SECCOMP-BPF: Added supported for inspection system call arguments from BPF filters.

sandbox/linux/seccomp-bpf/sandbox_bpf.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
 #define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
 
 #include <endian.h>
 #include <errno.h>
 #include <fcntl.h>
@@ skipping 19 matching lines @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/uio.h>
 #include <sys/wait.h>
 #include <time.h>
 #include <unistd.h>
 
 #include <algorithm>
 #include <limits>
 #include <map>
+#include <set>
 #include <utility>
 #include <vector>
 
 #ifndef SECCOMP_BPF_STANDALONE
 #include "base/basictypes.h"
 #include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #endif
 
 #if defined(SECCOMP_BPF_VALGRIND_HACKS)
@@ skipping 12 matching lines @@
 #define PR_GET_NO_NEW_PRIVS          39
 #endif
 #ifndef IPC_64
 #define IPC_64                   0x0100
 #endif
 #ifndef SECCOMP_MODE_FILTER
 #define SECCOMP_MODE_DISABLED         0
 #define SECCOMP_MODE_STRICT           1
 #define SECCOMP_MODE_FILTER           2  // User user-supplied filter
 #define SECCOMP_RET_KILL    0x00000000U  // Kill the task immediately
+#define SECCOMP_RET_INVALID 0x00010000U  // Illegal return value

[jln (very slow on Chromium), 2012/12/06 00:35:00]

Maybe make it clear that's it's not an upstream value ?

Also why does this work? linux/seccomp.h is commented above, is that why ?

Shouldn't you uncomment it and put this one out of the #ifdef ? (Which should be
a #if !defined() btw).

[Markus (顧孟勤), 2012/12/12 20:54:35]

We cannot uncomment the include statement, as the code will then not compile on
our older build bots. Unfortunately, there is no way in C to say "try to include
this file, iff it exists".

So, for now, we just document that we would like to include it. But we don't do
so ... yet. If our build bots are updated at some point, we can revisit that
decision -- but overall, it is harmless to leave it commented out.

What I expect to happen is that in the future, when we refactor this whole file,
we will have a "ports.h" file that makes all of this a lot clearer. That's what
we have traditionally been doing both in Google3 and in other open source
projects released by Google.

On 2012/12/06 00:35:00, Julien Tinnes wrote:

 #define SECCOMP_RET_TRAP    0x00030000U  // Disallow and force a SIGSYS
 #define SECCOMP_RET_ERRNO   0x00050000U  // Returns an errno
 #define SECCOMP_RET_TRACE   0x7ff00000U  // Pass to a tracer or disallow
 #define SECCOMP_RET_ALLOW   0x7fff0000U  // Allow
-#define SECCOMP_RET_INVALID 0x8f8f8f8fU  // Illegal return value
 #define SECCOMP_RET_ACTION  0xffff0000U  // Masks for the return value
 #define SECCOMP_RET_DATA    0x0000ffffU  //   sections
 #endif
 #define SECCOMP_DENY_ERRNO  EPERM
 #ifndef SYS_SECCOMP
 #define SYS_SECCOMP                   1
 #endif
 
 // Impose some reasonable maximum BPF program size. Realistically, the
 // kernel probably has much lower limits. But by limiting to less than
@@ skipping 126 matching lines @@
   // Please note that TrapFnc is executed from signal context and must be
   // async-signal safe:
   // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
   // Also note that it follows the calling convention of native system calls.
   // In other words, it reports an error by returning an exit code in the
   // range -1..-4096. It should not set errno when reporting errors; on the
   // other hand, accidentally modifying errno is harmless and the changes will
   // be undone afterwards.
   typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void *aux);
 
-  enum Operation {
-    OP_NOP, OP_EQUAL, OP_NOTEQUAL, OP_LESS,
-    OP_LESS_EQUAL, OP_GREATER, OP_GREATER_EQUAL,
-    OP_HAS_BITS, OP_DOES_NOT_HAVE_BITS
-  };
-
-  struct Constraint {
-    bool      is32bit;
-    Operation op;
-    uint32_t  value;
-    ErrorCode passed;
-    ErrorCode failed;
-  };
-
   // When calling setSandboxPolicy(), the caller can provide an arbitrary
   // pointer. This pointer will then be forwarded to the sandbox policy
   // each time a call is made through an EvaluateSyscall function pointer.
   // One common use case would be to pass the "aux" pointer as an argument
   // to Trap() functions.
   typedef ErrorCode (*EvaluateSyscall)(int sysnum, void *aux);
   typedef std::vector<std::pair<EvaluateSyscall, void *> >Evaluators;
 
   // Checks whether a particular system call number is valid on the current
   // architecture. E.g. on ARM there's a non-contiguous range of private
   // system calls.
-  static bool isValidSyscallNumber(int sysnum);
+  static bool IsValidSyscallNumber(int sysnum);
 
   // There are a lot of reasons why the Seccomp sandbox might not be available.
   // This could be because the kernel does not support Seccomp mode, or it
   // could be because another sandbox is already active.
   // "proc_fd" should be a file descriptor for "/proc", or -1 if not
   // provided by the caller.
-  static SandboxStatus supportsSeccompSandbox(int proc_fd);
+  static SandboxStatus SupportsSeccompSandbox(int proc_fd);
 
   // The sandbox needs to be able to access files in "/proc/self". If this
   // directory is not accessible when "startSandbox()" gets called, the caller
   // can provide an already opened file descriptor by calling "setProcFd()".
   // The sandbox becomes the new owner of this file descriptor and will
   // eventually close it when "startSandbox()" executes.
-  static void setProcFd(int proc_fd);
+  static void SetProcFd(int proc_fd);
 
   // The system call evaluator function is called with the system
   // call number. It can decide to allow the system call unconditionally
   // by returning ERR_ALLOWED; it can deny the system call unconditionally by
   // returning an appropriate "errno" value; or it can request inspection
   // of system call argument(s) by returning a suitable ErrorCode.
   // The "aux" parameter can be used to pass optional data to the system call
   // evaluator. There are different possible uses for this data, but one of the
   // use cases would be for the policy to then forward this pointer to a Trap()
   // handler. In this case, of course, the data that is pointed to must remain
   // valid for the entire time that Trap() handlers can be called; typically,
   // this would be the lifetime of the program.
-  static void setSandboxPolicy(EvaluateSyscall syscallEvaluator, void *aux);
+  static void SetSandboxPolicy(EvaluateSyscall syscallEvaluator, void *aux);
 
   // We can use ErrorCode to request calling of a trap handler. This method
   // performs the required wrapping of the callback function into an
   // ErrorCode object.
   // The "aux" field can carry a pointer to arbitrary data. See EvaluateSyscall
   // for a description of how to pass data from setSandboxPolicy() to a Trap()
   // handler.
   static ErrorCode Trap(ErrorCode::TrapFnc fnc, const void *aux);
 
   // Calls a user-space trap handler and disables all sandboxing for system
   // calls made from this trap handler.
   // NOTE: This feature, by definition, disables all security features of
   //   the sandbox. It should never be used in production, but it can be
   //   very useful to diagnose code that is incompatible with the sandbox.
   //   If even a single system call returns "UnsafeTrap", the security of
   //   entire sandbox should be considered compromised.
   static ErrorCode UnsafeTrap(ErrorCode::TrapFnc fnc, const void *aux);
 
   // From within an UnsafeTrap() it is often useful to be able to execute
   // the system call that triggered the trap. The ForwardSyscall() method
   // makes this easy. It is more efficient than calling glibc's syscall()
   // function, as it avoid the extra round-trip to the signal handler. And
   // it automatically does the correct thing to report kernel-style error
   // conditions, rather than setting errno. See the comments for TrapFnc for
   // details. In other words, the return value from ForwardSyscall() is
   // directly suitable as a return value for a trap handler.
   static intptr_t ForwardSyscall(const struct arch_seccomp_data& args);
 
+  // We can also use ErrorCode to request evaluation of a conditional
+  // statement based on inspection of system call parameters.
+  // This method wrap an ErrorCode object around the conditional statement.
+  // Argument "argno" (1..6) will be compared to "value" using comparator
+  // "op". If the condition is true "passed" will be returned, otherwise
+  // "failed".
+  // If "is32bit" is set, the argument must in the range of 0x0..(1u << 32 - 1)
+  // If it is outside this range, the sandbox treats the system call just
+  // the same as any other ABI violation (i.e. it aborts with an error
+  // message).
+  static ErrorCode Cond(int argno, ErrorCode::ArgType is_32bit,
+                        ErrorCode::Operation op,
+                        uint64_t value, const ErrorCode& passed,
+                        const ErrorCode& failed);
+
   // Kill the program and print an error message.
   static ErrorCode Kill(const char *msg);
 
   // This is the main public entry point. It finds all system calls that
   // need rewriting, sets up the resources needed by the sandbox, and
   // enters Seccomp mode.
-  static void startSandbox() { startSandboxInternal(false); }
+  static void StartSandbox() { StartSandboxInternal(false); }
 
  private:
-  friend class ErrorCode;
   friend class CodeGen;
   friend class SandboxUnittestHelper;
+  friend class ErrorCode;
   friend class Util;
   friend class Verifier;
 
   typedef std::vector<struct sock_filter> Program;
 
   struct Range {
     Range(uint32_t f, uint32_t t, const ErrorCode& e)
         : from(f),
           to(t),
           err(e) {
     }
     uint32_t  from, to;
     ErrorCode err;
   };
   struct TrapKey {
     TrapKey(TrapFnc f, const void *a, bool s)
         : fnc(f),
           aux(a),
           safe(s) {
     }
     TrapFnc    fnc;
     const void *aux;
     bool       safe;
     bool operator<(const TrapKey&) const;
   };
   typedef std::vector<Range> Ranges;
   typedef std::map<uint32_t, ErrorCode> ErrMap;
   typedef std::vector<ErrorCode> Traps;
   typedef std::map<TrapKey, uint16_t> TrapIds;
+  typedef std::set<ErrorCode, struct ErrorCode::LessThan> Conds;
 
   // Get a file descriptor pointing to "/proc", if currently available.
-  static int proc_fd() { return proc_fd_; }
+  static int ProcFd() { return proc_fd_; }
 
-  static ErrorCode probeEvaluator(int sysnum, void *) __attribute__((const));
-  static void      probeProcess(void);
-  static ErrorCode allowAllEvaluator(int sysnum, void *aux);
-  static void      tryVsyscallProcess(void);
-  static bool      kernelSupportSeccompBPF(int proc_fd);
+  static ErrorCode ProbeEvaluator(int sysnum, void *) __attribute__((const));
+  static void      ProbeProcess(void);
+  static ErrorCode AllowAllEvaluator(int sysnum, void *aux);
+  static void      TryVsyscallProcess(void);
+  static bool      KernelSupportSeccompBPF(int proc_fd);
   static bool      RunFunctionInPolicy(void (*function)(),
-                                       EvaluateSyscall syscallEvaluator,
+                                       EvaluateSyscall syscall_evaluator,
                                        void *aux,
                                        int proc_fd);
-  static void      startSandboxInternal(bool quiet);
-  static bool      isSingleThreaded(int proc_fd);
-  static bool      isDenied(const ErrorCode& code);
-  static bool      disableFilesystem();
-  static void      policySanityChecks(EvaluateSyscall syscallEvaluator,
+  static void      StartSandboxInternal(bool quiet);
+  static bool      IsSingleThreaded(int proc_fd);
+  static bool      IsDenied(const ErrorCode& code);
+  static bool      DisableFilesystem();
+  static void      PolicySanityChecks(EvaluateSyscall syscall_evaluator,
                                       void *aux);
 
   // Function that can be passed as a callback function to CodeGen::Traverse().
   // Checks whether the "insn" returns an UnsafeTrap() ErrorCode. If so, it
   // sets the "bool" variable pointed to by "aux".
   static void      CheckForUnsafeErrorCodes(Instruction *insn, void *aux);
 
   // Function that can be passed as a callback function to CodeGen::Traverse().
   // Checks whether the "insn" returns an errno value from a BPF filter. If so,
   // it rewrites the instruction to instead call a Trap() handler that does
   // the same thing. "aux" is ignored.
   static void      RedirectToUserspace(Instruction *insn, void *aux);
 
   // Stackable wrapper around an Evaluators handler. Changes ErrorCodes
   // returned by a system call evaluator to match the changes made by
   // RedirectToUserspace(). "aux" should be pointer to wrapped system call
   // evaluator.
   static ErrorCode RedirectToUserspaceEvalWrapper(int sysnum, void *aux);
 
-  static void      installFilter(bool quiet);
-  static void      findRanges(Ranges *ranges);
-  static Instruction *assembleJumpTable(CodeGen *gen,
+  static void      InstallFilter(bool quiet);
+  static void      FindRanges(Ranges *ranges);
+  static Instruction *AssembleJumpTable(CodeGen *gen,
                                         Ranges::const_iterator start,
                                         Ranges::const_iterator stop);
-  static void      sigSys(int nr, siginfo_t *info, void *void_context);
+  static Instruction *RetExpression(CodeGen *gen, const ErrorCode& cond);
+  static Instruction *CondExpression(CodeGen *gen, const ErrorCode& cond);
+  static void      SigSys(int nr, siginfo_t *info, void *void_context);
   static ErrorCode MakeTrap(ErrorCode::TrapFnc fn, const void *aux, bool safe);
 
   // A Trap() handler that returns an "errno" value. The value is encoded
   // in the "aux" parameter.
   static intptr_t  ReturnErrno(const struct arch_seccomp_data&, void *aux);
 
-  static intptr_t  bpfFailure(const struct arch_seccomp_data& data, void *aux);
-  static int       getTrapId(TrapFnc fnc, const void *aux);
+  static intptr_t  BpfFailure(const struct arch_seccomp_data& data, void *aux);
 
   static SandboxStatus status_;
   static int           proc_fd_;
   static Evaluators    evaluators_;
   static Traps         *traps_;
-  static TrapIds       trapIds_;
-  static ErrorCode     *trapArray_;
-  static size_t        trapArraySize_;
+  static TrapIds       trap_ids_;
+  static ErrorCode     *trap_array_;
+  static size_t        trap_array_size_;
   static bool          has_unsafe_traps_;
+  static Conds         conds_;
+
   DISALLOW_IMPLICIT_CONSTRUCTORS(Sandbox);
 };
 
 }  // namespace
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__