sandbox_bpf: rework how unsafe traps are compiled/verified
One tricky quirk of unsafe traps is we can't use SECCOMP_RET_ERROR,
otherwise the unsafe trap handlers won't be able to make use of the
filtered system calls. To work around this, when unsafe traps are
enabled, we use a "ReturnErrno" trap instead of SECCOMP_RET_ERROR,
and the SIGSYS signal handler instead decides whether to allow the
system call or run the trap handler (i.e., return an error).
Currently, SandboxBPF implements this in a very roundabout manner
though: it compiles the policy normally, searches the compiled
instructions for any trap returns that corresponded to an unsafe trap,
then rewrites any error instructions to also use traps. This is
further complicated by the verifier, because it then needs a policy
wrapper so the verifier wouldn't be surprised when an "error" was
actually compiled as a "trap". (That policy wrapper is also the last
SandboxBPFPolicy, and not amenable to conversion to use bpf_dsl.)
This CL changes things to upfront check if the policy uses any unsafe
traps; and if so, it directly compiles "Error(x)" into a trap instead
of using SECCOMP_RET_ERROR.
BUG=414363
Review URL: https://codereview.chromium.org/628823003
Cr-Commit-Position: refs/heads/master@{#298763}