Convert sandbox_bpf_unittest.cc to use bpf_dsl

sandbox/linux/bpf_dsl/bpf_dsl_more_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <errno.h>
 #include <pthread.h>
 #include <sched.h>
 #include <signal.h>
 #include <sys/prctl.h>
 #include <sys/ptrace.h>
@@ skipping 13 matching lines @@
 #include <ostream>
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/threading/thread.h"
 #include "build/build_config.h"
+#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/trap.h"
 #include "sandbox/linux/seccomp-bpf/verifier.h"
 #include "sandbox/linux/services/broker_process.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 #include "sandbox/linux/tests/scoped_temporary_file.h"
 #include "sandbox/linux/tests/unit_tests.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 // Workaround for Android's prctl.h file.
 #ifndef PR_GET_ENDIAN
 #define PR_GET_ENDIAN 19
 #endif
 #ifndef PR_CAPBSET_READ
 #define PR_CAPBSET_READ 23
 #define PR_CAPBSET_DROP 24
 #endif
 
 namespace sandbox {
+namespace bpf_dsl {
 
 namespace {
 
 const int kExpectedReturnValue = 42;
 const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING";
 
 // Set the global environment to allow the use of UnsafeTrap() policies.
 void EnableUnsafeTraps() {
   // The use of UnsafeTrap() causes us to print a warning message. This is
   // generally desirable, but it results in the unittest failing, as it doesn't
@@ skipping 32 matching lines @@
 // and it helps us accidentally forgetting any of the crucial steps in
 // setting up the sandbox. But it wouldn't hurt to have at least one test
 // that explicitly walks through all these steps.
 
 intptr_t IncreaseCounter(const struct arch_seccomp_data& args, void* aux) {
   BPF_ASSERT(aux);
   int* counter = static_cast<int*>(aux);
   return (*counter)++;
 }
 
-class VerboseAPITestingPolicy : public SandboxBPFPolicy {
+class VerboseAPITestingPolicy : public SandboxBPFDSLPolicy {
  public:
   VerboseAPITestingPolicy(int* counter_ptr) : counter_ptr_(counter_ptr) {}
+  virtual ~VerboseAPITestingPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE {
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     if (sysno == __NR_uname) {
-      return sandbox->Trap(IncreaseCounter, counter_ptr_);
+      return Trap(IncreaseCounter, counter_ptr_);
     }
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
+    return Allow();
   }
 
  private:
   int* counter_ptr_;
+
   DISALLOW_COPY_AND_ASSIGN(VerboseAPITestingPolicy);
 };
 
 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) {
   if (SandboxBPF::SupportsSeccompSandbox(-1) ==
       sandbox::SandboxBPF::STATUS_AVAILABLE) {
     static int counter = 0;
 
     SandboxBPF sandbox;
     sandbox.SetSandboxPolicy(new VerboseAPITestingPolicy(&counter));
     BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
 
     BPF_ASSERT_EQ(0, counter);
     BPF_ASSERT_EQ(0, syscall(__NR_uname, 0));
     BPF_ASSERT_EQ(1, counter);
     BPF_ASSERT_EQ(1, syscall(__NR_uname, 0));
     BPF_ASSERT_EQ(2, counter);
   }
 }
 
 // A simple blacklist test
 
-class BlacklistNanosleepPolicy : public SandboxBPFPolicy {
+class BlacklistNanosleepPolicy : public SandboxBPFDSLPolicy {
  public:
   BlacklistNanosleepPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
+  virtual ~BlacklistNanosleepPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     switch (sysno) {
       case __NR_nanosleep:
-        return ErrorCode(EACCES);
+        return Error(EACCES);
       default:
-        return ErrorCode(ErrorCode::ERR_ALLOWED);
+        return Allow();
     }
   }
 
   static void AssertNanosleepFails() {
     const struct timespec ts = {0, 0};
     errno = 0;
     BPF_ASSERT_EQ(-1, HANDLE_EINTR(syscall(__NR_nanosleep, &ts, NULL)));
     BPF_ASSERT_EQ(EACCES, errno);
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(BlacklistNanosleepPolicy);
 };
 
 BPF_TEST_C(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
   BlacklistNanosleepPolicy::AssertNanosleepFails();
 }
 
 // Now do a simple whitelist test
 
-class WhitelistGetpidPolicy : public SandboxBPFPolicy {
+class WhitelistGetpidPolicy : public SandboxBPFDSLPolicy {
  public:
   WhitelistGetpidPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
+  virtual ~WhitelistGetpidPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     switch (sysno) {
       case __NR_getpid:
       case __NR_exit_group:
-        return ErrorCode(ErrorCode::ERR_ALLOWED);
+        return Allow();
       default:
-        return ErrorCode(ENOMEM);
+        return Error(ENOMEM);
     }
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(WhitelistGetpidPolicy);
 };
 
 BPF_TEST_C(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
   // getpid() should be allowed
   errno = 0;
@@ skipping 39 matching lines @@
   const struct timespec ts = {0, 0};
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
   BPF_ASSERT(errno == ENOMEM);
 
   // We expect the signal handler to modify AuxData
   BPF_ASSERT(*BPF_AUX == kExpectedReturnValue);
 }
 
 // A simple test that verifies we can return arbitrary errno values.
 
-class ErrnoTestPolicy : public SandboxBPFPolicy {
+class ErrnoTestPolicy : public SandboxBPFDSLPolicy {
  public:
   ErrnoTestPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE;
+  virtual ~ErrnoTestPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(ErrnoTestPolicy);
 };
 
-ErrorCode ErrnoTestPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const {
+ResultExpr ErrnoTestPolicy::EvaluateSyscall(int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   switch (sysno) {
-    case __NR_dup3:    // dup2 is a wrapper of dup3 in android
+    case __NR_dup3:  // dup2 is a wrapper of dup3 in android
 #if defined(__NR_dup2)
     case __NR_dup2:
 #endif
       // Pretend that dup2() worked, but don't actually do anything.
-      return ErrorCode(0);
+      return Error(0);
     case __NR_setuid:
 #if defined(__NR_setuid32)
     case __NR_setuid32:
 #endif
       // Return errno = 1.
-      return ErrorCode(1);
+      return Error(1);
     case __NR_setgid:
 #if defined(__NR_setgid32)
     case __NR_setgid32:
 #endif
       // Return maximum errno value (typically 4095).
-      return ErrorCode(ErrorCode::ERR_MAX_ERRNO);
+      return Error(ErrorCode::ERR_MAX_ERRNO);
     case __NR_uname:
       // Return errno = 42;
-      return ErrorCode(42);
+      return Error(42);
     default:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
+      return Allow();
   }
 }
 
 BPF_TEST_C(SandboxBPF, ErrnoTest, ErrnoTestPolicy) {
   // Verify that dup2() returns success, but doesn't actually run.
   int fds[4];
   BPF_ASSERT(pipe(fds) == 0);
   BPF_ASSERT(pipe(fds + 2) == 0);
   BPF_ASSERT(dup2(fds[2], fds[0]) == 0);
   char buf[1] = {};
@@ skipping 25 matching lines @@
 
   // Finally, test an errno in between the minimum and maximum.
   errno = 0;
   struct utsname uts_buf;
   BPF_ASSERT(uname(&uts_buf) == -1);
   BPF_ASSERT(errno == 42);
 }
 
 // Testing the stacking of two sandboxes
 
-class StackingPolicyPartOne : public SandboxBPFPolicy {
+class StackingPolicyPartOne : public SandboxBPFDSLPolicy {
  public:
   StackingPolicyPartOne() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE {
+  virtual ~StackingPolicyPartOne() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     switch (sysno) {
-      case __NR_getppid:
-        return sandbox->Cond(0,
-                             ErrorCode::TP_32BIT,
-                             ErrorCode::OP_EQUAL,
-                             0,
-                             ErrorCode(ErrorCode::ERR_ALLOWED),
-                             ErrorCode(EPERM));
+      case __NR_getppid: {
+        const Arg<int> arg(0);
+        return If(arg == 0, Allow()).Else(Error(EPERM));
+      }
       default:
-        return ErrorCode(ErrorCode::ERR_ALLOWED);
+        return Allow();
     }
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(StackingPolicyPartOne);
 };
 
-class StackingPolicyPartTwo : public SandboxBPFPolicy {
+class StackingPolicyPartTwo : public SandboxBPFDSLPolicy {
  public:
   StackingPolicyPartTwo() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE {
+  virtual ~StackingPolicyPartTwo() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     switch (sysno) {
-      case __NR_getppid:
-        return sandbox->Cond(0,
-                             ErrorCode::TP_32BIT,
-                             ErrorCode::OP_EQUAL,
-                             0,
-                             ErrorCode(EINVAL),
-                             ErrorCode(ErrorCode::ERR_ALLOWED));
+      case __NR_getppid: {
+        const Arg<int> arg(0);
+        return If(arg == 0, Error(EINVAL)).Else(Allow());
+      }
       default:
-        return ErrorCode(ErrorCode::ERR_ALLOWED);
+        return Allow();
     }
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(StackingPolicyPartTwo);
 };
 
 BPF_TEST_C(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
   errno = 0;
   BPF_ASSERT(syscall(__NR_getppid, 0) > 0);
@@ skipping 24 matching lines @@
 // We try to make sure we exercise optimizations in the BPF compiler. We make
 // sure that the compiler can have an opportunity to coalesce syscalls with
 // contiguous numbers and we also make sure that disjoint sets can return the
 // same errno.
 int SysnoToRandomErrno(int sysno) {
   // Small contiguous sets of 3 system calls return an errno equal to the
   // index of that set + 1 (so that we never return a NUL errno).
   return ((sysno & ~3) >> 2) % 29 + 1;
 }
 
-class SyntheticPolicy : public SandboxBPFPolicy {
+class SyntheticPolicy : public SandboxBPFDSLPolicy {
  public:
   SyntheticPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
+  virtual ~SyntheticPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     if (sysno == __NR_exit_group || sysno == __NR_write) {
       // exit_group() is special, we really need it to work.
       // write() is needed for BPF_ASSERT() to report a useful error message.
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
+      return Allow();
     }
-    return ErrorCode(SysnoToRandomErrno(sysno));
+    return Error(SysnoToRandomErrno(sysno));
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(SyntheticPolicy);
 };
 
 BPF_TEST_C(SandboxBPF, SyntheticPolicy, SyntheticPolicy) {
   // Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int
   // overflow.
   BPF_ASSERT(std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >=
@@ skipping 20 matching lines @@
 // MIN_PRIVATE_SYSCALL plus 1 (to avoid NUL errno).
 int ArmPrivateSysnoToErrno(int sysno) {
   if (sysno >= static_cast<int>(MIN_PRIVATE_SYSCALL) &&
       sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
     return (sysno - MIN_PRIVATE_SYSCALL) + 1;
   } else {
     return ENOSYS;
   }
 }
 
-class ArmPrivatePolicy : public SandboxBPFPolicy {
+class ArmPrivatePolicy : public SandboxBPFDSLPolicy {
  public:
   ArmPrivatePolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysno) const OVERRIDE {
+  virtual ~ArmPrivatePolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     // Start from |__ARM_NR_set_tls + 1| so as not to mess with actual
     // ARM private system calls.
     if (sysno >= static_cast<int>(__ARM_NR_set_tls + 1) &&
         sysno <= static_cast<int>(MAX_PRIVATE_SYSCALL)) {
-      return ErrorCode(ArmPrivateSysnoToErrno(sysno));
+      return Error(ArmPrivateSysnoToErrno(sysno));
     }
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
+    return Allow();
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(ArmPrivatePolicy);
 };
 
 BPF_TEST_C(SandboxBPF, ArmPrivatePolicy, ArmPrivatePolicy) {
   for (int syscall_number = static_cast<int>(__ARM_NR_set_tls + 1);
        syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL);
        ++syscall_number) {
@@ skipping 71 matching lines @@
 intptr_t PrctlHandler(const struct arch_seccomp_data& args, void*) {
   if (args.args[0] == PR_CAPBSET_DROP && static_cast<int>(args.args[1]) == -1) {
     // prctl(PR_CAPBSET_DROP, -1) is never valid. The kernel will always
     // return an error. But our handler allows this call.
     return 0;
   } else {
     return SandboxBPF::ForwardSyscall(args);
   }
 }
 
-class PrctlPolicy : public SandboxBPFPolicy {
+class PrctlPolicy : public SandboxBPFDSLPolicy {
  public:
   PrctlPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE {
+  virtual ~PrctlPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     setenv(kSandboxDebuggingEnv, "t", 0);
     Die::SuppressInfoMessages(true);
 
     if (sysno == __NR_prctl) {
       // Handle prctl() inside an UnsafeTrap()
-      return sandbox->UnsafeTrap(PrctlHandler, NULL);
+      return UnsafeTrap(PrctlHandler, NULL);
     }
 
     // Allow all other system calls.
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
+    return Allow();
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(PrctlPolicy);
 };
 
 BPF_TEST_C(SandboxBPF, ForwardSyscall, PrctlPolicy) {
   // This call should never be allowed. But our policy will intercept it and
   // let it pass successfully.
   BPF_ASSERT(
@@ skipping 17 matching lines @@
   // unaffected by our policy.
   struct utsname uts = {};
   BPF_ASSERT(!uname(&uts));
   BPF_ASSERT(!strcmp(uts.sysname, "Linux"));
 }
 
 intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void*) {
   return SandboxBPF::ForwardSyscall(args);
 }
 
-class RedirectAllSyscallsPolicy : public SandboxBPFPolicy {
+class RedirectAllSyscallsPolicy : public SandboxBPFDSLPolicy {
  public:
   RedirectAllSyscallsPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE;
+  virtual ~RedirectAllSyscallsPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(RedirectAllSyscallsPolicy);
 };
 
-ErrorCode RedirectAllSyscallsPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                                     int sysno) const {
+ResultExpr RedirectAllSyscallsPolicy::EvaluateSyscall(int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   setenv(kSandboxDebuggingEnv, "t", 0);
   Die::SuppressInfoMessages(true);
 
   // Some system calls must always be allowed, if our policy wants to make
   // use of UnsafeTrap()
   if (SandboxBPF::IsRequiredForUnsafeTrap(sysno))
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
-  return sandbox->UnsafeTrap(AllowRedirectedSyscall, NULL);
+    return Allow();
+  return UnsafeTrap(AllowRedirectedSyscall, NULL);
 }
 
 int bus_handler_fd_ = -1;
 
 void SigBusHandler(int, siginfo_t* info, void* void_context) {
   BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1);
 }
 
 BPF_TEST_C(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) {
   // We use the SIGBUS bit in the signal mask as a thread-local boolean
@@ skipping 63 matching lines @@
   // would make system calls, but it allows us to verify that we don't
   // accidentally mess with errno, when we shouldn't.
   errno = 0;
   struct arch_seccomp_data args = {};
   args.nr = __NR_close;
   args.args[0] = -1;
   BPF_ASSERT(SandboxBPF::ForwardSyscall(args) == -EBADF);
   BPF_ASSERT(errno == 0);
 }
 
-bool NoOpCallback() { return true; }
+bool NoOpCallback() {
+  return true;
+}
 
 // Test a trap handler that makes use of a broker process to open().
 
 class InitializedOpenBroker {
  public:
   InitializedOpenBroker() : initialized_(false) {
     std::vector<std::string> allowed_files;
     allowed_files.push_back("/proc/allowed");
     allowed_files.push_back("/proc/cpuinfo");
 
@@ skipping 11 matching lines @@
   bool initialized_;
   scoped_ptr<class BrokerProcess> broker_process_;
   DISALLOW_COPY_AND_ASSIGN(InitializedOpenBroker);
 };
 
 intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args,
                                void* aux) {
   BPF_ASSERT(aux);
   BrokerProcess* broker_process = static_cast<BrokerProcess*>(aux);
   switch (args.nr) {
-    case __NR_faccessat:    // access is a wrapper of faccessat in android
+    case __NR_faccessat:  // access is a wrapper of faccessat in android
       BPF_ASSERT(static_cast<int>(args.args[0]) == AT_FDCWD);
       return broker_process->Access(reinterpret_cast<const char*>(args.args[1]),
                                     static_cast<int>(args.args[2]));
 #if defined(__NR_access)
     case __NR_access:
       return broker_process->Access(reinterpret_cast<const char*>(args.args[0]),
                                     static_cast<int>(args.args[1]));
 #endif
 #if defined(__NR_open)
     case __NR_open:
@@ skipping 79 matching lines @@
   int cpu_info_access = access("/proc/cpuinfo", R_OK);
   BPF_ASSERT(cpu_info_access == 0);
   int cpu_info_fd = open("/proc/cpuinfo", O_RDONLY);
   BPF_ASSERT(cpu_info_fd >= 0);
   char buf[1024];
   BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0);
 }
 
 // Simple test demonstrating how to use SandboxBPF::Cond()
 
-class SimpleCondTestPolicy : public SandboxBPFPolicy {
+class SimpleCondTestPolicy : public SandboxBPFDSLPolicy {
  public:
   SimpleCondTestPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE;
+  virtual ~SimpleCondTestPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(SimpleCondTestPolicy);
 };
 
-ErrorCode SimpleCondTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                                int sysno) const {
+ResultExpr SimpleCondTestPolicy::EvaluateSyscall(int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
 
   // We deliberately return unusual errno values upon failure, so that we
   // can uniquely test for these values. In a "real" policy, you would want
   // to return more traditional values.
   int flags_argument_position = -1;
   switch (sysno) {
 #if defined(__NR_open)
     case __NR_open:
       flags_argument_position = 1;
 #endif
-    case __NR_openat:  // open can be a wrapper for openat(2).
+    case __NR_openat: {  // open can be a wrapper for openat(2).
       if (sysno == __NR_openat)
         flags_argument_position = 2;
 
       // Allow opening files for reading, but don't allow writing.
       COMPILE_ASSERT(O_RDONLY == 0, O_RDONLY_must_be_all_zero_bits);
-      return sandbox->Cond(flags_argument_position,
-                           ErrorCode::TP_32BIT,
-                           ErrorCode::OP_HAS_ANY_BITS,
-                           O_ACCMODE /* 0x3 */,
-                           ErrorCode(EROFS),
-                           ErrorCode(ErrorCode::ERR_ALLOWED));
-    case __NR_prctl:
+      const Arg<int> flags(flags_argument_position);
+      return If((flags & O_ACCMODE) != 0, Error(EROFS)).Else(Allow());
+    }
+    case __NR_prctl: {
       // Allow prctl(PR_SET_DUMPABLE) and prctl(PR_GET_DUMPABLE), but
       // disallow everything else.
-      return sandbox->Cond(0,
-                           ErrorCode::TP_32BIT,
-                           ErrorCode::OP_EQUAL,
-                           PR_SET_DUMPABLE,
-                           ErrorCode(ErrorCode::ERR_ALLOWED),
-                           sandbox->Cond(0,
-                                         ErrorCode::TP_32BIT,
-                                         ErrorCode::OP_EQUAL,
-                                         PR_GET_DUMPABLE,
-                                         ErrorCode(ErrorCode::ERR_ALLOWED),
-                                         ErrorCode(ENOMEM)));
+      const Arg<int> option(0);
+      return If(option == PR_SET_DUMPABLE || option == PR_GET_DUMPABLE, Allow())
+          .Else(Error(ENOMEM));
+    }
     default:
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
+      return Allow();
   }
 }
 
 BPF_TEST_C(SandboxBPF, SimpleCondTest, SimpleCondTestPolicy) {
   int fd;
   BPF_ASSERT((fd = open("/proc/self/comm", O_RDWR)) == -1);
   BPF_ASSERT(errno == EROFS);
   BPF_ASSERT((fd = open("/proc/self/comm", O_RDONLY)) >= 0);
   close(fd);
 
@@ skipping 316 matching lines @@
   return aux->Policy(sandbox, sysno);
 }
 
 BPF_TEST(SandboxBPF,
          EqualityTests,
          EqualityStressTestPolicy,
          EqualityStressTest /* (*BPF_AUX) */) {
   BPF_AUX->VerifyFilter();
 }
 
-class EqualityArgumentWidthPolicy : public SandboxBPFPolicy {
+class EqualityArgumentWidthPolicy : public SandboxBPFDSLPolicy {
  public:
   EqualityArgumentWidthPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE;
+  virtual ~EqualityArgumentWidthPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(EqualityArgumentWidthPolicy);
 };
 
-ErrorCode EqualityArgumentWidthPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                                       int sysno) const {
+ResultExpr EqualityArgumentWidthPolicy::EvaluateSyscall(int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   if (sysno == __NR_uname) {
-    return sandbox->Cond(
-        0,
-        ErrorCode::TP_32BIT,
-        ErrorCode::OP_EQUAL,
-        0,
-        sandbox->Cond(1,
-                      ErrorCode::TP_32BIT,
-                      ErrorCode::OP_EQUAL,
-                      0x55555555,
-                      ErrorCode(1),
-                      ErrorCode(2)),
-        // The BPF compiler and the BPF interpreter in the kernel are
-        // (mostly) agnostic of the host platform's word size. The compiler
-        // will happily generate code that tests a 64bit value, and the
-        // interpreter will happily perform this test.
-        // But unless there is a kernel bug, there is no way for us to pass
-        // in a 64bit quantity on a 32bit platform. The upper 32bits should
-        // always be zero. So, this test should always evaluate as false on
-        // 32bit systems.
-        sandbox->Cond(1,
-                      ErrorCode::TP_64BIT,
-                      ErrorCode::OP_EQUAL,
-                      0x55555555AAAAAAAAULL,
-                      ErrorCode(1),
-                      ErrorCode(2)));
+    const Arg<int> option(0);
+    const Arg<uint32_t> arg32(1);
+    const Arg<uint64_t> arg64(1);
+    return Switch(option)
+        .Case(0, If(arg32 == 0x55555555, Error(1)).Else(Error(2)))
+#if __SIZEOF_POINTER__ > 4
+        .Case(1, If(arg64 == 0x55555555AAAAAAAAULL, Error(1)).Else(Error(2)))
+#endif
+        .Default(Error(3));
   }
-  return ErrorCode(ErrorCode::ERR_ALLOWED);
+  return Allow();
 }
 
 BPF_TEST_C(SandboxBPF, EqualityArgumentWidth, EqualityArgumentWidthPolicy) {
   BPF_ASSERT(Syscall::Call(__NR_uname, 0, 0x55555555) == -1);
   BPF_ASSERT(Syscall::Call(__NR_uname, 0, 0xAAAAAAAA) == -2);
 #if __SIZEOF_POINTER__ > 4
   // On 32bit machines, there is no way to pass a 64bit argument through the
   // syscall interface. So, we have to skip the part of the test that requires
   // 64bit arguments.
   BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x55555555AAAAAAAAULL) == -1);
   BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x5555555500000000ULL) == -2);
   BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x5555555511111111ULL) == -2);
   BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x11111111AAAAAAAAULL) == -2);
-#else
-  BPF_ASSERT(Syscall::Call(__NR_uname, 1, 0x55555555) == -2);

[jln (very slow on Chromium), 2014/09/12 23:52:57]

Why removed?

[mdempsky, 2014/09/13 00:20:24]

This assert was testing TP_64BIT on a 32-bit system.  Since bpf_dsl doesn't
support 64-bit arguments on 32-bit systems anymore (and thus the #if
__SIZEOF_POINTER__ > 4 in EqualityArgumentWidthPolicy::EvaluateSyscall), the
assert isn't meaningful anymore.

 #endif
 }
 
 #if __SIZEOF_POINTER__ > 4
 // On 32bit machines, there is no way to pass a 64bit argument through the
 // syscall interface. So, we have to skip the part of the test that requires
 // 64bit arguments.
 BPF_DEATH_TEST_C(SandboxBPF,
                  EqualityArgumentUnallowed64bit,
                  DEATH_MESSAGE("Unexpected 64bit argument detected"),
                  EqualityArgumentWidthPolicy) {
   Syscall::Call(__NR_uname, 0, 0x5555555555555555ULL);
 }
 #endif
 
-class EqualityWithNegativeArgumentsPolicy : public SandboxBPFPolicy {
+class EqualityWithNegativeArgumentsPolicy : public SandboxBPFDSLPolicy {
  public:
   EqualityWithNegativeArgumentsPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE {
+  virtual ~EqualityWithNegativeArgumentsPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     if (sysno == __NR_uname) {
-      return sandbox->Cond(0,
-                           ErrorCode::TP_32BIT,
-                           ErrorCode::OP_EQUAL,
-                           0xFFFFFFFF,
-                           ErrorCode(1),
-                           ErrorCode(2));
+      // TODO(mdempsky): This currently can't be Arg<int> because then
+      // 0xFFFFFFFF will be treated as a (signed) int, and then when
+      // Arg::EqualTo casts it to uint64_t, it will be sign extended.
+      const Arg<unsigned> arg(0);
+      return If(arg == 0xFFFFFFFF, Error(1)).Else(Error(2));
     }
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
+    return Allow();
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(EqualityWithNegativeArgumentsPolicy);
 };
 
 BPF_TEST_C(SandboxBPF,
            EqualityWithNegativeArguments,
            EqualityWithNegativeArgumentsPolicy) {
   BPF_ASSERT(Syscall::Call(__NR_uname, 0xFFFFFFFF) == -1);
   BPF_ASSERT(Syscall::Call(__NR_uname, -1) == -1);
   BPF_ASSERT(Syscall::Call(__NR_uname, -1LL) == -1);
 }
 
 #if __SIZEOF_POINTER__ > 4
 BPF_DEATH_TEST_C(SandboxBPF,
                  EqualityWithNegative64bitArguments,
                  DEATH_MESSAGE("Unexpected 64bit argument detected"),
                  EqualityWithNegativeArgumentsPolicy) {
   // When expecting a 32bit system call argument, we look at the MSB of the
   // 64bit value and allow both "0" and "-1". But the latter is allowed only
   // iff the LSB was negative. So, this death test should error out.
   BPF_ASSERT(Syscall::Call(__NR_uname, 0xFFFFFFFF00000000LL) == -1);
 }
 #endif
-class AllBitTestPolicy : public SandboxBPFPolicy {
+
+class AllBitTestPolicy : public SandboxBPFDSLPolicy {
  public:
   AllBitTestPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE;
+  virtual ~AllBitTestPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE;
 
  private:
+  static ResultExpr HasAllBits32(uint32_t bits);
+  static ResultExpr HasAllBits64(uint64_t bits);
+
   DISALLOW_COPY_AND_ASSIGN(AllBitTestPolicy);
 };
 
-ErrorCode AllBitTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                            int sysno) const {
+ResultExpr AllBitTestPolicy::HasAllBits32(uint32_t bits) {
+  if (bits == 0) {
+    return Error(1);
+  }
+  const Arg<uint32_t> arg(1);
+  return If((arg & bits) == bits, Error(1)).Else(Error(0));
+}
+
+ResultExpr AllBitTestPolicy::HasAllBits64(uint64_t bits) {
+  if (bits == 0) {
+    return Error(1);
+  }
+  const Arg<uint64_t> arg(1);
+  return If((arg & bits) == bits, Error(1)).Else(Error(0));
+}
+
+ResultExpr AllBitTestPolicy::EvaluateSyscall(int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
-  // Test the OP_HAS_ALL_BITS conditional test operator with a couple of
-  // different bitmasks. We try to find bitmasks that could conceivably
+  // Test masked-equality cases that should trigger the "has all bits"
+  // peephole optimizations. We try to find bitmasks that could conceivably
   // touch corner cases.
   // For all of these tests, we override the uname(). We can make use with
   // a single system call number, as we use the first system call argument to
   // select the different bit masks that we want to test against.
   if (sysno == __NR_uname) {
-    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
-           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x0,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
-           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x1,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2,
-           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x3,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3,
-           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x80000000,
-                         ErrorCode(1), ErrorCode(0)),
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x0,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x1,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x3,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x80000000,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x100000000ULL,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x300000000ULL,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         0x100000001ULL,
-                         ErrorCode(1), ErrorCode(0)),
-
-                         sandbox->Kill("Invalid test case number"))))))))))));
+    const Arg<int> option(0);
+    return Switch(option)
+        .Case(0, HasAllBits32(0x0))
+        .Case(1, HasAllBits32(0x1))
+        .Case(2, HasAllBits32(0x3))
+        .Case(3, HasAllBits32(0x80000000))
+#if __SIZEOF_POINTER__ > 4
+        .Case(4, HasAllBits64(0x0))
+        .Case(5, HasAllBits64(0x1))
+        .Case(6, HasAllBits64(0x3))
+        .Case(7, HasAllBits64(0x80000000))
+        .Case(8, HasAllBits64(0x100000000ULL))
+        .Case(9, HasAllBits64(0x300000000ULL))
+        .Case(10, HasAllBits64(0x100000001ULL))
+#endif
+        .Default(Kill("Invalid test case number"));
   }
-  return ErrorCode(ErrorCode::ERR_ALLOWED);
+  return Allow();
 }
 
 // Define a macro that performs tests using our test policy.
 // NOTE: Not all of the arguments in this macro are actually used!
 //       They are here just to serve as documentation of the conditions
 //       implemented in the test policy.
 //       Most notably, "op" and "mask" are unused by the macro. If you want
 //       to make changes to these values, you will have to edit the
 //       test policy instead.
 #define BITMASK_TEST(testcase, arg, op, mask, expected_value) \
@@ skipping 32 matching lines @@
   BITMASK_TEST( 2,                   3, ALLBITS32,        0x3, EXPECT_SUCCESS);
   BITMASK_TEST( 2,                   7, ALLBITS32,        0x3, EXPECT_SUCCESS);
 
   // 32bit test: all of 0x80000000
   BITMASK_TEST( 3,                   0, ALLBITS32, 0x80000000, EXPECT_FAILURE);
   BITMASK_TEST( 3,         0x40000000U, ALLBITS32, 0x80000000, EXPECT_FAILURE);
   BITMASK_TEST( 3,         0x80000000U, ALLBITS32, 0x80000000, EXPECT_SUCCESS);
   BITMASK_TEST( 3,         0xC0000000U, ALLBITS32, 0x80000000, EXPECT_SUCCESS);
   BITMASK_TEST( 3,       -0x80000000LL, ALLBITS32, 0x80000000, EXPECT_SUCCESS);
 
+#if __SIZEOF_POINTER__ > 4
   // 64bit test: all of 0x0 (should always be true)
   BITMASK_TEST( 4,                   0, ALLBITS64,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 4,                   1, ALLBITS64,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 4,                   3, ALLBITS64,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 4,         0xFFFFFFFFU, ALLBITS64,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 4,       0x100000000LL, ALLBITS64,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 4,       0x300000000LL, ALLBITS64,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 4,0x8000000000000000LL, ALLBITS64,          0, EXPECT_SUCCESS);
   BITMASK_TEST( 4,                -1LL, ALLBITS64,          0, EXPECT_SUCCESS);
 
@@ skipping 53 matching lines @@
   BITMASK_TEST( 9,       0x300000001LL, ALLBITS64,0x300000000, EXPT64_SUCCESS);
   BITMASK_TEST( 9,       0x700000001LL, ALLBITS64,0x300000000, EXPT64_SUCCESS);
 
   // 64bit test: all of 0x100000001
   BITMASK_TEST(10,       0x000000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x000000001LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x100000000LL, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,       0x100000001LL, ALLBITS64,0x100000001, EXPT64_SUCCESS);
   BITMASK_TEST(10,         0xFFFFFFFFU, ALLBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST(10,                 -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS);
+#endif
 }
 
-class AnyBitTestPolicy : public SandboxBPFPolicy {
+class AnyBitTestPolicy : public SandboxBPFDSLPolicy {
  public:
   AnyBitTestPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE;
+  virtual ~AnyBitTestPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE;
 
  private:
+  static ResultExpr HasAnyBits32(uint32_t);
+  static ResultExpr HasAnyBits64(uint64_t);
+
   DISALLOW_COPY_AND_ASSIGN(AnyBitTestPolicy);
 };
 
-ErrorCode AnyBitTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                            int sysno) const {
+ResultExpr AnyBitTestPolicy::HasAnyBits32(uint32_t bits) {
+  if (bits == 0) {
+    return Error(0);
+  }
+  const Arg<uint32_t> arg(1);
+  return If((arg & bits) != 0, Error(1)).Else(Error(0));
+}
+
+ResultExpr AnyBitTestPolicy::HasAnyBits64(uint64_t bits) {
+  if (bits == 0) {
+    return Error(0);
+  }
+  const Arg<uint64_t> arg(1);
+  return If((arg & bits) != 0, Error(1)).Else(Error(0));
+}
+
+ResultExpr AnyBitTestPolicy::EvaluateSyscall(int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
-  // Test the OP_HAS_ANY_BITS conditional test operator with a couple of
-  // different bitmasks. We try to find bitmasks that could conceivably
+  // Test masked-equality cases that should trigger the "has any bits"
+  // peephole optimizations. We try to find bitmasks that could conceivably
   // touch corner cases.
   // For all of these tests, we override the uname(). We can make use with
   // a single system call number, as we use the first system call argument to
   // select the different bit masks that we want to test against.
   if (sysno == __NR_uname) {
-    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 0,
-           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x0,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 1,
-           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x1,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 2,
-           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x3,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 3,
-           sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x80000000,
-                         ErrorCode(1), ErrorCode(0)),
-
-           // All the following tests don't really make much sense on 32bit
-           // systems. They will always evaluate as false.
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 4,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x0,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 5,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x1,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 6,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x3,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 7,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x80000000,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 8,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x100000000ULL,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 9,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x300000000ULL,
-                         ErrorCode(1), ErrorCode(0)),
-
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, 10,
-           sandbox->Cond(1, ErrorCode::TP_64BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         0x100000001ULL,
-                         ErrorCode(1), ErrorCode(0)),
-
-                         sandbox->Kill("Invalid test case number"))))))))))));
+    const Arg<int> option(0);
+    return Switch(option)
+        .Case(0, HasAnyBits32(0x0))
+        .Case(1, HasAnyBits32(0x1))
+        .Case(2, HasAnyBits32(0x3))
+        .Case(3, HasAnyBits32(0x80000000))
+#if __SIZEOF_POINTER__ > 4
+        .Case(4, HasAnyBits64(0x0))
+        .Case(5, HasAnyBits64(0x1))
+        .Case(6, HasAnyBits64(0x3))
+        .Case(7, HasAnyBits64(0x80000000))
+        .Case(8, HasAnyBits64(0x100000000ULL))
+        .Case(9, HasAnyBits64(0x300000000ULL))
+        .Case(10, HasAnyBits64(0x100000001ULL))
+#endif
+        .Default(Kill("Invalid test case number"));
   }
-  return ErrorCode(ErrorCode::ERR_ALLOWED);
+  return Allow();
 }
 
 BPF_TEST_C(SandboxBPF, AnyBitTests, AnyBitTestPolicy) {
   // 32bit test: any of 0x0 (should always be false)
   BITMASK_TEST( 0,                   0, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,                   1, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,                   3, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,         0xFFFFFFFFU, ANYBITS32,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 0,                -1LL, ANYBITS32,        0x0, EXPECT_FAILURE);
 
@@ skipping 10 matching lines @@
   BITMASK_TEST( 2,                   3, ANYBITS32,        0x3, EXPECT_SUCCESS);
   BITMASK_TEST( 2,                   7, ANYBITS32,        0x3, EXPECT_SUCCESS);
 
   // 32bit test: any of 0x80000000
   BITMASK_TEST( 3,                   0, ANYBITS32, 0x80000000, EXPECT_FAILURE);
   BITMASK_TEST( 3,         0x40000000U, ANYBITS32, 0x80000000, EXPECT_FAILURE);
   BITMASK_TEST( 3,         0x80000000U, ANYBITS32, 0x80000000, EXPECT_SUCCESS);
   BITMASK_TEST( 3,         0xC0000000U, ANYBITS32, 0x80000000, EXPECT_SUCCESS);
   BITMASK_TEST( 3,       -0x80000000LL, ANYBITS32, 0x80000000, EXPECT_SUCCESS);
 
+#if __SIZEOF_POINTER__ > 4
   // 64bit test: any of 0x0 (should always be false)
   BITMASK_TEST( 4,                   0, ANYBITS64,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 4,                   1, ANYBITS64,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 4,                   3, ANYBITS64,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 4,         0xFFFFFFFFU, ANYBITS64,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 4,       0x100000000LL, ANYBITS64,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 4,       0x300000000LL, ANYBITS64,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 4,0x8000000000000000LL, ANYBITS64,        0x0, EXPECT_FAILURE);
   BITMASK_TEST( 4,                -1LL, ANYBITS64,        0x0, EXPECT_FAILURE);
 
@@ skipping 53 matching lines @@
   BITMASK_TEST( 9,       0x300000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
   BITMASK_TEST( 9,       0x700000001LL, ANYBITS64,0x300000000, EXPT64_SUCCESS);
 
   // 64bit test: any of 0x100000001
   BITMASK_TEST( 10,      0x000000000LL, ANYBITS64,0x100000001, EXPECT_FAILURE);
   BITMASK_TEST( 10,      0x000000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS);
   BITMASK_TEST( 10,      0x100000000LL, ANYBITS64,0x100000001, EXPT64_SUCCESS);
   BITMASK_TEST( 10,      0x100000001LL, ANYBITS64,0x100000001, EXPECT_SUCCESS);
   BITMASK_TEST( 10,        0xFFFFFFFFU, ANYBITS64,0x100000001, EXPECT_SUCCESS);
   BITMASK_TEST( 10,                -1L, ANYBITS64,0x100000001, EXPECT_SUCCESS);
+#endif
 }
 
-class MaskedEqualTestPolicy : public SandboxBPFPolicy {
+class MaskedEqualTestPolicy : public SandboxBPFDSLPolicy {
  public:
   MaskedEqualTestPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE;
+  virtual ~MaskedEqualTestPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE;
 
  private:
-  struct Rule {
-    ErrorCode::ArgType arg_type;
-    uint64_t mask;
-    uint64_t value;
-  };
-
-  static Rule rules[];
+  static ResultExpr MaskedEqual32(uint32_t mask, uint32_t value);
+  static ResultExpr MaskedEqual64(uint64_t mask, uint64_t value);
 
   DISALLOW_COPY_AND_ASSIGN(MaskedEqualTestPolicy);
 };
 
-MaskedEqualTestPolicy::Rule MaskedEqualTestPolicy::rules[] = {
-    /* 0 = */ {ErrorCode::TP_32BIT, 0x0000000000ff00ff, 0x00000000005500aa},
+ResultExpr MaskedEqualTestPolicy::MaskedEqual32(uint32_t mask, uint32_t value) {
+  const Arg<uint32_t> arg(1);
+  return If((arg & mask) == value, Error(1)).Else(Error(0));
+}
 
-#if __SIZEOF_POINTER__ > 4
-    /* 1 = */ {ErrorCode::TP_64BIT, 0x00ff00ff00000000, 0x005500aa00000000},
-    /* 2 = */ {ErrorCode::TP_64BIT, 0x00ff00ff00ff00ff, 0x005500aa005500aa},
-#endif
-};
+ResultExpr MaskedEqualTestPolicy::MaskedEqual64(uint64_t mask, uint64_t value) {
+  const Arg<uint64_t> arg(1);
+  return If((arg & mask) == value, Error(1)).Else(Error(0));
+}
 
-ErrorCode MaskedEqualTestPolicy::EvaluateSyscall(SandboxBPF* sandbox,
-                                                 int sysno) const {
+ResultExpr MaskedEqualTestPolicy::EvaluateSyscall(int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
 
   if (sysno == __NR_uname) {
-    ErrorCode err = sandbox->Kill("Invalid test case number");
-    for (size_t i = 0; i < arraysize(rules); i++) {
-      err = sandbox->Cond(0,
-                          ErrorCode::TP_32BIT,
-                          ErrorCode::OP_EQUAL,
-                          i,
-                          sandbox->CondMaskedEqual(1,
-                                                   rules[i].arg_type,
-                                                   rules[i].mask,
-                                                   rules[i].value,
-                                                   ErrorCode(1),
-                                                   ErrorCode(0)),
-                          err);
-    }
-    return err;
+    const Arg<int> option(0);
+    return Switch(option)
+        .Case(0, MaskedEqual32(0x00ff00ff, 0x005500aa))
+#if __SIZEOF_POINTER__ > 4
+        .Case(1, MaskedEqual64(0x00ff00ff00000000, 0x005500aa00000000))
+        .Case(2, MaskedEqual64(0x00ff00ff00ff00ff, 0x005500aa005500aa))
+#endif
+        .Default(Kill("Invalid test case number"));
   }
-  return ErrorCode(ErrorCode::ERR_ALLOWED);
+
+  return Allow();
 }
 
 #define MASKEQ_TEST(rulenum, arg, expected_result) \
   BPF_ASSERT(Syscall::Call(__NR_uname, (rulenum), (arg)) == (expected_result))
 
 BPF_TEST_C(SandboxBPF, MaskedEqualTests, MaskedEqualTestPolicy) {
   // Allowed:    0x__55__aa
   MASKEQ_TEST(0, 0x00000000, EXPECT_FAILURE);
   MASKEQ_TEST(0, 0x00000001, EXPECT_FAILURE);
   MASKEQ_TEST(0, 0x00000003, EXPECT_FAILURE);
@@ skipping 68 matching lines @@
         (long long)args.args[1],
         (long long)args.args[2],
         (long long)args.args[3],
         (long long)args.args[4],
         (long long)args.args[5],
         msg);
   }
   return -EPERM;
 }
 
-class PthreadPolicyEquality : public SandboxBPFPolicy {
+class PthreadPolicyEquality : public SandboxBPFDSLPolicy {
  public:
   PthreadPolicyEquality() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE;
+  virtual ~PthreadPolicyEquality() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(PthreadPolicyEquality);
 };
 
-ErrorCode PthreadPolicyEquality::EvaluateSyscall(SandboxBPF* sandbox,
-                                                 int sysno) const {
+ResultExpr PthreadPolicyEquality::EvaluateSyscall(int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   // This policy allows creating threads with pthread_create(). But it
   // doesn't allow any other uses of clone(). Most notably, it does not
   // allow callers to implement fork() or vfork() by passing suitable flags
   // to the clone() system call.
   if (sysno == __NR_clone) {
     // We have seen two different valid combinations of flags. Glibc
     // uses the more modern flags, sets the TLS from the call to clone(), and
     // uses futexes to monitor threads. Android's C run-time library, doesn't
     // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
     // More recent versions of Android don't set CLONE_DETACHED anymore, so
     // the last case accounts for that.
     // The following policy is very strict. It only allows the exact masks
     // that we have seen in known implementations. It is probably somewhat
     // stricter than what we would want to do.
-    const uint64_t kGlibcCloneMask =
-        CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
-        CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
-        CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
-    const uint64_t kBaseAndroidCloneMask =
-        CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
-        CLONE_THREAD | CLONE_SYSVSEM;
-    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
-                         kGlibcCloneMask,
-                         ErrorCode(ErrorCode::ERR_ALLOWED),
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
-                         kBaseAndroidCloneMask | CLONE_DETACHED,
-                         ErrorCode(ErrorCode::ERR_ALLOWED),
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
-                         kBaseAndroidCloneMask,
-                         ErrorCode(ErrorCode::ERR_ALLOWED),
-                         sandbox->Trap(PthreadTrapHandler, "Unknown mask"))));
+    const uint64_t kGlibcCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
+                                     CLONE_SIGHAND | CLONE_THREAD |
+                                     CLONE_SYSVSEM | CLONE_SETTLS |
+                                     CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
+    const uint64_t kBaseAndroidCloneMask = CLONE_VM | CLONE_FS | CLONE_FILES |
+                                           CLONE_SIGHAND | CLONE_THREAD |
+                                           CLONE_SYSVSEM;
+    const Arg<unsigned long> flags(0);
+    return If(flags == kGlibcCloneMask ||
+                  flags == (kBaseAndroidCloneMask | CLONE_DETACHED) ||
+                  flags == kBaseAndroidCloneMask,
+              Allow()).Else(Trap(PthreadTrapHandler, "Unknown mask"));
   }
-  return ErrorCode(ErrorCode::ERR_ALLOWED);
+
+  return Allow();
 }
 
-class PthreadPolicyBitMask : public SandboxBPFPolicy {
+class PthreadPolicyBitMask : public SandboxBPFDSLPolicy {
  public:
   PthreadPolicyBitMask() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE;
+  virtual ~PthreadPolicyBitMask() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE;
 
  private:
+  static BoolExpr HasAnyBits(const Arg<unsigned long>& arg, unsigned long bits);
+  static BoolExpr HasAllBits(const Arg<unsigned long>& arg, unsigned long bits);
+
   DISALLOW_COPY_AND_ASSIGN(PthreadPolicyBitMask);
 };
 
-ErrorCode PthreadPolicyBitMask::EvaluateSyscall(SandboxBPF* sandbox,
-                                                int sysno) const {
+BoolExpr PthreadPolicyBitMask::HasAnyBits(const Arg<unsigned long>& arg,
+                                          unsigned long bits) {
+  return (arg & bits) != 0;
+}
+
+BoolExpr PthreadPolicyBitMask::HasAllBits(const Arg<unsigned long>& arg,
+                                          unsigned long bits) {
+  return (arg & bits) == bits;
+}
+
+ResultExpr PthreadPolicyBitMask::EvaluateSyscall(int sysno) const {
   DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
   // This policy allows creating threads with pthread_create(). But it
   // doesn't allow any other uses of clone(). Most notably, it does not
   // allow callers to implement fork() or vfork() by passing suitable flags
   // to the clone() system call.
   if (sysno == __NR_clone) {
     // We have seen two different valid combinations of flags. Glibc
     // uses the more modern flags, sets the TLS from the call to clone(), and
     // uses futexes to monitor threads. Android's C run-time library, doesn't
     // do any of this, but it sets the obsolete (and no-op) CLONE_DETACHED.
     // The following policy allows for either combination of flags, but it
     // is generally a little more conservative than strictly necessary. We
     // err on the side of rather safe than sorry.
     // Very noticeably though, we disallow fork() (which is often just a
     // wrapper around clone()).
-    return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         ~uint32(CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
-                                 CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|
-                                 CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID|
-                                 CLONE_DETACHED),
-                         sandbox->Trap(PthreadTrapHandler,
-                                       "Unexpected CLONE_XXX flag found"),
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|
-                         CLONE_THREAD|CLONE_SYSVSEM,
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ALL_BITS,
-                         CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
-                         ErrorCode(ErrorCode::ERR_ALLOWED),
-           sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
-                         CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID,
-                         sandbox->Trap(PthreadTrapHandler,
-                                       "Must set either all or none of the TLS"
-                                       " and futex bits in call to clone()"),
-                         ErrorCode(ErrorCode::ERR_ALLOWED))),
-                         sandbox->Trap(PthreadTrapHandler,
-                                       "Missing mandatory CLONE_XXX flags "
-                                       "when creating new thread")));
+    const unsigned long kMandatoryFlags = CLONE_VM | CLONE_FS | CLONE_FILES |
+                                          CLONE_SIGHAND | CLONE_THREAD |
+                                          CLONE_SYSVSEM;
+    const unsigned long kFutexFlags =
+        CLONE_SETTLS | CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
+    const unsigned long kNoopFlags = CLONE_DETACHED;
+    const unsigned long kKnownFlags =
+        kMandatoryFlags | kFutexFlags | kNoopFlags;
+
+    const Arg<unsigned long> flags(0);
+    return If(HasAnyBits(flags, ~kKnownFlags),
+              Trap(PthreadTrapHandler, "Unexpected CLONE_XXX flag found"))
+        .ElseIf(!HasAllBits(flags, kMandatoryFlags),
+                Trap(PthreadTrapHandler,
+                     "Missing mandatory CLONE_XXX flags "
+                     "when creating new thread"))
+        .ElseIf(
+             !HasAllBits(flags, kFutexFlags) && HasAnyBits(flags, kFutexFlags),
+             Trap(PthreadTrapHandler,
+                  "Must set either all or none of the TLS and futex bits in "
+                  "call to clone()"))
+        .Else(Allow());
   }
-  return ErrorCode(ErrorCode::ERR_ALLOWED);
+
+  return Allow();
 }
 
 static void* ThreadFnc(void* arg) {
   ++*reinterpret_cast<int*>(arg);
   Syscall::Call(__NR_futex, arg, FUTEX_WAKE, 1, 0, 0, 0);
   return NULL;
 }
 
 static void PthreadTest() {
   // Attempt to start a joinable thread. This should succeed.
@@ skipping 86 matching lines @@
   // PTRACE_SET_SYSCALL may not be in the enum.
   return syscall(__NR_ptrace, PTRACE_SET_SYSCALL, pid, NULL, syscall_number);
 #endif
 
   SECCOMP_PT_SYSCALL(*regs) = syscall_number;
   return 0;
 }
 
 const uint16_t kTraceData = 0xcc;
 
-class TraceAllPolicy : public SandboxBPFPolicy {
+class TraceAllPolicy : public SandboxBPFDSLPolicy {
  public:
   TraceAllPolicy() {}
   virtual ~TraceAllPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
-                                    int system_call_number) const OVERRIDE {
-    return ErrorCode(ErrorCode::ERR_TRACE + kTraceData);
+  virtual ResultExpr EvaluateSyscall(int system_call_number) const OVERRIDE {
+    return Trace(kTraceData);
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(TraceAllPolicy);
 };
 
 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(SeccompRetTrace)) {
   if (SandboxBPF::SupportsSeccompSandbox(-1) !=
       sandbox::SandboxBPF::STATUS_AVAILABLE) {
     return;
@@ skipping 34 matching lines @@
     syscall(__NR_kill, my_pid, SIGKILL);
 
     // Should not be reached.
     BPF_ASSERT(false);
   }
 
   int status;
   BPF_ASSERT(HANDLE_EINTR(waitpid(pid, &status, WUNTRACED)) != -1);
   BPF_ASSERT(WIFSTOPPED(status));
 
-  BPF_ASSERT_NE(-1, ptrace(PTRACE_SETOPTIONS, pid, NULL,
-                           reinterpret_cast<void*>(PTRACE_O_TRACESECCOMP)));
+  BPF_ASSERT_NE(-1,
+                ptrace(PTRACE_SETOPTIONS,
+                       pid,
+                       NULL,
+                       reinterpret_cast<void*>(PTRACE_O_TRACESECCOMP)));
   BPF_ASSERT_NE(-1, ptrace(PTRACE_CONT, pid, NULL, NULL));
   while (true) {
     BPF_ASSERT(HANDLE_EINTR(waitpid(pid, &status, 0)) != -1);
     if (WIFEXITED(status) || WIFSIGNALED(status)) {
       BPF_ASSERT(WIFEXITED(status));
       BPF_ASSERT_EQ(kExpectedReturnValue, WEXITSTATUS(status));
       break;
     }
 
     if (!WIFSTOPPED(status) || WSTOPSIG(status) != SIGTRAP ||
@@ skipping 60 matching lines @@
     }
     count -= transfered;
     buffer += transfered;
     offset += transfered;
   }
   return true;
 }
 
 bool pread_64_was_forwarded = false;
 
-class TrapPread64Policy : public SandboxBPFPolicy {
+class TrapPread64Policy : public SandboxBPFDSLPolicy {
  public:
   TrapPread64Policy() {}
   virtual ~TrapPread64Policy() {}
 
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
-                                    int system_call_number) const OVERRIDE {
+  virtual ResultExpr EvaluateSyscall(int system_call_number) const OVERRIDE {
     // Set the global environment for unsafe traps once.
     if (system_call_number == MIN_SYSCALL) {
       EnableUnsafeTraps();
     }
 
     if (system_call_number == __NR_pread64) {
-      return sandbox_compiler->UnsafeTrap(ForwardPreadHandler, NULL);
+      return UnsafeTrap(ForwardPreadHandler, NULL);
     }
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
+    return Allow();
   }
 
  private:
   static intptr_t ForwardPreadHandler(const struct arch_seccomp_data& args,
                                       void* aux) {
     BPF_ASSERT(args.nr == __NR_pread64);
     pread_64_was_forwarded = true;
 
     return SandboxBPF::ForwardSyscall(args);
   }
+
   DISALLOW_COPY_AND_ASSIGN(TrapPread64Policy);
 };
 
 // pread(2) takes a 64 bits offset. On 32 bits systems, it will be split
 // between two arguments. In this test, we make sure that ForwardSyscall() can
 // forward it properly.
 BPF_TEST_C(SandboxBPF, Pread64, TrapPread64Policy) {
   ScopedTemporaryFile temp_file;
   const uint64_t kLargeOffset = (static_cast<uint64_t>(1) << 32) | 0xBEEF;
   const char kTestString[] = "This is a test!";
@@ skipping 21 matching lines @@
 
   BPF_ASSERT(event->IsSignaled());
 
   BlacklistNanosleepPolicy::AssertNanosleepFails();
 
   return NULL;
 }
 
 SANDBOX_TEST(SandboxBPF, Tsync) {
   if (SandboxBPF::SupportsSeccompThreadFilterSynchronization() !=
-          SandboxBPF::STATUS_AVAILABLE) {
+      SandboxBPF::STATUS_AVAILABLE) {
     return;
   }
 
   base::WaitableEvent event(true, false);
 
   // Create a thread on which to invoke the blocked syscall.
   pthread_t thread;
-  BPF_ASSERT_EQ(0,
-      pthread_create(&thread, NULL, &TsyncApplyToTwoThreadsFunc, &event));
+  BPF_ASSERT_EQ(
+      0, pthread_create(&thread, NULL, &TsyncApplyToTwoThreadsFunc, &event));
 
   // Test that nanoseelp success.
   const struct timespec ts = {0, 0};
   BPF_ASSERT_EQ(0, HANDLE_EINTR(syscall(__NR_nanosleep, &ts, NULL)));
 
   // Engage the sandbox.
   SandboxBPF sandbox;
   sandbox.SetSandboxPolicy(new BlacklistNanosleepPolicy());
   BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
 
   // This thread should have the filter applied as well.
   BlacklistNanosleepPolicy::AssertNanosleepFails();
 
   // Signal the condition to invoke the system call.
   event.Signal();
 
   // Wait for the thread to finish.
   BPF_ASSERT_EQ(0, pthread_join(thread, NULL));
 }
 
-class AllowAllPolicy : public SandboxBPFPolicy {
+class AllowAllPolicy : public SandboxBPFDSLPolicy {
  public:
-  AllowAllPolicy() : SandboxBPFPolicy() {}
+  AllowAllPolicy() {}
   virtual ~AllowAllPolicy() {}
 
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE {
-    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
+    return Allow();
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy);
 };
 
-SANDBOX_DEATH_TEST(SandboxBPF, StartMultiThreadedAsSingleThreaded,
+SANDBOX_DEATH_TEST(
+    SandboxBPF,
+    StartMultiThreadedAsSingleThreaded,
     DEATH_MESSAGE("Cannot start sandbox; process is already multi-threaded")) {
   base::Thread thread("sandbox.linux.StartMultiThreadedAsSingleThreaded");
   BPF_ASSERT(thread.Start());
 
   SandboxBPF sandbox;
   sandbox.SetSandboxPolicy(new AllowAllPolicy());
   BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
 }
 
 // http://crbug.com/407357
 #if !defined(THREAD_SANITIZER)
-SANDBOX_DEATH_TEST(SandboxBPF, StartSingleThreadedAsMultiThreaded,
-    DEATH_MESSAGE("Cannot start sandbox; process may be single-threaded when "
-                  "reported as not")) {
+SANDBOX_DEATH_TEST(
+    SandboxBPF,
+    StartSingleThreadedAsMultiThreaded,
+    DEATH_MESSAGE(
+        "Cannot start sandbox; process may be single-threaded when "
+        "reported as not")) {
   SandboxBPF sandbox;
   sandbox.SetSandboxPolicy(new AllowAllPolicy());
   BPF_ASSERT(!sandbox.StartSandbox(SandboxBPF::PROCESS_MULTI_THREADED));
 }
 #endif  // !defined(THREAD_SANITIZER)
 
 // A stub handler for the UnsafeTrap. Never called.
 intptr_t NoOpHandler(const struct arch_seccomp_data& args, void*) {
   return -1;
 }
 
-class UnsafeTrapWithCondPolicy : public SandboxBPFPolicy {
+class UnsafeTrapWithCondPolicy : public SandboxBPFDSLPolicy {
  public:
   UnsafeTrapWithCondPolicy() {}
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-                                    int sysno) const OVERRIDE {
+  virtual ~UnsafeTrapWithCondPolicy() {}
+
+  virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
     DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
     setenv(kSandboxDebuggingEnv, "t", 0);
     Die::SuppressInfoMessages(true);
 
     if (SandboxBPF::IsRequiredForUnsafeTrap(sysno))
-      return ErrorCode(ErrorCode::ERR_ALLOWED);
+      return Allow();
 
     switch (sysno) {
-      case __NR_uname:
-        return sandbox->Cond(0,
-                             ErrorCode::TP_32BIT,
-                             ErrorCode::OP_EQUAL,
-                             0,
-                             ErrorCode(ErrorCode::ERR_ALLOWED),
-                             ErrorCode(EPERM));
-      case __NR_setgid:
-        return sandbox->Cond(0,
-                             ErrorCode::TP_32BIT,
-                             ErrorCode::OP_EQUAL,
-                             100,
-                             ErrorCode(ErrorCode(ENOMEM)),
-                             sandbox->Cond(0,
-                                           ErrorCode::TP_32BIT,
-                                           ErrorCode::OP_EQUAL,
-                                           200,
-                                           ErrorCode(ENOSYS),
-                                           ErrorCode(EPERM)));
+      case __NR_uname: {
+        const Arg<uint32_t> arg(0);
+        return If(arg == 0, Allow()).Else(Error(EPERM));
+      }
+      case __NR_setgid: {
+        const Arg<uint32_t> arg(0);
+        return Switch(arg)
+            .Case(100, Error(ENOMEM))
+            .Case(200, Error(ENOSYS))
+            .Default(Error(EPERM));
+      }
       case __NR_close:
       case __NR_exit_group:
       case __NR_write:
-        return ErrorCode(ErrorCode::ERR_ALLOWED);
+        return Allow();
       case __NR_getppid:
-        return sandbox->UnsafeTrap(NoOpHandler, NULL);
+        return UnsafeTrap(NoOpHandler, NULL);
       default:
-        return ErrorCode(EPERM);
+        return Error(EPERM);
     }
   }
 
  private:
   DISALLOW_COPY_AND_ASSIGN(UnsafeTrapWithCondPolicy);
 };
 
 BPF_TEST_C(SandboxBPF, UnsafeTrapWithCond, UnsafeTrapWithCondPolicy) {
   BPF_ASSERT_EQ(-1, syscall(__NR_uname, 0));
   BPF_ASSERT_EQ(EFAULT, errno);
 
   BPF_ASSERT_EQ(-1, syscall(__NR_uname, 1));
   BPF_ASSERT_EQ(EPERM, errno);
 
   BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 100));
   BPF_ASSERT_EQ(ENOMEM, errno);
 
   BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 200));
   BPF_ASSERT_EQ(ENOSYS, errno);
 
   BPF_ASSERT_EQ(-1, syscall(__NR_setgid, 300));
   BPF_ASSERT_EQ(EPERM, errno);
 }
 
 }  // namespace
 
+}  // namespace bpf_dsl
 }  // namespace sandbox