1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__ 6 #define SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__ 7 8 #include <signal.h> 9 #include <stdint.h> 10 11 #include <map> 12 13 #include "base/macros.h" 14 #include "sandbox/sandbox_export.h" 15 16 namespace sandbox { 17 18 // This must match the kernel's seccomp_data structure. 19 struct arch_seccomp_data { 20 int nr; 21 uint32_t arch; 22 uint64_t instruction_pointer; 23 uint64_t args[6]; 24 }; 25 26 // The Trap class allows a BPF filter program to branch out to user space by 27 // raising a SIGSYS signal. 28 // N.B.: This class does not perform any synchronization operations. If 29 // modifications are made to any of the traps, it is the caller's 30 // responsibility to ensure that this happens in a thread-safe fashion. 31 // Preferably, that means that no other threads should be running at that 32 // time. For the purposes of our sandbox, this assertion should always be 33 // true. Threads are incompatible with the seccomp sandbox anyway. 34 class SANDBOX_EXPORT Trap { 35 public: 36 // TrapFnc is a pointer to a function that handles Seccomp traps in 37 // user-space. The seccomp policy can request that a trap handler gets 38 // installed; it does so by returning a suitable ErrorCode() from the 39 // syscallEvaluator. See the ErrorCode() constructor for how to pass in 40 // the function pointer. 41 // Please note that TrapFnc is executed from signal context and must be 42 // async-signal safe: 43 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html 44 // Also note that it follows the calling convention of native system calls. 45 // In other words, it reports an error by returning an exit code in the 46 // range -1..-4096. It should not set errno when reporting errors; on the 47 // other hand, accidentally modifying errno is harmless and the changes will 48 // be undone afterwards. 49 typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void* aux); 50 51 // Registers a new trap handler and sets up the appropriate SIGSYS handler 52 // as needed. 53 // N.B.: This makes a permanent state change. Traps cannot be unregistered, 54 // as that would break existing BPF filters that are still active. 55 static uint16_t MakeTrap(TrapFnc fnc, const void* aux, bool safe); 56 57 // Enables support for unsafe traps in the SIGSYS signal handler. This is a 58 // one-way fuse. It works in conjunction with the BPF compiler emitting code 59 // that unconditionally allows system calls, if they have a magic return 60 // address (i.e. SandboxSyscall(-1)). 61 // Once unsafe traps are enabled, the sandbox is essentially compromised. 62 // But this is still a very useful feature for debugging purposes. Use with 63 // care. This feature is availably only if enabled by the user (see above). 64 // Returns "true", if unsafe traps were turned on. 65 static bool EnableUnsafeTrapsInSigSysHandler(); 66 67 // Returns true if a safe trap handler is associated with a 68 // particular trap ID. 69 static bool IsSafeTrapId(uint16_t id); 70 71 private: 72 struct TrapKey { TrapKeyTrapKey73 TrapKey() : fnc(NULL), aux(NULL), safe(false) {} TrapKeyTrapKey74 TrapKey(TrapFnc f, const void* a, bool s) : fnc(f), aux(a), safe(s) {} 75 TrapFnc fnc; 76 const void* aux; 77 bool safe; 78 bool operator<(const TrapKey&) const; 79 }; 80 typedef std::map<TrapKey, uint16_t> TrapIds; 81 82 // Our constructor is private. A shared global instance is created 83 // automatically as needed. 84 Trap(); 85 86 // The destructor is unimplemented. Don't ever attempt to destruct this 87 // object. It'll break subsequent system calls that trigger a SIGSYS. 88 ~Trap(); 89 90 // We only have a very small number of methods. We opt to make them static 91 // and have them internally call GetInstance(). This is a little more 92 // convenient than having each caller obtain short-lived reference to the 93 // singleton. 94 // It also gracefully deals with methods that should check for the singleton, 95 // but avoid instantiating it, if it doesn't exist yet 96 // (e.g. ErrorCodeFromTrapId()). 97 static Trap* GetInstance(); 98 static void SigSysAction(int nr, siginfo_t* info, void* void_context); 99 100 // Make sure that SigSys is not inlined in order to get slightly better crash 101 // dumps. 102 void SigSys(int nr, siginfo_t* info, void* void_context) 103 __attribute__((noinline)); 104 uint16_t MakeTrapImpl(TrapFnc fnc, const void* aux, bool safe); 105 bool SandboxDebuggingAllowedByUser() const; 106 107 // We have a global singleton that handles all of our SIGSYS traps. This 108 // variable must never be deallocated after it has been set up initially, as 109 // there is no way to reset in-kernel BPF filters that generate SIGSYS 110 // events. 111 static Trap* global_trap_; 112 113 TrapIds trap_ids_; // Maps from TrapKeys to numeric ids 114 TrapKey* trap_array_; // Array of TrapKeys indexed by ids 115 size_t trap_array_size_; // Currently used size of array 116 size_t trap_array_capacity_; // Currently allocated capacity of array 117 bool has_unsafe_traps_; // Whether unsafe traps have been enabled 118 119 // Copying and assigning is unimplemented. It doesn't make sense for a 120 // singleton. 121 DISALLOW_COPY_AND_ASSIGN(Trap); 122 }; 123 124 } // namespace sandbox 125 126 #endif // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__ 127