diff options
| author | jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-10 22:18:42 +0000 |
|---|---|---|
| committer | jln@chromium.org <jln@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-12-10 22:18:42 +0000 |
| commit | 2980768633ff5144fe6e7902abb39b8ff1740baa (patch) | |
| tree | 5e99302565a71d9a76f2580b02be6f1b678f6e56 | |
| parent | e91eae91d6330a50d227d1629d00d599f189f3d8 (diff) | |
| download | chromium_src-2980768633ff5144fe6e7902abb39b8ff1740baa.zip chromium_src-2980768633ff5144fe6e7902abb39b8ff1740baa.tar.gz chromium_src-2980768633ff5144fe6e7902abb39b8ff1740baa.tar.bz2 | |
Linux sandbox: cleanup sandbox-bpf naming.
1. Rename playground2 namespace to sandbox.
The playground2 namespace is confusing and against the style guide.
We rename it to sandbox, like the rest of sandbox/linux/.
2. Rename the "Sandbox" class to "SandboxBPF".
BUG=325535
R=rsesek@chromium.org
TBR=jochen@chromium.org
Review URL: https://codereview.chromium.org/101773003
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@239865 0039d316-1c4b-4281-b951-d872f2087c98
47 files changed, 413 insertions, 430 deletions
diff --git a/chrome/browser/ui/webui/about_ui.cc b/chrome/browser/ui/webui/about_ui.cc index 4a779f6..5e87c39 100644 --- a/chrome/browser/ui/webui/about_ui.cc +++ b/chrome/browser/ui/webui/about_ui.cc @@ -823,7 +823,7 @@ std::string AboutSandbox() { AboutSandboxRow(&data, std::string(), IDS_ABOUT_SANDBOX_SECCOMP_BPF_SANDBOX, - status & content::kSandboxLinuxSeccompBpf); + status & content::kSandboxLinuxSeccompBPF); data.append("</table>"); @@ -832,7 +832,7 @@ std::string AboutSandbox() { status & content::kSandboxLinuxPIDNS && status & content::kSandboxLinuxNetNS; // A second-layer sandbox is also required to be adequately sandboxed. - bool good_layer2 = status & content::kSandboxLinuxSeccompBpf; + bool good_layer2 = status & content::kSandboxLinuxSeccompBPF; bool good = good_layer1 && good_layer2; if (good) { diff --git a/chrome/test/security_tests/sandbox_browsertest_linux.cc b/chrome/test/security_tests/sandbox_browsertest_linux.cc index f9c26599..f51db55 100644 --- a/chrome/test/security_tests/sandbox_browsertest_linux.cc +++ b/chrome/test/security_tests/sandbox_browsertest_linux.cc @@ -27,7 +27,7 @@ IN_PROC_BROWSER_TEST_F(SandboxLinuxTest, MAYBE_SandboxStatus) { status & content::kSandboxLinuxPIDNS && status & content::kSandboxLinuxNetNS; // A second-layer sandbox is also required to be adequately sandboxed. - bool good_layer2 = status & content::kSandboxLinuxSeccompBpf; + bool good_layer2 = status & content::kSandboxLinuxSeccompBPF; EXPECT_TRUE(good_layer1); EXPECT_TRUE(good_layer2); diff --git a/components/nacl/loader/nacl_helper_linux.cc b/components/nacl/loader/nacl_helper_linux.cc index 37e0dd5..c8139bf 100644 --- a/components/nacl/loader/nacl_helper_linux.cc +++ b/components/nacl/loader/nacl_helper_linux.cc @@ -52,7 +52,7 @@ void BecomeNaClLoader(const std::vector<int>& child_fds, // don't need zygote FD any more if (IGNORE_EINTR(close(kNaClZygoteDescriptor)) != 0) LOG(ERROR) << "close(kNaClZygoteDescriptor) failed."; - bool sandbox_initialized = InitializeBpfSandbox(); + bool sandbox_initialized = InitializeBPFSandbox(); if (!sandbox_initialized) { LOG(ERROR) << "Could not initialize NaCl's second " << "layer sandbox (seccomp-bpf)."; diff --git a/components/nacl/loader/nacl_sandbox_linux.cc b/components/nacl/loader/nacl_sandbox_linux.cc index f92cc08..14ba18f 100644 --- a/components/nacl/loader/nacl_sandbox_linux.cc +++ b/components/nacl/loader/nacl_sandbox_linux.cc @@ -18,9 +18,9 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" #include "sandbox/linux/services/linux_syscalls.h" -using playground2::ErrorCode; -using playground2::Sandbox; -using playground2::SandboxBpfPolicy; +using sandbox::ErrorCode; +using sandbox::SandboxBPF; +using sandbox::SandboxBPFPolicy; namespace { @@ -52,22 +52,22 @@ bool IsSystemVIpc(int sysno) { } #endif -class NaClBpfSandboxPolicy : public SandboxBpfPolicy { +class NaClBPFSandboxPolicy : public SandboxBPFPolicy { public: - NaClBpfSandboxPolicy() - : baseline_policy_(content::GetBpfSandboxBaselinePolicy()) {} - virtual ~NaClBpfSandboxPolicy() {} + NaClBPFSandboxPolicy() + : baseline_policy_(content::GetBPFSandboxBaselinePolicy()) {} + virtual ~NaClBPFSandboxPolicy() {} - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; private: - scoped_ptr<SandboxBpfPolicy> baseline_policy_; - DISALLOW_COPY_AND_ASSIGN(NaClBpfSandboxPolicy); + scoped_ptr<SandboxBPFPolicy> baseline_policy_; + DISALLOW_COPY_AND_ASSIGN(NaClBPFSandboxPolicy); }; -ErrorCode NaClBpfSandboxPolicy::EvaluateSyscall( - playground2::Sandbox* sb, int sysno) const { +ErrorCode NaClBPFSandboxPolicy::EvaluateSyscall( + sandbox::SandboxBPF* sb, int sysno) const { DCHECK(baseline_policy_); switch (sysno) { // TODO(jln): NaCl's GDB debug stub uses the following socket system calls, @@ -151,9 +151,9 @@ void RunSandboxSanityChecks() { } // namespace -bool InitializeBpfSandbox() { +bool InitializeBPFSandbox() { bool sandbox_is_initialized = content::InitializeSandbox( - scoped_ptr<SandboxBpfPolicy>(new NaClBpfSandboxPolicy())); + scoped_ptr<SandboxBPFPolicy>(new NaClBPFSandboxPolicy())); if (sandbox_is_initialized) { RunSandboxSanityChecks(); return true; diff --git a/components/nacl/loader/nacl_sandbox_linux.h b/components/nacl/loader/nacl_sandbox_linux.h index 12eea45..8a61cb3 100644 --- a/components/nacl/loader/nacl_sandbox_linux.h +++ b/components/nacl/loader/nacl_sandbox_linux.h @@ -5,6 +5,6 @@ #ifndef COMPONENTS_NACL_LOADER_NACL_SANDBOX_LINUX_H_ #define COMPONENTS_NACL_LOADER_NACL_SANDBOX_LINUX_H_ -bool InitializeBpfSandbox(); +bool InitializeBPFSandbox(); #endif // COMPONENTS_NACL_LOADER_NACL_SANDBOX_LINUX_H_ diff --git a/content/common/sandbox_bpf_base_policy_linux.cc b/content/common/sandbox_bpf_base_policy_linux.cc index 226c8e5..4341e92 100644 --- a/content/common/sandbox_bpf_base_policy_linux.cc +++ b/content/common/sandbox_bpf_base_policy_linux.cc @@ -18,18 +18,18 @@ static const int kFSDeniedErrno = EPERM; } // namespace. -SandboxBpfBasePolicy::SandboxBpfBasePolicy() +SandboxBPFBasePolicy::SandboxBPFBasePolicy() : baseline_policy_(new sandbox::BaselinePolicy(kFSDeniedErrno)) {} -SandboxBpfBasePolicy::~SandboxBpfBasePolicy() {} +SandboxBPFBasePolicy::~SandboxBPFBasePolicy() {} -ErrorCode SandboxBpfBasePolicy::EvaluateSyscall(Sandbox* sandbox_compiler, +ErrorCode SandboxBPFBasePolicy::EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const { DCHECK(baseline_policy_); return baseline_policy_->EvaluateSyscall(sandbox_compiler, system_call_number); } -int SandboxBpfBasePolicy::GetFSDeniedErrno() { +int SandboxBPFBasePolicy::GetFSDeniedErrno() { return kFSDeniedErrno; } diff --git a/content/common/sandbox_bpf_base_policy_linux.h b/content/common/sandbox_bpf_base_policy_linux.h index 4ba83da..8edba1d 100644 --- a/content/common/sandbox_bpf_base_policy_linux.h +++ b/content/common/sandbox_bpf_base_policy_linux.h @@ -10,21 +10,21 @@ #include "sandbox/linux/seccomp-bpf-helpers/baseline_policy.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" -using playground2::ErrorCode; -using playground2::Sandbox; +using sandbox::ErrorCode; +using sandbox::SandboxBPF; namespace content { // The "baseline" BPF policy for content/. Any content/ seccomp-bpf policy // should inherit from it. -// It implements the main SandboxBpfPolicy interface. Due to its nature +// It implements the main SandboxBPFPolicy interface. Due to its nature // as a "kernel attack surface reduction" layer, it's implementation-defined. -class SandboxBpfBasePolicy : public playground2::SandboxBpfPolicy { +class SandboxBPFBasePolicy : public sandbox::SandboxBPFPolicy { public: - SandboxBpfBasePolicy(); - virtual ~SandboxBpfBasePolicy(); + SandboxBPFBasePolicy(); + virtual ~SandboxBPFBasePolicy(); - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; // Get the errno(3) to return for filesystem errors. static int GetFSDeniedErrno(); @@ -32,7 +32,7 @@ class SandboxBpfBasePolicy : public playground2::SandboxBpfPolicy { private: // Compose the BaselinePolicy from sandbox/. scoped_ptr<sandbox::BaselinePolicy> baseline_policy_; - DISALLOW_COPY_AND_ASSIGN(SandboxBpfBasePolicy); + DISALLOW_COPY_AND_ASSIGN(SandboxBPFBasePolicy); }; } // namespace content diff --git a/content/common/sandbox_init_linux.cc b/content/common/sandbox_init_linux.cc index 16b1a60..b2e6b4a 100644 --- a/content/common/sandbox_init_linux.cc +++ b/content/common/sandbox_init_linux.cc @@ -10,12 +10,12 @@ namespace content { -bool InitializeSandbox(scoped_ptr<playground2::SandboxBpfPolicy> policy) { - return SandboxSeccompBpf::StartSandboxWithExternalPolicy(policy.Pass()); +bool InitializeSandbox(scoped_ptr<sandbox::SandboxBPFPolicy> policy) { + return SandboxSeccompBPF::StartSandboxWithExternalPolicy(policy.Pass()); } -scoped_ptr<playground2::SandboxBpfPolicy> GetBpfSandboxBaselinePolicy() { - return SandboxSeccompBpf::GetBaselinePolicy().Pass(); +scoped_ptr<sandbox::SandboxBPFPolicy> GetBPFSandboxBaselinePolicy() { + return SandboxSeccompBPF::GetBaselinePolicy().Pass(); } } // namespace content diff --git a/content/common/sandbox_linux.cc b/content/common/sandbox_linux.cc index 85a3e36..55e5044 100644 --- a/content/common/sandbox_linux.cc +++ b/content/common/sandbox_linux.cc @@ -108,8 +108,8 @@ void LinuxSandbox::PreinitializeSandbox() { CHECK_GE(proc_fd_, 0); #endif // !defined(NDEBUG) // We "pre-warm" the code that detects supports for seccomp BPF. - if (SandboxSeccompBpf::IsSeccompBpfDesired()) { - if (!SandboxSeccompBpf::SupportsSandbox()) { + if (SandboxSeccompBPF::IsSeccompBPFDesired()) { + if (!SandboxSeccompBPF::SupportsSandbox()) { VLOG(1) << "Lacking support for seccomp-bpf sandbox."; } else { seccomp_bpf_supported_ = true; @@ -154,7 +154,7 @@ bool LinuxSandbox::InitializeSandbox() { linux_sandbox->LimitAddressSpace(process_type); // First, try to enable seccomp-bpf. - seccomp_bpf_started = linux_sandbox->StartSeccompBpf(process_type); + seccomp_bpf_started = linux_sandbox->StartSeccompBPF(process_type); return seccomp_bpf_started; } @@ -171,10 +171,10 @@ int LinuxSandbox::GetStatus() const { } if (seccomp_bpf_supported() && - SandboxSeccompBpf::ShouldEnableSeccompBpf(switches::kRendererProcess)) { + SandboxSeccompBPF::ShouldEnableSeccompBPF(switches::kRendererProcess)) { // We report whether the sandbox will be activated when renderers go // through sandbox initialization. - sandbox_flags |= kSandboxLinuxSeccompBpf; + sandbox_flags |= kSandboxLinuxSeccompBPF; } return sandbox_flags; @@ -224,13 +224,13 @@ sandbox::SetuidSandboxClient* return setuid_sandbox_client_.get(); } -// For seccomp-bpf, we use the SandboxSeccompBpf class. -bool LinuxSandbox::StartSeccompBpf(const std::string& process_type) { +// For seccomp-bpf, we use the SandboxSeccompBPF class. +bool LinuxSandbox::StartSeccompBPF(const std::string& process_type) { CHECK(!seccomp_bpf_started_); if (!pre_initialized_) PreinitializeSandbox(); if (seccomp_bpf_supported()) - seccomp_bpf_started_ = SandboxSeccompBpf::StartSandbox(process_type); + seccomp_bpf_started_ = SandboxSeccompBPF::StartSandbox(process_type); if (seccomp_bpf_started_) LogSandboxStarted("seccomp-bpf"); diff --git a/content/common/sandbox_linux.h b/content/common/sandbox_linux.h index 2cf105f..5101f23 100644 --- a/content/common/sandbox_linux.h +++ b/content/common/sandbox_linux.h @@ -69,7 +69,7 @@ class LinuxSandbox { // Check the policy and eventually start the seccomp-bpf sandbox. This should // never be called with threads started. If we detect that threads have // started we will crash. - bool StartSeccompBpf(const std::string& process_type); + bool StartSeccompBPF(const std::string& process_type); // Limit the address space of the current process (and its children). // to make some vulnerabilities harder to exploit. diff --git a/content/common/sandbox_seccomp_bpf_linux.cc b/content/common/sandbox_seccomp_bpf_linux.cc index e1f344d..484fe73 100644 --- a/content/common/sandbox_seccomp_bpf_linux.cc +++ b/content/common/sandbox_seccomp_bpf_linux.cc @@ -46,18 +46,18 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" #include "sandbox/linux/services/linux_syscalls.h" -using playground2::arch_seccomp_data; -using playground2::ErrorCode; -using playground2::Sandbox; -using sandbox::BrokerProcess; using sandbox::BaselinePolicy; +using sandbox::BrokerProcess; +using sandbox::ErrorCode; +using sandbox::SandboxBPF; using sandbox::SyscallSets; +using sandbox::arch_seccomp_data; namespace content { namespace { -void StartSandboxWithPolicy(playground2::SandboxBpfPolicy* policy); +void StartSandboxWithPolicy(sandbox::SandboxBPFPolicy* policy); inline bool IsChromeOS() { #if defined(OS_CHROMEOS) @@ -141,13 +141,13 @@ intptr_t GpuSIGSYS_Handler(const struct arch_seccomp_data& args, } } -class GpuProcessPolicy : public SandboxBpfBasePolicy { +class GpuProcessPolicy : public SandboxBPFBasePolicy { public: explicit GpuProcessPolicy(void* broker_process) : broker_process_(broker_process) {} virtual ~GpuProcessPolicy() {} - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; private: @@ -156,7 +156,8 @@ class GpuProcessPolicy : public SandboxBpfBasePolicy { }; // Main policy for x86_64/i386. Extended by ArmGpuProcessPolicy. -ErrorCode GpuProcessPolicy::EvaluateSyscall(Sandbox* sandbox, int sysno) const { +ErrorCode GpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, + int sysno) const { switch (sysno) { case __NR_ioctl: #if defined(__i386__) || defined(__x86_64__) @@ -180,7 +181,7 @@ ErrorCode GpuProcessPolicy::EvaluateSyscall(Sandbox* sandbox, int sysno) const { return ErrorCode(ErrorCode::ERR_ALLOWED); // Default on the baseline policy. - return SandboxBpfBasePolicy::EvaluateSyscall(sandbox, sysno); + return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); } } @@ -189,7 +190,7 @@ class GpuBrokerProcessPolicy : public GpuProcessPolicy { GpuBrokerProcessPolicy() : GpuProcessPolicy(NULL) {} virtual ~GpuBrokerProcessPolicy() {} - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; private: @@ -199,7 +200,7 @@ class GpuBrokerProcessPolicy : public GpuProcessPolicy { // x86_64/i386. // A GPU broker policy is the same as a GPU policy with open and // openat allowed. -ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(Sandbox* sandbox, +ErrorCode GpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const { switch (sysno) { case __NR_access: @@ -217,7 +218,7 @@ class ArmGpuProcessPolicy : public GpuProcessPolicy { : GpuProcessPolicy(broker_process), allow_shmat_(allow_shmat) {} virtual ~ArmGpuProcessPolicy() {} - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; private: @@ -226,7 +227,7 @@ class ArmGpuProcessPolicy : public GpuProcessPolicy { }; // Generic ARM GPU process sandbox, inheriting from GpuProcessPolicy. -ErrorCode ArmGpuProcessPolicy::EvaluateSyscall(Sandbox* sandbox, +ErrorCode ArmGpuProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const { #if defined(__arm__) if (allow_shmat_ && sysno == __NR_shmat) @@ -265,7 +266,7 @@ class ArmGpuBrokerProcessPolicy : public ArmGpuProcessPolicy { ArmGpuBrokerProcessPolicy() : ArmGpuProcessPolicy(NULL, false) {} virtual ~ArmGpuBrokerProcessPolicy() {} - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; private: @@ -274,7 +275,7 @@ class ArmGpuBrokerProcessPolicy : public ArmGpuProcessPolicy { // A GPU broker policy is the same as a GPU policy with open and // openat allowed. -ErrorCode ArmGpuBrokerProcessPolicy::EvaluateSyscall(Sandbox* sandbox, +ErrorCode ArmGpuBrokerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const { switch (sysno) { case __NR_access: @@ -289,19 +290,19 @@ ErrorCode ArmGpuBrokerProcessPolicy::EvaluateSyscall(Sandbox* sandbox, // Policy for renderer and worker processes. // TODO(jln): move to renderer/ -class RendererOrWorkerProcessPolicy : public SandboxBpfBasePolicy { +class RendererOrWorkerProcessPolicy : public SandboxBPFBasePolicy { public: RendererOrWorkerProcessPolicy() {} virtual ~RendererOrWorkerProcessPolicy() {} - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; private: DISALLOW_COPY_AND_ASSIGN(RendererOrWorkerProcessPolicy); }; -ErrorCode RendererOrWorkerProcessPolicy::EvaluateSyscall(Sandbox* sandbox, +ErrorCode RendererOrWorkerProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const { switch (sysno) { case __NR_clone: @@ -349,25 +350,25 @@ ErrorCode RendererOrWorkerProcessPolicy::EvaluateSyscall(Sandbox* sandbox, } // Default on the content baseline policy. - return SandboxBpfBasePolicy::EvaluateSyscall(sandbox, sysno); + return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); } } // Policy for PPAPI plugins. // TODO(jln): move to ppapi_plugin/. -class FlashProcessPolicy : public SandboxBpfBasePolicy { +class FlashProcessPolicy : public SandboxBPFBasePolicy { public: FlashProcessPolicy() {} virtual ~FlashProcessPolicy() {} - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; private: DISALLOW_COPY_AND_ASSIGN(FlashProcessPolicy); }; -ErrorCode FlashProcessPolicy::EvaluateSyscall(Sandbox* sandbox, +ErrorCode FlashProcessPolicy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const { switch (sysno) { case __NR_clone: @@ -397,25 +398,25 @@ ErrorCode FlashProcessPolicy::EvaluateSyscall(Sandbox* sandbox, } // Default on the baseline policy. - return SandboxBpfBasePolicy::EvaluateSyscall(sandbox, sysno); + return SandboxBPFBasePolicy::EvaluateSyscall(sandbox, sysno); } } -class BlacklistDebugAndNumaPolicy : public SandboxBpfBasePolicy { +class BlacklistDebugAndNumaPolicy : public SandboxBPFBasePolicy { public: BlacklistDebugAndNumaPolicy() {} virtual ~BlacklistDebugAndNumaPolicy() {} - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; private: DISALLOW_COPY_AND_ASSIGN(BlacklistDebugAndNumaPolicy); }; -ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(Sandbox* sandbox, +ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const { - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // TODO(jln) we should not have to do that in a trivial policy. return ErrorCode(ENOSYS); } @@ -425,12 +426,12 @@ ErrorCode BlacklistDebugAndNumaPolicy::EvaluateSyscall(Sandbox* sandbox, return ErrorCode(ErrorCode::ERR_ALLOWED); } -class AllowAllPolicy : public SandboxBpfBasePolicy { +class AllowAllPolicy : public SandboxBPFBasePolicy { public: AllowAllPolicy() {} virtual ~AllowAllPolicy() {} - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; private: @@ -440,8 +441,8 @@ class AllowAllPolicy : public SandboxBpfBasePolicy { // Allow all syscalls. // This will still deny x32 or IA32 calls in 64 bits mode or // 64 bits system calls in compatibility mode. -ErrorCode AllowAllPolicy::EvaluateSyscall(Sandbox*, int sysno) const { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode AllowAllPolicy::EvaluateSyscall(SandboxBPF*, int sysno) const { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // TODO(jln) we should not have to do that in a trivial policy. return ErrorCode(ENOSYS); } else { @@ -469,7 +470,7 @@ void RunSandboxSanityChecks(const std::string& process_type) { // open() must be restricted. syscall_ret = open("/etc/passwd", O_RDONLY); CHECK_EQ(-1, syscall_ret); - CHECK_EQ(SandboxBpfBasePolicy::GetFSDeniedErrno(), errno); + CHECK_EQ(SandboxBPFBasePolicy::GetFSDeniedErrno(), errno); // We should never allow the creation of netlink sockets. syscall_ret = socket(AF_NETLINK, SOCK_DGRAM, 0); @@ -588,7 +589,7 @@ void InitGpuBrokerProcess(bool for_chromeos_arm, sandbox_callback = EnableGpuBrokerPolicyCallback; } - *broker_process = new BrokerProcess(SandboxBpfBasePolicy::GetFSDeniedErrno(), + *broker_process = new BrokerProcess(SandboxBPFBasePolicy::GetFSDeniedErrno(), read_whitelist, write_whitelist); // Initialize the broker process and give it a sandbox callback. @@ -664,7 +665,7 @@ void StartGpuProcessSandbox(const CommandLine& command_line, // eventually start a broker process. WarmupPolicy(chromeos_arm_gpu, &broker_process); - scoped_ptr<SandboxBpfBasePolicy> gpu_policy; + scoped_ptr<SandboxBPFBasePolicy> gpu_policy; if (chromeos_arm_gpu) { gpu_policy.reset(new ArmGpuProcessPolicy(broker_process, allow_sysv_shm)); } else { @@ -674,19 +675,19 @@ void StartGpuProcessSandbox(const CommandLine& command_line, } // This function takes ownership of |policy|. -void StartSandboxWithPolicy(playground2::SandboxBpfPolicy* policy) { +void StartSandboxWithPolicy(sandbox::SandboxBPFPolicy* policy) { // Starting the sandbox is a one-way operation. The kernel doesn't allow // us to unload a sandbox policy after it has been started. Nonetheless, // in order to make the use of the "Sandbox" object easier, we allow for // the object to be destroyed after the sandbox has been started. Note that // doing so does not stop the sandbox. - Sandbox sandbox; + SandboxBPF sandbox; sandbox.SetSandboxPolicy(policy); sandbox.StartSandbox(); } void StartNonGpuSandbox(const std::string& process_type) { - scoped_ptr<SandboxBpfBasePolicy> policy; + scoped_ptr<SandboxBPFBasePolicy> policy; if (process_type == switches::kRendererProcess || process_type == switches::kWorkerProcess) { @@ -704,7 +705,7 @@ void StartNonGpuSandbox(const std::string& process_type) { } // Initialize the seccomp-bpf sandbox. -bool StartBpfSandbox(const CommandLine& command_line, +bool StartBPFSandbox(const CommandLine& command_line, const std::string& process_type) { if (process_type == switches::kGpuProcess) { @@ -722,7 +723,7 @@ bool StartBpfSandbox(const CommandLine& command_line, #endif // SECCOMP_BPF_SANDBOX // Is seccomp BPF globally enabled? -bool SandboxSeccompBpf::IsSeccompBpfDesired() { +bool SandboxSeccompBPF::IsSeccompBPFDesired() { const CommandLine& command_line = *CommandLine::ForCurrentProcess(); if (!command_line.HasSwitch(switches::kNoSandbox) && !command_line.HasSwitch(switches::kDisableSeccompFilterSandbox)) { @@ -732,7 +733,7 @@ bool SandboxSeccompBpf::IsSeccompBpfDesired() { } } -bool SandboxSeccompBpf::ShouldEnableSeccompBpf( +bool SandboxSeccompBPF::ShouldEnableSeccompBPF( const std::string& process_type) { #if defined(SECCOMP_BPF_SANDBOX) const CommandLine& command_line = *CommandLine::ForCurrentProcess(); @@ -744,33 +745,33 @@ bool SandboxSeccompBpf::ShouldEnableSeccompBpf( return false; } -bool SandboxSeccompBpf::SupportsSandbox() { +bool SandboxSeccompBPF::SupportsSandbox() { #if defined(SECCOMP_BPF_SANDBOX) // TODO(jln): pass the saved proc_fd_ from the LinuxSandbox singleton // here. - Sandbox::SandboxStatus bpf_sandbox_status = - Sandbox::SupportsSeccompSandbox(-1); + SandboxBPF::SandboxStatus bpf_sandbox_status = + SandboxBPF::SupportsSeccompSandbox(-1); // Kernel support is what we are interested in here. Other status // such as STATUS_UNAVAILABLE (has threads) still indicate kernel support. // We make this a negative check, since if there is a bug, we would rather // "fail closed" (expect a sandbox to be available and try to start it). - if (bpf_sandbox_status != Sandbox::STATUS_UNSUPPORTED) { + if (bpf_sandbox_status != SandboxBPF::STATUS_UNSUPPORTED) { return true; } #endif return false; } -bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { +bool SandboxSeccompBPF::StartSandbox(const std::string& process_type) { #if defined(SECCOMP_BPF_SANDBOX) const CommandLine& command_line = *CommandLine::ForCurrentProcess(); - if (IsSeccompBpfDesired() && // Global switches policy. - ShouldEnableSeccompBpf(process_type) && // Process-specific policy. + if (IsSeccompBPFDesired() && // Global switches policy. + ShouldEnableSeccompBPF(process_type) && // Process-specific policy. SupportsSandbox()) { // If the kernel supports the sandbox, and if the command line says we // should enable it, enable it or die. - bool started_sandbox = StartBpfSandbox(command_line, process_type); + bool started_sandbox = StartBPFSandbox(command_line, process_type); CHECK(started_sandbox); return true; } @@ -778,10 +779,10 @@ bool SandboxSeccompBpf::StartSandbox(const std::string& process_type) { return false; } -bool SandboxSeccompBpf::StartSandboxWithExternalPolicy( - scoped_ptr<playground2::SandboxBpfPolicy> policy) { +bool SandboxSeccompBPF::StartSandboxWithExternalPolicy( + scoped_ptr<sandbox::SandboxBPFPolicy> policy) { #if defined(SECCOMP_BPF_SANDBOX) - if (IsSeccompBpfDesired() && SupportsSandbox()) { + if (IsSeccompBPFDesired() && SupportsSandbox()) { CHECK(policy); StartSandboxWithPolicy(policy.release()); return true; @@ -790,12 +791,12 @@ bool SandboxSeccompBpf::StartSandboxWithExternalPolicy( return false; } -scoped_ptr<playground2::SandboxBpfPolicy> -SandboxSeccompBpf::GetBaselinePolicy() { +scoped_ptr<sandbox::SandboxBPFPolicy> +SandboxSeccompBPF::GetBaselinePolicy() { #if defined(SECCOMP_BPF_SANDBOX) - return scoped_ptr<playground2::SandboxBpfPolicy>(new BaselinePolicy); + return scoped_ptr<sandbox::SandboxBPFPolicy>(new BaselinePolicy); #else - return scoped_ptr<playground2::SandboxBpfPolicy>(); + return scoped_ptr<sandbox::SandboxBPFPolicy>(); #endif // defined(SECCOMP_BPF_SANDBOX) } diff --git a/content/common/sandbox_seccomp_bpf_linux.h b/content/common/sandbox_seccomp_bpf_linux.h index a32973d..c6058c4 100644 --- a/content/common/sandbox_seccomp_bpf_linux.h +++ b/content/common/sandbox_seccomp_bpf_linux.h @@ -10,8 +10,8 @@ #include "base/basictypes.h" #include "base/memory/scoped_ptr.h" -namespace playground2 { -class SandboxBpfPolicy; +namespace sandbox { +class SandboxBPFPolicy; } namespace content { @@ -19,16 +19,16 @@ namespace content { // This class has two main sets of APIs. One can be used to start the sandbox // for internal content process types, the other is indirectly exposed as // a public content/ API and uses a supplied policy. -class SandboxSeccompBpf { +class SandboxSeccompBPF { public: // This is the API to enable a seccomp-bpf sandbox for content/ // process-types: // Is the sandbox globally enabled, can anything use it at all ? // This looks at global command line flags to see if the sandbox // should be enabled at all. - static bool IsSeccompBpfDesired(); + static bool IsSeccompBPFDesired(); // Should the sandbox be enabled for process_type ? - static bool ShouldEnableSeccompBpf(const std::string& process_type); + static bool ShouldEnableSeccompBPF(const std::string& process_type); // Check if the kernel supports this sandbox. It's useful to "prewarm" // this, part of the result will be cached. static bool SupportsSandbox(); @@ -39,12 +39,12 @@ class SandboxSeccompBpf { // This is the API to enable a seccomp-bpf sandbox by using an // external policy. static bool StartSandboxWithExternalPolicy( - scoped_ptr<playground2::SandboxBpfPolicy> policy); + scoped_ptr<sandbox::SandboxBPFPolicy> policy); // The "baseline" policy can be a useful base to build a sandbox policy. - static scoped_ptr<playground2::SandboxBpfPolicy> GetBaselinePolicy(); + static scoped_ptr<sandbox::SandboxBPFPolicy> GetBaselinePolicy(); private: - DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxSeccompBpf); + DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxSeccompBPF); }; } // namespace content diff --git a/content/public/common/sandbox_init.h b/content/public/common/sandbox_init.h index 33a76c2..f709d23 100644 --- a/content/public/common/sandbox_init.h +++ b/content/public/common/sandbox_init.h @@ -16,11 +16,8 @@ namespace base { class FilePath; } -namespace playground2 { -class SandboxBpfPolicy; -} - namespace sandbox { +class SandboxBPFPolicy; struct SandboxInterfaceInfo; } @@ -90,12 +87,12 @@ class SandboxInitializerDelegate; // Initialize a seccomp-bpf sandbox. |policy| may not be NULL. // Returns true if the sandbox has been properly engaged. CONTENT_EXPORT bool InitializeSandbox( - scoped_ptr<playground2::SandboxBpfPolicy> policy); + scoped_ptr<sandbox::SandboxBPFPolicy> policy); // Return a "baseline" policy. This is used by a SandboxInitializerDelegate to // implement a policy that is derived from the baseline. -CONTENT_EXPORT scoped_ptr<playground2::SandboxBpfPolicy> -GetBpfSandboxBaselinePolicy(); +CONTENT_EXPORT scoped_ptr<sandbox::SandboxBPFPolicy> +GetBPFSandboxBaselinePolicy(); #endif // defined(OS_LINUX) } // namespace content diff --git a/content/public/common/sandbox_linux.h b/content/public/common/sandbox_linux.h index 6824d55..72e212e 100644 --- a/content/public/common/sandbox_linux.h +++ b/content/public/common/sandbox_linux.h @@ -21,7 +21,7 @@ enum LinuxSandboxStatus { kSandboxLinuxNetNS = 1 << 2, // seccomp-bpf sandbox active. - kSandboxLinuxSeccompBpf = 1 << 3, + kSandboxLinuxSeccompBPF = 1 << 3, }; } // namespace content diff --git a/content/renderer/renderer_main_platform_delegate_linux.cc b/content/renderer/renderer_main_platform_delegate_linux.cc index e473ad8..135a084 100644 --- a/content/renderer/renderer_main_platform_delegate_linux.cc +++ b/content/renderer/renderer_main_platform_delegate_linux.cc @@ -69,7 +69,7 @@ void RendererMainPlatformDelegate::RunSandboxTests(bool no_sandbox) { // Here, we test that the status of SeccompBpf in the renderer is consistent // with what LinuxSandbox::GetStatus() said we would do. class LinuxSandbox* linux_sandbox = LinuxSandbox::GetInstance(); - if (linux_sandbox->GetStatus() & kSandboxLinuxSeccompBpf) { + if (linux_sandbox->GetStatus() & kSandboxLinuxSeccompBPF) { CHECK(linux_sandbox->seccomp_bpf_started()); } diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc index a3c8ddc..92e5fae 100644 --- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc @@ -81,7 +81,7 @@ bool IsBaselinePolicyWatched(int sysno) { } // |fs_denied_errno| is the errno return for denied filesystem access. -ErrorCode EvaluateSyscallImpl(int fs_denied_errno, Sandbox* sandbox, +ErrorCode EvaluateSyscallImpl(int fs_denied_errno, SandboxBPF* sandbox, int sysno) { if (IsBaselinePolicyAllowed(sysno)) { return ErrorCode(ErrorCode::ERR_ALLOWED); @@ -167,12 +167,13 @@ BaselinePolicy::BaselinePolicy(int fs_denied_errno) BaselinePolicy::~BaselinePolicy() {} -ErrorCode BaselinePolicy::EvaluateSyscall(Sandbox* sandbox, int sysno) const { +ErrorCode BaselinePolicy::EvaluateSyscall(SandboxBPF* sandbox, + int sysno) const { return EvaluateSyscallImpl(fs_denied_errno_, sandbox, sysno); } // TODO(jln): Migrate NaCl and remove. -ErrorCode BaselinePolicy::BaselinePolicyDeprecated(Sandbox* sandbox, +ErrorCode BaselinePolicy::BaselinePolicyDeprecated(SandboxBPF* sandbox, int sysno, void* aux) { DCHECK(!aux); diff --git a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h index 88dd9dc..52f9f4d 100644 --- a/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h +++ b/sandbox/linux/seccomp-bpf-helpers/baseline_policy.h @@ -8,27 +8,21 @@ #include "sandbox/linux/seccomp-bpf/errorcode.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h" -namespace playground2 { -class Sandbox; -class SandboxBpfPolicy; -} - -using playground2::ErrorCode; -using playground2::Sandbox; -using playground2::SandboxBpfPolicy; - namespace sandbox { +class SandboxBPF; +class SandboxBPFPolicy; + // This is a helper to build seccomp-bpf policies, i.e. policies for a sandbox // that reduces the Linux kernel's attack surface. Given its nature, it doesn't // have a clear semantics and is mostly "implementation-defined". // -// This returns an object that implements the SandboxBpfPolicy interface with +// This returns an object that implements the SandboxBPFPolicy interface with // a "baseline" policy within Chromium. // The "baseline" policy is somewhat arbitrary. All Chromium policies are an // alteration of it, and it represents a reasonable common ground to run most // code in a sandboxed environment. -class BaselinePolicy : public SandboxBpfPolicy { +class BaselinePolicy : public SandboxBPFPolicy { public: BaselinePolicy(); // |fs_denied_errno| is the errno returned when a filesystem access system @@ -36,11 +30,11 @@ class BaselinePolicy : public SandboxBpfPolicy { explicit BaselinePolicy(int fs_denied_errno); virtual ~BaselinePolicy(); - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE; // TODO(jln): remove once NaCl uses the new policy format. Do not use in new // code. This is the same as EvaluateSyscall. |aux| must be NULL. - static ErrorCode BaselinePolicyDeprecated(Sandbox* sandbox, + static ErrorCode BaselinePolicyDeprecated(SandboxBPF* sandbox, int sysno, void* aux); diff --git a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h index 7915d68..3bf5c16 100644 --- a/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h +++ b/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h @@ -12,14 +12,10 @@ // guaranteed to be async-signal safe. // See sandbox/linux/seccomp-bpf/trap.h to see how they work. -namespace playground2 { -struct arch_seccomp_data; -} - -using playground2::arch_seccomp_data; - namespace sandbox { +struct arch_seccomp_data; + // This handler will crash the currently running process. The crashing address // will be the number of the current system call, extracted from |args|. // This handler will also print to stderr the number of the crashing syscall. diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc index c26cfd8..9b417ce 100644 --- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.cc @@ -33,10 +33,6 @@ #define MAP_STACK 0x20000 // Daisy build environment has old headers. #endif -using playground2::arch_seccomp_data; -using playground2::ErrorCode; -using playground2::Sandbox; - namespace { inline bool RunningOnASAN() { @@ -67,7 +63,7 @@ inline bool IsArchitectureI386() { namespace sandbox { -ErrorCode RestrictCloneToThreadsAndEPERMFork(Sandbox* sandbox) { +ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox) { // Glibc's pthread. if (!RunningOnASAN()) { return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, @@ -88,7 +84,7 @@ ErrorCode RestrictCloneToThreadsAndEPERMFork(Sandbox* sandbox) { } } -ErrorCode RestrictPrctl(Sandbox* sandbox) { +ErrorCode RestrictPrctl(SandboxBPF* sandbox) { // Will need to add seccomp compositing in the future. PR_SET_PTRACER is // used by breakpad but not needed anymore. return sandbox->Cond(0, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, @@ -100,7 +96,7 @@ ErrorCode RestrictPrctl(Sandbox* sandbox) { sandbox->Trap(SIGSYSPrctlFailure, NULL)))); } -ErrorCode RestrictIoctl(Sandbox* sandbox) { +ErrorCode RestrictIoctl(SandboxBPF* sandbox) { return sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, TCGETS, ErrorCode(ErrorCode::ERR_ALLOWED), sandbox->Cond(1, ErrorCode::TP_32BIT, ErrorCode::OP_EQUAL, FIONREAD, @@ -108,7 +104,7 @@ ErrorCode RestrictIoctl(Sandbox* sandbox) { sandbox->Trap(SIGSYSIoctlFailure, NULL))); } -ErrorCode RestrictMmapFlags(Sandbox* sandbox) { +ErrorCode RestrictMmapFlags(SandboxBPF* sandbox) { // The flags you see are actually the allowed ones, and the variable is a // "denied" mask because of the negation operator. // Significantly, we don't permit MAP_HUGETLB, or the newer flags such as @@ -123,7 +119,7 @@ ErrorCode RestrictMmapFlags(Sandbox* sandbox) { ErrorCode(ErrorCode::ERR_ALLOWED)); } -ErrorCode RestrictMprotectFlags(Sandbox* sandbox) { +ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox) { // The flags you see are actually the allowed ones, and the variable is a // "denied" mask because of the negation operator. // Significantly, we don't permit weird undocumented flags such as @@ -135,7 +131,7 @@ ErrorCode RestrictMprotectFlags(Sandbox* sandbox) { ErrorCode(ErrorCode::ERR_ALLOWED)); } -ErrorCode RestrictFcntlCommands(Sandbox* sandbox) { +ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox) { // We also restrict the flags in F_SETFL. We don't want to permit flags with // a history of trouble such as O_DIRECT. The flags you see are actually the // allowed ones, and the variable is a "denied" mask because of the negation @@ -190,7 +186,7 @@ ErrorCode RestrictFcntlCommands(Sandbox* sandbox) { } #if defined(__i386__) -ErrorCode RestrictSocketcallCommand(Sandbox* sandbox) { +ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox) { // Unfortunately, we are unable to restrict the first parameter to // socketpair(2). Whilst initially sounding bad, it's noteworthy that very // few protocols actually support socketpair(2). The scary call that we're diff --git a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h index c54291a..65b7c47 100644 --- a/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h +++ b/sandbox/linux/seccomp-bpf-helpers/syscall_parameters_restrictions.h @@ -11,51 +11,46 @@ // sandbox that reduces the Linux kernel's attack surface. They return an // ErrorCode suitable to restrict certain system call parameters. -namespace playground2 { -class ErrorCode; -class Sandbox; -} - -using playground2::ErrorCode; -using playground2::Sandbox; - namespace sandbox { +class ErrorCode; +class SandboxBPF; + // Allow clone(2) for threads. // Reject fork(2) attempts with EPERM. // Don't restrict on ASAN. // Crash if anything else is attempted. -ErrorCode RestrictCloneToThreadsAndEPERMFork(Sandbox* sandbox); +ErrorCode RestrictCloneToThreadsAndEPERMFork(SandboxBPF* sandbox); // Allow PR_SET_NAME, PR_SET_DUMPABLE, PR_GET_DUMPABLE. // Crash if anything else is attempted. -ErrorCode RestrictPrctl(Sandbox* sandbox); +ErrorCode RestrictPrctl(SandboxBPF* sandbox); // Allow TCGETS and FIONREAD. // Crash if anything else is attempted. -ErrorCode RestrictIoctl(Sandbox* sandbox); +ErrorCode RestrictIoctl(SandboxBPF* sandbox); // Restrict the flags argument in mmap(2). // Only allow: MAP_SHARED | MAP_PRIVATE | MAP_ANONYMOUS | // MAP_STACK | MAP_NORESERVE | MAP_FIXED | MAP_DENYWRITE. // Crash if any other flag is used. -ErrorCode RestrictMmapFlags(Sandbox* sandbox); +ErrorCode RestrictMmapFlags(SandboxBPF* sandbox); // Restrict the prot argument in mprotect(2). // Only allow: PROT_READ | PROT_WRITE | PROT_EXEC. -ErrorCode RestrictMprotectFlags(Sandbox* sandbox); +ErrorCode RestrictMprotectFlags(SandboxBPF* sandbox); // Restrict fcntl(2) cmd argument to: // We allow F_GETFL, F_SETFL, F_GETFD, F_SETFD, F_DUPFD, F_DUPFD_CLOEXEC, // F_SETLK, F_SETLKW and F_GETLK. // Also, in F_SETFL, restrict the allowed flags to: O_ACCMODE | O_APPEND | // O_NONBLOCK | O_SYNC | O_LARGEFILE | O_CLOEXEC | O_NOATIME. -ErrorCode RestrictFcntlCommands(Sandbox* sandbox); +ErrorCode RestrictFcntlCommands(SandboxBPF* sandbox); #if defined(__i386__) // Restrict socketcall(2) to only allow socketpair(2), send(2), recv(2), // sendto(2), recvfrom(2), shutdown(2), sendmsg(2) and recvmsg(2). -ErrorCode RestrictSocketcallCommand(Sandbox* sandbox); +ErrorCode RestrictSocketcallCommand(SandboxBPF* sandbox); #endif } // namespace sandbox. diff --git a/sandbox/linux/seccomp-bpf/basicblock.cc b/sandbox/linux/seccomp-bpf/basicblock.cc index 58d27b2..eb857f0 100644 --- a/sandbox/linux/seccomp-bpf/basicblock.cc +++ b/sandbox/linux/seccomp-bpf/basicblock.cc @@ -4,10 +4,10 @@ #include "sandbox/linux/seccomp-bpf/basicblock.h" -namespace playground2 { +namespace sandbox { BasicBlock::BasicBlock() {} BasicBlock::~BasicBlock() {} -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/basicblock.h b/sandbox/linux/seccomp-bpf/basicblock.h index a116f41..d15a372 100644 --- a/sandbox/linux/seccomp-bpf/basicblock.h +++ b/sandbox/linux/seccomp-bpf/basicblock.h @@ -9,7 +9,7 @@ #include "sandbox/linux/seccomp-bpf/instruction.h" -namespace playground2 { +namespace sandbox { struct BasicBlock { BasicBlock(); @@ -44,6 +44,6 @@ struct BasicBlock { int offset; }; -} // namespace playground2 +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_BASICBLOCK_H__ diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h index 13ccf7d..7095c23 100644 --- a/sandbox/linux/seccomp-bpf/bpf_tests.h +++ b/sandbox/linux/seccomp-bpf/bpf_tests.h @@ -21,13 +21,13 @@ namespace sandbox { // A BPF_DEATH_TEST is always disabled under ThreadSanitizer, see // crbug.com/243968. #define BPF_DEATH_TEST(test_case_name, test_name, death, policy, aux...) \ - void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX); \ + void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX); \ TEST(test_case_name, DISABLE_ON_TSAN(test_name)) { \ - sandbox::BpfTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy); \ - sandbox::BpfTests<aux>::RunTestInProcess( \ - sandbox::BpfTests<aux>::TestWrapper, &arg, death); \ + sandbox::BPFTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy); \ + sandbox::BPFTests<aux>::RunTestInProcess( \ + sandbox::BPFTests<aux>::TestWrapper, &arg, death); \ } \ - void BPF_TEST_##test_name(sandbox::BpfTests<aux>::AuxType& BPF_AUX) + void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX) // BPF_TEST() is a special version of SANDBOX_TEST(). It turns into a no-op, // if the host does not have kernel support for running BPF filters. @@ -37,7 +37,7 @@ namespace sandbox { // BPF_TEST() takes a C++ data type as an optional fourth parameter. If // present, this sets up a variable that can be accessed as "BPF_AUX". This // variable will be passed as an argument to the "policy" function. Policies -// would typically use it as an argument to Sandbox::Trap(), if they want to +// would typically use it as an argument to SandboxBPF::Trap(), if they want to // communicate data between the BPF_TEST() and a Trap() function. #define BPF_TEST(test_case_name, test_name, policy, aux...) \ BPF_DEATH_TEST(test_case_name, test_name, DEATH_SUCCESS(), policy, aux) @@ -49,42 +49,42 @@ namespace sandbox { // the caller doesn't provide any type, all the BPF_AUX related data compiles // to nothing. template <class Aux = int[0]> -class BpfTests : public UnitTests { +class BPFTests : public UnitTests { public: typedef Aux AuxType; class TestArgs { public: - TestArgs(void (*t)(AuxType&), playground2::Sandbox::EvaluateSyscall p) + TestArgs(void (*t)(AuxType&), sandbox::SandboxBPF::EvaluateSyscall p) : test_(t), policy_(p), aux_() {} void (*test() const)(AuxType&) { return test_; } - playground2::Sandbox::EvaluateSyscall policy() const { return policy_; } + sandbox::SandboxBPF::EvaluateSyscall policy() const { return policy_; } private: - friend class BpfTests; + friend class BPFTests; void (*test_)(AuxType&); - playground2::Sandbox::EvaluateSyscall policy_; + sandbox::SandboxBPF::EvaluateSyscall policy_; AuxType aux_; }; static void TestWrapper(void* void_arg) { TestArgs* arg = reinterpret_cast<TestArgs*>(void_arg); - playground2::Die::EnableSimpleExit(); - if (playground2::Sandbox::SupportsSeccompSandbox(-1) == - playground2::Sandbox::STATUS_AVAILABLE) { + sandbox::Die::EnableSimpleExit(); + if (sandbox::SandboxBPF::SupportsSeccompSandbox(-1) == + sandbox::SandboxBPF::STATUS_AVAILABLE) { // Ensure the the sandbox is actually available at this time int proc_fd; BPF_ASSERT((proc_fd = open("/proc", O_RDONLY | O_DIRECTORY)) >= 0); - BPF_ASSERT(playground2::Sandbox::SupportsSeccompSandbox(proc_fd) == - playground2::Sandbox::STATUS_AVAILABLE); + BPF_ASSERT(sandbox::SandboxBPF::SupportsSeccompSandbox(proc_fd) == + sandbox::SandboxBPF::STATUS_AVAILABLE); // Initialize and then start the sandbox with our custom policy - playground2::Sandbox sandbox; + sandbox::SandboxBPF sandbox; sandbox.set_proc_fd(proc_fd); sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_); - sandbox.Sandbox::StartSandbox(); + sandbox.SandboxBPF::StartSandbox(); arg->test()(arg->aux_); } else { @@ -98,9 +98,9 @@ class BpfTests : public UnitTests { } // Call the compiler and verify the policy. That's the least we can do, // if we don't have kernel support. - playground2::Sandbox sandbox; + sandbox::SandboxBPF sandbox; sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_); - playground2::Sandbox::Program* program = + sandbox::SandboxBPF::Program* program = sandbox.AssembleFilter(true /* force_verification */); delete program; sandbox::UnitTests::IgnoreThisTest(); @@ -108,9 +108,9 @@ class BpfTests : public UnitTests { } private: - DISALLOW_IMPLICIT_CONSTRUCTORS(BpfTests); + DISALLOW_IMPLICIT_CONSTRUCTORS(BPFTests); }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__ diff --git a/sandbox/linux/seccomp-bpf/codegen.cc b/sandbox/linux/seccomp-bpf/codegen.cc index 77df612..8fb1701 100644 --- a/sandbox/linux/seccomp-bpf/codegen.cc +++ b/sandbox/linux/seccomp-bpf/codegen.cc @@ -9,8 +9,8 @@ namespace { // Helper function for Traverse(). -void TraverseRecursively(std::set<playground2::Instruction*>* visited, - playground2::Instruction* instruction) { +void TraverseRecursively(std::set<sandbox::Instruction*>* visited, + sandbox::Instruction* instruction) { if (visited->find(instruction) == visited->end()) { visited->insert(instruction); switch (BPF_CLASS(instruction->code)) { @@ -31,7 +31,7 @@ void TraverseRecursively(std::set<playground2::Instruction*>* visited, } // namespace -namespace playground2 { +namespace sandbox { CodeGen::CodeGen() : compiled_(false) {} @@ -48,8 +48,8 @@ CodeGen::~CodeGen() { } } -void CodeGen::PrintProgram(const Sandbox::Program& program) { - for (Sandbox::Program::const_iterator iter = program.begin(); +void CodeGen::PrintProgram(const SandboxBPF::Program& program) { + for (SandboxBPF::Program::const_iterator iter = program.begin(); iter != program.end(); ++iter) { int ip = (int)(iter - program.begin()); @@ -706,7 +706,7 @@ void CodeGen::ComputeRelativeJumps(BasicBlocks* basic_blocks, } void CodeGen::ConcatenateBasicBlocks(const BasicBlocks& basic_blocks, - Sandbox::Program* program) { + SandboxBPF::Program* program) { // Our basic blocks have been sorted and relative jump offsets have been // computed. The last remaining step is for all the instructions in our // basic blocks to be concatenated into a BPF program. @@ -726,7 +726,7 @@ void CodeGen::ConcatenateBasicBlocks(const BasicBlocks& basic_blocks, return; } -void CodeGen::Compile(Instruction* instructions, Sandbox::Program* program) { +void CodeGen::Compile(Instruction* instructions, SandboxBPF::Program* program) { if (compiled_) { SANDBOX_DIE( "Cannot call Compile() multiple times. Create a new code " @@ -747,4 +747,4 @@ void CodeGen::Compile(Instruction* instructions, Sandbox::Program* program) { return; } -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/codegen.h b/sandbox/linux/seccomp-bpf/codegen.h index 6ef7603..2745e51 100644 --- a/sandbox/linux/seccomp-bpf/codegen.h +++ b/sandbox/linux/seccomp-bpf/codegen.h @@ -13,7 +13,7 @@ #include "sandbox/linux/seccomp-bpf/instruction.h" #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" -namespace playground2 { +namespace sandbox { typedef std::vector<Instruction*> Instructions; typedef std::vector<BasicBlock*> BasicBlocks; @@ -28,7 +28,7 @@ typedef std::map<const BasicBlock*, int> IncomingBranches; // // Callers would typically create a new CodeGen object and then use it to // build a DAG of Instructions. They'll eventually call Compile() to convert -// this DAG to a Sandbox::Program. +// this DAG to a SandboxBPF::Program. // // Instructions can be chained at the time when they are created, or they // can be joined later by calling JoinInstructions(). @@ -46,7 +46,7 @@ typedef std::map<const BasicBlock*, int> IncomingBranches; // // // Simplified code follows; in practice, it is important to avoid calling // // any C++ destructors after starting the sandbox. -// Sandbox::Program program; +// SandboxBPF::Program program; // gen.Compile(dag, program); // const struct sock_fprog prog = { // static_cast<unsigned short>(program->size()), &program[0] }; @@ -59,7 +59,7 @@ class CodeGen { // This is a helper method that can be used for debugging purposes. It is // not normally called. - static void PrintProgram(const Sandbox::Program& program); + static void PrintProgram(const SandboxBPF::Program& program); // Create a new instruction. Instructions form a DAG. The instruction objects // are owned by the CodeGen object. They do not need to be explicitly @@ -90,7 +90,7 @@ class CodeGen { // Compiles the graph of instructions into a BPF program that can be passed // to the kernel. Please note that this function modifies the graph in place // and must therefore only be called once per graph. - void Compile(Instruction* instructions, Sandbox::Program* program); + void Compile(Instruction* instructions, SandboxBPF::Program* program); private: friend class CodeGenUnittestHelper; @@ -140,7 +140,7 @@ class CodeGen { // Concatenate instructions from all basic blocks into a BPF program that // can be passed to the kernel. - void ConcatenateBasicBlocks(const BasicBlocks&, Sandbox::Program* program); + void ConcatenateBasicBlocks(const BasicBlocks&, SandboxBPF::Program* program); // We stick all instructions and basic blocks into pools that get destroyed // when the CodeGen object is destroyed. This way, we neither need to worry @@ -154,6 +154,6 @@ class CodeGen { bool compiled_; }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_CODEGEN_H__ diff --git a/sandbox/linux/seccomp-bpf/codegen_unittest.cc b/sandbox/linux/seccomp-bpf/codegen_unittest.cc index ccc5656..0539a0d 100644 --- a/sandbox/linux/seccomp-bpf/codegen_unittest.cc +++ b/sandbox/linux/seccomp-bpf/codegen_unittest.cc @@ -12,11 +12,11 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/tests/unit_tests.h" -namespace playground2 { +namespace sandbox { -class SandboxUnittestHelper : public Sandbox { +class SandboxUnittestHelper : public SandboxBPF { public: - typedef Sandbox::Program Program; + typedef SandboxBPF::Program Program; }; // We want to access some of the private methods in the code generator. We @@ -444,4 +444,4 @@ SANDBOX_TEST(CodeGen, All) { ForAllPrograms(CompileAndCompare); } -} // namespace playground2 +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/demo.cc b/sandbox/linux/seccomp-bpf/demo.cc index 48df073..1418018 100644 --- a/sandbox/linux/seccomp-bpf/demo.cc +++ b/sandbox/linux/seccomp-bpf/demo.cc @@ -30,9 +30,9 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/services/linux_syscalls.h" -using playground2::arch_seccomp_data; -using playground2::ErrorCode; -using playground2::Sandbox; +using sandbox::ErrorCode; +using sandbox::SandboxBPF; +using sandbox::arch_seccomp_data; #define ERR EPERM @@ -237,7 +237,7 @@ intptr_t DefaultHandler(const struct arch_seccomp_data& data, void *) { return -ERR; } -ErrorCode Evaluator(Sandbox *sandbox, int sysno, void *) { +ErrorCode Evaluator(SandboxBPF* sandbox, int sysno, void *) { switch (sysno) { #if defined(__NR_accept) case __NR_accept: case __NR_accept4: @@ -413,12 +413,12 @@ int main(int argc, char *argv[]) { if (argc) { } if (argv) { } int proc_fd = open("/proc", O_RDONLY|O_DIRECTORY); - if (Sandbox::SupportsSeccompSandbox(proc_fd) != - Sandbox::STATUS_AVAILABLE) { + if (SandboxBPF::SupportsSeccompSandbox(proc_fd) != + SandboxBPF::STATUS_AVAILABLE) { perror("sandbox"); _exit(1); } - Sandbox sandbox; + SandboxBPF sandbox; sandbox.set_proc_fd(proc_fd); sandbox.SetSandboxPolicyDeprecated(Evaluator, NULL); sandbox.StartSandbox(); diff --git a/sandbox/linux/seccomp-bpf/die.cc b/sandbox/linux/seccomp-bpf/die.cc index 594740c..533e2e9 100644 --- a/sandbox/linux/seccomp-bpf/die.cc +++ b/sandbox/linux/seccomp-bpf/die.cc @@ -14,7 +14,7 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/seccomp-bpf/syscall.h" -namespace playground2 { +namespace sandbox { void Die::ExitGroup() { // exit_group() should exit our program. After all, it is defined as a @@ -82,4 +82,4 @@ void Die::LogToStderr(const char* msg, const char* file, int line) { bool Die::simple_exit_ = false; bool Die::suppress_info_ = false; -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/die.h b/sandbox/linux/seccomp-bpf/die.h index 2ed3f07..5dcfda0 100644 --- a/sandbox/linux/seccomp-bpf/die.h +++ b/sandbox/linux/seccomp-bpf/die.h @@ -7,18 +7,18 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { // This is the main API for using this file. Prints a error message and // exits with a fatal error. This is not async-signal safe. -#define SANDBOX_DIE(m) playground2::Die::SandboxDie(m, __FILE__, __LINE__) +#define SANDBOX_DIE(m) sandbox::Die::SandboxDie(m, __FILE__, __LINE__) // An async signal safe version of the same API. Won't print the filename // and line numbers. -#define RAW_SANDBOX_DIE(m) playground2::Die::RawSandboxDie(m) +#define RAW_SANDBOX_DIE(m) sandbox::Die::RawSandboxDie(m) // Adds an informational message to the log file or stderr as appropriate. -#define SANDBOX_INFO(m) playground2::Die::SandboxInfo(m, __FILE__, __LINE__) +#define SANDBOX_INFO(m) sandbox::Die::SandboxInfo(m, __FILE__, __LINE__) class Die { public: @@ -62,6 +62,6 @@ class Die { DISALLOW_IMPLICIT_CONSTRUCTORS(Die); }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_DIE_H__ diff --git a/sandbox/linux/seccomp-bpf/errorcode.cc b/sandbox/linux/seccomp-bpf/errorcode.cc index e517d38..6484852 100644 --- a/sandbox/linux/seccomp-bpf/errorcode.cc +++ b/sandbox/linux/seccomp-bpf/errorcode.cc @@ -5,7 +5,7 @@ #include "sandbox/linux/seccomp-bpf/die.h" #include "sandbox/linux/seccomp-bpf/errorcode.h" -namespace playground2 { +namespace sandbox { ErrorCode::ErrorCode(int err) { switch (err) { @@ -101,4 +101,4 @@ bool ErrorCode::LessThan(const ErrorCode& err) const { } } -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/errorcode.h b/sandbox/linux/seccomp-bpf/errorcode.h index 182fadb..625d123 100644 --- a/sandbox/linux/seccomp-bpf/errorcode.h +++ b/sandbox/linux/seccomp-bpf/errorcode.h @@ -8,7 +8,7 @@ #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" #include "sandbox/linux/seccomp-bpf/trap.h" -namespace playground2 { +namespace sandbox { struct arch_seccomp_data; @@ -46,7 +46,7 @@ class ErrorCode { // access 64bit quantities. But policies are still advised to specify whether // a system call expects a 32bit or a 64bit quantity. enum ArgType { - // When passed as an argument to Sandbox::Cond(), TP_32BIT requests that + // When passed as an argument to SandboxBPF::Cond(), TP_32BIT requests that // the conditional test should operate on the 32bit part of the system call // argument. // On 64bit architectures, this verifies that user space did not pass @@ -64,7 +64,7 @@ class ErrorCode { // having been sign extended. TP_32BIT, - // When passed as an argument to Sandbox::Cond(), TP_64BIT requests that + // When passed as an argument to SandboxBPF::Cond(), TP_64BIT requests that // the conditional test should operate on the full 64bit argument. It is // generally harmless to perform a 64bit test on 32bit systems, as the // kernel will always see the top 32 bits of all arguments as zero'd out. @@ -148,7 +148,7 @@ class ErrorCode { private: friend class CodeGen; - friend class Sandbox; + friend class SandboxBPF; friend class Trap; // If we are wrapping a callback, we must assign a unique id. This id is @@ -192,6 +192,6 @@ class ErrorCode { uint32_t err_; }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_ERRORCODE_H__ diff --git a/sandbox/linux/seccomp-bpf/errorcode_unittest.cc b/sandbox/linux/seccomp-bpf/errorcode_unittest.cc index 3748e51..ef04a5f 100644 --- a/sandbox/linux/seccomp-bpf/errorcode_unittest.cc +++ b/sandbox/linux/seccomp-bpf/errorcode_unittest.cc @@ -7,7 +7,7 @@ #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h" #include "sandbox/linux/tests/unit_tests.h" -using namespace playground2; +namespace sandbox { namespace { @@ -21,13 +21,13 @@ SANDBOX_TEST(ErrorCode, ErrnoConstructor) { ErrorCode e2(EPERM); SANDBOX_ASSERT(e2.err() == SECCOMP_RET_ERRNO + EPERM); - Sandbox sandbox; + SandboxBPF sandbox; ErrorCode e3 = sandbox.Trap(NULL, NULL); SANDBOX_ASSERT((e3.err() & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP); } SANDBOX_TEST(ErrorCode, Trap) { - Sandbox sandbox; + SandboxBPF sandbox; ErrorCode e0 = sandbox.Trap(NULL, "a"); ErrorCode e1 = sandbox.Trap(NULL, "b"); SANDBOX_ASSERT((e0.err() & SECCOMP_RET_DATA) + 1 == @@ -48,7 +48,7 @@ SANDBOX_TEST(ErrorCode, Equals) { ErrorCode e3(EPERM); SANDBOX_ASSERT(!e1.Equals(e3)); - Sandbox sandbox; + SandboxBPF sandbox; ErrorCode e4 = sandbox.Trap(NULL, "a"); ErrorCode e5 = sandbox.Trap(NULL, "b"); ErrorCode e6 = sandbox.Trap(NULL, "a"); @@ -69,7 +69,7 @@ SANDBOX_TEST(ErrorCode, LessThan) { SANDBOX_ASSERT(!e1.LessThan(e3)); SANDBOX_ASSERT( e3.LessThan(e1)); - Sandbox sandbox; + SandboxBPF sandbox; ErrorCode e4 = sandbox.Trap(NULL, "a"); ErrorCode e5 = sandbox.Trap(NULL, "b"); ErrorCode e6 = sandbox.Trap(NULL, "a"); @@ -81,3 +81,5 @@ SANDBOX_TEST(ErrorCode, LessThan) { } } // namespace + +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/instruction.h b/sandbox/linux/seccomp-bpf/instruction.h index 8d35187..8567c8f 100644 --- a/sandbox/linux/seccomp-bpf/instruction.h +++ b/sandbox/linux/seccomp-bpf/instruction.h @@ -7,7 +7,7 @@ #include <stdint.h> -namespace playground2 { +namespace sandbox { // The fields in this structure have the same meaning as the corresponding // fields in "struct sock_filter". See <linux/filter.h> for a lot more @@ -57,6 +57,6 @@ struct Instruction { uint32_t k; }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_INSTRUCTION_H__ diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc index b598d76..15faef6 100644 --- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc @@ -30,7 +30,7 @@ #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" #include "sandbox/linux/seccomp-bpf/verifier.h" -namespace playground2 { +namespace sandbox { namespace { @@ -56,8 +56,8 @@ void WriteFailedStderrSetupMessage(int out_fd) { // We define a really simple sandbox policy. It is just good enough for us // to tell that the sandbox has actually been activated. -ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) __attribute__((const)); -ErrorCode ProbeEvaluator(Sandbox*, int sysnum, void*) { +ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) __attribute__((const)); +ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) { switch (sysnum) { case __NR_getpid: // Return EPERM so that we can check that the filter actually ran. @@ -77,8 +77,8 @@ void ProbeProcess(void) { } } -ErrorCode AllowAllEvaluator(Sandbox*, int sysnum, void*) { - if (!Sandbox::IsValidSyscallNumber(sysnum)) { +ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysnum)) { return ErrorCode(ENOSYS); } return ErrorCode(ErrorCode::ERR_ALLOWED); @@ -162,7 +162,7 @@ void RedirectToUserspace(Instruction* insn, void* aux) { // The performance penalty for this extra round-trip to user-space is not // actually that bad, as we only ever pay it for denied system calls; and a // typical program has very few of these. - Sandbox* sandbox = static_cast<Sandbox*>(aux); + SandboxBPF* sandbox = static_cast<SandboxBPF*>(aux); if (BPF_CLASS(insn->code) == BPF_RET && (insn->k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) { insn->k = sandbox->Trap(ReturnErrno, @@ -174,15 +174,15 @@ void RedirectToUserspace(Instruction* insn, void* aux) { // made by RedirectToUserspace(). This is part of the framework that allows BPF // evaluation in userland. // TODO(markus): document the code inside better. -class RedirectToUserSpacePolicyWrapper : public SandboxBpfPolicy { +class RedirectToUserSpacePolicyWrapper : public SandboxBPFPolicy { public: explicit RedirectToUserSpacePolicyWrapper( - const SandboxBpfPolicy* wrapped_policy) + const SandboxBPFPolicy* wrapped_policy) : wrapped_policy_(wrapped_policy) { DCHECK(wrapped_policy_); } - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE { ErrorCode err = wrapped_policy_->EvaluateSyscall(sandbox_compiler, system_call_number); @@ -194,42 +194,42 @@ class RedirectToUserSpacePolicyWrapper : public SandboxBpfPolicy { } private: - const SandboxBpfPolicy* wrapped_policy_; + const SandboxBPFPolicy* wrapped_policy_; DISALLOW_COPY_AND_ASSIGN(RedirectToUserSpacePolicyWrapper); }; -intptr_t BpfFailure(const struct arch_seccomp_data&, void* aux) { +intptr_t BPFFailure(const struct arch_seccomp_data&, void* aux) { SANDBOX_DIE(static_cast<char*>(aux)); } // This class allows compatibility with the old, deprecated SetSandboxPolicy. -class CompatibilityPolicy : public SandboxBpfPolicy { +class CompatibilityPolicy : public SandboxBPFPolicy { public: - CompatibilityPolicy(Sandbox::EvaluateSyscall syscall_evaluator, void* aux) + CompatibilityPolicy(SandboxBPF::EvaluateSyscall syscall_evaluator, void* aux) : syscall_evaluator_(syscall_evaluator), aux_(aux) { DCHECK(syscall_evaluator_); } - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const OVERRIDE { return syscall_evaluator_(sandbox_compiler, system_call_number, aux_); } private: - Sandbox::EvaluateSyscall syscall_evaluator_; + SandboxBPF::EvaluateSyscall syscall_evaluator_; void* aux_; DISALLOW_COPY_AND_ASSIGN(CompatibilityPolicy); }; } // namespace -Sandbox::Sandbox() +SandboxBPF::SandboxBPF() : quiet_(false), proc_fd_(-1), conds_(new Conds), sandbox_has_started_(false) {} -Sandbox::~Sandbox() { +SandboxBPF::~SandboxBPF() { // It is generally unsafe to call any memory allocator operations or to even // call arbitrary destructors after having installed a new policy. We just // have no way to tell whether this policy would allow the system calls that @@ -246,13 +246,13 @@ Sandbox::~Sandbox() { } } -bool Sandbox::IsValidSyscallNumber(int sysnum) { +bool SandboxBPF::IsValidSyscallNumber(int sysnum) { return SyscallIterator::IsValid(sysnum); } -bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), - Sandbox::EvaluateSyscall syscall_evaluator, - void* aux) { +bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(), + EvaluateSyscall syscall_evaluator, + void* aux) { // Block all signals before forking a child process. This prevents an // attacker from manipulating our test by sending us an unexpected signal. sigset_t old_mask, new_mask; @@ -364,12 +364,12 @@ bool Sandbox::RunFunctionInPolicy(void (*code_in_sandbox)(), return rc; } -bool Sandbox::KernelSupportSeccompBPF() { +bool SandboxBPF::KernelSupportSeccompBPF() { return RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) && RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0); } -Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) { +SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) { // It the sandbox is currently active, we clearly must have support for // sandboxing. if (status_ == STATUS_ENABLED) { @@ -404,7 +404,7 @@ Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) { // We create our own private copy of a "Sandbox" object. This ensures that // the object does not have any policies configured, that might interfere // with the tests done by "KernelSupportSeccompBPF()". - Sandbox sandbox; + SandboxBPF sandbox; // By setting "quiet_ = true" we suppress messages for expected and benign // failures (e.g. if the current kernel lacks support for BPF filters). @@ -424,9 +424,9 @@ Sandbox::SandboxStatus Sandbox::SupportsSeccompSandbox(int proc_fd) { return status_; } -void Sandbox::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; } +void SandboxBPF::set_proc_fd(int proc_fd) { proc_fd_ = proc_fd; } -void Sandbox::StartSandbox() { +void SandboxBPF::StartSandbox() { if (status_ == STATUS_UNSUPPORTED || status_ == STATUS_UNAVAILABLE) { SANDBOX_DIE( "Trying to start sandbox, even though it is known to be " @@ -464,7 +464,7 @@ void Sandbox::StartSandbox() { status_ = STATUS_ENABLED; } -void Sandbox::PolicySanityChecks(SandboxBpfPolicy* policy) { +void SandboxBPF::PolicySanityChecks(SandboxBPFPolicy* policy) { for (SyscallIterator iter(true); !iter.Done();) { uint32_t sysnum = iter.Next(); if (!IsDenied(policy->EvaluateSyscall(this, sysnum))) { @@ -477,8 +477,8 @@ void Sandbox::PolicySanityChecks(SandboxBpfPolicy* policy) { } // Deprecated API, supported with a wrapper to the new API. -void Sandbox::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator, - void* aux) { +void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator, + void* aux) { if (sandbox_has_started_ || !conds_) { SANDBOX_DIE("Cannot change policy after sandbox has started"); } @@ -486,7 +486,7 @@ void Sandbox::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator, } // Don't take a scoped_ptr here, polymorphism make their use awkward. -void Sandbox::SetSandboxPolicy(SandboxBpfPolicy* policy) { +void SandboxBPF::SetSandboxPolicy(SandboxBPFPolicy* policy) { DCHECK(!policy_); if (sandbox_has_started_ || !conds_) { SANDBOX_DIE("Cannot change policy after sandbox has started"); @@ -495,7 +495,7 @@ void Sandbox::SetSandboxPolicy(SandboxBpfPolicy* policy) { policy_.reset(policy); } -void Sandbox::InstallFilter() { +void SandboxBPF::InstallFilter() { // We want to be very careful in not imposing any requirements on the // policies that are set with SetSandboxPolicy(). This means, as soon as // the sandbox is active, we shouldn't be relying on libraries that could @@ -536,7 +536,7 @@ void Sandbox::InstallFilter() { return; } -Sandbox::Program* Sandbox::AssembleFilter(bool force_verification) { +SandboxBPF::Program* SandboxBPF::AssembleFilter(bool force_verification) { #if !defined(NDEBUG) force_verification = true; #endif @@ -709,7 +709,7 @@ Sandbox::Program* Sandbox::AssembleFilter(bool force_verification) { return program; } -void Sandbox::VerifyProgram(const Program& program, bool has_unsafe_traps) { +void SandboxBPF::VerifyProgram(const Program& program, bool has_unsafe_traps) { // If we previously rewrote the BPF program so that it calls user-space // whenever we return an "errno" value from the filter, then we have to // wrap our system call evaluator to perform the same operation. Otherwise, @@ -727,7 +727,7 @@ void Sandbox::VerifyProgram(const Program& program, bool has_unsafe_traps) { } } -void Sandbox::FindRanges(Ranges* ranges) { +void SandboxBPF::FindRanges(Ranges* ranges) { // Please note that "struct seccomp_data" defines system calls as a signed // int32_t, but BPF instructions always operate on unsigned quantities. We // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL, @@ -755,9 +755,9 @@ void Sandbox::FindRanges(Ranges* ranges) { } } -Instruction* Sandbox::AssembleJumpTable(CodeGen* gen, - Ranges::const_iterator start, - Ranges::const_iterator stop) { +Instruction* SandboxBPF::AssembleJumpTable(CodeGen* gen, + Ranges::const_iterator start, + Ranges::const_iterator stop) { // We convert the list of system call ranges into jump table that performs // a binary search over the ranges. // As a sanity check, we need to have at least one distinct ranges for us @@ -782,7 +782,7 @@ Instruction* Sandbox::AssembleJumpTable(CodeGen* gen, return gen->MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf); } -Instruction* Sandbox::RetExpression(CodeGen* gen, const ErrorCode& err) { +Instruction* SandboxBPF::RetExpression(CodeGen* gen, const ErrorCode& err) { if (err.error_type_ == ErrorCode::ET_COND) { return CondExpression(gen, err); } else { @@ -790,7 +790,7 @@ Instruction* Sandbox::RetExpression(CodeGen* gen, const ErrorCode& err) { } } -Instruction* Sandbox::CondExpression(CodeGen* gen, const ErrorCode& cond) { +Instruction* SandboxBPF::CondExpression(CodeGen* gen, const ErrorCode& cond) { // We can only inspect the six system call arguments that are passed in // CPU registers. if (cond.argno_ < 0 || cond.argno_ >= 6) { @@ -973,19 +973,19 @@ Instruction* Sandbox::CondExpression(CodeGen* gen, const ErrorCode& cond) { return msb_head; } -ErrorCode Sandbox::Unexpected64bitArgument() { +ErrorCode SandboxBPF::Unexpected64bitArgument() { return Kill("Unexpected 64bit argument detected"); } -ErrorCode Sandbox::Trap(Trap::TrapFnc fnc, const void* aux) { +ErrorCode SandboxBPF::Trap(Trap::TrapFnc fnc, const void* aux) { return Trap::MakeTrap(fnc, aux, true /* Safe Trap */); } -ErrorCode Sandbox::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) { +ErrorCode SandboxBPF::UnsafeTrap(Trap::TrapFnc fnc, const void* aux) { return Trap::MakeTrap(fnc, aux, false /* Unsafe Trap */); } -intptr_t Sandbox::ForwardSyscall(const struct arch_seccomp_data& args) { +intptr_t SandboxBPF::ForwardSyscall(const struct arch_seccomp_data& args) { return SandboxSyscall(args.nr, static_cast<intptr_t>(args.args[0]), static_cast<intptr_t>(args.args[1]), @@ -995,12 +995,12 @@ intptr_t Sandbox::ForwardSyscall(const struct arch_seccomp_data& args) { static_cast<intptr_t>(args.args[5])); } -ErrorCode Sandbox::Cond(int argno, - ErrorCode::ArgType width, - ErrorCode::Operation op, - uint64_t value, - const ErrorCode& passed, - const ErrorCode& failed) { +ErrorCode SandboxBPF::Cond(int argno, + ErrorCode::ArgType width, + ErrorCode::Operation op, + uint64_t value, + const ErrorCode& passed, + const ErrorCode& failed) { return ErrorCode(argno, width, op, @@ -1009,10 +1009,10 @@ ErrorCode Sandbox::Cond(int argno, &*conds_->insert(failed).first); } -ErrorCode Sandbox::Kill(const char* msg) { - return Trap(BpfFailure, const_cast<char*>(msg)); +ErrorCode SandboxBPF::Kill(const char* msg) { + return Trap(BPFFailure, const_cast<char*>(msg)); } -Sandbox::SandboxStatus Sandbox::status_ = STATUS_UNKNOWN; +SandboxBPF::SandboxStatus SandboxBPF::status_ = STATUS_UNKNOWN; -} // namespace playground2 +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h index fef5098..d626e4c 100644 --- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h @@ -21,7 +21,7 @@ #include "sandbox/linux/seccomp-bpf/errorcode.h" #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" -namespace playground2 { +namespace sandbox { struct arch_seccomp_data { int nr; @@ -37,11 +37,11 @@ struct arch_sigsys { }; class CodeGen; +class SandboxBPFPolicy; class SandboxUnittestHelper; -class SandboxBpfPolicy; struct Instruction; -class Sandbox { +class SandboxBPF { public: enum SandboxStatus { STATUS_UNKNOWN, // Status prior to calling supportsSeccompSandbox() @@ -56,7 +56,7 @@ class Sandbox { // policy each time a call is made through an EvaluateSyscall function // pointer. One common use case would be to pass the "aux" pointer as an // argument to Trap() functions. - typedef ErrorCode (*EvaluateSyscall)(Sandbox* sandbox_compiler, + typedef ErrorCode (*EvaluateSyscall)(SandboxBPF* sandbox_compiler, int system_call_number, void* aux); typedef std::vector<std::pair<EvaluateSyscall, void*> > Evaluators; @@ -74,8 +74,8 @@ class Sandbox { // should be noted that during its lifetime, the object probably made // irreversible state changes to the runtime environment. These changes // stay in effect even after the destructor has been run. - Sandbox(); - ~Sandbox(); + SandboxBPF(); + ~SandboxBPF(); // Checks whether a particular system call number is valid on the current // architecture. E.g. on ARM there's a non-contiguous range of private @@ -112,7 +112,7 @@ class Sandbox { // Set the BPF policy as |policy|. Ownership of |policy| is transfered here // to the sandbox object. - void SetSandboxPolicy(SandboxBpfPolicy* policy); + void SetSandboxPolicy(SandboxBPFPolicy* policy); // We can use ErrorCode to request calling of a trap handler. This method // performs the required wrapping of the callback function into an @@ -224,7 +224,7 @@ class Sandbox { bool KernelSupportSeccompBPF(); // Verify that the current policy passes some basic sanity checks. - void PolicySanityChecks(SandboxBpfPolicy* policy); + void PolicySanityChecks(SandboxBPFPolicy* policy); // Assembles and installs a filter based on the policy that has previously // been configured with SetSandboxPolicy(). @@ -264,13 +264,13 @@ class Sandbox { bool quiet_; int proc_fd_; - scoped_ptr<const SandboxBpfPolicy> policy_; + scoped_ptr<const SandboxBPFPolicy> policy_; Conds* conds_; bool sandbox_has_started_; - DISALLOW_COPY_AND_ASSIGN(Sandbox); + DISALLOW_COPY_AND_ASSIGN(SandboxBPF); }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H__ diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h b/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h index 99d9e19..1ac5dab 100644 --- a/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h @@ -7,29 +7,29 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { class ErrorCode; -class Sandbox; +class SandboxBPF; // This is the interface to implement to define a BPF sandbox policy. -class SandboxBpfPolicy { +class SandboxBPFPolicy { public: - SandboxBpfPolicy() {} - virtual ~SandboxBpfPolicy() {} + SandboxBPFPolicy() {} + virtual ~SandboxBPFPolicy() {} // The EvaluateSyscall method is called with the system call number. It can // decide to allow the system call unconditionally by returning ERR_ALLOWED; // it can deny the system call unconditionally by returning an appropriate // "errno" value; or it can request inspection of system call argument(s) by // returning a suitable ErrorCode. - virtual ErrorCode EvaluateSyscall(Sandbox* sandbox_compiler, + virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler, int system_call_number) const = 0; private: - DISALLOW_COPY_AND_ASSIGN(SandboxBpfPolicy); + DISALLOW_COPY_AND_ASSIGN(SandboxBPFPolicy); }; -} // namespace playground2 +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_POLICY_H_ diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc index 9d67db8..988e295 100644 --- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc +++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc @@ -40,8 +40,7 @@ #define PR_CAPBSET_DROP 24 #endif -using namespace playground2; -using sandbox::BrokerProcess; +namespace sandbox { namespace { @@ -50,11 +49,11 @@ const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING"; // This test should execute no matter whether we have kernel support. So, // we make it a TEST() instead of a BPF_TEST(). -TEST(SandboxBpf, CallSupports) { +TEST(SandboxBPF, CallSupports) { // We check that we don't crash, but it's ok if the kernel doesn't // support it. bool seccomp_bpf_supported = - Sandbox::SupportsSeccompSandbox(-1) == Sandbox::STATUS_AVAILABLE; + SandboxBPF::SupportsSeccompSandbox(-1) == SandboxBPF::STATUS_AVAILABLE; // We want to log whether or not seccomp BPF is actually supported // since actual test coverage depends on it. RecordProperty("SeccompBPFSupported", @@ -65,9 +64,9 @@ TEST(SandboxBpf, CallSupports) { std::cout << "Pointer size: " << sizeof(void*) << "\n"; } -SANDBOX_TEST(SandboxBpf, CallSupportsTwice) { - Sandbox::SupportsSeccompSandbox(-1); - Sandbox::SupportsSeccompSandbox(-1); +SANDBOX_TEST(SandboxBPF, CallSupportsTwice) { + SandboxBPF::SupportsSeccompSandbox(-1); + SandboxBPF::SupportsSeccompSandbox(-1); } // BPF_TEST does a lot of the boiler-plate code around setting up a @@ -83,8 +82,8 @@ intptr_t FakeGetPid(const struct arch_seccomp_data& args, void* aux) { return (*pid_ptr)++; } -ErrorCode VerboseAPITestingPolicy(Sandbox* sandbox, int sysno, void* aux) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode VerboseAPITestingPolicy(SandboxBPF* sandbox, int sysno, void* aux) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } else if (sysno == __NR_getpid) { return sandbox->Trap(FakeGetPid, aux); @@ -93,11 +92,11 @@ ErrorCode VerboseAPITestingPolicy(Sandbox* sandbox, int sysno, void* aux) { } } -SANDBOX_TEST(SandboxBpf, DISABLE_ON_TSAN(VerboseAPITesting)) { - if (Sandbox::SupportsSeccompSandbox(-1) == - playground2::Sandbox::STATUS_AVAILABLE) { +SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) { + if (SandboxBPF::SupportsSeccompSandbox(-1) == + sandbox::SandboxBPF::STATUS_AVAILABLE) { pid_t test_var = 0; - Sandbox sandbox; + SandboxBPF sandbox; sandbox.SetSandboxPolicyDeprecated(VerboseAPITestingPolicy, &test_var); sandbox.StartSandbox(); @@ -115,8 +114,8 @@ SANDBOX_TEST(SandboxBpf, DISABLE_ON_TSAN(VerboseAPITesting)) { // A simple blacklist test -ErrorCode BlacklistNanosleepPolicy(Sandbox*, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode BlacklistNanosleepPolicy(SandboxBPF*, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -129,7 +128,7 @@ ErrorCode BlacklistNanosleepPolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { +BPF_TEST(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { // nanosleep() should be denied const struct timespec ts = {0, 0}; errno = 0; @@ -139,7 +138,7 @@ BPF_TEST(SandboxBpf, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) { // Now do a simple whitelist test -ErrorCode WhitelistGetpidPolicy(Sandbox*, int sysno, void*) { +ErrorCode WhitelistGetpidPolicy(SandboxBPF*, int sysno, void*) { switch (sysno) { case __NR_getpid: case __NR_exit_group: @@ -149,7 +148,7 @@ ErrorCode WhitelistGetpidPolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) { +BPF_TEST(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) { // getpid() should be allowed errno = 0; BPF_ASSERT(syscall(__NR_getpid) > 0); @@ -169,10 +168,10 @@ intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) { return -ENOMEM; } -ErrorCode BlacklistNanosleepPolicySigsys(Sandbox* sandbox, +ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox, int sysno, void* aux) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -185,7 +184,7 @@ ErrorCode BlacklistNanosleepPolicySigsys(Sandbox* sandbox, } } -BPF_TEST(SandboxBpf, +BPF_TEST(SandboxBPF, BasicBlacklistWithSigsys, BlacklistNanosleepPolicySigsys, int /* BPF_AUX */) { @@ -206,8 +205,8 @@ BPF_TEST(SandboxBpf, // A simple test that verifies we can return arbitrary errno values. -ErrorCode ErrnoTestPolicy(Sandbox*, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode ErrnoTestPolicy(SandboxBPF*, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -236,7 +235,7 @@ ErrorCode ErrnoTestPolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, ErrnoTest, ErrnoTestPolicy) { +BPF_TEST(SandboxBPF, ErrnoTest, ErrnoTestPolicy) { // Verify that dup2() returns success, but doesn't actually run. int fds[4]; BPF_ASSERT(pipe(fds) == 0); @@ -278,8 +277,8 @@ BPF_TEST(SandboxBpf, ErrnoTest, ErrnoTestPolicy) { // Testing the stacking of two sandboxes -ErrorCode StackingPolicyPartOne(Sandbox* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode StackingPolicyPartOne(SandboxBPF* sandbox, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } @@ -296,8 +295,8 @@ ErrorCode StackingPolicyPartOne(Sandbox* sandbox, int sysno, void*) { } } -ErrorCode StackingPolicyPartTwo(Sandbox* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode StackingPolicyPartTwo(SandboxBPF* sandbox, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } @@ -314,7 +313,7 @@ ErrorCode StackingPolicyPartTwo(Sandbox* sandbox, int sysno, void*) { } } -BPF_TEST(SandboxBpf, StackingPolicy, StackingPolicyPartOne) { +BPF_TEST(SandboxBPF, StackingPolicy, StackingPolicyPartOne) { errno = 0; BPF_ASSERT(syscall(__NR_getppid, 0) > 0); BPF_ASSERT(errno == 0); @@ -324,7 +323,7 @@ BPF_TEST(SandboxBpf, StackingPolicy, StackingPolicyPartOne) { // Stack a second sandbox with its own policy. Verify that we can further // restrict filters, but we cannot relax existing filters. - Sandbox sandbox; + SandboxBPF sandbox; sandbox.SetSandboxPolicyDeprecated(StackingPolicyPartTwo, NULL); sandbox.StartSandbox(); @@ -351,8 +350,8 @@ int SysnoToRandomErrno(int sysno) { return ((sysno & ~3) >> 2) % 29 + 1; } -ErrorCode SyntheticPolicy(Sandbox*, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode SyntheticPolicy(SandboxBPF*, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -373,7 +372,7 @@ ErrorCode SyntheticPolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, SyntheticPolicy, SyntheticPolicy) { +BPF_TEST(SandboxBPF, SyntheticPolicy, SyntheticPolicy) { // Ensure that that kExpectedReturnValue + syscallnumber + 1 does not int // overflow. BPF_ASSERT(std::numeric_limits<int>::max() - kExpectedReturnValue - 1 >= @@ -407,8 +406,8 @@ int ArmPrivateSysnoToErrno(int sysno) { } } -ErrorCode ArmPrivatePolicy(Sandbox*, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode ArmPrivatePolicy(SandboxBPF*, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy. return ErrorCode(ENOSYS); } @@ -423,7 +422,7 @@ ErrorCode ArmPrivatePolicy(Sandbox*, int sysno, void*) { } } -BPF_TEST(SandboxBpf, ArmPrivatePolicy, ArmPrivatePolicy) { +BPF_TEST(SandboxBPF, ArmPrivatePolicy, ArmPrivatePolicy) { for (int syscall_number = static_cast<int>(__ARM_NR_set_tls + 1); syscall_number <= static_cast<int>(MAX_PRIVATE_SYSCALL); ++syscall_number) { @@ -444,10 +443,10 @@ intptr_t CountSyscalls(const struct arch_seccomp_data& args, void* aux) { // Verify that we can now call the underlying system call without causing // infinite recursion. - return Sandbox::ForwardSyscall(args); + return SandboxBPF::ForwardSyscall(args); } -ErrorCode GreyListedPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, void* aux) { // The use of UnsafeTrap() causes us to print a warning message. This is // generally desirable, but it results in the unittest failing, as it doesn't // expect any messages on "stderr". So, temporarily disable messages. The @@ -472,7 +471,7 @@ ErrorCode GreyListedPolicy(Sandbox* sandbox, int sysno, void* aux) { } else if (sysno == __NR_getpid) { // Disallow getpid() return ErrorCode(EPERM); - } else if (Sandbox::IsValidSyscallNumber(sysno)) { + } else if (SandboxBPF::IsValidSyscallNumber(sysno)) { // Allow (and count) all other system calls. return sandbox->UnsafeTrap(CountSyscalls, aux); } else { @@ -480,7 +479,7 @@ ErrorCode GreyListedPolicy(Sandbox* sandbox, int sysno, void* aux) { } } -BPF_TEST(SandboxBpf, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) { +BPF_TEST(SandboxBPF, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) { BPF_ASSERT(syscall(__NR_getpid) == -1); BPF_ASSERT(errno == EPERM); BPF_ASSERT(BPF_AUX == 0); @@ -497,7 +496,7 @@ BPF_TEST(SandboxBpf, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) { BPF_ASSERT(*name); } -SANDBOX_TEST(SandboxBpf, EnableUnsafeTrapsInSigSysHandler) { +SANDBOX_TEST(SandboxBPF, EnableUnsafeTrapsInSigSysHandler) { // Disabling warning messages that could confuse our test framework. setenv(kSandboxDebuggingEnv, "t", 0); Die::SuppressInfoMessages(true); @@ -516,18 +515,18 @@ intptr_t PrctlHandler(const struct arch_seccomp_data& args, void*) { // return an error. But our handler allows this call. return 0; } else { - return Sandbox::ForwardSyscall(args); + return SandboxBPF::ForwardSyscall(args); } } -ErrorCode PrctlPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode PrctlPolicy(SandboxBPF* sandbox, int sysno, void* aux) { setenv(kSandboxDebuggingEnv, "t", 0); Die::SuppressInfoMessages(true); if (sysno == __NR_prctl) { // Handle prctl() inside an UnsafeTrap() return sandbox->UnsafeTrap(PrctlHandler, NULL); - } else if (Sandbox::IsValidSyscallNumber(sysno)) { + } else if (SandboxBPF::IsValidSyscallNumber(sysno)) { // Allow all other system calls. return ErrorCode(ErrorCode::ERR_ALLOWED); } else { @@ -535,7 +534,7 @@ ErrorCode PrctlPolicy(Sandbox* sandbox, int sysno, void* aux) { } } -BPF_TEST(SandboxBpf, ForwardSyscall, PrctlPolicy) { +BPF_TEST(SandboxBPF, ForwardSyscall, PrctlPolicy) { // This call should never be allowed. But our policy will intercept it and // let it pass successfully. BPF_ASSERT( @@ -563,10 +562,10 @@ BPF_TEST(SandboxBpf, ForwardSyscall, PrctlPolicy) { } intptr_t AllowRedirectedSyscall(const struct arch_seccomp_data& args, void*) { - return Sandbox::ForwardSyscall(args); + return SandboxBPF::ForwardSyscall(args); } -ErrorCode RedirectAllSyscallsPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode RedirectAllSyscallsPolicy(SandboxBPF* sandbox, int sysno, void* aux) { setenv(kSandboxDebuggingEnv, "t", 0); Die::SuppressInfoMessages(true); @@ -583,7 +582,7 @@ ErrorCode RedirectAllSyscallsPolicy(Sandbox* sandbox, int sysno, void* aux) { #endif ) { return ErrorCode(ErrorCode::ERR_ALLOWED); - } else if (Sandbox::IsValidSyscallNumber(sysno)) { + } else if (SandboxBPF::IsValidSyscallNumber(sysno)) { return sandbox->UnsafeTrap(AllowRedirectedSyscall, aux); } else { return ErrorCode(ENOSYS); @@ -596,7 +595,7 @@ void SigBusHandler(int, siginfo_t* info, void* void_context) { BPF_ASSERT(write(bus_handler_fd_, "\x55", 1) == 1); } -BPF_TEST(SandboxBpf, SigBus, RedirectAllSyscallsPolicy) { +BPF_TEST(SandboxBPF, SigBus, RedirectAllSyscallsPolicy) { // We use the SIGBUS bit in the signal mask as a thread-local boolean // value in the implementation of UnsafeTrap(). This is obviously a bit // of a hack that could conceivably interfere with code that uses SIGBUS @@ -619,7 +618,7 @@ BPF_TEST(SandboxBpf, SigBus, RedirectAllSyscallsPolicy) { BPF_ASSERT(c == 0x55); } -BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) { +BPF_TEST(SandboxBPF, SigMask, RedirectAllSyscallsPolicy) { // Signal masks are potentially tricky to handle. For instance, if we // ever tried to update them from inside a Trap() or UnsafeTrap() handler, // the call to sigreturn() at the end of the signal handler would undo @@ -646,7 +645,7 @@ BPF_TEST(SandboxBpf, SigMask, RedirectAllSyscallsPolicy) { BPF_ASSERT(sigismember(&mask2, SIGUSR2)); } -BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { +BPF_TEST(SandboxBPF, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { // An UnsafeTrap() (or for that matter, a Trap()) has to report error // conditions by returning an exit code in the range -1..-4096. This // should happen automatically if using ForwardSyscall(). If the TrapFnc() @@ -667,7 +666,7 @@ BPF_TEST(SandboxBpf, UnsafeTrapWithErrno, RedirectAllSyscallsPolicy) { struct arch_seccomp_data args = {}; args.nr = __NR_close; args.args[0] = -1; - BPF_ASSERT(Sandbox::ForwardSyscall(args) == -EBADF); + BPF_ASSERT(SandboxBPF::ForwardSyscall(args) == -EBADF); BPF_ASSERT(errno == 0); } @@ -719,9 +718,9 @@ intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args, } } -ErrorCode DenyOpenPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode DenyOpenPolicy(SandboxBPF* sandbox, int sysno, void* aux) { InitializedOpenBroker* iob = static_cast<InitializedOpenBroker*>(aux); - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } @@ -740,7 +739,7 @@ ErrorCode DenyOpenPolicy(Sandbox* sandbox, int sysno, void* aux) { // We use a InitializedOpenBroker class, so that we can run unsandboxed // code in its constructor, which is the only way to do so in a BPF_TEST. -BPF_TEST(SandboxBpf, +BPF_TEST(SandboxBPF, UseOpenBroker, DenyOpenPolicy, InitializedOpenBroker /* BPF_AUX */) { @@ -785,10 +784,10 @@ BPF_TEST(SandboxBpf, BPF_ASSERT(read(cpu_info_fd, buf, sizeof(buf)) > 0); } -// Simple test demonstrating how to use Sandbox::Cond() +// Simple test demonstrating how to use SandboxBPF::Cond() -ErrorCode SimpleCondTestPolicy(Sandbox* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode SimpleCondTestPolicy(SandboxBPF* sandbox, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } @@ -825,7 +824,7 @@ ErrorCode SimpleCondTestPolicy(Sandbox* sandbox, int sysno, void*) { } } -BPF_TEST(SandboxBpf, SimpleCondTest, SimpleCondTestPolicy) { +BPF_TEST(SandboxBPF, SimpleCondTest, SimpleCondTestPolicy) { int fd; BPF_ASSERT((fd = open("/proc/self/comm", O_RDWR)) == -1); BPF_ASSERT(errno == EROFS); @@ -839,7 +838,7 @@ BPF_TEST(SandboxBpf, SimpleCondTest, SimpleCondTestPolicy) { BPF_ASSERT(errno == ENOMEM); } -// This test exercises the Sandbox::Cond() method by building a complex +// This test exercises the SandboxBPF::Cond() method by building a complex // tree of conditional equality operations. It then makes system calls and // verifies that they return the values that we expected from our BPF // program. @@ -879,8 +878,8 @@ class EqualityStressTest { } } - ErrorCode Policy(Sandbox* sandbox, int sysno) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { + ErrorCode Policy(SandboxBPF* sandbox, int sysno) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno < 0 || sysno >= (int)arg_values_.size() || @@ -1039,7 +1038,7 @@ class EqualityStressTest { } } - ErrorCode ToErrorCode(Sandbox* sandbox, ArgValue* arg_value) { + ErrorCode ToErrorCode(SandboxBPF* sandbox, ArgValue* arg_value) { // Compute the ErrorCode that should be returned, if none of our // tests succeed (i.e. the system call parameter doesn't match any // of the values in arg_value->tests[].k_value). @@ -1050,13 +1049,13 @@ class EqualityStressTest { err = ErrorCode(arg_value->err); } else { // If this wasn't a leaf node yet, recursively descend into the rest - // of the tree. This will end up adding a few more Sandbox::Cond() + // of the tree. This will end up adding a few more SandboxBPF::Cond() // tests to our ErrorCode. err = ToErrorCode(sandbox, arg_value->arg_value); } // Now, iterate over all the test cases that we want to compare against. - // This builds a chain of Sandbox::Cond() tests + // This builds a chain of SandboxBPF::Cond() tests // (aka "if ... elif ... elif ... elif ... fi") for (int n = arg_value->size; n-- > 0;) { ErrorCode matched; @@ -1140,19 +1139,19 @@ class EqualityStressTest { static const int kMaxArgs = 6; }; -ErrorCode EqualityStressTestPolicy(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox, int sysno, void* aux) { return reinterpret_cast<EqualityStressTest*>(aux)->Policy(sandbox, sysno); } -BPF_TEST(SandboxBpf, +BPF_TEST(SandboxBPF, EqualityTests, EqualityStressTestPolicy, EqualityStressTest /* BPF_AUX */) { BPF_AUX.VerifyFilter(); } -ErrorCode EqualityArgumentWidthPolicy(Sandbox* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode EqualityArgumentWidthPolicy(SandboxBPF* sandbox, int sysno, void*) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_uname) { @@ -1186,7 +1185,7 @@ ErrorCode EqualityArgumentWidthPolicy(Sandbox* sandbox, int sysno, void*) { } } -BPF_TEST(SandboxBpf, EqualityArgumentWidth, EqualityArgumentWidthPolicy) { +BPF_TEST(SandboxBPF, EqualityArgumentWidth, EqualityArgumentWidthPolicy) { BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0x55555555) == -1); BPF_ASSERT(SandboxSyscall(__NR_uname, 0, 0xAAAAAAAA) == -2); #if __SIZEOF_POINTER__ > 4 @@ -1206,7 +1205,7 @@ BPF_TEST(SandboxBpf, EqualityArgumentWidth, EqualityArgumentWidthPolicy) { // On 32bit machines, there is no way to pass a 64bit argument through the // syscall interface. So, we have to skip the part of the test that requires // 64bit arguments. -BPF_DEATH_TEST(SandboxBpf, +BPF_DEATH_TEST(SandboxBPF, EqualityArgumentUnallowed64bit, DEATH_MESSAGE("Unexpected 64bit argument detected"), EqualityArgumentWidthPolicy) { @@ -1214,10 +1213,10 @@ BPF_DEATH_TEST(SandboxBpf, } #endif -ErrorCode EqualityWithNegativeArgumentsPolicy(Sandbox* sandbox, +ErrorCode EqualityWithNegativeArgumentsPolicy(SandboxBPF* sandbox, int sysno, void*) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_uname) { @@ -1232,7 +1231,7 @@ ErrorCode EqualityWithNegativeArgumentsPolicy(Sandbox* sandbox, } } -BPF_TEST(SandboxBpf, +BPF_TEST(SandboxBPF, EqualityWithNegativeArguments, EqualityWithNegativeArgumentsPolicy) { BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF) == -1); @@ -1241,7 +1240,7 @@ BPF_TEST(SandboxBpf, } #if __SIZEOF_POINTER__ > 4 -BPF_DEATH_TEST(SandboxBpf, +BPF_DEATH_TEST(SandboxBPF, EqualityWithNegative64bitArguments, DEATH_MESSAGE("Unexpected 64bit argument detected"), EqualityWithNegativeArgumentsPolicy) { @@ -1251,14 +1250,14 @@ BPF_DEATH_TEST(SandboxBpf, BPF_ASSERT(SandboxSyscall(__NR_uname, 0xFFFFFFFF00000000LL) == -1); } #endif -ErrorCode AllBitTestPolicy(Sandbox *sandbox, int sysno, void *) { +ErrorCode AllBitTestPolicy(SandboxBPF* sandbox, int sysno, void *) { // Test the OP_HAS_ALL_BITS conditional test operator with a couple of // different bitmasks. We try to find bitmasks that could conceivably // touch corner cases. // For all of these tests, we override the uname(). We can make use with // a single system call number, as we use the first system call argument to // select the different bit masks that we want to test against. - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_uname) { @@ -1344,7 +1343,7 @@ ErrorCode AllBitTestPolicy(Sandbox *sandbox, int sysno, void *) { // We expect these tests to succeed on 64bit systems, but to tail on 32bit // systems. #define EXPT64_SUCCESS (sizeof(void*) > 4 ? EXPECT_SUCCESS : EXPECT_FAILURE) -BPF_TEST(SandboxBpf, AllBitTests, AllBitTestPolicy) { +BPF_TEST(SandboxBPF, AllBitTests, AllBitTestPolicy) { // 32bit test: all of 0x0 (should always be true) BITMASK_TEST( 0, 0, ALLBITS32, 0, EXPECT_SUCCESS); BITMASK_TEST( 0, 1, ALLBITS32, 0, EXPECT_SUCCESS); @@ -1447,14 +1446,14 @@ BPF_TEST(SandboxBpf, AllBitTests, AllBitTestPolicy) { BITMASK_TEST(10, -1L, ALLBITS64,0x100000001, EXPT64_SUCCESS); } -ErrorCode AnyBitTestPolicy(Sandbox* sandbox, int sysno, void*) { +ErrorCode AnyBitTestPolicy(SandboxBPF* sandbox, int sysno, void*) { // Test the OP_HAS_ANY_BITS conditional test operator with a couple of // different bitmasks. We try to find bitmasks that could conceivably // touch corner cases. // For all of these tests, we override the uname(). We can make use with // a single system call number, as we use the first system call argument to // select the different bit masks that we want to test against. - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_uname) { @@ -1521,7 +1520,7 @@ ErrorCode AnyBitTestPolicy(Sandbox* sandbox, int sysno, void*) { } } -BPF_TEST(SandboxBpf, AnyBitTests, AnyBitTestPolicy) { +BPF_TEST(SandboxBPF, AnyBitTests, AnyBitTestPolicy) { // 32bit test: any of 0x0 (should always be false) BITMASK_TEST( 0, 0, ANYBITS32, 0x0, EXPECT_FAILURE); BITMASK_TEST( 0, 1, ANYBITS32, 0x0, EXPECT_FAILURE); @@ -1651,12 +1650,12 @@ intptr_t PthreadTrapHandler(const struct arch_seccomp_data& args, void* aux) { } return -EPERM; } -ErrorCode PthreadPolicyEquality(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode PthreadPolicyEquality(SandboxBPF* sandbox, int sysno, void* aux) { // This policy allows creating threads with pthread_create(). But it // doesn't allow any other uses of clone(). Most notably, it does not // allow callers to implement fork() or vfork() by passing suitable flags // to the clone() system call. - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_clone) { @@ -1691,12 +1690,12 @@ ErrorCode PthreadPolicyEquality(Sandbox* sandbox, int sysno, void* aux) { } } -ErrorCode PthreadPolicyBitMask(Sandbox* sandbox, int sysno, void* aux) { +ErrorCode PthreadPolicyBitMask(SandboxBPF* sandbox, int sysno, void* aux) { // This policy allows creating threads with pthread_create(). But it // doesn't allow any other uses of clone(). Most notably, it does not // allow callers to implement fork() or vfork() by passing suitable flags // to the clone() system call. - if (!Sandbox::IsValidSyscallNumber(sysno)) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { // FIXME: we should really not have to do that in a trivial policy return ErrorCode(ENOSYS); } else if (sysno == __NR_clone) { @@ -1775,8 +1774,10 @@ static void PthreadTest() { &pid) == -EPERM); } -BPF_TEST(SandboxBpf, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); } +BPF_TEST(SandboxBPF, PthreadEquality, PthreadPolicyEquality) { PthreadTest(); } -BPF_TEST(SandboxBpf, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); } +BPF_TEST(SandboxBPF, PthreadBitMask, PthreadPolicyBitMask) { PthreadTest(); } -} // namespace +} // namespace + +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/syscall.cc b/sandbox/linux/seccomp-bpf/syscall.cc index 6be827a..acf207d 100644 --- a/sandbox/linux/seccomp-bpf/syscall.cc +++ b/sandbox/linux/seccomp-bpf/syscall.cc @@ -9,7 +9,7 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { asm( // We need to be able to tell the kernel exactly where we made a // system call. The C++ compiler likes to sometimes clone or @@ -240,4 +240,4 @@ intptr_t SandboxSyscall(int nr, return ret; } -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/syscall.h b/sandbox/linux/seccomp-bpf/syscall.h index f63516b..0b51380 100644 --- a/sandbox/linux/seccomp-bpf/syscall.h +++ b/sandbox/linux/seccomp-bpf/syscall.h @@ -7,7 +7,7 @@ #include <stdint.h> -namespace playground2 { +namespace sandbox { // We have to make sure that we have a single "magic" return address for // our system calls, which we can check from within a BPF filter. This @@ -133,6 +133,6 @@ inline intptr_t SandboxSyscall(int nr) { #endif // Pre-C++11 -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__ diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator.cc b/sandbox/linux/seccomp-bpf/syscall_iterator.cc index f1f2acf..89cc1cb 100644 --- a/sandbox/linux/seccomp-bpf/syscall_iterator.cc +++ b/sandbox/linux/seccomp-bpf/syscall_iterator.cc @@ -7,7 +7,7 @@ #include "base/basictypes.h" #include "sandbox/linux/seccomp-bpf/linux_seccomp.h" -namespace playground2 { +namespace sandbox { uint32_t SyscallIterator::Next() { if (done_) { @@ -89,4 +89,4 @@ bool SyscallIterator::IsArmPrivate(uint32_t num) { bool SyscallIterator::IsArmPrivate(uint32_t) { return false; } #endif -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator.h b/sandbox/linux/seccomp-bpf/syscall_iterator.h index 3d7f66d..3b56ea3 100644 --- a/sandbox/linux/seccomp-bpf/syscall_iterator.h +++ b/sandbox/linux/seccomp-bpf/syscall_iterator.h @@ -9,7 +9,7 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { // Iterates over the entire system call range from 0..0xFFFFFFFFu. This // iterator is aware of how system calls look like and will skip quickly @@ -50,6 +50,6 @@ class SyscallIterator { DISALLOW_IMPLICIT_CONSTRUCTORS(SyscallIterator); }; -} // namespace playground2 +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_ITERATOR_H__ diff --git a/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc b/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc index 61e95d7..08a857a 100644 --- a/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc +++ b/sandbox/linux/seccomp-bpf/syscall_iterator_unittest.cc @@ -6,7 +6,7 @@ #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" #include "sandbox/linux/tests/unit_tests.h" -using namespace playground2; +namespace sandbox { namespace { @@ -132,3 +132,5 @@ SANDBOX_TEST(SyscallIterator, InvalidOnly) { } } // namespace + +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/syscall_unittest.cc b/sandbox/linux/seccomp-bpf/syscall_unittest.cc index 261453b..60db69b 100644 --- a/sandbox/linux/seccomp-bpf/syscall_unittest.cc +++ b/sandbox/linux/seccomp-bpf/syscall_unittest.cc @@ -18,7 +18,7 @@ #include "sandbox/linux/tests/unit_tests.h" #include "testing/gtest/include/gtest/gtest.h" -using namespace playground2; +namespace sandbox { namespace { @@ -78,8 +78,8 @@ intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) { return -ENOMEM; } -ErrorCode CopyAllArgsOnUnamePolicy(Sandbox* sandbox, int sysno, void* aux) { - if (!Sandbox::IsValidSyscallNumber(sysno)) { +ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, int sysno, void* aux) { + if (!SandboxBPF::IsValidSyscallNumber(sysno)) { return ErrorCode(ENOSYS); } if (sysno == __NR_uname) { @@ -197,3 +197,5 @@ TEST(Syscall, ComplexSyscallSixArgs) { } } // namespace + +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/trap.cc b/sandbox/linux/seccomp-bpf/trap.cc index 3dcd256..553a904 100644 --- a/sandbox/linux/seccomp-bpf/trap.cc +++ b/sandbox/linux/seccomp-bpf/trap.cc @@ -65,7 +65,7 @@ bool IsDefaultSignalAction(const struct sigaction& sa) { } // namespace -namespace playground2 { +namespace sandbox { Trap::Trap() : trap_array_(NULL), @@ -351,4 +351,4 @@ ErrorCode Trap::ErrorCodeFromTrapId(uint16_t id) { Trap* Trap::global_trap_; -} // namespace playground2 +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/trap.h b/sandbox/linux/seccomp-bpf/trap.h index edaa023..334a30d 100644 --- a/sandbox/linux/seccomp-bpf/trap.h +++ b/sandbox/linux/seccomp-bpf/trap.h @@ -13,7 +13,7 @@ #include "base/basictypes.h" -namespace playground2 { +namespace sandbox { class ErrorCode; @@ -111,6 +111,6 @@ class Trap { DISALLOW_IMPLICIT_CONSTRUCTORS(Trap); }; -} // namespace playground2 +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__ diff --git a/sandbox/linux/seccomp-bpf/verifier.cc b/sandbox/linux/seccomp-bpf/verifier.cc index 1d6b26d..1292504 100644 --- a/sandbox/linux/seccomp-bpf/verifier.cc +++ b/sandbox/linux/seccomp-bpf/verifier.cc @@ -9,12 +9,10 @@ #include "sandbox/linux/seccomp-bpf/syscall_iterator.h" #include "sandbox/linux/seccomp-bpf/verifier.h" -namespace { -using playground2::ErrorCode; -using playground2::Sandbox; -using playground2::Verifier; -using playground2::arch_seccomp_data; +namespace sandbox { + +namespace { struct State { State(const std::vector<struct sock_filter>& p, @@ -30,7 +28,7 @@ struct State { DISALLOW_IMPLICIT_CONSTRUCTORS(State); }; -uint32_t EvaluateErrorCode(Sandbox* sandbox, +uint32_t EvaluateErrorCode(SandboxBPF* sandbox, const ErrorCode& code, const struct arch_seccomp_data& data) { if (code.error_type() == ErrorCode::ET_SIMPLE || @@ -78,7 +76,7 @@ uint32_t EvaluateErrorCode(Sandbox* sandbox, } } -bool VerifyErrorCode(Sandbox* sandbox, +bool VerifyErrorCode(SandboxBPF* sandbox, const std::vector<struct sock_filter>& program, struct arch_seccomp_data* data, const ErrorCode& root_code, @@ -362,11 +360,9 @@ void Alu(State* state, const struct sock_filter& insn, const char** err) { } // namespace -namespace playground2 { - -bool Verifier::VerifyBPF(Sandbox* sandbox, +bool Verifier::VerifyBPF(SandboxBPF* sandbox, const std::vector<struct sock_filter>& program, - const SandboxBpfPolicy& policy, + const SandboxBPFPolicy& policy, const char** err) { *err = NULL; for (SyscallIterator iter(false); !iter.Done();) { @@ -447,4 +443,4 @@ uint32_t Verifier::EvaluateBPF(const std::vector<struct sock_filter>& program, return 0; } -} // namespace +} // namespace sandbox diff --git a/sandbox/linux/seccomp-bpf/verifier.h b/sandbox/linux/seccomp-bpf/verifier.h index fff5b63..4e80dd9 100644 --- a/sandbox/linux/seccomp-bpf/verifier.h +++ b/sandbox/linux/seccomp-bpf/verifier.h @@ -10,9 +10,9 @@ #include <utility> #include <vector> -namespace playground2 { +namespace sandbox { -class SandboxBpfPolicy; +class SandboxBPFPolicy; class Verifier { public: @@ -23,9 +23,9 @@ class Verifier { // set by the "evaluators". // Upon success, "err" is set to NULL. Upon failure, it contains a static // error message that does not need to be free()'d. - static bool VerifyBPF(Sandbox* sandbox, + static bool VerifyBPF(SandboxBPF* sandbox, const std::vector<struct sock_filter>& program, - const SandboxBpfPolicy& policy, + const SandboxBPFPolicy& policy, const char** err); // Evaluate a given BPF program for a particular set of system call @@ -44,6 +44,6 @@ class Verifier { DISALLOW_IMPLICIT_CONSTRUCTORS(Verifier); }; -} // namespace +} // namespace sandbox #endif // SANDBOX_LINUX_SECCOMP_BPF_VERIFIER_H__ |