Chromium Code Reviews Chromium Code Reviews
Issue 559653004:
Convert sandbox_bpf_unittest.cc to use bpf_dsl (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_ | 5 #ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_ |
| 6 #define SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_ | 6 #define SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_ |
| 7 | 7 |
| 8 #include <stdint.h> | 8 #include <stdint.h> |
| 9 | 9 |
| 10 #include <utility> | 10 #include <utility> |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 53 // return Allow(); | 53 // return Allow(); |
| 54 // } | 54 // } |
| 55 // } | 55 // } |
| 56 // | 56 // |
| 57 // private: | 57 // private: |
| 58 // DISALLOW_COPY_AND_ASSIGN(SillyPolicy); | 58 // DISALLOW_COPY_AND_ASSIGN(SillyPolicy); |
| 59 // }; | 59 // }; |
| 60 // | 60 // |
| 61 // More generally, the DSL currently supports the following grammar: | 61 // More generally, the DSL currently supports the following grammar: |
| 62 // | 62 // |
| 63 // result = Allow() | Error(errno) | Trap(trap_func, aux) | 63 // result = Allow() | Error(errno) | Kill(msg) | Trace(aux) |
| 64 // | Trap(trap_func, aux) | UnsafeTrap(trap_func, aux) | |
| 64 // | If(bool, result)[.ElseIf(bool, result)].Else(result) | 65 // | If(bool, result)[.ElseIf(bool, result)].Else(result) |
| 65 // | Switch(arg)[.Case(val, result)].Default(result) | 66 // | Switch(arg)[.Case(val, result)].Default(result) |
| 66 // bool = BoolConst(boolean) | !bool | bool && bool | bool || bool | 67 // bool = BoolConst(boolean) | !bool | bool && bool | bool || bool |
| 67 // | arg == val | 68 // | arg == val | arg != val |
|
jln (very slow on Chromium)
2014/09/12 23:52:57
Please add a small test for this one.
mdempsky
2014/09/13 00:20:24
Done.
| |
| 68 // arg = Arg<T>(num) | arg & mask | 69 // arg = Arg<T>(num) | arg & mask |
| 69 // | 70 // |
| 70 // The semantics of each function and operator are intended to be | 71 // The semantics of each function and operator are intended to be |
| 71 // intuitive, but are described in more detail below. | 72 // intuitive, but are described in more detail below. |
| 72 // | 73 // |
| 73 // (Credit to Sean Parent's "Inheritance is the Base Class of Evil" | 74 // (Credit to Sean Parent's "Inheritance is the Base Class of Evil" |
| 74 // talk at Going Native 2013 for promoting value semantics via shared | 75 // talk at Going Native 2013 for promoting value semantics via shared |
| 75 // pointers to immutable state.) | 76 // pointers to immutable state.) |
| 76 | 77 |
| 77 namespace sandbox { | 78 namespace sandbox { |
| (...skipping 28 matching lines...) Expand all Loading... | |
| 106 virtual ResultExpr InvalidSyscall() const; | 107 virtual ResultExpr InvalidSyscall() const; |
| 107 | 108 |
| 108 // Override implementations from SandboxBPFPolicy. Marked as FINAL | 109 // Override implementations from SandboxBPFPolicy. Marked as FINAL |
| 109 // to prevent mixups with child classes accidentally overloading | 110 // to prevent mixups with child classes accidentally overloading |
| 110 // these instead of the above methods. | 111 // these instead of the above methods. |
| 111 virtual ErrorCode EvaluateSyscall(SandboxBPF* sb, | 112 virtual ErrorCode EvaluateSyscall(SandboxBPF* sb, |
| 112 int sysno) const OVERRIDE FINAL; | 113 int sysno) const OVERRIDE FINAL; |
| 113 virtual ErrorCode InvalidSyscall(SandboxBPF* sb) const OVERRIDE FINAL; | 114 virtual ErrorCode InvalidSyscall(SandboxBPF* sb) const OVERRIDE FINAL; |
| 114 | 115 |
| 115 // Helper method so policies can just write Trap(func, aux). | 116 // Helper method so policies can just write Trap(func, aux). |
| 116 static ResultExpr Trap(Trap::TrapFnc trap_func, void* aux); | 117 static ResultExpr Trap(Trap::TrapFnc trap_func, const void* aux); |
| 117 | 118 |
| 118 private: | 119 private: |
| 119 DISALLOW_COPY_AND_ASSIGN(SandboxBPFDSLPolicy); | 120 DISALLOW_COPY_AND_ASSIGN(SandboxBPFDSLPolicy); |
| 120 }; | 121 }; |
| 121 | 122 |
| 122 // Allow specifies a result that the system call should be allowed to | 123 // Allow specifies a result that the system call should be allowed to |
| 123 // execute normally. | 124 // execute normally. |
| 124 SANDBOX_EXPORT ResultExpr Allow(); | 125 SANDBOX_EXPORT ResultExpr Allow(); |
| 125 | 126 |
| 126 // Error specifies a result that the system call should fail with | 127 // Error specifies a result that the system call should fail with |
| 127 // error number |err|. As a special case, Error(0) will result in the | 128 // error number |err|. As a special case, Error(0) will result in the |
| 128 // system call appearing to have succeeded, but without having any | 129 // system call appearing to have succeeded, but without having any |
| 129 // side effects. | 130 // side effects. |
| 130 SANDBOX_EXPORT ResultExpr Error(int err); | 131 SANDBOX_EXPORT ResultExpr Error(int err); |
| 131 | 132 |
| 133 // Kill specifies a result to kill the program and print an error message. | |
| 134 SANDBOX_EXPORT ResultExpr Kill(const char* msg); | |
| 135 | |
| 136 // Trace specifies a result to notify a tracing process via the | |
| 137 // PTRACE_EVENT_SECCOMP event and allow it to change or skip the system call. | |
| 138 // The value of |aux| will be available to the tracer via PTRACE_GETEVENTMSG. | |
| 139 SANDBOX_EXPORT ResultExpr Trace(uint16_t aux); | |
| 140 | |
| 132 // Trap specifies a result that the system call should be handled by | 141 // Trap specifies a result that the system call should be handled by |
| 133 // trapping back into userspace and invoking |trap_func|, passing | 142 // trapping back into userspace and invoking |trap_func|, passing |
| 134 // |aux| as the second parameter. | 143 // |aux| as the second parameter. |
| 135 SANDBOX_EXPORT ResultExpr Trap(Trap::TrapFnc trap_func, void* aux); | 144 SANDBOX_EXPORT ResultExpr Trap(Trap::TrapFnc trap_func, const void* aux); |
| 145 | |
| 146 // UnsafeTrap is like Trap, except the policy is marked as "unsafe" | |
| 147 // and allowed to use SandboxSyscall to invoke any system call. | |
| 148 // | |
| 149 // NOTE: This feature, by definition, disables all security features of | |
| 150 // the sandbox. It should never be used in production, but it can be | |
| 151 // very useful to diagnose code that is incompatible with the sandbox. | |
| 152 // If even a single system call returns "UnsafeTrap", the security of | |
| 153 // entire sandbox should be considered compromised. | |
| 154 SANDBOX_EXPORT ResultExpr UnsafeTrap(Trap::TrapFnc trap_func, const void* aux); | |
| 155 | |
| 156 // BoolConst converts a bool value into a BoolExpr. | |
| 157 SANDBOX_EXPORT BoolExpr BoolConst(bool value); | |
| 158 | |
| 159 // Various ways to combine boolean expressions into more complex expressions. | |
| 160 // They follow standard boolean algebra laws. | |
| 161 SANDBOX_EXPORT BoolExpr operator!(const BoolExpr& cond); | |
| 162 SANDBOX_EXPORT BoolExpr operator&&(const BoolExpr& lhs, const BoolExpr& rhs); | |
| 163 SANDBOX_EXPORT BoolExpr operator||(const BoolExpr& lhs, const BoolExpr& rhs); | |
| 136 | 164 |
| 137 template <typename T> | 165 template <typename T> |
| 138 class SANDBOX_EXPORT Arg { | 166 class SANDBOX_EXPORT Arg { |
| 139 public: | 167 public: |
| 140 // Initializes the Arg to represent the |num|th system call | 168 // Initializes the Arg to represent the |num|th system call |
| 141 // argument (indexed from 0), which is of type |T|. | 169 // argument (indexed from 0), which is of type |T|. |
| 142 explicit Arg(int num); | 170 explicit Arg(int num); |
| 143 | 171 |
| 144 Arg(const Arg& arg) : num_(arg.num_), mask_(arg.mask_) {} | 172 Arg(const Arg& arg) : num_(arg.num_), mask_(arg.mask_) {} |
| 145 | 173 |
| 146 // Returns an Arg representing the current argument, but after | 174 // Returns an Arg representing the current argument, but after |
| 147 // bitwise-and'ing it with |rhs|. | 175 // bitwise-and'ing it with |rhs|. |
| 148 friend Arg operator&(const Arg& lhs, uint64_t rhs) { | 176 friend Arg operator&(const Arg& lhs, uint64_t rhs) { |
| 149 return Arg(lhs.num_, lhs.mask_ & rhs); | 177 return Arg(lhs.num_, lhs.mask_ & rhs); |
| 150 } | 178 } |
| 151 | 179 |
| 152 // Returns a boolean expression comparing whether the system call | 180 // Returns a boolean expression comparing whether the system call argument |
| 153 // argument (after applying any bitmasks, if appropriate) equals |rhs|. | 181 // (after applying any bitmasks, if appropriate) equals |rhs|. |
| 154 friend BoolExpr operator==(const Arg& lhs, T rhs) { return lhs.EqualTo(rhs); } | 182 friend BoolExpr operator==(const Arg& lhs, T rhs) { return lhs.EqualTo(rhs); } |
| 155 | 183 |
| 184 // Returns a boolean expression comparing whether the system call argument | |
| 185 // (after applying any bitmasks, if appropriate) does not equal |rhs|. | |
| 186 friend BoolExpr operator!=(const Arg& lhs, T rhs) { return !(lhs == rhs); } | |
| 187 | |
| 156 private: | 188 private: |
| 157 Arg(int num, uint64_t mask) : num_(num), mask_(mask) {} | 189 Arg(int num, uint64_t mask) : num_(num), mask_(mask) {} |
| 158 | 190 |
| 159 BoolExpr EqualTo(T val) const; | 191 BoolExpr EqualTo(T val) const; |
| 160 | 192 |
| 161 int num_; | 193 int num_; |
| 162 uint64_t mask_; | 194 uint64_t mask_; |
| 163 | 195 |
| 164 DISALLOW_ASSIGN(Arg); | 196 DISALLOW_ASSIGN(Arg); |
| 165 }; | 197 }; |
| 166 | 198 |
| 167 // Convert a bool value into a BoolExpr. | |
| 168 SANDBOX_EXPORT BoolExpr BoolConst(bool value); | |
| 169 | |
| 170 // Various ways to combine boolean expressions into more complex expressions. | |
| 171 // They follow standard boolean algebra laws. | |
| 172 SANDBOX_EXPORT BoolExpr operator!(const BoolExpr& cond); | |
| 173 SANDBOX_EXPORT BoolExpr operator&&(const BoolExpr& lhs, const BoolExpr& rhs); | |
| 174 SANDBOX_EXPORT BoolExpr operator||(const BoolExpr& lhs, const BoolExpr& rhs); | |
| 175 | |
| 176 // If begins a conditional result expression predicated on the | 199 // If begins a conditional result expression predicated on the |
| 177 // specified boolean expression. | 200 // specified boolean expression. |
| 178 SANDBOX_EXPORT Elser If(const BoolExpr& cond, const ResultExpr& then_result); | 201 SANDBOX_EXPORT Elser If(const BoolExpr& cond, const ResultExpr& then_result); |
| 179 | 202 |
| 180 class SANDBOX_EXPORT Elser { | 203 class SANDBOX_EXPORT Elser { |
| 181 public: | 204 public: |
| 182 Elser(const Elser& elser); | 205 Elser(const Elser& elser); |
| 183 ~Elser(); | 206 ~Elser(); |
| 184 | 207 |
| 185 // ElseIf extends the conditional result expression with another | 208 // ElseIf extends the conditional result expression with another |
| (...skipping 171 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 357 | 380 |
| 358 template <typename T> | 381 template <typename T> |
| 359 ResultExpr Caser<T>::Default(ResultExpr result) const { | 382 ResultExpr Caser<T>::Default(ResultExpr result) const { |
| 360 return elser_.Else(result); | 383 return elser_.Else(result); |
| 361 } | 384 } |
| 362 | 385 |
| 363 } // namespace bpf_dsl | 386 } // namespace bpf_dsl |
| 364 } // namespace sandbox | 387 } // namespace sandbox |
| 365 | 388 |
| 366 #endif // SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_ | 389 #endif // SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_ |
| OLD | NEW |
