bpf_dsl: support Switch/Case expressions

sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
 
 #include <errno.h>
 #include <fcntl.h>
 #include <fcntl.h>
 #include <linux/futex.h>
@@ skipping 58 matching lines @@
 inline bool IsArchitectureMips() {
 #if defined(__mips__)
   return true;
 #else
   return false;
 #endif
 }
 
 }  // namespace.
 
+#define CASES SANDBOX_BPF_DSL_CASES
+
 using sandbox::bpf_dsl::Allow;
 using sandbox::bpf_dsl::Arg;
 using sandbox::bpf_dsl::BoolExpr;
 using sandbox::bpf_dsl::Error;
 using sandbox::bpf_dsl::If;
 using sandbox::bpf_dsl::ResultExpr;
 
 // TODO(mdempsky): Make BoolExpr a standalone class so these operators can
 // be resolved via argument-dependent lookup.
 using sandbox::bpf_dsl::operator||;
@@ skipping 24 matching lines @@
 
   return If(IsAndroid() ? android_test : glibc_test, Allow())
       .ElseIf((flags & (CLONE_VM | CLONE_THREAD)) == 0, Error(EPERM))
       .Else(CrashSIGSYSClone());
 }
 
 ResultExpr RestrictPrctl() {
   // Will need to add seccomp compositing in the future. PR_SET_PTRACER is
   // used by breakpad but not needed anymore.
   const Arg<int> option(0);
-  return If(option == PR_GET_NAME || option == PR_SET_NAME ||
-                option == PR_GET_DUMPABLE || option == PR_SET_DUMPABLE,
-            Allow()).Else(CrashSIGSYSPrctl());
+  return Switch(option)
+      .CASES((PR_GET_NAME, PR_SET_NAME, PR_GET_DUMPABLE, PR_SET_DUMPABLE),
+             Allow())
+      .Default(CrashSIGSYSPrctl());
 }
 
 ResultExpr RestrictIoctl() {
   const Arg<int> request(1);
-  return If(request == TCGETS || request == FIONREAD, Allow())
-      .Else(CrashSIGSYSIoctl());
+  return Switch(request).CASES((TCGETS, FIONREAD), Allow()).Default(
+      CrashSIGSYSIoctl());
 }
 
 ResultExpr RestrictMmapFlags() {
   // The flags you see are actually the allowed ones, and the variable is a
   // "denied" mask because of the negation operator.
   // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
   // MAP_POPULATE.
   // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries.
   const uint32_t denied_mask =
       ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK | MAP_NORESERVE |
@@ skipping 20 matching lines @@
   // Glibc overrides the kernel's O_LARGEFILE value. Account for this.
   int kOLargeFileFlag = O_LARGEFILE;
   if (IsArchitectureX86_64() || IsArchitectureI386() || IsArchitectureMips())
     kOLargeFileFlag = 0100000;
 
   const Arg<int> cmd(1);
   const Arg<long> long_arg(2);
 
   unsigned long denied_mask = ~(O_ACCMODE | O_APPEND | O_NONBLOCK | O_SYNC |
                                 kOLargeFileFlag | O_CLOEXEC | O_NOATIME);
-  return If(cmd == F_GETFL || cmd == F_GETFD || cmd == F_SETFD ||
-                cmd == F_SETLK || cmd == F_SETLKW || cmd == F_GETLK ||
-                cmd == F_DUPFD || cmd == F_DUPFD_CLOEXEC ||
-                (cmd == F_SETFL && (long_arg & denied_mask) == 0),
-            Allow()).Else(CrashSIGSYS());
+  return Switch(cmd)
+      .CASES((F_GETFL,
+              F_GETFD,
+              F_SETFD,
+              F_SETLK,
+              F_SETLKW,
+              F_GETLK,
+              F_DUPFD,
+              F_DUPFD_CLOEXEC),
+             Allow())
+      .Case(F_SETFL,
+            If((long_arg & denied_mask) == 0, Allow()).Else(CrashSIGSYS()))
+      .Default(CrashSIGSYS());
 }
 
 #if defined(__i386__) || defined(__mips__)
 ResultExpr RestrictSocketcallCommand() {
   // Unfortunately, we are unable to restrict the first parameter to
   // socketpair(2). Whilst initially sounding bad, it's noteworthy that very
   // few protocols actually support socketpair(2). The scary call that we're
   // worried about, socket(2), remains blocked.
   const Arg<int> call(0);
-  return If(call == SYS_SOCKETPAIR || call == SYS_SHUTDOWN ||
-                call == SYS_RECV || call == SYS_SEND ||
-                call == SYS_RECVFROM || call == SYS_SENDTO ||
-                call == SYS_RECVMSG || call == SYS_SENDMSG,
-            Allow()).Else(Error(EPERM));
+  return Switch(call)
+      .CASES((SYS_SOCKETPAIR,
+              SYS_SHUTDOWN,
+              SYS_RECV,
+              SYS_SEND,
+              SYS_RECVFROM,
+              SYS_SENDTO,
+              SYS_RECVMSG,
+              SYS_SENDMSG),
+             Allow())
+      .Default(Error(EPERM));
 }
 #endif
 
 ResultExpr RestrictKillTarget(pid_t target_pid, int sysno) {
   switch (sysno) {
     case __NR_kill:
     case __NR_tgkill: {
       const Arg<pid_t> pid(0);
       return If(pid == target_pid, Allow()).Else(CrashSIGSYSKill());
     }
     case __NR_tkill:
       return CrashSIGSYSKill();
     default:
       NOTREACHED();
       return CrashSIGSYS();
   }
 }
 
 ResultExpr RestrictFutex() {
   // In futex.c, the kernel does "int cmd = op & FUTEX_CMD_MASK;". We need to
   // make sure that the combination below will cover every way to get
   // FUTEX_CMP_REQUEUE_PI.
   const int kBannedFutexBits =
       ~(FUTEX_CMD_MASK | FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME);
   COMPILE_ASSERT(0 == kBannedFutexBits,
                  need_to_explicitly_blacklist_more_bits);
 
   const Arg<int> op(1);
-  return If(op == FUTEX_CMP_REQUEUE_PI || op == FUTEX_CMP_REQUEUE_PI_PRIVATE ||
-                op == (FUTEX_CMP_REQUEUE_PI | FUTEX_CLOCK_REALTIME) ||
-                op == (FUTEX_CMP_REQUEUE_PI_PRIVATE | FUTEX_CLOCK_REALTIME),
-            CrashSIGSYSFutex()).Else(Allow());
+  return Switch(op)
+      .CASES((FUTEX_CMP_REQUEUE_PI,
+              FUTEX_CMP_REQUEUE_PI_PRIVATE,
+              (FUTEX_CMP_REQUEUE_PI | FUTEX_CLOCK_REALTIME),
+              (FUTEX_CMP_REQUEUE_PI_PRIVATE | FUTEX_CLOCK_REALTIME)),
+             CrashSIGSYSFutex())
+      .Default(Allow());
 }
 
 }  // namespace sandbox.