1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
6#define SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
7
8#include <signal.h>
9#include <stdint.h>
10
11#include <map>
12
13#include "base/macros.h"
14#include "sandbox/sandbox_export.h"
15
16namespace sandbox {
17
18// This must match the kernel's seccomp_data structure.
19struct arch_seccomp_data {
20  int nr;
21  uint32_t arch;
22  uint64_t instruction_pointer;
23  uint64_t args[6];
24};
25
26// The Trap class allows a BPF filter program to branch out to user space by
27// raising a SIGSYS signal.
28// N.B.: This class does not perform any synchronization operations. If
29//   modifications are made to any of the traps, it is the caller's
30//   responsibility to ensure that this happens in a thread-safe fashion.
31//   Preferably, that means that no other threads should be running at that
32//   time. For the purposes of our sandbox, this assertion should always be
33//   true. Threads are incompatible with the seccomp sandbox anyway.
34class SANDBOX_EXPORT Trap {
35 public:
36  // TrapFnc is a pointer to a function that handles Seccomp traps in
37  // user-space. The seccomp policy can request that a trap handler gets
38  // installed; it does so by returning a suitable ErrorCode() from the
39  // syscallEvaluator. See the ErrorCode() constructor for how to pass in
40  // the function pointer.
41  // Please note that TrapFnc is executed from signal context and must be
42  // async-signal safe:
43  // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
44  // Also note that it follows the calling convention of native system calls.
45  // In other words, it reports an error by returning an exit code in the
46  // range -1..-4096. It should not set errno when reporting errors; on the
47  // other hand, accidentally modifying errno is harmless and the changes will
48  // be undone afterwards.
49  typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void* aux);
50
51  // Registers a new trap handler and sets up the appropriate SIGSYS handler
52  // as needed.
53  // N.B.: This makes a permanent state change. Traps cannot be unregistered,
54  //   as that would break existing BPF filters that are still active.
55  static uint16_t MakeTrap(TrapFnc fnc, const void* aux, bool safe);
56
57  // Enables support for unsafe traps in the SIGSYS signal handler. This is a
58  // one-way fuse. It works in conjunction with the BPF compiler emitting code
59  // that unconditionally allows system calls, if they have a magic return
60  // address (i.e. SandboxSyscall(-1)).
61  // Once unsafe traps are enabled, the sandbox is essentially compromised.
62  // But this is still a very useful feature for debugging purposes. Use with
63  // care. This feature is availably only if enabled by the user (see above).
64  // Returns "true", if unsafe traps were turned on.
65  static bool EnableUnsafeTrapsInSigSysHandler();
66
67  // Returns true if a safe trap handler is associated with a
68  // particular trap ID.
69  static bool IsSafeTrapId(uint16_t id);
70
71 private:
72  struct TrapKey {
73    TrapKey() : fnc(NULL), aux(NULL), safe(false) {}
74    TrapKey(TrapFnc f, const void* a, bool s) : fnc(f), aux(a), safe(s) {}
75    TrapFnc fnc;
76    const void* aux;
77    bool safe;
78    bool operator<(const TrapKey&) const;
79  };
80  typedef std::map<TrapKey, uint16_t> TrapIds;
81
82  // Our constructor is private. A shared global instance is created
83  // automatically as needed.
84  Trap();
85
86  // The destructor is unimplemented. Don't ever attempt to destruct this
87  // object. It'll break subsequent system calls that trigger a SIGSYS.
88  ~Trap();
89
90  // We only have a very small number of methods. We opt to make them static
91  // and have them internally call GetInstance(). This is a little more
92  // convenient than having each caller obtain short-lived reference to the
93  // singleton.
94  // It also gracefully deals with methods that should check for the singleton,
95  // but avoid instantiating it, if it doesn't exist yet
96  // (e.g. ErrorCodeFromTrapId()).
97  static Trap* GetInstance();
98  static void SigSysAction(int nr, siginfo_t* info, void* void_context);
99
100  // Make sure that SigSys is not inlined in order to get slightly better crash
101  // dumps.
102  void SigSys(int nr, siginfo_t* info, void* void_context)
103      __attribute__((noinline));
104  uint16_t MakeTrapImpl(TrapFnc fnc, const void* aux, bool safe);
105  bool SandboxDebuggingAllowedByUser() const;
106
107  // We have a global singleton that handles all of our SIGSYS traps. This
108  // variable must never be deallocated after it has been set up initially, as
109  // there is no way to reset in-kernel BPF filters that generate SIGSYS
110  // events.
111  static Trap* global_trap_;
112
113  TrapIds trap_ids_;            // Maps from TrapKeys to numeric ids
114  TrapKey* trap_array_;         // Array of TrapKeys indexed by ids
115  size_t trap_array_size_;      // Currently used size of array
116  size_t trap_array_capacity_;  // Currently allocated capacity of array
117  bool has_unsafe_traps_;       // Whether unsafe traps have been enabled
118
119  // Copying and assigning is unimplemented. It doesn't make sense for a
120  // singleton.
121  DISALLOW_COPY_AND_ASSIGN(Trap);
122};
123
124}  // namespace sandbox
125
126#endif  // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
127