Merge from Chromium at DEPS revision 240154
This commit was generated by merge_to_master.py.
Change-Id: I8f2ba858cf0e7f413dddedc2ae91dc37f7136c2e
diff --git a/sandbox/linux/sandbox_linux.gypi b/sandbox/linux/sandbox_linux.gypi
index abbf32e..c20ab04 100644
--- a/sandbox/linux/sandbox_linux.gypi
+++ b/sandbox/linux/sandbox_linux.gypi
@@ -58,6 +58,7 @@
[ 'compile_seccomp_bpf==1', {
'dependencies': [
'seccomp_bpf',
+ 'seccomp_bpf_helpers',
],
}],
],
@@ -108,7 +109,6 @@
'seccomp-bpf/sandbox_bpf.cc',
'seccomp-bpf/sandbox_bpf.h',
'seccomp-bpf/sandbox_bpf_policy.h',
- 'seccomp-bpf/sandbox_bpf_policy_forward.h',
'seccomp-bpf/syscall.cc',
'seccomp-bpf/syscall.h',
'seccomp-bpf/syscall_iterator.cc',
@@ -127,6 +127,25 @@
],
},
{
+ 'target_name': 'seccomp_bpf_helpers',
+ 'type': 'static_library',
+ 'sources': [
+ 'seccomp-bpf-helpers/baseline_policy.cc',
+ 'seccomp-bpf-helpers/baseline_policy.h',
+ 'seccomp-bpf-helpers/sigsys_handlers.cc',
+ 'seccomp-bpf-helpers/sigsys_handlers.h',
+ 'seccomp-bpf-helpers/syscall_parameters_restrictions.cc',
+ 'seccomp-bpf-helpers/syscall_parameters_restrictions.h',
+ 'seccomp-bpf-helpers/syscall_sets.cc',
+ 'seccomp-bpf-helpers/syscall_sets.h',
+ ],
+ 'dependencies': [
+ ],
+ 'include_dirs': [
+ '../..',
+ ],
+ },
+ {
# A demonstration program for the seccomp-bpf sandbox.
'target_name': 'seccomp_bpf_demo',
'conditions': [
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
new file mode 100644
index 0000000..d0e53e3
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -0,0 +1,175 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h"
+
+#include <errno.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include "base/logging.h"
+#include "build/build_config.h"
+#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
+#include "sandbox/linux/services/linux_syscalls.h"
+
+// Changing this implementation will have an effect on *all* policies.
+// Currently this means: Renderer/Worker, GPU, Flash and NaCl.
+
+namespace sandbox {
+
+namespace {
+
+bool IsBaselinePolicyAllowed(int sysno) {
+ return SyscallSets::IsAllowedAddressSpaceAccess(sysno) ||
+ SyscallSets::IsAllowedBasicScheduler(sysno) ||
+ SyscallSets::IsAllowedEpoll(sysno) ||
+ SyscallSets::IsAllowedFileSystemAccessViaFd(sysno) ||
+ SyscallSets::IsAllowedGeneralIo(sysno) ||
+ SyscallSets::IsAllowedGetOrModifySocket(sysno) ||
+ SyscallSets::IsAllowedGettime(sysno) ||
+ SyscallSets::IsAllowedPrctl(sysno) ||
+ SyscallSets::IsAllowedProcessStartOrDeath(sysno) ||
+ SyscallSets::IsAllowedSignalHandling(sysno) ||
+ SyscallSets::IsFutex(sysno) ||
+ SyscallSets::IsGetSimpleId(sysno) ||
+ SyscallSets::IsKernelInternalApi(sysno) ||
+#if defined(__arm__)
+ SyscallSets::IsArmPrivate(sysno) ||
+#endif
+ SyscallSets::IsKill(sysno) ||
+ SyscallSets::IsAllowedOperationOnFd(sysno);
+}
+
+// System calls that will trigger the crashing SIGSYS handler.
+bool IsBaselinePolicyWatched(int sysno) {
+ return SyscallSets::IsAdminOperation(sysno) ||
+ SyscallSets::IsAdvancedScheduler(sysno) ||
+ SyscallSets::IsAdvancedTimer(sysno) ||
+ SyscallSets::IsAsyncIo(sysno) ||
+ SyscallSets::IsDebug(sysno) ||
+ SyscallSets::IsEventFd(sysno) ||
+ SyscallSets::IsExtendedAttributes(sysno) ||
+ SyscallSets::IsFaNotify(sysno) ||
+ SyscallSets::IsFsControl(sysno) ||
+ SyscallSets::IsGlobalFSViewChange(sysno) ||
+ SyscallSets::IsGlobalProcessEnvironment(sysno) ||
+ SyscallSets::IsGlobalSystemStatus(sysno) ||
+ SyscallSets::IsInotify(sysno) ||
+ SyscallSets::IsKernelModule(sysno) ||
+ SyscallSets::IsKeyManagement(sysno) ||
+ SyscallSets::IsMessageQueue(sysno) ||
+ SyscallSets::IsMisc(sysno) ||
+#if defined(__x86_64__)
+ SyscallSets::IsNetworkSocketInformation(sysno) ||
+#endif
+ SyscallSets::IsNuma(sysno) ||
+ SyscallSets::IsProcessGroupOrSession(sysno) ||
+ SyscallSets::IsProcessPrivilegeChange(sysno) ||
+#if defined(__i386__)
+ SyscallSets::IsSocketCall(sysno) ||
+#endif
+#if defined(__arm__)
+ SyscallSets::IsArmPciConfig(sysno) ||
+#endif
+ SyscallSets::IsTimer(sysno);
+}
+
+// |fs_denied_errno| is the errno return for denied filesystem access.
+ErrorCode EvaluateSyscallImpl(int fs_denied_errno, SandboxBPF* sandbox,
+ int sysno) {
+ if (IsBaselinePolicyAllowed(sysno)) {
+ return ErrorCode(ErrorCode::ERR_ALLOWED);
+ }
+
+#if defined(__x86_64__) || defined(__arm__)
+ if (sysno == __NR_socketpair) {
+ // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
+ COMPILE_ASSERT(AF_UNIX == PF_UNIX, af_unix_pf_unix_different);
+ return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, AF_UNIX,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Trap(CrashSIGSYS_Handler, NULL));
+ }
+#endif
+
+ if (sysno == __NR_madvise) {
+ // Only allow MADV_DONTNEED (aka MADV_FREE).
+ return sandbox->Cond(2, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, MADV_DONTNEED,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ ErrorCode(EPERM));
+ }
+
+#if defined(__i386__) || defined(__x86_64__)
+ if (sysno == __NR_mmap)
+ return RestrictMmapFlags(sandbox);
+#endif
+
+#if defined(__i386__) || defined(__arm__)
+ if (sysno == __NR_mmap2)
+ return RestrictMmapFlags(sandbox);
+#endif
+
+ if (sysno == __NR_mprotect)
+ return RestrictMprotectFlags(sandbox);
+
+ if (sysno == __NR_fcntl)
+ return RestrictFcntlCommands(sandbox);
+
+#if defined(__i386__) || defined(__arm__)
+ if (sysno == __NR_fcntl64)
+ return RestrictFcntlCommands(sandbox);
+#endif
+
+ if (SyscallSets::IsFileSystem(sysno) ||
+ SyscallSets::IsCurrentDirectory(sysno)) {
+ return ErrorCode(fs_denied_errno);
+ }
+
+ if (SyscallSets::IsAnySystemV(sysno)) {
+ return ErrorCode(EPERM);
+ }
+
+ if (SyscallSets::IsUmask(sysno) ||
+ SyscallSets::IsDeniedFileSystemAccessViaFd(sysno) ||
+ SyscallSets::IsDeniedGetOrModifySocket(sysno)) {
+ return ErrorCode(EPERM);
+ }
+
+#if defined(__i386__)
+ if (SyscallSets::IsSocketCall(sysno))
+ return RestrictSocketcallCommand(sandbox);
+#endif
+
+ if (IsBaselinePolicyWatched(sysno)) {
+ // Previously unseen syscalls. TODO(jln): some of these should
+ // be denied gracefully right away.
+ return sandbox->Trap(CrashSIGSYS_Handler, NULL);
+ }
+ // In any other case crash the program with our SIGSYS handler.
+ return sandbox->Trap(CrashSIGSYS_Handler, NULL);
+}
+
+} // namespace.
+
+// Unfortunately C++03 doesn't allow delegated constructors.
+// Call other constructor when C++11 lands.
+BaselinePolicy::BaselinePolicy()
+ : fs_denied_errno_(EPERM) {}
+
+BaselinePolicy::BaselinePolicy(int fs_denied_errno)
+ : fs_denied_errno_(fs_denied_errno) {}
+
+BaselinePolicy::~BaselinePolicy() {}
+
+ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox,
+ int sysno) const {
+ return EvaluateSyscallImpl(fs_denied_errno_, sandbox, sysno);
+}
+
+} // namespace sandbox.
diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
new file mode 100644
index 0000000..1dfd137
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h
@@ -0,0 +1,43 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_
+#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_
+
+#include "sandbox/linux/seccomp-bpf/errorcode.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
+
+namespace sandbox {
+
+class SandboxBPF;
+class SandboxBPFPolicy;
+
+// This is a helper to build seccomp-bpf policies, i.e. policies for a sandbox
+// that reduces the Linux kernel's attack surface. Given its nature, it doesn't
+// have a clear semantics and is mostly "implementation-defined".
+//
+// This returns an object that implements the SandboxBPFPolicy interface with
+// a "baseline" policy within Chromium.
+// The "baseline" policy is somewhat arbitrary. All Chromium policies are an
+// alteration of it, and it represents a reasonable common ground to run most
+// code in a sandboxed environment.
+class BaselinePolicy : public SandboxBPFPolicy {
+ public:
+ BaselinePolicy();
+ // |fs_denied_errno| is the errno returned when a filesystem access system
+ // call is denied.
+ explicit BaselinePolicy(int fs_denied_errno);
+ virtual ~BaselinePolicy();
+
+ virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
+ int system_call_number) const OVERRIDE;
+
+ private:
+ int fs_denied_errno_;
+ DISALLOW_COPY_AND_ASSIGN(BaselinePolicy);
+};
+
+} // namespace sandbox.
+
+#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_BASELINE_POLICY_H_
diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
new file mode 100644
index 0000000..6ff7125
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
@@ -0,0 +1,146 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Note: any code in this file MUST be async-signal safe.
+
+#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+
+#include <unistd.h>
+
+#include "base/basictypes.h"
+#include "base/logging.h"
+#include "base/posix/eintr_wrapper.h"
+#include "build/build_config.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+namespace {
+
+inline bool IsArchitectureX86_64() {
+#if defined(__x86_64__)
+ return true;
+#else
+ return false;
+#endif
+}
+
+// Write |error_message| to stderr. Similar to RawLog(), but a bit more careful
+// about async-signal safety. |size| is the size to write and should typically
+// not include a terminating \0.
+void WriteToStdErr(const char* error_message, size_t size) {
+ while (size > 0) {
+ // TODO(jln): query the current policy to check if send() is available and
+ // use it to perform a non-blocking write.
+ const int ret = HANDLE_EINTR(write(STDERR_FILENO, error_message, size));
+ // We can't handle any type of error here.
+ if (ret <= 0 || static_cast<size_t>(ret) > size) break;
+ size -= ret;
+ error_message += ret;
+ }
+}
+
+// Print a seccomp-bpf failure to handle |sysno| to stderr in an
+// async-signal safe way.
+void PrintSyscallError(uint32_t sysno) {
+ if (sysno >= 1024)
+ sysno = 0;
+ // TODO(markus): replace with async-signal safe snprintf when available.
+ const size_t kNumDigits = 4;
+ char sysno_base10[kNumDigits];
+ uint32_t rem = sysno;
+ uint32_t mod = 0;
+ for (int i = kNumDigits - 1; i >= 0; i--) {
+ mod = rem % 10;
+ rem /= 10;
+ sysno_base10[i] = '0' + mod;
+ }
+ static const char kSeccompErrorPrefix[] =
+ __FILE__":**CRASHING**:seccomp-bpf failure in syscall ";
+ static const char kSeccompErrorPostfix[] = "\n";
+ WriteToStdErr(kSeccompErrorPrefix, sizeof(kSeccompErrorPrefix) - 1);
+ WriteToStdErr(sysno_base10, sizeof(sysno_base10));
+ WriteToStdErr(kSeccompErrorPostfix, sizeof(kSeccompErrorPostfix) - 1);
+}
+
+} // namespace.
+
+namespace sandbox {
+
+intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux) {
+ uint32_t syscall = args.nr;
+ if (syscall >= 1024)
+ syscall = 0;
+ PrintSyscallError(syscall);
+
+ // Encode 8-bits of the 1st two arguments too, so we can discern which socket
+ // type, which fcntl, ... etc., without being likely to hit a mapped
+ // address.
+ // Do not encode more bits here without thinking about increasing the
+ // likelihood of collision with mapped pages.
+ syscall |= ((args.args[0] & 0xffUL) << 12);
+ syscall |= ((args.args[1] & 0xffUL) << 20);
+ // Purposefully dereference the syscall as an address so it'll show up very
+ // clearly and easily in crash dumps.
+ volatile char* addr = reinterpret_cast<volatile char*>(syscall);
+ *addr = '\0';
+ // In case we hit a mapped address, hit the null page with just the syscall,
+ // for paranoia.
+ syscall &= 0xfffUL;
+ addr = reinterpret_cast<volatile char*>(syscall);
+ *addr = '\0';
+ for (;;)
+ _exit(1);
+}
+
+// TODO(jln): refactor the reporting functions.
+
+intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux) {
+ // "flags" is the first argument in the kernel's clone().
+ // Mark as volatile to be able to find the value on the stack in a minidump.
+#if !defined(NDEBUG)
+ RAW_LOG(ERROR, __FILE__":**CRASHING**:clone() failure\n");
+#endif
+ volatile uint64_t clone_flags = args.args[0];
+ volatile char* addr;
+ if (IsArchitectureX86_64()) {
+ addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFFFFF);
+ *addr = '\0';
+ }
+ // Hit the NULL page if this fails to fault.
+ addr = reinterpret_cast<volatile char*>(clone_flags & 0xFFF);
+ *addr = '\0';
+ for (;;)
+ _exit(1);
+}
+
+intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args,
+ void* /* aux */) {
+ // Mark as volatile to be able to find the value on the stack in a minidump.
+#if !defined(NDEBUG)
+ RAW_LOG(ERROR, __FILE__":**CRASHING**:prctl() failure\n");
+#endif
+ volatile uint64_t option = args.args[0];
+ volatile char* addr =
+ reinterpret_cast<volatile char*>(option & 0xFFF);
+ *addr = '\0';
+ for (;;)
+ _exit(1);
+}
+
+intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args,
+ void* /* aux */) {
+ // Make "request" volatile so that we can see it on the stack in a minidump.
+#if !defined(NDEBUG)
+ RAW_LOG(ERROR, __FILE__":**CRASHING**:ioctl() failure\n");
+#endif
+ volatile uint64_t request = args.args[1];
+ volatile char* addr = reinterpret_cast<volatile char*>(request & 0xFFFF);
+ *addr = '\0';
+ // Hit the NULL page if this fails.
+ addr = reinterpret_cast<volatile char*>(request & 0xFFF);
+ *addr = '\0';
+ for (;;)
+ _exit(1);
+}
+
+} // namespace sandbox.
diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
new file mode 100644
index 0000000..3bf5c16
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
@@ -0,0 +1,39 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SIGSYS_HANDLERS_H_
+#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SIGSYS_HANDLERS_H_
+
+#include "base/basictypes.h"
+#include "build/build_config.h"
+
+// The handlers are suitable for use in Trap() error codes. They are
+// guaranteed to be async-signal safe.
+// See sandbox/linux/seccomp-bpf/trap.h to see how they work.
+
+namespace sandbox {
+
+struct arch_seccomp_data;
+
+// This handler will crash the currently running process. The crashing address
+// will be the number of the current system call, extracted from |args|.
+// This handler will also print to stderr the number of the crashing syscall.
+intptr_t CrashSIGSYS_Handler(const struct arch_seccomp_data& args, void* aux);
+
+// The following three handlers are suitable to report failures with the
+// clone(), prctl() and ioctl() system calls respectively.
+
+// The crashing address will be (clone_flags & 0xFFFFFF), where clone_flags is
+// the clone(2) argument, extracted from |args|.
+intptr_t SIGSYSCloneFailure(const struct arch_seccomp_data& args, void* aux);
+// The crashing address will be (option & 0xFFF), where option is the prctl(2)
+// argument.
+intptr_t SIGSYSPrctlFailure(const struct arch_seccomp_data& args, void* aux);
+// The crashing address will be request & 0xFFFF, where request is the ioctl(2)
+// argument.
+intptr_t SIGSYSIoctlFailure(const struct arch_seccomp_data& args, void* aux);
+
+} // namespace sandbox.
+
+#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SIGSYS_HANDLERS_H_
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
new file mode 100644
index 0000000..9b417ce
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc
@@ -0,0 +1,214 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h"
+
+#include <errno.h>
+#include <fcntl.h>
+#include <fcntl.h>
+#include <linux/net.h>
+#include <sched.h>
+#include <signal.h>
+#include <sys/ioctl.h>
+#include <sys/mman.h>
+#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include "base/basictypes.h"
+#include "base/logging.h"
+#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+
+#if defined(OS_ANDROID)
+#if !defined(F_DUPFD_CLOEXEC)
+#define F_DUPFD_CLOEXEC (F_LINUX_SPECIFIC_BASE + 6)
+#endif
+#endif
+
+#if defined(__arm__) && !defined(MAP_STACK)
+#define MAP_STACK 0x20000 // Daisy build environment has old headers.
+#endif
+
+namespace {
+
+inline bool RunningOnASAN() {
+#if defined(ADDRESS_SANITIZER)
+ return true;
+#else
+ return false;
+#endif
+}
+
+inline bool IsArchitectureX86_64() {
+#if defined(__x86_64__)
+ return true;
+#else
+ return false;
+#endif
+}
+
+inline bool IsArchitectureI386() {
+#if defined(__i386__)
+ return true;
+#else
+ return false;
+#endif
+}
+
+} // namespace.
+
+namespace sandbox {
+
+ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) {
+ // Glibc's pthread.
+ if (!RunningOnASAN()) {
+ return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ CLONE_VM | CLONE_FS | CLONE_FILES | CLONE_SIGHAND |
+ CLONE_THREAD | CLONE_SYSVSEM | CLONE_SETTLS |
+ CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ CLONE_PARENT_SETTID | SIGCHLD,
+ ErrorCode(EPERM),
+ // ARM
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID | SIGCHLD,
+ ErrorCode(EPERM),
+ sandbox->Trap(SIGSYSCloneFailure, NULL))));
+ } else {
+ return ErrorCode(ErrorCode::ERR_ALLOWED);
+ }
+}
+
+ErrorCode RestrictPrctl(SandboxBPF* sandbox) {
+ // Will need to add seccomp compositing in the future. PR_SET_PTRACER is
+ // used by breakpad but not needed anymore.
+ return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ PR_SET_NAME, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ PR_SET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ PR_GET_DUMPABLE, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Trap(SIGSYSPrctlFailure, NULL))));
+}
+
+ErrorCode RestrictIoctl(SandboxBPF* sandbox) {
+ return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, TCGETS,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, FIONREAD,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Trap(SIGSYSIoctlFailure, NULL)));
+}
+
+ErrorCode RestrictMmapFlags(SandboxBPF* sandbox) {
+ // The flags you see are actually the allowed ones, and the variable is a
+ // "denied" mask because of the negation operator.
+ // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as
+ // MAP_POPULATE.
+ // TODO(davidung), remove MAP_DENYWRITE with updated Tegra libraries.
+ uint32_t denied_mask = ~(MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
+ MAP_STACK | MAP_NORESERVE | MAP_FIXED |
+ MAP_DENYWRITE);
+ return sandbox->Cond(3, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+ denied_mask,
+ sandbox->Trap(CrashSIGSYS_Handler, NULL),
+ ErrorCode(ErrorCode::ERR_ALLOWED));
+}
+
+ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox) {
+ // The flags you see are actually the allowed ones, and the variable is a
+ // "denied" mask because of the negation operator.
+ // Significantly, we don't permit weird undocumented flags such as
+ // PROT_GROWSDOWN.
+ uint32_t denied_mask = ~(PROT_READ | PROT_WRITE | PROT_EXEC);
+ return sandbox->Cond(2, ErrorCode::TP_32BIT, ErrorCode::OP_HAS_ANY_BITS,
+ denied_mask,
+ sandbox->Trap(CrashSIGSYS_Handler, NULL),
+ ErrorCode(ErrorCode::ERR_ALLOWED));
+}
+
+ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox) {
+ // We also restrict the flags in F_SETFL. We don't want to permit flags with
+ // a history of trouble such as O_DIRECT. The flags you see are actually the
+ // allowed ones, and the variable is a "denied" mask because of the negation
+ // operator.
+ // Glibc overrides the kernel's O_LARGEFILE value. Account for this.
+ int kOLargeFileFlag = O_LARGEFILE;
+ if (IsArchitectureX86_64() || IsArchitectureI386())
+ kOLargeFileFlag = 0100000;
+
+ // TODO(jln): add TP_LONG/TP_SIZET types.
+ ErrorCode::ArgType mask_long_type;
+ if (sizeof(long) == 8)
+ mask_long_type = ErrorCode::TP_64BIT;
+ else if (sizeof(long) == 4)
+ mask_long_type = ErrorCode::TP_32BIT;
+ else
+ NOTREACHED();
+
+ unsigned long denied_mask = ~(O_ACCMODE | O_APPEND | O_NONBLOCK | O_SYNC |
+ kOLargeFileFlag | O_CLOEXEC | O_NOATIME);
+ return sandbox->Cond(1, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, F_GETFL,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(1, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, F_SETFL,
+ sandbox->Cond(2, mask_long_type,
+ ErrorCode::OP_HAS_ANY_BITS, denied_mask,
+ sandbox->Trap(CrashSIGSYS_Handler, NULL),
+ ErrorCode(ErrorCode::ERR_ALLOWED)),
+ sandbox->Cond(1, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, F_GETFD,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(1, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, F_SETFD,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(1, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, F_DUPFD,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(1, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, F_SETLK,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(1, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, F_SETLKW,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(1, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, F_GETLK,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(1, ErrorCode::TP_32BIT,
+ ErrorCode::OP_EQUAL, F_DUPFD_CLOEXEC,
+ ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Trap(CrashSIGSYS_Handler, NULL))))))))));
+}
+
+#if defined(__i386__)
+ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox) {
+ // Unfortunately, we are unable to restrict the first parameter to
+ // socketpair(2). Whilst initially sounding bad, it's noteworthy that very
+ // few protocols actually support socketpair(2). The scary call that we're
+ // worried about, socket(2), remains blocked.
+ return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ SYS_SOCKETPAIR, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ SYS_SEND, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ SYS_RECV, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ SYS_SENDTO, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ SYS_RECVFROM, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ SYS_SHUTDOWN, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ SYS_SENDMSG, ErrorCode(ErrorCode::ERR_ALLOWED),
+ sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL,
+ SYS_RECVMSG, ErrorCode(ErrorCode::ERR_ALLOWED),
+ ErrorCode(EPERM)))))))));
+}
+#endif
+
+} // namespace sandbox.
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
new file mode 100644
index 0000000..65b7c47
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h
@@ -0,0 +1,58 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
+#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
+
+#include "build/build_config.h"
+
+// These are helpers to build seccomp-bpf policies, i.e. policies for a
+// sandbox that reduces the Linux kernel's attack surface. They return an
+// ErrorCode suitable to restrict certain system call parameters.
+
+namespace sandbox {
+
+class ErrorCode;
+class SandboxBPF;
+
+// Allow clone(2) for threads.
+// Reject fork(2) attempts with EPERM.
+// Don't restrict on ASAN.
+// Crash if anything else is attempted.
+ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox);
+
+// Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE.
+// Crash if anything else is attempted.
+ErrorCode RestrictPrctl(SandboxBPF* sandbox);
+
+// Allow TCGETS and FIONREAD.
+// Crash if anything else is attempted.
+ErrorCode RestrictIoctl(SandboxBPF* sandbox);
+
+// Restrict the flags argument in mmap(2).
+// Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS |
+// MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE.
+// Crash if any other flag is used.
+ErrorCode RestrictMmapFlags(SandboxBPF* sandbox);
+
+// Restrict the prot argument in mprotect(2).
+// Only allow: PROT_READ | PROT_WRITE | PROT_EXEC.
+ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox);
+
+// Restrict fcntl(2) cmd argument to:
+// We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC,
+// F_SETLK, F_SETLKW and F_GETLK.
+// Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND |
+// O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME.
+ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox);
+
+#if defined(__i386__)
+// Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2),
+// sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2).
+ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox);
+#endif
+
+} // namespace sandbox.
+
+#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_PARAMETERS_RESTRICTIONS_H_
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
new file mode 100644
index 0000000..032f6c3
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -0,0 +1,981 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/seccomp-bpf-helpers/syscall_sets.h"
+
+#include "build/build_config.h"
+#include "sandbox/linux/services/linux_syscalls.h"
+
+namespace sandbox {
+
+// The functions below cover all existing i386, x86_64, and ARM system calls;
+// excluding syscalls made obsolete in ARM EABI.
+// The implicitly defined sets form a partition of the sets of
+// system calls.
+
+// TODO(jln) we need to restrict the first parameter!
+bool SyscallSets::IsKill(int sysno) {
+ switch (sysno) {
+ case __NR_kill:
+ case __NR_tkill:
+ case __NR_tgkill:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsAllowedGettime(int sysno) {
+ switch (sysno) {
+ case __NR_clock_gettime:
+ case __NR_gettimeofday:
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_time:
+#endif
+ return true;
+ case __NR_adjtimex: // Privileged.
+ case __NR_clock_adjtime: // Privileged.
+ case __NR_clock_getres: // Could be allowed.
+ case __NR_clock_nanosleep: // Could be allowed.
+ case __NR_clock_settime: // Privileged.
+#if defined(__i386__)
+ case __NR_ftime: // Obsolete.
+#endif
+ case __NR_settimeofday: // Privileged.
+#if defined(__i386__)
+ case __NR_stime:
+#endif
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsCurrentDirectory(int sysno) {
+ switch (sysno) {
+ case __NR_getcwd:
+ case __NR_chdir:
+ case __NR_fchdir:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsUmask(int sysno) {
+ switch (sysno) {
+ case __NR_umask:
+ return true;
+ default:
+ return false;
+ }
+}
+
+// System calls that directly access the file system. They might acquire
+// a new file descriptor or otherwise perform an operation directly
+// via a path.
+// Both EPERM and ENOENT are valid errno unless otherwise noted in comment.
+bool SyscallSets::IsFileSystem(int sysno) {
+ switch (sysno) {
+ case __NR_access: // EPERM not a valid errno.
+ case __NR_chmod:
+ case __NR_chown:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_chown32:
+#endif
+ case __NR_creat:
+ case __NR_execve:
+ case __NR_faccessat: // EPERM not a valid errno.
+ case __NR_fchmodat:
+ case __NR_fchownat: // Should be called chownat ?
+#if defined(__x86_64__)
+ case __NR_newfstatat: // fstatat(). EPERM not a valid errno.
+#elif defined(__i386__) || defined(__arm__)
+ case __NR_fstatat64:
+#endif
+ case __NR_futimesat: // Should be called utimesat ?
+ case __NR_lchown:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_lchown32:
+#endif
+ case __NR_link:
+ case __NR_linkat:
+ case __NR_lookup_dcookie: // ENOENT not a valid errno.
+ case __NR_lstat: // EPERM not a valid errno.
+#if defined(__i386__)
+ case __NR_oldlstat:
+#endif
+#if defined(__i386__) || defined(__arm__)
+ case __NR_lstat64:
+#endif
+ case __NR_mkdir:
+ case __NR_mkdirat:
+ case __NR_mknod:
+ case __NR_mknodat:
+ case __NR_open:
+ case __NR_openat:
+ case __NR_readlink: // EPERM not a valid errno.
+ case __NR_readlinkat:
+ case __NR_rename:
+ case __NR_renameat:
+ case __NR_rmdir:
+ case __NR_stat: // EPERM not a valid errno.
+#if defined(__i386__)
+ case __NR_oldstat:
+#endif
+#if defined(__i386__) || defined(__arm__)
+ case __NR_stat64:
+#endif
+ case __NR_statfs: // EPERM not a valid errno.
+#if defined(__i386__) || defined(__arm__)
+ case __NR_statfs64:
+#endif
+ case __NR_symlink:
+ case __NR_symlinkat:
+ case __NR_truncate:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_truncate64:
+#endif
+ case __NR_unlink:
+ case __NR_unlinkat:
+ case __NR_uselib: // Neither EPERM, nor ENOENT are valid errno.
+ case __NR_ustat: // Same as above. Deprecated.
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_utime:
+#endif
+ case __NR_utimensat: // New.
+ case __NR_utimes:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsAllowedFileSystemAccessViaFd(int sysno) {
+ switch (sysno) {
+ case __NR_fstat:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_fstat64:
+#endif
+ return true;
+// TODO(jln): these should be denied gracefully as well (moved below).
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_fadvise64: // EPERM not a valid errno.
+#endif
+#if defined(__i386__)
+ case __NR_fadvise64_64:
+#endif
+#if defined(__arm__)
+ case __NR_arm_fadvise64_64:
+#endif
+ case __NR_fdatasync: // EPERM not a valid errno.
+ case __NR_flock: // EPERM not a valid errno.
+ case __NR_fstatfs: // Give information about the whole filesystem.
+#if defined(__i386__) || defined(__arm__)
+ case __NR_fstatfs64:
+#endif
+ case __NR_fsync: // EPERM not a valid errno.
+#if defined(__i386__)
+ case __NR_oldfstat:
+#endif
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_sync_file_range: // EPERM not a valid errno.
+#elif defined(__arm__)
+ case __NR_arm_sync_file_range: // EPERM not a valid errno.
+#endif
+ default:
+ return false;
+ }
+}
+
+// EPERM is a good errno for any of these.
+bool SyscallSets::IsDeniedFileSystemAccessViaFd(int sysno) {
+ switch (sysno) {
+ case __NR_fallocate:
+ case __NR_fchmod:
+ case __NR_fchown:
+ case __NR_ftruncate:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_fchown32:
+ case __NR_ftruncate64:
+#endif
+ case __NR_getdents: // EPERM not a valid errno.
+ case __NR_getdents64: // EPERM not a valid errno.
+#if defined(__i386__)
+ case __NR_readdir:
+#endif
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsGetSimpleId(int sysno) {
+ switch (sysno) {
+ case __NR_capget:
+ case __NR_getegid:
+ case __NR_geteuid:
+ case __NR_getgid:
+ case __NR_getgroups:
+ case __NR_getpid:
+ case __NR_getppid:
+ case __NR_getresgid:
+ case __NR_getsid:
+ case __NR_gettid:
+ case __NR_getuid:
+ case __NR_getresuid:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_getegid32:
+ case __NR_geteuid32:
+ case __NR_getgid32:
+ case __NR_getgroups32:
+ case __NR_getresgid32:
+ case __NR_getresuid32:
+ case __NR_getuid32:
+#endif
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsProcessPrivilegeChange(int sysno) {
+ switch (sysno) {
+ case __NR_capset:
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_ioperm: // Intel privilege.
+ case __NR_iopl: // Intel privilege.
+#endif
+ case __NR_setfsgid:
+ case __NR_setfsuid:
+ case __NR_setgid:
+ case __NR_setgroups:
+ case __NR_setregid:
+ case __NR_setresgid:
+ case __NR_setresuid:
+ case __NR_setreuid:
+ case __NR_setuid:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_setfsgid32:
+ case __NR_setfsuid32:
+ case __NR_setgid32:
+ case __NR_setgroups32:
+ case __NR_setregid32:
+ case __NR_setresgid32:
+ case __NR_setresuid32:
+ case __NR_setreuid32:
+ case __NR_setuid32:
+#endif
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsProcessGroupOrSession(int sysno) {
+ switch (sysno) {
+ case __NR_setpgid:
+ case __NR_getpgrp:
+ case __NR_setsid:
+ case __NR_getpgid:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsAllowedSignalHandling(int sysno) {
+ switch (sysno) {
+ case __NR_rt_sigaction:
+ case __NR_rt_sigprocmask:
+ case __NR_rt_sigreturn:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_sigaction:
+ case __NR_sigprocmask:
+ case __NR_sigreturn:
+#endif
+ return true;
+ case __NR_rt_sigpending:
+ case __NR_rt_sigqueueinfo:
+ case __NR_rt_sigsuspend:
+ case __NR_rt_sigtimedwait:
+ case __NR_rt_tgsigqueueinfo:
+ case __NR_sigaltstack:
+ case __NR_signalfd:
+ case __NR_signalfd4:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_sigpending:
+ case __NR_sigsuspend:
+#endif
+#if defined(__i386__)
+ case __NR_signal:
+ case __NR_sgetmask: // Obsolete.
+ case __NR_ssetmask:
+#endif
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsAllowedOperationOnFd(int sysno) {
+ switch (sysno) {
+ case __NR_close:
+ case __NR_dup:
+ case __NR_dup2:
+ case __NR_dup3:
+#if defined(__x86_64__) || defined(__arm__)
+ case __NR_shutdown:
+#endif
+ return true;
+ case __NR_fcntl:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_fcntl64:
+#endif
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsKernelInternalApi(int sysno) {
+ switch (sysno) {
+ case __NR_restart_syscall:
+#if defined(__arm__)
+ case __ARM_NR_cmpxchg:
+#endif
+ return true;
+ default:
+ return false;
+ }
+}
+
+// This should be thought through in conjunction with IsFutex().
+bool SyscallSets::IsAllowedProcessStartOrDeath(int sysno) {
+ switch (sysno) {
+ case __NR_clone: // TODO(jln): restrict flags.
+ case __NR_exit:
+ case __NR_exit_group:
+ case __NR_wait4:
+ case __NR_waitid:
+#if defined(__i386__)
+ case __NR_waitpid:
+#endif
+ return true;
+ case __NR_setns: // Privileged.
+ case __NR_fork:
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_get_thread_area:
+ case __NR_set_thread_area:
+#endif
+ case __NR_set_tid_address:
+ case __NR_unshare:
+ case __NR_vfork:
+ default:
+ return false;
+ }
+}
+
+// It's difficult to restrict those, but there is attack surface here.
+bool SyscallSets::IsFutex(int sysno) {
+ switch (sysno) {
+ case __NR_futex:
+ case __NR_get_robust_list:
+ case __NR_set_robust_list:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsAllowedEpoll(int sysno) {
+ switch (sysno) {
+ case __NR_epoll_create:
+ case __NR_epoll_create1:
+ case __NR_epoll_ctl:
+ case __NR_epoll_wait:
+ return true;
+ default:
+#if defined(__x86_64__)
+ case __NR_epoll_ctl_old:
+#endif
+ case __NR_epoll_pwait:
+#if defined(__x86_64__)
+ case __NR_epoll_wait_old:
+#endif
+ return false;
+ }
+}
+
+bool SyscallSets::IsAllowedGetOrModifySocket(int sysno) {
+ switch (sysno) {
+ case __NR_pipe:
+ case __NR_pipe2:
+ return true;
+ default:
+#if defined(__x86_64__) || defined(__arm__)
+ case __NR_socketpair: // We will want to inspect its argument.
+#endif
+ return false;
+ }
+}
+
+bool SyscallSets::IsDeniedGetOrModifySocket(int sysno) {
+ switch (sysno) {
+#if defined(__x86_64__) || defined(__arm__)
+ case __NR_accept:
+ case __NR_accept4:
+ case __NR_bind:
+ case __NR_connect:
+ case __NR_socket:
+ case __NR_listen:
+ return true;
+#endif
+ default:
+ return false;
+ }
+}
+
+#if defined(__i386__)
+// Big multiplexing system call for sockets.
+bool SyscallSets::IsSocketCall(int sysno) {
+ switch (sysno) {
+ case __NR_socketcall:
+ return true;
+ default:
+ return false;
+ }
+}
+#endif
+
+#if defined(__x86_64__) || defined(__arm__)
+bool SyscallSets::IsNetworkSocketInformation(int sysno) {
+ switch (sysno) {
+ case __NR_getpeername:
+ case __NR_getsockname:
+ case __NR_getsockopt:
+ case __NR_setsockopt:
+ return true;
+ default:
+ return false;
+ }
+}
+#endif
+
+bool SyscallSets::IsAllowedAddressSpaceAccess(int sysno) {
+ switch (sysno) {
+ case __NR_brk:
+ case __NR_mlock:
+ case __NR_munlock:
+ case __NR_munmap:
+ return true;
+ case __NR_madvise:
+ case __NR_mincore:
+ case __NR_mlockall:
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_mmap:
+#endif
+#if defined(__i386__) || defined(__arm__)
+ case __NR_mmap2:
+#endif
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_modify_ldt:
+#endif
+ case __NR_mprotect:
+ case __NR_mremap:
+ case __NR_msync:
+ case __NR_munlockall:
+ case __NR_readahead:
+ case __NR_remap_file_pages:
+#if defined(__i386__)
+ case __NR_vm86:
+ case __NR_vm86old:
+#endif
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsAllowedGeneralIo(int sysno) {
+ switch (sysno) {
+ case __NR_lseek:
+#if defined(__i386__) || defined(__arm__)
+ case __NR__llseek:
+#endif
+ case __NR_poll:
+ case __NR_ppoll:
+ case __NR_pselect6:
+ case __NR_read:
+ case __NR_readv:
+#if defined(__arm__)
+ case __NR_recv:
+#endif
+#if defined(__x86_64__) || defined(__arm__)
+ case __NR_recvfrom: // Could specify source.
+ case __NR_recvmsg: // Could specify source.
+#endif
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_select:
+#endif
+#if defined(__i386__) || defined(__arm__)
+ case __NR__newselect:
+#endif
+#if defined(__arm__)
+ case __NR_send:
+#endif
+#if defined(__x86_64__) || defined(__arm__)
+ case __NR_sendmsg: // Could specify destination.
+ case __NR_sendto: // Could specify destination.
+#endif
+ case __NR_write:
+ case __NR_writev:
+ return true;
+ case __NR_ioctl: // Can be very powerful.
+ case __NR_pread64:
+ case __NR_preadv:
+ case __NR_pwrite64:
+ case __NR_pwritev:
+ case __NR_recvmmsg: // Could specify source.
+ case __NR_sendfile:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_sendfile64:
+#endif
+ case __NR_sendmmsg: // Could specify destination.
+ case __NR_splice:
+ case __NR_tee:
+ case __NR_vmsplice:
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsAllowedPrctl(int sysno) {
+ switch (sysno) {
+ case __NR_prctl:
+ return true;
+ default:
+#if defined(__x86_64__)
+ case __NR_arch_prctl:
+#endif
+ return false;
+ }
+}
+
+bool SyscallSets::IsAllowedBasicScheduler(int sysno) {
+ switch (sysno) {
+ case __NR_sched_yield:
+ case __NR_pause:
+ case __NR_nanosleep:
+ return true;
+ case __NR_getpriority:
+#if defined(__i386__) || defined(__arm__)
+ case __NR_nice:
+#endif
+ case __NR_setpriority:
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsAdminOperation(int sysno) {
+ switch (sysno) {
+#if defined(__i386__) || defined(__arm__)
+ case __NR_bdflush:
+#endif
+ case __NR_kexec_load:
+ case __NR_reboot:
+ case __NR_setdomainname:
+ case __NR_sethostname:
+ case __NR_syslog:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsKernelModule(int sysno) {
+ switch (sysno) {
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_create_module:
+ case __NR_get_kernel_syms: // Should ENOSYS.
+ case __NR_query_module:
+#endif
+ case __NR_delete_module:
+ case __NR_init_module:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsGlobalFSViewChange(int sysno) {
+ switch (sysno) {
+ case __NR_pivot_root:
+ case __NR_chroot:
+ case __NR_sync:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsFsControl(int sysno) {
+ switch (sysno) {
+ case __NR_mount:
+ case __NR_nfsservctl:
+ case __NR_quotactl:
+ case __NR_swapoff:
+ case __NR_swapon:
+#if defined(__i386__)
+ case __NR_umount:
+#endif
+ case __NR_umount2:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsNuma(int sysno) {
+ switch (sysno) {
+ case __NR_get_mempolicy:
+ case __NR_getcpu:
+ case __NR_mbind:
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_migrate_pages:
+#endif
+ case __NR_move_pages:
+ case __NR_set_mempolicy:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsMessageQueue(int sysno) {
+ switch (sysno) {
+ case __NR_mq_getsetattr:
+ case __NR_mq_notify:
+ case __NR_mq_open:
+ case __NR_mq_timedreceive:
+ case __NR_mq_timedsend:
+ case __NR_mq_unlink:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsGlobalProcessEnvironment(int sysno) {
+ switch (sysno) {
+ case __NR_acct: // Privileged.
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_getrlimit:
+#endif
+#if defined(__i386__) || defined(__arm__)
+ case __NR_ugetrlimit:
+#endif
+#if defined(__i386__)
+ case __NR_ulimit:
+#endif
+ case __NR_getrusage:
+ case __NR_personality: // Can change its personality as well.
+ case __NR_prlimit64: // Like setrlimit / getrlimit.
+ case __NR_setrlimit:
+ case __NR_times:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsDebug(int sysno) {
+ switch (sysno) {
+ case __NR_ptrace:
+ case __NR_process_vm_readv:
+ case __NR_process_vm_writev:
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_kcmp:
+#endif
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsGlobalSystemStatus(int sysno) {
+ switch (sysno) {
+ case __NR__sysctl:
+ case __NR_sysfs:
+ case __NR_sysinfo:
+ case __NR_uname:
+#if defined(__i386__)
+ case __NR_olduname:
+ case __NR_oldolduname:
+#endif
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsEventFd(int sysno) {
+ switch (sysno) {
+ case __NR_eventfd:
+ case __NR_eventfd2:
+ return true;
+ default:
+ return false;
+ }
+}
+
+// Asynchronous I/O API.
+bool SyscallSets::IsAsyncIo(int sysno) {
+ switch (sysno) {
+ case __NR_io_cancel:
+ case __NR_io_destroy:
+ case __NR_io_getevents:
+ case __NR_io_setup:
+ case __NR_io_submit:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsKeyManagement(int sysno) {
+ switch (sysno) {
+ case __NR_add_key:
+ case __NR_keyctl:
+ case __NR_request_key:
+ return true;
+ default:
+ return false;
+ }
+}
+
+#if defined(__x86_64__) || defined(__arm__)
+bool SyscallSets::IsSystemVSemaphores(int sysno) {
+ switch (sysno) {
+ case __NR_semctl:
+ case __NR_semget:
+ case __NR_semop:
+ case __NR_semtimedop:
+ return true;
+ default:
+ return false;
+ }
+}
+#endif
+
+#if defined(__x86_64__) || defined(__arm__)
+// These give a lot of ambient authority and bypass the setuid sandbox.
+bool SyscallSets::IsSystemVSharedMemory(int sysno) {
+ switch (sysno) {
+ case __NR_shmat:
+ case __NR_shmctl:
+ case __NR_shmdt:
+ case __NR_shmget:
+ return true;
+ default:
+ return false;
+ }
+}
+#endif
+
+#if defined(__x86_64__) || defined(__arm__)
+bool SyscallSets::IsSystemVMessageQueue(int sysno) {
+ switch (sysno) {
+ case __NR_msgctl:
+ case __NR_msgget:
+ case __NR_msgrcv:
+ case __NR_msgsnd:
+ return true;
+ default:
+ return false;
+ }
+}
+#endif
+
+#if defined(__i386__)
+// Big system V multiplexing system call.
+bool SyscallSets::IsSystemVIpc(int sysno) {
+ switch (sysno) {
+ case __NR_ipc:
+ return true;
+ default:
+ return false;
+ }
+}
+#endif
+
+bool SyscallSets::IsAnySystemV(int sysno) {
+#if defined(__x86_64__) || defined(__arm__)
+ return IsSystemVMessageQueue(sysno) || IsSystemVSemaphores(sysno) ||
+ IsSystemVSharedMemory(sysno);
+#elif defined(__i386__)
+ return IsSystemVIpc(sysno);
+#endif
+}
+
+bool SyscallSets::IsAdvancedScheduler(int sysno) {
+ switch (sysno) {
+ case __NR_ioprio_get: // IO scheduler.
+ case __NR_ioprio_set:
+ case __NR_sched_get_priority_max:
+ case __NR_sched_get_priority_min:
+ case __NR_sched_getaffinity:
+ case __NR_sched_getparam:
+ case __NR_sched_getscheduler:
+ case __NR_sched_rr_get_interval:
+ case __NR_sched_setaffinity:
+ case __NR_sched_setparam:
+ case __NR_sched_setscheduler:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsInotify(int sysno) {
+ switch (sysno) {
+ case __NR_inotify_add_watch:
+ case __NR_inotify_init:
+ case __NR_inotify_init1:
+ case __NR_inotify_rm_watch:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsFaNotify(int sysno) {
+ switch (sysno) {
+ case __NR_fanotify_init:
+ case __NR_fanotify_mark:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsTimer(int sysno) {
+ switch (sysno) {
+ case __NR_getitimer:
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_alarm:
+#endif
+ case __NR_setitimer:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsAdvancedTimer(int sysno) {
+ switch (sysno) {
+ case __NR_timer_create:
+ case __NR_timer_delete:
+ case __NR_timer_getoverrun:
+ case __NR_timer_gettime:
+ case __NR_timer_settime:
+ case __NR_timerfd_create:
+ case __NR_timerfd_gettime:
+ case __NR_timerfd_settime:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsExtendedAttributes(int sysno) {
+ switch (sysno) {
+ case __NR_fgetxattr:
+ case __NR_flistxattr:
+ case __NR_fremovexattr:
+ case __NR_fsetxattr:
+ case __NR_getxattr:
+ case __NR_lgetxattr:
+ case __NR_listxattr:
+ case __NR_llistxattr:
+ case __NR_lremovexattr:
+ case __NR_lsetxattr:
+ case __NR_removexattr:
+ case __NR_setxattr:
+ return true;
+ default:
+ return false;
+ }
+}
+
+// Various system calls that need to be researched.
+// TODO(jln): classify this better.
+bool SyscallSets::IsMisc(int sysno) {
+ switch (sysno) {
+ case __NR_name_to_handle_at:
+ case __NR_open_by_handle_at:
+ case __NR_perf_event_open:
+ case __NR_syncfs:
+ case __NR_vhangup:
+// The system calls below are not implemented.
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_afs_syscall:
+#endif
+#if defined(__i386__)
+ case __NR_break:
+#endif
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_getpmsg:
+#endif
+#if defined(__i386__)
+ case __NR_gtty:
+ case __NR_idle:
+ case __NR_lock:
+ case __NR_mpx:
+ case __NR_prof:
+ case __NR_profil:
+#endif
+#if defined(__i386__) || defined(__x86_64__)
+ case __NR_putpmsg:
+#endif
+#if defined(__x86_64__)
+ case __NR_security:
+#endif
+#if defined(__i386__)
+ case __NR_stty:
+#endif
+#if defined(__x86_64__)
+ case __NR_tuxcall:
+#endif
+ case __NR_vserver:
+ return true;
+ default:
+ return false;
+ }
+}
+
+#if defined(__arm__)
+bool SyscallSets::IsArmPciConfig(int sysno) {
+ switch (sysno) {
+ case __NR_pciconfig_iobase:
+ case __NR_pciconfig_read:
+ case __NR_pciconfig_write:
+ return true;
+ default:
+ return false;
+ }
+}
+
+bool SyscallSets::IsArmPrivate(int sysno) {
+ switch (sysno) {
+ case __ARM_NR_breakpoint:
+ case __ARM_NR_cacheflush:
+ case __ARM_NR_set_tls:
+ case __ARM_NR_usr26:
+ case __ARM_NR_usr32:
+ return true;
+ default:
+ return false;
+ }
+}
+#endif // defined(__arm__)
+
+} // namespace sandbox.
diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
new file mode 100644
index 0000000..d2cf1a1
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf-helpers/syscall_sets.h
@@ -0,0 +1,105 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_
+#define SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_
+
+#include "base/basictypes.h"
+#include "build/build_config.h"
+
+// These are helpers to build seccomp-bpf policies, i.e. policies for a
+// sandbox that reduces the Linux kernel's attack surface. Given their
+// nature, they don't have any clear semantics and are completely
+// "implementation-defined".
+
+namespace sandbox {
+
+class SyscallSets {
+ public:
+ static bool IsKill(int sysno);
+ static bool IsAllowedGettime(int sysno);
+ static bool IsCurrentDirectory(int sysno);
+ static bool IsUmask(int sysno);
+ // System calls that directly access the file system. They might acquire
+ // a new file descriptor or otherwise perform an operation directly
+ // via a path.
+ static bool IsFileSystem(int sysno);
+ static bool IsAllowedFileSystemAccessViaFd(int sysno);
+ static bool IsDeniedFileSystemAccessViaFd(int sysno);
+ static bool IsGetSimpleId(int sysno);
+ static bool IsProcessPrivilegeChange(int sysno);
+ static bool IsProcessGroupOrSession(int sysno);
+ static bool IsAllowedSignalHandling(int sysno);
+ static bool IsAllowedOperationOnFd(int sysno);
+ static bool IsKernelInternalApi(int sysno);
+ // This should be thought through in conjunction with IsFutex().
+ static bool IsAllowedProcessStartOrDeath(int sysno);
+ // It's difficult to restrict those, but there is attack surface here.
+ static bool IsFutex(int sysno);
+ static bool IsAllowedEpoll(int sysno);
+ static bool IsAllowedGetOrModifySocket(int sysno);
+ static bool IsDeniedGetOrModifySocket(int sysno);
+
+#if defined(__i386__)
+ // Big multiplexing system call for sockets.
+ static bool IsSocketCall(int sysno);
+#endif
+
+#if defined(__x86_64__) || defined(__arm__)
+ static bool IsNetworkSocketInformation(int sysno);
+#endif
+
+ static bool IsAllowedAddressSpaceAccess(int sysno);
+ static bool IsAllowedGeneralIo(int sysno);
+ static bool IsAllowedPrctl(int sysno);
+ static bool IsAllowedBasicScheduler(int sysno);
+ static bool IsAdminOperation(int sysno);
+ static bool IsKernelModule(int sysno);
+ static bool IsGlobalFSViewChange(int sysno);
+ static bool IsFsControl(int sysno);
+ static bool IsNuma(int sysno);
+ static bool IsMessageQueue(int sysno);
+ static bool IsGlobalProcessEnvironment(int sysno);
+ static bool IsDebug(int sysno);
+ static bool IsGlobalSystemStatus(int sysno);
+ static bool IsEventFd(int sysno);
+ // Asynchronous I/O API.
+ static bool IsAsyncIo(int sysno);
+ static bool IsKeyManagement(int sysno);
+#if defined(__x86_64__) || defined(__arm__)
+ static bool IsSystemVSemaphores(int sysno);
+#endif
+#if defined(__x86_64__) || defined(__arm__)
+ // These give a lot of ambient authority and bypass the setuid sandbox.
+ static bool IsSystemVSharedMemory(int sysno);
+#endif
+
+#if defined(__x86_64__) || defined(__arm__)
+ static bool IsSystemVMessageQueue(int sysno);
+#endif
+
+#if defined(__i386__)
+ // Big system V multiplexing system call.
+ static bool IsSystemVIpc(int sysno);
+#endif
+
+ static bool IsAnySystemV(int sysno);
+ static bool IsAdvancedScheduler(int sysno);
+ static bool IsInotify(int sysno);
+ static bool IsFaNotify(int sysno);
+ static bool IsTimer(int sysno);
+ static bool IsAdvancedTimer(int sysno);
+ static bool IsExtendedAttributes(int sysno);
+ static bool IsMisc(int sysno);
+#if defined(__arm__)
+ static bool IsArmPciConfig(int sysno);
+ static bool IsArmPrivate(int sysno);
+#endif // defined(__arm__)
+ private:
+ DISALLOW_IMPLICIT_CONSTRUCTORS(SyscallSets);
+};
+
+} // namespace sandbox.
+
+#endif // SANDBOX_LINUX_SECCOMP_BPF_HELPERS_SYSCALL_SETS_H_
diff --git a/sandbox/linux/seccomp-bpf/basicblock.cc b/sandbox/linux/seccomp-bpf/basicblock.cc
index 58d27b2..eb857f0 100644
--- a/sandbox/linux/seccomp-bpf/basicblock.cc
+++ b/sandbox/linux/seccomp-bpf/basicblock.cc
@@ -4,10 +4,10 @@
#include "sandbox/linux/seccomp-bpf/basicblock.h"
-namespace playground2 {
+namespace sandbox {
BasicBlock::BasicBlock() {}
BasicBlock::~BasicBlock() {}
-} // namespace
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/basicblock.h b/sandbox/linux/seccomp-bpf/basicblock.h
index a116f41..d15a372 100644
--- a/sandbox/linux/seccomp-bpf/basicblock.h
+++ b/sandbox/linux/seccomp-bpf/basicblock.h
@@ -9,7 +9,7 @@
#include "sandbox/linux/seccomp-bpf/instruction.h"
-namespace playground2 {
+namespace sandbox {
struct BasicBlock {
BasicBlock();
@@ -44,6 +44,6 @@
int offset;
};
-} // namespace playground2
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_BASICBLOCK_H__
diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h
index 13ccf7d..7095c23 100644
--- a/sandbox/linux/seccomp-bpf/bpf_tests.h
+++ b/sandbox/linux/seccomp-bpf/bpf_tests.h
@@ -21,13 +21,13 @@
// A BPF_DEATH_TEST is always disabled under ThreadSanitizer, see
// crbug.com/243968.
#define BPF_DEATH_TEST(test_case_name, test_name, death, policy, aux...) \
- void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX); \
+ void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX); \
TEST(test_case_name, DISABLE_ON_TSAN(test_name)) { \
- sandbox::BpfTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy); \
- sandbox::BpfTests<aux>::RunTestInProcess( \
- sandbox::BpfTests<aux>::TestWrapper, &arg, death); \
+ sandbox::BPFTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy); \
+ sandbox::BPFTests<aux>::RunTestInProcess( \
+ sandbox::BPFTests<aux>::TestWrapper, &arg, death); \
} \
- void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX)
+ void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX)
// BPF_TEST() is a special version of SANDBOX_TEST(). It turns into a no-op,
// if the host does not have kernel support for running BPF filters.
@@ -37,7 +37,7 @@
// BPF_TEST() takes a C++ data type as an optional fourth parameter. If
// present, this sets up a variable that can be accessed as "BPF_AUX". This
// variable will be passed as an argument to the "policy" function. Policies
-// would typically use it as an argument to Sandbox::Trap(), if they want to
+// would typically use it as an argument to SandboxBPF::Trap(), if they want to
// communicate data between the BPF_TEST() and a Trap() function.
#define BPF_TEST(test_case_name, test_name, policy, aux...) \
BPF_DEATH_TEST(test_case_name, test_name, DEATH_SUCCESS(), policy, aux)
@@ -49,42 +49,42 @@
// the caller doesn't provide any type, all the BPF_AUX related data compiles
// to nothing.
template <class Aux = int[0]>
-class BpfTests : public UnitTests {
+class BPFTests : public UnitTests {
public:
typedef Aux AuxType;
class TestArgs {
public:
- TestArgs(void (*t)(AuxType&), playground2::Sandbox::EvaluateSyscall p)
+ TestArgs(void (*t)(AuxType&), sandbox::SandboxBPF::EvaluateSyscall p)
: test_(t), policy_(p), aux_() {}
void (*test() const)(AuxType&) { return test_; }
- playground2::Sandbox::EvaluateSyscall policy() const { return policy_; }
+ sandbox::SandboxBPF::EvaluateSyscall policy() const { return policy_; }
private:
- friend class BpfTests;
+ friend class BPFTests;
void (*test_)(AuxType&);
- playground2::Sandbox::EvaluateSyscall policy_;
+ sandbox::SandboxBPF::EvaluateSyscall policy_;
AuxType aux_;
};
static void TestWrapper(void* void_arg) {
TestArgs* arg = reinterpret_cast<TestArgs*>(void_arg);
- playground2::Die::EnableSimpleExit();
- if (playground2::Sandbox::SupportsSeccompSandbox(-1) ==
- playground2::Sandbox::STATUS_AVAILABLE) {
+ sandbox::Die::EnableSimpleExit();
+ if (sandbox::SandboxBPF::SupportsSeccompSandbox(-1) ==
+ sandbox::SandboxBPF::STATUS_AVAILABLE) {
// Ensure the the sandbox is actually available at this time
int proc_fd;
BPF_ASSERT((proc_fd = open("/proc", O_RDONLY | O_DIRECTORY)) >= 0);
- BPF_ASSERT(playground2::Sandbox::SupportsSeccompSandbox(proc_fd) ==
- playground2::Sandbox::STATUS_AVAILABLE);
+ BPF_ASSERT(sandbox::SandboxBPF::SupportsSeccompSandbox(proc_fd) ==
+ sandbox::SandboxBPF::STATUS_AVAILABLE);
// Initialize and then start the sandbox with our custom policy
- playground2::Sandbox sandbox;
+ sandbox::SandboxBPF sandbox;
sandbox.set_proc_fd(proc_fd);
sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
- sandbox.Sandbox::StartSandbox();
+ sandbox.SandboxBPF::StartSandbox();
arg->test()(arg->aux_);
} else {
@@ -98,9 +98,9 @@
}
// Call the compiler and verify the policy. That's the least we can do,
// if we don't have kernel support.
- playground2::Sandbox sandbox;
+ sandbox::SandboxBPF sandbox;
sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
- playground2::Sandbox::Program* program =
+ sandbox::SandboxBPF::Program* program =
sandbox.AssembleFilter(true /* force_verification */);
delete program;
sandbox::UnitTests::IgnoreThisTest();
@@ -108,9 +108,9 @@
}
private:
- DISALLOW_IMPLICIT_CONSTRUCTORS(BpfTests);
+ DISALLOW_IMPLICIT_CONSTRUCTORS(BPFTests);
};
-} // namespace
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__
diff --git a/sandbox/linux/seccomp-bpf/codegen.cc b/sandbox/linux/seccomp-bpf/codegen.cc
index 77df612..8fb1701 100644
--- a/sandbox/linux/seccomp-bpf/codegen.cc
+++ b/sandbox/linux/seccomp-bpf/codegen.cc
@@ -9,8 +9,8 @@
namespace {
// Helper function for Traverse().
-void TraverseRecursively(std::set<playground2::Instruction*>* visited,
- playground2::Instruction* instruction) {
+void TraverseRecursively(std::set<sandbox::Instruction*>* visited,
+ sandbox::Instruction* instruction) {
if (visited->find(instruction) == visited->end()) {
visited->insert(instruction);
switch (BPF_CLASS(instruction->code)) {
@@ -31,7 +31,7 @@
} // namespace
-namespace playground2 {
+namespace sandbox {
CodeGen::CodeGen() : compiled_(false) {}
@@ -48,8 +48,8 @@
}
}
-void CodeGen::PrintProgram(const Sandbox::Program& program) {
- for (Sandbox::Program::const_iterator iter = program.begin();
+void CodeGen::PrintProgram(const SandboxBPF::Program& program) {
+ for (SandboxBPF::Program::const_iterator iter = program.begin();
iter != program.end();
++iter) {
int ip = (int)(iter - program.begin());
@@ -706,7 +706,7 @@
}
void CodeGen::ConcatenateBasicBlocks(const BasicBlocks& basic_blocks,
- Sandbox::Program* program) {
+ SandboxBPF::Program* program) {
// Our basic blocks have been sorted and relative jump offsets have been
// computed. The last remaining step is for all the instructions in our
// basic blocks to be concatenated into a BPF program.
@@ -726,7 +726,7 @@
return;
}
-void CodeGen::Compile(Instruction* instructions, Sandbox::Program* program) {
+void CodeGen::Compile(Instruction* instructions, SandboxBPF::Program* program) {
if (compiled_) {
SANDBOX_DIE(
"Cannot call Compile() multiple times. Create a new code "
@@ -747,4 +747,4 @@
return;
}
-} // namespace
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/codegen.h b/sandbox/linux/seccomp-bpf/codegen.h
index 6ef7603..2745e51 100644
--- a/sandbox/linux/seccomp-bpf/codegen.h
+++ b/sandbox/linux/seccomp-bpf/codegen.h
@@ -13,7 +13,7 @@
#include "sandbox/linux/seccomp-bpf/instruction.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-namespace playground2 {
+namespace sandbox {
typedef std::vector<Instruction*> Instructions;
typedef std::vector<BasicBlock*> BasicBlocks;
@@ -28,7 +28,7 @@
//
// Callers would typically create a new CodeGen object and then use it to
// build a DAG of Instructions. They'll eventually call Compile() to convert
-// this DAG to a Sandbox::Program.
+// this DAG to a SandboxBPF::Program.
//
// Instructions can be chained at the time when they are created, or they
// can be joined later by calling JoinInstructions().
@@ -46,7 +46,7 @@
//
// // Simplified code follows; in practice, it is important to avoid calling
// // any C++ destructors after starting the sandbox.
-// Sandbox::Program program;
+// SandboxBPF::Program program;
// gen.Compile(dag, program);
// const struct sock_fprog prog = {
// static_cast<unsigned short>(program->size()), &program[0] };
@@ -59,7 +59,7 @@
// This is a helper method that can be used for debugging purposes. It is
// not normally called.
- static void PrintProgram(const Sandbox::Program& program);
+ static void PrintProgram(const SandboxBPF::Program& program);
// Create a new instruction. Instructions form a DAG. The instruction objects
// are owned by the CodeGen object. They do not need to be explicitly
@@ -90,7 +90,7 @@
// Compiles the graph of instructions into a BPF program that can be passed
// to the kernel. Please note that this function modifies the graph in place
// and must therefore only be called once per graph.
- void Compile(Instruction* instructions, Sandbox::Program* program);
+ void Compile(Instruction* instructions, SandboxBPF::Program* program);
private:
friend class CodeGenUnittestHelper;
@@ -140,7 +140,7 @@
// Concatenate instructions from all basic blocks into a BPF program that
// can be passed to the kernel.
- void ConcatenateBasicBlocks(const BasicBlocks&, Sandbox::Program* program);
+ void ConcatenateBasicBlocks(const BasicBlocks&, SandboxBPF::Program* program);
// We stick all instructions and basic blocks into pools that get destroyed
// when the CodeGen object is destroyed. This way, we neither need to worry
@@ -154,6 +154,6 @@
bool compiled_;
};
-} // namespace
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_CODEGEN_H__
diff --git a/sandbox/linux/seccomp-bpf/codegen_unittest.cc b/sandbox/linux/seccomp-bpf/codegen_unittest.cc
index ccc5656..0539a0d 100644
--- a/sandbox/linux/seccomp-bpf/codegen_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/codegen_unittest.cc
@@ -12,11 +12,11 @@
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/tests/unit_tests.h"
-namespace playground2 {
+namespace sandbox {
-class SandboxUnittestHelper : public Sandbox {
+class SandboxUnittestHelper : public SandboxBPF {
public:
- typedef Sandbox::Program Program;
+ typedef SandboxBPF::Program Program;
};
// We want to access some of the private methods in the code generator. We
@@ -444,4 +444,4 @@
ForAllPrograms(CompileAndCompare);
}
-} // namespace playground2
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/demo.cc b/sandbox/linux/seccomp-bpf/demo.cc
index 48df073..1418018 100644
--- a/sandbox/linux/seccomp-bpf/demo.cc
+++ b/sandbox/linux/seccomp-bpf/demo.cc
@@ -30,9 +30,9 @@
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/services/linux_syscalls.h"
-using playground2::arch_seccomp_data;
-using playground2::ErrorCode;
-using playground2::Sandbox;
+using sandbox::ErrorCode;
+using sandbox::SandboxBPF;
+using sandbox::arch_seccomp_data;
#define ERR EPERM
@@ -237,7 +237,7 @@
return -ERR;
}
-ErrorCode Evaluator(Sandbox *sandbox, int sysno, void *) {
+ErrorCode Evaluator(SandboxBPF* sandbox, int sysno, void *) {
switch (sysno) {
#if defined(__NR_accept)
case __NR_accept: case __NR_accept4:
@@ -413,12 +413,12 @@
if (argc) { }
if (argv) { }
int proc_fd = open("/proc", O_RDONLY|O_DIRECTORY);
- if (Sandbox::SupportsSeccompSandbox(proc_fd) !=
- Sandbox::STATUS_AVAILABLE) {
+ if (SandboxBPF::SupportsSeccompSandbox(proc_fd) !=
+ SandboxBPF::STATUS_AVAILABLE) {
perror("sandbox");
_exit(1);
}
- Sandbox sandbox;
+ SandboxBPF sandbox;
sandbox.set_proc_fd(proc_fd);
sandbox.SetSandboxPolicyDeprecated(Evaluator, NULL);
sandbox.StartSandbox();
diff --git a/sandbox/linux/seccomp-bpf/die.cc b/sandbox/linux/seccomp-bpf/die.cc
index 594740c..533e2e9 100644
--- a/sandbox/linux/seccomp-bpf/die.cc
+++ b/sandbox/linux/seccomp-bpf/die.cc
@@ -14,7 +14,7 @@
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/seccomp-bpf/syscall.h"
-namespace playground2 {
+namespace sandbox {
void Die::ExitGroup() {
// exit_group() should exit our program. After all, it is defined as a
@@ -82,4 +82,4 @@
bool Die::simple_exit_ = false;
bool Die::suppress_info_ = false;
-} // namespace
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/die.h b/sandbox/linux/seccomp-bpf/die.h
index 2ed3f07..5dcfda0 100644
--- a/sandbox/linux/seccomp-bpf/die.h
+++ b/sandbox/linux/seccomp-bpf/die.h
@@ -7,18 +7,18 @@
#include "base/basictypes.h"
-namespace playground2 {
+namespace sandbox {
// This is the main API for using this file. Prints a error message and
// exits with a fatal error. This is not async-signal safe.
-#define SANDBOX_DIE(m) playground2::Die::SandboxDie(m, __FILE__, __LINE__)
+#define SANDBOX_DIE(m) sandbox::Die::SandboxDie(m, __FILE__, __LINE__)
// An async signal safe version of the same API. Won't print the filename
// and line numbers.
-#define RAW_SANDBOX_DIE(m) playground2::Die::RawSandboxDie(m)
+#define RAW_SANDBOX_DIE(m) sandbox::Die::RawSandboxDie(m)
// Adds an informational message to the log file or stderr as appropriate.
-#define SANDBOX_INFO(m) playground2::Die::SandboxInfo(m, __FILE__, __LINE__)
+#define SANDBOX_INFO(m) sandbox::Die::SandboxInfo(m, __FILE__, __LINE__)
class Die {
public:
@@ -62,6 +62,6 @@
DISALLOW_IMPLICIT_CONSTRUCTORS(Die);
};
-} // namespace
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_DIE_H__
diff --git a/sandbox/linux/seccomp-bpf/errorcode.cc b/sandbox/linux/seccomp-bpf/errorcode.cc
index e517d38..6484852 100644
--- a/sandbox/linux/seccomp-bpf/errorcode.cc
+++ b/sandbox/linux/seccomp-bpf/errorcode.cc
@@ -5,7 +5,7 @@
#include "sandbox/linux/seccomp-bpf/die.h"
#include "sandbox/linux/seccomp-bpf/errorcode.h"
-namespace playground2 {
+namespace sandbox {
ErrorCode::ErrorCode(int err) {
switch (err) {
@@ -101,4 +101,4 @@
}
}
-} // namespace
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/errorcode.h b/sandbox/linux/seccomp-bpf/errorcode.h
index 182fadb..625d123 100644
--- a/sandbox/linux/seccomp-bpf/errorcode.h
+++ b/sandbox/linux/seccomp-bpf/errorcode.h
@@ -8,7 +8,7 @@
#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
#include "sandbox/linux/seccomp-bpf/trap.h"
-namespace playground2 {
+namespace sandbox {
struct arch_seccomp_data;
@@ -46,7 +46,7 @@
// access 64bit quantities. But policies are still advised to specify whether
// a system call expects a 32bit or a 64bit quantity.
enum ArgType {
- // When passed as an argument to Sandbox::Cond(), TP_32BIT requests that
+ // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that
// the conditional test should operate on the 32bit part of the system call
// argument.
// On 64bit architectures, this verifies that user space did not pass
@@ -64,7 +64,7 @@
// having been sign extended.
TP_32BIT,
- // When passed as an argument to Sandbox::Cond(), TP_64BIT requests that
+ // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that
// the conditional test should operate on the full 64bit argument. It is
// generally harmless to perform a 64bit test on 32bit systems, as the
// kernel will always see the top 32 bits of all arguments as zero'd out.
@@ -148,7 +148,7 @@
private:
friend class CodeGen;
- friend class Sandbox;
+ friend class SandboxBPF;
friend class Trap;
// If we are wrapping a callback, we must assign a unique id. This id is
@@ -192,6 +192,6 @@
uint32_t err_;
};
-} // namespace
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
diff --git a/sandbox/linux/seccomp-bpf/errorcode_unittest.cc b/sandbox/linux/seccomp-bpf/errorcode_unittest.cc
index 3748e51..ef04a5f 100644
--- a/sandbox/linux/seccomp-bpf/errorcode_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/errorcode_unittest.cc
@@ -7,7 +7,7 @@
#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
#include "sandbox/linux/tests/unit_tests.h"
-using namespace playground2;
+namespace sandbox {
namespace {
@@ -21,13 +21,13 @@
ErrorCode e2(EPERM);
SANDBOX_ASSERT(e2.err() == SECCOMP_RET_ERRNO + EPERM);
- Sandbox sandbox;
+ SandboxBPF sandbox;
ErrorCode e3 = sandbox.Trap(NULL, NULL);
SANDBOX_ASSERT((e3.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP);
}
SANDBOX_TEST(ErrorCode, Trap) {
- Sandbox sandbox;
+ SandboxBPF sandbox;
ErrorCode e0 = sandbox.Trap(NULL, "a");
ErrorCode e1 = sandbox.Trap(NULL, "b");
SANDBOX_ASSERT((e0.err() & SECCOMP_RET_DATA) + 1 ==
@@ -48,7 +48,7 @@
ErrorCode e3(EPERM);
SANDBOX_ASSERT(!e1.Equals(e3));
- Sandbox sandbox;
+ SandboxBPF sandbox;
ErrorCode e4 = sandbox.Trap(NULL, "a");
ErrorCode e5 = sandbox.Trap(NULL, "b");
ErrorCode e6 = sandbox.Trap(NULL, "a");
@@ -69,7 +69,7 @@
SANDBOX_ASSERT(!e1.LessThan(e3));
SANDBOX_ASSERT( e3.LessThan(e1));
- Sandbox sandbox;
+ SandboxBPF sandbox;
ErrorCode e4 = sandbox.Trap(NULL, "a");
ErrorCode e5 = sandbox.Trap(NULL, "b");
ErrorCode e6 = sandbox.Trap(NULL, "a");
@@ -81,3 +81,5 @@
}
} // namespace
+
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/instruction.h b/sandbox/linux/seccomp-bpf/instruction.h
index 8d35187..8567c8f 100644
--- a/sandbox/linux/seccomp-bpf/instruction.h
+++ b/sandbox/linux/seccomp-bpf/instruction.h
@@ -7,7 +7,7 @@
#include <stdint.h>
-namespace playground2 {
+namespace sandbox {
// The fields in this structure have the same meaning as the corresponding
// fields in "struct sock_filter". See <linux/filter.h> for a lot more
@@ -57,6 +57,6 @@
uint32_t k;
};
-} // namespace
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_INSTRUCTION_H__
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
index 3a4b678..6b2327e 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
@@ -30,7 +30,7 @@
#include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
#include "sandbox/linux/seccomp-bpf/verifier.h"
-namespace playground2 {
+namespace sandbox {
namespace {
@@ -56,8 +56,8 @@
// We define a really simple sandbox policy. It is just good enough for us
// to tell that the sandbox has actually been activated.
-ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) __attribute__((const));
-ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) {
+ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) __attribute__((const));
+ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) {
switch (sysnum) {
case __NR_getpid:
// Return EPERM so that we can check that the filter actually ran.
@@ -77,8 +77,8 @@
}
}
-ErrorCode AllowAllEvaluator(Sandbox*, int sysnum, void*) {
- if (!Sandbox::IsValidSyscallNumber(sysnum)) {
+ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysnum)) {
return ErrorCode(ENOSYS);
}
return ErrorCode(ErrorCode::ERR_ALLOWED);
@@ -104,9 +104,9 @@
struct stat sb;
int task = -1;
if ((task = openat(proc_fd, "self/task", O_RDONLY | O_DIRECTORY)) < 0 ||
- fstat(task, &sb) != 0 || sb.st_nlink != 3 || HANDLE_EINTR(close(task))) {
+ fstat(task, &sb) != 0 || sb.st_nlink != 3 || IGNORE_EINTR(close(task))) {
if (task >= 0) {
- if (HANDLE_EINTR(close(task))) {
+ if (IGNORE_EINTR(close(task))) {
}
}
return false;
@@ -162,7 +162,7 @@
// The performance penalty for this extra round-trip to user-space is not
// actually that bad, as we only ever pay it for denied system calls; and a
// typical program has very few of these.
- Sandbox* sandbox = static_cast<Sandbox*>(aux);
+ SandboxBPF* sandbox = static_cast<SandboxBPF*>(aux);
if (BPF_CLASS(insn->code) == BPF_RET &&
(insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
insn->k = sandbox->Trap(ReturnErrno,
@@ -174,15 +174,15 @@
// made by RedirectToUserspace(). This is part of the framework that allows BPF
// evaluation in userland.
// TODO(markus): document the code inside better.
-class RedirectToUserSpacePolicyWrapper : public SandboxBpfPolicy {
+class RedirectToUserSpacePolicyWrapper : public SandboxBPFPolicy {
public:
explicit RedirectToUserSpacePolicyWrapper(
- const SandboxBpfPolicy* wrapped_policy)
+ const SandboxBPFPolicy* wrapped_policy)
: wrapped_policy_(wrapped_policy) {
DCHECK(wrapped_policy_);
}
- virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+ virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
int system_call_number) const OVERRIDE {
ErrorCode err =
wrapped_policy_->EvaluateSyscall(sandbox_compiler, system_call_number);
@@ -194,42 +194,42 @@
}
private:
- const SandboxBpfPolicy* wrapped_policy_;
+ const SandboxBPFPolicy* wrapped_policy_;
DISALLOW_COPY_AND_ASSIGN(RedirectToUserSpacePolicyWrapper);
};
-intptr_t BpfFailure(const struct arch_seccomp_data&, void* aux) {
+intptr_t BPFFailure(const struct arch_seccomp_data&, void* aux) {
SANDBOX_DIE(static_cast<char*>(aux));
}
// This class allows compatibility with the old, deprecated SetSandboxPolicy.
-class CompatibilityPolicy : public SandboxBpfPolicy {
+class CompatibilityPolicy : public SandboxBPFPolicy {
public:
- CompatibilityPolicy(Sandbox::EvaluateSyscall syscall_evaluator, void* aux)
+ CompatibilityPolicy(SandboxBPF::EvaluateSyscall syscall_evaluator, void* aux)
: syscall_evaluator_(syscall_evaluator), aux_(aux) {
DCHECK(syscall_evaluator_);
}
- virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+ virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
int system_call_number) const OVERRIDE {
return syscall_evaluator_(sandbox_compiler, system_call_number, aux_);
}
private:
- Sandbox::EvaluateSyscall syscall_evaluator_;
+ SandboxBPF::EvaluateSyscall syscall_evaluator_;
void* aux_;
DISALLOW_COPY_AND_ASSIGN(CompatibilityPolicy);
};
} // namespace
-Sandbox::Sandbox()
+SandboxBPF::SandboxBPF()
: quiet_(false),
proc_fd_(-1),
conds_(new Conds),
sandbox_has_started_(false) {}
-Sandbox::~Sandbox() {
+SandboxBPF::~SandboxBPF() {
// It is generally unsafe to call any memory allocator operations or to even
// call arbitrary destructors after having installed a new policy. We just
// have no way to tell whether this policy would allow the system calls that
@@ -246,13 +246,13 @@
}
}
-bool Sandbox::IsValidSyscallNumber(int sysnum) {
+bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
return SyscallIterator::IsValid(sysnum);
}
-bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(),
- Sandbox::EvaluateSyscall syscall_evaluator,
- void* aux) {
+bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
+ EvaluateSyscall syscall_evaluator,
+ void* aux) {
// Block all signals before forking a child process. This prevents an
// attacker from manipulating our test by sending us an unexpected signal.
sigset_t old_mask, new_mask;
@@ -268,6 +268,10 @@
SANDBOX_DIE("Process started without standard file descriptors");
}
+ // This code is using fork() and should only ever run single-threaded.
+ // Most of the code below is "async-signal-safe" and only minor changes
+ // would be needed to support threads.
+ DCHECK(IsSingleThreaded(proc_fd_));
pid_t pid = fork();
if (pid < 0) {
// Die if we cannot fork(). We would probably fail a little later
@@ -287,7 +291,7 @@
Die::EnableSimpleExit();
errno = 0;
- if (HANDLE_EINTR(close(fds[0]))) {
+ if (IGNORE_EINTR(close(fds[0]))) {
// This call to close() has been failing in strange ways. See
// crbug.com/152530. So we only fail in debug mode now.
#if !defined(NDEBUG)
@@ -309,7 +313,7 @@
SANDBOX_DIE(NULL);
#endif
}
- if (HANDLE_EINTR(close(fds[1]))) {
+ if (IGNORE_EINTR(close(fds[1]))) {
// This call to close() has been failing in strange ways. See
// crbug.com/152530. So we only fail in debug mode now.
#if !defined(NDEBUG)
@@ -329,7 +333,7 @@
}
// In the parent process.
- if (HANDLE_EINTR(close(fds[1]))) {
+ if (IGNORE_EINTR(close(fds[1]))) {
SANDBOX_DIE("close() failed");
}
if (sigprocmask(SIG_SETMASK, &old_mask, NULL)) {
@@ -357,19 +361,19 @@
SANDBOX_DIE(buf);
}
}
- if (HANDLE_EINTR(close(fds[0]))) {
+ if (IGNORE_EINTR(close(fds[0]))) {
SANDBOX_DIE("close() failed");
}
return rc;
}
-bool Sandbox::KernelSupportSeccompBPF() {
+bool SandboxBPF::KernelSupportSeccompBPF() {
return RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) &&
RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0);
}
-Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) {
+SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
// It the sandbox is currently active, we clearly must have support for
// sandboxing.
if (status_ == STATUS_ENABLED) {
@@ -404,7 +408,7 @@
// We create our own private copy of a "Sandbox" object. This ensures that
// the object does not have any policies configured, that might interfere
// with the tests done by "KernelSupportSeccompBPF()".
- Sandbox sandbox;
+ SandboxBPF sandbox;
// By setting "quiet_ = true" we suppress messages for expected and benign
// failures (e.g. if the current kernel lacks support for BPF filters).
@@ -424,9 +428,9 @@
return status_;
}
-void Sandbox::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
+void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; }
-void Sandbox::StartSandbox() {
+void SandboxBPF::StartSandbox() {
if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) {
SANDBOX_DIE(
"Trying to start sandbox, even though it is known to be "
@@ -451,7 +455,7 @@
// before installing the filters, just in case that our policy denies
// close().
if (proc_fd_ >= 0) {
- if (HANDLE_EINTR(close(proc_fd_))) {
+ if (IGNORE_EINTR(close(proc_fd_))) {
SANDBOX_DIE("Failed to close file descriptor for /proc");
}
proc_fd_ = -1;
@@ -464,7 +468,7 @@
status_ = STATUS_ENABLED;
}
-void Sandbox::PolicySanityChecks(SandboxBpfPolicy* policy) {
+void SandboxBPF::PolicySanityChecks(SandboxBPFPolicy* policy) {
for (SyscallIterator iter(true); !iter.Done();) {
uint32_t sysnum = iter.Next();
if (!IsDenied(policy->EvaluateSyscall(this, sysnum))) {
@@ -477,8 +481,8 @@
}
// Deprecated API, supported with a wrapper to the new API.
-void Sandbox::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
- void* aux) {
+void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
+ void* aux) {
if (sandbox_has_started_ || !conds_) {
SANDBOX_DIE("Cannot change policy after sandbox has started");
}
@@ -486,7 +490,7 @@
}
// Don't take a scoped_ptr here, polymorphism make their use awkward.
-void Sandbox::SetSandboxPolicy(SandboxBpfPolicy* policy) {
+void SandboxBPF::SetSandboxPolicy(SandboxBPFPolicy* policy) {
DCHECK(!policy_);
if (sandbox_has_started_ || !conds_) {
SANDBOX_DIE("Cannot change policy after sandbox has started");
@@ -495,7 +499,7 @@
policy_.reset(policy);
}
-void Sandbox::InstallFilter() {
+void SandboxBPF::InstallFilter() {
// We want to be very careful in not imposing any requirements on the
// policies that are set with SetSandboxPolicy(). This means, as soon as
// the sandbox is active, we shouldn't be relying on libraries that could
@@ -536,7 +540,7 @@
return;
}
-Sandbox::Program* Sandbox::AssembleFilter(bool force_verification) {
+SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) {
#if !defined(NDEBUG)
force_verification = true;
#endif
@@ -709,7 +713,7 @@
return program;
}
-void Sandbox::VerifyProgram(const Program& program, bool has_unsafe_traps) {
+void SandboxBPF::VerifyProgram(const Program& program, bool has_unsafe_traps) {
// If we previously rewrote the BPF program so that it calls user-space
// whenever we return an "errno" value from the filter, then we have to
// wrap our system call evaluator to perform the same operation. Otherwise,
@@ -727,7 +731,7 @@
}
}
-void Sandbox::FindRanges(Ranges* ranges) {
+void SandboxBPF::FindRanges(Ranges* ranges) {
// Please note that "struct seccomp_data" defines system calls as a signed
// int32_t, but BPF instructions always operate on unsigned quantities. We
// deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
@@ -755,9 +759,9 @@
}
}
-Instruction* Sandbox::AssembleJumpTable(CodeGen* gen,
- Ranges::const_iterator start,
- Ranges::const_iterator stop) {
+Instruction* SandboxBPF::AssembleJumpTable(CodeGen* gen,
+ Ranges::const_iterator start,
+ Ranges::const_iterator stop) {
// We convert the list of system call ranges into jump table that performs
// a binary search over the ranges.
// As a sanity check, we need to have at least one distinct ranges for us
@@ -782,7 +786,7 @@
return gen->MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
}
-Instruction* Sandbox::RetExpression(CodeGen* gen, const ErrorCode& err) {
+Instruction* SandboxBPF::RetExpression(CodeGen* gen, const ErrorCode& err) {
if (err.error_type_ == ErrorCode::ET_COND) {
return CondExpression(gen, err);
} else {
@@ -790,7 +794,7 @@
}
}
-Instruction* Sandbox::CondExpression(CodeGen* gen, const ErrorCode& cond) {
+Instruction* SandboxBPF::CondExpression(CodeGen* gen, const ErrorCode& cond) {
// We can only inspect the six system call arguments that are passed in
// CPU registers.
if (cond.argno_ < 0 || cond.argno_ >= 6) {
@@ -973,19 +977,19 @@
return msb_head;
}
-ErrorCode Sandbox::Unexpected64bitArgument() {
+ErrorCode SandboxBPF::Unexpected64bitArgument() {
return Kill("Unexpected 64bit argument detected");
}
-ErrorCode Sandbox::Trap(Trap::TrapFnc fnc, const void* aux) {
+ErrorCode SandboxBPF::Trap(Trap::TrapFnc fnc, const void* aux) {
return Trap::MakeTrap(fnc, aux, true /* Safe Trap */);
}
-ErrorCode Sandbox::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) {
+ErrorCode SandboxBPF::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) {
return Trap::MakeTrap(fnc, aux, false /* Unsafe Trap */);
}
-intptr_t Sandbox::ForwardSyscall(const struct arch_seccomp_data& args) {
+intptr_t SandboxBPF::ForwardSyscall(const struct arch_seccomp_data& args) {
return SandboxSyscall(args.nr,
static_cast<intptr_t>(args.args[0]),
static_cast<intptr_t>(args.args[1]),
@@ -995,12 +999,12 @@
static_cast<intptr_t>(args.args[5]));
}
-ErrorCode Sandbox::Cond(int argno,
- ErrorCode::ArgType width,
- ErrorCode::Operation op,
- uint64_t value,
- const ErrorCode& passed,
- const ErrorCode& failed) {
+ErrorCode SandboxBPF::Cond(int argno,
+ ErrorCode::ArgType width,
+ ErrorCode::Operation op,
+ uint64_t value,
+ const ErrorCode& passed,
+ const ErrorCode& failed) {
return ErrorCode(argno,
width,
op,
@@ -1009,10 +1013,10 @@
&*conds_->insert(failed).first);
}
-ErrorCode Sandbox::Kill(const char* msg) {
- return Trap(BpfFailure, const_cast<char*>(msg));
+ErrorCode SandboxBPF::Kill(const char* msg) {
+ return Trap(BPFFailure, const_cast<char*>(msg));
}
-Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN;
+SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN;
-} // namespace playground2
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index dcb65bf..d626e4c 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -20,9 +20,8 @@
#include "sandbox/linux/seccomp-bpf/die.h"
#include "sandbox/linux/seccomp-bpf/errorcode.h"
#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy_forward.h"
-namespace playground2 {
+namespace sandbox {
struct arch_seccomp_data {
int nr;
@@ -38,11 +37,11 @@
};
class CodeGen;
+class SandboxBPFPolicy;
class SandboxUnittestHelper;
-class SandboxBpfPolicy;
struct Instruction;
-class Sandbox {
+class SandboxBPF {
public:
enum SandboxStatus {
STATUS_UNKNOWN, // Status prior to calling supportsSeccompSandbox()
@@ -52,16 +51,15 @@
STATUS_ENABLED // The sandbox is now active
};
- // BpfSandboxPolicy is the following type:
- // ErrorCode (Sandbox *sb, int sysnum, void *aux);
// When calling setSandboxPolicy(), the caller can provide an arbitrary
// pointer in |aux|. This pointer will then be forwarded to the sandbox
// policy each time a call is made through an EvaluateSyscall function
// pointer. One common use case would be to pass the "aux" pointer as an
// argument to Trap() functions.
- typedef BpfSandboxPolicy* EvaluateSyscall;
+ typedef ErrorCode (*EvaluateSyscall)(SandboxBPF* sandbox_compiler,
+ int system_call_number,
+ void* aux);
typedef std::vector<std::pair<EvaluateSyscall, void*> > Evaluators;
-
// A vector of BPF instructions that need to be installed as a filter
// program in the kernel.
typedef std::vector<struct sock_filter> Program;
@@ -76,8 +74,8 @@
// should be noted that during its lifetime, the object probably made
// irreversible state changes to the runtime environment. These changes
// stay in effect even after the destructor has been run.
- Sandbox();
- ~Sandbox();
+ SandboxBPF();
+ ~SandboxBPF();
// Checks whether a particular system call number is valid on the current
// architecture. E.g. on ARM there's a non-contiguous range of private
@@ -114,7 +112,7 @@
// Set the BPF policy as |policy|. Ownership of |policy| is transfered here
// to the sandbox object.
- void SetSandboxPolicy(SandboxBpfPolicy* policy);
+ void SetSandboxPolicy(SandboxBPFPolicy* policy);
// We can use ErrorCode to request calling of a trap handler. This method
// performs the required wrapping of the callback function into an
@@ -226,7 +224,7 @@
bool KernelSupportSeccompBPF();
// Verify that the current policy passes some basic sanity checks.
- void PolicySanityChecks(SandboxBpfPolicy* policy);
+ void PolicySanityChecks(SandboxBPFPolicy* policy);
// Assembles and installs a filter based on the policy that has previously
// been configured with SetSandboxPolicy().
@@ -266,13 +264,13 @@
bool quiet_;
int proc_fd_;
- scoped_ptr<const SandboxBpfPolicy> policy_;
+ scoped_ptr<const SandboxBPFPolicy> policy_;
Conds* conds_;
bool sandbox_has_started_;
- DISALLOW_COPY_AND_ASSIGN(Sandbox);
+ DISALLOW_COPY_AND_ASSIGN(SandboxBPF);
};
-} // namespace
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h b/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h
index 99d9e19..1ac5dab 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h
@@ -7,29 +7,29 @@
#include "base/basictypes.h"
-namespace playground2 {
+namespace sandbox {
class ErrorCode;
-class Sandbox;
+class SandboxBPF;
// This is the interface to implement to define a BPF sandbox policy.
-class SandboxBpfPolicy {
+class SandboxBPFPolicy {
public:
- SandboxBpfPolicy() {}
- virtual ~SandboxBpfPolicy() {}
+ SandboxBPFPolicy() {}
+ virtual ~SandboxBPFPolicy() {}
// The EvaluateSyscall method is called with the system call number. It can
// decide to allow the system call unconditionally by returning ERR_ALLOWED;
// it can deny the system call unconditionally by returning an appropriate
// "errno" value; or it can request inspection of system call argument(s) by
// returning a suitable ErrorCode.
- virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler,
+ virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
int system_call_number) const = 0;
private:
- DISALLOW_COPY_AND_ASSIGN(SandboxBpfPolicy);
+ DISALLOW_COPY_AND_ASSIGN(SandboxBPFPolicy);
};
-} // namespace playground2
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy_forward.h b/sandbox/linux/seccomp-bpf/sandbox_bpf_policy_forward.h
deleted file mode 100644
index 77d9b53..0000000
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy_forward.h
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_FORWARD_H_
-#define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_FORWARD_H_
-
-#include "base/callback_forward.h"
-
-namespace playground2 {
-
-class Sandbox;
-class ErrorCode;
-typedef ErrorCode BpfSandboxPolicy(Sandbox* sandbox_compiler,
- int system_call_number,
- void* aux);
-
-typedef base::Callback<BpfSandboxPolicy> BpfSandboxPolicyCallback;
-
-} // namespace playground2
-
-#endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_FORWARD_H_
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
index 9d67db8..988e295 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
@@ -40,8 +40,7 @@
#define PR_CAPBSET_DROP 24
#endif
-using namespace playground2;
-using sandbox::BrokerProcess;
+namespace sandbox {
namespace {
@@ -50,11 +49,11 @@
// This test should execute no matter whether we have kernel support. So,
// we make it a TEST() instead of a BPF_TEST().
-TEST(SandboxBpf, CallSupports) {
+TEST(SandboxBPF, CallSupports) {
// We check that we don't crash, but it's ok if the kernel doesn't
// support it.
bool seccomp_bpf_supported =
- Sandbox::SupportsSeccompSandbox(-1) == Sandbox::STATUS_AVAILABLE;
+ SandboxBPF::SupportsSeccompSandbox(-1) == SandboxBPF::STATUS_AVAILABLE;
// We want to log whether or not seccomp BPF is actually supported
// since actual test coverage depends on it.
RecordProperty("SeccompBPFSupported",
@@ -65,9 +64,9 @@
std::cout << "Pointer size: " << sizeof(void*) << "\n";
}
-SANDBOX_TEST(SandboxBpf, CallSupportsTwice) {
- Sandbox::SupportsSeccompSandbox(-1);
- Sandbox::SupportsSeccompSandbox(-1);
+SANDBOX_TEST(SandboxBPF, CallSupportsTwice) {
+ SandboxBPF::SupportsSeccompSandbox(-1);
+ SandboxBPF::SupportsSeccompSandbox(-1);
}
// BPF_TEST does a lot of the boiler-plate code around setting up a
@@ -83,8 +82,8 @@
return (*pid_ptr)++;
}
-ErrorCode VerboseAPITestingPolicy(Sandbox* sandbox, int sysno, void* aux) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode VerboseAPITestingPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
return ErrorCode(ENOSYS);
} else if (sysno == __NR_getpid) {
return sandbox->Trap(FakeGetPid, aux);
@@ -93,11 +92,11 @@
}
}
-SANDBOX_TEST(SandboxBpf, DISABLE_ON_TSAN(VerboseAPITesting)) {
- if (Sandbox::SupportsSeccompSandbox(-1) ==
- playground2::Sandbox::STATUS_AVAILABLE) {
+SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) {
+ if (SandboxBPF::SupportsSeccompSandbox(-1) ==
+ sandbox::SandboxBPF::STATUS_AVAILABLE) {
pid_t test_var = 0;
- Sandbox sandbox;
+ SandboxBPF sandbox;
sandbox.SetSandboxPolicyDeprecated(VerboseAPITestingPolicy, &test_var);
sandbox.StartSandbox();
@@ -115,8 +114,8 @@
// A simple blacklist test
-ErrorCode BlacklistNanosleepPolicy(Sandbox*, int sysno, void*) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode BlacklistNanosleepPolicy(SandboxBPF*, int sysno, void*) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
}
@@ -129,7 +128,7 @@
}
}
-BPF_TEST(SandboxBpf, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
+BPF_TEST(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
// nanosleep() should be denied
const struct timespec ts = {0, 0};
errno = 0;
@@ -139,7 +138,7 @@
// Now do a simple whitelist test
-ErrorCode WhitelistGetpidPolicy(Sandbox*, int sysno, void*) {
+ErrorCode WhitelistGetpidPolicy(SandboxBPF*, int sysno, void*) {
switch (sysno) {
case __NR_getpid:
case __NR_exit_group:
@@ -149,7 +148,7 @@
}
}
-BPF_TEST(SandboxBpf, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
+BPF_TEST(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
// getpid() should be allowed
errno = 0;
BPF_ASSERT(syscall(__NR_getpid) > 0);
@@ -169,10 +168,10 @@
return -ENOMEM;
}
-ErrorCode BlacklistNanosleepPolicySigsys(Sandbox* sandbox,
+ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox,
int sysno,
void* aux) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
}
@@ -185,7 +184,7 @@
}
}
-BPF_TEST(SandboxBpf,
+BPF_TEST(SandboxBPF,
BasicBlacklistWithSigsys,
BlacklistNanosleepPolicySigsys,
int /* BPF_AUX */) {
@@ -206,8 +205,8 @@
// A simple test that verifies we can return arbitrary errno values.
-ErrorCode ErrnoTestPolicy(Sandbox*, int sysno, void*) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode ErrnoTestPolicy(SandboxBPF*, int sysno, void*) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
}
@@ -236,7 +235,7 @@
}
}
-BPF_TEST(SandboxBpf, ErrnoTest, ErrnoTestPolicy) {
+BPF_TEST(SandboxBPF, ErrnoTest, ErrnoTestPolicy) {
// Verify that dup2() returns success, but doesn't actually run.
int fds[4];
BPF_ASSERT(pipe(fds) == 0);
@@ -278,8 +277,8 @@
// Testing the stacking of two sandboxes
-ErrorCode StackingPolicyPartOne(Sandbox* sandbox, int sysno, void*) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode StackingPolicyPartOne(SandboxBPF* sandbox, int sysno, void*) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
return ErrorCode(ENOSYS);
}
@@ -296,8 +295,8 @@
}
}
-ErrorCode StackingPolicyPartTwo(Sandbox* sandbox, int sysno, void*) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode StackingPolicyPartTwo(SandboxBPF* sandbox, int sysno, void*) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
return ErrorCode(ENOSYS);
}
@@ -314,7 +313,7 @@
}
}
-BPF_TEST(SandboxBpf, StackingPolicy, StackingPolicyPartOne) {
+BPF_TEST(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
errno = 0;
BPF_ASSERT(syscall(__NR_getppid, 0) > 0);
BPF_ASSERT(errno == 0);
@@ -324,7 +323,7 @@
// Stack a second sandbox with its own policy. Verify that we can further
// restrict filters, but we cannot relax existing filters.
- Sandbox sandbox;
+ SandboxBPF sandbox;
sandbox.SetSandboxPolicyDeprecated(StackingPolicyPartTwo, NULL);
sandbox.StartSandbox();
@@ -351,8 +350,8 @@
return ((sysno & ~3) >> 2) % 29 + 1;
}
-ErrorCode SyntheticPolicy(Sandbox*, int sysno, void*) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode SyntheticPolicy(SandboxBPF*, int sysno, void*) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
}
@@ -373,7 +372,7 @@
}
}
-BPF_TEST(SandboxBpf, SyntheticPolicy, SyntheticPolicy) {
+BPF_TEST(SandboxBPF, SyntheticPolicy, SyntheticPolicy) {
// Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int
// overflow.
BPF_ASSERT(std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >=
@@ -407,8 +406,8 @@
}
}
-ErrorCode ArmPrivatePolicy(Sandbox*, int sysno, void*) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode ArmPrivatePolicy(SandboxBPF*, int sysno, void*) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy.
return ErrorCode(ENOSYS);
}
@@ -423,7 +422,7 @@
}
}
-BPF_TEST(SandboxBpf, ArmPrivatePolicy, ArmPrivatePolicy) {
+BPF_TEST(SandboxBPF, ArmPrivatePolicy, ArmPrivatePolicy) {
for (int syscall_number = static_cast<int>(__ARM_NR_set_tls + 1);
syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL);
++syscall_number) {
@@ -444,10 +443,10 @@
// Verify that we can now call the underlying system call without causing
// infinite recursion.
- return Sandbox::ForwardSyscall(args);
+ return SandboxBPF::ForwardSyscall(args);
}
-ErrorCode GreyListedPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
// The use of UnsafeTrap() causes us to print a warning message. This is
// generally desirable, but it results in the unittest failing, as it doesn't
// expect any messages on "stderr". So, temporarily disable messages. The
@@ -472,7 +471,7 @@
} else if (sysno == __NR_getpid) {
// Disallow getpid()
return ErrorCode(EPERM);
- } else if (Sandbox::IsValidSyscallNumber(sysno)) {
+ } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
// Allow (and count) all other system calls.
return sandbox->UnsafeTrap(CountSyscalls, aux);
} else {
@@ -480,7 +479,7 @@
}
}
-BPF_TEST(SandboxBpf, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) {
+BPF_TEST(SandboxBPF, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) {
BPF_ASSERT(syscall(__NR_getpid) == -1);
BPF_ASSERT(errno == EPERM);
BPF_ASSERT(BPF_AUX == 0);
@@ -497,7 +496,7 @@
BPF_ASSERT(*name);
}
-SANDBOX_TEST(SandboxBpf, EnableUnsafeTrapsInSigSysHandler) {
+SANDBOX_TEST(SandboxBPF, EnableUnsafeTrapsInSigSysHandler) {
// Disabling warning messages that could confuse our test framework.
setenv(kSandboxDebuggingEnv, "t", 0);
Die::SuppressInfoMessages(true);
@@ -516,18 +515,18 @@
// return an error. But our handler allows this call.
return 0;
} else {
- return Sandbox::ForwardSyscall(args);
+ return SandboxBPF::ForwardSyscall(args);
}
}
-ErrorCode PrctlPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode PrctlPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
setenv(kSandboxDebuggingEnv, "t", 0);
Die::SuppressInfoMessages(true);
if (sysno == __NR_prctl) {
// Handle prctl() inside an UnsafeTrap()
return sandbox->UnsafeTrap(PrctlHandler, NULL);
- } else if (Sandbox::IsValidSyscallNumber(sysno)) {
+ } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
// Allow all other system calls.
return ErrorCode(ErrorCode::ERR_ALLOWED);
} else {
@@ -535,7 +534,7 @@
}
}
-BPF_TEST(SandboxBpf, ForwardSyscall, PrctlPolicy) {
+BPF_TEST(SandboxBPF, ForwardSyscall, PrctlPolicy) {
// This call should never be allowed. But our policy will intercept it and
// let it pass successfully.
BPF_ASSERT(
@@ -563,10 +562,10 @@
}
intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void*) {
- return Sandbox::ForwardSyscall(args);
+ return SandboxBPF::ForwardSyscall(args);
}
-ErrorCode RedirectAllSyscallsPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode RedirectAllSyscallsPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
setenv(kSandboxDebuggingEnv, "t", 0);
Die::SuppressInfoMessages(true);
@@ -583,7 +582,7 @@
#endif
) {
return ErrorCode(ErrorCode::ERR_ALLOWED);
- } else if (Sandbox::IsValidSyscallNumber(sysno)) {
+ } else if (SandboxBPF::IsValidSyscallNumber(sysno)) {
return sandbox->UnsafeTrap(AllowRedirectedSyscall, aux);
} else {
return ErrorCode(ENOSYS);
@@ -596,7 +595,7 @@
BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1);
}
-BPF_TEST(SandboxBpf, SigBus, RedirectAllSyscallsPolicy) {
+BPF_TEST(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) {
// We use the SIGBUS bit in the signal mask as a thread-local boolean
// value in the implementation of UnsafeTrap(). This is obviously a bit
// of a hack that could conceivably interfere with code that uses SIGBUS
@@ -619,7 +618,7 @@
BPF_ASSERT(c == 0x55);
}
-BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) {
+BPF_TEST(SandboxBPF, SigMask, RedirectAllSyscallsPolicy) {
// Signal masks are potentially tricky to handle. For instance, if we
// ever tried to update them from inside a Trap() or UnsafeTrap() handler,
// the call to sigreturn() at the end of the signal handler would undo
@@ -646,7 +645,7 @@
BPF_ASSERT(sigismember(&mask2, SIGUSR2));
}
-BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) {
+BPF_TEST(SandboxBPF, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) {
// An UnsafeTrap() (or for that matter, a Trap()) has to report error
// conditions by returning an exit code in the range -1..-4096. This
// should happen automatically if using ForwardSyscall(). If the TrapFnc()
@@ -667,7 +666,7 @@
struct arch_seccomp_data args = {};
args.nr = __NR_close;
args.args[0] = -1;
- BPF_ASSERT(Sandbox::ForwardSyscall(args) == -EBADF);
+ BPF_ASSERT(SandboxBPF::ForwardSyscall(args) == -EBADF);
BPF_ASSERT(errno == 0);
}
@@ -719,9 +718,9 @@
}
}
-ErrorCode DenyOpenPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode DenyOpenPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
InitializedOpenBroker* iob = static_cast<InitializedOpenBroker*>(aux);
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
return ErrorCode(ENOSYS);
}
@@ -740,7 +739,7 @@
// We use a InitializedOpenBroker class, so that we can run unsandboxed
// code in its constructor, which is the only way to do so in a BPF_TEST.
-BPF_TEST(SandboxBpf,
+BPF_TEST(SandboxBPF,
UseOpenBroker,
DenyOpenPolicy,
InitializedOpenBroker /* BPF_AUX */) {
@@ -785,10 +784,10 @@
BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0);
}
-// Simple test demonstrating how to use Sandbox::Cond()
+// Simple test demonstrating how to use SandboxBPF::Cond()
-ErrorCode SimpleCondTestPolicy(Sandbox* sandbox, int sysno, void*) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode SimpleCondTestPolicy(SandboxBPF* sandbox, int sysno, void*) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
}
@@ -825,7 +824,7 @@
}
}
-BPF_TEST(SandboxBpf, SimpleCondTest, SimpleCondTestPolicy) {
+BPF_TEST(SandboxBPF, SimpleCondTest, SimpleCondTestPolicy) {
int fd;
BPF_ASSERT((fd = open("/proc/self/comm", O_RDWR)) == -1);
BPF_ASSERT(errno == EROFS);
@@ -839,7 +838,7 @@
BPF_ASSERT(errno == ENOMEM);
}
-// This test exercises the Sandbox::Cond() method by building a complex
+// This test exercises the SandboxBPF::Cond() method by building a complex
// tree of conditional equality operations. It then makes system calls and
// verifies that they return the values that we expected from our BPF
// program.
@@ -879,8 +878,8 @@
}
}
- ErrorCode Policy(Sandbox* sandbox, int sysno) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ ErrorCode Policy(SandboxBPF* sandbox, int sysno) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
} else if (sysno < 0 || sysno >= (int)arg_values_.size() ||
@@ -1039,7 +1038,7 @@
}
}
- ErrorCode ToErrorCode(Sandbox* sandbox, ArgValue* arg_value) {
+ ErrorCode ToErrorCode(SandboxBPF* sandbox, ArgValue* arg_value) {
// Compute the ErrorCode that should be returned, if none of our
// tests succeed (i.e. the system call parameter doesn't match any
// of the values in arg_value->tests[].k_value).
@@ -1050,13 +1049,13 @@
err = ErrorCode(arg_value->err);
} else {
// If this wasn't a leaf node yet, recursively descend into the rest
- // of the tree. This will end up adding a few more Sandbox::Cond()
+ // of the tree. This will end up adding a few more SandboxBPF::Cond()
// tests to our ErrorCode.
err = ToErrorCode(sandbox, arg_value->arg_value);
}
// Now, iterate over all the test cases that we want to compare against.
- // This builds a chain of Sandbox::Cond() tests
+ // This builds a chain of SandboxBPF::Cond() tests
// (aka "if ... elif ... elif ... elif ... fi")
for (int n = arg_value->size; n-- > 0;) {
ErrorCode matched;
@@ -1140,19 +1139,19 @@
static const int kMaxArgs = 6;
};
-ErrorCode EqualityStressTestPolicy(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
return reinterpret_cast<EqualityStressTest*>(aux)->Policy(sandbox, sysno);
}
-BPF_TEST(SandboxBpf,
+BPF_TEST(SandboxBPF,
EqualityTests,
EqualityStressTestPolicy,
EqualityStressTest /* BPF_AUX */) {
BPF_AUX.VerifyFilter();
}
-ErrorCode EqualityArgumentWidthPolicy(Sandbox* sandbox, int sysno, void*) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode EqualityArgumentWidthPolicy(SandboxBPF* sandbox, int sysno, void*) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
} else if (sysno == __NR_uname) {
@@ -1186,7 +1185,7 @@
}
}
-BPF_TEST(SandboxBpf, EqualityArgumentWidth, EqualityArgumentWidthPolicy) {
+BPF_TEST(SandboxBPF, EqualityArgumentWidth, EqualityArgumentWidthPolicy) {
BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0x55555555) == -1);
BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0xAAAAAAAA) == -2);
#if __SIZEOF_POINTER__ > 4
@@ -1206,7 +1205,7 @@
// On 32bit machines, there is no way to pass a 64bit argument through the
// syscall interface. So, we have to skip the part of the test that requires
// 64bit arguments.
-BPF_DEATH_TEST(SandboxBpf,
+BPF_DEATH_TEST(SandboxBPF,
EqualityArgumentUnallowed64bit,
DEATH_MESSAGE("Unexpected 64bit argument detected"),
EqualityArgumentWidthPolicy) {
@@ -1214,10 +1213,10 @@
}
#endif
-ErrorCode EqualityWithNegativeArgumentsPolicy(Sandbox* sandbox,
+ErrorCode EqualityWithNegativeArgumentsPolicy(SandboxBPF* sandbox,
int sysno,
void*) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
} else if (sysno == __NR_uname) {
@@ -1232,7 +1231,7 @@
}
}
-BPF_TEST(SandboxBpf,
+BPF_TEST(SandboxBPF,
EqualityWithNegativeArguments,
EqualityWithNegativeArgumentsPolicy) {
BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF) == -1);
@@ -1241,7 +1240,7 @@
}
#if __SIZEOF_POINTER__ > 4
-BPF_DEATH_TEST(SandboxBpf,
+BPF_DEATH_TEST(SandboxBPF,
EqualityWithNegative64bitArguments,
DEATH_MESSAGE("Unexpected 64bit argument detected"),
EqualityWithNegativeArgumentsPolicy) {
@@ -1251,14 +1250,14 @@
BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000LL) == -1);
}
#endif
-ErrorCode AllBitTestPolicy(Sandbox *sandbox, int sysno, void *) {
+ErrorCode AllBitTestPolicy(SandboxBPF* sandbox, int sysno, void *) {
// Test the OP_HAS_ALL_BITS conditional test operator with a couple of
// different bitmasks. We try to find bitmasks that could conceivably
// touch corner cases.
// For all of these tests, we override the uname(). We can make use with
// a single system call number, as we use the first system call argument to
// select the different bit masks that we want to test against.
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
} else if (sysno == __NR_uname) {
@@ -1344,7 +1343,7 @@
// We expect these tests to succeed on 64bit systems, but to tail on 32bit
// systems.
#define EXPT64_SUCCESS (sizeof(void*) > 4 ? EXPECT_SUCCESS : EXPECT_FAILURE)
-BPF_TEST(SandboxBpf, AllBitTests, AllBitTestPolicy) {
+BPF_TEST(SandboxBPF, AllBitTests, AllBitTestPolicy) {
// 32bit test: all of 0x0 (should always be true)
BITMASK_TEST( 0, 0, ALLBITS32, 0, EXPECT_SUCCESS);
BITMASK_TEST( 0, 1, ALLBITS32, 0, EXPECT_SUCCESS);
@@ -1447,14 +1446,14 @@
BITMASK_TEST(10, -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS);
}
-ErrorCode AnyBitTestPolicy(Sandbox* sandbox, int sysno, void*) {
+ErrorCode AnyBitTestPolicy(SandboxBPF* sandbox, int sysno, void*) {
// Test the OP_HAS_ANY_BITS conditional test operator with a couple of
// different bitmasks. We try to find bitmasks that could conceivably
// touch corner cases.
// For all of these tests, we override the uname(). We can make use with
// a single system call number, as we use the first system call argument to
// select the different bit masks that we want to test against.
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
} else if (sysno == __NR_uname) {
@@ -1521,7 +1520,7 @@
}
}
-BPF_TEST(SandboxBpf, AnyBitTests, AnyBitTestPolicy) {
+BPF_TEST(SandboxBPF, AnyBitTests, AnyBitTestPolicy) {
// 32bit test: any of 0x0 (should always be false)
BITMASK_TEST( 0, 0, ANYBITS32, 0x0, EXPECT_FAILURE);
BITMASK_TEST( 0, 1, ANYBITS32, 0x0, EXPECT_FAILURE);
@@ -1651,12 +1650,12 @@
}
return -EPERM;
}
-ErrorCode PthreadPolicyEquality(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode PthreadPolicyEquality(SandboxBPF* sandbox, int sysno, void* aux) {
// This policy allows creating threads with pthread_create(). But it
// doesn't allow any other uses of clone(). Most notably, it does not
// allow callers to implement fork() or vfork() by passing suitable flags
// to the clone() system call.
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
} else if (sysno == __NR_clone) {
@@ -1691,12 +1690,12 @@
}
}
-ErrorCode PthreadPolicyBitMask(Sandbox* sandbox, int sysno, void* aux) {
+ErrorCode PthreadPolicyBitMask(SandboxBPF* sandbox, int sysno, void* aux) {
// This policy allows creating threads with pthread_create(). But it
// doesn't allow any other uses of clone(). Most notably, it does not
// allow callers to implement fork() or vfork() by passing suitable flags
// to the clone() system call.
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
// FIXME: we should really not have to do that in a trivial policy
return ErrorCode(ENOSYS);
} else if (sysno == __NR_clone) {
@@ -1775,8 +1774,10 @@
&pid) == -EPERM);
}
-BPF_TEST(SandboxBpf, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); }
+BPF_TEST(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); }
-BPF_TEST(SandboxBpf, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); }
+BPF_TEST(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); }
-} // namespace
+} // namespace
+
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/syscall.cc b/sandbox/linux/seccomp-bpf/syscall.cc
index a5cbb02..acf207d 100644
--- a/sandbox/linux/seccomp-bpf/syscall.cc
+++ b/sandbox/linux/seccomp-bpf/syscall.cc
@@ -9,7 +9,7 @@
#include "base/basictypes.h"
-namespace playground2 {
+namespace sandbox {
asm( // We need to be able to tell the kernel exactly where we made a
// system call. The C++ compiler likes to sometimes clone or
@@ -196,7 +196,7 @@
// N.B. These are not the calling conventions normally used by the ABI.
: "=a"(ret)
: "0"(ret), "D"(args)
- : "esp", "memory", "ecx", "edx");
+ : "cc", "esp", "memory", "ecx", "edx");
#elif defined(__x86_64__)
intptr_t ret = nr;
{
@@ -208,7 +208,7 @@
// N.B. These are not the calling conventions normally used by the ABI.
: "=a"(ret)
: "0"(ret), "r"(data)
- : "rsp", "memory",
+ : "cc", "rsp", "memory",
"rcx", "rdi", "rsi", "rdx", "r8", "r9", "r10", "r11");
}
#elif defined(__arm__)
@@ -221,7 +221,7 @@
// N.B. These are not the calling conventions normally used by the ABI.
: "=r"(inout)
: "0"(inout), "r"(data)
- : "lr", "memory", "r1", "r2", "r3", "r4", "r5"
+ : "cc", "lr", "memory", "r1", "r2", "r3", "r4", "r5"
#if !defined(__arm__)
// In thumb mode, we cannot use "r7" as a general purpose register, as
// it is our frame pointer. We have to manually manage and preserve it.
@@ -240,4 +240,4 @@
return ret;
}
-} // namespace
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/syscall.h b/sandbox/linux/seccomp-bpf/syscall.h
index f63516b..0b51380 100644
--- a/sandbox/linux/seccomp-bpf/syscall.h
+++ b/sandbox/linux/seccomp-bpf/syscall.h
@@ -7,7 +7,7 @@
#include <stdint.h>
-namespace playground2 {
+namespace sandbox {
// We have to make sure that we have a single "magic" return address for
// our system calls, which we can check from within a BPF filter. This
@@ -133,6 +133,6 @@
#endif // Pre-C++11
-} // namespace
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__
diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator.cc b/sandbox/linux/seccomp-bpf/syscall_iterator.cc
index f1f2acf..89cc1cb 100644
--- a/sandbox/linux/seccomp-bpf/syscall_iterator.cc
+++ b/sandbox/linux/seccomp-bpf/syscall_iterator.cc
@@ -7,7 +7,7 @@
#include "base/basictypes.h"
#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
-namespace playground2 {
+namespace sandbox {
uint32_t SyscallIterator::Next() {
if (done_) {
@@ -89,4 +89,4 @@
bool SyscallIterator::IsArmPrivate(uint32_t) { return false; }
#endif
-} // namespace
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator.h b/sandbox/linux/seccomp-bpf/syscall_iterator.h
index 3d7f66d..3b56ea3 100644
--- a/sandbox/linux/seccomp-bpf/syscall_iterator.h
+++ b/sandbox/linux/seccomp-bpf/syscall_iterator.h
@@ -9,7 +9,7 @@
#include "base/basictypes.h"
-namespace playground2 {
+namespace sandbox {
// Iterates over the entire system call range from 0..0xFFFFFFFFu. This
// iterator is aware of how system calls look like and will skip quickly
@@ -50,6 +50,6 @@
DISALLOW_IMPLICIT_CONSTRUCTORS(SyscallIterator);
};
-} // namespace playground2
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_ITERATOR_H__
diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc b/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc
index 61e95d7..08a857a 100644
--- a/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc
@@ -6,7 +6,7 @@
#include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
#include "sandbox/linux/tests/unit_tests.h"
-using namespace playground2;
+namespace sandbox {
namespace {
@@ -132,3 +132,5 @@
}
} // namespace
+
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/syscall_unittest.cc b/sandbox/linux/seccomp-bpf/syscall_unittest.cc
index 0472448..60db69b 100644
--- a/sandbox/linux/seccomp-bpf/syscall_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/syscall_unittest.cc
@@ -18,7 +18,7 @@
#include "sandbox/linux/tests/unit_tests.h"
#include "testing/gtest/include/gtest/gtest.h"
-using namespace playground2;
+namespace sandbox {
namespace {
@@ -64,7 +64,7 @@
int new_fd;
// Duplicate standard error and close it.
ASSERT_GE(new_fd = SandboxSyscall(__NR_dup, 2), 0);
- int close_return_value = HANDLE_EINTR(SandboxSyscall(__NR_close, new_fd));
+ int close_return_value = IGNORE_EINTR(SandboxSyscall(__NR_close, new_fd));
ASSERT_EQ(close_return_value, 0);
}
@@ -78,8 +78,8 @@
return -ENOMEM;
}
-ErrorCode CopyAllArgsOnUnamePolicy(Sandbox* sandbox, int sysno, void* aux) {
- if (!Sandbox::IsValidSyscallNumber(sysno)) {
+ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, int sysno, void* aux) {
+ if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
return ErrorCode(ENOSYS);
}
if (sysno == __NR_uname) {
@@ -160,7 +160,7 @@
// Clean up
EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr1, 4096L));
- EXPECT_EQ(0, HANDLE_EINTR(SandboxSyscall(__NR_close, fd)));
+ EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd)));
// Check that the offset argument (i.e. the sixth argument) is processed
// correctly.
@@ -193,7 +193,9 @@
// Clean up
EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr2, 8192L));
EXPECT_EQ(0, SandboxSyscall(__NR_munmap, addr3, 4096L));
- EXPECT_EQ(0, HANDLE_EINTR(SandboxSyscall(__NR_close, fd)));
+ EXPECT_EQ(0, IGNORE_EINTR(SandboxSyscall(__NR_close, fd)));
}
} // namespace
+
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/trap.cc b/sandbox/linux/seccomp-bpf/trap.cc
index de701a7..553a904 100644
--- a/sandbox/linux/seccomp-bpf/trap.cc
+++ b/sandbox/linux/seccomp-bpf/trap.cc
@@ -13,7 +13,6 @@
#include <limits>
#include "base/logging.h"
-#include "base/posix/eintr_wrapper.h"
#include "sandbox/linux/seccomp-bpf/codegen.h"
#include "sandbox/linux/seccomp-bpf/die.h"
#include "sandbox/linux/seccomp-bpf/syscall.h"
@@ -66,7 +65,7 @@
} // namespace
-namespace playground2 {
+namespace sandbox {
Trap::Trap()
: trap_array_(NULL),
@@ -352,4 +351,4 @@
Trap* Trap::global_trap_;
-} // namespace playground2
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/trap.h b/sandbox/linux/seccomp-bpf/trap.h
index edaa023..334a30d 100644
--- a/sandbox/linux/seccomp-bpf/trap.h
+++ b/sandbox/linux/seccomp-bpf/trap.h
@@ -13,7 +13,7 @@
#include "base/basictypes.h"
-namespace playground2 {
+namespace sandbox {
class ErrorCode;
@@ -111,6 +111,6 @@
DISALLOW_IMPLICIT_CONSTRUCTORS(Trap);
};
-} // namespace playground2
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
diff --git a/sandbox/linux/seccomp-bpf/verifier.cc b/sandbox/linux/seccomp-bpf/verifier.cc
index 1d6b26d..1292504 100644
--- a/sandbox/linux/seccomp-bpf/verifier.cc
+++ b/sandbox/linux/seccomp-bpf/verifier.cc
@@ -9,12 +9,10 @@
#include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
#include "sandbox/linux/seccomp-bpf/verifier.h"
-namespace {
-using playground2::ErrorCode;
-using playground2::Sandbox;
-using playground2::Verifier;
-using playground2::arch_seccomp_data;
+namespace sandbox {
+
+namespace {
struct State {
State(const std::vector<struct sock_filter>& p,
@@ -30,7 +28,7 @@
DISALLOW_IMPLICIT_CONSTRUCTORS(State);
};
-uint32_t EvaluateErrorCode(Sandbox* sandbox,
+uint32_t EvaluateErrorCode(SandboxBPF* sandbox,
const ErrorCode& code,
const struct arch_seccomp_data& data) {
if (code.error_type() == ErrorCode::ET_SIMPLE ||
@@ -78,7 +76,7 @@
}
}
-bool VerifyErrorCode(Sandbox* sandbox,
+bool VerifyErrorCode(SandboxBPF* sandbox,
const std::vector<struct sock_filter>& program,
struct arch_seccomp_data* data,
const ErrorCode& root_code,
@@ -362,11 +360,9 @@
} // namespace
-namespace playground2 {
-
-bool Verifier::VerifyBPF(Sandbox* sandbox,
+bool Verifier::VerifyBPF(SandboxBPF* sandbox,
const std::vector<struct sock_filter>& program,
- const SandboxBpfPolicy& policy,
+ const SandboxBPFPolicy& policy,
const char** err) {
*err = NULL;
for (SyscallIterator iter(false); !iter.Done();) {
@@ -447,4 +443,4 @@
return 0;
}
-} // namespace
+} // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/verifier.h b/sandbox/linux/seccomp-bpf/verifier.h
index fff5b63..4e80dd9 100644
--- a/sandbox/linux/seccomp-bpf/verifier.h
+++ b/sandbox/linux/seccomp-bpf/verifier.h
@@ -10,9 +10,9 @@
#include <utility>
#include <vector>
-namespace playground2 {
+namespace sandbox {
-class SandboxBpfPolicy;
+class SandboxBPFPolicy;
class Verifier {
public:
@@ -23,9 +23,9 @@
// set by the "evaluators".
// Upon success, "err" is set to NULL. Upon failure, it contains a static
// error message that does not need to be free()'d.
- static bool VerifyBPF(Sandbox* sandbox,
+ static bool VerifyBPF(SandboxBPF* sandbox,
const std::vector<struct sock_filter>& program,
- const SandboxBpfPolicy& policy,
+ const SandboxBPFPolicy& policy,
const char** err);
// Evaluate a given BPF program for a particular set of system call
@@ -44,6 +44,6 @@
DISALLOW_IMPLICIT_CONSTRUCTORS(Verifier);
};
-} // namespace
+} // namespace sandbox
#endif // SANDBOX_LINUX_SECCOMP_BPF_VERIFIER_H__
diff --git a/sandbox/linux/services/broker_process.cc b/sandbox/linux/services/broker_process.cc
index 0e91c20..438e972 100644
--- a/sandbox/linux/services/broker_process.cc
+++ b/sandbox/linux/services/broker_process.cc
@@ -21,6 +21,7 @@
#include "base/pickle.h"
#include "base/posix/eintr_wrapper.h"
#include "base/posix/unix_domain_socket_linux.h"
+#include "base/process/process_metrics.h"
#include "build/build_config.h"
#include "sandbox/linux/services/linux_syscalls.h"
@@ -131,7 +132,7 @@
BrokerProcess::~BrokerProcess() {
if (initialized_ && ipc_socketpair_ != -1) {
- void (HANDLE_EINTR(close(ipc_socketpair_)));
+ close(ipc_socketpair_);
}
}
@@ -146,15 +147,16 @@
return false;
}
+ DCHECK_EQ(1, base::GetNumberOfThreads(base::GetCurrentProcessHandle()));
int child_pid = fork();
if (child_pid == -1) {
- ignore_result(HANDLE_EINTR(close(socket_pair[0])));
- ignore_result(HANDLE_EINTR(close(socket_pair[1])));
+ close(socket_pair[0]);
+ close(socket_pair[1]);
return false;
}
if (child_pid) {
// We are the parent and we have just forked our broker process.
- ignore_result(HANDLE_EINTR(close(socket_pair[0])));
+ close(socket_pair[0]);
// We should only be able to write to the IPC channel. We'll always send
// a new file descriptor to receive the reply on.
shutdown(socket_pair[1], SHUT_RD);
@@ -165,7 +167,7 @@
return true;
} else {
// We are the broker.
- ignore_result(HANDLE_EINTR(close(socket_pair[1])));
+ close(socket_pair[1]);
// We should only be able to read from this IPC channel. We will send our
// replies on a new file descriptor attached to the requests.
shutdown(socket_pair[0], SHUT_WR);
@@ -329,7 +331,7 @@
r = false;
break;
}
- int ret = HANDLE_EINTR(close(temporary_ipc));
+ int ret = IGNORE_EINTR(close(temporary_ipc));
DCHECK(!ret) << "Could not close temporary IPC channel";
return r;
}
@@ -374,7 +376,7 @@
// Close anything we have opened in this process.
for (std::vector<int>::iterator it = opened_files.begin();
it < opened_files.end(); ++it) {
- int ret = HANDLE_EINTR(close(*it));
+ int ret = IGNORE_EINTR(close(*it));
DCHECK(!ret) << "Could not close file descriptor";
}
diff --git a/sandbox/linux/services/broker_process_unittest.cc b/sandbox/linux/services/broker_process_unittest.cc
index 4cb9c6f..f163ef9 100644
--- a/sandbox/linux/services/broker_process_unittest.cc
+++ b/sandbox/linux/services/broker_process_unittest.cc
@@ -48,7 +48,7 @@
}
~ScopedTemporaryFile() {
CHECK_EQ(0, unlink(full_file_name_));
- CHECK_EQ(0, HANDLE_EINTR(close(fd_)));
+ CHECK_EQ(0, IGNORE_EINTR(close(fd_)));
}
int fd() const { return fd_; }
diff --git a/sandbox/linux/services/credentials.cc b/sandbox/linux/services/credentials.cc
index cea757c..4f041dc 100644
--- a/sandbox/linux/services/credentials.cc
+++ b/sandbox/linux/services/credentials.cc
@@ -163,9 +163,15 @@
} else {
proc_self_fd = openat(AT_FDCWD, "/proc/self/fd", O_DIRECTORY | O_RDONLY);
if (proc_self_fd < 0) {
+ // If this process has been chrooted (eg into /proc/self/fdinfo) then
+ // the new root dir will not have directory listing permissions for us
+ // (hence EACCES). And if we do have this permission, then /proc won't
+ // exist anyway (hence ENOENT).
+ DPCHECK(errno == EACCES || errno == ENOENT)
+ << "Unexpected failure when trying to open /proc/self/fd: ("
+ << errno << ") " << strerror(errno);
+
// If not available, guess false.
- // TODO(mostynb@opera.com): add a CHECK_EQ(ENOENT, errno); Figure out what
- // other situations are here. http://crbug.com/314985
return false;
}
}
diff --git a/sandbox/linux/services/init_process_reaper.cc b/sandbox/linux/services/init_process_reaper.cc
index f5473ba..2e0b90b 100644
--- a/sandbox/linux/services/init_process_reaper.cc
+++ b/sandbox/linux/services/init_process_reaper.cc
@@ -33,9 +33,9 @@
pid_t child_pid = fork();
if (child_pid == -1) {
int close_ret;
- close_ret = HANDLE_EINTR(close(sync_fds[0]));
+ close_ret = IGNORE_EINTR(close(sync_fds[0]));
DPCHECK(!close_ret);
- close_ret = HANDLE_EINTR(close(sync_fds[1]));
+ close_ret = IGNORE_EINTR(close(sync_fds[1]));
DPCHECK(!close_ret);
return false;
}
@@ -50,7 +50,7 @@
CHECK(sigaction(SIGCHLD, &action, NULL) == 0);
int close_ret;
- close_ret = HANDLE_EINTR(close(sync_fds[0]));
+ close_ret = IGNORE_EINTR(close(sync_fds[0]));
DPCHECK(!close_ret);
close_ret = shutdown(sync_fds[1], SHUT_RD);
DPCHECK(!close_ret);
@@ -58,7 +58,7 @@
post_fork_parent_callback->Run();
// Tell the child to continue
CHECK(HANDLE_EINTR(send(sync_fds[1], "C", 1, MSG_NOSIGNAL)) == 1);
- close_ret = HANDLE_EINTR(close(sync_fds[1]));
+ close_ret = IGNORE_EINTR(close(sync_fds[1]));
DPCHECK(!close_ret);
for (;;) {
@@ -83,13 +83,13 @@
// The child needs to wait for the parent to run the callback to avoid a
// race condition.
int close_ret;
- close_ret = HANDLE_EINTR(close(sync_fds[1]));
+ close_ret = IGNORE_EINTR(close(sync_fds[1]));
DPCHECK(!close_ret);
close_ret = shutdown(sync_fds[0], SHUT_WR);
DPCHECK(!close_ret);
char should_continue;
int read_ret = HANDLE_EINTR(read(sync_fds[0], &should_continue, 1));
- close_ret = HANDLE_EINTR(close(sync_fds[0]));
+ close_ret = IGNORE_EINTR(close(sync_fds[0]));
DPCHECK(!close_ret);
if (read_ret == 1)
return true;
diff --git a/sandbox/linux/tests/unit_tests.cc b/sandbox/linux/tests/unit_tests.cc
index 320f52b..ad30d84 100644
--- a/sandbox/linux/tests/unit_tests.cc
+++ b/sandbox/linux/tests/unit_tests.cc
@@ -150,7 +150,7 @@
_exit(kExpectedValue);
}
- (void)HANDLE_EINTR(close(fds[1]));
+ close(fds[1]);
std::vector<char> msg_buf;
ssize_t rc;
@@ -175,7 +175,7 @@
}
ASSERT_NE(poll_ret, -1) << "poll() failed";
ASSERT_NE(poll_ret, 0) << "Timeout while reading child state";
- (void)HANDLE_EINTR(close(fds[0]));
+ close(fds[0]);
std::string msg(msg_buf.begin(), msg_buf.end());
int status = 0;