| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/C/Firefox/third_party/rlbox/include/ (Browser von der Mozilla Stiftung Version 136.0.1©) Datei vom 10.2.2025 mit Größe 37 kB |
|
Quelle rlbox_sandbox.hpp Sprache: C |
|||||||||||||||
|
#pragma once // IWYU pragma: private, include "rlbox.hpp" // IWYU pragma: friend "rlbox_.*\.hpp" #include <algorithm> #include <atomic> #ifdef RLBOX_MEASURE_TRANSITION_TIMES # include <chrono> #endif #include <cstdlib> #include <limits> #include <map> #include <mutex> #ifndef RLBOX_USE_CUSTOM_SHARED_LOCK # include <shared_mutex> #endif #ifdef RLBOX_MEASURE_TRANSITION_TIMES # include <sstream> # include <string> #endif #include <stdint.h> #include <type_traits> #include <utility> #include <vector> #include "rlbox_conversion.hpp" #include "rlbox_helpers.hpp" #include "rlbox_stdlib_polyfill.hpp" #include "rlbox_struct_support.hpp" #include "rlbox_type_traits.hpp" #include "rlbox_wrapper_traits.hpp" #ifdef RLBOX_MEASURE_TRANSITION_TIMES using namespace std::chrono; #endif namespace rlbox { namespace convert_fn_ptr_to_sandbox_equivalent_detail { template<typename T, typename T_Sbx> using conv = ::rlbox::detail::convert_to_sandbox_equivalent_t<T, T_Sbx>; template<typename T_Ret, typename... T_Args> using T_Func = T_Ret (*)(T_Args...); template<typename T_Sbx, typename T_Ret, typename... T_Args> T_Func<conv<T_Ret, T_Sbx>, conv<T_Args, T_Sbx>...> helper( T_Ret (*)(T_Args...)); } #if defined(RLBOX_MEASURE_TRANSITION_TIMES) || \ defined(RLBOX_TRANSITION_ACTION_OUT) || defined(RLBOX_TRANSITION_ACTION_IN) enum class rlbox_transition { INVOKE, CALLBACK }; #endif #ifdef RLBOX_MEASURE_TRANSITION_TIMES struct rlbox_transition_timing { rlbox_transition invoke; const char* name; void* ptr; int64_t time; std::string to_string() { std::ostringstream ret; if (invoke == rlbox_transition::INVOKE) { ret << name; } else { ret << "Callback " << ptr; } ret << " : " << time << "\n"; return ret.str(); } }; #endif #ifndef RLBOX_SINGLE_THREADED_INVOCATIONS # error \ "RLBox does not yet support threading. Please define RLBOX_SINGLE_THREADED_INVOC #endif /** * @brief Encapsulation for sandboxes. * * @tparam T_Sbx Type of sandbox. For the null sandbox this is * `rlbox_noop_sandbox` */ template<typename T_Sbx> class rlbox_sandbox : protected T_Sbx { KEEP_CLASSES_FRIENDLY private: #ifdef RLBOX_MEASURE_TRANSITION_TIMES std::vector<rlbox_transition_timing> transition_times; #endif static inline RLBOX_SHARED_LOCK(sandbox_list_lock); // The actual type of the vector is std::vector<rlbox_sandbox<T_Sbx>*> // However clang 5, 6 have bugs where compilation seg-faults on this type // So we just use this std::vector<void*> static inline MOZ_RUNINIT std::vector<void*> sandbox_list; RLBOX_SHARED_LOCK(func_ptr_cache_lock); std::map<std::string, void*> func_ptr_map; app_pointer_map<typename T_Sbx::T_PointerType> app_ptr_map; // This variable tracks of the sandbox has already been created/destroyed. // APIs in this class should be called only when the sandbox is created. // However, it is expensive to check in APIs such as invoke or in the callback // interceptor. What's more, there could be time of check time of use issues // in the checks as well. // In general, we leave it up to the user to ensure these APIs are never // called prior to sandbox construction or after destruction. We perform some // conservative sanity checks, where they would not add too much overhead. enum class Sandbox_Status { NOT_CREATED, INITIALIZING, CREATED, CLEANING_UP }; std::atomic<Sandbox_Status> sandbox_created = Sandbox_Status::NOT_CREATED; std::mutex callback_lock; std::vector<void*> callback_keys; void* transition_state = nullptr; template<typename T> using convert_fn_ptr_to_sandbox_equivalent_t = decltype( ::rlbox::convert_fn_ptr_to_sandbox_equivalent_detail::helper<T_Sbx>( std::declval<T>())); template<typename T> inline constexpr void check_invoke_param_type_is_ok() { using T_NoRef = std::remove_reference_t<T>; if_constexpr_named(cond1, detail::rlbox_is_wrapper_v<T_NoRef>) { if_constexpr_named( subcond1, !std::is_same_v<T_Sbx, detail::rlbox_get_wrapper_sandbox_t<T_NoRef>>) { rlbox_detail_static_fail_because( cond1 && subcond1, "Mixing tainted data from a different sandbox types. This could " "happen due to couple of different reasons.\n" "1. You are using 2 sandbox types for example'rlbox_noop_sandbox' " "and 'rlbox_lucet_sandbox', and are passing tainted data from one " "sandbox as parameters into a function call to the other sandbox. " "This is not allowed, unwrap the tainted data with copy_and_verify " "or other unwrapping APIs first.\n" "2. You have inadvertantly forgotten to set/remove " "RLBOX_USE_STATIC_CALLS depending on the sandbox type. Some sandbox " "types like rlbox_noop_sandbox require this to be set to a given " "value, while other types like rlbox_lucet_sandbox, require this not " "to be set."); } } else if_constexpr_named(cond2, std::is_null_pointer_v<T_NoRef> || detail::is_fundamental_or_enum_v<T_NoRef>) {} else { constexpr auto unknownCase = !(cond1 || cond2); rlbox_detail_static_fail_because( unknownCase, "Arguments to a sandbox function call should be primitives or wrapped " "types like tainted, callbacks etc."); } } template<typename T> inline auto invoke_process_param(T&& param) { check_invoke_param_type_is_ok<T>(); using T_NoRef = std::remove_reference_t<T>; if constexpr (detail::rlbox_is_tainted_opaque_v<T_NoRef>) { auto ret = from_opaque(param); return ret.UNSAFE_sandboxed(*this); } else if constexpr (detail::rlbox_is_wrapper_v<T_NoRef>) { return param.UNSAFE_sandboxed(*this); } else if constexpr (std::is_null_pointer_v<T_NoRef>) { tainted<void*, T_Sbx> ret = nullptr; return ret.UNSAFE_sandboxed(*this); } else if constexpr (detail::is_fundamental_or_enum_v<T_NoRef>) { // For unwrapped primitives, assign to a tainted var and then unwrap so // that we adjust for machine model tainted<T_NoRef, T_Sbx> ret = param; return ret.UNSAFE_sandboxed(*this); } else { rlbox_detail_static_fail_because( detail::true_v<T_NoRef>, "Only tainted types, callbacks or primitive values such as ints can be " "passed as parameters.\n" "To make a parameter tainted, try moving the allocation into the " "sandbox.\n" "If the parameter is a callback, try registering the callback via the " "register_callback API."); } } template<typename T, typename T_Arg> inline tainted<T, T_Sbx> sandbox_callback_intercept_convert_param( rlbox_sandbox<T_Sbx>& sandbox, const T_Arg& arg) { tainted<T, T_Sbx> ret; using namespace detail; convert_type<T_Sbx, adjust_type_direction::TO_APPLICATION, adjust_type_context::SANDBOX>( ret.get_raw_value_ref(), arg, nullptr /* example_unsandboxed_ptr */, &sandbox); return ret; } template<typename T_Ret, typename... T_Args> static detail::convert_to_sandbox_equivalent_t<T_Ret, T_Sbx> sandbox_callback_interceptor( detail::convert_to_sandbox_equivalent_t<T_Args, T_Sbx>... args) { std::pair<T_Sbx*, void*> context = T_Sbx::impl_get_executed_callback_sandbox_and_key(); auto& sandbox = *(reinterpret_cast<rlbox_sandbox<T_Sbx>*>(context.first)); auto key = context.second; using T_Func_Ret = std::conditional_t<std::is_void_v<T_Ret>, void, tainted<T_Ret, T_Sbx>>; using T_Func = T_Func_Ret (*)(rlbox_sandbox<T_Sbx>&, tainted<T_Args, T_Sbx>...); auto target_fn_ptr = reinterpret_cast<T_Func>(key); #ifdef RLBOX_MEASURE_TRANSITION_TIMES high_resolution_clock::time_point enter_time = high_resolution_clock::now(); auto on_exit = rlbox::detail::make_scope_exit([&] { auto exit_time = high_resolution_clock::now(); int64_t ns = duration_cast<nanoseconds>(exit_time - enter_time).count(); sandbox.transition_times.push_back( rlbox_transition_timing{ rlbox_transition::CALLBACK, nullptr /* func_name */, key /* func_ptr */, ns }); }); #endif #ifdef RLBOX_TRANSITION_ACTION_OUT RLBOX_TRANSITION_ACTION_OUT(rlbox_transition::CALLBACK, nullptr /* func_name */, key /* func_ptr */, sandbox.transition_state); #endif #ifdef RLBOX_TRANSITION_ACTION_IN auto on_exit_transition = rlbox::detail::make_scope_exit([&] { RLBOX_TRANSITION_ACTION_IN(rlbox_transition::CALLBACK, nullptr /* func_name */, key /* func_ptr */, sandbox.transition_state); }); #endif if constexpr (std::is_void_v<T_Func_Ret>) { (*target_fn_ptr)( sandbox, sandbox.template sandbox_callback_intercept_convert_param<T_Args>( sandbox, args)...); return; } else { auto tainted_ret = (*target_fn_ptr)( sandbox, sandbox.template sandbox_callback_intercept_convert_param<T_Args>( sandbox, args)...); using namespace detail; convert_to_sandbox_equivalent_t<T_Ret, T_Sbx> ret; convert_type<T_Sbx, adjust_type_direction::TO_SANDBOX, adjust_type_context::SANDBOX>( ret, tainted_ret.get_raw_value_ref(), nullptr /* example_unsandboxed_ptr */, &sandbox); return ret; } } /** * @brief Unregister a callback function and disallow the sandbox from * calling this function henceforth. */ template<typename T_Ret, typename... T_Args> inline void unregister_callback(void* key) { // Silently swallowing the failure is better here as RAII types may try to // cleanup callbacks after sandbox destruction if (sandbox_created.load() != Sandbox_Status::CREATED) { return; } this->template impl_unregister_callback< detail::convert_to_sandbox_equivalent_t<T_Ret, T_Sbx>, detail::convert_to_sandbox_equivalent_t<T_Args, T_Sbx>...>(key); std::lock_guard<std::mutex> lock(callback_lock); auto el_ref = std::find(callback_keys.begin(), callback_keys.end(), key); detail::dynamic_check( el_ref != callback_keys.end(), "Unexpected state. Unregistering a callback that was never registered."); callback_keys.erase(el_ref); } static T_Sbx* find_sandbox_from_example(const void* example_sandbox_ptr) { detail::dynamic_check( example_sandbox_ptr != nullptr, "Internal error: received a null example pointer. Please file a bug."); RLBOX_ACQUIRE_SHARED_GUARD(lock, sandbox_list_lock); for (auto sandbox_v : sandbox_list) { auto sandbox = reinterpret_cast<rlbox_sandbox<T_Sbx>*>(sandbox_v); if (sandbox->is_pointer_in_sandbox_memory(example_sandbox_ptr)) { return sandbox; } } return nullptr; } template<typename... T_Args> static auto impl_create_sandbox_helper(rlbox_sandbox<T_Sbx>* this_ptr, T_Args... args) { return this_ptr->impl_create_sandbox(std::forward<T_Args>(args)...); } public: /** * @brief Unused member that allows the calling code to save data in a * "per-sandbox" storage. This can be useful to save context which is used * in callbacks. */ void* sandbox_storage; /***** Function to adjust for custom machine models *****/ template<typename T> using convert_to_sandbox_equivalent_nonclass_t = detail::convert_base_types_t<T, typename T_Sbx::T_ShortType, typename T_Sbx::T_IntType, typename T_Sbx::T_LongType, typename T_Sbx::T_LongLongType, typename T_Sbx::T_PointerType>; T_Sbx* get_sandbox_impl() { return this; } /** * @brief Create a new sandbox. * * @tparam T_Args Arguments passed to the underlying sandbox * implementation. For the null sandbox, no arguments are necessary. */ template<typename... T_Args> inline bool create_sandbox(T_Args... args) { #ifdef RLBOX_MEASURE_TRANSITION_TIMES // Warm up the timer. The first call is always slow (at least on the test // platform) for (int i = 0; i < 10; i++) { auto val = high_resolution_clock::now(); RLBOX_UNUSED(val); } #endif auto expected = Sandbox_Status::NOT_CREATED; bool success = sandbox_created.compare_exchange_strong( expected, Sandbox_Status::INITIALIZING /* desired */); detail::dynamic_check( success, "create_sandbox called when sandbox already created/is being " "created concurrently"); using T_Result = rlbox::detail::polyfill::invoke_result_t< decltype(impl_create_sandbox_helper<T_Args...>), decltype(this), T_Args...>; bool created = true; if constexpr (std::is_same_v<T_Result, void>) { this->impl_create_sandbox(std::forward<T_Args>(args)...); } else if constexpr (std::is_same_v<T_Result, bool>) { created = this->impl_create_sandbox(std::forward<T_Args>(args)...); } else { rlbox_detail_static_fail_because( (!std::is_same_v<T_Result, void> && !std::is_same_v<T_Result, bool>), "Expected impl_create_sandbox to return void or a boolean"); } if (created) { sandbox_created.store(Sandbox_Status::CREATED); RLBOX_ACQUIRE_UNIQUE_GUARD(lock, sandbox_list_lock); sandbox_list.push_back(this); } return created; } /** * @brief Destroy sandbox and reclaim any memory. */ inline auto destroy_sandbox() { auto expected = Sandbox_Status::CREATED; bool success = sandbox_created.compare_exchange_strong( expected, Sandbox_Status::CLEANING_UP /* desired */); detail::dynamic_check( success, "destroy_sandbox called without sandbox creation/is being " "destroyed concurrently"); { RLBOX_ACQUIRE_UNIQUE_GUARD(lock, sandbox_list_lock); auto el_ref = std::find(sandbox_list.begin(), sandbox_list.end(), this); detail::dynamic_check( el_ref != sandbox_list.end(), "Unexpected state. Destroying a sandbox that was never initialized."); sandbox_list.erase(el_ref); } sandbox_created.store(Sandbox_Status::NOT_CREATED); return this->impl_destroy_sandbox(); } template<typename T> inline T get_unsandboxed_pointer( convert_to_sandbox_equivalent_nonclass_t<T> p) const { static_assert(std::is_pointer_v<T>); if (p == 0) { return nullptr; } auto ret = this->template impl_get_unsandboxed_pointer<T>(p); return reinterpret_cast<T>(ret); } template<typename T> inline convert_to_sandbox_equivalent_nonclass_t<T> get_sandboxed_pointer( const void* p) const { static_assert(std::is_pointer_v<T>); if (p == nullptr) { return 0; } return this->template impl_get_sandboxed_pointer<T>(p); } template<typename T> static inline T get_unsandboxed_pointer_no_ctx( convert_to_sandbox_equivalent_nonclass_t<T> p, const void* example_unsandboxed_ptr) { static_assert(std::is_pointer_v<T>); if (p == 0) { return nullptr; } auto ret = T_Sbx::template impl_get_unsandboxed_pointer_no_ctx<T>( p, example_unsandboxed_ptr, find_sandbox_from_example); return reinterpret_cast<T>(ret); } template<typename T> static inline convert_to_sandbox_equivalent_nonclass_t<T> get_sandboxed_pointer_no_ctx(const void* p, const void* example_unsandboxed_ptr) { static_assert(std::is_pointer_v<T>); if (p == nullptr) { return 0; } return T_Sbx::template impl_get_sandboxed_pointer_no_ctx<T>( p, example_unsandboxed_ptr, find_sandbox_from_example); } /** * @brief Allocate a new pointer that is accessible to both the application * and sandbox. The pointer is allocated in sandbox memory. * * @tparam T The type of the pointer you want to create. If T=int, this * would return a pointer to an int. * * @return tainted<T*, T_Sbx> Tainted pointer accessible to the application * and sandbox. */ template<typename T> inline tainted<T*, T_Sbx> malloc_in_sandbox() { const uint32_t defaultCount = 1; return malloc_in_sandbox<T>(defaultCount); } /** * @brief Allocate an array that is accessible to both the application * and sandbox. The pointer is allocated in sandbox memory. * * @tparam T The type of the array elements you want to create. If T=int, this * would return a pointer to an array of ints. * * @param count The number of array elements to allocate. * * @return tainted<T*, T_Sbx> Tainted pointer accessible to the application * and sandbox. */ template<typename T> inline tainted<T*, T_Sbx> malloc_in_sandbox(uint32_t count) { // Silently swallowing the failure is better here as RAII types may try to // malloc after sandbox destruction if (sandbox_created.load() != Sandbox_Status::CREATED) { return tainted<T*, T_Sbx>::internal_factory(nullptr); } detail::dynamic_check(count != 0, "Malloc tried to allocate 0 bytes"); if constexpr (sizeof(T) >= std::numeric_limits<uint32_t>::max()) { rlbox_detail_static_fail_because(sizeof(T) >= std::numeric_limits<uint32_t>::max(), "Tried to allocate an object over 4GB."); } auto total_size = static_cast<uint64_t>(sizeof(T)) * count; if constexpr (sizeof(size_t) == 4) { // On a 32-bit platform, we need to make sure that total_size is not >=4GB detail::dynamic_check(total_size < std::numeric_limits<uint32_t>::max(), "Tried to allocate memory over 4GB"); } else if constexpr (sizeof(size_t) != 8) { // Double check we are on a 64-bit platform // Note for static checks we need to have some dependence on T, so adding // a dummy constexpr bool dummy = sizeof(T) >= 0; rlbox_detail_static_fail_because(dummy && sizeof(size_t) != 8, "Expected 32 or 64 bit platform."); } auto ptr_in_sandbox = this->impl_malloc_in_sandbox(total_size); auto ptr = get_unsandboxed_pointer<T*>(ptr_in_sandbox); if (!ptr) { return tainted<T*, T_Sbx>(nullptr); } detail::dynamic_check(is_pointer_in_sandbox_memory(ptr), "Malloc returned pointer outside the sandbox memory"); auto ptr_end = reinterpret_cast<uintptr_t>(ptr + (count - 1)); detail::dynamic_check( is_in_same_sandbox(ptr, reinterpret_cast<void*>(ptr_end)), "Malloc returned a pointer whose range goes beyond sandbox memory"); auto cast_ptr = reinterpret_cast<T*>(ptr); return tainted<T*, T_Sbx>::internal_factory(cast_ptr); } /** * @brief Free the memory referenced by the tainted pointer. * * @param ptr Pointer to sandbox memory to free. */ template<typename T> inline void free_in_sandbox(tainted<T*, T_Sbx> ptr) { // Silently swallowing the failure is better here as RAII types may try to // free after sandbox destruction if (sandbox_created.load() != Sandbox_Status::CREATED) { return; } this->impl_free_in_sandbox(ptr.get_raw_sandbox_value(*this)); } /** * @brief Free the memory referenced by a tainted_volatile pointer ref. * * @param ptr_ref Pointer reference to sandbox memory to free. */ template<typename T> inline void free_in_sandbox(tainted_volatile<T, T_Sbx>& ptr_ref) { tainted<T, T_Sbx> ptr = ptr_ref; free_in_sandbox(ptr); } /** * @brief Free the memory referenced by a tainted_opaque pointer. * * @param ptr_opaque Opaque pointer to sandbox memory to free. */ template<typename T> inline void free_in_sandbox(tainted_opaque<T, T_Sbx> ptr_opaque) { tainted<T, T_Sbx> ptr = from_opaque(ptr_opaque); free_in_sandbox(ptr); } /** * @brief Check if two pointers are in the same sandbox. * For the null-sandbox, this always returns true. */ static inline bool is_in_same_sandbox(const void* p1, const void* p2) { const size_t num_args = detail::func_arg_nums_v<decltype(T_Sbx::impl_is_in_same_sandbox)>; if constexpr (num_args == 2) { return T_Sbx::impl_is_in_same_sandbox(p1, p2); } else { return T_Sbx::impl_is_in_same_sandbox(p1, p2, find_sandbox_from_example); } } /** * @brief Check if the pointer points to this sandbox's memory. * For the null-sandbox, this always returns true. */ inline bool is_pointer_in_sandbox_memory(const void* p) { return this->impl_is_pointer_in_sandbox_memory(p); } /** * @brief Check if the pointer points to application memory. * For the null-sandbox, this always returns true. */ inline bool is_pointer_in_app_memory(const void* p) { return this->impl_is_pointer_in_app_memory(p); } inline size_t get_total_memory() { return this->impl_get_total_memory(); } inline void* get_memory_location() { return this->impl_get_memory_location(); } void* get_transition_state() { return transition_state; } void set_transition_state(void* new_state) { transition_state = new_state; } /** * @brief For internal use only. * Grant access of the passed in buffer in to the sandbox instance. Called by * internal APIs only if the underlying sandbox supports * can_grant_deny_access by including the line * ``` * using can_grant_deny_access = void; * ``` */ template<typename T> inline tainted<T*, T_Sbx> INTERNAL_grant_access(T* src, size_t num, bool& success) { auto ret = this->impl_grant_access(src, num, success); return tainted<T*, T_Sbx>::internal_factory(ret); } /** * @brief For internal use only. * Grant access of the passed in buffer in to the sandbox instance. Called by * internal APIs only if the underlying sandbox supports * can_grant_deny_access by including the line * ``` * using can_grant_deny_access = void; * ``` */ template<typename T> inline T* INTERNAL_deny_access(tainted<T*, T_Sbx> src, size_t num, bool& success) { auto ret = this->impl_deny_access(src.INTERNAL_unverified_safe(), num, success); return ret; } void* lookup_symbol(const char* func_name) { { RLBOX_ACQUIRE_SHARED_GUARD(lock, func_ptr_cache_lock); auto func_ptr_ref = func_ptr_map.find(func_name); if (func_ptr_ref != func_ptr_map.end()) { return func_ptr_ref->second; } } void* func_ptr = this->impl_lookup_symbol(func_name); RLBOX_ACQUIRE_UNIQUE_GUARD(lock, func_ptr_cache_lock); func_ptr_map[func_name] = func_ptr; return func_ptr; } void* internal_lookup_symbol(const char* func_name) { { RLBOX_ACQUIRE_SHARED_GUARD(lock, func_ptr_cache_lock); auto func_ptr_ref = func_ptr_map.find(func_name); if (func_ptr_ref != func_ptr_map.end()) { return func_ptr_ref->second; } } void* func_ptr = 0; if constexpr (rlbox::detail:: has_member_using_needs_internal_lookup_symbol_v<T_Sbx>) { func_ptr = this->impl_internal_lookup_symbol(func_name); } else { func_ptr = this->impl_lookup_symbol(func_name); } RLBOX_ACQUIRE_UNIQUE_GUARD(lock, func_ptr_cache_lock); func_ptr_map[func_name] = func_ptr; return func_ptr; } // this is an internal function invoked from macros, so it has be public template<typename T, typename... T_Args> inline auto INTERNAL_invoke_with_func_name(const char* func_name, T_Args&&... params) { return INTERNAL_invoke_with_func_ptr<T, T_Args...>( func_name, lookup_symbol(func_name), std::forward<T_Args>(params)...); } // this is an internal function invoked from macros, so it has be public // Explicitly don't use inline on this, as this adds a lot of instructions // prior to function call. What's more, by not inlining, different function // calls with the same signature can share the same code segments for // sandboxed function execution in the binary template<typename T, typename... T_Args> auto INTERNAL_invoke_with_func_ptr(const char* func_name, void* func_ptr, T_Args&&... params) { // unused in some paths RLBOX_UNUSED(func_name); #ifdef RLBOX_MEASURE_TRANSITION_TIMES auto enter_time = high_resolution_clock::now(); auto on_exit = rlbox::detail::make_scope_exit([&] { auto exit_time = high_resolution_clock::now(); int64_t ns = duration_cast<nanoseconds>(exit_time - enter_time).count(); transition_times.push_back(rlbox_transition_timing{ rlbox_transition::INVOKE, func_name, func_ptr, ns }); }); #endif #ifdef RLBOX_TRANSITION_ACTION_IN RLBOX_TRANSITION_ACTION_IN( rlbox_transition::INVOKE, func_name, func_ptr, transition_state); #endif #ifdef RLBOX_TRANSITION_ACTION_OUT auto on_exit_transition = rlbox::detail::make_scope_exit([&] { RLBOX_TRANSITION_ACTION_OUT( rlbox_transition::INVOKE, func_name, func_ptr, transition_state); }); #endif (check_invoke_param_type_is_ok<T_Args>(), ...); static_assert( rlbox::detail::polyfill::is_invocable_v< T, detail::rlbox_remove_wrapper_t<std::remove_reference_t<T_Args>>...>, "Mismatched arguments types for function"); using T_Result = rlbox::detail::polyfill::invoke_result_t< T, detail::rlbox_remove_wrapper_t<std::remove_reference_t<T_Args>>...>; using T_Converted = std::remove_pointer_t<convert_fn_ptr_to_sandbox_equivalent_t<T*>>; if constexpr (std::is_void_v<T_Result>) { this->template impl_invoke_with_func_ptr<T>( reinterpret_cast<T_Converted*>(func_ptr), invoke_process_param(params)...); return; } else { auto raw_result = this->template impl_invoke_with_func_ptr<T>( reinterpret_cast<T_Converted*>(func_ptr), invoke_process_param(params)...); tainted<T_Result, T_Sbx> wrapped_result; using namespace detail; convert_type<T_Sbx, adjust_type_direction::TO_APPLICATION, adjust_type_context::SANDBOX>( wrapped_result.get_raw_value_ref(), raw_result, nullptr /* example_unsandboxed_ptr */, this /* sandbox_ptr */); return wrapped_result; } } // Useful in the porting stage to temporarily allow non tainted pointers to go // through. This will only ever work in the rlbox_noop_sandbox. Any sandbox // that actually enforces isolation will crash here. template<typename T2> tainted<T2, T_Sbx> UNSAFE_accept_pointer(T2 ptr) { static_assert(std::is_pointer_v<T2>, "UNSAFE_accept_pointer expects a pointer param"); tainted<T2, T_Sbx> ret; ret.assign_raw_pointer(*this, ptr); return ret; } template<typename T_Ret, typename... T_Args> using T_Cb_no_wrap = detail::rlbox_remove_wrapper_t<T_Ret>( detail::rlbox_remove_wrapper_t<T_Args>...); template<typename T_Ret> sandbox_callback<T_Cb_no_wrap<T_Ret>*, T_Sbx> register_callback(T_Ret (*)()) { rlbox_detail_static_fail_because( detail::true_v<T_Ret>, "Modify the callback to change the first parameter to a sandbox. " "For instance if a callback has type\n\n" "int foo() {...}\n\n" "Change this to \n\n" "tainted // this is never executed, but we need it for the function to type-check std::abort(); } /** * @brief Expose a callback function to the sandboxed code. * * @param func_ptr The callback to expose. * * @tparam T_RL Sandbox reference type (first argument). * @tparam T_Ret Return type of callback. Must be tainted or void. * @tparam T_Args Types of remaining callback arguments. Must be tainted. * * @return Wrapped callback function pointer that can be passed to the * sandbox. */ template<typename T_RL, typename T_Ret, typename... T_Args> sandbox_callback<T_Cb_no_wrap<T_Ret, T_Args...>*, T_Sbx> register_callback( T_Ret (*func_ptr)(T_RL, T_Args...)) { // Some branches don't use the param RLBOX_UNUSED(func_ptr); if_constexpr_named(cond1, !std::is_same_v<T_RL, rlbox_sandbox<T_Sbx>&>) { rlbox_detail_static_fail_because( cond1, "Modify the callback to change the first parameter to a sandbox. " "For instance if a callback has type\n\n" "int foo(int a, int b) {...}\n\n" "Change this to \n\n" "tainted "tainted } else if_constexpr_named( cond2, !(detail::rlbox_is_tainted_or_opaque_v<T_Args> && ...)) { rlbox_detail_static_fail_because( cond2, "Change all arguments to the callback have to be tainted or " "tainted_opaque. " "For instance if a callback has type\n\n" "int foo(int a, int b) {...}\n\n" "Change this to \n\n" "tainted "tainted } else if_constexpr_named( cond3, (std::is_array_v<detail::rlbox_remove_wrapper_t<T_Args>> || ...)) { rlbox_detail_static_fail_because( cond3, "Change all static array arguments to the callback to be pointers. " "For instance if a callback has type\n\n" "int foo(int a[4]) {...}\n\n" "Change this to \n\n" "tainted "tainted } else if_constexpr_named( cond4, !(std::is_void_v<T_Ret> || detail::rlbox_is_tainted_or_opaque_v<T_Ret>)) { rlbox_detail_static_fail_because( cond4, "Change the callback return type to be tainted or tainted_opaque if it " "is not void. " "For instance if a callback has type\n\n" "int foo(int a, int b) {...}\n\n" "Change this to \n\n" "tainted "tainted } else { detail::dynamic_check( sandbox_created.load() == Sandbox_Status::CREATED, "register_callback called without sandbox creation"); // Need unique key for each callback we register - just use the func addr void* unique_key = reinterpret_cast<void*>(func_ptr); // Make sure that the user hasn't previously registered this function... // If they have, we would returning 2 owning types (sandbox_callback) to // the same callback which would be bad { std::lock_guard<std::mutex> lock(callback_lock); bool exists = std::find(callback_keys.begin(), callback_keys.end(), unique_key) != callback_keys.end(); detail::dynamic_check( !exists, "You have previously already registered this callback."); callback_keys.push_back(unique_key); } auto callback_interceptor = sandbox_callback_interceptor<detail::rlbox_remove_wrapper_t<T_Ret>, detail::rlbox_remove_wrapper_t<T_Args>...>; auto callback_trampoline = this->template impl_register_callback< detail::convert_to_sandbox_equivalent_t< detail::rlbox_remove_wrapper_t<T_Ret>, T_Sbx>, detail::convert_to_sandbox_equivalent_t< detail::rlbox_remove_wrapper_t<T_Args>, T_Sbx>...>(unique_key, reinterpret_cast<void*>(callback_interceptor)); auto tainted_func_ptr = reinterpret_cast< detail::rlbox_tainted_opaque_to_tainted_t<T_Ret, T_Sbx> (*)( T_RL, detail::rlbox_tainted_opaque_to_tainted_t<T_Args, T_Sbx>...)>( reinterpret_cast<void*>(func_ptr)); auto ret = sandbox_callback<T_Cb_no_wrap<T_Ret, T_Args...>*, T_Sbx>( this, tainted_func_ptr, callback_interceptor, callback_trampoline, unique_key); return ret; } } // this is an internal function invoked from macros, so it has be public template<typename T> inline tainted<T*, T_Sbx> INTERNAL_get_sandbox_function_name( const char* func_name) { return INTERNAL_get_sandbox_function_ptr<T>( internal_lookup_symbol(func_name)); } // this is an internal function invoked from macros, so it has be public template<typename T> inline tainted<T*, T_Sbx> INTERNAL_get_sandbox_function_ptr(void* func_ptr) { return tainted<T*, T_Sbx>::internal_factory(reinterpret_cast<T*>(func_ptr)); } /** * @brief Create a "fake" pointer referring to a location in the application * memory * * @param ptr The pointer to refer to * * @return The app_pointer object that refers to this location. */ template<typename T> app_pointer<T*, T_Sbx> get_app_pointer(T* ptr) { auto max_ptr = (typename T_Sbx::T_PointerType)(get_total_memory() - 1); auto idx = app_ptr_map.get_app_pointer_idx((void*)ptr, max_ptr); auto idx_as_ptr = this->template impl_get_unsandboxed_pointer<T>(idx); // Right now we simply assume that any integer can be converted to a valid // pointer in the sandbox This may not be true for some sandboxing mechanism // plugins in the future In this case, we will have to come up with // something more clever to construct indexes that look like valid pointers // Add a check for now to make sure things work fine detail::dynamic_check(is_pointer_in_sandbox_memory(idx_as_ptr), "App pointers are not currently supported for this " "rlbox sandbox plugin. Please file a bug."); auto ret = app_pointer<T*, T_Sbx>( &app_ptr_map, idx, reinterpret_cast<T*>(idx_as_ptr)); return ret; } /** * @brief The mirror of get_app_pointer. Take a tainted pointer which is * actually an app_pointer, and get the application location being pointed to * * @param tainted_ptr The tainted pointer that is actually an app_pointer * * @return The original location being referred to by the app_ptr */ template<typename T> T* lookup_app_ptr(tainted<T*, T_Sbx> tainted_ptr) { auto idx = tainted_ptr.get_raw_sandbox_value(*this); void* ret = app_ptr_map.lookup_index(idx); return reinterpret_cast<T*>(ret); } #ifdef RLBOX_MEASURE_TRANSITION_TIMES inline std::vector<rlbox_transition_timing>& process_and_get_transition_times() { return transition_times; } inline int64_t get_total_ns_time_in_sandbox_and_transitions() { int64_t ret = 0; for (auto& transition_time : transition_times) { if (transition_time.invoke == rlbox_transition::INVOKE) { ret += transition_time.time; } else { ret -= transition_time.time; } } return ret; } inline void clear_transition_times() { transition_times.clear(); } #endif }; #if defined(__clang__) # pragma clang diagnostic push # pragma clang diagnostic ignored "-Wgnu-zero-variadic-macro-arguments" #elif defined(__GNUC__) || defined(__GNUG__) // Can't turn off the variadic macro warning emitted from -pedantic so use a // hack to stop GCC emitting warnings for the reminder of this file # pragma GCC system_header #elif defined(_MSC_VER) // Doesn't seem to emit the warning #else // Don't know the compiler... just let it go through #endif /** * @def invoke_sandbox_function * @brief Call sandbox function. * * @param func_name The sandboxed library function to call. * @param ... Arguments to function should be simple or tainted values. * @return Tainted value or void. */ #ifdef RLBOX_USE_STATIC_CALLS # define sandbox_lookup_symbol_helper(prefix, func_name) prefix(func_name) # define invoke_sandbox_function(func_name, ...) \ template INTERNAL_invoke_with_func_ptr<decltype(func_name)>( \ #func_name, \ sandbox_lookup_symbol_helper(RLBOX_USE_STATIC_CALLS(), func_name), \ ##__VA_ARGS__) # define get_sandbox_function_address(func_name) \ template INTERNAL_get_sandbox_function_ptr<decltype(func_name)>( \ sandbox_lookup_symbol_helper(RLBOX_USE_STATIC_CALLS(), func_name)) #else # define invoke_sandbox_function(func_name, ...) \ template INTERNAL_invoke_with_func_name<decltype(func_name)>( \ #func_name, ##__VA_ARGS__) # define get_sandbox_function_address(func_name) \ template INTERNAL_get_sandbox_function_name<decltype(func_name)>(#func_name) #endif #define sandbox_invoke(sandbox, func_name, ...) \ (sandbox).invoke_sandbox_function(func_name, ##__VA_ARGS__) #define sandbox_function_address(sandbox, func_name) \ (sandbox).get_sandbox_function_address(func_name) #if defined(__clang__) # pragma clang diagnostic pop #else #endif }
¤ Dauer der Verarbeitung: 0.13 Sekunden ¤*© Formatika GbR, Deutschland |
|
||||||||||||||
2026-04-02