sandbox/linux/bpf_dsl/seccomp_macros.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_
   6 #define SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_
   7
   8 #include <sys/cdefs.h>
   9 // Old Bionic versions do not have sys/user.h.  The if can be removed once we no
  10 // longer need to support these old Bionic versions.
  11 // All x86_64 builds use a new enough bionic to have sys/user.h.
  12 #if !defined(__BIONIC__) || defined(__x86_64__)
  13 #include <sys/types.h>  // Fix for gcc 4.7, make sure __uint16_t is defined.
  14 #if !defined(__native_client_nonsfi__)
  15 #include <sys/user.h>
  16 #endif
  17 #if defined(__mips__)
  18 // sys/user.h in eglibc misses size_t definition
  19 #include <stddef.h>
  20 #endif
  21 #endif
  22
  23 #include "sandbox/linux/system_headers/linux_seccomp.h"  // For AUDIT_ARCH_*
  24
  25 // Impose some reasonable maximum BPF program size. Realistically, the
  26 // kernel probably has much lower limits. But by limiting to less than
  27 // 30 bits, we can ease requirements on some of our data types.
  28 #define SECCOMP_MAX_PROGRAM_SIZE (1<<30)
  29
  30 #if defined(__i386__)
  31 #define SECCOMP_ARCH        AUDIT_ARCH_I386
  32
  33 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
  34 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, REG_EAX)
  35 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, REG_EAX)
  36 #define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, REG_EIP)
  37 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, REG_EBX)
  38 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, REG_ECX)
  39 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, REG_EDX)
  40 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, REG_ESI)
  41 #define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, REG_EDI)
  42 #define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, REG_EBP)
  43 #define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
  44 #define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
  45 #define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
  46                                           instruction_pointer) + 4)
  47 #define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
  48                                           instruction_pointer) + 0)
  49 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
  50                                  8*(nr) + 4)
  51 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
  52                                  8*(nr) + 0)
  53
  54
  55 #if defined(__BIONIC__) || defined(__native_client_nonsfi__)
  56 // Old Bionic versions and PNaCl toolchain don't have sys/user.h, so we just
  57 // define regs_struct directly.  This can be removed once we no longer need to
  58 // support these old Bionic versions and PNaCl toolchain.
  59 struct regs_struct {
  60   long int ebx;
  61   long int ecx;
  62   long int edx;
  63   long int esi;
  64   long int edi;
  65   long int ebp;
  66   long int eax;
  67   long int xds;
  68   long int xes;
  69   long int xfs;
  70   long int xgs;
  71   long int orig_eax;
  72   long int eip;
  73   long int xcs;
  74   long int eflags;
  75   long int esp;
  76   long int xss;
  77 };
  78 #else
  79 typedef user_regs_struct regs_struct;
  80 #endif
  81
  82 #define SECCOMP_PT_RESULT(_regs)  (_regs).eax
  83 #define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_eax
  84 #define SECCOMP_PT_IP(_regs)      (_regs).eip
  85 #define SECCOMP_PT_PARM1(_regs)   (_regs).ebx
  86 #define SECCOMP_PT_PARM2(_regs)   (_regs).ecx
  87 #define SECCOMP_PT_PARM3(_regs)   (_regs).edx
  88 #define SECCOMP_PT_PARM4(_regs)   (_regs).esi
  89 #define SECCOMP_PT_PARM5(_regs)   (_regs).edi
  90 #define SECCOMP_PT_PARM6(_regs)   (_regs).ebp
  91
  92 #elif defined(__x86_64__)
  93 #define SECCOMP_ARCH        AUDIT_ARCH_X86_64
  94
  95 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
  96 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, REG_RAX)
  97 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, REG_RAX)
  98 #define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, REG_RIP)
  99 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, REG_RDI)
 100 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, REG_RSI)
 101 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, REG_RDX)
 102 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, REG_R10)
 103 #define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, REG_R8)
 104 #define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, REG_R9)
 105 #define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
 106 #define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
 107 #define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
 108                                           instruction_pointer) + 4)
 109 #define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
 110                                           instruction_pointer) + 0)
 111 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 112                                  8*(nr) + 4)
 113 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 114                                  8*(nr) + 0)
 115
 116 typedef user_regs_struct regs_struct;
 117 #define SECCOMP_PT_RESULT(_regs)  (_regs).rax
 118 #define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_rax
 119 #define SECCOMP_PT_IP(_regs)      (_regs).rip
 120 #define SECCOMP_PT_PARM1(_regs)   (_regs).rdi
 121 #define SECCOMP_PT_PARM2(_regs)   (_regs).rsi
 122 #define SECCOMP_PT_PARM3(_regs)   (_regs).rdx
 123 #define SECCOMP_PT_PARM4(_regs)   (_regs).r10
 124 #define SECCOMP_PT_PARM5(_regs)   (_regs).r8
 125 #define SECCOMP_PT_PARM6(_regs)   (_regs).r9
 126
 127 #elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
 128 #define SECCOMP_ARCH AUDIT_ARCH_ARM
 129
 130 // ARM sigcontext_t is different from i386/x86_64.
 131 // See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
 132 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
 133 // ARM EABI syscall convention.
 134 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, r0)
 135 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, r7)
 136 #define SECCOMP_IP(_ctx)        SECCOMP_REG(_ctx, pc)
 137 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, r0)
 138 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, r1)
 139 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, r2)
 140 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, r3)
 141 #define SECCOMP_PARM5(_ctx)     SECCOMP_REG(_ctx, r4)
 142 #define SECCOMP_PARM6(_ctx)     SECCOMP_REG(_ctx, r5)
 143 #define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
 144 #define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
 145 #define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
 146                                           instruction_pointer) + 4)
 147 #define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
 148                                           instruction_pointer) + 0)
 149 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 150                                  8*(nr) + 4)
 151 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 152                                  8*(nr) + 0)
 153
 154 #if defined(__BIONIC__) || defined(__native_client_nonsfi__)
 155 // Old Bionic versions and PNaCl toolchain don't have sys/user.h, so we just
 156 // define regs_struct directly.  This can be removed once we no longer need to
 157 // support these old Bionic versions and PNaCl toolchain.
 158 struct regs_struct {
 159   unsigned long uregs[18];
 160 };
 161 #else
 162 typedef user_regs regs_struct;
 163 #endif
 164
 165 #define REG_cpsr    uregs[16]
 166 #define REG_pc      uregs[15]
 167 #define REG_lr      uregs[14]
 168 #define REG_sp      uregs[13]
 169 #define REG_ip      uregs[12]
 170 #define REG_fp      uregs[11]
 171 #define REG_r10     uregs[10]
 172 #define REG_r9      uregs[9]
 173 #define REG_r8      uregs[8]
 174 #define REG_r7      uregs[7]
 175 #define REG_r6      uregs[6]
 176 #define REG_r5      uregs[5]
 177 #define REG_r4      uregs[4]
 178 #define REG_r3      uregs[3]
 179 #define REG_r2      uregs[2]
 180 #define REG_r1      uregs[1]
 181 #define REG_r0      uregs[0]
 182 #define REG_ORIG_r0 uregs[17]
 183
 184 #define SECCOMP_PT_RESULT(_regs)  (_regs).REG_r0
 185 #define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_r7
 186 #define SECCOMP_PT_IP(_regs)      (_regs).REG_pc
 187 #define SECCOMP_PT_PARM1(_regs)   (_regs).REG_r0
 188 #define SECCOMP_PT_PARM2(_regs)   (_regs).REG_r1
 189 #define SECCOMP_PT_PARM3(_regs)   (_regs).REG_r2
 190 #define SECCOMP_PT_PARM4(_regs)   (_regs).REG_r3
 191 #define SECCOMP_PT_PARM5(_regs)   (_regs).REG_r4
 192 #define SECCOMP_PT_PARM6(_regs)   (_regs).REG_r5
 193
 194 #elif defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
 195 #define SECCOMP_ARCH        AUDIT_ARCH_MIPSEL
 196 #define SYSCALL_EIGHT_ARGS
 197 // MIPS sigcontext_t is different from i386/x86_64 and ARM.
 198 // See </arch/mips/include/uapi/asm/sigcontext.h> in the Linux kernel.
 199 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[_reg])
 200 // Based on MIPS o32 ABI syscall convention.
 201 // On MIPS, when indirect syscall is being made (syscall(__NR_foo)),
 202 // real identificator (__NR_foo) is not in v0, but in a0
 203 #define SECCOMP_RESULT(_ctx)    SECCOMP_REG(_ctx, 2)
 204 #define SECCOMP_SYSCALL(_ctx)   SECCOMP_REG(_ctx, 2)
 205 #define SECCOMP_IP(_ctx)        (_ctx)->uc_mcontext.pc
 206 #define SECCOMP_PARM1(_ctx)     SECCOMP_REG(_ctx, 4)
 207 #define SECCOMP_PARM2(_ctx)     SECCOMP_REG(_ctx, 5)
 208 #define SECCOMP_PARM3(_ctx)     SECCOMP_REG(_ctx, 6)
 209 #define SECCOMP_PARM4(_ctx)     SECCOMP_REG(_ctx, 7)
 210 // Only the first 4 arguments of syscall are in registers.
 211 // The rest are on the stack.
 212 #define SECCOMP_STACKPARM(_ctx, n)  (((long *)SECCOMP_REG(_ctx, 29))[(n)])
 213 #define SECCOMP_PARM5(_ctx)         SECCOMP_STACKPARM(_ctx, 4)
 214 #define SECCOMP_PARM6(_ctx)         SECCOMP_STACKPARM(_ctx, 5)
 215 #define SECCOMP_PARM7(_ctx)         SECCOMP_STACKPARM(_ctx, 6)
 216 #define SECCOMP_PARM8(_ctx)         SECCOMP_STACKPARM(_ctx, 7)
 217 #define SECCOMP_NR_IDX          (offsetof(struct arch_seccomp_data, nr))
 218 #define SECCOMP_ARCH_IDX        (offsetof(struct arch_seccomp_data, arch))
 219 #define SECCOMP_IP_MSB_IDX      (offsetof(struct arch_seccomp_data,           \
 220                                           instruction_pointer) + 4)
 221 #define SECCOMP_IP_LSB_IDX      (offsetof(struct arch_seccomp_data,           \
 222                                           instruction_pointer) + 0)
 223 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 224                                  8*(nr) + 4)
 225 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) +   \
 226                                  8*(nr) + 0)
 227
 228 // On Mips we don't have structures like user_regs or user_regs_struct in
 229 // sys/user.h that we could use, so we just define regs_struct directly.
 230 struct regs_struct {
 231   unsigned long long regs[32];
 232 };
 233
 234 #define REG_a3 regs[7]
 235 #define REG_a2 regs[6]
 236 #define REG_a1 regs[5]
 237 #define REG_a0 regs[4]
 238 #define REG_v1 regs[3]
 239 #define REG_v0 regs[2]
 240
 241 #define SECCOMP_PT_RESULT(_regs)  (_regs).REG_v0
 242 #define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_v0
 243 #define SECCOMP_PT_PARM1(_regs)   (_regs).REG_a0
 244 #define SECCOMP_PT_PARM2(_regs)   (_regs).REG_a1
 245 #define SECCOMP_PT_PARM3(_regs)   (_regs).REG_a2
 246 #define SECCOMP_PT_PARM4(_regs)   (_regs).REG_a3
 247
 248 #elif defined(__aarch64__)
 249 struct regs_struct {
 250   unsigned long long regs[31];
 251   unsigned long long sp;
 252   unsigned long long pc;
 253   unsigned long long pstate;
 254 };
 255
 256 #define SECCOMP_ARCH AUDIT_ARCH_AARCH64
 257
 258 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.regs[_reg])
 259
 260 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, 0)
 261 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, 8)
 262 #define SECCOMP_IP(_ctx) (_ctx)->uc_mcontext.pc
 263 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, 0)
 264 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, 1)
 265 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, 2)
 266 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, 3)
 267 #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, 4)
 268 #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, 5)
 269
 270 #define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
 271 #define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
 272 #define SECCOMP_IP_MSB_IDX \
 273   (offsetof(struct arch_seccomp_data, instruction_pointer) + 4)
 274 #define SECCOMP_IP_LSB_IDX \
 275   (offsetof(struct arch_seccomp_data, instruction_pointer) + 0)
 276 #define SECCOMP_ARG_MSB_IDX(nr) \
 277   (offsetof(struct arch_seccomp_data, args) + 8 * (nr) + 4)
 278 #define SECCOMP_ARG_LSB_IDX(nr) \
 279   (offsetof(struct arch_seccomp_data, args) + 8 * (nr) + 0)
 280
 281 #define SECCOMP_PT_RESULT(_regs) (_regs).regs[0]
 282 #define SECCOMP_PT_SYSCALL(_regs) (_regs).regs[8]
 283 #define SECCOMP_PT_IP(_regs) (_regs).pc
 284 #define SECCOMP_PT_PARM1(_regs) (_regs).regs[0]
 285 #define SECCOMP_PT_PARM2(_regs) (_regs).regs[1]
 286 #define SECCOMP_PT_PARM3(_regs) (_regs).regs[2]
 287 #define SECCOMP_PT_PARM4(_regs) (_regs).regs[3]
 288 #define SECCOMP_PT_PARM5(_regs) (_regs).regs[4]
 289 #define SECCOMP_PT_PARM6(_regs) (_regs).regs[5]
 290 #else
 291 #error Unsupported target platform
 292
 293 #endif
 294
 295 #endif  // SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_