1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
6 #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
8 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
9 #include "sandbox/linux/seccomp-bpf/trap.h"
11 namespace playground2 {
13 struct arch_seccomp_data;
15 // This class holds all the possible values that can be returned by a sandbox
17 // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an
18 // errno value (in the range 0..4095), a pointer to a TrapFnc callback
19 // handling a SECCOMP_RET_TRAP trap, or a complex constraint.
20 // All of the commonly used values are stored in the "err_" field. So, code
21 // that is using the ErrorCode class typically operates on a single 32bit
26 // Allow this system call. The value of ERR_ALLOWED is pretty much
27 // completely arbitrary. But we want to pick it so that is is unlikely
28 // to be passed in accidentally, when the user intended to return an
29 // "errno" (see below) value instead.
30 ERR_ALLOWED = 0x04000000,
32 // Deny the system call with a particular "errno" value.
33 // N.B.: It is also possible to return "0" here. That would normally
34 // indicate success, but it won't actually run the system call.
35 // This is very different from return ERR_ALLOWED.
37 // TODO(markus): Android only supports errno up to 255
38 // (crbug.com/181647).
42 // While BPF filter programs always operate on 32bit quantities, the kernel
43 // always sees system call arguments as 64bit values. This statement is true
44 // no matter whether the host system is natively operating in 32bit or 64bit.
45 // The BPF compiler hides the fact that BPF instructions cannot directly
46 // access 64bit quantities. But policies are still advised to specify whether
47 // a system call expects a 32bit or a 64bit quantity.
49 // When passed as an argument to Sandbox::Cond(), TP_32BIT requests that
50 // the conditional test should operate on the 32bit part of the system call
52 // On 64bit architectures, this verifies that user space did not pass
53 // a 64bit value as an argument to the system call. If it did, that will be
54 // interpreted as an attempt at breaking the sandbox and results in the
55 // program getting terminated.
56 // In other words, only perform a 32bit test, if you are sure this
57 // particular system call would never legitimately take a 64bit
59 // Implementation detail: TP_32BIT does two things. 1) it restricts the
60 // conditional test to operating on the LSB only, and 2) it adds code to
61 // the BPF filter program verifying that the MSB the kernel received from
62 // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit
63 // 31 was set in the system call argument. It deals with 32bit arguments
64 // having been sign extended.
67 // When passed as an argument to Sandbox::Cond(), TP_64BIT requests that
68 // the conditional test should operate on the full 64bit argument. It is
69 // generally harmless to perform a 64bit test on 32bit systems, as the
70 // kernel will always see the top 32 bits of all arguments as zero'd out.
71 // This approach has the desirable property that for tests of pointer
72 // values, we can always use TP_64BIT no matter the host architecture.
73 // But of course, that also means, it is possible to write conditional
74 // policies that turn into no-ops on 32bit systems; this is by design.
79 // Test whether the system call argument is equal to the operand.
82 // Test whether the system call argument is greater (or equal) to the
83 // operand. Please note that all tests always operate on unsigned
84 // values. You can generally emulate signed tests, if that's what you
86 // TODO(markus): Check whether we should automatically emulate signed
88 OP_GREATER_UNSIGNED, OP_GREATER_EQUAL_UNSIGNED,
90 // Tests a system call argument against a bit mask.
91 // The "ALL_BITS" variant performs this test: "arg & mask == mask"
92 // This implies that a mask of zero always results in a passing test.
93 // The "ANY_BITS" variant performs this test: "arg & mask != 0"
94 // This implies that a mask of zero always results in a failing test.
95 OP_HAS_ALL_BITS, OP_HAS_ANY_BITS,
97 // Total number of operations.
102 ET_INVALID, ET_SIMPLE, ET_TRAP, ET_COND,
105 // We allow the default constructor, as it makes the ErrorCode class
106 // much easier to use. But if we ever encounter an invalid ErrorCode
107 // when compiling a BPF filter, we deliberately generate an invalid
108 // program that will get flagged both by our Verifier class and by
111 error_type_(ET_INVALID),
112 err_(SECCOMP_RET_INVALID) {
114 explicit ErrorCode(int err);
116 // For all practical purposes, ErrorCodes are treated as if they were
117 // structs. The copy constructor and assignment operator are trivial and
118 // we do not need to explicitly specify them.
119 // Most notably, it is in fact perfectly OK to directly copy the passed_ and
120 // failed_ field. They only ever get set by our private constructor, and the
121 // callers handle life-cycle management for these objects.
126 bool Equals(const ErrorCode& err) const;
127 bool LessThan(const ErrorCode& err) const;
129 uint32_t err() const { return err_; }
130 ErrorType error_type() const { return error_type_; }
132 bool safe() const { return safe_; }
134 uint64_t value() const { return value_; }
135 int argno() const { return argno_; }
136 ArgType width() const { return width_; }
137 Operation op() const { return op_; }
138 const ErrorCode *passed() const { return passed_; }
139 const ErrorCode *failed() const { return failed_; }
142 bool operator()(const ErrorCode& a, const ErrorCode& b) const {
143 return a.LessThan(b);
148 friend class CodeGen;
149 friend class Sandbox;
152 // If we are wrapping a callback, we must assign a unique id. This id is
153 // how the kernel tells us which one of our different SECCOMP_RET_TRAP
154 // cases has been triggered.
155 ErrorCode(Trap::TrapFnc fnc, const void *aux, bool safe, uint16_t id);
157 // Some system calls require inspection of arguments. This constructor
158 // allows us to specify additional constraints.
159 ErrorCode(int argno, ArgType width, Operation op, uint64_t value,
160 const ErrorCode *passed, const ErrorCode *failed);
162 ErrorType error_type_;
165 // Fields needed for SECCOMP_RET_TRAP callbacks
167 Trap::TrapFnc fnc_; // Callback function and arg, if trap was
168 void *aux_; // triggered by the kernel's BPF filter.
169 bool safe_; // Keep sandbox active while calling fnc_()
172 // Fields needed when inspecting additional arguments.
174 uint64_t value_; // Value that we are comparing with.
175 int argno_; // Syscall arg number that we are inspecting.
176 ArgType width_; // Whether we are looking at a 32/64bit value.
177 Operation op_; // Comparison operation.
178 const ErrorCode *passed_; // Value to be returned if comparison passed,
179 const ErrorCode *failed_; // or if it failed.
183 // 32bit field used for all possible types of ErrorCode values. This is
184 // the value that uniquely identifies any ErrorCode and it (typically) can
185 // be emitted directly into a BPF filter program.
192 #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__