sandbox/linux/bpf_dsl/seccomp_macros.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_
   6 #define SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_
   7
   8 #include <sys/cdefs.h>
   9 // Old Bionic versions do not have sys/user.h.  The if can be removed once we no
  10 // longer need to support these old Bionic versions.
  11 // All x86_64 builds use a new enough bionic to have sys/user.h.
  12 #if !defined(__BIONIC__) || defined(__x86_64__)
  13 #include <sys/types.h>  // Fix for gcc 4.7, make sure __uint16_t is defined.
  14 #include <sys/user.h>
  15 #if defined(__mips__)
  16 // sys/user.h in eglibc misses size_t definition
  17 #include <stddef.h>
  18 #endif
  19 #endif
  20
  21 #include "sandbox/linux/system_headers/linux_seccomp.h"  // For AUDIT_ARCH_*
  22
  23 // Impose some reasonable maximum BPF program size. Realistically, the
  24 // kernel probably has much lower limits. But by limiting to less than
  25 // 30 bits, we can ease requirements on some of our data types.
  26 #define SECCOMP_MAX_PROGRAM_SIZE (1<<30)
  27
  28 #if defined(__i386__)
  29 #define SECCOMP_ARCH        AUDIT_ARCH_I386
  30
  31 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
  32 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, REG_EAX)
  33 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, REG_EAX)
  34 #define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, REG_EIP)
  35 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, REG_EBX)
  36 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, REG_ECX)
  37 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, REG_EDX)
  38 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, REG_ESI)
  39 #define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, REG_EDI)
  40 #define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, REG_EBP)
  41 #define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
  42 #define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
  43 #define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
  44                                           instruction_pointer) + 4)
  45 #define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
  46                                           instruction_pointer) + 0)
  47 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
  48                                  8*(nr) + 4)
  49 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
  50                                  8*(nr) + 0)
  51
  52
  53 #if defined(__BIONIC__)
  54 // Old Bionic versions don't have sys/user.h, so we just define regs_struct
  55 // directly.  This can be removed once we no longer need to support these old
  56 // Bionic versions.
  57 struct regs_struct {
  58   long int ebx;
  59   long int ecx;
  60   long int edx;
  61   long int esi;
  62   long int edi;
  63   long int ebp;
  64   long int eax;
  65   long int xds;
  66   long int xes;
  67   long int xfs;
  68   long int xgs;
  69   long int orig_eax;
  70   long int eip;
  71   long int xcs;
  72   long int eflags;
  73   long int esp;
  74   long int xss;
  75 };
  76 #else
  77 typedef user_regs_struct regs_struct;
  78 #endif
  79
  80 #define SECCOMP_PT_RESULT(_regs)  (_regs).eax
  81 #define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_eax
  82 #define SECCOMP_PT_IP(_regs)      (_regs).eip
  83 #define SECCOMP_PT_PARM1(_regs)   (_regs).ebx
  84 #define SECCOMP_PT_PARM2(_regs)   (_regs).ecx
  85 #define SECCOMP_PT_PARM3(_regs)   (_regs).edx
  86 #define SECCOMP_PT_PARM4(_regs)   (_regs).esi
  87 #define SECCOMP_PT_PARM5(_regs)   (_regs).edi
  88 #define SECCOMP_PT_PARM6(_regs)   (_regs).ebp
  89
  90 #elif defined(__x86_64__)
  91 #define SECCOMP_ARCH        AUDIT_ARCH_X86_64
  92
  93 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
  94 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, REG_RAX)
  95 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, REG_RAX)
  96 #define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, REG_RIP)
  97 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, REG_RDI)
  98 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, REG_RSI)
  99 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, REG_RDX)
 100 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, REG_R10)
 101 #define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, REG_R8)
 102 #define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, REG_R9)
 103 #define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
 104 #define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
 105 #define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
 106                                           instruction_pointer) + 4)
 107 #define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
 108                                           instruction_pointer) + 0)
 109 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 110                                  8*(nr) + 4)
 111 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 112                                  8*(nr) + 0)
 113
 114 typedef user_regs_struct regs_struct;
 115 #define SECCOMP_PT_RESULT(_regs)  (_regs).rax
 116 #define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_rax
 117 #define SECCOMP_PT_IP(_regs)      (_regs).rip
 118 #define SECCOMP_PT_PARM1(_regs)   (_regs).rdi
 119 #define SECCOMP_PT_PARM2(_regs)   (_regs).rsi
 120 #define SECCOMP_PT_PARM3(_regs)   (_regs).rdx
 121 #define SECCOMP_PT_PARM4(_regs)   (_regs).r10
 122 #define SECCOMP_PT_PARM5(_regs)   (_regs).r8
 123 #define SECCOMP_PT_PARM6(_regs)   (_regs).r9
 124
 125 #elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
 126 #define SECCOMP_ARCH AUDIT_ARCH_ARM
 127
 128 // ARM sigcontext_t is different from i386/x86_64.
 129 // See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
 130 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
 131 // ARM EABI syscall convention.
 132 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, r0)
 133 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, r7)
 134 #define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, pc)
 135 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, r0)
 136 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, r1)
 137 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, r2)
 138 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, r3)
 139 #define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, r4)
 140 #define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, r5)
 141 #define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
 142 #define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
 143 #define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
 144                                           instruction_pointer) + 4)
 145 #define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
 146                                           instruction_pointer) + 0)
 147 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 148                                  8*(nr) + 4)
 149 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 150                                  8*(nr) + 0)
 151
 152 #if defined(__BIONIC__)
 153 // Old Bionic versions don't have sys/user.h, so we just define regs_struct
 154 // directly.  This can be removed once we no longer need to support these old
 155 // Bionic versions.
 156 struct regs_struct {
 157   unsigned long uregs[18];
 158 };
 159 #else
 160 typedef user_regs regs_struct;
 161 #endif
 162
 163 #define REG_cpsr    uregs[16]
 164 #define REG_pc      uregs[15]
 165 #define REG_lr      uregs[14]
 166 #define REG_sp      uregs[13]
 167 #define REG_ip      uregs[12]
 168 #define REG_fp      uregs[11]
 169 #define REG_r10     uregs[10]
 170 #define REG_r9      uregs[9]
 171 #define REG_r8      uregs[8]
 172 #define REG_r7      uregs[7]
 173 #define REG_r6      uregs[6]
 174 #define REG_r5      uregs[5]
 175 #define REG_r4      uregs[4]
 176 #define REG_r3      uregs[3]
 177 #define REG_r2      uregs[2]
 178 #define REG_r1      uregs[1]
 179 #define REG_r0      uregs[0]
 180 #define REG_ORIG_r0 uregs[17]
 181
 182 #define SECCOMP_PT_RESULT(_regs)  (_regs).REG_r0
 183 #define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_r7
 184 #define SECCOMP_PT_IP(_regs)      (_regs).REG_pc
 185 #define SECCOMP_PT_PARM1(_regs)   (_regs).REG_r0
 186 #define SECCOMP_PT_PARM2(_regs)   (_regs).REG_r1
 187 #define SECCOMP_PT_PARM3(_regs)   (_regs).REG_r2
 188 #define SECCOMP_PT_PARM4(_regs)   (_regs).REG_r3
 189 #define SECCOMP_PT_PARM5(_regs)   (_regs).REG_r4
 190 #define SECCOMP_PT_PARM6(_regs)   (_regs).REG_r5
 191
 192 #elif defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
 193 #define SECCOMP_ARCH        AUDIT_ARCH_MIPSEL
 194 #define SYSCALL_EIGHT_ARGS
 195 // MIPS sigcontext_t is different from i386/x86_64 and ARM.
 196 // See </arch/mips/include/uapi/asm/sigcontext.h> in the Linux kernel.
 197 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[_reg])
 198 // Based on MIPS o32 ABI syscall convention.
 199 // On MIPS, when indirect syscall is being made (syscall(__NR_foo)),
 200 // real identificator (__NR_foo) is not in v0, but in a0
 201 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, 2)
 202 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, 2)
 203 #define SECCOMP_IP(_ctx)        (_ctx)->uc_mcontext.pc
 204 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, 4)
 205 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, 5)
 206 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, 6)
 207 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, 7)
 208 // Only the first 4 arguments of syscall are in registers.
 209 // The rest are on the stack.
 210 #define SECCOMP_STACKPARM(_ctx, n)  (((long *)SECCOMP_REG(_ctx, 29))[(n)])
 211 #define SECCOMP_PARM5(_ctx)         SECCOMP_STACKPARM(_ctx, 4)
 212 #define SECCOMP_PARM6(_ctx)         SECCOMP_STACKPARM(_ctx, 5)
 213 #define SECCOMP_PARM7(_ctx)         SECCOMP_STACKPARM(_ctx, 6)
 214 #define SECCOMP_PARM8(_ctx)         SECCOMP_STACKPARM(_ctx, 7)
 215 #define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
 216 #define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
 217 #define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
 218                                           instruction_pointer) + 4)
 219 #define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
 220                                           instruction_pointer) + 0)
 221 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 222                                  8*(nr) + 4)
 223 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 224                                  8*(nr) + 0)
 225
 226 // On Mips we don't have structures like user_regs or user_regs_struct in
 227 // sys/user.h that we could use, so we just define regs_struct directly.
 228 struct regs_struct {
 229   unsigned long long regs[32];
 230 };
 231
 232 #define REG_a3 regs[7]
 233 #define REG_a2 regs[6]
 234 #define REG_a1 regs[5]
 235 #define REG_a0 regs[4]
 236 #define REG_v1 regs[3]
 237 #define REG_v0 regs[2]
 238
 239 #define SECCOMP_PT_RESULT(_regs)  (_regs).REG_v0
 240 #define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_v0
 241 #define SECCOMP_PT_PARM1(_regs)   (_regs).REG_a0
 242 #define SECCOMP_PT_PARM2(_regs)   (_regs).REG_a1
 243 #define SECCOMP_PT_PARM3(_regs)   (_regs).REG_a2
 244 #define SECCOMP_PT_PARM4(_regs)   (_regs).REG_a3
 245
 246 #elif defined(__aarch64__)
 247 struct regs_struct {
 248   unsigned long long regs[31];
 249   unsigned long long sp;
 250   unsigned long long pc;
 251   unsigned long long pstate;
 252 };
 253
 254 #define SECCOMP_ARCH AUDIT_ARCH_AARCH64
 255
 256 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.regs[_reg])
 257
 258 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, 0)
 259 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, 8)
 260 #define SECCOMP_IP(_ctx) (_ctx)->uc_mcontext.pc
 261 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, 0)
 262 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, 1)
 263 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, 2)
 264 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, 3)
 265 #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, 4)
 266 #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, 5)
 267
 268 #define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
 269 #define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
 270 #define SECCOMP_IP_MSB_IDX \
 271   (offsetof(struct arch_seccomp_data, instruction_pointer) + 4)
 272 #define SECCOMP_IP_LSB_IDX \
 273   (offsetof(struct arch_seccomp_data, instruction_pointer) + 0)
 274 #define SECCOMP_ARG_MSB_IDX(nr) \
 275   (offsetof(struct arch_seccomp_data, args) + 8 * (nr) + 4)
 276 #define SECCOMP_ARG_LSB_IDX(nr) \
 277   (offsetof(struct arch_seccomp_data, args) + 8 * (nr) + 0)
 278
 279 #define SECCOMP_PT_RESULT(_regs) (_regs).regs[0]
 280 #define SECCOMP_PT_SYSCALL(_regs) (_regs).regs[8]
 281 #define SECCOMP_PT_IP(_regs) (_regs).pc
 282 #define SECCOMP_PT_PARM1(_regs) (_regs).regs[0]
 283 #define SECCOMP_PT_PARM2(_regs) (_regs).regs[1]
 284 #define SECCOMP_PT_PARM3(_regs) (_regs).regs[2]
 285 #define SECCOMP_PT_PARM4(_regs) (_regs).regs[3]
 286 #define SECCOMP_PT_PARM5(_regs) (_regs).regs[4]
 287 #define SECCOMP_PT_PARM6(_regs) (_regs).regs[5]
 288 #else
 289 #error Unsupported target platform
 290
 291 #endif
 292
 293 #endif  // SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_