|  | // Copyright 2014 The Chromium Authors. All rights reserved. | 
|  | // Use of this source code is governed by a BSD-style license that can be | 
|  | // found in the LICENSE file. | 
|  |  | 
|  | #ifndef SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_ | 
|  | #define SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_ | 
|  |  | 
|  | #include <stdint.h> | 
|  |  | 
|  | #include "base/macros.h" | 
|  | #include "sandbox/sandbox_export.h" | 
|  |  | 
|  | namespace sandbox { | 
|  |  | 
// Mirror of the kernel's seccomp_data structure. Field order and widths
// must match the kernel definition exactly; do not reorder or extend.
struct arch_seccomp_data {
  int nr;                        // system call number
  uint32_t arch;                 // audit architecture identifier
  uint64_t instruction_pointer;  // instruction pointer at the time of the call
  uint64_t args[6];              // raw system call argument values
  // NOTE(review): only the raw argument values are captured here. Memory that
  // a pointer argument refers to lives in the sandboxed process and can change
  // after this snapshot, so trap handlers must treat such data as untrusted.
};
|  |  | 
|  | namespace bpf_dsl { | 
|  |  | 
// TrapRegistry is the interface through which "trap handlers" are
// registered and associated with non-zero 16-bit trap IDs. Once issued,
// a trap ID stays valid for as long as the registry lives.
class SANDBOX_EXPORT TrapRegistry {
 public:
  // Signature of a trap handler.
  //
  // Handlers follow the calling convention of native system calls: an
  // error is reported by returning an exit code in the range -1..-4096
  // rather than by setting errno directly (touching errno is harmless,
  // since the original value is restored afterwards).
  //
  // Handlers run from signal context, possibly from an async-signal
  // context, and therefore must be async-signal safe:
  // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
  using TrapFnc = intptr_t (*)(const struct arch_seccomp_data& args, void* aux);

  // Registers the (fnc, aux, safe) tuple and returns a non-zero trap ID
  // that identifies it for the lifetime of the registry. Registering an
  // identical tuple again yields the same ID.
  //
  // |aux| is handed back to |fnc| unchanged; nothing here suggests the
  // registry copies or owns what it points to, so the caller presumably
  // has to keep it alive for as long as the trap can fire — confirm
  // against the implementation.
  // |safe| presumably distinguishes handlers that may run without
  // EnableUnsafeTraps() from those that may not — confirm in the
  // implementation.
  virtual uint16_t Add(TrapFnc fnc, const void* aux, bool safe) = 0;

  // Attempts to enable unsafe traps and reports whether that succeeded.
  // This cannot be undone.
  //
  // CAUTION: with unsafe traps enabled the sandbox policy no longer
  // provides its security guarantees. Implementations must make sure
  // unsafe traps can only be enabled during testing.
  virtual bool EnableUnsafeTraps() = 0;

 protected:
  TrapRegistry() = default;

  // Deliberately non-virtual: implementations may omit their own
  // destructor, and the protected access is what prevents deletion
  // through a TrapRegistry pointer.
  ~TrapRegistry() = default;

  DISALLOW_COPY_AND_ASSIGN(TrapRegistry);
};
|  |  | 
|  | }  // namespace bpf_dsl | 
|  | }  // namespace sandbox | 
|  |  | 
|  | #endif  // SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_ |