sandbox/linux/bpf_dsl/bpf_dsl.h - platform/external/chromium_org - Git at Google

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_
 #define SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_

 #include <stdint.h>

 #include <utility>

 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
 #include "sandbox/linux/bpf_dsl/cons.h"
 #include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
 #include "sandbox/linux/seccomp-bpf/trap.h"
 #include "sandbox/sandbox_export.h"

 namespace sandbox {
 class ErrorCode;
 class SandboxBPF;
 }

 // The sandbox::bpf_dsl namespace provides a domain-specific language
 // to make writing BPF policies more expressive.  In general, the
 // object types all have value semantics (i.e., they can be copied
 // around, returned from or passed to function calls, etc. without any
 // surprising side effects), though not all support assignment.
 //
 // An idiomatic and demonstrative (albeit silly) example of this API
 // would be:
 //
 //      #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
 //
 //      using namespace sandbox::bpf_dsl;
 //
 //      class SillyPolicy : public SandboxBPFDSLPolicy {
 //       public:
 //        SillyPolicy() {}
 //        virtual ~SillyPolicy() {}
 //        virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
 //          if (sysno == __NR_fcntl) {
 //            Arg<int> fd(0), cmd(1);
 //            Arg<unsigned long> flags(2);
 //            const unsigned long kBadFlags = ~(O_ACCMODE | O_NONBLOCK);
 //            return If(fd == 0 && cmd == F_SETFL && (flags & kBadFlags) == 0,
 //                      Allow())
 //                .ElseIf(cmd == F_DUPFD || cmd == F_DUPFD_CLOEXEC,
 //                        Error(EMFILE))
 //                .Else(Trap(SetFlagHandler, NULL));
 //          } else {
 //            return Allow();
 //          }
 //        }
 //
 //       private:
 //        DISALLOW_COPY_AND_ASSIGN(SillyPolicy);
 //      };
 //
 // More generally, the DSL currently supports the following grammar:
 //
 //   result = Allow() | Error(errno) | Trap(trap_func, arg)
 //          | If(bool, result)[.ElseIf(bool, result)].Else(result)
 //   bool   = arg == val | (arg & mask) == mask | (arg & mask) == 0
 //          | !bool | bool && bool | bool || bool
 //
 // The semantics of each function and operator are intended to be
 // intuitive, but are described in more detail below.
 //
 // (Credit to Sean Parent's "Inheritance is the Base Class of Evil"
 // talk at Going Native 2013 for promoting value semantics via shared
 // pointers to immutable state.)

 namespace sandbox {
 namespace bpf_dsl {

 // Forward declarations of classes; see below for proper documentation.
 class Elser;
 namespace internal {
 class ResultExprImpl;
 class BoolExprImpl;
 }

 // ResultExpr is an opaque reference to an immutable result expression tree.
 typedef scoped_refptr<const internal::ResultExprImpl> ResultExpr;

 // BoolExpr is an opaque reference to an immutable boolean expression tree.
 typedef scoped_refptr<const internal::BoolExprImpl> BoolExpr;

 // Helper class to make writing policies easier.
 class SANDBOX_EXPORT SandboxBPFDSLPolicy : public SandboxBPFPolicy {
  public:
   SandboxBPFDSLPolicy() : SandboxBPFPolicy() {}
   virtual ~SandboxBPFDSLPolicy() {}

   // User extension point for writing custom sandbox policies.
   virtual ResultExpr EvaluateSyscall(int sysno) const = 0;

   // Optional overload for specifying alternate behavior for invalid
   // system calls.  The default is to return ENOSYS.
   virtual ResultExpr InvalidSyscall() const;

   // Override implementations from SandboxBPFPolicy.  Marked as FINAL
   // to prevent mixups with child classes accidentally overloading
   // these instead of the above methods.
   virtual ErrorCode EvaluateSyscall(SandboxBPF* sb,
                                     int sysno) const OVERRIDE FINAL;
   virtual ErrorCode InvalidSyscall(SandboxBPF* sb) const OVERRIDE FINAL;

   // Helper method so policies can just write Trap(func, aux).
   static ResultExpr Trap(::sandbox::Trap::TrapFnc trap_func, void* aux);

  private:
   DISALLOW_COPY_AND_ASSIGN(SandboxBPFDSLPolicy);
 };

 // Allow specifies a result that the system call should be allowed to
 // execute normally.
 SANDBOX_EXPORT ResultExpr Allow();

 // Error specifies a result that the system call should fail with
 // error number |err|.  As a special case, Error(0) will result in the
 // system call appearing to have succeeded, but without having any
 // side effects.
 SANDBOX_EXPORT ResultExpr Error(int err);

 // Trap specifies a result that the system call should be handled by
 // trapping back into userspace and invoking |trap_func|, passing
 // |aux| as the second parameter.
 SANDBOX_EXPORT ResultExpr Trap(::sandbox::Trap::TrapFnc trap_func, void* aux);

 template <typename T>
 class SANDBOX_EXPORT Arg {
  public:
   // Initializes the Arg to represent the |num|th system call
   // argument (indexed from 0), which is of type |T|.
   explicit Arg(int num) : num_(num), mask_(-1) {}

   Arg(const Arg& arg) : num_(arg.num_), mask_(arg.mask_) {}

   // Returns an Arg representing the current argument, but after
   // bitwise-and'ing it with |rhs|.
   Arg operator&(uint64_t rhs) const { return Arg(num_, mask_ & rhs); }

   // Returns a boolean expression comparing whether the system call
   // argument (after applying any bitmasks, if appropriate) equals |rhs|.
   BoolExpr operator==(T rhs) const;

  private:
   Arg(int num, uint64_t mask) : num_(num), mask_(mask) {}
   int num_;
   uint64_t mask_;
   DISALLOW_ASSIGN(Arg);
 };

 // Various ways to combine boolean expressions into more complex expressions.
 // They follow standard boolean algebra laws.
 SANDBOX_EXPORT BoolExpr operator!(BoolExpr cond);
 SANDBOX_EXPORT BoolExpr operator&&(BoolExpr lhs, BoolExpr rhs);
 SANDBOX_EXPORT BoolExpr operator||(BoolExpr lhs, BoolExpr rhs);

 // If begins a conditional result expression predicated on the
 // specified boolean expression.
 SANDBOX_EXPORT Elser If(BoolExpr cond, ResultExpr then_result);

 class SANDBOX_EXPORT Elser {
  public:
   Elser(const Elser& elser);
   ~Elser();

   // ElseIf extends the conditional result expression with another
   // "if then" clause, predicated on the specified boolean expression.
   Elser ElseIf(BoolExpr cond, ResultExpr then_result) const;

   // Else terminates a conditional result expression using |else_result| as
   // the default fallback result expression.
   ResultExpr Else(ResultExpr else_result) const;

  private:
   typedef std::pair<BoolExpr, ResultExpr> Clause;
   explicit Elser(Cons<Clause>::List clause_list);
   Cons<Clause>::List clause_list_;
   friend Elser If(BoolExpr, ResultExpr);
   DISALLOW_ASSIGN(Elser);
 };

 // =====================================================================
 // Official API ends here.
 // =====================================================================

 // Definitions below are necessary here only for C++03 compatibility.
 // Once C++11 is available, they should be moved into bpf_dsl.cc via extern
 // templates.
 namespace internal {

 // Returns a boolean expression that represents whether system call
 // argument |num| of size |size| is equal to |val|, when masked
 // according to |mask|.  Users should use the Arg template class below
 // instead of using this API directly.
 SANDBOX_EXPORT BoolExpr
     ArgEq(int num, size_t size, uint64_t mask, uint64_t val);

 // Internal interface implemented by BoolExpr implementations.
 class SANDBOX_EXPORT BoolExprImpl : public base::RefCounted<BoolExprImpl> {
  public:
   BoolExprImpl() {}
   virtual ErrorCode Compile(SandboxBPF* sb,
                             ErrorCode true_ec,
                             ErrorCode false_ec) const = 0;

  protected:
   virtual ~BoolExprImpl() {}

  private:
   friend class base::RefCounted<BoolExprImpl>;
   DISALLOW_COPY_AND_ASSIGN(BoolExprImpl);
 };

 // Internal interface implemented by ResultExpr implementations.
 class SANDBOX_EXPORT ResultExprImpl : public base::RefCounted<ResultExprImpl> {
  public:
   ResultExprImpl() {}
   virtual ErrorCode Compile(SandboxBPF* sb) const = 0;

  protected:
   virtual ~ResultExprImpl() {}

  private:
   friend class base::RefCounted<ResultExprImpl>;
   DISALLOW_COPY_AND_ASSIGN(ResultExprImpl);
 };

 }  // namespace internal

 // Definition requires ArgEq to have been declared.  Moved out-of-line
 // to minimize how much internal clutter users have to ignore while
 // reading the header documentation.
 template <typename T>
 BoolExpr Arg<T>::operator==(T rhs) const {
   return internal::ArgEq(num_, sizeof(T), mask_, static_cast<uint64_t>(rhs));
 }

 }  // namespace bpf_dsl
 }  // namespace sandbox

 #endif  // SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_
	// Copyright 2014 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_
	#define SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_

	#include <stdint.h>

	#include <utility>

	#include "base/macros.h"
	#include "base/memory/ref_counted.h"
	#include "sandbox/linux/bpf_dsl/cons.h"
	#include "sandbox/linux/seccomp-bpf/sandbox_bpf_policy.h"
	#include "sandbox/linux/seccomp-bpf/trap.h"
	#include "sandbox/sandbox_export.h"

	namespace sandbox {
	class ErrorCode;
	class SandboxBPF;
	}

	// The sandbox::bpf_dsl namespace provides a domain-specific language
	// to make writing BPF policies more expressive. In general, the
	// object types all have value semantics (i.e., they can be copied
	// around, returned from or passed to function calls, etc. without any
	// surprising side effects), though not all support assignment.
	//
	// An idiomatic and demonstrative (albeit silly) example of this API
	// would be:
	//
	// #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
	//
	// using namespace sandbox::bpf_dsl;
	//
	// class SillyPolicy : public SandboxBPFDSLPolicy {
	// public:
	// SillyPolicy() {}
	// virtual ~SillyPolicy() {}
	// virtual ResultExpr EvaluateSyscall(int sysno) const OVERRIDE {
	// if (sysno == __NR_fcntl) {
	// Arg<int> fd(0), cmd(1);
	// Arg<unsigned long> flags(2);
	// const unsigned long kBadFlags = ~(O_ACCMODE \| O_NONBLOCK);
	// return If(fd == 0 && cmd == F_SETFL && (flags & kBadFlags) == 0,
	// Allow())
	// .ElseIf(cmd == F_DUPFD \|\| cmd == F_DUPFD_CLOEXEC,
	// Error(EMFILE))
	// .Else(Trap(SetFlagHandler, NULL));
	// } else {
	// return Allow();
	// }
	// }
	//
	// private:
	// DISALLOW_COPY_AND_ASSIGN(SillyPolicy);
	// };
	//
	// More generally, the DSL currently supports the following grammar:
	//
	// result = Allow() \| Error(errno) \| Trap(trap_func, arg)
	// \| If(bool, result)[.ElseIf(bool, result)].Else(result)
	// bool = arg == val \| (arg & mask) == mask \| (arg & mask) == 0
	// \| !bool \| bool && bool \| bool \|\| bool
	//
	// The semantics of each function and operator are intended to be
	// intuitive, but are described in more detail below.
	//
	// (Credit to Sean Parent's "Inheritance is the Base Class of Evil"
	// talk at Going Native 2013 for promoting value semantics via shared
	// pointers to immutable state.)

	namespace sandbox {
	namespace bpf_dsl {

	// Forward declarations of classes; see below for proper documentation.
	class Elser;
	namespace internal {
	class ResultExprImpl;
	class BoolExprImpl;
	}

	// ResultExpr is an opaque reference to an immutable result expression tree.
	typedef scoped_refptr<const internal::ResultExprImpl> ResultExpr;

	// BoolExpr is an opaque reference to an immutable boolean expression tree.
	typedef scoped_refptr<const internal::BoolExprImpl> BoolExpr;

	// Helper class to make writing policies easier.
	class SANDBOX_EXPORT SandboxBPFDSLPolicy : public SandboxBPFPolicy {
	public:
	SandboxBPFDSLPolicy() : SandboxBPFPolicy() {}
	virtual ~SandboxBPFDSLPolicy() {}

	// User extension point for writing custom sandbox policies.
	virtual ResultExpr EvaluateSyscall(int sysno) const = 0;

	// Optional overload for specifying alternate behavior for invalid
	// system calls. The default is to return ENOSYS.
	virtual ResultExpr InvalidSyscall() const;

	// Override implementations from SandboxBPFPolicy. Marked as FINAL
	// to prevent mixups with child classes accidentally overloading
	// these instead of the above methods.
	virtual ErrorCode EvaluateSyscall(SandboxBPF* sb,
	int sysno) const OVERRIDE FINAL;
	virtual ErrorCode InvalidSyscall(SandboxBPF* sb) const OVERRIDE FINAL;

	// Helper method so policies can just write Trap(func, aux).
	static ResultExpr Trap(::sandbox::Trap::TrapFnc trap_func, void* aux);

	private:
	DISALLOW_COPY_AND_ASSIGN(SandboxBPFDSLPolicy);
	};

	// Allow specifies a result that the system call should be allowed to
	// execute normally.
	SANDBOX_EXPORT ResultExpr Allow();

	// Error specifies a result that the system call should fail with
	// error number \|err\|. As a special case, Error(0) will result in the
	// system call appearing to have succeeded, but without having any
	// side effects.
	SANDBOX_EXPORT ResultExpr Error(int err);

	// Trap specifies a result that the system call should be handled by
	// trapping back into userspace and invoking \|trap_func\|, passing
	// \|aux\| as the second parameter.
	SANDBOX_EXPORT ResultExpr Trap(::sandbox::Trap::TrapFnc trap_func, void* aux);

	template <typename T>
	class SANDBOX_EXPORT Arg {
	public:
	// Initializes the Arg to represent the \|num\|th system call
	// argument (indexed from 0), which is of type \|T\|.
	explicit Arg(int num) : num_(num), mask_(-1) {}

	Arg(const Arg& arg) : num_(arg.num_), mask_(arg.mask_) {}

	// Returns an Arg representing the current argument, but after
	// bitwise-and'ing it with \|rhs\|.
	Arg operator&(uint64_t rhs) const { return Arg(num_, mask_ & rhs); }

	// Returns a boolean expression comparing whether the system call
	// argument (after applying any bitmasks, if appropriate) equals \|rhs\|.
	BoolExpr operator==(T rhs) const;

	private:
	Arg(int num, uint64_t mask) : num_(num), mask_(mask) {}
	int num_;
	uint64_t mask_;
	DISALLOW_ASSIGN(Arg);
	};

	// Various ways to combine boolean expressions into more complex expressions.
	// They follow standard boolean algebra laws.
	SANDBOX_EXPORT BoolExpr operator!(BoolExpr cond);
	SANDBOX_EXPORT BoolExpr operator&&(BoolExpr lhs, BoolExpr rhs);
	SANDBOX_EXPORT BoolExpr operator\|\|(BoolExpr lhs, BoolExpr rhs);

	// If begins a conditional result expression predicated on the
	// specified boolean expression.
	SANDBOX_EXPORT Elser If(BoolExpr cond, ResultExpr then_result);

	class SANDBOX_EXPORT Elser {
	public:
	Elser(const Elser& elser);
	~Elser();

	// ElseIf extends the conditional result expression with another
	// "if then" clause, predicated on the specified boolean expression.
	Elser ElseIf(BoolExpr cond, ResultExpr then_result) const;

	// Else terminates a conditional result expression using \|else_result\| as
	// the default fallback result expression.
	ResultExpr Else(ResultExpr else_result) const;

	private:
	typedef std::pair<BoolExpr, ResultExpr> Clause;
	explicit Elser(Cons<Clause>::List clause_list);
	Cons<Clause>::List clause_list_;
	friend Elser If(BoolExpr, ResultExpr);
	DISALLOW_ASSIGN(Elser);
	};

	// =====================================================================
	// Official API ends here.
	// =====================================================================

	// Definitions below are necessary here only for C++03 compatibility.
	// Once C++11 is available, they should be moved into bpf_dsl.cc via extern
	// templates.
	namespace internal {

	// Returns a boolean expression that represents whether system call
	// argument \|num\| of size \|size\| is equal to \|val\|, when masked
	// according to \|mask\|. Users should use the Arg template class below
	// instead of using this API directly.
	SANDBOX_EXPORT BoolExpr
	ArgEq(int num, size_t size, uint64_t mask, uint64_t val);

	// Internal interface implemented by BoolExpr implementations.
	class SANDBOX_EXPORT BoolExprImpl : public base::RefCounted<BoolExprImpl> {
	public:
	BoolExprImpl() {}
	virtual ErrorCode Compile(SandboxBPF* sb,
	ErrorCode true_ec,
	ErrorCode false_ec) const = 0;

	protected:
	virtual ~BoolExprImpl() {}

	private:
	friend class base::RefCounted<BoolExprImpl>;
	DISALLOW_COPY_AND_ASSIGN(BoolExprImpl);
	};

	// Internal interface implemented by ResultExpr implementations.
	class SANDBOX_EXPORT ResultExprImpl : public base::RefCounted<ResultExprImpl> {
	public:
	ResultExprImpl() {}
	virtual ErrorCode Compile(SandboxBPF* sb) const = 0;

	protected:
	virtual ~ResultExprImpl() {}

	private:
	friend class base::RefCounted<ResultExprImpl>;
	DISALLOW_COPY_AND_ASSIGN(ResultExprImpl);
	};

	} // namespace internal

	// Definition requires ArgEq to have been declared. Moved out-of-line
	// to minimize how much internal clutter users have to ignore while
	// reading the header documentation.
	template <typename T>
	BoolExpr Arg<T>::operator==(T rhs) const {
	return internal::ArgEq(num_, sizeof(T), mask_, static_cast<uint64_t>(rhs));
	}

	} // namespace bpf_dsl
	} // namespace sandbox

	#endif // SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_