Remove SandboxBPF's dependency on CompatibilityPolicy

sandbox/linux/seccomp-bpf/sandbox_bpf.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
 
 // Some headers on Android are missing cdefs: crbug.com/172337.
 // (We can't use OS_ANDROID here since build_config.h is not included).
 #if defined(ANDROID)
 #include <sys/cdefs.h>
 #endif
 
 #include <errno.h>
 #include <fcntl.h>
 #include <string.h>
 #include <sys/prctl.h>
 #include <sys/stat.h>
 #include <sys/syscall.h>
 #include <sys/types.h>
 #include <time.h>
 #include <unistd.h>
 
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "sandbox/linux/seccomp-bpf/codegen.h"
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf_compatibility_policy.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 
 namespace sandbox {
 
 namespace {
 
 const int kExpectedExitCode = 100;
@@ skipping 11 matching lines @@
       "Failed to set up stderr: ";
   if (HANDLE_EINTR(write(out_fd, msg, sizeof(msg) - 1)) > 0 && error_string &&
       HANDLE_EINTR(write(out_fd, error_string, strlen(error_string))) > 0 &&
       HANDLE_EINTR(write(out_fd, "\n", 1))) {
   }
 }
 #endif  // !defined(NDEBUG)
 
 // We define a really simple sandbox policy. It is just good enough for us
 // to tell that the sandbox has actually been activated.
-ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) __attribute__((const));
-ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) {
-  switch (sysnum) {
-    case __NR_getpid:
-      // Return EPERM so that we can check that the filter actually ran.
-      return ErrorCode(EPERM);
-    case __NR_exit_group:
-      // Allow exit() with a non-default return code.
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
-    default:
-      // Make everything else fail in an easily recognizable way.
-      return ErrorCode(EINVAL);
+class ProbePolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysnum) const OVERRIDE {
+    switch (sysnum) {
+      case __NR_getpid:
+        // Return EPERM so that we can check that the filter actually ran.
+        return ErrorCode(EPERM);
+      case __NR_exit_group:
+        // Allow exit() with a non-default return code.
+        return ErrorCode(ErrorCode::ERR_ALLOWED);
+      default:
+        // Make everything else fail in an easily recognizable way.
+        return ErrorCode(EINVAL);
+    }
   }
-}
+};
 
 void ProbeProcess(void) {
   if (syscall(__NR_getpid) < 0 && errno == EPERM) {
     syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
   }
 }
 
-ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) {
-  DCHECK(SandboxBPF::IsValidSyscallNumber(sysnum));
-  return ErrorCode(ErrorCode::ERR_ALLOWED);
-}
+class AllowAllPolicy : public SandboxBPFPolicy {
+ public:
+  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysnum) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysnum));
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+};
 
 void TryVsyscallProcess(void) {
   time_t current_time;
   // time() is implemented as a vsyscall. With an older glibc, with
   // vsyscall=emulate and some versions of the seccomp BPF patch
   // we may get SIGKILL-ed. Detect this!
   if (time(&current_time) != static_cast<time_t>(-1)) {
     syscall(__NR_exit_group, static_cast<intptr_t>(kExpectedExitCode));
   }
 }
@@ skipping 137 matching lines @@
   if (conds_) {
     delete conds_;
   }
 }
 
 bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
   return SyscallIterator::IsValid(sysnum);
 }
 
 bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
-                                     EvaluateSyscall syscall_evaluator,
-                                     void* aux) {
+                                     scoped_ptr<SandboxBPFPolicy> policy) {
   // Block all signals before forking a child process. This prevents an
   // attacker from manipulating our test by sending us an unexpected signal.
   sigset_t old_mask, new_mask;
   if (sigfillset(&new_mask) || sigprocmask(SIG_BLOCK, &new_mask, &old_mask)) {
     SANDBOX_DIE("sigprocmask() failed");
   }
   int fds[2];
   if (pipe2(fds, O_NONBLOCK | O_CLOEXEC)) {
     SANDBOX_DIE("pipe() failed");
   }
 
   if (fds[0] <= 2 || fds[1] <= 2) {
     SANDBOX_DIE("Process started without standard file descriptors");
   }
 
   // This code is using fork() and should only ever run single-threaded.
   // Most of the code below is "async-signal-safe" and only minor changes
   // would be needed to support threads.

[jln (very slow on Chromium), 2014/05/19 20:57:19]

It's still true that we can enable forking with threads with only minor changes
if needed (for Android) here, just wanted to call your attention to this.

But I think we might want to just completely remove this function. It used to be
that old glibc would still use vsyscall and not work with seccomp-bpf and there
were a few other things to test for. But I think we may be mature enough to
simply detect if seccomp-bpf is present in the kernel and expect it to work.

[mdempsky, 2014/05/19 21:01:28]

Noted.  I'll look into this as a followup cleanup.

   DCHECK(IsSingleThreaded(proc_fd_));
   pid_t pid = fork();
   if (pid < 0) {
     // Die if we cannot fork(). We would probably fail a little later
     // anyway, as the machine is likely very close to running out of
     // memory.
     // But what we don't want to do is return "false", as a crafty
     // attacker might cause fork() to fail at will and could trick us
     // into running without a sandbox.
     sigprocmask(SIG_SETMASK, &old_mask, NULL);  // OK, if it fails
@@ skipping 31 matching lines @@
     }
     if (IGNORE_EINTR(close(fds[1]))) {
       // This call to close() has been failing in strange ways. See
       // crbug.com/152530. So we only fail in debug mode now.
 #if !defined(NDEBUG)
       WriteFailedStderrSetupMessage(fds[1]);
       SANDBOX_DIE(NULL);
 #endif
     }
 
-    SetSandboxPolicyDeprecated(syscall_evaluator, aux);
+    SetSandboxPolicy(policy.release());
     if (!StartSandbox(PROCESS_SINGLE_THREADED)) {
       SANDBOX_DIE(NULL);
     }
 
     // Run our code in the sandbox.
     code_in_sandbox();
 
     // code_in_sandbox() is not supposed to return here.
     SANDBOX_DIE(NULL);
   }
@@ skipping 28 matching lines @@
     }
   }
   if (IGNORE_EINTR(close(fds[0]))) {
     SANDBOX_DIE("close() failed");
   }
 
   return rc;
 }
 
 bool SandboxBPF::KernelSupportSeccompBPF() {
-  return RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) &&
-         RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0);
+  return RunFunctionInPolicy(ProbeProcess,
+                             scoped_ptr<SandboxBPFPolicy>(new ProbePolicy())) &&
+         RunFunctionInPolicy(
+             TryVsyscallProcess,
+             scoped_ptr<SandboxBPFPolicy>(new AllowAllPolicy()));
 }
 
 SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
   // It the sandbox is currently active, we clearly must have support for
   // sandboxing.
   if (status_ == STATUS_ENABLED) {
     return status_;
   }
 
   // Even if the sandbox was previously available, something might have
@@ skipping 94 matching lines @@
   return true;
 }
 
 void SandboxBPF::PolicySanityChecks(SandboxBPFPolicy* policy) {
   if (!IsDenied(policy->InvalidSyscall(this))) {
     SANDBOX_DIE("Policies should deny invalid system calls.");
   }
   return;
 }
 
-// Deprecated API, supported with a wrapper to the new API.
-void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
-                                            void* aux) {
-  if (sandbox_has_started_ || !conds_) {
-    SANDBOX_DIE("Cannot change policy after sandbox has started");
-  }
-  SetSandboxPolicy(new CompatibilityPolicy<void>(syscall_evaluator, aux));
-}
-
 // Don't take a scoped_ptr here, polymorphism make their use awkward.
 void SandboxBPF::SetSandboxPolicy(SandboxBPFPolicy* policy) {
   DCHECK(!policy_);
   if (sandbox_has_started_ || !conds_) {
     SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
   PolicySanityChecks(policy);
   policy_.reset(policy);
 }
 
@@ skipping 523 matching lines @@
                    &*conds_->insert(failed).first);
 }
 
 ErrorCode SandboxBPF::Kill(const char* msg) {
   return Trap(BPFFailure, const_cast<char*>(msg));
 }
 
 SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
 
 }  // namespace sandbox