1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ 6 #define SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ 7 8 #include "sandbox/linux/seccomp-bpf/trap.h" 9 #include "sandbox/sandbox_export.h" 10 11 namespace sandbox { 12 13 // This class holds all the possible values that can be returned by a sandbox 14 // policy. 15 // We can either wrap a symbolic ErrorCode (i.e. ERR_XXX enum values), an 16 // errno value (in the range 0..4095), a pointer to a TrapFnc callback 17 // handling a SECCOMP_RET_TRAP trap, or a complex constraint. 18 // All of the commonly used values are stored in the "err_" field. So, code 19 // that is using the ErrorCode class typically operates on a single 32bit 20 // field. 21 class SANDBOX_EXPORT ErrorCode { 22 public: 23 enum { 24 // Allow this system call. The value of ERR_ALLOWED is pretty much 25 // completely arbitrary. But we want to pick it so that is is unlikely 26 // to be passed in accidentally, when the user intended to return an 27 // "errno" (see below) value instead. 28 ERR_ALLOWED = 0x04000000, 29 30 // If the progress is being ptraced with PTRACE_O_TRACESECCOMP, then the 31 // tracer will be notified of a PTRACE_EVENT_SECCOMP and allowed to change 32 // or skip the system call. The lower 16 bits of err will be available to 33 // the tracer via PTRACE_GETEVENTMSG. 34 ERR_TRACE = 0x08000000, 35 36 // Deny the system call with a particular "errno" value. 37 // N.B.: It is also possible to return "0" here. That would normally 38 // indicate success, but it won't actually run the system call. 39 // This is very different from return ERR_ALLOWED. 40 ERR_MIN_ERRNO = 0, 41 #if defined(__mips__) 42 // MIPS only supports errno up to 1133 43 ERR_MAX_ERRNO = 1133, 44 #else 45 // TODO(markus): Android only supports errno up to 255 46 // (crbug.com/181647). 47 ERR_MAX_ERRNO = 4095, 48 #endif 49 }; 50 51 // While BPF filter programs always operate on 32bit quantities, the kernel 52 // always sees system call arguments as 64bit values. This statement is true 53 // no matter whether the host system is natively operating in 32bit or 64bit. 54 // The BPF compiler hides the fact that BPF instructions cannot directly 55 // access 64bit quantities. But policies are still advised to specify whether 56 // a system call expects a 32bit or a 64bit quantity. 57 enum ArgType { 58 // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that 59 // the conditional test should operate on the 32bit part of the system call 60 // argument. 61 // On 64bit architectures, this verifies that user space did not pass 62 // a 64bit value as an argument to the system call. If it did, that will be 63 // interpreted as an attempt at breaking the sandbox and results in the 64 // program getting terminated. 65 // In other words, only perform a 32bit test, if you are sure this 66 // particular system call would never legitimately take a 64bit 67 // argument. 68 // Implementation detail: TP_32BIT does two things. 1) it restricts the 69 // conditional test to operating on the LSB only, and 2) it adds code to 70 // the BPF filter program verifying that the MSB the kernel received from 71 // user space is either 0, or 0xFFFFFFFF; the latter is acceptable, iff bit 72 // 31 was set in the system call argument. It deals with 32bit arguments 73 // having been sign extended. 74 TP_32BIT, 75 76 // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that 77 // the conditional test should operate on the full 64bit argument. It is 78 // generally harmless to perform a 64bit test on 32bit systems, as the 79 // kernel will always see the top 32 bits of all arguments as zero'd out. 80 // This approach has the desirable property that for tests of pointer 81 // values, we can always use TP_64BIT no matter the host architecture. 82 // But of course, that also means, it is possible to write conditional 83 // policies that turn into no-ops on 32bit systems; this is by design. 84 TP_64BIT, 85 }; 86 87 // Deprecated. 88 enum Operation { 89 // Test whether the system call argument is equal to the operand. 90 OP_EQUAL, 91 92 // Tests a system call argument against a bit mask. 93 // The "ALL_BITS" variant performs this test: "arg & mask == mask" 94 // This implies that a mask of zero always results in a passing test. 95 // The "ANY_BITS" variant performs this test: "arg & mask != 0" 96 // This implies that a mask of zero always results in a failing test. 97 OP_HAS_ALL_BITS, 98 OP_HAS_ANY_BITS, 99 }; 100 101 enum ErrorType { 102 ET_INVALID, 103 ET_SIMPLE, 104 ET_TRAP, 105 ET_COND, 106 }; 107 108 // We allow the default constructor, as it makes the ErrorCode class 109 // much easier to use. But if we ever encounter an invalid ErrorCode 110 // when compiling a BPF filter, we deliberately generate an invalid 111 // program that will get flagged both by our Verifier class and by 112 // the Linux kernel. 113 ErrorCode(); 114 explicit ErrorCode(int err); 115 116 // For all practical purposes, ErrorCodes are treated as if they were 117 // structs. The copy constructor and assignment operator are trivial and 118 // we do not need to explicitly specify them. 119 // Most notably, it is in fact perfectly OK to directly copy the passed_ and 120 // failed_ field. They only ever get set by our private constructor, and the 121 // callers handle life-cycle management for these objects. 122 123 // Destructor ~ErrorCode()124 ~ErrorCode() {} 125 126 bool Equals(const ErrorCode& err) const; 127 bool LessThan(const ErrorCode& err) const; 128 err()129 uint32_t err() const { return err_; } error_type()130 ErrorType error_type() const { return error_type_; } 131 safe()132 bool safe() const { return safe_; } 133 mask()134 uint64_t mask() const { return mask_; } value()135 uint64_t value() const { return value_; } argno()136 int argno() const { return argno_; } width()137 ArgType width() const { return width_; } passed()138 const ErrorCode* passed() const { return passed_; } failed()139 const ErrorCode* failed() const { return failed_; } 140 141 struct LessThan { operatorLessThan142 bool operator()(const ErrorCode& a, const ErrorCode& b) const { 143 return a.LessThan(b); 144 } 145 }; 146 147 private: 148 friend class CodeGen; 149 friend class SandboxBPF; 150 friend class Trap; 151 152 // If we are wrapping a callback, we must assign a unique id. This id is 153 // how the kernel tells us which one of our different SECCOMP_RET_TRAP 154 // cases has been triggered. 155 ErrorCode(Trap::TrapFnc fnc, const void* aux, bool safe); 156 157 // Some system calls require inspection of arguments. This constructor 158 // allows us to specify additional constraints. 159 ErrorCode(int argno, 160 ArgType width, 161 uint64_t mask, 162 uint64_t value, 163 const ErrorCode* passed, 164 const ErrorCode* failed); 165 166 ErrorType error_type_; 167 168 union { 169 // Fields needed for SECCOMP_RET_TRAP callbacks 170 struct { 171 Trap::TrapFnc fnc_; // Callback function and arg, if trap was 172 void* aux_; // triggered by the kernel's BPF filter. 173 bool safe_; // Keep sandbox active while calling fnc_() 174 }; 175 176 // Fields needed when inspecting additional arguments. 177 struct { 178 uint64_t mask_; // Mask that we are comparing under. 179 uint64_t value_; // Value that we are comparing with. 180 int argno_; // Syscall arg number that we are inspecting. 181 ArgType width_; // Whether we are looking at a 32/64bit value. 182 const ErrorCode* passed_; // Value to be returned if comparison passed, 183 const ErrorCode* failed_; // or if it failed. 184 }; 185 }; 186 187 // 32bit field used for all possible types of ErrorCode values. This is 188 // the value that uniquely identifies any ErrorCode and it (typically) can 189 // be emitted directly into a BPF filter program. 190 uint32_t err_; 191 }; 192 193 } // namespace sandbox 194 195 #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ 196