summaryrefslogtreecommitdiffstats
path: root/sandbox/linux/seccomp/trusted_thread.cc
diff options
context:
space:
mode:
Diffstat (limited to 'sandbox/linux/seccomp/trusted_thread.cc')
-rw-r--r--sandbox/linux/seccomp/trusted_thread.cc270
1 files changed, 158 insertions, 112 deletions
diff --git a/sandbox/linux/seccomp/trusted_thread.cc b/sandbox/linux/seccomp/trusted_thread.cc
index 6edc05d..af2e913 100644
--- a/sandbox/linux/seccomp/trusted_thread.cc
+++ b/sandbox/linux/seccomp/trusted_thread.cc
@@ -1,3 +1,7 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
#include "sandbox_impl.h"
#include "syscall_table.h"
@@ -17,7 +21,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"mov %0, %%rbp\n" // %rbp = args
"xor %%rbx, %%rbx\n" // initial sequence number
"lea 999f(%%rip), %%r15\n" // continue in same thread
- "jmp 19f\n" // create trusted thread
+ "jmp 20f\n" // create trusted thread
// TODO(markus): Coalesce the read() operations by reading into a bigger
// buffer.
@@ -140,7 +144,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"test %%rax, %%rax\n"
"js 25f\n" // exit process
"mov %%rax, %%rdi\n"
- "jnz 7f\n" // wait for child, then return result
+ "jnz 8f\n" // wait for child, then return result
"mov %%fs:0x0, %%rdi\n" // start = secure_mem
"mov $4096, %%esi\n" // len = 4096
"mov $3, %%edx\n" // prot = PROT_READ | PROT_WRITE
@@ -148,17 +152,43 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"syscall\n"
"mov %%r8d, 0xD4(%%rdi)\n" // set most recently returned SysV shm id
"xor %%rdi, %%rdi\n"
+
+ // When debugging messages are enabled, warn about expensive system calls
+ #ifndef NDEBUG
+ "cmpw $0, %%fs:0xD0\n" // debug mode
+ "jz 26f\n"
+ "mov $1, %%eax\n" // NR_write
+ "mov $2, %%edi\n" // fd = stderr
+ "lea 101f(%%rip), %%rsi\n" // "This is an expensive system call"
+ "mov $102f-101f, %%edx\n" // len = strlen(msg)
+ "syscall\n"
+ "xor %%rdi, %%rdi\n"
+ #endif
+
"jmp 26f\n" // exit program, no message
"4:syscall\n"
- "jmp 14f\n" // return result
+ "jmp 15f\n" // return result
// If syscall number is -2, execute locked system call from the
// secure memory area
- "5:jg 11f\n"
+ "5:jg 12f\n"
"cmp $-2, %%eax\n"
- "jnz 8f\n"
+ "jnz 9f\n"
"cmp %%rbx, %%fs:0x8\n"
"jne 25f\n" // exit process
+
+ // When debugging messages are enabled, warn about expensive system calls
+ #ifndef NDEBUG
+ "cmpw $0, %%fs:0xD0\n" // debug mode
+ "jz 6f\n"
+ "mov $1, %%eax\n" // NR_write
+ "mov $2, %%edi\n" // fd = stderr
+ "lea 101f(%%rip), %%rsi\n" // "This is an expensive system call"
+ "mov $102f-101f, %%edx\n" // len = strlen(msg)
+ "syscall\n"
+ "6:"
+ #endif
+
"mov %%fs:0x10, %%rax\n"
"mov %%fs:0x18, %%rdi\n"
"mov %%fs:0x20, %%rsi\n"
@@ -171,17 +201,17 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// clone() has unusual calling conventions and must be handled specially
"cmp $56, %%rax\n" // NR_clone
- "jz 18f\n"
+ "jz 19f\n"
// exit() terminates trusted thread
"cmp $60, %%eax\n" // NR_exit
- "jz 17f\n"
+ "jz 18f\n"
// Perform requested system call
"syscall\n"
// Unlock mutex
- "6:cmp %%rbx, %%fs:0x8\n"
+ "7:cmp %%rbx, %%fs:0x8\n"
"jne 25f\n" // exit process
"add $2, %%rbx\n"
"mov %%rax, %%r8\n"
@@ -193,37 +223,37 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"js 25f\n" // exit process
"jz 22f\n" // unlock and exit
"mov %%rax, %%rdi\n"
- "7:xor %%rsi, %%rsi\n"
+ "8:xor %%rsi, %%rsi\n"
"xor %%rdx, %%rdx\n"
"xor %%r10, %%r10\n"
"mov $61, %%eax\n" // NR_wait4
"syscall\n"
"cmp $-4, %%eax\n" // EINTR
- "jz 7b\n"
+ "jz 8b\n"
"mov %%r8, %%rax\n"
- "jmp 14f\n" // return result
+ "jmp 15f\n" // return result
// If syscall number is -3, read the time stamp counter
- "8:cmp $-3, %%eax\n"
- "jnz 9f\n"
+ "9:cmp $-3, %%eax\n"
+ "jnz 10f\n"
"rdtsc\n" // sets %edx:%eax
"xor %%rcx, %%rcx\n"
- "jmp 10f\n"
- "9:cmp $-4, %%eax\n"
- "jnz 11f\n"
+ "jmp 11f\n"
+ "10:cmp $-4, %%eax\n"
+ "jnz 12f\n"
"rdtscp\n" // sets %edx:%eax and %ecx
- "10:add $0x3C, %%rsi\n"
+ "11:add $0x3C, %%rsi\n"
"mov %%eax, 0(%%rsi)\n"
"mov %%edx, 4(%%rsi)\n"
"mov %%ecx, 8(%%rsi)\n"
"mov $12, %%edx\n"
- "jmp 15f\n" // return result
+ "jmp 16f\n" // return result
// Check in syscallTable whether this system call is unrestricted
- "11:mov %%rax, %%r9\n"
+ "12:mov %%rax, %%r9\n"
#ifndef NDEBUG
"cmpw $0, %%fs:0xD0\n" // debug mode
- "jnz 12f\n"
+ "jnz 13f\n"
#endif
"cmp playground$maxSyscall(%%rip), %%eax\n"
"ja 25f\n" // exit process
@@ -236,14 +266,14 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// Default behavior for unrestricted system calls is to just execute
// them. Read the remaining arguments first.
- "12:mov %%rsi, %%r8\n"
+ "13:mov %%rsi, %%r8\n"
"xor %%rax, %%rax\n" // NR_read
"mov %%r13, %%rdi\n" // fd = threadFd
"add $4, %%rsi\n" // buf = &scratch + 4
"mov $48, %%edx\n" // len = 6*sizeof(void *)
- "13:syscall\n"
+ "14:syscall\n"
"cmp $-4, %%rax\n" // EINTR
- "jz 13b\n"
+ "jz 14b\n"
"cmp %%rdx, %%rax\n"
"jnz 25f\n" // exit process
"mov %%r9, %%rax\n"
@@ -258,27 +288,27 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"syscall\n"
// Return result of system call to sandboxed thread
- "14:mov %%fs:0x0, %%rsi\n"
+ "15:mov %%fs:0x0, %%rsi\n"
"add $0x1034, %%rsi\n" // buf = &scratch + 52
"mov %%rax, (%%rsi)\n"
"mov $8, %%edx\n" // len = 8
- "15:mov %%r13, %%rdi\n" // fd = threadFd
+ "16:mov %%r13, %%rdi\n" // fd = threadFd
"mov $1, %%eax\n" // NR_write
- "16:syscall\n"
+ "17:syscall\n"
"cmp %%rdx, %%rax\n"
"jz 1b\n"
"cmp $-4, %%rax\n" // EINTR
- "jz 16b\n"
+ "jz 17b\n"
"jmp 25f\n" // exit process
// NR_exit:
// Exit trusted thread after cleaning up resources
- "17:mov %%fs:0x0, %%rsi\n"
+ "18:mov %%fs:0x0, %%rsi\n"
"mov 0xE8(%%rsi), %%rdi\n" // fd = threadFdPub
"mov $3, %%eax\n" // NR_close
"syscall\n"
"mov %%rsi, %%rdi\n" // start = secure_mem
- "mov $8192, %%esi\n" // length = 4096
+ "mov $8192, %%esi\n" // length = 8192
"xor %%rdx, %%rdx\n" // prot = PROT_NONE
"mov $10, %%eax\n" // NR_mprotect
"syscall\n"
@@ -291,6 +321,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"syscall\n"
"mov %%rax, %%rdi\n"
"test %%rax, %%rax\n"
+ "js 26f\n" // exit process
"jne 21f\n" // reap helper, exit thread
"jmp 22f\n" // unlock mutex
@@ -305,20 +336,20 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// terminates the program. But if we ever support signal handling,
// we have to be careful that the user cannot install a SIGSEGV
// handler that gets executed with elevated privileges.
- "18:mov %%fs:0x0, %%rbp\n" // %rbp = old_shared_mem
+ "19:mov %%fs:0x0, %%rbp\n" // %rbp = old_shared_mem
"syscall\n" // calls NR_clone
"cmp $-4095, %%rax\n" // return codes -1..-4095 are errno values
- "jae 6b\n"
+ "jae 7b\n" // unlock mutex, return result
"add $2, %%rbx\n"
"test %%rax, %%rax\n"
- "jne 14b\n" // return result
+ "jne 15b\n" // return result
// In nascent thread, now.
"sub $2, %%rbx\n"
"xor %%r15, %%r15\n" // Request to return from clone() when done
// Get thread id of nascent thread
- "19:mov $186, %%eax\n" // NR_gettid
+ "20:mov $186, %%eax\n" // NR_gettid
"syscall\n"
"mov %%rax, %%r14\n"
@@ -342,14 +373,6 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// the parent. For our purposes, it is sufficient to fail with a
// fatal error.
"jmp 25f\n" // exit process
- "20:mov $56, %%eax\n" // NR_clone
- "mov $17, %%rdi\n" // flags = SIGCHLD
- "mov $1, %%rsi\n" // stack = 1
- "syscall\n"
- "test %%rax, %%rax\n"
- "js 25f\n" // exit process
- "jz 22f\n" // unlock and exit
- "mov %%rax, %%rdi\n"
"21:xor %%rsi, %%rsi\n"
"xor %%rdx, %%rdx\n"
"xor %%r10, %%r10\n"
@@ -374,7 +397,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"24:syscall\n"
"25:mov $1, %%eax\n" // NR_write
"mov $2, %%edi\n" // fd = stderr
- "lea 100f(%%rip), %%rsi\n"
+ "lea 100f(%%rip), %%rsi\n" // "Sandbox violation detected"
"mov $101f-100f, %%edx\n" // len = strlen(msg)
"syscall\n"
"mov $1, %%edi\n"
@@ -426,7 +449,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"mov $0x1001, %%edi\n" // option = ARCH_SET_GS
"syscall\n"
"cmp $-4095, %%rax\n" // return codes -1..-4095 are errno values
- "jae 20b\n" // exit thread, unlock global mutex
+ "jae 25b\n" // exit process
// Check whether this is the initial thread, or a newly created one.
// At startup we run the same code as when we create a new thread. At
@@ -524,7 +547,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"mov $61, %%eax\n" // NR_wait4
"syscall\n"
"cmp $-4, %%eax\n" // EINTR
- "jz 30\n"
+ "jz 30b\n"
// Release privileges by entering seccomp mode.
"mov $157, %%eax\n" // NR_prctl
@@ -578,7 +601,8 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
".pushsection \".rodata\"\n"
"100:.ascii \"Sandbox violation detected, program aborted\\n\"\n"
- "101:\n"
+ "101:.ascii \"WARNING! This is an expensive system call\\n\"\n"
+ "102:\n"
".popsection\n"
"999:pop %%rbp\n"
@@ -613,7 +637,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"movd %%ebx, %%mm3\n"
"xor %%ebx, %%ebx\n" // initial sequence number
"movd %%ebx, %%mm2\n"
- "jmp 19f\n" // create trusted thread
+ "jmp 20f\n" // create trusted thread
// TODO(markus): Coalesce the read() operations by reading into a bigger
// buffer.
@@ -645,21 +669,20 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// 0x1C: fifth argument; passed to syscall in %edi
// 0x20: sixth argument; passed to syscall in %ebp
// 0x24: stored return address for clone() system call
- // 0x28: second stored return address for clone() system call
- // 0x2C: stored %ebp value for clone() system call
- // 0x30: stored %edi value for clone() system call
- // 0x34: stored %esi value for clone() system call
- // 0x38: stored %edx value for clone() system call
- // 0x3C: stored %ecx value for clone() system call
- // 0x40: stored %ebx value for clone() system call
- // 0x44: new shared memory for clone()
- // 0x48: processFdPub for talking to trusted process
- // 0x4C: cloneFdPub for talking to trusted process
- // 0x50: set to non-zero, if in debugging mode
- // 0x54: most recent SHM id returned by shmget(IPC_PRIVATE)
- // 0x58: cookie assigned to us by the trusted process (TLS_COOKIE)
- // 0x60: thread id (TLS_TID)
- // 0x68: threadFdPub (TLS_THREAD_FD)
+ // 0x28: stored %ebp value for clone() system call
+ // 0x2C: stored %edi value for clone() system call
+ // 0x30: stored %esi value for clone() system call
+ // 0x34: stored %edx value for clone() system call
+ // 0x38: stored %ecx value for clone() system call
+ // 0x3C: stored %ebx value for clone() system call
+ // 0x40: new shared memory for clone()
+ // 0x44: processFdPub for talking to trusted process
+ // 0x48: cloneFdPub for talking to trusted process
+ // 0x4C: set to non-zero, if in debugging mode
+ // 0x50: most recent SHM id returned by shmget(IPC_PRIVATE)
+ // 0x54: cookie assigned to us by the trusted process (TLS_COOKIE)
+ // 0x5C: thread id (TLS_TID)
+ // 0x64: threadFdPub (TLS_THREAD_FD)
// 0x200-0x1000: securely passed verified file name(s)
// Layout of (untrusted) scratch space:
@@ -674,6 +697,8 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// 0x20: RDTSCP result (%eax)
// 0x24: RDTSCP result (%edx)
// 0x28: RDTSCP result (%ecx)
+ // 0x2C: last system call (updated in syscall.cc)
+ // 0x30: number of consecutive calls to a time fnc. (e.g. gettimeofday)
"0:xor %%esp, %%esp\n"
"mov $2, %%eax\n" // %mm2 = initial sequence number
@@ -738,26 +763,55 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"test %%eax, %%eax\n"
"js 25f\n" // exit process
"mov %%eax, %%ebx\n"
- "jnz 7f\n" // wait for child, then return result
+ "jnz 8f\n" // wait for child, then return result
"movd %%mm5, %%ebx\n" // start = secure_mem
"mov $4096, %%ecx\n" // len = 4096
"mov $3, %%edx\n" // prot = PROT_READ | PROT_WRITE
"mov $125, %%eax\n" // NR_mprotect
"int $0x80\n"
- "mov %%ebp, 0x54(%%ebx)\n" // set most recently returned SysV shm id
+ "mov %%ebp, 0x50(%%ebx)\n" // set most recently returned SysV shm id
"xor %%ebx, %%ebx\n"
+
+ // When debugging messages are enabled, warn about expensive system calls
+ #ifndef NDEBUG
+ "movd %%mm5, %%ecx\n"
+ "cmpw $0, 0x4C(%%ecx)\n" // debug mode
+ "jz 26f\n"
+ "mov $4, %%eax\n" // NR_write
+ "mov $2, %%ebx\n" // fd = stderr
+ "lea 101f, %%ecx\n" // "This is an expensive system call"
+ "mov $102f-101f, %%edx\n" // len = strlen(msg)
+ "int $0x80\n"
+ "xor %%ebx, %%ebx\n"
+ #endif
+
"jmp 26f\n" // exit program, no message
"4:int $0x80\n"
- "jmp 14f\n" // return result
+ "jmp 15f\n" // return result
// If syscall number is -2, execute locked system call from the
// secure memory area
- "5:jg 11f\n"
+ "5:jg 12f\n"
"cmp $-2, %%eax\n"
- "jnz 8f\n"
+ "jnz 9f\n"
"movd %%mm2, %%ebp\n"
"cmp %%ebp, 0x4-0x1000(%%ecx)\n"
"jne 25f\n" // exit process
+
+ // When debugging messages are enabled, warn about expensive system calls
+ #ifndef NDEBUG
+ "cmpw $0, 0x4C-0x1000(%%ecx)\n"
+ "jz 6f\n" // debug mode
+ "mov %%ecx, %%ebp\n"
+ "mov $4, %%eax\n" // NR_write
+ "mov $2, %%ebx\n" // fd = stderr
+ "lea 101f, %%ecx\n" // "This is an expensive system call"
+ "mov $102f-101f, %%edx\n" // len = strlen(msg)
+ "int $0x80\n"
+ "mov %%ebp, %%ecx\n"
+ "6:"
+ #endif
+
"mov 0x08-0x1000(%%ecx), %%eax\n"
"mov 0x0C-0x1000(%%ecx), %%ebx\n"
"mov 0x14-0x1000(%%ecx), %%edx\n"
@@ -774,11 +828,11 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// clone() has unusual calling conventions and must be handled specially
"cmp $120, %%eax\n" // NR_clone
- "jz 18f\n"
+ "jz 19f\n"
// exit() terminates trusted thread
"cmp $1, %%eax\n" // NR_exit
- "jz 17f\n"
+ "jz 18f\n"
// Perform requested system call
"movd %%mm4, %%edi\n"
@@ -786,7 +840,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"int $0x80\n"
// Unlock mutex
- "6:movd %%mm2, %%ebp\n"
+ "7:movd %%mm2, %%ebp\n"
"movd %%mm5, %%edi\n"
"cmp %%ebp, 4(%%edi)\n"
"jne 25f\n" // exit process
@@ -801,38 +855,38 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"js 25f\n" // exit process
"jz 22f\n" // unlock and exit
"mov %%eax, %%ebx\n"
- "7:xor %%ecx, %%ecx\n"
+ "8:xor %%ecx, %%ecx\n"
"xor %%edx, %%edx\n"
"mov $7, %%eax\n" // NR_waitpid
"int $0x80\n"
"cmp $-4, %%eax\n" // EINTR
"jz 6\n"
"mov %%ebp, %%eax\n"
- "jmp 14f\n" // return result
+ "jmp 15f\n" // return result
// If syscall number is -3, read the time stamp counter
- "8:cmp $-3, %%eax\n"
- "jnz 9f\n"
+ "9:cmp $-3, %%eax\n"
+ "jnz 10f\n"
"rdtsc\n" // sets %edx:%eax
"xor %%ecx, %%ecx\n"
- "jmp 10f\n"
- "9:cmp $-4, %%eax\n"
- "jnz 11f\n"
+ "jmp 11f\n"
+ "10:cmp $-4, %%eax\n"
+ "jnz 12f\n"
"rdtscp\n" // sets %edx:%eax and %ecx
- "10:movd %%mm5, %%ebx\n"
+ "11:movd %%mm5, %%ebx\n"
"add $0x1020, %%ebx\n"
"mov %%eax, 0(%%ebx)\n"
"mov %%edx, 4(%%ebx)\n"
"mov %%ecx, 8(%%ebx)\n"
"mov %%ebx, %%ecx\n"
"mov $12, %%edx\n"
- "jmp 15f\n" // return result
+ "jmp 16f\n" // return result
// Check in syscallTable whether this system call is unrestricted
- "11:mov %%eax, %%ebp\n"
+ "12:mov %%eax, %%ebp\n"
#ifndef NDEBUG
- "cmpw $0, 0x50-0x1000(%%ecx)\n"
- "jnz 12f\n" // debug mode
+ "cmpw $0, 0x4C-0x1000(%%ecx)\n"
+ "jnz 13f\n" // debug mode
#endif
"cmp playground$maxSyscall, %%eax\n"
"ja 25f\n" // exit process
@@ -844,13 +898,13 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// Default behavior for unrestricted system calls is to just execute
// them. Read the remaining arguments first.
- "12:mov $3, %%eax\n" // NR_read
+ "13:mov $3, %%eax\n" // NR_read
"movd %%mm0, %%ebx\n" // fd = threadFd
"add $4, %%ecx\n" // buf = &scratch + 4
"mov $24, %%edx\n" // len = 6*sizeof(void *)
- "13:int $0x80\n"
+ "14:int $0x80\n"
"cmp $-4, %%eax\n" // EINTR
- "jz 13b\n"
+ "jz 14b\n"
"cmp %%edx, %%eax\n"
"jnz 25f\n" // exit process
"mov %%ebp, %%eax\n"
@@ -865,27 +919,27 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"int $0x80\n"
// Return result of system call to sandboxed thread
- "14:movd %%mm5, %%ecx\n"
+ "15:movd %%mm5, %%ecx\n"
"add $0x101C, %%ecx\n" // buf = &scratch + 28
"mov %%eax, (%%ecx)\n"
"mov $4, %%edx\n" // len = 4
- "15:movd %%mm0, %%ebx\n" // fd = threadFd
+ "16:movd %%mm0, %%ebx\n" // fd = threadFd
"mov $4, %%eax\n" // NR_write
- "16:int $0x80\n"
+ "17:int $0x80\n"
"cmp %%edx, %%eax\n"
"jz 1b\n"
"cmp $-4, %%eax\n" // EINTR
- "jz 16b\n"
+ "jz 17b\n"
"jmp 25f\n" // exit process
// NR_exit:
// Exit trusted thread after cleaning up resources
- "17:mov %%edi, %%ecx\n"
- "mov 0x68(%%ecx), %%ebx\n" // fd = threadFdPub
+ "18:mov %%edi, %%ecx\n"
+ "mov 0x64(%%ecx), %%ebx\n" // fd = threadFdPub
"mov $6, %%eax\n" // NR_close
"int $0x80\n"
"mov %%ecx, %%ebx\n" // start = secure_mem
- "mov $8192, %%ecx\n" // length = 4096
+ "mov $8192, %%ecx\n" // length = 8192
"xor %%edx, %%edx\n" // prot = PROT_NONE
"mov $125, %%eax\n" // NR_mprotect
"int $0x80\n"
@@ -898,6 +952,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"int $0x80\n"
"mov %%eax, %%ebx\n"
"test %%eax, %%eax\n"
+ "js 25f\n" // exit process
"jne 21f\n" // reap helper, exit thread
"jmp 22f\n" // unlock mutex
@@ -912,17 +967,17 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// terminates the program. But if we ever support signal handling,
// we have to be careful that the user cannot install a SIGSEGV
// handler that gets executed with elevated privileges.
- "18:movd %%edi, %%mm6\n" // %mm6 = old_shared_mem
+ "19:movd %%edi, %%mm6\n" // %mm6 = old_shared_mem
"movd %%mm4, %%edi\n"
"movd %%mm7, %%ebp\n"
"int $0x80\n" // calls NR_clone
"cmp $-4095, %%eax\n" // return codes -1..-4095 are errno values
- "jae 6b\n"
+ "jae 7b\n" // unlock mutex, return result
"movd %%mm2, %%edi\n"
"add $2, %%edi\n"
"movd %%edi, %%mm2\n"
"test %%eax, %%eax\n"
- "jne 14b\n" // return result
+ "jne 15b\n" // return result
// In nascent thread, now.
"sub $2, %%edi\n"
@@ -930,7 +985,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"movd %%eax, %%mm3\n" // Request to return from clone() when done
// Get thread id of nascent thread
- "19:mov $224, %%eax\n" // NR_gettid
+ "20:mov $224, %%eax\n" // NR_gettid
"int $0x80\n"
"movd %%eax, %%mm4\n"
@@ -958,14 +1013,6 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// the parent. For our purposes, it is sufficient to fail with a
// fatal error.
"jmp 25f\n" // exit process
- "20:mov $120, %%eax\n" // NR_clone
- "mov $17, %%ebx\n" // flags = SIGCHLD
- "mov $1, %%ecx\n" // stack = 1
- "int $0x80\n"
- "test %%eax, %%eax\n"
- "js 25f\n" // exit process
- "jz 22f\n" // unlock and exit
- "mov %%eax, %%ebx\n"
"21:xor %%ecx, %%ecx\n"
"xor %%edx, %%edx\n"
"mov $7, %%eax\n" // NR_waitpid
@@ -989,7 +1036,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"24:int $0x80\n"
"25:mov $4, %%eax\n" // NR_write
"mov $2, %%ebx\n" // fd = stderr
- "lea 100f, %%ecx\n"
+ "lea 100f, %%ecx\n" // "Sandbox violation detected"
"mov $101f-100f, %%edx\n" // len = strlen(msg)
"int $0x80\n"
"mov $1, %%ebx\n"
@@ -998,7 +1045,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
// The first page is mapped read-only for use as securely shared memory
"27:movd %%mm6, %%ebp\n"
- "mov 0x44(%%ebp), %%esi\n"
+ "mov 0x40(%%ebp), %%esi\n"
"movd %%esi, %%mm5\n" // %mm5 = secure shared memory
"movd %%mm2, %%edi\n"
"cmp %%edi, 4(%%ebp)\n"
@@ -1024,7 +1071,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"mov $120, %%eax\n" // NR_clone
"mov $0x850F00, %%ebx\n" // flags = VM|FS|FILES|SIGH|THR|SYSV|UTR
"mov $1, %%ecx\n" // stack = 1
- "movd 0x48(%%ebp), %%mm1\n" // %mm1 = processFdPub
+ "movd 0x44(%%ebp), %%mm1\n" // %mm1 = processFdPub
"cmp %%edi, 4(%%ebp)\n"
"jne 25b\n" // exit process
"int $0x80\n"
@@ -1037,7 +1084,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"push %%eax\n"
"mov $0xFFFFF, %%eax\n" // limit
"push %%eax\n"
- "add $0x58, %%esi\n"
+ "add $0x54, %%esi\n"
"push %%esi\n" // base_addr = &secure_mem.TLS
"mov %%fs, %%eax\n"
"shr $3, %%eax\n"
@@ -1080,8 +1127,6 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"push %%eax\n"
"mov 0x3C(%%ebp), %%eax\n"
"push %%eax\n"
- "mov 0x40(%%ebp), %%eax\n"
- "push %%eax\n"
"cmp %%edi, 4(%%ebp)\n"
"jne 25b\n" // exit process
@@ -1111,7 +1156,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"movd %%mm0, %%eax\n" // fd1 = threadFd
"push %%eax\n"
"push %%esi\n" // fd0 = threadFdPub
- "mov 0x4C(%%ebp), %%eax\n" // transport = Sandbox::cloneFdPub()
+ "mov 0x48(%%ebp), %%eax\n" // transport = Sandbox::cloneFdPub()
"cmp %%edi, 4(%%ebp)\n"
"jne 25b\n" // exit process
"push %%eax\n"
@@ -1139,7 +1184,7 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
"mov $7, %%eax\n" // NR_waitpid
"int $0x80\n"
"cmp $-4, %%eax\n" // EINTR
- "jz 30\n"
+ "jz 30b\n"
// Release privileges by entering seccomp mode.
"mov $172, %%eax\n" // NR_prctl
@@ -1190,7 +1235,8 @@ void Sandbox::createTrustedThread(int processFdPub, int cloneFdPub,
".pushsection \".rodata\"\n"
"100:.ascii \"Sandbox violation detected, program aborted\\n\"\n"
- "101:\n"
+ "101:.ascii \"WARNING! This is an expensive system call\\n\"\n"
+ "102:\n"
".popsection\n"
"999:pop %%ebp\n"
generated by cgit v1.1 at 2025-02-15 18:36:51 +0000