Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(587)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: sandbox/linux/bpf_dsl/bpf_dsl.cc

Issue 628823003: sandbox_bpf: rework how unsafe traps are compiled/verified (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@policies
Patch Set: Sync Created 6 years, 2 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « sandbox/linux/bpf_dsl/bpf_dsl.h ('k') | sandbox/linux/seccomp-bpf/sandbox_bpf.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: sandbox/linux/bpf_dsl/bpf_dsl.cc
diff --git a/sandbox/linux/bpf_dsl/bpf_dsl.cc b/sandbox/linux/bpf_dsl/bpf_dsl.cc
index 8b343f981103b47d64898ecba448b9c3c9ca94bc..dd8eab6c140137217500e64fc32ac415a5ab1afb 100644
--- a/sandbox/linux/bpf_dsl/bpf_dsl.cc
+++ b/sandbox/linux/bpf_dsl/bpf_dsl.cc
@@ -12,6 +12,7 @@
#include "base/memory/ref_counted.h"
#include "sandbox/linux/seccomp-bpf/errorcode.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
namespace sandbox {
namespace bpf_dsl {
@@ -38,7 +39,7 @@ class ErrorResultExprImpl : public internal::ResultExprImpl {
}
virtual ErrorCode Compile(SandboxBPF* sb) const override {
- return ErrorCode(err_);
+ return sb->Error(err_);
}
private:
@@ -112,6 +113,8 @@ class UnsafeTrapResultExprImpl : public internal::ResultExprImpl {
return sb->UnsafeTrap(func_, arg_);
}
+ virtual bool HasUnsafeTraps() const override { return true; }
+
private:
virtual ~UnsafeTrapResultExprImpl() {}
@@ -133,6 +136,10 @@ class IfThenResultExprImpl : public internal::ResultExprImpl {
sb, then_result_->Compile(sb), else_result_->Compile(sb));
}
+ virtual bool HasUnsafeTraps() const override {
+ return then_result_->HasUnsafeTraps() || else_result_->HasUnsafeTraps();
+ }
+
private:
virtual ~IfThenResultExprImpl() {}
@@ -249,6 +256,10 @@ class OrBoolExprImpl : public internal::BoolExprImpl {
namespace internal {
+bool ResultExprImpl::HasUnsafeTraps() const {
+ return false;
+}
+
uint64_t DefaultMask(size_t size) {
switch (size) {
case 4:
@@ -376,6 +387,17 @@ ErrorCode SandboxBPFDSLPolicy::InvalidSyscall(SandboxBPF* sb) const {
return InvalidSyscall()->Compile(sb);
}
+bool SandboxBPFDSLPolicy::HasUnsafeTraps() const {
+ for (SyscallIterator iter(false); !iter.Done();) {
+ uint32_t sysnum = iter.Next();
+ if (SyscallIterator::IsValid(sysnum) &&
+ EvaluateSyscall(sysnum)->HasUnsafeTraps()) {
+ return true;
+ }
+ }
+ return InvalidSyscall()->HasUnsafeTraps();
+}
+
ResultExpr SandboxBPFDSLPolicy::Trap(Trap::TrapFnc trap_func, const void* aux) {
return bpf_dsl::Trap(trap_func, aux);
}
« no previous file with comments | « sandbox/linux/bpf_dsl/bpf_dsl.h ('k') | sandbox/linux/seccomp-bpf/sandbox_bpf.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698