linux/bpf_dsl/bpf_dsl.h

// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_
#define SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_

#include <stdint.h>

#include <utility>
#include <vector>

#include "base/macros.h"
#include "base/memory/ref_counted.h"
#include "sandbox/linux/bpf_dsl/cons.h"
#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
#include "sandbox/linux/seccomp-bpf/trap.h"
#include "sandbox/sandbox_export.h"

namespace sandbox {
class ErrorCode;
class SandboxBPF;
}

// The sandbox::bpf_dsl namespace provides a domain-specific language
// to make writing BPF policies more expressive.  In general, the
// object types all have value semantics (i.e., they can be copied
// around, returned from or passed to function calls, etc. without any
// surprising side effects), though not all support assignment.
//
// An idiomatic and demonstrative (albeit silly) example of this API
// would be:
//
//      #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
//
//      using namespace sandbox::bpf_dsl;
//
//      class SillyPolicy : public SandboxBPFDSLPolicy {
//       public:
//        SillyPolicy() {}
//        virtual ~SillyPolicy() {}
//        virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
//          if (sysno == __NR_fcntl) {
//            Arg<int> fd(0), cmd(1);
//            Arg<unsigned long> flags(2);
//            const uint64_t kGoodFlags = O_ACCMODE | O_NONBLOCK;
//            return If(fd == 0 && cmd == F_SETFL && (flags & ~kGoodFlags) == 0,
//                      Allow())
//                .ElseIf(cmd == F_DUPFD || cmd == F_DUPFD_CLOEXEC,
//                        Error(EMFILE))
//                .Else(Trap(SetFlagHandler, NULL));
//          } else {
//            return Allow();
//          }
//        }
//
//       private:
//        DISALLOW_COPY_AND_ASSIGN(SillyPolicy);
//      };
//
// More generally, the DSL currently supports the following grammar:
//
//   result = Allow() | Error(errno) | Kill(msg) | Trace(aux)
//          | Trap(trap_func, aux) | UnsafeTrap(trap_func, aux)
//          | If(bool, result)[.ElseIf(bool, result)].Else(result)
//          | Switch(arg)[.Case(val, result)].Default(result)
//   bool   = BoolConst(boolean) | !bool | bool && bool | bool || bool
//          | arg == val | arg != val
//   arg    = Arg<T>(num) | arg & mask
//
// The semantics of each function and operator are intended to be
// intuitive, but are described in more detail below.
//
// (Credit to Sean Parent's "Inheritance is the Base Class of Evil"
// talk at Going Native 2013 for promoting value semantics via shared
// pointers to immutable state.)

namespace sandbox {
namespace bpf_dsl {

// Forward declarations of classes; see below for proper documentation.
class Elser;
template <typename T>
class Caser;
namespace internal {
class ResultExprImpl;
class BoolExprImpl;
}

// ResultExpr is an opaque reference to an immutable result expression tree.
typedef scoped_refptr<const internal::ResultExprImpl> ResultExpr;

// BoolExpr is an opaque reference to an immutable boolean expression tree.
typedef scoped_refptr<const internal::BoolExprImpl> BoolExpr;

// Helper class to make writing policies easier.
class SANDBOX_EXPORT SandboxBPFDSLPolicy : public SandboxBPFPolicy {
 public:
  SandboxBPFDSLPolicy() : SandboxBPFPolicy() {}
  virtual ~SandboxBPFDSLPolicy() {}

  // User extension point for writing custom sandbox policies.
  virtual ResultExpr EvaluateSyscall(int sysno) const = 0;

  // Optional overload for specifying alternate behavior for invalid
  // system calls.  The default is to return ENOSYS.
  virtual ResultExpr InvalidSyscall() const;

  // Override implementations from SandboxBPFPolicy.  Marked as FINAL
  // to prevent mixups with child classes accidentally overloading
  // these instead of the above methods.
  virtual ErrorCode EvaluateSyscall(SandboxBPF* sb,
                                    int sysno) const OVERRIDE FINAL;
  virtual ErrorCode InvalidSyscall(SandboxBPF* sb) const OVERRIDE FINAL;

  // Helper method so policies can just write Trap(func, aux).
  static ResultExpr Trap(Trap::TrapFnc trap_func, const void* aux);

 private:
  DISALLOW_COPY_AND_ASSIGN(SandboxBPFDSLPolicy);
};

// Allow specifies a result that the system call should be allowed to
// execute normally.
SANDBOX_EXPORT ResultExpr Allow();

// Error specifies a result that the system call should fail with
// error number |err|.  As a special case, Error(0) will result in the
// system call appearing to have succeeded, but without having any
// side effects.
SANDBOX_EXPORT ResultExpr Error(int err);

// Kill specifies a result to kill the program and print an error message.
SANDBOX_EXPORT ResultExpr Kill(const char* msg);

// Trace specifies a result to notify a tracing process via the
// PTRACE_EVENT_SECCOMP event and allow it to change or skip the system call.
// The value of |aux| will be available to the tracer via PTRACE_GETEVENTMSG.
SANDBOX_EXPORT ResultExpr Trace(uint16_t aux);

// Trap specifies a result that the system call should be handled by
// trapping back into userspace and invoking |trap_func|, passing
// |aux| as the second parameter.
SANDBOX_EXPORT ResultExpr Trap(Trap::TrapFnc trap_func, const void* aux);

// UnsafeTrap is like Trap, except the policy is marked as "unsafe"
// and allowed to use SandboxSyscall to invoke any system call.
//
// NOTE: This feature, by definition, disables all security features of
//   the sandbox. It should never be used in production, but it can be
//   very useful to diagnose code that is incompatible with the sandbox.
//   If even a single system call returns "UnsafeTrap", the security of
//   entire sandbox should be considered compromised.
SANDBOX_EXPORT ResultExpr UnsafeTrap(Trap::TrapFnc trap_func, const void* aux);

// BoolConst converts a bool value into a BoolExpr.
SANDBOX_EXPORT BoolExpr BoolConst(bool value);

// Various ways to combine boolean expressions into more complex expressions.
// They follow standard boolean algebra laws.
SANDBOX_EXPORT BoolExpr operator!(const BoolExpr& cond);
SANDBOX_EXPORT BoolExpr operator&&(const BoolExpr& lhs, const BoolExpr& rhs);
SANDBOX_EXPORT BoolExpr operator||(const BoolExpr& lhs, const BoolExpr& rhs);

template <typename T>
class SANDBOX_EXPORT Arg {
 public:
  // Initializes the Arg to represent the |num|th system call
  // argument (indexed from 0), which is of type |T|.
  explicit Arg(int num);

  Arg(const Arg& arg) : num_(arg.num_), mask_(arg.mask_) {}

  // Returns an Arg representing the current argument, but after
  // bitwise-and'ing it with |rhs|.
  friend Arg operator&(const Arg& lhs, uint64_t rhs) {
    return Arg(lhs.num_, lhs.mask_ & rhs);
  }

  // Returns a boolean expression comparing whether the system call argument
  // (after applying any bitmasks, if appropriate) equals |rhs|.
  friend BoolExpr operator==(const Arg& lhs, T rhs) { return lhs.EqualTo(rhs); }

  // Returns a boolean expression comparing whether the system call argument
  // (after applying any bitmasks, if appropriate) does not equal |rhs|.
  friend BoolExpr operator!=(const Arg& lhs, T rhs) { return !(lhs == rhs); }

 private:
  Arg(int num, uint64_t mask) : num_(num), mask_(mask) {}

  BoolExpr EqualTo(T val) const;

  int num_;
  uint64_t mask_;

  DISALLOW_ASSIGN(Arg);
};

// If begins a conditional result expression predicated on the
// specified boolean expression.
SANDBOX_EXPORT Elser If(const BoolExpr& cond, const ResultExpr& then_result);

class SANDBOX_EXPORT Elser {
 public:
  Elser(const Elser& elser);
  ~Elser();

  // ElseIf extends the conditional result expression with another
  // "if then" clause, predicated on the specified boolean expression.
  Elser ElseIf(const BoolExpr& cond, const ResultExpr& then_result) const;

  // Else terminates a conditional result expression using |else_result| as
  // the default fallback result expression.
  ResultExpr Else(const ResultExpr& else_result) const;

 private:
  typedef std::pair<BoolExpr, ResultExpr> Clause;

  explicit Elser(Cons<Clause>::List clause_list);

  Cons<Clause>::List clause_list_;

  friend Elser If(const BoolExpr&, const ResultExpr&);
  template <typename T>
  friend Caser<T> Switch(const Arg<T>&);
  DISALLOW_ASSIGN(Elser);
};

// Switch begins a switch expression dispatched according to the
// specified argument value.
template <typename T>
SANDBOX_EXPORT Caser<T> Switch(const Arg<T>& arg);

template <typename T>
class SANDBOX_EXPORT Caser {
 public:
  Caser(const Caser<T>& caser) : arg_(caser.arg_), elser_(caser.elser_) {}
  ~Caser() {}

  // Case adds a single-value "case" clause to the switch.
  Caser<T> Case(T value, ResultExpr result) const;

  // Cases adds a multiple-value "case" clause to the switch.
  // See also the SANDBOX_BPF_DSL_CASES macro below for a more idiomatic way
  // of using this function.
  Caser<T> Cases(const std::vector<T>& values, ResultExpr result) const;

  // Terminate the switch with a "default" clause.
  ResultExpr Default(ResultExpr result) const;

 private:
  Caser(const Arg<T>& arg, Elser elser) : arg_(arg), elser_(elser) {}

  Arg<T> arg_;
  Elser elser_;

  template <typename U>
  friend Caser<U> Switch(const Arg<U>&);
  DISALLOW_ASSIGN(Caser);
};

// Recommended usage is to put
//    #define CASES SANDBOX_BPF_DSL_CASES
// near the top of the .cc file (e.g., nearby any "using" statements), then
// use like:
//    Switch(arg).CASES((3, 5, 7), result)...;
#define SANDBOX_BPF_DSL_CASES(values, result) \
  Cases(SANDBOX_BPF_DSL_CASES_HELPER values, result)

// Helper macro to construct a std::vector from an initializer list.
// TODO(mdempsky): Convert to use C++11 initializer lists instead.
#define SANDBOX_BPF_DSL_CASES_HELPER(value, ...)                           \
  ({                                                                       \
    const __typeof__(value) bpf_dsl_cases_values[] = {value, __VA_ARGS__}; \
    std::vector<__typeof__(value)>(                                        \
        bpf_dsl_cases_values,                                              \
        bpf_dsl_cases_values + arraysize(bpf_dsl_cases_values));           \
  })

// =====================================================================
// Official API ends here.
// =====================================================================

// Definitions below are necessary here only for C++03 compatibility.
// Once C++11 is available, they should be moved into bpf_dsl.cc via extern
// templates.
namespace internal {

// Make argument-dependent lookup work.  This is necessary because although
// BoolExpr is defined in bpf_dsl, since it's merely a typedef for
// scoped_refptr<const internal::BoolExplImpl>, argument-dependent lookup only
// searches the "internal" nested namespace.
using bpf_dsl::operator!;
using bpf_dsl::operator||;
using bpf_dsl::operator&&;

// Returns a boolean expression that represents whether system call
// argument |num| of size |size| is equal to |val|, when masked
// according to |mask|.  Users should use the Arg template class below
// instead of using this API directly.
SANDBOX_EXPORT BoolExpr
    ArgEq(int num, size_t size, uint64_t mask, uint64_t val);

// Returns the default mask for a system call argument of the specified size.
SANDBOX_EXPORT uint64_t DefaultMask(size_t size);

// Internal interface implemented by BoolExpr implementations.
class SANDBOX_EXPORT BoolExprImpl : public base::RefCounted<BoolExprImpl> {
 public:
  BoolExprImpl() {}
  virtual ErrorCode Compile(SandboxBPF* sb,
                            ErrorCode true_ec,
                            ErrorCode false_ec) const = 0;

 protected:
  virtual ~BoolExprImpl() {}

 private:
  friend class base::RefCounted<BoolExprImpl>;
  DISALLOW_COPY_AND_ASSIGN(BoolExprImpl);
};

// Internal interface implemented by ResultExpr implementations.
class SANDBOX_EXPORT ResultExprImpl : public base::RefCounted<ResultExprImpl> {
 public:
  ResultExprImpl() {}
  virtual ErrorCode Compile(SandboxBPF* sb) const = 0;

 protected:
  virtual ~ResultExprImpl() {}

 private:
  friend class base::RefCounted<ResultExprImpl>;
  DISALLOW_COPY_AND_ASSIGN(ResultExprImpl);
};

}  // namespace internal

template <typename T>
Arg<T>::Arg(int num)
    : num_(num), mask_(internal::DefaultMask(sizeof(T))) {
}

// Definition requires ArgEq to have been declared.  Moved out-of-line
// to minimize how much internal clutter users have to ignore while
// reading the header documentation.
//
// Additionally, we use this helper member function to avoid linker errors
// caused by defining operator== out-of-line.  For a more detailed explanation,
// see http://www.parashift.com/c++-faq-lite/template-friends.html.
template <typename T>
BoolExpr Arg<T>::EqualTo(T val) const {
  return internal::ArgEq(num_, sizeof(T), mask_, static_cast<uint64_t>(val));
}

template <typename T>
SANDBOX_EXPORT Caser<T> Switch(const Arg<T>& arg) {
  return Caser<T>(arg, Elser(Cons<Elser::Clause>::List()));
}

template <typename T>
Caser<T> Caser<T>::Case(T value, ResultExpr result) const {
  return SANDBOX_BPF_DSL_CASES((value), result);
}

template <typename T>
Caser<T> Caser<T>::Cases(const std::vector<T>& values,
                         ResultExpr result) const {
  // Theoretically we could evaluate arg_ just once and emit a more efficient
  // dispatch table, but for now we simply translate into an equivalent
  // If/ElseIf/Else chain.

  typedef typename std::vector<T>::const_iterator Iter;
  BoolExpr test = BoolConst(false);
  for (Iter i = values.begin(), end = values.end(); i != end; ++i) {
    test = test || (arg_ == *i);
  }
  return Caser<T>(arg_, elser_.ElseIf(test, result));
}

template <typename T>
ResultExpr Caser<T>::Default(ResultExpr result) const {
  return elser_.Else(result);
}

}  // namespace bpf_dsl
}  // namespace sandbox

#endif  // SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_