Linux sandbox: get rid of a number of reinterpret_cast

Bring back a little bit of sanity to BPF_TEST. Remove a lot of void* types and
their associated reinterpret_cast and enjoy type checking.

BUG=368970
R=jorgelo@chromium.org, mdempsky@chromium.org

Review URL: https://codereview.chromium.org/260963003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@267695 0039d316-1c4b-4281-b951-d872f2087c98

10 files changed, 243 insertions, 74 deletions

diff --git a/sandbox/linux/sandbox_linux.gypi b/sandbox/linux/sandbox_linux.gypi
index 0cccd2e..cf9922e 100644
--- a/sandbox/linux/sandbox_linux.gypi
+++ b/sandbox/linux/sandbox_linux.gypi
@@ -71,6 +71,17 @@
         'tests/unit_tests.cc',
         'tests/unit_tests.h',
       ],
+      'conditions': [
+        [ 'use_seccomp_bpf==1', {
+          'sources': [
+            'seccomp-bpf/bpf_tests.cc',
+            'seccomp-bpf/bpf_tests.h',
+          ],
+          'dependencies': [
+            'seccomp_bpf',
+          ]
+        }],
+      ],
     },
     {
       # The main sandboxing test target.
@@ -112,6 +123,7 @@
         'seccomp-bpf/linux_seccomp.h',
         'seccomp-bpf/sandbox_bpf.cc',
         'seccomp-bpf/sandbox_bpf.h',
+        'seccomp-bpf/sandbox_bpf_compatibility_policy.h',
         'seccomp-bpf/sandbox_bpf_policy.h',
         'seccomp-bpf/syscall.cc',
         'seccomp-bpf/syscall.h',
diff --git a/sandbox/linux/sandbox_linux_test_sources.gypi b/sandbox/linux/sandbox_linux_test_sources.gypi
index 9764830..b2ecac5 100644
--- a/sandbox/linux/sandbox_linux_test_sources.gypi
+++ b/sandbox/linux/sandbox_linux_test_sources.gypi
@@ -31,7 +31,7 @@
     }],
     [ 'use_seccomp_bpf==1', {
       'sources': [
-        'seccomp-bpf/bpf_tests.h',
+        'seccomp-bpf/bpf_tests_unittest.cc',
         'seccomp-bpf/codegen_unittest.cc',
         'seccomp-bpf/errorcode_unittest.cc',
         'seccomp-bpf/sandbox_bpf_unittest.cc',
diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.cc b/sandbox/linux/seccomp-bpf/bpf_tests.cc
new file mode 100644
index 0000000..dea0ab1
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf/bpf_tests.cc
@@ -0,0 +1,21 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/seccomp-bpf/bpf_tests.h"
+
+namespace sandbox {
+
+// static
+template <>
+void* BPFTests<void>::NewAux() {
+  return NULL;
+}
+
+// static
+template <>
+void BPFTests<void>::DeleteAux(void* aux) {
+  CHECK(!aux);
+}
+
+}  // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/bpf_tests.h b/sandbox/linux/seccomp-bpf/bpf_tests.h
index 357e29c..47a00b9 100644
--- a/sandbox/linux/seccomp-bpf/bpf_tests.h
+++ b/sandbox/linux/seccomp-bpf/bpf_tests.h
@@ -9,9 +9,12 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 
+#include "base/debug/leak_annotations.h"
+#include "base/memory/scoped_ptr.h"
 #include "build/build_config.h"
-#include "sandbox/linux/tests/unit_tests.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_compatibility_policy.h"
+#include "sandbox/linux/tests/unit_tests.h"
 
 namespace sandbox {
 
@@ -21,13 +24,13 @@ namespace sandbox {
 // A BPF_DEATH_TEST is always disabled under ThreadSanitizer, see
 // crbug.com/243968.
 #define BPF_DEATH_TEST(test_case_name, test_name, death, policy, aux...) \
-  void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX);   \
+  void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType* BPF_AUX);   \
   TEST(test_case_name, DISABLE_ON_TSAN(test_name)) {                     \
     sandbox::BPFTests<aux>::TestArgs arg(BPF_TEST_##test_name, policy);  \
     sandbox::BPFTests<aux>::RunTestInProcess(                            \
         sandbox::BPFTests<aux>::TestWrapper, &arg, death);               \
   }                                                                      \
-  void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType& BPF_AUX)
+  void BPF_TEST_##test_name(sandbox::BPFTests<aux>::AuxType* BPF_AUX)
 
 // BPF_TEST() is a special version of SANDBOX_TEST(). It turns into a no-op,
 // if the host does not have kernel support for running BPF filters.
@@ -38,7 +41,12 @@ namespace sandbox {
 // present, this sets up a variable that can be accessed as "BPF_AUX". This
 // variable will be passed as an argument to the "policy" function. Policies
 // would typically use it as an argument to SandboxBPF::Trap(), if they want to
-// communicate data between the BPF_TEST() and a Trap() function.
+// communicate data between the BPF_TEST() and a Trap() function. The life-time
+// of this object is the same as the life-time of the process.
+// The type specified in |aux| and the last parameter of the policy function
+// must be compatible. If |aux| is not specified, the policy function must
+// take a void* as its last parameter (that is, must have the EvaluateSyscall
+// type).
 #define BPF_TEST(test_case_name, test_name, policy, aux...) \
   BPF_DEATH_TEST(test_case_name, test_name, DEATH_SUCCESS(), policy, aux)
 
@@ -51,33 +59,39 @@ namespace sandbox {
 #define BPF_ASSERT_LE(x, y) BPF_ASSERT((x) <= (y))
 #define BPF_ASSERT_GE(x, y) BPF_ASSERT((x) >= (y))
 
-// The "Aux" type is optional. We use an "empty" type by default, so that if
-// the caller doesn't provide any type, all the BPF_AUX related data compiles
-// to nothing.
-template <class Aux = int[0]>
+// The "Aux" type is optional. void is used by default and all pointers
+// provided to the tests will be NULL.
+template <class Aux = void>
 class BPFTests : public UnitTests {
  public:
   typedef Aux AuxType;
 
   class TestArgs {
    public:
-    TestArgs(void (*t)(AuxType&), sandbox::SandboxBPF::EvaluateSyscall p)
-        : test_(t), policy_(p), aux_() {}
+    TestArgs(void (*t)(AuxType*),
+             typename CompatibilityPolicy<AuxType>::SyscallEvaluator p)
+        : test_(t), policy_function_(p) {}
 
-    void (*test() const)(AuxType&) { return test_; }
-    sandbox::SandboxBPF::EvaluateSyscall policy() const { return policy_; }
+    void (*test() const)(AuxType*) { return test_; }
 
    private:
     friend class BPFTests;
 
-    void (*test_)(AuxType&);
-    sandbox::SandboxBPF::EvaluateSyscall policy_;
-    AuxType aux_;
+    void (*test_)(AuxType*);
+    typename CompatibilityPolicy<AuxType>::SyscallEvaluator policy_function_;
   };
 
   static void TestWrapper(void* void_arg) {
     TestArgs* arg = reinterpret_cast<TestArgs*>(void_arg);
     sandbox::Die::EnableSimpleExit();
+
+    // This will be NULL iff AuxType is void.
+    AuxType* aux_pointer_for_policy = NewAux();
+
+    scoped_ptr<CompatibilityPolicy<AuxType> > policy(
+        new CompatibilityPolicy<AuxType>(arg->policy_function_,
+                                         aux_pointer_for_policy));
+
     if (sandbox::SandboxBPF::SupportsSeccompSandbox(-1) ==
         sandbox::SandboxBPF::STATUS_AVAILABLE) {
       // Ensure the the sandbox is actually available at this time
@@ -89,11 +103,18 @@ class BPFTests : public UnitTests {
       // Initialize and then start the sandbox with our custom policy
       sandbox::SandboxBPF sandbox;
       sandbox.set_proc_fd(proc_fd);
-      sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
-      BPF_ASSERT(sandbox.StartSandbox(
-          sandbox::SandboxBPF::PROCESS_SINGLE_THREADED));
-
-      arg->test()(arg->aux_);
+      sandbox.SetSandboxPolicy(policy.release());
+      BPF_ASSERT(
+          sandbox.StartSandbox(sandbox::SandboxBPF::PROCESS_SINGLE_THREADED));
+
+      // Run the actual test.
+      arg->test()(aux_pointer_for_policy);
+
+      // Once a BPF policy is engaged, there is no going back. A SIGSYS handler
+      // can make use of aux, this can happen even in _exit(). This object's
+      // ownership has been passed to the kernel by engaging the sandbox and it
+      // will be destroyed with the process.
+      ANNOTATE_LEAKING_OBJECT_PTR(aux_pointer_for_policy);
     } else {
       printf("This BPF test is not fully running in this configuration!\n");
       // Android and Valgrind are the only configurations where we accept not
@@ -105,18 +126,30 @@ class BPFTests : public UnitTests {
       // Call the compiler and verify the policy. That's the least we can do,
       // if we don't have kernel support.
       sandbox::SandboxBPF sandbox;
-      sandbox.SetSandboxPolicyDeprecated(arg->policy(), &arg->aux_);
+      sandbox.SetSandboxPolicy(policy.release());
       sandbox::SandboxBPF::Program* program =
           sandbox.AssembleFilter(true /* force_verification */);
       delete program;
+      DeleteAux(aux_pointer_for_policy);
       sandbox::UnitTests::IgnoreThisTest();
     }
   }
 
  private:
+  // Allocate an object of type Aux. This is specialized to return NULL when
+  // trying to allocate a void.
+  static Aux* NewAux() { return new Aux(); }
+  static void DeleteAux(Aux* aux) { delete aux; }
+
   DISALLOW_IMPLICIT_CONSTRUCTORS(BPFTests);
 };
 
+// Specialization of NewAux that returns NULL;
+template <>
+void* BPFTests<void>::NewAux();
+template <>
+void BPFTests<void>::DeleteAux(void* aux);
+
 }  // namespace sandbox
 
 #endif  // SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__
diff --git a/sandbox/linux/seccomp-bpf/bpf_tests_unittest.cc b/sandbox/linux/seccomp-bpf/bpf_tests_unittest.cc
new file mode 100644
index 0000000..b91966f
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf/bpf_tests_unittest.cc
@@ -0,0 +1,72 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "sandbox/linux/seccomp-bpf/bpf_tests.h"
+
+#include <errno.h>
+
+#include "base/logging.h"
+#include "build/build_config.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/services/linux_syscalls.h"
+#include "sandbox/linux/tests/unit_tests.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace sandbox {
+
+namespace {
+
+ErrorCode EmptyPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
+  // |aux| should always be NULL since a type was not specified as an argument
+  // to BPF_TEST.
+  BPF_ASSERT(NULL == aux);
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
+    return ErrorCode(ENOSYS);
+  } else {
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+}
+
+BPF_TEST(BPFTest, BPFAUXIsNull, EmptyPolicy) {
+  // Check that the implicit BPF_AUX argument is NULL when we
+  // don't specify a fourth parameter to BPF_TEST.
+  BPF_ASSERT(NULL == BPF_AUX);
+}
+
+class FourtyTwo {
+ public:
+  static const int kMagicValue = 42;
+  FourtyTwo() : value_(kMagicValue) {}
+  int value() { return value_; }
+
+ private:
+  int value_;
+  DISALLOW_COPY_AND_ASSIGN(FourtyTwo);
+};
+
+ErrorCode EmptyPolicyTakesClass(SandboxBPF* sandbox,
+                                int sysno,
+                                FourtyTwo* fourty_two) {
+  // |aux| should point to an instance of FourtyTwo.
+  BPF_ASSERT(fourty_two);
+  BPF_ASSERT(FourtyTwo::kMagicValue == fourty_two->value());
+  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
+    return ErrorCode(ENOSYS);
+  } else {
+    return ErrorCode(ErrorCode::ERR_ALLOWED);
+  }
+}
+
+BPF_TEST(BPFTest,
+         BPFAUXPointsToClass,
+         EmptyPolicyTakesClass,
+         FourtyTwo /* *BPF_AUX */) {
+  // BPF_AUX should point to an instance of FourtyTwo.
+  BPF_ASSERT(BPF_AUX);
+  BPF_ASSERT(FourtyTwo::kMagicValue == BPF_AUX->value());
+}
+
+}  // namespace
+
+}  // namespace sandbox
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
index 1538fe8..497c343 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
@@ -25,6 +25,7 @@
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "sandbox/linux/seccomp-bpf/codegen.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_compatibility_policy.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
@@ -202,25 +203,6 @@ intptr_t BPFFailure(const struct arch_seccomp_data&, void* aux) {
   SANDBOX_DIE(static_cast<char*>(aux));
 }
 
-// This class allows compatibility with the old, deprecated SetSandboxPolicy.
-class CompatibilityPolicy : public SandboxBPFPolicy {
- public:
-  CompatibilityPolicy(SandboxBPF::EvaluateSyscall syscall_evaluator, void* aux)
-      : syscall_evaluator_(syscall_evaluator), aux_(aux) {
-    DCHECK(syscall_evaluator_);
-  }
-
-  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
-                                    int system_call_number) const OVERRIDE {
-    return syscall_evaluator_(sandbox_compiler, system_call_number, aux_);
-  }
-
- private:
-  SandboxBPF::EvaluateSyscall syscall_evaluator_;
-  void* aux_;
-  DISALLOW_COPY_AND_ASSIGN(CompatibilityPolicy);
-};
-
 }  // namespace
 
 SandboxBPF::SandboxBPF()
@@ -498,7 +480,7 @@ void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
   if (sandbox_has_started_ || !conds_) {
     SANDBOX_DIE("Cannot change policy after sandbox has started");
   }
-  SetSandboxPolicy(new CompatibilityPolicy(syscall_evaluator, aux));
+  SetSandboxPolicy(new CompatibilityPolicy<void>(syscall_evaluator, aux));
 }
 
 // Don't take a scoped_ptr here, polymorphism make their use awkward.
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
index 67b84b9..2391c5d 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -73,7 +73,6 @@ class SANDBOX_EXPORT SandboxBPF {
   typedef ErrorCode (*EvaluateSyscall)(SandboxBPF* sandbox_compiler,
                                        int system_call_number,
                                        void* aux);
-  typedef std::vector<std::pair<EvaluateSyscall, void*> > Evaluators;
   // A vector of BPF instructions that need to be installed as a filter
   // program in the kernel.
   typedef std::vector<struct sock_filter> Program;
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_compatibility_policy.h b/sandbox/linux/seccomp-bpf/sandbox_bpf_compatibility_policy.h
new file mode 100644
index 0000000..bd947ad
--- /dev/null
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_compatibility_policy.h
@@ -0,0 +1,42 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_COMPATIBILITY_POLICY_H_
+#define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_COMPATIBILITY_POLICY_H_
+
+#include "base/basictypes.h"
+#include "base/logging.h"
+#include "base/macros.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
+
+namespace sandbox {
+
+// This class allows compatibility with the old, deprecated
+// policies that were designed for SetSandboxPolicyDeprecated().
+template <class AuxType>
+class CompatibilityPolicy : public SandboxBPFPolicy {
+ public:
+  typedef ErrorCode (*SyscallEvaluator)(SandboxBPF* sandbox_compiler,
+                                        int system_call_number,
+                                        AuxType* aux);
+  CompatibilityPolicy(SyscallEvaluator syscall_evaluator, AuxType* aux)
+      : syscall_evaluator_(syscall_evaluator), aux_(aux) {}
+
+  virtual ~CompatibilityPolicy() {}
+
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox_compiler,
+                                    int system_call_number) const OVERRIDE {
+    return syscall_evaluator_(sandbox_compiler, system_call_number, aux_);
+  }
+
+ private:
+  SyscallEvaluator syscall_evaluator_;
+  AuxType* aux_;
+  DISALLOW_COPY_AND_ASSIGN(CompatibilityPolicy);
+};
+
+}  // namespace sandbox
+
+#endif  // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_COMPATIBILITY_POLICY_H_
diff --git a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
index 5c5c627..3b7470b 100644
--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
@@ -21,6 +21,7 @@
 #include <ostream>
 
 #include "base/bind.h"
+#include "base/logging.h"
 #include "base/memory/scoped_ptr.h"
 #include "build/build_config.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
@@ -115,7 +116,10 @@ SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) {
 
 // A simple blacklist test
 
-ErrorCode BlacklistNanosleepPolicy(SandboxBPF*, int sysno, void*) {
+ErrorCode BlacklistNanosleepPolicy(SandboxBPF*, int sysno, void* aux) {
+  // Since no type was specified in BPF_TEST as a fourth argument,
+  // |aux| must be NULL here.
+  BPF_ASSERT(NULL == aux);
   if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
@@ -136,7 +140,6 @@ BPF_TEST(SandboxBPF, ApplyBasicBlacklistPolicy, BlacklistNanosleepPolicy) {
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
   BPF_ASSERT(errno == EACCES);
 }
-
 // Now do a simple whitelist test
 
 ErrorCode WhitelistGetpidPolicy(SandboxBPF*, int sysno, void*) {
@@ -161,7 +164,6 @@ BPF_TEST(SandboxBPF, ApplyBasicWhitelistPolicy, WhitelistGetpidPolicy) {
 }
 
 // A simple blacklist policy, with a SIGSYS handler
-
 intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) {
   // We also check that the auxiliary data is correct
   SANDBOX_ASSERT(aux);
@@ -171,7 +173,7 @@ intptr_t EnomemHandler(const struct arch_seccomp_data& args, void* aux) {
 
 ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox,
                                          int sysno,
-                                         void* aux) {
+                                         int* aux) {
   if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     // FIXME: we should really not have to do that in a trivial policy
     return ErrorCode(ENOSYS);
@@ -188,20 +190,20 @@ ErrorCode BlacklistNanosleepPolicySigsys(SandboxBPF* sandbox,
 BPF_TEST(SandboxBPF,
          BasicBlacklistWithSigsys,
          BlacklistNanosleepPolicySigsys,
-         int /* BPF_AUX */) {
+         int /* (*BPF_AUX) */) {
   // getpid() should work properly
   errno = 0;
   BPF_ASSERT(syscall(__NR_getpid) > 0);
   BPF_ASSERT(errno == 0);
 
   // Our Auxiliary Data, should be reset by the signal handler
-  BPF_AUX = -1;
+  *BPF_AUX = -1;
   const struct timespec ts = {0, 0};
   BPF_ASSERT(syscall(__NR_nanosleep, &ts, NULL) == -1);
   BPF_ASSERT(errno == ENOMEM);
 
   // We expect the signal handler to modify AuxData
-  BPF_ASSERT(BPF_AUX == kExpectedReturnValue);
+  BPF_ASSERT(*BPF_AUX == kExpectedReturnValue);
 }
 
 // A simple test that verifies we can return arbitrary errno values.
@@ -444,7 +446,7 @@ intptr_t CountSyscalls(const struct arch_seccomp_data& args, void* aux) {
   return SandboxBPF::ForwardSyscall(args);
 }
 
-ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
+ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, int* aux) {
   // The use of UnsafeTrap() causes us to print a warning message. This is
   // generally desirable, but it results in the unittest failing, as it doesn't
   // expect any messages on "stderr". So, temporarily disable messages. The
@@ -477,12 +479,12 @@ ErrorCode GreyListedPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
   }
 }
 
-BPF_TEST(SandboxBPF, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) {
+BPF_TEST(SandboxBPF, GreyListedPolicy, GreyListedPolicy, int /* (*BPF_AUX) */) {
   BPF_ASSERT(syscall(__NR_getpid) == -1);
   BPF_ASSERT(errno == EPERM);
-  BPF_ASSERT(BPF_AUX == 0);
+  BPF_ASSERT(*BPF_AUX == 0);
   BPF_ASSERT(syscall(__NR_geteuid) == syscall(__NR_getuid));
-  BPF_ASSERT(BPF_AUX == 2);
+  BPF_ASSERT(*BPF_AUX == 2);
   char name[17] = {};
   BPF_ASSERT(!syscall(__NR_prctl,
                       PR_GET_NAME,
@@ -490,7 +492,7 @@ BPF_TEST(SandboxBPF, GreyListedPolicy, GreyListedPolicy, int /* BPF_AUX */) {
                       (void*)NULL,
                       (void*)NULL,
                       (void*)NULL));
-  BPF_ASSERT(BPF_AUX == 3);
+  BPF_ASSERT(*BPF_AUX == 3);
   BPF_ASSERT(*name);
 }
 
@@ -724,8 +726,9 @@ intptr_t BrokerOpenTrapHandler(const struct arch_seccomp_data& args,
   }
 }
 
-ErrorCode DenyOpenPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
-  InitializedOpenBroker* iob = static_cast<InitializedOpenBroker*>(aux);
+ErrorCode DenyOpenPolicy(SandboxBPF* sandbox,
+                         int sysno,
+                         InitializedOpenBroker* iob) {
   if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     return ErrorCode(ENOSYS);
   }
@@ -752,9 +755,9 @@ ErrorCode DenyOpenPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
 BPF_TEST(SandboxBPF,
          UseOpenBroker,
          DenyOpenPolicy,
-         InitializedOpenBroker /* BPF_AUX */) {
-  BPF_ASSERT(BPF_AUX.initialized());
-  BrokerProcess* broker_process = BPF_AUX.broker_process();
+         InitializedOpenBroker /* (*BPF_AUX) */) {
+  BPF_ASSERT(BPF_AUX->initialized());
+  BrokerProcess* broker_process = BPF_AUX->broker_process();
   BPF_ASSERT(broker_process != NULL);
 
   // First, use the broker "manually"
@@ -1161,15 +1164,18 @@ class EqualityStressTest {
   static const int kMaxArgs = 6;
 };
 
-ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
-  return reinterpret_cast<EqualityStressTest*>(aux)->Policy(sandbox, sysno);
+ErrorCode EqualityStressTestPolicy(SandboxBPF* sandbox,
+                                   int sysno,
+                                   EqualityStressTest* aux) {
+  DCHECK(aux);
+  return aux->Policy(sandbox, sysno);
 }
 
 BPF_TEST(SandboxBPF,
          EqualityTests,
          EqualityStressTestPolicy,
-         EqualityStressTest /* BPF_AUX */) {
-  BPF_AUX.VerifyFilter();
+         EqualityStressTest /* (*BPF_AUX) */) {
+  BPF_AUX->VerifyFilter();
 }
 
 ErrorCode EqualityArgumentWidthPolicy(SandboxBPF* sandbox, int sysno, void*) {
diff --git a/sandbox/linux/seccomp-bpf/syscall_unittest.cc b/sandbox/linux/seccomp-bpf/syscall_unittest.cc
index 60db69b..bdeee4f 100644
--- a/sandbox/linux/seccomp-bpf/syscall_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/syscall_unittest.cc
@@ -70,7 +70,7 @@ TEST(Syscall, TrivialSyscallOneArg) {
 
 // SIGSYS trap handler that will be called on __NR_uname.
 intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) {
-  // |aux| is a pointer to our BPF_AUX.
+  // |aux| is our BPF_AUX pointer.
   std::vector<uint64_t>* const seen_syscall_args =
       static_cast<std::vector<uint64_t>*>(aux);
   BPF_ASSERT(arraysize(args.args) == 6);
@@ -78,7 +78,9 @@ intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) {
   return -ENOMEM;
 }
 
-ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, int sysno, void* aux) {
+ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox,
+                                   int sysno,
+                                   std::vector<uint64_t>* aux) {
   if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
     return ErrorCode(ENOSYS);
   }
@@ -94,7 +96,7 @@ ErrorCode CopyAllArgsOnUnamePolicy(SandboxBPF* sandbox, int sysno, void* aux) {
 BPF_TEST(Syscall,
          SyntheticSixArgs,
          CopyAllArgsOnUnamePolicy,
-         std::vector<uint64_t> /* BPF_AUX */) {
+         std::vector<uint64_t> /* (*BPF_AUX) */) {
   const int kExpectedValue = 42;
   // In this test we only pass integers to the kernel. We might want to make
   // additional tests to try other types. What we will see depends on
@@ -116,17 +118,17 @@ BPF_TEST(Syscall,
                             syscall_args[5]) == -ENOMEM);
 
   // We expect the trap handler to have copied the 6 arguments.
-  BPF_ASSERT(BPF_AUX.size() == 6);
+  BPF_ASSERT(BPF_AUX->size() == 6);
 
   // Don't loop here so that we can see which argument does cause the failure
   // easily from the failing line.
   // uint64_t is the type passed to our SIGSYS handler.
-  BPF_ASSERT(BPF_AUX[0] == static_cast<uint64_t>(syscall_args[0]));
-  BPF_ASSERT(BPF_AUX[1] == static_cast<uint64_t>(syscall_args[1]));
-  BPF_ASSERT(BPF_AUX[2] == static_cast<uint64_t>(syscall_args[2]));
-  BPF_ASSERT(BPF_AUX[3] == static_cast<uint64_t>(syscall_args[3]));
-  BPF_ASSERT(BPF_AUX[4] == static_cast<uint64_t>(syscall_args[4]));
-  BPF_ASSERT(BPF_AUX[5] == static_cast<uint64_t>(syscall_args[5]));
+  BPF_ASSERT((*BPF_AUX)[0] == static_cast<uint64_t>(syscall_args[0]));
+  BPF_ASSERT((*BPF_AUX)[1] == static_cast<uint64_t>(syscall_args[1]));
+  BPF_ASSERT((*BPF_AUX)[2] == static_cast<uint64_t>(syscall_args[2]));
+  BPF_ASSERT((*BPF_AUX)[3] == static_cast<uint64_t>(syscall_args[3]));
+  BPF_ASSERT((*BPF_AUX)[4] == static_cast<uint64_t>(syscall_args[4]));
+  BPF_ASSERT((*BPF_AUX)[5] == static_cast<uint64_t>(syscall_args[5]));
 }
 
 TEST(Syscall, ComplexSyscallSixArgs) {