search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Permission message rules: Each rule must have >= 1 required permissions
[chromium-blink-merge.git] / sandbox / linux / bpf_dsl / policy_compiler.cc
blobad9ccbab61170df5e54733e096297844b5d5e7fa
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
6
7 #include <errno.h>
8 #include <sys/syscall.h>
9
10 #include <limits>
11
12 #include "base/logging.h"
13 #include "base/macros.h"
14 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
15 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
16 #include "sandbox/linux/bpf_dsl/codegen.h"
17 #include "sandbox/linux/bpf_dsl/errorcode.h"
18 #include "sandbox/linux/bpf_dsl/policy.h"
19 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
20 #include "sandbox/linux/bpf_dsl/syscall_set.h"
21 #include "sandbox/linux/system_headers/linux_filter.h"
22 #include "sandbox/linux/system_headers/linux_seccomp.h"
23 #include "sandbox/linux/system_headers/linux_syscalls.h"
24
25 namespace sandbox {
26 namespace bpf_dsl {
27
28 namespace {
29
30 #if defined(__i386__) || defined(__x86_64__)
31 const bool kIsIntel = true;
32 #else
33 const bool kIsIntel = false;
34 #endif
35 #if defined(__x86_64__) && defined(__ILP32__)
36 const bool kIsX32 = true;
37 #else
38 const bool kIsX32 = false;
39 #endif
40
41 const int kSyscallsRequiredForUnsafeTraps[] = {
42 __NR_rt_sigprocmask,
43 __NR_rt_sigreturn,
44 #if defined(__NR_sigprocmask)
45 __NR_sigprocmask,
46 #endif
47 #if defined(__NR_sigreturn)
48 __NR_sigreturn,
49 #endif
50 };
51
52 bool HasExactlyOneBit(uint64_t x) {
53 // Common trick; e.g., see http://stackoverflow.com/a/108329.
54 return x != 0 && (x & (x - 1)) == 0;
55 }
56
57 ResultExpr DefaultPanic(const char* error) {
58 return Kill();
59 }
60
61 // A Trap() handler that returns an "errno" value. The value is encoded
62 // in the "aux" parameter.
63 intptr_t ReturnErrno(const struct arch_seccomp_data&, void* aux) {
64 // TrapFnc functions report error by following the native kernel convention
65 // of returning an exit code in the range of -1..-4096. They do not try to
66 // set errno themselves. The glibc wrapper that triggered the SIGSYS will
67 // ultimately do so for us.
68 int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
69 return -err;
70 }
71
72 bool HasUnsafeTraps(const Policy* policy) {
73 DCHECK(policy);
74 for (uint32_t sysnum : SyscallSet::ValidOnly()) {
75 if (policy->EvaluateSyscall(sysnum)->HasUnsafeTraps()) {
76 return true;
77 }
78 }
79 return policy->InvalidSyscall()->HasUnsafeTraps();
80 }
81
82 } // namespace
83
84 struct PolicyCompiler::Range {
85 uint32_t from;
86 CodeGen::Node node;
87 };
88
89 PolicyCompiler::PolicyCompiler(const Policy* policy, TrapRegistry* registry)
90 : policy_(policy),
91 registry_(registry),
92 escapepc_(0),
93 panic_func_(DefaultPanic),
94 conds_(),
95 gen_(),
96 has_unsafe_traps_(HasUnsafeTraps(policy_)) {
97 DCHECK(policy);
98 }
99
100 PolicyCompiler::~PolicyCompiler() {
101 }
102
103 scoped_ptr<CodeGen::Program> PolicyCompiler::Compile() {
104 CHECK(policy_->InvalidSyscall()->IsDeny())
105 << "Policies should deny invalid system calls";
106
107 // If our BPF program has unsafe traps, enable support for them.
108 if (has_unsafe_traps_) {
109 CHECK_NE(0U, escapepc_) << "UnsafeTrap() requires a valid escape PC";
110
111 for (int sysnum : kSyscallsRequiredForUnsafeTraps) {
112 CHECK(policy_->EvaluateSyscall(sysnum)->IsAllow())
113 << "Policies that use UnsafeTrap() must unconditionally allow all "
114 "required system calls";
115 }
116
117 CHECK(registry_->EnableUnsafeTraps())
118 << "We'd rather die than enable unsafe traps";
119 }
120
121 // Assemble the BPF filter program.
122 scoped_ptr<CodeGen::Program> program(new CodeGen::Program());
123 gen_.Compile(AssemblePolicy(), program.get());
124 return program.Pass();
125 }
126
127 void PolicyCompiler::DangerousSetEscapePC(uint64_t escapepc) {
128 escapepc_ = escapepc;
129 }
130
131 void PolicyCompiler::SetPanicFunc(PanicFunc panic_func) {
132 panic_func_ = panic_func;
133 }
134
135 CodeGen::Node PolicyCompiler::AssemblePolicy() {
136 // A compiled policy consists of three logical parts:
137 // 1. Check that the "arch" field matches the expected architecture.
138 // 2. If the policy involves unsafe traps, check if the syscall was
139 // invoked by Syscall::Call, and then allow it unconditionally.
140 // 3. Check the system call number and jump to the appropriate compiled
141 // system call policy number.
142 return CheckArch(MaybeAddEscapeHatch(DispatchSyscall()));
143 }
144
145 CodeGen::Node PolicyCompiler::CheckArch(CodeGen::Node passed) {
146 // If the architecture doesn't match SECCOMP_ARCH, disallow the
147 // system call.
148 return gen_.MakeInstruction(
149 BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARCH_IDX,
150 gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_ARCH, passed,
151 CompileResult(panic_func_(
152 "Invalid audit architecture in BPF filter"))));
153 }
154
155 CodeGen::Node PolicyCompiler::MaybeAddEscapeHatch(CodeGen::Node rest) {
156 // If no unsafe traps, then simply return |rest|.
157 if (!has_unsafe_traps_) {
158 return rest;
159 }
160
161 // We already enabled unsafe traps in Compile, but enable them again to give
162 // the trap registry a second chance to complain before we add the backdoor.
163 CHECK(registry_->EnableUnsafeTraps());
164
165 // Allow system calls, if they originate from our magic return address.
166 const uint32_t lopc = static_cast<uint32_t>(escapepc_);
167 const uint32_t hipc = static_cast<uint32_t>(escapepc_ >> 32);
168
169 // BPF cannot do native 64-bit comparisons, so we have to compare
170 // both 32-bit halves of the instruction pointer. If they match what
171 // we expect, we return ERR_ALLOWED. If either or both don't match,
172 // we continue evalutating the rest of the sandbox policy.
173 //
174 // For simplicity, we check the full 64-bit instruction pointer even
175 // on 32-bit architectures.
176 return gen_.MakeInstruction(
177 BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_LSB_IDX,
178 gen_.MakeInstruction(
179 BPF_JMP + BPF_JEQ + BPF_K, lopc,
180 gen_.MakeInstruction(
181 BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_MSB_IDX,
182 gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, hipc,
183 CompileResult(Allow()), rest)),
184 rest));
185 }
186
187 CodeGen::Node PolicyCompiler::DispatchSyscall() {
188 // Evaluate all possible system calls and group their ErrorCodes into
189 // ranges of identical codes.
190 Ranges ranges;
191 FindRanges(&ranges);
192
193 // Compile the system call ranges to an optimized BPF jumptable
194 CodeGen::Node jumptable = AssembleJumpTable(ranges.begin(), ranges.end());
195
196 // Grab the system call number, so that we can check it and then
197 // execute the jump table.
198 return gen_.MakeInstruction(
199 BPF_LD + BPF_W + BPF_ABS, SECCOMP_NR_IDX, CheckSyscallNumber(jumptable));
200 }
201
202 CodeGen::Node PolicyCompiler::CheckSyscallNumber(CodeGen::Node passed) {
203 if (kIsIntel) {
204 // On Intel architectures, verify that system call numbers are in the
205 // expected number range.
206 CodeGen::Node invalidX32 =
207 CompileResult(panic_func_("Illegal mixing of system call ABIs"));
208 if (kIsX32) {
209 // The newer x32 API always sets bit 30.
210 return gen_.MakeInstruction(
211 BPF_JMP + BPF_JSET + BPF_K, 0x40000000, passed, invalidX32);
212 } else {
213 // The older i386 and x86-64 APIs clear bit 30 on all system calls.
214 return gen_.MakeInstruction(
215 BPF_JMP + BPF_JSET + BPF_K, 0x40000000, invalidX32, passed);
216 }
217 }
218
219 // TODO(mdempsky): Similar validation for other architectures?
220 return passed;
221 }
222
223 void PolicyCompiler::FindRanges(Ranges* ranges) {
224 // Please note that "struct seccomp_data" defines system calls as a signed
225 // int32_t, but BPF instructions always operate on unsigned quantities. We
226 // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
227 // and then verifying that the rest of the number range (both positive and
228 // negative) all return the same ErrorCode.
229 const CodeGen::Node invalid_node = CompileResult(policy_->InvalidSyscall());
230 uint32_t old_sysnum = 0;
231 CodeGen::Node old_node =
232 SyscallSet::IsValid(old_sysnum)
233 ? CompileResult(policy_->EvaluateSyscall(old_sysnum))
234 : invalid_node;
235
236 for (uint32_t sysnum : SyscallSet::All()) {
237 CodeGen::Node node =
238 SyscallSet::IsValid(sysnum)
239 ? CompileResult(policy_->EvaluateSyscall(static_cast<int>(sysnum)))
240 : invalid_node;
241 // N.B., here we rely on CodeGen folding (i.e., returning the same
242 // node value for) identical code sequences, otherwise our jump
243 // table will blow up in size.
244 if (node != old_node) {
245 ranges->push_back(Range{old_sysnum, old_node});
246 old_sysnum = sysnum;
247 old_node = node;
248 }
249 }
250 ranges->push_back(Range{old_sysnum, old_node});
251 }
252
253 CodeGen::Node PolicyCompiler::AssembleJumpTable(Ranges::const_iterator start,
254 Ranges::const_iterator stop) {
255 // We convert the list of system call ranges into jump table that performs
256 // a binary search over the ranges.
257 // As a sanity check, we need to have at least one distinct ranges for us
258 // to be able to build a jump table.
259 CHECK(start < stop) << "Invalid iterator range";
260 const auto n = stop - start;
261 if (n == 1) {
262 // If we have narrowed things down to a single range object, we can
263 // return from the BPF filter program.
264 return start->node;
265 }
266
267 // Pick the range object that is located at the mid point of our list.
268 // We compare our system call number against the lowest valid system call
269 // number in this range object. If our number is lower, it is outside of
270 // this range object. If it is greater or equal, it might be inside.
271 Ranges::const_iterator mid = start + n / 2;
272
273 // Sub-divide the list of ranges and continue recursively.
274 CodeGen::Node jf = AssembleJumpTable(start, mid);
275 CodeGen::Node jt = AssembleJumpTable(mid, stop);
276 return gen_.MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
277 }
278
279 CodeGen::Node PolicyCompiler::CompileResult(const ResultExpr& res) {
280 return RetExpression(res->Compile(this));
281 }
282
283 CodeGen::Node PolicyCompiler::RetExpression(const ErrorCode& err) {
284 switch (err.error_type()) {
285 case ErrorCode::ET_COND:
286 return CondExpression(err);
287 case ErrorCode::ET_SIMPLE:
288 case ErrorCode::ET_TRAP:
289 return gen_.MakeInstruction(BPF_RET + BPF_K, err.err());
290 default:
291 LOG(FATAL)
292 << "ErrorCode is not suitable for returning from a BPF program";
293 return CodeGen::kNullNode;
294 }
295 }
296
297 CodeGen::Node PolicyCompiler::CondExpression(const ErrorCode& cond) {
298 // Sanity check that |cond| makes sense.
299 CHECK(cond.argno_ >= 0 && cond.argno_ < 6) << "Invalid argument number "
300 << cond.argno_;
301 CHECK(cond.width_ == ErrorCode::TP_32BIT ||
302 cond.width_ == ErrorCode::TP_64BIT)
303 << "Invalid argument width " << cond.width_;
304 CHECK_NE(0U, cond.mask_) << "Zero mask is invalid";
305 CHECK_EQ(cond.value_, cond.value_ & cond.mask_)
306 << "Value contains masked out bits";
307 if (sizeof(void*) == 4) {
308 CHECK_EQ(ErrorCode::TP_32BIT, cond.width_)
309 << "Invalid width on 32-bit platform";
310 }
311 if (cond.width_ == ErrorCode::TP_32BIT) {
312 CHECK_EQ(0U, cond.mask_ >> 32) << "Mask exceeds argument size";
313 CHECK_EQ(0U, cond.value_ >> 32) << "Value exceeds argument size";
314 }
315
316 CodeGen::Node passed = RetExpression(*cond.passed_);
317 CodeGen::Node failed = RetExpression(*cond.failed_);
318
319 // We want to emit code to check "(arg & mask) == value" where arg, mask, and
320 // value are 64-bit values, but the BPF machine is only 32-bit. We implement
321 // this by independently testing the upper and lower 32-bits and continuing to
322 // |passed| if both evaluate true, or to |failed| if either evaluate false.
323 return CondExpressionHalf(cond,
324 UpperHalf,
325 CondExpressionHalf(cond, LowerHalf, passed, failed),
326 failed);
327 }
328
329 CodeGen::Node PolicyCompiler::CondExpressionHalf(const ErrorCode& cond,
330 ArgHalf half,
331 CodeGen::Node passed,
332 CodeGen::Node failed) {
333 if (cond.width_ == ErrorCode::TP_32BIT && half == UpperHalf) {
334 // Special logic for sanity checking the upper 32-bits of 32-bit system
335 // call arguments.
336
337 // TODO(mdempsky): Compile Unexpected64bitArgument() just per program.
338 CodeGen::Node invalid_64bit = RetExpression(Unexpected64bitArgument());
339
340 const uint32_t upper = SECCOMP_ARG_MSB_IDX(cond.argno_);
341 const uint32_t lower = SECCOMP_ARG_LSB_IDX(cond.argno_);
342
343 if (sizeof(void*) == 4) {
344 // On 32-bit platforms, the upper 32-bits should always be 0:
345 // LDW [upper]
346 // JEQ 0, passed, invalid
347 return gen_.MakeInstruction(
348 BPF_LD + BPF_W + BPF_ABS,
349 upper,
350 gen_.MakeInstruction(
351 BPF_JMP + BPF_JEQ + BPF_K, 0, passed, invalid_64bit));
352 }
353
354 // On 64-bit platforms, the upper 32-bits may be 0 or ~0; but we only allow
355 // ~0 if the sign bit of the lower 32-bits is set too:
356 // LDW [upper]
357 // JEQ 0, passed, (next)
358 // JEQ ~0, (next), invalid
359 // LDW [lower]
360 // JSET (1<<31), passed, invalid
361 //
362 // TODO(mdempsky): The JSET instruction could perhaps jump to passed->next
363 // instead, as the first instruction of passed should be "LDW [lower]".
364 return gen_.MakeInstruction(
365 BPF_LD + BPF_W + BPF_ABS,
366 upper,
367 gen_.MakeInstruction(
368 BPF_JMP + BPF_JEQ + BPF_K,
369 0,
370 passed,
371 gen_.MakeInstruction(
372 BPF_JMP + BPF_JEQ + BPF_K,
373 std::numeric_limits<uint32_t>::max(),
374 gen_.MakeInstruction(
375 BPF_LD + BPF_W + BPF_ABS,
376 lower,
377 gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K,
378 1U << 31,
379 passed,
380 invalid_64bit)),
381 invalid_64bit)));
382 }
383
384 const uint32_t idx = (half == UpperHalf) ? SECCOMP_ARG_MSB_IDX(cond.argno_)
385 : SECCOMP_ARG_LSB_IDX(cond.argno_);
386 const uint32_t mask = (half == UpperHalf) ? cond.mask_ >> 32 : cond.mask_;
387 const uint32_t value = (half == UpperHalf) ? cond.value_ >> 32 : cond.value_;
388
389 // Emit a suitable instruction sequence for (arg & mask) == value.
390
391 // For (arg & 0) == 0, just return passed.
392 if (mask == 0) {
393 CHECK_EQ(0U, value);
394 return passed;
395 }
396
397 // For (arg & ~0) == value, emit:
398 // LDW [idx]
399 // JEQ value, passed, failed
400 if (mask == std::numeric_limits<uint32_t>::max()) {
401 return gen_.MakeInstruction(
402 BPF_LD + BPF_W + BPF_ABS,
403 idx,
404 gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed));
405 }
406
407 // For (arg & mask) == 0, emit:
408 // LDW [idx]
409 // JSET mask, failed, passed
410 // (Note: failed and passed are intentionally swapped.)
411 if (value == 0) {
412 return gen_.MakeInstruction(
413 BPF_LD + BPF_W + BPF_ABS,
414 idx,
415 gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K, mask, failed, passed));
416 }
417
418 // For (arg & x) == x where x is a single-bit value, emit:
419 // LDW [idx]
420 // JSET mask, passed, failed
421 if (mask == value && HasExactlyOneBit(mask)) {
422 return gen_.MakeInstruction(
423 BPF_LD + BPF_W + BPF_ABS,
424 idx,
425 gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K, mask, passed, failed));
426 }
427
428 // Generic fallback:
429 // LDW [idx]
430 // AND mask
431 // JEQ value, passed, failed
432 return gen_.MakeInstruction(
433 BPF_LD + BPF_W + BPF_ABS,
434 idx,
435 gen_.MakeInstruction(
436 BPF_ALU + BPF_AND + BPF_K,
437 mask,
438 gen_.MakeInstruction(
439 BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed)));
440 }
441
442 ErrorCode PolicyCompiler::Unexpected64bitArgument() {
443 return panic_func_("Unexpected 64bit argument detected")->Compile(this);
444 }
445
446 ErrorCode PolicyCompiler::Error(int err) {
447 if (has_unsafe_traps_) {
448 // When inside an UnsafeTrap() callback, we want to allow all system calls.
449 // This means, we must conditionally disable the sandbox -- and that's not
450 // something that kernel-side BPF filters can do, as they cannot inspect
451 // any state other than the syscall arguments.
452 // But if we redirect all error handlers to user-space, then we can easily
453 // make this decision.
454 // The performance penalty for this extra round-trip to user-space is not
455 // actually that bad, as we only ever pay it for denied system calls; and a
456 // typical program has very few of these.
457 return Trap(ReturnErrno, reinterpret_cast<void*>(err), true);
458 }
459
460 return ErrorCode(err);
461 }
462
463 ErrorCode PolicyCompiler::Trap(TrapRegistry::TrapFnc fnc,
464 const void* aux,
465 bool safe) {
466 uint16_t trap_id = registry_->Add(fnc, aux, safe);
467 return ErrorCode(trap_id, fnc, aux, safe);
468 }
469
470 bool PolicyCompiler::IsRequiredForUnsafeTrap(int sysno) {
471 for (size_t i = 0; i < arraysize(kSyscallsRequiredForUnsafeTraps); ++i) {
472 if (sysno == kSyscallsRequiredForUnsafeTraps[i]) {
473 return true;
474 }
475 }
476 return false;
477 }
478
479 ErrorCode PolicyCompiler::CondMaskedEqual(int argno,
480 ErrorCode::ArgType width,
481 uint64_t mask,
482 uint64_t value,
483 const ErrorCode& passed,
484 const ErrorCode& failed) {
485 return ErrorCode(argno,
486 width,
487 mask,
488 value,
489 &*conds_.insert(passed).first,
490 &*conds_.insert(failed).first);
491 }
492
493 } // namespace bpf_dsl
494 } // namespace sandbox