sandbox/linux/seccomp-bpf/sandbox_bpf.h - Issue 530133003: bpf_dsl: support arbitrary (arg & mask) == val expressions

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: sandbox/linux/seccomp-bpf/sandbox_bpf.h

Issue 530133003: bpf_dsl: support arbitrary (arg & mask) == val expressions (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Reorder function definitions slightly Created 6 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sandbox/linux/seccomp-bpf/sandbox_bpf.h

diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h

index 870e8a0d9cabde1bdfa159bb6dec19662e9f0775..a85c7ac84b7d36317292917a766cb6e2038df4a5 100644

--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h

+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h

@@ -147,13 +147,21 @@ class SANDBOX_EXPORT SandboxBPF {

// We can also use ErrorCode to request evaluation of a conditional

// statement based on inspection of system call parameters.

// This method wrap an ErrorCode object around the conditional statement.

- // Argument "argno" (1..6) will be compared to "value" using comparator

- // "op". If the condition is true "passed" will be returned, otherwise

- // "failed".

+ // Argument "argno" (1..6) will be bitwise-AND'd with "mask" and compared

+ // to "value"; if equal, then "passed" will be returned, otherwise "failed".

// If "is32bit" is set, the argument must in the range of 0x0..(1u << 32 - 1)

// If it is outside this range, the sandbox treats the system call just

// the same as any other ABI violation (i.e. it aborts with an error

// message).

+ ErrorCode CondMaskedEqual(int argno,

+ ErrorCode::ArgType is_32bit,

+ uint64_t mask,

+ uint64_t value,

+ const ErrorCode& passed,

+ const ErrorCode& failed);

+ // Legacy variant of CondMaskedEqual that supports a few comparison

+ // operations, which get converted into masked-equality comparisons.

ErrorCode Cond(int argno,

ErrorCode::ArgType is_32bit,

ErrorCode::Operation op,

@@ -209,6 +217,13 @@ class SANDBOX_EXPORT SandboxBPF {

typedef std::map<uint32_t, ErrorCode> ErrMap;

typedef std::set<ErrorCode, struct ErrorCode::LessThan> Conds;

+ // Used by CondExpressionHalf to track which half of the argument it's

+ // emitting instructions for.

+ enum ArgHalf {

+ LowerHalf,

+ UpperHalf,

+ };

// Get a file descriptor pointing to "/proc", if currently available.

int proc_fd() { return proc_fd_; }

@@ -261,6 +276,14 @@ class SANDBOX_EXPORT SandboxBPF {

// called from RetExpression().

Instruction* CondExpression(CodeGen* gen, const ErrorCode& cond);

+ // Returns a BPF program that evaluates half of a conditional expression;

+ // it should only ever be called from CondExpression().

+ Instruction* CondExpressionHalf(CodeGen* gen,

+ const ErrorCode& cond,

+ ArgHalf half,

+ Instruction* passed,

+ Instruction* failed);

static SandboxStatus status_;

bool quiet_;

« no previous file with comments | « sandbox/linux/seccomp-bpf/errorcode.cc ('k') | sandbox/linux/seccomp-bpf/sandbox_bpf.cc » ('j') | sandbox/linux/seccomp-bpf/sandbox_bpf.cc » ('J')