Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(364)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 628823003: sandbox_bpf: rework how unsafe traps are compiled/verified (Closed)

Created:
6 years, 2 months ago by mdempsky
Modified:
6 years, 2 months ago
CC:
chromium-reviews, jln+watch_chromium.org
Base URL:
https://chromium.googlesource.com/chromium/src.git@policies
Project:
chromium
Visibility:
Public.

Description

sandbox_bpf: rework how unsafe traps are compiled/verified One tricky quirk of unsafe traps is we can't use SECCOMP_RET_ERROR, otherwise the unsafe trap handlers won't be able to make use of the filtered system calls. To workaround this, when unsafe traps are enabled, we use a "ReturnErrno" trap instead of SECCOMP_RET_ERROR, and the SIGSYS signal handler instead decides whether to allow the system call or run the trap handler (i.e., return an error). Currently, SandboxBPF implements this in a very roundabout manner though: it compiles the policy normally, searches the compiled instructions for any trap returns that corresponded to an unsafe trap, then rewrites any error instructions to also use traps. This is further complicated by the verifier, because it then needs a policy wrapper so the verifier wouldn't be surprised when an "error" was actually compiled as a "trap". (That policy wrapper is also the last SandboxBPFPolicy, and not amenable to conversion to use bpf_dsl.) This CL changes things to upfront check if the policy uses any unsafe traps; and if so, it directly compiles "Error(x)" into a trap instead of using SECCOMP_RET_ERROR. BUG=414363 Committed: https://crrev.com/6c20e4dde6b5c8d7594d3576ed1bbbe97586fb58 Cr-Commit-Position: refs/heads/master@{#298763}

Patch Set 1 #

Patch Set 2 : Sync #

Total comments: 2

Patch Set 3 : Respond to jln feedback #

Patch Set 4 : Sync #

Unified diffs Side-by-side diffs Delta from patch set Stats (+98 lines, -179 lines) Patch
M sandbox/linux/bpf_dsl/bpf_dsl.h View 1 2 3 2 chunks +2 lines, -0 lines 0 comments Download
M sandbox/linux/bpf_dsl/bpf_dsl.cc View 1 2 3 6 chunks +23 lines, -1 line 0 comments Download
M sandbox/linux/seccomp-bpf/sandbox_bpf.h View 4 chunks +10 lines, -11 lines 0 comments Download
M sandbox/linux/seccomp-bpf/sandbox_bpf.cc View 1 2 3 8 chunks +60 lines, -156 lines 0 comments Download
M sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h View 1 chunk +3 lines, -0 lines 0 comments Download
M sandbox/linux/seccomp-bpf/trap.h View 1 chunk +0 lines, -4 lines 0 comments Download
M sandbox/linux/seccomp-bpf/trap.cc View 1 chunk +0 lines, -7 lines 0 comments Download

Messages

Total messages: 13 (4 generated)
mdempsky
6 years, 2 months ago (2014-10-04 01:00:47 UTC) #2
rickyz (no longer on Chrome)
lgtm Ah yeah, I remember noticing that the scope of the rewriting changed on that ...
6 years, 2 months ago (2014-10-07 00:29:05 UTC) #3
jln (very slow on Chromium)
lgtm, much better! :) https://chromiumcodereview.appspot.com/628823003/diff/20001/sandbox/linux/bpf_dsl/bpf_dsl.cc File sandbox/linux/bpf_dsl/bpf_dsl.cc (right): https://chromiumcodereview.appspot.com/628823003/diff/20001/sandbox/linux/bpf_dsl/bpf_dsl.cc#newcode394 sandbox/linux/bpf_dsl/bpf_dsl.cc:394: EvaluateSyscall(sysnum)->HasUnsafeTraps()) Nit: {}
6 years, 2 months ago (2014-10-08 17:31:32 UTC) #4
mdempsky
Thanks guys! https://codereview.chromium.org/628823003/diff/20001/sandbox/linux/bpf_dsl/bpf_dsl.cc File sandbox/linux/bpf_dsl/bpf_dsl.cc (right): https://codereview.chromium.org/628823003/diff/20001/sandbox/linux/bpf_dsl/bpf_dsl.cc#newcode394 sandbox/linux/bpf_dsl/bpf_dsl.cc:394: EvaluateSyscall(sysnum)->HasUnsafeTraps()) On 2014/10/08 17:31:32, jln (slow on ...
6 years, 2 months ago (2014-10-08 17:34:19 UTC) #5
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/628823003/40001
6 years, 2 months ago (2014-10-08 17:34:50 UTC) #7
commit-bot: I haz the power
Try jobs failed on following builders: linux_gpu on tryserver.chromium.gpu (http://build.chromium.org/p/tryserver.chromium.gpu/builders/linux_gpu/builds/76673) mac_gpu on tryserver.chromium.gpu (http://build.chromium.org/p/tryserver.chromium.gpu/builders/mac_gpu/builds/66058) win_gpu ...
6 years, 2 months ago (2014-10-08 17:39:37 UTC) #9
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/628823003/60001
6 years, 2 months ago (2014-10-08 17:52:55 UTC) #11
commit-bot: I haz the power
Committed patchset #4 (id:60001) as d26e8ecfb2b4e8cadda954a32d869efa53097d71
6 years, 2 months ago (2014-10-09 04:34:34 UTC) #12
commit-bot: I haz the power
6 years, 2 months ago (2014-10-09 04:35:50 UTC) #13
Message was sent while issue was closed. 
Patchset 4 (id:??) landed as
https://crrev.com/6c20e4dde6b5c8d7594d3576ed1bbbe97586fb58
Cr-Commit-Position: refs/heads/master@{#298763}

Powered by Google App Engine
This is Rietveld 408576698