search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
sandbox: move SyscallSet into bpf_dsl
[chromium-blink-merge.git] / sandbox / linux / bpf_dsl / policy_compiler.cc
blob2b72f3b7752c69021a2698575b24f46823130b8d
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
6
7 #include <errno.h>
8 #include <linux/filter.h>
9 #include <sys/syscall.h>
10
11 #include <limits>
12
13 #include "base/logging.h"
14 #include "base/macros.h"
15 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
16 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
17 #include "sandbox/linux/bpf_dsl/codegen.h"
18 #include "sandbox/linux/bpf_dsl/policy.h"
19 #include "sandbox/linux/bpf_dsl/syscall_set.h"
20 #include "sandbox/linux/seccomp-bpf/die.h"
21 #include "sandbox/linux/seccomp-bpf/errorcode.h"
22 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
23 #include "sandbox/linux/seccomp-bpf/syscall.h"
24
25 namespace sandbox {
26 namespace bpf_dsl {
27
28 namespace {
29
30 #if defined(__i386__) || defined(__x86_64__)
31 const bool kIsIntel = true;
32 #else
33 const bool kIsIntel = false;
34 #endif
35 #if defined(__x86_64__) && defined(__ILP32__)
36 const bool kIsX32 = true;
37 #else
38 const bool kIsX32 = false;
39 #endif
40
41 const int kSyscallsRequiredForUnsafeTraps[] = {
42 __NR_rt_sigprocmask,
43 __NR_rt_sigreturn,
44 #if defined(__NR_sigprocmask)
45 __NR_sigprocmask,
46 #endif
47 #if defined(__NR_sigreturn)
48 __NR_sigreturn,
49 #endif
50 };
51
52 bool HasExactlyOneBit(uint64_t x) {
53 // Common trick; e.g., see http://stackoverflow.com/a/108329.
54 return x != 0 && (x & (x - 1)) == 0;
55 }
56
57 // A Trap() handler that returns an "errno" value. The value is encoded
58 // in the "aux" parameter.
59 intptr_t ReturnErrno(const struct arch_seccomp_data&, void* aux) {
60 // TrapFnc functions report error by following the native kernel convention
61 // of returning an exit code in the range of -1..-4096. They do not try to
62 // set errno themselves. The glibc wrapper that triggered the SIGSYS will
63 // ultimately do so for us.
64 int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
65 return -err;
66 }
67
68 bool HasUnsafeTraps(const Policy* policy) {
69 DCHECK(policy);
70 for (uint32_t sysnum : SyscallSet::ValidOnly()) {
71 if (policy->EvaluateSyscall(sysnum)->HasUnsafeTraps()) {
72 return true;
73 }
74 }
75 return policy->InvalidSyscall()->HasUnsafeTraps();
76 }
77
78 } // namespace
79
80 struct PolicyCompiler::Range {
81 uint32_t from;
82 CodeGen::Node node;
83 };
84
85 PolicyCompiler::PolicyCompiler(const Policy* policy, TrapRegistry* registry)
86 : policy_(policy),
87 registry_(registry),
88 conds_(),
89 gen_(),
90 has_unsafe_traps_(HasUnsafeTraps(policy_)) {
91 DCHECK(policy);
92 }
93
94 PolicyCompiler::~PolicyCompiler() {
95 }
96
97 scoped_ptr<CodeGen::Program> PolicyCompiler::Compile() {
98 if (!policy_->InvalidSyscall()->IsDeny()) {
99 SANDBOX_DIE("Policies should deny invalid system calls.");
100 }
101
102 // If our BPF program has unsafe traps, enable support for them.
103 if (has_unsafe_traps_) {
104 // As support for unsafe jumps essentially defeats all the security
105 // measures that the sandbox provides, we print a big warning message --
106 // and of course, we make sure to only ever enable this feature if it
107 // is actually requested by the sandbox policy.
108 if (Syscall::Call(-1) == -1 && errno == ENOSYS) {
109 SANDBOX_DIE(
110 "Support for UnsafeTrap() has not yet been ported to this "
111 "architecture");
112 }
113
114 for (int sysnum : kSyscallsRequiredForUnsafeTraps) {
115 if (!policy_->EvaluateSyscall(sysnum)->IsAllow()) {
116 SANDBOX_DIE(
117 "Policies that use UnsafeTrap() must unconditionally allow all "
118 "required system calls");
119 }
120 }
121
122 if (!registry_->EnableUnsafeTraps()) {
123 // We should never be able to get here, as UnsafeTrap() should never
124 // actually return a valid ErrorCode object unless the user set the
125 // CHROME_SANDBOX_DEBUGGING environment variable; and therefore,
126 // "has_unsafe_traps" would always be false. But better double-check
127 // than enabling dangerous code.
128 SANDBOX_DIE("We'd rather die than enable unsafe traps");
129 }
130 }
131
132 // Assemble the BPF filter program.
133 scoped_ptr<CodeGen::Program> program(new CodeGen::Program());
134 gen_.Compile(AssemblePolicy(), program.get());
135 return program.Pass();
136 }
137
138 CodeGen::Node PolicyCompiler::AssemblePolicy() {
139 // A compiled policy consists of three logical parts:
140 // 1. Check that the "arch" field matches the expected architecture.
141 // 2. If the policy involves unsafe traps, check if the syscall was
142 // invoked by Syscall::Call, and then allow it unconditionally.
143 // 3. Check the system call number and jump to the appropriate compiled
144 // system call policy number.
145 return CheckArch(MaybeAddEscapeHatch(DispatchSyscall()));
146 }
147
148 CodeGen::Node PolicyCompiler::CheckArch(CodeGen::Node passed) {
149 // If the architecture doesn't match SECCOMP_ARCH, disallow the
150 // system call.
151 return gen_.MakeInstruction(
152 BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARCH_IDX,
153 gen_.MakeInstruction(
154 BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_ARCH, passed,
155 CompileResult(Kill("Invalid audit architecture in BPF filter"))));
156 }
157
158 CodeGen::Node PolicyCompiler::MaybeAddEscapeHatch(CodeGen::Node rest) {
159 // If no unsafe traps, then simply return |rest|.
160 if (!has_unsafe_traps_) {
161 return rest;
162 }
163
164 // Allow system calls, if they originate from our magic return address
165 // (which we can query by calling Syscall::Call(-1)).
166 uint64_t syscall_entry_point =
167 static_cast<uint64_t>(static_cast<uintptr_t>(Syscall::Call(-1)));
168 uint32_t low = static_cast<uint32_t>(syscall_entry_point);
169 uint32_t hi = static_cast<uint32_t>(syscall_entry_point >> 32);
170
171 // BPF cannot do native 64-bit comparisons, so we have to compare
172 // both 32-bit halves of the instruction pointer. If they match what
173 // we expect, we return ERR_ALLOWED. If either or both don't match,
174 // we continue evalutating the rest of the sandbox policy.
175 //
176 // For simplicity, we check the full 64-bit instruction pointer even
177 // on 32-bit architectures.
178 return gen_.MakeInstruction(
179 BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_LSB_IDX,
180 gen_.MakeInstruction(
181 BPF_JMP + BPF_JEQ + BPF_K, low,
182 gen_.MakeInstruction(
183 BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_MSB_IDX,
184 gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, hi,
185 CompileResult(Allow()), rest)),
186 rest));
187 }
188
189 CodeGen::Node PolicyCompiler::DispatchSyscall() {
190 // Evaluate all possible system calls and group their ErrorCodes into
191 // ranges of identical codes.
192 Ranges ranges;
193 FindRanges(&ranges);
194
195 // Compile the system call ranges to an optimized BPF jumptable
196 CodeGen::Node jumptable = AssembleJumpTable(ranges.begin(), ranges.end());
197
198 // Grab the system call number, so that we can check it and then
199 // execute the jump table.
200 return gen_.MakeInstruction(
201 BPF_LD + BPF_W + BPF_ABS, SECCOMP_NR_IDX, CheckSyscallNumber(jumptable));
202 }
203
204 CodeGen::Node PolicyCompiler::CheckSyscallNumber(CodeGen::Node passed) {
205 if (kIsIntel) {
206 // On Intel architectures, verify that system call numbers are in the
207 // expected number range.
208 CodeGen::Node invalidX32 =
209 CompileResult(Kill("Illegal mixing of system call ABIs"));
210 if (kIsX32) {
211 // The newer x32 API always sets bit 30.
212 return gen_.MakeInstruction(
213 BPF_JMP + BPF_JSET + BPF_K, 0x40000000, passed, invalidX32);
214 } else {
215 // The older i386 and x86-64 APIs clear bit 30 on all system calls.
216 return gen_.MakeInstruction(
217 BPF_JMP + BPF_JSET + BPF_K, 0x40000000, invalidX32, passed);
218 }
219 }
220
221 // TODO(mdempsky): Similar validation for other architectures?
222 return passed;
223 }
224
225 void PolicyCompiler::FindRanges(Ranges* ranges) {
226 // Please note that "struct seccomp_data" defines system calls as a signed
227 // int32_t, but BPF instructions always operate on unsigned quantities. We
228 // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
229 // and then verifying that the rest of the number range (both positive and
230 // negative) all return the same ErrorCode.
231 const CodeGen::Node invalid_node = CompileResult(policy_->InvalidSyscall());
232 uint32_t old_sysnum = 0;
233 CodeGen::Node old_node =
234 SyscallSet::IsValid(old_sysnum)
235 ? CompileResult(policy_->EvaluateSyscall(old_sysnum))
236 : invalid_node;
237
238 for (uint32_t sysnum : SyscallSet::All()) {
239 CodeGen::Node node =
240 SyscallSet::IsValid(sysnum)
241 ? CompileResult(policy_->EvaluateSyscall(static_cast<int>(sysnum)))
242 : invalid_node;
243 // N.B., here we rely on CodeGen folding (i.e., returning the same
244 // node value for) identical code sequences, otherwise our jump
245 // table will blow up in size.
246 if (node != old_node) {
247 ranges->push_back(Range{old_sysnum, old_node});
248 old_sysnum = sysnum;
249 old_node = node;
250 }
251 }
252 ranges->push_back(Range{old_sysnum, old_node});
253 }
254
255 CodeGen::Node PolicyCompiler::AssembleJumpTable(Ranges::const_iterator start,
256 Ranges::const_iterator stop) {
257 // We convert the list of system call ranges into jump table that performs
258 // a binary search over the ranges.
259 // As a sanity check, we need to have at least one distinct ranges for us
260 // to be able to build a jump table.
261 if (stop - start <= 0) {
262 SANDBOX_DIE("Invalid set of system call ranges");
263 } else if (stop - start == 1) {
264 // If we have narrowed things down to a single range object, we can
265 // return from the BPF filter program.
266 return start->node;
267 }
268
269 // Pick the range object that is located at the mid point of our list.
270 // We compare our system call number against the lowest valid system call
271 // number in this range object. If our number is lower, it is outside of
272 // this range object. If it is greater or equal, it might be inside.
273 Ranges::const_iterator mid = start + (stop - start) / 2;
274
275 // Sub-divide the list of ranges and continue recursively.
276 CodeGen::Node jf = AssembleJumpTable(start, mid);
277 CodeGen::Node jt = AssembleJumpTable(mid, stop);
278 return gen_.MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
279 }
280
281 CodeGen::Node PolicyCompiler::CompileResult(const ResultExpr& res) {
282 return RetExpression(res->Compile(this));
283 }
284
285 CodeGen::Node PolicyCompiler::RetExpression(const ErrorCode& err) {
286 switch (err.error_type()) {
287 case ErrorCode::ET_COND:
288 return CondExpression(err);
289 case ErrorCode::ET_SIMPLE:
290 case ErrorCode::ET_TRAP:
291 return gen_.MakeInstruction(BPF_RET + BPF_K, err.err());
292 default:
293 SANDBOX_DIE("ErrorCode is not suitable for returning from a BPF program");
294 }
295 }
296
297 CodeGen::Node PolicyCompiler::CondExpression(const ErrorCode& cond) {
298 // Sanity check that |cond| makes sense.
299 if (cond.argno_ < 0 || cond.argno_ >= 6) {
300 SANDBOX_DIE("sandbox_bpf: invalid argument number");
301 }
302 if (cond.width_ != ErrorCode::TP_32BIT &&
303 cond.width_ != ErrorCode::TP_64BIT) {
304 SANDBOX_DIE("sandbox_bpf: invalid argument width");
305 }
306 if (cond.mask_ == 0) {
307 SANDBOX_DIE("sandbox_bpf: zero mask is invalid");
308 }
309 if ((cond.value_ & cond.mask_) != cond.value_) {
310 SANDBOX_DIE("sandbox_bpf: value contains masked out bits");
311 }
312 if (cond.width_ == ErrorCode::TP_32BIT &&
313 ((cond.mask_ >> 32) != 0 || (cond.value_ >> 32) != 0)) {
314 SANDBOX_DIE("sandbox_bpf: test exceeds argument size");
315 }
316 // TODO(mdempsky): Reject TP_64BIT on 32-bit platforms. For now we allow it
317 // because some SandboxBPF unit tests exercise it.
318
319 CodeGen::Node passed = RetExpression(*cond.passed_);
320 CodeGen::Node failed = RetExpression(*cond.failed_);
321
322 // We want to emit code to check "(arg & mask) == value" where arg, mask, and
323 // value are 64-bit values, but the BPF machine is only 32-bit. We implement
324 // this by independently testing the upper and lower 32-bits and continuing to
325 // |passed| if both evaluate true, or to |failed| if either evaluate false.
326 return CondExpressionHalf(cond,
327 UpperHalf,
328 CondExpressionHalf(cond, LowerHalf, passed, failed),
329 failed);
330 }
331
332 CodeGen::Node PolicyCompiler::CondExpressionHalf(const ErrorCode& cond,
333 ArgHalf half,
334 CodeGen::Node passed,
335 CodeGen::Node failed) {
336 if (cond.width_ == ErrorCode::TP_32BIT && half == UpperHalf) {
337 // Special logic for sanity checking the upper 32-bits of 32-bit system
338 // call arguments.
339
340 // TODO(mdempsky): Compile Unexpected64bitArgument() just per program.
341 CodeGen::Node invalid_64bit = RetExpression(Unexpected64bitArgument());
342
343 const uint32_t upper = SECCOMP_ARG_MSB_IDX(cond.argno_);
344 const uint32_t lower = SECCOMP_ARG_LSB_IDX(cond.argno_);
345
346 if (sizeof(void*) == 4) {
347 // On 32-bit platforms, the upper 32-bits should always be 0:
348 // LDW [upper]
349 // JEQ 0, passed, invalid
350 return gen_.MakeInstruction(
351 BPF_LD + BPF_W + BPF_ABS,
352 upper,
353 gen_.MakeInstruction(
354 BPF_JMP + BPF_JEQ + BPF_K, 0, passed, invalid_64bit));
355 }
356
357 // On 64-bit platforms, the upper 32-bits may be 0 or ~0; but we only allow
358 // ~0 if the sign bit of the lower 32-bits is set too:
359 // LDW [upper]
360 // JEQ 0, passed, (next)
361 // JEQ ~0, (next), invalid
362 // LDW [lower]
363 // JSET (1<<31), passed, invalid
364 //
365 // TODO(mdempsky): The JSET instruction could perhaps jump to passed->next
366 // instead, as the first instruction of passed should be "LDW [lower]".
367 return gen_.MakeInstruction(
368 BPF_LD + BPF_W + BPF_ABS,
369 upper,
370 gen_.MakeInstruction(
371 BPF_JMP + BPF_JEQ + BPF_K,
372 0,
373 passed,
374 gen_.MakeInstruction(
375 BPF_JMP + BPF_JEQ + BPF_K,
376 std::numeric_limits<uint32_t>::max(),
377 gen_.MakeInstruction(
378 BPF_LD + BPF_W + BPF_ABS,
379 lower,
380 gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K,
381 1U << 31,
382 passed,
383 invalid_64bit)),
384 invalid_64bit)));
385 }
386
387 const uint32_t idx = (half == UpperHalf) ? SECCOMP_ARG_MSB_IDX(cond.argno_)
388 : SECCOMP_ARG_LSB_IDX(cond.argno_);
389 const uint32_t mask = (half == UpperHalf) ? cond.mask_ >> 32 : cond.mask_;
390 const uint32_t value = (half == UpperHalf) ? cond.value_ >> 32 : cond.value_;
391
392 // Emit a suitable instruction sequence for (arg & mask) == value.
393
394 // For (arg & 0) == 0, just return passed.
395 if (mask == 0) {
396 CHECK_EQ(0U, value);
397 return passed;
398 }
399
400 // For (arg & ~0) == value, emit:
401 // LDW [idx]
402 // JEQ value, passed, failed
403 if (mask == std::numeric_limits<uint32_t>::max()) {
404 return gen_.MakeInstruction(
405 BPF_LD + BPF_W + BPF_ABS,
406 idx,
407 gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed));
408 }
409
410 // For (arg & mask) == 0, emit:
411 // LDW [idx]
412 // JSET mask, failed, passed
413 // (Note: failed and passed are intentionally swapped.)
414 if (value == 0) {
415 return gen_.MakeInstruction(
416 BPF_LD + BPF_W + BPF_ABS,
417 idx,
418 gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K, mask, failed, passed));
419 }
420
421 // For (arg & x) == x where x is a single-bit value, emit:
422 // LDW [idx]
423 // JSET mask, passed, failed
424 if (mask == value && HasExactlyOneBit(mask)) {
425 return gen_.MakeInstruction(
426 BPF_LD + BPF_W + BPF_ABS,
427 idx,
428 gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K, mask, passed, failed));
429 }
430
431 // Generic fallback:
432 // LDW [idx]
433 // AND mask
434 // JEQ value, passed, failed
435 return gen_.MakeInstruction(
436 BPF_LD + BPF_W + BPF_ABS,
437 idx,
438 gen_.MakeInstruction(
439 BPF_ALU + BPF_AND + BPF_K,
440 mask,
441 gen_.MakeInstruction(
442 BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed)));
443 }
444
445 ErrorCode PolicyCompiler::Unexpected64bitArgument() {
446 return Kill("Unexpected 64bit argument detected")->Compile(this);
447 }
448
449 ErrorCode PolicyCompiler::Error(int err) {
450 if (has_unsafe_traps_) {
451 // When inside an UnsafeTrap() callback, we want to allow all system calls.
452 // This means, we must conditionally disable the sandbox -- and that's not
453 // something that kernel-side BPF filters can do, as they cannot inspect
454 // any state other than the syscall arguments.
455 // But if we redirect all error handlers to user-space, then we can easily
456 // make this decision.
457 // The performance penalty for this extra round-trip to user-space is not
458 // actually that bad, as we only ever pay it for denied system calls; and a
459 // typical program has very few of these.
460 return Trap(ReturnErrno, reinterpret_cast<void*>(err), true);
461 }
462
463 return ErrorCode(err);
464 }
465
466 ErrorCode PolicyCompiler::Trap(TrapRegistry::TrapFnc fnc,
467 const void* aux,
468 bool safe) {
469 uint16_t trap_id = registry_->Add(fnc, aux, safe);
470 return ErrorCode(trap_id, fnc, aux, safe);
471 }
472
473 bool PolicyCompiler::IsRequiredForUnsafeTrap(int sysno) {
474 for (size_t i = 0; i < arraysize(kSyscallsRequiredForUnsafeTraps); ++i) {
475 if (sysno == kSyscallsRequiredForUnsafeTraps[i]) {
476 return true;
477 }
478 }
479 return false;
480 }
481
482 ErrorCode PolicyCompiler::CondMaskedEqual(int argno,
483 ErrorCode::ArgType width,
484 uint64_t mask,
485 uint64_t value,
486 const ErrorCode& passed,
487 const ErrorCode& failed) {
488 return ErrorCode(argno,
489 width,
490 mask,
491 value,
492 &*conds_.insert(passed).first,
493 &*conds_.insert(failed).first);
494 }
495
496 } // namespace bpf_dsl
497 } // namespace sandbox