sandbox/linux/bpf_dsl/errorcode.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__
   6 #define SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__
   7
   8 #include "sandbox/linux/bpf_dsl/trap_registry.h"
   9 #include "sandbox/sandbox_export.h"
  10
  11 namespace sandbox {
  12 namespace bpf_dsl {
  13
  14 // This class holds all the possible values that can be returned by a sandbox
  15 // policy.
  16 // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an
  17 // errno value (in the range 0..4095), a pointer to a TrapFnc callback
  18 // handling a SECCOMP_RET_TRAP trap, or a complex constraint.
  19 // All of the commonly used values are stored in the "err_" field. So, code
  20 // that is using the ErrorCode class typically operates on a single 32bit
  21 // field.
  22 //
  23 // TODO(mdempsky): Nuke from orbit. The only reason this class still
  24 // exists is for Verifier, which will eventually be replaced by a true
  25 // BPF symbolic evaluator and constraint solver.
  26 class SANDBOX_EXPORT ErrorCode {
  27  public:
  28   enum {
  29     // Allow this system call. The value of ERR_ALLOWED is pretty much
  30     // completely arbitrary. But we want to pick it so that is is unlikely
  31     // to be passed in accidentally, when the user intended to return an
  32     // "errno" (see below) value instead.
  33     ERR_ALLOWED = 0x04000000,
  34
  35     // If the progress is being ptraced with PTRACE_O_TRACESECCOMP, then the
  36     // tracer will be notified of a PTRACE_EVENT_SECCOMP and allowed to change
  37     // or skip the system call.  The lower 16 bits of err will be available to
  38     // the tracer via PTRACE_GETEVENTMSG.
  39     ERR_TRACE = 0x08000000,
  40
  41     // Kill the process immediately.
  42     ERR_KILL = 0x10000000,
  43
  44     // Deny the system call with a particular "errno" value.
  45     // N.B.: It is also possible to return "0" here. That would normally
  46     //       indicate success, but it won't actually run the system call.
  47     //       This is very different from return ERR_ALLOWED.
  48     ERR_MIN_ERRNO = 0,
  49 #if defined(__mips__)
  50     // MIPS only supports errno up to 1133
  51     ERR_MAX_ERRNO = 1133,
  52 #else
  53     // TODO(markus): Android only supports errno up to 255
  54     // (crbug.com/181647).
  55     ERR_MAX_ERRNO = 4095,
  56 #endif
  57   };
  58
  59   // While BPF filter programs always operate on 32bit quantities, the kernel
  60   // always sees system call arguments as 64bit values. This statement is true
  61   // no matter whether the host system is natively operating in 32bit or 64bit.
  62   // The BPF compiler hides the fact that BPF instructions cannot directly
  63   // access 64bit quantities. But policies are still advised to specify whether
  64   // a system call expects a 32bit or a 64bit quantity.
  65   enum ArgType {
  66     // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that
  67     // the conditional test should operate on the 32bit part of the system call
  68     // argument.
  69     // On 64bit architectures, this verifies that user space did not pass
  70     // a 64bit value as an argument to the system call. If it did, that will be
  71     // interpreted as an attempt at breaking the sandbox and results in the
  72     // program getting terminated.
  73     // In other words, only perform a 32bit test, if you are sure this
  74     // particular system call would never legitimately take a 64bit
  75     // argument.
  76     // Implementation detail: TP_32BIT does two things. 1) it restricts the
  77     // conditional test to operating on the LSB only, and 2) it adds code to
  78     // the BPF filter program verifying that the MSB  the kernel received from
  79     // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit
  80     // 31 was set in the system call argument. It deals with 32bit arguments
  81     // having been sign extended.
  82     TP_32BIT,
  83
  84     // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that
  85     // the conditional test should operate on the full 64bit argument. It is
  86     // generally harmless to perform a 64bit test on 32bit systems, as the
  87     // kernel will always see the top 32 bits of all arguments as zero'd out.
  88     // This approach has the desirable property that for tests of pointer
  89     // values, we can always use TP_64BIT no matter the host architecture.
  90     // But of course, that also means, it is possible to write conditional
  91     // policies that turn into no-ops on 32bit systems; this is by design.
  92     TP_64BIT,
  93   };
  94
  95   // Deprecated.
  96   enum Operation {
  97     // Test whether the system call argument is equal to the operand.
  98     OP_EQUAL,
  99
 100     // Tests a system call argument against a bit mask.
 101     // The "ALL_BITS" variant performs this test: "arg & mask == mask"
 102     // This implies that a mask of zero always results in a passing test.
 103     // The "ANY_BITS" variant performs this test: "arg & mask != 0"
 104     // This implies that a mask of zero always results in a failing test.
 105     OP_HAS_ALL_BITS,
 106     OP_HAS_ANY_BITS,
 107   };
 108
 109   enum ErrorType {
 110     ET_INVALID,
 111     ET_SIMPLE,
 112     ET_TRAP,
 113     ET_COND,
 114   };
 115
 116   // We allow the default constructor, as it makes the ErrorCode class
 117   // much easier to use. But if we ever encounter an invalid ErrorCode
 118   // when compiling a BPF filter, we deliberately generate an invalid
 119   // program that will get flagged both by our Verifier class and by
 120   // the Linux kernel.
 121   ErrorCode();
 122   explicit ErrorCode(int err);
 123
 124   // For all practical purposes, ErrorCodes are treated as if they were
 125   // structs. The copy constructor and assignment operator are trivial and
 126   // we do not need to explicitly specify them.
 127   // Most notably, it is in fact perfectly OK to directly copy the passed_ and
 128   // failed_ field. They only ever get set by our private constructor, and the
 129   // callers handle life-cycle management for these objects.
 130
 131   // Destructor
 132   ~ErrorCode() {}
 133
 134   bool Equals(const ErrorCode& err) const;
 135   bool LessThan(const ErrorCode& err) const;
 136
 137   uint32_t err() const { return err_; }
 138   ErrorType error_type() const { return error_type_; }
 139
 140   bool safe() const { return safe_; }
 141
 142   uint64_t mask() const { return mask_; }
 143   uint64_t value() const { return value_; }
 144   int argno() const { return argno_; }
 145   ArgType width() const { return width_; }
 146   const ErrorCode* passed() const { return passed_; }
 147   const ErrorCode* failed() const { return failed_; }
 148
 149   struct LessThan {
 150     bool operator()(const ErrorCode& a, const ErrorCode& b) const {
 151       return a.LessThan(b);
 152     }
 153   };
 154
 155  private:
 156   friend class PolicyCompiler;
 157
 158   // If we are wrapping a callback, we must assign a unique id. This id is
 159   // how the kernel tells us which one of our different SECCOMP_RET_TRAP
 160   // cases has been triggered.
 161   ErrorCode(uint16_t trap_id,
 162             TrapRegistry::TrapFnc fnc,
 163             const void* aux,
 164             bool safe);
 165
 166   // Some system calls require inspection of arguments. This constructor
 167   // allows us to specify additional constraints.
 168   ErrorCode(int argno,
 169             ArgType width,
 170             uint64_t mask,
 171             uint64_t value,
 172             const ErrorCode* passed,
 173             const ErrorCode* failed);
 174
 175   ErrorType error_type_;
 176
 177   union {
 178     // Fields needed for SECCOMP_RET_TRAP callbacks
 179     struct {
 180       TrapRegistry::TrapFnc fnc_;  // Callback function and arg, if trap was
 181       void* aux_;                  //   triggered by the kernel's BPF filter.
 182       bool safe_;                  // Keep sandbox active while calling fnc_()
 183     };
 184
 185     // Fields needed when inspecting additional arguments.
 186     struct {
 187       uint64_t mask_;            // Mask that we are comparing under.
 188       uint64_t value_;           // Value that we are comparing with.
 189       int argno_;                // Syscall arg number that we are inspecting.
 190       ArgType width_;            // Whether we are looking at a 32/64bit value.
 191       const ErrorCode* passed_;  // Value to be returned if comparison passed,
 192       const ErrorCode* failed_;  //   or if it failed.
 193     };
 194   };
 195
 196   // 32bit field used for all possible types of ErrorCode values. This is
 197   // the value that uniquely identifies any ErrorCode and it (typically) can
 198   // be emitted directly into a BPF filter program.
 199   uint32_t err_;
 200 };
 201
 202 }  // namespace bpf_dsl
 203 }  // namespace sandbox
 204
 205 #endif  // SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__