| Jorge Lucangeli Obes | fc8ab53 | 2012-03-20 10:14:31 -0700 | [diff] [blame^] | 1 | /* bpf.h |
| 2 | * Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| 3 | * Use of this source code is governed by a BSD-style license that can be |
| 4 | * found in the LICENSE file. |
| 5 | * |
| 6 | * Berkeley Packet Filter functions. |
| 7 | */ |
| 8 | |
| 9 | #ifndef BPF_H |
| 10 | #define BPF_H |
| 11 | |
| 12 | #include <asm/bitsperlong.h> /* for __BITS_PER_LONG */ |
| 13 | #include <linux/filter.h> |
| 14 | #include <stddef.h> |
| 15 | #include <sys/user.h> |
| 16 | |
| 17 | #if __BITS_PER_LONG == 32 |
| 18 | #define BITS32 |
| 19 | #elif __BITS_PER_LONG == 64 |
| 20 | #define BITS64 |
| 21 | #endif |
| 22 | |
| 23 | /* Constants for comparison operators. */ |
| 24 | #define MIN_OPERATOR 128 |
| 25 | enum operator { |
| 26 | EQ = MIN_OPERATOR, |
| 27 | NE, |
| 28 | LT, |
| 29 | LE, |
| 30 | GT, |
| 31 | GE |
| 32 | }; |
| 33 | |
| 34 | /* |
| 35 | * BPF return values and data structures, |
| 36 | * since they're not yet in the kernel. |
| 37 | */ |
| 38 | #define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */ |
| 39 | #define SECCOMP_RET_TRAP 0x00030000U /* return SIGSYS */ |
| 40 | #define SECCOMP_RET_ERRNO 0x00050000U /* return -1 and set errno */ |
| 41 | #define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ |
| 42 | |
| 43 | #define SECCOMP_RET_DATA 0x0000ffffU /* mask for return value */ |
| 44 | |
| 45 | struct seccomp_data { |
| 46 | int nr; |
| 47 | __u32 arch; |
| 48 | __u64 instruction_pointer; |
| 49 | __u64 args[6]; |
| 50 | }; |
| 51 | |
| 52 | /* Size-dependent defines. */ |
| 53 | #if defined(BITS32) |
| 54 | /* On 32 bits, comparisons take 2 instructions: 1 load arg, and 1 cmp. */ |
| 55 | #define BPF_LOAD_ARG_LEN 1U |
| 56 | #define BPF_COMP_LEN 1U |
| 57 | #define BPF_ARG_COMP_LEN (BPF_LOAD_ARG_LEN + BPF_COMP_LEN) |
| 58 | |
| 59 | #define bpf_comp_jeq bpf_comp_jeq32 |
| 60 | |
| 61 | #define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) |
| 62 | |
| 63 | #elif __BITS_PER_LONG == 64 |
| 64 | #define BITS64 |
| 65 | /* On 64 bits, comparisons take 7 instructions: 4 load arg, and 3 cmp. */ |
| 66 | #define BPF_LOAD_ARG_LEN 4U |
| 67 | #define BPF_COMP_LEN 3U |
| 68 | #define BPF_ARG_COMP_LEN (BPF_LOAD_ARG_LEN + BPF_COMP_LEN) |
| 69 | |
| 70 | #define bpf_comp_jeq bpf_comp_jeq64 |
| 71 | |
| 72 | /* Ensure that we load the logically correct offset. */ |
| 73 | #if defined(__LITTLE_ENDIAN) |
| 74 | #define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) |
| 75 | #define HI_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(__u32) |
| 76 | #elif defined(__BIG_ENDIAN) |
| 77 | #define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(__u32) |
| 78 | #define HI_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) |
| 79 | #else |
| 80 | #error "Unknown endianness" |
| 81 | #endif |
| 82 | |
| 83 | #endif |
| 84 | |
| 85 | /* Common jump targets. */ |
| 86 | #define NEXT 0 |
| 87 | #define SKIP 1 |
| 88 | #define SKIPN(_n) (_n) |
| 89 | |
| 90 | /* Support for labels in BPF programs. */ |
| 91 | #define JUMP_JT 0xff |
| 92 | #define JUMP_JF 0xff |
| 93 | #define LABEL_JT 0xfe |
| 94 | #define LABEL_JF 0xfe |
| 95 | |
| 96 | #define MAX_BPF_LABEL_LEN 32 |
| 97 | |
| 98 | #define BPF_LABELS_MAX 256 |
| 99 | struct bpf_labels { |
| 100 | int count; |
| 101 | struct __bpf_label { |
| 102 | const char *label; |
| 103 | unsigned int location; |
| 104 | } labels[BPF_LABELS_MAX]; |
| 105 | }; |
| 106 | |
| 107 | /* BPF instruction manipulation functions and macros. */ |
| 108 | inline size_t set_bpf_instr(struct sock_filter *instr, |
| 109 | unsigned short code, unsigned int k, |
| 110 | unsigned char jt, unsigned char jf); |
| 111 | |
| 112 | #define set_bpf_stmt(_block, _code, _k) \ |
| 113 | set_bpf_instr((_block), (_code), (_k), 0, 0) |
| 114 | |
| 115 | #define set_bpf_jump(_block, _code, _k, _jt, _jf) \ |
| 116 | set_bpf_instr((_block), (_code), (_k), (_jt), (_jf)) |
| 117 | |
| 118 | #define set_bpf_lbl(_block, _lbl_id) \ |
| 119 | set_bpf_jump((_block), BPF_JMP+BPF_JA, (_lbl_id), \ |
| 120 | LABEL_JT, LABEL_JF) |
| 121 | |
| 122 | #define set_bpf_jump_lbl(_block, _lbl_id) \ |
| 123 | set_bpf_jump((_block), BPF_JMP+BPF_JA, (_lbl_id), \ |
| 124 | JUMP_JT, JUMP_JF) |
| 125 | |
| 126 | #define set_bpf_ret_kill(_block) \ |
| 127 | set_bpf_stmt((_block), BPF_RET+BPF_K, SECCOMP_RET_KILL) |
| 128 | |
| 129 | #define set_bpf_ret_errno(_block, _errno) \ |
| 130 | set_bpf_stmt((_block), BPF_RET+BPF_K, \ |
| 131 | SECCOMP_RET_ERRNO | ((_errno) & SECCOMP_RET_DATA)) |
| 132 | |
| 133 | #define set_bpf_ret_allow(_block) \ |
| 134 | set_bpf_stmt((_block), BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| 135 | |
| 136 | /* BPF label functions. */ |
| 137 | int bpf_resolve_jumps(struct bpf_labels *labels, |
| 138 | struct sock_filter *filter, size_t count); |
| 139 | int bpf_label_id(struct bpf_labels *labels, const char *label); |
| 140 | void free_label_strings(struct bpf_labels *labels); |
| 141 | |
| 142 | /* BPF helper functions. */ |
| 143 | size_t bpf_load_arg(struct sock_filter *filter, int argidx); |
| 144 | size_t bpf_comp_jeq(struct sock_filter *filter, unsigned long c, |
| 145 | unsigned char jt, unsigned char jf); |
| 146 | |
| 147 | /* Functions called by syscall_filter.c */ |
| 148 | size_t bpf_arg_comp(struct sock_filter **pfilter, |
| 149 | int op, int argidx, unsigned long c, unsigned int label_id); |
| 150 | |
| 151 | /* Debug */ |
| 152 | void dump_bpf_prog(struct sock_fprog *fprog); |
| 153 | void dump_bpf_filter(struct sock_filter *filter, unsigned short len); |
| 154 | |
| 155 | #endif /* _MINIJAIL_BPF_H_ */ |