diff options
Diffstat (limited to 'sandbox/linux/seccomp-bpf/errorcode.h')
-rw-r--r-- | sandbox/linux/seccomp-bpf/errorcode.h | 203 |
1 files changed, 0 insertions, 203 deletions
diff --git a/sandbox/linux/seccomp-bpf/errorcode.h b/sandbox/linux/seccomp-bpf/errorcode.h deleted file mode 100644 index d88777313e..0000000000 --- a/sandbox/linux/seccomp-bpf/errorcode.h +++ /dev/null @@ -1,203 +0,0 @@ -// Copyright (c) 2012 The Chromium Authors. All rights reserved. -// Use of this source code is governed by a BSD-style license that can be -// found in the LICENSE file. - -#ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ -#define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ - -#include "sandbox/linux/seccomp-bpf/trap.h" -#include "sandbox/sandbox_export.h" - -namespace sandbox { -namespace bpf_dsl { -class PolicyCompiler; -} - -// This class holds all the possible values that can be returned by a sandbox -// policy. -// We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an -// errno value (in the range 0..4095), a pointer to a TrapFnc callback -// handling a SECCOMP_RET_TRAP trap, or a complex constraint. -// All of the commonly used values are stored in the "err_" field. So, code -// that is using the ErrorCode class typically operates on a single 32bit -// field. -// -// TODO(mdempsky): Nuke from orbit. The only reason this class still -// exists is for Verifier, which will eventually be replaced by a true -// BPF symbolic evaluator and constraint solver. -class SANDBOX_EXPORT ErrorCode { - public: - enum { - // Allow this system call. The value of ERR_ALLOWED is pretty much - // completely arbitrary. But we want to pick it so that is is unlikely - // to be passed in accidentally, when the user intended to return an - // "errno" (see below) value instead. - ERR_ALLOWED = 0x04000000, - - // If the progress is being ptraced with PTRACE_O_TRACESECCOMP, then the - // tracer will be notified of a PTRACE_EVENT_SECCOMP and allowed to change - // or skip the system call. The lower 16 bits of err will be available to - // the tracer via PTRACE_GETEVENTMSG. - ERR_TRACE = 0x08000000, - - // Deny the system call with a particular "errno" value. - // N.B.: It is also possible to return "0" here. That would normally - // indicate success, but it won't actually run the system call. - // This is very different from return ERR_ALLOWED. - ERR_MIN_ERRNO = 0, -#if defined(__mips__) - // MIPS only supports errno up to 1133 - ERR_MAX_ERRNO = 1133, -#else - // TODO(markus): Android only supports errno up to 255 - // (crbug.com/181647). - ERR_MAX_ERRNO = 4095, -#endif - }; - - // While BPF filter programs always operate on 32bit quantities, the kernel - // always sees system call arguments as 64bit values. This statement is true - // no matter whether the host system is natively operating in 32bit or 64bit. - // The BPF compiler hides the fact that BPF instructions cannot directly - // access 64bit quantities. But policies are still advised to specify whether - // a system call expects a 32bit or a 64bit quantity. - enum ArgType { - // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that - // the conditional test should operate on the 32bit part of the system call - // argument. - // On 64bit architectures, this verifies that user space did not pass - // a 64bit value as an argument to the system call. If it did, that will be - // interpreted as an attempt at breaking the sandbox and results in the - // program getting terminated. - // In other words, only perform a 32bit test, if you are sure this - // particular system call would never legitimately take a 64bit - // argument. - // Implementation detail: TP_32BIT does two things. 1) it restricts the - // conditional test to operating on the LSB only, and 2) it adds code to - // the BPF filter program verifying that the MSB the kernel received from - // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit - // 31 was set in the system call argument. It deals with 32bit arguments - // having been sign extended. - TP_32BIT, - - // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that - // the conditional test should operate on the full 64bit argument. It is - // generally harmless to perform a 64bit test on 32bit systems, as the - // kernel will always see the top 32 bits of all arguments as zero'd out. - // This approach has the desirable property that for tests of pointer - // values, we can always use TP_64BIT no matter the host architecture. - // But of course, that also means, it is possible to write conditional - // policies that turn into no-ops on 32bit systems; this is by design. - TP_64BIT, - }; - - // Deprecated. - enum Operation { - // Test whether the system call argument is equal to the operand. - OP_EQUAL, - - // Tests a system call argument against a bit mask. - // The "ALL_BITS" variant performs this test: "arg & mask == mask" - // This implies that a mask of zero always results in a passing test. - // The "ANY_BITS" variant performs this test: "arg & mask != 0" - // This implies that a mask of zero always results in a failing test. - OP_HAS_ALL_BITS, - OP_HAS_ANY_BITS, - }; - - enum ErrorType { - ET_INVALID, - ET_SIMPLE, - ET_TRAP, - ET_COND, - }; - - // We allow the default constructor, as it makes the ErrorCode class - // much easier to use. But if we ever encounter an invalid ErrorCode - // when compiling a BPF filter, we deliberately generate an invalid - // program that will get flagged both by our Verifier class and by - // the Linux kernel. - ErrorCode(); - explicit ErrorCode(int err); - - // For all practical purposes, ErrorCodes are treated as if they were - // structs. The copy constructor and assignment operator are trivial and - // we do not need to explicitly specify them. - // Most notably, it is in fact perfectly OK to directly copy the passed_ and - // failed_ field. They only ever get set by our private constructor, and the - // callers handle life-cycle management for these objects. - - // Destructor - ~ErrorCode() {} - - bool Equals(const ErrorCode& err) const; - bool LessThan(const ErrorCode& err) const; - - uint32_t err() const { return err_; } - ErrorType error_type() const { return error_type_; } - - bool safe() const { return safe_; } - - uint64_t mask() const { return mask_; } - uint64_t value() const { return value_; } - int argno() const { return argno_; } - ArgType width() const { return width_; } - const ErrorCode* passed() const { return passed_; } - const ErrorCode* failed() const { return failed_; } - - struct LessThan { - bool operator()(const ErrorCode& a, const ErrorCode& b) const { - return a.LessThan(b); - } - }; - - private: - friend bpf_dsl::PolicyCompiler; - friend class CodeGen; - friend class SandboxBPF; - friend class Trap; - - // If we are wrapping a callback, we must assign a unique id. This id is - // how the kernel tells us which one of our different SECCOMP_RET_TRAP - // cases has been triggered. - ErrorCode(uint16_t trap_id, Trap::TrapFnc fnc, const void* aux, bool safe); - - // Some system calls require inspection of arguments. This constructor - // allows us to specify additional constraints. - ErrorCode(int argno, - ArgType width, - uint64_t mask, - uint64_t value, - const ErrorCode* passed, - const ErrorCode* failed); - - ErrorType error_type_; - - union { - // Fields needed for SECCOMP_RET_TRAP callbacks - struct { - Trap::TrapFnc fnc_; // Callback function and arg, if trap was - void* aux_; // triggered by the kernel's BPF filter. - bool safe_; // Keep sandbox active while calling fnc_() - }; - - // Fields needed when inspecting additional arguments. - struct { - uint64_t mask_; // Mask that we are comparing under. - uint64_t value_; // Value that we are comparing with. - int argno_; // Syscall arg number that we are inspecting. - ArgType width_; // Whether we are looking at a 32/64bit value. - const ErrorCode* passed_; // Value to be returned if comparison passed, - const ErrorCode* failed_; // or if it failed. - }; - }; - - // 32bit field used for all possible types of ErrorCode values. This is - // the value that uniquely identifies any ErrorCode and it (typically) can - // be emitted directly into a BPF filter program. - uint32_t err_; -}; - -} // namespace sandbox - -#endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ |