sandbox/linux/bpf_dsl/policy_compiler.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_
   6 #define SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_
   7
   8 #include <stdint.h>
   9
  10 #include <map>
  11 #include <set>
  12 #include <vector>
  13
  14 #include "base/macros.h"
  15 #include "base/memory/scoped_ptr.h"
  16 #include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h"
  17 #include "sandbox/linux/bpf_dsl/codegen.h"
  18 #include "sandbox/linux/seccomp-bpf/errorcode.h"
  19 #include "sandbox/sandbox_export.h"
  20
  21 namespace sandbox {
  22 namespace bpf_dsl {
  23 class Policy;
  24
  25 // PolicyCompiler implements the bpf_dsl compiler, allowing users to
  26 // transform bpf_dsl policies into BPF programs to be executed by the
  27 // Linux kernel.
  28 class SANDBOX_EXPORT PolicyCompiler {
  29  public:
  30   PolicyCompiler(const Policy* policy, TrapRegistry* registry);
  31   ~PolicyCompiler();
  32
  33   // Compile registers any trap handlers needed by the policy and
  34   // compiles the policy to a BPF program, which it returns.
  35   scoped_ptr<CodeGen::Program> Compile(bool verify);
  36
  37   // DangerousSetEscapePC sets the "escape PC" that is allowed to issue any
  38   // system calls, regardless of policy.
  39   void DangerousSetEscapePC(uint64_t escapepc);
  40
  41   // Error returns an ErrorCode to indicate the system call should fail with
  42   // the specified error number.
  43   ErrorCode Error(int err);
  44
  45   // Trap returns an ErrorCode to indicate the system call should
  46   // instead invoke a trap handler.
  47   ErrorCode Trap(TrapRegistry::TrapFnc fnc, const void* aux, bool safe);
  48
  49   // UnsafeTraps require some syscalls to always be allowed.
  50   // This helper function returns true for these calls.
  51   static bool IsRequiredForUnsafeTrap(int sysno);
  52
  53   // We can also use ErrorCode to request evaluation of a conditional
  54   // statement based on inspection of system call parameters.
  55   // This method wrap an ErrorCode object around the conditional statement.
  56   // Argument "argno" (1..6) will be bitwise-AND'd with "mask" and compared
  57   // to "value"; if equal, then "passed" will be returned, otherwise "failed".
  58   // If "is32bit" is set, the argument must in the range of 0x0..(1u << 32 - 1)
  59   // If it is outside this range, the sandbox treats the system call just
  60   // the same as any other ABI violation (i.e. it aborts with an error
  61   // message).
  62   ErrorCode CondMaskedEqual(int argno,
  63                             ErrorCode::ArgType is_32bit,
  64                             uint64_t mask,
  65                             uint64_t value,
  66                             const ErrorCode& passed,
  67                             const ErrorCode& failed);
  68
  69   // Returns the fatal ErrorCode that is used to indicate that somebody
  70   // attempted to pass a 64bit value in a 32bit system call argument.
  71   // This method is primarily needed for testing purposes.
  72   ErrorCode Unexpected64bitArgument();
  73
  74  private:
  75   struct Range;
  76   typedef std::vector<Range> Ranges;
  77   typedef std::set<ErrorCode, struct ErrorCode::LessThan> Conds;
  78
  79   // Used by CondExpressionHalf to track which half of the argument it's
  80   // emitting instructions for.
  81   enum ArgHalf {
  82     LowerHalf,
  83     UpperHalf,
  84   };
  85
  86   // Compile the configured policy into a complete instruction sequence.
  87   CodeGen::Node AssemblePolicy();
  88
  89   // Return an instruction sequence that checks the
  90   // arch_seccomp_data's "arch" field is valid, and then passes
  91   // control to |passed| if so.
  92   CodeGen::Node CheckArch(CodeGen::Node passed);
  93
  94   // If |has_unsafe_traps_| is true, returns an instruction sequence
  95   // that allows all system calls from |escapepc_|, and otherwise
  96   // passes control to |rest|. Otherwise, simply returns |rest|.
  97   CodeGen::Node MaybeAddEscapeHatch(CodeGen::Node rest);
  98
  99   // Return an instruction sequence that loads and checks the system
 100   // call number, performs a binary search, and then dispatches to an
 101   // appropriate instruction sequence compiled from the current
 102   // policy.
 103   CodeGen::Node DispatchSyscall();
 104
 105   // Return an instruction sequence that checks the system call number
 106   // (expected to be loaded in register A) and if valid, passes
 107   // control to |passed| (with register A still valid).
 108   CodeGen::Node CheckSyscallNumber(CodeGen::Node passed);
 109
 110   // Finds all the ranges of system calls that need to be handled. Ranges are
 111   // sorted in ascending order of system call numbers. There are no gaps in the
 112   // ranges. System calls with identical ErrorCodes are coalesced into a single
 113   // range.
 114   void FindRanges(Ranges* ranges);
 115
 116   // Returns a BPF program snippet that implements a jump table for the
 117   // given range of system call numbers. This function runs recursively.
 118   CodeGen::Node AssembleJumpTable(Ranges::const_iterator start,
 119                                   Ranges::const_iterator stop);
 120
 121   // CompileResult compiles an individual result expression into a
 122   // CodeGen node.
 123   CodeGen::Node CompileResult(const ResultExpr& res);
 124
 125   // Returns a BPF program snippet that makes the BPF filter program exit
 126   // with the given ErrorCode "err". N.B. the ErrorCode may very well be a
 127   // conditional expression; if so, this function will recursively call
 128   // CondExpression() and possibly RetExpression() to build a complex set of
 129   // instructions.
 130   CodeGen::Node RetExpression(const ErrorCode& err);
 131
 132   // Returns a BPF program that evaluates the conditional expression in
 133   // "cond" and returns the appropriate value from the BPF filter program.
 134   // This function recursively calls RetExpression(); it should only ever be
 135   // called from RetExpression().
 136   CodeGen::Node CondExpression(const ErrorCode& cond);
 137
 138   // Returns a BPF program that evaluates half of a conditional expression;
 139   // it should only ever be called from CondExpression().
 140   CodeGen::Node CondExpressionHalf(const ErrorCode& cond,
 141                                    ArgHalf half,
 142                                    CodeGen::Node passed,
 143                                    CodeGen::Node failed);
 144
 145   const Policy* policy_;
 146   TrapRegistry* registry_;
 147   uint64_t escapepc_;
 148
 149   Conds conds_;
 150   CodeGen gen_;
 151   bool has_unsafe_traps_;
 152
 153   DISALLOW_COPY_AND_ASSIGN(PolicyCompiler);
 154 };
 155
 156 }  // namespace bpf_dsl
 157 }  // namespace sandbox
 158
 159 #endif  // SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_