sandbox_bpf: rework how unsafe traps are compiled/verified

sandbox/linux/seccomp-bpf/sandbox_bpf.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
 #define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
 
 #include <stdint.h>
 
 #include <map>
@@ skipping 73 matching lines @@
   // directory is not accessible when "startSandbox()" gets called, the caller
   // can provide an already opened file descriptor by calling "set_proc_fd()".
   // The sandbox becomes the new owner of this file descriptor and will
   // eventually close it when "StartSandbox()" executes.
   void set_proc_fd(int proc_fd);
 
   // Set the BPF policy as |policy|. Ownership of |policy| is transfered here
   // to the sandbox object.
   void SetSandboxPolicy(SandboxBPFPolicy* policy);
 
+  // Error returns an ErrorCode to indicate the system call should fail with
+  // the specified error number.
+  ErrorCode Error(int err);
+
   // We can use ErrorCode to request calling of a trap handler. This method
   // performs the required wrapping of the callback function into an
   // ErrorCode object.
   // The "aux" field can carry a pointer to arbitrary data. See EvaluateSyscall
   // for a description of how to pass data from SetSandboxPolicy() to a Trap()
   // handler.
   static ErrorCode Trap(Trap::TrapFnc fnc, const void* aux);
 
   // Calls a user-space trap handler and disables all sandboxing for system
   // calls made from this trap handler.
@@ skipping 117 matching lines @@
   bool KernelSupportSeccompBPF();
 
   // Verify that the current policy passes some basic sanity checks.
   void PolicySanityChecks(SandboxBPFPolicy* policy);
 
   // Assembles and installs a filter based on the policy that has previously
   // been configured with SetSandboxPolicy().
   void InstallFilter(bool must_sync_threads);
 
   // Compile the configured policy into a complete instruction sequence.
-  // (See MaybeAddEscapeHatch for |has_unsafe_traps|.)
-  Instruction* CompilePolicy(CodeGen* gen, bool* has_unsafe_traps);
+  Instruction* CompilePolicy(CodeGen* gen);
 
   // Return an instruction sequence that checks the
   // arch_seccomp_data's "arch" field is valid, and then passes
   // control to |passed| if so.
   Instruction* CheckArch(CodeGen* gen, Instruction* passed);
 
-  // If the |rest| instruction sequence contains any unsafe traps,
-  // then sets |*has_unsafe_traps| to true and returns an instruction
-  // sequence that allows all system calls from Syscall::Call(), and
-  // otherwise passes control to |rest|.
-  //
-  // If |rest| contains no unsafe traps, then |rest| is returned
-  // directly and |*has_unsafe_traps| is set to false.
+  // If |has_unsafe_traps_| is true, returns an instruction sequence
+  // that allows all system calls from Syscall::Call(), and otherwise
+  // passes control to |rest|. Otherwise, simply returns |rest|.
   Instruction* MaybeAddEscapeHatch(CodeGen* gen,
-                                   bool* has_unsafe_traps,
                                    Instruction* rest);
 
   // Return an instruction sequence that loads and checks the system
   // call number, performs a binary search, and then dispatches to an
   // appropriate instruction sequence compiled from the current
   // policy.
   Instruction* DispatchSyscall(CodeGen* gen);
 
   // Return an instruction sequence that checks the system call number
   // (expected to be loaded in register A) and if valid, passes
   // control to |passed| (with register A still valid).
   Instruction* CheckSyscallNumber(CodeGen* gen, Instruction* passed);
 
   // Verify the correctness of a compiled program by comparing it against the
   // current policy. This function should only ever be called by unit tests and
   // by the sandbox internals. It should not be used by production code.
-  void VerifyProgram(const Program& program, bool has_unsafe_traps);
+  void VerifyProgram(const Program& program);
 
   // Finds all the ranges of system calls that need to be handled. Ranges are
   // sorted in ascending order of system call numbers. There are no gaps in the
   // ranges. System calls with identical ErrorCodes are coalesced into a single
   // range.
   void FindRanges(Ranges* ranges);
 
   // Returns a BPF program snippet that implements a jump table for the
   // given range of system call numbers. This function runs recursively.
   Instruction* AssembleJumpTable(CodeGen* gen,
@@ skipping 21 matching lines @@
                                   Instruction* passed,
                                   Instruction* failed);
 
   static SandboxStatus status_;
 
   bool quiet_;
   int proc_fd_;
   scoped_ptr<const SandboxBPFPolicy> policy_;
   Conds* conds_;
   bool sandbox_has_started_;
+  bool has_unsafe_traps_;
 
   DISALLOW_COPY_AND_ASSIGN(SandboxBPF);
 };
 
 }  // namespace sandbox
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__