BPF_K, ret));
}
- // Everything that isn't allowed is forbidden. Eventually, we would
- // like to have a way to log forbidden calls, when in debug mode.
- // TODO: raise a suitable SIGSYS signal
- program.push_back((struct sock_filter)
- BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL));
+ // Make sure compilation resulted in BPF program that executes
+ // correctly. Otherwise, there is an internal error in our BPF compiler.
+ // There is really nothing the caller can do until the bug is fixed.
+ const char *err;
+ if (!Verifier::verifyBPF(program, evaluators_, &err)) {
+ die(err);
jln (very slow on Chromium) 2012/06/08 19:28:22 I don't like it when functions have unneeded side
Markus (顧孟勤) 2012/06/08 20:04:24 There actually is something slightly sub-optimal w
+ }
// Install BPF filter program
const struct sock_fprog prog = { program.size(), &program[0] };
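Review bot: `const char *err;` on the new side is uninitialized when its address is handed to `Verifier::verifyBPF`; if verifyBPF can return false without storing into `*err` (its contract is not visible here), `die(err)` receives an indeterminate pointer. `const char *err = NULL;` costs nothing and matches the file's existing use of NULL. Separately, the removed lines hard-wired `SECCOMP_RET_KILL` as the filter's trailing return, whereas the new code takes that verdict from `evaluateSyscall(MAX_SYSCALL+1)`, so whether the filter fails closed for syscall numbers outside the iterated range is now decided by the policy rather than by the compiler; the hunk's own comment acknowledges this, but the resulting evaluator contract — return a deny verdict for numbers above MAX_SYSCALL to keep the previous fail-closed behaviour — deserves to be stated where `EvaluateSyscall` is declared. installFilter's body starts and ends outside the hunk.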
@@ -334,7 +344,6 @@ void Sandbox::sigSys(int nr, siginfo_t *info, void *void_context) {
bool Sandbox::suppressLogging_ = false;
Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
int Sandbox::proc_fd_ = -1;
-std::vector<std::pair<Sandbox::EvaluateSyscall,
- Sandbox::EvaluateArguments> > Sandbox::evaluators_;
+Sandbox::Evaluators Sandbox::evaluators_;
} // namespace
