1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ 6 #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ 7 8 #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" 9 #include "sandbox/linux/seccomp-bpf/trap.h" 10 11 namespace sandbox { 12 13 struct arch_seccomp_data; 14 15 // This class holds all the possible values that can be returned by a sandbox 16 // policy. 17 // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an 18 // errno value (in the range 0..4095), a pointer to a TrapFnc callback 19 // handling a SECCOMP_RET_TRAP trap, or a complex constraint. 20 // All of the commonly used values are stored in the "err_" field. So, code 21 // that is using the ErrorCode class typically operates on a single 32bit 22 // field. 23 class ErrorCode { 24 public: 25 enum { 26 // Allow this system call. The value of ERR_ALLOWED is pretty much 27 // completely arbitrary. But we want to pick it so that is is unlikely 28 // to be passed in accidentally, when the user intended to return an 29 // "errno" (see below) value instead. 30 ERR_ALLOWED = 0x04000000, 31 32 // Deny the system call with a particular "errno" value. 33 // N.B.: It is also possible to return "0" here. That would normally 34 // indicate success, but it won't actually run the system call. 35 // This is very different from return ERR_ALLOWED. 36 ERR_MIN_ERRNO = 0, 37 // TODO(markus): Android only supports errno up to 255 38 // (crbug.com/181647). 39 ERR_MAX_ERRNO = 4095, 40 }; 41 42 // While BPF filter programs always operate on 32bit quantities, the kernel 43 // always sees system call arguments as 64bit values. This statement is true 44 // no matter whether the host system is natively operating in 32bit or 64bit. 45 // The BPF compiler hides the fact that BPF instructions cannot directly 46 // access 64bit quantities. But policies are still advised to specify whether 47 // a system call expects a 32bit or a 64bit quantity. 48 enum ArgType { 49 // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that 50 // the conditional test should operate on the 32bit part of the system call 51 // argument. 52 // On 64bit architectures, this verifies that user space did not pass 53 // a 64bit value as an argument to the system call. If it did, that will be 54 // interpreted as an attempt at breaking the sandbox and results in the 55 // program getting terminated. 56 // In other words, only perform a 32bit test, if you are sure this 57 // particular system call would never legitimately take a 64bit 58 // argument. 59 // Implementation detail: TP_32BIT does two things. 1) it restricts the 60 // conditional test to operating on the LSB only, and 2) it adds code to 61 // the BPF filter program verifying that the MSB the kernel received from 62 // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit 63 // 31 was set in the system call argument. It deals with 32bit arguments 64 // having been sign extended. 65 TP_32BIT, 66 67 // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that 68 // the conditional test should operate on the full 64bit argument. It is 69 // generally harmless to perform a 64bit test on 32bit systems, as the 70 // kernel will always see the top 32 bits of all arguments as zero'd out. 71 // This approach has the desirable property that for tests of pointer 72 // values, we can always use TP_64BIT no matter the host architecture. 73 // But of course, that also means, it is possible to write conditional 74 // policies that turn into no-ops on 32bit systems; this is by design. 75 TP_64BIT, 76 }; 77 78 enum Operation { 79 // Test whether the system call argument is equal to the operand. 80 OP_EQUAL, 81 82 // Test whether the system call argument is greater (or equal) to the 83 // operand. Please note that all tests always operate on unsigned 84 // values. You can generally emulate signed tests, if that's what you 85 // need. 86 // TODO(markus): Check whether we should automatically emulate signed 87 // operations. 88 OP_GREATER_UNSIGNED, 89 OP_GREATER_EQUAL_UNSIGNED, 90 91 // Tests a system call argument against a bit mask. 92 // The "ALL_BITS" variant performs this test: "arg & mask == mask" 93 // This implies that a mask of zero always results in a passing test. 94 // The "ANY_BITS" variant performs this test: "arg & mask != 0" 95 // This implies that a mask of zero always results in a failing test. 96 OP_HAS_ALL_BITS, 97 OP_HAS_ANY_BITS, 98 99 // Total number of operations. 100 OP_NUM_OPS, 101 }; 102 103 enum ErrorType { 104 ET_INVALID, 105 ET_SIMPLE, 106 ET_TRAP, 107 ET_COND, 108 }; 109 110 // We allow the default constructor, as it makes the ErrorCode class 111 // much easier to use. But if we ever encounter an invalid ErrorCode 112 // when compiling a BPF filter, we deliberately generate an invalid 113 // program that will get flagged both by our Verifier class and by 114 // the Linux kernel. 115 ErrorCode() : error_type_(ET_INVALID), err_(SECCOMP_RET_INVALID) {} 116 explicit ErrorCode(int err); 117 118 // For all practical purposes, ErrorCodes are treated as if they were 119 // structs. The copy constructor and assignment operator are trivial and 120 // we do not need to explicitly specify them. 121 // Most notably, it is in fact perfectly OK to directly copy the passed_ and 122 // failed_ field. They only ever get set by our private constructor, and the 123 // callers handle life-cycle management for these objects. 124 125 // Destructor 126 ~ErrorCode() {} 127 128 bool Equals(const ErrorCode& err) const; 129 bool LessThan(const ErrorCode& err) const; 130 131 uint32_t err() const { return err_; } 132 ErrorType error_type() const { return error_type_; } 133 134 bool safe() const { return safe_; } 135 136 uint64_t value() const { return value_; } 137 int argno() const { return argno_; } 138 ArgType width() const { return width_; } 139 Operation op() const { return op_; } 140 const ErrorCode* passed() const { return passed_; } 141 const ErrorCode* failed() const { return failed_; } 142 143 struct LessThan { 144 bool operator()(const ErrorCode& a, const ErrorCode& b) const { 145 return a.LessThan(b); 146 } 147 }; 148 149 private: 150 friend class CodeGen; 151 friend class SandboxBPF; 152 friend class Trap; 153 154 // If we are wrapping a callback, we must assign a unique id. This id is 155 // how the kernel tells us which one of our different SECCOMP_RET_TRAP 156 // cases has been triggered. 157 ErrorCode(Trap::TrapFnc fnc, const void* aux, bool safe, uint16_t id); 158 159 // Some system calls require inspection of arguments. This constructor 160 // allows us to specify additional constraints. 161 ErrorCode(int argno, 162 ArgType width, 163 Operation op, 164 uint64_t value, 165 const ErrorCode* passed, 166 const ErrorCode* failed); 167 168 ErrorType error_type_; 169 170 union { 171 // Fields needed for SECCOMP_RET_TRAP callbacks 172 struct { 173 Trap::TrapFnc fnc_; // Callback function and arg, if trap was 174 void* aux_; // triggered by the kernel's BPF filter. 175 bool safe_; // Keep sandbox active while calling fnc_() 176 }; 177 178 // Fields needed when inspecting additional arguments. 179 struct { 180 uint64_t value_; // Value that we are comparing with. 181 int argno_; // Syscall arg number that we are inspecting. 182 ArgType width_; // Whether we are looking at a 32/64bit value. 183 Operation op_; // Comparison operation. 184 const ErrorCode* passed_; // Value to be returned if comparison passed, 185 const ErrorCode* failed_; // or if it failed. 186 }; 187 }; 188 189 // 32bit field used for all possible types of ErrorCode values. This is 190 // the value that uniquely identifies any ErrorCode and it (typically) can 191 // be emitted directly into a BPF filter program. 192 uint32_t err_; 193 }; 194 195 } // namespace sandbox 196 197 #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ 198
