SECCOMP-BPF: Refactor the BPF sandbox API to use fewer "static" fields and methods.

sandbox/linux/seccomp-bpf/demo.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <errno.h>
 #include <fcntl.h>
 #include <linux/unistd.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 #include <pthread.h>
 #include <signal.h>
+#include <stdarg.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/ioctl.h>
 #include <sys/ipc.h>
 #include <sys/mman.h>
 #include <sys/prctl.h>
 #include <sys/resource.h>
 #include <sys/shm.h>
 #include <sys/socket.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <time.h>
 #include <unistd.h>
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-#include "sandbox/linux/seccomp-bpf/util.h"
 
 using playground2::arch_seccomp_data;
 using playground2::ErrorCode;
 using playground2::Sandbox;
-using playground2::Util;
 
 #define ERR EPERM
 
 // We don't expect our sandbox to do anything useful yet. So, we will fail
 // almost immediately. For now, force the code to continue running. The
 // following line should be removed as soon as the sandbox is starting to
 // actually enforce restrictions in a meaningful way:
 #define _exit(x) do { } while (0)
 
+namespace {
+
+bool SendFds(int transport, const void *buf, size_t len, ...) {
+  int count = 0;
+  va_list ap;
+  va_start(ap, len);
+  while (va_arg(ap, int) >= 0) {
+    ++count;
+  }
+  va_end(ap);
+  if (!count) {
+    return false;
+  }
+  char cmsg_buf[CMSG_SPACE(count*sizeof(int))];
+  memset(cmsg_buf, 0, sizeof(cmsg_buf));
+  struct iovec  iov[2] = { { 0 } };
+  struct msghdr msg    = { 0 };
+  int dummy            = 0;
+  iov[0].iov_base      = &dummy;
+  iov[0].iov_len       = sizeof(dummy);
+  if (buf && len > 0) {
+    iov[1].iov_base    = const_cast<void *>(buf);
+    iov[1].iov_len     = len;
+  }
+  msg.msg_iov          = iov;
+  msg.msg_iovlen       = (buf && len > 0) ? 2 : 1;
+  msg.msg_control      = cmsg_buf;
+  msg.msg_controllen   = CMSG_LEN(count*sizeof(int));
+  struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
+  cmsg->cmsg_level     = SOL_SOCKET;
+  cmsg->cmsg_type      = SCM_RIGHTS;
+  cmsg->cmsg_len       = CMSG_LEN(count*sizeof(int));
+  va_start(ap, len);
+  for (int i = 0, fd; (fd = va_arg(ap, int)) >= 0; ++i) {
+    (reinterpret_cast<int *>(CMSG_DATA(cmsg)))[i] = fd;
+  }
+  return sendmsg(transport, &msg, 0) ==
+      static_cast<ssize_t>(sizeof(dummy) + ((buf && len > 0) ? len : 0));
+}
+
+bool GetFds(int transport, void *buf, size_t *len, ...) {
+  int count = 0;
+  va_list ap;
+  va_start(ap, len);
+  for (int *fd; (fd = va_arg(ap, int *)) != NULL; ++count) {
+    *fd = -1;
+  }
+  va_end(ap);
+  if (!count) {
+    return false;
+  }
+  char cmsg_buf[CMSG_SPACE(count*sizeof(int))];
+  memset(cmsg_buf, 0, sizeof(cmsg_buf));
+  struct iovec iov[2] = { { 0 } };
+  struct msghdr msg   = { 0 };
+  int err;
+  iov[0].iov_base     = &err;
+  iov[0].iov_len      = sizeof(int);
+  if (buf && len && *len > 0) {
+    iov[1].iov_base   = buf;
+    iov[1].iov_len    = *len;
+  }
+  msg.msg_iov         = iov;
+  msg.msg_iovlen      = (buf && len && *len > 0) ? 2 : 1;
+  msg.msg_control     = cmsg_buf;
+  msg.msg_controllen  = CMSG_LEN(count*sizeof(int));
+  ssize_t bytes = recvmsg(transport, &msg, 0);
+  if (len) {
+    *len = bytes > static_cast<int>(sizeof(int)) ? bytes - sizeof(int) : 0;
+  }
+  if (bytes != static_cast<ssize_t>(sizeof(int) + iov[1].iov_len)) {
+    if (bytes >= 0) {
+      errno = 0;
+    }
+    return false;
+  }
+  if (err) {
+    // "err" is the first four bytes of the payload. If these are non-zero,
+    // the sender on the other side of the socketpair sent us an errno value.
+    // We don't expect to get any file handles in this case.
+    errno = err;
+    return false;
+  }
+  struct cmsghdr *cmsg = CMSG_FIRSTHDR(&msg);
+  if ((msg.msg_flags & (MSG_TRUNC|MSG_CTRUNC)) ||
+      !cmsg                                    ||
+      cmsg->cmsg_level != SOL_SOCKET           ||
+      cmsg->cmsg_type  != SCM_RIGHTS           ||
+      cmsg->cmsg_len   != CMSG_LEN(count*sizeof(int))) {
+    errno = EBADF;
+    return false;
+  }
+  va_start(ap, len);
+  for (int *fd, i = 0; (fd = va_arg(ap, int *)) != NULL; ++i) {
+    *fd = (reinterpret_cast<int *>(CMSG_DATA(cmsg)))[i];
+  }
+  va_end(ap);
+  return true;
+}
+
 
 // POSIX doesn't define any async-signal safe function for converting
 // an integer to ASCII. We'll have to define our own version.
 // itoa_r() converts a (signed) integer to ASCII. It returns "buf", if the
 // conversion was successful or NULL otherwise. It never writes more than "sz"
 // bytes. Output will be truncated as needed, and a NUL character is always
 // appended.
-static char *itoa_r(int i, char *buf, size_t sz) {
+char *itoa_r(int i, char *buf, size_t sz) {
   // Make sure we can write at least one NUL byte.
   size_t n = 1;
   if (n > sz) {
     return NULL;
   }
 
   // Handle negative numbers.
   char *start = buf;
   int minint = 0;
   if (i < 0) {
@@ skipping 47 matching lines @@
   }
   return buf;
 }
 
 // This handler gets called, whenever we encounter a system call that we
 // don't recognize explicitly. For the purposes of this program, we just
 // log the system call and then deny it. More elaborate sandbox policies
 // might try to evaluate the system call in user-space, instead.
 // The only notable complication is that this function must be async-signal
 // safe. This restricts the libary functions that we can call.
-static intptr_t defaultHandler(const struct arch_seccomp_data& data,
-                               void *) {
+intptr_t DefaultHandler(const struct arch_seccomp_data& data, void *) {
   static const char msg0[] = "Disallowed system call #";
   static const char msg1[] = "\n";
   char buf[sizeof(msg0) - 1 + 25 + sizeof(msg1)];
 
   *buf = '\000';
   strncat(buf, msg0, sizeof(buf));
 
   char *ptr = strrchr(buf, '\000');
   itoa_r(data.nr, ptr, sizeof(buf) - (ptr - buf));
 
   ptr = strrchr(ptr, '\000');
   strncat(ptr, msg1, sizeof(buf) - (ptr - buf));
 
   ptr = strrchr(ptr, '\000');
   if (HANDLE_EINTR(write(2, buf, ptr - buf))) { }
 
   return -ERR;
 }
 
-static ErrorCode evaluator(int sysno, void *) {
+ErrorCode Evaluator(Sandbox *sandbox, int sysno, void *) {
   switch (sysno) {
 #if defined(__NR_accept)
   case __NR_accept: case __NR_accept4:
 #endif
   case __NR_alarm:
   case __NR_brk:
   case __NR_clock_gettime:
   case __NR_close:
   case __NR_dup: case __NR_dup2:
   case __NR_epoll_create: case __NR_epoll_ctl: case __NR_epoll_wait:
@@ skipping 68 matching lines @@
 #if defined(__NR_socketpair)
   case __NR_socketpair:
 #endif
   case __NR_time:
   case __NR_uname:
   case __NR_write: case __NR_writev:
     return ErrorCode(ErrorCode::ERR_ALLOWED);
 
   case __NR_prctl:
     // Allow PR_SET_DUMPABLE and PR_GET_DUMPABLE. Do not allow anything else.
-    return Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+    return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          PR_SET_DUMPABLE,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
-           Sandbox::Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
                          PR_GET_DUMPABLE,
                          ErrorCode(ErrorCode::ERR_ALLOWED),
-           Sandbox::Trap(defaultHandler, NULL)));
+           sandbox->Trap(DefaultHandler, NULL)));
 
   // The following system calls are temporarily permitted. This must be
   // tightened later. But we currently don't implement enough of the sandboxing
   // API to do so.
   // As is, this sandbox isn't exactly safe :-/
 #if defined(__NR_sendmsg)
   case __NR_sendmsg: case __NR_sendto:
   case __NR_recvmsg: case __NR_recvfrom:
   case __NR_getsockopt: case __NR_setsockopt:
 #elif defined(__NR_socketcall)
@@ skipping 14 matching lines @@
 #endif
   case __NR_getrlimit:
   case __NR_ioctl:
   case __NR_clone:
   case __NR_munmap: case __NR_mprotect: case __NR_madvise:
   case __NR_remap_file_pages:
     return ErrorCode(ErrorCode::ERR_ALLOWED);
 
   // Everything that isn't explicitly allowed is denied.
   default:
-    return Sandbox::Trap(defaultHandler, NULL);
+    return sandbox->Trap(DefaultHandler, NULL);
   }
 }
 
-static void *threadFnc(void *arg) {
+void *ThreadFnc(void *arg) {
   return arg;
 }
 
-static void *sendmsgStressThreadFnc(void *arg) {
+void *SendmsgStressThreadFnc(void *arg) {
   if (arg) { }
   static const int repetitions = 100;
   static const int kNumFds = 3;
   for (int rep = 0; rep < repetitions; ++rep) {
     int fds[2 + kNumFds];
     if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds)) {
       perror("socketpair()");
       _exit(1);
     }
     size_t len = 4;
     char buf[4];
-    if (!Util::SendFds(fds[0], "test", 4, fds[1], fds[1], fds[1], -1) ||
-        !Util::GetFds(fds[1], buf, &len, fds+2, fds+3, fds+4, NULL) ||
+    if (!SendFds(fds[0], "test", 4, fds[1], fds[1], fds[1], -1) ||
+        !GetFds(fds[1], buf, &len, fds+2, fds+3, fds+4, NULL) ||
         len != 4 ||
         memcmp(buf, "test", len) ||
         write(fds[2], "demo", 4) != 4 ||
         read(fds[0], buf, 4) != 4 ||
         memcmp(buf, "demo", 4)) {
       perror("sending/receiving of fds");
       _exit(1);
     }
     for (int i = 0; i < 2+kNumFds; ++i) {
       if (close(fds[i])) {
         perror("close");
         _exit(1);
       }
     }
   }
   return NULL;
 }
 
+}  // namespace
+
 int main(int argc, char *argv[]) {
   if (argc) { }
   if (argv) { }
   int proc_fd = open("/proc", O_RDONLY|O_DIRECTORY);
   if (Sandbox::SupportsSeccompSandbox(proc_fd) !=
       Sandbox::STATUS_AVAILABLE) {
     perror("sandbox");
     _exit(1);
   }
-  Sandbox::set_proc_fd(proc_fd);
-  Sandbox::SetSandboxPolicy(evaluator, NULL);
-  Sandbox::StartSandbox();
+  Sandbox sandbox;
+  sandbox.set_proc_fd(proc_fd);
+  sandbox.SetSandboxPolicy(Evaluator, NULL);
+  sandbox.StartSandbox();
 
   // Check that we can create threads
   pthread_t thr;
-  if (!pthread_create(&thr, NULL, threadFnc,
+  if (!pthread_create(&thr, NULL, ThreadFnc,
                       reinterpret_cast<void *>(0x1234))) {
     void *ret;
     pthread_join(thr, &ret);
     if (ret != reinterpret_cast<void *>(0x1234)) {
       perror("clone() failed");
       _exit(1);
     }
   } else {
     perror("clone() failed");
     _exit(1);
@@ skipping 33 matching lines @@
   }
 
   // Check that we can send and receive file handles.
   int fds[3];
   if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds)) {
     perror("socketpair()");
     _exit(1);
   }
   size_t len = 4;
   char buf[4];
-  if (!Util::SendFds(fds[0], "test", 4, fds[1], -1) ||
-      !Util::GetFds(fds[1], buf, &len, fds+2, NULL) ||
+  if (!SendFds(fds[0], "test", 4, fds[1], -1) ||
+      !GetFds(fds[1], buf, &len, fds+2, NULL) ||
       len != 4 ||
       memcmp(buf, "test", len) ||
       write(fds[2], "demo", 4) != 4 ||
       read(fds[0], buf, 4) != 4 ||
       memcmp(buf, "demo", 4) ||
       close(fds[0]) ||
       close(fds[1]) ||
       close(fds[2])) {
     perror("sending/receiving of fds");
     _exit(1);
@@ skipping 12 matching lines @@
 
   // Print a message so that the user can see the sandbox is activated.
   time_t tm = time(NULL);
   printf("Sandbox has been started at %s", ctime(&tm));
 
   // Stress-test the sendmsg() code
   static const int kSendmsgStressNumThreads = 10;
   pthread_t sendmsgStressThreads[kSendmsgStressNumThreads];
   for (int i = 0; i < kSendmsgStressNumThreads; ++i) {
     if (pthread_create(sendmsgStressThreads + i, NULL,
-                       sendmsgStressThreadFnc, NULL)) {
+                       SendmsgStressThreadFnc, NULL)) {
       perror("pthread_create");
       _exit(1);
     }
   }
   for (int i = 0; i < kSendmsgStressNumThreads; ++i) {
     pthread_join(sendmsgStressThreads[i], NULL);
   }
 
   return 0;
 }