#ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
#define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
-#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
#include "sandbox/linux/seccomp-bpf/trap.h"
+#include "sandbox/sandbox_export.h"
-namespace playground2 {
-
-struct arch_seccomp_data;
+namespace sandbox {
+namespace bpf_dsl {
+class PolicyCompiler;
+}
// This class holds all the possible values that can be returned by a sandbox
// policy.
// All of the commonly used values are stored in the "err_" field. So, code
// that is using the ErrorCode class typically operates on a single 32bit
// field.
-class ErrorCode {
+class SANDBOX_EXPORT ErrorCode {
public:
enum {
// Allow this system call. The value of ERR_ALLOWED is pretty much
// completely arbitrary. But we want to pick it so that is is unlikely
// to be passed in accidentally, when the user intended to return an
// "errno" (see below) value instead.
- ERR_ALLOWED = 0x04000000,
+ ERR_ALLOWED = 0x04000000,
+
+ // If the progress is being ptraced with PTRACE_O_TRACESECCOMP, then the
+ // tracer will be notified of a PTRACE_EVENT_SECCOMP and allowed to change
+ // or skip the system call. The lower 16 bits of err will be available to
+ // the tracer via PTRACE_GETEVENTMSG.
+ ERR_TRACE = 0x08000000,
// Deny the system call with a particular "errno" value.
// N.B.: It is also possible to return "0" here. That would normally
// indicate success, but it won't actually run the system call.
// This is very different from return ERR_ALLOWED.
ERR_MIN_ERRNO = 0,
+#if defined(__mips__)
+ // MIPS only supports errno up to 1133
+ ERR_MAX_ERRNO = 1133,
+#else
// TODO(markus): Android only supports errno up to 255
// (crbug.com/181647).
ERR_MAX_ERRNO = 4095,
+#endif
};
// While BPF filter programs always operate on 32bit quantities, the kernel
// access 64bit quantities. But policies are still advised to specify whether
// a system call expects a 32bit or a 64bit quantity.
enum ArgType {
- // When passed as an argument to Sandbox::Cond(), TP_32BIT requests that
+ // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that
// the conditional test should operate on the 32bit part of the system call
// argument.
// On 64bit architectures, this verifies that user space did not pass
// having been sign extended.
TP_32BIT,
- // When passed as an argument to Sandbox::Cond(), TP_64BIT requests that
+ // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that
// the conditional test should operate on the full 64bit argument. It is
// generally harmless to perform a 64bit test on 32bit systems, as the
// kernel will always see the top 32 bits of all arguments as zero'd out.
TP_64BIT,
};
+ // Deprecated.
enum Operation {
// Test whether the system call argument is equal to the operand.
OP_EQUAL,
- // Test whether the system call argument is greater (or equal) to the
- // operand. Please note that all tests always operate on unsigned
- // values. You can generally emulate signed tests, if that's what you
- // need.
- // TODO(markus): Check whether we should automatically emulate signed
- // operations.
- OP_GREATER_UNSIGNED, OP_GREATER_EQUAL_UNSIGNED,
-
// Tests a system call argument against a bit mask.
// The "ALL_BITS" variant performs this test: "arg & mask == mask"
// This implies that a mask of zero always results in a passing test.
// The "ANY_BITS" variant performs this test: "arg & mask != 0"
// This implies that a mask of zero always results in a failing test.
- OP_HAS_ALL_BITS, OP_HAS_ANY_BITS,
-
- // Total number of operations.
- OP_NUM_OPS,
+ OP_HAS_ALL_BITS,
+ OP_HAS_ANY_BITS,
};
enum ErrorType {
- ET_INVALID, ET_SIMPLE, ET_TRAP, ET_COND,
+ ET_INVALID,
+ ET_SIMPLE,
+ ET_TRAP,
+ ET_COND,
};
// We allow the default constructor, as it makes the ErrorCode class
// when compiling a BPF filter, we deliberately generate an invalid
// program that will get flagged both by our Verifier class and by
// the Linux kernel.
- ErrorCode() :
- error_type_(ET_INVALID),
- err_(SECCOMP_RET_INVALID) {
- }
+ ErrorCode();
explicit ErrorCode(int err);
// For all practical purposes, ErrorCodes are treated as if they were
// callers handle life-cycle management for these objects.
// Destructor
- ~ErrorCode() { }
+ ~ErrorCode() {}
bool Equals(const ErrorCode& err) const;
bool LessThan(const ErrorCode& err) const;
bool safe() const { return safe_; }
+ uint64_t mask() const { return mask_; }
uint64_t value() const { return value_; }
int argno() const { return argno_; }
ArgType width() const { return width_; }
- Operation op() const { return op_; }
- const ErrorCode *passed() const { return passed_; }
- const ErrorCode *failed() const { return failed_; }
+ const ErrorCode* passed() const { return passed_; }
+ const ErrorCode* failed() const { return failed_; }
struct LessThan {
bool operator()(const ErrorCode& a, const ErrorCode& b) const {
};
private:
+ friend bpf_dsl::PolicyCompiler;
friend class CodeGen;
- friend class Sandbox;
+ friend class SandboxBPF;
friend class Trap;
// If we are wrapping a callback, we must assign a unique id. This id is
// how the kernel tells us which one of our different SECCOMP_RET_TRAP
// cases has been triggered.
- ErrorCode(Trap::TrapFnc fnc, const void *aux, bool safe, uint16_t id);
+ ErrorCode(uint16_t trap_id, Trap::TrapFnc fnc, const void* aux, bool safe);
// Some system calls require inspection of arguments. This constructor
// allows us to specify additional constraints.
- ErrorCode(int argno, ArgType width, Operation op, uint64_t value,
- const ErrorCode *passed, const ErrorCode *failed);
+ ErrorCode(int argno,
+ ArgType width,
+ uint64_t mask,
+ uint64_t value,
+ const ErrorCode* passed,
+ const ErrorCode* failed);
ErrorType error_type_;
union {
// Fields needed for SECCOMP_RET_TRAP callbacks
struct {
- Trap::TrapFnc fnc_; // Callback function and arg, if trap was
- void *aux_; // triggered by the kernel's BPF filter.
- bool safe_; // Keep sandbox active while calling fnc_()
+ Trap::TrapFnc fnc_; // Callback function and arg, if trap was
+ void* aux_; // triggered by the kernel's BPF filter.
+ bool safe_; // Keep sandbox active while calling fnc_()
};
// Fields needed when inspecting additional arguments.
struct {
- uint64_t value_; // Value that we are comparing with.
- int argno_; // Syscall arg number that we are inspecting.
- ArgType width_; // Whether we are looking at a 32/64bit value.
- Operation op_; // Comparison operation.
- const ErrorCode *passed_; // Value to be returned if comparison passed,
- const ErrorCode *failed_; // or if it failed.
+ uint64_t mask_; // Mask that we are comparing under.
+ uint64_t value_; // Value that we are comparing with.
+ int argno_; // Syscall arg number that we are inspecting.
+ ArgType width_; // Whether we are looking at a 32/64bit value.
+ const ErrorCode* passed_; // Value to be returned if comparison passed,
+ const ErrorCode* failed_; // or if it failed.
};
};
// the value that uniquely identifies any ErrorCode and it (typically) can
// be emitted directly into a BPF filter program.
uint32_t err_;
-
};
-} // namespace
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__