398 lines
10 KiB
C
398 lines
10 KiB
C
/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
|
|
* Use of this source code is governed by a BSD-style license that can be
|
|
* found in the LICENSE file.
|
|
*/
|
|
|
|
#include <stdint.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#include "bpf.h"
|
|
#include "util.h"
|
|
|
|
/* Architecture validation. */
|
|
size_t bpf_validate_arch(struct sock_filter *filter)
|
|
{
|
|
struct sock_filter *curr_block = filter;
|
|
set_bpf_stmt(curr_block++, BPF_LD + BPF_W + BPF_ABS, arch_nr);
|
|
set_bpf_jump(curr_block++, BPF_JMP + BPF_JEQ + BPF_K, MINIJAIL_ARCH_NR,
|
|
SKIP, NEXT);
|
|
set_bpf_ret_kill(curr_block++);
|
|
return curr_block - filter;
|
|
}
|
|
|
|
/* Syscall number eval functions. */
|
|
size_t bpf_allow_syscall(struct sock_filter *filter, int nr)
|
|
{
|
|
struct sock_filter *curr_block = filter;
|
|
set_bpf_jump(curr_block++, BPF_JMP + BPF_JEQ + BPF_K, nr, NEXT, SKIP);
|
|
set_bpf_stmt(curr_block++, BPF_RET + BPF_K, SECCOMP_RET_ALLOW);
|
|
return curr_block - filter;
|
|
}
|
|
|
|
size_t bpf_allow_syscall_args(struct sock_filter *filter, int nr,
|
|
unsigned int id)
|
|
{
|
|
struct sock_filter *curr_block = filter;
|
|
set_bpf_jump(curr_block++, BPF_JMP + BPF_JEQ + BPF_K, nr, NEXT, SKIP);
|
|
set_bpf_jump_lbl(curr_block++, id);
|
|
return curr_block - filter;
|
|
}
|
|
|
|
/* Size-aware arg loaders. */
|
|
#if defined(BITS32)
|
|
size_t bpf_load_arg(struct sock_filter *filter, int argidx)
|
|
{
|
|
set_bpf_stmt(filter, BPF_LD + BPF_W + BPF_ABS, LO_ARG(argidx));
|
|
return 1U;
|
|
}
|
|
#elif defined(BITS64)
|
|
size_t bpf_load_arg(struct sock_filter *filter, int argidx)
|
|
{
|
|
struct sock_filter *curr_block = filter;
|
|
set_bpf_stmt(curr_block++, BPF_LD + BPF_W + BPF_ABS, LO_ARG(argidx));
|
|
set_bpf_stmt(curr_block++, BPF_ST, 0); /* lo -> M[0] */
|
|
set_bpf_stmt(curr_block++, BPF_LD + BPF_W + BPF_ABS, HI_ARG(argidx));
|
|
set_bpf_stmt(curr_block++, BPF_ST, 1); /* hi -> M[1] */
|
|
return curr_block - filter;
|
|
}
|
|
#endif
|
|
|
|
/* Size-aware comparisons. */
|
|
size_t bpf_comp_jeq32(struct sock_filter *filter, unsigned long c,
|
|
unsigned char jt, unsigned char jf)
|
|
{
|
|
unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
|
|
set_bpf_jump(filter, BPF_JMP + BPF_JEQ + BPF_K, lo, jt, jf);
|
|
return 1U;
|
|
}
|
|
|
|
/*
|
|
* On 64 bits, we have to do two 32-bit comparisons.
|
|
* We jump true when *both* comparisons are true.
|
|
*/
|
|
#if defined(BITS64)
|
|
size_t bpf_comp_jeq64(struct sock_filter *filter, uint64_t c, unsigned char jt,
|
|
unsigned char jf)
|
|
{
|
|
unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
|
|
unsigned int hi = (unsigned int)(c >> 32);
|
|
|
|
struct sock_filter *curr_block = filter;
|
|
|
|
/* bpf_load_arg leaves |hi| in A */
|
|
curr_block += bpf_comp_jeq32(curr_block, hi, NEXT, SKIPN(2) + jf);
|
|
set_bpf_stmt(curr_block++, BPF_LD + BPF_MEM, 0); /* swap in |lo| */
|
|
curr_block += bpf_comp_jeq32(curr_block, lo, jt, jf);
|
|
|
|
return curr_block - filter;
|
|
}
|
|
#endif
|
|
|
|
size_t bpf_comp_jgt32(struct sock_filter *filter, unsigned long c,
|
|
unsigned char jt, unsigned char jf)
|
|
{
|
|
unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
|
|
set_bpf_jump(filter, BPF_JMP + BPF_JGT + BPF_K, lo, jt, jf);
|
|
return 1U;
|
|
}
|
|
|
|
size_t bpf_comp_jge32(struct sock_filter *filter, unsigned long c,
|
|
unsigned char jt, unsigned char jf)
|
|
{
|
|
unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
|
|
set_bpf_jump(filter, BPF_JMP + BPF_JGE + BPF_K, lo, jt, jf);
|
|
return 1U;
|
|
}
|
|
|
|
/*
|
|
* On 64 bits, we have to do two/three 32-bit comparisons.
|
|
* We jump true when the |hi| comparison is true *or* |hi| is equal and the
|
|
* |lo| comparison is true.
|
|
*/
|
|
#if defined(BITS64)
|
|
size_t bpf_comp_jgt64(struct sock_filter *filter, uint64_t c, unsigned char jt,
|
|
unsigned char jf)
|
|
{
|
|
unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
|
|
unsigned int hi = (unsigned int)(c >> 32);
|
|
|
|
struct sock_filter *curr_block = filter;
|
|
|
|
/* bpf_load_arg leaves |hi| in A. */
|
|
if (hi == 0) {
|
|
curr_block +=
|
|
bpf_comp_jgt32(curr_block, hi, SKIPN(2) + jt, NEXT);
|
|
} else {
|
|
curr_block +=
|
|
bpf_comp_jgt32(curr_block, hi, SKIPN(3) + jt, NEXT);
|
|
curr_block +=
|
|
bpf_comp_jeq32(curr_block, hi, NEXT, SKIPN(2) + jf);
|
|
}
|
|
set_bpf_stmt(curr_block++, BPF_LD + BPF_MEM, 0); /* swap in |lo| */
|
|
curr_block += bpf_comp_jgt32(curr_block, lo, jt, jf);
|
|
|
|
return curr_block - filter;
|
|
}
|
|
|
|
size_t bpf_comp_jge64(struct sock_filter *filter, uint64_t c, unsigned char jt,
|
|
unsigned char jf)
|
|
{
|
|
unsigned int lo = (unsigned int)(c & 0xFFFFFFFF);
|
|
unsigned int hi = (unsigned int)(c >> 32);
|
|
|
|
struct sock_filter *curr_block = filter;
|
|
|
|
/* bpf_load_arg leaves |hi| in A. */
|
|
if (hi == 0) {
|
|
curr_block +=
|
|
bpf_comp_jgt32(curr_block, hi, SKIPN(2) + jt, NEXT);
|
|
} else {
|
|
curr_block +=
|
|
bpf_comp_jgt32(curr_block, hi, SKIPN(3) + jt, NEXT);
|
|
curr_block +=
|
|
bpf_comp_jeq32(curr_block, hi, NEXT, SKIPN(2) + jf);
|
|
}
|
|
set_bpf_stmt(curr_block++, BPF_LD + BPF_MEM, 0); /* swap in |lo| */
|
|
curr_block += bpf_comp_jge32(curr_block, lo, jt, jf);
|
|
|
|
return curr_block - filter;
|
|
}
|
|
#endif
|
|
|
|
/* Size-aware bitwise AND. */
|
|
size_t bpf_comp_jset32(struct sock_filter *filter, unsigned long mask,
|
|
unsigned char jt, unsigned char jf)
|
|
{
|
|
unsigned int mask_lo = (unsigned int)(mask & 0xFFFFFFFF);
|
|
set_bpf_jump(filter, BPF_JMP + BPF_JSET + BPF_K, mask_lo, jt, jf);
|
|
return 1U;
|
|
}
|
|
|
|
/*
|
|
* On 64 bits, we have to do two 32-bit bitwise ANDs.
|
|
* We jump true when *either* bitwise AND is true (non-zero).
|
|
*/
|
|
#if defined(BITS64)
|
|
size_t bpf_comp_jset64(struct sock_filter *filter, uint64_t mask,
|
|
unsigned char jt, unsigned char jf)
|
|
{
|
|
unsigned int mask_lo = (unsigned int)(mask & 0xFFFFFFFF);
|
|
unsigned int mask_hi = (unsigned int)(mask >> 32);
|
|
|
|
struct sock_filter *curr_block = filter;
|
|
|
|
/* bpf_load_arg leaves |hi| in A */
|
|
curr_block += bpf_comp_jset32(curr_block, mask_hi, SKIPN(2) + jt, NEXT);
|
|
set_bpf_stmt(curr_block++, BPF_LD + BPF_MEM, 0); /* swap in |lo| */
|
|
curr_block += bpf_comp_jset32(curr_block, mask_lo, jt, jf);
|
|
|
|
return curr_block - filter;
|
|
}
|
|
#endif
|
|
|
|
size_t bpf_comp_jin(struct sock_filter *filter, unsigned long mask,
|
|
unsigned char jt, unsigned char jf)
|
|
{
|
|
unsigned long negative_mask = ~mask;
|
|
/*
|
|
* The mask is negated, so the comparison will be true when the argument
|
|
* includes a flag that wasn't listed in the original (non-negated)
|
|
* mask. This would be the failure case, so we switch |jt| and |jf|.
|
|
*/
|
|
return bpf_comp_jset(filter, negative_mask, jf, jt);
|
|
}
|
|
|
|
static size_t bpf_arg_comp_len(int op, unsigned long c attribute_unused)
|
|
{
|
|
/* The comparisons that use gt/ge internally may have extra opcodes. */
|
|
switch (op) {
|
|
case LT:
|
|
case LE:
|
|
case GT:
|
|
case GE:
|
|
#if defined(BITS64)
|
|
/*
|
|
* |c| can only have a high 32-bit part when running on 64 bits.
|
|
*/
|
|
if ((c >> 32) == 0)
|
|
return BPF_ARG_SHORT_GT_GE_COMP_LEN + 1;
|
|
#endif
|
|
return BPF_ARG_GT_GE_COMP_LEN + 1;
|
|
default:
|
|
return BPF_ARG_COMP_LEN + 1;
|
|
}
|
|
}
|
|
|
|
size_t bpf_arg_comp(struct sock_filter **pfilter, int op, int argidx,
|
|
unsigned long c, unsigned int label_id)
|
|
{
|
|
size_t filter_len = bpf_arg_comp_len(op, c);
|
|
struct sock_filter *filter =
|
|
calloc(filter_len, sizeof(struct sock_filter));
|
|
struct sock_filter *curr_block = filter;
|
|
size_t (*comp_function)(struct sock_filter * filter, unsigned long k,
|
|
unsigned char jt, unsigned char jf);
|
|
int flip = 0;
|
|
|
|
if (!filter) {
|
|
*pfilter = NULL;
|
|
return 0;
|
|
}
|
|
|
|
/* Load arg */
|
|
curr_block += bpf_load_arg(curr_block, argidx);
|
|
|
|
/* Jump type */
|
|
switch (op) {
|
|
case EQ:
|
|
comp_function = bpf_comp_jeq;
|
|
flip = 0;
|
|
break;
|
|
case NE:
|
|
comp_function = bpf_comp_jeq;
|
|
flip = 1;
|
|
break;
|
|
case LT:
|
|
comp_function = bpf_comp_jge;
|
|
flip = 1;
|
|
break;
|
|
case LE:
|
|
comp_function = bpf_comp_jgt;
|
|
flip = 1;
|
|
break;
|
|
case GT:
|
|
comp_function = bpf_comp_jgt;
|
|
flip = 0;
|
|
break;
|
|
case GE:
|
|
comp_function = bpf_comp_jge;
|
|
flip = 0;
|
|
break;
|
|
case SET:
|
|
comp_function = bpf_comp_jset;
|
|
flip = 0;
|
|
break;
|
|
case IN:
|
|
comp_function = bpf_comp_jin;
|
|
flip = 0;
|
|
break;
|
|
default:
|
|
*pfilter = NULL;
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* It's easier for the rest of the code to have the true branch
|
|
* skip and the false branch fall through.
|
|
*/
|
|
unsigned char jt = flip ? NEXT : SKIP;
|
|
unsigned char jf = flip ? SKIP : NEXT;
|
|
curr_block += comp_function(curr_block, c, jt, jf);
|
|
curr_block += set_bpf_jump_lbl(curr_block, label_id);
|
|
|
|
*pfilter = filter;
|
|
return curr_block - filter;
|
|
}
|
|
|
|
int bpf_resolve_jumps(struct bpf_labels *labels, struct sock_filter *filter,
|
|
size_t len)
|
|
{
|
|
struct sock_filter *instr;
|
|
size_t i, offset;
|
|
|
|
if (len > BPF_MAXINSNS)
|
|
return -1;
|
|
|
|
/*
|
|
* Walk it once, backwards, to build the label table and do fixups.
|
|
* Since backward jumps are disallowed by BPF, this is easy.
|
|
*/
|
|
for (i = 0; i < len; i++) {
|
|
offset = len - i - 1;
|
|
instr = &filter[offset];
|
|
if (instr->code != (BPF_JMP + BPF_JA))
|
|
continue;
|
|
switch ((instr->jt << 8) | instr->jf) {
|
|
case (JUMP_JT << 8) | JUMP_JF:
|
|
if (instr->k >= labels->count) {
|
|
warn("nonexistent label id: %u", instr->k);
|
|
return -1;
|
|
}
|
|
if (labels->labels[instr->k].location == 0xffffffff) {
|
|
warn("unresolved label: '%s'",
|
|
labels->labels[instr->k].label);
|
|
return -1;
|
|
}
|
|
instr->k =
|
|
labels->labels[instr->k].location - (offset + 1);
|
|
instr->jt = 0;
|
|
instr->jf = 0;
|
|
continue;
|
|
case (LABEL_JT << 8) | LABEL_JF:
|
|
if (labels->labels[instr->k].location != 0xffffffff) {
|
|
warn("duplicate label: '%s'",
|
|
labels->labels[instr->k].label);
|
|
return -1;
|
|
}
|
|
labels->labels[instr->k].location = offset;
|
|
instr->k = 0; /* Fall through. */
|
|
instr->jt = 0;
|
|
instr->jf = 0;
|
|
continue;
|
|
}
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/* Simple lookup table for labels. */
|
|
int bpf_label_id(struct bpf_labels *labels, const char *label)
|
|
{
|
|
struct __bpf_label *begin = labels->labels, *end;
|
|
int id;
|
|
if (labels->count == 0) {
|
|
begin->label = strndup(label, MAX_BPF_LABEL_LEN);
|
|
if (!begin->label) {
|
|
return -1;
|
|
}
|
|
begin->location = 0xffffffff;
|
|
labels->count++;
|
|
return 0;
|
|
}
|
|
end = begin + labels->count;
|
|
for (id = 0; begin < end; ++begin, ++id) {
|
|
if (!strcmp(label, begin->label)) {
|
|
return id;
|
|
}
|
|
}
|
|
|
|
/* The label wasn't found. Insert it only if there's space. */
|
|
if (labels->count == BPF_LABELS_MAX) {
|
|
return -1;
|
|
}
|
|
begin->label = strndup(label, MAX_BPF_LABEL_LEN);
|
|
if (!begin->label) {
|
|
return -1;
|
|
}
|
|
begin->location = 0xffffffff;
|
|
labels->count++;
|
|
return id;
|
|
}
|
|
|
|
void free_label_strings(struct bpf_labels *labels)
|
|
{
|
|
if (labels->count == 0)
|
|
return;
|
|
|
|
struct __bpf_label *begin = labels->labels, *end;
|
|
|
|
end = begin + labels->count;
|
|
for (; begin < end; ++begin) {
|
|
if (begin->label)
|
|
free((void *)(begin->label));
|
|
}
|
|
|
|
labels->count = 0;
|
|
}
|