sandbox/linux/bpf_dsl/bpf_dsl.cc - Issue 628823003: sandbox_bpf: rework how unsafe traps are compiled/verified

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: sandbox/linux/bpf_dsl/bpf_dsl.cc

Issue 628823003: sandbox_bpf: rework how unsafe traps are compiled/verified (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@policies

Patch Set: Sync Created 6 years, 2 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: sandbox/linux/bpf_dsl/bpf_dsl.cc

diff --git a/sandbox/linux/bpf_dsl/bpf_dsl.cc b/sandbox/linux/bpf_dsl/bpf_dsl.cc

index 8144d805490722e9806d85d3e079f0154a322696..983c9056397e1661a92325fa45d23f10d74dd377 100644

--- a/sandbox/linux/bpf_dsl/bpf_dsl.cc

+++ b/sandbox/linux/bpf_dsl/bpf_dsl.cc

@@ -12,6 +12,7 @@

#include "base/memory/ref_counted.h"

#include "sandbox/linux/seccomp-bpf/errorcode.h"

#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"

+#include "sandbox/linux/seccomp-bpf/syscall_iterator.h"

namespace sandbox {

namespace bpf_dsl {

@@ -38,7 +39,7 @@ class ErrorResultExprImpl : public internal::ResultExprImpl {

}

virtual ErrorCode Compile(SandboxBPF* sb) const OVERRIDE {

- return ErrorCode(err_);

+ return sb->Error(err_);

}

private:

@@ -112,6 +113,8 @@ class UnsafeTrapResultExprImpl : public internal::ResultExprImpl {

return sb->UnsafeTrap(func_, arg_);

}

+ virtual bool HasUnsafeTraps() const OVERRIDE { return true; }

private:

virtual ~UnsafeTrapResultExprImpl() {}

@@ -133,6 +136,10 @@ class IfThenResultExprImpl : public internal::ResultExprImpl {

sb, then_result_->Compile(sb), else_result_->Compile(sb));

}

+ virtual bool HasUnsafeTraps() const OVERRIDE {

+ return then_result_->HasUnsafeTraps() || else_result_->HasUnsafeTraps();

+ }

private:

virtual ~IfThenResultExprImpl() {}

@@ -249,6 +256,10 @@ class OrBoolExprImpl : public internal::BoolExprImpl {

namespace internal {

+bool ResultExprImpl::HasUnsafeTraps() const {

+ return false;

uint64_t DefaultMask(size_t size) {

switch (size) {

case 4:

@@ -376,6 +387,16 @@ ErrorCode SandboxBPFDSLPolicy::InvalidSyscall(SandboxBPF* sb) const {

return InvalidSyscall()->Compile(sb);

}

+bool SandboxBPFDSLPolicy::HasUnsafeTraps() const {

+ for (SyscallIterator iter(false); !iter.Done();) {

+ uint32_t sysnum = iter.Next();

+ if (SyscallIterator::IsValid(sysnum) &&

+ EvaluateSyscall(sysnum)->HasUnsafeTraps())

jln (very slow on Chromium) 2014/10/08 17:31:32 Nit: {}

mdempsky 2014/10/08 17:34:19 Done.

+ return true;

+ }

+ return InvalidSyscall()->HasUnsafeTraps();

ResultExpr SandboxBPFDSLPolicy::Trap(Trap::TrapFnc trap_func, const void* aux) {

return bpf_dsl::Trap(trap_func, aux);

}

« no previous file with comments | « sandbox/linux/bpf_dsl/bpf_dsl.h ('k') | sandbox/linux/seccomp-bpf/sandbox_bpf.h » ('j') | no next file with comments »