sandbox/linux/seccomp-bpf/trap.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
   6 #define SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
   7
   8 #include <signal.h>
   9 #include <stdint.h>
  10
  11 #include <map>
  12
  13 #include "base/macros.h"
  14 #include "sandbox/linux/bpf_dsl/trap_registry.h"
  15 #include "sandbox/sandbox_export.h"
  16
  17 namespace sandbox {
  18
  19 // The Trap class allows a BPF filter program to branch out to user space by
  20 // raising a SIGSYS signal.
  21 // N.B.: This class does not perform any synchronization operations. If
  22 //   modifications are made to any of the traps, it is the caller's
  23 //   responsibility to ensure that this happens in a thread-safe fashion.
  24 //   Preferably, that means that no other threads should be running at that
  25 //   time. For the purposes of our sandbox, this assertion should always be
  26 //   true. Threads are incompatible with the seccomp sandbox anyway.
  27 class SANDBOX_EXPORT Trap : public bpf_dsl::TrapRegistry {
  28  public:
  29   virtual uint16_t Add(TrapFnc fnc, const void* aux, bool safe) override;
  30
  31   virtual bool EnableUnsafeTraps() override;
  32
  33   // Registry returns the trap registry used by Trap's SIGSYS handler,
  34   // creating it if necessary.
  35   static bpf_dsl::TrapRegistry* Registry();
  36
  37   // Registers a new trap handler and sets up the appropriate SIGSYS handler
  38   // as needed.
  39   // N.B.: This makes a permanent state change. Traps cannot be unregistered,
  40   //   as that would break existing BPF filters that are still active.
  41   // TODO(mdempsky): Deprecated; remove.
  42   static uint16_t MakeTrap(TrapFnc fnc, const void* aux, bool safe);
  43
  44   // Enables support for unsafe traps in the SIGSYS signal handler. This is a
  45   // one-way fuse. It works in conjunction with the BPF compiler emitting code
  46   // that unconditionally allows system calls, if they have a magic return
  47   // address (i.e. SandboxSyscall(-1)).
  48   // Once unsafe traps are enabled, the sandbox is essentially compromised.
  49   // But this is still a very useful feature for debugging purposes. Use with
  50   // care. This feature is availably only if enabled by the user (see above).
  51   // Returns "true", if unsafe traps were turned on.
  52   // TODO(mdempsky): Deprecated; remove.
  53   static bool EnableUnsafeTrapsInSigSysHandler();
  54
  55  private:
  56   struct TrapKey {
  57     TrapKey() : fnc(NULL), aux(NULL), safe(false) {}
  58     TrapKey(TrapFnc f, const void* a, bool s) : fnc(f), aux(a), safe(s) {}
  59     TrapFnc fnc;
  60     const void* aux;
  61     bool safe;
  62     bool operator<(const TrapKey&) const;
  63   };
  64   typedef std::map<TrapKey, uint16_t> TrapIds;
  65
  66   // Our constructor is private. A shared global instance is created
  67   // automatically as needed.
  68   Trap();
  69
  70   // The destructor is unimplemented. Don't ever attempt to destruct this
  71   // object. It'll break subsequent system calls that trigger a SIGSYS.
  72   ~Trap();
  73
  74   static void SigSysAction(int nr, siginfo_t* info, void* void_context);
  75
  76   // Make sure that SigSys is not inlined in order to get slightly better crash
  77   // dumps.
  78   void SigSys(int nr, siginfo_t* info, void* void_context)
  79       __attribute__((noinline));
  80   bool SandboxDebuggingAllowedByUser() const;
  81
  82   // We have a global singleton that handles all of our SIGSYS traps. This
  83   // variable must never be deallocated after it has been set up initially, as
  84   // there is no way to reset in-kernel BPF filters that generate SIGSYS
  85   // events.
  86   static Trap* global_trap_;
  87
  88   TrapIds trap_ids_;            // Maps from TrapKeys to numeric ids
  89   TrapKey* trap_array_;         // Array of TrapKeys indexed by ids
  90   size_t trap_array_size_;      // Currently used size of array
  91   size_t trap_array_capacity_;  // Currently allocated capacity of array
  92   bool has_unsafe_traps_;       // Whether unsafe traps have been enabled
  93
  94   // Copying and assigning is unimplemented. It doesn't make sense for a
  95   // singleton.
  96   DISALLOW_COPY_AND_ASSIGN(Trap);
  97 };
  98
  99 }  // namespace sandbox
 100
 101 #endif  // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__