Updating trunk VERSION from 2139.0 to 2140.0
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf / trap.h
blobadc6d7f5e22f4e1cad6b0aecee6aa11e80012fa3
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
6 #define SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
8 #include <signal.h>
9 #include <stdint.h>
11 #include <map>
12 #include <vector>
14 #include "base/basictypes.h"
15 #include "sandbox/sandbox_export.h"
17 namespace sandbox {
19 class ErrorCode;
21 // The Trap class allows a BPF filter program to branch out to user space by
22 // raising a SIGSYS signal.
23 // N.B.: This class does not perform any synchronization operations. If
24 // modifications are made to any of the traps, it is the caller's
25 // responsibility to ensure that this happens in a thread-safe fashion.
26 // Preferably, that means that no other threads should be running at that
27 // time. For the purposes of our sandbox, this assertion should always be
28 // true. Threads are incompatible with the seccomp sandbox anyway.
29 class SANDBOX_EXPORT Trap {
30 public:
31 // TrapFnc is a pointer to a function that handles Seccomp traps in
32 // user-space. The seccomp policy can request that a trap handler gets
33 // installed; it does so by returning a suitable ErrorCode() from the
34 // syscallEvaluator. See the ErrorCode() constructor for how to pass in
35 // the function pointer.
36 // Please note that TrapFnc is executed from signal context and must be
37 // async-signal safe:
38 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
39 // Also note that it follows the calling convention of native system calls.
40 // In other words, it reports an error by returning an exit code in the
41 // range -1..-4096. It should not set errno when reporting errors; on the
42 // other hand, accidentally modifying errno is harmless and the changes will
43 // be undone afterwards.
44 typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void* aux);
46 // Registers a new trap handler and sets up the appropriate SIGSYS handler
47 // as needed.
48 // N.B.: This makes a permanent state change. Traps cannot be unregistered,
49 // as that would break existing BPF filters that are still active.
50 static ErrorCode MakeTrap(TrapFnc fnc, const void* aux, bool safe);
52 // Enables support for unsafe traps in the SIGSYS signal handler. This is a
53 // one-way fuse. It works in conjunction with the BPF compiler emitting code
54 // that unconditionally allows system calls, if they have a magic return
55 // address (i.e. SandboxSyscall(-1)).
56 // Once unsafe traps are enabled, the sandbox is essentially compromised.
57 // But this is still a very useful feature for debugging purposes. Use with
58 // care. This feature is availably only if enabled by the user (see above).
59 // Returns "true", if unsafe traps were turned on.
60 static bool EnableUnsafeTrapsInSigSysHandler();
62 // Returns the ErrorCode associate with a particular trap id.
63 static ErrorCode ErrorCodeFromTrapId(uint16_t id);
65 private:
66 struct TrapKey {
67 TrapKey(TrapFnc f, const void* a, bool s) : fnc(f), aux(a), safe(s) {}
68 TrapFnc fnc;
69 const void* aux;
70 bool safe;
71 bool operator<(const TrapKey&) const;
73 typedef std::map<TrapKey, uint16_t> TrapIds;
75 // Our constructor is private. A shared global instance is created
76 // automatically as needed.
77 Trap();
79 // The destructor is unimplemented. Don't ever attempt to destruct this
80 // object. It'll break subsequent system calls that trigger a SIGSYS.
81 ~Trap();
83 // We only have a very small number of methods. We opt to make them static
84 // and have them internally call GetInstance(). This is a little more
85 // convenient than having each caller obtain short-lived reference to the
86 // singleton.
87 // It also gracefully deals with methods that should check for the singleton,
88 // but avoid instantiating it, if it doesn't exist yet
89 // (e.g. ErrorCodeFromTrapId()).
90 static Trap* GetInstance();
91 static void SigSysAction(int nr, siginfo_t* info, void* void_context);
93 // Make sure that SigSys is not inlined in order to get slightly better crash
94 // dumps.
95 void SigSys(int nr, siginfo_t* info, void* void_context)
96 __attribute__((noinline));
97 ErrorCode MakeTrapImpl(TrapFnc fnc, const void* aux, bool safe);
98 bool SandboxDebuggingAllowedByUser() const;
100 // We have a global singleton that handles all of our SIGSYS traps. This
101 // variable must never be deallocated after it has been set up initially, as
102 // there is no way to reset in-kernel BPF filters that generate SIGSYS
103 // events.
104 static Trap* global_trap_;
106 TrapIds trap_ids_; // Maps from TrapKeys to numeric ids
107 ErrorCode* trap_array_; // Array of ErrorCodes indexed by ids
108 size_t trap_array_size_; // Currently used size of array
109 size_t trap_array_capacity_; // Currently allocated capacity of array
110 bool has_unsafe_traps_; // Whether unsafe traps have been enabled
112 // Copying and assigning is unimplemented. It doesn't make sense for a
113 // singleton.
114 DISALLOW_COPY_AND_ASSIGN(Trap);
117 } // namespace sandbox
119 #endif // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__