Add a platform-specific syscall number iterator.

sandbox/linux/seccomp-bpf/sandbox_bpf.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
 #define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
 
 #include <endian.h>
 #include <errno.h>
 #include <fcntl.h>
@@ skipping 69 matching lines @@
 #ifndef SYS_SECCOMP
 #define SYS_SECCOMP                   1
 #endif
 
 // Impose some reasonable maximum BPF program size. Realistically, the
 // kernel probably has much lower limits. But by limiting to less than
 // 30 bits, we can ease requirements on some of our data types.
 #define SECCOMP_MAX_PROGRAM_SIZE (1<<30)
 
 #if defined(__i386__)
-#define MIN_SYSCALL  0u
-#define MAX_SYSCALL  1024u
+#define MIN_SYSCALL         0u
+#define MAX_PUBLIC_SYSCALL  1024u
+#define MAX_SYSCALL         MAX_PUBLIC_SYSCALL
 #define SECCOMP_ARCH AUDIT_ARCH_I386
 
 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, REG_EAX)
 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, REG_EAX)
 #define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, REG_EIP)
 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, REG_EBX)
 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, REG_ECX)
 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, REG_EDX)
 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, REG_ESI)
 #define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, REG_EDI)
 #define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, REG_EBP)
 
 #elif defined(__x86_64__)
-#define MIN_SYSCALL  0u
-#define MAX_SYSCALL  1024u
+#define MIN_SYSCALL         0u
+#define MAX_PUBLIC_SYSCALL  1024u
+#define MAX_SYSCALL         MAX_PUBLIC_SYSCALL
 #define SECCOMP_ARCH AUDIT_ARCH_X86_64
 
 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, REG_RAX)
 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, REG_RAX)
 #define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, REG_RIP)
 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, REG_RDI)
 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, REG_RSI)
 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, REG_RDX)
 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, REG_R10)
 #define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, REG_R8)
 #define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, REG_R9)
 
 #elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
 // ARM EABI includes "ARM private" system calls starting at |__ARM_NR_BASE|,
 // and a "ghost syscall private to the kernel", cmpxchg,
 // at |__ARM_NR_BASE+0x00fff0|.
 // See </arch/arm/include/asm/unistd.h> in the Linux kernel.
-#define MIN_SYSCALL  ((unsigned int)__NR_SYSCALL_BASE)
-#define MAX_SYSCALL  ((unsigned int)__ARM_NR_BASE + 0x00ffffu)
+#define MIN_SYSCALL         ((unsigned int)__NR_SYSCALL_BASE)
+#define MAX_PUBLIC_SYSCALL  (MIN_SYSCALL + 1024u)
+#define MIN_PRIVATE_SYSCALL ((unsigned int)__ARM_NR_BASE)
+#define MAX_PRIVATE_SYSCALL (MIN_PRIVATE_SYSCALL + 16u)
+#define MIN_GHOST_SYSCALL   (MIN_PRIVATE_SYSCALL + 0xfff0u)
+#define MAX_SYSCALL         (MIN_GHOST_SYSCALL + 8u)
 // <linux/audit.h> includes <linux/elf-em.h>, which does not define EM_ARM.
 // <linux/elf.h> only includes <asm/elf.h> if we're in the kernel.
 # if !defined(EM_ARM)
 # define EM_ARM 40
 # endif
 #define SECCOMP_ARCH AUDIT_ARCH_ARM
 
 // ARM sigcontext_t is different from i386/x86_64.
 // See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
 // ARM EABI syscall convention.
 #define SECCOMP_RESULT(_ctx)     SECCOMP_REG(_ctx, r0)
 #define SECCOMP_SYSCALL(_ctx)    SECCOMP_REG(_ctx, r7)
 #define SECCOMP_IP(_ctx)         SECCOMP_REG(_ctx, pc)
 #define SECCOMP_PARM1(_ctx)      SECCOMP_REG(_ctx, r0)
 #define SECCOMP_PARM2(_ctx)      SECCOMP_REG(_ctx, r1)
 #define SECCOMP_PARM3(_ctx)      SECCOMP_REG(_ctx, r2)
 #define SECCOMP_PARM4(_ctx)      SECCOMP_REG(_ctx, r3)
 #define SECCOMP_PARM5(_ctx)      SECCOMP_REG(_ctx, r4)
 #define SECCOMP_PARM6(_ctx)      SECCOMP_REG(_ctx, r5)
 
 #else
 #error Unsupported target platform
 
 #endif
 
+#if defined(SECCOMP_BPF_STANDALONE)
+#define arraysize(x) sizeof(x)/sizeof(*(x)))
+#define HANDLE_EINTR TEMP_FAILURE_RETRY
+#define DISALLOW_IMPLICIT_CONSTRUCTORS(TypeName) \
+  TypeName();                                    \
+  TypeName(const TypeName&);                     \
+  void operator=(const TypeName&)
+#endif
+
 #include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/errorcode.h"
 
 namespace playground2 {
 
 struct arch_seccomp_data {
   int      nr;
   uint32_t arch;
   uint64_t instruction_pointer;
   uint64_t args[6];
 };
 
 struct arch_sigsys {
   void         *ip;
   int          nr;
   unsigned int arch;
 };
 
-#if defined(SECCOMP_BPF_STANDALONE)
-#define arraysize(x) sizeof(x)/sizeof(*(x)))
-#define HANDLE_EINTR TEMP_FAILURE_RETRY
-#define DISALLOW_IMPLICIT_CONSTRUCTORS(TypeName) \
-  TypeName();                                    \
-  TypeName(const TypeName&);                     \
-  void operator=(const TypeName&)
-#endif
-
 class Sandbox {
  public:
   enum SandboxStatus {
     STATUS_UNKNOWN,      // Status prior to calling supportsSeccompSandbox()
     STATUS_UNSUPPORTED,  // The kernel does not appear to support sandboxing
     STATUS_UNAVAILABLE,  // Currently unavailable but might work again later
     STATUS_AVAILABLE,    // Sandboxing is available but not currently active
     STATUS_ENABLED       // The sandbox is now active
   };
 
@@ skipping 19 matching lines @@
     uint32_t  value;
     ErrorCode passed;
     ErrorCode failed;
   };
 
   typedef ErrorCode (*EvaluateSyscall)(int sysno);
   typedef int       (*EvaluateArguments)(int sysno, int arg,
                                          Constraint *constraint);
   typedef std::vector<std::pair<EvaluateSyscall,EvaluateArguments> >Evaluators;
 
+  // ARM has a non-contiguous range of "private" system calls.
+  // Checks whether a particular system call number falls in that range.
+  static bool isArmPrivateSyscall(int sysnum);

[jln (very slow on Chromium), 2012/10/11 22:42:00]

This is not a good interface for the Sandbox class.

Instead the interface should be something more generic, such as
"IsValidSysCallNumber()" or something like this.

In turn, the implementation should request this to the syscall iterator class
(which could also expose a IsValidSyscallNumber() method), and in its
implementation, something such as IsArmPrivateSyscall could be used.

[Jorge Lucangeli Obes, 2012/10/12 17:58:23]

Done.

+
   // There are a lot of reasons why the Seccomp sandbox might not be available.
   // This could be because the kernel does not support Seccomp mode, or it
   // could be because another sandbox is already active.
   // "proc_fd" should be a file descriptor for "/proc", or -1 if not
   // provided by the caller.
   static SandboxStatus supportsSeccompSandbox(int proc_fd);
 
   // The sandbox needs to be able to access files in "/proc/self". If this
   // directory is not accessible when "startSandbox()" gets called, the caller
   // can provide an already opened file descriptor by calling "setProcFd()".
@@ skipping 54 matching lines @@
   typedef std::vector<struct sock_filter> Program;
   typedef std::map<uint32_t, ErrorCode> ErrMap;
   typedef std::vector<ErrorCode> Traps;
   typedef std::map<std::pair<TrapFnc, const void *>, int> TrapIds;
 
   // Get a file descriptor pointing to "/proc", if currently available.
   static int proc_fd() { return proc_fd_; }
 
   static ErrorCode probeEvaluator(int signo) __attribute__((const));
   static void      probeProcess(void);
-  static ErrorCode allowAllEvaluator(int signo);
+  static ErrorCode allowAllEvaluator(int sysnum);
   static void      tryVsyscallProcess(void);
   static bool      kernelSupportSeccompBPF(int proc_fd);
   static bool      RunFunctionInPolicy(void (*function)(),
                                        EvaluateSyscall syscallEvaluator,
                                        int proc_fd);
   static void      startSandboxInternal(bool quiet);
   static bool      isSingleThreaded(int proc_fd);
   static bool      isDenied(const ErrorCode& code);
   static bool      disableFilesystem();
   static void      policySanityChecks(EvaluateSyscall syscallEvaluator,
@@ skipping 15 matching lines @@
   static Traps         *traps_;
   static TrapIds       trapIds_;
   static ErrorCode     *trapArray_;
   static size_t        trapArraySize_;
   DISALLOW_IMPLICIT_CONSTRUCTORS(Sandbox);
 };
 
 }  // namespace
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__