SECCOMP-BPF: Refactor the BPF sandbox API to use fewer "static" fields and methods.

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Some headers on Android are missing cdefs: crbug.com/172337.
 // (We can't use OS_ANDROID here since build_config.h is not included).
 #if defined(ANDROID)
 #include <sys/cdefs.h>
 #endif
 
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
 #include <sys/prctl.h>
+#include <sys/stat.h>
 #include <sys/syscall.h>
+#include <sys/types.h>
+#include <time.h>
+#include <unistd.h>
 
 #ifndef SECCOMP_BPF_STANDALONE
 #include "base/logging.h"
 #include "base/posix/eintr_wrapper.h"
 #endif
 
 #include "sandbox/linux/seccomp-bpf/codegen.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 
 namespace {
 
-void WriteFailedStderrSetupMessage(int out_fd) {
-  const char* error_string = strerror(errno);
-  static const char msg[] = "You have reproduced a puzzling issue.\n"
-                            "Please, report to crbug.com/152530!\n"
-                            "Failed to set up stderr: ";
-  if (HANDLE_EINTR(write(out_fd, msg, sizeof(msg)-1)) > 0 && error_string &&
-      HANDLE_EINTR(write(out_fd, error_string, strlen(error_string))) > 0 &&
-      HANDLE_EINTR(write(out_fd, "\n", 1))) {
-  }
-}
+using playground2::ErrorCode;
+using playground2::Instruction;
+using playground2::Sandbox;
+using playground2::Trap;
+using playground2::arch_seccomp_data;
+
+const int kExpectedExitCode = 100;
 
 template<class T> int popcount(T x);
 template<> int popcount<unsigned int>(unsigned int x) {
   return __builtin_popcount(x);
 }
 template<> int popcount<unsigned long>(unsigned long x) {
   return __builtin_popcountl(x);
 }
 template<> int popcount<unsigned long long>(unsigned long long x) {
   return __builtin_popcountll(x);
 }
 
-}  // namespace
-
-// The kernel gives us a sandbox, we turn it into a playground :-)
-// This is version 2 of the playground; version 1 was built on top of
-// pre-BPF seccomp mode.
-namespace playground2 {
-
-const int kExpectedExitCode = 100;
+void WriteFailedStderrSetupMessage(int out_fd) {
+  const char* error_string = strerror(errno);
+  static const char msg[] = "You have reproduced a puzzling issue.\n"
+                            "Please, report to crbug.com/152530!\n"
+                            "Failed to set up stderr: ";
+  if (HANDLE_EINTR(write(out_fd, msg, sizeof(msg)-1)) > 0 && error_string &&
+      HANDLE_EINTR(write(out_fd, error_string, strlen(error_string))) > 0 &&
+      HANDLE_EINTR(write(out_fd, "\n", 1))) {
+  }
+}
 
 // We define a really simple sandbox policy. It is just good enough for us
 // to tell that the sandbox has actually been activated.
-ErrorCode Sandbox::ProbeEvaluator(int sysnum, void *) {
+ErrorCode ProbeEvaluator(Sandbox *, int sysnum, void *) __attribute__((const));
+ErrorCode ProbeEvaluator(Sandbox *, int sysnum, void *) {
   switch (sysnum) {
   case __NR_getpid:
     // Return EPERM so that we can check that the filter actually ran.
     return ErrorCode(EPERM);
   case __NR_exit_group:
     // Allow exit() with a non-default return code.
     return ErrorCode(ErrorCode::ERR_ALLOWED);
   default:
     // Make everything else fail in an easily recognizable way.
     return ErrorCode(EINVAL);
   }
 }
 
-void Sandbox::ProbeProcess(void) {
+void ProbeProcess(void) {
   if (syscall(__NR_getpid) < 0 && errno == EPERM) {
     syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
   }
 }
 
-bool Sandbox::IsValidSyscallNumber(int sysnum) {
-  return SyscallIterator::IsValid(sysnum);
-}
-
-ErrorCode Sandbox::AllowAllEvaluator(int sysnum, void *) {
-  if (!IsValidSyscallNumber(sysnum)) {
+ErrorCode AllowAllEvaluator(Sandbox *, int sysnum, void *) {
+  if (!Sandbox::IsValidSyscallNumber(sysnum)) {
     return ErrorCode(ENOSYS);
   }
   return ErrorCode(ErrorCode::ERR_ALLOWED);
 }
 
-void Sandbox::TryVsyscallProcess(void) {
+void TryVsyscallProcess(void) {
   time_t current_time;
   // time() is implemented as a vsyscall. With an older glibc, with
   // vsyscall=emulate and some versions of the seccomp BPF patch
   // we may get SIGKILL-ed. Detect this!
   if (time(&current_time) != static_cast<time_t>(-1)) {
     syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
   }
 }
 
+bool IsSingleThreaded(int proc_fd) {
+  if (proc_fd < 0) {
+    // Cannot determine whether program is single-threaded. Hope for
+    // the best...
+    return true;
+  }
+
+  struct stat sb;
+  int task = -1;
+  if ((task = openat(proc_fd, "self/task", O_RDONLY|O_DIRECTORY)) < 0 ||
+      fstat(task, &sb) != 0 ||
+      sb.st_nlink != 3 ||
+      HANDLE_EINTR(close(task))) {
+    if (task >= 0) {
+      if (HANDLE_EINTR(close(task))) { }
+    }
+    return false;
+  }
+  return true;
+}
+
+bool IsDenied(const ErrorCode& code) {
+  return (code.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP ||
+         (code.err() >= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MIN_ERRNO) &&
+          code.err() <= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MAX_ERRNO));
+}
+
+// Function that can be passed as a callback function to CodeGen::Traverse().
+// Checks whether the "insn" returns an UnsafeTrap() ErrorCode. If so, it
+// sets the "bool" variable pointed to by "aux".
+void CheckForUnsafeErrorCodes(Instruction *insn, void *aux) {
+  bool *is_unsafe = static_cast<bool *>(aux);
+  if (!*is_unsafe) {
+    if (BPF_CLASS(insn->code) == BPF_RET &&
+        insn->k > SECCOMP_RET_TRAP &&
+        insn->k - SECCOMP_RET_TRAP <= SECCOMP_RET_DATA) {
+      const ErrorCode& err =
+        Trap::ErrorCodeFromTrapId(insn->k & SECCOMP_RET_DATA);
+      if (err.error_type() != ErrorCode::ET_INVALID && !err.safe()) {
+        *is_unsafe = true;
+      }
+    }
+  }
+}
+
+// A Trap() handler that returns an "errno" value. The value is encoded
+// in the "aux" parameter.
+intptr_t ReturnErrno(const struct arch_seccomp_data&, void *aux) {
+  // TrapFnc functions report error by following the native kernel convention
+  // of returning an exit code in the range of -1..-4096. They do not try to
+  // set errno themselves. The glibc wrapper that triggered the SIGSYS will
+  // ultimately do so for us.
+  int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
+  return -err;
+}
+
+// Function that can be passed as a callback function to CodeGen::Traverse().
+// Checks whether the "insn" returns an errno value from a BPF filter. If so,
+// it rewrites the instruction to instead call a Trap() handler that does
+// the same thing. "aux" is ignored.
+void RedirectToUserspace(Instruction *insn, void *aux) {
+  // When inside an UnsafeTrap() callback, we want to allow all system calls.
+  // This means, we must conditionally disable the sandbox -- and that's not
+  // something that kernel-side BPF filters can do, as they cannot inspect
+  // any state other than the syscall arguments.
+  // But if we redirect all error handlers to user-space, then we can easily
+  // make this decision.
+  // The performance penalty for this extra round-trip to user-space is not
+  // actually that bad, as we only ever pay it for denied system calls; and a
+  // typical program has very few of these.
+  Sandbox *sandbox = static_cast<Sandbox *>(aux);
+  if (BPF_CLASS(insn->code) == BPF_RET &&
+      (insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
+    insn->k = sandbox->Trap(ReturnErrno,
+                   reinterpret_cast<void *>(insn->k & SECCOMP_RET_DATA)).err();
+  }
+}
+
+// Stackable wrapper around an Evaluators handler. Changes ErrorCodes
+// returned by a system call evaluator to match the changes made by
+// RedirectToUserspace(). "aux" should be pointer to wrapped system call
+// evaluator.
+ErrorCode RedirectToUserspaceEvalWrapper(Sandbox *sandbox, int sysnum,
+                                         void *aux) {
+  // We need to replicate the behavior of RedirectToUserspace(), so that our
+  // Verifier can still work correctly.
+  Sandbox::Evaluators *evaluators =
+    reinterpret_cast<Sandbox::Evaluators *>(aux);
+  const std::pair<Sandbox::EvaluateSyscall, void *>& evaluator =
+    *evaluators->begin();
+
+  ErrorCode err = evaluator.first(sandbox, sysnum, evaluator.second);
+  if ((err.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
+    return sandbox->Trap(ReturnErrno,
+                       reinterpret_cast<void *>(err.err() & SECCOMP_RET_DATA));
+  }
+  return err;
+}
+
+intptr_t BpfFailure(const struct arch_seccomp_data&, void *aux) {
+  SANDBOX_DIE(static_cast<char *>(aux));
+}
+
+}  // namespace
+
+// The kernel gives us a sandbox, we turn it into a playground :-)
+// This is version 2 of the playground; version 1 was built on top of
+// pre-BPF seccomp mode.
+namespace playground2 {
+
+Sandbox::Sandbox()
+    : quiet_(false),
+      proc_fd_(-1),
+      evaluators_(new Evaluators),
+      conds_(new Conds) {
+}
+
+Sandbox::~Sandbox() {
+  // It is generally unsafe to call any memory allocator operations or to even
+  // call arbitrary destructors after having installed a new policy. We just
+  // have no way to tell whether this policy would allow the system calls that
+  // the constructors can trigger.
+  // So, we normally destroy all of our complex state prior to starting the
+  // sandbox. But this won't happen, if the Sandbox object was created and
+  // never actually used to set up a sandbox. So, just in case, we are
+  // destroying any remaining state.
+  // The "if ()" statements are technically superfluous. But let's be explicit
+  // that we really don't want to run any code, when we already destroyed
+  // objects before setting up the sandbox.
+  if (evaluators_) {
+    delete evaluators_;
+  }
+  if (conds_) {
+    delete conds_;
+  }
+}
+
+bool Sandbox::IsValidSyscallNumber(int sysnum) {
+  return SyscallIterator::IsValid(sysnum);
+}
+
+
 bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(),
-                                  EvaluateSyscall syscall_evaluator,
-                                  void *aux,
-                                  int proc_fd) {
+                                  Sandbox::EvaluateSyscall syscall_evaluator,
+                                  void *aux) {
   // Block all signals before forking a child process. This prevents an
   // attacker from manipulating our test by sending us an unexpected signal.
   sigset_t old_mask, new_mask;
   if (sigfillset(&new_mask) ||
       sigprocmask(SIG_BLOCK, &new_mask, &old_mask)) {
     SANDBOX_DIE("sigprocmask() failed");
   }
   int fds[2];
   if (pipe2(fds, O_NONBLOCK|O_CLOEXEC)) {
     SANDBOX_DIE("pipe() failed");
@@ skipping 46 matching lines @@
     }
     if (HANDLE_EINTR(close(fds[1]))) {
       // This call to close() has been failing in strange ways. See
       // crbug.com/152530. So we only fail in debug mode now.
 #if !defined(NDEBUG)
       WriteFailedStderrSetupMessage(fds[1]);
       SANDBOX_DIE(NULL);
 #endif
     }
 
-    evaluators_.clear();
     SetSandboxPolicy(syscall_evaluator, aux);
-    set_proc_fd(proc_fd);
-
-    // By passing "quiet=true" to "startSandboxInternal()" we suppress
-    // messages for expected and benign failures (e.g. if the current
-    // kernel lacks support for BPF filters).
-    StartSandboxInternal(true);
+    StartSandbox();
 
     // Run our code in the sandbox.
     code_in_sandbox();
 
     // code_in_sandbox() is not supposed to return here.
     SANDBOX_DIE(NULL);
   }
 
   // In the parent process.
   if (HANDLE_EINTR(close(fds[1]))) {
@@ skipping 24 matching lines @@
       SANDBOX_DIE(buf);
     }
   }
   if (HANDLE_EINTR(close(fds[0]))) {
     SANDBOX_DIE("close() failed");
   }
 
   return rc;
 }
 
-bool Sandbox::KernelSupportSeccompBPF(int proc_fd) {
+bool Sandbox::KernelSupportSeccompBPF() {
   return
-    RunFunctionInPolicy(ProbeProcess, Sandbox::ProbeEvaluator, 0, proc_fd) &&
-    RunFunctionInPolicy(TryVsyscallProcess, Sandbox::AllowAllEvaluator, 0,
-                        proc_fd);
+    RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) &&
+    RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0);
 }
 
 Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) {
   // It the sandbox is currently active, we clearly must have support for
   // sandboxing.
   if (status_ == STATUS_ENABLED) {
     return status_;
   }
 
   // Even if the sandbox was previously available, something might have
@@ skipping 14 matching lines @@
     // STATUS_UNAVAILABLE state, it is safe to assume that sandboxing is
     // actually available.
     status_ = STATUS_AVAILABLE;
     return status_;
   }
 
   // If we have not previously checked for availability of the sandbox or if
   // we otherwise don't believe to have a good cached value, we have to
   // perform a thorough check now.
   if (status_ == STATUS_UNKNOWN) {
-    status_ = KernelSupportSeccompBPF(proc_fd)
+    // We create our own private copy of a "Sandbox" object. This ensures that
+    // the object does not have any policies configured, that might interfere
+    // with the tests done by "KernelSupportSeccompBPF()".
+    Sandbox sandbox;
+
+    // By setting "quiet_ = true" we suppress messages for expected and benign
+    // failures (e.g. if the current kernel lacks support for BPF filters).
+    sandbox.quiet_ = true;
+    sandbox.set_proc_fd(proc_fd);
+    status_ = sandbox.KernelSupportSeccompBPF()
       ? STATUS_AVAILABLE : STATUS_UNSUPPORTED;
 
     // As we are performing our tests from a child process, the run-time
     // environment that is visible to the sandbox is always guaranteed to be
     // single-threaded. Let's check here whether the caller is single-
     // threaded. Otherwise, we mark the sandbox as temporarily unavailable.
     if (status_ == STATUS_AVAILABLE && !IsSingleThreaded(proc_fd)) {
       status_ = STATUS_UNAVAILABLE;
     }
   }
   return status_;
 }
 
 void Sandbox::set_proc_fd(int proc_fd) {
   proc_fd_ = proc_fd;
 }
 
-void Sandbox::StartSandboxInternal(bool quiet) {
+void Sandbox::StartSandbox() {
   if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
     SANDBOX_DIE("Trying to start sandbox, even though it is known to be "
                 "unavailable");
-  } else if (status_ == STATUS_ENABLED) {
-    SANDBOX_DIE("Cannot start sandbox recursively. Use multiple calls to "
-                "setSandboxPolicy() to stack policies instead");
+  } else if (!evaluators_ || !conds_) {
+    SANDBOX_DIE("Cannot repeatedly start sandbox. Create a separate Sandbox "
+                "object instead.");
   }
   if (proc_fd_ < 0) {
     proc_fd_ = open("/proc", O_RDONLY|O_DIRECTORY);
   }
   if (proc_fd_ < 0) {
     // For now, continue in degraded mode, if we can't access /proc.
     // In the future, we might want to tighten this requirement.
   }
   if (!IsSingleThreaded(proc_fd_)) {
     SANDBOX_DIE("Cannot start sandbox, if process is already multi-threaded");
   }
 
   // We no longer need access to any files in /proc. We want to do this
   // before installing the filters, just in case that our policy denies
   // close().
   if (proc_fd_ >= 0) {
     if (HANDLE_EINTR(close(proc_fd_))) {
       SANDBOX_DIE("Failed to close file descriptor for /proc");
     }
     proc_fd_ = -1;
   }
 
   // Install the filters.
-  InstallFilter(quiet);
+  InstallFilter();
 
   // We are now inside the sandbox.
   status_ = STATUS_ENABLED;
 }
 
-bool Sandbox::IsSingleThreaded(int proc_fd) {
-  if (proc_fd < 0) {
-    // Cannot determine whether program is single-threaded. Hope for
-    // the best...
-    return true;
-  }
-
-  struct stat sb;
-  int task = -1;
-  if ((task = openat(proc_fd, "self/task", O_RDONLY|O_DIRECTORY)) < 0 ||
-      fstat(task, &sb) != 0 ||
-      sb.st_nlink != 3 ||
-      HANDLE_EINTR(close(task))) {
-    if (task >= 0) {
-      if (HANDLE_EINTR(close(task))) { }
-    }
-    return false;
-  }
-  return true;
-}
-
-bool Sandbox::IsDenied(const ErrorCode& code) {
-  return (code.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP ||
-         (code.err() >= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MIN_ERRNO) &&
-          code.err() <= (SECCOMP_RET_ERRNO + ErrorCode::ERR_MAX_ERRNO));
-}
-
 void Sandbox::PolicySanityChecks(EvaluateSyscall syscall_evaluator,
                                  void *aux) {
   for (SyscallIterator iter(true); !iter.Done(); ) {
     uint32_t sysnum = iter.Next();
-    if (!IsDenied(syscall_evaluator(sysnum, aux))) {
+    if (!IsDenied(syscall_evaluator(this, sysnum, aux))) {
       SANDBOX_DIE("Policies should deny system calls that are outside the "
                   "expected range (typically MIN_SYSCALL..MAX_SYSCALL)");
     }
   }
   return;
 }
 
-void Sandbox::CheckForUnsafeErrorCodes(Instruction *insn, void *aux) {
-  bool *is_unsafe = static_cast<bool *>(aux);
-  if (!*is_unsafe) {
-    if (BPF_CLASS(insn->code) == BPF_RET &&
-        insn->k > SECCOMP_RET_TRAP &&
-        insn->k - SECCOMP_RET_TRAP <= SECCOMP_RET_DATA) {
-      const ErrorCode& err =
-        Trap::ErrorCodeFromTrapId(insn->k & SECCOMP_RET_DATA);
-      if (err.error_type_ != ErrorCode::ET_INVALID && !err.safe_) {
-        *is_unsafe = true;
-      }
-    }
-  }
-}
-
-void Sandbox::RedirectToUserspace(Instruction *insn, void *) {
-  // When inside an UnsafeTrap() callback, we want to allow all system calls.
-  // This means, we must conditionally disable the sandbox -- and that's not
-  // something that kernel-side BPF filters can do, as they cannot inspect
-  // any state other than the syscall arguments.
-  // But if we redirect all error handlers to user-space, then we can easily
-  // make this decision.
-  // The performance penalty for this extra round-trip to user-space is not
-  // actually that bad, as we only ever pay it for denied system calls; and a
-  // typical program has very few of these.
-  if (BPF_CLASS(insn->code) == BPF_RET &&
-      (insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
-    insn->k = Trap(ReturnErrno,
-                   reinterpret_cast<void *>(insn->k & SECCOMP_RET_DATA)).err();
-  }
-}
-
-ErrorCode Sandbox::RedirectToUserspaceEvalWrapper(int sysnum, void *aux) {
-  // We need to replicate the behavior of RedirectToUserspace(), so that our
-  // Verifier can still work correctly.
-  Evaluators *evaluators = reinterpret_cast<Evaluators *>(aux);
-  const std::pair<EvaluateSyscall, void *>& evaluator = *evaluators->begin();
-  ErrorCode err = evaluator.first(sysnum, evaluator.second);
-  if ((err.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
-    return Trap(ReturnErrno,
-                reinterpret_cast<void *>(err.err() & SECCOMP_RET_DATA));
-  }
-  return err;
-}
-
 void Sandbox::SetSandboxPolicy(EvaluateSyscall syscall_evaluator, void *aux) {
-  if (status_ == STATUS_ENABLED) {
+  if (!evaluators_ || !conds_) {
     SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
   PolicySanityChecks(syscall_evaluator, aux);
-  evaluators_.push_back(std::make_pair(syscall_evaluator, aux));
+  evaluators_->push_back(std::make_pair(syscall_evaluator, aux));
 }
 
-void Sandbox::InstallFilter(bool quiet) {
+void Sandbox::InstallFilter() {
   // We want to be very careful in not imposing any requirements on the
   // policies that are set with SetSandboxPolicy(). This means, as soon as
   // the sandbox is active, we shouldn't be relying on libraries that could
   // be making system calls. This, for example, means we should avoid
   // using the heap and we should avoid using STL functions.
   // Temporarily copy the contents of the "program" vector into a
   // stack-allocated array; and then explicitly destroy that object.
   // This makes sure we don't ex- or implicitly call new/delete after we
   // installed the BPF filter program in the kernel. Depending on the
   // system memory allocator that is in effect, these operators can result
   // in system calls to things like munmap() or brk().
   Program *program = AssembleFilter(false /* force_verification */);
 
   struct sock_filter bpf[program->size()];
   const struct sock_fprog prog = {
     static_cast<unsigned short>(program->size()), bpf };
   memcpy(bpf, &(*program)[0], sizeof(bpf));
   delete program;
 
   // Release memory that is no longer needed
-  evaluators_.clear();
-  conds_.clear();
+  delete evaluators_;
+  delete conds_;
+  evaluators_ = NULL;
+  conds_      = NULL;
 
   // Install BPF filter program
   if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
-    SANDBOX_DIE(quiet ? NULL : "Kernel refuses to enable no-new-privs");
+    SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to enable no-new-privs");
   } else {
     if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
-      SANDBOX_DIE(quiet ? NULL : "Kernel refuses to turn on BPF filters");
+      SANDBOX_DIE(quiet_ ? NULL : "Kernel refuses to turn on BPF filters");
     }
   }
 
   return;
 }
 
 Sandbox::Program *Sandbox::AssembleFilter(bool force_verification) {
 #if !defined(NDEBUG)
   force_verification = true;
 #endif
 
   // Verify that the user pushed a policy.
-  if (evaluators_.empty()) {
+  if (evaluators_->empty()) {
     SANDBOX_DIE("Failed to configure system call filters");
   }
 
   // We can't handle stacked evaluators, yet. We'll get there eventually
   // though. Hang tight.
-  if (evaluators_.size() != 1) {
+  if (evaluators_->size() != 1) {
     SANDBOX_DIE("Not implemented");
   }
 
   // Assemble the BPF filter program.
   CodeGen *gen = new CodeGen();
   if (!gen) {
     SANDBOX_DIE("Out of memory");
   }
 
   // If the architecture doesn't match SECCOMP_ARCH, disallow the
@@ skipping 35 matching lines @@
     // As support for unsafe jumps essentially defeats all the security
     // measures that the sandbox provides, we print a big warning message --
     // and of course, we make sure to only ever enable this feature if it
     // is actually requested by the sandbox policy.
     if (has_unsafe_traps) {
       if (SandboxSyscall(-1) == -1 && errno == ENOSYS) {
         SANDBOX_DIE("Support for UnsafeTrap() has not yet been ported to this "
                     "architecture");
       }
 
-      EvaluateSyscall evaluateSyscall = evaluators_.begin()->first;
-      void *aux                       = evaluators_.begin()->second;
-      if (!evaluateSyscall(__NR_rt_sigprocmask, aux).
+      EvaluateSyscall evaluateSyscall = evaluators_->begin()->first;
+      void *aux                       = evaluators_->begin()->second;
+      if (!evaluateSyscall(this, __NR_rt_sigprocmask, aux).
             Equals(ErrorCode(ErrorCode::ERR_ALLOWED)) ||
-          !evaluateSyscall(__NR_rt_sigreturn, aux).
+          !evaluateSyscall(this, __NR_rt_sigreturn, aux).
             Equals(ErrorCode(ErrorCode::ERR_ALLOWED))
 #if defined(__NR_sigprocmask)
-       || !evaluateSyscall(__NR_sigprocmask, aux).
+       || !evaluateSyscall(this, __NR_sigprocmask, aux).
             Equals(ErrorCode(ErrorCode::ERR_ALLOWED))
 #endif
 #if defined(__NR_sigreturn)
-       || !evaluateSyscall(__NR_sigreturn, aux).
+       || !evaluateSyscall(this, __NR_sigreturn, aux).
             Equals(ErrorCode(ErrorCode::ERR_ALLOWED))
 #endif
           ) {
         SANDBOX_DIE("Invalid seccomp policy; if using UnsafeTrap(), you must "
                     "unconditionally allow sigreturn() and sigprocmask()");
       }
 
       if (!Trap::EnableUnsafeTrapsInSigSysHandler()) {
         // We should never be able to get here, as UnsafeTrap() should never
         // actually return a valid ErrorCode object unless the user set the
         // CHROME_SANDBOX_DEBUGGING environment variable; and therefore,
         // "has_unsafe_traps" would always be false. But better double-check
         // than enabling dangerous code.
         SANDBOX_DIE("We'd rather die than enable unsafe traps");
       }
-      gen->Traverse(jumptable, RedirectToUserspace, NULL);
+      gen->Traverse(jumptable, RedirectToUserspace, this);
 
       // Allow system calls, if they originate from our magic return address
       // (which we can query by calling SandboxSyscall(-1)).
       uintptr_t syscall_entry_point =
         static_cast<uintptr_t>(SandboxSyscall(-1));
       uint32_t low = static_cast<uint32_t>(syscall_entry_point);
 #if __SIZEOF_POINTER__ > 4
       uint32_t hi  = static_cast<uint32_t>(syscall_entry_point >> 32);
 #endif
 
@@ skipping 58 matching lines @@
   return program;
 }
 
 void Sandbox::VerifyProgram(const Program& program, bool has_unsafe_traps) {
   // If we previously rewrote the BPF program so that it calls user-space
   // whenever we return an "errno" value from the filter, then we have to
   // wrap our system call evaluator to perform the same operation. Otherwise,
   // the verifier would also report a mismatch in return codes.
   Evaluators redirected_evaluators;
   redirected_evaluators.push_back(
-      std::make_pair(RedirectToUserspaceEvalWrapper, &evaluators_));
+      std::make_pair(RedirectToUserspaceEvalWrapper, evaluators_));
 
   const char *err = NULL;
   if (!Verifier::VerifyBPF(
+                       this,
                        program,
-                       has_unsafe_traps ? redirected_evaluators : evaluators_,
+                       has_unsafe_traps ? redirected_evaluators : *evaluators_,
                        &err)) {
     CodeGen::PrintProgram(program);
     SANDBOX_DIE(err);
   }
 }
 
 void Sandbox::FindRanges(Ranges *ranges) {
   // Please note that "struct seccomp_data" defines system calls as a signed
   // int32_t, but BPF instructions always operate on unsigned quantities. We
   // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
   // and then verifying that the rest of the number range (both positive and
   // negative) all return the same ErrorCode.
-  EvaluateSyscall evaluate_syscall = evaluators_.begin()->first;
-  void *aux                        = evaluators_.begin()->second;
+  EvaluateSyscall evaluate_syscall = evaluators_->begin()->first;
+  void *aux                        = evaluators_->begin()->second;
   uint32_t old_sysnum              = 0;
-  ErrorCode old_err                = evaluate_syscall(old_sysnum, aux);
-  ErrorCode invalid_err            = evaluate_syscall(MIN_SYSCALL - 1, aux);
+  ErrorCode old_err                = evaluate_syscall(this, old_sysnum, aux);
+  ErrorCode invalid_err            = evaluate_syscall(this, MIN_SYSCALL - 1,
+                                                      aux);
   for (SyscallIterator iter(false); !iter.Done(); ) {
     uint32_t sysnum = iter.Next();
-    ErrorCode err = evaluate_syscall(static_cast<int>(sysnum), aux);
+    ErrorCode err = evaluate_syscall(this, static_cast<int>(sysnum), aux);
     if (!iter.IsValid(sysnum) && !invalid_err.Equals(err)) {
       // A proper sandbox policy should always treat system calls outside of
       // the range MIN_SYSCALL..MAX_SYSCALL (i.e. anything that returns
       // "false" for SyscallIterator::IsValid()) identically. Typically, all
       // of these system calls would be denied with the same ErrorCode.
       SANDBOX_DIE("Invalid seccomp policy");
     }
     if (!err.Equals(old_err) || iter.Done()) {
       ranges->push_back(Range(old_sysnum, sysnum - 1, old_err));
       old_sysnum = sysnum;
@@ skipping 229 matching lines @@
 intptr_t Sandbox::ForwardSyscall(const struct arch_seccomp_data& args) {
   return SandboxSyscall(args.nr,
                         static_cast<intptr_t>(args.args[0]),
                         static_cast<intptr_t>(args.args[1]),
                         static_cast<intptr_t>(args.args[2]),
                         static_cast<intptr_t>(args.args[3]),
                         static_cast<intptr_t>(args.args[4]),
                         static_cast<intptr_t>(args.args[5]));
 }
 
-intptr_t Sandbox::ReturnErrno(const struct arch_seccomp_data&, void *aux) {
-  // TrapFnc functions report error by following the native kernel convention
-  // of returning an exit code in the range of -1..-4096. They do not try to
-  // set errno themselves. The glibc wrapper that triggered the SIGSYS will
-  // ultimately do so for us.
-  int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
-  return -err;
-}
-
 ErrorCode Sandbox::Cond(int argno, ErrorCode::ArgType width,
                         ErrorCode::Operation op, uint64_t value,
                         const ErrorCode& passed, const ErrorCode& failed) {
   return ErrorCode(argno, width, op, value,
-                   &*conds_.insert(passed).first,
-                   &*conds_.insert(failed).first);
-}
-
-intptr_t Sandbox::BpfFailure(const struct arch_seccomp_data&, void *aux) {
-  SANDBOX_DIE(static_cast<char *>(aux));
+                   &*conds_->insert(passed).first,
+                   &*conds_->insert(failed).first);
 }
 
 ErrorCode Sandbox::Kill(const char *msg) {
   return Trap(BpfFailure, const_cast<char *>(msg));
 }
 
 Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
-int Sandbox::proc_fd_                   = -1;
-Sandbox::Evaluators Sandbox::evaluators_;
-Sandbox::Conds Sandbox::conds_;
 
 }  // namespace