bpf_dsl: decouple PolicyCompiler from Syscall

sandbox/linux/bpf_dsl/policy_compiler.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_
 #define SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_
 
 #include <stdint.h>
 
 #include <map>
 #include <set>
 #include <vector>
 
 #include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h"
 #include "sandbox/linux/bpf_dsl/codegen.h"
 #include "sandbox/linux/seccomp-bpf/errorcode.h"
 #include "sandbox/sandbox_export.h"
 
 namespace sandbox {
 namespace bpf_dsl {
 class Policy;
 
 // PolicyCompiler implements the bpf_dsl compiler, allowing users to
 // transform bpf_dsl policies into BPF programs to be executed by the
 // Linux kernel.
 class SANDBOX_EXPORT PolicyCompiler {
  public:
-  PolicyCompiler(const Policy* policy, TrapRegistry* registry);
+  PolicyCompiler(const Policy* policy,
+                 TrapRegistry* registry,
+                 uint64_t escapepc = 0);

[jln (very slow on Chromium), 2015/02/19 19:49:14]

I'm worried about making it too easy to inject a backdoor.

How about:

1. Instead of a constructor parameter, we require calling a clear
DangerousSetBackdoorEscapePC() API?

2. CHECK that kSandboxDebuggingEnv is set before calling
DangerousSetBackdoorEscapePC().

3. I would even add the same CHECK to MaybeAddEscapeHatch() for good measure.

[mdempsky, 2015/02/20 03:20:32]

FWIW, this just lets the "user" control what PC is used for the escape hatch. 
All of the same safe guards to prevent unsafe traps in production still existed,
even if someone accidentally passes a bogus PC value here.
Done.
Done.
I added an extra call to registry_->EnableUnsafeTraps(), since I don't want
bpf_dsl::PolicyCompiler to depend on the specifics of kSandboxDebuggingEnv.

   ~PolicyCompiler();
 
   // Compile registers any trap handlers needed by the policy and
   // compiles the policy to a BPF program, which it returns.
   scoped_ptr<CodeGen::Program> Compile();
 
   // Error returns an ErrorCode to indicate the system call should fail with
   // the specified error number.
   ErrorCode Error(int err);
 
@@ skipping 40 matching lines @@
 
   // Compile the configured policy into a complete instruction sequence.
   CodeGen::Node AssemblePolicy();
 
   // Return an instruction sequence that checks the
   // arch_seccomp_data's "arch" field is valid, and then passes
   // control to |passed| if so.
   CodeGen::Node CheckArch(CodeGen::Node passed);
 
   // If |has_unsafe_traps_| is true, returns an instruction sequence
-  // that allows all system calls from Syscall::Call(), and otherwise
+  // that allows all system calls from |escapepc_|, and otherwise
   // passes control to |rest|. Otherwise, simply returns |rest|.
   CodeGen::Node MaybeAddEscapeHatch(CodeGen::Node rest);
 
   // Return an instruction sequence that loads and checks the system
   // call number, performs a binary search, and then dispatches to an
   // appropriate instruction sequence compiled from the current
   // policy.
   CodeGen::Node DispatchSyscall();
 
   // Return an instruction sequence that checks the system call number
@@ skipping 31 matching lines @@
 
   // Returns a BPF program that evaluates half of a conditional expression;
   // it should only ever be called from CondExpression().
   CodeGen::Node CondExpressionHalf(const ErrorCode& cond,
                                    ArgHalf half,
                                    CodeGen::Node passed,
                                    CodeGen::Node failed);
 
   const Policy* policy_;
   TrapRegistry* registry_;
+  uint64_t escapepc_;
 
   Conds conds_;
   CodeGen gen_;
   bool has_unsafe_traps_;
 
   DISALLOW_COPY_AND_ASSIGN(PolicyCompiler);
 };
 
 }  // namespace bpf_dsl
 }  // namespace sandbox
 
 #endif  // SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_