// Copyright (c) 2012 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" #include "sandbox/linux/seccomp-bpf/trap.h" #include "sandbox/sandbox_export.h" namespace sandbox { struct arch_seccomp_data; // This class holds all the possible values that can be returned by a sandbox // policy. // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an // errno value (in the range 0..4095), a pointer to a TrapFnc callback // handling a SECCOMP_RET_TRAP trap, or a complex constraint. // All of the commonly used values are stored in the "err_" field. So, code // that is using the ErrorCode class typically operates on a single 32bit // field. class SANDBOX_EXPORT ErrorCode { public: enum { // Allow this system call. The value of ERR_ALLOWED is pretty much // completely arbitrary. But we want to pick it so that is is unlikely // to be passed in accidentally, when the user intended to return an // "errno" (see below) value instead. ERR_ALLOWED = 0x04000000, // If the progress is being ptraced with PTRACE_O_TRACESECCOMP, then the // tracer will be notified of a PTRACE_EVENT_SECCOMP and allowed to change // or skip the system call. The lower 16 bits of err will be available to // the tracer via PTRACE_GETEVENTMSG. ERR_TRACE = 0x08000000, // Deny the system call with a particular "errno" value. // N.B.: It is also possible to return "0" here. That would normally // indicate success, but it won't actually run the system call. // This is very different from return ERR_ALLOWED. ERR_MIN_ERRNO = 0, // TODO(markus): Android only supports errno up to 255 // (crbug.com/181647). ERR_MAX_ERRNO = 4095, }; // While BPF filter programs always operate on 32bit quantities, the kernel // always sees system call arguments as 64bit values. This statement is true // no matter whether the host system is natively operating in 32bit or 64bit. // The BPF compiler hides the fact that BPF instructions cannot directly // access 64bit quantities. But policies are still advised to specify whether // a system call expects a 32bit or a 64bit quantity. enum ArgType { // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that // the conditional test should operate on the 32bit part of the system call // argument. // On 64bit architectures, this verifies that user space did not pass // a 64bit value as an argument to the system call. If it did, that will be // interpreted as an attempt at breaking the sandbox and results in the // program getting terminated. // In other words, only perform a 32bit test, if you are sure this // particular system call would never legitimately take a 64bit // argument. // Implementation detail: TP_32BIT does two things. 1) it restricts the // conditional test to operating on the LSB only, and 2) it adds code to // the BPF filter program verifying that the MSB the kernel received from // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit // 31 was set in the system call argument. It deals with 32bit arguments // having been sign extended. TP_32BIT, // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that // the conditional test should operate on the full 64bit argument. It is // generally harmless to perform a 64bit test on 32bit systems, as the // kernel will always see the top 32 bits of all arguments as zero'd out. // This approach has the desirable property that for tests of pointer // values, we can always use TP_64BIT no matter the host architecture. // But of course, that also means, it is possible to write conditional // policies that turn into no-ops on 32bit systems; this is by design. TP_64BIT, }; enum Operation { // Test whether the system call argument is equal to the operand. OP_EQUAL, // Test whether the system call argument is greater (or equal) to the // operand. Please note that all tests always operate on unsigned // values. You can generally emulate signed tests, if that's what you // need. // TODO(markus): Check whether we should automatically emulate signed // operations. OP_GREATER_UNSIGNED, OP_GREATER_EQUAL_UNSIGNED, // Tests a system call argument against a bit mask. // The "ALL_BITS" variant performs this test: "arg & mask == mask" // This implies that a mask of zero always results in a passing test. // The "ANY_BITS" variant performs this test: "arg & mask != 0" // This implies that a mask of zero always results in a failing test. OP_HAS_ALL_BITS, OP_HAS_ANY_BITS, // Total number of operations. OP_NUM_OPS, }; enum ErrorType { ET_INVALID, ET_SIMPLE, ET_TRAP, ET_COND, }; // We allow the default constructor, as it makes the ErrorCode class // much easier to use. But if we ever encounter an invalid ErrorCode // when compiling a BPF filter, we deliberately generate an invalid // program that will get flagged both by our Verifier class and by // the Linux kernel. ErrorCode() : error_type_(ET_INVALID), err_(SECCOMP_RET_INVALID) {} explicit ErrorCode(int err); // For all practical purposes, ErrorCodes are treated as if they were // structs. The copy constructor and assignment operator are trivial and // we do not need to explicitly specify them. // Most notably, it is in fact perfectly OK to directly copy the passed_ and // failed_ field. They only ever get set by our private constructor, and the // callers handle life-cycle management for these objects. // Destructor ~ErrorCode() {} bool Equals(const ErrorCode& err) const; bool LessThan(const ErrorCode& err) const; uint32_t err() const { return err_; } ErrorType error_type() const { return error_type_; } bool safe() const { return safe_; } uint64_t value() const { return value_; } int argno() const { return argno_; } ArgType width() const { return width_; } Operation op() const { return op_; } const ErrorCode* passed() const { return passed_; } const ErrorCode* failed() const { return failed_; } struct LessThan { bool operator()(const ErrorCode& a, const ErrorCode& b) const { return a.LessThan(b); } }; private: friend class CodeGen; friend class SandboxBPF; friend class Trap; // If we are wrapping a callback, we must assign a unique id. This id is // how the kernel tells us which one of our different SECCOMP_RET_TRAP // cases has been triggered. ErrorCode(Trap::TrapFnc fnc, const void* aux, bool safe, uint16_t id); // Some system calls require inspection of arguments. This constructor // allows us to specify additional constraints. ErrorCode(int argno, ArgType width, Operation op, uint64_t value, const ErrorCode* passed, const ErrorCode* failed); ErrorType error_type_; union { // Fields needed for SECCOMP_RET_TRAP callbacks struct { Trap::TrapFnc fnc_; // Callback function and arg, if trap was void* aux_; // triggered by the kernel's BPF filter. bool safe_; // Keep sandbox active while calling fnc_() }; // Fields needed when inspecting additional arguments. struct { uint64_t value_; // Value that we are comparing with. int argno_; // Syscall arg number that we are inspecting. ArgType width_; // Whether we are looking at a 32/64bit value. Operation op_; // Comparison operation. const ErrorCode* passed_; // Value to be returned if comparison passed, const ErrorCode* failed_; // or if it failed. }; }; // 32bit field used for all possible types of ErrorCode values. This is // the value that uniquely identifies any ErrorCode and it (typically) can // be emitted directly into a BPF filter program. uint32_t err_; }; } // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__