Linux sandbox: change seccomp detection and initialization.

sandbox/linux/seccomp-bpf/sandbox_bpf.h

Index: sandbox/linux/seccomp-bpf/sandbox_bpf.h
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index 895c659f698541c1e1440991574245e6f43f7658..4a6c06c6a56143cc538d1a7546683a20bf93d9a0 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -21,36 +21,16 @@ class Policy;
 
 class SANDBOX_EXPORT SandboxBPF {
  public:
-  enum SandboxStatus {
-    STATUS_UNKNOWN,      // Status prior to calling supportsSeccompSandbox()
-    STATUS_UNSUPPORTED,  // The kernel does not appear to support sandboxing
-    STATUS_UNAVAILABLE,  // Currently unavailable but might work again later
-    STATUS_AVAILABLE,    // Sandboxing is available but not currently active
-    STATUS_ENABLED       // The sandbox is now active
-  };
-
-  // Depending on the level of kernel support, seccomp-bpf may require the
-  // process to be single-threaded in order to enable it. When calling
-  // StartSandbox(), the program should indicate whether or not the sandbox
-  // should try and engage with multi-thread support.
-  enum SandboxThreadState {
-    PROCESS_INVALID,
-    PROCESS_SINGLE_THREADED,  // The program is currently single-threaded.
-    // Note: PROCESS_MULTI_THREADED requires experimental kernel support that
-    // has not been contributed to upstream Linux.
-    PROCESS_MULTI_THREADED,   // The program may be multi-threaded.
+  enum SeccompLevel {

[jln (very slow on Chromium), 2014/11/25 01:24:29]

I considered making this an enum class, but since these are the bits of a
bitmask, the lack of implicit conversion to int was problematic.


Let me know what you think.

[mdempsky, 2014/11/25 03:14:06]

One solution might be to change "int SupportsSeccompSandbox();" into "bool
SupportsSeccompSandbox(SeccompLevel seccomp_level);", and then the callers just
need to check the level(s) they're interested in.

Minor bonus: You avoid making system calls to check for support the caller
doesn't care about.

[jln (very slow on Chromium), 2014/11/25 03:36:01]

I considered that, but in practice in content:: the Status should only be
checked once and I would rather only have to make one call to that function
rather than as many calls as there are sandbox types.

But maybe it's worth it just to use an enum class and because a bitmask is a
little error prone as well.

+    SECCOMP_NONE = 0,
+    SECCOMP_SINGLE_THREADED = 1 << 0,
+    SECCOMP_MULTI_THREADED = 1 << 1,
   };
 
   // Constructors and destructors.
   // NOTE: Setting a policy and starting the sandbox is a one-way operation.
-  //       The kernel does not provide any option for unloading a loaded
-  //       sandbox. Strictly speaking, that means we should disallow calling
-  //       the destructor, if StartSandbox() has ever been called. In practice,
-  //       this makes it needlessly complicated to operate on "Sandbox"
-  //       objects. So, we instead opted to allow object destruction. But it
-  //       should be noted that during its lifetime, the object probably made
-  //       irreversible state changes to the runtime environment. These changes
-  //       stay in effect even after the destructor has been run.
+  // The kernel does not provide any option for unloading a loaded sandbox. The
+  // sandbox remains engaged even when the object is destructed.
   SandboxBPF();
   ~SandboxBPF();
 
@@ -59,14 +39,9 @@ class SANDBOX_EXPORT SandboxBPF {
   // system calls.
   static bool IsValidSyscallNumber(int sysnum);
 
-  // Detect if the kernel supports the seccomp sandbox. The result of calling
-  // this function will be cached. The first time this function is called, the
-  // running process must be unsandboxed (able to use /proc) and monothreaded.
-  static SandboxStatus SupportsSeccompSandbox();
-
-  // Determines if the kernel has support for the seccomp() system call to
-  // synchronize BPF filters across a thread group.
-  static SandboxStatus SupportsSeccompThreadFilterSynchronization();
+  // Detect if the kernel supports the seccomp sandbox. Returns a bitmask
+  // of values in SeccompLevel.
+  static int SupportsSeccompSandbox();
 
   // The sandbox needs to be able to access files in "/proc/self/tasks/". If
   // this
@@ -94,11 +69,10 @@ class SANDBOX_EXPORT SandboxBPF {
   // directly suitable as a return value for a trap handler.
   static intptr_t ForwardSyscall(const struct arch_seccomp_data& args);
 
-  // This is the main public entry point. It finds all system calls that
-  // need rewriting, sets up the resources needed by the sandbox, and
-  // enters Seccomp mode.
-  // The calling process must specify its current SandboxThreadState, as a way
-  // to tell the sandbox which type of kernel support it should engage.
+  // This is the main public entry point. It sets up the resources needed by
+  // the sandbox, and enters Seccomp mode.
+  // The calling process must a |seccomp_level| to tell the sandbox which type
+  // of kernel support it should engage.
   // It is possible to stack multiple sandboxes by creating separate "Sandbox"
   // objects and calling "StartSandbox()" on each of them. Please note, that
   // this requires special care, though, as newly stacked sandboxes can never
@@ -107,7 +81,7 @@ class SANDBOX_EXPORT SandboxBPF {
   // disallowed.
   // Finally, stacking does add more kernel overhead than having a single
   // combined policy. So, it should only be used if there are no alternatives.
-  bool StartSandbox(SandboxThreadState thread_state) WARN_UNUSED_RESULT;
+  bool StartSandbox(SeccompLevel seccomp_level) WARN_UNUSED_RESULT;
 
   // Assembles a BPF filter program from the current policy. After calling this
   // function, you must not call any other sandboxing function.
@@ -129,12 +103,6 @@ class SANDBOX_EXPORT SandboxBPF {
   bool RunFunctionInPolicy(void (*code_in_sandbox)(),
                            scoped_ptr<bpf_dsl::Policy> policy);
 
-  // Performs a couple of sanity checks to verify that the kernel supports the
-  // features that we need for successful sandboxing.
-  // The caller has to make sure that "this" has not yet been initialized with
-  // any other policies.
-  bool KernelSupportSeccompBPF();
-
   // Assembles and installs a filter based on the policy that has previously
   // been configured with SetSandboxPolicy().
   void InstallFilter(bool must_sync_threads);
@@ -144,8 +112,6 @@ class SANDBOX_EXPORT SandboxBPF {
   // by the sandbox internals. It should not be used by production code.
   void VerifyProgram(const CodeGen::Program& program);
 
-  static SandboxStatus status_;
-
   bool quiet_;
   int proc_task_fd_;
   bool sandbox_has_started_;