Home | History | Annotate | Download | only in seccomp-bpf 
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
      6 #define SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
      7 
      8 #include <signal.h>
      9 #include <stdint.h>
     10 
     11 #include <map>
     12 #include <vector>
     13 
     14 #include "sandbox/linux/seccomp-bpf/port.h"
     15 
     16 
     17 namespace playground2 {
     18 
     19 class ErrorCode;
     20 
     21 // The Trap class allows a BPF filter program to branch out to user space by
     22 // raising a SIGSYS signal.
     23 // N.B.: This class does not perform any synchronization operations. If
     24 //   modifications are made to any of the traps, it is the caller's
     25 //   responsibility to ensure that this happens in a thread-safe fashion.
     26 //   Preferably, that means that no other threads should be running at that
     27 //   time. For the purposes of our sandbox, this assertion should always be
     28 //   true. Threads are incompatible with the seccomp sandbox anyway.
     29 class Trap {
     30  public:
     31   // TrapFnc is a pointer to a function that handles Seccomp traps in
     32   // user-space. The seccomp policy can request that a trap handler gets
     33   // installed; it does so by returning a suitable ErrorCode() from the
     34   // syscallEvaluator. See the ErrorCode() constructor for how to pass in
     35   // the function pointer.
     36   // Please note that TrapFnc is executed from signal context and must be
     37   // async-signal safe:
     38   // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
     39   // Also note that it follows the calling convention of native system calls.
     40   // In other words, it reports an error by returning an exit code in the
     41   // range -1..-4096. It should not set errno when reporting errors; on the
     42   // other hand, accidentally modifying errno is harmless and the changes will
     43   // be undone afterwards.
     44   typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void *aux);
     45 
     46   // Registers a new trap handler and sets up the appropriate SIGSYS handler
     47   // as needed.
     48   // N.B.: This makes a permanent state change. Traps cannot be unregistered,
     49   //   as that would break existing BPF filters that are still active.
     50   static ErrorCode MakeTrap(TrapFnc fnc, const void *aux, bool safe);
     51 
     52   // Enables support for unsafe traps in the SIGSYS signal handler. This is a
     53   // one-way fuse. It works in conjunction with the BPF compiler emitting code
     54   // that unconditionally allows system calls, if they have a magic return
     55   // address (i.e. SandboxSyscall(-1)).
     56   // Once unsafe traps are enabled, the sandbox is essentially compromised.
     57   // But this is still a very useful feature for debugging purposes. Use with
     58   // care. This feature is availably only if enabled by the user (see above).
     59   // Returns "true", if unsafe traps were turned on.
     60   static bool EnableUnsafeTrapsInSigSysHandler();
     61 
     62   // Returns the ErrorCode associate with a particular trap id.
     63   static ErrorCode ErrorCodeFromTrapId(uint16_t id);
     64 
     65  private:
     66   // The destructor is unimplemented. Don't ever attempt to destruct this
     67   // object. It'll break subsequent system calls that trigger a SIGSYS.
     68   ~Trap();
     69 
     70   struct TrapKey {
     71     TrapKey(TrapFnc f, const void *a, bool s)
     72         : fnc(f),
     73           aux(a),
     74           safe(s) {
     75     }
     76     TrapFnc    fnc;
     77     const void *aux;
     78     bool       safe;
     79     bool operator<(const TrapKey&) const;
     80   };
     81   typedef std::map<TrapKey, uint16_t> TrapIds;
     82 
     83   // We only have a very small number of methods. We opt to make them static
     84   // and have them internally call GetInstance(). This is a little more
     85   // convenient than having each caller obtain short-lived reference to the
     86   // singleton.
     87   // It also gracefully deals with methods that should check for the singleton,
     88   // but avoid instantiating it, if it doesn't exist yet
     89   // (e.g. ErrorCodeFromTrapId()).
     90   static Trap *GetInstance();
     91   static void SigSysAction(int nr, siginfo_t *info, void *void_context);
     92 
     93   void SigSys(int nr, siginfo_t *info, void *void_context);
     94   ErrorCode MakeTrapImpl(TrapFnc fnc, const void *aux, bool safe);
     95   bool SandboxDebuggingAllowedByUser() const;
     96 
     97 
     98 
     99   // We have a global singleton that handles all of our SIGSYS traps. This
    100   // variable must never be deallocated after it has been set up initially, as
    101   // there is no way to reset in-kernel BPF filters that generate SIGSYS
    102   // events.
    103   static Trap *global_trap_;
    104 
    105   TrapIds   trap_ids_;             // Maps from TrapKeys to numeric ids
    106   ErrorCode *trap_array_;          // Array of ErrorCodes indexed by ids
    107   size_t    trap_array_size_;      // Currently used size of array
    108   size_t    trap_array_capacity_;  // Currently allocated capacity of array
    109   bool      has_unsafe_traps_;     // Whether unsafe traps have been enabled
    110 
    111   // Our constructor is private. A shared global instance is created
    112   // automatically as needed.
    113   // Copying and assigning is unimplemented. It doesn't make sense for a
    114   // singleton.
    115   DISALLOW_IMPLICIT_CONSTRUCTORS(Trap);
    116 };
    117 
    118 }  // namespace playground2
    119 
    120 #endif  // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
    121