Permission message rules: Each rule must have >= 1 required permissions
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf / syscall.cc
blobbc6461f11773b245919596162eb4230162be56a4
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sandbox/linux/seccomp-bpf/syscall.h"
7 #include <errno.h>
8 #include <stdint.h>
10 #include "base/logging.h"
11 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
13 namespace sandbox {
15 namespace {
17 #if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
18 defined(ARCH_CPU_MIPS_FAMILY)
19 // Number that's not currently used by any Linux kernel ABIs.
20 const int kInvalidSyscallNumber = 0x351d3;
21 #else
22 #error Unrecognized architecture
23 #endif
25 asm(// We need to be able to tell the kernel exactly where we made a
26 // system call. The C++ compiler likes to sometimes clone or
27 // inline code, which would inadvertently end up duplicating
28 // the entry point.
29 // "gcc" can suppress code duplication with suitable function
30 // attributes, but "clang" doesn't have this ability.
31 // The "clang" developer mailing list suggested that the correct
32 // and portable solution is a file-scope assembly block.
33 // N.B. We do mark our code as a proper function so that backtraces
34 // work correctly. But we make absolutely no attempt to use the
35 // ABI's calling conventions for passing arguments. We will only
36 // ever be called from assembly code and thus can pick more
37 // suitable calling conventions.
38 #if defined(__i386__)
39 ".text\n"
40 ".align 16, 0x90\n"
41 ".type SyscallAsm, @function\n"
42 "SyscallAsm:.cfi_startproc\n"
43 // Check if "%eax" is negative. If so, do not attempt to make a
44 // system call. Instead, compute the return address that is visible
45 // to the kernel after we execute "int $0x80". This address can be
46 // used as a marker that BPF code inspects.
47 "test %eax, %eax\n"
48 "jge 1f\n"
49 // Always, make sure that our code is position-independent, or
50 // address space randomization might not work on i386. This means,
51 // we can't use "lea", but instead have to rely on "call/pop".
52 "call 0f; .cfi_adjust_cfa_offset 4\n"
53 "0:pop %eax; .cfi_adjust_cfa_offset -4\n"
54 "addl $2f-0b, %eax\n"
55 "ret\n"
56 // Save register that we don't want to clobber. On i386, we need to
57 // save relatively aggressively, as there are a couple or registers
58 // that are used internally (e.g. %ebx for position-independent
59 // code, and %ebp for the frame pointer), and as we need to keep at
60 // least a few registers available for the register allocator.
61 "1:push %esi; .cfi_adjust_cfa_offset 4; .cfi_rel_offset esi, 0\n"
62 "push %edi; .cfi_adjust_cfa_offset 4; .cfi_rel_offset edi, 0\n"
63 "push %ebx; .cfi_adjust_cfa_offset 4; .cfi_rel_offset ebx, 0\n"
64 "push %ebp; .cfi_adjust_cfa_offset 4; .cfi_rel_offset ebp, 0\n"
65 // Copy entries from the array holding the arguments into the
66 // correct CPU registers.
67 "movl 0(%edi), %ebx\n"
68 "movl 4(%edi), %ecx\n"
69 "movl 8(%edi), %edx\n"
70 "movl 12(%edi), %esi\n"
71 "movl 20(%edi), %ebp\n"
72 "movl 16(%edi), %edi\n"
73 // Enter the kernel.
74 "int $0x80\n"
75 // This is our "magic" return address that the BPF filter sees.
76 "2:"
77 // Restore any clobbered registers that we didn't declare to the
78 // compiler.
79 "pop %ebp; .cfi_restore ebp; .cfi_adjust_cfa_offset -4\n"
80 "pop %ebx; .cfi_restore ebx; .cfi_adjust_cfa_offset -4\n"
81 "pop %edi; .cfi_restore edi; .cfi_adjust_cfa_offset -4\n"
82 "pop %esi; .cfi_restore esi; .cfi_adjust_cfa_offset -4\n"
83 "ret\n"
84 ".cfi_endproc\n"
85 "9:.size SyscallAsm, 9b-SyscallAsm\n"
86 #elif defined(__x86_64__)
87 ".text\n"
88 ".align 16, 0x90\n"
89 ".type SyscallAsm, @function\n"
90 "SyscallAsm:.cfi_startproc\n"
91 // Check if "%rdi" is negative. If so, do not attempt to make a
92 // system call. Instead, compute the return address that is visible
93 // to the kernel after we execute "syscall". This address can be
94 // used as a marker that BPF code inspects.
95 "test %rdi, %rdi\n"
96 "jge 1f\n"
97 // Always make sure that our code is position-independent, or the
98 // linker will throw a hissy fit on x86-64.
99 "lea 2f(%rip), %rax\n"
100 "ret\n"
101 // Now we load the registers used to pass arguments to the system
102 // call: system call number in %rax, and arguments in %rdi, %rsi,
103 // %rdx, %r10, %r8, %r9. Note: These are all caller-save registers
104 // (only %rbx, %rbp, %rsp, and %r12-%r15 are callee-save), so no
105 // need to worry here about spilling registers or CFI directives.
106 "1:movq %rdi, %rax\n"
107 "movq 0(%rsi), %rdi\n"
108 "movq 16(%rsi), %rdx\n"
109 "movq 24(%rsi), %r10\n"
110 "movq 32(%rsi), %r8\n"
111 "movq 40(%rsi), %r9\n"
112 "movq 8(%rsi), %rsi\n"
113 // Enter the kernel.
114 "syscall\n"
115 // This is our "magic" return address that the BPF filter sees.
116 "2:ret\n"
117 ".cfi_endproc\n"
118 "9:.size SyscallAsm, 9b-SyscallAsm\n"
119 #elif defined(__arm__)
120 // Throughout this file, we use the same mode (ARM vs. thumb)
121 // that the C++ compiler uses. This means, when transfering control
122 // from C++ to assembly code, we do not need to switch modes (e.g.
123 // by using the "bx" instruction). It also means that our assembly
124 // code should not be invoked directly from code that lives in
125 // other compilation units, as we don't bother implementing thumb
126 // interworking. That's OK, as we don't make any of the assembly
127 // symbols public. They are all local to this file.
128 ".text\n"
129 ".align 2\n"
130 ".type SyscallAsm, %function\n"
131 #if defined(__thumb__)
132 ".thumb_func\n"
133 #else
134 ".arm\n"
135 #endif
136 "SyscallAsm:\n"
137 #if !defined(__native_client_nonsfi__)
138 // .fnstart and .fnend pseudo operations creates unwind table.
139 // It also creates a reference to the symbol __aeabi_unwind_cpp_pr0, which
140 // is not provided by PNaCl toolchain. Disable it.
141 ".fnstart\n"
142 #endif
143 "@ args = 0, pretend = 0, frame = 8\n"
144 "@ frame_needed = 1, uses_anonymous_args = 0\n"
145 #if defined(__thumb__)
146 ".cfi_startproc\n"
147 "push {r7, lr}\n"
148 ".save {r7, lr}\n"
149 ".cfi_offset 14, -4\n"
150 ".cfi_offset 7, -8\n"
151 ".cfi_def_cfa_offset 8\n"
152 #else
153 "stmfd sp!, {fp, lr}\n"
154 "add fp, sp, #4\n"
155 #endif
156 // Check if "r0" is negative. If so, do not attempt to make a
157 // system call. Instead, compute the return address that is visible
158 // to the kernel after we execute "swi 0". This address can be
159 // used as a marker that BPF code inspects.
160 "cmp r0, #0\n"
161 "bge 1f\n"
162 "adr r0, 2f\n"
163 "b 2f\n"
164 // We declared (almost) all clobbered registers to the compiler. On
165 // ARM there is no particular register pressure. So, we can go
166 // ahead and directly copy the entries from the arguments array
167 // into the appropriate CPU registers.
168 "1:ldr r5, [r6, #20]\n"
169 "ldr r4, [r6, #16]\n"
170 "ldr r3, [r6, #12]\n"
171 "ldr r2, [r6, #8]\n"
172 "ldr r1, [r6, #4]\n"
173 "mov r7, r0\n"
174 "ldr r0, [r6, #0]\n"
175 // Enter the kernel
176 "swi 0\n"
177 // Restore the frame pointer. Also restore the program counter from
178 // the link register; this makes us return to the caller.
179 #if defined(__thumb__)
180 "2:pop {r7, pc}\n"
181 ".cfi_endproc\n"
182 #else
183 "2:ldmfd sp!, {fp, pc}\n"
184 #endif
185 #if !defined(__native_client_nonsfi__)
186 // Do not use .fnstart and .fnend for PNaCl toolchain. See above comment,
187 // for more details.
188 ".fnend\n"
189 #endif
190 "9:.size SyscallAsm, 9b-SyscallAsm\n"
191 #elif defined(__mips__)
192 ".text\n"
193 ".align 4\n"
194 ".type SyscallAsm, @function\n"
195 "SyscallAsm:.ent SyscallAsm\n"
196 ".frame $sp, 40, $ra\n"
197 ".set push\n"
198 ".set noreorder\n"
199 "addiu $sp, $sp, -40\n"
200 "sw $ra, 36($sp)\n"
201 // Check if "v0" is negative. If so, do not attempt to make a
202 // system call. Instead, compute the return address that is visible
203 // to the kernel after we execute "syscall". This address can be
204 // used as a marker that BPF code inspects.
205 "bgez $v0, 1f\n"
206 " nop\n"
207 "la $v0, 2f\n"
208 "b 2f\n"
209 " nop\n"
210 // On MIPS first four arguments go to registers a0 - a3 and any
211 // argument after that goes to stack. We can go ahead and directly
212 // copy the entries from the arguments array into the appropriate
213 // CPU registers and on the stack.
214 "1:lw $a3, 28($a0)\n"
215 "lw $a2, 24($a0)\n"
216 "lw $a1, 20($a0)\n"
217 "lw $t0, 16($a0)\n"
218 "sw $a3, 28($sp)\n"
219 "sw $a2, 24($sp)\n"
220 "sw $a1, 20($sp)\n"
221 "sw $t0, 16($sp)\n"
222 "lw $a3, 12($a0)\n"
223 "lw $a2, 8($a0)\n"
224 "lw $a1, 4($a0)\n"
225 "lw $a0, 0($a0)\n"
226 // Enter the kernel
227 "syscall\n"
228 // This is our "magic" return address that the BPF filter sees.
229 // Restore the return address from the stack.
230 "2:lw $ra, 36($sp)\n"
231 "jr $ra\n"
232 " addiu $sp, $sp, 40\n"
233 ".set pop\n"
234 ".end SyscallAsm\n"
235 ".size SyscallAsm,.-SyscallAsm\n"
236 #elif defined(__aarch64__)
237 ".text\n"
238 ".align 2\n"
239 ".type SyscallAsm, %function\n"
240 "SyscallAsm:\n"
241 ".cfi_startproc\n"
242 "cmp x0, #0\n"
243 "b.ge 1f\n"
244 "adr x0,2f\n"
245 "b 2f\n"
246 "1:ldr x5, [x6, #40]\n"
247 "ldr x4, [x6, #32]\n"
248 "ldr x3, [x6, #24]\n"
249 "ldr x2, [x6, #16]\n"
250 "ldr x1, [x6, #8]\n"
251 "mov x8, x0\n"
252 "ldr x0, [x6, #0]\n"
253 // Enter the kernel
254 "svc 0\n"
255 "2:ret\n"
256 ".cfi_endproc\n"
257 ".size SyscallAsm, .-SyscallAsm\n"
258 #endif
259 ); // asm
261 #if defined(__x86_64__)
262 extern "C" {
263 intptr_t SyscallAsm(intptr_t nr, const intptr_t args[6]);
265 #endif
267 } // namespace
269 intptr_t Syscall::InvalidCall() {
270 // Explicitly pass eight zero arguments just in case.
271 return Call(kInvalidSyscallNumber, 0, 0, 0, 0, 0, 0, 0, 0);
274 intptr_t Syscall::Call(int nr,
275 intptr_t p0,
276 intptr_t p1,
277 intptr_t p2,
278 intptr_t p3,
279 intptr_t p4,
280 intptr_t p5,
281 intptr_t p6,
282 intptr_t p7) {
283 // We rely on "intptr_t" to be the exact size as a "void *". This is
284 // typically true, but just in case, we add a check. The language
285 // specification allows platforms some leeway in cases, where
286 // "sizeof(void *)" is not the same as "sizeof(void (*)())". We expect
287 // that this would only be an issue for IA64, which we are currently not
288 // planning on supporting. And it is even possible that this would work
289 // on IA64, but for lack of actual hardware, I cannot test.
290 static_assert(sizeof(void*) == sizeof(intptr_t),
291 "pointer types and intptr_t must be exactly the same size");
293 // TODO(nedeljko): Enable use of more than six parameters on architectures
294 // where that makes sense.
295 #if defined(__mips__)
296 const intptr_t args[8] = {p0, p1, p2, p3, p4, p5, p6, p7};
297 #else
298 DCHECK_EQ(p6, 0) << " Support for syscalls with more than six arguments not "
299 "added for this architecture";
300 DCHECK_EQ(p7, 0) << " Support for syscalls with more than six arguments not "
301 "added for this architecture";
302 const intptr_t args[6] = {p0, p1, p2, p3, p4, p5};
303 #endif // defined(__mips__)
305 // Invoke our file-scope assembly code. The constraints have been picked
306 // carefully to match what the rest of the assembly code expects in input,
307 // output, and clobbered registers.
308 #if defined(__i386__)
309 intptr_t ret = nr;
310 asm volatile(
311 "call SyscallAsm\n"
312 // N.B. These are not the calling conventions normally used by the ABI.
313 : "=a"(ret)
314 : "0"(ret), "D"(args)
315 : "cc", "esp", "memory", "ecx", "edx");
316 #elif defined(__x86_64__)
317 intptr_t ret = SyscallAsm(nr, args);
318 #elif defined(__arm__)
319 intptr_t ret;
321 register intptr_t inout __asm__("r0") = nr;
322 register const intptr_t* data __asm__("r6") = args;
323 asm volatile(
324 "bl SyscallAsm\n"
325 // N.B. These are not the calling conventions normally used by the ABI.
326 : "=r"(inout)
327 : "0"(inout), "r"(data)
328 : "cc",
329 "lr",
330 "memory",
331 "r1",
332 "r2",
333 "r3",
334 "r4",
335 "r5"
336 #if !defined(__thumb__)
337 // In thumb mode, we cannot use "r7" as a general purpose register, as
338 // it is our frame pointer. We have to manually manage and preserve
339 // it.
340 // In ARM mode, we have a dedicated frame pointer register and "r7" is
341 // thus available as a general purpose register. We don't preserve it,
342 // but instead mark it as clobbered.
344 "r7"
345 #endif // !defined(__thumb__)
347 ret = inout;
349 #elif defined(__mips__)
350 int err_status;
351 intptr_t ret = Syscall::SandboxSyscallRaw(nr, args, &err_status);
353 if (err_status) {
354 // On error, MIPS returns errno from syscall instead of -errno.
355 // The purpose of this negation is for SandboxSyscall() to behave
356 // more like it would on other architectures.
357 ret = -ret;
359 #elif defined(__aarch64__)
360 intptr_t ret;
362 register intptr_t inout __asm__("x0") = nr;
363 register const intptr_t* data __asm__("x6") = args;
364 asm volatile("bl SyscallAsm\n"
365 : "=r"(inout)
366 : "0"(inout), "r"(data)
367 : "memory", "x1", "x2", "x3", "x4", "x5", "x8", "x30");
368 ret = inout;
371 #else
372 #error "Unimplemented architecture"
373 #endif
374 return ret;
377 void Syscall::PutValueInUcontext(intptr_t ret_val, ucontext_t* ctx) {
378 #if defined(__mips__)
379 // Mips ABI states that on error a3 CPU register has non zero value and if
380 // there is no error, it should be zero.
381 if (ret_val <= -1 && ret_val >= -4095) {
382 // |ret_val| followes the Syscall::Call() convention of being -errno on
383 // errors. In order to write correct value to return register this sign
384 // needs to be changed back.
385 ret_val = -ret_val;
386 SECCOMP_PARM4(ctx) = 1;
387 } else
388 SECCOMP_PARM4(ctx) = 0;
389 #endif
390 SECCOMP_RESULT(ctx) = static_cast<greg_t>(ret_val);
393 #if defined(__mips__)
394 intptr_t Syscall::SandboxSyscallRaw(int nr,
395 const intptr_t* args,
396 intptr_t* err_ret) {
397 register intptr_t ret __asm__("v0") = nr;
398 // a3 register becomes non zero on error.
399 register intptr_t err_stat __asm__("a3") = 0;
401 register const intptr_t* data __asm__("a0") = args;
402 asm volatile(
403 "la $t9, SyscallAsm\n"
404 "jalr $t9\n"
405 " nop\n"
406 : "=r"(ret), "=r"(err_stat)
407 : "0"(ret),
408 "r"(data)
409 // a2 is in the clober list so inline assembly can not change its
410 // value.
411 : "memory", "ra", "t9", "a2");
414 // Set an error status so it can be used outside of this function
415 *err_ret = err_stat;
417 return ret;
419 #endif // defined(__mips__)
421 } // namespace sandbox