search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix link in German terms of service.
[chromium-blink-merge.git] / sandbox / linux / bpf_dsl / policy_compiler.cc
blobf38232f85f929fd0ed2331bc248807c4cfd93b55
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "sandbox/linux/bpf_dsl/policy_compiler.h"
6
7 #include <errno.h>
8 #include <sys/syscall.h>
9
10 #include <limits>
11
12 #include "base/logging.h"
13 #include "base/macros.h"
14 #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
15 #include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
16 #include "sandbox/linux/bpf_dsl/codegen.h"
17 #include "sandbox/linux/bpf_dsl/dump_bpf.h"
18 #include "sandbox/linux/bpf_dsl/policy.h"
19 #include "sandbox/linux/bpf_dsl/seccomp_macros.h"
20 #include "sandbox/linux/bpf_dsl/syscall_set.h"
21 #include "sandbox/linux/bpf_dsl/verifier.h"
22 #include "sandbox/linux/seccomp-bpf/errorcode.h"
23 #include "sandbox/linux/system_headers/linux_filter.h"
24 #include "sandbox/linux/system_headers/linux_seccomp.h"
25 #include "sandbox/linux/system_headers/linux_syscalls.h"
26
27 namespace sandbox {
28 namespace bpf_dsl {
29
30 namespace {
31
32 #if defined(__i386__) || defined(__x86_64__)
33 const bool kIsIntel = true;
34 #else
35 const bool kIsIntel = false;
36 #endif
37 #if defined(__x86_64__) && defined(__ILP32__)
38 const bool kIsX32 = true;
39 #else
40 const bool kIsX32 = false;
41 #endif
42
43 const int kSyscallsRequiredForUnsafeTraps[] = {
44 __NR_rt_sigprocmask,
45 __NR_rt_sigreturn,
46 #if defined(__NR_sigprocmask)
47 __NR_sigprocmask,
48 #endif
49 #if defined(__NR_sigreturn)
50 __NR_sigreturn,
51 #endif
52 };
53
54 bool HasExactlyOneBit(uint64_t x) {
55 // Common trick; e.g., see http://stackoverflow.com/a/108329.
56 return x != 0 && (x & (x - 1)) == 0;
57 }
58
59 // A Trap() handler that returns an "errno" value. The value is encoded
60 // in the "aux" parameter.
61 intptr_t ReturnErrno(const struct arch_seccomp_data&, void* aux) {
62 // TrapFnc functions report error by following the native kernel convention
63 // of returning an exit code in the range of -1..-4096. They do not try to
64 // set errno themselves. The glibc wrapper that triggered the SIGSYS will
65 // ultimately do so for us.
66 int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
67 return -err;
68 }
69
70 bool HasUnsafeTraps(const Policy* policy) {
71 DCHECK(policy);
72 for (uint32_t sysnum : SyscallSet::ValidOnly()) {
73 if (policy->EvaluateSyscall(sysnum)->HasUnsafeTraps()) {
74 return true;
75 }
76 }
77 return policy->InvalidSyscall()->HasUnsafeTraps();
78 }
79
80 } // namespace
81
82 struct PolicyCompiler::Range {
83 uint32_t from;
84 CodeGen::Node node;
85 };
86
87 PolicyCompiler::PolicyCompiler(const Policy* policy, TrapRegistry* registry)
88 : policy_(policy),
89 registry_(registry),
90 escapepc_(0),
91 conds_(),
92 gen_(),
93 has_unsafe_traps_(HasUnsafeTraps(policy_)) {
94 DCHECK(policy);
95 }
96
97 PolicyCompiler::~PolicyCompiler() {
98 }
99
100 scoped_ptr<CodeGen::Program> PolicyCompiler::Compile(bool verify) {
101 CHECK(policy_->InvalidSyscall()->IsDeny())
102 << "Policies should deny invalid system calls";
103
104 // If our BPF program has unsafe traps, enable support for them.
105 if (has_unsafe_traps_) {
106 CHECK_NE(0U, escapepc_) << "UnsafeTrap() requires a valid escape PC";
107
108 for (int sysnum : kSyscallsRequiredForUnsafeTraps) {
109 CHECK(policy_->EvaluateSyscall(sysnum)->IsAllow())
110 << "Policies that use UnsafeTrap() must unconditionally allow all "
111 "required system calls";
112 }
113
114 CHECK(registry_->EnableUnsafeTraps())
115 << "We'd rather die than enable unsafe traps";
116 }
117
118 // Assemble the BPF filter program.
119 scoped_ptr<CodeGen::Program> program(new CodeGen::Program());
120 gen_.Compile(AssemblePolicy(), program.get());
121
122 // Make sure compilation resulted in a BPF program that executes
123 // correctly. Otherwise, there is an internal error in our BPF compiler.
124 // There is really nothing the caller can do until the bug is fixed.
125 if (verify) {
126 const char* err = nullptr;
127 if (!Verifier::VerifyBPF(this, *program, *policy_, &err)) {
128 DumpBPF::PrintProgram(*program);
129 LOG(FATAL) << err;
130 }
131 }
132
133 return program.Pass();
134 }
135
136 void PolicyCompiler::DangerousSetEscapePC(uint64_t escapepc) {
137 escapepc_ = escapepc;
138 }
139
140 CodeGen::Node PolicyCompiler::AssemblePolicy() {
141 // A compiled policy consists of three logical parts:
142 // 1. Check that the "arch" field matches the expected architecture.
143 // 2. If the policy involves unsafe traps, check if the syscall was
144 // invoked by Syscall::Call, and then allow it unconditionally.
145 // 3. Check the system call number and jump to the appropriate compiled
146 // system call policy number.
147 return CheckArch(MaybeAddEscapeHatch(DispatchSyscall()));
148 }
149
150 CodeGen::Node PolicyCompiler::CheckArch(CodeGen::Node passed) {
151 // If the architecture doesn't match SECCOMP_ARCH, disallow the
152 // system call.
153 return gen_.MakeInstruction(
154 BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARCH_IDX,
155 gen_.MakeInstruction(
156 BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_ARCH, passed,
157 CompileResult(Kill("Invalid audit architecture in BPF filter"))));
158 }
159
160 CodeGen::Node PolicyCompiler::MaybeAddEscapeHatch(CodeGen::Node rest) {
161 // If no unsafe traps, then simply return |rest|.
162 if (!has_unsafe_traps_) {
163 return rest;
164 }
165
166 // We already enabled unsafe traps in Compile, but enable them again to give
167 // the trap registry a second chance to complain before we add the backdoor.
168 CHECK(registry_->EnableUnsafeTraps());
169
170 // Allow system calls, if they originate from our magic return address.
171 const uint32_t lopc = static_cast<uint32_t>(escapepc_);
172 const uint32_t hipc = static_cast<uint32_t>(escapepc_ >> 32);
173
174 // BPF cannot do native 64-bit comparisons, so we have to compare
175 // both 32-bit halves of the instruction pointer. If they match what
176 // we expect, we return ERR_ALLOWED. If either or both don't match,
177 // we continue evalutating the rest of the sandbox policy.
178 //
179 // For simplicity, we check the full 64-bit instruction pointer even
180 // on 32-bit architectures.
181 return gen_.MakeInstruction(
182 BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_LSB_IDX,
183 gen_.MakeInstruction(
184 BPF_JMP + BPF_JEQ + BPF_K, lopc,
185 gen_.MakeInstruction(
186 BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_MSB_IDX,
187 gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, hipc,
188 CompileResult(Allow()), rest)),
189 rest));
190 }
191
192 CodeGen::Node PolicyCompiler::DispatchSyscall() {
193 // Evaluate all possible system calls and group their ErrorCodes into
194 // ranges of identical codes.
195 Ranges ranges;
196 FindRanges(&ranges);
197
198 // Compile the system call ranges to an optimized BPF jumptable
199 CodeGen::Node jumptable = AssembleJumpTable(ranges.begin(), ranges.end());
200
201 // Grab the system call number, so that we can check it and then
202 // execute the jump table.
203 return gen_.MakeInstruction(
204 BPF_LD + BPF_W + BPF_ABS, SECCOMP_NR_IDX, CheckSyscallNumber(jumptable));
205 }
206
207 CodeGen::Node PolicyCompiler::CheckSyscallNumber(CodeGen::Node passed) {
208 if (kIsIntel) {
209 // On Intel architectures, verify that system call numbers are in the
210 // expected number range.
211 CodeGen::Node invalidX32 =
212 CompileResult(Kill("Illegal mixing of system call ABIs"));
213 if (kIsX32) {
214 // The newer x32 API always sets bit 30.
215 return gen_.MakeInstruction(
216 BPF_JMP + BPF_JSET + BPF_K, 0x40000000, passed, invalidX32);
217 } else {
218 // The older i386 and x86-64 APIs clear bit 30 on all system calls.
219 return gen_.MakeInstruction(
220 BPF_JMP + BPF_JSET + BPF_K, 0x40000000, invalidX32, passed);
221 }
222 }
223
224 // TODO(mdempsky): Similar validation for other architectures?
225 return passed;
226 }
227
228 void PolicyCompiler::FindRanges(Ranges* ranges) {
229 // Please note that "struct seccomp_data" defines system calls as a signed
230 // int32_t, but BPF instructions always operate on unsigned quantities. We
231 // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
232 // and then verifying that the rest of the number range (both positive and
233 // negative) all return the same ErrorCode.
234 const CodeGen::Node invalid_node = CompileResult(policy_->InvalidSyscall());
235 uint32_t old_sysnum = 0;
236 CodeGen::Node old_node =
237 SyscallSet::IsValid(old_sysnum)
238 ? CompileResult(policy_->EvaluateSyscall(old_sysnum))
239 : invalid_node;
240
241 for (uint32_t sysnum : SyscallSet::All()) {
242 CodeGen::Node node =
243 SyscallSet::IsValid(sysnum)
244 ? CompileResult(policy_->EvaluateSyscall(static_cast<int>(sysnum)))
245 : invalid_node;
246 // N.B., here we rely on CodeGen folding (i.e., returning the same
247 // node value for) identical code sequences, otherwise our jump
248 // table will blow up in size.
249 if (node != old_node) {
250 ranges->push_back(Range{old_sysnum, old_node});
251 old_sysnum = sysnum;
252 old_node = node;
253 }
254 }
255 ranges->push_back(Range{old_sysnum, old_node});
256 }
257
258 CodeGen::Node PolicyCompiler::AssembleJumpTable(Ranges::const_iterator start,
259 Ranges::const_iterator stop) {
260 // We convert the list of system call ranges into jump table that performs
261 // a binary search over the ranges.
262 // As a sanity check, we need to have at least one distinct ranges for us
263 // to be able to build a jump table.
264 CHECK(start < stop) << "Invalid iterator range";
265 const auto n = stop - start;
266 if (n == 1) {
267 // If we have narrowed things down to a single range object, we can
268 // return from the BPF filter program.
269 return start->node;
270 }
271
272 // Pick the range object that is located at the mid point of our list.
273 // We compare our system call number against the lowest valid system call
274 // number in this range object. If our number is lower, it is outside of
275 // this range object. If it is greater or equal, it might be inside.
276 Ranges::const_iterator mid = start + n / 2;
277
278 // Sub-divide the list of ranges and continue recursively.
279 CodeGen::Node jf = AssembleJumpTable(start, mid);
280 CodeGen::Node jt = AssembleJumpTable(mid, stop);
281 return gen_.MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
282 }
283
284 CodeGen::Node PolicyCompiler::CompileResult(const ResultExpr& res) {
285 return RetExpression(res->Compile(this));
286 }
287
288 CodeGen::Node PolicyCompiler::RetExpression(const ErrorCode& err) {
289 switch (err.error_type()) {
290 case ErrorCode::ET_COND:
291 return CondExpression(err);
292 case ErrorCode::ET_SIMPLE:
293 case ErrorCode::ET_TRAP:
294 return gen_.MakeInstruction(BPF_RET + BPF_K, err.err());
295 default:
296 LOG(FATAL)
297 << "ErrorCode is not suitable for returning from a BPF program";
298 return CodeGen::kNullNode;
299 }
300 }
301
302 CodeGen::Node PolicyCompiler::CondExpression(const ErrorCode& cond) {
303 // Sanity check that |cond| makes sense.
304 CHECK(cond.argno_ >= 0 && cond.argno_ < 6) << "Invalid argument number "
305 << cond.argno_;
306 CHECK(cond.width_ == ErrorCode::TP_32BIT ||
307 cond.width_ == ErrorCode::TP_64BIT)
308 << "Invalid argument width " << cond.width_;
309 CHECK_NE(0U, cond.mask_) << "Zero mask is invalid";
310 CHECK_EQ(cond.value_, cond.value_ & cond.mask_)
311 << "Value contains masked out bits";
312 if (sizeof(void*) == 4) {
313 CHECK_EQ(ErrorCode::TP_32BIT, cond.width_)
314 << "Invalid width on 32-bit platform";
315 }
316 if (cond.width_ == ErrorCode::TP_32BIT) {
317 CHECK_EQ(0U, cond.mask_ >> 32) << "Mask exceeds argument size";
318 CHECK_EQ(0U, cond.value_ >> 32) << "Value exceeds argument size";
319 }
320
321 CodeGen::Node passed = RetExpression(*cond.passed_);
322 CodeGen::Node failed = RetExpression(*cond.failed_);
323
324 // We want to emit code to check "(arg & mask) == value" where arg, mask, and
325 // value are 64-bit values, but the BPF machine is only 32-bit. We implement
326 // this by independently testing the upper and lower 32-bits and continuing to
327 // |passed| if both evaluate true, or to |failed| if either evaluate false.
328 return CondExpressionHalf(cond,
329 UpperHalf,
330 CondExpressionHalf(cond, LowerHalf, passed, failed),
331 failed);
332 }
333
334 CodeGen::Node PolicyCompiler::CondExpressionHalf(const ErrorCode& cond,
335 ArgHalf half,
336 CodeGen::Node passed,
337 CodeGen::Node failed) {
338 if (cond.width_ == ErrorCode::TP_32BIT && half == UpperHalf) {
339 // Special logic for sanity checking the upper 32-bits of 32-bit system
340 // call arguments.
341
342 // TODO(mdempsky): Compile Unexpected64bitArgument() just per program.
343 CodeGen::Node invalid_64bit = RetExpression(Unexpected64bitArgument());
344
345 const uint32_t upper = SECCOMP_ARG_MSB_IDX(cond.argno_);
346 const uint32_t lower = SECCOMP_ARG_LSB_IDX(cond.argno_);
347
348 if (sizeof(void*) == 4) {
349 // On 32-bit platforms, the upper 32-bits should always be 0:
350 // LDW [upper]
351 // JEQ 0, passed, invalid
352 return gen_.MakeInstruction(
353 BPF_LD + BPF_W + BPF_ABS,
354 upper,
355 gen_.MakeInstruction(
356 BPF_JMP + BPF_JEQ + BPF_K, 0, passed, invalid_64bit));
357 }
358
359 // On 64-bit platforms, the upper 32-bits may be 0 or ~0; but we only allow
360 // ~0 if the sign bit of the lower 32-bits is set too:
361 // LDW [upper]
362 // JEQ 0, passed, (next)
363 // JEQ ~0, (next), invalid
364 // LDW [lower]
365 // JSET (1<<31), passed, invalid
366 //
367 // TODO(mdempsky): The JSET instruction could perhaps jump to passed->next
368 // instead, as the first instruction of passed should be "LDW [lower]".
369 return gen_.MakeInstruction(
370 BPF_LD + BPF_W + BPF_ABS,
371 upper,
372 gen_.MakeInstruction(
373 BPF_JMP + BPF_JEQ + BPF_K,
374 0,
375 passed,
376 gen_.MakeInstruction(
377 BPF_JMP + BPF_JEQ + BPF_K,
378 std::numeric_limits<uint32_t>::max(),
379 gen_.MakeInstruction(
380 BPF_LD + BPF_W + BPF_ABS,
381 lower,
382 gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K,
383 1U << 31,
384 passed,
385 invalid_64bit)),
386 invalid_64bit)));
387 }
388
389 const uint32_t idx = (half == UpperHalf) ? SECCOMP_ARG_MSB_IDX(cond.argno_)
390 : SECCOMP_ARG_LSB_IDX(cond.argno_);
391 const uint32_t mask = (half == UpperHalf) ? cond.mask_ >> 32 : cond.mask_;
392 const uint32_t value = (half == UpperHalf) ? cond.value_ >> 32 : cond.value_;
393
394 // Emit a suitable instruction sequence for (arg & mask) == value.
395
396 // For (arg & 0) == 0, just return passed.
397 if (mask == 0) {
398 CHECK_EQ(0U, value);
399 return passed;
400 }
401
402 // For (arg & ~0) == value, emit:
403 // LDW [idx]
404 // JEQ value, passed, failed
405 if (mask == std::numeric_limits<uint32_t>::max()) {
406 return gen_.MakeInstruction(
407 BPF_LD + BPF_W + BPF_ABS,
408 idx,
409 gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed));
410 }
411
412 // For (arg & mask) == 0, emit:
413 // LDW [idx]
414 // JSET mask, failed, passed
415 // (Note: failed and passed are intentionally swapped.)
416 if (value == 0) {
417 return gen_.MakeInstruction(
418 BPF_LD + BPF_W + BPF_ABS,
419 idx,
420 gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K, mask, failed, passed));
421 }
422
423 // For (arg & x) == x where x is a single-bit value, emit:
424 // LDW [idx]
425 // JSET mask, passed, failed
426 if (mask == value && HasExactlyOneBit(mask)) {
427 return gen_.MakeInstruction(
428 BPF_LD + BPF_W + BPF_ABS,
429 idx,
430 gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K, mask, passed, failed));
431 }
432
433 // Generic fallback:
434 // LDW [idx]
435 // AND mask
436 // JEQ value, passed, failed
437 return gen_.MakeInstruction(
438 BPF_LD + BPF_W + BPF_ABS,
439 idx,
440 gen_.MakeInstruction(
441 BPF_ALU + BPF_AND + BPF_K,
442 mask,
443 gen_.MakeInstruction(
444 BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed)));
445 }
446
447 ErrorCode PolicyCompiler::Unexpected64bitArgument() {
448 return Kill("Unexpected 64bit argument detected")->Compile(this);
449 }
450
451 ErrorCode PolicyCompiler::Error(int err) {
452 if (has_unsafe_traps_) {
453 // When inside an UnsafeTrap() callback, we want to allow all system calls.
454 // This means, we must conditionally disable the sandbox -- and that's not
455 // something that kernel-side BPF filters can do, as they cannot inspect
456 // any state other than the syscall arguments.
457 // But if we redirect all error handlers to user-space, then we can easily
458 // make this decision.
459 // The performance penalty for this extra round-trip to user-space is not
460 // actually that bad, as we only ever pay it for denied system calls; and a
461 // typical program has very few of these.
462 return Trap(ReturnErrno, reinterpret_cast<void*>(err), true);
463 }
464
465 return ErrorCode(err);
466 }
467
468 ErrorCode PolicyCompiler::Trap(TrapRegistry::TrapFnc fnc,
469 const void* aux,
470 bool safe) {
471 uint16_t trap_id = registry_->Add(fnc, aux, safe);
472 return ErrorCode(trap_id, fnc, aux, safe);
473 }
474
475 bool PolicyCompiler::IsRequiredForUnsafeTrap(int sysno) {
476 for (size_t i = 0; i < arraysize(kSyscallsRequiredForUnsafeTraps); ++i) {
477 if (sysno == kSyscallsRequiredForUnsafeTraps[i]) {
478 return true;
479 }
480 }
481 return false;
482 }
483
484 ErrorCode PolicyCompiler::CondMaskedEqual(int argno,
485 ErrorCode::ArgType width,
486 uint64_t mask,
487 uint64_t value,
488 const ErrorCode& passed,
489 const ErrorCode& failed) {
490 return ErrorCode(argno,
491 width,
492 mask,
493 value,
494 &*conds_.insert(passed).first,
495 &*conds_.insert(failed).first);
496 }
497
498 } // namespace bpf_dsl
499 } // namespace sandbox