SECCOMP-BPF: Added supported for inspection system call arguments from BPF filters.

sandbox/linux/seccomp-bpf/sandbox_bpf.h

Index: sandbox/linux/seccomp-bpf/sandbox_bpf.h
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index 0e781ea7f4d7bc152e79e20a97ac733ea23f5468..848a0916cab0afb409a599eef483f6282ccca487 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -37,6 +37,7 @@
 #include <algorithm>
 #include <limits>
 #include <map>
+#include <set>
 #include <utility>
 #include <vector>
 
@@ -69,11 +70,11 @@
 #define SECCOMP_MODE_STRICT           1
 #define SECCOMP_MODE_FILTER           2  // User user-supplied filter
 #define SECCOMP_RET_KILL    0x00000000U  // Kill the task immediately
+#define SECCOMP_RET_INVALID 0x00010000U  // Illegal return value

[jln (very slow on Chromium), 2012/12/06 00:35:00]

Maybe make it clear that's it's not an upstream value ?

Also why does this work? linux/seccomp.h is commented above, is that why ?

Shouldn't you uncomment it and put this one out of the #ifdef ? (Which should be
a #if !defined() btw).

[Markus (顧孟勤), 2012/12/12 20:54:35]

We cannot uncomment the include statement, as the code will then not compile on
our older build bots. Unfortunately, there is no way in C to say "try to include
this file, iff it exists".

So, for now, we just document that we would like to include it. But we don't do
so ... yet. If our build bots are updated at some point, we can revisit that
decision -- but overall, it is harmless to leave it commented out.

What I expect to happen is that in the future, when we refactor this whole file,
we will have a "ports.h" file that makes all of this a lot clearer. That's what
we have traditionally been doing both in Google3 and in other open source
projects released by Google.

On 2012/12/06 00:35:00, Julien Tinnes wrote:

 #define SECCOMP_RET_TRAP    0x00030000U  // Disallow and force a SIGSYS
 #define SECCOMP_RET_ERRNO   0x00050000U  // Returns an errno
 #define SECCOMP_RET_TRACE   0x7ff00000U  // Pass to a tracer or disallow
 #define SECCOMP_RET_ALLOW   0x7fff0000U  // Allow
-#define SECCOMP_RET_INVALID 0x8f8f8f8fU  // Illegal return value
 #define SECCOMP_RET_ACTION  0xffff0000U  // Masks for the return value
 #define SECCOMP_RET_DATA    0x0000ffffU  //   sections
 #endif
@@ -220,20 +221,6 @@ class Sandbox {
   // be undone afterwards.
   typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void *aux);
 
-  enum Operation {
-    OP_NOP, OP_EQUAL, OP_NOTEQUAL, OP_LESS,
-    OP_LESS_EQUAL, OP_GREATER, OP_GREATER_EQUAL,
-    OP_HAS_BITS, OP_DOES_NOT_HAVE_BITS
-  };
-
-  struct Constraint {
-    bool      is32bit;
-    Operation op;
-    uint32_t  value;
-    ErrorCode passed;
-    ErrorCode failed;
-  };
-
   // When calling setSandboxPolicy(), the caller can provide an arbitrary
   // pointer. This pointer will then be forwarded to the sandbox policy
   // each time a call is made through an EvaluateSyscall function pointer.
@@ -245,21 +232,21 @@ class Sandbox {
   // Checks whether a particular system call number is valid on the current
   // architecture. E.g. on ARM there's a non-contiguous range of private
   // system calls.
-  static bool isValidSyscallNumber(int sysnum);
+  static bool IsValidSyscallNumber(int sysnum);
 
   // There are a lot of reasons why the Seccomp sandbox might not be available.
   // This could be because the kernel does not support Seccomp mode, or it
   // could be because another sandbox is already active.
   // "proc_fd" should be a file descriptor for "/proc", or -1 if not
   // provided by the caller.
-  static SandboxStatus supportsSeccompSandbox(int proc_fd);
+  static SandboxStatus SupportsSeccompSandbox(int proc_fd);
 
   // The sandbox needs to be able to access files in "/proc/self". If this
   // directory is not accessible when "startSandbox()" gets called, the caller
   // can provide an already opened file descriptor by calling "setProcFd()".
   // The sandbox becomes the new owner of this file descriptor and will
   // eventually close it when "startSandbox()" executes.
-  static void setProcFd(int proc_fd);
+  static void SetProcFd(int proc_fd);
 
   // The system call evaluator function is called with the system
   // call number. It can decide to allow the system call unconditionally
@@ -272,7 +259,7 @@ class Sandbox {
   // handler. In this case, of course, the data that is pointed to must remain
   // valid for the entire time that Trap() handlers can be called; typically,
   // this would be the lifetime of the program.
-  static void setSandboxPolicy(EvaluateSyscall syscallEvaluator, void *aux);
+  static void SetSandboxPolicy(EvaluateSyscall syscallEvaluator, void *aux);
 
   // We can use ErrorCode to request calling of a trap handler. This method
   // performs the required wrapping of the callback function into an
@@ -301,18 +288,33 @@ class Sandbox {
   // directly suitable as a return value for a trap handler.
   static intptr_t ForwardSyscall(const struct arch_seccomp_data& args);
 
+  // We can also use ErrorCode to request evaluation of a conditional
+  // statement based on inspection of system call parameters.
+  // This method wrap an ErrorCode object around the conditional statement.
+  // Argument "argno" (1..6) will be compared to "value" using comparator
+  // "op". If the condition is true "passed" will be returned, otherwise
+  // "failed".
+  // If "is32bit" is set, the argument must in the range of 0x0..(1u << 32 - 1)
+  // If it is outside this range, the sandbox treats the system call just
+  // the same as any other ABI violation (i.e. it aborts with an error
+  // message).
+  static ErrorCode Cond(int argno, ErrorCode::ArgType is_32bit,
+                        ErrorCode::Operation op,
+                        uint64_t value, const ErrorCode& passed,
+                        const ErrorCode& failed);
+
   // Kill the program and print an error message.
   static ErrorCode Kill(const char *msg);
 
   // This is the main public entry point. It finds all system calls that
   // need rewriting, sets up the resources needed by the sandbox, and
   // enters Seccomp mode.
-  static void startSandbox() { startSandboxInternal(false); }
+  static void StartSandbox() { StartSandboxInternal(false); }
 
  private:
-  friend class ErrorCode;
   friend class CodeGen;
   friend class SandboxUnittestHelper;
+  friend class ErrorCode;
   friend class Util;
   friend class Verifier;
 
@@ -342,24 +344,25 @@ class Sandbox {
   typedef std::map<uint32_t, ErrorCode> ErrMap;
   typedef std::vector<ErrorCode> Traps;
   typedef std::map<TrapKey, uint16_t> TrapIds;
+  typedef std::set<ErrorCode, struct ErrorCode::LessThan> Conds;
 
   // Get a file descriptor pointing to "/proc", if currently available.
-  static int proc_fd() { return proc_fd_; }
+  static int ProcFd() { return proc_fd_; }
 
-  static ErrorCode probeEvaluator(int sysnum, void *) __attribute__((const));
-  static void      probeProcess(void);
-  static ErrorCode allowAllEvaluator(int sysnum, void *aux);
-  static void      tryVsyscallProcess(void);
-  static bool      kernelSupportSeccompBPF(int proc_fd);
+  static ErrorCode ProbeEvaluator(int sysnum, void *) __attribute__((const));
+  static void      ProbeProcess(void);
+  static ErrorCode AllowAllEvaluator(int sysnum, void *aux);
+  static void      TryVsyscallProcess(void);
+  static bool      KernelSupportSeccompBPF(int proc_fd);
   static bool      RunFunctionInPolicy(void (*function)(),
-                                       EvaluateSyscall syscallEvaluator,
+                                       EvaluateSyscall syscall_evaluator,
                                        void *aux,
                                        int proc_fd);
-  static void      startSandboxInternal(bool quiet);
-  static bool      isSingleThreaded(int proc_fd);
-  static bool      isDenied(const ErrorCode& code);
-  static bool      disableFilesystem();
-  static void      policySanityChecks(EvaluateSyscall syscallEvaluator,
+  static void      StartSandboxInternal(bool quiet);
+  static bool      IsSingleThreaded(int proc_fd);
+  static bool      IsDenied(const ErrorCode& code);
+  static bool      DisableFilesystem();
+  static void      PolicySanityChecks(EvaluateSyscall syscall_evaluator,
                                       void *aux);
 
   // Function that can be passed as a callback function to CodeGen::Traverse().
@@ -379,29 +382,32 @@ class Sandbox {
   // evaluator.
   static ErrorCode RedirectToUserspaceEvalWrapper(int sysnum, void *aux);
 
-  static void      installFilter(bool quiet);
-  static void      findRanges(Ranges *ranges);
-  static Instruction *assembleJumpTable(CodeGen *gen,
+  static void      InstallFilter(bool quiet);
+  static void      FindRanges(Ranges *ranges);
+  static Instruction *AssembleJumpTable(CodeGen *gen,
                                         Ranges::const_iterator start,
                                         Ranges::const_iterator stop);
-  static void      sigSys(int nr, siginfo_t *info, void *void_context);
+  static Instruction *RetExpression(CodeGen *gen, const ErrorCode& cond);
+  static Instruction *CondExpression(CodeGen *gen, const ErrorCode& cond);
+  static void      SigSys(int nr, siginfo_t *info, void *void_context);
   static ErrorCode MakeTrap(ErrorCode::TrapFnc fn, const void *aux, bool safe);
 
   // A Trap() handler that returns an "errno" value. The value is encoded
   // in the "aux" parameter.
   static intptr_t  ReturnErrno(const struct arch_seccomp_data&, void *aux);
 
-  static intptr_t  bpfFailure(const struct arch_seccomp_data& data, void *aux);
-  static int       getTrapId(TrapFnc fnc, const void *aux);
+  static intptr_t  BpfFailure(const struct arch_seccomp_data& data, void *aux);
 
   static SandboxStatus status_;
   static int           proc_fd_;
   static Evaluators    evaluators_;
   static Traps         *traps_;
-  static TrapIds       trapIds_;
-  static ErrorCode     *trapArray_;
-  static size_t        trapArraySize_;
+  static TrapIds       trap_ids_;
+  static ErrorCode     *trap_array_;
+  static size_t        trap_array_size_;
   static bool          has_unsafe_traps_;
+  static Conds         conds_;
+
   DISALLOW_IMPLICIT_CONSTRUCTORS(Sandbox);
 };