blob: 0a5d2f14cccfcd2c51ed80e7bfa39d8811d79464 [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <stdint.h>
#include "base/macros.h"
#include "sandbox/sandbox_export.h"
namespace sandbox {
// This must match the kernel's seccomp_data structure.
struct arch_seccomp_data {
int nr;
uint32_t arch;
uint64_t instruction_pointer;
uint64_t args[6];
namespace bpf_dsl {
// TrapRegistry provides an interface for registering "trap handlers"
// by associating them with non-zero 16-bit trap IDs. Trap IDs should
// remain valid for the lifetime of the trap registry.
class SANDBOX_EXPORT TrapRegistry {
// TrapFnc is a pointer to a function that fulfills the trap handler
// function signature.
// Trap handlers follow the calling convention of native system
// calls; e.g., to report an error, they return an exit code in the
// range -1..-4096 instead of directly modifying errno. However,
// modifying errno is harmless, as the original value will be
// restored afterwards.
// Trap handlers are executed from signal context and possibly an
// async-signal context, so they must be async-signal safe:
typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void* aux);
// Add registers the specified trap handler tuple and returns a
// non-zero trap ID that uniquely identifies the tuple for the life
// time of the trap registry. If the same tuple is registered
// multiple times, the same value will be returned each time.
virtual uint16_t Add(TrapFnc fnc, const void* aux, bool safe) = 0;
// EnableUnsafeTraps tries to enable unsafe traps and returns
// whether it was successful. This is a one-way operation.
// CAUTION: Enabling unsafe traps effectively defeats the security
// guarantees provided by the sandbox policy. TrapRegistry
// implementations should ensure unsafe traps are only enabled
// during testing.
virtual bool EnableUnsafeTraps() = 0;
TrapRegistry() {}
// TrapRegistry's destructor is intentionally non-virtual so that
// implementations can omit their destructor. Instead we protect against
// misuse by marking it protected.
~TrapRegistry() {}
} // namespace bpf_dsl
} // namespace sandbox