Updating XTBs based on .GRDs from branch master
[chromium-blink-merge.git] / sandbox / linux / seccomp-bpf / errorcode.h
blobd88777313e3ef10abe6bc5b55689f097810ffdcf
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
6 #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__
8 #include "sandbox/linux/seccomp-bpf/trap.h"
9 #include "sandbox/sandbox_export.h"
11 namespace sandbox {
12 namespace bpf_dsl {
13 class PolicyCompiler;
16 // This class holds all the possible values that can be returned by a sandbox
17 // policy.
18 // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an
19 // errno value (in the range 0..4095), a pointer to a TrapFnc callback
20 // handling a SECCOMP_RET_TRAP trap, or a complex constraint.
21 // All of the commonly used values are stored in the "err_" field. So, code
22 // that is using the ErrorCode class typically operates on a single 32bit
23 // field.
25 // TODO(mdempsky): Nuke from orbit. The only reason this class still
26 // exists is for Verifier, which will eventually be replaced by a true
27 // BPF symbolic evaluator and constraint solver.
28 class SANDBOX_EXPORT ErrorCode {
29 public:
30 enum {
31 // Allow this system call. The value of ERR_ALLOWED is pretty much
32 // completely arbitrary. But we want to pick it so that is is unlikely
33 // to be passed in accidentally, when the user intended to return an
34 // "errno" (see below) value instead.
35 ERR_ALLOWED = 0x04000000,
37 // If the progress is being ptraced with PTRACE_O_TRACESECCOMP, then the
38 // tracer will be notified of a PTRACE_EVENT_SECCOMP and allowed to change
39 // or skip the system call. The lower 16 bits of err will be available to
40 // the tracer via PTRACE_GETEVENTMSG.
41 ERR_TRACE = 0x08000000,
43 // Deny the system call with a particular "errno" value.
44 // N.B.: It is also possible to return "0" here. That would normally
45 // indicate success, but it won't actually run the system call.
46 // This is very different from return ERR_ALLOWED.
47 ERR_MIN_ERRNO = 0,
48 #if defined(__mips__)
49 // MIPS only supports errno up to 1133
50 ERR_MAX_ERRNO = 1133,
51 #else
52 // TODO(markus): Android only supports errno up to 255
53 // (crbug.com/181647).
54 ERR_MAX_ERRNO = 4095,
55 #endif
58 // While BPF filter programs always operate on 32bit quantities, the kernel
59 // always sees system call arguments as 64bit values. This statement is true
60 // no matter whether the host system is natively operating in 32bit or 64bit.
61 // The BPF compiler hides the fact that BPF instructions cannot directly
62 // access 64bit quantities. But policies are still advised to specify whether
63 // a system call expects a 32bit or a 64bit quantity.
64 enum ArgType {
65 // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that
66 // the conditional test should operate on the 32bit part of the system call
67 // argument.
68 // On 64bit architectures, this verifies that user space did not pass
69 // a 64bit value as an argument to the system call. If it did, that will be
70 // interpreted as an attempt at breaking the sandbox and results in the
71 // program getting terminated.
72 // In other words, only perform a 32bit test, if you are sure this
73 // particular system call would never legitimately take a 64bit
74 // argument.
75 // Implementation detail: TP_32BIT does two things. 1) it restricts the
76 // conditional test to operating on the LSB only, and 2) it adds code to
77 // the BPF filter program verifying that the MSB the kernel received from
78 // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit
79 // 31 was set in the system call argument. It deals with 32bit arguments
80 // having been sign extended.
81 TP_32BIT,
83 // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that
84 // the conditional test should operate on the full 64bit argument. It is
85 // generally harmless to perform a 64bit test on 32bit systems, as the
86 // kernel will always see the top 32 bits of all arguments as zero'd out.
87 // This approach has the desirable property that for tests of pointer
88 // values, we can always use TP_64BIT no matter the host architecture.
89 // But of course, that also means, it is possible to write conditional
90 // policies that turn into no-ops on 32bit systems; this is by design.
91 TP_64BIT,
94 // Deprecated.
95 enum Operation {
96 // Test whether the system call argument is equal to the operand.
97 OP_EQUAL,
99 // Tests a system call argument against a bit mask.
100 // The "ALL_BITS" variant performs this test: "arg & mask == mask"
101 // This implies that a mask of zero always results in a passing test.
102 // The "ANY_BITS" variant performs this test: "arg & mask != 0"
103 // This implies that a mask of zero always results in a failing test.
104 OP_HAS_ALL_BITS,
105 OP_HAS_ANY_BITS,
108 enum ErrorType {
109 ET_INVALID,
110 ET_SIMPLE,
111 ET_TRAP,
112 ET_COND,
115 // We allow the default constructor, as it makes the ErrorCode class
116 // much easier to use. But if we ever encounter an invalid ErrorCode
117 // when compiling a BPF filter, we deliberately generate an invalid
118 // program that will get flagged both by our Verifier class and by
119 // the Linux kernel.
120 ErrorCode();
121 explicit ErrorCode(int err);
123 // For all practical purposes, ErrorCodes are treated as if they were
124 // structs. The copy constructor and assignment operator are trivial and
125 // we do not need to explicitly specify them.
126 // Most notably, it is in fact perfectly OK to directly copy the passed_ and
127 // failed_ field. They only ever get set by our private constructor, and the
128 // callers handle life-cycle management for these objects.
130 // Destructor
131 ~ErrorCode() {}
133 bool Equals(const ErrorCode& err) const;
134 bool LessThan(const ErrorCode& err) const;
136 uint32_t err() const { return err_; }
137 ErrorType error_type() const { return error_type_; }
139 bool safe() const { return safe_; }
141 uint64_t mask() const { return mask_; }
142 uint64_t value() const { return value_; }
143 int argno() const { return argno_; }
144 ArgType width() const { return width_; }
145 const ErrorCode* passed() const { return passed_; }
146 const ErrorCode* failed() const { return failed_; }
148 struct LessThan {
149 bool operator()(const ErrorCode& a, const ErrorCode& b) const {
150 return a.LessThan(b);
154 private:
155 friend bpf_dsl::PolicyCompiler;
156 friend class CodeGen;
157 friend class SandboxBPF;
158 friend class Trap;
160 // If we are wrapping a callback, we must assign a unique id. This id is
161 // how the kernel tells us which one of our different SECCOMP_RET_TRAP
162 // cases has been triggered.
163 ErrorCode(uint16_t trap_id, Trap::TrapFnc fnc, const void* aux, bool safe);
165 // Some system calls require inspection of arguments. This constructor
166 // allows us to specify additional constraints.
167 ErrorCode(int argno,
168 ArgType width,
169 uint64_t mask,
170 uint64_t value,
171 const ErrorCode* passed,
172 const ErrorCode* failed);
174 ErrorType error_type_;
176 union {
177 // Fields needed for SECCOMP_RET_TRAP callbacks
178 struct {
179 Trap::TrapFnc fnc_; // Callback function and arg, if trap was
180 void* aux_; // triggered by the kernel's BPF filter.
181 bool safe_; // Keep sandbox active while calling fnc_()
184 // Fields needed when inspecting additional arguments.
185 struct {
186 uint64_t mask_; // Mask that we are comparing under.
187 uint64_t value_; // Value that we are comparing with.
188 int argno_; // Syscall arg number that we are inspecting.
189 ArgType width_; // Whether we are looking at a 32/64bit value.
190 const ErrorCode* passed_; // Value to be returned if comparison passed,
191 const ErrorCode* failed_; // or if it failed.
195 // 32bit field used for all possible types of ErrorCode values. This is
196 // the value that uniquely identifies any ErrorCode and it (typically) can
197 // be emitted directly into a BPF filter program.
198 uint32_t err_;
201 } // namespace sandbox
203 #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__