SECCOMP-BPF: Added supported for inspection system call arguments from BPF filters.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <endian.h>
 #if __BYTE_ORDER == __BIG_ENDIAN
 // The BPF "struct seccomp_data" layout has to deal with storing 64bit
 // values that need to be inspected by a virtual machine that only ever
 // operates on 32bit values. The kernel developers decided how values
 // should be split into two 32bit words to achieve this goal. But at this
@@ skipping 54 matching lines @@
 
 // The kernel gives us a sandbox, we turn it into a playground :-)
 // This is version 2 of the playground; version 1 was built on top of
 // pre-BPF seccomp mode.
 namespace playground2 {
 
 const int kExpectedExitCode = 100;
 
 // We define a really simple sandbox policy. It is just good enough for us
 // to tell that the sandbox has actually been activated.
-ErrorCode Sandbox::probeEvaluator(int sysnum, void *) {
+ErrorCode Sandbox::ProbeEvaluator(int sysnum, void *) {
   switch (sysnum) {
   case __NR_getpid:
     // Return EPERM so that we can check that the filter actually ran.
     return ErrorCode(EPERM);
   case __NR_exit_group:
     // Allow exit() with a non-default return code.
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   default:
     // Make everything else fail in an easily recognizable way.
     return ErrorCode(EINVAL);
   }
 }
 
-void Sandbox::probeProcess(void) {
+void Sandbox::ProbeProcess(void) {
   if (syscall(__NR_getpid) < 0 && errno == EPERM) {
     syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
   }
 }
 
-bool Sandbox::isValidSyscallNumber(int sysnum) {
+bool Sandbox::IsValidSyscallNumber(int sysnum) {
   return SyscallIterator::IsValid(sysnum);
 }
 
-ErrorCode Sandbox::allowAllEvaluator(int sysnum, void *) {
-  if (!isValidSyscallNumber(sysnum)) {
+ErrorCode Sandbox::AllowAllEvaluator(int sysnum, void *) {
+  if (!IsValidSyscallNumber(sysnum)) {
     return ErrorCode(ENOSYS);
   }
   return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
-void Sandbox::tryVsyscallProcess(void) {
+void Sandbox::TryVsyscallProcess(void) {
   time_t current_time;
   // time() is implemented as a vsyscall. With an older glibc, with
   // vsyscall=emulate and some versions of the seccomp BPF patch
   // we may get SIGKILL-ed. Detect this!
   if (time(&current_time) != static_cast<time_t>(-1)) {
     syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
   }
 }
 
-bool Sandbox::RunFunctionInPolicy(void (*CodeInSandbox)(),
-                                  EvaluateSyscall syscallEvaluator,
+bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(),
+                                  EvaluateSyscall syscall_evaluator,
                                   void *aux,
                                   int proc_fd) {
   // Block all signals before forking a child process. This prevents an
   // attacker from manipulating our test by sending us an unexpected signal.
-  sigset_t oldMask, newMask;
-  if (sigfillset(&newMask) ||
-      sigprocmask(SIG_BLOCK, &newMask, &oldMask)) {
+  sigset_t old_mask, new_mask;
+  if (sigfillset(&new_mask) ||
+      sigprocmask(SIG_BLOCK, &new_mask, &old_mask)) {
     SANDBOX_DIE("sigprocmask() failed");
   }
   int fds[2];
   if (pipe2(fds, O_NONBLOCK|O_CLOEXEC)) {
     SANDBOX_DIE("pipe() failed");
   }
 
   if (fds[0] <= 2 || fds[1] <= 2) {
     SANDBOX_DIE("Process started without standard file descriptors");
   }
 
   pid_t pid = fork();
   if (pid < 0) {
     // Die if we cannot fork(). We would probably fail a little later
     // anyway, as the machine is likely very close to running out of
     // memory.
     // But what we don't want to do is return "false", as a crafty
     // attacker might cause fork() to fail at will and could trick us
     // into running without a sandbox.
-    sigprocmask(SIG_SETMASK, &oldMask, NULL);  // OK, if it fails
+    sigprocmask(SIG_SETMASK, &old_mask, NULL);  // OK, if it fails
     SANDBOX_DIE("fork() failed unexpectedly");
   }
 
   // In the child process
   if (!pid) {
     // Test a very simple sandbox policy to verify that we can
     // successfully turn on sandboxing.
     Die::EnableSimpleExit();
 
     if (HANDLE_EINTR(close(fds[0]))) {
       WriteFailedStderrSetupMessage(fds[1]);
       SANDBOX_DIE(NULL);
     }
     if (HANDLE_EINTR(dup2(fds[1], 2)) != 2) {
       // Stderr could very well be a file descriptor to .xsession-errors, or
       // another file, which could be backed by a file system that could cause
       // dup2 to fail while trying to close stderr. It's important that we do
       // not fail on trying to close stderr.
       // If dup2 fails here, we will continue normally, this means that our
       // parent won't cause a fatal failure if something writes to stderr in
       // this child.
     }
     if (HANDLE_EINTR(close(fds[1]))) {
       WriteFailedStderrSetupMessage(fds[1]);
       SANDBOX_DIE(NULL);
     }
 
     evaluators_.clear();
-    setSandboxPolicy(syscallEvaluator, aux);
-    setProcFd(proc_fd);
+    SetSandboxPolicy(syscall_evaluator, aux);
+    SetProcFd(proc_fd);
 
     // By passing "quiet=true" to "startSandboxInternal()" we suppress
     // messages for expected and benign failures (e.g. if the current
     // kernel lacks support for BPF filters).
-    startSandboxInternal(true);
+    StartSandboxInternal(true);
 
     // Run our code in the sandbox.
-    CodeInSandbox();
+    code_in_sandbox();
 
-    // CodeInSandbox() is not supposed to return here.
+    // code_in_sandbox() is not supposed to return here.
     SANDBOX_DIE(NULL);
   }
 
   // In the parent process.
   if (HANDLE_EINTR(close(fds[1]))) {
     SANDBOX_DIE("close() failed");
   }
-  if (sigprocmask(SIG_SETMASK, &oldMask, NULL)) {
+  if (sigprocmask(SIG_SETMASK, &old_mask, NULL)) {
     SANDBOX_DIE("sigprocmask() failed");
   }
   int status;
   if (HANDLE_EINTR(waitpid(pid, &status, 0)) != pid) {
     SANDBOX_DIE("waitpid() failed unexpectedly");
   }
   bool rc = WIFEXITED(status) && WEXITSTATUS(status) == kExpectedExitCode;
 
   // If we fail to support sandboxing, there might be an additional
   // error message. If so, this was an entirely unexpected and fatal
@@ skipping 11 matching lines @@
       SANDBOX_DIE(buf);
     }
   }
   if (HANDLE_EINTR(close(fds[0]))) {
     SANDBOX_DIE("close() failed");
   }
 
   return rc;
 }
 
-bool Sandbox::kernelSupportSeccompBPF(int proc_fd) {
+bool Sandbox::KernelSupportSeccompBPF(int proc_fd) {
 #if defined(SECCOMP_BPF_VALGRIND_HACKS)
   if (RUNNING_ON_VALGRIND) {
     // Valgrind doesn't like our run-time test. Disable testing and assume we
     // always support sandboxing. This feature should only ever be enabled when
     // debugging.
     return true;
   }
 #endif
 
   return
-    RunFunctionInPolicy(probeProcess, Sandbox::probeEvaluator, 0, proc_fd) &&
-    RunFunctionInPolicy(tryVsyscallProcess, Sandbox::allowAllEvaluator, 0,
+    RunFunctionInPolicy(ProbeProcess, Sandbox::ProbeEvaluator, 0, proc_fd) &&
+    RunFunctionInPolicy(TryVsyscallProcess, Sandbox::AllowAllEvaluator, 0,
                         proc_fd);
 }
 
-Sandbox::SandboxStatus Sandbox::supportsSeccompSandbox(int proc_fd) {
+Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) {
   // It the sandbox is currently active, we clearly must have support for
   // sandboxing.
   if (status_ == STATUS_ENABLED) {
     return status_;
   }
 
   // Even if the sandbox was previously available, something might have
   // changed in our run-time environment. Check one more time.
   if (status_ == STATUS_AVAILABLE) {
-    if (!isSingleThreaded(proc_fd)) {
+    if (!IsSingleThreaded(proc_fd)) {
       status_ = STATUS_UNAVAILABLE;
     }
     return status_;
   }
 
-  if (status_ == STATUS_UNAVAILABLE && isSingleThreaded(proc_fd)) {
+  if (status_ == STATUS_UNAVAILABLE && IsSingleThreaded(proc_fd)) {
     // All state transitions resulting in STATUS_UNAVAILABLE are immediately
     // preceded by STATUS_AVAILABLE. Furthermore, these transitions all
     // happen, if and only if they are triggered by the process being multi-
     // threaded.
     // In other words, if a single-threaded process is currently in the
     // STATUS_UNAVAILABLE state, it is safe to assume that sandboxing is
     // actually available.
     status_ = STATUS_AVAILABLE;
     return status_;
   }
 
   // If we have not previously checked for availability of the sandbox or if
   // we otherwise don't believe to have a good cached value, we have to
   // perform a thorough check now.
   if (status_ == STATUS_UNKNOWN) {
-    status_ = kernelSupportSeccompBPF(proc_fd)
+    status_ = KernelSupportSeccompBPF(proc_fd)
       ? STATUS_AVAILABLE : STATUS_UNSUPPORTED;
 
     // As we are performing our tests from a child process, the run-time
     // environment that is visible to the sandbox is always guaranteed to be
     // single-threaded. Let's check here whether the caller is single-
     // threaded. Otherwise, we mark the sandbox as temporarily unavailable.
-    if (status_ == STATUS_AVAILABLE && !isSingleThreaded(proc_fd)) {
+    if (status_ == STATUS_AVAILABLE && !IsSingleThreaded(proc_fd)) {
       status_ = STATUS_UNAVAILABLE;
     }
   }
   return status_;
 }
 
-void Sandbox::setProcFd(int proc_fd) {
+void Sandbox::SetProcFd(int proc_fd) {
   proc_fd_ = proc_fd;
 }
 
-void Sandbox::startSandboxInternal(bool quiet) {
+void Sandbox::StartSandboxInternal(bool quiet) {
   if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
     SANDBOX_DIE("Trying to start sandbox, even though it is known to be "
                 "unavailable");
   } else if (status_ == STATUS_ENABLED) {
     SANDBOX_DIE("Cannot start sandbox recursively. Use multiple calls to "
                 "setSandboxPolicy() to stack policies instead");
   }
   if (proc_fd_ < 0) {
     proc_fd_ = open("/proc", O_RDONLY|O_DIRECTORY);
   }
   if (proc_fd_ < 0) {
     // For now, continue in degraded mode, if we can't access /proc.
     // In the future, we might want to tighten this requirement.
   }
-  if (!isSingleThreaded(proc_fd_)) {
+  if (!IsSingleThreaded(proc_fd_)) {
     SANDBOX_DIE("Cannot start sandbox, if process is already multi-threaded");
   }
 
   // We no longer need access to any files in /proc. We want to do this
   // before installing the filters, just in case that our policy denies
   // close().
   if (proc_fd_ >= 0) {
     if (HANDLE_EINTR(close(proc_fd_))) {
       SANDBOX_DIE("Failed to close file descriptor for /proc");
     }
     proc_fd_ = -1;
   }
 
   // Install the filters.
-  installFilter(quiet);
+  InstallFilter(quiet);
 
   // We are now inside the sandbox.
   status_ = STATUS_ENABLED;
 }
 
-bool Sandbox::isSingleThreaded(int proc_fd) {
+bool Sandbox::IsSingleThreaded(int proc_fd) {
   if (proc_fd < 0) {
     // Cannot determine whether program is single-threaded. Hope for
     // the best...
     return true;
   }
 
   struct stat sb;
   int task = -1;
   if ((task = openat(proc_fd, "self/task", O_RDONLY|O_DIRECTORY)) < 0 ||
       fstat(task, &sb) != 0 ||
       sb.st_nlink != 3 ||
       HANDLE_EINTR(close(task))) {
     if (task >= 0) {
       if (HANDLE_EINTR(close(task))) { }
     }
     return false;
   }
   return true;
 }
 
-bool Sandbox::isDenied(const ErrorCode& code) {
+bool Sandbox::IsDenied(const ErrorCode& code) {
   return (code.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP ||
          (code.err() >= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MIN_ERRNO) &&
           code.err() <= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MAX_ERRNO));
 }
 
-void Sandbox::policySanityChecks(EvaluateSyscall syscallEvaluator,
+void Sandbox::PolicySanityChecks(EvaluateSyscall syscall_evaluator,
                                  void *aux) {
   for (SyscallIterator iter(true); !iter.Done(); ) {
     uint32_t sysnum = iter.Next();
-    if (!isDenied(syscallEvaluator(sysnum, aux))) {
+    if (!IsDenied(syscall_evaluator(sysnum, aux))) {
       SANDBOX_DIE("Policies should deny system calls that are outside the "
                   "expected range (typically MIN_SYSCALL..MAX_SYSCALL)");
     }
   }
   return;
 }
 
 void Sandbox::CheckForUnsafeErrorCodes(Instruction *insn, void *aux) {
   if (BPF_CLASS(insn->code) == BPF_RET &&
       insn->k >  SECCOMP_RET_TRAP &&
-      insn->k - SECCOMP_RET_TRAP <= trapArraySize_) {
-    const ErrorCode& err = trapArray_[insn->k - SECCOMP_RET_TRAP - 1];
+      insn->k - SECCOMP_RET_TRAP <= trap_array_size_) {
+    const ErrorCode& err = trap_array_[insn->k - SECCOMP_RET_TRAP - 1];
     if (!err.safe_) {
       bool *is_unsafe = static_cast<bool *>(aux);
       *is_unsafe = true;
     }
   }
 }
 
-void Sandbox::RedirectToUserspace(Instruction *insn, void *aux) {
+void Sandbox::RedirectToUserspace(Instruction *insn, void *) {
   // When inside an UnsafeTrap() callback, we want to allow all system calls.
   // This means, we must conditionally disable the sandbox -- and that's not
   // something that kernel-side BPF filters can do, as they cannot inspect
   // any state other than the syscall arguments.
   // But if we redirect all error handlers to user-space, then we can easily
   // make this decision.
   // The performance penalty for this extra round-trip to user-space is not
   // actually that bad, as we only ever pay it for denied system calls; and a
   // typical program has very few of these.
   if (BPF_CLASS(insn->code) == BPF_RET &&
       (insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
     insn->k = Trap(ReturnErrno,
                    reinterpret_cast<void *>(insn->k & SECCOMP_RET_DATA)).err();
   }
 }
 
 ErrorCode Sandbox::RedirectToUserspaceEvalWrapper(int sysnum, void *aux) {
   // We need to replicate the behavior of RedirectToUserspace(), so that our
   // Verifier can still work correctly.
   Evaluators *evaluators = reinterpret_cast<Evaluators *>(aux);
   const std::pair<EvaluateSyscall, void *>& evaluator = *evaluators->begin();
   ErrorCode err = evaluator.first(sysnum, evaluator.second);
   if ((err.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
     return Trap(ReturnErrno,
                 reinterpret_cast<void *>(err.err() & SECCOMP_RET_DATA));
   }
   return err;
 }
 
-void Sandbox::setSandboxPolicy(EvaluateSyscall syscallEvaluator, void *aux) {
+void Sandbox::SetSandboxPolicy(EvaluateSyscall syscall_evaluator, void *aux) {
   if (status_ == STATUS_ENABLED) {
     SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
-  policySanityChecks(syscallEvaluator, aux);
-  evaluators_.push_back(std::make_pair(syscallEvaluator, aux));
+  PolicySanityChecks(syscall_evaluator, aux);
+  evaluators_.push_back(std::make_pair(syscall_evaluator, aux));
 }
 
-void Sandbox::installFilter(bool quiet) {
+void Sandbox::InstallFilter(bool quiet) {
   // Verify that the user pushed a policy.
   if (evaluators_.empty()) {
   filter_failed:
     SANDBOX_DIE("Failed to configure system call filters");
   }
 
   // Set new SIGSYS handler
   struct sigaction sa;
   memset(&sa, 0, sizeof(sa));
-  sa.sa_sigaction = sigSys;
+  sa.sa_sigaction = SigSys;
   sa.sa_flags = SA_SIGINFO | SA_NODEFER;
   if (sigaction(SIGSYS, &sa, NULL) < 0) {
     goto filter_failed;
   }
 
   // Unmask SIGSYS
   sigset_t mask;
   if (sigemptyset(&mask) ||
       sigaddset(&mask, SIGSYS) ||
       sigprocmask(SIG_UNBLOCK, &mask, NULL)) {
@@ skipping 15 matching lines @@
   // If the architecture doesn't match SECCOMP_ARCH, disallow the
   // system call.
   Instruction *tail;
   Instruction *head =
     gen->MakeInstruction(BPF_LD+BPF_W+BPF_ABS,
                          offsetof(struct arch_seccomp_data, arch),
   tail =
     gen->MakeInstruction(BPF_JMP+BPF_JEQ+BPF_K, SECCOMP_ARCH,
                          NULL,
     gen->MakeInstruction(BPF_RET+BPF_K,
-                         Kill(
-                           "Invalid audit architecture in BPF filter").err_)));
+                         Kill("Invalid audit architecture in BPF filter"))));
 
   {
     // Evaluate all possible system calls and group their ErrorCodes into
     // ranges of identical codes.
     Ranges ranges;
-    findRanges(&ranges);
+    FindRanges(&ranges);
 
     // Compile the system call ranges to an optimized BPF jumptable
     Instruction *jumptable =
-      assembleJumpTable(gen, ranges.begin(), ranges.end());
+      AssembleJumpTable(gen, ranges.begin(), ranges.end());
 
     // If there is at least one UnsafeTrap() in our program, the entire sandbox
     // is unsafe. We need to modify the program so that all non-
     // SECCOMP_RET_ALLOW ErrorCodes are handled in user-space. This will then
     // allow us to temporarily disable sandboxing rules inside of callbacks to
     // UnsafeTrap().
     has_unsafe_traps_ = false;
     gen->Traverse(jumptable, CheckForUnsafeErrorCodes, &has_unsafe_traps_);
 
     // Grab the system call number, so that we can implement jump tables.
@@ skipping 135 matching lines @@
   // system memory allocator that is in effect, these operators can result
   // in system calls to things like munmap() or brk().
   struct sock_filter bpf[program->size()];
   const struct sock_fprog prog = {
     static_cast<unsigned short>(program->size()), bpf };
   memcpy(bpf, &(*program)[0], sizeof(bpf));
   delete program;
 
   // Release memory that is no longer needed
   evaluators_.clear();
+  conds_.clear();
 
 #if defined(SECCOMP_BPF_VALGRIND_HACKS)
   // Valgrind is really not happy about our sandbox. Disable it when running
   // in Valgrind. This feature is dangerous and should never be enabled by
   // default. We protect it behind a pre-processor option.
   if (!RUNNING_ON_VALGRIND)
 #endif
   {
     // Install BPF filter program
     if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
       SANDBOX_DIE(quiet ? NULL : "Kernel refuses to enable no-new-privs");
     } else {
       if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
         SANDBOX_DIE(quiet ? NULL : "Kernel refuses to turn on BPF filters");
       }
     }
   }
 
   return;
 }
 
-void Sandbox::findRanges(Ranges *ranges) {
+void Sandbox::FindRanges(Ranges *ranges) {
   // Please note that "struct seccomp_data" defines system calls as a signed
   // int32_t, but BPF instructions always operate on unsigned quantities. We
   // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
   // and then verifying that the rest of the number range (both positive and
   // negative) all return the same ErrorCode.
-  EvaluateSyscall evaluateSyscall = evaluators_.begin()->first;
-  void *aux                       = evaluators_.begin()->second;
-  uint32_t oldSysnum              = 0;
-  ErrorCode oldErr                = evaluateSyscall(oldSysnum, aux);
-  ErrorCode invalidErr            = evaluateSyscall(MIN_SYSCALL - 1, aux);
+  EvaluateSyscall evaluate_syscall = evaluators_.begin()->first;
+  void *aux                        = evaluators_.begin()->second;
+  uint32_t old_sysnum              = 0;
+  ErrorCode old_err                = evaluate_syscall(old_sysnum, aux);
+  ErrorCode invalid_err            = evaluate_syscall(MIN_SYSCALL - 1, aux);
   for (SyscallIterator iter(false); !iter.Done(); ) {
     uint32_t sysnum = iter.Next();
-    ErrorCode err = evaluateSyscall(static_cast<int>(sysnum), aux);
-    if (!iter.IsValid(sysnum) && !invalidErr.Equals(err)) {
+    ErrorCode err = evaluate_syscall(static_cast<int>(sysnum), aux);
+    if (!iter.IsValid(sysnum) && !invalid_err.Equals(err)) {
       // A proper sandbox policy should always treat system calls outside of
       // the range MIN_SYSCALL..MAX_SYSCALL (i.e. anything that returns
       // "false" for SyscallIterator::IsValid()) identically. Typically, all
       // of these system calls would be denied with the same ErrorCode.
       SANDBOX_DIE("Invalid seccomp policy");
     }
-    if (!err.Equals(oldErr) || iter.Done()) {
-      ranges->push_back(Range(oldSysnum, sysnum - 1, oldErr));
-      oldSysnum = sysnum;
-      oldErr    = err;
+    if (!err.Equals(old_err) || iter.Done()) {
+      ranges->push_back(Range(old_sysnum, sysnum - 1, old_err));
+      old_sysnum = sysnum;
+      old_err    = err;
     }
   }
 }
 
-Instruction *Sandbox::assembleJumpTable(CodeGen *gen,
+Instruction *Sandbox::AssembleJumpTable(CodeGen *gen,
                                         Ranges::const_iterator start,
                                         Ranges::const_iterator stop) {
   // We convert the list of system call ranges into jump table that performs
   // a binary search over the ranges.
   // As a sanity check, we need to have at least one distinct ranges for us
   // to be able to build a jump table.
   if (stop - start <= 0) {
     SANDBOX_DIE("Invalid set of system call ranges");
   } else if (stop - start == 1) {
     // If we have narrowed things down to a single range object, we can
     // return from the BPF filter program.
-    return gen->MakeInstruction(BPF_RET+BPF_K, start->err);
+    return RetExpression(gen, start->err);
   }
 
   // Pick the range object that is located at the mid point of our list.
   // We compare our system call number against the lowest valid system call
   // number in this range object. If our number is lower, it is outside of
   // this range object. If it is greater or equal, it might be inside.
   Ranges::const_iterator mid = start + (stop - start)/2;
 
   // Sub-divide the list of ranges and continue recursively.
-  Instruction *jf = assembleJumpTable(gen, start, mid);
-  Instruction *jt = assembleJumpTable(gen, mid, stop);
+  Instruction *jf = AssembleJumpTable(gen, start, mid);
+  Instruction *jt = AssembleJumpTable(gen, mid, stop);
   return gen->MakeInstruction(BPF_JMP+BPF_JGE+BPF_K, mid->from, jt, jf);
 }
 
-void Sandbox::sigSys(int nr, siginfo_t *info, void *void_context) {
+Instruction *Sandbox::RetExpression(CodeGen *gen, const ErrorCode& cond) {
+  if (cond.error_type_ == ErrorCode::ET_COND) {
+    return CondExpression(gen, cond);
+  } else {
+    return gen->MakeInstruction(BPF_RET+BPF_K, cond);
+  }
+}
+
+Instruction *Sandbox::CondExpression(CodeGen *gen, const ErrorCode& cond) {
+  // We can only inspect the six system call arguments that are passed in
+  // CPU registers.

[jln (very slow on Chromium), 2012/12/06 00:35:00]

It's even worse than that and is architecture dependent.

On IA32, the sixth argument is on the stack.

[Markus (顧孟勤), 2012/12/12 20:54:35]

I am almost certain this is a red herring. Yes, for SYSENTER, the argument is
placed on the stack. But the kernel then quickly retrieves it from there and the
rest of the code path is identical to what we are doing for "int $0x80". This
all happens before BPF filters come into play. So, no risk of any race
conditions.

On 2012/12/06 00:35:00, Julien Tinnes wrote:

+  if (cond.argno_ < 0 || cond.argno_ >= 6) {
+    SANDBOX_DIE("Internal compiler error; invalid argument number "
+                "encountered");
+  }
+
+  // BPF programs operate on 32bit entities. Load both halfs of the 64bit
+  // system call argument and then generate suitable conditional statements.
+  Instruction *msb = gen->MakeInstruction(BPF_LD+BPF_W+BPF_ABS,
+    offsetof(struct arch_seccomp_data, args) +
+    cond.argno_ * sizeof(uint64_t) +
+    (__BYTE_ORDER == __BIG_ENDIAN ? 0 : 4));  // Most significant bits
+  Instruction *lsb = gen->MakeInstruction(BPF_LD+BPF_W+BPF_ABS,
+    offsetof(struct arch_seccomp_data, args) +
+    cond.argno_ * sizeof(uint64_t) +
+    (__BYTE_ORDER == __BIG_ENDIAN ? 4 : 0));  // Least significant bits
+
+  // Emit a suitable comparison statement.
+  switch (cond.op_) {
+  case ErrorCode::OP_EQUAL:
+    // Compare the least significant bits for equality
+    gen->JoinInstructions(lsb,
+      gen->MakeInstruction(BPF_JMP+BPF_JEQ+BPF_K,
+                           static_cast<uint32_t>(cond.value_),
+                           RetExpression(gen, *cond.passed_),
+                           RetExpression(gen, *cond.failed_)));
+
+    // If we are looking at a 64bit argument, we need to also compare the
+    // most significant bits.
+    if (cond.width_ == ErrorCode::TP_64BIT) {
+      lsb = gen->MakeInstruction(BPF_JMP+BPF_JEQ+BPF_K,
+                                 static_cast<uint32_t>(cond.value_ >> 32),
+                                 lsb,
+                                 RetExpression(gen, *cond.failed_));
+    }
+    break;
+  default:
+    // TODO(markus): We can only check for equality so far.
+    SANDBOX_DIE("Not implemented");
+    break;
+  }
+
+  // Ensure that we never pass a 64bit value, when we only expect a 32bit
+  // value.
+  if (cond.width_ == ErrorCode::TP_32BIT) {
+    gen->JoinInstructions(msb,
+      gen->MakeInstruction(BPF_JMP+BPF_JEQ+BPF_K, 0, lsb,
+        RetExpression(gen, Kill("Unexpected 64bit argument detected"))));
+  } else {
+    gen->JoinInstructions(msb, lsb);
+  }
+
+  return msb;
+}
+
+void Sandbox::SigSys(int nr, siginfo_t *info, void *void_context) {
   // Various sanity checks to make sure we actually received a signal
   // triggered by a BPF filter. If something else triggered SIGSYS
   // (e.g. kill()), there is really nothing we can do with this signal.
   if (nr != SIGSYS || info->si_code != SYS_SECCOMP || !void_context ||
       info->si_errno <= 0 ||
-      static_cast<size_t>(info->si_errno) > trapArraySize_) {
+      static_cast<size_t>(info->si_errno) > trap_array_size_) {
     // SANDBOX_DIE() can call LOG(FATAL). This is not normally async-signal
     // safe and can lead to bugs. We should eventually implement a different
     // logging and reporting mechanism that is safe to be called from
     // the sigSys() handler.
     // TODO: If we feel confident that our code otherwise works correctly, we
     //       could actually make an argument that spurious SIGSYS should
     //       just get silently ignored. TBD
   sigsys_err:
     SANDBOX_DIE("Unexpected SIGSYS received");
   }
@@ skipping 23 matching lines @@
   if (has_unsafe_traps_ && GetIsInSigHandler(ctx)) {
     errno = old_errno;
     if (sigsys.nr == __NR_clone) {
       SANDBOX_DIE("Cannot call clone() from an UnsafeTrap() handler");
     }
     rc = SandboxSyscall(sigsys.nr,
                         SECCOMP_PARM1(ctx), SECCOMP_PARM2(ctx),
                         SECCOMP_PARM3(ctx), SECCOMP_PARM4(ctx),
                         SECCOMP_PARM5(ctx), SECCOMP_PARM6(ctx));
   } else {
-    const ErrorCode& err = trapArray_[info->si_errno - 1];
+    const ErrorCode& err = trap_array_[info->si_errno - 1];
     if (!err.safe_) {
       SetIsInSigHandler();
     }
 
     // Copy the seccomp-specific data into a arch_seccomp_data structure. This
     // is what we are showing to TrapFnc callbacks that the system call
     // evaluator registered with the sandbox.
     struct arch_seccomp_data data = {
       sigsys.nr,
       SECCOMP_ARCH,
@@ skipping 30 matching lines @@
   } else {
     return safe < o.safe;
   }
 }
 
 ErrorCode Sandbox::MakeTrap(ErrorCode::TrapFnc fnc, const void *aux,
                             bool safe) {
   // Each unique pair of TrapFnc and auxiliary data make up a distinct instance
   // of a SECCOMP_RET_TRAP.
   TrapKey key(fnc, aux, safe);
-  TrapIds::const_iterator iter = trapIds_.find(key);
+  TrapIds::const_iterator iter = trap_ids_.find(key);
   uint16_t id;
-  if (iter != trapIds_.end()) {
+  if (iter != trap_ids_.end()) {
     // We have seen this pair before. Return the same id that we assigned
     // earlier.
     id = iter->second;
   } else {
     // This is a new pair. Remember it and assign a new id.
     // Please note that we have to store traps in memory that doesn't get
     // deallocated when the program is shutting down. A memory leak is
     // intentional, because we might otherwise not be able to execute
     // system calls part way through the program shutting down
     if (!traps_) {
       traps_ = new Traps();
     }
     if (traps_->size() >= SECCOMP_RET_DATA) {
       // In practice, this is pretty much impossible to trigger, as there
       // are other kernel limitations that restrict overall BPF program sizes.
       SANDBOX_DIE("Too many SECCOMP_RET_TRAP callback instances");
     }
     id = traps_->size() + 1;
 
     traps_->push_back(ErrorCode(fnc, aux, safe, id));
-    trapIds_[key] = id;
+    trap_ids_[key] = id;
 
     // We want to access the traps_ vector from our signal handler. But
     // we are not assured that doing so is async-signal safe. On the other
     // hand, C++ guarantees that the contents of a vector is stored in a
     // contiguous C-style array.
     // So, we look up the address and size of this array outside of the
     // signal handler, where we can safely do so.
-    trapArray_     = &(*traps_)[0];
-    trapArraySize_ = id;
+    trap_array_      = &(*traps_)[0];
+    trap_array_size_ = id;
     return traps_->back();
   }
 
   return ErrorCode(fnc, aux, safe, id);
 }
 
 ErrorCode Sandbox::Trap(ErrorCode::TrapFnc fnc, const void *aux) {
   return MakeTrap(fnc, aux, true /* Safe Trap */);
 }
 
@@ skipping 13 matching lines @@
 
 intptr_t Sandbox::ReturnErrno(const struct arch_seccomp_data&, void *aux) {
   // TrapFnc functions report error by following the native kernel convention
   // of returning an exit code in the range of -1..-4096. They do not try to
   // set errno themselves. The glibc wrapper that triggered the SIGSYS will
   // ultimately do so for us.
   int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
   return -err;
 }
 
-intptr_t Sandbox::bpfFailure(const struct arch_seccomp_data&, void *aux) {
+ErrorCode Sandbox::Cond(int argno, ErrorCode::ArgType width,
+                        ErrorCode::Operation op, uint64_t value,
+                        const ErrorCode& passed, const ErrorCode& failed) {
+  return ErrorCode(argno, width, op, value,
+                   &*conds_.insert(passed).first,
+                   &*conds_.insert(failed).first);
+}
+
+intptr_t Sandbox::BpfFailure(const struct arch_seccomp_data&, void *aux) {
   SANDBOX_DIE(static_cast<char *>(aux));
 }
 
 ErrorCode Sandbox::Kill(const char *msg) {
-  return Trap(bpfFailure, const_cast<char *>(msg));
+  return Trap(BpfFailure, const_cast<char *>(msg));
 }
 
 Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
-int    Sandbox::proc_fd_                = -1;
+int Sandbox::proc_fd_                   = -1;
 Sandbox::Evaluators Sandbox::evaluators_;
 Sandbox::Traps *Sandbox::traps_         = NULL;
-Sandbox::TrapIds Sandbox::trapIds_;
-ErrorCode *Sandbox::trapArray_          = NULL;
-size_t Sandbox::trapArraySize_          = 0;
+Sandbox::TrapIds Sandbox::trap_ids_;
+ErrorCode *Sandbox::trap_array_         = NULL;
+size_t Sandbox::trap_array_size_        = 0;
   bool Sandbox::has_unsafe_traps_       = false;
+Sandbox::Conds Sandbox::conds_;
 
 }  // namespace