1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_ 6 #define SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_ 7 8 #include <stdint.h> 9 10 #include "base/macros.h" 11 #include "sandbox/sandbox_export.h" 12 13 namespace sandbox { 14 15 // This must match the kernel's seccomp_data structure. 16 struct arch_seccomp_data { 17 int nr; 18 uint32_t arch; 19 uint64_t instruction_pointer; 20 uint64_t args[6]; 21 }; 22 23 namespace bpf_dsl { 24 25 // TrapRegistry provides an interface for registering "trap handlers" 26 // by associating them with non-zero 16-bit trap IDs. Trap IDs should 27 // remain valid for the lifetime of the trap registry. 28 class SANDBOX_EXPORT TrapRegistry { 29 public: 30 // TrapFnc is a pointer to a function that fulfills the trap handler 31 // function signature. 32 // 33 // Trap handlers follow the calling convention of native system 34 // calls; e.g., to report an error, they return an exit code in the 35 // range -1..-4096 instead of directly modifying errno. However, 36 // modifying errno is harmless, as the original value will be 37 // restored afterwards. 38 // 39 // Trap handlers are executed from signal context and possibly an 40 // async-signal context, so they must be async-signal safe: 41 // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html 42 typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void* aux); 43 44 // Add registers the specified trap handler tuple and returns a 45 // non-zero trap ID that uniquely identifies the tuple for the life 46 // time of the trap registry. If the same tuple is registered 47 // multiple times, the same value will be returned each time. 48 virtual uint16_t Add(TrapFnc fnc, const void* aux, bool safe) = 0; 49 50 // EnableUnsafeTraps tries to enable unsafe traps and returns 51 // whether it was successful. This is a one-way operation. 52 // 53 // CAUTION: Enabling unsafe traps effectively defeats the security 54 // guarantees provided by the sandbox policy. TrapRegistry 55 // implementations should ensure unsafe traps are only enabled 56 // during testing. 57 virtual bool EnableUnsafeTraps() = 0; 58 59 protected: TrapRegistry()60 TrapRegistry() {} 61 62 // TrapRegistry's destructor is intentionally non-virtual so that 63 // implementations can omit their destructor. Instead we protect against 64 // misuse by marking it protected. ~TrapRegistry()65 ~TrapRegistry() {} 66 67 DISALLOW_COPY_AND_ASSIGN(TrapRegistry); 68 }; 69 70 } // namespace bpf_dsl 71 } // namespace sandbox 72 73 #endif // SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_ 74