1 /* Copyright 2012 The ChromiumOS Authors
2 * Use of this source code is governed by a BSD-style license that can be
3 * found in the LICENSE file.
4 */
5
6 #include <stdint.h>
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <string.h>
10
11 #include "bpf.h"
12 #include "util.h"
13
14 /* Architecture validation. */
bpf_validate_arch(struct sock_filter * filter)15 size_t bpf_validate_arch(struct sock_filter *filter)
16 {
17 struct sock_filter *curr_block = filter;
18 set_bpf_stmt(curr_block++, BPF_LD + BPF_W + BPF_ABS, arch_nr);
19 set_bpf_jump(curr_block++, BPF_JMP + BPF_JEQ + BPF_K, MINIJAIL_ARCH_NR,
20 SKIP, NEXT);
21 set_bpf_ret_kill(curr_block++);
22 return curr_block - filter;
23 }
24
25 /* Syscall number eval functions. */
bpf_allow_syscall(struct sock_filter * filter,int nr)26 size_t bpf_allow_syscall(struct sock_filter *filter, int nr)
27 {
28 struct sock_filter *curr_block = filter;
29 set_bpf_jump(curr_block++, BPF_JMP + BPF_JEQ + BPF_K, nr, NEXT, SKIP);
30 set_bpf_stmt(curr_block++, BPF_RET + BPF_K, SECCOMP_RET_ALLOW);
31 return curr_block - filter;
32 }
33
bpf_allow_syscall_args(struct sock_filter * filter,int nr,unsigned int id)34 size_t bpf_allow_syscall_args(struct sock_filter *filter, int nr,
35 unsigned int id)
36 {
37 struct sock_filter *curr_block = filter;
38 set_bpf_jump(curr_block++, BPF_JMP + BPF_JEQ + BPF_K, nr, NEXT, SKIP);
39 set_bpf_jump_lbl(curr_block++, id);
40 return curr_block - filter;
41 }
42
43 /* Size-aware arg loaders. */
44 #if defined(BITS32)
bpf_load_arg(struct sock_filter * filter,int argidx)45 size_t bpf_load_arg(struct sock_filter *filter, int argidx)
46 {
47 set_bpf_stmt(filter, BPF_LD + BPF_W + BPF_ABS, LO_ARG(argidx));
48 return 1U;
49 }
50 #elif defined(BITS64)
bpf_load_arg(struct sock_filter * filter,int argidx)51 size_t bpf_load_arg(struct sock_filter *filter, int argidx)
52 {
53 struct sock_filter *curr_block = filter;
54 set_bpf_stmt(curr_block++, BPF_LD + BPF_W + BPF_ABS, LO_ARG(argidx));
55 set_bpf_stmt(curr_block++, BPF_ST, 0); /* lo -> M[0] */
56 set_bpf_stmt(curr_block++, BPF_LD + BPF_W + BPF_ABS, HI_ARG(argidx));
57 set_bpf_stmt(curr_block++, BPF_ST, 1); /* hi -> M[1] */
58 return curr_block - filter;
59 }
60 #endif
61
62 /* Size-aware comparisons. */
bpf_comp_jeq32(struct sock_filter * filter,unsigned long c,unsigned char jt,unsigned char jf)63 size_t bpf_comp_jeq32(struct sock_filter *filter, unsigned long c,
64 unsigned char jt, unsigned char jf)
65 {
66 unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
67 set_bpf_jump(filter, BPF_JMP + BPF_JEQ + BPF_K, lo, jt, jf);
68 return 1U;
69 }
70
71 /*
72 * On 64 bits, we have to do two 32-bit comparisons.
73 * We jump true when *both* comparisons are true.
74 */
75 #if defined(BITS64)
bpf_comp_jeq64(struct sock_filter * filter,uint64_t c,unsigned char jt,unsigned char jf)76 size_t bpf_comp_jeq64(struct sock_filter *filter, uint64_t c, unsigned char jt,
77 unsigned char jf)
78 {
79 unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
80 unsigned int hi = (unsigned int)(c >> 32);
81
82 struct sock_filter *curr_block = filter;
83
84 /* bpf_load_arg leaves |hi| in A */
85 curr_block += bpf_comp_jeq32(curr_block, hi, NEXT, SKIPN(2) + jf);
86 set_bpf_stmt(curr_block++, BPF_LD + BPF_MEM, 0); /* swap in |lo| */
87 curr_block += bpf_comp_jeq32(curr_block, lo, jt, jf);
88
89 return curr_block - filter;
90 }
91 #endif
92
bpf_comp_jgt32(struct sock_filter * filter,unsigned long c,unsigned char jt,unsigned char jf)93 size_t bpf_comp_jgt32(struct sock_filter *filter, unsigned long c,
94 unsigned char jt, unsigned char jf)
95 {
96 unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
97 set_bpf_jump(filter, BPF_JMP + BPF_JGT + BPF_K, lo, jt, jf);
98 return 1U;
99 }
100
bpf_comp_jge32(struct sock_filter * filter,unsigned long c,unsigned char jt,unsigned char jf)101 size_t bpf_comp_jge32(struct sock_filter *filter, unsigned long c,
102 unsigned char jt, unsigned char jf)
103 {
104 unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
105 set_bpf_jump(filter, BPF_JMP + BPF_JGE + BPF_K, lo, jt, jf);
106 return 1U;
107 }
108
109 /*
110 * On 64 bits, we have to do two/three 32-bit comparisons.
111 * We jump true when the |hi| comparison is true *or* |hi| is equal and the
112 * |lo| comparison is true.
113 */
114 #if defined(BITS64)
bpf_comp_jgt64(struct sock_filter * filter,uint64_t c,unsigned char jt,unsigned char jf)115 size_t bpf_comp_jgt64(struct sock_filter *filter, uint64_t c, unsigned char jt,
116 unsigned char jf)
117 {
118 unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
119 unsigned int hi = (unsigned int)(c >> 32);
120
121 struct sock_filter *curr_block = filter;
122
123 /* bpf_load_arg leaves |hi| in A. */
124 if (hi == 0) {
125 curr_block +=
126 bpf_comp_jgt32(curr_block, hi, SKIPN(2) + jt, NEXT);
127 } else {
128 curr_block +=
129 bpf_comp_jgt32(curr_block, hi, SKIPN(3) + jt, NEXT);
130 curr_block +=
131 bpf_comp_jeq32(curr_block, hi, NEXT, SKIPN(2) + jf);
132 }
133 set_bpf_stmt(curr_block++, BPF_LD + BPF_MEM, 0); /* swap in |lo| */
134 curr_block += bpf_comp_jgt32(curr_block, lo, jt, jf);
135
136 return curr_block - filter;
137 }
138
bpf_comp_jge64(struct sock_filter * filter,uint64_t c,unsigned char jt,unsigned char jf)139 size_t bpf_comp_jge64(struct sock_filter *filter, uint64_t c, unsigned char jt,
140 unsigned char jf)
141 {
142 unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
143 unsigned int hi = (unsigned int)(c >> 32);
144
145 struct sock_filter *curr_block = filter;
146
147 /* bpf_load_arg leaves |hi| in A. */
148 if (hi == 0) {
149 curr_block +=
150 bpf_comp_jgt32(curr_block, hi, SKIPN(2) + jt, NEXT);
151 } else {
152 curr_block +=
153 bpf_comp_jgt32(curr_block, hi, SKIPN(3) + jt, NEXT);
154 curr_block +=
155 bpf_comp_jeq32(curr_block, hi, NEXT, SKIPN(2) + jf);
156 }
157 set_bpf_stmt(curr_block++, BPF_LD + BPF_MEM, 0); /* swap in |lo| */
158 curr_block += bpf_comp_jge32(curr_block, lo, jt, jf);
159
160 return curr_block - filter;
161 }
162 #endif
163
164 /* Size-aware bitwise AND. */
bpf_comp_jset32(struct sock_filter * filter,unsigned long mask,unsigned char jt,unsigned char jf)165 size_t bpf_comp_jset32(struct sock_filter *filter, unsigned long mask,
166 unsigned char jt, unsigned char jf)
167 {
168 unsigned int mask_lo = (unsigned int)(mask & 0xFFFFFFFF);
169 set_bpf_jump(filter, BPF_JMP + BPF_JSET + BPF_K, mask_lo, jt, jf);
170 return 1U;
171 }
172
173 /*
174 * On 64 bits, we have to do two 32-bit bitwise ANDs.
175 * We jump true when *either* bitwise AND is true (non-zero).
176 */
177 #if defined(BITS64)
bpf_comp_jset64(struct sock_filter * filter,uint64_t mask,unsigned char jt,unsigned char jf)178 size_t bpf_comp_jset64(struct sock_filter *filter, uint64_t mask,
179 unsigned char jt, unsigned char jf)
180 {
181 unsigned int mask_lo = (unsigned int)(mask & 0xFFFFFFFF);
182 unsigned int mask_hi = (unsigned int)(mask >> 32);
183
184 struct sock_filter *curr_block = filter;
185
186 /* bpf_load_arg leaves |hi| in A */
187 curr_block += bpf_comp_jset32(curr_block, mask_hi, SKIPN(2) + jt, NEXT);
188 set_bpf_stmt(curr_block++, BPF_LD + BPF_MEM, 0); /* swap in |lo| */
189 curr_block += bpf_comp_jset32(curr_block, mask_lo, jt, jf);
190
191 return curr_block - filter;
192 }
193 #endif
194
bpf_comp_jin(struct sock_filter * filter,unsigned long mask,unsigned char jt,unsigned char jf)195 size_t bpf_comp_jin(struct sock_filter *filter, unsigned long mask,
196 unsigned char jt, unsigned char jf)
197 {
198 unsigned long negative_mask = ~mask;
199 /*
200 * The mask is negated, so the comparison will be true when the argument
201 * includes a flag that wasn't listed in the original (non-negated)
202 * mask. This would be the failure case, so we switch |jt| and |jf|.
203 */
204 return bpf_comp_jset(filter, negative_mask, jf, jt);
205 }
206
bpf_arg_comp_len(int op,unsigned long c attribute_unused)207 static size_t bpf_arg_comp_len(int op, unsigned long c attribute_unused)
208 {
209 /* The comparisons that use gt/ge internally may have extra opcodes. */
210 switch (op) {
211 case LT:
212 case LE:
213 case GT:
214 case GE:
215 #if defined(BITS64)
216 /*
217 * |c| can only have a high 32-bit part when running on 64 bits.
218 */
219 if ((c >> 32) == 0)
220 return BPF_ARG_SHORT_GT_GE_COMP_LEN + 1;
221 #endif
222 return BPF_ARG_GT_GE_COMP_LEN + 1;
223 default:
224 return BPF_ARG_COMP_LEN + 1;
225 }
226 }
227
bpf_arg_comp(struct sock_filter ** pfilter,int op,int argidx,unsigned long c,unsigned int label_id)228 size_t bpf_arg_comp(struct sock_filter **pfilter, int op, int argidx,
229 unsigned long c, unsigned int label_id)
230 {
231 size_t filter_len = bpf_arg_comp_len(op, c);
232 struct sock_filter *filter =
233 calloc(filter_len, sizeof(struct sock_filter));
234 struct sock_filter *curr_block = filter;
235 size_t (*comp_function)(struct sock_filter * filter, unsigned long k,
236 unsigned char jt, unsigned char jf);
237 int flip = 0;
238
239 if (!filter) {
240 *pfilter = NULL;
241 return 0;
242 }
243
244 /* Load arg */
245 curr_block += bpf_load_arg(curr_block, argidx);
246
247 /* Jump type */
248 switch (op) {
249 case EQ:
250 comp_function = bpf_comp_jeq;
251 flip = 0;
252 break;
253 case NE:
254 comp_function = bpf_comp_jeq;
255 flip = 1;
256 break;
257 case LT:
258 comp_function = bpf_comp_jge;
259 flip = 1;
260 break;
261 case LE:
262 comp_function = bpf_comp_jgt;
263 flip = 1;
264 break;
265 case GT:
266 comp_function = bpf_comp_jgt;
267 flip = 0;
268 break;
269 case GE:
270 comp_function = bpf_comp_jge;
271 flip = 0;
272 break;
273 case SET:
274 comp_function = bpf_comp_jset;
275 flip = 0;
276 break;
277 case IN:
278 comp_function = bpf_comp_jin;
279 flip = 0;
280 break;
281 default:
282 *pfilter = NULL;
283 return 0;
284 }
285
286 /*
287 * It's easier for the rest of the code to have the true branch
288 * skip and the false branch fall through.
289 */
290 unsigned char jt = flip ? NEXT : SKIP;
291 unsigned char jf = flip ? SKIP : NEXT;
292 curr_block += comp_function(curr_block, c, jt, jf);
293 curr_block += set_bpf_jump_lbl(curr_block, label_id);
294
295 *pfilter = filter;
296 return curr_block - filter;
297 }
298
bpf_resolve_jumps(struct bpf_labels * labels,struct sock_filter * filter,size_t len)299 int bpf_resolve_jumps(struct bpf_labels *labels, struct sock_filter *filter,
300 size_t len)
301 {
302 struct sock_filter *instr;
303 size_t i, offset;
304
305 if (len > BPF_MAXINSNS)
306 return -1;
307
308 /*
309 * Walk it once, backwards, to build the label table and do fixups.
310 * Since backward jumps are disallowed by BPF, this is easy.
311 */
312 for (i = 0; i < len; i++) {
313 offset = len - i - 1;
314 instr = &filter[offset];
315 if (instr->code != (BPF_JMP + BPF_JA))
316 continue;
317 switch ((instr->jt << 8) | instr->jf) {
318 case (JUMP_JT << 8) | JUMP_JF:
319 if (instr->k >= labels->count) {
320 warn("nonexistent label id: %u", instr->k);
321 return -1;
322 }
323 if (labels->labels[instr->k].location == 0xffffffff) {
324 warn("unresolved label: '%s'",
325 labels->labels[instr->k].label);
326 return -1;
327 }
328 instr->k =
329 labels->labels[instr->k].location - (offset + 1);
330 instr->jt = 0;
331 instr->jf = 0;
332 continue;
333 case (LABEL_JT << 8) | LABEL_JF:
334 if (labels->labels[instr->k].location != 0xffffffff) {
335 warn("duplicate label: '%s'",
336 labels->labels[instr->k].label);
337 return -1;
338 }
339 labels->labels[instr->k].location = offset;
340 instr->k = 0; /* Fall through. */
341 instr->jt = 0;
342 instr->jf = 0;
343 continue;
344 }
345 }
346 return 0;
347 }
348
349 /* Simple lookup table for labels. */
bpf_label_id(struct bpf_labels * labels,const char * label)350 int bpf_label_id(struct bpf_labels *labels, const char *label)
351 {
352 struct __bpf_label *begin = labels->labels, *end;
353 int id;
354 if (labels->count == 0) {
355 begin->label = strndup(label, MAX_BPF_LABEL_LEN);
356 if (!begin->label) {
357 return -1;
358 }
359 begin->location = 0xffffffff;
360 labels->count++;
361 return 0;
362 }
363 end = begin + labels->count;
364 for (id = 0; begin < end; ++begin, ++id) {
365 if (streq(label, begin->label)) {
366 return id;
367 }
368 }
369
370 /* The label wasn't found. Insert it only if there's space. */
371 if (labels->count == BPF_LABELS_MAX) {
372 return -1;
373 }
374 begin->label = strndup(label, MAX_BPF_LABEL_LEN);
375 if (!begin->label) {
376 return -1;
377 }
378 begin->location = 0xffffffff;
379 labels->count++;
380 return id;
381 }
382
free_label_strings(struct bpf_labels * labels)383 void free_label_strings(struct bpf_labels *labels)
384 {
385 if (labels->count == 0)
386 return;
387
388 struct __bpf_label *begin = labels->labels, *end;
389
390 end = begin + labels->count;
391 for (; begin < end; ++begin) {
392 if (begin->label)
393 free((void *)(begin->label));
394 }
395
396 labels->count = 0;
397 }
398