bpf_dsl: support arbitrary (arg & mask) == val expressions

sandbox/linux/seccomp-bpf/errorcode.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
 #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
 
 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
 #include "sandbox/linux/seccomp-bpf/trap.h"
 #include "sandbox/sandbox_export.h"
@@ skipping 69 matching lines @@
     // the conditional test should operate on the full 64bit argument. It is
     // generally harmless to perform a 64bit test on 32bit systems, as the
     // kernel will always see the top 32 bits of all arguments as zero'd out.
     // This approach has the desirable property that for tests of pointer
     // values, we can always use TP_64BIT no matter the host architecture.
     // But of course, that also means, it is possible to write conditional
     // policies that turn into no-ops on 32bit systems; this is by design.
     TP_64BIT,
   };
 
+  // Deprecated.
   enum Operation {
     // Test whether the system call argument is equal to the operand.
     OP_EQUAL,
 
-    // Test whether the system call argument is greater (or equal) to the
-    // operand. Please note that all tests always operate on unsigned
-    // values. You can generally emulate signed tests, if that's what you
-    // need.
-    // TODO(markus): Check whether we should automatically emulate signed
-    //               operations.
-    OP_GREATER_UNSIGNED,
-    OP_GREATER_EQUAL_UNSIGNED,
-
     // Tests a system call argument against a bit mask.
     // The "ALL_BITS" variant performs this test: "arg & mask == mask"
     // This implies that a mask of zero always results in a passing test.
     // The "ANY_BITS" variant performs this test: "arg & mask != 0"
     // This implies that a mask of zero always results in a failing test.
     OP_HAS_ALL_BITS,
     OP_HAS_ANY_BITS,
-
-    // Total number of operations.
-    OP_NUM_OPS,
   };
 
   enum ErrorType {
     ET_INVALID,
     ET_SIMPLE,
     ET_TRAP,
     ET_COND,
   };
 
   // We allow the default constructor, as it makes the ErrorCode class
@@ skipping 15 matching lines @@
   ~ErrorCode() {}
 
   bool Equals(const ErrorCode& err) const;
   bool LessThan(const ErrorCode& err) const;
 
   uint32_t err() const { return err_; }
   ErrorType error_type() const { return error_type_; }
 
   bool safe() const { return safe_; }
 
+  uint64_t mask() const { return mask_; }
   uint64_t value() const { return value_; }
   int argno() const { return argno_; }
   ArgType width() const { return width_; }
-  Operation op() const { return op_; }
   const ErrorCode* passed() const { return passed_; }
   const ErrorCode* failed() const { return failed_; }
 
   struct LessThan {
     bool operator()(const ErrorCode& a, const ErrorCode& b) const {
       return a.LessThan(b);
     }
   };
 
  private:
   friend class CodeGen;
   friend class SandboxBPF;
   friend class Trap;
 
   // If we are wrapping a callback, we must assign a unique id. This id is
   // how the kernel tells us which one of our different SECCOMP_RET_TRAP
   // cases has been triggered.
   ErrorCode(Trap::TrapFnc fnc, const void* aux, bool safe, uint16_t id);
 
   // Some system calls require inspection of arguments. This constructor
   // allows us to specify additional constraints.
   ErrorCode(int argno,
             ArgType width,
-            Operation op,
+            uint64_t mask,
             uint64_t value,
             const ErrorCode* passed,
             const ErrorCode* failed);
 
   ErrorType error_type_;
 
   union {
     // Fields needed for SECCOMP_RET_TRAP callbacks
     struct {
       Trap::TrapFnc fnc_;  // Callback function and arg, if trap was
       void* aux_;          //   triggered by the kernel's BPF filter.
       bool safe_;          // Keep sandbox active while calling fnc_()
     };
 
     // Fields needed when inspecting additional arguments.
     struct {
+      uint64_t mask_;            // Mask that we are comparing under.
       uint64_t value_;           // Value that we are comparing with.
       int argno_;                // Syscall arg number that we are inspecting.
       ArgType width_;            // Whether we are looking at a 32/64bit value.
-      Operation op_;             // Comparison operation.
       const ErrorCode* passed_;  // Value to be returned if comparison passed,
       const ErrorCode* failed_;  //   or if it failed.
     };
   };
 
   // 32bit field used for all possible types of ErrorCode values. This is
   // the value that uniquely identifies any ErrorCode and it (typically) can
   // be emitted directly into a BPF filter program.
   uint32_t err_;
 };
 
 }  // namespace sandbox
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__