sandbox/linux/bpf_dsl/trap_registry.h

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_
   6 #define SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_
   7
   8 #include <stdint.h>
   9
  10 #include "base/macros.h"
  11 #include "sandbox/sandbox_export.h"
  12
  13 namespace sandbox {
  14
  15 // This must match the kernel's seccomp_data structure.
  16 struct arch_seccomp_data {
  17   int nr;
  18   uint32_t arch;
  19   uint64_t instruction_pointer;
  20   uint64_t args[6];
  21 };
  22
  23 namespace bpf_dsl {
  24
  25 // TrapRegistry provides an interface for registering "trap handlers"
  26 // by associating them with non-zero 16-bit trap IDs. Trap IDs should
  27 // remain valid for the lifetime of the trap registry.
  28 class SANDBOX_EXPORT TrapRegistry {
  29  public:
  30   // TrapFnc is a pointer to a function that fulfills the trap handler
  31   // function signature.
  32   //
  33   // Trap handlers follow the calling convention of native system
  34   // calls; e.g., to report an error, they return an exit code in the
  35   // range -1..-4096 instead of directly modifying errno. However,
  36   // modifying errno is harmless, as the original value will be
  37   // restored afterwards.
  38   //
  39   // Trap handlers are executed from signal context and possibly an
  40   // async-signal context, so they must be async-signal safe:
  41   // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
  42   typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void* aux);
  43
  44   // Add registers the specified trap handler tuple and returns a
  45   // non-zero trap ID that uniquely identifies the tuple for the life
  46   // time of the trap registry. If the same tuple is registered
  47   // multiple times, the same value will be returned each time.
  48   virtual uint16_t Add(TrapFnc fnc, const void* aux, bool safe) = 0;
  49
  50   // EnableUnsafeTraps tries to enable unsafe traps and returns
  51   // whether it was successful. This is a one-way operation.
  52   //
  53   // CAUTION: Enabling unsafe traps effectively defeats the security
  54   // guarantees provided by the sandbox policy. TrapRegistry
  55   // implementations should ensure unsafe traps are only enabled
  56   // during testing.
  57   virtual bool EnableUnsafeTraps() = 0;
  58
  59  protected:
  60   TrapRegistry() {}
  61
  62   // TrapRegistry's destructor is intentionally non-virtual so that
  63   // implementations can omit their destructor.  Instead we protect against
  64   // misuse by marking it protected.
  65   ~TrapRegistry() {}
  66
  67   DISALLOW_COPY_AND_ASSIGN(TrapRegistry);
  68 };
  69
  70 }  // namespace bpf_dsl
  71 }  // namespace sandbox
  72
  73 #endif  // SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_