Adding Peter Thatcher to the owners file.
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf / trap.h
blob4073bfe1201caa067ba6728672b316e84d1227e0
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
6 #define SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
8 #include <signal.h>
9 #include <stdint.h>
11 #include <map>
13 #include "base/macros.h"
14 #include "sandbox/linux/bpf_dsl/trap_registry.h"
15 #include "sandbox/sandbox_export.h"
17 namespace sandbox {
19 // The Trap class allows a BPF filter program to branch out to user space by
20 // raising a SIGSYS signal.
21 // N.B.: This class does not perform any synchronization operations. If
22 // modifications are made to any of the traps, it is the caller's
23 // responsibility to ensure that this happens in a thread-safe fashion.
24 // Preferably, that means that no other threads should be running at that
25 // time. For the purposes of our sandbox, this assertion should always be
26 // true. Threads are incompatible with the seccomp sandbox anyway.
27 class SANDBOX_EXPORT Trap : public bpf_dsl::TrapRegistry {
28 public:
29 uint16_t Add(TrapFnc fnc, const void* aux, bool safe) override;
31 bool EnableUnsafeTraps() override;
33 // Registry returns the trap registry used by Trap's SIGSYS handler,
34 // creating it if necessary.
35 static bpf_dsl::TrapRegistry* Registry();
37 // SandboxDebuggingAllowedByUser returns whether the
38 // "CHROME_SANDBOX_DEBUGGING" environment variable is set.
39 static bool SandboxDebuggingAllowedByUser();
41 private:
42 struct TrapKey {
43 TrapKey() : fnc(NULL), aux(NULL), safe(false) {}
44 TrapKey(TrapFnc f, const void* a, bool s) : fnc(f), aux(a), safe(s) {}
45 TrapFnc fnc;
46 const void* aux;
47 bool safe;
48 bool operator<(const TrapKey&) const;
50 typedef std::map<TrapKey, uint16_t> TrapIds;
52 // Our constructor is private. A shared global instance is created
53 // automatically as needed.
54 Trap();
56 // The destructor is unimplemented as destroying this object would
57 // break subsequent system calls that trigger a SIGSYS.
58 ~Trap() = delete;
60 static void SigSysAction(int nr, siginfo_t* info, void* void_context);
62 // Make sure that SigSys is not inlined in order to get slightly better crash
63 // dumps.
64 void SigSys(int nr, siginfo_t* info, void* void_context)
65 __attribute__((noinline));
66 // We have a global singleton that handles all of our SIGSYS traps. This
67 // variable must never be deallocated after it has been set up initially, as
68 // there is no way to reset in-kernel BPF filters that generate SIGSYS
69 // events.
70 static Trap* global_trap_;
72 TrapIds trap_ids_; // Maps from TrapKeys to numeric ids
73 TrapKey* trap_array_; // Array of TrapKeys indexed by ids
74 size_t trap_array_size_; // Currently used size of array
75 size_t trap_array_capacity_; // Currently allocated capacity of array
76 bool has_unsafe_traps_; // Whether unsafe traps have been enabled
78 // Copying and assigning is unimplemented. It doesn't make sense for a
79 // singleton.
80 DISALLOW_COPY_AND_ASSIGN(Trap);
83 } // namespace sandbox
85 #endif // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__