bpf_dsl: decouple PolicyCompiler from Syscall

sandbox/linux/bpf_dsl/policy_compiler.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
 
 #include <errno.h>
 #include <linux/filter.h>
 #include <sys/syscall.h>
 
 #include <limits>
 
 #include "base/logging.h"
 #include "base/macros.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
 #include "sandbox/linux/bpf_dsl/codegen.h"
 #include "sandbox/linux/bpf_dsl/policy.h"
 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
 #include "sandbox/linux/bpf_dsl/syscall_set.h"
 #include "sandbox/linux/seccomp-bpf/die.h"
 #include "sandbox/linux/seccomp-bpf/errorcode.h"
-#include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/system_headers/linux_seccomp.h"
 
 namespace sandbox {
 namespace bpf_dsl {
 
 namespace {
 
 #if defined(__i386__) || defined(__x86_64__)
 const bool kIsIntel = true;
 #else
@@ skipping 45 matching lines @@
 }  // namespace
 
 struct PolicyCompiler::Range {
   uint32_t from;
   CodeGen::Node node;
 };
 
 PolicyCompiler::PolicyCompiler(const Policy* policy, TrapRegistry* registry)
     : policy_(policy),
       registry_(registry),
+      escapepc_(0),
       conds_(),
       gen_(),
       has_unsafe_traps_(HasUnsafeTraps(policy_)) {
   DCHECK(policy);
 }
 
 PolicyCompiler::~PolicyCompiler() {
 }
 
 scoped_ptr<CodeGen::Program> PolicyCompiler::Compile() {
   if (!policy_->InvalidSyscall()->IsDeny()) {
     SANDBOX_DIE("Policies should deny invalid system calls.");
   }
 
   // If our BPF program has unsafe traps, enable support for them.
   if (has_unsafe_traps_) {
     // As support for unsafe jumps essentially defeats all the security
     // measures that the sandbox provides, we print a big warning message --
     // and of course, we make sure to only ever enable this feature if it
     // is actually requested by the sandbox policy.
-    if (Syscall::Call(-1) == -1 && errno == ENOSYS) {
-      SANDBOX_DIE(
-          "Support for UnsafeTrap() has not yet been ported to this "
-          "architecture");
-    }
+
+    CHECK_NE(0U, escapepc_) << "UnsafeTrap() requires a valid escape PC";
 
     for (int sysnum : kSyscallsRequiredForUnsafeTraps) {
       if (!policy_->EvaluateSyscall(sysnum)->IsAllow()) {
         SANDBOX_DIE(
             "Policies that use UnsafeTrap() must unconditionally allow all "
             "required system calls");
       }
     }
 
     if (!registry_->EnableUnsafeTraps()) {
       // We should never be able to get here, as UnsafeTrap() should never
       // actually return a valid ErrorCode object unless the user set the
       // CHROME_SANDBOX_DEBUGGING environment variable; and therefore,
       // "has_unsafe_traps" would always be false. But better double-check
       // than enabling dangerous code.
       SANDBOX_DIE("We'd rather die than enable unsafe traps");
     }
   }
 
   // Assemble the BPF filter program.
   scoped_ptr<CodeGen::Program> program(new CodeGen::Program());
   gen_.Compile(AssemblePolicy(), program.get());
   return program.Pass();
 }
 
+void PolicyCompiler::DangerousSetEscapePC(uint64_t escapepc) {
+  escapepc_ = escapepc;
+}
+
 CodeGen::Node PolicyCompiler::AssemblePolicy() {
   // A compiled policy consists of three logical parts:
   //   1. Check that the "arch" field matches the expected architecture.
   //   2. If the policy involves unsafe traps, check if the syscall was
   //      invoked by Syscall::Call, and then allow it unconditionally.
   //   3. Check the system call number and jump to the appropriate compiled
   //      system call policy number.
   return CheckArch(MaybeAddEscapeHatch(DispatchSyscall()));
 }
 
 CodeGen::Node PolicyCompiler::CheckArch(CodeGen::Node passed) {
   // If the architecture doesn't match SECCOMP_ARCH, disallow the
   // system call.
   return gen_.MakeInstruction(
       BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARCH_IDX,
       gen_.MakeInstruction(
           BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_ARCH, passed,
           CompileResult(Kill("Invalid audit architecture in BPF filter"))));
 }
 
 CodeGen::Node PolicyCompiler::MaybeAddEscapeHatch(CodeGen::Node rest) {
   // If no unsafe traps, then simply return |rest|.
   if (!has_unsafe_traps_) {
     return rest;
   }
 
-  // Allow system calls, if they originate from our magic return address
-  // (which we can query by calling Syscall::Call(-1)).
-  uint64_t syscall_entry_point =
-      static_cast<uint64_t>(static_cast<uintptr_t>(Syscall::Call(-1)));
-  uint32_t low = static_cast<uint32_t>(syscall_entry_point);
-  uint32_t hi = static_cast<uint32_t>(syscall_entry_point >> 32);
+  // We already enabled unsafe traps in Compile, but enable them again to give
+  // the trap registry a second chance to complain before we add the backdoor.
+  CHECK(registry_->EnableUnsafeTraps());
+
+  // Allow system calls, if they originate from our magic return address.
+  const uint32_t lopc = static_cast<uint32_t>(escapepc_);
+  const uint32_t hipc = static_cast<uint32_t>(escapepc_ >> 32);
 
   // BPF cannot do native 64-bit comparisons, so we have to compare
   // both 32-bit halves of the instruction pointer. If they match what
   // we expect, we return ERR_ALLOWED. If either or both don't match,
   // we continue evalutating the rest of the sandbox policy.
   //
   // For simplicity, we check the full 64-bit instruction pointer even
   // on 32-bit architectures.
   return gen_.MakeInstruction(
       BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_LSB_IDX,
       gen_.MakeInstruction(
-          BPF_JMP + BPF_JEQ + BPF_K, low,
+          BPF_JMP + BPF_JEQ + BPF_K, lopc,
           gen_.MakeInstruction(
               BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_MSB_IDX,
-              gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, hi,
+              gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, hipc,
                                    CompileResult(Allow()), rest)),
           rest));
 }
 
 CodeGen::Node PolicyCompiler::DispatchSyscall() {
   // Evaluate all possible system calls and group their ErrorCodes into
   // ranges of identical codes.
   Ranges ranges;
   FindRanges(&ranges);
 
@@ skipping 293 matching lines @@
   return ErrorCode(argno,
                    width,
                    mask,
                    value,
                    &*conds_.insert(passed).first,
                    &*conds_.insert(failed).first);
 }
 
 }  // namespace bpf_dsl
 }  // namespace sandbox