1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
6#define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
7
8#include <stddef.h>
9#include <sys/types.h>
10#include <sys/wait.h>
11
12#include <algorithm>
13#include <limits>
14#include <map>
15#include <set>
16#include <utility>
17#include <vector>
18
19#include "base/memory/scoped_ptr.h"
20#include "sandbox/linux/seccomp-bpf/die.h"
21#include "sandbox/linux/seccomp-bpf/errorcode.h"
22#include "sandbox/linux/seccomp-bpf/linux_seccomp.h"
23
24namespace sandbox {
25
26struct arch_seccomp_data {
27  int nr;
28  uint32_t arch;
29  uint64_t instruction_pointer;
30  uint64_t args[6];
31};
32
33struct arch_sigsys {
34  void* ip;
35  int nr;
36  unsigned int arch;
37};
38
39class CodeGen;
40class SandboxBPFPolicy;
41class SandboxUnittestHelper;
42struct Instruction;
43
44class SandboxBPF {
45 public:
46  enum SandboxStatus {
47    STATUS_UNKNOWN,      // Status prior to calling supportsSeccompSandbox()
48    STATUS_UNSUPPORTED,  // The kernel does not appear to support sandboxing
49    STATUS_UNAVAILABLE,  // Currently unavailable but might work again later
50    STATUS_AVAILABLE,    // Sandboxing is available but not currently active
51    STATUS_ENABLED       // The sandbox is now active
52  };
53
54  // When calling setSandboxPolicy(), the caller can provide an arbitrary
55  // pointer in |aux|. This pointer will then be forwarded to the sandbox
56  // policy each time a call is made through an EvaluateSyscall function
57  // pointer.  One common use case would be to pass the "aux" pointer as an
58  // argument to Trap() functions.
59  typedef ErrorCode (*EvaluateSyscall)(SandboxBPF* sandbox_compiler,
60                                       int system_call_number,
61                                       void* aux);
62  typedef std::vector<std::pair<EvaluateSyscall, void*> > Evaluators;
63  // A vector of BPF instructions that need to be installed as a filter
64  // program in the kernel.
65  typedef std::vector<struct sock_filter> Program;
66
67  // Constructors and destructors.
68  // NOTE: Setting a policy and starting the sandbox is a one-way operation.
69  //       The kernel does not provide any option for unloading a loaded
70  //       sandbox. Strictly speaking, that means we should disallow calling
71  //       the destructor, if StartSandbox() has ever been called. In practice,
72  //       this makes it needlessly complicated to operate on "Sandbox"
73  //       objects. So, we instead opted to allow object destruction. But it
74  //       should be noted that during its lifetime, the object probably made
75  //       irreversible state changes to the runtime environment. These changes
76  //       stay in effect even after the destructor has been run.
77  SandboxBPF();
78  ~SandboxBPF();
79
80  // Checks whether a particular system call number is valid on the current
81  // architecture. E.g. on ARM there's a non-contiguous range of private
82  // system calls.
83  static bool IsValidSyscallNumber(int sysnum);
84
85  // There are a lot of reasons why the Seccomp sandbox might not be available.
86  // This could be because the kernel does not support Seccomp mode, or it
87  // could be because another sandbox is already active.
88  // "proc_fd" should be a file descriptor for "/proc", or -1 if not
89  // provided by the caller.
90  static SandboxStatus SupportsSeccompSandbox(int proc_fd);
91
92  // The sandbox needs to be able to access files in "/proc/self". If this
93  // directory is not accessible when "startSandbox()" gets called, the caller
94  // can provide an already opened file descriptor by calling "set_proc_fd()".
95  // The sandbox becomes the new owner of this file descriptor and will
96  // eventually close it when "StartSandbox()" executes.
97  void set_proc_fd(int proc_fd);
98
99  // The system call evaluator function is called with the system
100  // call number. It can decide to allow the system call unconditionally
101  // by returning ERR_ALLOWED; it can deny the system call unconditionally by
102  // returning an appropriate "errno" value; or it can request inspection
103  // of system call argument(s) by returning a suitable ErrorCode.
104  // The "aux" parameter can be used to pass optional data to the system call
105  // evaluator. There are different possible uses for this data, but one of the
106  // use cases would be for the policy to then forward this pointer to a Trap()
107  // handler. In this case, of course, the data that is pointed to must remain
108  // valid for the entire time that Trap() handlers can be called; typically,
109  // this would be the lifetime of the program.
110  // DEPRECATED: use the policy interface below.
111  void SetSandboxPolicyDeprecated(EvaluateSyscall syscallEvaluator, void* aux);
112
113  // Set the BPF policy as |policy|. Ownership of |policy| is transfered here
114  // to the sandbox object.
115  void SetSandboxPolicy(SandboxBPFPolicy* policy);
116
117  // We can use ErrorCode to request calling of a trap handler. This method
118  // performs the required wrapping of the callback function into an
119  // ErrorCode object.
120  // The "aux" field can carry a pointer to arbitrary data. See EvaluateSyscall
121  // for a description of how to pass data from SetSandboxPolicy() to a Trap()
122  // handler.
123  ErrorCode Trap(Trap::TrapFnc fnc, const void* aux);
124
125  // Calls a user-space trap handler and disables all sandboxing for system
126  // calls made from this trap handler.
127  // This feature is available only if explicitly enabled by the user having
128  // set the CHROME_SANDBOX_DEBUGGING environment variable.
129  // Returns an ET_INVALID ErrorCode, if called when not enabled.
130  // NOTE: This feature, by definition, disables all security features of
131  //   the sandbox. It should never be used in production, but it can be
132  //   very useful to diagnose code that is incompatible with the sandbox.
133  //   If even a single system call returns "UnsafeTrap", the security of
134  //   entire sandbox should be considered compromised.
135  ErrorCode UnsafeTrap(Trap::TrapFnc fnc, const void* aux);
136
137  // From within an UnsafeTrap() it is often useful to be able to execute
138  // the system call that triggered the trap. The ForwardSyscall() method
139  // makes this easy. It is more efficient than calling glibc's syscall()
140  // function, as it avoid the extra round-trip to the signal handler. And
141  // it automatically does the correct thing to report kernel-style error
142  // conditions, rather than setting errno. See the comments for TrapFnc for
143  // details. In other words, the return value from ForwardSyscall() is
144  // directly suitable as a return value for a trap handler.
145  static intptr_t ForwardSyscall(const struct arch_seccomp_data& args);
146
147  // We can also use ErrorCode to request evaluation of a conditional
148  // statement based on inspection of system call parameters.
149  // This method wrap an ErrorCode object around the conditional statement.
150  // Argument "argno" (1..6) will be compared to "value" using comparator
151  // "op". If the condition is true "passed" will be returned, otherwise
152  // "failed".
153  // If "is32bit" is set, the argument must in the range of 0x0..(1u << 32 - 1)
154  // If it is outside this range, the sandbox treats the system call just
155  // the same as any other ABI violation (i.e. it aborts with an error
156  // message).
157  ErrorCode Cond(int argno,
158                 ErrorCode::ArgType is_32bit,
159                 ErrorCode::Operation op,
160                 uint64_t value,
161                 const ErrorCode& passed,
162                 const ErrorCode& failed);
163
164  // Kill the program and print an error message.
165  ErrorCode Kill(const char* msg);
166
167  // This is the main public entry point. It finds all system calls that
168  // need rewriting, sets up the resources needed by the sandbox, and
169  // enters Seccomp mode.
170  // It is possible to stack multiple sandboxes by creating separate "Sandbox"
171  // objects and calling "StartSandbox()" on each of them. Please note, that
172  // this requires special care, though, as newly stacked sandboxes can never
173  // relax restrictions imposed by earlier sandboxes. Furthermore, installing
174  // a new policy requires making system calls, that might already be
175  // disallowed.
176  // Finally, stacking does add more kernel overhead than having a single
177  // combined policy. So, it should only be used if there are no alternatives.
178  void StartSandbox();
179
180  // Assembles a BPF filter program from the current policy. After calling this
181  // function, you must not call any other sandboxing function.
182  // Typically, AssembleFilter() is only used by unit tests and by sandbox
183  // internals. It should not be used by production code.
184  // For performance reasons, we normally only run the assembled BPF program
185  // through the verifier, iff the program was built in debug mode.
186  // But by setting "force_verification", the caller can request that the
187  // verifier is run unconditionally. This is useful for unittests.
188  Program* AssembleFilter(bool force_verification);
189
190  // Returns the fatal ErrorCode that is used to indicate that somebody
191  // attempted to pass a 64bit value in a 32bit system call argument.
192  // This method is primarily needed for testing purposes.
193  ErrorCode Unexpected64bitArgument();
194
195 private:
196  friend class CodeGen;
197  friend class SandboxUnittestHelper;
198  friend class ErrorCode;
199
200  struct Range {
201    Range(uint32_t f, uint32_t t, const ErrorCode& e)
202        : from(f), to(t), err(e) {}
203    uint32_t from, to;
204    ErrorCode err;
205  };
206  typedef std::vector<Range> Ranges;
207  typedef std::map<uint32_t, ErrorCode> ErrMap;
208  typedef std::set<ErrorCode, struct ErrorCode::LessThan> Conds;
209
210  // Get a file descriptor pointing to "/proc", if currently available.
211  int proc_fd() { return proc_fd_; }
212
213  // Creates a subprocess and runs "code_in_sandbox" inside of the specified
214  // policy. The caller has to make sure that "this" has not yet been
215  // initialized with any other policies.
216  bool RunFunctionInPolicy(void (*code_in_sandbox)(),
217                           EvaluateSyscall syscall_evaluator,
218                           void* aux);
219
220  // Performs a couple of sanity checks to verify that the kernel supports the
221  // features that we need for successful sandboxing.
222  // The caller has to make sure that "this" has not yet been initialized with
223  // any other policies.
224  bool KernelSupportSeccompBPF();
225
226  // Verify that the current policy passes some basic sanity checks.
227  void PolicySanityChecks(SandboxBPFPolicy* policy);
228
229  // Assembles and installs a filter based on the policy that has previously
230  // been configured with SetSandboxPolicy().
231  void InstallFilter();
232
233  // Verify the correctness of a compiled program by comparing it against the
234  // current policy. This function should only ever be called by unit tests and
235  // by the sandbox internals. It should not be used by production code.
236  void VerifyProgram(const Program& program, bool has_unsafe_traps);
237
238  // Finds all the ranges of system calls that need to be handled. Ranges are
239  // sorted in ascending order of system call numbers. There are no gaps in the
240  // ranges. System calls with identical ErrorCodes are coalesced into a single
241  // range.
242  void FindRanges(Ranges* ranges);
243
244  // Returns a BPF program snippet that implements a jump table for the
245  // given range of system call numbers. This function runs recursively.
246  Instruction* AssembleJumpTable(CodeGen* gen,
247                                 Ranges::const_iterator start,
248                                 Ranges::const_iterator stop);
249
250  // Returns a BPF program snippet that makes the BPF filter program exit
251  // with the given ErrorCode "err". N.B. the ErrorCode may very well be a
252  // conditional expression; if so, this function will recursively call
253  // CondExpression() and possibly RetExpression() to build a complex set of
254  // instructions.
255  Instruction* RetExpression(CodeGen* gen, const ErrorCode& err);
256
257  // Returns a BPF program that evaluates the conditional expression in
258  // "cond" and returns the appropriate value from the BPF filter program.
259  // This function recursively calls RetExpression(); it should only ever be
260  // called from RetExpression().
261  Instruction* CondExpression(CodeGen* gen, const ErrorCode& cond);
262
263  static SandboxStatus status_;
264
265  bool quiet_;
266  int proc_fd_;
267  scoped_ptr<const SandboxBPFPolicy> policy_;
268  Conds* conds_;
269  bool sandbox_has_started_;
270
271  DISALLOW_COPY_AND_ASSIGN(SandboxBPF);
272};
273
274}  // namespace sandbox
275
276#endif  // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__
277