Chromium Code Reviews Chromium Code Reviews
Issue 10546041:
Added a new Verifier class to the BPF compiler. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: sandbox/linux/seccomp-bpf/sandbox_bpf.cc |
| diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc |
| index 773a47141252d173ff09240b4dd9489f331b51cc..f2e5bbdf1b08125678b8a3206b32ae80c2865456 100644 |
| --- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc |
| +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc |
| @@ -3,6 +3,7 @@ |
| // found in the LICENSE file. |
| #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" |
| +#include "sandbox/linux/seccomp-bpf/verifier.h" |
| // The kernel gives us a sandbox, we turn it into a playground :-) |
| // This is version 2 of the playground; version 1 was built on top of |
| @@ -255,7 +256,7 @@ void Sandbox::installFilter() { |
| // O(log_2(M)) with M being the number of system calls that need special |
| // treatment. |
| EvaluateSyscall evaluateSyscall = evaluators_.begin()->first; |
| - for (int sysnum = MIN_SYSCALL; sysnum <= MAX_SYSCALL; ++sysnum) { |
| + for (int sysnum = MIN_SYSCALL; sysnum <= MAX_SYSCALL+1; ++sysnum) { |
|
Chris Evans
2012/06/11 19:20:41
Should sysnum be signed?
Markus (顧孟勤)
2012/06/11 20:58:43
Yes, a future change list is actually changing it
|
| ErrorCode err = evaluateSyscall(sysnum); |
| int ret; |
| switch (err) { |
| @@ -278,17 +279,26 @@ void Sandbox::installFilter() { |
| } |
| break; |
| } |
| - program.push_back((struct sock_filter) |
| - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, sysnum, 0, 1)); |
| + if (sysnum <= MAX_SYSCALL) { |
| + // We compute the default behavior (e.g. fail open or fail closed) by |
| + // calling the system call evaluator with a system call bigger than |
| + // MAX_SYSCALL. |
| + // In other words, the very last iteration in our loop becomes the |
| + // fallback case and we don't need to do any comparisons. |
| + program.push_back((struct sock_filter) |
| + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, sysnum, 0, 1)); |
| + } |
| program.push_back((struct sock_filter) |
| BPF_STMT(BPF_RET+BPF_K, ret)); |
| } |
| - // Everything that isn't allowed is forbidden. Eventually, we would |
| - // like to have a way to log forbidden calls, when in debug mode. |
| - // TODO: raise a suitable SIGSYS signal |
| - program.push_back((struct sock_filter) |
| - BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)); |
| + // Make sure compilation resulted in BPF program that executes |
| + // correctly. Otherwise, there is an internal error in our BPF compiler. |
| + // There is really nothing the caller can do until the bug is fixed. |
| + const char *err; |
|
Chris Evans
2012/06/11 19:20:41
Initialize to NULL for safety, since it's a pointe
Markus (顧孟勤)
2012/06/11 20:58:43
Done.
|
| + if (!Verifier::verifyBPF(program, evaluators_, &err)) { |
|
Chris Evans
2012/06/11 19:20:41
I think we should only do this step under #ifdef D
Markus (顧孟勤)
2012/06/11 20:58:43
I am on the fence. Execution time various somewher
|
| + die(err); |
| + } |
| // Install BPF filter program |
| const struct sock_fprog prog = { program.size(), &program[0] }; |
| @@ -334,7 +344,6 @@ void Sandbox::sigSys(int nr, siginfo_t *info, void *void_context) { |
| bool Sandbox::suppressLogging_ = false; |
| Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN; |
| int Sandbox::proc_fd_ = -1; |
| -std::vector<std::pair<Sandbox::EvaluateSyscall, |
| - Sandbox::EvaluateArguments> > Sandbox::evaluators_; |
| +Sandbox::Evaluators Sandbox::evaluators_; |
| } // namespace |
