[MIPS] Add seccomp bpf support

sandbox/linux/seccomp-bpf/trap.cc

Index: sandbox/linux/seccomp-bpf/trap.cc
diff --git a/sandbox/linux/seccomp-bpf/trap.cc b/sandbox/linux/seccomp-bpf/trap.cc
index f8b64c991b0f591c4d82bbb196e22acba7e96ece..3d88701083af14a66ac48c948df2bf43be8ee7aa 100644
--- a/sandbox/linux/seccomp-bpf/trap.cc
+++ b/sandbox/linux/seccomp-bpf/trap.cc
@@ -159,7 +159,15 @@ void Trap::SigSys(int nr, siginfo_t* info, void* void_context) {
     // safe and can lead to bugs. We should eventually implement a different
     // logging and reporting mechanism that is safe to be called from
     // the sigSys() handler.
+#if defined (__mips__)

[jln (very slow on Chromium), 2014/05/02 20:42:04]

style: #if defined(), no space.

[nedeljko, 2014/05/07 15:40:05]

Done.

+    // When indirect syscall (syscall(__NR_foo, ...)) is made on Mips, number
+    // in register SECCOMP_SYSCALL(ctx) is always __NR_syscall and real
+    // number of a syscall (__NR_foo) is in SECCOMP_PARM1(ctx)
+    if (sigsys.nr != static_cast<int>(SECCOMP_PARM1(ctx)))
+      RAW_SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS.");

[jln (very slow on Chromium), 2014/05/02 20:42:04]

I don't think this is correct. The code is no longer dying if "sigsys.arch !=
SECCOMP_ARCH" for instance.

do something like:

bool sigsys_nr_is_correct = false;
#if defined(__mips__)
sigsys_nr_is_correct = sigsys.nr == static_cast<int>(SECCOMP_PARM1(ctx)
#else
sigsys_nr == static_cast<int>(SECCOMP_SYSCALL(ctx))
#endif

And use this bool in the if()

[nedeljko, 2014/05/07 15:40:05]

Done.

+#else
     RAW_SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS.");
+#endif
   }
 
   intptr_t rc;
@@ -168,7 +176,7 @@ void Trap::SigSys(int nr, siginfo_t* info, void* void_context) {
     if (sigsys.nr == __NR_clone) {
       RAW_SANDBOX_DIE("Cannot call clone() from an UnsafeTrap() handler.");
     }
-    rc = SandboxSyscall(sigsys.nr,
+    rc = SandboxSyscall(SECCOMP_SYSCALL(ctx),
                         SECCOMP_PARM1(ctx),
                         SECCOMP_PARM2(ctx),
                         SECCOMP_PARM3(ctx),
@@ -185,7 +193,8 @@ void Trap::SigSys(int nr, siginfo_t* info, void* void_context) {
     // is what we are showing to TrapFnc callbacks that the system call
     // evaluator registered with the sandbox.
     struct arch_seccomp_data data = {
-        sigsys.nr, SECCOMP_ARCH, reinterpret_cast<uint64_t>(sigsys.ip),
+        static_cast<int>SECCOMP_SYSCALL(ctx), SECCOMP_ARCH,
+        reinterpret_cast<uint64_t>(sigsys.ip),
         {static_cast<uint64_t>(SECCOMP_PARM1(ctx)),
          static_cast<uint64_t>(SECCOMP_PARM2(ctx)),
          static_cast<uint64_t>(SECCOMP_PARM3(ctx)),
@@ -198,6 +207,18 @@ void Trap::SigSys(int nr, siginfo_t* info, void* void_context) {
     rc = err.fnc_(data, err.aux_);
   }
 
+#if defined(__mips__)
+  // Mips ABI states that on error a3 CPU register should be set to one
+  // and if there is no error, it should be zero.
+  // The other difference from Intel and Arm is in that on error kernel
+  // returns positive value of errno.
+  if(rc < 0) {
+    rc = -rc;

[jln (very slow on Chromium), 2014/05/02 20:42:04]

Let's use a wrapper for this (see comment in other files).

[nedeljko, 2014/05/07 15:40:05]

Done.

+    SECCOMP_PARM4(ctx) = 1;
+  } else {
+    SECCOMP_PARM4(ctx) = 0;
+  }
+#endif
   // Update the CPU register that stores the return code of the system call
   // that we just handled, and restore "errno" to the value that it had
   // before entering the signal handler.