[reland] Remove SandboxBPF's dependency on CompatibilityPolicy

SandboxBPF users are now required to always provide a SandboxBPFPolicy instead of a SyscallEvaluator. CompatibilityPolicy can't be removed just yet though because it's still used by the deprecated BPF_TEST macros. Review URL: https://codereview.chromium.org/286903005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271814 0039d316-1c4b-4281-b951-d872f2087c98

[reland] Remove SandboxBPF's dependency on CompatibilityPolicy
SandboxBPF users are now required to always provide a SandboxBPFPolicy instead of a SyscallEvaluator. CompatibilityPolicy can't be removed just yet though because it's still used by the deprecated BPF_TEST macros. Review URL: https://codereview.chromium.org/286903005 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271814 0039d316-1c4b-4281-b951-d872f2087c98
7ec573f6 · mdempsky@chromium.org · a131f530 · 7ec573f6 · 7ec573f6 · 7ec573f6
Commit 7ec573f6 authored May 21, 2014 by mdempsky@chromium.org
4 changed files
--- a/sandbox/linux/seccomp-bpf/demo.cc
+++ b/sandbox/linux/seccomp-bpf/demo.cc
@@ -26,12 +26,15 @@
 #include <time.h>
 #include <unistd.h>
+#include "base/macros.h"
 #include "base/posix/eintr_wrapper.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
+#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/services/linux_syscalls.h"
 using sandbox::ErrorCode;
 using sandbox::SandboxBPF;
+using sandbox::SandboxBPFPolicy;
 using sandbox::arch_seccomp_data;
 #define ERR EPERM
@@ -237,7 +240,17 @@ intptr_t DefaultHandler(const struct arch_seccomp_data& data, void *) {
  return -ERR;
 }
-ErrorCode Evaluator(SandboxBPF* sandbox, int sysno, void *) {
+class DemoPolicy : public SandboxBPFPolicy {
+ public:
+  DemoPolicy() {}
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE;
+ private:
+  DISALLOW_COPY_AND_ASSIGN(DemoPolicy);
+};
+ErrorCode DemoPolicy::EvaluateSyscall(SandboxBPF* sandbox, int sysno) const {
  switch (sysno) {
 #if defined(__NR_accept)
  case __NR_accept: case __NR_accept4:
@@ -420,7 +433,7 @@ int main(int argc, char *argv[]) {
  }
  SandboxBPF sandbox;
  sandbox.set_proc_fd(proc_fd);
-  sandbox.SetSandboxPolicyDeprecated(Evaluator, NULL);
+  sandbox.SetSandboxPolicy(new DemoPolicy());
  if (!sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED)) {
    fprintf(stderr, "StartSandbox() failed");
    _exit(1);

--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
@@ -22,10 +22,10 @@
 #include "base/compiler_specific.h"
 #include "base/logging.h"
+#include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/posix/eintr_wrapper.h"
 #include "sandbox/linux/seccomp-bpf/codegen.h"
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf_compatibility_policy.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/seccomp-bpf/syscall.h"
 #include "sandbox/linux/seccomp-bpf/syscall_iterator.h"
@@ -57,8 +57,10 @@ void WriteFailedStderrSetupMessage(int out_fd) {
 // We define a really simple sandbox policy. It is just good enough for us
 // to tell that the sandbox has actually been activated.
-ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) __attribute__((const));
+class ProbePolicy : public SandboxBPFPolicy {
-ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) {
+ public:
+  ProbePolicy() {}
+  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysnum) const OVERRIDE {
    switch (sysnum) {
      case __NR_getpid:
        // Return EPERM so that we can check that the filter actually ran.
@@ -70,7 +72,11 @@ ErrorCode ProbeEvaluator(SandboxBPF*, int sysnum, void*) {
        // Make everything else fail in an easily recognizable way.
        return ErrorCode(EINVAL);
    }
-}
+  }
+ private:
+  DISALLOW_COPY_AND_ASSIGN(ProbePolicy);
+};
 void ProbeProcess(void) {
  if (syscall(__NR_getpid) < 0 && errno == EPERM) {
@@ -78,10 +84,17 @@ void ProbeProcess(void) {
  }
 }
-ErrorCode AllowAllEvaluator(SandboxBPF*, int sysnum, void*) {
+class AllowAllPolicy : public SandboxBPFPolicy {
+ public:
+  AllowAllPolicy() {}
+  virtual ErrorCode EvaluateSyscall(SandboxBPF*, int sysnum) const OVERRIDE {
    DCHECK(SandboxBPF::IsValidSyscallNumber(sysnum));
    return ErrorCode(ErrorCode::ERR_ALLOWED);
-}
+  }
+ private:
+  DISALLOW_COPY_AND_ASSIGN(AllowAllPolicy);
+};
 void TryVsyscallProcess(void) {
  time_t current_time;
@@ -239,8 +252,7 @@ bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
 }
 bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
-                                     EvaluateSyscall syscall_evaluator,
+                                     scoped_ptr<SandboxBPFPolicy> policy) {
-                                     void* aux) {
  // Block all signals before forking a child process. This prevents an
  // attacker from manipulating our test by sending us an unexpected signal.
  sigset_t old_mask, new_mask;
@@ -310,7 +322,7 @@ bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
 #endif
    }
-    SetSandboxPolicyDeprecated(syscall_evaluator, aux);
+    SetSandboxPolicy(policy.release());
    if (!StartSandbox(PROCESS_SINGLE_THREADED)) {
      SANDBOX_DIE(NULL);
    }
@@ -359,8 +371,11 @@ bool SandboxBPF::RunFunctionInPolicy(void (*code_in_sandbox)(),
 }
 bool SandboxBPF::KernelSupportSeccompBPF() {
-  return RunFunctionInPolicy(ProbeProcess, ProbeEvaluator, 0) &&
+  return RunFunctionInPolicy(ProbeProcess,
-         RunFunctionInPolicy(TryVsyscallProcess, AllowAllEvaluator, 0);
+                             scoped_ptr<SandboxBPFPolicy>(new ProbePolicy())) &&
+         RunFunctionInPolicy(
+             TryVsyscallProcess,
+             scoped_ptr<SandboxBPFPolicy>(new AllowAllPolicy()));
 }
 SandboxBPF::SandboxStatus SandboxBPF::SupportsSeccompSandbox(int proc_fd) {
@@ -475,15 +490,6 @@ void SandboxBPF::PolicySanityChecks(SandboxBPFPolicy* policy) {
  return;
 }
-// Deprecated API, supported with a wrapper to the new API.
-void SandboxBPF::SetSandboxPolicyDeprecated(EvaluateSyscall syscall_evaluator,
-                                            void* aux) {
-  if (sandbox_has_started_ || !conds_) {
-    SANDBOX_DIE("Cannot change policy after sandbox has started");
-  }
-  SetSandboxPolicy(new CompatibilityPolicy<void>(syscall_evaluator, aux));
-}
 // Don't take a scoped_ptr here, polymorphism make their use awkward.
 void SandboxBPF::SetSandboxPolicy(SandboxBPFPolicy* policy) {
  DCHECK(!policy_);

--- a/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf.h
@@ -65,14 +65,6 @@ class SANDBOX_EXPORT SandboxBPF {
    PROCESS_MULTI_THREADED,   // The program may be multi-threaded.
  };
-  // When calling setSandboxPolicy(), the caller can provide an arbitrary
-  // pointer in |aux|. This pointer will then be forwarded to the sandbox
-  // policy each time a call is made through an EvaluateSyscall function
-  // pointer.  One common use case would be to pass the "aux" pointer as an
-  // argument to Trap() functions.
-  typedef ErrorCode (*EvaluateSyscall)(SandboxBPF* sandbox_compiler,
-                                       int system_call_number,
-                                       void* aux);
  // A vector of BPF instructions that need to be installed as a filter
  // program in the kernel.
  typedef std::vector<struct sock_filter> Program;
@@ -109,20 +101,6 @@ class SANDBOX_EXPORT SandboxBPF {
  // eventually close it when "StartSandbox()" executes.
  void set_proc_fd(int proc_fd);
-  // The system call evaluator function is called with the system
-  // call number. It can decide to allow the system call unconditionally
-  // by returning ERR_ALLOWED; it can deny the system call unconditionally by
-  // returning an appropriate "errno" value; or it can request inspection
-  // of system call argument(s) by returning a suitable ErrorCode.
-  // The "aux" parameter can be used to pass optional data to the system call
-  // evaluator. There are different possible uses for this data, but one of the
-  // use cases would be for the policy to then forward this pointer to a Trap()
-  // handler. In this case, of course, the data that is pointed to must remain
-  // valid for the entire time that Trap() handlers can be called; typically,
-  // this would be the lifetime of the program.
-  // DEPRECATED: use the policy interface below.
-  void SetSandboxPolicyDeprecated(EvaluateSyscall syscallEvaluator, void* aux);
  // Set the BPF policy as |policy|. Ownership of |policy| is transfered here
  // to the sandbox object.
  void SetSandboxPolicy(SandboxBPFPolicy* policy);
@@ -229,8 +207,7 @@ class SANDBOX_EXPORT SandboxBPF {
  // policy. The caller has to make sure that "this" has not yet been
  // initialized with any other policies.
  bool RunFunctionInPolicy(void (*code_in_sandbox)(),
-                           EvaluateSyscall syscall_evaluator,
+                           scoped_ptr<SandboxBPFPolicy> policy);
-                           void* aux);
  // Performs a couple of sanity checks to verify that the kernel supports the
  // features that we need for successful sandboxing.

--- a/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
+++ b/sandbox/linux/seccomp-bpf/sandbox_bpf_unittest.cc
@@ -22,6 +22,7 @@
 #include "base/bind.h"
 #include "base/logging.h"
+#include "base/macros.h"
 #include "base/memory/scoped_ptr.h"
 #include "build/build_config.h"
 #include "sandbox/linux/seccomp-bpf/bpf_tests.h"
@@ -84,29 +85,38 @@ intptr_t FakeGetPid(const struct arch_seccomp_data& args, void* aux) {
  return (*pid_ptr)++;
 }
-ErrorCode VerboseAPITestingPolicy(SandboxBPF* sandbox, int sysno, void* aux) {
+class VerboseAPITestingPolicy : public SandboxBPFPolicy {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
+ public:
-    return ErrorCode(ENOSYS);
+  VerboseAPITestingPolicy(pid_t* pid_ptr) : pid_ptr_(pid_ptr) {}
-  } else if (sysno == __NR_getpid) {
-    return sandbox->Trap(FakeGetPid, aux);
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
-  } else {
+                                    int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
+    if (sysno == __NR_getpid) {
+      return sandbox->Trap(FakeGetPid, pid_ptr_);
+    }
    return ErrorCode(ErrorCode::ERR_ALLOWED);
  }
-}
+ private:
+  pid_t* pid_ptr_;
+  DISALLOW_COPY_AND_ASSIGN(VerboseAPITestingPolicy);
+};
 SANDBOX_TEST(SandboxBPF, DISABLE_ON_TSAN(VerboseAPITesting)) {
  if (SandboxBPF::SupportsSeccompSandbox(-1) ==
      sandbox::SandboxBPF::STATUS_AVAILABLE) {
-    pid_t test_var = 0;
+    pid_t pid = 0;
    SandboxBPF sandbox;
-    sandbox.SetSandboxPolicyDeprecated(VerboseAPITestingPolicy, &test_var);
+    sandbox.SetSandboxPolicy(new VerboseAPITestingPolicy(&pid));
    BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
-    BPF_ASSERT(test_var == 0);
+    BPF_ASSERT_EQ(0, pid);
-    BPF_ASSERT(syscall(__NR_getpid) == 0);
+    BPF_ASSERT_EQ(0, syscall(__NR_getpid));
-    BPF_ASSERT(test_var == 1);
+    BPF_ASSERT_EQ(1, pid);
-    BPF_ASSERT(syscall(__NR_getpid) == 1);
+    BPF_ASSERT_EQ(1, syscall(__NR_getpid));
-    BPF_ASSERT(test_var == 2);
+    BPF_ASSERT_EQ(2, pid);
    // N.B.: Any future call to getpid() would corrupt the stack.
    //       This is OK. The SANDBOX_TEST() macro is guaranteed to
@@ -284,11 +294,12 @@ BPF_TEST(SandboxBPF, ErrnoTest, ErrnoTestPolicy) {
 // Testing the stacking of two sandboxes
-ErrorCode StackingPolicyPartOne(SandboxBPF* sandbox, int sysno, void*) {
+class StackingPolicyPartOne : public SandboxBPFPolicy {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
+ public:
-    return ErrorCode(ENOSYS);
+  StackingPolicyPartOne() {}
-  }
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
    switch (sysno) {
      case __NR_getppid:
        return sandbox->Cond(0,
@@ -300,13 +311,18 @@ ErrorCode StackingPolicyPartOne(SandboxBPF* sandbox, int sysno, void*) {
      default:
        return ErrorCode(ErrorCode::ERR_ALLOWED);
    }
-}
-ErrorCode StackingPolicyPartTwo(SandboxBPF* sandbox, int sysno, void*) {
-  if (!SandboxBPF::IsValidSyscallNumber(sysno)) {
-    return ErrorCode(ENOSYS);
  }
+ private:
+  DISALLOW_COPY_AND_ASSIGN(StackingPolicyPartOne);
+};
+class StackingPolicyPartTwo : public SandboxBPFPolicy {
+ public:
+  StackingPolicyPartTwo() {}
+  virtual ErrorCode EvaluateSyscall(SandboxBPF* sandbox,
+                                    int sysno) const OVERRIDE {
+    DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
    switch (sysno) {
      case __NR_getppid:
        return sandbox->Cond(0,
@@ -318,9 +334,13 @@ ErrorCode StackingPolicyPartTwo(SandboxBPF* sandbox, int sysno, void*) {
      default:
        return ErrorCode(ErrorCode::ERR_ALLOWED);
    }
-}
+  }
+ private:
+  DISALLOW_COPY_AND_ASSIGN(StackingPolicyPartTwo);
+};
-BPF_TEST(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
+BPF_TEST_C(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
  errno = 0;
  BPF_ASSERT(syscall(__NR_getppid, 0) > 0);
  BPF_ASSERT(errno == 0);
@@ -331,7 +351,7 @@ BPF_TEST(SandboxBPF, StackingPolicy, StackingPolicyPartOne) {
  // Stack a second sandbox with its own policy. Verify that we can further
  // restrict filters, but we cannot relax existing filters.
  SandboxBPF sandbox;
-  sandbox.SetSandboxPolicyDeprecated(StackingPolicyPartTwo, NULL);
+  sandbox.SetSandboxPolicy(new StackingPolicyPartTwo());
  BPF_ASSERT(sandbox.StartSandbox(SandboxBPF::PROCESS_SINGLE_THREADED));
  errno = 0;