Add a platform-specific syscall number iterator.

sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc

Index: sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
index 1422b5918d9a2d875bd5366a30f27a365995ac16..1079a4fa81a5d0f578e573954619059b8b1bcb21 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
@@ -41,11 +41,11 @@ SANDBOX_TEST(SandboxBpf, CallSupportsTwice) {
 // A simple blacklist test
 
 ErrorCode BlacklistNanosleepPolicy(int sysno) {
-  if (sysno < static_cast<int>(MIN_SYSCALL) ||
-      sysno > static_cast<int>(MAX_SYSCALL)) {
+  if (!Sandbox::isValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
+
   switch (sysno) {
     case __NR_nanosleep:
       return ErrorCode(EACCES);
@@ -100,11 +100,11 @@ intptr_t EnomemHandler(const struct arch_seccomp_data& args, void *aux) {
 }
 
 ErrorCode BlacklistNanosleepPolicySigsys(int sysno) {
-  if (sysno < static_cast<int>(MIN_SYSCALL) ||
-      sysno > static_cast<int>(MAX_SYSCALL)) {
+  if (!Sandbox::isValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
+
   switch (sysno) {
     case __NR_nanosleep:
       return Sandbox::Trap(EnomemHandler,
@@ -148,16 +148,16 @@ int SysnoToRandomErrno(int sysno) {
 }
 
 ErrorCode SyntheticPolicy(int sysno) {
-  if (sysno < static_cast<int>(MIN_SYSCALL) ||
-      sysno > static_cast<int>(MAX_SYSCALL)) {
-    // FIXME: we should really not have to do that in a trivial policy.
+  if (!Sandbox::isValidSyscallNumber(sysno)) {
+    // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
   }
 
-  // TODO(jorgelo): remove this restriction once crbug.com/141694 is fixed.
+// TODO(jorgelo): remove this once the new code generator lands.
 #if defined(__arm__)
-  if (sysno > kArmPublicSysnoCeiling)
+  if (sysno > static_cast<int>(MAX_PUBLIC_SYSCALL)) {
     return ErrorCode(ENOSYS);
+  }
 #endif
 
   // TODO(markus): allow calls to write(). This should start working as soon
@@ -177,17 +177,10 @@ BPF_TEST(SandboxBpf, SyntheticPolicy, SyntheticPolicy) {
   // overflow.
   BPF_ASSERT(
    std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >=
-   static_cast<int>(MAX_SYSCALL));
-
-  // TODO(jorgelo): remove this limit once crbug.com/141694 is fixed.
-#if defined(__arm__)
-  const int sysno_ceiling = kArmPublicSysnoCeiling;
-#else
-  const int sysno_ceiling = static_cast<int>(MAX_SYSCALL);
-#endif
+   static_cast<int>(MAX_PUBLIC_SYSCALL));
 
   for (int syscall_number =  static_cast<int>(MIN_SYSCALL);
-           syscall_number <= sysno_ceiling;
+           syscall_number <= static_cast<int>(MAX_PUBLIC_SYSCALL);
          ++syscall_number) {
     if (syscall_number == __NR_exit_group ||
         syscall_number == __NR_write) {
@@ -200,4 +193,44 @@ BPF_TEST(SandboxBpf, SyntheticPolicy, SyntheticPolicy) {
   }
 }
 
+#if defined(__arm__)
+// A simple policy that tests whether ARM private system calls are supported
+// by our BPF compiler and by the BPF interpreter in the kernel.
+
+// For ARM private system calls, return an errno equal to their offset from
+// __ARM_NR_BASE plus 1 (to avoid NUL errno).

[jln (very slow on Chromium), 2012/10/12 20:26:52]

You mean offset from MIN_PRIVATE_SYSCALL, no ?

[Jorge Lucangeli Obes, 2012/10/13 01:39:30]

It's the same thing:
#define MIN_PRIVATE_SYSCALL ((unsigned int)__ARM_NR_BASE)

But I agree it's confusing.

Done.

+int ArmPrivateSysnoToErrno(int sysno) {
+  if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) &&
+      sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
+    return (sysno - MIN_PRIVATE_SYSCALL) + 1;
+  } else {
+    return ENOSYS;
+  }
+}
+
+ErrorCode ArmPrivatePolicy(int sysno) {

[jln (very slow on Chromium), 2012/10/12 20:26:52]

I'm a bit worried that this wouldn't be a viable policy. Does it work if you
blow it up on purpose ?

On error, BPF_ASSERT etc could end-up needing something such as set_tls or
cacheflush().

Perhaps you could start doing that after the last known private syscall only
(for which we don't have a good symbolic name, but since this is a test,
NR_set_tls + 1 wouldn't be horrifying) ?

You could even try calling cacheflush(), it should never do any harm.

[Jorge Lucangeli Obes, 2012/10/13 01:39:30]

Done.

+  if (!Sandbox::isValidSyscallNumber(sysno)) {
+    // FIXME: we should really not have to do that in a trivial policy.
+    return ErrorCode(ENOSYS);
+  }
+
+  if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) &&
+      sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
+    return ErrorCode(ArmPrivateSysnoToErrno(sysno));
+  } else {
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+}
+
+BPF_TEST(SandboxBpf, ArmPrivatePolicy, ArmPrivatePolicy) {
+  for (int syscall_number =  static_cast<int>(MIN_PRIVATE_SYSCALL);
+           syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL);
+         ++syscall_number) {
+    errno = 0;
+    BPF_ASSERT(syscall(syscall_number) == -1);
+    BPF_ASSERT(errno == ArmPrivateSysnoToErrno(syscall_number));
+  }
+}
+#endif  // defined(__arm__)
+
 } // namespace