Add a platform-specific syscall number iterator.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <time.h>
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 
 // The kernel gives us a sandbox, we turn it into a playground :-)
 // This is version 2 of the playground; version 1 was built on top of
 // pre-BPF seccomp mode.
 namespace playground2 {
 
 // We define a really simple sandbox policy. It is just good enough for us
 // to tell that the sandbox has actually been activated.
 ErrorCode Sandbox::probeEvaluator(int signo) {
   switch (signo) {
   case __NR_getpid:
     // Return EPERM so that we can check that the filter actually ran.
     return ErrorCode(EPERM);
   case __NR_exit_group:
     // Allow exit() with a non-default return code.
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   default:
     // Make everything else fail in an easily recognizable way.
     return ErrorCode(EINVAL);
   }
 }
 
 void Sandbox::probeProcess(void) {
   if (syscall(__NR_getpid) < 0 && errno == EPERM) {
     syscall(__NR_exit_group, (intptr_t)100);
   }
 }
 
-ErrorCode Sandbox::allowAllEvaluator(int signo) {
-  if (signo < static_cast<int>(MIN_SYSCALL) ||
-      signo > static_cast<int>(MAX_SYSCALL)) {
+bool Sandbox::isArmPrivateSyscall(int sysnum) {
+  return SyscallIterator::IsArmPrivate(sysnum);
+}
+
+ErrorCode Sandbox::allowAllEvaluator(int sysnum) {
+  if (sysnum < static_cast<int>(MIN_SYSCALL) ||
+      sysnum > static_cast<int>(MAX_SYSCALL)) {
     return ErrorCode(ENOSYS);
   }
+#if defined(__arm__)
+  if (!isArmPrivateSyscall(sysnum)) {
+    return ErrorCode(ENOSYS);
+  }
+#endif
   return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
 void Sandbox::tryVsyscallProcess(void) {
   time_t current_time;
   // time() is implemented as a vsyscall. With an older glibc, with
   // vsyscall=emulate and some versions of the seccomp BPF patch
   // we may get SIGKILL-ed. Detect this!
   if (time(&current_time) != static_cast<time_t>(-1)) {
     syscall(__NR_exit_group, (intptr_t)100);
@@ skipping 213 matching lines @@
 }
 
 bool Sandbox::isDenied(const ErrorCode& code) {
   return (code.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP ||
          (code.err() >= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MIN_ERRNO) &&
           code.err() <= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MAX_ERRNO));
 }
 
 void Sandbox::policySanityChecks(EvaluateSyscall syscallEvaluator,
                                  EvaluateArguments) {
-  // Do some sanity checks on the policy. This will warn users if they do
-  // things that are likely unsafe and unintended.
-  // We also have similar checks later, when we actually compile the BPF
-  // program. That catches problems with incorrectly stacked evaluators.
-  if (!isDenied(syscallEvaluator(-1))) {
-    SANDBOX_DIE("Negative system calls should always be disallowed by policy");
-  }
-#ifndef NDEBUG
-#if defined(__i386__) || defined(__x86_64__)
-#if defined(__x86_64__) && defined(__ILP32__)
-  for (unsigned int sysnum = MIN_SYSCALL & ~0x40000000u;
-       sysnum <= (MAX_SYSCALL & ~0x40000000u);
-       ++sysnum) {
+  for (SyscallIterator iter(true); !iter.Done(); ) {

[jln (very slow on Chromium), 2012/10/11 22:42:00]

We still have the same problem as before on ARM.
We iterate over every invalid syscall number here.

[Jorge Lucangeli Obes, 2012/10/12 17:58:23]

Confirmed that we don't.

+    uint32_t sysnum = iter.Next();
     if (!isDenied(syscallEvaluator(sysnum))) {
-      SANDBOX_DIE("In x32 mode, you should not allow any non-x32 "
-                  "system calls");
+      SANDBOX_DIE("Policies should deny system calls that are outside the "
+                  "expected range (typically MIN_SYSCALL..MAX_SYSCALL)");
     }
   }
-#else
-  for (unsigned int sysnum = MIN_SYSCALL | 0x40000000u;
-       sysnum <= (MAX_SYSCALL | 0x40000000u);
-       ++sysnum) {
-    if (!isDenied(syscallEvaluator(sysnum))) {
-      SANDBOX_DIE("x32 system calls should be explicitly disallowed");
-    }
-  }
-#endif
-#endif
-#endif
-  // Check interesting boundary values just outside of the valid system call
-  // range: 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF, MIN_SYSCALL-1, MAX_SYSCALL+1.
-  // They all should be denied.
-  if (!isDenied(syscallEvaluator(std::numeric_limits<int>::max())) ||
-      !isDenied(syscallEvaluator(std::numeric_limits<int>::min())) ||
-      !isDenied(syscallEvaluator(-1)) ||
-      !isDenied(syscallEvaluator(static_cast<int>(MIN_SYSCALL) - 1)) ||
-      !isDenied(syscallEvaluator(static_cast<int>(MAX_SYSCALL) + 1))) {
-    SANDBOX_DIE("Even for default-allow policies, you must never allow system "
-                "calls outside of the standard system call range");
-  }
   return;
 }
 
 void Sandbox::setSandboxPolicy(EvaluateSyscall syscallEvaluator,
                                EvaluateArguments argumentEvaluator) {
   if (status_ == STATUS_ENABLED) {
     SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
   policySanityChecks(syscallEvaluator, argumentEvaluator);
   evaluators_.push_back(std::make_pair(syscallEvaluator, argumentEvaluator));
@@ skipping 132 matching lines @@
 
 void Sandbox::findRanges(Ranges *ranges) {
   // Please note that "struct seccomp_data" defines system calls as a signed
   // int32_t, but BPF instructions always operate on unsigned quantities. We
   // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
   // and then verifying that the rest of the number range (both positive and
   // negative) all return the same ErrorCode.
   EvaluateSyscall evaluateSyscall = evaluators_.begin()->first;
   uint32_t oldSysnum              = 0;
   ErrorCode oldErr                = evaluateSyscall(oldSysnum);
-  for (uint32_t sysnum = std::max(1u, MIN_SYSCALL);
-       sysnum <= MAX_SYSCALL + 1;
-       ++sysnum) {
+  ErrorCode invalidErr            = evaluateSyscall(MIN_SYSCALL-1);
+  for (SyscallIterator iter(false); !iter.Done(); ) {
+    uint32_t sysnum = iter.Next();
     ErrorCode err = evaluateSyscall(static_cast<int>(sysnum));
-    if (!err.Equals(oldErr)) {
+    if (!iter.IsValid(sysnum) && !invalidErr.Equals(err)) {
+      // A proper sandbox policy should always treat system calls outside of
+      // the range MIN_SYSCALL..MAX_SYSCALL (i.e. anything that returns
+      // "false" for SyscallIterator::IsValid()) identically. Typically, all
+      // of these system calls would be denied with the same ErrorCode.
+      SANDBOX_DIE("Invalid seccomp policy");
+    }
+    if (!err.Equals(oldErr) || iter.Done()) {
       ranges->push_back(Range(oldSysnum, sysnum-1, oldErr));
       oldSysnum = sysnum;
       oldErr    = err;
     }
   }
-
-  // As we looped all the way past the valid system calls (i.e. MAX_SYSCALL+1),
-  // "oldErr" should at this point be the "default" policy for all system  call
-  // numbers that don't have an explicit handler in the system call evaluator.
-  // But as we are quite paranoid, we perform some more sanity checks to verify
-  // that there actually is a consistent "default" policy in the first place.
-  // We don't actually iterate over all possible 2^32 values, though. We just
-  // perform spot checks at the boundaries.
-  // The cases that we test are:  0x7FFFFFFF, 0x80000000, 0xFFFFFFFF.
-  if (!oldErr.Equals(evaluateSyscall(std::numeric_limits<int>::max())) ||
-      !oldErr.Equals(evaluateSyscall(std::numeric_limits<int>::min())) ||
-      !oldErr.Equals(evaluateSyscall(-1))) {
-    SANDBOX_DIE("Invalid seccomp policy");
-  }
-  ranges->push_back(
-    Range(oldSysnum, std::numeric_limits<unsigned>::max(), oldErr));
 }
 
 void Sandbox::emitJumpStatements(Program *program, RetInsns *rets,
                                  Ranges::const_iterator start,
                                  Ranges::const_iterator stop) {
   // We convert the list of system call ranges into jump table that performs
   // a binary search over the ranges.
   // As a sanity check, we need to have at least two distinct ranges for us
   // to be able to build a jump table.
   if (stop - start <= 1) {
@@ skipping 213 matching lines @@
 Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
 int    Sandbox::proc_fd_                = -1;
 Sandbox::Evaluators Sandbox::evaluators_;
 Sandbox::ErrMap Sandbox::errMap_;
 Sandbox::Traps *Sandbox::traps_         = NULL;
 Sandbox::TrapIds Sandbox::trapIds_;
 ErrorCode *Sandbox::trapArray_          = NULL;
 size_t Sandbox::trapArraySize_          = 0;
 
 }  // namespace