summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--security/sandbox/chromium-shim/base/MissingBasicTypes.h25
-rw-r--r--security/sandbox/chromium-shim/base/debug/debugging_flags.h19
-rw-r--r--security/sandbox/chromium-shim/base/file_version_info_win.h29
-rw-r--r--security/sandbox/chromium-shim/base/files/file_path.cpp19
-rw-r--r--security/sandbox/chromium-shim/base/gtest_prod_util.h17
-rw-r--r--security/sandbox/chromium-shim/base/logging.cpp156
-rw-r--r--security/sandbox/chromium-shim/base/third_party/nspr/prtime.h8
-rw-r--r--security/sandbox/chromium-shim/base/third_party/nspr/prtypes.h8
-rw-r--r--security/sandbox/chromium-shim/base/tracked_objects.h19
-rw-r--r--security/sandbox/chromium-shim/base/win/registry.h34
-rw-r--r--security/sandbox/chromium-shim/base/win/sdkdecls.h191
-rw-r--r--security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h98
-rw-r--r--security/sandbox/chromium-shim/sandbox/win/loggingTypes.h27
-rw-r--r--security/sandbox/chromium-shim/sandbox/win/sandboxLogging.cpp82
-rw-r--r--security/sandbox/chromium-shim/sandbox/win/sandboxLogging.h51
-rw-r--r--security/sandbox/chromium/LICENSE27
-rw-r--r--security/sandbox/chromium/base/at_exit.cc82
-rw-r--r--security/sandbox/chromium/base/at_exit.h76
-rw-r--r--security/sandbox/chromium/base/atomic_ref_count.h66
-rw-r--r--security/sandbox/chromium/base/atomic_sequence_num.h60
-rw-r--r--security/sandbox/chromium/base/atomicops.h161
-rw-r--r--security/sandbox/chromium/base/atomicops_internals_portable.h229
-rw-r--r--security/sandbox/chromium/base/atomicops_internals_x86_msvc.h196
-rw-r--r--security/sandbox/chromium/base/base_export.h29
-rw-r--r--security/sandbox/chromium/base/base_paths.h55
-rw-r--r--security/sandbox/chromium/base/base_paths_win.h54
-rw-r--r--security/sandbox/chromium/base/base_switches.cc95
-rw-r--r--security/sandbox/chromium/base/base_switches.h41
-rw-r--r--security/sandbox/chromium/base/bind.h101
-rw-r--r--security/sandbox/chromium/base/bind_helpers.h658
-rw-r--r--security/sandbox/chromium/base/bind_internal.h425
-rw-r--r--security/sandbox/chromium/base/bind_internal_win.h69
-rw-r--r--security/sandbox/chromium/base/bit_cast.h71
-rw-r--r--security/sandbox/chromium/base/callback.h405
-rw-r--r--security/sandbox/chromium/base/callback_forward.h19
-rw-r--r--security/sandbox/chromium/base/callback_internal.cc46
-rw-r--r--security/sandbox/chromium/base/callback_internal.h234
-rw-r--r--security/sandbox/chromium/base/compiler_specific.h190
-rw-r--r--security/sandbox/chromium/base/containers/hash_tables.h281
-rw-r--r--security/sandbox/chromium/base/cpu.cc296
-rw-r--r--security/sandbox/chromium/base/cpu.h92
-rw-r--r--security/sandbox/chromium/base/debug/alias.cc23
-rw-r--r--security/sandbox/chromium/base/debug/alias.h21
-rw-r--r--security/sandbox/chromium/base/debug/debugger.h44
-rw-r--r--security/sandbox/chromium/base/debug/leak_annotations.h46
-rw-r--r--security/sandbox/chromium/base/debug/profiler.cc221
-rw-r--r--security/sandbox/chromium/base/debug/profiler.h91
-rw-r--r--security/sandbox/chromium/base/file_descriptor_posix.h59
-rw-r--r--security/sandbox/chromium/base/files/file_path.h477
-rw-r--r--security/sandbox/chromium/base/guid.h33
-rw-r--r--security/sandbox/chromium/base/hash.cc18
-rw-r--r--security/sandbox/chromium/base/hash.h40
-rw-r--r--security/sandbox/chromium/base/lazy_instance.cc54
-rw-r--r--security/sandbox/chromium/base/lazy_instance.h207
-rw-r--r--security/sandbox/chromium/base/location.cc106
-rw-r--r--security/sandbox/chromium/base/location.h110
-rw-r--r--security/sandbox/chromium/base/logging.h976
-rw-r--r--security/sandbox/chromium/base/macros.h87
-rw-r--r--security/sandbox/chromium/base/memory/aligned_memory.h117
-rw-r--r--security/sandbox/chromium/base/memory/raw_scoped_refptr_mismatch_checker.h64
-rw-r--r--security/sandbox/chromium/base/memory/ref_counted.cc53
-rw-r--r--security/sandbox/chromium/base/memory/ref_counted.h446
-rw-r--r--security/sandbox/chromium/base/memory/scoped_ptr.h607
-rw-r--r--security/sandbox/chromium/base/memory/singleton.cc34
-rw-r--r--security/sandbox/chromium/base/memory/singleton.h284
-rw-r--r--security/sandbox/chromium/base/memory/weak_ptr.h345
-rw-r--r--security/sandbox/chromium/base/move.h57
-rw-r--r--security/sandbox/chromium/base/numerics/safe_conversions.h165
-rw-r--r--security/sandbox/chromium/base/numerics/safe_conversions_impl.h264
-rw-r--r--security/sandbox/chromium/base/numerics/safe_math.h299
-rw-r--r--security/sandbox/chromium/base/numerics/safe_math_impl.h545
-rw-r--r--security/sandbox/chromium/base/os_compat_android.h28
-rw-r--r--security/sandbox/chromium/base/path_service.h97
-rw-r--r--security/sandbox/chromium/base/posix/eintr_wrapper.h67
-rw-r--r--security/sandbox/chromium/base/process/process_handle.h81
-rw-r--r--security/sandbox/chromium/base/rand_util.h62
-rw-r--r--security/sandbox/chromium/base/scoped_clear_errno.h34
-rw-r--r--security/sandbox/chromium/base/sequence_checker.h62
-rw-r--r--security/sandbox/chromium/base/sequence_checker_impl.h52
-rw-r--r--security/sandbox/chromium/base/sequenced_task_runner.h159
-rw-r--r--security/sandbox/chromium/base/sequenced_task_runner_helpers.h113
-rw-r--r--security/sandbox/chromium/base/single_thread_task_runner.h38
-rw-r--r--security/sandbox/chromium/base/stl_util.h262
-rw-r--r--security/sandbox/chromium/base/strings/nullable_string16.cc17
-rw-r--r--security/sandbox/chromium/base/strings/nullable_string16.h46
-rw-r--r--security/sandbox/chromium/base/strings/safe_sprintf.cc686
-rw-r--r--security/sandbox/chromium/base/strings/safe_sprintf.h246
-rw-r--r--security/sandbox/chromium/base/strings/safe_sprintf_unittest.cc763
-rw-r--r--security/sandbox/chromium/base/strings/string16.cc82
-rw-r--r--security/sandbox/chromium/base/strings/string16.h187
-rw-r--r--security/sandbox/chromium/base/strings/string_number_conversions.cc485
-rw-r--r--security/sandbox/chromium/base/strings/string_number_conversions.h137
-rw-r--r--security/sandbox/chromium/base/strings/string_piece.cc452
-rw-r--r--security/sandbox/chromium/base/strings/string_piece.h469
-rw-r--r--security/sandbox/chromium/base/strings/string_split.cc264
-rw-r--r--security/sandbox/chromium/base/strings/string_split.h129
-rw-r--r--security/sandbox/chromium/base/strings/string_util.cc1001
-rw-r--r--security/sandbox/chromium/base/strings/string_util.h461
-rw-r--r--security/sandbox/chromium/base/strings/string_util_constants.cc67
-rw-r--r--security/sandbox/chromium/base/strings/string_util_posix.h37
-rw-r--r--security/sandbox/chromium/base/strings/string_util_win.h44
-rw-r--r--security/sandbox/chromium/base/strings/stringprintf.cc189
-rw-r--r--security/sandbox/chromium/base/strings/stringprintf.h66
-rw-r--r--security/sandbox/chromium/base/strings/utf_string_conversion_utils.cc148
-rw-r--r--security/sandbox/chromium/base/strings/utf_string_conversion_utils.h99
-rw-r--r--security/sandbox/chromium/base/strings/utf_string_conversions.cc231
-rw-r--r--security/sandbox/chromium/base/strings/utf_string_conversions.h54
-rw-r--r--security/sandbox/chromium/base/synchronization/condition_variable.h118
-rw-r--r--security/sandbox/chromium/base/synchronization/condition_variable_posix.cc137
-rw-r--r--security/sandbox/chromium/base/synchronization/lock.cc38
-rw-r--r--security/sandbox/chromium/base/synchronization/lock.h140
-rw-r--r--security/sandbox/chromium/base/synchronization/lock_impl.h60
-rw-r--r--security/sandbox/chromium/base/synchronization/lock_impl_posix.cc55
-rw-r--r--security/sandbox/chromium/base/synchronization/lock_impl_win.cc36
-rw-r--r--security/sandbox/chromium/base/synchronization/waitable_event.h189
-rw-r--r--security/sandbox/chromium/base/synchronization/waitable_event_posix.cc417
-rw-r--r--security/sandbox/chromium/base/task_runner.h154
-rw-r--r--security/sandbox/chromium/base/template_util.h122
-rw-r--r--security/sandbox/chromium/base/third_party/dmg_fp/LICENSE18
-rw-r--r--security/sandbox/chromium/base/third_party/dmg_fp/dmg_fp.h30
-rw-r--r--security/sandbox/chromium/base/third_party/dmg_fp/dtoa.cc4234
-rw-r--r--security/sandbox/chromium/base/third_party/dmg_fp/g_fmt.cc102
-rw-r--r--security/sandbox/chromium/base/third_party/dynamic_annotations/LICENSE28
-rw-r--r--security/sandbox/chromium/base/third_party/dynamic_annotations/dynamic_annotations.h595
-rw-r--r--security/sandbox/chromium/base/third_party/icu/LICENSE32
-rw-r--r--security/sandbox/chromium/base/third_party/icu/icu_utf.cc227
-rw-r--r--security/sandbox/chromium/base/third_party/icu/icu_utf.h400
-rw-r--r--security/sandbox/chromium/base/third_party/superfasthash/LICENSE27
-rw-r--r--security/sandbox/chromium/base/third_party/superfasthash/README.chromium29
-rw-r--r--security/sandbox/chromium/base/third_party/superfasthash/superfasthash.c84
-rw-r--r--security/sandbox/chromium/base/third_party/valgrind/LICENSE39
-rw-r--r--security/sandbox/chromium/base/third_party/valgrind/valgrind.h4792
-rw-r--r--security/sandbox/chromium/base/threading/platform_thread.h199
-rw-r--r--security/sandbox/chromium/base/threading/platform_thread_internal_posix.cc35
-rw-r--r--security/sandbox/chromium/base/threading/platform_thread_internal_posix.h43
-rw-r--r--security/sandbox/chromium/base/threading/platform_thread_linux.cc120
-rw-r--r--security/sandbox/chromium/base/threading/platform_thread_posix.cc263
-rw-r--r--security/sandbox/chromium/base/threading/platform_thread_win.cc284
-rw-r--r--security/sandbox/chromium/base/threading/sequenced_worker_pool.h384
-rw-r--r--security/sandbox/chromium/base/threading/thread_checker_impl.h44
-rw-r--r--security/sandbox/chromium/base/threading/thread_collision_warner.cc64
-rw-r--r--security/sandbox/chromium/base/threading/thread_collision_warner.h245
-rw-r--r--security/sandbox/chromium/base/threading/thread_id_name_manager.cc112
-rw-r--r--security/sandbox/chromium/base/threading/thread_id_name_manager.h68
-rw-r--r--security/sandbox/chromium/base/threading/thread_local.h134
-rw-r--r--security/sandbox/chromium/base/threading/thread_local_posix.cc43
-rw-r--r--security/sandbox/chromium/base/threading/thread_local_storage.h148
-rw-r--r--security/sandbox/chromium/base/threading/thread_local_win.cc40
-rw-r--r--security/sandbox/chromium/base/threading/thread_restrictions.cc85
-rw-r--r--security/sandbox/chromium/base/threading/thread_restrictions.h266
-rw-r--r--security/sandbox/chromium/base/time/time.cc347
-rw-r--r--security/sandbox/chromium/base/time/time.h764
-rw-r--r--security/sandbox/chromium/base/time/time_posix.cc363
-rw-r--r--security/sandbox/chromium/base/time/time_win.cc616
-rw-r--r--security/sandbox/chromium/base/tuple.h306
-rw-r--r--security/sandbox/chromium/base/values.h567
-rw-r--r--security/sandbox/chromium/base/version.h72
-rw-r--r--security/sandbox/chromium/base/win/pe_image.cc580
-rw-r--r--security/sandbox/chromium/base/win/pe_image.h265
-rw-r--r--security/sandbox/chromium/base/win/scoped_handle.cc248
-rw-r--r--security/sandbox/chromium/base/win/scoped_handle.h182
-rw-r--r--security/sandbox/chromium/base/win/scoped_process_information.cc147
-rw-r--r--security/sandbox/chromium/base/win/scoped_process_information.h83
-rw-r--r--security/sandbox/chromium/base/win/startup_information.cc109
-rw-r--r--security/sandbox/chromium/base/win/startup_information.h51
-rw-r--r--security/sandbox/chromium/base/win/windows_version.cc225
-rw-r--r--security/sandbox/chromium/base/win/windows_version.h133
-rw-r--r--security/sandbox/chromium/build/build_config.h168
-rw-r--r--security/sandbox/chromium/build/buildflag.h47
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.cc348
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.h335
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_forward.h42
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h69
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.cc161
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.h122
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/cons.h139
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.cc159
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.h24
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/errorcode.h37
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h57
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.cc19
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.h37
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.cc466
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.h153
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/seccomp_macros.h294
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.cc146
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.h103
-rw-r--r--security/sandbox/chromium/sandbox/linux/bpf_dsl/trap_registry.h73
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tester_compatibility_delegate.h55
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests.h122
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests_unittest.cc154
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.cc93
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.h68
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc280
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.h114
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.cc65
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h61
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.cc421
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.h166
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc244
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc387
-rw-r--r--security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.h86
-rw-r--r--security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.cc261
-rw-r--r--security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.h85
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h1418
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_ucontext.h69
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/capability.h42
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/i386_linux_ucontext.h96
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/linux_filter.h140
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/linux_futex.h84
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/linux_seccomp.h107
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/linux_signal.h146
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/linux_syscalls.h37
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/linux_ucontext.h28
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h1494
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h1294
-rw-r--r--security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_ucontext.h90
-rw-r--r--security/sandbox/chromium/sandbox/sandbox_export.h26
-rw-r--r--security/sandbox/chromium/sandbox/win/src/Wow64.cc226
-rw-r--r--security/sandbox/chromium/sandbox/win/src/Wow64.h52
-rw-r--r--security/sandbox/chromium/sandbox/win/src/Wow64_64.cc22
-rw-r--r--security/sandbox/chromium/sandbox/win/src/acl.cc125
-rw-r--r--security/sandbox/chromium/sandbox/win/src/acl.h44
-rw-r--r--security/sandbox/chromium/sandbox/win/src/app_container.cc184
-rw-r--r--security/sandbox/chromium/sandbox/win/src/app_container.h70
-rw-r--r--security/sandbox/chromium/sandbox/win/src/app_container_test.cc161
-rw-r--r--security/sandbox/chromium/sandbox/win/src/app_container_unittest.cc58
-rw-r--r--security/sandbox/chromium/sandbox/win/src/broker_services.cc558
-rw-r--r--security/sandbox/chromium/sandbox/win/src/broker_services.h112
-rw-r--r--security/sandbox/chromium/sandbox/win/src/crosscall_client.h526
-rw-r--r--security/sandbox/chromium/sandbox/win/src/crosscall_params.h287
-rw-r--r--security/sandbox/chromium/sandbox/win/src/crosscall_server.cc314
-rw-r--r--security/sandbox/chromium/sandbox/win/src/crosscall_server.h228
-rw-r--r--security/sandbox/chromium/sandbox/win/src/eat_resolver.cc88
-rw-r--r--security/sandbox/chromium/sandbox/win/src/eat_resolver.h50
-rw-r--r--security/sandbox/chromium/sandbox/win/src/file_policy_test.cc673
-rw-r--r--security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc318
-rw-r--r--security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.h74
-rw-r--r--security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc402
-rw-r--r--security/sandbox/chromium/sandbox/win/src/filesystem_interception.h53
-rw-r--r--security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc435
-rw-r--r--security/sandbox/chromium/sandbox/win/src/filesystem_policy.h113
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_closer.cc196
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_closer.h76
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_closer_agent.cc203
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_closer_agent.h47
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_closer_test.cc300
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc92
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h41
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_inheritance_test.cc52
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_interception.cc48
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_interception.h24
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_policy.cc92
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_policy.h39
-rw-r--r--security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc114
-rw-r--r--security/sandbox/chromium/sandbox/win/src/integrity_level_test.cc91
-rw-r--r--security/sandbox/chromium/sandbox/win/src/interception.cc560
-rw-r--r--security/sandbox/chromium/sandbox/win/src/interception.h286
-rw-r--r--security/sandbox/chromium/sandbox/win/src/interception_agent.cc235
-rw-r--r--security/sandbox/chromium/sandbox/win/src/interception_agent.h87
-rw-r--r--security/sandbox/chromium/sandbox/win/src/interception_internal.h78
-rw-r--r--security/sandbox/chromium/sandbox/win/src/interception_unittest.cc260
-rw-r--r--security/sandbox/chromium/sandbox/win/src/interceptors.h55
-rw-r--r--security/sandbox/chromium/sandbox/win/src/interceptors_64.cc278
-rw-r--r--security/sandbox/chromium/sandbox/win/src/interceptors_64.h175
-rw-r--r--security/sandbox/chromium/sandbox/win/src/internal_types.h76
-rw-r--r--security/sandbox/chromium/sandbox/win/src/ipc_ping_test.cc58
-rw-r--r--security/sandbox/chromium/sandbox/win/src/ipc_tags.h40
-rw-r--r--security/sandbox/chromium/sandbox/win/src/ipc_unittest.cc632
-rw-r--r--security/sandbox/chromium/sandbox/win/src/job.cc119
-rw-r--r--security/sandbox/chromium/sandbox/win/src/job.h67
-rw-r--r--security/sandbox/chromium/sandbox/win/src/job_unittest.cc204
-rw-r--r--security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.cc103
-rw-r--r--security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.h44
-rw-r--r--security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc76
-rw-r--r--security/sandbox/chromium/sandbox/win/src/named_pipe_interception.h36
-rw-r--r--security/sandbox/chromium/sandbox/win/src/named_pipe_policy.cc86
-rw-r--r--security/sandbox/chromium/sandbox/win/src/named_pipe_policy.h45
-rw-r--r--security/sandbox/chromium/sandbox/win/src/named_pipe_policy_test.cc140
-rw-r--r--security/sandbox/chromium/sandbox/win/src/nt_internals.h703
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_broker.cc126
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_broker.h26
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc446
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.h388
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_engine_params.h202
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_engine_processor.cc110
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_engine_processor.h148
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_engine_unittest.cc105
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_low_level.cc360
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_low_level.h193
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_low_level_unittest.cc621
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_opcodes_unittest.cc372
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_params.h67
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_target.cc129
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_target.h45
-rw-r--r--security/sandbox/chromium/sandbox/win/src/policy_target_test.cc417
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_mitigations.cc333
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_mitigations.h44
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_mitigations_test.cc252
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.cc57
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h31
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.cc29
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.h45
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.cc24
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.h34
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_policy_test.cc385
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.cc247
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.h59
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc423
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_thread_interception.h90
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_thread_policy.cc241
-rw-r--r--security/sandbox/chromium/sandbox/win/src/process_thread_policy.h84
-rw-r--r--security/sandbox/chromium/sandbox/win/src/registry_dispatcher.cc175
-rw-r--r--security/sandbox/chromium/sandbox/win/src/registry_dispatcher.h49
-rw-r--r--security/sandbox/chromium/sandbox/win/src/registry_interception.cc251
-rw-r--r--security/sandbox/chromium/sandbox/win/src/registry_interception.h38
-rw-r--r--security/sandbox/chromium/sandbox/win/src/registry_policy.cc228
-rw-r--r--security/sandbox/chromium/sandbox/win/src/registry_policy.h59
-rw-r--r--security/sandbox/chromium/sandbox/win/src/registry_policy_test.cc289
-rw-r--r--security/sandbox/chromium/sandbox/win/src/resolver.cc64
-rw-r--r--security/sandbox/chromium/sandbox/win/src/resolver.h107
-rw-r--r--security/sandbox/chromium/sandbox/win/src/resolver_32.cc94
-rw-r--r--security/sandbox/chromium/sandbox/win/src/resolver_64.cc66
-rw-r--r--security/sandbox/chromium/sandbox/win/src/restricted_token.cc458
-rw-r--r--security/sandbox/chromium/sandbox/win/src/restricted_token.h201
-rw-r--r--security/sandbox/chromium/sandbox/win/src/restricted_token_unittest.cc620
-rw-r--r--security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc323
-rw-r--r--security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h75
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox.cc48
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox.h164
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox.vcproj658
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_factory.h51
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_globals.cc18
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_nt_types.h46
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc676
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.h196
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_policy.h259
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc770
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h177
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_rand.cc22
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_rand.h16
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_types.h95
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_utils.cc32
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sandbox_utils.h25
-rw-r--r--security/sandbox/chromium/sandbox/win/src/security_level.h209
-rw-r--r--security/sandbox/chromium/sandbox/win/src/service_resolver.cc46
-rw-r--r--security/sandbox/chromium/sandbox/win/src/service_resolver.h159
-rw-r--r--security/sandbox/chromium/sandbox/win/src/service_resolver_32.cc478
-rw-r--r--security/sandbox/chromium/sandbox/win/src/service_resolver_64.cc252
-rw-r--r--security/sandbox/chromium/sandbox/win/src/service_resolver_unittest.cc268
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.cc153
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.h139
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.cc430
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.h134
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sid.cc26
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sid.h29
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sid_unittest.cc71
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sidestep/ia32_modrm_map.cpp92
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sidestep/ia32_opcode_map.cpp1159
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler.cpp395
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler.h156
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler_types.h197
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sidestep/preamble_patcher.h111
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sidestep/preamble_patcher_with_stub.cpp181
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sidestep_resolver.cc204
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sidestep_resolver.h75
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sync_dispatcher.cc82
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sync_dispatcher.h42
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sync_interception.cc178
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sync_interception.h46
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sync_policy.cc246
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sync_policy.h52
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sync_policy_test.cc149
-rw-r--r--security/sandbox/chromium/sandbox/win/src/sync_policy_test.h18
-rw-r--r--security/sandbox/chromium/sandbox/win/src/target_interceptions.cc100
-rw-r--r--security/sandbox/chromium/sandbox/win/src/target_interceptions.h35
-rw-r--r--security/sandbox/chromium/sandbox/win/src/target_process.cc368
-rw-r--r--security/sandbox/chromium/sandbox/win/src/target_process.h143
-rw-r--r--security/sandbox/chromium/sandbox/win/src/target_services.cc261
-rw-r--r--security/sandbox/chromium/sandbox/win/src/target_services.h71
-rw-r--r--security/sandbox/chromium/sandbox/win/src/threadpool_unittest.cc97
-rw-r--r--security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc146
-rw-r--r--security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.h51
-rw-r--r--security/sandbox/chromium/sandbox/win/src/unload_dll_test.cc93
-rw-r--r--security/sandbox/chromium/sandbox/win/src/win2k_threadpool.cc66
-rw-r--r--security/sandbox/chromium/sandbox/win/src/win2k_threadpool.h61
-rw-r--r--security/sandbox/chromium/sandbox/win/src/win_utils.cc437
-rw-r--r--security/sandbox/chromium/sandbox/win/src/win_utils.h117
-rw-r--r--security/sandbox/chromium/sandbox/win/src/win_utils_unittest.cc111
-rw-r--r--security/sandbox/chromium/sandbox/win/src/window.cc161
-rw-r--r--security/sandbox/chromium/sandbox/win/src/window.h40
-rw-r--r--security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.cc346
-rw-r--r--security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.h75
-rw-r--r--security/sandbox/chromium/sandbox/win/wow_helper/target_code.cc38
-rw-r--r--security/sandbox/chromium/sandbox/win/wow_helper/target_code.h41
-rw-r--r--security/sandbox/chromium/sandbox/win/wow_helper/wow_helper.cc87
-rw-r--r--security/sandbox/linux/LinuxCapabilities.cpp28
-rw-r--r--security/sandbox/linux/LinuxCapabilities.h128
-rw-r--r--security/sandbox/linux/LinuxSched.h35
-rw-r--r--security/sandbox/linux/Sandbox.cpp609
-rw-r--r--security/sandbox/linux/Sandbox.h24
-rw-r--r--security/sandbox/linux/SandboxBrokerClient.cpp247
-rw-r--r--security/sandbox/linux/SandboxBrokerClient.h58
-rw-r--r--security/sandbox/linux/SandboxChroot.cpp212
-rw-r--r--security/sandbox/linux/SandboxChroot.h66
-rw-r--r--security/sandbox/linux/SandboxFilter.cpp343
-rw-r--r--security/sandbox/linux/SandboxFilter.h23
-rw-r--r--security/sandbox/linux/SandboxFilterUtil.cpp121
-rw-r--r--security/sandbox/linux/SandboxFilterUtil.h148
-rw-r--r--security/sandbox/linux/SandboxHooks.cpp72
-rw-r--r--security/sandbox/linux/SandboxInfo.cpp259
-rw-r--r--security/sandbox/linux/SandboxInfo.h81
-rw-r--r--security/sandbox/linux/SandboxInternal.h28
-rw-r--r--security/sandbox/linux/SandboxLogging.cpp60
-rw-r--r--security/sandbox/linux/SandboxLogging.h52
-rw-r--r--security/sandbox/linux/SandboxUtil.cpp106
-rw-r--r--security/sandbox/linux/SandboxUtil.h21
-rw-r--r--security/sandbox/linux/broker/SandboxBroker.cpp731
-rw-r--r--security/sandbox/linux/broker/SandboxBroker.h132
-rw-r--r--security/sandbox/linux/broker/SandboxBrokerCommon.cpp120
-rw-r--r--security/sandbox/linux/broker/SandboxBrokerCommon.h72
-rw-r--r--security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp50
-rw-r--r--security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h28
-rw-r--r--security/sandbox/linux/broker/SandboxBrokerUtils.h30
-rw-r--r--security/sandbox/linux/broker/moz.build37
-rw-r--r--security/sandbox/linux/glue/SandboxCrash.cpp131
-rw-r--r--security/sandbox/linux/glue/moz.build29
-rw-r--r--security/sandbox/linux/gtest/TestBroker.cpp626
-rw-r--r--security/sandbox/linux/gtest/TestBrokerPolicy.cpp98
-rw-r--r--security/sandbox/linux/gtest/TestSandboxUtil.cpp44
-rw-r--r--security/sandbox/linux/gtest/moz.build27
-rw-r--r--security/sandbox/linux/moz.build116
-rw-r--r--security/sandbox/mac/Sandbox.h65
-rw-r--r--security/sandbox/mac/Sandbox.mm489
-rw-r--r--security/sandbox/mac/moz.build15
-rw-r--r--security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt9
-rw-r--r--security/sandbox/moz-chromium-commit-status.txt4
-rw-r--r--security/sandbox/moz.build176
-rw-r--r--security/sandbox/test/browser.ini11
-rw-r--r--security/sandbox/test/browser_content_sandbox_fs.js169
-rw-r--r--security/sandbox/test/browser_content_sandbox_syscalls.js223
-rw-r--r--security/sandbox/test/browser_content_sandbox_utils.js57
-rw-r--r--security/sandbox/win/SandboxInitialization.cpp81
-rw-r--r--security/sandbox/win/SandboxInitialization.h47
-rw-r--r--security/sandbox/win/src/sandboxbroker/moz.build33
-rw-r--r--security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp471
-rw-r--r--security/sandbox/win/src/sandboxbroker/sandboxBroker.h60
-rw-r--r--security/sandbox/win/src/sandboxtarget/moz.build20
-rw-r--r--security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp21
-rw-r--r--security/sandbox/win/src/sandboxtarget/sandboxTarget.h83
-rw-r--r--security/sandbox/win/wow_helper/Makefile.in47
-rw-r--r--security/sandbox/win/wow_helper/moz.build30
452 files changed, 0 insertions, 87958 deletions
diff --git a/security/sandbox/chromium-shim/base/MissingBasicTypes.h b/security/sandbox/chromium-shim/base/MissingBasicTypes.h
deleted file mode 100644
index 20eef00ab..000000000
--- a/security/sandbox/chromium-shim/base/MissingBasicTypes.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef security_sandbox_MissingBasicTypes_h__
-#define security_sandbox_MissingBasicTypes_h__
-
-#include <stdint.h>
-
-// These types are still used by the Chromium sandbox code. When referencing
-// Chromium sandbox code from Gecko we can't use the normal base/basictypes.h as
-// it clashes with the one from ipc/chromium/src/base/. These types have been
-// removed from the one in ipc/chromium/src/base/.
-typedef int8_t int8;
-typedef uint8_t uint8;
-typedef int16_t int16;
-typedef uint16_t uint16;
-typedef int32_t int32;
-typedef uint32_t uint32;
-typedef int64_t int64;
-typedef uint64_t uint64;
-
-#endif // security_sandbox_MissingBasicTypes_h__
diff --git a/security/sandbox/chromium-shim/base/debug/debugging_flags.h b/security/sandbox/chromium-shim/base/debug/debugging_flags.h
deleted file mode 100644
index ebb96dfca..000000000
--- a/security/sandbox/chromium-shim/base/debug/debugging_flags.h
+++ /dev/null
@@ -1,19 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// This is a copy of a file that is generated by the chromium build.
-
-// Generated by build/write_buildflag_header.py
-// From "//base:debugging_flags"
-
-#ifndef BASE_DEBUG_DEBUGGING_FLAGS_H_
-#define BASE_DEBUG_DEBUGGING_FLAGS_H_
-
-#include "build/buildflag.h"
-
-#define BUILDFLAG_INTERNAL_ENABLE_PROFILING() (0)
-
-#endif // BASE_DEBUG_DEBUGGING_FLAGS_H_
diff --git a/security/sandbox/chromium-shim/base/file_version_info_win.h b/security/sandbox/chromium-shim/base/file_version_info_win.h
deleted file mode 100644
index 8276900bd..000000000
--- a/security/sandbox/chromium-shim/base/file_version_info_win.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// This is a dummy version of Chromium source file base/file_version_info_win.h
-// Within our copy of Chromium files FileVersionInfoWin is only used in
-// base/win/windows_version.cc in GetVersionFromKernel32, which we don't use.
-
-#ifndef BASE_FILE_VERSION_INFO_WIN_H_
-#define BASE_FILE_VERSION_INFO_WIN_H_
-
-struct tagVS_FIXEDFILEINFO;
-typedef tagVS_FIXEDFILEINFO VS_FIXEDFILEINFO;
-
-namespace base {
-class FilePath;
-}
-
-class FileVersionInfoWin {
- public:
- static FileVersionInfoWin*
- CreateFileVersionInfo(const base::FilePath& file_path) { return nullptr; }
-
- VS_FIXEDFILEINFO* fixed_file_info() { return nullptr; }
-};
-
-#endif // BASE_FILE_VERSION_INFO_WIN_H_
diff --git a/security/sandbox/chromium-shim/base/files/file_path.cpp b/security/sandbox/chromium-shim/base/files/file_path.cpp
deleted file mode 100644
index 245118f9e..000000000
--- a/security/sandbox/chromium-shim/base/files/file_path.cpp
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This is a dummy version of Chromium source file base/file/file_path.cc.
-// To provide the functions required in base/win/windows_version.cc
-// GetVersionFromKernel32, which we don't use.
-
-#include "base/files/file_path.h"
-
-namespace base {
-
-FilePath::FilePath(FilePath::StringPieceType path) {
-}
-
-FilePath::~FilePath() {
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium-shim/base/gtest_prod_util.h b/security/sandbox/chromium-shim/base/gtest_prod_util.h
deleted file mode 100644
index 3eb93fa2a..000000000
--- a/security/sandbox/chromium-shim/base/gtest_prod_util.h
+++ /dev/null
@@ -1,17 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef FRIEND_TEST
-#define FRIEND_TEST(A, B)
-#endif
-
-#ifndef FRIEND_TEST_ALL_PREFIXES
-#define FRIEND_TEST_ALL_PREFIXES(test_case_name, test_name)
-#endif
-
-#ifndef FORWARD_DECLARE_TEST
-#define FORWARD_DECLARE_TEST(test_case_name, test_name)
-#endif
diff --git a/security/sandbox/chromium-shim/base/logging.cpp b/security/sandbox/chromium-shim/base/logging.cpp
deleted file mode 100644
index 9c2113dcb..000000000
--- a/security/sandbox/chromium-shim/base/logging.cpp
+++ /dev/null
@@ -1,156 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// This is a stripped down version of the Chromium source file base/logging.cc
-// This prevents dependency on the Chromium logging and dependency creep in
-// general.
-// At some point we should find a way to hook this into our own logging see
-// bug 1013988.
-// The formatting in this file matches the original Chromium file to aid future
-// merging.
-
-#include "base/logging.h"
-
-#if defined(OS_WIN)
-#include <windows.h>
-#endif
-
-#if defined(OS_POSIX)
-#include <errno.h>
-#endif
-
-#if defined(OS_WIN)
-#include "base/strings/utf_string_conversions.h"
-#endif
-
-#include <algorithm>
-
-namespace logging {
-
-namespace {
-
-int g_min_log_level = 0;
-
-LoggingDestination g_logging_destination = LOG_DEFAULT;
-
-// For LOG_ERROR and above, always print to stderr.
-const int kAlwaysPrintErrorLevel = LOG_ERROR;
-
-// A log message handler that gets notified of every log message we process.
-LogMessageHandlerFunction log_message_handler = nullptr;
-
-} // namespace
-
-void SetMinLogLevel(int level) {
- g_min_log_level = std::min(LOG_FATAL, level);
-}
-
-int GetMinLogLevel() {
- return g_min_log_level;
-}
-
-bool ShouldCreateLogMessage(int severity) {
- if (severity < g_min_log_level)
- return false;
-
- // Return true here unless we know ~LogMessage won't do anything. Note that
- // ~LogMessage writes to stderr if severity_ >= kAlwaysPrintErrorLevel, even
- // when g_logging_destination is LOG_NONE.
- return g_logging_destination != LOG_NONE || log_message_handler ||
- severity >= kAlwaysPrintErrorLevel;
-}
-
-int GetVlogLevelHelper(const char* file, size_t N) {
- return 0;
-}
-
-// Explicit instantiations for commonly used comparisons.
-template std::string* MakeCheckOpString<int, int>(
- const int&, const int&, const char* names);
-template std::string* MakeCheckOpString<unsigned long, unsigned long>(
- const unsigned long&, const unsigned long&, const char* names);
-template std::string* MakeCheckOpString<unsigned long, unsigned int>(
- const unsigned long&, const unsigned int&, const char* names);
-template std::string* MakeCheckOpString<unsigned int, unsigned long>(
- const unsigned int&, const unsigned long&, const char* names);
-template std::string* MakeCheckOpString<std::string, std::string>(
- const std::string&, const std::string&, const char* name);
-
-#if defined(OS_WIN)
-LogMessage::SaveLastError::SaveLastError() : last_error_(::GetLastError()) {
-}
-
-LogMessage::SaveLastError::~SaveLastError() {
- ::SetLastError(last_error_);
-}
-#endif // defined(OS_WIN)
-
-LogMessage::LogMessage(const char* file, int line, LogSeverity severity)
- : severity_(severity), file_(file), line_(line) {
-}
-
-LogMessage::LogMessage(const char* file, int line, const char* condition)
- : severity_(LOG_FATAL), file_(file), line_(line) {
-}
-
-LogMessage::LogMessage(const char* file, int line, std::string* result)
- : severity_(LOG_FATAL), file_(file), line_(line) {
- delete result;
-}
-
-LogMessage::LogMessage(const char* file, int line, LogSeverity severity,
- std::string* result)
- : severity_(severity), file_(file), line_(line) {
- delete result;
-}
-
-LogMessage::~LogMessage() {
-}
-
-SystemErrorCode GetLastSystemErrorCode() {
-#if defined(OS_WIN)
- return ::GetLastError();
-#elif defined(OS_POSIX)
- return errno;
-#else
-#error Not implemented
-#endif
-}
-
-#if defined(OS_WIN)
-Win32ErrorLogMessage::Win32ErrorLogMessage(const char* file,
- int line,
- LogSeverity severity,
- SystemErrorCode err)
- : err_(err),
- log_message_(file, line, severity) {
-}
-
-Win32ErrorLogMessage::~Win32ErrorLogMessage() {
-}
-#elif defined(OS_POSIX)
-ErrnoLogMessage::ErrnoLogMessage(const char* file,
- int line,
- LogSeverity severity,
- SystemErrorCode err)
- : err_(err),
- log_message_(file, line, severity) {
-}
-
-ErrnoLogMessage::~ErrnoLogMessage() {
-}
-#endif // OS_WIN
-
-void RawLog(int level, const char* message) {
-}
-
-} // namespace logging
-
-#if defined(OS_WIN)
-std::ostream& std::operator<<(std::ostream& out, const wchar_t* wstr) {
- return out << base::WideToUTF8(std::wstring(wstr));
-}
-#endif
diff --git a/security/sandbox/chromium-shim/base/third_party/nspr/prtime.h b/security/sandbox/chromium-shim/base/third_party/nspr/prtime.h
deleted file mode 100644
index 9a18a3637..000000000
--- a/security/sandbox/chromium-shim/base/third_party/nspr/prtime.h
+++ /dev/null
@@ -1,8 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// Grab the copy from in our tree
-#include "pr/include/prtime.h"
diff --git a/security/sandbox/chromium-shim/base/third_party/nspr/prtypes.h b/security/sandbox/chromium-shim/base/third_party/nspr/prtypes.h
deleted file mode 100644
index 6aec5e08f..000000000
--- a/security/sandbox/chromium-shim/base/third_party/nspr/prtypes.h
+++ /dev/null
@@ -1,8 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// Grab the copy from in our tree
-#include "pr/include/prtypes.h"
diff --git a/security/sandbox/chromium-shim/base/tracked_objects.h b/security/sandbox/chromium-shim/base/tracked_objects.h
deleted file mode 100644
index 837705ee9..000000000
--- a/security/sandbox/chromium-shim/base/tracked_objects.h
+++ /dev/null
@@ -1,19 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef _SECURITY_SANDBOX_TRACKED_OBJECTS_H_
-#define _SECURITY_SANDBOX_TRACKED_OBJECTS_H_
-namespace tracked_objects
-{
- class ThreadData
- {
- public:
- static void InitializeThreadContext(const std::string& name)
- {
- }
- };
-}
-#endif
diff --git a/security/sandbox/chromium-shim/base/win/registry.h b/security/sandbox/chromium-shim/base/win/registry.h
deleted file mode 100644
index 9fba57277..000000000
--- a/security/sandbox/chromium-shim/base/win/registry.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// This is a stripped down version of Chromium source file base/win/registry.h
-// Within our copy of Chromium files this is only used in base/win/windows_version.cc
-// in OSInfo::processor_model_name, which we don't use.
-
-#ifndef BASE_WIN_REGISTRY_H_
-#define BASE_WIN_REGISTRY_H_
-
-namespace base {
-namespace win {
-
-class BASE_EXPORT RegKey {
- public:
- RegKey(HKEY rootkey, const wchar_t* subkey, REGSAM access) {}
- ~RegKey() {}
-
- LONG ReadValue(const wchar_t* name, std::wstring* out_value) const
- {
- return 0;
- }
-
- private:
- DISALLOW_COPY_AND_ASSIGN(RegKey);
-};
-
-} // namespace win
-} // namespace base
-
-#endif // BASE_WIN_REGISTRY_H_
diff --git a/security/sandbox/chromium-shim/base/win/sdkdecls.h b/security/sandbox/chromium-shim/base/win/sdkdecls.h
deleted file mode 100644
index e999ab967..000000000
--- a/security/sandbox/chromium-shim/base/win/sdkdecls.h
+++ /dev/null
@@ -1,191 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef _SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_
-#define _SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_
-
-#include <windows.h>
-
-// This file contains definitions required for things dynamically loaded
-// while building or targetting lower platform versions or lower SDKs.
-
-#if (_WIN32_WINNT < 0x0600)
-typedef struct _STARTUPINFOEXA {
- STARTUPINFOA StartupInfo;
- LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
-} STARTUPINFOEXA, *LPSTARTUPINFOEXA;
-typedef struct _STARTUPINFOEXW {
- STARTUPINFOW StartupInfo;
- LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
-} STARTUPINFOEXW, *LPSTARTUPINFOEXW;
-#ifdef UNICODE
-typedef STARTUPINFOEXW STARTUPINFOEX;
-typedef LPSTARTUPINFOEXW LPSTARTUPINFOEX;
-#else
-typedef STARTUPINFOEXA STARTUPINFOEX;
-typedef LPSTARTUPINFOEXA LPSTARTUPINFOEX;
-#endif // UNICODE
-
-#define PROC_THREAD_ATTRIBUTE_NUMBER 0x0000FFFF
-#define PROC_THREAD_ATTRIBUTE_THREAD 0x00010000 // Attribute may be used with thread creation
-#define PROC_THREAD_ATTRIBUTE_INPUT 0x00020000 // Attribute is input only
-#define PROC_THREAD_ATTRIBUTE_ADDITIVE 0x00040000 // Attribute may be "accumulated," e.g. bitmasks, counters, etc.
-
-#define ProcThreadAttributeValue(Number, Thread, Input, Additive) \
- (((Number) & PROC_THREAD_ATTRIBUTE_NUMBER) | \
- ((Thread != FALSE) ? PROC_THREAD_ATTRIBUTE_THREAD : 0) | \
- ((Input != FALSE) ? PROC_THREAD_ATTRIBUTE_INPUT : 0) | \
- ((Additive != FALSE) ? PROC_THREAD_ATTRIBUTE_ADDITIVE : 0))
-
-#define ProcThreadAttributeHandleList 2
-
-#define PROC_THREAD_ATTRIBUTE_HANDLE_LIST \
- ProcThreadAttributeValue (ProcThreadAttributeHandleList, FALSE, TRUE, FALSE)
-
-#define PROCESS_DEP_ENABLE 0x00000001
-#define PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION 0x00000002
-
-// They dynamically load these, but they still use the functions to describe the
-// function pointers!
-WINBASEAPI
-int
-WINAPI
-GetUserDefaultLocaleName(
- _Out_writes_(cchLocaleName) LPWSTR lpLocaleName,
- _In_ int cchLocaleName
-);
-
-WINBASEAPI
-BOOL
-WINAPI
-QueryThreadCycleTime(
- _In_ HANDLE ThreadHandle,
- _Out_ PULONG64 CycleTime
- );
-
-#endif // (_WIN32_WINNT >= 0x0600)
-
-#if (_WIN32_WINNT < 0x0601)
-#define ProcThreadAttributeMitigationPolicy 7
-#define PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY \
- ProcThreadAttributeValue (ProcThreadAttributeMitigationPolicy, FALSE, TRUE, FALSE)
-
-#define PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE 0x01
-#define PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE 0x02
-#define PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE 0x04
-#endif // (_WIN32_WINNT >= 0x0601)
-
-#if (_WIN32_WINNT < 0x0602)
-#define ProcThreadAttributeSecurityCapabilities 9
-#define PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES \
- ProcThreadAttributeValue (ProcThreadAttributeSecurityCapabilities, FALSE, TRUE, FALSE)
-
-#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_MASK (0x00000003 << 8)
-#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_DEFER (0x00000000 << 8)
-#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000001 << 8)
-#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_OFF (0x00000002 << 8)
-#define PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS (0x00000003 << 8)
-#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_MASK (0x00000003 << 12)
-#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_DEFER (0x00000000 << 12)
-#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON (0x00000001 << 12)
-#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_OFF (0x00000002 << 12)
-#define PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_RESERVED (0x00000003 << 12)
-#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_MASK (0x00000003 << 16)
-#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_DEFER (0x00000000 << 16)
-#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00000001 << 16)
-#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00000002 << 16)
-#define PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_RESERVED (0x00000003 << 16)
-#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_MASK (0x00000003 << 20)
-#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_DEFER (0x00000000 << 20)
-#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON (0x00000001 << 20)
-#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_OFF (0x00000002 << 20)
-#define PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_RESERVED (0x00000003 << 20)
-#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_MASK (0x00000003 << 24)
-#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_DEFER (0x00000000 << 24)
-#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON (0x00000001 << 24)
-#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_OFF (0x00000002 << 24)
-#define PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_RESERVED (0x00000003 << 24)
-#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_MASK (0x00000003 << 28)
-#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_DEFER (0x00000000 << 28)
-#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON (0x00000001 << 28)
-#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_OFF (0x00000002 << 28)
-#define PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_RESERVED (0x00000003 << 28)
-#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_MASK (0x00000003ui64 << 32)
-#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_DEFER (0x00000000ui64 << 32)
-#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON (0x00000001ui64 << 32)
-#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_OFF (0x00000002ui64 << 32)
-#define PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_RESERVED (0x00000003ui64 << 32)
-
-// Check if we're including >= win8 winnt.h
-#ifndef NTDDI_WIN8
-
-typedef struct _SECURITY_CAPABILITIES {
- PSID AppContainerSid;
- PSID_AND_ATTRIBUTES Capabilities;
- DWORD CapabilityCount;
- DWORD Reserved;
-} SECURITY_CAPABILITIES, *PSECURITY_CAPABILITIES, *LPSECURITY_CAPABILITIES;
-
-typedef enum _PROCESS_MITIGATION_POLICY {
- ProcessDEPPolicy,
- ProcessASLRPolicy,
- ProcessReserved1MitigationPolicy,
- ProcessStrictHandleCheckPolicy,
- ProcessSystemCallDisablePolicy,
- ProcessMitigationOptionsMask,
- ProcessExtensionPointDisablePolicy,
- MaxProcessMitigationPolicy
-} PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY;
-
-#define LOAD_LIBRARY_SEARCH_DEFAULT_DIRS 0x00001000
-
-typedef struct _PROCESS_MITIGATION_ASLR_POLICY {
- union {
- DWORD Flags;
- struct {
- DWORD EnableBottomUpRandomization : 1;
- DWORD EnableForceRelocateImages : 1;
- DWORD EnableHighEntropy : 1;
- DWORD DisallowStrippedImages : 1;
- DWORD ReservedFlags : 28;
- };
- };
-} PROCESS_MITIGATION_ASLR_POLICY, *PPROCESS_MITIGATION_ASLR_POLICY;
-
-typedef struct _PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY {
- union {
- DWORD Flags;
- struct {
- DWORD RaiseExceptionOnInvalidHandleReference : 1;
- DWORD HandleExceptionsPermanentlyEnabled : 1;
- DWORD ReservedFlags : 30;
- };
- };
-} PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY, *PPROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY;
-
-typedef struct _PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY {
- union {
- DWORD Flags;
- struct {
- DWORD DisallowWin32kSystemCalls : 1;
- DWORD ReservedFlags : 31;
- };
- };
-} PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY, *PPROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY;
-
-typedef struct _PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY {
- union {
- DWORD Flags;
- struct {
- DWORD DisableExtensionPoints : 1;
- DWORD ReservedFlags : 31;
- };
- };
-} PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, *PPROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY;
-
-#endif // NTDDI_WIN8
-#endif // (_WIN32_WINNT < 0x0602)
-#endif // _SECURITY_SANDBOX_BASE_SHIM_SDKDECLS_H_
diff --git a/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h b/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h
deleted file mode 100644
index 27b6e5239..000000000
--- a/security/sandbox/chromium-shim/sandbox/win/loggingCallbacks.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef security_sandbox_loggingCallbacks_h__
-#define security_sandbox_loggingCallbacks_h__
-
-#include <sstream>
-#include <iostream>
-
-#include "mozilla/Logging.h"
-#include "mozilla/Preferences.h"
-#include "mozilla/sandboxing/loggingTypes.h"
-#include "nsContentUtils.h"
-
-#include "mozilla/StackWalk.h"
-
-namespace mozilla {
-
-static LazyLogModule sSandboxTargetLog("SandboxTarget");
-
-#define LOG_D(...) MOZ_LOG(sSandboxTargetLog, LogLevel::Debug, (__VA_ARGS__))
-
-namespace sandboxing {
-
-static uint32_t sStackTraceDepth = 0;
-
-// NS_WalkStackCallback to write a formatted stack frame to an ostringstream.
-static void
-StackFrameToOStringStream(uint32_t aFrameNumber, void* aPC, void* aSP,
- void* aClosure)
-{
- std::ostringstream* stream = static_cast<std::ostringstream*>(aClosure);
- MozCodeAddressDetails details;
- char buf[1024];
- MozDescribeCodeAddress(aPC, &details);
- MozFormatCodeAddressDetails(buf, sizeof(buf), aFrameNumber, aPC, &details);
- *stream << std::endl << "--" << buf;
- stream->flush();
-}
-
-// Log to the browser console and, if DEBUG build, stderr.
-static void
-Log(const char* aMessageType,
- const char* aFunctionName,
- const char* aContext,
- const bool aShouldLogStackTrace = false,
- uint32_t aFramesToSkip = 0)
-{
- std::ostringstream msgStream;
- msgStream << "Process Sandbox " << aMessageType << ": " << aFunctionName;
- if (aContext) {
- msgStream << " for : " << aContext;
- }
-
- if (aShouldLogStackTrace) {
- if (sStackTraceDepth) {
- msgStream << std::endl << "Stack Trace:";
- MozStackWalk(StackFrameToOStringStream, aFramesToSkip, sStackTraceDepth,
- &msgStream, 0, nullptr);
- }
- }
-
- std::string msg = msgStream.str();
-#if defined(DEBUG)
- // Use NS_DebugBreak directly as we want child process prefix, but not source
- // file or line number.
- NS_DebugBreak(NS_DEBUG_WARNING, nullptr, msg.c_str(), nullptr, -1);
-#endif
-
- if (nsContentUtils::IsInitialized()) {
- nsContentUtils::LogMessageToConsole(msg.c_str());
- }
-
- // As we don't always have the facility to log to console use MOZ_LOG as well.
- LOG_D("%s", msg.c_str());
-}
-
-// Initialize sandbox logging if required.
-static void
-InitLoggingIfRequired(ProvideLogFunctionCb aProvideLogFunctionCb)
-{
- if (!aProvideLogFunctionCb) {
- return;
- }
-
- if (Preferences::GetBool("security.sandbox.windows.log") ||
- PR_GetEnv("MOZ_WIN_SANDBOX_LOGGING")) {
- aProvideLogFunctionCb(Log);
- }
-}
-
-} // sandboxing
-} // mozilla
-
-#endif // security_sandbox_loggingCallbacks_h__
diff --git a/security/sandbox/chromium-shim/sandbox/win/loggingTypes.h b/security/sandbox/chromium-shim/sandbox/win/loggingTypes.h
deleted file mode 100644
index c9b74c14e..000000000
--- a/security/sandbox/chromium-shim/sandbox/win/loggingTypes.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef security_sandbox_loggingTypes_h__
-#define security_sandbox_loggingTypes_h__
-
-#include <stdint.h>
-
-namespace mozilla {
-namespace sandboxing {
-
-// We are using callbacks here that are passed in from the core code to prevent
-// a circular dependency in the linking during the build.
-typedef void (*LogFunction) (const char* aMessageType,
- const char* aFunctionName,
- const char* aContext,
- const bool aShouldLogStackTrace,
- uint32_t aFramesToSkip);
-typedef void (*ProvideLogFunctionCb) (LogFunction aLogFunction);
-
-} // sandboxing
-} // mozilla
-
-#endif // security_sandbox_loggingTypes_h__
diff --git a/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.cpp b/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.cpp
deleted file mode 100644
index fa2314f69..000000000
--- a/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.cpp
+++ /dev/null
@@ -1,82 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "sandboxLogging.h"
-
-#include "base/strings/utf_string_conversions.h"
-#include "sandbox/win/src/sandbox_policy.h"
-
-namespace mozilla {
-namespace sandboxing {
-
-static LogFunction sLogFunction = nullptr;
-
-void
-ProvideLogFunction(LogFunction aLogFunction)
-{
- sLogFunction = aLogFunction;
-}
-
-void
-LogBlocked(const char* aFunctionName, const char* aContext, uint32_t aFramesToSkip)
-{
- if (sLogFunction) {
- sLogFunction("BLOCKED", aFunctionName, aContext,
- /* aShouldLogStackTrace */ true, aFramesToSkip);
- }
-}
-
-void
-LogBlocked(const char* aFunctionName, const wchar_t* aContext)
-{
- if (sLogFunction) {
- // Skip an extra frame to allow for this function.
- LogBlocked(aFunctionName, base::WideToUTF8(aContext).c_str(),
- /* aFramesToSkip */ 3);
- }
-}
-
-void
-LogBlocked(const char* aFunctionName, const wchar_t* aContext,
- uint16_t aLengthInBytes)
-{
- if (sLogFunction) {
- // Skip an extra frame to allow for this function.
- LogBlocked(aFunctionName,
- base::WideToUTF8(std::wstring(aContext, aLengthInBytes / sizeof(wchar_t))).c_str(),
- /* aFramesToSkip */ 3);
- }
-}
-
-void
-LogAllowed(const char* aFunctionName, const char* aContext)
-{
- if (sLogFunction) {
- sLogFunction("Broker ALLOWED", aFunctionName, aContext,
- /* aShouldLogStackTrace */ false, /* aFramesToSkip */ 0);
- }
-}
-
-void
-LogAllowed(const char* aFunctionName, const wchar_t* aContext)
-{
- if (sLogFunction) {
- LogAllowed(aFunctionName, base::WideToUTF8(aContext).c_str());
- }
-}
-
-void
-LogAllowed(const char* aFunctionName, const wchar_t* aContext,
- uint16_t aLengthInBytes)
-{
- if (sLogFunction) {
- LogAllowed(aFunctionName,
- base::WideToUTF8(std::wstring(aContext, aLengthInBytes / sizeof(wchar_t))).c_str());
- }
-}
-
-} // sandboxing
-} // mozilla
diff --git a/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.h b/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.h
deleted file mode 100644
index 365afa574..000000000
--- a/security/sandbox/chromium-shim/sandbox/win/sandboxLogging.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-/*
- * Set of helper methods to implement logging for Windows sandbox.
- */
-
-#ifndef security_sandbox_sandboxLogging_h__
-#define security_sandbox_sandboxLogging_h__
-
-#include "loggingTypes.h"
-
-namespace sandbox {
-class TargetPolicy;
-}
-
-namespace mozilla {
-namespace sandboxing {
-
-// This is used to pass a LogCallback to the sandboxing code, as the logging
-// requires code to which we cannot link directly.
-void ProvideLogFunction(LogFunction aLogFunction);
-
-// Log a "BLOCKED" msg to the browser console and, if DEBUG build, stderr.
-// If the logging of a stack trace is enabled then the default aFramesToSkip
-// will start from our caller's caller, which should normally be the function
-// that triggered the interception.
-void LogBlocked(const char* aFunctionName, const char* aContext = nullptr,
- uint32_t aFramesToSkip = 2);
-
-// Convenience functions to convert to char*.
-void LogBlocked(const char* aFunctionName, const wchar_t* aContext);
-void LogBlocked(const char* aFunctionName, const wchar_t* aContext,
- uint16_t aLengthInBytes);
-
-// Log a "ALLOWED" msg to the browser console and, if DEBUG build, stderr.
-void LogAllowed(const char* aFunctionName, const char* aContext = nullptr);
-
-// Convenience functions to convert to char*.
-void LogAllowed(const char* aFunctionName, const wchar_t* aContext);
-void LogAllowed(const char* aFunctionName, const wchar_t* aContext,
- uint16_t aLengthInBytes);
-
-
-} // sandboxing
-} // mozilla
-
-#endif // security_sandbox_sandboxLogging_h__
diff --git a/security/sandbox/chromium/LICENSE b/security/sandbox/chromium/LICENSE
deleted file mode 100644
index a32e00ce6..000000000
--- a/security/sandbox/chromium/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// * Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above
-// copyright notice, this list of conditions and the following disclaimer
-// in the documentation and/or other materials provided with the
-// distribution.
-// * Neither the name of Google Inc. nor the names of its
-// contributors may be used to endorse or promote products derived from
-// this software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/security/sandbox/chromium/base/at_exit.cc b/security/sandbox/chromium/base/at_exit.cc
deleted file mode 100644
index 0fba35569..000000000
--- a/security/sandbox/chromium/base/at_exit.cc
+++ /dev/null
@@ -1,82 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/at_exit.h"
-
-#include <stddef.h>
-#include <ostream>
-
-#include "base/bind.h"
-#include "base/callback.h"
-#include "base/logging.h"
-
-namespace base {
-
-// Keep a stack of registered AtExitManagers. We always operate on the most
-// recent, and we should never have more than one outside of testing (for a
-// statically linked version of this library). Testing may use the shadow
-// version of the constructor, and if we are building a dynamic library we may
-// end up with multiple AtExitManagers on the same process. We don't protect
-// this for thread-safe access, since it will only be modified in testing.
-static AtExitManager* g_top_manager = NULL;
-
-AtExitManager::AtExitManager() : next_manager_(g_top_manager) {
-// If multiple modules instantiate AtExitManagers they'll end up living in this
-// module... they have to coexist.
-#if !defined(COMPONENT_BUILD)
- DCHECK(!g_top_manager);
-#endif
- g_top_manager = this;
-}
-
-AtExitManager::~AtExitManager() {
- if (!g_top_manager) {
- NOTREACHED() << "Tried to ~AtExitManager without an AtExitManager";
- return;
- }
- DCHECK_EQ(this, g_top_manager);
-
- ProcessCallbacksNow();
- g_top_manager = next_manager_;
-}
-
-// static
-void AtExitManager::RegisterCallback(AtExitCallbackType func, void* param) {
- DCHECK(func);
- RegisterTask(base::Bind(func, param));
-}
-
-// static
-void AtExitManager::RegisterTask(base::Closure task) {
- if (!g_top_manager) {
- NOTREACHED() << "Tried to RegisterCallback without an AtExitManager";
- return;
- }
-
- AutoLock lock(g_top_manager->lock_);
- g_top_manager->stack_.push(task);
-}
-
-// static
-void AtExitManager::ProcessCallbacksNow() {
- if (!g_top_manager) {
- NOTREACHED() << "Tried to ProcessCallbacksNow without an AtExitManager";
- return;
- }
-
- AutoLock lock(g_top_manager->lock_);
-
- while (!g_top_manager->stack_.empty()) {
- base::Closure task = g_top_manager->stack_.top();
- task.Run();
- g_top_manager->stack_.pop();
- }
-}
-
-AtExitManager::AtExitManager(bool shadow) : next_manager_(g_top_manager) {
- DCHECK(shadow || !g_top_manager);
- g_top_manager = this;
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/at_exit.h b/security/sandbox/chromium/base/at_exit.h
deleted file mode 100644
index 04e3f7642..000000000
--- a/security/sandbox/chromium/base/at_exit.h
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_AT_EXIT_H_
-#define BASE_AT_EXIT_H_
-
-#include <stack>
-
-#include "base/base_export.h"
-#include "base/callback.h"
-#include "base/macros.h"
-#include "base/synchronization/lock.h"
-
-namespace base {
-
-// This class provides a facility similar to the CRT atexit(), except that
-// we control when the callbacks are executed. Under Windows for a DLL they
-// happen at a really bad time and under the loader lock. This facility is
-// mostly used by base::Singleton.
-//
-// The usage is simple. Early in the main() or WinMain() scope create an
-// AtExitManager object on the stack:
-// int main(...) {
-// base::AtExitManager exit_manager;
-//
-// }
-// When the exit_manager object goes out of scope, all the registered
-// callbacks and singleton destructors will be called.
-
-class BASE_EXPORT AtExitManager {
- public:
- typedef void (*AtExitCallbackType)(void*);
-
- AtExitManager();
-
- // The dtor calls all the registered callbacks. Do not try to register more
- // callbacks after this point.
- ~AtExitManager();
-
- // Registers the specified function to be called at exit. The prototype of
- // the callback function is void func(void*).
- static void RegisterCallback(AtExitCallbackType func, void* param);
-
- // Registers the specified task to be called at exit.
- static void RegisterTask(base::Closure task);
-
- // Calls the functions registered with RegisterCallback in LIFO order. It
- // is possible to register new callbacks after calling this function.
- static void ProcessCallbacksNow();
-
- protected:
- // This constructor will allow this instance of AtExitManager to be created
- // even if one already exists. This should only be used for testing!
- // AtExitManagers are kept on a global stack, and it will be removed during
- // destruction. This allows you to shadow another AtExitManager.
- explicit AtExitManager(bool shadow);
-
- private:
- base::Lock lock_;
- std::stack<base::Closure> stack_;
- AtExitManager* next_manager_; // Stack of managers to allow shadowing.
-
- DISALLOW_COPY_AND_ASSIGN(AtExitManager);
-};
-
-#if defined(UNIT_TEST)
-class ShadowingAtExitManager : public AtExitManager {
- public:
- ShadowingAtExitManager() : AtExitManager(true) {}
-};
-#endif // defined(UNIT_TEST)
-
-} // namespace base
-
-#endif // BASE_AT_EXIT_H_
diff --git a/security/sandbox/chromium/base/atomic_ref_count.h b/security/sandbox/chromium/base/atomic_ref_count.h
deleted file mode 100644
index 2ab724200..000000000
--- a/security/sandbox/chromium/base/atomic_ref_count.h
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This is a low level implementation of atomic semantics for reference
-// counting. Please use base/memory/ref_counted.h directly instead.
-
-#ifndef BASE_ATOMIC_REF_COUNT_H_
-#define BASE_ATOMIC_REF_COUNT_H_
-
-#include "base/atomicops.h"
-
-namespace base {
-
-typedef subtle::Atomic32 AtomicRefCount;
-
-// Increment a reference count by "increment", which must exceed 0.
-inline void AtomicRefCountIncN(volatile AtomicRefCount *ptr,
- AtomicRefCount increment) {
- subtle::NoBarrier_AtomicIncrement(ptr, increment);
-}
-
-// Decrement a reference count by "decrement", which must exceed 0,
-// and return whether the result is non-zero.
-// Insert barriers to ensure that state written before the reference count
-// became zero will be visible to a thread that has just made the count zero.
-inline bool AtomicRefCountDecN(volatile AtomicRefCount *ptr,
- AtomicRefCount decrement) {
- bool res = (subtle::Barrier_AtomicIncrement(ptr, -decrement) != 0);
- return res;
-}
-
-// Increment a reference count by 1.
-inline void AtomicRefCountInc(volatile AtomicRefCount *ptr) {
- base::AtomicRefCountIncN(ptr, 1);
-}
-
-// Decrement a reference count by 1 and return whether the result is non-zero.
-// Insert barriers to ensure that state written before the reference count
-// became zero will be visible to a thread that has just made the count zero.
-inline bool AtomicRefCountDec(volatile AtomicRefCount *ptr) {
- return base::AtomicRefCountDecN(ptr, 1);
-}
-
-// Return whether the reference count is one. If the reference count is used
-// in the conventional way, a refrerence count of 1 implies that the current
-// thread owns the reference and no other thread shares it. This call performs
-// the test for a reference count of one, and performs the memory barrier
-// needed for the owning thread to act on the object, knowing that it has
-// exclusive access to the object.
-inline bool AtomicRefCountIsOne(volatile AtomicRefCount *ptr) {
- bool res = (subtle::Acquire_Load(ptr) == 1);
- return res;
-}
-
-// Return whether the reference count is zero. With conventional object
-// referencing counting, the object will be destroyed, so the reference count
-// should never be zero. Hence this is generally used for a debug check.
-inline bool AtomicRefCountIsZero(volatile AtomicRefCount *ptr) {
- bool res = (subtle::Acquire_Load(ptr) == 0);
- return res;
-}
-
-} // namespace base
-
-#endif // BASE_ATOMIC_REF_COUNT_H_
diff --git a/security/sandbox/chromium/base/atomic_sequence_num.h b/security/sandbox/chromium/base/atomic_sequence_num.h
deleted file mode 100644
index 59b0d2551..000000000
--- a/security/sandbox/chromium/base/atomic_sequence_num.h
+++ /dev/null
@@ -1,60 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_ATOMIC_SEQUENCE_NUM_H_
-#define BASE_ATOMIC_SEQUENCE_NUM_H_
-
-#include "base/atomicops.h"
-#include "base/macros.h"
-
-namespace base {
-
-class AtomicSequenceNumber;
-
-// Static (POD) AtomicSequenceNumber that MUST be used in global scope (or
-// non-function scope) ONLY. This implementation does not generate any static
-// initializer. Note that it does not implement any constructor which means
-// that its fields are not initialized except when it is stored in the global
-// data section (.data in ELF). If you want to allocate an atomic sequence
-// number on the stack (or heap), please use the AtomicSequenceNumber class
-// declared below.
-class StaticAtomicSequenceNumber {
- public:
- inline int GetNext() {
- return static_cast<int>(
- base::subtle::NoBarrier_AtomicIncrement(&seq_, 1) - 1);
- }
-
- private:
- friend class AtomicSequenceNumber;
-
- inline void Reset() {
- base::subtle::Release_Store(&seq_, 0);
- }
-
- base::subtle::Atomic32 seq_;
-};
-
-// AtomicSequenceNumber that can be stored and used safely (i.e. its fields are
-// always initialized as opposed to StaticAtomicSequenceNumber declared above).
-// Please use StaticAtomicSequenceNumber if you want to declare an atomic
-// sequence number in the global scope.
-class AtomicSequenceNumber {
- public:
- AtomicSequenceNumber() {
- seq_.Reset();
- }
-
- inline int GetNext() {
- return seq_.GetNext();
- }
-
- private:
- StaticAtomicSequenceNumber seq_;
- DISALLOW_COPY_AND_ASSIGN(AtomicSequenceNumber);
-};
-
-} // namespace base
-
-#endif // BASE_ATOMIC_SEQUENCE_NUM_H_
diff --git a/security/sandbox/chromium/base/atomicops.h b/security/sandbox/chromium/base/atomicops.h
deleted file mode 100644
index 3428fe87a..000000000
--- a/security/sandbox/chromium/base/atomicops.h
+++ /dev/null
@@ -1,161 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// For atomic operations on reference counts, see atomic_refcount.h.
-// For atomic operations on sequence numbers, see atomic_sequence_num.h.
-
-// The routines exported by this module are subtle. If you use them, even if
-// you get the code right, it will depend on careful reasoning about atomicity
-// and memory ordering; it will be less readable, and harder to maintain. If
-// you plan to use these routines, you should have a good reason, such as solid
-// evidence that performance would otherwise suffer, or there being no
-// alternative. You should assume only properties explicitly guaranteed by the
-// specifications in this file. You are almost certainly _not_ writing code
-// just for the x86; if you assume x86 semantics, x86 hardware bugs and
-// implementations on other archtectures will cause your code to break. If you
-// do not know what you are doing, avoid these routines, and use a Mutex.
-//
-// It is incorrect to make direct assignments to/from an atomic variable.
-// You should use one of the Load or Store routines. The NoBarrier
-// versions are provided when no barriers are needed:
-// NoBarrier_Store()
-// NoBarrier_Load()
-// Although there are currently no compiler enforcement, you are encouraged
-// to use these.
-//
-
-#ifndef BASE_ATOMICOPS_H_
-#define BASE_ATOMICOPS_H_
-
-#include <stdint.h>
-
-// Small C++ header which defines implementation specific macros used to
-// identify the STL implementation.
-// - libc++: captures __config for _LIBCPP_VERSION
-// - libstdc++: captures bits/c++config.h for __GLIBCXX__
-#include <cstddef>
-
-#include "base/base_export.h"
-#include "build/build_config.h"
-
-#if defined(OS_WIN) && defined(ARCH_CPU_64_BITS)
-// windows.h #defines this (only on x64). This causes problems because the
-// public API also uses MemoryBarrier at the public name for this fence. So, on
-// X64, undef it, and call its documented
-// (http://msdn.microsoft.com/en-us/library/windows/desktop/ms684208.aspx)
-// implementation directly.
-#undef MemoryBarrier
-#endif
-
-namespace base {
-namespace subtle {
-
-typedef int32_t Atomic32;
-#ifdef ARCH_CPU_64_BITS
-// We need to be able to go between Atomic64 and AtomicWord implicitly. This
-// means Atomic64 and AtomicWord should be the same type on 64-bit.
-#if defined(__ILP32__) || defined(OS_NACL)
-// NaCl's intptr_t is not actually 64-bits on 64-bit!
-// http://code.google.com/p/nativeclient/issues/detail?id=1162
-typedef int64_t Atomic64;
-#else
-typedef intptr_t Atomic64;
-#endif
-#endif
-
-// Use AtomicWord for a machine-sized pointer. It will use the Atomic32 or
-// Atomic64 routines below, depending on your architecture.
-typedef intptr_t AtomicWord;
-
-// Atomically execute:
-// result = *ptr;
-// if (*ptr == old_value)
-// *ptr = new_value;
-// return result;
-//
-// I.e., replace "*ptr" with "new_value" if "*ptr" used to be "old_value".
-// Always return the old value of "*ptr"
-//
-// This routine implies no memory barriers.
-Atomic32 NoBarrier_CompareAndSwap(volatile Atomic32* ptr,
- Atomic32 old_value,
- Atomic32 new_value);
-
-// Atomically store new_value into *ptr, returning the previous value held in
-// *ptr. This routine implies no memory barriers.
-Atomic32 NoBarrier_AtomicExchange(volatile Atomic32* ptr, Atomic32 new_value);
-
-// Atomically increment *ptr by "increment". Returns the new value of
-// *ptr with the increment applied. This routine implies no memory barriers.
-Atomic32 NoBarrier_AtomicIncrement(volatile Atomic32* ptr, Atomic32 increment);
-
-Atomic32 Barrier_AtomicIncrement(volatile Atomic32* ptr,
- Atomic32 increment);
-
-// These following lower-level operations are typically useful only to people
-// implementing higher-level synchronization operations like spinlocks,
-// mutexes, and condition-variables. They combine CompareAndSwap(), a load, or
-// a store with appropriate memory-ordering instructions. "Acquire" operations
-// ensure that no later memory access can be reordered ahead of the operation.
-// "Release" operations ensure that no previous memory access can be reordered
-// after the operation. "Barrier" operations have both "Acquire" and "Release"
-// semantics. A MemoryBarrier() has "Barrier" semantics, but does no memory
-// access.
-Atomic32 Acquire_CompareAndSwap(volatile Atomic32* ptr,
- Atomic32 old_value,
- Atomic32 new_value);
-Atomic32 Release_CompareAndSwap(volatile Atomic32* ptr,
- Atomic32 old_value,
- Atomic32 new_value);
-
-void MemoryBarrier();
-void NoBarrier_Store(volatile Atomic32* ptr, Atomic32 value);
-void Acquire_Store(volatile Atomic32* ptr, Atomic32 value);
-void Release_Store(volatile Atomic32* ptr, Atomic32 value);
-
-Atomic32 NoBarrier_Load(volatile const Atomic32* ptr);
-Atomic32 Acquire_Load(volatile const Atomic32* ptr);
-Atomic32 Release_Load(volatile const Atomic32* ptr);
-
-// 64-bit atomic operations (only available on 64-bit processors).
-#ifdef ARCH_CPU_64_BITS
-Atomic64 NoBarrier_CompareAndSwap(volatile Atomic64* ptr,
- Atomic64 old_value,
- Atomic64 new_value);
-Atomic64 NoBarrier_AtomicExchange(volatile Atomic64* ptr, Atomic64 new_value);
-Atomic64 NoBarrier_AtomicIncrement(volatile Atomic64* ptr, Atomic64 increment);
-Atomic64 Barrier_AtomicIncrement(volatile Atomic64* ptr, Atomic64 increment);
-
-Atomic64 Acquire_CompareAndSwap(volatile Atomic64* ptr,
- Atomic64 old_value,
- Atomic64 new_value);
-Atomic64 Release_CompareAndSwap(volatile Atomic64* ptr,
- Atomic64 old_value,
- Atomic64 new_value);
-void NoBarrier_Store(volatile Atomic64* ptr, Atomic64 value);
-void Acquire_Store(volatile Atomic64* ptr, Atomic64 value);
-void Release_Store(volatile Atomic64* ptr, Atomic64 value);
-Atomic64 NoBarrier_Load(volatile const Atomic64* ptr);
-Atomic64 Acquire_Load(volatile const Atomic64* ptr);
-Atomic64 Release_Load(volatile const Atomic64* ptr);
-#endif // ARCH_CPU_64_BITS
-
-} // namespace subtle
-} // namespace base
-
-#if defined(OS_WIN)
-// TODO(jfb): The MSVC header includes windows.h, which other files end up
-// relying on. Fix this as part of crbug.com/559247.
-# include "base/atomicops_internals_x86_msvc.h"
-#else
-# include "base/atomicops_internals_portable.h"
-#endif
-
-// On some platforms we need additional declarations to make
-// AtomicWord compatible with our other Atomic* types.
-#if defined(OS_MACOSX) || defined(OS_OPENBSD)
-#include "base/atomicops_internals_atomicword_compat.h"
-#endif
-
-#endif // BASE_ATOMICOPS_H_
diff --git a/security/sandbox/chromium/base/atomicops_internals_portable.h b/security/sandbox/chromium/base/atomicops_internals_portable.h
deleted file mode 100644
index ee034dee1..000000000
--- a/security/sandbox/chromium/base/atomicops_internals_portable.h
+++ /dev/null
@@ -1,229 +0,0 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file is an internal atomic implementation, use atomicops.h instead.
-//
-// This implementation uses C++11 atomics' member functions. The code base is
-// currently written assuming atomicity revolves around accesses instead of
-// C++11's memory locations. The burden is on the programmer to ensure that all
-// memory locations accessed atomically are never accessed non-atomically (tsan
-// should help with this).
-//
-// TODO(jfb) Modify the atomicops.h API and user code to declare atomic
-// locations as truly atomic. See the static_assert below.
-//
-// Of note in this implementation:
-// * All NoBarrier variants are implemented as relaxed.
-// * All Barrier variants are implemented as sequentially-consistent.
-// * Compare exchange's failure ordering is always the same as the success one
-// (except for release, which fails as relaxed): using a weaker ordering is
-// only valid under certain uses of compare exchange.
-// * Acquire store doesn't exist in the C11 memory model, it is instead
-// implemented as a relaxed store followed by a sequentially consistent
-// fence.
-// * Release load doesn't exist in the C11 memory model, it is instead
-// implemented as sequentially consistent fence followed by a relaxed load.
-// * Atomic increment is expected to return the post-incremented value, whereas
-// C11 fetch add returns the previous value. The implementation therefore
-// needs to increment twice (which the compiler should be able to detect and
-// optimize).
-
-#ifndef BASE_ATOMICOPS_INTERNALS_PORTABLE_H_
-#define BASE_ATOMICOPS_INTERNALS_PORTABLE_H_
-
-#include <atomic>
-
-#include "build/build_config.h"
-
-namespace base {
-namespace subtle {
-
-// This implementation is transitional and maintains the original API for
-// atomicops.h. This requires casting memory locations to the atomic types, and
-// assumes that the API and the C++11 implementation are layout-compatible,
-// which isn't true for all implementations or hardware platforms. The static
-// assertion should detect this issue, were it to fire then this header
-// shouldn't be used.
-//
-// TODO(jfb) If this header manages to stay committed then the API should be
-// modified, and all call sites updated.
-typedef volatile std::atomic<Atomic32>* AtomicLocation32;
-static_assert(sizeof(*(AtomicLocation32) nullptr) == sizeof(Atomic32),
- "incompatible 32-bit atomic layout");
-
-inline void MemoryBarrier() {
-#if defined(__GLIBCXX__)
- // Work around libstdc++ bug 51038 where atomic_thread_fence was declared but
- // not defined, leading to the linker complaining about undefined references.
- __atomic_thread_fence(std::memory_order_seq_cst);
-#else
- std::atomic_thread_fence(std::memory_order_seq_cst);
-#endif
-}
-
-inline Atomic32 NoBarrier_CompareAndSwap(volatile Atomic32* ptr,
- Atomic32 old_value,
- Atomic32 new_value) {
- ((AtomicLocation32)ptr)
- ->compare_exchange_strong(old_value,
- new_value,
- std::memory_order_relaxed,
- std::memory_order_relaxed);
- return old_value;
-}
-
-inline Atomic32 NoBarrier_AtomicExchange(volatile Atomic32* ptr,
- Atomic32 new_value) {
- return ((AtomicLocation32)ptr)
- ->exchange(new_value, std::memory_order_relaxed);
-}
-
-inline Atomic32 NoBarrier_AtomicIncrement(volatile Atomic32* ptr,
- Atomic32 increment) {
- return increment +
- ((AtomicLocation32)ptr)
- ->fetch_add(increment, std::memory_order_relaxed);
-}
-
-inline Atomic32 Barrier_AtomicIncrement(volatile Atomic32* ptr,
- Atomic32 increment) {
- return increment + ((AtomicLocation32)ptr)->fetch_add(increment);
-}
-
-inline Atomic32 Acquire_CompareAndSwap(volatile Atomic32* ptr,
- Atomic32 old_value,
- Atomic32 new_value) {
- ((AtomicLocation32)ptr)
- ->compare_exchange_strong(old_value,
- new_value,
- std::memory_order_acquire,
- std::memory_order_acquire);
- return old_value;
-}
-
-inline Atomic32 Release_CompareAndSwap(volatile Atomic32* ptr,
- Atomic32 old_value,
- Atomic32 new_value) {
- ((AtomicLocation32)ptr)
- ->compare_exchange_strong(old_value,
- new_value,
- std::memory_order_release,
- std::memory_order_relaxed);
- return old_value;
-}
-
-inline void NoBarrier_Store(volatile Atomic32* ptr, Atomic32 value) {
- ((AtomicLocation32)ptr)->store(value, std::memory_order_relaxed);
-}
-
-inline void Acquire_Store(volatile Atomic32* ptr, Atomic32 value) {
- ((AtomicLocation32)ptr)->store(value, std::memory_order_relaxed);
- MemoryBarrier();
-}
-
-inline void Release_Store(volatile Atomic32* ptr, Atomic32 value) {
- ((AtomicLocation32)ptr)->store(value, std::memory_order_release);
-}
-
-inline Atomic32 NoBarrier_Load(volatile const Atomic32* ptr) {
- return ((AtomicLocation32)ptr)->load(std::memory_order_relaxed);
-}
-
-inline Atomic32 Acquire_Load(volatile const Atomic32* ptr) {
- return ((AtomicLocation32)ptr)->load(std::memory_order_acquire);
-}
-
-inline Atomic32 Release_Load(volatile const Atomic32* ptr) {
- MemoryBarrier();
- return ((AtomicLocation32)ptr)->load(std::memory_order_relaxed);
-}
-
-#if defined(ARCH_CPU_64_BITS)
-
-typedef volatile std::atomic<Atomic64>* AtomicLocation64;
-static_assert(sizeof(*(AtomicLocation64) nullptr) == sizeof(Atomic64),
- "incompatible 64-bit atomic layout");
-
-inline Atomic64 NoBarrier_CompareAndSwap(volatile Atomic64* ptr,
- Atomic64 old_value,
- Atomic64 new_value) {
- ((AtomicLocation64)ptr)
- ->compare_exchange_strong(old_value,
- new_value,
- std::memory_order_relaxed,
- std::memory_order_relaxed);
- return old_value;
-}
-
-inline Atomic64 NoBarrier_AtomicExchange(volatile Atomic64* ptr,
- Atomic64 new_value) {
- return ((AtomicLocation64)ptr)
- ->exchange(new_value, std::memory_order_relaxed);
-}
-
-inline Atomic64 NoBarrier_AtomicIncrement(volatile Atomic64* ptr,
- Atomic64 increment) {
- return increment +
- ((AtomicLocation64)ptr)
- ->fetch_add(increment, std::memory_order_relaxed);
-}
-
-inline Atomic64 Barrier_AtomicIncrement(volatile Atomic64* ptr,
- Atomic64 increment) {
- return increment + ((AtomicLocation64)ptr)->fetch_add(increment);
-}
-
-inline Atomic64 Acquire_CompareAndSwap(volatile Atomic64* ptr,
- Atomic64 old_value,
- Atomic64 new_value) {
- ((AtomicLocation64)ptr)
- ->compare_exchange_strong(old_value,
- new_value,
- std::memory_order_acquire,
- std::memory_order_acquire);
- return old_value;
-}
-
-inline Atomic64 Release_CompareAndSwap(volatile Atomic64* ptr,
- Atomic64 old_value,
- Atomic64 new_value) {
- ((AtomicLocation64)ptr)
- ->compare_exchange_strong(old_value,
- new_value,
- std::memory_order_release,
- std::memory_order_relaxed);
- return old_value;
-}
-
-inline void NoBarrier_Store(volatile Atomic64* ptr, Atomic64 value) {
- ((AtomicLocation64)ptr)->store(value, std::memory_order_relaxed);
-}
-
-inline void Acquire_Store(volatile Atomic64* ptr, Atomic64 value) {
- ((AtomicLocation64)ptr)->store(value, std::memory_order_relaxed);
- MemoryBarrier();
-}
-
-inline void Release_Store(volatile Atomic64* ptr, Atomic64 value) {
- ((AtomicLocation64)ptr)->store(value, std::memory_order_release);
-}
-
-inline Atomic64 NoBarrier_Load(volatile const Atomic64* ptr) {
- return ((AtomicLocation64)ptr)->load(std::memory_order_relaxed);
-}
-
-inline Atomic64 Acquire_Load(volatile const Atomic64* ptr) {
- return ((AtomicLocation64)ptr)->load(std::memory_order_acquire);
-}
-
-inline Atomic64 Release_Load(volatile const Atomic64* ptr) {
- MemoryBarrier();
- return ((AtomicLocation64)ptr)->load(std::memory_order_relaxed);
-}
-
-#endif // defined(ARCH_CPU_64_BITS)
-} // namespace subtle
-} // namespace base
-
-#endif // BASE_ATOMICOPS_INTERNALS_PORTABLE_H_
diff --git a/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h b/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h
deleted file mode 100644
index 9f05b7e78..000000000
--- a/security/sandbox/chromium/base/atomicops_internals_x86_msvc.h
+++ /dev/null
@@ -1,196 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file is an internal atomic implementation, use base/atomicops.h instead.
-
-#ifndef BASE_ATOMICOPS_INTERNALS_X86_MSVC_H_
-#define BASE_ATOMICOPS_INTERNALS_X86_MSVC_H_
-
-#include <windows.h>
-
-#include <intrin.h>
-
-#include "base/macros.h"
-#include "build/build_config.h"
-
-#if defined(ARCH_CPU_64_BITS)
-// windows.h #defines this (only on x64). This causes problems because the
-// public API also uses MemoryBarrier at the public name for this fence. So, on
-// X64, undef it, and call its documented
-// (http://msdn.microsoft.com/en-us/library/windows/desktop/ms684208.aspx)
-// implementation directly.
-#undef MemoryBarrier
-#endif
-
-namespace base {
-namespace subtle {
-
-inline Atomic32 NoBarrier_CompareAndSwap(volatile Atomic32* ptr,
- Atomic32 old_value,
- Atomic32 new_value) {
- LONG result = _InterlockedCompareExchange(
- reinterpret_cast<volatile LONG*>(ptr),
- static_cast<LONG>(new_value),
- static_cast<LONG>(old_value));
- return static_cast<Atomic32>(result);
-}
-
-inline Atomic32 NoBarrier_AtomicExchange(volatile Atomic32* ptr,
- Atomic32 new_value) {
- LONG result = _InterlockedExchange(
- reinterpret_cast<volatile LONG*>(ptr),
- static_cast<LONG>(new_value));
- return static_cast<Atomic32>(result);
-}
-
-inline Atomic32 Barrier_AtomicIncrement(volatile Atomic32* ptr,
- Atomic32 increment) {
- return _InterlockedExchangeAdd(
- reinterpret_cast<volatile LONG*>(ptr),
- static_cast<LONG>(increment)) + increment;
-}
-
-inline Atomic32 NoBarrier_AtomicIncrement(volatile Atomic32* ptr,
- Atomic32 increment) {
- return Barrier_AtomicIncrement(ptr, increment);
-}
-
-inline void MemoryBarrier() {
-#if defined(ARCH_CPU_64_BITS)
- // See #undef and note at the top of this file.
- __faststorefence();
-#else
- // We use MemoryBarrier from WinNT.h
- ::MemoryBarrier();
-#endif
-}
-
-inline Atomic32 Acquire_CompareAndSwap(volatile Atomic32* ptr,
- Atomic32 old_value,
- Atomic32 new_value) {
- return NoBarrier_CompareAndSwap(ptr, old_value, new_value);
-}
-
-inline Atomic32 Release_CompareAndSwap(volatile Atomic32* ptr,
- Atomic32 old_value,
- Atomic32 new_value) {
- return NoBarrier_CompareAndSwap(ptr, old_value, new_value);
-}
-
-inline void NoBarrier_Store(volatile Atomic32* ptr, Atomic32 value) {
- *ptr = value;
-}
-
-inline void Acquire_Store(volatile Atomic32* ptr, Atomic32 value) {
- NoBarrier_AtomicExchange(ptr, value);
- // acts as a barrier in this implementation
-}
-
-inline void Release_Store(volatile Atomic32* ptr, Atomic32 value) {
- *ptr = value; // works w/o barrier for current Intel chips as of June 2005
- // See comments in Atomic64 version of Release_Store() below.
-}
-
-inline Atomic32 NoBarrier_Load(volatile const Atomic32* ptr) {
- return *ptr;
-}
-
-inline Atomic32 Acquire_Load(volatile const Atomic32* ptr) {
- Atomic32 value = *ptr;
- return value;
-}
-
-inline Atomic32 Release_Load(volatile const Atomic32* ptr) {
- MemoryBarrier();
- return *ptr;
-}
-
-#if defined(_WIN64)
-
-// 64-bit low-level operations on 64-bit platform.
-
-static_assert(sizeof(Atomic64) == sizeof(PVOID), "atomic word is atomic");
-
-inline Atomic64 NoBarrier_CompareAndSwap(volatile Atomic64* ptr,
- Atomic64 old_value,
- Atomic64 new_value) {
- PVOID result = InterlockedCompareExchangePointer(
- reinterpret_cast<volatile PVOID*>(ptr),
- reinterpret_cast<PVOID>(new_value), reinterpret_cast<PVOID>(old_value));
- return reinterpret_cast<Atomic64>(result);
-}
-
-inline Atomic64 NoBarrier_AtomicExchange(volatile Atomic64* ptr,
- Atomic64 new_value) {
- PVOID result = InterlockedExchangePointer(
- reinterpret_cast<volatile PVOID*>(ptr),
- reinterpret_cast<PVOID>(new_value));
- return reinterpret_cast<Atomic64>(result);
-}
-
-inline Atomic64 Barrier_AtomicIncrement(volatile Atomic64* ptr,
- Atomic64 increment) {
- return InterlockedExchangeAdd64(
- reinterpret_cast<volatile LONGLONG*>(ptr),
- static_cast<LONGLONG>(increment)) + increment;
-}
-
-inline Atomic64 NoBarrier_AtomicIncrement(volatile Atomic64* ptr,
- Atomic64 increment) {
- return Barrier_AtomicIncrement(ptr, increment);
-}
-
-inline void NoBarrier_Store(volatile Atomic64* ptr, Atomic64 value) {
- *ptr = value;
-}
-
-inline void Acquire_Store(volatile Atomic64* ptr, Atomic64 value) {
- NoBarrier_AtomicExchange(ptr, value);
- // acts as a barrier in this implementation
-}
-
-inline void Release_Store(volatile Atomic64* ptr, Atomic64 value) {
- *ptr = value; // works w/o barrier for current Intel chips as of June 2005
-
- // When new chips come out, check:
- // IA-32 Intel Architecture Software Developer's Manual, Volume 3:
- // System Programming Guide, Chatper 7: Multiple-processor management,
- // Section 7.2, Memory Ordering.
- // Last seen at:
- // http://developer.intel.com/design/pentium4/manuals/index_new.htm
-}
-
-inline Atomic64 NoBarrier_Load(volatile const Atomic64* ptr) {
- return *ptr;
-}
-
-inline Atomic64 Acquire_Load(volatile const Atomic64* ptr) {
- Atomic64 value = *ptr;
- return value;
-}
-
-inline Atomic64 Release_Load(volatile const Atomic64* ptr) {
- MemoryBarrier();
- return *ptr;
-}
-
-inline Atomic64 Acquire_CompareAndSwap(volatile Atomic64* ptr,
- Atomic64 old_value,
- Atomic64 new_value) {
- return NoBarrier_CompareAndSwap(ptr, old_value, new_value);
-}
-
-inline Atomic64 Release_CompareAndSwap(volatile Atomic64* ptr,
- Atomic64 old_value,
- Atomic64 new_value) {
- return NoBarrier_CompareAndSwap(ptr, old_value, new_value);
-}
-
-
-#endif // defined(_WIN64)
-
-} // namespace subtle
-} // namespace base
-
-#endif // BASE_ATOMICOPS_INTERNALS_X86_MSVC_H_
diff --git a/security/sandbox/chromium/base/base_export.h b/security/sandbox/chromium/base/base_export.h
deleted file mode 100644
index cf7ebd781..000000000
--- a/security/sandbox/chromium/base/base_export.h
+++ /dev/null
@@ -1,29 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_BASE_EXPORT_H_
-#define BASE_BASE_EXPORT_H_
-
-#if defined(COMPONENT_BUILD)
-#if defined(WIN32)
-
-#if defined(BASE_IMPLEMENTATION)
-#define BASE_EXPORT __declspec(dllexport)
-#else
-#define BASE_EXPORT __declspec(dllimport)
-#endif // defined(BASE_IMPLEMENTATION)
-
-#else // defined(WIN32)
-#if defined(BASE_IMPLEMENTATION)
-#define BASE_EXPORT __attribute__((visibility("default")))
-#else
-#define BASE_EXPORT
-#endif // defined(BASE_IMPLEMENTATION)
-#endif
-
-#else // defined(COMPONENT_BUILD)
-#define BASE_EXPORT
-#endif
-
-#endif // BASE_BASE_EXPORT_H_
diff --git a/security/sandbox/chromium/base/base_paths.h b/security/sandbox/chromium/base/base_paths.h
deleted file mode 100644
index 26b2fd4c9..000000000
--- a/security/sandbox/chromium/base/base_paths.h
+++ /dev/null
@@ -1,55 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_BASE_PATHS_H_
-#define BASE_BASE_PATHS_H_
-
-// This file declares path keys for the base module. These can be used with
-// the PathService to access various special directories and files.
-
-#include "build/build_config.h"
-
-#if defined(OS_WIN)
-#include "base/base_paths_win.h"
-#elif defined(OS_MACOSX)
-#include "base/base_paths_mac.h"
-#elif defined(OS_ANDROID)
-#include "base/base_paths_android.h"
-#endif
-
-#if defined(OS_POSIX)
-#include "base/base_paths_posix.h"
-#endif
-
-namespace base {
-
-enum BasePathKey {
- PATH_START = 0,
-
- DIR_CURRENT, // Current directory.
- DIR_EXE, // Directory containing FILE_EXE.
- DIR_MODULE, // Directory containing FILE_MODULE.
- DIR_TEMP, // Temporary directory.
- DIR_HOME, // User's root home directory. On Windows this will look
- // like "C:\Users\you" (or on XP
- // "C:\Document and Settings\you") which isn't necessarily
- // a great place to put files.
- FILE_EXE, // Path and filename of the current executable.
- FILE_MODULE, // Path and filename of the module containing the code for
- // the PathService (which could differ from FILE_EXE if the
- // PathService were compiled into a shared object, for
- // example).
- DIR_SOURCE_ROOT, // Returns the root of the source tree. This key is useful
- // for tests that need to locate various resources. It
- // should not be used outside of test code.
- DIR_USER_DESKTOP, // The current user's Desktop.
-
- DIR_TEST_DATA, // Used only for testing.
-
- PATH_END
-};
-
-} // namespace base
-
-#endif // BASE_BASE_PATHS_H_
diff --git a/security/sandbox/chromium/base/base_paths_win.h b/security/sandbox/chromium/base/base_paths_win.h
deleted file mode 100644
index d9dbc39f9..000000000
--- a/security/sandbox/chromium/base/base_paths_win.h
+++ /dev/null
@@ -1,54 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_BASE_PATHS_WIN_H_
-#define BASE_BASE_PATHS_WIN_H_
-
-// This file declares windows-specific path keys for the base module.
-// These can be used with the PathService to access various special
-// directories and files.
-
-namespace base {
-
-enum {
- PATH_WIN_START = 100,
-
- DIR_WINDOWS, // Windows directory, usually "c:\windows"
- DIR_SYSTEM, // Usually c:\windows\system32"
- // 32-bit 32-bit on 64-bit 64-bit on 64-bit
- // DIR_PROGRAM_FILES 1 2 1
- // DIR_PROGRAM_FILESX86 1 2 2
- // DIR_PROGRAM_FILES6432 1 1 1
- // 1 - C:\Program Files 2 - C:\Program Files (x86)
- DIR_PROGRAM_FILES, // See table above.
- DIR_PROGRAM_FILESX86, // See table above.
- DIR_PROGRAM_FILES6432, // See table above.
-
- DIR_IE_INTERNET_CACHE, // Temporary Internet Files directory.
- DIR_COMMON_START_MENU, // Usually "C:\Documents and Settings\All Users\
- // Start Menu\Programs"
- DIR_START_MENU, // Usually "C:\Documents and Settings\<user>\
- // Start Menu\Programs"
- DIR_APP_DATA, // Application Data directory under the user profile.
- DIR_LOCAL_APP_DATA, // "Local Settings\Application Data" directory under
- // the user profile.
- DIR_COMMON_APP_DATA, // W2K, XP, W2K3: "C:\Documents and Settings\
- // All Users\Application Data".
- // Vista, W2K8 and above: "C:\ProgramData".
- DIR_APP_SHORTCUTS, // Where tiles on the start screen are stored, only
- // for Windows 8. Maps to "Local\AppData\Microsoft\
- // Windows\Application Shortcuts\".
- DIR_COMMON_DESKTOP, // Directory for the common desktop (visible
- // on all user's Desktop).
- DIR_USER_QUICK_LAUNCH, // Directory for the quick launch shortcuts.
- DIR_TASKBAR_PINS, // Directory for the shortcuts pinned to taskbar
- // (Win7-8) via base::win::PinShortcutToTaskbar().
- DIR_WINDOWS_FONTS, // Usually C:\Windows\Fonts.
-
- PATH_WIN_END
-};
-
-} // namespace base
-
-#endif // BASE_BASE_PATHS_WIN_H_
diff --git a/security/sandbox/chromium/base/base_switches.cc b/security/sandbox/chromium/base/base_switches.cc
deleted file mode 100644
index 02b222988..000000000
--- a/security/sandbox/chromium/base/base_switches.cc
+++ /dev/null
@@ -1,95 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/base_switches.h"
-#include "build/build_config.h"
-
-namespace switches {
-
-// Disables the crash reporting.
-const char kDisableBreakpad[] = "disable-breakpad";
-
-// Indicates that crash reporting should be enabled. On platforms where helper
-// processes cannot access to files needed to make this decision, this flag is
-// generated internally.
-const char kEnableCrashReporter[] = "enable-crash-reporter";
-
-// Makes memory allocators keep track of their allocations and context, so a
-// detailed breakdown of memory usage can be presented in chrome://tracing when
-// the memory-infra category is enabled.
-const char kEnableHeapProfiling[] = "enable-heap-profiling";
-
-// Generates full memory crash dump.
-const char kFullMemoryCrashReport[] = "full-memory-crash-report";
-
-// Force low-end device mode when set.
-const char kEnableLowEndDeviceMode[] = "enable-low-end-device-mode";
-
-// Force disabling of low-end device mode when set.
-const char kDisableLowEndDeviceMode[] = "disable-low-end-device-mode";
-
-// This option can be used to force field trials when testing changes locally.
-// The argument is a list of name and value pairs, separated by slashes. If a
-// trial name is prefixed with an asterisk, that trial will start activated.
-// For example, the following argument defines two trials, with the second one
-// activated: "GoogleNow/Enable/*MaterialDesignNTP/Default/" This option can
-// also be used by the browser process to send the list of trials to a
-// non-browser process, using the same format. See
-// FieldTrialList::CreateTrialsFromString() in field_trial.h for details.
-const char kForceFieldTrials[] = "force-fieldtrials";
-
-// Suppresses all error dialogs when present.
-const char kNoErrorDialogs[] = "noerrdialogs";
-
-// When running certain tests that spawn child processes, this switch indicates
-// to the test framework that the current process is a child process.
-const char kTestChildProcess[] = "test-child-process";
-
-// Gives the default maximal active V-logging level; 0 is the default.
-// Normally positive values are used for V-logging levels.
-const char kV[] = "v";
-
-// Gives the per-module maximal V-logging levels to override the value
-// given by --v. E.g. "my_module=2,foo*=3" would change the logging
-// level for all code in source files "my_module.*" and "foo*.*"
-// ("-inl" suffixes are also disregarded for this matching).
-//
-// Any pattern containing a forward or backward slash will be tested
-// against the whole pathname and not just the module. E.g.,
-// "*/foo/bar/*=2" would change the logging level for all code in
-// source files under a "foo/bar" directory.
-const char kVModule[] = "vmodule";
-
-// Will wait for 60 seconds for a debugger to come to attach to the process.
-const char kWaitForDebugger[] = "wait-for-debugger";
-
-// Sends trace events from these categories to a file.
-// --trace-to-file on its own sends to default categories.
-const char kTraceToFile[] = "trace-to-file";
-
-// Specifies the file name for --trace-to-file. If unspecified, it will
-// go to a default file name.
-const char kTraceToFileName[] = "trace-to-file-name";
-
-// Configure whether chrome://profiler will contain timing information. This
-// option is enabled by default. A value of "0" will disable profiler timing,
-// while all other values will enable it.
-const char kProfilerTiming[] = "profiler-timing";
-// Value of the --profiler-timing flag that will disable timing information for
-// chrome://profiler.
-const char kProfilerTimingDisabledValue[] = "0";
-
-#if defined(OS_WIN)
-// Disables the USB keyboard detection for blocking the OSK on Win8+.
-const char kDisableUsbKeyboardDetect[] = "disable-usb-keyboard-detect";
-#endif
-
-#if defined(OS_POSIX)
-// Used for turning on Breakpad crash reporting in a debug environment where
-// crash reporting is typically compiled but disabled.
-const char kEnableCrashReporterForTesting[] =
- "enable-crash-reporter-for-testing";
-#endif
-
-} // namespace switches
diff --git a/security/sandbox/chromium/base/base_switches.h b/security/sandbox/chromium/base/base_switches.h
deleted file mode 100644
index c97a629d9..000000000
--- a/security/sandbox/chromium/base/base_switches.h
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Defines all the "base" command-line switches.
-
-#ifndef BASE_BASE_SWITCHES_H_
-#define BASE_BASE_SWITCHES_H_
-
-#include "build/build_config.h"
-
-namespace switches {
-
-extern const char kDisableBreakpad[];
-extern const char kDisableLowEndDeviceMode[];
-extern const char kEnableCrashReporter[];
-extern const char kEnableHeapProfiling[];
-extern const char kEnableLowEndDeviceMode[];
-extern const char kForceFieldTrials[];
-extern const char kFullMemoryCrashReport[];
-extern const char kNoErrorDialogs[];
-extern const char kProfilerTiming[];
-extern const char kProfilerTimingDisabledValue[];
-extern const char kTestChildProcess[];
-extern const char kTraceToFile[];
-extern const char kTraceToFileName[];
-extern const char kV[];
-extern const char kVModule[];
-extern const char kWaitForDebugger[];
-
-#if defined(OS_WIN)
-extern const char kDisableUsbKeyboardDetect[];
-#endif
-
-#if defined(OS_POSIX)
-extern const char kEnableCrashReporterForTesting[];
-#endif
-
-} // namespace switches
-
-#endif // BASE_BASE_SWITCHES_H_
diff --git a/security/sandbox/chromium/base/bind.h b/security/sandbox/chromium/base/bind.h
deleted file mode 100644
index 770e45706..000000000
--- a/security/sandbox/chromium/base/bind.h
+++ /dev/null
@@ -1,101 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_BIND_H_
-#define BASE_BIND_H_
-
-#include "base/bind_internal.h"
-#include "base/callback_internal.h"
-
-// -----------------------------------------------------------------------------
-// Usage documentation
-// -----------------------------------------------------------------------------
-//
-// See base/callback.h for documentation.
-//
-//
-// -----------------------------------------------------------------------------
-// Implementation notes
-// -----------------------------------------------------------------------------
-//
-// If you're reading the implementation, before proceeding further, you should
-// read the top comment of base/bind_internal.h for a definition of common
-// terms and concepts.
-//
-// RETURN TYPES
-//
-// Though Bind()'s result is meant to be stored in a Callback<> type, it
-// cannot actually return the exact type without requiring a large amount
-// of extra template specializations. The problem is that in order to
-// discern the correct specialization of Callback<>, Bind would need to
-// unwrap the function signature to determine the signature's arity, and
-// whether or not it is a method.
-//
-// Each unique combination of (arity, function_type, num_prebound) where
-// function_type is one of {function, method, const_method} would require
-// one specialization. We eventually have to do a similar number of
-// specializations anyways in the implementation (see the Invoker<>,
-// classes). However, it is avoidable in Bind if we return the result
-// via an indirection like we do below.
-//
-// TODO(ajwong): We might be able to avoid this now, but need to test.
-//
-// It is possible to move most of the static_assert into BindState<>, but it
-// feels a little nicer to have the asserts here so people do not need to crack
-// open bind_internal.h. On the other hand, it makes Bind() harder to read.
-
-namespace base {
-
-template <typename Functor, typename... Args>
-base::Callback<
- typename internal::BindState<
- typename internal::FunctorTraits<Functor>::RunnableType,
- typename internal::FunctorTraits<Functor>::RunType,
- typename internal::CallbackParamTraits<Args>::StorageType...>
- ::UnboundRunType>
-Bind(Functor functor, const Args&... args) {
- // Type aliases for how to store and run the functor.
- using RunnableType = typename internal::FunctorTraits<Functor>::RunnableType;
- using RunType = typename internal::FunctorTraits<Functor>::RunType;
-
- // Use RunnableType::RunType instead of RunType above because our
- // checks below for bound references need to know what the actual
- // functor is going to interpret the argument as.
- using BoundRunType = typename RunnableType::RunType;
-
- using BoundArgs =
- internal::TakeTypeListItem<sizeof...(Args),
- internal::ExtractArgs<BoundRunType>>;
-
- // Do not allow binding a non-const reference parameter. Non-const reference
- // parameters are disallowed by the Google style guide. Also, binding a
- // non-const reference parameter can make for subtle bugs because the
- // invoked function will receive a reference to the stored copy of the
- // argument and not the original.
- static_assert(!internal::HasNonConstReferenceItem<BoundArgs>::value,
- "do not bind functions with nonconst ref");
-
- const bool is_method = internal::HasIsMethodTag<RunnableType>::value;
-
- // For methods, we need to be careful for parameter 1. We do not require
- // a scoped_refptr because BindState<> itself takes care of AddRef() for
- // methods. We also disallow binding of an array as the method's target
- // object.
- static_assert(!internal::BindsArrayToFirstArg<is_method, Args...>::value,
- "first bound argument to method cannot be array");
- static_assert(
- !internal::HasRefCountedParamAsRawPtr<is_method, Args...>::value,
- "a parameter is a refcounted type and needs scoped_refptr");
-
- using BindState = internal::BindState<
- RunnableType, RunType,
- typename internal::CallbackParamTraits<Args>::StorageType...>;
-
- return Callback<typename BindState::UnboundRunType>(
- new BindState(internal::MakeRunnable(functor), args...));
-}
-
-} // namespace base
-
-#endif // BASE_BIND_H_
diff --git a/security/sandbox/chromium/base/bind_helpers.h b/security/sandbox/chromium/base/bind_helpers.h
deleted file mode 100644
index 2add755b4..000000000
--- a/security/sandbox/chromium/base/bind_helpers.h
+++ /dev/null
@@ -1,658 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This defines a set of argument wrappers and related factory methods that
-// can be used specify the refcounting and reference semantics of arguments
-// that are bound by the Bind() function in base/bind.h.
-//
-// It also defines a set of simple functions and utilities that people want
-// when using Callback<> and Bind().
-//
-//
-// ARGUMENT BINDING WRAPPERS
-//
-// The wrapper functions are base::Unretained(), base::Owned(), base::Passed(),
-// base::ConstRef(), and base::IgnoreResult().
-//
-// Unretained() allows Bind() to bind a non-refcounted class, and to disable
-// refcounting on arguments that are refcounted objects.
-//
-// Owned() transfers ownership of an object to the Callback resulting from
-// bind; the object will be deleted when the Callback is deleted.
-//
-// Passed() is for transferring movable-but-not-copyable types (eg. scoped_ptr)
-// through a Callback. Logically, this signifies a destructive transfer of
-// the state of the argument into the target function. Invoking
-// Callback::Run() twice on a Callback that was created with a Passed()
-// argument will CHECK() because the first invocation would have already
-// transferred ownership to the target function.
-//
-// ConstRef() allows binding a constant reference to an argument rather
-// than a copy.
-//
-// IgnoreResult() is used to adapt a function or Callback with a return type to
-// one with a void return. This is most useful if you have a function with,
-// say, a pesky ignorable bool return that you want to use with PostTask or
-// something else that expect a Callback with a void return.
-//
-// EXAMPLE OF Unretained():
-//
-// class Foo {
-// public:
-// void func() { cout << "Foo:f" << endl; }
-// };
-//
-// // In some function somewhere.
-// Foo foo;
-// Closure foo_callback =
-// Bind(&Foo::func, Unretained(&foo));
-// foo_callback.Run(); // Prints "Foo:f".
-//
-// Without the Unretained() wrapper on |&foo|, the above call would fail
-// to compile because Foo does not support the AddRef() and Release() methods.
-//
-//
-// EXAMPLE OF Owned():
-//
-// void foo(int* arg) { cout << *arg << endl }
-//
-// int* pn = new int(1);
-// Closure foo_callback = Bind(&foo, Owned(pn));
-//
-// foo_callback.Run(); // Prints "1"
-// foo_callback.Run(); // Prints "1"
-// *n = 2;
-// foo_callback.Run(); // Prints "2"
-//
-// foo_callback.Reset(); // |pn| is deleted. Also will happen when
-// // |foo_callback| goes out of scope.
-//
-// Without Owned(), someone would have to know to delete |pn| when the last
-// reference to the Callback is deleted.
-//
-//
-// EXAMPLE OF ConstRef():
-//
-// void foo(int arg) { cout << arg << endl }
-//
-// int n = 1;
-// Closure no_ref = Bind(&foo, n);
-// Closure has_ref = Bind(&foo, ConstRef(n));
-//
-// no_ref.Run(); // Prints "1"
-// has_ref.Run(); // Prints "1"
-//
-// n = 2;
-// no_ref.Run(); // Prints "1"
-// has_ref.Run(); // Prints "2"
-//
-// Note that because ConstRef() takes a reference on |n|, |n| must outlive all
-// its bound callbacks.
-//
-//
-// EXAMPLE OF IgnoreResult():
-//
-// int DoSomething(int arg) { cout << arg << endl; }
-//
-// // Assign to a Callback with a void return type.
-// Callback<void(int)> cb = Bind(IgnoreResult(&DoSomething));
-// cb->Run(1); // Prints "1".
-//
-// // Prints "1" on |ml|.
-// ml->PostTask(FROM_HERE, Bind(IgnoreResult(&DoSomething), 1);
-//
-//
-// EXAMPLE OF Passed():
-//
-// void TakesOwnership(scoped_ptr<Foo> arg) { }
-// scoped_ptr<Foo> CreateFoo() { return scoped_ptr<Foo>(new Foo()); }
-//
-// scoped_ptr<Foo> f(new Foo());
-//
-// // |cb| is given ownership of Foo(). |f| is now NULL.
-// // You can use std::move(f) in place of &f, but it's more verbose.
-// Closure cb = Bind(&TakesOwnership, Passed(&f));
-//
-// // Run was never called so |cb| still owns Foo() and deletes
-// // it on Reset().
-// cb.Reset();
-//
-// // |cb| is given a new Foo created by CreateFoo().
-// cb = Bind(&TakesOwnership, Passed(CreateFoo()));
-//
-// // |arg| in TakesOwnership() is given ownership of Foo(). |cb|
-// // no longer owns Foo() and, if reset, would not delete Foo().
-// cb.Run(); // Foo() is now transferred to |arg| and deleted.
-// cb.Run(); // This CHECK()s since Foo() already been used once.
-//
-// Passed() is particularly useful with PostTask() when you are transferring
-// ownership of an argument into a task, but don't necessarily know if the
-// task will always be executed. This can happen if the task is cancellable
-// or if it is posted to a TaskRunner.
-//
-//
-// SIMPLE FUNCTIONS AND UTILITIES.
-//
-// DoNothing() - Useful for creating a Closure that does nothing when called.
-// DeletePointer<T>() - Useful for creating a Closure that will delete a
-// pointer when invoked. Only use this when necessary.
-// In most cases MessageLoop::DeleteSoon() is a better
-// fit.
-
-#ifndef BASE_BIND_HELPERS_H_
-#define BASE_BIND_HELPERS_H_
-
-#include <stddef.h>
-
-#include <type_traits>
-#include <utility>
-
-#include "base/callback.h"
-#include "base/memory/weak_ptr.h"
-#include "base/template_util.h"
-#include "build/build_config.h"
-
-namespace base {
-namespace internal {
-
-// Use the Substitution Failure Is Not An Error (SFINAE) trick to inspect T
-// for the existence of AddRef() and Release() functions of the correct
-// signature.
-//
-// http://en.wikipedia.org/wiki/Substitution_failure_is_not_an_error
-// http://stackoverflow.com/questions/257288/is-it-possible-to-write-a-c-template-to-check-for-a-functions-existence
-// http://stackoverflow.com/questions/4358584/sfinae-approach-comparison
-// http://stackoverflow.com/questions/1966362/sfinae-to-check-for-inherited-member-functions
-//
-// The last link in particular show the method used below.
-//
-// For SFINAE to work with inherited methods, we need to pull some extra tricks
-// with multiple inheritance. In the more standard formulation, the overloads
-// of Check would be:
-//
-// template <typename C>
-// Yes NotTheCheckWeWant(Helper<&C::TargetFunc>*);
-//
-// template <typename C>
-// No NotTheCheckWeWant(...);
-//
-// static const bool value = sizeof(NotTheCheckWeWant<T>(0)) == sizeof(Yes);
-//
-// The problem here is that template resolution will not match
-// C::TargetFunc if TargetFunc does not exist directly in C. That is, if
-// TargetFunc in inherited from an ancestor, &C::TargetFunc will not match,
-// |value| will be false. This formulation only checks for whether or
-// not TargetFunc exist directly in the class being introspected.
-//
-// To get around this, we play a dirty trick with multiple inheritance.
-// First, We create a class BaseMixin that declares each function that we
-// want to probe for. Then we create a class Base that inherits from both T
-// (the class we wish to probe) and BaseMixin. Note that the function
-// signature in BaseMixin does not need to match the signature of the function
-// we are probing for; thus it's easiest to just use void().
-//
-// Now, if TargetFunc exists somewhere in T, then &Base::TargetFunc has an
-// ambiguous resolution between BaseMixin and T. This lets us write the
-// following:
-//
-// template <typename C>
-// No GoodCheck(Helper<&C::TargetFunc>*);
-//
-// template <typename C>
-// Yes GoodCheck(...);
-//
-// static const bool value = sizeof(GoodCheck<Base>(0)) == sizeof(Yes);
-//
-// Notice here that the variadic version of GoodCheck() returns Yes here
-// instead of No like the previous one. Also notice that we calculate |value|
-// by specializing GoodCheck() on Base instead of T.
-//
-// We've reversed the roles of the variadic, and Helper overloads.
-// GoodCheck(Helper<&C::TargetFunc>*), when C = Base, fails to be a valid
-// substitution if T::TargetFunc exists. Thus GoodCheck<Base>(0) will resolve
-// to the variadic version if T has TargetFunc. If T::TargetFunc does not
-// exist, then &C::TargetFunc is not ambiguous, and the overload resolution
-// will prefer GoodCheck(Helper<&C::TargetFunc>*).
-//
-// This method of SFINAE will correctly probe for inherited names, but it cannot
-// typecheck those names. It's still a good enough sanity check though.
-//
-// Works on gcc-4.2, gcc-4.4, and Visual Studio 2008.
-//
-// TODO(ajwong): Move to ref_counted.h or template_util.h when we've vetted
-// this works well.
-//
-// TODO(ajwong): Make this check for Release() as well.
-// See http://crbug.com/82038.
-template <typename T>
-class SupportsAddRefAndRelease {
- using Yes = char[1];
- using No = char[2];
-
- struct BaseMixin {
- void AddRef();
- };
-
-// MSVC warns when you try to use Base if T has a private destructor, the
-// common pattern for refcounted types. It does this even though no attempt to
-// instantiate Base is made. We disable the warning for this definition.
-#if defined(OS_WIN)
-#pragma warning(push)
-#pragma warning(disable:4624)
-#endif
- struct Base : public T, public BaseMixin {
- };
-#if defined(OS_WIN)
-#pragma warning(pop)
-#endif
-
- template <void(BaseMixin::*)()> struct Helper {};
-
- template <typename C>
- static No& Check(Helper<&C::AddRef>*);
-
- template <typename >
- static Yes& Check(...);
-
- public:
- enum { value = sizeof(Check<Base>(0)) == sizeof(Yes) };
-};
-
-// Helpers to assert that arguments of a recounted type are bound with a
-// scoped_refptr.
-template <bool IsClasstype, typename T>
-struct UnsafeBindtoRefCountedArgHelper : false_type {
-};
-
-template <typename T>
-struct UnsafeBindtoRefCountedArgHelper<true, T>
- : integral_constant<bool, SupportsAddRefAndRelease<T>::value> {
-};
-
-template <typename T>
-struct UnsafeBindtoRefCountedArg : false_type {
-};
-
-template <typename T>
-struct UnsafeBindtoRefCountedArg<T*>
- : UnsafeBindtoRefCountedArgHelper<is_class<T>::value, T> {
-};
-
-template <typename T>
-class HasIsMethodTag {
- using Yes = char[1];
- using No = char[2];
-
- template <typename U>
- static Yes& Check(typename U::IsMethod*);
-
- template <typename U>
- static No& Check(...);
-
- public:
- enum { value = sizeof(Check<T>(0)) == sizeof(Yes) };
-};
-
-template <typename T>
-class UnretainedWrapper {
- public:
- explicit UnretainedWrapper(T* o) : ptr_(o) {}
- T* get() const { return ptr_; }
- private:
- T* ptr_;
-};
-
-template <typename T>
-class ConstRefWrapper {
- public:
- explicit ConstRefWrapper(const T& o) : ptr_(&o) {}
- const T& get() const { return *ptr_; }
- private:
- const T* ptr_;
-};
-
-template <typename T>
-struct IgnoreResultHelper {
- explicit IgnoreResultHelper(T functor) : functor_(functor) {}
-
- T functor_;
-};
-
-template <typename T>
-struct IgnoreResultHelper<Callback<T> > {
- explicit IgnoreResultHelper(const Callback<T>& functor) : functor_(functor) {}
-
- const Callback<T>& functor_;
-};
-
-// An alternate implementation is to avoid the destructive copy, and instead
-// specialize ParamTraits<> for OwnedWrapper<> to change the StorageType to
-// a class that is essentially a scoped_ptr<>.
-//
-// The current implementation has the benefit though of leaving ParamTraits<>
-// fully in callback_internal.h as well as avoiding type conversions during
-// storage.
-template <typename T>
-class OwnedWrapper {
- public:
- explicit OwnedWrapper(T* o) : ptr_(o) {}
- ~OwnedWrapper() { delete ptr_; }
- T* get() const { return ptr_; }
- OwnedWrapper(const OwnedWrapper& other) {
- ptr_ = other.ptr_;
- other.ptr_ = NULL;
- }
-
- private:
- mutable T* ptr_;
-};
-
-// PassedWrapper is a copyable adapter for a scoper that ignores const.
-//
-// It is needed to get around the fact that Bind() takes a const reference to
-// all its arguments. Because Bind() takes a const reference to avoid
-// unnecessary copies, it is incompatible with movable-but-not-copyable
-// types; doing a destructive "move" of the type into Bind() would violate
-// the const correctness.
-//
-// This conundrum cannot be solved without either C++11 rvalue references or
-// a O(2^n) blowup of Bind() templates to handle each combination of regular
-// types and movable-but-not-copyable types. Thus we introduce a wrapper type
-// that is copyable to transmit the correct type information down into
-// BindState<>. Ignoring const in this type makes sense because it is only
-// created when we are explicitly trying to do a destructive move.
-//
-// Two notes:
-// 1) PassedWrapper supports any type that has a move constructor, however
-// the type will need to be specifically whitelisted in order for it to be
-// bound to a Callback. We guard this explicitly at the call of Passed()
-// to make for clear errors. Things not given to Passed() will be forwarded
-// and stored by value which will not work for general move-only types.
-// 2) is_valid_ is distinct from NULL because it is valid to bind a "NULL"
-// scoper to a Callback and allow the Callback to execute once.
-template <typename T>
-class PassedWrapper {
- public:
- explicit PassedWrapper(T&& scoper)
- : is_valid_(true), scoper_(std::move(scoper)) {}
- PassedWrapper(const PassedWrapper& other)
- : is_valid_(other.is_valid_), scoper_(std::move(other.scoper_)) {}
- T Pass() const {
- CHECK(is_valid_);
- is_valid_ = false;
- return std::move(scoper_);
- }
-
- private:
- mutable bool is_valid_;
- mutable T scoper_;
-};
-
-// Unwrap the stored parameters for the wrappers above.
-template <typename T>
-struct UnwrapTraits {
- using ForwardType = const T&;
- static ForwardType Unwrap(const T& o) { return o; }
-};
-
-template <typename T>
-struct UnwrapTraits<UnretainedWrapper<T> > {
- using ForwardType = T*;
- static ForwardType Unwrap(UnretainedWrapper<T> unretained) {
- return unretained.get();
- }
-};
-
-template <typename T>
-struct UnwrapTraits<ConstRefWrapper<T> > {
- using ForwardType = const T&;
- static ForwardType Unwrap(ConstRefWrapper<T> const_ref) {
- return const_ref.get();
- }
-};
-
-template <typename T>
-struct UnwrapTraits<scoped_refptr<T> > {
- using ForwardType = T*;
- static ForwardType Unwrap(const scoped_refptr<T>& o) { return o.get(); }
-};
-
-template <typename T>
-struct UnwrapTraits<WeakPtr<T> > {
- using ForwardType = const WeakPtr<T>&;
- static ForwardType Unwrap(const WeakPtr<T>& o) { return o; }
-};
-
-template <typename T>
-struct UnwrapTraits<OwnedWrapper<T> > {
- using ForwardType = T*;
- static ForwardType Unwrap(const OwnedWrapper<T>& o) {
- return o.get();
- }
-};
-
-template <typename T>
-struct UnwrapTraits<PassedWrapper<T> > {
- using ForwardType = T;
- static T Unwrap(PassedWrapper<T>& o) {
- return o.Pass();
- }
-};
-
-// Utility for handling different refcounting semantics in the Bind()
-// function.
-template <bool is_method, typename... T>
-struct MaybeScopedRefPtr;
-
-template <bool is_method>
-struct MaybeScopedRefPtr<is_method> {
- MaybeScopedRefPtr() {}
-};
-
-template <typename T, typename... Rest>
-struct MaybeScopedRefPtr<false, T, Rest...> {
- MaybeScopedRefPtr(const T&, const Rest&...) {}
-};
-
-template <typename T, size_t n, typename... Rest>
-struct MaybeScopedRefPtr<false, T[n], Rest...> {
- MaybeScopedRefPtr(const T*, const Rest&...) {}
-};
-
-template <typename T, typename... Rest>
-struct MaybeScopedRefPtr<true, T, Rest...> {
- MaybeScopedRefPtr(const T& o, const Rest&...) {}
-};
-
-template <typename T, typename... Rest>
-struct MaybeScopedRefPtr<true, T*, Rest...> {
- MaybeScopedRefPtr(T* o, const Rest&...) : ref_(o) {}
- scoped_refptr<T> ref_;
-};
-
-// No need to additionally AddRef() and Release() since we are storing a
-// scoped_refptr<> inside the storage object already.
-template <typename T, typename... Rest>
-struct MaybeScopedRefPtr<true, scoped_refptr<T>, Rest...> {
- MaybeScopedRefPtr(const scoped_refptr<T>&, const Rest&...) {}
-};
-
-template <typename T, typename... Rest>
-struct MaybeScopedRefPtr<true, const T*, Rest...> {
- MaybeScopedRefPtr(const T* o, const Rest&...) : ref_(o) {}
- scoped_refptr<const T> ref_;
-};
-
-// IsWeakMethod is a helper that determine if we are binding a WeakPtr<> to a
-// method. It is used internally by Bind() to select the correct
-// InvokeHelper that will no-op itself in the event the WeakPtr<> for
-// the target object is invalidated.
-//
-// The first argument should be the type of the object that will be received by
-// the method.
-template <bool IsMethod, typename... Args>
-struct IsWeakMethod : public false_type {};
-
-template <typename T, typename... Args>
-struct IsWeakMethod<true, WeakPtr<T>, Args...> : public true_type {};
-
-template <typename T, typename... Args>
-struct IsWeakMethod<true, ConstRefWrapper<WeakPtr<T>>, Args...>
- : public true_type {};
-
-
-// Packs a list of types to hold them in a single type.
-template <typename... Types>
-struct TypeList {};
-
-// Used for DropTypeListItem implementation.
-template <size_t n, typename List>
-struct DropTypeListItemImpl;
-
-// Do not use enable_if and SFINAE here to avoid MSVC2013 compile failure.
-template <size_t n, typename T, typename... List>
-struct DropTypeListItemImpl<n, TypeList<T, List...>>
- : DropTypeListItemImpl<n - 1, TypeList<List...>> {};
-
-template <typename T, typename... List>
-struct DropTypeListItemImpl<0, TypeList<T, List...>> {
- using Type = TypeList<T, List...>;
-};
-
-template <>
-struct DropTypeListItemImpl<0, TypeList<>> {
- using Type = TypeList<>;
-};
-
-// A type-level function that drops |n| list item from given TypeList.
-template <size_t n, typename List>
-using DropTypeListItem = typename DropTypeListItemImpl<n, List>::Type;
-
-// Used for TakeTypeListItem implementation.
-template <size_t n, typename List, typename... Accum>
-struct TakeTypeListItemImpl;
-
-// Do not use enable_if and SFINAE here to avoid MSVC2013 compile failure.
-template <size_t n, typename T, typename... List, typename... Accum>
-struct TakeTypeListItemImpl<n, TypeList<T, List...>, Accum...>
- : TakeTypeListItemImpl<n - 1, TypeList<List...>, Accum..., T> {};
-
-template <typename T, typename... List, typename... Accum>
-struct TakeTypeListItemImpl<0, TypeList<T, List...>, Accum...> {
- using Type = TypeList<Accum...>;
-};
-
-template <typename... Accum>
-struct TakeTypeListItemImpl<0, TypeList<>, Accum...> {
- using Type = TypeList<Accum...>;
-};
-
-// A type-level function that takes first |n| list item from given TypeList.
-// E.g. TakeTypeListItem<3, TypeList<A, B, C, D>> is evaluated to
-// TypeList<A, B, C>.
-template <size_t n, typename List>
-using TakeTypeListItem = typename TakeTypeListItemImpl<n, List>::Type;
-
-// Used for ConcatTypeLists implementation.
-template <typename List1, typename List2>
-struct ConcatTypeListsImpl;
-
-template <typename... Types1, typename... Types2>
-struct ConcatTypeListsImpl<TypeList<Types1...>, TypeList<Types2...>> {
- using Type = TypeList<Types1..., Types2...>;
-};
-
-// A type-level function that concats two TypeLists.
-template <typename List1, typename List2>
-using ConcatTypeLists = typename ConcatTypeListsImpl<List1, List2>::Type;
-
-// Used for MakeFunctionType implementation.
-template <typename R, typename ArgList>
-struct MakeFunctionTypeImpl;
-
-template <typename R, typename... Args>
-struct MakeFunctionTypeImpl<R, TypeList<Args...>> {
- // MSVC 2013 doesn't support Type Alias of function types.
- // Revisit this after we update it to newer version.
- typedef R Type(Args...);
-};
-
-// A type-level function that constructs a function type that has |R| as its
-// return type and has TypeLists items as its arguments.
-template <typename R, typename ArgList>
-using MakeFunctionType = typename MakeFunctionTypeImpl<R, ArgList>::Type;
-
-// Used for ExtractArgs.
-template <typename Signature>
-struct ExtractArgsImpl;
-
-template <typename R, typename... Args>
-struct ExtractArgsImpl<R(Args...)> {
- using Type = TypeList<Args...>;
-};
-
-// A type-level function that extracts function arguments into a TypeList.
-// E.g. ExtractArgs<R(A, B, C)> is evaluated to TypeList<A, B, C>.
-template <typename Signature>
-using ExtractArgs = typename ExtractArgsImpl<Signature>::Type;
-
-} // namespace internal
-
-template <typename T>
-static inline internal::UnretainedWrapper<T> Unretained(T* o) {
- return internal::UnretainedWrapper<T>(o);
-}
-
-template <typename T>
-static inline internal::ConstRefWrapper<T> ConstRef(const T& o) {
- return internal::ConstRefWrapper<T>(o);
-}
-
-template <typename T>
-static inline internal::OwnedWrapper<T> Owned(T* o) {
- return internal::OwnedWrapper<T>(o);
-}
-
-// We offer 2 syntaxes for calling Passed(). The first takes an rvalue and
-// is best suited for use with the return value of a function or other temporary
-// rvalues. The second takes a pointer to the scoper and is just syntactic sugar
-// to avoid having to write Passed(std::move(scoper)).
-//
-// Both versions of Passed() prevent T from being an lvalue reference. The first
-// via use of enable_if, and the second takes a T* which will not bind to T&.
-template <typename T,
- typename std::enable_if<internal::IsMoveOnlyType<T>::value &&
- !std::is_lvalue_reference<T>::value>::type* =
- nullptr>
-static inline internal::PassedWrapper<T> Passed(T&& scoper) {
- return internal::PassedWrapper<T>(std::move(scoper));
-}
-template <typename T,
- typename std::enable_if<internal::IsMoveOnlyType<T>::value>::type* =
- nullptr>
-static inline internal::PassedWrapper<T> Passed(T* scoper) {
- return internal::PassedWrapper<T>(std::move(*scoper));
-}
-
-template <typename T>
-static inline internal::IgnoreResultHelper<T> IgnoreResult(T data) {
- return internal::IgnoreResultHelper<T>(data);
-}
-
-template <typename T>
-static inline internal::IgnoreResultHelper<Callback<T> >
-IgnoreResult(const Callback<T>& data) {
- return internal::IgnoreResultHelper<Callback<T> >(data);
-}
-
-BASE_EXPORT void DoNothing();
-
-template<typename T>
-void DeletePointer(T* obj) {
- delete obj;
-}
-
-} // namespace base
-
-#endif // BASE_BIND_HELPERS_H_
diff --git a/security/sandbox/chromium/base/bind_internal.h b/security/sandbox/chromium/base/bind_internal.h
deleted file mode 100644
index ac7cd0098..000000000
--- a/security/sandbox/chromium/base/bind_internal.h
+++ /dev/null
@@ -1,425 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_BIND_INTERNAL_H_
-#define BASE_BIND_INTERNAL_H_
-
-#include <stddef.h>
-
-#include <type_traits>
-
-#include "base/bind_helpers.h"
-#include "base/callback_internal.h"
-#include "base/memory/raw_scoped_refptr_mismatch_checker.h"
-#include "base/memory/weak_ptr.h"
-#include "base/template_util.h"
-#include "base/tuple.h"
-#include "build/build_config.h"
-
-#if defined(OS_WIN)
-#include "base/bind_internal_win.h"
-#endif
-
-namespace base {
-namespace internal {
-
-// See base/callback.h for user documentation.
-//
-//
-// CONCEPTS:
-// Runnable -- A type (really a type class) that has a single Run() method
-// and a RunType typedef that corresponds to the type of Run().
-// A Runnable can declare that it should treated like a method
-// call by including a typedef named IsMethod. The value of
-// this typedef is NOT inspected, only the existence. When a
-// Runnable declares itself a method, Bind() will enforce special
-// refcounting + WeakPtr handling semantics for the first
-// parameter which is expected to be an object.
-// Functor -- A copyable type representing something that should be called.
-// All function pointers, Callback<>, and Runnables are functors
-// even if the invocation syntax differs.
-// RunType -- A function type (as opposed to function _pointer_ type) for
-// a Run() function. Usually just a convenience typedef.
-// (Bound)Args -- A set of types that stores the arguments.
-//
-// Types:
-// RunnableAdapter<> -- Wraps the various "function" pointer types into an
-// object that adheres to the Runnable interface.
-// ForceVoidReturn<> -- Helper class for translating function signatures to
-// equivalent forms with a "void" return type.
-// FunctorTraits<> -- Type traits used determine the correct RunType and
-// RunnableType for a Functor. This is where function
-// signature adapters are applied.
-// MakeRunnable<> -- Takes a Functor and returns an object in the Runnable
-// type class that represents the underlying Functor.
-// InvokeHelper<> -- Take a Runnable + arguments and actully invokes it.
-// Handle the differing syntaxes needed for WeakPtr<>
-// support, and for ignoring return values. This is separate
-// from Invoker to avoid creating multiple version of
-// Invoker<>.
-// Invoker<> -- Unwraps the curried parameters and executes the Runnable.
-// BindState<> -- Stores the curried parameters, and is the main entry point
-// into the Bind() system, doing most of the type resolution.
-// There are ARITY BindState types.
-
-// HasNonConstReferenceParam selects true_type when any of the parameters in
-// |Sig| is a non-const reference.
-// Implementation note: This non-specialized case handles zero-arity case only.
-// Non-zero-arity cases should be handled by the specialization below.
-template <typename List>
-struct HasNonConstReferenceItem : false_type {};
-
-// Implementation note: Select true_type if the first parameter is a non-const
-// reference. Otherwise, skip the first parameter and check rest of parameters
-// recursively.
-template <typename T, typename... Args>
-struct HasNonConstReferenceItem<TypeList<T, Args...>>
- : std::conditional<is_non_const_reference<T>::value,
- true_type,
- HasNonConstReferenceItem<TypeList<Args...>>>::type {};
-
-// HasRefCountedTypeAsRawPtr selects true_type when any of the |Args| is a raw
-// pointer to a RefCounted type.
-// Implementation note: This non-specialized case handles zero-arity case only.
-// Non-zero-arity cases should be handled by the specialization below.
-template <typename... Args>
-struct HasRefCountedTypeAsRawPtr : false_type {};
-
-// Implementation note: Select true_type if the first parameter is a raw pointer
-// to a RefCounted type. Otherwise, skip the first parameter and check rest of
-// parameters recursively.
-template <typename T, typename... Args>
-struct HasRefCountedTypeAsRawPtr<T, Args...>
- : std::conditional<NeedsScopedRefptrButGetsRawPtr<T>::value,
- true_type,
- HasRefCountedTypeAsRawPtr<Args...>>::type {};
-
-// BindsArrayToFirstArg selects true_type when |is_method| is true and the first
-// item of |Args| is an array type.
-// Implementation note: This non-specialized case handles !is_method case and
-// zero-arity case only. Other cases should be handled by the specialization
-// below.
-template <bool is_method, typename... Args>
-struct BindsArrayToFirstArg : false_type {};
-
-template <typename T, typename... Args>
-struct BindsArrayToFirstArg<true, T, Args...> : is_array<T> {};
-
-// HasRefCountedParamAsRawPtr is the same to HasRefCountedTypeAsRawPtr except
-// when |is_method| is true HasRefCountedParamAsRawPtr skips the first argument.
-// Implementation note: This non-specialized case handles !is_method case and
-// zero-arity case only. Other cases should be handled by the specialization
-// below.
-template <bool is_method, typename... Args>
-struct HasRefCountedParamAsRawPtr : HasRefCountedTypeAsRawPtr<Args...> {};
-
-template <typename T, typename... Args>
-struct HasRefCountedParamAsRawPtr<true, T, Args...>
- : HasRefCountedTypeAsRawPtr<Args...> {};
-
-// RunnableAdapter<>
-//
-// The RunnableAdapter<> templates provide a uniform interface for invoking
-// a function pointer, method pointer, or const method pointer. The adapter
-// exposes a Run() method with an appropriate signature. Using this wrapper
-// allows for writing code that supports all three pointer types without
-// undue repetition. Without it, a lot of code would need to be repeated 3
-// times.
-//
-// For method pointers and const method pointers the first argument to Run()
-// is considered to be the received of the method. This is similar to STL's
-// mem_fun().
-//
-// This class also exposes a RunType typedef that is the function type of the
-// Run() function.
-//
-// If and only if the wrapper contains a method or const method pointer, an
-// IsMethod typedef is exposed. The existence of this typedef (NOT the value)
-// marks that the wrapper should be considered a method wrapper.
-
-template <typename Functor>
-class RunnableAdapter;
-
-// Function.
-template <typename R, typename... Args>
-class RunnableAdapter<R(*)(Args...)> {
- public:
- // MSVC 2013 doesn't support Type Alias of function types.
- // Revisit this after we update it to newer version.
- typedef R RunType(Args...);
-
- explicit RunnableAdapter(R(*function)(Args...))
- : function_(function) {
- }
-
- R Run(typename CallbackParamTraits<Args>::ForwardType... args) {
- return function_(CallbackForward(args)...);
- }
-
- private:
- R (*function_)(Args...);
-};
-
-// Method.
-template <typename R, typename T, typename... Args>
-class RunnableAdapter<R(T::*)(Args...)> {
- public:
- // MSVC 2013 doesn't support Type Alias of function types.
- // Revisit this after we update it to newer version.
- typedef R RunType(T*, Args...);
- using IsMethod = true_type;
-
- explicit RunnableAdapter(R(T::*method)(Args...))
- : method_(method) {
- }
-
- R Run(T* object, typename CallbackParamTraits<Args>::ForwardType... args) {
- return (object->*method_)(CallbackForward(args)...);
- }
-
- private:
- R (T::*method_)(Args...);
-};
-
-// Const Method.
-template <typename R, typename T, typename... Args>
-class RunnableAdapter<R(T::*)(Args...) const> {
- public:
- using RunType = R(const T*, Args...);
- using IsMethod = true_type;
-
- explicit RunnableAdapter(R(T::*method)(Args...) const)
- : method_(method) {
- }
-
- R Run(const T* object,
- typename CallbackParamTraits<Args>::ForwardType... args) {
- return (object->*method_)(CallbackForward(args)...);
- }
-
- private:
- R (T::*method_)(Args...) const;
-};
-
-
-// ForceVoidReturn<>
-//
-// Set of templates that support forcing the function return type to void.
-template <typename Sig>
-struct ForceVoidReturn;
-
-template <typename R, typename... Args>
-struct ForceVoidReturn<R(Args...)> {
- // MSVC 2013 doesn't support Type Alias of function types.
- // Revisit this after we update it to newer version.
- typedef void RunType(Args...);
-};
-
-
-// FunctorTraits<>
-//
-// See description at top of file.
-template <typename T>
-struct FunctorTraits {
- using RunnableType = RunnableAdapter<T>;
- using RunType = typename RunnableType::RunType;
-};
-
-template <typename T>
-struct FunctorTraits<IgnoreResultHelper<T>> {
- using RunnableType = typename FunctorTraits<T>::RunnableType;
- using RunType =
- typename ForceVoidReturn<typename RunnableType::RunType>::RunType;
-};
-
-template <typename T>
-struct FunctorTraits<Callback<T>> {
- using RunnableType = Callback<T> ;
- using RunType = typename Callback<T>::RunType;
-};
-
-
-// MakeRunnable<>
-//
-// Converts a passed in functor to a RunnableType using type inference.
-
-template <typename T>
-typename FunctorTraits<T>::RunnableType MakeRunnable(const T& t) {
- return RunnableAdapter<T>(t);
-}
-
-template <typename T>
-typename FunctorTraits<T>::RunnableType
-MakeRunnable(const IgnoreResultHelper<T>& t) {
- return MakeRunnable(t.functor_);
-}
-
-template <typename T>
-const typename FunctorTraits<Callback<T>>::RunnableType&
-MakeRunnable(const Callback<T>& t) {
- DCHECK(!t.is_null());
- return t;
-}
-
-
-// InvokeHelper<>
-//
-// There are 3 logical InvokeHelper<> specializations: normal, void-return,
-// WeakCalls.
-//
-// The normal type just calls the underlying runnable.
-//
-// We need a InvokeHelper to handle void return types in order to support
-// IgnoreResult(). Normally, if the Runnable's RunType had a void return,
-// the template system would just accept "return functor.Run()" ignoring
-// the fact that a void function is being used with return. This piece of
-// sugar breaks though when the Runnable's RunType is not void. Thus, we
-// need a partial specialization to change the syntax to drop the "return"
-// from the invocation call.
-//
-// WeakCalls similarly need special syntax that is applied to the first
-// argument to check if they should no-op themselves.
-template <bool IsWeakCall, typename ReturnType, typename Runnable,
- typename ArgsType>
-struct InvokeHelper;
-
-template <typename ReturnType, typename Runnable, typename... Args>
-struct InvokeHelper<false, ReturnType, Runnable, TypeList<Args...>> {
- static ReturnType MakeItSo(Runnable runnable, Args... args) {
- return runnable.Run(CallbackForward(args)...);
- }
-};
-
-template <typename Runnable, typename... Args>
-struct InvokeHelper<false, void, Runnable, TypeList<Args...>> {
- static void MakeItSo(Runnable runnable, Args... args) {
- runnable.Run(CallbackForward(args)...);
- }
-};
-
-template <typename Runnable, typename BoundWeakPtr, typename... Args>
-struct InvokeHelper<true, void, Runnable, TypeList<BoundWeakPtr, Args...>> {
- static void MakeItSo(Runnable runnable, BoundWeakPtr weak_ptr, Args... args) {
- if (!weak_ptr.get()) {
- return;
- }
- runnable.Run(weak_ptr.get(), CallbackForward(args)...);
- }
-};
-
-#if !defined(_MSC_VER)
-
-template <typename ReturnType, typename Runnable, typename ArgsType>
-struct InvokeHelper<true, ReturnType, Runnable, ArgsType> {
- // WeakCalls are only supported for functions with a void return type.
- // Otherwise, the function result would be undefined if the the WeakPtr<>
- // is invalidated.
- static_assert(is_void<ReturnType>::value,
- "weak_ptrs can only bind to methods without return values");
-};
-
-#endif
-
-// Invoker<>
-//
-// See description at the top of the file.
-template <typename BoundIndices,
- typename StorageType, typename Unwrappers,
- typename InvokeHelperType, typename UnboundForwardRunType>
-struct Invoker;
-
-template <size_t... bound_indices,
- typename StorageType,
- typename... Unwrappers,
- typename InvokeHelperType,
- typename R,
- typename... UnboundForwardArgs>
-struct Invoker<IndexSequence<bound_indices...>,
- StorageType, TypeList<Unwrappers...>,
- InvokeHelperType, R(UnboundForwardArgs...)> {
- static R Run(BindStateBase* base,
- UnboundForwardArgs... unbound_args) {
- StorageType* storage = static_cast<StorageType*>(base);
- // Local references to make debugger stepping easier. If in a debugger,
- // you really want to warp ahead and step through the
- // InvokeHelper<>::MakeItSo() call below.
- return InvokeHelperType::MakeItSo(
- storage->runnable_,
- Unwrappers::Unwrap(get<bound_indices>(storage->bound_args_))...,
- CallbackForward(unbound_args)...);
- }
-};
-
-
-// BindState<>
-//
-// This stores all the state passed into Bind() and is also where most
-// of the template resolution magic occurs.
-//
-// Runnable is the functor we are binding arguments to.
-// RunType is type of the Run() function that the Invoker<> should use.
-// Normally, this is the same as the RunType of the Runnable, but it can
-// be different if an adapter like IgnoreResult() has been used.
-//
-// BoundArgs contains the storage type for all the bound arguments.
-template <typename Runnable, typename RunType, typename... BoundArgs>
-struct BindState;
-
-template <typename Runnable,
- typename R,
- typename... Args,
- typename... BoundArgs>
-struct BindState<Runnable, R(Args...), BoundArgs...> final
- : public BindStateBase {
- private:
- using StorageType = BindState<Runnable, R(Args...), BoundArgs...>;
- using RunnableType = Runnable;
-
- // true_type if Runnable is a method invocation and the first bound argument
- // is a WeakPtr.
- using IsWeakCall =
- IsWeakMethod<HasIsMethodTag<Runnable>::value, BoundArgs...>;
-
- using BoundIndices = MakeIndexSequence<sizeof...(BoundArgs)>;
- using Unwrappers = TypeList<UnwrapTraits<BoundArgs>...>;
- using UnboundForwardArgs = DropTypeListItem<
- sizeof...(BoundArgs),
- TypeList<typename CallbackParamTraits<Args>::ForwardType...>>;
- using UnboundForwardRunType = MakeFunctionType<R, UnboundForwardArgs>;
-
- using InvokeHelperArgs = ConcatTypeLists<
- TypeList<typename UnwrapTraits<BoundArgs>::ForwardType...>,
- UnboundForwardArgs>;
- using InvokeHelperType =
- InvokeHelper<IsWeakCall::value, R, Runnable, InvokeHelperArgs>;
-
- using UnboundArgs = DropTypeListItem<sizeof...(BoundArgs), TypeList<Args...>>;
-
- public:
- using InvokerType = Invoker<BoundIndices, StorageType, Unwrappers,
- InvokeHelperType, UnboundForwardRunType>;
- using UnboundRunType = MakeFunctionType<R, UnboundArgs>;
-
- BindState(const Runnable& runnable, const BoundArgs&... bound_args)
- : BindStateBase(&Destroy),
- runnable_(runnable),
- ref_(bound_args...),
- bound_args_(bound_args...) {}
-
- RunnableType runnable_;
- MaybeScopedRefPtr<HasIsMethodTag<Runnable>::value, BoundArgs...> ref_;
- Tuple<BoundArgs...> bound_args_;
-
- private:
- ~BindState() {}
-
- static void Destroy(BindStateBase* self) {
- delete static_cast<BindState*>(self);
- }
-};
-
-} // namespace internal
-} // namespace base
-
-#endif // BASE_BIND_INTERNAL_H_
diff --git a/security/sandbox/chromium/base/bind_internal_win.h b/security/sandbox/chromium/base/bind_internal_win.h
deleted file mode 100644
index 2ee12ef21..000000000
--- a/security/sandbox/chromium/base/bind_internal_win.h
+++ /dev/null
@@ -1,69 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Specializations of RunnableAdapter<> for Windows specific calling
-// conventions. Please see base/bind_internal.h for more info.
-
-#ifndef BASE_BIND_INTERNAL_WIN_H_
-#define BASE_BIND_INTERNAL_WIN_H_
-
-#include "build/build_config.h"
-
-// In the x64 architecture in Windows, __fastcall, __stdcall, etc, are all
-// the same as __cdecl which would turn the following specializations into
-// multiple definitions.
-#if !defined(ARCH_CPU_X86_64)
-
-namespace base {
-namespace internal {
-
-template <typename Functor>
-class RunnableAdapter;
-
-// __stdcall Function.
-template <typename R, typename... Args>
-class RunnableAdapter<R(__stdcall *)(Args...)> {
- public:
- // MSVC 2013 doesn't support Type Alias of function types.
- // Revisit this after we update it to newer version.
- typedef R RunType(Args...);
-
- explicit RunnableAdapter(R(__stdcall *function)(Args...))
- : function_(function) {
- }
-
- R Run(typename CallbackParamTraits<Args>::ForwardType... args) {
- return function_(args...);
- }
-
- private:
- R (__stdcall *function_)(Args...);
-};
-
-// __fastcall Function.
-template <typename R, typename... Args>
-class RunnableAdapter<R(__fastcall *)(Args...)> {
- public:
- // MSVC 2013 doesn't support Type Alias of function types.
- // Revisit this after we update it to newer version.
- typedef R RunType(Args...);
-
- explicit RunnableAdapter(R(__fastcall *function)(Args...))
- : function_(function) {
- }
-
- R Run(typename CallbackParamTraits<Args>::ForwardType... args) {
- return function_(args...);
- }
-
- private:
- R (__fastcall *function_)(Args...);
-};
-
-} // namespace internal
-} // namespace base
-
-#endif // !defined(ARCH_CPU_X86_64)
-
-#endif // BASE_BIND_INTERNAL_WIN_H_
diff --git a/security/sandbox/chromium/base/bit_cast.h b/security/sandbox/chromium/base/bit_cast.h
deleted file mode 100644
index b548467e7..000000000
--- a/security/sandbox/chromium/base/bit_cast.h
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright 2016 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_BIT_CAST_H_
-#define BASE_BIT_CAST_H_
-
-#include <string.h>
-
-// bit_cast<Dest,Source> is a template function that implements the equivalent
-// of "*reinterpret_cast<Dest*>(&source)". We need this in very low-level
-// functions like the protobuf library and fast math support.
-//
-// float f = 3.14159265358979;
-// int i = bit_cast<int32_t>(f);
-// // i = 0x40490fdb
-//
-// The classical address-casting method is:
-//
-// // WRONG
-// float f = 3.14159265358979; // WRONG
-// int i = * reinterpret_cast<int*>(&f); // WRONG
-//
-// The address-casting method actually produces undefined behavior according to
-// the ISO C++98 specification, section 3.10 ("basic.lval"), paragraph 15.
-// (This did not substantially change in C++11.) Roughly, this section says: if
-// an object in memory has one type, and a program accesses it with a different
-// type, then the result is undefined behavior for most values of "different
-// type".
-//
-// This is true for any cast syntax, either *(int*)&f or
-// *reinterpret_cast<int*>(&f). And it is particularly true for conversions
-// between integral lvalues and floating-point lvalues.
-//
-// The purpose of this paragraph is to allow optimizing compilers to assume that
-// expressions with different types refer to different memory. Compilers are
-// known to take advantage of this. So a non-conforming program quietly
-// produces wildly incorrect output.
-//
-// The problem is not the use of reinterpret_cast. The problem is type punning:
-// holding an object in memory of one type and reading its bits back using a
-// different type.
-//
-// The C++ standard is more subtle and complex than this, but that is the basic
-// idea.
-//
-// Anyways ...
-//
-// bit_cast<> calls memcpy() which is blessed by the standard, especially by the
-// example in section 3.9 . Also, of course, bit_cast<> wraps up the nasty
-// logic in one place.
-//
-// Fortunately memcpy() is very fast. In optimized mode, compilers replace
-// calls to memcpy() with inline object code when the size argument is a
-// compile-time constant. On a 32-bit system, memcpy(d,s,4) compiles to one
-// load and one store, and memcpy(d,s,8) compiles to two loads and two stores.
-//
-// WARNING: if Dest or Source is a non-POD type, the result of the memcpy
-// is likely to surprise you.
-
-template <class Dest, class Source>
-inline Dest bit_cast(const Source& source) {
- static_assert(sizeof(Dest) == sizeof(Source),
- "bit_cast requires source and destination to be the same size");
-
- Dest dest;
- memcpy(&dest, &source, sizeof(dest));
- return dest;
-}
-
-#endif // BASE_BIT_CAST_H_
diff --git a/security/sandbox/chromium/base/callback.h b/security/sandbox/chromium/base/callback.h
deleted file mode 100644
index 3bf0008b6..000000000
--- a/security/sandbox/chromium/base/callback.h
+++ /dev/null
@@ -1,405 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_CALLBACK_H_
-#define BASE_CALLBACK_H_
-
-#include "base/callback_forward.h"
-#include "base/callback_internal.h"
-#include "base/template_util.h"
-
-// NOTE: Header files that do not require the full definition of Callback or
-// Closure should #include "base/callback_forward.h" instead of this file.
-
-// -----------------------------------------------------------------------------
-// Introduction
-// -----------------------------------------------------------------------------
-//
-// The templated Callback class is a generalized function object. Together
-// with the Bind() function in bind.h, they provide a type-safe method for
-// performing partial application of functions.
-//
-// Partial application (or "currying") is the process of binding a subset of
-// a function's arguments to produce another function that takes fewer
-// arguments. This can be used to pass around a unit of delayed execution,
-// much like lexical closures are used in other languages. For example, it
-// is used in Chromium code to schedule tasks on different MessageLoops.
-//
-// A callback with no unbound input parameters (base::Callback<void()>)
-// is called a base::Closure. Note that this is NOT the same as what other
-// languages refer to as a closure -- it does not retain a reference to its
-// enclosing environment.
-//
-// MEMORY MANAGEMENT AND PASSING
-//
-// The Callback objects themselves should be passed by const-reference, and
-// stored by copy. They internally store their state via a refcounted class
-// and thus do not need to be deleted.
-//
-// The reason to pass via a const-reference is to avoid unnecessary
-// AddRef/Release pairs to the internal state.
-//
-//
-// -----------------------------------------------------------------------------
-// Quick reference for basic stuff
-// -----------------------------------------------------------------------------
-//
-// BINDING A BARE FUNCTION
-//
-// int Return5() { return 5; }
-// base::Callback<int()> func_cb = base::Bind(&Return5);
-// LOG(INFO) << func_cb.Run(); // Prints 5.
-//
-// BINDING A CLASS METHOD
-//
-// The first argument to bind is the member function to call, the second is
-// the object on which to call it.
-//
-// class Ref : public base::RefCountedThreadSafe<Ref> {
-// public:
-// int Foo() { return 3; }
-// void PrintBye() { LOG(INFO) << "bye."; }
-// };
-// scoped_refptr<Ref> ref = new Ref();
-// base::Callback<void()> ref_cb = base::Bind(&Ref::Foo, ref);
-// LOG(INFO) << ref_cb.Run(); // Prints out 3.
-//
-// By default the object must support RefCounted or you will get a compiler
-// error. If you're passing between threads, be sure it's
-// RefCountedThreadSafe! See "Advanced binding of member functions" below if
-// you don't want to use reference counting.
-//
-// RUNNING A CALLBACK
-//
-// Callbacks can be run with their "Run" method, which has the same
-// signature as the template argument to the callback.
-//
-// void DoSomething(const base::Callback<void(int, std::string)>& callback) {
-// callback.Run(5, "hello");
-// }
-//
-// Callbacks can be run more than once (they don't get deleted or marked when
-// run). However, this precludes using base::Passed (see below).
-//
-// void DoSomething(const base::Callback<double(double)>& callback) {
-// double myresult = callback.Run(3.14159);
-// myresult += callback.Run(2.71828);
-// }
-//
-// PASSING UNBOUND INPUT PARAMETERS
-//
-// Unbound parameters are specified at the time a callback is Run(). They are
-// specified in the Callback template type:
-//
-// void MyFunc(int i, const std::string& str) {}
-// base::Callback<void(int, const std::string&)> cb = base::Bind(&MyFunc);
-// cb.Run(23, "hello, world");
-//
-// PASSING BOUND INPUT PARAMETERS
-//
-// Bound parameters are specified when you create thee callback as arguments
-// to Bind(). They will be passed to the function and the Run()ner of the
-// callback doesn't see those values or even know that the function it's
-// calling.
-//
-// void MyFunc(int i, const std::string& str) {}
-// base::Callback<void()> cb = base::Bind(&MyFunc, 23, "hello world");
-// cb.Run();
-//
-// A callback with no unbound input parameters (base::Callback<void()>)
-// is called a base::Closure. So we could have also written:
-//
-// base::Closure cb = base::Bind(&MyFunc, 23, "hello world");
-//
-// When calling member functions, bound parameters just go after the object
-// pointer.
-//
-// base::Closure cb = base::Bind(&MyClass::MyFunc, this, 23, "hello world");
-//
-// PARTIAL BINDING OF PARAMETERS
-//
-// You can specify some parameters when you create the callback, and specify
-// the rest when you execute the callback.
-//
-// void MyFunc(int i, const std::string& str) {}
-// base::Callback<void(const std::string&)> cb = base::Bind(&MyFunc, 23);
-// cb.Run("hello world");
-//
-// When calling a function bound parameters are first, followed by unbound
-// parameters.
-//
-//
-// -----------------------------------------------------------------------------
-// Quick reference for advanced binding
-// -----------------------------------------------------------------------------
-//
-// BINDING A CLASS METHOD WITH WEAK POINTERS
-//
-// base::Bind(&MyClass::Foo, GetWeakPtr());
-//
-// The callback will not be run if the object has already been destroyed.
-// DANGER: weak pointers are not threadsafe, so don't use this
-// when passing between threads!
-//
-// BINDING A CLASS METHOD WITH MANUAL LIFETIME MANAGEMENT
-//
-// base::Bind(&MyClass::Foo, base::Unretained(this));
-//
-// This disables all lifetime management on the object. You're responsible
-// for making sure the object is alive at the time of the call. You break it,
-// you own it!
-//
-// BINDING A CLASS METHOD AND HAVING THE CALLBACK OWN THE CLASS
-//
-// MyClass* myclass = new MyClass;
-// base::Bind(&MyClass::Foo, base::Owned(myclass));
-//
-// The object will be deleted when the callback is destroyed, even if it's
-// not run (like if you post a task during shutdown). Potentially useful for
-// "fire and forget" cases.
-//
-// IGNORING RETURN VALUES
-//
-// Sometimes you want to call a function that returns a value in a callback
-// that doesn't expect a return value.
-//
-// int DoSomething(int arg) { cout << arg << endl; }
-// base::Callback<void(int)> cb =
-// base::Bind(base::IgnoreResult(&DoSomething));
-//
-//
-// -----------------------------------------------------------------------------
-// Quick reference for binding parameters to Bind()
-// -----------------------------------------------------------------------------
-//
-// Bound parameters are specified as arguments to Bind() and are passed to the
-// function. A callback with no parameters or no unbound parameters is called a
-// Closure (base::Callback<void()> and base::Closure are the same thing).
-//
-// PASSING PARAMETERS OWNED BY THE CALLBACK
-//
-// void Foo(int* arg) { cout << *arg << endl; }
-// int* pn = new int(1);
-// base::Closure foo_callback = base::Bind(&foo, base::Owned(pn));
-//
-// The parameter will be deleted when the callback is destroyed, even if it's
-// not run (like if you post a task during shutdown).
-//
-// PASSING PARAMETERS AS A scoped_ptr
-//
-// void TakesOwnership(scoped_ptr<Foo> arg) {}
-// scoped_ptr<Foo> f(new Foo);
-// // f becomes null during the following call.
-// base::Closure cb = base::Bind(&TakesOwnership, base::Passed(&f));
-//
-// Ownership of the parameter will be with the callback until the it is run,
-// when ownership is passed to the callback function. This means the callback
-// can only be run once. If the callback is never run, it will delete the
-// object when it's destroyed.
-//
-// PASSING PARAMETERS AS A scoped_refptr
-//
-// void TakesOneRef(scoped_refptr<Foo> arg) {}
-// scoped_refptr<Foo> f(new Foo)
-// base::Closure cb = base::Bind(&TakesOneRef, f);
-//
-// This should "just work." The closure will take a reference as long as it
-// is alive, and another reference will be taken for the called function.
-//
-// PASSING PARAMETERS BY REFERENCE
-//
-// Const references are *copied* unless ConstRef is used. Example:
-//
-// void foo(const int& arg) { printf("%d %p\n", arg, &arg); }
-// int n = 1;
-// base::Closure has_copy = base::Bind(&foo, n);
-// base::Closure has_ref = base::Bind(&foo, base::ConstRef(n));
-// n = 2;
-// foo(n); // Prints "2 0xaaaaaaaaaaaa"
-// has_copy.Run(); // Prints "1 0xbbbbbbbbbbbb"
-// has_ref.Run(); // Prints "2 0xaaaaaaaaaaaa"
-//
-// Normally parameters are copied in the closure. DANGER: ConstRef stores a
-// const reference instead, referencing the original parameter. This means
-// that you must ensure the object outlives the callback!
-//
-//
-// -----------------------------------------------------------------------------
-// Implementation notes
-// -----------------------------------------------------------------------------
-//
-// WHERE IS THIS DESIGN FROM:
-//
-// The design Callback and Bind is heavily influenced by C++'s
-// tr1::function/tr1::bind, and by the "Google Callback" system used inside
-// Google.
-//
-//
-// HOW THE IMPLEMENTATION WORKS:
-//
-// There are three main components to the system:
-// 1) The Callback classes.
-// 2) The Bind() functions.
-// 3) The arguments wrappers (e.g., Unretained() and ConstRef()).
-//
-// The Callback classes represent a generic function pointer. Internally,
-// it stores a refcounted piece of state that represents the target function
-// and all its bound parameters. Each Callback specialization has a templated
-// constructor that takes an BindState<>*. In the context of the constructor,
-// the static type of this BindState<> pointer uniquely identifies the
-// function it is representing, all its bound parameters, and a Run() method
-// that is capable of invoking the target.
-//
-// Callback's constructor takes the BindState<>* that has the full static type
-// and erases the target function type as well as the types of the bound
-// parameters. It does this by storing a pointer to the specific Run()
-// function, and upcasting the state of BindState<>* to a
-// BindStateBase*. This is safe as long as this BindStateBase pointer
-// is only used with the stored Run() pointer.
-//
-// To BindState<> objects are created inside the Bind() functions.
-// These functions, along with a set of internal templates, are responsible for
-//
-// - Unwrapping the function signature into return type, and parameters
-// - Determining the number of parameters that are bound
-// - Creating the BindState storing the bound parameters
-// - Performing compile-time asserts to avoid error-prone behavior
-// - Returning an Callback<> with an arity matching the number of unbound
-// parameters and that knows the correct refcounting semantics for the
-// target object if we are binding a method.
-//
-// The Bind functions do the above using type-inference, and template
-// specializations.
-//
-// By default Bind() will store copies of all bound parameters, and attempt
-// to refcount a target object if the function being bound is a class method.
-// These copies are created even if the function takes parameters as const
-// references. (Binding to non-const references is forbidden, see bind.h.)
-//
-// To change this behavior, we introduce a set of argument wrappers
-// (e.g., Unretained(), and ConstRef()). These are simple container templates
-// that are passed by value, and wrap a pointer to argument. See the
-// file-level comment in base/bind_helpers.h for more info.
-//
-// These types are passed to the Unwrap() functions, and the MaybeRefcount()
-// functions respectively to modify the behavior of Bind(). The Unwrap()
-// and MaybeRefcount() functions change behavior by doing partial
-// specialization based on whether or not a parameter is a wrapper type.
-//
-// ConstRef() is similar to tr1::cref. Unretained() is specific to Chromium.
-//
-//
-// WHY NOT TR1 FUNCTION/BIND?
-//
-// Direct use of tr1::function and tr1::bind was considered, but ultimately
-// rejected because of the number of copy constructors invocations involved
-// in the binding of arguments during construction, and the forwarding of
-// arguments during invocation. These copies will no longer be an issue in
-// C++0x because C++0x will support rvalue reference allowing for the compiler
-// to avoid these copies. However, waiting for C++0x is not an option.
-//
-// Measured with valgrind on gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5), the
-// tr1::bind call itself will invoke a non-trivial copy constructor three times
-// for each bound parameter. Also, each when passing a tr1::function, each
-// bound argument will be copied again.
-//
-// In addition to the copies taken at binding and invocation, copying a
-// tr1::function causes a copy to be made of all the bound parameters and
-// state.
-//
-// Furthermore, in Chromium, it is desirable for the Callback to take a
-// reference on a target object when representing a class method call. This
-// is not supported by tr1.
-//
-// Lastly, tr1::function and tr1::bind has a more general and flexible API.
-// This includes things like argument reordering by use of
-// tr1::bind::placeholder, support for non-const reference parameters, and some
-// limited amount of subtyping of the tr1::function object (e.g.,
-// tr1::function<int(int)> is convertible to tr1::function<void(int)>).
-//
-// These are not features that are required in Chromium. Some of them, such as
-// allowing for reference parameters, and subtyping of functions, may actually
-// become a source of errors. Removing support for these features actually
-// allows for a simpler implementation, and a terser Currying API.
-//
-//
-// WHY NOT GOOGLE CALLBACKS?
-//
-// The Google callback system also does not support refcounting. Furthermore,
-// its implementation has a number of strange edge cases with respect to type
-// conversion of its arguments. In particular, the argument's constness must
-// at times match exactly the function signature, or the type-inference might
-// break. Given the above, writing a custom solution was easier.
-//
-//
-// MISSING FUNCTIONALITY
-// - Invoking the return of Bind. Bind(&foo).Run() does not work;
-// - Binding arrays to functions that take a non-const pointer.
-// Example:
-// void Foo(const char* ptr);
-// void Bar(char* ptr);
-// Bind(&Foo, "test");
-// Bind(&Bar, "test"); // This fails because ptr is not const.
-
-namespace base {
-
-// First, we forward declare the Callback class template. This informs the
-// compiler that the template only has 1 type parameter which is the function
-// signature that the Callback is representing.
-//
-// After this, create template specializations for 0-7 parameters. Note that
-// even though the template typelist grows, the specialization still
-// only has one type: the function signature.
-//
-// If you are thinking of forward declaring Callback in your own header file,
-// please include "base/callback_forward.h" instead.
-
-namespace internal {
-template <typename Runnable, typename RunType, typename... BoundArgsType>
-struct BindState;
-} // namespace internal
-
-template <typename R, typename... Args>
-class Callback<R(Args...)> : public internal::CallbackBase {
- public:
- // MSVC 2013 doesn't support Type Alias of function types.
- // Revisit this after we update it to newer version.
- typedef R RunType(Args...);
-
- Callback() : CallbackBase(nullptr) { }
-
- template <typename Runnable, typename BindRunType, typename... BoundArgsType>
- explicit Callback(
- internal::BindState<Runnable, BindRunType, BoundArgsType...>* bind_state)
- : CallbackBase(bind_state) {
- // Force the assignment to a local variable of PolymorphicInvoke
- // so the compiler will typecheck that the passed in Run() method has
- // the correct type.
- PolymorphicInvoke invoke_func =
- &internal::BindState<Runnable, BindRunType, BoundArgsType...>
- ::InvokerType::Run;
- polymorphic_invoke_ = reinterpret_cast<InvokeFuncStorage>(invoke_func);
- }
-
- bool Equals(const Callback& other) const {
- return CallbackBase::Equals(other);
- }
-
- R Run(typename internal::CallbackParamTraits<Args>::ForwardType... args)
- const {
- PolymorphicInvoke f =
- reinterpret_cast<PolymorphicInvoke>(polymorphic_invoke_);
-
- return f(bind_state_.get(), internal::CallbackForward(args)...);
- }
-
- private:
- using PolymorphicInvoke =
- R(*)(internal::BindStateBase*,
- typename internal::CallbackParamTraits<Args>::ForwardType...);
-};
-
-} // namespace base
-
-#endif // BASE_CALLBACK_H_
diff --git a/security/sandbox/chromium/base/callback_forward.h b/security/sandbox/chromium/base/callback_forward.h
deleted file mode 100644
index a9a263a50..000000000
--- a/security/sandbox/chromium/base/callback_forward.h
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_CALLBACK_FORWARD_H_
-#define BASE_CALLBACK_FORWARD_H_
-
-namespace base {
-
-template <typename Sig>
-class Callback;
-
-// Syntactic sugar to make Callback<void()> easier to declare since it
-// will be used in a lot of APIs with delayed execution.
-using Closure = Callback<void()>;
-
-} // namespace base
-
-#endif // BASE_CALLBACK_FORWARD_H_
diff --git a/security/sandbox/chromium/base/callback_internal.cc b/security/sandbox/chromium/base/callback_internal.cc
deleted file mode 100644
index 2553fe7e1..000000000
--- a/security/sandbox/chromium/base/callback_internal.cc
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/callback_internal.h"
-
-#include "base/logging.h"
-
-namespace base {
-namespace internal {
-
-void BindStateBase::AddRef() {
- AtomicRefCountInc(&ref_count_);
-}
-
-void BindStateBase::Release() {
- if (!AtomicRefCountDec(&ref_count_))
- destructor_(this);
-}
-
-CallbackBase::CallbackBase(const CallbackBase& c) = default;
-CallbackBase& CallbackBase::operator=(const CallbackBase& c) = default;
-
-void CallbackBase::Reset() {
- polymorphic_invoke_ = NULL;
- // NULL the bind_state_ last, since it may be holding the last ref to whatever
- // object owns us, and we may be deleted after that.
- bind_state_ = NULL;
-}
-
-bool CallbackBase::Equals(const CallbackBase& other) const {
- return bind_state_.get() == other.bind_state_.get() &&
- polymorphic_invoke_ == other.polymorphic_invoke_;
-}
-
-CallbackBase::CallbackBase(BindStateBase* bind_state)
- : bind_state_(bind_state),
- polymorphic_invoke_(NULL) {
- DCHECK(!bind_state_.get() || bind_state_->ref_count_ == 1);
-}
-
-CallbackBase::~CallbackBase() {
-}
-
-} // namespace internal
-} // namespace base
diff --git a/security/sandbox/chromium/base/callback_internal.h b/security/sandbox/chromium/base/callback_internal.h
deleted file mode 100644
index d1d8ab8ec..000000000
--- a/security/sandbox/chromium/base/callback_internal.h
+++ /dev/null
@@ -1,234 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file contains utility functions and classes that help the
-// implementation, and management of the Callback objects.
-
-#ifndef BASE_CALLBACK_INTERNAL_H_
-#define BASE_CALLBACK_INTERNAL_H_
-
-#include <stddef.h>
-#include <memory>
-#include <type_traits>
-
-#include "base/atomic_ref_count.h"
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/template_util.h"
-
-namespace base {
-namespace internal {
-class CallbackBase;
-
-// BindStateBase is used to provide an opaque handle that the Callback
-// class can use to represent a function object with bound arguments. It
-// behaves as an existential type that is used by a corresponding
-// DoInvoke function to perform the function execution. This allows
-// us to shield the Callback class from the types of the bound argument via
-// "type erasure."
-// At the base level, the only task is to add reference counting data. Don't use
-// RefCountedThreadSafe since it requires the destructor to be a virtual method.
-// Creating a vtable for every BindState template instantiation results in a lot
-// of bloat. Its only task is to call the destructor which can be done with a
-// function pointer.
-class BindStateBase {
- protected:
- explicit BindStateBase(void (*destructor)(BindStateBase*))
- : ref_count_(0), destructor_(destructor) {}
- ~BindStateBase() = default;
-
- private:
- friend class scoped_refptr<BindStateBase>;
- friend class CallbackBase;
-
- void AddRef();
- void Release();
-
- AtomicRefCount ref_count_;
-
- // Pointer to a function that will properly destroy |this|.
- void (*destructor_)(BindStateBase*);
-
- DISALLOW_COPY_AND_ASSIGN(BindStateBase);
-};
-
-// Holds the Callback methods that don't require specialization to reduce
-// template bloat.
-class BASE_EXPORT CallbackBase {
- public:
- CallbackBase(const CallbackBase& c);
- CallbackBase& operator=(const CallbackBase& c);
-
- // Returns true if Callback is null (doesn't refer to anything).
- bool is_null() const { return bind_state_.get() == NULL; }
-
- // Returns the Callback into an uninitialized state.
- void Reset();
-
- protected:
- // In C++, it is safe to cast function pointers to function pointers of
- // another type. It is not okay to use void*. We create a InvokeFuncStorage
- // that that can store our function pointer, and then cast it back to
- // the original type on usage.
- using InvokeFuncStorage = void(*)();
-
- // Returns true if this callback equals |other|. |other| may be null.
- bool Equals(const CallbackBase& other) const;
-
- // Allow initializing of |bind_state_| via the constructor to avoid default
- // initialization of the scoped_refptr. We do not also initialize
- // |polymorphic_invoke_| here because doing a normal assignment in the
- // derived Callback templates makes for much nicer compiler errors.
- explicit CallbackBase(BindStateBase* bind_state);
-
- // Force the destructor to be instantiated inside this translation unit so
- // that our subclasses will not get inlined versions. Avoids more template
- // bloat.
- ~CallbackBase();
-
- scoped_refptr<BindStateBase> bind_state_;
- InvokeFuncStorage polymorphic_invoke_;
-};
-
-// A helper template to determine if given type is non-const move-only-type,
-// i.e. if a value of the given type should be passed via std::move() in a
-// destructive way. Types are considered to be move-only if they have a
-// sentinel MoveOnlyTypeForCPP03 member: a class typically gets this from using
-// the DISALLOW_COPY_AND_ASSIGN_WITH_MOVE_FOR_BIND macro.
-// It would be easy to generalize this trait to all move-only types... but this
-// confuses template deduction in VS2013 with certain types such as
-// std::unique_ptr.
-// TODO(dcheng): Revisit this when Windows switches to VS2015 by default.
-template <typename T> struct IsMoveOnlyType {
- template <typename U>
- static YesType Test(const typename U::MoveOnlyTypeForCPP03*);
-
- template <typename U>
- static NoType Test(...);
-
- static const bool value = sizeof((Test<T>(0))) == sizeof(YesType) &&
- !is_const<T>::value;
-};
-
-// Specialization of IsMoveOnlyType so that std::unique_ptr is still considered
-// move-only, even without the sentinel member.
-template <typename T>
-struct IsMoveOnlyType<std::unique_ptr<T>> : std::true_type {};
-
-template <typename>
-struct CallbackParamTraitsForMoveOnlyType;
-
-template <typename>
-struct CallbackParamTraitsForNonMoveOnlyType;
-
-// TODO(tzik): Use a default parameter once MSVS supports variadic templates
-// with default values.
-// http://connect.microsoft.com/VisualStudio/feedbackdetail/view/957801/compilation-error-with-variadic-templates
-//
-// This is a typetraits object that's used to take an argument type, and
-// extract a suitable type for storing and forwarding arguments.
-//
-// In particular, it strips off references, and converts arrays to
-// pointers for storage; and it avoids accidentally trying to create a
-// "reference of a reference" if the argument is a reference type.
-//
-// This array type becomes an issue for storage because we are passing bound
-// parameters by const reference. In this case, we end up passing an actual
-// array type in the initializer list which C++ does not allow. This will
-// break passing of C-string literals.
-template <typename T>
-struct CallbackParamTraits
- : std::conditional<IsMoveOnlyType<T>::value,
- CallbackParamTraitsForMoveOnlyType<T>,
- CallbackParamTraitsForNonMoveOnlyType<T>>::type {
-};
-
-template <typename T>
-struct CallbackParamTraitsForNonMoveOnlyType {
- using ForwardType = const T&;
- using StorageType = T;
-};
-
-// The Storage should almost be impossible to trigger unless someone manually
-// specifies type of the bind parameters. However, in case they do,
-// this will guard against us accidentally storing a reference parameter.
-//
-// The ForwardType should only be used for unbound arguments.
-template <typename T>
-struct CallbackParamTraitsForNonMoveOnlyType<T&> {
- using ForwardType = T&;
- using StorageType = T;
-};
-
-// Note that for array types, we implicitly add a const in the conversion. This
-// means that it is not possible to bind array arguments to functions that take
-// a non-const pointer. Trying to specialize the template based on a "const
-// T[n]" does not seem to match correctly, so we are stuck with this
-// restriction.
-template <typename T, size_t n>
-struct CallbackParamTraitsForNonMoveOnlyType<T[n]> {
- using ForwardType = const T*;
- using StorageType = const T*;
-};
-
-// See comment for CallbackParamTraits<T[n]>.
-template <typename T>
-struct CallbackParamTraitsForNonMoveOnlyType<T[]> {
- using ForwardType = const T*;
- using StorageType = const T*;
-};
-
-// Parameter traits for movable-but-not-copyable scopers.
-//
-// Callback<>/Bind() understands movable-but-not-copyable semantics where
-// the type cannot be copied but can still have its state destructively
-// transferred (aka. moved) to another instance of the same type by calling a
-// helper function. When used with Bind(), this signifies transferal of the
-// object's state to the target function.
-//
-// For these types, the ForwardType must not be a const reference, or a
-// reference. A const reference is inappropriate, and would break const
-// correctness, because we are implementing a destructive move. A non-const
-// reference cannot be used with temporaries which means the result of a
-// function or a cast would not be usable with Callback<> or Bind().
-template <typename T>
-struct CallbackParamTraitsForMoveOnlyType {
- using ForwardType = T;
- using StorageType = T;
-};
-
-// CallbackForward() is a very limited simulation of C++11's std::forward()
-// used by the Callback/Bind system for a set of movable-but-not-copyable
-// types. It is needed because forwarding a movable-but-not-copyable
-// argument to another function requires us to invoke the proper move
-// operator to create a rvalue version of the type. The supported types are
-// whitelisted below as overloads of the CallbackForward() function. The
-// default template compiles out to be a no-op.
-//
-// In C++11, std::forward would replace all uses of this function. However, it
-// is impossible to implement a general std::forward without C++11 due to a lack
-// of rvalue references.
-//
-// In addition to Callback/Bind, this is used by PostTaskAndReplyWithResult to
-// simulate std::forward() and forward the result of one Callback as a
-// parameter to another callback. This is to support Callbacks that return
-// the movable-but-not-copyable types whitelisted above.
-template <typename T>
-typename std::enable_if<!IsMoveOnlyType<T>::value, T>::type& CallbackForward(
- T& t) {
- return t;
-}
-
-template <typename T>
-typename std::enable_if<IsMoveOnlyType<T>::value, T>::type CallbackForward(
- T& t) {
- return std::move(t);
-}
-
-} // namespace internal
-} // namespace base
-
-#endif // BASE_CALLBACK_INTERNAL_H_
diff --git a/security/sandbox/chromium/base/compiler_specific.h b/security/sandbox/chromium/base/compiler_specific.h
deleted file mode 100644
index 339e9b74e..000000000
--- a/security/sandbox/chromium/base/compiler_specific.h
+++ /dev/null
@@ -1,190 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_COMPILER_SPECIFIC_H_
-#define BASE_COMPILER_SPECIFIC_H_
-
-#include "build/build_config.h"
-
-#if defined(COMPILER_MSVC)
-
-// For _Printf_format_string_.
-#include <sal.h>
-
-// Macros for suppressing and disabling warnings on MSVC.
-//
-// Warning numbers are enumerated at:
-// http://msdn.microsoft.com/en-us/library/8x5x43k7(VS.80).aspx
-//
-// The warning pragma:
-// http://msdn.microsoft.com/en-us/library/2c8f766e(VS.80).aspx
-//
-// Using __pragma instead of #pragma inside macros:
-// http://msdn.microsoft.com/en-us/library/d9x1s805.aspx
-
-// MSVC_SUPPRESS_WARNING disables warning |n| for the remainder of the line and
-// for the next line of the source file.
-#define MSVC_SUPPRESS_WARNING(n) __pragma(warning(suppress:n))
-
-// MSVC_PUSH_DISABLE_WARNING pushes |n| onto a stack of warnings to be disabled.
-// The warning remains disabled until popped by MSVC_POP_WARNING.
-#define MSVC_PUSH_DISABLE_WARNING(n) __pragma(warning(push)) \
- __pragma(warning(disable:n))
-
-// MSVC_PUSH_WARNING_LEVEL pushes |n| as the global warning level. The level
-// remains in effect until popped by MSVC_POP_WARNING(). Use 0 to disable all
-// warnings.
-#define MSVC_PUSH_WARNING_LEVEL(n) __pragma(warning(push, n))
-
-// Pop effects of innermost MSVC_PUSH_* macro.
-#define MSVC_POP_WARNING() __pragma(warning(pop))
-
-#define MSVC_DISABLE_OPTIMIZE() __pragma(optimize("", off))
-#define MSVC_ENABLE_OPTIMIZE() __pragma(optimize("", on))
-
-// Allows exporting a class that inherits from a non-exported base class.
-// This uses suppress instead of push/pop because the delimiter after the
-// declaration (either "," or "{") has to be placed before the pop macro.
-//
-// Example usage:
-// class EXPORT_API Foo : NON_EXPORTED_BASE(public Bar) {
-//
-// MSVC Compiler warning C4275:
-// non dll-interface class 'Bar' used as base for dll-interface class 'Foo'.
-// Note that this is intended to be used only when no access to the base class'
-// static data is done through derived classes or inline methods. For more info,
-// see http://msdn.microsoft.com/en-us/library/3tdb471s(VS.80).aspx
-#define NON_EXPORTED_BASE(code) MSVC_SUPPRESS_WARNING(4275) \
- code
-
-#else // Not MSVC
-
-#define _Printf_format_string_
-#define MSVC_SUPPRESS_WARNING(n)
-#define MSVC_PUSH_DISABLE_WARNING(n)
-#define MSVC_PUSH_WARNING_LEVEL(n)
-#define MSVC_POP_WARNING()
-#define MSVC_DISABLE_OPTIMIZE()
-#define MSVC_ENABLE_OPTIMIZE()
-#define NON_EXPORTED_BASE(code) code
-
-#endif // COMPILER_MSVC
-
-
-// Annotate a variable indicating it's ok if the variable is not used.
-// (Typically used to silence a compiler warning when the assignment
-// is important for some other reason.)
-// Use like:
-// int x = ...;
-// ALLOW_UNUSED_LOCAL(x);
-#define ALLOW_UNUSED_LOCAL(x) false ? (void)x : (void)0
-
-// Annotate a typedef or function indicating it's ok if it's not used.
-// Use like:
-// typedef Foo Bar ALLOW_UNUSED_TYPE;
-#if defined(COMPILER_GCC) || defined(__clang__)
-#define ALLOW_UNUSED_TYPE __attribute__((unused))
-#else
-#define ALLOW_UNUSED_TYPE
-#endif
-
-// Annotate a function indicating it should not be inlined.
-// Use like:
-// NOINLINE void DoStuff() { ... }
-#if defined(COMPILER_GCC)
-#define NOINLINE __attribute__((noinline))
-#elif defined(COMPILER_MSVC)
-#define NOINLINE __declspec(noinline)
-#else
-#define NOINLINE
-#endif
-
-// Specify memory alignment for structs, classes, etc.
-// Use like:
-// class ALIGNAS(16) MyClass { ... }
-// ALIGNAS(16) int array[4];
-#if defined(COMPILER_MSVC)
-#define ALIGNAS(byte_alignment) __declspec(align(byte_alignment))
-#elif defined(COMPILER_GCC)
-#define ALIGNAS(byte_alignment) __attribute__((aligned(byte_alignment)))
-#endif
-
-// Return the byte alignment of the given type (available at compile time).
-// Use like:
-// ALIGNOF(int32_t) // this would be 4
-#if defined(COMPILER_MSVC)
-#define ALIGNOF(type) __alignof(type)
-#elif defined(COMPILER_GCC)
-#define ALIGNOF(type) __alignof__(type)
-#endif
-
-// Annotate a function indicating the caller must examine the return value.
-// Use like:
-// int foo() WARN_UNUSED_RESULT;
-// To explicitly ignore a result, see |ignore_result()| in base/macros.h.
-#undef WARN_UNUSED_RESULT
-#if defined(COMPILER_GCC) || defined(__clang__)
-#define WARN_UNUSED_RESULT __attribute__((warn_unused_result))
-#else
-#define WARN_UNUSED_RESULT
-#endif
-
-// Tell the compiler a function is using a printf-style format string.
-// |format_param| is the one-based index of the format string parameter;
-// |dots_param| is the one-based index of the "..." parameter.
-// For v*printf functions (which take a va_list), pass 0 for dots_param.
-// (This is undocumented but matches what the system C headers do.)
-#if defined(COMPILER_GCC)
-#define PRINTF_FORMAT(format_param, dots_param) \
- __attribute__((format(printf, format_param, dots_param)))
-#else
-#define PRINTF_FORMAT(format_param, dots_param)
-#endif
-
-// WPRINTF_FORMAT is the same, but for wide format strings.
-// This doesn't appear to yet be implemented in any compiler.
-// See http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38308 .
-#define WPRINTF_FORMAT(format_param, dots_param)
-// If available, it would look like:
-// __attribute__((format(wprintf, format_param, dots_param)))
-
-// MemorySanitizer annotations.
-#if defined(MEMORY_SANITIZER) && !defined(OS_NACL)
-#include <sanitizer/msan_interface.h>
-
-// Mark a memory region fully initialized.
-// Use this to annotate code that deliberately reads uninitialized data, for
-// example a GC scavenging root set pointers from the stack.
-#define MSAN_UNPOISON(p, size) __msan_unpoison(p, size)
-
-// Check a memory region for initializedness, as if it was being used here.
-// If any bits are uninitialized, crash with an MSan report.
-// Use this to sanitize data which MSan won't be able to track, e.g. before
-// passing data to another process via shared memory.
-#define MSAN_CHECK_MEM_IS_INITIALIZED(p, size) \
- __msan_check_mem_is_initialized(p, size)
-#else // MEMORY_SANITIZER
-#define MSAN_UNPOISON(p, size)
-#define MSAN_CHECK_MEM_IS_INITIALIZED(p, size)
-#endif // MEMORY_SANITIZER
-
-// Macro useful for writing cross-platform function pointers.
-#if !defined(CDECL)
-#if defined(OS_WIN)
-#define CDECL __cdecl
-#else // defined(OS_WIN)
-#define CDECL
-#endif // defined(OS_WIN)
-#endif // !defined(CDECL)
-
-// Macro for hinting that an expression is likely to be false.
-#if !defined(UNLIKELY)
-#if defined(COMPILER_GCC)
-#define UNLIKELY(x) __builtin_expect(!!(x), 0)
-#else
-#define UNLIKELY(x) (x)
-#endif // defined(COMPILER_GCC)
-#endif // !defined(UNLIKELY)
-
-#endif // BASE_COMPILER_SPECIFIC_H_
diff --git a/security/sandbox/chromium/base/containers/hash_tables.h b/security/sandbox/chromium/base/containers/hash_tables.h
deleted file mode 100644
index c421dddf3..000000000
--- a/security/sandbox/chromium/base/containers/hash_tables.h
+++ /dev/null
@@ -1,281 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-//
-
-//
-// Deal with the differences between Microsoft and GNU implemenations
-// of hash_map. Allows all platforms to use |base::hash_map| and
-// |base::hash_set|.
-// eg:
-// base::hash_map<int> my_map;
-// base::hash_set<int> my_set;
-//
-// NOTE: It is an explicit non-goal of this class to provide a generic hash
-// function for pointers. If you want to hash a pointers to a particular class,
-// please define the template specialization elsewhere (for example, in its
-// header file) and keep it specific to just pointers to that class. This is
-// because identity hashes are not desirable for all types that might show up
-// in containers as pointers.
-
-#ifndef BASE_CONTAINERS_HASH_TABLES_H_
-#define BASE_CONTAINERS_HASH_TABLES_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <utility>
-
-#include "base/strings/string16.h"
-#include "build/build_config.h"
-
-#if defined(COMPILER_MSVC)
-#include <unordered_map>
-#include <unordered_set>
-
-#define BASE_HASH_NAMESPACE std
-
-#elif defined(COMPILER_GCC)
-
-#define BASE_HASH_NAMESPACE base_hash
-
-// This is a hack to disable the gcc 4.4 warning about hash_map and hash_set
-// being deprecated. We can get rid of this when we upgrade to VS2008 and we
-// can use <tr1/unordered_map> and <tr1/unordered_set>.
-#ifdef __DEPRECATED
-#define CHROME_OLD__DEPRECATED __DEPRECATED
-#undef __DEPRECATED
-#endif
-
-#include <ext/hash_map>
-#include <ext/hash_set>
-#define BASE_HASH_IMPL_NAMESPACE __gnu_cxx
-
-#include <string>
-
-#ifdef CHROME_OLD__DEPRECATED
-#define __DEPRECATED CHROME_OLD__DEPRECATED
-#undef CHROME_OLD__DEPRECATED
-#endif
-
-namespace BASE_HASH_NAMESPACE {
-
-// The pre-standard hash behaves like C++11's std::hash, except around pointers.
-// const char* is specialized to hash the C string and hash functions for
-// general T* are missing. Define a BASE_HASH_NAMESPACE::hash which aligns with
-// the C++11 behavior.
-
-template<typename T>
-struct hash {
- std::size_t operator()(const T& value) const {
- return BASE_HASH_IMPL_NAMESPACE::hash<T>()(value);
- }
-};
-
-template<typename T>
-struct hash<T*> {
- std::size_t operator()(T* value) const {
- return BASE_HASH_IMPL_NAMESPACE::hash<uintptr_t>()(
- reinterpret_cast<uintptr_t>(value));
- }
-};
-
-// The GNU C++ library provides identity hash functions for many integral types,
-// but not for |long long|. This hash function will truncate if |size_t| is
-// narrower than |long long|. This is probably good enough for what we will
-// use it for.
-
-#define DEFINE_TRIVIAL_HASH(integral_type) \
- template<> \
- struct hash<integral_type> { \
- std::size_t operator()(integral_type value) const { \
- return static_cast<std::size_t>(value); \
- } \
- }
-
-DEFINE_TRIVIAL_HASH(long long);
-DEFINE_TRIVIAL_HASH(unsigned long long);
-
-#undef DEFINE_TRIVIAL_HASH
-
-// Implement string hash functions so that strings of various flavors can
-// be used as keys in STL maps and sets. The hash algorithm comes from the
-// GNU C++ library, in <tr1/functional>. It is duplicated here because GCC
-// versions prior to 4.3.2 are unable to compile <tr1/functional> when RTTI
-// is disabled, as it is in our build.
-
-#define DEFINE_STRING_HASH(string_type) \
- template<> \
- struct hash<string_type> { \
- std::size_t operator()(const string_type& s) const { \
- std::size_t result = 0; \
- for (string_type::const_iterator i = s.begin(); i != s.end(); ++i) \
- result = (result * 131) + *i; \
- return result; \
- } \
- }
-
-DEFINE_STRING_HASH(std::string);
-DEFINE_STRING_HASH(base::string16);
-
-#undef DEFINE_STRING_HASH
-
-} // namespace BASE_HASH_NAMESPACE
-
-#else // COMPILER
-#error define BASE_HASH_NAMESPACE for your compiler
-#endif // COMPILER
-
-namespace base {
-
-// On MSVC, use the C++11 containers.
-#if defined(COMPILER_MSVC)
-
-template<class Key, class T,
- class Hash = std::hash<Key>,
- class Pred = std::equal_to<Key>,
- class Alloc = std::allocator<std::pair<const Key, T>>>
-using hash_map = std::unordered_map<Key, T, Hash, Pred, Alloc>;
-
-template<class Key, class T,
- class Hash = std::hash<Key>,
- class Pred = std::equal_to<Key>,
- class Alloc = std::allocator<std::pair<const Key, T>>>
-using hash_multimap = std::unordered_multimap<Key, T, Hash, Pred, Alloc>;
-
-template<class Key,
- class Hash = std::hash<Key>,
- class Pred = std::equal_to<Key>,
- class Alloc = std::allocator<Key>>
-using hash_multiset = std::unordered_multiset<Key, Hash, Pred, Alloc>;
-
-template<class Key,
- class Hash = std::hash<Key>,
- class Pred = std::equal_to<Key>,
- class Alloc = std::allocator<Key>>
-using hash_set = std::unordered_set<Key, Hash, Pred, Alloc>;
-
-#else // !COMPILER_MSVC
-
-// Otherwise, use the pre-standard ones, but override the default hash to match
-// C++11.
-template<class Key, class T,
- class Hash = BASE_HASH_NAMESPACE::hash<Key>,
- class Pred = std::equal_to<Key>,
- class Alloc = std::allocator<std::pair<const Key, T>>>
-using hash_map = BASE_HASH_IMPL_NAMESPACE::hash_map<Key, T, Hash, Pred, Alloc>;
-
-template<class Key, class T,
- class Hash = BASE_HASH_NAMESPACE::hash<Key>,
- class Pred = std::equal_to<Key>,
- class Alloc = std::allocator<std::pair<const Key, T>>>
-using hash_multimap =
- BASE_HASH_IMPL_NAMESPACE::hash_multimap<Key, T, Hash, Pred, Alloc>;
-
-template<class Key,
- class Hash = BASE_HASH_NAMESPACE::hash<Key>,
- class Pred = std::equal_to<Key>,
- class Alloc = std::allocator<Key>>
-using hash_multiset =
- BASE_HASH_IMPL_NAMESPACE::hash_multiset<Key, Hash, Pred, Alloc>;
-
-template<class Key,
- class Hash = BASE_HASH_NAMESPACE::hash<Key>,
- class Pred = std::equal_to<Key>,
- class Alloc = std::allocator<Key>>
-using hash_set = BASE_HASH_IMPL_NAMESPACE::hash_set<Key, Hash, Pred, Alloc>;
-
-#undef BASE_HASH_IMPL_NAMESPACE
-
-#endif // COMPILER_MSVC
-
-// Implement hashing for pairs of at-most 32 bit integer values.
-// When size_t is 32 bits, we turn the 64-bit hash code into 32 bits by using
-// multiply-add hashing. This algorithm, as described in
-// Theorem 4.3.3 of the thesis "Über die Komplexität der Multiplikation in
-// eingeschränkten Branchingprogrammmodellen" by Woelfel, is:
-//
-// h32(x32, y32) = (h64(x32, y32) * rand_odd64 + rand16 * 2^16) % 2^64 / 2^32
-//
-// Contact danakj@chromium.org for any questions.
-inline std::size_t HashInts32(uint32_t value1, uint32_t value2) {
- uint64_t value1_64 = value1;
- uint64_t hash64 = (value1_64 << 32) | value2;
-
- if (sizeof(std::size_t) >= sizeof(uint64_t))
- return static_cast<std::size_t>(hash64);
-
- uint64_t odd_random = 481046412LL << 32 | 1025306955LL;
- uint32_t shift_random = 10121U << 16;
-
- hash64 = hash64 * odd_random + shift_random;
- std::size_t high_bits = static_cast<std::size_t>(
- hash64 >> (8 * (sizeof(uint64_t) - sizeof(std::size_t))));
- return high_bits;
-}
-
-// Implement hashing for pairs of up-to 64-bit integer values.
-// We use the compound integer hash method to produce a 64-bit hash code, by
-// breaking the two 64-bit inputs into 4 32-bit values:
-// http://opendatastructures.org/versions/edition-0.1d/ods-java/node33.html#SECTION00832000000000000000
-// Then we reduce our result to 32 bits if required, similar to above.
-inline std::size_t HashInts64(uint64_t value1, uint64_t value2) {
- uint32_t short_random1 = 842304669U;
- uint32_t short_random2 = 619063811U;
- uint32_t short_random3 = 937041849U;
- uint32_t short_random4 = 3309708029U;
-
- uint32_t value1a = static_cast<uint32_t>(value1 & 0xffffffff);
- uint32_t value1b = static_cast<uint32_t>((value1 >> 32) & 0xffffffff);
- uint32_t value2a = static_cast<uint32_t>(value2 & 0xffffffff);
- uint32_t value2b = static_cast<uint32_t>((value2 >> 32) & 0xffffffff);
-
- uint64_t product1 = static_cast<uint64_t>(value1a) * short_random1;
- uint64_t product2 = static_cast<uint64_t>(value1b) * short_random2;
- uint64_t product3 = static_cast<uint64_t>(value2a) * short_random3;
- uint64_t product4 = static_cast<uint64_t>(value2b) * short_random4;
-
- uint64_t hash64 = product1 + product2 + product3 + product4;
-
- if (sizeof(std::size_t) >= sizeof(uint64_t))
- return static_cast<std::size_t>(hash64);
-
- uint64_t odd_random = 1578233944LL << 32 | 194370989LL;
- uint32_t shift_random = 20591U << 16;
-
- hash64 = hash64 * odd_random + shift_random;
- std::size_t high_bits = static_cast<std::size_t>(
- hash64 >> (8 * (sizeof(uint64_t) - sizeof(std::size_t))));
- return high_bits;
-}
-
-template<typename T1, typename T2>
-inline std::size_t HashPair(T1 value1, T2 value2) {
- // This condition is expected to be compile-time evaluated and optimised away
- // in release builds.
- if (sizeof(T1) > sizeof(uint32_t) || (sizeof(T2) > sizeof(uint32_t)))
- return HashInts64(value1, value2);
-
- return HashInts32(value1, value2);
-}
-
-} // namespace base
-
-namespace BASE_HASH_NAMESPACE {
-
-// Implement methods for hashing a pair of integers, so they can be used as
-// keys in STL containers.
-
-template<typename Type1, typename Type2>
-struct hash<std::pair<Type1, Type2> > {
- std::size_t operator()(std::pair<Type1, Type2> value) const {
- return base::HashPair(value.first, value.second);
- }
-};
-
-} // namespace BASE_HASH_NAMESPACE
-
-#undef DEFINE_PAIR_HASH_FUNCTION_START
-#undef DEFINE_PAIR_HASH_FUNCTION_END
-
-#endif // BASE_CONTAINERS_HASH_TABLES_H_
diff --git a/security/sandbox/chromium/base/cpu.cc b/security/sandbox/chromium/base/cpu.cc
deleted file mode 100644
index 713544566..000000000
--- a/security/sandbox/chromium/base/cpu.cc
+++ /dev/null
@@ -1,296 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/cpu.h"
-
-#include <limits.h>
-#include <stddef.h>
-#include <stdint.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <algorithm>
-
-#include "base/macros.h"
-#include "base/strings/string_piece.h"
-#include "build/build_config.h"
-
-#if defined(ARCH_CPU_ARM_FAMILY) && (defined(OS_ANDROID) || defined(OS_LINUX))
-#include "base/files/file_util.h"
-#include "base/lazy_instance.h"
-#endif
-
-#if defined(ARCH_CPU_X86_FAMILY)
-#if defined(_MSC_VER)
-#include <intrin.h>
-#include <immintrin.h> // For _xgetbv()
-#endif
-#endif
-
-namespace base {
-
-CPU::CPU()
- : signature_(0),
- type_(0),
- family_(0),
- model_(0),
- stepping_(0),
- ext_model_(0),
- ext_family_(0),
- has_mmx_(false),
- has_sse_(false),
- has_sse2_(false),
- has_sse3_(false),
- has_ssse3_(false),
- has_sse41_(false),
- has_sse42_(false),
- has_avx_(false),
- has_avx2_(false),
- has_aesni_(false),
- has_non_stop_time_stamp_counter_(false),
- has_broken_neon_(false),
- cpu_vendor_("unknown") {
- Initialize();
-}
-
-namespace {
-
-#if defined(ARCH_CPU_X86_FAMILY)
-#ifndef _MSC_VER
-
-#if defined(__pic__) && defined(__i386__)
-
-void __cpuid(int cpu_info[4], int info_type) {
- __asm__ volatile (
- "mov %%ebx, %%edi\n"
- "cpuid\n"
- "xchg %%edi, %%ebx\n"
- : "=a"(cpu_info[0]), "=D"(cpu_info[1]), "=c"(cpu_info[2]), "=d"(cpu_info[3])
- : "a"(info_type)
- );
-}
-
-#else
-
-void __cpuid(int cpu_info[4], int info_type) {
- __asm__ volatile (
- "cpuid\n"
- : "=a"(cpu_info[0]), "=b"(cpu_info[1]), "=c"(cpu_info[2]), "=d"(cpu_info[3])
- : "a"(info_type)
- );
-}
-
-#endif
-
-// _xgetbv returns the value of an Intel Extended Control Register (XCR).
-// Currently only XCR0 is defined by Intel so |xcr| should always be zero.
-uint64_t _xgetbv(uint32_t xcr) {
- uint32_t eax, edx;
-
- __asm__ volatile (
- "xgetbv" : "=a"(eax), "=d"(edx) : "c"(xcr));
- return (static_cast<uint64_t>(edx) << 32) | eax;
-}
-
-#endif // !_MSC_VER
-#endif // ARCH_CPU_X86_FAMILY
-
-#if defined(ARCH_CPU_ARM_FAMILY) && (defined(OS_ANDROID) || defined(OS_LINUX))
-class LazyCpuInfoValue {
- public:
- LazyCpuInfoValue() : has_broken_neon_(false) {
- // This function finds the value from /proc/cpuinfo under the key "model
- // name" or "Processor". "model name" is used in Linux 3.8 and later (3.7
- // and later for arm64) and is shown once per CPU. "Processor" is used in
- // earler versions and is shown only once at the top of /proc/cpuinfo
- // regardless of the number CPUs.
- const char kModelNamePrefix[] = "model name\t: ";
- const char kProcessorPrefix[] = "Processor\t: ";
-
- // This function also calculates whether we believe that this CPU has a
- // broken NEON unit based on these fields from cpuinfo:
- unsigned implementer = 0, architecture = 0, variant = 0, part = 0,
- revision = 0;
- const struct {
- const char key[17];
- unsigned int* result;
- } kUnsignedValues[] = {
- {"CPU implementer", &implementer},
- {"CPU architecture", &architecture},
- {"CPU variant", &variant},
- {"CPU part", &part},
- {"CPU revision", &revision},
- };
-
- std::string contents;
- ReadFileToString(FilePath("/proc/cpuinfo"), &contents);
- DCHECK(!contents.empty());
- if (contents.empty()) {
- return;
- }
-
- std::istringstream iss(contents);
- std::string line;
- while (std::getline(iss, line)) {
- if (brand_.empty() &&
- (line.compare(0, strlen(kModelNamePrefix), kModelNamePrefix) == 0 ||
- line.compare(0, strlen(kProcessorPrefix), kProcessorPrefix) == 0)) {
- brand_.assign(line.substr(strlen(kModelNamePrefix)));
- }
-
- for (size_t i = 0; i < arraysize(kUnsignedValues); i++) {
- const char *key = kUnsignedValues[i].key;
- const size_t len = strlen(key);
-
- if (line.compare(0, len, key) == 0 &&
- line.size() >= len + 1 &&
- (line[len] == '\t' || line[len] == ' ' || line[len] == ':')) {
- size_t colon_pos = line.find(':', len);
- if (colon_pos == std::string::npos) {
- continue;
- }
-
- const StringPiece line_sp(line);
- StringPiece value_sp = line_sp.substr(colon_pos + 1);
- while (!value_sp.empty() &&
- (value_sp[0] == ' ' || value_sp[0] == '\t')) {
- value_sp = value_sp.substr(1);
- }
-
- // The string may have leading "0x" or not, so we use strtoul to
- // handle that.
- char* endptr;
- std::string value(value_sp.as_string());
- unsigned long int result = strtoul(value.c_str(), &endptr, 0);
- if (*endptr == 0 && result <= UINT_MAX) {
- *kUnsignedValues[i].result = result;
- }
- }
- }
- }
-
- has_broken_neon_ =
- implementer == 0x51 &&
- architecture == 7 &&
- variant == 1 &&
- part == 0x4d &&
- revision == 0;
- }
-
- const std::string& brand() const { return brand_; }
- bool has_broken_neon() const { return has_broken_neon_; }
-
- private:
- std::string brand_;
- bool has_broken_neon_;
- DISALLOW_COPY_AND_ASSIGN(LazyCpuInfoValue);
-};
-
-base::LazyInstance<LazyCpuInfoValue>::Leaky g_lazy_cpuinfo =
- LAZY_INSTANCE_INITIALIZER;
-
-#endif // defined(ARCH_CPU_ARM_FAMILY) && (defined(OS_ANDROID) ||
- // defined(OS_LINUX))
-
-} // anonymous namespace
-
-void CPU::Initialize() {
-#if defined(ARCH_CPU_X86_FAMILY)
- int cpu_info[4] = {-1};
- char cpu_string[48];
-
- // __cpuid with an InfoType argument of 0 returns the number of
- // valid Ids in CPUInfo[0] and the CPU identification string in
- // the other three array elements. The CPU identification string is
- // not in linear order. The code below arranges the information
- // in a human readable form. The human readable order is CPUInfo[1] |
- // CPUInfo[3] | CPUInfo[2]. CPUInfo[2] and CPUInfo[3] are swapped
- // before using memcpy to copy these three array elements to cpu_string.
- __cpuid(cpu_info, 0);
- int num_ids = cpu_info[0];
- std::swap(cpu_info[2], cpu_info[3]);
- memcpy(cpu_string, &cpu_info[1], 3 * sizeof(cpu_info[1]));
- cpu_vendor_.assign(cpu_string, 3 * sizeof(cpu_info[1]));
-
- // Interpret CPU feature information.
- if (num_ids > 0) {
- int cpu_info7[4] = {0};
- __cpuid(cpu_info, 1);
- if (num_ids >= 7) {
- __cpuid(cpu_info7, 7);
- }
- signature_ = cpu_info[0];
- stepping_ = cpu_info[0] & 0xf;
- model_ = ((cpu_info[0] >> 4) & 0xf) + ((cpu_info[0] >> 12) & 0xf0);
- family_ = (cpu_info[0] >> 8) & 0xf;
- type_ = (cpu_info[0] >> 12) & 0x3;
- ext_model_ = (cpu_info[0] >> 16) & 0xf;
- ext_family_ = (cpu_info[0] >> 20) & 0xff;
- has_mmx_ = (cpu_info[3] & 0x00800000) != 0;
- has_sse_ = (cpu_info[3] & 0x02000000) != 0;
- has_sse2_ = (cpu_info[3] & 0x04000000) != 0;
- has_sse3_ = (cpu_info[2] & 0x00000001) != 0;
- has_ssse3_ = (cpu_info[2] & 0x00000200) != 0;
- has_sse41_ = (cpu_info[2] & 0x00080000) != 0;
- has_sse42_ = (cpu_info[2] & 0x00100000) != 0;
- // AVX instructions will generate an illegal instruction exception unless
- // a) they are supported by the CPU,
- // b) XSAVE is supported by the CPU and
- // c) XSAVE is enabled by the kernel.
- // See http://software.intel.com/en-us/blogs/2011/04/14/is-avx-enabled
- //
- // In addition, we have observed some crashes with the xgetbv instruction
- // even after following Intel's example code. (See crbug.com/375968.)
- // Because of that, we also test the XSAVE bit because its description in
- // the CPUID documentation suggests that it signals xgetbv support.
- has_avx_ =
- (cpu_info[2] & 0x10000000) != 0 &&
- (cpu_info[2] & 0x04000000) != 0 /* XSAVE */ &&
- (cpu_info[2] & 0x08000000) != 0 /* OSXSAVE */ &&
- (_xgetbv(0) & 6) == 6 /* XSAVE enabled by kernel */;
- has_aesni_ = (cpu_info[2] & 0x02000000) != 0;
- has_avx2_ = has_avx_ && (cpu_info7[1] & 0x00000020) != 0;
- }
-
- // Get the brand string of the cpu.
- __cpuid(cpu_info, 0x80000000);
- const int parameter_end = 0x80000004;
- int max_parameter = cpu_info[0];
-
- if (cpu_info[0] >= parameter_end) {
- char* cpu_string_ptr = cpu_string;
-
- for (int parameter = 0x80000002; parameter <= parameter_end &&
- cpu_string_ptr < &cpu_string[sizeof(cpu_string)]; parameter++) {
- __cpuid(cpu_info, parameter);
- memcpy(cpu_string_ptr, cpu_info, sizeof(cpu_info));
- cpu_string_ptr += sizeof(cpu_info);
- }
- cpu_brand_.assign(cpu_string, cpu_string_ptr - cpu_string);
- }
-
- const int parameter_containing_non_stop_time_stamp_counter = 0x80000007;
- if (max_parameter >= parameter_containing_non_stop_time_stamp_counter) {
- __cpuid(cpu_info, parameter_containing_non_stop_time_stamp_counter);
- has_non_stop_time_stamp_counter_ = (cpu_info[3] & (1 << 8)) != 0;
- }
-#elif defined(ARCH_CPU_ARM_FAMILY) && (defined(OS_ANDROID) || defined(OS_LINUX))
- cpu_brand_.assign(g_lazy_cpuinfo.Get().brand());
- has_broken_neon_ = g_lazy_cpuinfo.Get().has_broken_neon();
-#endif
-}
-
-CPU::IntelMicroArchitecture CPU::GetIntelMicroArchitecture() const {
- if (has_avx2()) return AVX2;
- if (has_avx()) return AVX;
- if (has_sse42()) return SSE42;
- if (has_sse41()) return SSE41;
- if (has_ssse3()) return SSSE3;
- if (has_sse3()) return SSE3;
- if (has_sse2()) return SSE2;
- if (has_sse()) return SSE;
- return PENTIUM;
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/cpu.h b/security/sandbox/chromium/base/cpu.h
deleted file mode 100644
index 8c3c06c04..000000000
--- a/security/sandbox/chromium/base/cpu.h
+++ /dev/null
@@ -1,92 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_CPU_H_
-#define BASE_CPU_H_
-
-#include <string>
-
-#include "base/base_export.h"
-
-namespace base {
-
-// Query information about the processor.
-class BASE_EXPORT CPU {
- public:
- // Constructor
- CPU();
-
- enum IntelMicroArchitecture {
- PENTIUM,
- SSE,
- SSE2,
- SSE3,
- SSSE3,
- SSE41,
- SSE42,
- AVX,
- AVX2,
- MAX_INTEL_MICRO_ARCHITECTURE
- };
-
- // Accessors for CPU information.
- const std::string& vendor_name() const { return cpu_vendor_; }
- int signature() const { return signature_; }
- int stepping() const { return stepping_; }
- int model() const { return model_; }
- int family() const { return family_; }
- int type() const { return type_; }
- int extended_model() const { return ext_model_; }
- int extended_family() const { return ext_family_; }
- bool has_mmx() const { return has_mmx_; }
- bool has_sse() const { return has_sse_; }
- bool has_sse2() const { return has_sse2_; }
- bool has_sse3() const { return has_sse3_; }
- bool has_ssse3() const { return has_ssse3_; }
- bool has_sse41() const { return has_sse41_; }
- bool has_sse42() const { return has_sse42_; }
- bool has_avx() const { return has_avx_; }
- bool has_avx2() const { return has_avx2_; }
- bool has_aesni() const { return has_aesni_; }
- bool has_non_stop_time_stamp_counter() const {
- return has_non_stop_time_stamp_counter_;
- }
- // has_broken_neon is only valid on ARM chips. If true, it indicates that we
- // believe that the NEON unit on the current CPU is flawed and cannot execute
- // some code. See https://code.google.com/p/chromium/issues/detail?id=341598
- bool has_broken_neon() const { return has_broken_neon_; }
-
- IntelMicroArchitecture GetIntelMicroArchitecture() const;
- const std::string& cpu_brand() const { return cpu_brand_; }
-
- private:
- // Query the processor for CPUID information.
- void Initialize();
-
- int signature_; // raw form of type, family, model, and stepping
- int type_; // process type
- int family_; // family of the processor
- int model_; // model of processor
- int stepping_; // processor revision number
- int ext_model_;
- int ext_family_;
- bool has_mmx_;
- bool has_sse_;
- bool has_sse2_;
- bool has_sse3_;
- bool has_ssse3_;
- bool has_sse41_;
- bool has_sse42_;
- bool has_avx_;
- bool has_avx2_;
- bool has_aesni_;
- bool has_non_stop_time_stamp_counter_;
- bool has_broken_neon_;
- std::string cpu_vendor_;
- std::string cpu_brand_;
-};
-
-} // namespace base
-
-#endif // BASE_CPU_H_
diff --git a/security/sandbox/chromium/base/debug/alias.cc b/security/sandbox/chromium/base/debug/alias.cc
deleted file mode 100644
index 6b0caaa6d..000000000
--- a/security/sandbox/chromium/base/debug/alias.cc
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/debug/alias.h"
-#include "build/build_config.h"
-
-namespace base {
-namespace debug {
-
-#if defined(COMPILER_MSVC)
-#pragma optimize("", off)
-#endif
-
-void Alias(const void* var) {
-}
-
-#if defined(COMPILER_MSVC)
-#pragma optimize("", on)
-#endif
-
-} // namespace debug
-} // namespace base
diff --git a/security/sandbox/chromium/base/debug/alias.h b/security/sandbox/chromium/base/debug/alias.h
deleted file mode 100644
index 3b2ab64f3..000000000
--- a/security/sandbox/chromium/base/debug/alias.h
+++ /dev/null
@@ -1,21 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_DEBUG_ALIAS_H_
-#define BASE_DEBUG_ALIAS_H_
-
-#include "base/base_export.h"
-
-namespace base {
-namespace debug {
-
-// Make the optimizer think that var is aliased. This is to prevent it from
-// optimizing out variables that that would not otherwise be live at the point
-// of a potential crash.
-void BASE_EXPORT Alias(const void* var);
-
-} // namespace debug
-} // namespace base
-
-#endif // BASE_DEBUG_ALIAS_H_
diff --git a/security/sandbox/chromium/base/debug/debugger.h b/security/sandbox/chromium/base/debug/debugger.h
deleted file mode 100644
index 8680e281e..000000000
--- a/security/sandbox/chromium/base/debug/debugger.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This is a cross platform interface for helper functions related to
-// debuggers. You should use this to test if you're running under a debugger,
-// and if you would like to yield (breakpoint) into the debugger.
-
-#ifndef BASE_DEBUG_DEBUGGER_H_
-#define BASE_DEBUG_DEBUGGER_H_
-
-#include "base/base_export.h"
-
-namespace base {
-namespace debug {
-
-// Waits wait_seconds seconds for a debugger to attach to the current process.
-// When silent is false, an exception is thrown when a debugger is detected.
-BASE_EXPORT bool WaitForDebugger(int wait_seconds, bool silent);
-
-// Returns true if the given process is being run under a debugger.
-//
-// On OS X, the underlying mechanism doesn't work when the sandbox is enabled.
-// To get around this, this function caches its value.
-//
-// WARNING: Because of this, on OS X, a call MUST be made to this function
-// BEFORE the sandbox is enabled.
-BASE_EXPORT bool BeingDebugged();
-
-// Break into the debugger, assumes a debugger is present.
-BASE_EXPORT void BreakDebugger();
-
-// Used in test code, this controls whether showing dialogs and breaking into
-// the debugger is suppressed for debug errors, even in debug mode (normally
-// release mode doesn't do this stuff -- this is controlled separately).
-// Normally UI is not suppressed. This is normally used when running automated
-// tests where we want a crash rather than a dialog or a debugger.
-BASE_EXPORT void SetSuppressDebugUI(bool suppress);
-BASE_EXPORT bool IsDebugUISuppressed();
-
-} // namespace debug
-} // namespace base
-
-#endif // BASE_DEBUG_DEBUGGER_H_
diff --git a/security/sandbox/chromium/base/debug/leak_annotations.h b/security/sandbox/chromium/base/debug/leak_annotations.h
deleted file mode 100644
index dc502461d..000000000
--- a/security/sandbox/chromium/base/debug/leak_annotations.h
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_DEBUG_LEAK_ANNOTATIONS_H_
-#define BASE_DEBUG_LEAK_ANNOTATIONS_H_
-
-#include "base/macros.h"
-#include "build/build_config.h"
-
-// This file defines macros which can be used to annotate intentional memory
-// leaks. Support for annotations is implemented in LeakSanitizer. Annotated
-// objects will be treated as a source of live pointers, i.e. any heap objects
-// reachable by following pointers from an annotated object will not be
-// reported as leaks.
-//
-// ANNOTATE_SCOPED_MEMORY_LEAK: all allocations made in the current scope
-// will be annotated as leaks.
-// ANNOTATE_LEAKING_OBJECT_PTR(X): the heap object referenced by pointer X will
-// be annotated as a leak.
-
-#if defined(LEAK_SANITIZER) && !defined(OS_NACL)
-
-#include <sanitizer/lsan_interface.h>
-
-class ScopedLeakSanitizerDisabler {
- public:
- ScopedLeakSanitizerDisabler() { __lsan_disable(); }
- ~ScopedLeakSanitizerDisabler() { __lsan_enable(); }
- private:
- DISALLOW_COPY_AND_ASSIGN(ScopedLeakSanitizerDisabler);
-};
-
-#define ANNOTATE_SCOPED_MEMORY_LEAK \
- ScopedLeakSanitizerDisabler leak_sanitizer_disabler; static_cast<void>(0)
-
-#define ANNOTATE_LEAKING_OBJECT_PTR(X) __lsan_ignore_object(X);
-
-#else
-
-#define ANNOTATE_SCOPED_MEMORY_LEAK ((void)0)
-#define ANNOTATE_LEAKING_OBJECT_PTR(X) ((void)0)
-
-#endif
-
-#endif // BASE_DEBUG_LEAK_ANNOTATIONS_H_
diff --git a/security/sandbox/chromium/base/debug/profiler.cc b/security/sandbox/chromium/base/debug/profiler.cc
deleted file mode 100644
index 75e9aac0c..000000000
--- a/security/sandbox/chromium/base/debug/profiler.cc
+++ /dev/null
@@ -1,221 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/debug/profiler.h"
-
-#include <string>
-
-#include "base/debug/debugging_flags.h"
-#include "base/process/process_handle.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/strings/string_util.h"
-#include "build/build_config.h"
-
-#if defined(OS_WIN)
-#include "base/win/pe_image.h"
-#endif // defined(OS_WIN)
-
-// TODO(peria): Enable profiling on Windows.
-#if BUILDFLAG(ENABLE_PROFILING) && !defined(NO_TCMALLOC) && !defined(OS_WIN)
-#include "third_party/tcmalloc/chromium/src/gperftools/profiler.h"
-#endif
-
-namespace base {
-namespace debug {
-
-// TODO(peria): Enable profiling on Windows.
-#if BUILDFLAG(ENABLE_PROFILING) && !defined(NO_TCMALLOC) && !defined(OS_WIN)
-
-static int profile_count = 0;
-
-void StartProfiling(const std::string& name) {
- ++profile_count;
- std::string full_name(name);
- std::string pid = IntToString(GetCurrentProcId());
- std::string count = IntToString(profile_count);
- ReplaceSubstringsAfterOffset(&full_name, 0, "{pid}", pid);
- ReplaceSubstringsAfterOffset(&full_name, 0, "{count}", count);
- ProfilerStart(full_name.c_str());
-}
-
-void StopProfiling() {
- ProfilerFlush();
- ProfilerStop();
-}
-
-void FlushProfiling() {
- ProfilerFlush();
-}
-
-bool BeingProfiled() {
- return ProfilingIsEnabledForAllThreads();
-}
-
-void RestartProfilingAfterFork() {
- ProfilerRegisterThread();
-}
-
-#else
-
-void StartProfiling(const std::string& name) {
-}
-
-void StopProfiling() {
-}
-
-void FlushProfiling() {
-}
-
-bool BeingProfiled() {
- return false;
-}
-
-void RestartProfilingAfterFork() {
-}
-
-#endif
-
-#if !defined(OS_WIN)
-
-bool IsBinaryInstrumented() {
- return false;
-}
-
-ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc() {
- return NULL;
-}
-
-DynamicFunctionEntryHook GetProfilerDynamicFunctionEntryHookFunc() {
- return NULL;
-}
-
-AddDynamicSymbol GetProfilerAddDynamicSymbolFunc() {
- return NULL;
-}
-
-MoveDynamicSymbol GetProfilerMoveDynamicSymbolFunc() {
- return NULL;
-}
-
-#else // defined(OS_WIN)
-
-// http://blogs.msdn.com/oldnewthing/archive/2004/10/25/247180.aspx
-extern "C" IMAGE_DOS_HEADER __ImageBase;
-
-bool IsBinaryInstrumented() {
- enum InstrumentationCheckState {
- UNINITIALIZED,
- INSTRUMENTED_IMAGE,
- NON_INSTRUMENTED_IMAGE,
- };
-
- static InstrumentationCheckState state = UNINITIALIZED;
-
- if (state == UNINITIALIZED) {
- HMODULE this_module = reinterpret_cast<HMODULE>(&__ImageBase);
- base::win::PEImage image(this_module);
-
- // Check to be sure our image is structured as we'd expect.
- DCHECK(image.VerifyMagic());
-
- // Syzygy-instrumented binaries contain a PE image section named ".thunks",
- // and all Syzygy-modified binaries contain the ".syzygy" image section.
- // This is a very fast check, as it only looks at the image header.
- if ((image.GetImageSectionHeaderByName(".thunks") != NULL) &&
- (image.GetImageSectionHeaderByName(".syzygy") != NULL)) {
- state = INSTRUMENTED_IMAGE;
- } else {
- state = NON_INSTRUMENTED_IMAGE;
- }
- }
- DCHECK(state != UNINITIALIZED);
-
- return state == INSTRUMENTED_IMAGE;
-}
-
-namespace {
-
-struct FunctionSearchContext {
- const char* name;
- FARPROC function;
-};
-
-// Callback function to PEImage::EnumImportChunks.
-bool FindResolutionFunctionInImports(
- const base::win::PEImage &image, const char* module_name,
- PIMAGE_THUNK_DATA unused_name_table, PIMAGE_THUNK_DATA import_address_table,
- PVOID cookie) {
- FunctionSearchContext* context =
- reinterpret_cast<FunctionSearchContext*>(cookie);
-
- DCHECK_NE(static_cast<FunctionSearchContext*>(NULL), context);
- DCHECK_EQ(static_cast<FARPROC>(NULL), context->function);
-
- // Our import address table contains pointers to the functions we import
- // at this point. Let's retrieve the first such function and use it to
- // find the module this import was resolved to by the loader.
- const wchar_t* function_in_module =
- reinterpret_cast<const wchar_t*>(import_address_table->u1.Function);
-
- // Retrieve the module by a function in the module.
- const DWORD kFlags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
- GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT;
- HMODULE module = NULL;
- if (!::GetModuleHandleEx(kFlags, function_in_module, &module)) {
- // This can happen if someone IAT patches us to a thunk.
- return true;
- }
-
- // See whether this module exports the function we're looking for.
- FARPROC exported_func = ::GetProcAddress(module, context->name);
- if (exported_func != NULL) {
- // We found it, return the function and terminate the enumeration.
- context->function = exported_func;
- return false;
- }
-
- // Keep going.
- return true;
-}
-
-template <typename FunctionType>
-FunctionType FindFunctionInImports(const char* function_name) {
- if (!IsBinaryInstrumented())
- return NULL;
-
- HMODULE this_module = reinterpret_cast<HMODULE>(&__ImageBase);
- base::win::PEImage image(this_module);
-
- FunctionSearchContext ctx = { function_name, NULL };
- image.EnumImportChunks(FindResolutionFunctionInImports, &ctx);
-
- return reinterpret_cast<FunctionType>(ctx.function);
-}
-
-} // namespace
-
-ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc() {
- return FindFunctionInImports<ReturnAddressLocationResolver>(
- "ResolveReturnAddressLocation");
-}
-
-DynamicFunctionEntryHook GetProfilerDynamicFunctionEntryHookFunc() {
- return FindFunctionInImports<DynamicFunctionEntryHook>(
- "OnDynamicFunctionEntry");
-}
-
-AddDynamicSymbol GetProfilerAddDynamicSymbolFunc() {
- return FindFunctionInImports<AddDynamicSymbol>(
- "AddDynamicSymbol");
-}
-
-MoveDynamicSymbol GetProfilerMoveDynamicSymbolFunc() {
- return FindFunctionInImports<MoveDynamicSymbol>(
- "MoveDynamicSymbol");
-}
-
-#endif // defined(OS_WIN)
-
-} // namespace debug
-} // namespace base
diff --git a/security/sandbox/chromium/base/debug/profiler.h b/security/sandbox/chromium/base/debug/profiler.h
deleted file mode 100644
index 7cce7b08f..000000000
--- a/security/sandbox/chromium/base/debug/profiler.h
+++ /dev/null
@@ -1,91 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_DEBUG_PROFILER_H_
-#define BASE_DEBUG_PROFILER_H_
-
-#include <stddef.h>
-
-#include <string>
-
-#include "base/base_export.h"
-
-// The Profiler functions allow usage of the underlying sampling based
-// profiler. If the application has not been built with the necessary
-// flags (-DENABLE_PROFILING and not -DNO_TCMALLOC) then these functions
-// are noops.
-namespace base {
-namespace debug {
-
-// Start profiling with the supplied name.
-// {pid} will be replaced by the process' pid and {count} will be replaced
-// by the count of the profile run (starts at 1 with each process).
-BASE_EXPORT void StartProfiling(const std::string& name);
-
-// Stop profiling and write out data.
-BASE_EXPORT void StopProfiling();
-
-// Force data to be written to file.
-BASE_EXPORT void FlushProfiling();
-
-// Returns true if process is being profiled.
-BASE_EXPORT bool BeingProfiled();
-
-// Reset profiling after a fork, which disables timers.
-BASE_EXPORT void RestartProfilingAfterFork();
-
-// Returns true iff this executable is instrumented with the Syzygy profiler.
-BASE_EXPORT bool IsBinaryInstrumented();
-
-// There's a class of profilers that use "return address swizzling" to get a
-// hook on function exits. This class of profilers uses some form of entry hook,
-// like e.g. binary instrumentation, or a compiler flag, that calls a hook each
-// time a function is invoked. The hook then switches the return address on the
-// stack for the address of an exit hook function, and pushes the original
-// return address to a shadow stack of some type. When in due course the CPU
-// executes a return to the exit hook, the exit hook will do whatever work it
-// does on function exit, then arrange to return to the original return address.
-// This class of profiler does not play well with programs that look at the
-// return address, as does e.g. V8. V8 uses the return address to certain
-// runtime functions to find the JIT code that called it, and from there finds
-// the V8 data structures associated to the JS function involved.
-// A return address resolution function is used to fix this. It allows such
-// programs to resolve a location on stack where a return address originally
-// resided, to the shadow stack location where the profiler stashed it.
-typedef uintptr_t (*ReturnAddressLocationResolver)(
- uintptr_t return_addr_location);
-
-// This type declaration must match V8's FunctionEntryHook.
-typedef void (*DynamicFunctionEntryHook)(uintptr_t function,
- uintptr_t return_addr_location);
-
-// The functions below here are to support profiling V8-generated code.
-// V8 has provisions for generating a call to an entry hook for newly generated
-// JIT code, and it can push symbol information on code generation and advise
-// when the garbage collector moves code. The functions declarations below here
-// make glue between V8's facilities and a profiler.
-
-// This type declaration must match V8's FunctionEntryHook.
-typedef void (*DynamicFunctionEntryHook)(uintptr_t function,
- uintptr_t return_addr_location);
-
-typedef void (*AddDynamicSymbol)(const void* address,
- size_t length,
- const char* name,
- size_t name_len);
-typedef void (*MoveDynamicSymbol)(const void* address, const void* new_address);
-
-
-// If this binary is instrumented and the instrumentation supplies a function
-// for each of those purposes, find and return the function in question.
-// Otherwise returns NULL.
-BASE_EXPORT ReturnAddressLocationResolver GetProfilerReturnAddrResolutionFunc();
-BASE_EXPORT DynamicFunctionEntryHook GetProfilerDynamicFunctionEntryHookFunc();
-BASE_EXPORT AddDynamicSymbol GetProfilerAddDynamicSymbolFunc();
-BASE_EXPORT MoveDynamicSymbol GetProfilerMoveDynamicSymbolFunc();
-
-} // namespace debug
-} // namespace base
-
-#endif // BASE_DEBUG_PROFILER_H_
diff --git a/security/sandbox/chromium/base/file_descriptor_posix.h b/security/sandbox/chromium/base/file_descriptor_posix.h
deleted file mode 100644
index 2a366116a..000000000
--- a/security/sandbox/chromium/base/file_descriptor_posix.h
+++ /dev/null
@@ -1,59 +0,0 @@
-// Copyright (c) 2006-2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_FILE_DESCRIPTOR_POSIX_H_
-#define BASE_FILE_DESCRIPTOR_POSIX_H_
-
-#include "base/files/file.h"
-#include "base/files/scoped_file.h"
-
-namespace base {
-
-// -----------------------------------------------------------------------------
-// We introduct a special structure for file descriptors in order that we are
-// able to use template specialisation to special-case their handling.
-//
-// IMPORTANT: This is primarily intended for use when sending file descriptors
-// over IPC. Even if |auto_close| is true, base::FileDescriptor does NOT close()
-// |fd| when going out of scope. Instead, a consumer of a base::FileDescriptor
-// must invoke close() on |fd| if |auto_close| is true.
-//
-// In the case of IPC, the the IPC subsystem knows to close() |fd| after sending
-// a message that contains a base::FileDescriptor if auto_close == true. On the
-// other end, the receiver must make sure to close() |fd| after it has finished
-// processing the IPC message. See the IPC::ParamTraits<> specialization in
-// ipc/ipc_message_utils.h for all the details.
-// -----------------------------------------------------------------------------
-struct FileDescriptor {
- FileDescriptor() : fd(-1), auto_close(false) {}
-
- FileDescriptor(int ifd, bool iauto_close) : fd(ifd), auto_close(iauto_close) {
- }
-
- FileDescriptor(File file) : fd(file.TakePlatformFile()), auto_close(true) {}
- explicit FileDescriptor(ScopedFD fd) : fd(fd.release()), auto_close(true) {}
-
- bool operator==(const FileDescriptor& other) const {
- return (fd == other.fd && auto_close == other.auto_close);
- }
-
- bool operator!=(const FileDescriptor& other) const {
- return !operator==(other);
- }
-
- // A comparison operator so that we can use these as keys in a std::map.
- bool operator<(const FileDescriptor& other) const {
- return other.fd < fd;
- }
-
- int fd;
- // If true, this file descriptor should be closed after it has been used. For
- // example an IPC system might interpret this flag as indicating that the
- // file descriptor it has been given should be closed after use.
- bool auto_close;
-};
-
-} // namespace base
-
-#endif // BASE_FILE_DESCRIPTOR_POSIX_H_
diff --git a/security/sandbox/chromium/base/files/file_path.h b/security/sandbox/chromium/base/files/file_path.h
deleted file mode 100644
index 89e9cbfb1..000000000
--- a/security/sandbox/chromium/base/files/file_path.h
+++ /dev/null
@@ -1,477 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// FilePath is a container for pathnames stored in a platform's native string
-// type, providing containers for manipulation in according with the
-// platform's conventions for pathnames. It supports the following path
-// types:
-//
-// POSIX Windows
-// --------------- ----------------------------------
-// Fundamental type char[] wchar_t[]
-// Encoding unspecified* UTF-16
-// Separator / \, tolerant of /
-// Drive letters no case-insensitive A-Z followed by :
-// Alternate root // (surprise!) \\, for UNC paths
-//
-// * The encoding need not be specified on POSIX systems, although some
-// POSIX-compliant systems do specify an encoding. Mac OS X uses UTF-8.
-// Chrome OS also uses UTF-8.
-// Linux does not specify an encoding, but in practice, the locale's
-// character set may be used.
-//
-// For more arcane bits of path trivia, see below.
-//
-// FilePath objects are intended to be used anywhere paths are. An
-// application may pass FilePath objects around internally, masking the
-// underlying differences between systems, only differing in implementation
-// where interfacing directly with the system. For example, a single
-// OpenFile(const FilePath &) function may be made available, allowing all
-// callers to operate without regard to the underlying implementation. On
-// POSIX-like platforms, OpenFile might wrap fopen, and on Windows, it might
-// wrap _wfopen_s, perhaps both by calling file_path.value().c_str(). This
-// allows each platform to pass pathnames around without requiring conversions
-// between encodings, which has an impact on performance, but more imporantly,
-// has an impact on correctness on platforms that do not have well-defined
-// encodings for pathnames.
-//
-// Several methods are available to perform common operations on a FilePath
-// object, such as determining the parent directory (DirName), isolating the
-// final path component (BaseName), and appending a relative pathname string
-// to an existing FilePath object (Append). These methods are highly
-// recommended over attempting to split and concatenate strings directly.
-// These methods are based purely on string manipulation and knowledge of
-// platform-specific pathname conventions, and do not consult the filesystem
-// at all, making them safe to use without fear of blocking on I/O operations.
-// These methods do not function as mutators but instead return distinct
-// instances of FilePath objects, and are therefore safe to use on const
-// objects. The objects themselves are safe to share between threads.
-//
-// To aid in initialization of FilePath objects from string literals, a
-// FILE_PATH_LITERAL macro is provided, which accounts for the difference
-// between char[]-based pathnames on POSIX systems and wchar_t[]-based
-// pathnames on Windows.
-//
-// As a precaution against premature truncation, paths can't contain NULs.
-//
-// Because a FilePath object should not be instantiated at the global scope,
-// instead, use a FilePath::CharType[] and initialize it with
-// FILE_PATH_LITERAL. At runtime, a FilePath object can be created from the
-// character array. Example:
-//
-// | const FilePath::CharType kLogFileName[] = FILE_PATH_LITERAL("log.txt");
-// |
-// | void Function() {
-// | FilePath log_file_path(kLogFileName);
-// | [...]
-// | }
-//
-// WARNING: FilePaths should ALWAYS be displayed with LTR directionality, even
-// when the UI language is RTL. This means you always need to pass filepaths
-// through base::i18n::WrapPathWithLTRFormatting() before displaying it in the
-// RTL UI.
-//
-// This is a very common source of bugs, please try to keep this in mind.
-//
-// ARCANE BITS OF PATH TRIVIA
-//
-// - A double leading slash is actually part of the POSIX standard. Systems
-// are allowed to treat // as an alternate root, as Windows does for UNC
-// (network share) paths. Most POSIX systems don't do anything special
-// with two leading slashes, but FilePath handles this case properly
-// in case it ever comes across such a system. FilePath needs this support
-// for Windows UNC paths, anyway.
-// References:
-// The Open Group Base Specifications Issue 7, sections 3.267 ("Pathname")
-// and 4.12 ("Pathname Resolution"), available at:
-// http://www.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_267
-// http://www.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap04.html#tag_04_12
-//
-// - Windows treats c:\\ the same way it treats \\. This was intended to
-// allow older applications that require drive letters to support UNC paths
-// like \\server\share\path, by permitting c:\\server\share\path as an
-// equivalent. Since the OS treats these paths specially, FilePath needs
-// to do the same. Since Windows can use either / or \ as the separator,
-// FilePath treats c://, c:\\, //, and \\ all equivalently.
-// Reference:
-// The Old New Thing, "Why is a drive letter permitted in front of UNC
-// paths (sometimes)?", available at:
-// http://blogs.msdn.com/oldnewthing/archive/2005/11/22/495740.aspx
-
-#ifndef BASE_FILES_FILE_PATH_H_
-#define BASE_FILES_FILE_PATH_H_
-
-#include <stddef.h>
-
-#include <iosfwd>
-#include <string>
-#include <vector>
-
-#include "base/base_export.h"
-#include "base/compiler_specific.h"
-#include "base/containers/hash_tables.h"
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "base/strings/string_piece.h"
-#include "build/build_config.h"
-
-// Windows-style drive letter support and pathname separator characters can be
-// enabled and disabled independently, to aid testing. These #defines are
-// here so that the same setting can be used in both the implementation and
-// in the unit test.
-#if defined(OS_WIN)
-#define FILE_PATH_USES_DRIVE_LETTERS
-#define FILE_PATH_USES_WIN_SEPARATORS
-#endif // OS_WIN
-
-// To print path names portably use PRIsFP (based on PRIuS and friends from
-// C99 and format_macros.h) like this:
-// base::StringPrintf("Path is %" PRIsFP ".\n", path.value().c_str());
-#if defined(OS_POSIX)
-#define PRIsFP "s"
-#elif defined(OS_WIN)
-#define PRIsFP "ls"
-#endif // OS_WIN
-
-namespace base {
-
-class Pickle;
-class PickleIterator;
-
-// An abstraction to isolate users from the differences between native
-// pathnames on different platforms.
-class BASE_EXPORT FilePath {
- public:
-#if defined(OS_POSIX)
- // On most platforms, native pathnames are char arrays, and the encoding
- // may or may not be specified. On Mac OS X, native pathnames are encoded
- // in UTF-8.
- typedef std::string StringType;
-#elif defined(OS_WIN)
- // On Windows, for Unicode-aware applications, native pathnames are wchar_t
- // arrays encoded in UTF-16.
- typedef std::wstring StringType;
-#endif // OS_WIN
-
- typedef BasicStringPiece<StringType> StringPieceType;
- typedef StringType::value_type CharType;
-
- // Null-terminated array of separators used to separate components in
- // hierarchical paths. Each character in this array is a valid separator,
- // but kSeparators[0] is treated as the canonical separator and will be used
- // when composing pathnames.
- static const CharType kSeparators[];
-
- // arraysize(kSeparators).
- static const size_t kSeparatorsLength;
-
- // A special path component meaning "this directory."
- static const CharType kCurrentDirectory[];
-
- // A special path component meaning "the parent directory."
- static const CharType kParentDirectory[];
-
- // The character used to identify a file extension.
- static const CharType kExtensionSeparator;
-
- FilePath();
- FilePath(const FilePath& that);
- explicit FilePath(StringPieceType path);
- ~FilePath();
- FilePath& operator=(const FilePath& that);
-
- bool operator==(const FilePath& that) const;
-
- bool operator!=(const FilePath& that) const;
-
- // Required for some STL containers and operations
- bool operator<(const FilePath& that) const {
- return path_ < that.path_;
- }
-
- const StringType& value() const { return path_; }
-
- bool empty() const { return path_.empty(); }
-
- void clear() { path_.clear(); }
-
- // Returns true if |character| is in kSeparators.
- static bool IsSeparator(CharType character);
-
- // Returns a vector of all of the components of the provided path. It is
- // equivalent to calling DirName().value() on the path's root component,
- // and BaseName().value() on each child component.
- //
- // To make sure this is lossless so we can differentiate absolute and
- // relative paths, the root slash will be included even though no other
- // slashes will be. The precise behavior is:
- //
- // Posix: "/foo/bar" -> [ "/", "foo", "bar" ]
- // Windows: "C:\foo\bar" -> [ "C:", "\\", "foo", "bar" ]
- void GetComponents(std::vector<FilePath::StringType>* components) const;
-
- // Returns true if this FilePath is a strict parent of the |child|. Absolute
- // and relative paths are accepted i.e. is /foo parent to /foo/bar and
- // is foo parent to foo/bar. Does not convert paths to absolute, follow
- // symlinks or directory navigation (e.g. ".."). A path is *NOT* its own
- // parent.
- bool IsParent(const FilePath& child) const;
-
- // If IsParent(child) holds, appends to path (if non-NULL) the
- // relative path to child and returns true. For example, if parent
- // holds "/Users/johndoe/Library/Application Support", child holds
- // "/Users/johndoe/Library/Application Support/Google/Chrome/Default", and
- // *path holds "/Users/johndoe/Library/Caches", then after
- // parent.AppendRelativePath(child, path) is called *path will hold
- // "/Users/johndoe/Library/Caches/Google/Chrome/Default". Otherwise,
- // returns false.
- bool AppendRelativePath(const FilePath& child, FilePath* path) const;
-
- // Returns a FilePath corresponding to the directory containing the path
- // named by this object, stripping away the file component. If this object
- // only contains one component, returns a FilePath identifying
- // kCurrentDirectory. If this object already refers to the root directory,
- // returns a FilePath identifying the root directory.
- FilePath DirName() const WARN_UNUSED_RESULT;
-
- // Returns a FilePath corresponding to the last path component of this
- // object, either a file or a directory. If this object already refers to
- // the root directory, returns a FilePath identifying the root directory;
- // this is the only situation in which BaseName will return an absolute path.
- FilePath BaseName() const WARN_UNUSED_RESULT;
-
- // Returns ".jpg" for path "C:\pics\jojo.jpg", or an empty string if
- // the file has no extension. If non-empty, Extension() will always start
- // with precisely one ".". The following code should always work regardless
- // of the value of path. For common double-extensions like .tar.gz and
- // .user.js, this method returns the combined extension. For a single
- // component, use FinalExtension().
- // new_path = path.RemoveExtension().value().append(path.Extension());
- // ASSERT(new_path == path.value());
- // NOTE: this is different from the original file_util implementation which
- // returned the extension without a leading "." ("jpg" instead of ".jpg")
- StringType Extension() const WARN_UNUSED_RESULT;
-
- // Returns the path's file extension, as in Extension(), but will
- // never return a double extension.
- //
- // TODO(davidben): Check all our extension-sensitive code to see if
- // we can rename this to Extension() and the other to something like
- // LongExtension(), defaulting to short extensions and leaving the
- // long "extensions" to logic like base::GetUniquePathNumber().
- StringType FinalExtension() const WARN_UNUSED_RESULT;
-
- // Returns "C:\pics\jojo" for path "C:\pics\jojo.jpg"
- // NOTE: this is slightly different from the similar file_util implementation
- // which returned simply 'jojo'.
- FilePath RemoveExtension() const WARN_UNUSED_RESULT;
-
- // Removes the path's file extension, as in RemoveExtension(), but
- // ignores double extensions.
- FilePath RemoveFinalExtension() const WARN_UNUSED_RESULT;
-
- // Inserts |suffix| after the file name portion of |path| but before the
- // extension. Returns "" if BaseName() == "." or "..".
- // Examples:
- // path == "C:\pics\jojo.jpg" suffix == " (1)", returns "C:\pics\jojo (1).jpg"
- // path == "jojo.jpg" suffix == " (1)", returns "jojo (1).jpg"
- // path == "C:\pics\jojo" suffix == " (1)", returns "C:\pics\jojo (1)"
- // path == "C:\pics.old\jojo" suffix == " (1)", returns "C:\pics.old\jojo (1)"
- FilePath InsertBeforeExtension(
- StringPieceType suffix) const WARN_UNUSED_RESULT;
- FilePath InsertBeforeExtensionASCII(
- StringPiece suffix) const WARN_UNUSED_RESULT;
-
- // Adds |extension| to |file_name|. Returns the current FilePath if
- // |extension| is empty. Returns "" if BaseName() == "." or "..".
- FilePath AddExtension(StringPieceType extension) const WARN_UNUSED_RESULT;
-
- // Replaces the extension of |file_name| with |extension|. If |file_name|
- // does not have an extension, then |extension| is added. If |extension| is
- // empty, then the extension is removed from |file_name|.
- // Returns "" if BaseName() == "." or "..".
- FilePath ReplaceExtension(StringPieceType extension) const WARN_UNUSED_RESULT;
-
- // Returns true if the file path matches the specified extension. The test is
- // case insensitive. Don't forget the leading period if appropriate.
- bool MatchesExtension(StringPieceType extension) const;
-
- // Returns a FilePath by appending a separator and the supplied path
- // component to this object's path. Append takes care to avoid adding
- // excessive separators if this object's path already ends with a separator.
- // If this object's path is kCurrentDirectory, a new FilePath corresponding
- // only to |component| is returned. |component| must be a relative path;
- // it is an error to pass an absolute path.
- FilePath Append(StringPieceType component) const WARN_UNUSED_RESULT;
- FilePath Append(const FilePath& component) const WARN_UNUSED_RESULT;
-
- // Although Windows StringType is std::wstring, since the encoding it uses for
- // paths is well defined, it can handle ASCII path components as well.
- // Mac uses UTF8, and since ASCII is a subset of that, it works there as well.
- // On Linux, although it can use any 8-bit encoding for paths, we assume that
- // ASCII is a valid subset, regardless of the encoding, since many operating
- // system paths will always be ASCII.
- FilePath AppendASCII(StringPiece component) const WARN_UNUSED_RESULT;
-
- // Returns true if this FilePath contains an absolute path. On Windows, an
- // absolute path begins with either a drive letter specification followed by
- // a separator character, or with two separator characters. On POSIX
- // platforms, an absolute path begins with a separator character.
- bool IsAbsolute() const;
-
- // Returns true if the patch ends with a path separator character.
- bool EndsWithSeparator() const WARN_UNUSED_RESULT;
-
- // Returns a copy of this FilePath that ends with a trailing separator. If
- // the input path is empty, an empty FilePath will be returned.
- FilePath AsEndingWithSeparator() const WARN_UNUSED_RESULT;
-
- // Returns a copy of this FilePath that does not end with a trailing
- // separator.
- FilePath StripTrailingSeparators() const WARN_UNUSED_RESULT;
-
- // Returns true if this FilePath contains an attempt to reference a parent
- // directory (e.g. has a path component that is "..").
- bool ReferencesParent() const;
-
- // Return a Unicode human-readable version of this path.
- // Warning: you can *not*, in general, go from a display name back to a real
- // path. Only use this when displaying paths to users, not just when you
- // want to stuff a string16 into some other API.
- string16 LossyDisplayName() const;
-
- // Return the path as ASCII, or the empty string if the path is not ASCII.
- // This should only be used for cases where the FilePath is representing a
- // known-ASCII filename.
- std::string MaybeAsASCII() const;
-
- // Return the path as UTF-8.
- //
- // This function is *unsafe* as there is no way to tell what encoding is
- // used in file names on POSIX systems other than Mac and Chrome OS,
- // although UTF-8 is practically used everywhere these days. To mitigate
- // the encoding issue, this function internally calls
- // SysNativeMBToWide() on POSIX systems other than Mac and Chrome OS,
- // per assumption that the current locale's encoding is used in file
- // names, but this isn't a perfect solution.
- //
- // Once it becomes safe to to stop caring about non-UTF-8 file names,
- // the SysNativeMBToWide() hack will be removed from the code, along
- // with "Unsafe" in the function name.
- std::string AsUTF8Unsafe() const;
-
- // Similar to AsUTF8Unsafe, but returns UTF-16 instead.
- string16 AsUTF16Unsafe() const;
-
- // Returns a FilePath object from a path name in UTF-8. This function
- // should only be used for cases where you are sure that the input
- // string is UTF-8.
- //
- // Like AsUTF8Unsafe(), this function is unsafe. This function
- // internally calls SysWideToNativeMB() on POSIX systems other than Mac
- // and Chrome OS, to mitigate the encoding issue. See the comment at
- // AsUTF8Unsafe() for details.
- static FilePath FromUTF8Unsafe(const std::string& utf8);
-
- // Similar to FromUTF8Unsafe, but accepts UTF-16 instead.
- static FilePath FromUTF16Unsafe(const string16& utf16);
-
- void WriteToPickle(Pickle* pickle) const;
- bool ReadFromPickle(PickleIterator* iter);
-
- // Normalize all path separators to backslash on Windows
- // (if FILE_PATH_USES_WIN_SEPARATORS is true), or do nothing on POSIX systems.
- FilePath NormalizePathSeparators() const;
-
- // Normalize all path separattors to given type on Windows
- // (if FILE_PATH_USES_WIN_SEPARATORS is true), or do nothing on POSIX systems.
- FilePath NormalizePathSeparatorsTo(CharType separator) const;
-
- // Compare two strings in the same way the file system does.
- // Note that these always ignore case, even on file systems that are case-
- // sensitive. If case-sensitive comparison is ever needed, add corresponding
- // methods here.
- // The methods are written as a static method so that they can also be used
- // on parts of a file path, e.g., just the extension.
- // CompareIgnoreCase() returns -1, 0 or 1 for less-than, equal-to and
- // greater-than respectively.
- static int CompareIgnoreCase(StringPieceType string1,
- StringPieceType string2);
- static bool CompareEqualIgnoreCase(StringPieceType string1,
- StringPieceType string2) {
- return CompareIgnoreCase(string1, string2) == 0;
- }
- static bool CompareLessIgnoreCase(StringPieceType string1,
- StringPieceType string2) {
- return CompareIgnoreCase(string1, string2) < 0;
- }
-
-#if defined(OS_MACOSX)
- // Returns the string in the special canonical decomposed form as defined for
- // HFS, which is close to, but not quite, decomposition form D. See
- // http://developer.apple.com/mac/library/technotes/tn/tn1150.html#UnicodeSubtleties
- // for further comments.
- // Returns the epmty string if the conversion failed.
- static StringType GetHFSDecomposedForm(StringPieceType string);
-
- // Special UTF-8 version of FastUnicodeCompare. Cf:
- // http://developer.apple.com/mac/library/technotes/tn/tn1150.html#StringComparisonAlgorithm
- // IMPORTANT: The input strings must be in the special HFS decomposed form!
- // (cf. above GetHFSDecomposedForm method)
- static int HFSFastUnicodeCompare(StringPieceType string1,
- StringPieceType string2);
-#endif
-
-#if defined(OS_ANDROID)
- // On android, file selection dialog can return a file with content uri
- // scheme(starting with content://). Content uri needs to be opened with
- // ContentResolver to guarantee that the app has appropriate permissions
- // to access it.
- // Returns true if the path is a content uri, or false otherwise.
- bool IsContentUri() const;
-#endif
-
- private:
- // Remove trailing separators from this object. If the path is absolute, it
- // will never be stripped any more than to refer to the absolute root
- // directory, so "////" will become "/", not "". A leading pair of
- // separators is never stripped, to support alternate roots. This is used to
- // support UNC paths on Windows.
- void StripTrailingSeparatorsInternal();
-
- StringType path_;
-};
-
-// This is required by googletest to print a readable output on test failures.
-// This is declared here for use in gtest-based unit tests but is defined in
-// the test_support_base target. Depend on that to use this in your unit test.
-// This should not be used in production code - call ToString() instead.
-void PrintTo(const FilePath& path, std::ostream* out);
-
-} // namespace base
-
-// Macros for string literal initialization of FilePath::CharType[], and for
-// using a FilePath::CharType[] in a printf-style format string.
-#if defined(OS_POSIX)
-#define FILE_PATH_LITERAL(x) x
-#define PRFilePath "s"
-#elif defined(OS_WIN)
-#define FILE_PATH_LITERAL(x) L ## x
-#define PRFilePath "ls"
-#endif // OS_WIN
-
-// Provide a hash function so that hash_sets and maps can contain FilePath
-// objects.
-namespace BASE_HASH_NAMESPACE {
-
-template<>
-struct hash<base::FilePath> {
- size_t operator()(const base::FilePath& f) const {
- return hash<base::FilePath::StringType>()(f.value());
- }
-};
-
-} // namespace BASE_HASH_NAMESPACE
-
-#endif // BASE_FILES_FILE_PATH_H_
diff --git a/security/sandbox/chromium/base/guid.h b/security/sandbox/chromium/base/guid.h
deleted file mode 100644
index c0a06f885..000000000
--- a/security/sandbox/chromium/base/guid.h
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_GUID_H_
-#define BASE_GUID_H_
-
-#include <stdint.h>
-
-#include <string>
-
-#include "base/base_export.h"
-#include "build/build_config.h"
-
-namespace base {
-
-// Generate a 128-bit random GUID of the form: "%08X-%04X-%04X-%04X-%012llX".
-// If GUID generation fails an empty string is returned.
-// The POSIX implementation uses pseudo random number generation to create
-// the GUID. The Windows implementation uses system services.
-BASE_EXPORT std::string GenerateGUID();
-
-// Returns true if the input string conforms to the GUID format.
-BASE_EXPORT bool IsValidGUID(const std::string& guid);
-
-#if defined(OS_POSIX)
-// For unit testing purposes only. Do not use outside of tests.
-BASE_EXPORT std::string RandomDataToGUIDString(const uint64_t bytes[2]);
-#endif
-
-} // namespace base
-
-#endif // BASE_GUID_H_
diff --git a/security/sandbox/chromium/base/hash.cc b/security/sandbox/chromium/base/hash.cc
deleted file mode 100644
index d3206f6a6..000000000
--- a/security/sandbox/chromium/base/hash.cc
+++ /dev/null
@@ -1,18 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/hash.h"
-
-// Definition in base/third_party/superfasthash/superfasthash.c. (Third-party
-// code did not come with its own header file, so declaring the function here.)
-// Note: This algorithm is also in Blink under Source/wtf/StringHasher.h.
-extern "C" uint32_t SuperFastHash(const char* data, int len);
-
-namespace base {
-
-uint32_t SuperFastHash(const char* data, int len) {
- return ::SuperFastHash(data, len);
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/hash.h b/security/sandbox/chromium/base/hash.h
deleted file mode 100644
index ed8d9fd4c..000000000
--- a/security/sandbox/chromium/base/hash.h
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_HASH_H_
-#define BASE_HASH_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <limits>
-#include <string>
-
-#include "base/base_export.h"
-#include "base/logging.h"
-
-namespace base {
-
-// WARNING: This hash function should not be used for any cryptographic purpose.
-BASE_EXPORT uint32_t SuperFastHash(const char* data, int len);
-
-// Computes a hash of a memory buffer |data| of a given |length|.
-// WARNING: This hash function should not be used for any cryptographic purpose.
-inline uint32_t Hash(const char* data, size_t length) {
- if (length > static_cast<size_t>(std::numeric_limits<int>::max())) {
- NOTREACHED();
- return 0;
- }
- return SuperFastHash(data, static_cast<int>(length));
-}
-
-// Computes a hash of a string |str|.
-// WARNING: This hash function should not be used for any cryptographic purpose.
-inline uint32_t Hash(const std::string& str) {
- return Hash(str.data(), str.size());
-}
-
-} // namespace base
-
-#endif // BASE_HASH_H_
diff --git a/security/sandbox/chromium/base/lazy_instance.cc b/security/sandbox/chromium/base/lazy_instance.cc
deleted file mode 100644
index 54680655a..000000000
--- a/security/sandbox/chromium/base/lazy_instance.cc
+++ /dev/null
@@ -1,54 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/lazy_instance.h"
-
-#include "base/at_exit.h"
-#include "base/atomicops.h"
-#include "base/threading/platform_thread.h"
-
-namespace base {
-namespace internal {
-
-// TODO(joth): This function could be shared with Singleton, in place of its
-// WaitForInstance() call.
-bool NeedsLazyInstance(subtle::AtomicWord* state) {
- // Try to create the instance, if we're the first, will go from 0 to
- // kLazyInstanceStateCreating, otherwise we've already been beaten here.
- // The memory access has no memory ordering as state 0 and
- // kLazyInstanceStateCreating have no associated data (memory barriers are
- // all about ordering of memory accesses to *associated* data).
- if (subtle::NoBarrier_CompareAndSwap(state, 0,
- kLazyInstanceStateCreating) == 0)
- // Caller must create instance
- return true;
-
- // It's either in the process of being created, or already created. Spin.
- // The load has acquire memory ordering as a thread which sees
- // state_ == STATE_CREATED needs to acquire visibility over
- // the associated data (buf_). Pairing Release_Store is in
- // CompleteLazyInstance().
- while (subtle::Acquire_Load(state) == kLazyInstanceStateCreating) {
- PlatformThread::YieldCurrentThread();
- }
- // Someone else created the instance.
- return false;
-}
-
-void CompleteLazyInstance(subtle::AtomicWord* state,
- subtle::AtomicWord new_instance,
- void* lazy_instance,
- void (*dtor)(void*)) {
- // Instance is created, go from CREATING to CREATED.
- // Releases visibility over private_buf_ to readers. Pairing Acquire_Load's
- // are in NeedsInstance() and Pointer().
- subtle::Release_Store(state, new_instance);
-
- // Make sure that the lazily instantiated object will get destroyed at exit.
- if (dtor)
- AtExitManager::RegisterCallback(dtor, lazy_instance);
-}
-
-} // namespace internal
-} // namespace base
diff --git a/security/sandbox/chromium/base/lazy_instance.h b/security/sandbox/chromium/base/lazy_instance.h
deleted file mode 100644
index fd0321017..000000000
--- a/security/sandbox/chromium/base/lazy_instance.h
+++ /dev/null
@@ -1,207 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// The LazyInstance<Type, Traits> class manages a single instance of Type,
-// which will be lazily created on the first time it's accessed. This class is
-// useful for places you would normally use a function-level static, but you
-// need to have guaranteed thread-safety. The Type constructor will only ever
-// be called once, even if two threads are racing to create the object. Get()
-// and Pointer() will always return the same, completely initialized instance.
-// When the instance is constructed it is registered with AtExitManager. The
-// destructor will be called on program exit.
-//
-// LazyInstance is completely thread safe, assuming that you create it safely.
-// The class was designed to be POD initialized, so it shouldn't require a
-// static constructor. It really only makes sense to declare a LazyInstance as
-// a global variable using the LAZY_INSTANCE_INITIALIZER initializer.
-//
-// LazyInstance is similar to Singleton, except it does not have the singleton
-// property. You can have multiple LazyInstance's of the same type, and each
-// will manage a unique instance. It also preallocates the space for Type, as
-// to avoid allocating the Type instance on the heap. This may help with the
-// performance of creating the instance, and reducing heap fragmentation. This
-// requires that Type be a complete type so we can determine the size.
-//
-// Example usage:
-// static LazyInstance<MyClass> my_instance = LAZY_INSTANCE_INITIALIZER;
-// void SomeMethod() {
-// my_instance.Get().SomeMethod(); // MyClass::SomeMethod()
-//
-// MyClass* ptr = my_instance.Pointer();
-// ptr->DoDoDo(); // MyClass::DoDoDo
-// }
-
-#ifndef BASE_LAZY_INSTANCE_H_
-#define BASE_LAZY_INSTANCE_H_
-
-#include <new> // For placement new.
-
-#include "base/atomicops.h"
-#include "base/base_export.h"
-#include "base/debug/leak_annotations.h"
-#include "base/logging.h"
-#include "base/memory/aligned_memory.h"
-#include "base/threading/thread_restrictions.h"
-
-// LazyInstance uses its own struct initializer-list style static
-// initialization, as base's LINKER_INITIALIZED requires a constructor and on
-// some compilers (notably gcc 4.4) this still ends up needing runtime
-// initialization.
-#define LAZY_INSTANCE_INITIALIZER {0}
-
-namespace base {
-
-template <typename Type>
-struct DefaultLazyInstanceTraits {
- static const bool kRegisterOnExit = true;
-#ifndef NDEBUG
- static const bool kAllowedToAccessOnNonjoinableThread = false;
-#endif
-
- static Type* New(void* instance) {
- DCHECK_EQ(reinterpret_cast<uintptr_t>(instance) & (ALIGNOF(Type) - 1), 0u)
- << ": Bad boy, the buffer passed to placement new is not aligned!\n"
- "This may break some stuff like SSE-based optimizations assuming the "
- "<Type> objects are word aligned.";
- // Use placement new to initialize our instance in our preallocated space.
- // The parenthesis is very important here to force POD type initialization.
- return new (instance) Type();
- }
- static void Delete(Type* instance) {
- // Explicitly call the destructor.
- instance->~Type();
- }
-};
-
-// We pull out some of the functionality into non-templated functions, so we
-// can implement the more complicated pieces out of line in the .cc file.
-namespace internal {
-
-// Use LazyInstance<T>::Leaky for a less-verbose call-site typedef; e.g.:
-// base::LazyInstance<T>::Leaky my_leaky_lazy_instance;
-// instead of:
-// base::LazyInstance<T, base::internal::LeakyLazyInstanceTraits<T> >
-// my_leaky_lazy_instance;
-// (especially when T is MyLongTypeNameImplClientHolderFactory).
-// Only use this internal::-qualified verbose form to extend this traits class
-// (depending on its implementation details).
-template <typename Type>
-struct LeakyLazyInstanceTraits {
- static const bool kRegisterOnExit = false;
-#ifndef NDEBUG
- static const bool kAllowedToAccessOnNonjoinableThread = true;
-#endif
-
- static Type* New(void* instance) {
- ANNOTATE_SCOPED_MEMORY_LEAK;
- return DefaultLazyInstanceTraits<Type>::New(instance);
- }
- static void Delete(Type* instance) {
- }
-};
-
-// Our AtomicWord doubles as a spinlock, where a value of
-// kBeingCreatedMarker means the spinlock is being held for creation.
-static const subtle::AtomicWord kLazyInstanceStateCreating = 1;
-
-// Check if instance needs to be created. If so return true otherwise
-// if another thread has beat us, wait for instance to be created and
-// return false.
-BASE_EXPORT bool NeedsLazyInstance(subtle::AtomicWord* state);
-
-// After creating an instance, call this to register the dtor to be called
-// at program exit and to update the atomic state to hold the |new_instance|
-BASE_EXPORT void CompleteLazyInstance(subtle::AtomicWord* state,
- subtle::AtomicWord new_instance,
- void* lazy_instance,
- void (*dtor)(void*));
-
-} // namespace internal
-
-template <typename Type, typename Traits = DefaultLazyInstanceTraits<Type> >
-class LazyInstance {
- public:
- // Do not define a destructor, as doing so makes LazyInstance a
- // non-POD-struct. We don't want that because then a static initializer will
- // be created to register the (empty) destructor with atexit() under MSVC, for
- // example. We handle destruction of the contained Type class explicitly via
- // the OnExit member function, where needed.
- // ~LazyInstance() {}
-
- // Convenience typedef to avoid having to repeat Type for leaky lazy
- // instances.
- typedef LazyInstance<Type, internal::LeakyLazyInstanceTraits<Type> > Leaky;
-
- Type& Get() {
- return *Pointer();
- }
-
- Type* Pointer() {
-#ifndef NDEBUG
- // Avoid making TLS lookup on release builds.
- if (!Traits::kAllowedToAccessOnNonjoinableThread)
- ThreadRestrictions::AssertSingletonAllowed();
-#endif
- // If any bit in the created mask is true, the instance has already been
- // fully constructed.
- static const subtle::AtomicWord kLazyInstanceCreatedMask =
- ~internal::kLazyInstanceStateCreating;
-
- // We will hopefully have fast access when the instance is already created.
- // Since a thread sees private_instance_ == 0 or kLazyInstanceStateCreating
- // at most once, the load is taken out of NeedsInstance() as a fast-path.
- // The load has acquire memory ordering as a thread which sees
- // private_instance_ > creating needs to acquire visibility over
- // the associated data (private_buf_). Pairing Release_Store is in
- // CompleteLazyInstance().
- subtle::AtomicWord value = subtle::Acquire_Load(&private_instance_);
- if (!(value & kLazyInstanceCreatedMask) &&
- internal::NeedsLazyInstance(&private_instance_)) {
- // Create the instance in the space provided by |private_buf_|.
- value = reinterpret_cast<subtle::AtomicWord>(
- Traits::New(private_buf_.void_data()));
- internal::CompleteLazyInstance(&private_instance_, value, this,
- Traits::kRegisterOnExit ? OnExit : NULL);
- }
- return instance();
- }
-
- bool operator==(Type* p) {
- switch (subtle::NoBarrier_Load(&private_instance_)) {
- case 0:
- return p == NULL;
- case internal::kLazyInstanceStateCreating:
- return static_cast<void*>(p) == private_buf_.void_data();
- default:
- return p == instance();
- }
- }
-
- // Effectively private: member data is only public to allow the linker to
- // statically initialize it and to maintain a POD class. DO NOT USE FROM
- // OUTSIDE THIS CLASS.
-
- subtle::AtomicWord private_instance_;
- // Preallocated space for the Type instance.
- base::AlignedMemory<sizeof(Type), ALIGNOF(Type)> private_buf_;
-
- private:
- Type* instance() {
- return reinterpret_cast<Type*>(subtle::NoBarrier_Load(&private_instance_));
- }
-
- // Adapter function for use with AtExit. This should be called single
- // threaded, so don't synchronize across threads.
- // Calling OnExit while the instance is in use by other threads is a mistake.
- static void OnExit(void* lazy_instance) {
- LazyInstance<Type, Traits>* me =
- reinterpret_cast<LazyInstance<Type, Traits>*>(lazy_instance);
- Traits::Delete(me->instance());
- subtle::NoBarrier_Store(&me->private_instance_, 0);
- }
-};
-
-} // namespace base
-
-#endif // BASE_LAZY_INSTANCE_H_
diff --git a/security/sandbox/chromium/base/location.cc b/security/sandbox/chromium/base/location.cc
deleted file mode 100644
index 1333e6ec4..000000000
--- a/security/sandbox/chromium/base/location.cc
+++ /dev/null
@@ -1,106 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "build/build_config.h"
-
-#if defined(COMPILER_MSVC)
-#include <intrin.h>
-#endif
-
-#include "base/location.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/strings/stringprintf.h"
-
-namespace tracked_objects {
-
-Location::Location(const char* function_name,
- const char* file_name,
- int line_number,
- const void* program_counter)
- : function_name_(function_name),
- file_name_(file_name),
- line_number_(line_number),
- program_counter_(program_counter) {
-}
-
-Location::Location()
- : function_name_("Unknown"),
- file_name_("Unknown"),
- line_number_(-1),
- program_counter_(NULL) {
-}
-
-Location::Location(const Location& other)
- : function_name_(other.function_name_),
- file_name_(other.file_name_),
- line_number_(other.line_number_),
- program_counter_(other.program_counter_) {
-}
-
-std::string Location::ToString() const {
- return std::string(function_name_) + "@" + file_name_ + ":" +
- base::IntToString(line_number_);
-}
-
-void Location::Write(bool display_filename, bool display_function_name,
- std::string* output) const {
- base::StringAppendF(output, "%s[%d] ",
- display_filename ? file_name_ : "line",
- line_number_);
-
- if (display_function_name) {
- WriteFunctionName(output);
- output->push_back(' ');
- }
-}
-
-void Location::WriteFunctionName(std::string* output) const {
- // Translate "<" to "&lt;" for HTML safety.
- // TODO(jar): Support ASCII or html for logging in ASCII.
- for (const char *p = function_name_; *p; p++) {
- switch (*p) {
- case '<':
- output->append("&lt;");
- break;
-
- case '>':
- output->append("&gt;");
- break;
-
- default:
- output->push_back(*p);
- break;
- }
- }
-}
-
-//------------------------------------------------------------------------------
-LocationSnapshot::LocationSnapshot() : line_number(-1) {
-}
-
-LocationSnapshot::LocationSnapshot(
- const tracked_objects::Location& location)
- : file_name(location.file_name()),
- function_name(location.function_name()),
- line_number(location.line_number()) {
-}
-
-LocationSnapshot::~LocationSnapshot() {
-}
-
-//------------------------------------------------------------------------------
-#if defined(COMPILER_MSVC)
-__declspec(noinline)
-#endif
-BASE_EXPORT const void* GetProgramCounter() {
-#if defined(COMPILER_MSVC)
- return _ReturnAddress();
-#elif defined(COMPILER_GCC) && !defined(OS_NACL)
- return __builtin_extract_return_addr(__builtin_return_address(0));
-#else
- return NULL;
-#endif
-}
-
-} // namespace tracked_objects
diff --git a/security/sandbox/chromium/base/location.h b/security/sandbox/chromium/base/location.h
deleted file mode 100644
index d3bb23c63..000000000
--- a/security/sandbox/chromium/base/location.h
+++ /dev/null
@@ -1,110 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_LOCATION_H_
-#define BASE_LOCATION_H_
-
-#include <stddef.h>
-
-#include <cassert>
-#include <string>
-
-#include "base/base_export.h"
-#include "base/containers/hash_tables.h"
-
-namespace tracked_objects {
-
-// Location provides basic info where of an object was constructed, or was
-// significantly brought to life.
-class BASE_EXPORT Location {
- public:
- // Constructor should be called with a long-lived char*, such as __FILE__.
- // It assumes the provided value will persist as a global constant, and it
- // will not make a copy of it.
- Location(const char* function_name,
- const char* file_name,
- int line_number,
- const void* program_counter);
-
- // Provide a default constructor for easy of debugging.
- Location();
-
- // Copy constructor.
- Location(const Location& other);
-
- // Comparator for hash map insertion.
- // No need to use |function_name_| since the other two fields uniquely
- // identify this location.
- bool operator==(const Location& other) const {
- return line_number_ == other.line_number_ &&
- file_name_ == other.file_name_;
- }
-
- const char* function_name() const { return function_name_; }
- const char* file_name() const { return file_name_; }
- int line_number() const { return line_number_; }
- const void* program_counter() const { return program_counter_; }
-
- std::string ToString() const;
-
- // Hash operator for hash maps.
- struct Hash {
- size_t operator()(const Location& location) const {
- // Compute the hash value using file name pointer and line number.
- // No need to use |function_name_| since the other two fields uniquely
- // identify this location.
-
- // The file name will always be uniquely identified by its pointer since
- // it comes from __FILE__, so no need to check the contents of the string.
- // See the definition of FROM_HERE in location.h, and how it is used
- // elsewhere.
- return base::HashPair(reinterpret_cast<uintptr_t>(location.file_name()),
- location.line_number());
- }
- };
-
- // Translate the some of the state in this instance into a human readable
- // string with HTML characters in the function names escaped, and append that
- // string to |output|. Inclusion of the file_name_ and function_name_ are
- // optional, and controlled by the boolean arguments.
- void Write(bool display_filename, bool display_function_name,
- std::string* output) const;
-
- // Write function_name_ in HTML with '<' and '>' properly encoded.
- void WriteFunctionName(std::string* output) const;
-
- private:
- const char* function_name_;
- const char* file_name_;
- int line_number_;
- const void* program_counter_;
-};
-
-// A "snapshotted" representation of the Location class that can safely be
-// passed across process boundaries.
-struct BASE_EXPORT LocationSnapshot {
- // The default constructor is exposed to support the IPC serialization macros.
- LocationSnapshot();
- explicit LocationSnapshot(const tracked_objects::Location& location);
- ~LocationSnapshot();
-
- std::string file_name;
- std::string function_name;
- int line_number;
-};
-
-BASE_EXPORT const void* GetProgramCounter();
-
-// Define a macro to record the current source location.
-#define FROM_HERE FROM_HERE_WITH_EXPLICIT_FUNCTION(__FUNCTION__)
-
-#define FROM_HERE_WITH_EXPLICIT_FUNCTION(function_name) \
- ::tracked_objects::Location(function_name, \
- __FILE__, \
- __LINE__, \
- ::tracked_objects::GetProgramCounter())
-
-} // namespace tracked_objects
-
-#endif // BASE_LOCATION_H_
diff --git a/security/sandbox/chromium/base/logging.h b/security/sandbox/chromium/base/logging.h
deleted file mode 100644
index 300c9b526..000000000
--- a/security/sandbox/chromium/base/logging.h
+++ /dev/null
@@ -1,976 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_LOGGING_H_
-#define BASE_LOGGING_H_
-
-#include <stddef.h>
-
-#include <cassert>
-#include <cstring>
-#include <sstream>
-#include <string>
-
-#include "base/base_export.h"
-#include "base/debug/debugger.h"
-#include "base/macros.h"
-#include "build/build_config.h"
-
-//
-// Optional message capabilities
-// -----------------------------
-// Assertion failed messages and fatal errors are displayed in a dialog box
-// before the application exits. However, running this UI creates a message
-// loop, which causes application messages to be processed and potentially
-// dispatched to existing application windows. Since the application is in a
-// bad state when this assertion dialog is displayed, these messages may not
-// get processed and hang the dialog, or the application might go crazy.
-//
-// Therefore, it can be beneficial to display the error dialog in a separate
-// process from the main application. When the logging system needs to display
-// a fatal error dialog box, it will look for a program called
-// "DebugMessage.exe" in the same directory as the application executable. It
-// will run this application with the message as the command line, and will
-// not include the name of the application as is traditional for easier
-// parsing.
-//
-// The code for DebugMessage.exe is only one line. In WinMain, do:
-// MessageBox(NULL, GetCommandLineW(), L"Fatal Error", 0);
-//
-// If DebugMessage.exe is not found, the logging code will use a normal
-// MessageBox, potentially causing the problems discussed above.
-
-
-// Instructions
-// ------------
-//
-// Make a bunch of macros for logging. The way to log things is to stream
-// things to LOG(<a particular severity level>). E.g.,
-//
-// LOG(INFO) << "Found " << num_cookies << " cookies";
-//
-// You can also do conditional logging:
-//
-// LOG_IF(INFO, num_cookies > 10) << "Got lots of cookies";
-//
-// The CHECK(condition) macro is active in both debug and release builds and
-// effectively performs a LOG(FATAL) which terminates the process and
-// generates a crashdump unless a debugger is attached.
-//
-// There are also "debug mode" logging macros like the ones above:
-//
-// DLOG(INFO) << "Found cookies";
-//
-// DLOG_IF(INFO, num_cookies > 10) << "Got lots of cookies";
-//
-// All "debug mode" logging is compiled away to nothing for non-debug mode
-// compiles. LOG_IF and development flags also work well together
-// because the code can be compiled away sometimes.
-//
-// We also have
-//
-// LOG_ASSERT(assertion);
-// DLOG_ASSERT(assertion);
-//
-// which is syntactic sugar for {,D}LOG_IF(FATAL, assert fails) << assertion;
-//
-// There are "verbose level" logging macros. They look like
-//
-// VLOG(1) << "I'm printed when you run the program with --v=1 or more";
-// VLOG(2) << "I'm printed when you run the program with --v=2 or more";
-//
-// These always log at the INFO log level (when they log at all).
-// The verbose logging can also be turned on module-by-module. For instance,
-// --vmodule=profile=2,icon_loader=1,browser_*=3,*/chromeos/*=4 --v=0
-// will cause:
-// a. VLOG(2) and lower messages to be printed from profile.{h,cc}
-// b. VLOG(1) and lower messages to be printed from icon_loader.{h,cc}
-// c. VLOG(3) and lower messages to be printed from files prefixed with
-// "browser"
-// d. VLOG(4) and lower messages to be printed from files under a
-// "chromeos" directory.
-// e. VLOG(0) and lower messages to be printed from elsewhere
-//
-// The wildcarding functionality shown by (c) supports both '*' (match
-// 0 or more characters) and '?' (match any single character)
-// wildcards. Any pattern containing a forward or backward slash will
-// be tested against the whole pathname and not just the module.
-// E.g., "*/foo/bar/*=2" would change the logging level for all code
-// in source files under a "foo/bar" directory.
-//
-// There's also VLOG_IS_ON(n) "verbose level" condition macro. To be used as
-//
-// if (VLOG_IS_ON(2)) {
-// // do some logging preparation and logging
-// // that can't be accomplished with just VLOG(2) << ...;
-// }
-//
-// There is also a VLOG_IF "verbose level" condition macro for sample
-// cases, when some extra computation and preparation for logs is not
-// needed.
-//
-// VLOG_IF(1, (size > 1024))
-// << "I'm printed when size is more than 1024 and when you run the "
-// "program with --v=1 or more";
-//
-// We also override the standard 'assert' to use 'DLOG_ASSERT'.
-//
-// Lastly, there is:
-//
-// PLOG(ERROR) << "Couldn't do foo";
-// DPLOG(ERROR) << "Couldn't do foo";
-// PLOG_IF(ERROR, cond) << "Couldn't do foo";
-// DPLOG_IF(ERROR, cond) << "Couldn't do foo";
-// PCHECK(condition) << "Couldn't do foo";
-// DPCHECK(condition) << "Couldn't do foo";
-//
-// which append the last system error to the message in string form (taken from
-// GetLastError() on Windows and errno on POSIX).
-//
-// The supported severity levels for macros that allow you to specify one
-// are (in increasing order of severity) INFO, WARNING, ERROR, and FATAL.
-//
-// Very important: logging a message at the FATAL severity level causes
-// the program to terminate (after the message is logged).
-//
-// There is the special severity of DFATAL, which logs FATAL in debug mode,
-// ERROR in normal mode.
-
-namespace logging {
-
-// TODO(avi): do we want to do a unification of character types here?
-#if defined(OS_WIN)
-typedef wchar_t PathChar;
-#else
-typedef char PathChar;
-#endif
-
-// Where to record logging output? A flat file and/or system debug log
-// via OutputDebugString.
-enum LoggingDestination {
- LOG_NONE = 0,
- LOG_TO_FILE = 1 << 0,
- LOG_TO_SYSTEM_DEBUG_LOG = 1 << 1,
-
- LOG_TO_ALL = LOG_TO_FILE | LOG_TO_SYSTEM_DEBUG_LOG,
-
- // On Windows, use a file next to the exe; on POSIX platforms, where
- // it may not even be possible to locate the executable on disk, use
- // stderr.
-#if defined(OS_WIN)
- LOG_DEFAULT = LOG_TO_FILE,
-#elif defined(OS_POSIX)
- LOG_DEFAULT = LOG_TO_SYSTEM_DEBUG_LOG,
-#endif
-};
-
-// Indicates that the log file should be locked when being written to.
-// Unless there is only one single-threaded process that is logging to
-// the log file, the file should be locked during writes to make each
-// log output atomic. Other writers will block.
-//
-// All processes writing to the log file must have their locking set for it to
-// work properly. Defaults to LOCK_LOG_FILE.
-enum LogLockingState { LOCK_LOG_FILE, DONT_LOCK_LOG_FILE };
-
-// On startup, should we delete or append to an existing log file (if any)?
-// Defaults to APPEND_TO_OLD_LOG_FILE.
-enum OldFileDeletionState { DELETE_OLD_LOG_FILE, APPEND_TO_OLD_LOG_FILE };
-
-struct BASE_EXPORT LoggingSettings {
- // The defaults values are:
- //
- // logging_dest: LOG_DEFAULT
- // log_file: NULL
- // lock_log: LOCK_LOG_FILE
- // delete_old: APPEND_TO_OLD_LOG_FILE
- LoggingSettings();
-
- LoggingDestination logging_dest;
-
- // The three settings below have an effect only when LOG_TO_FILE is
- // set in |logging_dest|.
- const PathChar* log_file;
- LogLockingState lock_log;
- OldFileDeletionState delete_old;
-};
-
-// Define different names for the BaseInitLoggingImpl() function depending on
-// whether NDEBUG is defined or not so that we'll fail to link if someone tries
-// to compile logging.cc with NDEBUG but includes logging.h without defining it,
-// or vice versa.
-#if NDEBUG
-#define BaseInitLoggingImpl BaseInitLoggingImpl_built_with_NDEBUG
-#else
-#define BaseInitLoggingImpl BaseInitLoggingImpl_built_without_NDEBUG
-#endif
-
-// Implementation of the InitLogging() method declared below. We use a
-// more-specific name so we can #define it above without affecting other code
-// that has named stuff "InitLogging".
-BASE_EXPORT bool BaseInitLoggingImpl(const LoggingSettings& settings);
-
-// Sets the log file name and other global logging state. Calling this function
-// is recommended, and is normally done at the beginning of application init.
-// If you don't call it, all the flags will be initialized to their default
-// values, and there is a race condition that may leak a critical section
-// object if two threads try to do the first log at the same time.
-// See the definition of the enums above for descriptions and default values.
-//
-// The default log file is initialized to "debug.log" in the application
-// directory. You probably don't want this, especially since the program
-// directory may not be writable on an enduser's system.
-//
-// This function may be called a second time to re-direct logging (e.g after
-// loging in to a user partition), however it should never be called more than
-// twice.
-inline bool InitLogging(const LoggingSettings& settings) {
- return BaseInitLoggingImpl(settings);
-}
-
-// Sets the log level. Anything at or above this level will be written to the
-// log file/displayed to the user (if applicable). Anything below this level
-// will be silently ignored. The log level defaults to 0 (everything is logged
-// up to level INFO) if this function is not called.
-// Note that log messages for VLOG(x) are logged at level -x, so setting
-// the min log level to negative values enables verbose logging.
-BASE_EXPORT void SetMinLogLevel(int level);
-
-// Gets the current log level.
-BASE_EXPORT int GetMinLogLevel();
-
-// Used by LOG_IS_ON to lazy-evaluate stream arguments.
-BASE_EXPORT bool ShouldCreateLogMessage(int severity);
-
-// Gets the VLOG default verbosity level.
-BASE_EXPORT int GetVlogVerbosity();
-
-// Gets the current vlog level for the given file (usually taken from
-// __FILE__).
-
-// Note that |N| is the size *with* the null terminator.
-BASE_EXPORT int GetVlogLevelHelper(const char* file_start, size_t N);
-
-template <size_t N>
-int GetVlogLevel(const char (&file)[N]) {
- return GetVlogLevelHelper(file, N);
-}
-
-// Sets the common items you want to be prepended to each log message.
-// process and thread IDs default to off, the timestamp defaults to on.
-// If this function is not called, logging defaults to writing the timestamp
-// only.
-BASE_EXPORT void SetLogItems(bool enable_process_id, bool enable_thread_id,
- bool enable_timestamp, bool enable_tickcount);
-
-// Sets whether or not you'd like to see fatal debug messages popped up in
-// a dialog box or not.
-// Dialogs are not shown by default.
-BASE_EXPORT void SetShowErrorDialogs(bool enable_dialogs);
-
-// Sets the Log Assert Handler that will be used to notify of check failures.
-// The default handler shows a dialog box and then terminate the process,
-// however clients can use this function to override with their own handling
-// (e.g. a silent one for Unit Tests)
-typedef void (*LogAssertHandlerFunction)(const std::string& str);
-BASE_EXPORT void SetLogAssertHandler(LogAssertHandlerFunction handler);
-
-// Sets the Log Message Handler that gets passed every log message before
-// it's sent to other log destinations (if any).
-// Returns true to signal that it handled the message and the message
-// should not be sent to other log destinations.
-typedef bool (*LogMessageHandlerFunction)(int severity,
- const char* file, int line, size_t message_start, const std::string& str);
-BASE_EXPORT void SetLogMessageHandler(LogMessageHandlerFunction handler);
-BASE_EXPORT LogMessageHandlerFunction GetLogMessageHandler();
-
-typedef int LogSeverity;
-const LogSeverity LOG_VERBOSE = -1; // This is level 1 verbosity
-// Note: the log severities are used to index into the array of names,
-// see log_severity_names.
-const LogSeverity LOG_INFO = 0;
-const LogSeverity LOG_WARNING = 1;
-const LogSeverity LOG_ERROR = 2;
-const LogSeverity LOG_FATAL = 3;
-const LogSeverity LOG_NUM_SEVERITIES = 4;
-
-// LOG_DFATAL is LOG_FATAL in debug mode, ERROR in normal mode
-#ifdef NDEBUG
-const LogSeverity LOG_DFATAL = LOG_ERROR;
-#else
-const LogSeverity LOG_DFATAL = LOG_FATAL;
-#endif
-
-// A few definitions of macros that don't generate much code. These are used
-// by LOG() and LOG_IF, etc. Since these are used all over our code, it's
-// better to have compact code for these operations.
-#define COMPACT_GOOGLE_LOG_EX_INFO(ClassName, ...) \
- logging::ClassName(__FILE__, __LINE__, logging::LOG_INFO , ##__VA_ARGS__)
-#define COMPACT_GOOGLE_LOG_EX_WARNING(ClassName, ...) \
- logging::ClassName(__FILE__, __LINE__, logging::LOG_WARNING , ##__VA_ARGS__)
-#define COMPACT_GOOGLE_LOG_EX_ERROR(ClassName, ...) \
- logging::ClassName(__FILE__, __LINE__, logging::LOG_ERROR , ##__VA_ARGS__)
-#define COMPACT_GOOGLE_LOG_EX_FATAL(ClassName, ...) \
- logging::ClassName(__FILE__, __LINE__, logging::LOG_FATAL , ##__VA_ARGS__)
-#define COMPACT_GOOGLE_LOG_EX_DFATAL(ClassName, ...) \
- logging::ClassName(__FILE__, __LINE__, logging::LOG_DFATAL , ##__VA_ARGS__)
-
-#define COMPACT_GOOGLE_LOG_INFO \
- COMPACT_GOOGLE_LOG_EX_INFO(LogMessage)
-#define COMPACT_GOOGLE_LOG_WARNING \
- COMPACT_GOOGLE_LOG_EX_WARNING(LogMessage)
-#define COMPACT_GOOGLE_LOG_ERROR \
- COMPACT_GOOGLE_LOG_EX_ERROR(LogMessage)
-#define COMPACT_GOOGLE_LOG_FATAL \
- COMPACT_GOOGLE_LOG_EX_FATAL(LogMessage)
-#define COMPACT_GOOGLE_LOG_DFATAL \
- COMPACT_GOOGLE_LOG_EX_DFATAL(LogMessage)
-
-#if defined(OS_WIN)
-// wingdi.h defines ERROR to be 0. When we call LOG(ERROR), it gets
-// substituted with 0, and it expands to COMPACT_GOOGLE_LOG_0. To allow us
-// to keep using this syntax, we define this macro to do the same thing
-// as COMPACT_GOOGLE_LOG_ERROR, and also define ERROR the same way that
-// the Windows SDK does for consistency.
-#define ERROR 0
-#define COMPACT_GOOGLE_LOG_EX_0(ClassName, ...) \
- COMPACT_GOOGLE_LOG_EX_ERROR(ClassName , ##__VA_ARGS__)
-#define COMPACT_GOOGLE_LOG_0 COMPACT_GOOGLE_LOG_ERROR
-// Needed for LOG_IS_ON(ERROR).
-const LogSeverity LOG_0 = LOG_ERROR;
-#endif
-
-// As special cases, we can assume that LOG_IS_ON(FATAL) always holds. Also,
-// LOG_IS_ON(DFATAL) always holds in debug mode. In particular, CHECK()s will
-// always fire if they fail.
-#define LOG_IS_ON(severity) \
- (::logging::ShouldCreateLogMessage(::logging::LOG_##severity))
-
-// We can't do any caching tricks with VLOG_IS_ON() like the
-// google-glog version since it requires GCC extensions. This means
-// that using the v-logging functions in conjunction with --vmodule
-// may be slow.
-#define VLOG_IS_ON(verboselevel) \
- ((verboselevel) <= ::logging::GetVlogLevel(__FILE__))
-
-// Helper macro which avoids evaluating the arguments to a stream if
-// the condition doesn't hold. Condition is evaluated once and only once.
-#define LAZY_STREAM(stream, condition) \
- !(condition) ? (void) 0 : ::logging::LogMessageVoidify() & (stream)
-
-// We use the preprocessor's merging operator, "##", so that, e.g.,
-// LOG(INFO) becomes the token COMPACT_GOOGLE_LOG_INFO. There's some funny
-// subtle difference between ostream member streaming functions (e.g.,
-// ostream::operator<<(int) and ostream non-member streaming functions
-// (e.g., ::operator<<(ostream&, string&): it turns out that it's
-// impossible to stream something like a string directly to an unnamed
-// ostream. We employ a neat hack by calling the stream() member
-// function of LogMessage which seems to avoid the problem.
-#define LOG_STREAM(severity) COMPACT_GOOGLE_LOG_ ## severity.stream()
-
-#define LOG(severity) LAZY_STREAM(LOG_STREAM(severity), LOG_IS_ON(severity))
-#define LOG_IF(severity, condition) \
- LAZY_STREAM(LOG_STREAM(severity), LOG_IS_ON(severity) && (condition))
-
-#define SYSLOG(severity) LOG(severity)
-#define SYSLOG_IF(severity, condition) LOG_IF(severity, condition)
-
-// The VLOG macros log with negative verbosities.
-#define VLOG_STREAM(verbose_level) \
- logging::LogMessage(__FILE__, __LINE__, -verbose_level).stream()
-
-#define VLOG(verbose_level) \
- LAZY_STREAM(VLOG_STREAM(verbose_level), VLOG_IS_ON(verbose_level))
-
-#define VLOG_IF(verbose_level, condition) \
- LAZY_STREAM(VLOG_STREAM(verbose_level), \
- VLOG_IS_ON(verbose_level) && (condition))
-
-#if defined (OS_WIN)
-#define VPLOG_STREAM(verbose_level) \
- logging::Win32ErrorLogMessage(__FILE__, __LINE__, -verbose_level, \
- ::logging::GetLastSystemErrorCode()).stream()
-#elif defined(OS_POSIX)
-#define VPLOG_STREAM(verbose_level) \
- logging::ErrnoLogMessage(__FILE__, __LINE__, -verbose_level, \
- ::logging::GetLastSystemErrorCode()).stream()
-#endif
-
-#define VPLOG(verbose_level) \
- LAZY_STREAM(VPLOG_STREAM(verbose_level), VLOG_IS_ON(verbose_level))
-
-#define VPLOG_IF(verbose_level, condition) \
- LAZY_STREAM(VPLOG_STREAM(verbose_level), \
- VLOG_IS_ON(verbose_level) && (condition))
-
-// TODO(akalin): Add more VLOG variants, e.g. VPLOG.
-
-#define LOG_ASSERT(condition) \
- LOG_IF(FATAL, !(condition)) << "Assert failed: " #condition ". "
-#define SYSLOG_ASSERT(condition) \
- SYSLOG_IF(FATAL, !(condition)) << "Assert failed: " #condition ". "
-
-#if defined(OS_WIN)
-#define PLOG_STREAM(severity) \
- COMPACT_GOOGLE_LOG_EX_ ## severity(Win32ErrorLogMessage, \
- ::logging::GetLastSystemErrorCode()).stream()
-#elif defined(OS_POSIX)
-#define PLOG_STREAM(severity) \
- COMPACT_GOOGLE_LOG_EX_ ## severity(ErrnoLogMessage, \
- ::logging::GetLastSystemErrorCode()).stream()
-#endif
-
-#define PLOG(severity) \
- LAZY_STREAM(PLOG_STREAM(severity), LOG_IS_ON(severity))
-
-#define PLOG_IF(severity, condition) \
- LAZY_STREAM(PLOG_STREAM(severity), LOG_IS_ON(severity) && (condition))
-
-// The actual stream used isn't important.
-#define EAT_STREAM_PARAMETERS \
- true ? (void) 0 : ::logging::LogMessageVoidify() & LOG_STREAM(FATAL)
-
-// Captures the result of a CHECK_EQ (for example) and facilitates testing as a
-// boolean.
-class CheckOpResult {
- public:
- // |message| must be null if and only if the check failed.
- CheckOpResult(std::string* message) : message_(message) {}
- // Returns true if the check succeeded.
- operator bool() const { return !message_; }
- // Returns the message.
- std::string* message() { return message_; }
-
- private:
- std::string* message_;
-};
-
-// CHECK dies with a fatal error if condition is not true. It is *not*
-// controlled by NDEBUG, so the check will be executed regardless of
-// compilation mode.
-//
-// We make sure CHECK et al. always evaluates their arguments, as
-// doing CHECK(FunctionWithSideEffect()) is a common idiom.
-
-#if defined(OFFICIAL_BUILD) && defined(NDEBUG) && !defined(OS_ANDROID)
-
-// Make all CHECK functions discard their log strings to reduce code
-// bloat for official release builds (except Android).
-
-// TODO(akalin): This would be more valuable if there were some way to
-// remove BreakDebugger() from the backtrace, perhaps by turning it
-// into a macro (like __debugbreak() on Windows).
-#define CHECK(condition) \
- !(condition) ? ::base::debug::BreakDebugger() : EAT_STREAM_PARAMETERS
-
-#define PCHECK(condition) CHECK(condition)
-
-#define CHECK_OP(name, op, val1, val2) CHECK((val1) op (val2))
-
-#else
-
-#if defined(_PREFAST_) && defined(OS_WIN)
-// Use __analysis_assume to tell the VC++ static analysis engine that
-// assert conditions are true, to suppress warnings. The LAZY_STREAM
-// parameter doesn't reference 'condition' in /analyze builds because
-// this evaluation confuses /analyze. The !! before condition is because
-// __analysis_assume gets confused on some conditions:
-// http://randomascii.wordpress.com/2011/09/13/analyze-for-visual-studio-the-ugly-part-5/
-
-#define CHECK(condition) \
- __analysis_assume(!!(condition)), \
- LAZY_STREAM(LOG_STREAM(FATAL), false) \
- << "Check failed: " #condition ". "
-
-#define PCHECK(condition) \
- __analysis_assume(!!(condition)), \
- LAZY_STREAM(PLOG_STREAM(FATAL), false) \
- << "Check failed: " #condition ". "
-
-#else // _PREFAST_
-
-// Do as much work as possible out of line to reduce inline code size.
-#define CHECK(condition) \
- LAZY_STREAM(logging::LogMessage(__FILE__, __LINE__, #condition).stream(), \
- !(condition))
-
-#define PCHECK(condition) \
- LAZY_STREAM(PLOG_STREAM(FATAL), !(condition)) \
- << "Check failed: " #condition ". "
-
-#endif // _PREFAST_
-
-// Helper macro for binary operators.
-// Don't use this macro directly in your code, use CHECK_EQ et al below.
-// The 'switch' is used to prevent the 'else' from being ambiguous when the
-// macro is used in an 'if' clause such as:
-// if (a == 1)
-// CHECK_EQ(2, a);
-#define CHECK_OP(name, op, val1, val2) \
- switch (0) case 0: default: \
- if (logging::CheckOpResult true_if_passed = \
- logging::Check##name##Impl((val1), (val2), \
- #val1 " " #op " " #val2)) \
- ; \
- else \
- logging::LogMessage(__FILE__, __LINE__, true_if_passed.message()).stream()
-
-#endif
-
-// Build the error message string. This is separate from the "Impl"
-// function template because it is not performance critical and so can
-// be out of line, while the "Impl" code should be inline. Caller
-// takes ownership of the returned string.
-template<class t1, class t2>
-std::string* MakeCheckOpString(const t1& v1, const t2& v2, const char* names) {
- std::ostringstream ss;
- ss << names << " (" << v1 << " vs. " << v2 << ")";
- std::string* msg = new std::string(ss.str());
- return msg;
-}
-
-// Commonly used instantiations of MakeCheckOpString<>. Explicitly instantiated
-// in logging.cc.
-extern template BASE_EXPORT std::string* MakeCheckOpString<int, int>(
- const int&, const int&, const char* names);
-extern template BASE_EXPORT
-std::string* MakeCheckOpString<unsigned long, unsigned long>(
- const unsigned long&, const unsigned long&, const char* names);
-extern template BASE_EXPORT
-std::string* MakeCheckOpString<unsigned long, unsigned int>(
- const unsigned long&, const unsigned int&, const char* names);
-extern template BASE_EXPORT
-std::string* MakeCheckOpString<unsigned int, unsigned long>(
- const unsigned int&, const unsigned long&, const char* names);
-extern template BASE_EXPORT
-std::string* MakeCheckOpString<std::string, std::string>(
- const std::string&, const std::string&, const char* name);
-
-// Helper functions for CHECK_OP macro.
-// The (int, int) specialization works around the issue that the compiler
-// will not instantiate the template version of the function on values of
-// unnamed enum type - see comment below.
-#define DEFINE_CHECK_OP_IMPL(name, op) \
- template <class t1, class t2> \
- inline std::string* Check##name##Impl(const t1& v1, const t2& v2, \
- const char* names) { \
- if (v1 op v2) return NULL; \
- else return MakeCheckOpString(v1, v2, names); \
- } \
- inline std::string* Check##name##Impl(int v1, int v2, const char* names) { \
- if (v1 op v2) return NULL; \
- else return MakeCheckOpString(v1, v2, names); \
- }
-DEFINE_CHECK_OP_IMPL(EQ, ==)
-DEFINE_CHECK_OP_IMPL(NE, !=)
-DEFINE_CHECK_OP_IMPL(LE, <=)
-DEFINE_CHECK_OP_IMPL(LT, < )
-DEFINE_CHECK_OP_IMPL(GE, >=)
-DEFINE_CHECK_OP_IMPL(GT, > )
-#undef DEFINE_CHECK_OP_IMPL
-
-#define CHECK_EQ(val1, val2) CHECK_OP(EQ, ==, val1, val2)
-#define CHECK_NE(val1, val2) CHECK_OP(NE, !=, val1, val2)
-#define CHECK_LE(val1, val2) CHECK_OP(LE, <=, val1, val2)
-#define CHECK_LT(val1, val2) CHECK_OP(LT, < , val1, val2)
-#define CHECK_GE(val1, val2) CHECK_OP(GE, >=, val1, val2)
-#define CHECK_GT(val1, val2) CHECK_OP(GT, > , val1, val2)
-
-#if defined(NDEBUG)
-#define ENABLE_DLOG 0
-#else
-#define ENABLE_DLOG 1
-#endif
-
-#if defined(NDEBUG) && !defined(DCHECK_ALWAYS_ON)
-#define DCHECK_IS_ON() 0
-#else
-#define DCHECK_IS_ON() 1
-#endif
-
-// Definitions for DLOG et al.
-
-#if ENABLE_DLOG
-
-#define DLOG_IS_ON(severity) LOG_IS_ON(severity)
-#define DLOG_IF(severity, condition) LOG_IF(severity, condition)
-#define DLOG_ASSERT(condition) LOG_ASSERT(condition)
-#define DPLOG_IF(severity, condition) PLOG_IF(severity, condition)
-#define DVLOG_IF(verboselevel, condition) VLOG_IF(verboselevel, condition)
-#define DVPLOG_IF(verboselevel, condition) VPLOG_IF(verboselevel, condition)
-
-#else // ENABLE_DLOG
-
-// If ENABLE_DLOG is off, we want to avoid emitting any references to
-// |condition| (which may reference a variable defined only if NDEBUG
-// is not defined). Contrast this with DCHECK et al., which has
-// different behavior.
-
-#define DLOG_IS_ON(severity) false
-#define DLOG_IF(severity, condition) EAT_STREAM_PARAMETERS
-#define DLOG_ASSERT(condition) EAT_STREAM_PARAMETERS
-#define DPLOG_IF(severity, condition) EAT_STREAM_PARAMETERS
-#define DVLOG_IF(verboselevel, condition) EAT_STREAM_PARAMETERS
-#define DVPLOG_IF(verboselevel, condition) EAT_STREAM_PARAMETERS
-
-#endif // ENABLE_DLOG
-
-// DEBUG_MODE is for uses like
-// if (DEBUG_MODE) foo.CheckThatFoo();
-// instead of
-// #ifndef NDEBUG
-// foo.CheckThatFoo();
-// #endif
-//
-// We tie its state to ENABLE_DLOG.
-enum { DEBUG_MODE = ENABLE_DLOG };
-
-#undef ENABLE_DLOG
-
-#define DLOG(severity) \
- LAZY_STREAM(LOG_STREAM(severity), DLOG_IS_ON(severity))
-
-#define DPLOG(severity) \
- LAZY_STREAM(PLOG_STREAM(severity), DLOG_IS_ON(severity))
-
-#define DVLOG(verboselevel) DVLOG_IF(verboselevel, VLOG_IS_ON(verboselevel))
-
-#define DVPLOG(verboselevel) DVPLOG_IF(verboselevel, VLOG_IS_ON(verboselevel))
-
-// Definitions for DCHECK et al.
-
-#if DCHECK_IS_ON()
-
-#define COMPACT_GOOGLE_LOG_EX_DCHECK(ClassName, ...) \
- COMPACT_GOOGLE_LOG_EX_FATAL(ClassName , ##__VA_ARGS__)
-#define COMPACT_GOOGLE_LOG_DCHECK COMPACT_GOOGLE_LOG_FATAL
-const LogSeverity LOG_DCHECK = LOG_FATAL;
-
-#else // DCHECK_IS_ON()
-
-// These are just dummy values.
-#define COMPACT_GOOGLE_LOG_EX_DCHECK(ClassName, ...) \
- COMPACT_GOOGLE_LOG_EX_INFO(ClassName , ##__VA_ARGS__)
-#define COMPACT_GOOGLE_LOG_DCHECK COMPACT_GOOGLE_LOG_INFO
-const LogSeverity LOG_DCHECK = LOG_INFO;
-
-#endif // DCHECK_IS_ON()
-
-// DCHECK et al. make sure to reference |condition| regardless of
-// whether DCHECKs are enabled; this is so that we don't get unused
-// variable warnings if the only use of a variable is in a DCHECK.
-// This behavior is different from DLOG_IF et al.
-
-#if defined(_PREFAST_) && defined(OS_WIN)
-// See comments on the previous use of __analysis_assume.
-
-#define DCHECK(condition) \
- __analysis_assume(!!(condition)), \
- LAZY_STREAM(LOG_STREAM(DCHECK), false) \
- << "Check failed: " #condition ". "
-
-#define DPCHECK(condition) \
- __analysis_assume(!!(condition)), \
- LAZY_STREAM(PLOG_STREAM(DCHECK), false) \
- << "Check failed: " #condition ". "
-
-#else // _PREFAST_
-
-#define DCHECK(condition) \
- LAZY_STREAM(LOG_STREAM(DCHECK), DCHECK_IS_ON() ? !(condition) : false) \
- << "Check failed: " #condition ". "
-
-#define DPCHECK(condition) \
- LAZY_STREAM(PLOG_STREAM(DCHECK), DCHECK_IS_ON() ? !(condition) : false) \
- << "Check failed: " #condition ". "
-
-#endif // _PREFAST_
-
-// Helper macro for binary operators.
-// Don't use this macro directly in your code, use DCHECK_EQ et al below.
-// The 'switch' is used to prevent the 'else' from being ambiguous when the
-// macro is used in an 'if' clause such as:
-// if (a == 1)
-// DCHECK_EQ(2, a);
-#define DCHECK_OP(name, op, val1, val2) \
- switch (0) case 0: default: \
- if (logging::CheckOpResult true_if_passed = \
- DCHECK_IS_ON() ? \
- logging::Check##name##Impl((val1), (val2), \
- #val1 " " #op " " #val2) : nullptr) \
- ; \
- else \
- logging::LogMessage(__FILE__, __LINE__, ::logging::LOG_DCHECK, \
- true_if_passed.message()).stream()
-
-// Equality/Inequality checks - compare two values, and log a
-// LOG_DCHECK message including the two values when the result is not
-// as expected. The values must have operator<<(ostream, ...)
-// defined.
-//
-// You may append to the error message like so:
-// DCHECK_NE(1, 2) << ": The world must be ending!";
-//
-// We are very careful to ensure that each argument is evaluated exactly
-// once, and that anything which is legal to pass as a function argument is
-// legal here. In particular, the arguments may be temporary expressions
-// which will end up being destroyed at the end of the apparent statement,
-// for example:
-// DCHECK_EQ(string("abc")[1], 'b');
-//
-// WARNING: These may not compile correctly if one of the arguments is a pointer
-// and the other is NULL. To work around this, simply static_cast NULL to the
-// type of the desired pointer.
-
-#define DCHECK_EQ(val1, val2) DCHECK_OP(EQ, ==, val1, val2)
-#define DCHECK_NE(val1, val2) DCHECK_OP(NE, !=, val1, val2)
-#define DCHECK_LE(val1, val2) DCHECK_OP(LE, <=, val1, val2)
-#define DCHECK_LT(val1, val2) DCHECK_OP(LT, < , val1, val2)
-#define DCHECK_GE(val1, val2) DCHECK_OP(GE, >=, val1, val2)
-#define DCHECK_GT(val1, val2) DCHECK_OP(GT, > , val1, val2)
-
-#if !DCHECK_IS_ON() && defined(OS_CHROMEOS)
-// Implement logging of NOTREACHED() as a dedicated function to get function
-// call overhead down to a minimum.
-void LogErrorNotReached(const char* file, int line);
-#define NOTREACHED() \
- true ? ::logging::LogErrorNotReached(__FILE__, __LINE__) \
- : EAT_STREAM_PARAMETERS
-#else
-#define NOTREACHED() DCHECK(false)
-#endif
-
-// Redefine the standard assert to use our nice log files
-#undef assert
-#define assert(x) DLOG_ASSERT(x)
-
-// This class more or less represents a particular log message. You
-// create an instance of LogMessage and then stream stuff to it.
-// When you finish streaming to it, ~LogMessage is called and the
-// full message gets streamed to the appropriate destination.
-//
-// You shouldn't actually use LogMessage's constructor to log things,
-// though. You should use the LOG() macro (and variants thereof)
-// above.
-class BASE_EXPORT LogMessage {
- public:
- // Used for LOG(severity).
- LogMessage(const char* file, int line, LogSeverity severity);
-
- // Used for CHECK(). Implied severity = LOG_FATAL.
- LogMessage(const char* file, int line, const char* condition);
-
- // Used for CHECK_EQ(), etc. Takes ownership of the given string.
- // Implied severity = LOG_FATAL.
- LogMessage(const char* file, int line, std::string* result);
-
- // Used for DCHECK_EQ(), etc. Takes ownership of the given string.
- LogMessage(const char* file, int line, LogSeverity severity,
- std::string* result);
-
- ~LogMessage();
-
- std::ostream& stream() { return stream_; }
-
- private:
- void Init(const char* file, int line);
-
- LogSeverity severity_;
- std::ostringstream stream_;
- size_t message_start_; // Offset of the start of the message (past prefix
- // info).
- // The file and line information passed in to the constructor.
- const char* file_;
- const int line_;
-
-#if defined(OS_WIN)
- // Stores the current value of GetLastError in the constructor and restores
- // it in the destructor by calling SetLastError.
- // This is useful since the LogMessage class uses a lot of Win32 calls
- // that will lose the value of GLE and the code that called the log function
- // will have lost the thread error value when the log call returns.
- class SaveLastError {
- public:
- SaveLastError();
- ~SaveLastError();
-
- unsigned long get_error() const { return last_error_; }
-
- protected:
- unsigned long last_error_;
- };
-
- SaveLastError last_error_;
-#endif
-
- DISALLOW_COPY_AND_ASSIGN(LogMessage);
-};
-
-// A non-macro interface to the log facility; (useful
-// when the logging level is not a compile-time constant).
-inline void LogAtLevel(int log_level, const std::string& msg) {
- LogMessage(__FILE__, __LINE__, log_level).stream() << msg;
-}
-
-// This class is used to explicitly ignore values in the conditional
-// logging macros. This avoids compiler warnings like "value computed
-// is not used" and "statement has no effect".
-class LogMessageVoidify {
- public:
- LogMessageVoidify() { }
- // This has to be an operator with a precedence lower than << but
- // higher than ?:
- void operator&(std::ostream&) { }
-};
-
-#if defined(OS_WIN)
-typedef unsigned long SystemErrorCode;
-#elif defined(OS_POSIX)
-typedef int SystemErrorCode;
-#endif
-
-// Alias for ::GetLastError() on Windows and errno on POSIX. Avoids having to
-// pull in windows.h just for GetLastError() and DWORD.
-BASE_EXPORT SystemErrorCode GetLastSystemErrorCode();
-BASE_EXPORT std::string SystemErrorCodeToString(SystemErrorCode error_code);
-
-#if defined(OS_WIN)
-// Appends a formatted system message of the GetLastError() type.
-class BASE_EXPORT Win32ErrorLogMessage {
- public:
- Win32ErrorLogMessage(const char* file,
- int line,
- LogSeverity severity,
- SystemErrorCode err);
-
- // Appends the error message before destructing the encapsulated class.
- ~Win32ErrorLogMessage();
-
- std::ostream& stream() { return log_message_.stream(); }
-
- private:
- SystemErrorCode err_;
- LogMessage log_message_;
-
- DISALLOW_COPY_AND_ASSIGN(Win32ErrorLogMessage);
-};
-#elif defined(OS_POSIX)
-// Appends a formatted system message of the errno type
-class BASE_EXPORT ErrnoLogMessage {
- public:
- ErrnoLogMessage(const char* file,
- int line,
- LogSeverity severity,
- SystemErrorCode err);
-
- // Appends the error message before destructing the encapsulated class.
- ~ErrnoLogMessage();
-
- std::ostream& stream() { return log_message_.stream(); }
-
- private:
- SystemErrorCode err_;
- LogMessage log_message_;
-
- DISALLOW_COPY_AND_ASSIGN(ErrnoLogMessage);
-};
-#endif // OS_WIN
-
-// Closes the log file explicitly if open.
-// NOTE: Since the log file is opened as necessary by the action of logging
-// statements, there's no guarantee that it will stay closed
-// after this call.
-BASE_EXPORT void CloseLogFile();
-
-// Async signal safe logging mechanism.
-BASE_EXPORT void RawLog(int level, const char* message);
-
-#define RAW_LOG(level, message) logging::RawLog(logging::LOG_ ## level, message)
-
-#define RAW_CHECK(condition) \
- do { \
- if (!(condition)) \
- logging::RawLog(logging::LOG_FATAL, "Check failed: " #condition "\n"); \
- } while (0)
-
-#if defined(OS_WIN)
-// Returns true if logging to file is enabled.
-BASE_EXPORT bool IsLoggingToFileEnabled();
-
-// Returns the default log file path.
-BASE_EXPORT std::wstring GetLogFileFullPath();
-#endif
-
-} // namespace logging
-
-// Note that "The behavior of a C++ program is undefined if it adds declarations
-// or definitions to namespace std or to a namespace within namespace std unless
-// otherwise specified." --C++11[namespace.std]
-//
-// We've checked that this particular definition has the intended behavior on
-// our implementations, but it's prone to breaking in the future, and please
-// don't imitate this in your own definitions without checking with some
-// standard library experts.
-namespace std {
-// These functions are provided as a convenience for logging, which is where we
-// use streams (it is against Google style to use streams in other places). It
-// is designed to allow you to emit non-ASCII Unicode strings to the log file,
-// which is normally ASCII. It is relatively slow, so try not to use it for
-// common cases. Non-ASCII characters will be converted to UTF-8 by these
-// operators.
-BASE_EXPORT std::ostream& operator<<(std::ostream& out, const wchar_t* wstr);
-inline std::ostream& operator<<(std::ostream& out, const std::wstring& wstr) {
- return out << wstr.c_str();
-}
-} // namespace std
-
-// The NOTIMPLEMENTED() macro annotates codepaths which have
-// not been implemented yet.
-//
-// The implementation of this macro is controlled by NOTIMPLEMENTED_POLICY:
-// 0 -- Do nothing (stripped by compiler)
-// 1 -- Warn at compile time
-// 2 -- Fail at compile time
-// 3 -- Fail at runtime (DCHECK)
-// 4 -- [default] LOG(ERROR) at runtime
-// 5 -- LOG(ERROR) at runtime, only once per call-site
-
-#ifndef NOTIMPLEMENTED_POLICY
-#if defined(OS_ANDROID) && defined(OFFICIAL_BUILD)
-#define NOTIMPLEMENTED_POLICY 0
-#else
-// Select default policy: LOG(ERROR)
-#define NOTIMPLEMENTED_POLICY 4
-#endif
-#endif
-
-#if defined(COMPILER_GCC)
-// On Linux, with GCC, we can use __PRETTY_FUNCTION__ to get the demangled name
-// of the current function in the NOTIMPLEMENTED message.
-#define NOTIMPLEMENTED_MSG "Not implemented reached in " << __PRETTY_FUNCTION__
-#else
-#define NOTIMPLEMENTED_MSG "NOT IMPLEMENTED"
-#endif
-
-#if NOTIMPLEMENTED_POLICY == 0
-#define NOTIMPLEMENTED() EAT_STREAM_PARAMETERS
-#elif NOTIMPLEMENTED_POLICY == 1
-// TODO, figure out how to generate a warning
-#define NOTIMPLEMENTED() static_assert(false, "NOT_IMPLEMENTED")
-#elif NOTIMPLEMENTED_POLICY == 2
-#define NOTIMPLEMENTED() static_assert(false, "NOT_IMPLEMENTED")
-#elif NOTIMPLEMENTED_POLICY == 3
-#define NOTIMPLEMENTED() NOTREACHED()
-#elif NOTIMPLEMENTED_POLICY == 4
-#define NOTIMPLEMENTED() LOG(ERROR) << NOTIMPLEMENTED_MSG
-#elif NOTIMPLEMENTED_POLICY == 5
-#define NOTIMPLEMENTED() do {\
- static bool logged_once = false;\
- LOG_IF(ERROR, !logged_once) << NOTIMPLEMENTED_MSG;\
- logged_once = true;\
-} while(0);\
-EAT_STREAM_PARAMETERS
-#endif
-
-#endif // BASE_LOGGING_H_
diff --git a/security/sandbox/chromium/base/macros.h b/security/sandbox/chromium/base/macros.h
deleted file mode 100644
index 46ee1dadb..000000000
--- a/security/sandbox/chromium/base/macros.h
+++ /dev/null
@@ -1,87 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file contains macros and macro-like constructs (e.g., templates) that
-// are commonly used throughout Chromium source. (It may also contain things
-// that are closely related to things that are commonly used that belong in this
-// file.)
-
-#ifndef BASE_MACROS_H_
-#define BASE_MACROS_H_
-
-#include <stddef.h> // For size_t.
-
-// Put this in the declarations for a class to be uncopyable.
-#define DISALLOW_COPY(TypeName) \
- TypeName(const TypeName&) = delete
-
-// Put this in the declarations for a class to be unassignable.
-#define DISALLOW_ASSIGN(TypeName) \
- void operator=(const TypeName&) = delete
-
-// A macro to disallow the copy constructor and operator= functions
-// This should be used in the private: declarations for a class
-#define DISALLOW_COPY_AND_ASSIGN(TypeName) \
- TypeName(const TypeName&); \
- void operator=(const TypeName&)
-
-// A macro to disallow all the implicit constructors, namely the
-// default constructor, copy constructor and operator= functions.
-//
-// This should be used in the private: declarations for a class
-// that wants to prevent anyone from instantiating it. This is
-// especially useful for classes containing only static methods.
-#define DISALLOW_IMPLICIT_CONSTRUCTORS(TypeName) \
- TypeName() = delete; \
- DISALLOW_COPY_AND_ASSIGN(TypeName)
-
-// The arraysize(arr) macro returns the # of elements in an array arr. The
-// expression is a compile-time constant, and therefore can be used in defining
-// new arrays, for example. If you use arraysize on a pointer by mistake, you
-// will get a compile-time error. For the technical details, refer to
-// http://blogs.msdn.com/b/the1/archive/2004/05/07/128242.aspx.
-
-// This template function declaration is used in defining arraysize.
-// Note that the function doesn't need an implementation, as we only
-// use its type.
-template <typename T, size_t N> char (&ArraySizeHelper(T (&array)[N]))[N];
-#define arraysize(array) (sizeof(ArraySizeHelper(array)))
-
-// Used to explicitly mark the return value of a function as unused. If you are
-// really sure you don't want to do anything with the return value of a function
-// that has been marked WARN_UNUSED_RESULT, wrap it with this. Example:
-//
-// scoped_ptr<MyType> my_var = ...;
-// if (TakeOwnership(my_var.get()) == SUCCESS)
-// ignore_result(my_var.release());
-//
-template<typename T>
-inline void ignore_result(const T&) {
-}
-
-// The following enum should be used only as a constructor argument to indicate
-// that the variable has static storage class, and that the constructor should
-// do nothing to its state. It indicates to the reader that it is legal to
-// declare a static instance of the class, provided the constructor is given
-// the base::LINKER_INITIALIZED argument. Normally, it is unsafe to declare a
-// static variable that has a constructor or a destructor because invocation
-// order is undefined. However, IF the type can be initialized by filling with
-// zeroes (which the loader does for static variables), AND the destructor also
-// does nothing to the storage, AND there are no virtual methods, then a
-// constructor declared as
-// explicit MyClass(base::LinkerInitialized x) {}
-// and invoked as
-// static MyClass my_variable_name(base::LINKER_INITIALIZED);
-namespace base {
-enum LinkerInitialized { LINKER_INITIALIZED };
-
-// Use these to declare and define a static local variable (static T;) so that
-// it is leaked so that its destructors are not called at exit. If you need
-// thread-safe initialization, use base/lazy_instance.h instead.
-#define CR_DEFINE_STATIC_LOCAL(type, name, arguments) \
- static type& name = *new type arguments
-
-} // base
-
-#endif // BASE_MACROS_H_
diff --git a/security/sandbox/chromium/base/memory/aligned_memory.h b/security/sandbox/chromium/base/memory/aligned_memory.h
deleted file mode 100644
index bb7bd872c..000000000
--- a/security/sandbox/chromium/base/memory/aligned_memory.h
+++ /dev/null
@@ -1,117 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// AlignedMemory is a POD type that gives you a portable way to specify static
-// or local stack data of a given alignment and size. For example, if you need
-// static storage for a class, but you want manual control over when the object
-// is constructed and destructed (you don't want static initialization and
-// destruction), use AlignedMemory:
-//
-// static AlignedMemory<sizeof(MyClass), ALIGNOF(MyClass)> my_class;
-//
-// // ... at runtime:
-// new(my_class.void_data()) MyClass();
-//
-// // ... use it:
-// MyClass* mc = my_class.data_as<MyClass>();
-//
-// // ... later, to destruct my_class:
-// my_class.data_as<MyClass>()->MyClass::~MyClass();
-//
-// Alternatively, a runtime sized aligned allocation can be created:
-//
-// float* my_array = static_cast<float*>(AlignedAlloc(size, alignment));
-//
-// // ... later, to release the memory:
-// AlignedFree(my_array);
-//
-// Or using scoped_ptr:
-//
-// scoped_ptr<float, AlignedFreeDeleter> my_array(
-// static_cast<float*>(AlignedAlloc(size, alignment)));
-
-#ifndef BASE_MEMORY_ALIGNED_MEMORY_H_
-#define BASE_MEMORY_ALIGNED_MEMORY_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/base_export.h"
-#include "base/compiler_specific.h"
-
-#if defined(COMPILER_MSVC)
-#include <malloc.h>
-#else
-#include <stdlib.h>
-#endif
-
-namespace base {
-
-// AlignedMemory is specialized for all supported alignments.
-// Make sure we get a compiler error if someone uses an unsupported alignment.
-template <size_t Size, size_t ByteAlignment>
-struct AlignedMemory {};
-
-#define BASE_DECL_ALIGNED_MEMORY(byte_alignment) \
- template <size_t Size> \
- class AlignedMemory<Size, byte_alignment> { \
- public: \
- ALIGNAS(byte_alignment) uint8_t data_[Size]; \
- void* void_data() { return static_cast<void*>(data_); } \
- const void* void_data() const { return static_cast<const void*>(data_); } \
- template <typename Type> \
- Type* data_as() { \
- return static_cast<Type*>(void_data()); \
- } \
- template <typename Type> \
- const Type* data_as() const { \
- return static_cast<const Type*>(void_data()); \
- } \
- \
- private: \
- void* operator new(size_t); \
- void operator delete(void*); \
- }
-
-// Specialization for all alignments is required because MSVC (as of VS 2008)
-// does not understand ALIGNAS(ALIGNOF(Type)) or ALIGNAS(template_param).
-// Greater than 4096 alignment is not supported by some compilers, so 4096 is
-// the maximum specified here.
-BASE_DECL_ALIGNED_MEMORY(1);
-BASE_DECL_ALIGNED_MEMORY(2);
-BASE_DECL_ALIGNED_MEMORY(4);
-BASE_DECL_ALIGNED_MEMORY(8);
-BASE_DECL_ALIGNED_MEMORY(16);
-BASE_DECL_ALIGNED_MEMORY(32);
-BASE_DECL_ALIGNED_MEMORY(64);
-BASE_DECL_ALIGNED_MEMORY(128);
-BASE_DECL_ALIGNED_MEMORY(256);
-BASE_DECL_ALIGNED_MEMORY(512);
-BASE_DECL_ALIGNED_MEMORY(1024);
-BASE_DECL_ALIGNED_MEMORY(2048);
-BASE_DECL_ALIGNED_MEMORY(4096);
-
-#undef BASE_DECL_ALIGNED_MEMORY
-
-BASE_EXPORT void* AlignedAlloc(size_t size, size_t alignment);
-
-inline void AlignedFree(void* ptr) {
-#if defined(COMPILER_MSVC)
- _aligned_free(ptr);
-#else
- free(ptr);
-#endif
-}
-
-// Deleter for use with scoped_ptr. E.g., use as
-// scoped_ptr<Foo, base::AlignedFreeDeleter> foo;
-struct AlignedFreeDeleter {
- inline void operator()(void* ptr) const {
- AlignedFree(ptr);
- }
-};
-
-} // namespace base
-
-#endif // BASE_MEMORY_ALIGNED_MEMORY_H_
diff --git a/security/sandbox/chromium/base/memory/raw_scoped_refptr_mismatch_checker.h b/security/sandbox/chromium/base/memory/raw_scoped_refptr_mismatch_checker.h
deleted file mode 100644
index 09f982b12..000000000
--- a/security/sandbox/chromium/base/memory/raw_scoped_refptr_mismatch_checker.h
+++ /dev/null
@@ -1,64 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_MEMORY_RAW_SCOPED_REFPTR_MISMATCH_CHECKER_H_
-#define BASE_MEMORY_RAW_SCOPED_REFPTR_MISMATCH_CHECKER_H_
-
-#include "base/memory/ref_counted.h"
-#include "base/template_util.h"
-#include "base/tuple.h"
-#include "build/build_config.h"
-
-// It is dangerous to post a task with a T* argument where T is a subtype of
-// RefCounted(Base|ThreadSafeBase), since by the time the parameter is used, the
-// object may already have been deleted since it was not held with a
-// scoped_refptr. Example: http://crbug.com/27191
-// The following set of traits are designed to generate a compile error
-// whenever this antipattern is attempted.
-
-namespace base {
-
-// This is a base internal implementation file used by task.h and callback.h.
-// Not for public consumption, so we wrap it in namespace internal.
-namespace internal {
-
-template <typename T>
-struct NeedsScopedRefptrButGetsRawPtr {
-#if defined(OS_WIN)
- enum {
- value = base::false_type::value
- };
-#else
- enum {
- // Human readable translation: you needed to be a scoped_refptr if you are a
- // raw pointer type and are convertible to a RefCounted(Base|ThreadSafeBase)
- // type.
- value = (is_pointer<T>::value &&
- (is_convertible<T, subtle::RefCountedBase*>::value ||
- is_convertible<T, subtle::RefCountedThreadSafeBase*>::value))
- };
-#endif
-};
-
-template <typename Params>
-struct ParamsUseScopedRefptrCorrectly {
- enum { value = 0 };
-};
-
-template <>
-struct ParamsUseScopedRefptrCorrectly<Tuple<>> {
- enum { value = 1 };
-};
-
-template <typename Head, typename... Tail>
-struct ParamsUseScopedRefptrCorrectly<Tuple<Head, Tail...>> {
- enum { value = !NeedsScopedRefptrButGetsRawPtr<Head>::value &&
- ParamsUseScopedRefptrCorrectly<Tuple<Tail...>>::value };
-};
-
-} // namespace internal
-
-} // namespace base
-
-#endif // BASE_MEMORY_RAW_SCOPED_REFPTR_MISMATCH_CHECKER_H_
diff --git a/security/sandbox/chromium/base/memory/ref_counted.cc b/security/sandbox/chromium/base/memory/ref_counted.cc
deleted file mode 100644
index f5924d0fe..000000000
--- a/security/sandbox/chromium/base/memory/ref_counted.cc
+++ /dev/null
@@ -1,53 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/memory/ref_counted.h"
-#include "base/threading/thread_collision_warner.h"
-
-namespace base {
-
-namespace subtle {
-
-bool RefCountedThreadSafeBase::HasOneRef() const {
- return AtomicRefCountIsOne(
- &const_cast<RefCountedThreadSafeBase*>(this)->ref_count_);
-}
-
-RefCountedThreadSafeBase::RefCountedThreadSafeBase() : ref_count_(0) {
-#ifndef NDEBUG
- in_dtor_ = false;
-#endif
-}
-
-RefCountedThreadSafeBase::~RefCountedThreadSafeBase() {
-#ifndef NDEBUG
- DCHECK(in_dtor_) << "RefCountedThreadSafe object deleted without "
- "calling Release()";
-#endif
-}
-
-void RefCountedThreadSafeBase::AddRef() const {
-#ifndef NDEBUG
- DCHECK(!in_dtor_);
-#endif
- AtomicRefCountInc(&ref_count_);
-}
-
-bool RefCountedThreadSafeBase::Release() const {
-#ifndef NDEBUG
- DCHECK(!in_dtor_);
- DCHECK(!AtomicRefCountIsZero(&ref_count_));
-#endif
- if (!AtomicRefCountDec(&ref_count_)) {
-#ifndef NDEBUG
- in_dtor_ = true;
-#endif
- return true;
- }
- return false;
-}
-
-} // namespace subtle
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/memory/ref_counted.h b/security/sandbox/chromium/base/memory/ref_counted.h
deleted file mode 100644
index a1c126969..000000000
--- a/security/sandbox/chromium/base/memory/ref_counted.h
+++ /dev/null
@@ -1,446 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_MEMORY_REF_COUNTED_H_
-#define BASE_MEMORY_REF_COUNTED_H_
-
-#include <cassert>
-#include <iosfwd>
-
-#include "base/atomic_ref_count.h"
-#include "base/base_export.h"
-#include "base/compiler_specific.h"
-#include "base/macros.h"
-#ifndef NDEBUG
-#include "base/logging.h"
-#endif
-#include "base/threading/thread_collision_warner.h"
-#include "build/build_config.h"
-
-namespace base {
-
-namespace subtle {
-
-class BASE_EXPORT RefCountedBase {
- public:
- bool HasOneRef() const { return ref_count_ == 1; }
-
- protected:
- RefCountedBase()
- : ref_count_(0)
- #ifndef NDEBUG
- , in_dtor_(false)
- #endif
- {
- }
-
- ~RefCountedBase() {
- #ifndef NDEBUG
- DCHECK(in_dtor_) << "RefCounted object deleted without calling Release()";
- #endif
- }
-
-
- void AddRef() const {
- // TODO(maruel): Add back once it doesn't assert 500 times/sec.
- // Current thread books the critical section "AddRelease"
- // without release it.
- // DFAKE_SCOPED_LOCK_THREAD_LOCKED(add_release_);
- #ifndef NDEBUG
- DCHECK(!in_dtor_);
- #endif
- ++ref_count_;
- }
-
- // Returns true if the object should self-delete.
- bool Release() const {
- // TODO(maruel): Add back once it doesn't assert 500 times/sec.
- // Current thread books the critical section "AddRelease"
- // without release it.
- // DFAKE_SCOPED_LOCK_THREAD_LOCKED(add_release_);
- #ifndef NDEBUG
- DCHECK(!in_dtor_);
- #endif
- if (--ref_count_ == 0) {
- #ifndef NDEBUG
- in_dtor_ = true;
- #endif
- return true;
- }
- return false;
- }
-
- private:
- mutable int ref_count_;
-#ifndef NDEBUG
- mutable bool in_dtor_;
-#endif
-
- DFAKE_MUTEX(add_release_);
-
- DISALLOW_COPY_AND_ASSIGN(RefCountedBase);
-};
-
-class BASE_EXPORT RefCountedThreadSafeBase {
- public:
- bool HasOneRef() const;
-
- protected:
- RefCountedThreadSafeBase();
- ~RefCountedThreadSafeBase();
-
- void AddRef() const;
-
- // Returns true if the object should self-delete.
- bool Release() const;
-
- private:
- mutable AtomicRefCount ref_count_;
-#ifndef NDEBUG
- mutable bool in_dtor_;
-#endif
-
- DISALLOW_COPY_AND_ASSIGN(RefCountedThreadSafeBase);
-};
-
-} // namespace subtle
-
-//
-// A base class for reference counted classes. Otherwise, known as a cheap
-// knock-off of WebKit's RefCounted<T> class. To use this guy just extend your
-// class from it like so:
-//
-// class MyFoo : public base::RefCounted<MyFoo> {
-// ...
-// private:
-// friend class base::RefCounted<MyFoo>;
-// ~MyFoo();
-// };
-//
-// You should always make your destructor non-public, to avoid any code deleting
-// the object accidently while there are references to it.
-template <class T>
-class RefCounted : public subtle::RefCountedBase {
- public:
- RefCounted() {}
-
- void AddRef() const {
- subtle::RefCountedBase::AddRef();
- }
-
- void Release() const {
- if (subtle::RefCountedBase::Release()) {
- delete static_cast<const T*>(this);
- }
- }
-
- protected:
- ~RefCounted() {}
-
- private:
- DISALLOW_COPY_AND_ASSIGN(RefCounted<T>);
-};
-
-// Forward declaration.
-template <class T, typename Traits> class RefCountedThreadSafe;
-
-// Default traits for RefCountedThreadSafe<T>. Deletes the object when its ref
-// count reaches 0. Overload to delete it on a different thread etc.
-template<typename T>
-struct DefaultRefCountedThreadSafeTraits {
- static void Destruct(const T* x) {
- // Delete through RefCountedThreadSafe to make child classes only need to be
- // friend with RefCountedThreadSafe instead of this struct, which is an
- // implementation detail.
- RefCountedThreadSafe<T,
- DefaultRefCountedThreadSafeTraits>::DeleteInternal(x);
- }
-};
-
-//
-// A thread-safe variant of RefCounted<T>
-//
-// class MyFoo : public base::RefCountedThreadSafe<MyFoo> {
-// ...
-// };
-//
-// If you're using the default trait, then you should add compile time
-// asserts that no one else is deleting your object. i.e.
-// private:
-// friend class base::RefCountedThreadSafe<MyFoo>;
-// ~MyFoo();
-template <class T, typename Traits = DefaultRefCountedThreadSafeTraits<T> >
-class RefCountedThreadSafe : public subtle::RefCountedThreadSafeBase {
- public:
- RefCountedThreadSafe() {}
-
- void AddRef() const {
- subtle::RefCountedThreadSafeBase::AddRef();
- }
-
- void Release() const {
- if (subtle::RefCountedThreadSafeBase::Release()) {
- Traits::Destruct(static_cast<const T*>(this));
- }
- }
-
- protected:
- ~RefCountedThreadSafe() {}
-
- private:
- friend struct DefaultRefCountedThreadSafeTraits<T>;
- static void DeleteInternal(const T* x) { delete x; }
-
- DISALLOW_COPY_AND_ASSIGN(RefCountedThreadSafe);
-};
-
-//
-// A thread-safe wrapper for some piece of data so we can place other
-// things in scoped_refptrs<>.
-//
-template<typename T>
-class RefCountedData
- : public base::RefCountedThreadSafe< base::RefCountedData<T> > {
- public:
- RefCountedData() : data() {}
- RefCountedData(const T& in_value) : data(in_value) {}
-
- T data;
-
- private:
- friend class base::RefCountedThreadSafe<base::RefCountedData<T> >;
- ~RefCountedData() {}
-};
-
-} // namespace base
-
-//
-// A smart pointer class for reference counted objects. Use this class instead
-// of calling AddRef and Release manually on a reference counted object to
-// avoid common memory leaks caused by forgetting to Release an object
-// reference. Sample usage:
-//
-// class MyFoo : public RefCounted<MyFoo> {
-// ...
-// };
-//
-// void some_function() {
-// scoped_refptr<MyFoo> foo = new MyFoo();
-// foo->Method(param);
-// // |foo| is released when this function returns
-// }
-//
-// void some_other_function() {
-// scoped_refptr<MyFoo> foo = new MyFoo();
-// ...
-// foo = NULL; // explicitly releases |foo|
-// ...
-// if (foo)
-// foo->Method(param);
-// }
-//
-// The above examples show how scoped_refptr<T> acts like a pointer to T.
-// Given two scoped_refptr<T> classes, it is also possible to exchange
-// references between the two objects, like so:
-//
-// {
-// scoped_refptr<MyFoo> a = new MyFoo();
-// scoped_refptr<MyFoo> b;
-//
-// b.swap(a);
-// // now, |b| references the MyFoo object, and |a| references NULL.
-// }
-//
-// To make both |a| and |b| in the above example reference the same MyFoo
-// object, simply use the assignment operator:
-//
-// {
-// scoped_refptr<MyFoo> a = new MyFoo();
-// scoped_refptr<MyFoo> b;
-//
-// b = a;
-// // now, |a| and |b| each own a reference to the same MyFoo object.
-// }
-//
-template <class T>
-class scoped_refptr {
- public:
- typedef T element_type;
-
- scoped_refptr() : ptr_(NULL) {
- }
-
- scoped_refptr(T* p) : ptr_(p) {
- if (ptr_)
- AddRef(ptr_);
- }
-
- // Copy constructor.
- scoped_refptr(const scoped_refptr<T>& r) : ptr_(r.ptr_) {
- if (ptr_)
- AddRef(ptr_);
- }
-
- // Copy conversion constructor.
- template <typename U>
- scoped_refptr(const scoped_refptr<U>& r) : ptr_(r.get()) {
- if (ptr_)
- AddRef(ptr_);
- }
-
- // Move constructor. This is required in addition to the conversion
- // constructor below in order for clang to warn about pessimizing moves.
- scoped_refptr(scoped_refptr&& r) : ptr_(r.get()) { r.ptr_ = nullptr; }
-
- // Move conversion constructor.
- template <typename U>
- scoped_refptr(scoped_refptr<U>&& r) : ptr_(r.get()) {
- r.ptr_ = nullptr;
- }
-
- ~scoped_refptr() {
- if (ptr_)
- Release(ptr_);
- }
-
- T* get() const { return ptr_; }
-
- T& operator*() const {
- assert(ptr_ != NULL);
- return *ptr_;
- }
-
- T* operator->() const {
- assert(ptr_ != NULL);
- return ptr_;
- }
-
- scoped_refptr<T>& operator=(T* p) {
- // AddRef first so that self assignment should work
- if (p)
- AddRef(p);
- T* old_ptr = ptr_;
- ptr_ = p;
- if (old_ptr)
- Release(old_ptr);
- return *this;
- }
-
- scoped_refptr<T>& operator=(const scoped_refptr<T>& r) {
- return *this = r.ptr_;
- }
-
- template <typename U>
- scoped_refptr<T>& operator=(const scoped_refptr<U>& r) {
- return *this = r.get();
- }
-
- scoped_refptr<T>& operator=(scoped_refptr<T>&& r) {
- scoped_refptr<T>(std::move(r)).swap(*this);
- return *this;
- }
-
- template <typename U>
- scoped_refptr<T>& operator=(scoped_refptr<U>&& r) {
- scoped_refptr<T>(std::move(r)).swap(*this);
- return *this;
- }
-
- void swap(T** pp) {
- T* p = ptr_;
- ptr_ = *pp;
- *pp = p;
- }
-
- void swap(scoped_refptr<T>& r) {
- swap(&r.ptr_);
- }
-
- private:
- template <typename U> friend class scoped_refptr;
-
- // Allow scoped_refptr<T> to be used in boolean expressions, but not
- // implicitly convertible to a real bool (which is dangerous).
- //
- // Note that this trick is only safe when the == and != operators
- // are declared explicitly, as otherwise "refptr1 == refptr2"
- // will compile but do the wrong thing (i.e., convert to Testable
- // and then do the comparison).
- typedef T* scoped_refptr::*Testable;
-
- public:
- operator Testable() const { return ptr_ ? &scoped_refptr::ptr_ : nullptr; }
-
- template <typename U>
- bool operator==(const scoped_refptr<U>& rhs) const {
- return ptr_ == rhs.get();
- }
-
- template <typename U>
- bool operator!=(const scoped_refptr<U>& rhs) const {
- return !operator==(rhs);
- }
-
- template <typename U>
- bool operator<(const scoped_refptr<U>& rhs) const {
- return ptr_ < rhs.get();
- }
-
- protected:
- T* ptr_;
-
- private:
- // Non-inline helpers to allow:
- // class Opaque;
- // extern template class scoped_refptr<Opaque>;
- // Otherwise the compiler will complain that Opaque is an incomplete type.
- static void AddRef(T* ptr);
- static void Release(T* ptr);
-};
-
-template <typename T>
-void scoped_refptr<T>::AddRef(T* ptr) {
- ptr->AddRef();
-}
-
-template <typename T>
-void scoped_refptr<T>::Release(T* ptr) {
- ptr->Release();
-}
-
-// Handy utility for creating a scoped_refptr<T> out of a T* explicitly without
-// having to retype all the template arguments
-template <typename T>
-scoped_refptr<T> make_scoped_refptr(T* t) {
- return scoped_refptr<T>(t);
-}
-
-// Temporary operator overloads to facilitate the transition. See
-// https://crbug.com/110610.
-template <typename T, typename U>
-bool operator==(const scoped_refptr<T>& lhs, const U* rhs) {
- return lhs.get() == rhs;
-}
-
-template <typename T, typename U>
-bool operator==(const T* lhs, const scoped_refptr<U>& rhs) {
- return lhs == rhs.get();
-}
-
-template <typename T, typename U>
-bool operator!=(const scoped_refptr<T>& lhs, const U* rhs) {
- return !operator==(lhs, rhs);
-}
-
-template <typename T, typename U>
-bool operator!=(const T* lhs, const scoped_refptr<U>& rhs) {
- return !operator==(lhs, rhs);
-}
-
-template <typename T>
-std::ostream& operator<<(std::ostream& out, const scoped_refptr<T>& p) {
- return out << p.get();
-}
-
-#endif // BASE_MEMORY_REF_COUNTED_H_
diff --git a/security/sandbox/chromium/base/memory/scoped_ptr.h b/security/sandbox/chromium/base/memory/scoped_ptr.h
deleted file mode 100644
index 282a01486..000000000
--- a/security/sandbox/chromium/base/memory/scoped_ptr.h
+++ /dev/null
@@ -1,607 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Scopers help you manage ownership of a pointer, helping you easily manage a
-// pointer within a scope, and automatically destroying the pointer at the end
-// of a scope. There are two main classes you will use, which correspond to the
-// operators new/delete and new[]/delete[].
-//
-// Example usage (scoped_ptr<T>):
-// {
-// scoped_ptr<Foo> foo(new Foo("wee"));
-// } // foo goes out of scope, releasing the pointer with it.
-//
-// {
-// scoped_ptr<Foo> foo; // No pointer managed.
-// foo.reset(new Foo("wee")); // Now a pointer is managed.
-// foo.reset(new Foo("wee2")); // Foo("wee") was destroyed.
-// foo.reset(new Foo("wee3")); // Foo("wee2") was destroyed.
-// foo->Method(); // Foo::Method() called.
-// foo.get()->Method(); // Foo::Method() called.
-// SomeFunc(foo.release()); // SomeFunc takes ownership, foo no longer
-// // manages a pointer.
-// foo.reset(new Foo("wee4")); // foo manages a pointer again.
-// foo.reset(); // Foo("wee4") destroyed, foo no longer
-// // manages a pointer.
-// } // foo wasn't managing a pointer, so nothing was destroyed.
-//
-// Example usage (scoped_ptr<T[]>):
-// {
-// scoped_ptr<Foo[]> foo(new Foo[100]);
-// foo.get()->Method(); // Foo::Method on the 0th element.
-// foo[10].Method(); // Foo::Method on the 10th element.
-// }
-//
-// These scopers also implement part of the functionality of C++11 unique_ptr
-// in that they are "movable but not copyable." You can use the scopers in
-// the parameter and return types of functions to signify ownership transfer
-// in to and out of a function. When calling a function that has a scoper
-// as the argument type, it must be called with an rvalue of a scoper, which
-// can be created by using std::move(), or the result of another function that
-// generates a temporary; passing by copy will NOT work. Here is an example
-// using scoped_ptr:
-//
-// void TakesOwnership(scoped_ptr<Foo> arg) {
-// // Do something with arg.
-// }
-// scoped_ptr<Foo> CreateFoo() {
-// // No need for calling std::move() for returning a move-only value, or
-// // when you already have an rvalue as we do here.
-// return scoped_ptr<Foo>(new Foo("new"));
-// }
-// scoped_ptr<Foo> PassThru(scoped_ptr<Foo> arg) {
-// return arg;
-// }
-//
-// {
-// scoped_ptr<Foo> ptr(new Foo("yay")); // ptr manages Foo("yay").
-// TakesOwnership(std::move(ptr)); // ptr no longer owns Foo("yay").
-// scoped_ptr<Foo> ptr2 = CreateFoo(); // ptr2 owns the return Foo.
-// scoped_ptr<Foo> ptr3 = // ptr3 now owns what was in ptr2.
-// PassThru(std::move(ptr2)); // ptr2 is correspondingly nullptr.
-// }
-//
-// Notice that if you do not call std::move() when returning from PassThru(), or
-// when invoking TakesOwnership(), the code will not compile because scopers
-// are not copyable; they only implement move semantics which require calling
-// the std::move() function to signify a destructive transfer of state.
-// CreateFoo() is different though because we are constructing a temporary on
-// the return line and thus can avoid needing to call std::move().
-//
-// The conversion move-constructor properly handles upcast in initialization,
-// i.e. you can use a scoped_ptr<Child> to initialize a scoped_ptr<Parent>:
-//
-// scoped_ptr<Foo> foo(new Foo());
-// scoped_ptr<FooParent> parent(std::move(foo));
-
-#ifndef BASE_MEMORY_SCOPED_PTR_H_
-#define BASE_MEMORY_SCOPED_PTR_H_
-
-// This is an implementation designed to match the anticipated future TR2
-// implementation of the scoped_ptr class.
-
-#include <assert.h>
-#include <stddef.h>
-#include <stdlib.h>
-
-#include <iosfwd>
-#include <memory>
-#include <type_traits>
-#include <utility>
-
-#include "base/compiler_specific.h"
-#include "base/macros.h"
-#include "base/move.h"
-#include "base/template_util.h"
-
-namespace base {
-
-namespace subtle {
-class RefCountedBase;
-class RefCountedThreadSafeBase;
-} // namespace subtle
-
-// Function object which invokes 'free' on its parameter, which must be
-// a pointer. Can be used to store malloc-allocated pointers in scoped_ptr:
-//
-// scoped_ptr<int, base::FreeDeleter> foo_ptr(
-// static_cast<int*>(malloc(sizeof(int))));
-struct FreeDeleter {
- inline void operator()(void* ptr) const {
- free(ptr);
- }
-};
-
-namespace internal {
-
-template <typename T> struct IsNotRefCounted {
- enum {
- value = !base::is_convertible<T*, base::subtle::RefCountedBase*>::value &&
- !base::is_convertible<T*, base::subtle::RefCountedThreadSafeBase*>::
- value
- };
-};
-
-// Minimal implementation of the core logic of scoped_ptr, suitable for
-// reuse in both scoped_ptr and its specializations.
-template <class T, class D>
-class scoped_ptr_impl {
- public:
- explicit scoped_ptr_impl(T* p) : data_(p) {}
-
- // Initializer for deleters that have data parameters.
- scoped_ptr_impl(T* p, const D& d) : data_(p, d) {}
-
- // Templated constructor that destructively takes the value from another
- // scoped_ptr_impl.
- template <typename U, typename V>
- scoped_ptr_impl(scoped_ptr_impl<U, V>* other)
- : data_(other->release(), other->get_deleter()) {
- // We do not support move-only deleters. We could modify our move
- // emulation to have base::subtle::move() and base::subtle::forward()
- // functions that are imperfect emulations of their C++11 equivalents,
- // but until there's a requirement, just assume deleters are copyable.
- }
-
- template <typename U, typename V>
- void TakeState(scoped_ptr_impl<U, V>* other) {
- // See comment in templated constructor above regarding lack of support
- // for move-only deleters.
- reset(other->release());
- get_deleter() = other->get_deleter();
- }
-
- ~scoped_ptr_impl() {
- // Match libc++, which calls reset() in its destructor.
- // Use nullptr as the new value for three reasons:
- // 1. libc++ does it.
- // 2. Avoids infinitely recursing into destructors if two classes are owned
- // in a reference cycle (see ScopedPtrTest.ReferenceCycle).
- // 3. If |this| is accessed in the future, in a use-after-free bug, attempts
- // to dereference |this|'s pointer should cause either a failure or a
- // segfault closer to the problem. If |this| wasn't reset to nullptr,
- // the access would cause the deleted memory to be read or written
- // leading to other more subtle issues.
- reset(nullptr);
- }
-
- void reset(T* p) {
- // Match C++11's definition of unique_ptr::reset(), which requires changing
- // the pointer before invoking the deleter on the old pointer. This prevents
- // |this| from being accessed after the deleter is run, which may destroy
- // |this|.
- T* old = data_.ptr;
- data_.ptr = p;
- if (old != nullptr)
- static_cast<D&>(data_)(old);
- }
-
- T* get() const { return data_.ptr; }
-
- D& get_deleter() { return data_; }
- const D& get_deleter() const { return data_; }
-
- void swap(scoped_ptr_impl& p2) {
- // Standard swap idiom: 'using std::swap' ensures that std::swap is
- // present in the overload set, but we call swap unqualified so that
- // any more-specific overloads can be used, if available.
- using std::swap;
- swap(static_cast<D&>(data_), static_cast<D&>(p2.data_));
- swap(data_.ptr, p2.data_.ptr);
- }
-
- T* release() {
- T* old_ptr = data_.ptr;
- data_.ptr = nullptr;
- return old_ptr;
- }
-
- private:
- // Needed to allow type-converting constructor.
- template <typename U, typename V> friend class scoped_ptr_impl;
-
- // Use the empty base class optimization to allow us to have a D
- // member, while avoiding any space overhead for it when D is an
- // empty class. See e.g. http://www.cantrip.org/emptyopt.html for a good
- // discussion of this technique.
- struct Data : public D {
- explicit Data(T* ptr_in) : ptr(ptr_in) {}
- Data(T* ptr_in, const D& other) : D(other), ptr(ptr_in) {}
- T* ptr;
- };
-
- Data data_;
-
- DISALLOW_COPY_AND_ASSIGN(scoped_ptr_impl);
-};
-
-} // namespace internal
-
-} // namespace base
-
-// A scoped_ptr<T> is like a T*, except that the destructor of scoped_ptr<T>
-// automatically deletes the pointer it holds (if any).
-// That is, scoped_ptr<T> owns the T object that it points to.
-// Like a T*, a scoped_ptr<T> may hold either nullptr or a pointer to a T
-// object. Also like T*, scoped_ptr<T> is thread-compatible, and once you
-// dereference it, you get the thread safety guarantees of T.
-//
-// The size of scoped_ptr is small. On most compilers, when using the
-// std::default_delete, sizeof(scoped_ptr<T>) == sizeof(T*). Custom deleters
-// will increase the size proportional to whatever state they need to have. See
-// comments inside scoped_ptr_impl<> for details.
-//
-// Current implementation targets having a strict subset of C++11's
-// unique_ptr<> features. Known deficiencies include not supporting move-only
-// deleteres, function pointers as deleters, and deleters with reference
-// types.
-template <class T, class D = std::default_delete<T>>
-class scoped_ptr {
- DISALLOW_COPY_AND_ASSIGN_WITH_MOVE_FOR_BIND(scoped_ptr)
-
- static_assert(!std::is_array<T>::value,
- "scoped_ptr doesn't support array with size");
- static_assert(base::internal::IsNotRefCounted<T>::value,
- "T is a refcounted type and needs a scoped_refptr");
-
- public:
- // The element and deleter types.
- using element_type = T;
- using deleter_type = D;
-
- // Constructor. Defaults to initializing with nullptr.
- scoped_ptr() : impl_(nullptr) {}
-
- // Constructor. Takes ownership of p.
- explicit scoped_ptr(element_type* p) : impl_(p) {}
-
- // Constructor. Allows initialization of a stateful deleter.
- scoped_ptr(element_type* p, const D& d) : impl_(p, d) {}
-
- // Constructor. Allows construction from a nullptr.
- scoped_ptr(std::nullptr_t) : impl_(nullptr) {}
-
- // Move constructor.
- //
- // IMPLEMENTATION NOTE: Clang requires a move constructor to be defined (and
- // not just the conversion constructor) in order to warn on pessimizing moves.
- // The requirements for the move constructor are specified in C++11
- // 20.7.1.2.1.15-17, which has some subtleties around reference deleters. As
- // we don't support reference (or move-only) deleters, the post conditions are
- // trivially true: we always copy construct the deleter from other's deleter.
- scoped_ptr(scoped_ptr&& other) : impl_(&other.impl_) {}
-
- // Conversion constructor. Allows construction from a scoped_ptr rvalue for a
- // convertible type and deleter.
- //
- // IMPLEMENTATION NOTE: C++ 20.7.1.2.1.19 requires this constructor to only
- // participate in overload resolution if all the following are true:
- // - U is implicitly convertible to T: this is important for 2 reasons:
- // 1. So type traits don't incorrectly return true, e.g.
- // std::is_convertible<scoped_ptr<Base>, scoped_ptr<Derived>>::value
- // should be false.
- // 2. To make sure code like this compiles:
- // void F(scoped_ptr<int>);
- // void F(scoped_ptr<Base>);
- // // Ambiguous since both conversion constructors match.
- // F(scoped_ptr<Derived>());
- // - U is not an array type: to prevent conversions from scoped_ptr<T[]> to
- // scoped_ptr<T>.
- // - D is a reference type and E is the same type, or D is not a reference
- // type and E is implicitly convertible to D: again, we don't support
- // reference deleters, so we only worry about the latter requirement.
- template <typename U,
- typename E,
- typename std::enable_if<!std::is_array<U>::value &&
- std::is_convertible<U*, T*>::value &&
- std::is_convertible<E, D>::value>::type* =
- nullptr>
- scoped_ptr(scoped_ptr<U, E>&& other)
- : impl_(&other.impl_) {}
-
- // operator=.
- //
- // IMPLEMENTATION NOTE: Unlike the move constructor, Clang does not appear to
- // require a move assignment operator to trigger the pessimizing move warning:
- // in this case, the warning triggers when moving a temporary. For consistency
- // with the move constructor, we define it anyway. C++11 20.7.1.2.3.1-3
- // defines several requirements around this: like the move constructor, the
- // requirements are simplified by the fact that we don't support move-only or
- // reference deleters.
- scoped_ptr& operator=(scoped_ptr&& rhs) {
- impl_.TakeState(&rhs.impl_);
- return *this;
- }
-
- // operator=. Allows assignment from a scoped_ptr rvalue for a convertible
- // type and deleter.
- //
- // IMPLEMENTATION NOTE: C++11 unique_ptr<> keeps this operator= distinct from
- // the normal move assignment operator. C++11 20.7.1.2.3.4-7 contains the
- // requirement for this operator, but like the conversion constructor, the
- // requirements are greatly simplified by not supporting move-only or
- // reference deleters.
- template <typename U,
- typename E,
- typename std::enable_if<!std::is_array<U>::value &&
- std::is_convertible<U*, T*>::value &&
- // Note that this really should be
- // std::is_assignable, but <type_traits>
- // appears to be missing this on some
- // platforms. This is close enough (though
- // it's not the same).
- std::is_convertible<D, E>::value>::type* =
- nullptr>
- scoped_ptr& operator=(scoped_ptr<U, E>&& rhs) {
- impl_.TakeState(&rhs.impl_);
- return *this;
- }
-
- // operator=. Allows assignment from a nullptr. Deletes the currently owned
- // object, if any.
- scoped_ptr& operator=(std::nullptr_t) {
- reset();
- return *this;
- }
-
- // Reset. Deletes the currently owned object, if any.
- // Then takes ownership of a new object, if given.
- void reset(element_type* p = nullptr) { impl_.reset(p); }
-
- // Accessors to get the owned object.
- // operator* and operator-> will assert() if there is no current object.
- element_type& operator*() const {
- assert(impl_.get() != nullptr);
- return *impl_.get();
- }
- element_type* operator->() const {
- assert(impl_.get() != nullptr);
- return impl_.get();
- }
- element_type* get() const { return impl_.get(); }
-
- // Access to the deleter.
- deleter_type& get_deleter() { return impl_.get_deleter(); }
- const deleter_type& get_deleter() const { return impl_.get_deleter(); }
-
- // Allow scoped_ptr<element_type> to be used in boolean expressions, but not
- // implicitly convertible to a real bool (which is dangerous).
- //
- // Note that this trick is only safe when the == and != operators
- // are declared explicitly, as otherwise "scoped_ptr1 ==
- // scoped_ptr2" will compile but do the wrong thing (i.e., convert
- // to Testable and then do the comparison).
- private:
- typedef base::internal::scoped_ptr_impl<element_type, deleter_type>
- scoped_ptr::*Testable;
-
- public:
- operator Testable() const {
- return impl_.get() ? &scoped_ptr::impl_ : nullptr;
- }
-
- // Swap two scoped pointers.
- void swap(scoped_ptr& p2) {
- impl_.swap(p2.impl_);
- }
-
- // Release a pointer.
- // The return value is the current pointer held by this object. If this object
- // holds a nullptr, the return value is nullptr. After this operation, this
- // object will hold a nullptr, and will not own the object any more.
- element_type* release() WARN_UNUSED_RESULT {
- return impl_.release();
- }
-
- private:
- // Needed to reach into |impl_| in the constructor.
- template <typename U, typename V> friend class scoped_ptr;
- base::internal::scoped_ptr_impl<element_type, deleter_type> impl_;
-
- // Forbidden for API compatibility with std::unique_ptr.
- explicit scoped_ptr(int disallow_construction_from_null);
-};
-
-template <class T, class D>
-class scoped_ptr<T[], D> {
- DISALLOW_COPY_AND_ASSIGN_WITH_MOVE_FOR_BIND(scoped_ptr)
-
- public:
- // The element and deleter types.
- using element_type = T;
- using deleter_type = D;
-
- // Constructor. Defaults to initializing with nullptr.
- scoped_ptr() : impl_(nullptr) {}
-
- // Constructor. Stores the given array. Note that the argument's type
- // must exactly match T*. In particular:
- // - it cannot be a pointer to a type derived from T, because it is
- // inherently unsafe in the general case to access an array through a
- // pointer whose dynamic type does not match its static type (eg., if
- // T and the derived types had different sizes access would be
- // incorrectly calculated). Deletion is also always undefined
- // (C++98 [expr.delete]p3). If you're doing this, fix your code.
- // - it cannot be const-qualified differently from T per unique_ptr spec
- // (http://cplusplus.github.com/LWG/lwg-active.html#2118). Users wanting
- // to work around this may use const_cast<const T*>().
- explicit scoped_ptr(element_type* array) : impl_(array) {}
-
- // Constructor. Allows construction from a nullptr.
- scoped_ptr(std::nullptr_t) : impl_(nullptr) {}
-
- // Constructor. Allows construction from a scoped_ptr rvalue.
- scoped_ptr(scoped_ptr&& other) : impl_(&other.impl_) {}
-
- // operator=. Allows assignment from a scoped_ptr rvalue.
- scoped_ptr& operator=(scoped_ptr&& rhs) {
- impl_.TakeState(&rhs.impl_);
- return *this;
- }
-
- // operator=. Allows assignment from a nullptr. Deletes the currently owned
- // array, if any.
- scoped_ptr& operator=(std::nullptr_t) {
- reset();
- return *this;
- }
-
- // Reset. Deletes the currently owned array, if any.
- // Then takes ownership of a new object, if given.
- void reset(element_type* array = nullptr) { impl_.reset(array); }
-
- // Accessors to get the owned array.
- element_type& operator[](size_t i) const {
- assert(impl_.get() != nullptr);
- return impl_.get()[i];
- }
- element_type* get() const { return impl_.get(); }
-
- // Access to the deleter.
- deleter_type& get_deleter() { return impl_.get_deleter(); }
- const deleter_type& get_deleter() const { return impl_.get_deleter(); }
-
- // Allow scoped_ptr<element_type> to be used in boolean expressions, but not
- // implicitly convertible to a real bool (which is dangerous).
- private:
- typedef base::internal::scoped_ptr_impl<element_type, deleter_type>
- scoped_ptr::*Testable;
-
- public:
- operator Testable() const {
- return impl_.get() ? &scoped_ptr::impl_ : nullptr;
- }
-
- // Swap two scoped pointers.
- void swap(scoped_ptr& p2) {
- impl_.swap(p2.impl_);
- }
-
- // Release a pointer.
- // The return value is the current pointer held by this object. If this object
- // holds a nullptr, the return value is nullptr. After this operation, this
- // object will hold a nullptr, and will not own the object any more.
- element_type* release() WARN_UNUSED_RESULT {
- return impl_.release();
- }
-
- private:
- // Force element_type to be a complete type.
- enum { type_must_be_complete = sizeof(element_type) };
-
- // Actually hold the data.
- base::internal::scoped_ptr_impl<element_type, deleter_type> impl_;
-
- // Disable initialization from any type other than element_type*, by
- // providing a constructor that matches such an initialization, but is
- // private and has no definition. This is disabled because it is not safe to
- // call delete[] on an array whose static type does not match its dynamic
- // type.
- template <typename U> explicit scoped_ptr(U* array);
- explicit scoped_ptr(int disallow_construction_from_null);
-
- // Disable reset() from any type other than element_type*, for the same
- // reasons as the constructor above.
- template <typename U> void reset(U* array);
- void reset(int disallow_reset_from_null);
-};
-
-// Free functions
-template <class T, class D>
-void swap(scoped_ptr<T, D>& p1, scoped_ptr<T, D>& p2) {
- p1.swap(p2);
-}
-
-template <class T1, class D1, class T2, class D2>
-bool operator==(const scoped_ptr<T1, D1>& p1, const scoped_ptr<T2, D2>& p2) {
- return p1.get() == p2.get();
-}
-template <class T, class D>
-bool operator==(const scoped_ptr<T, D>& p, std::nullptr_t) {
- return p.get() == nullptr;
-}
-template <class T, class D>
-bool operator==(std::nullptr_t, const scoped_ptr<T, D>& p) {
- return p.get() == nullptr;
-}
-
-template <class T1, class D1, class T2, class D2>
-bool operator!=(const scoped_ptr<T1, D1>& p1, const scoped_ptr<T2, D2>& p2) {
- return !(p1 == p2);
-}
-template <class T, class D>
-bool operator!=(const scoped_ptr<T, D>& p, std::nullptr_t) {
- return !(p == nullptr);
-}
-template <class T, class D>
-bool operator!=(std::nullptr_t, const scoped_ptr<T, D>& p) {
- return !(p == nullptr);
-}
-
-template <class T1, class D1, class T2, class D2>
-bool operator<(const scoped_ptr<T1, D1>& p1, const scoped_ptr<T2, D2>& p2) {
- return p1.get() < p2.get();
-}
-template <class T, class D>
-bool operator<(const scoped_ptr<T, D>& p, std::nullptr_t) {
- return p.get() < nullptr;
-}
-template <class T, class D>
-bool operator<(std::nullptr_t, const scoped_ptr<T, D>& p) {
- return nullptr < p.get();
-}
-
-template <class T1, class D1, class T2, class D2>
-bool operator>(const scoped_ptr<T1, D1>& p1, const scoped_ptr<T2, D2>& p2) {
- return p2 < p1;
-}
-template <class T, class D>
-bool operator>(const scoped_ptr<T, D>& p, std::nullptr_t) {
- return nullptr < p;
-}
-template <class T, class D>
-bool operator>(std::nullptr_t, const scoped_ptr<T, D>& p) {
- return p < nullptr;
-}
-
-template <class T1, class D1, class T2, class D2>
-bool operator<=(const scoped_ptr<T1, D1>& p1, const scoped_ptr<T2, D2>& p2) {
- return !(p1 > p2);
-}
-template <class T, class D>
-bool operator<=(const scoped_ptr<T, D>& p, std::nullptr_t) {
- return !(p > nullptr);
-}
-template <class T, class D>
-bool operator<=(std::nullptr_t, const scoped_ptr<T, D>& p) {
- return !(nullptr > p);
-}
-
-template <class T1, class D1, class T2, class D2>
-bool operator>=(const scoped_ptr<T1, D1>& p1, const scoped_ptr<T2, D2>& p2) {
- return !(p1 < p2);
-}
-template <class T, class D>
-bool operator>=(const scoped_ptr<T, D>& p, std::nullptr_t) {
- return !(p < nullptr);
-}
-template <class T, class D>
-bool operator>=(std::nullptr_t, const scoped_ptr<T, D>& p) {
- return !(nullptr < p);
-}
-
-// A function to convert T* into scoped_ptr<T>
-// Doing e.g. make_scoped_ptr(new FooBarBaz<type>(arg)) is a shorter notation
-// for scoped_ptr<FooBarBaz<type> >(new FooBarBaz<type>(arg))
-template <typename T>
-scoped_ptr<T> make_scoped_ptr(T* ptr) {
- return scoped_ptr<T>(ptr);
-}
-
-template <typename T>
-std::ostream& operator<<(std::ostream& out, const scoped_ptr<T>& p) {
- return out << p.get();
-}
-
-#endif // BASE_MEMORY_SCOPED_PTR_H_
diff --git a/security/sandbox/chromium/base/memory/singleton.cc b/security/sandbox/chromium/base/memory/singleton.cc
deleted file mode 100644
index f68ecaa8d..000000000
--- a/security/sandbox/chromium/base/memory/singleton.cc
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/memory/singleton.h"
-#include "base/threading/platform_thread.h"
-
-namespace base {
-namespace internal {
-
-subtle::AtomicWord WaitForInstance(subtle::AtomicWord* instance) {
- // Handle the race. Another thread beat us and either:
- // - Has the object in BeingCreated state
- // - Already has the object created...
- // We know value != NULL. It could be kBeingCreatedMarker, or a valid ptr.
- // Unless your constructor can be very time consuming, it is very unlikely
- // to hit this race. When it does, we just spin and yield the thread until
- // the object has been created.
- subtle::AtomicWord value;
- while (true) {
- // The load has acquire memory ordering as the thread which reads the
- // instance pointer must acquire visibility over the associated data.
- // The pairing Release_Store operation is in Singleton::get().
- value = subtle::Acquire_Load(instance);
- if (value != kBeingCreatedMarker)
- break;
- PlatformThread::YieldCurrentThread();
- }
- return value;
-}
-
-} // namespace internal
-} // namespace base
-
diff --git a/security/sandbox/chromium/base/memory/singleton.h b/security/sandbox/chromium/base/memory/singleton.h
deleted file mode 100644
index 79e4441a8..000000000
--- a/security/sandbox/chromium/base/memory/singleton.h
+++ /dev/null
@@ -1,284 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// PLEASE READ: Do you really need a singleton?
-//
-// Singletons make it hard to determine the lifetime of an object, which can
-// lead to buggy code and spurious crashes.
-//
-// Instead of adding another singleton into the mix, try to identify either:
-// a) An existing singleton that can manage your object's lifetime
-// b) Locations where you can deterministically create the object and pass
-// into other objects
-//
-// If you absolutely need a singleton, please keep them as trivial as possible
-// and ideally a leaf dependency. Singletons get problematic when they attempt
-// to do too much in their destructor or have circular dependencies.
-
-#ifndef BASE_MEMORY_SINGLETON_H_
-#define BASE_MEMORY_SINGLETON_H_
-
-#include "base/at_exit.h"
-#include "base/atomicops.h"
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "base/memory/aligned_memory.h"
-#include "base/threading/thread_restrictions.h"
-
-namespace base {
-namespace internal {
-
-// Our AtomicWord doubles as a spinlock, where a value of
-// kBeingCreatedMarker means the spinlock is being held for creation.
-static const subtle::AtomicWord kBeingCreatedMarker = 1;
-
-// We pull out some of the functionality into a non-templated function, so that
-// we can implement the more complicated pieces out of line in the .cc file.
-BASE_EXPORT subtle::AtomicWord WaitForInstance(subtle::AtomicWord* instance);
-
-class DeleteTraceLogForTesting;
-
-} // namespace internal
-
-
-// Default traits for Singleton<Type>. Calls operator new and operator delete on
-// the object. Registers automatic deletion at process exit.
-// Overload if you need arguments or another memory allocation function.
-template<typename Type>
-struct DefaultSingletonTraits {
- // Allocates the object.
- static Type* New() {
- // The parenthesis is very important here; it forces POD type
- // initialization.
- return new Type();
- }
-
- // Destroys the object.
- static void Delete(Type* x) {
- delete x;
- }
-
- // Set to true to automatically register deletion of the object on process
- // exit. See below for the required call that makes this happen.
- static const bool kRegisterAtExit = true;
-
-#ifndef NDEBUG
- // Set to false to disallow access on a non-joinable thread. This is
- // different from kRegisterAtExit because StaticMemorySingletonTraits allows
- // access on non-joinable threads, and gracefully handles this.
- static const bool kAllowedToAccessOnNonjoinableThread = false;
-#endif
-};
-
-
-// Alternate traits for use with the Singleton<Type>. Identical to
-// DefaultSingletonTraits except that the Singleton will not be cleaned up
-// at exit.
-template<typename Type>
-struct LeakySingletonTraits : public DefaultSingletonTraits<Type> {
- static const bool kRegisterAtExit = false;
-#ifndef NDEBUG
- static const bool kAllowedToAccessOnNonjoinableThread = true;
-#endif
-};
-
-
-// Alternate traits for use with the Singleton<Type>. Allocates memory
-// for the singleton instance from a static buffer. The singleton will
-// be cleaned up at exit, but can't be revived after destruction unless
-// the Resurrect() method is called.
-//
-// This is useful for a certain category of things, notably logging and
-// tracing, where the singleton instance is of a type carefully constructed to
-// be safe to access post-destruction.
-// In logging and tracing you'll typically get stray calls at odd times, like
-// during static destruction, thread teardown and the like, and there's a
-// termination race on the heap-based singleton - e.g. if one thread calls
-// get(), but then another thread initiates AtExit processing, the first thread
-// may call into an object residing in unallocated memory. If the instance is
-// allocated from the data segment, then this is survivable.
-//
-// The destructor is to deallocate system resources, in this case to unregister
-// a callback the system will invoke when logging levels change. Note that
-// this is also used in e.g. Chrome Frame, where you have to allow for the
-// possibility of loading briefly into someone else's process space, and
-// so leaking is not an option, as that would sabotage the state of your host
-// process once you've unloaded.
-template <typename Type>
-struct StaticMemorySingletonTraits {
- // WARNING: User has to deal with get() in the singleton class
- // this is traits for returning NULL.
- static Type* New() {
- // Only constructs once and returns pointer; otherwise returns NULL.
- if (subtle::NoBarrier_AtomicExchange(&dead_, 1))
- return NULL;
-
- return new(buffer_.void_data()) Type();
- }
-
- static void Delete(Type* p) {
- if (p != NULL)
- p->Type::~Type();
- }
-
- static const bool kRegisterAtExit = true;
- static const bool kAllowedToAccessOnNonjoinableThread = true;
-
- // Exposed for unittesting.
- static void Resurrect() { subtle::NoBarrier_Store(&dead_, 0); }
-
- private:
- static AlignedMemory<sizeof(Type), ALIGNOF(Type)> buffer_;
- // Signal the object was already deleted, so it is not revived.
- static subtle::Atomic32 dead_;
-};
-
-template <typename Type>
-AlignedMemory<sizeof(Type), ALIGNOF(Type)>
- StaticMemorySingletonTraits<Type>::buffer_;
-template <typename Type>
-subtle::Atomic32 StaticMemorySingletonTraits<Type>::dead_ = 0;
-
-// The Singleton<Type, Traits, DifferentiatingType> class manages a single
-// instance of Type which will be created on first use and will be destroyed at
-// normal process exit). The Trait::Delete function will not be called on
-// abnormal process exit.
-//
-// DifferentiatingType is used as a key to differentiate two different
-// singletons having the same memory allocation functions but serving a
-// different purpose. This is mainly used for Locks serving different purposes.
-//
-// Example usage:
-//
-// In your header:
-// template <typename T> struct DefaultSingletonTraits;
-// class FooClass {
-// public:
-// static FooClass* GetInstance(); <-- See comment below on this.
-// void Bar() { ... }
-// private:
-// FooClass() { ... }
-// friend struct DefaultSingletonTraits<FooClass>;
-//
-// DISALLOW_COPY_AND_ASSIGN(FooClass);
-// };
-//
-// In your source file:
-// #include "base/memory/singleton.h"
-// FooClass* FooClass::GetInstance() {
-// return Singleton<FooClass>::get();
-// }
-//
-// And to call methods on FooClass:
-// FooClass::GetInstance()->Bar();
-//
-// NOTE: The method accessing Singleton<T>::get() has to be named as GetInstance
-// and it is important that FooClass::GetInstance() is not inlined in the
-// header. This makes sure that when source files from multiple targets include
-// this header they don't end up with different copies of the inlined code
-// creating multiple copies of the singleton.
-//
-// Singleton<> has no non-static members and doesn't need to actually be
-// instantiated.
-//
-// This class is itself thread-safe. The underlying Type must of course be
-// thread-safe if you want to use it concurrently. Two parameters may be tuned
-// depending on the user's requirements.
-//
-// Glossary:
-// RAE = kRegisterAtExit
-//
-// On every platform, if Traits::RAE is true, the singleton will be destroyed at
-// process exit. More precisely it uses AtExitManager which requires an
-// object of this type to be instantiated. AtExitManager mimics the semantics
-// of atexit() such as LIFO order but under Windows is safer to call. For more
-// information see at_exit.h.
-//
-// If Traits::RAE is false, the singleton will not be freed at process exit,
-// thus the singleton will be leaked if it is ever accessed. Traits::RAE
-// shouldn't be false unless absolutely necessary. Remember that the heap where
-// the object is allocated may be destroyed by the CRT anyway.
-//
-// Caveats:
-// (a) Every call to get(), operator->() and operator*() incurs some overhead
-// (16ns on my P4/2.8GHz) to check whether the object has already been
-// initialized. You may wish to cache the result of get(); it will not
-// change.
-//
-// (b) Your factory function must never throw an exception. This class is not
-// exception-safe.
-//
-
-template <typename Type,
- typename Traits = DefaultSingletonTraits<Type>,
- typename DifferentiatingType = Type>
-class Singleton {
- private:
- // Classes using the Singleton<T> pattern should declare a GetInstance()
- // method and call Singleton::get() from within that.
- friend Type* Type::GetInstance();
-
- // Allow TraceLog tests to test tracing after OnExit.
- friend class internal::DeleteTraceLogForTesting;
-
- // This class is safe to be constructed and copy-constructed since it has no
- // member.
-
- // Return a pointer to the one true instance of the class.
- static Type* get() {
-#ifndef NDEBUG
- // Avoid making TLS lookup on release builds.
- if (!Traits::kAllowedToAccessOnNonjoinableThread)
- ThreadRestrictions::AssertSingletonAllowed();
-#endif
-
- // The load has acquire memory ordering as the thread which reads the
- // instance_ pointer must acquire visibility over the singleton data.
- subtle::AtomicWord value = subtle::Acquire_Load(&instance_);
- if (value != 0 && value != internal::kBeingCreatedMarker) {
- return reinterpret_cast<Type*>(value);
- }
-
- // Object isn't created yet, maybe we will get to create it, let's try...
- if (subtle::Acquire_CompareAndSwap(&instance_, 0,
- internal::kBeingCreatedMarker) == 0) {
- // instance_ was NULL and is now kBeingCreatedMarker. Only one thread
- // will ever get here. Threads might be spinning on us, and they will
- // stop right after we do this store.
- Type* newval = Traits::New();
-
- // Releases the visibility over instance_ to the readers.
- subtle::Release_Store(&instance_,
- reinterpret_cast<subtle::AtomicWord>(newval));
-
- if (newval != NULL && Traits::kRegisterAtExit)
- AtExitManager::RegisterCallback(OnExit, NULL);
-
- return newval;
- }
-
- // We hit a race. Wait for the other thread to complete it.
- value = internal::WaitForInstance(&instance_);
-
- return reinterpret_cast<Type*>(value);
- }
-
- // Adapter function for use with AtExit(). This should be called single
- // threaded, so don't use atomic operations.
- // Calling OnExit while singleton is in use by other threads is a mistake.
- static void OnExit(void* /*unused*/) {
- // AtExit should only ever be register after the singleton instance was
- // created. We should only ever get here with a valid instance_ pointer.
- Traits::Delete(reinterpret_cast<Type*>(subtle::NoBarrier_Load(&instance_)));
- instance_ = 0;
- }
- static subtle::AtomicWord instance_;
-};
-
-template <typename Type, typename Traits, typename DifferentiatingType>
-subtle::AtomicWord Singleton<Type, Traits, DifferentiatingType>::instance_ = 0;
-
-} // namespace base
-
-#endif // BASE_MEMORY_SINGLETON_H_
diff --git a/security/sandbox/chromium/base/memory/weak_ptr.h b/security/sandbox/chromium/base/memory/weak_ptr.h
deleted file mode 100644
index 33d1e4736..000000000
--- a/security/sandbox/chromium/base/memory/weak_ptr.h
+++ /dev/null
@@ -1,345 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Weak pointers are pointers to an object that do not affect its lifetime,
-// and which may be invalidated (i.e. reset to NULL) by the object, or its
-// owner, at any time, most commonly when the object is about to be deleted.
-
-// Weak pointers are useful when an object needs to be accessed safely by one
-// or more objects other than its owner, and those callers can cope with the
-// object vanishing and e.g. tasks posted to it being silently dropped.
-// Reference-counting such an object would complicate the ownership graph and
-// make it harder to reason about the object's lifetime.
-
-// EXAMPLE:
-//
-// class Controller {
-// public:
-// Controller() : weak_factory_(this) {}
-// void SpawnWorker() { Worker::StartNew(weak_factory_.GetWeakPtr()); }
-// void WorkComplete(const Result& result) { ... }
-// private:
-// // Member variables should appear before the WeakPtrFactory, to ensure
-// // that any WeakPtrs to Controller are invalidated before its members
-// // variable's destructors are executed, rendering them invalid.
-// WeakPtrFactory<Controller> weak_factory_;
-// };
-//
-// class Worker {
-// public:
-// static void StartNew(const WeakPtr<Controller>& controller) {
-// Worker* worker = new Worker(controller);
-// // Kick off asynchronous processing...
-// }
-// private:
-// Worker(const WeakPtr<Controller>& controller)
-// : controller_(controller) {}
-// void DidCompleteAsynchronousProcessing(const Result& result) {
-// if (controller_)
-// controller_->WorkComplete(result);
-// }
-// WeakPtr<Controller> controller_;
-// };
-//
-// With this implementation a caller may use SpawnWorker() to dispatch multiple
-// Workers and subsequently delete the Controller, without waiting for all
-// Workers to have completed.
-
-// ------------------------- IMPORTANT: Thread-safety -------------------------
-
-// Weak pointers may be passed safely between threads, but must always be
-// dereferenced and invalidated on the same SequencedTaskRunner otherwise
-// checking the pointer would be racey.
-//
-// To ensure correct use, the first time a WeakPtr issued by a WeakPtrFactory
-// is dereferenced, the factory and its WeakPtrs become bound to the calling
-// thread or current SequencedWorkerPool token, and cannot be dereferenced or
-// invalidated on any other task runner. Bound WeakPtrs can still be handed
-// off to other task runners, e.g. to use to post tasks back to object on the
-// bound sequence.
-//
-// If all WeakPtr objects are destroyed or invalidated then the factory is
-// unbound from the SequencedTaskRunner/Thread. The WeakPtrFactory may then be
-// destroyed, or new WeakPtr objects may be used, from a different sequence.
-//
-// Thus, at least one WeakPtr object must exist and have been dereferenced on
-// the correct thread to enforce that other WeakPtr objects will enforce they
-// are used on the desired thread.
-
-#ifndef BASE_MEMORY_WEAK_PTR_H_
-#define BASE_MEMORY_WEAK_PTR_H_
-
-#include "base/base_export.h"
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "base/sequence_checker.h"
-#include "base/template_util.h"
-
-namespace base {
-
-template <typename T> class SupportsWeakPtr;
-template <typename T> class WeakPtr;
-
-namespace internal {
-// These classes are part of the WeakPtr implementation.
-// DO NOT USE THESE CLASSES DIRECTLY YOURSELF.
-
-class BASE_EXPORT WeakReference {
- public:
- // Although Flag is bound to a specific SequencedTaskRunner, it may be
- // deleted from another via base::WeakPtr::~WeakPtr().
- class BASE_EXPORT Flag : public RefCountedThreadSafe<Flag> {
- public:
- Flag();
-
- void Invalidate();
- bool IsValid() const;
-
- private:
- friend class base::RefCountedThreadSafe<Flag>;
-
- ~Flag();
-
- SequenceChecker sequence_checker_;
- bool is_valid_;
- };
-
- WeakReference();
- explicit WeakReference(const Flag* flag);
- ~WeakReference();
-
- bool is_valid() const;
-
- private:
- scoped_refptr<const Flag> flag_;
-};
-
-class BASE_EXPORT WeakReferenceOwner {
- public:
- WeakReferenceOwner();
- ~WeakReferenceOwner();
-
- WeakReference GetRef() const;
-
- bool HasRefs() const {
- return flag_.get() && !flag_->HasOneRef();
- }
-
- void Invalidate();
-
- private:
- mutable scoped_refptr<WeakReference::Flag> flag_;
-};
-
-// This class simplifies the implementation of WeakPtr's type conversion
-// constructor by avoiding the need for a public accessor for ref_. A
-// WeakPtr<T> cannot access the private members of WeakPtr<U>, so this
-// base class gives us a way to access ref_ in a protected fashion.
-class BASE_EXPORT WeakPtrBase {
- public:
- WeakPtrBase();
- ~WeakPtrBase();
-
- protected:
- explicit WeakPtrBase(const WeakReference& ref);
-
- WeakReference ref_;
-};
-
-// This class provides a common implementation of common functions that would
-// otherwise get instantiated separately for each distinct instantiation of
-// SupportsWeakPtr<>.
-class SupportsWeakPtrBase {
- public:
- // A safe static downcast of a WeakPtr<Base> to WeakPtr<Derived>. This
- // conversion will only compile if there is exists a Base which inherits
- // from SupportsWeakPtr<Base>. See base::AsWeakPtr() below for a helper
- // function that makes calling this easier.
- template<typename Derived>
- static WeakPtr<Derived> StaticAsWeakPtr(Derived* t) {
- typedef
- is_convertible<Derived, internal::SupportsWeakPtrBase&> convertible;
- static_assert(convertible::value,
- "AsWeakPtr argument must inherit from SupportsWeakPtr");
- return AsWeakPtrImpl<Derived>(t, *t);
- }
-
- private:
- // This template function uses type inference to find a Base of Derived
- // which is an instance of SupportsWeakPtr<Base>. We can then safely
- // static_cast the Base* to a Derived*.
- template <typename Derived, typename Base>
- static WeakPtr<Derived> AsWeakPtrImpl(
- Derived* t, const SupportsWeakPtr<Base>&) {
- WeakPtr<Base> ptr = t->Base::AsWeakPtr();
- return WeakPtr<Derived>(ptr.ref_, static_cast<Derived*>(ptr.ptr_));
- }
-};
-
-} // namespace internal
-
-template <typename T> class WeakPtrFactory;
-
-// The WeakPtr class holds a weak reference to |T*|.
-//
-// This class is designed to be used like a normal pointer. You should always
-// null-test an object of this class before using it or invoking a method that
-// may result in the underlying object being destroyed.
-//
-// EXAMPLE:
-//
-// class Foo { ... };
-// WeakPtr<Foo> foo;
-// if (foo)
-// foo->method();
-//
-template <typename T>
-class WeakPtr : public internal::WeakPtrBase {
- public:
- WeakPtr() : ptr_(NULL) {
- }
-
- // Allow conversion from U to T provided U "is a" T. Note that this
- // is separate from the (implicit) copy constructor.
- template <typename U>
- WeakPtr(const WeakPtr<U>& other) : WeakPtrBase(other), ptr_(other.ptr_) {
- }
-
- T* get() const { return ref_.is_valid() ? ptr_ : NULL; }
-
- T& operator*() const {
- DCHECK(get() != NULL);
- return *get();
- }
- T* operator->() const {
- DCHECK(get() != NULL);
- return get();
- }
-
- // Allow WeakPtr<element_type> to be used in boolean expressions, but not
- // implicitly convertible to a real bool (which is dangerous).
- //
- // Note that this trick is only safe when the == and != operators
- // are declared explicitly, as otherwise "weak_ptr1 == weak_ptr2"
- // will compile but do the wrong thing (i.e., convert to Testable
- // and then do the comparison).
- private:
- typedef T* WeakPtr::*Testable;
-
- public:
- operator Testable() const { return get() ? &WeakPtr::ptr_ : NULL; }
-
- void reset() {
- ref_ = internal::WeakReference();
- ptr_ = NULL;
- }
-
- private:
- // Explicitly declare comparison operators as required by the bool
- // trick, but keep them private.
- template <class U> bool operator==(WeakPtr<U> const&) const;
- template <class U> bool operator!=(WeakPtr<U> const&) const;
-
- friend class internal::SupportsWeakPtrBase;
- template <typename U> friend class WeakPtr;
- friend class SupportsWeakPtr<T>;
- friend class WeakPtrFactory<T>;
-
- WeakPtr(const internal::WeakReference& ref, T* ptr)
- : WeakPtrBase(ref),
- ptr_(ptr) {
- }
-
- // This pointer is only valid when ref_.is_valid() is true. Otherwise, its
- // value is undefined (as opposed to NULL).
- T* ptr_;
-};
-
-// A class may be composed of a WeakPtrFactory and thereby
-// control how it exposes weak pointers to itself. This is helpful if you only
-// need weak pointers within the implementation of a class. This class is also
-// useful when working with primitive types. For example, you could have a
-// WeakPtrFactory<bool> that is used to pass around a weak reference to a bool.
-template <class T>
-class WeakPtrFactory {
- public:
- explicit WeakPtrFactory(T* ptr) : ptr_(ptr) {
- }
-
- ~WeakPtrFactory() {
- ptr_ = NULL;
- }
-
- WeakPtr<T> GetWeakPtr() {
- DCHECK(ptr_);
- return WeakPtr<T>(weak_reference_owner_.GetRef(), ptr_);
- }
-
- // Call this method to invalidate all existing weak pointers.
- void InvalidateWeakPtrs() {
- DCHECK(ptr_);
- weak_reference_owner_.Invalidate();
- }
-
- // Call this method to determine if any weak pointers exist.
- bool HasWeakPtrs() const {
- DCHECK(ptr_);
- return weak_reference_owner_.HasRefs();
- }
-
- private:
- internal::WeakReferenceOwner weak_reference_owner_;
- T* ptr_;
- DISALLOW_IMPLICIT_CONSTRUCTORS(WeakPtrFactory);
-};
-
-// A class may extend from SupportsWeakPtr to let others take weak pointers to
-// it. This avoids the class itself implementing boilerplate to dispense weak
-// pointers. However, since SupportsWeakPtr's destructor won't invalidate
-// weak pointers to the class until after the derived class' members have been
-// destroyed, its use can lead to subtle use-after-destroy issues.
-template <class T>
-class SupportsWeakPtr : public internal::SupportsWeakPtrBase {
- public:
- SupportsWeakPtr() {}
-
- WeakPtr<T> AsWeakPtr() {
- return WeakPtr<T>(weak_reference_owner_.GetRef(), static_cast<T*>(this));
- }
-
- protected:
- ~SupportsWeakPtr() {}
-
- private:
- internal::WeakReferenceOwner weak_reference_owner_;
- DISALLOW_COPY_AND_ASSIGN(SupportsWeakPtr);
-};
-
-// Helper function that uses type deduction to safely return a WeakPtr<Derived>
-// when Derived doesn't directly extend SupportsWeakPtr<Derived>, instead it
-// extends a Base that extends SupportsWeakPtr<Base>.
-//
-// EXAMPLE:
-// class Base : public base::SupportsWeakPtr<Producer> {};
-// class Derived : public Base {};
-//
-// Derived derived;
-// base::WeakPtr<Derived> ptr = base::AsWeakPtr(&derived);
-//
-// Note that the following doesn't work (invalid type conversion) since
-// Derived::AsWeakPtr() is WeakPtr<Base> SupportsWeakPtr<Base>::AsWeakPtr(),
-// and there's no way to safely cast WeakPtr<Base> to WeakPtr<Derived> at
-// the caller.
-//
-// base::WeakPtr<Derived> ptr = derived.AsWeakPtr(); // Fails.
-
-template <typename Derived>
-WeakPtr<Derived> AsWeakPtr(Derived* t) {
- return internal::SupportsWeakPtrBase::StaticAsWeakPtr<Derived>(t);
-}
-
-} // namespace base
-
-#endif // BASE_MEMORY_WEAK_PTR_H_
diff --git a/security/sandbox/chromium/base/move.h b/security/sandbox/chromium/base/move.h
deleted file mode 100644
index 0af416e00..000000000
--- a/security/sandbox/chromium/base/move.h
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_MOVE_H_
-#define BASE_MOVE_H_
-
-#include <utility>
-
-#include "base/compiler_specific.h"
-#include "base/macros.h"
-#include "build/build_config.h"
-
-// TODO(crbug.com/566182): DEPRECATED!
-// Use DISALLOW_COPY_AND_ASSIGN instead, or if your type will be used in
-// Callbacks, use DISALLOW_COPY_AND_ASSIGN_WITH_MOVE_FOR_BIND instead.
-#define MOVE_ONLY_TYPE_FOR_CPP_03(type) \
- DISALLOW_COPY_AND_ASSIGN_WITH_MOVE_FOR_BIND(type)
-
-// A macro to disallow the copy constructor and copy assignment functions.
-// This should be used in the private: declarations for a class.
-//
-// Use this macro instead of DISALLOW_COPY_AND_ASSIGN if you want to pass
-// ownership of the type through a base::Callback without heap-allocating it
-// into a scoped_ptr. The class must define a move constructor and move
-// assignment operator to make this work.
-//
-// This version of the macro adds a Pass() function and a cryptic
-// MoveOnlyTypeForCPP03 typedef for the base::Callback implementation to use.
-// See IsMoveOnlyType template and its usage in base/callback_internal.h
-// for more details.
-// TODO(crbug.com/566182): Remove this macro and use DISALLOW_COPY_AND_ASSIGN
-// everywhere instead.
-#if defined(OS_ANDROID) || defined(OS_LINUX) || defined(OS_MACOSX)
-#define DISALLOW_COPY_AND_ASSIGN_WITH_MOVE_FOR_BIND(type) \
- private: \
- type(const type&) = delete; \
- void operator=(const type&) = delete; \
- \
- public: \
- typedef void MoveOnlyTypeForCPP03; \
- \
- private:
-#else
-#define DISALLOW_COPY_AND_ASSIGN_WITH_MOVE_FOR_BIND(type) \
- private: \
- type(const type&) = delete; \
- void operator=(const type&) = delete; \
- \
- public: \
- type&& Pass() WARN_UNUSED_RESULT { return std::move(*this); } \
- typedef void MoveOnlyTypeForCPP03; \
- \
- private:
-#endif
-
-#endif // BASE_MOVE_H_
diff --git a/security/sandbox/chromium/base/numerics/safe_conversions.h b/security/sandbox/chromium/base/numerics/safe_conversions.h
deleted file mode 100644
index baac188fd..000000000
--- a/security/sandbox/chromium/base/numerics/safe_conversions.h
+++ /dev/null
@@ -1,165 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_NUMERICS_SAFE_CONVERSIONS_H_
-#define BASE_NUMERICS_SAFE_CONVERSIONS_H_
-
-#include <stddef.h>
-
-#include <limits>
-#include <type_traits>
-
-#include "base/logging.h"
-#include "base/numerics/safe_conversions_impl.h"
-
-namespace base {
-
-// Convenience function that returns true if the supplied value is in range
-// for the destination type.
-template <typename Dst, typename Src>
-inline bool IsValueInRangeForNumericType(Src value) {
- return internal::DstRangeRelationToSrcRange<Dst>(value) ==
- internal::RANGE_VALID;
-}
-
-// Convenience function for determining if a numeric value is negative without
-// throwing compiler warnings on: unsigned(value) < 0.
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_signed, bool>::type
-IsValueNegative(T value) {
- static_assert(std::numeric_limits<T>::is_specialized,
- "Argument must be numeric.");
- return value < 0;
-}
-
-template <typename T>
-typename std::enable_if<!std::numeric_limits<T>::is_signed, bool>::type
- IsValueNegative(T) {
- static_assert(std::numeric_limits<T>::is_specialized,
- "Argument must be numeric.");
- return false;
-}
-
-// checked_cast<> is analogous to static_cast<> for numeric types,
-// except that it CHECKs that the specified numeric conversion will not
-// overflow or underflow. NaN source will always trigger a CHECK.
-template <typename Dst, typename Src>
-inline Dst checked_cast(Src value) {
- CHECK(IsValueInRangeForNumericType<Dst>(value));
- return static_cast<Dst>(value);
-}
-
-// HandleNaN will cause this class to CHECK(false).
-struct SaturatedCastNaNBehaviorCheck {
- template <typename T>
- static T HandleNaN() {
- CHECK(false);
- return T();
- }
-};
-
-// HandleNaN will return 0 in this case.
-struct SaturatedCastNaNBehaviorReturnZero {
- template <typename T>
- static T HandleNaN() {
- return T();
- }
-};
-
-// saturated_cast<> is analogous to static_cast<> for numeric types, except
-// that the specified numeric conversion will saturate rather than overflow or
-// underflow. NaN assignment to an integral will defer the behavior to a
-// specified class. By default, it will return 0.
-template <typename Dst,
- class NaNHandler = SaturatedCastNaNBehaviorReturnZero,
- typename Src>
-inline Dst saturated_cast(Src value) {
- // Optimization for floating point values, which already saturate.
- if (std::numeric_limits<Dst>::is_iec559)
- return static_cast<Dst>(value);
-
- switch (internal::DstRangeRelationToSrcRange<Dst>(value)) {
- case internal::RANGE_VALID:
- return static_cast<Dst>(value);
-
- case internal::RANGE_UNDERFLOW:
- return std::numeric_limits<Dst>::min();
-
- case internal::RANGE_OVERFLOW:
- return std::numeric_limits<Dst>::max();
-
- // Should fail only on attempting to assign NaN to a saturated integer.
- case internal::RANGE_INVALID:
- return NaNHandler::template HandleNaN<Dst>();
- }
-
- NOTREACHED();
- return static_cast<Dst>(value);
-}
-
-// strict_cast<> is analogous to static_cast<> for numeric types, except that
-// it will cause a compile failure if the destination type is not large enough
-// to contain any value in the source type. It performs no runtime checking.
-template <typename Dst, typename Src>
-inline Dst strict_cast(Src value) {
- static_assert(std::numeric_limits<Src>::is_specialized,
- "Argument must be numeric.");
- static_assert(std::numeric_limits<Dst>::is_specialized,
- "Result must be numeric.");
- static_assert((internal::StaticDstRangeRelationToSrcRange<Dst, Src>::value ==
- internal::NUMERIC_RANGE_CONTAINED),
- "The numeric conversion is out of range for this type. You "
- "should probably use one of the following conversion "
- "mechanisms on the value you want to pass:\n"
- "- base::checked_cast\n"
- "- base::saturated_cast\n"
- "- base::CheckedNumeric");
-
- return static_cast<Dst>(value);
-}
-
-// StrictNumeric implements compile time range checking between numeric types by
-// wrapping assignment operations in a strict_cast. This class is intended to be
-// used for function arguments and return types, to ensure the destination type
-// can always contain the source type. This is essentially the same as enforcing
-// -Wconversion in gcc and C4302 warnings on MSVC, but it can be applied
-// incrementally at API boundaries, making it easier to convert code so that it
-// compiles cleanly with truncation warnings enabled.
-// This template should introduce no runtime overhead, but it also provides no
-// runtime checking of any of the associated mathematical operations. Use
-// CheckedNumeric for runtime range checks of tha actual value being assigned.
-template <typename T>
-class StrictNumeric {
- public:
- typedef T type;
-
- StrictNumeric() : value_(0) {}
-
- // Copy constructor.
- template <typename Src>
- StrictNumeric(const StrictNumeric<Src>& rhs)
- : value_(strict_cast<T>(rhs.value_)) {}
-
- // This is not an explicit constructor because we implicitly upgrade regular
- // numerics to StrictNumerics to make them easier to use.
- template <typename Src>
- StrictNumeric(Src value)
- : value_(strict_cast<T>(value)) {}
-
- // The numeric cast operator basically handles all the magic.
- template <typename Dst>
- operator Dst() const {
- return strict_cast<Dst>(value_);
- }
-
- private:
- T value_;
-};
-
-// Explicitly make a shorter size_t typedef for convenience.
-typedef StrictNumeric<size_t> SizeT;
-
-} // namespace base
-
-#endif // BASE_NUMERICS_SAFE_CONVERSIONS_H_
diff --git a/security/sandbox/chromium/base/numerics/safe_conversions_impl.h b/security/sandbox/chromium/base/numerics/safe_conversions_impl.h
deleted file mode 100644
index 02e68e25d..000000000
--- a/security/sandbox/chromium/base/numerics/safe_conversions_impl.h
+++ /dev/null
@@ -1,264 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_NUMERICS_SAFE_CONVERSIONS_IMPL_H_
-#define BASE_NUMERICS_SAFE_CONVERSIONS_IMPL_H_
-
-#include <limits.h>
-#include <stdint.h>
-
-#include <limits>
-
-#include "base/template_util.h"
-
-namespace base {
-namespace internal {
-
-// The std library doesn't provide a binary max_exponent for integers, however
-// we can compute one by adding one to the number of non-sign bits. This allows
-// for accurate range comparisons between floating point and integer types.
-template <typename NumericType>
-struct MaxExponent {
- static const int value = std::numeric_limits<NumericType>::is_iec559
- ? std::numeric_limits<NumericType>::max_exponent
- : (sizeof(NumericType) * 8 + 1 -
- std::numeric_limits<NumericType>::is_signed);
-};
-
-enum IntegerRepresentation {
- INTEGER_REPRESENTATION_UNSIGNED,
- INTEGER_REPRESENTATION_SIGNED
-};
-
-// A range for a given nunmeric Src type is contained for a given numeric Dst
-// type if both numeric_limits<Src>::max() <= numeric_limits<Dst>::max() and
-// numeric_limits<Src>::min() >= numeric_limits<Dst>::min() are true.
-// We implement this as template specializations rather than simple static
-// comparisons to ensure type correctness in our comparisons.
-enum NumericRangeRepresentation {
- NUMERIC_RANGE_NOT_CONTAINED,
- NUMERIC_RANGE_CONTAINED
-};
-
-// Helper templates to statically determine if our destination type can contain
-// maximum and minimum values represented by the source type.
-
-template <
- typename Dst,
- typename Src,
- IntegerRepresentation DstSign = std::numeric_limits<Dst>::is_signed
- ? INTEGER_REPRESENTATION_SIGNED
- : INTEGER_REPRESENTATION_UNSIGNED,
- IntegerRepresentation SrcSign =
- std::numeric_limits<Src>::is_signed
- ? INTEGER_REPRESENTATION_SIGNED
- : INTEGER_REPRESENTATION_UNSIGNED >
-struct StaticDstRangeRelationToSrcRange;
-
-// Same sign: Dst is guaranteed to contain Src only if its range is equal or
-// larger.
-template <typename Dst, typename Src, IntegerRepresentation Sign>
-struct StaticDstRangeRelationToSrcRange<Dst, Src, Sign, Sign> {
- static const NumericRangeRepresentation value =
- MaxExponent<Dst>::value >= MaxExponent<Src>::value
- ? NUMERIC_RANGE_CONTAINED
- : NUMERIC_RANGE_NOT_CONTAINED;
-};
-
-// Unsigned to signed: Dst is guaranteed to contain source only if its range is
-// larger.
-template <typename Dst, typename Src>
-struct StaticDstRangeRelationToSrcRange<Dst,
- Src,
- INTEGER_REPRESENTATION_SIGNED,
- INTEGER_REPRESENTATION_UNSIGNED> {
- static const NumericRangeRepresentation value =
- MaxExponent<Dst>::value > MaxExponent<Src>::value
- ? NUMERIC_RANGE_CONTAINED
- : NUMERIC_RANGE_NOT_CONTAINED;
-};
-
-// Signed to unsigned: Dst cannot be statically determined to contain Src.
-template <typename Dst, typename Src>
-struct StaticDstRangeRelationToSrcRange<Dst,
- Src,
- INTEGER_REPRESENTATION_UNSIGNED,
- INTEGER_REPRESENTATION_SIGNED> {
- static const NumericRangeRepresentation value = NUMERIC_RANGE_NOT_CONTAINED;
-};
-
-enum RangeConstraint {
- RANGE_VALID = 0x0, // Value can be represented by the destination type.
- RANGE_UNDERFLOW = 0x1, // Value would overflow.
- RANGE_OVERFLOW = 0x2, // Value would underflow.
- RANGE_INVALID = RANGE_UNDERFLOW | RANGE_OVERFLOW // Invalid (i.e. NaN).
-};
-
-// Helper function for coercing an int back to a RangeContraint.
-inline RangeConstraint GetRangeConstraint(int integer_range_constraint) {
- DCHECK(integer_range_constraint >= RANGE_VALID &&
- integer_range_constraint <= RANGE_INVALID);
- return static_cast<RangeConstraint>(integer_range_constraint);
-}
-
-// This function creates a RangeConstraint from an upper and lower bound
-// check by taking advantage of the fact that only NaN can be out of range in
-// both directions at once.
-inline RangeConstraint GetRangeConstraint(bool is_in_upper_bound,
- bool is_in_lower_bound) {
- return GetRangeConstraint((is_in_upper_bound ? 0 : RANGE_OVERFLOW) |
- (is_in_lower_bound ? 0 : RANGE_UNDERFLOW));
-}
-
-// The following helper template addresses a corner case in range checks for
-// conversion from a floating-point type to an integral type of smaller range
-// but larger precision (e.g. float -> unsigned). The problem is as follows:
-// 1. Integral maximum is always one less than a power of two, so it must be
-// truncated to fit the mantissa of the floating point. The direction of
-// rounding is implementation defined, but by default it's always IEEE
-// floats, which round to nearest and thus result in a value of larger
-// magnitude than the integral value.
-// Example: float f = UINT_MAX; // f is 4294967296f but UINT_MAX
-// // is 4294967295u.
-// 2. If the floating point value is equal to the promoted integral maximum
-// value, a range check will erroneously pass.
-// Example: (4294967296f <= 4294967295u) // This is true due to a precision
-// // loss in rounding up to float.
-// 3. When the floating point value is then converted to an integral, the
-// resulting value is out of range for the target integral type and
-// thus is implementation defined.
-// Example: unsigned u = (float)INT_MAX; // u will typically overflow to 0.
-// To fix this bug we manually truncate the maximum value when the destination
-// type is an integral of larger precision than the source floating-point type,
-// such that the resulting maximum is represented exactly as a floating point.
-template <typename Dst, typename Src>
-struct NarrowingRange {
- typedef typename std::numeric_limits<Src> SrcLimits;
- typedef typename std::numeric_limits<Dst> DstLimits;
-
- static Dst max() {
- // The following logic avoids warnings where the max function is
- // instantiated with invalid values for a bit shift (even though
- // such a function can never be called).
- static const int shift =
- (MaxExponent<Src>::value > MaxExponent<Dst>::value &&
- SrcLimits::digits < DstLimits::digits && SrcLimits::is_iec559 &&
- DstLimits::is_integer)
- ? (DstLimits::digits - SrcLimits::digits)
- : 0;
-
- // We use UINTMAX_C below to avoid compiler warnings about shifting floating
- // points. Since it's a compile time calculation, it shouldn't have any
- // performance impact.
- return DstLimits::max() - static_cast<Dst>((UINTMAX_C(1) << shift) - 1);
- }
-
- static Dst min() {
- return std::numeric_limits<Dst>::is_iec559 ? -DstLimits::max()
- : DstLimits::min();
- }
-};
-
-template <
- typename Dst,
- typename Src,
- IntegerRepresentation DstSign = std::numeric_limits<Dst>::is_signed
- ? INTEGER_REPRESENTATION_SIGNED
- : INTEGER_REPRESENTATION_UNSIGNED,
- IntegerRepresentation SrcSign = std::numeric_limits<Src>::is_signed
- ? INTEGER_REPRESENTATION_SIGNED
- : INTEGER_REPRESENTATION_UNSIGNED,
- NumericRangeRepresentation DstRange =
- StaticDstRangeRelationToSrcRange<Dst, Src>::value >
-struct DstRangeRelationToSrcRangeImpl;
-
-// The following templates are for ranges that must be verified at runtime. We
-// split it into checks based on signedness to avoid confusing casts and
-// compiler warnings on signed an unsigned comparisons.
-
-// Dst range is statically determined to contain Src: Nothing to check.
-template <typename Dst,
- typename Src,
- IntegerRepresentation DstSign,
- IntegerRepresentation SrcSign>
-struct DstRangeRelationToSrcRangeImpl<Dst,
- Src,
- DstSign,
- SrcSign,
- NUMERIC_RANGE_CONTAINED> {
- static RangeConstraint Check(Src value) { return RANGE_VALID; }
-};
-
-// Signed to signed narrowing: Both the upper and lower boundaries may be
-// exceeded.
-template <typename Dst, typename Src>
-struct DstRangeRelationToSrcRangeImpl<Dst,
- Src,
- INTEGER_REPRESENTATION_SIGNED,
- INTEGER_REPRESENTATION_SIGNED,
- NUMERIC_RANGE_NOT_CONTAINED> {
- static RangeConstraint Check(Src value) {
- return GetRangeConstraint((value <= NarrowingRange<Dst, Src>::max()),
- (value >= NarrowingRange<Dst, Src>::min()));
- }
-};
-
-// Unsigned to unsigned narrowing: Only the upper boundary can be exceeded.
-template <typename Dst, typename Src>
-struct DstRangeRelationToSrcRangeImpl<Dst,
- Src,
- INTEGER_REPRESENTATION_UNSIGNED,
- INTEGER_REPRESENTATION_UNSIGNED,
- NUMERIC_RANGE_NOT_CONTAINED> {
- static RangeConstraint Check(Src value) {
- return GetRangeConstraint(value <= NarrowingRange<Dst, Src>::max(), true);
- }
-};
-
-// Unsigned to signed: The upper boundary may be exceeded.
-template <typename Dst, typename Src>
-struct DstRangeRelationToSrcRangeImpl<Dst,
- Src,
- INTEGER_REPRESENTATION_SIGNED,
- INTEGER_REPRESENTATION_UNSIGNED,
- NUMERIC_RANGE_NOT_CONTAINED> {
- static RangeConstraint Check(Src value) {
- return sizeof(Dst) > sizeof(Src)
- ? RANGE_VALID
- : GetRangeConstraint(
- value <= static_cast<Src>(NarrowingRange<Dst, Src>::max()),
- true);
- }
-};
-
-// Signed to unsigned: The upper boundary may be exceeded for a narrower Dst,
-// and any negative value exceeds the lower boundary.
-template <typename Dst, typename Src>
-struct DstRangeRelationToSrcRangeImpl<Dst,
- Src,
- INTEGER_REPRESENTATION_UNSIGNED,
- INTEGER_REPRESENTATION_SIGNED,
- NUMERIC_RANGE_NOT_CONTAINED> {
- static RangeConstraint Check(Src value) {
- return (MaxExponent<Dst>::value >= MaxExponent<Src>::value)
- ? GetRangeConstraint(true, value >= static_cast<Src>(0))
- : GetRangeConstraint(
- value <= static_cast<Src>(NarrowingRange<Dst, Src>::max()),
- value >= static_cast<Src>(0));
- }
-};
-
-template <typename Dst, typename Src>
-inline RangeConstraint DstRangeRelationToSrcRange(Src value) {
- static_assert(std::numeric_limits<Src>::is_specialized,
- "Argument must be numeric.");
- static_assert(std::numeric_limits<Dst>::is_specialized,
- "Result must be numeric.");
- return DstRangeRelationToSrcRangeImpl<Dst, Src>::Check(value);
-}
-
-} // namespace internal
-} // namespace base
-
-#endif // BASE_NUMERICS_SAFE_CONVERSIONS_IMPL_H_
diff --git a/security/sandbox/chromium/base/numerics/safe_math.h b/security/sandbox/chromium/base/numerics/safe_math.h
deleted file mode 100644
index d169690a8..000000000
--- a/security/sandbox/chromium/base/numerics/safe_math.h
+++ /dev/null
@@ -1,299 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_NUMERICS_SAFE_MATH_H_
-#define BASE_NUMERICS_SAFE_MATH_H_
-
-#include <stddef.h>
-
-#include "base/numerics/safe_math_impl.h"
-
-namespace base {
-
-namespace internal {
-
-// CheckedNumeric implements all the logic and operators for detecting integer
-// boundary conditions such as overflow, underflow, and invalid conversions.
-// The CheckedNumeric type implicitly converts from floating point and integer
-// data types, and contains overloads for basic arithmetic operations (i.e.: +,
-// -, *, /, %).
-//
-// The following methods convert from CheckedNumeric to standard numeric values:
-// IsValid() - Returns true if the underlying numeric value is valid (i.e. has
-// has not wrapped and is not the result of an invalid conversion).
-// ValueOrDie() - Returns the underlying value. If the state is not valid this
-// call will crash on a CHECK.
-// ValueOrDefault() - Returns the current value, or the supplied default if the
-// state is not valid.
-// ValueFloating() - Returns the underlying floating point value (valid only
-// only for floating point CheckedNumeric types).
-//
-// Bitwise operations are explicitly not supported, because correct
-// handling of some cases (e.g. sign manipulation) is ambiguous. Comparison
-// operations are explicitly not supported because they could result in a crash
-// on a CHECK condition. You should use patterns like the following for these
-// operations:
-// Bitwise operation:
-// CheckedNumeric<int> checked_int = untrusted_input_value;
-// int x = checked_int.ValueOrDefault(0) | kFlagValues;
-// Comparison:
-// CheckedNumeric<size_t> checked_size = untrusted_input_value;
-// checked_size += HEADER LENGTH;
-// if (checked_size.IsValid() && checked_size.ValueOrDie() < buffer_size)
-// Do stuff...
-template <typename T>
-class CheckedNumeric {
- public:
- typedef T type;
-
- CheckedNumeric() {}
-
- // Copy constructor.
- template <typename Src>
- CheckedNumeric(const CheckedNumeric<Src>& rhs)
- : state_(rhs.ValueUnsafe(), rhs.validity()) {}
-
- template <typename Src>
- CheckedNumeric(Src value, RangeConstraint validity)
- : state_(value, validity) {}
-
- // This is not an explicit constructor because we implicitly upgrade regular
- // numerics to CheckedNumerics to make them easier to use.
- template <typename Src>
- CheckedNumeric(Src value)
- : state_(value) {
- static_assert(std::numeric_limits<Src>::is_specialized,
- "Argument must be numeric.");
- }
-
- // This is not an explicit constructor because we want a seamless conversion
- // from StrictNumeric types.
- template <typename Src>
- CheckedNumeric(StrictNumeric<Src> value)
- : state_(static_cast<Src>(value)) {
- }
-
- // IsValid() is the public API to test if a CheckedNumeric is currently valid.
- bool IsValid() const { return validity() == RANGE_VALID; }
-
- // ValueOrDie() The primary accessor for the underlying value. If the current
- // state is not valid it will CHECK and crash.
- T ValueOrDie() const {
- CHECK(IsValid());
- return state_.value();
- }
-
- // ValueOrDefault(T default_value) A convenience method that returns the
- // current value if the state is valid, and the supplied default_value for
- // any other state.
- T ValueOrDefault(T default_value) const {
- return IsValid() ? state_.value() : default_value;
- }
-
- // ValueFloating() - Since floating point values include their validity state,
- // we provide an easy method for extracting them directly, without a risk of
- // crashing on a CHECK.
- T ValueFloating() const {
- static_assert(std::numeric_limits<T>::is_iec559, "Argument must be float.");
- return CheckedNumeric<T>::cast(*this).ValueUnsafe();
- }
-
- // validity() - DO NOT USE THIS IN EXTERNAL CODE - It is public right now for
- // tests and to avoid a big matrix of friend operator overloads. But the
- // values it returns are likely to change in the future.
- // Returns: current validity state (i.e. valid, overflow, underflow, nan).
- // TODO(jschuh): crbug.com/332611 Figure out and implement semantics for
- // saturation/wrapping so we can expose this state consistently and implement
- // saturated arithmetic.
- RangeConstraint validity() const { return state_.validity(); }
-
- // ValueUnsafe() - DO NOT USE THIS IN EXTERNAL CODE - It is public right now
- // for tests and to avoid a big matrix of friend operator overloads. But the
- // values it returns are likely to change in the future.
- // Returns: the raw numeric value, regardless of the current state.
- // TODO(jschuh): crbug.com/332611 Figure out and implement semantics for
- // saturation/wrapping so we can expose this state consistently and implement
- // saturated arithmetic.
- T ValueUnsafe() const { return state_.value(); }
-
- // Prototypes for the supported arithmetic operator overloads.
- template <typename Src> CheckedNumeric& operator+=(Src rhs);
- template <typename Src> CheckedNumeric& operator-=(Src rhs);
- template <typename Src> CheckedNumeric& operator*=(Src rhs);
- template <typename Src> CheckedNumeric& operator/=(Src rhs);
- template <typename Src> CheckedNumeric& operator%=(Src rhs);
-
- CheckedNumeric operator-() const {
- RangeConstraint validity;
- T value = CheckedNeg(state_.value(), &validity);
- // Negation is always valid for floating point.
- if (std::numeric_limits<T>::is_iec559)
- return CheckedNumeric<T>(value);
-
- validity = GetRangeConstraint(state_.validity() | validity);
- return CheckedNumeric<T>(value, validity);
- }
-
- CheckedNumeric Abs() const {
- RangeConstraint validity;
- T value = CheckedAbs(state_.value(), &validity);
- // Absolute value is always valid for floating point.
- if (std::numeric_limits<T>::is_iec559)
- return CheckedNumeric<T>(value);
-
- validity = GetRangeConstraint(state_.validity() | validity);
- return CheckedNumeric<T>(value, validity);
- }
-
- // This function is available only for integral types. It returns an unsigned
- // integer of the same width as the source type, containing the absolute value
- // of the source, and properly handling signed min.
- CheckedNumeric<typename UnsignedOrFloatForSize<T>::type> UnsignedAbs() const {
- return CheckedNumeric<typename UnsignedOrFloatForSize<T>::type>(
- CheckedUnsignedAbs(state_.value()), state_.validity());
- }
-
- CheckedNumeric& operator++() {
- *this += 1;
- return *this;
- }
-
- CheckedNumeric operator++(int) {
- CheckedNumeric value = *this;
- *this += 1;
- return value;
- }
-
- CheckedNumeric& operator--() {
- *this -= 1;
- return *this;
- }
-
- CheckedNumeric operator--(int) {
- CheckedNumeric value = *this;
- *this -= 1;
- return value;
- }
-
- // These static methods behave like a convenience cast operator targeting
- // the desired CheckedNumeric type. As an optimization, a reference is
- // returned when Src is the same type as T.
- template <typename Src>
- static CheckedNumeric<T> cast(
- Src u,
- typename std::enable_if<std::numeric_limits<Src>::is_specialized,
- int>::type = 0) {
- return u;
- }
-
- template <typename Src>
- static CheckedNumeric<T> cast(
- const CheckedNumeric<Src>& u,
- typename std::enable_if<!is_same<Src, T>::value, int>::type = 0) {
- return u;
- }
-
- static const CheckedNumeric<T>& cast(const CheckedNumeric<T>& u) { return u; }
-
- private:
- template <typename NumericType>
- struct UnderlyingType {
- using type = NumericType;
- };
-
- template <typename NumericType>
- struct UnderlyingType<CheckedNumeric<NumericType>> {
- using type = NumericType;
- };
-
- CheckedNumericState<T> state_;
-};
-
-// This is the boilerplate for the standard arithmetic operator overloads. A
-// macro isn't the prettiest solution, but it beats rewriting these five times.
-// Some details worth noting are:
-// * We apply the standard arithmetic promotions.
-// * We skip range checks for floating points.
-// * We skip range checks for destination integers with sufficient range.
-// TODO(jschuh): extract these out into templates.
-#define BASE_NUMERIC_ARITHMETIC_OPERATORS(NAME, OP, COMPOUND_OP) \
- /* Binary arithmetic operator for CheckedNumerics of the same type. */ \
- template <typename T> \
- CheckedNumeric<typename ArithmeticPromotion<T>::type> operator OP( \
- const CheckedNumeric<T>& lhs, const CheckedNumeric<T>& rhs) { \
- typedef typename ArithmeticPromotion<T>::type Promotion; \
- /* Floating point always takes the fast path */ \
- if (std::numeric_limits<T>::is_iec559) \
- return CheckedNumeric<T>(lhs.ValueUnsafe() OP rhs.ValueUnsafe()); \
- if (IsIntegerArithmeticSafe<Promotion, T, T>::value) \
- return CheckedNumeric<Promotion>( \
- lhs.ValueUnsafe() OP rhs.ValueUnsafe(), \
- GetRangeConstraint(rhs.validity() | lhs.validity())); \
- RangeConstraint validity = RANGE_VALID; \
- T result = static_cast<T>(Checked##NAME( \
- static_cast<Promotion>(lhs.ValueUnsafe()), \
- static_cast<Promotion>(rhs.ValueUnsafe()), \
- &validity)); \
- return CheckedNumeric<Promotion>( \
- result, \
- GetRangeConstraint(validity | lhs.validity() | rhs.validity())); \
- } \
- /* Assignment arithmetic operator implementation from CheckedNumeric. */ \
- template <typename T> \
- template <typename Src> \
- CheckedNumeric<T>& CheckedNumeric<T>::operator COMPOUND_OP(Src rhs) { \
- *this = CheckedNumeric<T>::cast(*this) \
- OP CheckedNumeric<typename UnderlyingType<Src>::type>::cast(rhs); \
- return *this; \
- } \
- /* Binary arithmetic operator for CheckedNumeric of different type. */ \
- template <typename T, typename Src> \
- CheckedNumeric<typename ArithmeticPromotion<T, Src>::type> operator OP( \
- const CheckedNumeric<Src>& lhs, const CheckedNumeric<T>& rhs) { \
- typedef typename ArithmeticPromotion<T, Src>::type Promotion; \
- if (IsIntegerArithmeticSafe<Promotion, T, Src>::value) \
- return CheckedNumeric<Promotion>( \
- lhs.ValueUnsafe() OP rhs.ValueUnsafe(), \
- GetRangeConstraint(rhs.validity() | lhs.validity())); \
- return CheckedNumeric<Promotion>::cast(lhs) \
- OP CheckedNumeric<Promotion>::cast(rhs); \
- } \
- /* Binary arithmetic operator for left CheckedNumeric and right numeric. */ \
- template <typename T, typename Src> \
- CheckedNumeric<typename ArithmeticPromotion<T, Src>::type> operator OP( \
- const CheckedNumeric<T>& lhs, Src rhs) { \
- typedef typename ArithmeticPromotion<T, Src>::type Promotion; \
- if (IsIntegerArithmeticSafe<Promotion, T, Src>::value) \
- return CheckedNumeric<Promotion>(lhs.ValueUnsafe() OP rhs, \
- lhs.validity()); \
- return CheckedNumeric<Promotion>::cast(lhs) \
- OP CheckedNumeric<Promotion>::cast(rhs); \
- } \
- /* Binary arithmetic operator for right numeric and left CheckedNumeric. */ \
- template <typename T, typename Src> \
- CheckedNumeric<typename ArithmeticPromotion<T, Src>::type> operator OP( \
- Src lhs, const CheckedNumeric<T>& rhs) { \
- typedef typename ArithmeticPromotion<T, Src>::type Promotion; \
- if (IsIntegerArithmeticSafe<Promotion, T, Src>::value) \
- return CheckedNumeric<Promotion>(lhs OP rhs.ValueUnsafe(), \
- rhs.validity()); \
- return CheckedNumeric<Promotion>::cast(lhs) \
- OP CheckedNumeric<Promotion>::cast(rhs); \
- }
-
-BASE_NUMERIC_ARITHMETIC_OPERATORS(Add, +, += )
-BASE_NUMERIC_ARITHMETIC_OPERATORS(Sub, -, -= )
-BASE_NUMERIC_ARITHMETIC_OPERATORS(Mul, *, *= )
-BASE_NUMERIC_ARITHMETIC_OPERATORS(Div, /, /= )
-BASE_NUMERIC_ARITHMETIC_OPERATORS(Mod, %, %= )
-
-#undef BASE_NUMERIC_ARITHMETIC_OPERATORS
-
-} // namespace internal
-
-using internal::CheckedNumeric;
-
-} // namespace base
-
-#endif // BASE_NUMERICS_SAFE_MATH_H_
diff --git a/security/sandbox/chromium/base/numerics/safe_math_impl.h b/security/sandbox/chromium/base/numerics/safe_math_impl.h
deleted file mode 100644
index 4fbcc045b..000000000
--- a/security/sandbox/chromium/base/numerics/safe_math_impl.h
+++ /dev/null
@@ -1,545 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_NUMERICS_SAFE_MATH_IMPL_H_
-#define BASE_NUMERICS_SAFE_MATH_IMPL_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <cmath>
-#include <cstdlib>
-#include <limits>
-#include <type_traits>
-
-#include "base/numerics/safe_conversions.h"
-#include "base/template_util.h"
-
-namespace base {
-namespace internal {
-
-// Everything from here up to the floating point operations is portable C++,
-// but it may not be fast. This code could be split based on
-// platform/architecture and replaced with potentially faster implementations.
-
-// Integer promotion templates used by the portable checked integer arithmetic.
-template <size_t Size, bool IsSigned>
-struct IntegerForSizeAndSign;
-template <>
-struct IntegerForSizeAndSign<1, true> {
- typedef int8_t type;
-};
-template <>
-struct IntegerForSizeAndSign<1, false> {
- typedef uint8_t type;
-};
-template <>
-struct IntegerForSizeAndSign<2, true> {
- typedef int16_t type;
-};
-template <>
-struct IntegerForSizeAndSign<2, false> {
- typedef uint16_t type;
-};
-template <>
-struct IntegerForSizeAndSign<4, true> {
- typedef int32_t type;
-};
-template <>
-struct IntegerForSizeAndSign<4, false> {
- typedef uint32_t type;
-};
-template <>
-struct IntegerForSizeAndSign<8, true> {
- typedef int64_t type;
-};
-template <>
-struct IntegerForSizeAndSign<8, false> {
- typedef uint64_t type;
-};
-
-// WARNING: We have no IntegerForSizeAndSign<16, *>. If we ever add one to
-// support 128-bit math, then the ArithmeticPromotion template below will need
-// to be updated (or more likely replaced with a decltype expression).
-
-template <typename Integer>
-struct UnsignedIntegerForSize {
- typedef typename std::enable_if<
- std::numeric_limits<Integer>::is_integer,
- typename IntegerForSizeAndSign<sizeof(Integer), false>::type>::type type;
-};
-
-template <typename Integer>
-struct SignedIntegerForSize {
- typedef typename std::enable_if<
- std::numeric_limits<Integer>::is_integer,
- typename IntegerForSizeAndSign<sizeof(Integer), true>::type>::type type;
-};
-
-template <typename Integer>
-struct TwiceWiderInteger {
- typedef typename std::enable_if<
- std::numeric_limits<Integer>::is_integer,
- typename IntegerForSizeAndSign<
- sizeof(Integer) * 2,
- std::numeric_limits<Integer>::is_signed>::type>::type type;
-};
-
-template <typename Integer>
-struct PositionOfSignBit {
- static const typename std::enable_if<std::numeric_limits<Integer>::is_integer,
- size_t>::type value =
- 8 * sizeof(Integer) - 1;
-};
-
-// This is used for UnsignedAbs, where we need to support floating-point
-// template instantiations even though we don't actually support the operations.
-// However, there is no corresponding implementation of e.g. CheckedUnsignedAbs,
-// so the float versions will not compile.
-template <typename Numeric,
- bool IsInteger = std::numeric_limits<Numeric>::is_integer,
- bool IsFloat = std::numeric_limits<Numeric>::is_iec559>
-struct UnsignedOrFloatForSize;
-
-template <typename Numeric>
-struct UnsignedOrFloatForSize<Numeric, true, false> {
- typedef typename UnsignedIntegerForSize<Numeric>::type type;
-};
-
-template <typename Numeric>
-struct UnsignedOrFloatForSize<Numeric, false, true> {
- typedef Numeric type;
-};
-
-// Helper templates for integer manipulations.
-
-template <typename T>
-bool HasSignBit(T x) {
- // Cast to unsigned since right shift on signed is undefined.
- return !!(static_cast<typename UnsignedIntegerForSize<T>::type>(x) >>
- PositionOfSignBit<T>::value);
-}
-
-// This wrapper undoes the standard integer promotions.
-template <typename T>
-T BinaryComplement(T x) {
- return ~x;
-}
-
-// Here are the actual portable checked integer math implementations.
-// TODO(jschuh): Break this code out from the enable_if pattern and find a clean
-// way to coalesce things into the CheckedNumericState specializations below.
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer, T>::type
-CheckedAdd(T x, T y, RangeConstraint* validity) {
- // Since the value of x+y is undefined if we have a signed type, we compute
- // it using the unsigned type of the same size.
- typedef typename UnsignedIntegerForSize<T>::type UnsignedDst;
- UnsignedDst ux = static_cast<UnsignedDst>(x);
- UnsignedDst uy = static_cast<UnsignedDst>(y);
- UnsignedDst uresult = ux + uy;
- // Addition is valid if the sign of (x + y) is equal to either that of x or
- // that of y.
- if (std::numeric_limits<T>::is_signed) {
- if (HasSignBit(BinaryComplement((uresult ^ ux) & (uresult ^ uy))))
- *validity = RANGE_VALID;
- else // Direction of wrap is inverse of result sign.
- *validity = HasSignBit(uresult) ? RANGE_OVERFLOW : RANGE_UNDERFLOW;
-
- } else { // Unsigned is either valid or overflow.
- *validity = BinaryComplement(x) >= y ? RANGE_VALID : RANGE_OVERFLOW;
- }
- return static_cast<T>(uresult);
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer, T>::type
-CheckedSub(T x, T y, RangeConstraint* validity) {
- // Since the value of x+y is undefined if we have a signed type, we compute
- // it using the unsigned type of the same size.
- typedef typename UnsignedIntegerForSize<T>::type UnsignedDst;
- UnsignedDst ux = static_cast<UnsignedDst>(x);
- UnsignedDst uy = static_cast<UnsignedDst>(y);
- UnsignedDst uresult = ux - uy;
- // Subtraction is valid if either x and y have same sign, or (x-y) and x have
- // the same sign.
- if (std::numeric_limits<T>::is_signed) {
- if (HasSignBit(BinaryComplement((uresult ^ ux) & (ux ^ uy))))
- *validity = RANGE_VALID;
- else // Direction of wrap is inverse of result sign.
- *validity = HasSignBit(uresult) ? RANGE_OVERFLOW : RANGE_UNDERFLOW;
-
- } else { // Unsigned is either valid or underflow.
- *validity = x >= y ? RANGE_VALID : RANGE_UNDERFLOW;
- }
- return static_cast<T>(uresult);
-}
-
-// Integer multiplication is a bit complicated. In the fast case we just
-// we just promote to a twice wider type, and range check the result. In the
-// slow case we need to manually check that the result won't be truncated by
-// checking with division against the appropriate bound.
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- sizeof(T) * 2 <= sizeof(uintmax_t),
- T>::type
-CheckedMul(T x, T y, RangeConstraint* validity) {
- typedef typename TwiceWiderInteger<T>::type IntermediateType;
- IntermediateType tmp =
- static_cast<IntermediateType>(x) * static_cast<IntermediateType>(y);
- *validity = DstRangeRelationToSrcRange<T>(tmp);
- return static_cast<T>(tmp);
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- std::numeric_limits<T>::is_signed &&
- (sizeof(T) * 2 > sizeof(uintmax_t)),
- T>::type
-CheckedMul(T x, T y, RangeConstraint* validity) {
- // If either side is zero then the result will be zero.
- if (!x || !y) {
- return RANGE_VALID;
-
- } else if (x > 0) {
- if (y > 0)
- *validity =
- x <= std::numeric_limits<T>::max() / y ? RANGE_VALID : RANGE_OVERFLOW;
- else
- *validity = y >= std::numeric_limits<T>::min() / x ? RANGE_VALID
- : RANGE_UNDERFLOW;
-
- } else {
- if (y > 0)
- *validity = x >= std::numeric_limits<T>::min() / y ? RANGE_VALID
- : RANGE_UNDERFLOW;
- else
- *validity =
- y >= std::numeric_limits<T>::max() / x ? RANGE_VALID : RANGE_OVERFLOW;
- }
-
- return x * y;
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- !std::numeric_limits<T>::is_signed &&
- (sizeof(T) * 2 > sizeof(uintmax_t)),
- T>::type
-CheckedMul(T x, T y, RangeConstraint* validity) {
- *validity = (y == 0 || x <= std::numeric_limits<T>::max() / y)
- ? RANGE_VALID
- : RANGE_OVERFLOW;
- return x * y;
-}
-
-// Division just requires a check for an invalid negation on signed min/-1.
-template <typename T>
-T CheckedDiv(T x,
- T y,
- RangeConstraint* validity,
- typename std::enable_if<std::numeric_limits<T>::is_integer,
- int>::type = 0) {
- if (std::numeric_limits<T>::is_signed && x == std::numeric_limits<T>::min() &&
- y == static_cast<T>(-1)) {
- *validity = RANGE_OVERFLOW;
- return std::numeric_limits<T>::min();
- }
-
- *validity = RANGE_VALID;
- return x / y;
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- std::numeric_limits<T>::is_signed,
- T>::type
-CheckedMod(T x, T y, RangeConstraint* validity) {
- *validity = y > 0 ? RANGE_VALID : RANGE_INVALID;
- return x % y;
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- !std::numeric_limits<T>::is_signed,
- T>::type
-CheckedMod(T x, T y, RangeConstraint* validity) {
- *validity = RANGE_VALID;
- return x % y;
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- std::numeric_limits<T>::is_signed,
- T>::type
-CheckedNeg(T value, RangeConstraint* validity) {
- *validity =
- value != std::numeric_limits<T>::min() ? RANGE_VALID : RANGE_OVERFLOW;
- // The negation of signed min is min, so catch that one.
- return -value;
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- !std::numeric_limits<T>::is_signed,
- T>::type
-CheckedNeg(T value, RangeConstraint* validity) {
- // The only legal unsigned negation is zero.
- *validity = value ? RANGE_UNDERFLOW : RANGE_VALID;
- return static_cast<T>(
- -static_cast<typename SignedIntegerForSize<T>::type>(value));
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- std::numeric_limits<T>::is_signed,
- T>::type
-CheckedAbs(T value, RangeConstraint* validity) {
- *validity =
- value != std::numeric_limits<T>::min() ? RANGE_VALID : RANGE_OVERFLOW;
- return static_cast<T>(std::abs(value));
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- !std::numeric_limits<T>::is_signed,
- T>::type
-CheckedAbs(T value, RangeConstraint* validity) {
- // T is unsigned, so |value| must already be positive.
- *validity = RANGE_VALID;
- return value;
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- std::numeric_limits<T>::is_signed,
- typename UnsignedIntegerForSize<T>::type>::type
-CheckedUnsignedAbs(T value) {
- typedef typename UnsignedIntegerForSize<T>::type UnsignedT;
- return value == std::numeric_limits<T>::min()
- ? static_cast<UnsignedT>(std::numeric_limits<T>::max()) + 1
- : static_cast<UnsignedT>(std::abs(value));
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_integer &&
- !std::numeric_limits<T>::is_signed,
- T>::type
-CheckedUnsignedAbs(T value) {
- // T is unsigned, so |value| must already be positive.
- return value;
-}
-
-// These are the floating point stubs that the compiler needs to see. Only the
-// negation operation is ever called.
-#define BASE_FLOAT_ARITHMETIC_STUBS(NAME) \
- template <typename T> \
- typename std::enable_if<std::numeric_limits<T>::is_iec559, T>::type \
- Checked##NAME(T, T, RangeConstraint*) { \
- NOTREACHED(); \
- return 0; \
- }
-
-BASE_FLOAT_ARITHMETIC_STUBS(Add)
-BASE_FLOAT_ARITHMETIC_STUBS(Sub)
-BASE_FLOAT_ARITHMETIC_STUBS(Mul)
-BASE_FLOAT_ARITHMETIC_STUBS(Div)
-BASE_FLOAT_ARITHMETIC_STUBS(Mod)
-
-#undef BASE_FLOAT_ARITHMETIC_STUBS
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_iec559, T>::type CheckedNeg(
- T value,
- RangeConstraint*) {
- return -value;
-}
-
-template <typename T>
-typename std::enable_if<std::numeric_limits<T>::is_iec559, T>::type CheckedAbs(
- T value,
- RangeConstraint*) {
- return std::abs(value);
-}
-
-// Floats carry around their validity state with them, but integers do not. So,
-// we wrap the underlying value in a specialization in order to hide that detail
-// and expose an interface via accessors.
-enum NumericRepresentation {
- NUMERIC_INTEGER,
- NUMERIC_FLOATING,
- NUMERIC_UNKNOWN
-};
-
-template <typename NumericType>
-struct GetNumericRepresentation {
- static const NumericRepresentation value =
- std::numeric_limits<NumericType>::is_integer
- ? NUMERIC_INTEGER
- : (std::numeric_limits<NumericType>::is_iec559 ? NUMERIC_FLOATING
- : NUMERIC_UNKNOWN);
-};
-
-template <typename T, NumericRepresentation type =
- GetNumericRepresentation<T>::value>
-class CheckedNumericState {};
-
-// Integrals require quite a bit of additional housekeeping to manage state.
-template <typename T>
-class CheckedNumericState<T, NUMERIC_INTEGER> {
- private:
- T value_;
- RangeConstraint validity_;
-
- public:
- template <typename Src, NumericRepresentation type>
- friend class CheckedNumericState;
-
- CheckedNumericState() : value_(0), validity_(RANGE_VALID) {}
-
- template <typename Src>
- CheckedNumericState(Src value, RangeConstraint validity)
- : value_(static_cast<T>(value)),
- validity_(GetRangeConstraint(validity |
- DstRangeRelationToSrcRange<T>(value))) {
- static_assert(std::numeric_limits<Src>::is_specialized,
- "Argument must be numeric.");
- }
-
- // Copy constructor.
- template <typename Src>
- CheckedNumericState(const CheckedNumericState<Src>& rhs)
- : value_(static_cast<T>(rhs.value())),
- validity_(GetRangeConstraint(
- rhs.validity() | DstRangeRelationToSrcRange<T>(rhs.value()))) {}
-
- template <typename Src>
- explicit CheckedNumericState(
- Src value,
- typename std::enable_if<std::numeric_limits<Src>::is_specialized,
- int>::type = 0)
- : value_(static_cast<T>(value)),
- validity_(DstRangeRelationToSrcRange<T>(value)) {}
-
- RangeConstraint validity() const { return validity_; }
- T value() const { return value_; }
-};
-
-// Floating points maintain their own validity, but need translation wrappers.
-template <typename T>
-class CheckedNumericState<T, NUMERIC_FLOATING> {
- private:
- T value_;
-
- public:
- template <typename Src, NumericRepresentation type>
- friend class CheckedNumericState;
-
- CheckedNumericState() : value_(0.0) {}
-
- template <typename Src>
- CheckedNumericState(
- Src value,
- RangeConstraint validity,
- typename std::enable_if<std::numeric_limits<Src>::is_integer, int>::type =
- 0) {
- switch (DstRangeRelationToSrcRange<T>(value)) {
- case RANGE_VALID:
- value_ = static_cast<T>(value);
- break;
-
- case RANGE_UNDERFLOW:
- value_ = -std::numeric_limits<T>::infinity();
- break;
-
- case RANGE_OVERFLOW:
- value_ = std::numeric_limits<T>::infinity();
- break;
-
- case RANGE_INVALID:
- value_ = std::numeric_limits<T>::quiet_NaN();
- break;
-
- default:
- NOTREACHED();
- }
- }
-
- template <typename Src>
- explicit CheckedNumericState(
- Src value,
- typename std::enable_if<std::numeric_limits<Src>::is_specialized,
- int>::type = 0)
- : value_(static_cast<T>(value)) {}
-
- // Copy constructor.
- template <typename Src>
- CheckedNumericState(const CheckedNumericState<Src>& rhs)
- : value_(static_cast<T>(rhs.value())) {}
-
- RangeConstraint validity() const {
- return GetRangeConstraint(value_ <= std::numeric_limits<T>::max(),
- value_ >= -std::numeric_limits<T>::max());
- }
- T value() const { return value_; }
-};
-
-// For integers less than 128-bit and floats 32-bit or larger, we can distil
-// C/C++ arithmetic promotions down to two simple rules:
-// 1. The type with the larger maximum exponent always takes precedence.
-// 2. The resulting type must be promoted to at least an int.
-// The following template specializations implement that promotion logic.
-enum ArithmeticPromotionCategory {
- LEFT_PROMOTION,
- RIGHT_PROMOTION,
- DEFAULT_PROMOTION
-};
-
-template <typename Lhs,
- typename Rhs = Lhs,
- ArithmeticPromotionCategory Promotion =
- (MaxExponent<Lhs>::value > MaxExponent<Rhs>::value)
- ? (MaxExponent<Lhs>::value > MaxExponent<int>::value
- ? LEFT_PROMOTION
- : DEFAULT_PROMOTION)
- : (MaxExponent<Rhs>::value > MaxExponent<int>::value
- ? RIGHT_PROMOTION
- : DEFAULT_PROMOTION) >
-struct ArithmeticPromotion;
-
-template <typename Lhs, typename Rhs>
-struct ArithmeticPromotion<Lhs, Rhs, LEFT_PROMOTION> {
- typedef Lhs type;
-};
-
-template <typename Lhs, typename Rhs>
-struct ArithmeticPromotion<Lhs, Rhs, RIGHT_PROMOTION> {
- typedef Rhs type;
-};
-
-template <typename Lhs, typename Rhs>
-struct ArithmeticPromotion<Lhs, Rhs, DEFAULT_PROMOTION> {
- typedef int type;
-};
-
-// We can statically check if operations on the provided types can wrap, so we
-// can skip the checked operations if they're not needed. So, for an integer we
-// care if the destination type preserves the sign and is twice the width of
-// the source.
-template <typename T, typename Lhs, typename Rhs>
-struct IsIntegerArithmeticSafe {
- static const bool value = !std::numeric_limits<T>::is_iec559 &&
- StaticDstRangeRelationToSrcRange<T, Lhs>::value ==
- NUMERIC_RANGE_CONTAINED &&
- sizeof(T) >= (2 * sizeof(Lhs)) &&
- StaticDstRangeRelationToSrcRange<T, Rhs>::value !=
- NUMERIC_RANGE_CONTAINED &&
- sizeof(T) >= (2 * sizeof(Rhs));
-};
-
-} // namespace internal
-} // namespace base
-
-#endif // BASE_NUMERICS_SAFE_MATH_IMPL_H_
diff --git a/security/sandbox/chromium/base/os_compat_android.h b/security/sandbox/chromium/base/os_compat_android.h
deleted file mode 100644
index 0f2544496..000000000
--- a/security/sandbox/chromium/base/os_compat_android.h
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_OS_COMPAT_ANDROID_H_
-#define BASE_OS_COMPAT_ANDROID_H_
-
-#include <fcntl.h>
-#include <sys/types.h>
-#include <utime.h>
-
-// Not implemented in Bionic.
-extern "C" int futimes(int fd, const struct timeval tv[2]);
-
-// Not exposed or implemented in Bionic.
-extern "C" char* mkdtemp(char* path);
-
-// Android has no timegm().
-extern "C" time_t timegm(struct tm* const t);
-
-// The lockf() function is not available on Android; we translate to flock().
-#define F_LOCK LOCK_EX
-#define F_ULOCK LOCK_UN
-inline int lockf(int fd, int cmd, off_t ignored_len) {
- return flock(fd, cmd);
-}
-
-#endif // BASE_OS_COMPAT_ANDROID_H_
diff --git a/security/sandbox/chromium/base/path_service.h b/security/sandbox/chromium/base/path_service.h
deleted file mode 100644
index c7f1abe71..000000000
--- a/security/sandbox/chromium/base/path_service.h
+++ /dev/null
@@ -1,97 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_PATH_SERVICE_H_
-#define BASE_PATH_SERVICE_H_
-
-#include <string>
-
-#include "base/base_export.h"
-#include "base/base_paths.h"
-#include "base/gtest_prod_util.h"
-#include "build/build_config.h"
-
-namespace base {
-
-class FilePath;
-class ScopedPathOverride;
-
-// The path service is a global table mapping keys to file system paths. It is
-// OK to use this service from multiple threads.
-//
-class BASE_EXPORT PathService {
- public:
- // Retrieves a path to a special directory or file and places it into the
- // string pointed to by 'path'. If you ask for a directory it is guaranteed
- // to NOT have a path separator at the end. For example, "c:\windows\temp"
- // Directories are also guaranteed to exist when this function succeeds.
- //
- // Returns true if the directory or file was successfully retrieved. On
- // failure, 'path' will not be changed.
- static bool Get(int key, FilePath* path);
-
- // Overrides the path to a special directory or file. This cannot be used to
- // change the value of DIR_CURRENT, but that should be obvious. Also, if the
- // path specifies a directory that does not exist, the directory will be
- // created by this method. This method returns true if successful.
- //
- // If the given path is relative, then it will be resolved against
- // DIR_CURRENT.
- //
- // WARNING: Consumers of PathService::Get may expect paths to be constant
- // over the lifetime of the app, so this method should be used with caution.
- //
- // Unit tests generally should use ScopedPathOverride instead. Overrides from
- // one test should not carry over to another.
- static bool Override(int key, const FilePath& path);
-
- // This function does the same as PathService::Override but it takes extra
- // parameters:
- // - |is_absolute| indicates that |path| has already been expanded into an
- // absolute path, otherwise MakeAbsoluteFilePath() will be used. This is
- // useful to override paths that may not exist yet, since MakeAbsoluteFilePath
- // fails for those. Note that MakeAbsoluteFilePath also expands symbolic
- // links, even if path.IsAbsolute() is already true.
- // - |create| guides whether the directory to be overriden must
- // be created in case it doesn't exist already.
- static bool OverrideAndCreateIfNeeded(int key,
- const FilePath& path,
- bool is_absolute,
- bool create);
-
- // To extend the set of supported keys, you can register a path provider,
- // which is just a function mirroring PathService::Get. The ProviderFunc
- // returns false if it cannot provide a non-empty path for the given key.
- // Otherwise, true is returned.
- //
- // WARNING: This function could be called on any thread from which the
- // PathService is used, so a the ProviderFunc MUST BE THREADSAFE.
- //
- typedef bool (*ProviderFunc)(int, FilePath*);
-
- // Call to register a path provider. You must specify the range "[key_start,
- // key_end)" of supported path keys.
- static void RegisterProvider(ProviderFunc provider,
- int key_start,
- int key_end);
-
- // Disable internal cache.
- static void DisableCache();
-
- private:
- friend class ScopedPathOverride;
- FRIEND_TEST_ALL_PREFIXES(PathServiceTest, RemoveOverride);
-
- // Removes an override for a special directory or file. Returns true if there
- // was an override to remove or false if none was present.
- // NOTE: This function is intended to be used by tests only!
- static bool RemoveOverride(int key);
-};
-
-} // namespace base
-
-// TODO(brettw) Convert all callers to using the base namespace and remove this.
-using base::PathService;
-
-#endif // BASE_PATH_SERVICE_H_
diff --git a/security/sandbox/chromium/base/posix/eintr_wrapper.h b/security/sandbox/chromium/base/posix/eintr_wrapper.h
deleted file mode 100644
index 5a5dc758a..000000000
--- a/security/sandbox/chromium/base/posix/eintr_wrapper.h
+++ /dev/null
@@ -1,67 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This provides a wrapper around system calls which may be interrupted by a
-// signal and return EINTR. See man 7 signal.
-// To prevent long-lasting loops (which would likely be a bug, such as a signal
-// that should be masked) to go unnoticed, there is a limit after which the
-// caller will nonetheless see an EINTR in Debug builds.
-//
-// On Windows, this wrapper macro does nothing.
-//
-// Don't wrap close calls in HANDLE_EINTR. Use IGNORE_EINTR if the return
-// value of close is significant. See http://crbug.com/269623.
-
-#ifndef BASE_POSIX_EINTR_WRAPPER_H_
-#define BASE_POSIX_EINTR_WRAPPER_H_
-
-#include "build/build_config.h"
-
-#if defined(OS_POSIX)
-
-#include <errno.h>
-
-#if defined(NDEBUG)
-
-#define HANDLE_EINTR(x) ({ \
- decltype(x) eintr_wrapper_result; \
- do { \
- eintr_wrapper_result = (x); \
- } while (eintr_wrapper_result == -1 && errno == EINTR); \
- eintr_wrapper_result; \
-})
-
-#else
-
-#define HANDLE_EINTR(x) ({ \
- int eintr_wrapper_counter = 0; \
- decltype(x) eintr_wrapper_result; \
- do { \
- eintr_wrapper_result = (x); \
- } while (eintr_wrapper_result == -1 && errno == EINTR && \
- eintr_wrapper_counter++ < 100); \
- eintr_wrapper_result; \
-})
-
-#endif // NDEBUG
-
-#define IGNORE_EINTR(x) ({ \
- decltype(x) eintr_wrapper_result; \
- do { \
- eintr_wrapper_result = (x); \
- if (eintr_wrapper_result == -1 && errno == EINTR) { \
- eintr_wrapper_result = 0; \
- } \
- } while (0); \
- eintr_wrapper_result; \
-})
-
-#else
-
-#define HANDLE_EINTR(x) (x)
-#define IGNORE_EINTR(x) (x)
-
-#endif // OS_POSIX
-
-#endif // BASE_POSIX_EINTR_WRAPPER_H_
diff --git a/security/sandbox/chromium/base/process/process_handle.h b/security/sandbox/chromium/base/process/process_handle.h
deleted file mode 100644
index ef7a60255..000000000
--- a/security/sandbox/chromium/base/process/process_handle.h
+++ /dev/null
@@ -1,81 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_PROCESS_PROCESS_HANDLE_H_
-#define BASE_PROCESS_PROCESS_HANDLE_H_
-
-#include <stdint.h>
-#include <sys/types.h>
-
-#include "base/base_export.h"
-#include "base/files/file_path.h"
-#include "build/build_config.h"
-
-#if defined(OS_WIN)
-#include <windows.h>
-#endif
-
-namespace base {
-
-// ProcessHandle is a platform specific type which represents the underlying OS
-// handle to a process.
-// ProcessId is a number which identifies the process in the OS.
-#if defined(OS_WIN)
-typedef HANDLE ProcessHandle;
-typedef DWORD ProcessId;
-typedef HANDLE UserTokenHandle;
-const ProcessHandle kNullProcessHandle = NULL;
-const ProcessId kNullProcessId = 0;
-#elif defined(OS_POSIX)
-// On POSIX, our ProcessHandle will just be the PID.
-typedef pid_t ProcessHandle;
-typedef pid_t ProcessId;
-const ProcessHandle kNullProcessHandle = 0;
-const ProcessId kNullProcessId = 0;
-#endif // defined(OS_WIN)
-
-// Returns the id of the current process.
-// Note that on some platforms, this is not guaranteed to be unique across
-// processes (use GetUniqueIdForProcess if uniqueness is required).
-BASE_EXPORT ProcessId GetCurrentProcId();
-
-// Returns a unique ID for the current process. The ID will be unique across all
-// currently running processes within the chrome session, but IDs of terminated
-// processes may be reused. This returns an opaque value that is different from
-// a process's PID.
-BASE_EXPORT uint32_t GetUniqueIdForProcess();
-
-#if defined(OS_LINUX)
-// When a process is started in a different PID namespace from the browser
-// process, this function must be called with the process's PID in the browser's
-// PID namespace in order to initialize its unique ID. Not thread safe.
-// WARNING: To avoid inconsistent results from GetUniqueIdForProcess, this
-// should only be called very early after process startup - ideally as soon
-// after process creation as possible.
-BASE_EXPORT void InitUniqueIdForProcessInPidNamespace(
- ProcessId pid_outside_of_namespace);
-#endif
-
-// Returns the ProcessHandle of the current process.
-BASE_EXPORT ProcessHandle GetCurrentProcessHandle();
-
-// Returns the process ID for the specified process. This is functionally the
-// same as Windows' GetProcessId(), but works on versions of Windows before Win
-// XP SP1 as well.
-// DEPRECATED. New code should be using Process::Pid() instead.
-// Note that on some platforms, this is not guaranteed to be unique across
-// processes.
-BASE_EXPORT ProcessId GetProcId(ProcessHandle process);
-
-// Returns the ID for the parent of the given process.
-BASE_EXPORT ProcessId GetParentProcessId(ProcessHandle process);
-
-#if defined(OS_POSIX)
-// Returns the path to the executable of the given process.
-BASE_EXPORT FilePath GetProcessExecutablePath(ProcessHandle process);
-#endif
-
-} // namespace base
-
-#endif // BASE_PROCESS_PROCESS_HANDLE_H_
diff --git a/security/sandbox/chromium/base/rand_util.h b/security/sandbox/chromium/base/rand_util.h
deleted file mode 100644
index 881dbd50b..000000000
--- a/security/sandbox/chromium/base/rand_util.h
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_RAND_UTIL_H_
-#define BASE_RAND_UTIL_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <string>
-
-#include "base/base_export.h"
-#include "build/build_config.h"
-
-namespace base {
-
-// Returns a random number in range [0, UINT64_MAX]. Thread-safe.
-BASE_EXPORT uint64_t RandUint64();
-
-// Returns a random number between min and max (inclusive). Thread-safe.
-BASE_EXPORT int RandInt(int min, int max);
-
-// Returns a random number in range [0, range). Thread-safe.
-//
-// Note that this can be used as an adapter for std::random_shuffle():
-// Given a pre-populated |std::vector<int> myvector|, shuffle it as
-// std::random_shuffle(myvector.begin(), myvector.end(), base::RandGenerator);
-BASE_EXPORT uint64_t RandGenerator(uint64_t range);
-
-// Returns a random double in range [0, 1). Thread-safe.
-BASE_EXPORT double RandDouble();
-
-// Given input |bits|, convert with maximum precision to a double in
-// the range [0, 1). Thread-safe.
-BASE_EXPORT double BitsToOpenEndedUnitInterval(uint64_t bits);
-
-// Fills |output_length| bytes of |output| with random data.
-//
-// WARNING:
-// Do not use for security-sensitive purposes.
-// See crypto/ for cryptographically secure random number generation APIs.
-BASE_EXPORT void RandBytes(void* output, size_t output_length);
-
-// Fills a string of length |length| with random data and returns it.
-// |length| should be nonzero.
-//
-// Note that this is a variation of |RandBytes| with a different return type.
-// The returned string is likely not ASCII/UTF-8. Use with care.
-//
-// WARNING:
-// Do not use for security-sensitive purposes.
-// See crypto/ for cryptographically secure random number generation APIs.
-BASE_EXPORT std::string RandBytesAsString(size_t length);
-
-#if defined(OS_POSIX)
-BASE_EXPORT int GetUrandomFD();
-#endif
-
-} // namespace base
-
-#endif // BASE_RAND_UTIL_H_
diff --git a/security/sandbox/chromium/base/scoped_clear_errno.h b/security/sandbox/chromium/base/scoped_clear_errno.h
deleted file mode 100644
index 585f6f768..000000000
--- a/security/sandbox/chromium/base/scoped_clear_errno.h
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_SCOPED_CLEAR_ERRNO_H_
-#define BASE_SCOPED_CLEAR_ERRNO_H_
-
-#include <errno.h>
-
-#include "base/macros.h"
-
-namespace base {
-
-// Simple scoper that saves the current value of errno, resets it to 0, and on
-// destruction puts the old value back.
-class ScopedClearErrno {
- public:
- ScopedClearErrno() : old_errno_(errno) {
- errno = 0;
- }
- ~ScopedClearErrno() {
- if (errno == 0)
- errno = old_errno_;
- }
-
- private:
- const int old_errno_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedClearErrno);
-};
-
-} // namespace base
-
-#endif // BASE_SCOPED_CLEAR_ERRNO_H_
diff --git a/security/sandbox/chromium/base/sequence_checker.h b/security/sandbox/chromium/base/sequence_checker.h
deleted file mode 100644
index ad0182825..000000000
--- a/security/sandbox/chromium/base/sequence_checker.h
+++ /dev/null
@@ -1,62 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_SEQUENCE_CHECKER_H_
-#define BASE_SEQUENCE_CHECKER_H_
-
-// See comments for the similar block in thread_checker.h.
-#if (!defined(NDEBUG) || defined(DCHECK_ALWAYS_ON))
-#define ENABLE_SEQUENCE_CHECKER 1
-#else
-#define ENABLE_SEQUENCE_CHECKER 0
-#endif
-
-#include "base/sequence_checker_impl.h"
-
-namespace base {
-
-// Do nothing implementation, for use in release mode.
-//
-// Note: You should almost always use the SequenceChecker class to get
-// the right version for your build configuration.
-class SequenceCheckerDoNothing {
- public:
- bool CalledOnValidSequencedThread() const {
- return true;
- }
-
- void DetachFromSequence() {}
-};
-
-// SequenceChecker is a helper class used to help verify that some
-// methods of a class are called in sequence -- that is, called from
-// the same SequencedTaskRunner. It is a generalization of
-// ThreadChecker; see comments in sequence_checker_impl.h for details.
-//
-// Example:
-// class MyClass {
-// public:
-// void Foo() {
-// DCHECK(sequence_checker_.CalledOnValidSequencedThread());
-// ... (do stuff) ...
-// }
-//
-// private:
-// SequenceChecker sequence_checker_;
-// }
-//
-// In Release mode, CalledOnValidSequencedThread() will always return true.
-#if ENABLE_SEQUENCE_CHECKER
-class SequenceChecker : public SequenceCheckerImpl {
-};
-#else
-class SequenceChecker : public SequenceCheckerDoNothing {
-};
-#endif // ENABLE_SEQUENCE_CHECKER
-
-#undef ENABLE_SEQUENCE_CHECKER
-
-} // namespace base
-
-#endif // BASE_SEQUENCE_CHECKER_H_
diff --git a/security/sandbox/chromium/base/sequence_checker_impl.h b/security/sandbox/chromium/base/sequence_checker_impl.h
deleted file mode 100644
index e3c5fed50..000000000
--- a/security/sandbox/chromium/base/sequence_checker_impl.h
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_SEQUENCE_CHECKER_IMPL_H_
-#define BASE_SEQUENCE_CHECKER_IMPL_H_
-
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "base/synchronization/lock.h"
-#include "base/threading/sequenced_worker_pool.h"
-#include "base/threading/thread_checker_impl.h"
-
-namespace base {
-
-// SequenceCheckerImpl is used to help verify that some methods of a
-// class are called in sequence -- that is, called from the same
-// SequencedTaskRunner. It is a generalization of ThreadChecker; in
-// particular, it behaves exactly like ThreadChecker if constructed
-// on a thread that is not part of a SequencedWorkerPool.
-class BASE_EXPORT SequenceCheckerImpl {
- public:
- SequenceCheckerImpl();
- ~SequenceCheckerImpl();
-
- // Returns whether the we are being called on the same sequence token
- // as previous calls. If there is no associated sequence, then returns
- // whether we are being called on the underlying ThreadChecker's thread.
- bool CalledOnValidSequencedThread() const;
-
- // Unbinds the checker from the currently associated sequence. The
- // checker will be re-bound on the next call to CalledOnValidSequence().
- void DetachFromSequence();
-
- private:
- void EnsureSequenceTokenAssigned() const;
-
- // Guards all variables below.
- mutable Lock lock_;
-
- // Used if |sequence_token_| is not valid.
- ThreadCheckerImpl thread_checker_;
- mutable bool sequence_token_assigned_;
-
- mutable SequencedWorkerPool::SequenceToken sequence_token_;
-
- DISALLOW_COPY_AND_ASSIGN(SequenceCheckerImpl);
-};
-
-} // namespace base
-
-#endif // BASE_SEQUENCE_CHECKER_IMPL_H_
diff --git a/security/sandbox/chromium/base/sequenced_task_runner.h b/security/sandbox/chromium/base/sequenced_task_runner.h
deleted file mode 100644
index 6bb3f2b87..000000000
--- a/security/sandbox/chromium/base/sequenced_task_runner.h
+++ /dev/null
@@ -1,159 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_SEQUENCED_TASK_RUNNER_H_
-#define BASE_SEQUENCED_TASK_RUNNER_H_
-
-#include "base/base_export.h"
-#include "base/sequenced_task_runner_helpers.h"
-#include "base/task_runner.h"
-
-namespace base {
-
-// A SequencedTaskRunner is a subclass of TaskRunner that provides
-// additional guarantees on the order that tasks are started, as well
-// as guarantees on when tasks are in sequence, i.e. one task finishes
-// before the other one starts.
-//
-// Summary
-// -------
-// Non-nested tasks with the same delay will run one by one in FIFO
-// order.
-//
-// Detailed guarantees
-// -------------------
-//
-// SequencedTaskRunner also adds additional methods for posting
-// non-nestable tasks. In general, an implementation of TaskRunner
-// may expose task-running methods which are themselves callable from
-// within tasks. A non-nestable task is one that is guaranteed to not
-// be run from within an already-running task. Conversely, a nestable
-// task (the default) is a task that can be run from within an
-// already-running task.
-//
-// The guarantees of SequencedTaskRunner are as follows:
-//
-// - Given two tasks T2 and T1, T2 will start after T1 starts if:
-//
-// * T2 is posted after T1; and
-// * T2 has equal or higher delay than T1; and
-// * T2 is non-nestable or T1 is nestable.
-//
-// - If T2 will start after T1 starts by the above guarantee, then
-// T2 will start after T1 finishes and is destroyed if:
-//
-// * T2 is non-nestable, or
-// * T1 doesn't call any task-running methods.
-//
-// - If T2 will start after T1 finishes by the above guarantee, then
-// all memory changes in T1 and T1's destruction will be visible
-// to T2.
-//
-// - If T2 runs nested within T1 via a call to the task-running
-// method M, then all memory changes in T1 up to the call to M
-// will be visible to T2, and all memory changes in T2 will be
-// visible to T1 from the return from M.
-//
-// Note that SequencedTaskRunner does not guarantee that tasks are run
-// on a single dedicated thread, although the above guarantees provide
-// most (but not all) of the same guarantees. If you do need to
-// guarantee that tasks are run on a single dedicated thread, see
-// SingleThreadTaskRunner (in single_thread_task_runner.h).
-//
-// Some corollaries to the above guarantees, assuming the tasks in
-// question don't call any task-running methods:
-//
-// - Tasks posted via PostTask are run in FIFO order.
-//
-// - Tasks posted via PostNonNestableTask are run in FIFO order.
-//
-// - Tasks posted with the same delay and the same nestable state
-// are run in FIFO order.
-//
-// - A list of tasks with the same nestable state posted in order of
-// non-decreasing delay is run in FIFO order.
-//
-// - A list of tasks posted in order of non-decreasing delay with at
-// most a single change in nestable state from nestable to
-// non-nestable is run in FIFO order. (This is equivalent to the
-// statement of the first guarantee above.)
-//
-// Some theoretical implementations of SequencedTaskRunner:
-//
-// - A SequencedTaskRunner that wraps a regular TaskRunner but makes
-// sure that only one task at a time is posted to the TaskRunner,
-// with appropriate memory barriers in between tasks.
-//
-// - A SequencedTaskRunner that, for each task, spawns a joinable
-// thread to run that task and immediately quit, and then
-// immediately joins that thread.
-//
-// - A SequencedTaskRunner that stores the list of posted tasks and
-// has a method Run() that runs each runnable task in FIFO order
-// that can be called from any thread, but only if another
-// (non-nested) Run() call isn't already happening.
-class BASE_EXPORT SequencedTaskRunner : public TaskRunner {
- public:
- // The two PostNonNestable*Task methods below are like their
- // nestable equivalents in TaskRunner, but they guarantee that the
- // posted task will not run nested within an already-running task.
- //
- // A simple corollary is that posting a task as non-nestable can
- // only delay when the task gets run. That is, posting a task as
- // non-nestable may not affect when the task gets run, or it could
- // make it run later than it normally would, but it won't make it
- // run earlier than it normally would.
-
- // TODO(akalin): Get rid of the boolean return value for the methods
- // below.
-
- bool PostNonNestableTask(const tracked_objects::Location& from_here,
- const Closure& task);
-
- virtual bool PostNonNestableDelayedTask(
- const tracked_objects::Location& from_here,
- const Closure& task,
- base::TimeDelta delay) = 0;
-
- // Submits a non-nestable task to delete the given object. Returns
- // true if the object may be deleted at some point in the future,
- // and false if the object definitely will not be deleted.
- template <class T>
- bool DeleteSoon(const tracked_objects::Location& from_here,
- const T* object) {
- return
- subtle::DeleteHelperInternal<T, bool>::DeleteViaSequencedTaskRunner(
- this, from_here, object);
- }
-
- // Submits a non-nestable task to release the given object. Returns
- // true if the object may be released at some point in the future,
- // and false if the object definitely will not be released.
- template <class T>
- bool ReleaseSoon(const tracked_objects::Location& from_here,
- T* object) {
- return
- subtle::ReleaseHelperInternal<T, bool>::ReleaseViaSequencedTaskRunner(
- this, from_here, object);
- }
-
- protected:
- ~SequencedTaskRunner() override {}
-
- private:
- template <class T, class R> friend class subtle::DeleteHelperInternal;
- template <class T, class R> friend class subtle::ReleaseHelperInternal;
-
- bool DeleteSoonInternal(const tracked_objects::Location& from_here,
- void(*deleter)(const void*),
- const void* object);
-
- bool ReleaseSoonInternal(const tracked_objects::Location& from_here,
- void(*releaser)(const void*),
- const void* object);
-};
-
-} // namespace base
-
-#endif // BASE_SEQUENCED_TASK_RUNNER_H_
diff --git a/security/sandbox/chromium/base/sequenced_task_runner_helpers.h b/security/sandbox/chromium/base/sequenced_task_runner_helpers.h
deleted file mode 100644
index 7980b46b6..000000000
--- a/security/sandbox/chromium/base/sequenced_task_runner_helpers.h
+++ /dev/null
@@ -1,113 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_SEQUENCED_TASK_RUNNER_HELPERS_H_
-#define BASE_SEQUENCED_TASK_RUNNER_HELPERS_H_
-
-#include "base/debug/alias.h"
-#include "base/macros.h"
-
-// TODO(akalin): Investigate whether it's possible to just have
-// SequencedTaskRunner use these helpers (instead of MessageLoop).
-// Then we can just move these to sequenced_task_runner.h.
-
-namespace tracked_objects {
-class Location;
-}
-
-namespace base {
-
-namespace subtle {
-template <class T, class R> class DeleteHelperInternal;
-template <class T, class R> class ReleaseHelperInternal;
-}
-
-// Template helpers which use function indirection to erase T from the
-// function signature while still remembering it so we can call the
-// correct destructor/release function.
-//
-// We use this trick so we don't need to include bind.h in a header
-// file like sequenced_task_runner.h. We also wrap the helpers in a
-// templated class to make it easier for users of DeleteSoon to
-// declare the helper as a friend.
-template <class T>
-class DeleteHelper {
- private:
- template <class T2, class R> friend class subtle::DeleteHelperInternal;
-
- static void DoDelete(const void* object) {
- delete reinterpret_cast<const T*>(object);
- }
-
- DISALLOW_COPY_AND_ASSIGN(DeleteHelper);
-};
-
-template <class T>
-class ReleaseHelper {
- private:
- template <class T2, class R> friend class subtle::ReleaseHelperInternal;
-
- static void DoRelease(const void* object) {
- reinterpret_cast<const T*>(object)->Release();
- }
-
- DISALLOW_COPY_AND_ASSIGN(ReleaseHelper);
-};
-
-namespace subtle {
-
-// An internal SequencedTaskRunner-like class helper for DeleteHelper
-// and ReleaseHelper. We don't want to expose the Do*() functions
-// directly directly since the void* argument makes it possible to
-// pass/ an object of the wrong type to delete. Instead, we force
-// callers to go through these internal helpers for type
-// safety. SequencedTaskRunner-like classes which expose DeleteSoon or
-// ReleaseSoon methods should friend the appropriate helper and
-// implement a corresponding *Internal method with the following
-// signature:
-//
-// bool(const tracked_objects::Location&,
-// void(*function)(const void*),
-// void* object)
-//
-// An implementation of this function should simply create a
-// base::Closure from (function, object) and return the result of
-// posting the task.
-template <class T, class ReturnType>
-class DeleteHelperInternal {
- public:
- template <class SequencedTaskRunnerType>
- static ReturnType DeleteViaSequencedTaskRunner(
- SequencedTaskRunnerType* sequenced_task_runner,
- const tracked_objects::Location& from_here,
- const T* object) {
- return sequenced_task_runner->DeleteSoonInternal(
- from_here, &DeleteHelper<T>::DoDelete, object);
- }
-
- private:
- DISALLOW_COPY_AND_ASSIGN(DeleteHelperInternal);
-};
-
-template <class T, class ReturnType>
-class ReleaseHelperInternal {
- public:
- template <class SequencedTaskRunnerType>
- static ReturnType ReleaseViaSequencedTaskRunner(
- SequencedTaskRunnerType* sequenced_task_runner,
- const tracked_objects::Location& from_here,
- const T* object) {
- return sequenced_task_runner->ReleaseSoonInternal(
- from_here, &ReleaseHelper<T>::DoRelease, object);
- }
-
- private:
- DISALLOW_COPY_AND_ASSIGN(ReleaseHelperInternal);
-};
-
-} // namespace subtle
-
-} // namespace base
-
-#endif // BASE_SEQUENCED_TASK_RUNNER_HELPERS_H_
diff --git a/security/sandbox/chromium/base/single_thread_task_runner.h b/security/sandbox/chromium/base/single_thread_task_runner.h
deleted file mode 100644
index 6e9319314..000000000
--- a/security/sandbox/chromium/base/single_thread_task_runner.h
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_SINGLE_THREAD_TASK_RUNNER_H_
-#define BASE_SINGLE_THREAD_TASK_RUNNER_H_
-
-#include "base/base_export.h"
-#include "base/sequenced_task_runner.h"
-
-namespace base {
-
-// A SingleThreadTaskRunner is a SequencedTaskRunner with one more
-// guarantee; namely, that all tasks are run on a single dedicated
-// thread. Most use cases require only a SequencedTaskRunner, unless
-// there is a specific need to run tasks on only a single thread.
-//
-// SingleThreadTaskRunner implementations might:
-// - Post tasks to an existing thread's MessageLoop (see
-// MessageLoop::task_runner()).
-// - Create their own worker thread and MessageLoop to post tasks to.
-// - Add tasks to a FIFO and signal to a non-MessageLoop thread for them to
-// be processed. This allows TaskRunner-oriented code run on threads
-// running other kinds of message loop, e.g. Jingle threads.
-class BASE_EXPORT SingleThreadTaskRunner : public SequencedTaskRunner {
- public:
- // A more explicit alias to RunsTasksOnCurrentThread().
- bool BelongsToCurrentThread() const {
- return RunsTasksOnCurrentThread();
- }
-
- protected:
- ~SingleThreadTaskRunner() override {}
-};
-
-} // namespace base
-
-#endif // BASE_SINGLE_THREAD_TASK_RUNNER_H_
diff --git a/security/sandbox/chromium/base/stl_util.h b/security/sandbox/chromium/base/stl_util.h
deleted file mode 100644
index 12e226a9d..000000000
--- a/security/sandbox/chromium/base/stl_util.h
+++ /dev/null
@@ -1,262 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Derived from google3/util/gtl/stl_util.h
-
-#ifndef BASE_STL_UTIL_H_
-#define BASE_STL_UTIL_H_
-
-#include <algorithm>
-#include <functional>
-#include <iterator>
-#include <string>
-#include <vector>
-
-#include "base/logging.h"
-
-// Clears internal memory of an STL object.
-// STL clear()/reserve(0) does not always free internal memory allocated
-// This function uses swap/destructor to ensure the internal memory is freed.
-template<class T>
-void STLClearObject(T* obj) {
- T tmp;
- tmp.swap(*obj);
- // Sometimes "T tmp" allocates objects with memory (arena implementation?).
- // Hence using additional reserve(0) even if it doesn't always work.
- obj->reserve(0);
-}
-
-// For a range within a container of pointers, calls delete (non-array version)
-// on these pointers.
-// NOTE: for these three functions, we could just implement a DeleteObject
-// functor and then call for_each() on the range and functor, but this
-// requires us to pull in all of algorithm.h, which seems expensive.
-// For hash_[multi]set, it is important that this deletes behind the iterator
-// because the hash_set may call the hash function on the iterator when it is
-// advanced, which could result in the hash function trying to deference a
-// stale pointer.
-template <class ForwardIterator>
-void STLDeleteContainerPointers(ForwardIterator begin, ForwardIterator end) {
- while (begin != end) {
- ForwardIterator temp = begin;
- ++begin;
- delete *temp;
- }
-}
-
-// For a range within a container of pairs, calls delete (non-array version) on
-// BOTH items in the pairs.
-// NOTE: Like STLDeleteContainerPointers, it is important that this deletes
-// behind the iterator because if both the key and value are deleted, the
-// container may call the hash function on the iterator when it is advanced,
-// which could result in the hash function trying to dereference a stale
-// pointer.
-template <class ForwardIterator>
-void STLDeleteContainerPairPointers(ForwardIterator begin,
- ForwardIterator end) {
- while (begin != end) {
- ForwardIterator temp = begin;
- ++begin;
- delete temp->first;
- delete temp->second;
- }
-}
-
-// For a range within a container of pairs, calls delete (non-array version) on
-// the FIRST item in the pairs.
-// NOTE: Like STLDeleteContainerPointers, deleting behind the iterator.
-template <class ForwardIterator>
-void STLDeleteContainerPairFirstPointers(ForwardIterator begin,
- ForwardIterator end) {
- while (begin != end) {
- ForwardIterator temp = begin;
- ++begin;
- delete temp->first;
- }
-}
-
-// For a range within a container of pairs, calls delete.
-// NOTE: Like STLDeleteContainerPointers, deleting behind the iterator.
-// Deleting the value does not always invalidate the iterator, but it may
-// do so if the key is a pointer into the value object.
-template <class ForwardIterator>
-void STLDeleteContainerPairSecondPointers(ForwardIterator begin,
- ForwardIterator end) {
- while (begin != end) {
- ForwardIterator temp = begin;
- ++begin;
- delete temp->second;
- }
-}
-
-// Counts the number of instances of val in a container.
-template <typename Container, typename T>
-typename std::iterator_traits<
- typename Container::const_iterator>::difference_type
-STLCount(const Container& container, const T& val) {
- return std::count(container.begin(), container.end(), val);
-}
-
-// Return a mutable char* pointing to a string's internal buffer,
-// which may not be null-terminated. Writing through this pointer will
-// modify the string.
-//
-// string_as_array(&str)[i] is valid for 0 <= i < str.size() until the
-// next call to a string method that invalidates iterators.
-//
-// As of 2006-04, there is no standard-blessed way of getting a
-// mutable reference to a string's internal buffer. However, issue 530
-// (http://www.open-std.org/JTC1/SC22/WG21/docs/lwg-active.html#530)
-// proposes this as the method. According to Matt Austern, this should
-// already work on all current implementations.
-inline char* string_as_array(std::string* str) {
- // DO NOT USE const_cast<char*>(str->data())
- return str->empty() ? NULL : &*str->begin();
-}
-
-// The following functions are useful for cleaning up STL containers whose
-// elements point to allocated memory.
-
-// STLDeleteElements() deletes all the elements in an STL container and clears
-// the container. This function is suitable for use with a vector, set,
-// hash_set, or any other STL container which defines sensible begin(), end(),
-// and clear() methods.
-//
-// If container is NULL, this function is a no-op.
-//
-// As an alternative to calling STLDeleteElements() directly, consider
-// STLElementDeleter (defined below), which ensures that your container's
-// elements are deleted when the STLElementDeleter goes out of scope.
-template <class T>
-void STLDeleteElements(T* container) {
- if (!container)
- return;
- STLDeleteContainerPointers(container->begin(), container->end());
- container->clear();
-}
-
-// Given an STL container consisting of (key, value) pairs, STLDeleteValues
-// deletes all the "value" components and clears the container. Does nothing
-// in the case it's given a NULL pointer.
-template <class T>
-void STLDeleteValues(T* container) {
- if (!container)
- return;
- STLDeleteContainerPairSecondPointers(container->begin(), container->end());
- container->clear();
-}
-
-
-// The following classes provide a convenient way to delete all elements or
-// values from STL containers when they goes out of scope. This greatly
-// simplifies code that creates temporary objects and has multiple return
-// statements. Example:
-//
-// vector<MyProto *> tmp_proto;
-// STLElementDeleter<vector<MyProto *> > d(&tmp_proto);
-// if (...) return false;
-// ...
-// return success;
-
-// Given a pointer to an STL container this class will delete all the element
-// pointers when it goes out of scope.
-template<class T>
-class STLElementDeleter {
- public:
- STLElementDeleter<T>(T* container) : container_(container) {}
- ~STLElementDeleter<T>() { STLDeleteElements(container_); }
-
- private:
- T* container_;
-};
-
-// Given a pointer to an STL container this class will delete all the value
-// pointers when it goes out of scope.
-template<class T>
-class STLValueDeleter {
- public:
- STLValueDeleter<T>(T* container) : container_(container) {}
- ~STLValueDeleter<T>() { STLDeleteValues(container_); }
-
- private:
- T* container_;
-};
-
-// Test to see if a set, map, hash_set or hash_map contains a particular key.
-// Returns true if the key is in the collection.
-template <typename Collection, typename Key>
-bool ContainsKey(const Collection& collection, const Key& key) {
- return collection.find(key) != collection.end();
-}
-
-// Test to see if a collection like a vector contains a particular value.
-// Returns true if the value is in the collection.
-template <typename Collection, typename Value>
-bool ContainsValue(const Collection& collection, const Value& value) {
- return std::find(collection.begin(), collection.end(), value) !=
- collection.end();
-}
-
-namespace base {
-
-// Returns true if the container is sorted.
-template <typename Container>
-bool STLIsSorted(const Container& cont) {
- // Note: Use reverse iterator on container to ensure we only require
- // value_type to implement operator<.
- return std::adjacent_find(cont.rbegin(), cont.rend(),
- std::less<typename Container::value_type>())
- == cont.rend();
-}
-
-// Returns a new ResultType containing the difference of two sorted containers.
-template <typename ResultType, typename Arg1, typename Arg2>
-ResultType STLSetDifference(const Arg1& a1, const Arg2& a2) {
- DCHECK(STLIsSorted(a1));
- DCHECK(STLIsSorted(a2));
- ResultType difference;
- std::set_difference(a1.begin(), a1.end(),
- a2.begin(), a2.end(),
- std::inserter(difference, difference.end()));
- return difference;
-}
-
-// Returns a new ResultType containing the union of two sorted containers.
-template <typename ResultType, typename Arg1, typename Arg2>
-ResultType STLSetUnion(const Arg1& a1, const Arg2& a2) {
- DCHECK(STLIsSorted(a1));
- DCHECK(STLIsSorted(a2));
- ResultType result;
- std::set_union(a1.begin(), a1.end(),
- a2.begin(), a2.end(),
- std::inserter(result, result.end()));
- return result;
-}
-
-// Returns a new ResultType containing the intersection of two sorted
-// containers.
-template <typename ResultType, typename Arg1, typename Arg2>
-ResultType STLSetIntersection(const Arg1& a1, const Arg2& a2) {
- DCHECK(STLIsSorted(a1));
- DCHECK(STLIsSorted(a2));
- ResultType result;
- std::set_intersection(a1.begin(), a1.end(),
- a2.begin(), a2.end(),
- std::inserter(result, result.end()));
- return result;
-}
-
-// Returns true if the sorted container |a1| contains all elements of the sorted
-// container |a2|.
-template <typename Arg1, typename Arg2>
-bool STLIncludes(const Arg1& a1, const Arg2& a2) {
- DCHECK(STLIsSorted(a1));
- DCHECK(STLIsSorted(a2));
- return std::includes(a1.begin(), a1.end(),
- a2.begin(), a2.end());
-}
-
-} // namespace base
-
-#endif // BASE_STL_UTIL_H_
diff --git a/security/sandbox/chromium/base/strings/nullable_string16.cc b/security/sandbox/chromium/base/strings/nullable_string16.cc
deleted file mode 100644
index 07f81d433..000000000
--- a/security/sandbox/chromium/base/strings/nullable_string16.cc
+++ /dev/null
@@ -1,17 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/nullable_string16.h"
-
-#include <ostream>
-
-#include "base/strings/utf_string_conversions.h"
-
-namespace base {
-
-std::ostream& operator<<(std::ostream& out, const NullableString16& value) {
- return value.is_null() ? out << "(null)" : out << UTF16ToUTF8(value.string());
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/nullable_string16.h b/security/sandbox/chromium/base/strings/nullable_string16.h
deleted file mode 100644
index 016c25c25..000000000
--- a/security/sandbox/chromium/base/strings/nullable_string16.h
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_NULLABLE_STRING16_H_
-#define BASE_STRINGS_NULLABLE_STRING16_H_
-
-#include <iosfwd>
-
-#include "base/base_export.h"
-#include "base/strings/string16.h"
-
-namespace base {
-
-// This class is a simple wrapper for string16 which also contains a null
-// state. This should be used only where the difference between null and
-// empty is meaningful.
-class NullableString16 {
- public:
- NullableString16() : is_null_(true) { }
- NullableString16(const string16& string, bool is_null)
- : string_(string), is_null_(is_null) {
- }
-
- const string16& string() const { return string_; }
- bool is_null() const { return is_null_; }
-
- private:
- string16 string_;
- bool is_null_;
-};
-
-inline bool operator==(const NullableString16& a, const NullableString16& b) {
- return a.is_null() == b.is_null() && a.string() == b.string();
-}
-
-inline bool operator!=(const NullableString16& a, const NullableString16& b) {
- return !(a == b);
-}
-
-BASE_EXPORT std::ostream& operator<<(std::ostream& out,
- const NullableString16& value);
-
-} // namespace base
-
-#endif // BASE_STRINGS_NULLABLE_STRING16_H_
diff --git a/security/sandbox/chromium/base/strings/safe_sprintf.cc b/security/sandbox/chromium/base/strings/safe_sprintf.cc
deleted file mode 100644
index a51c77827..000000000
--- a/security/sandbox/chromium/base/strings/safe_sprintf.cc
+++ /dev/null
@@ -1,686 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/safe_sprintf.h"
-
-#include <errno.h>
-#include <string.h>
-
-#include <limits>
-
-#include "base/macros.h"
-#include "build/build_config.h"
-
-#if !defined(NDEBUG)
-// In debug builds, we use RAW_CHECK() to print useful error messages, if
-// SafeSPrintf() is called with broken arguments.
-// As our contract promises that SafeSPrintf() can be called from any
-// restricted run-time context, it is not actually safe to call logging
-// functions from it; and we only ever do so for debug builds and hope for the
-// best. We should _never_ call any logging function other than RAW_CHECK(),
-// and we should _never_ include any logging code that is active in production
-// builds. Most notably, we should not include these logging functions in
-// unofficial release builds, even though those builds would otherwise have
-// DCHECKS() enabled.
-// In other words; please do not remove the #ifdef around this #include.
-// Instead, in production builds we opt for returning a degraded result,
-// whenever an error is encountered.
-// E.g. The broken function call
-// SafeSPrintf("errno = %d (%x)", errno, strerror(errno))
-// will print something like
-// errno = 13, (%x)
-// instead of
-// errno = 13 (Access denied)
-// In most of the anticipated use cases, that's probably the preferred
-// behavior.
-#include "base/logging.h"
-#define DEBUG_CHECK RAW_CHECK
-#else
-#define DEBUG_CHECK(x) do { if (x) { } } while (0)
-#endif
-
-namespace base {
-namespace strings {
-
-// The code in this file is extremely careful to be async-signal-safe.
-//
-// Most obviously, we avoid calling any code that could dynamically allocate
-// memory. Doing so would almost certainly result in bugs and dead-locks.
-// We also avoid calling any other STL functions that could have unintended
-// side-effects involving memory allocation or access to other shared
-// resources.
-//
-// But on top of that, we also avoid calling other library functions, as many
-// of them have the side-effect of calling getenv() (in order to deal with
-// localization) or accessing errno. The latter sounds benign, but there are
-// several execution contexts where it isn't even possible to safely read let
-// alone write errno.
-//
-// The stated design goal of the SafeSPrintf() function is that it can be
-// called from any context that can safely call C or C++ code (i.e. anything
-// that doesn't require assembly code).
-//
-// For a brief overview of some but not all of the issues with async-signal-
-// safety, refer to:
-// http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
-
-namespace {
-const size_t kSSizeMaxConst = ((size_t)(ssize_t)-1) >> 1;
-
-const char kUpCaseHexDigits[] = "0123456789ABCDEF";
-const char kDownCaseHexDigits[] = "0123456789abcdef";
-}
-
-#if defined(NDEBUG)
-// We would like to define kSSizeMax as std::numeric_limits<ssize_t>::max(),
-// but C++ doesn't allow us to do that for constants. Instead, we have to
-// use careful casting and shifting. We later use a static_assert to
-// verify that this worked correctly.
-namespace {
-const size_t kSSizeMax = kSSizeMaxConst;
-}
-#else // defined(NDEBUG)
-// For efficiency, we really need kSSizeMax to be a constant. But for unit
-// tests, it should be adjustable. This allows us to verify edge cases without
-// having to fill the entire available address space. As a compromise, we make
-// kSSizeMax adjustable in debug builds, and then only compile that particular
-// part of the unit test in debug builds.
-namespace {
-static size_t kSSizeMax = kSSizeMaxConst;
-}
-
-namespace internal {
-void SetSafeSPrintfSSizeMaxForTest(size_t max) {
- kSSizeMax = max;
-}
-
-size_t GetSafeSPrintfSSizeMaxForTest() {
- return kSSizeMax;
-}
-}
-#endif // defined(NDEBUG)
-
-namespace {
-class Buffer {
- public:
- // |buffer| is caller-allocated storage that SafeSPrintf() writes to. It
- // has |size| bytes of writable storage. It is the caller's responsibility
- // to ensure that the buffer is at least one byte in size, so that it fits
- // the trailing NUL that will be added by the destructor. The buffer also
- // must be smaller or equal to kSSizeMax in size.
- Buffer(char* buffer, size_t size)
- : buffer_(buffer),
- size_(size - 1), // Account for trailing NUL byte
- count_(0) {
-// MSVS2013's standard library doesn't mark max() as constexpr yet. cl.exe
-// supports static_cast but doesn't really implement constexpr yet so it doesn't
-// complain, but clang does.
-#if __cplusplus >= 201103 && !(defined(__clang__) && defined(OS_WIN))
- static_assert(kSSizeMaxConst ==
- static_cast<size_t>(std::numeric_limits<ssize_t>::max()),
- "kSSizeMaxConst should be the max value of an ssize_t");
-#endif
- DEBUG_CHECK(size > 0);
- DEBUG_CHECK(size <= kSSizeMax);
- }
-
- ~Buffer() {
- // The code calling the constructor guaranteed that there was enough space
- // to store a trailing NUL -- and in debug builds, we are actually
- // verifying this with DEBUG_CHECK()s in the constructor. So, we can
- // always unconditionally write the NUL byte in the destructor. We do not
- // need to adjust the count_, as SafeSPrintf() copies snprintf() in not
- // including the NUL byte in its return code.
- *GetInsertionPoint() = '\000';
- }
-
- // Returns true, iff the buffer is filled all the way to |kSSizeMax-1|. The
- // caller can now stop adding more data, as GetCount() has reached its
- // maximum possible value.
- inline bool OutOfAddressableSpace() const {
- return count_ == static_cast<size_t>(kSSizeMax - 1);
- }
-
- // Returns the number of bytes that would have been emitted to |buffer_|
- // if it was sized sufficiently large. This number can be larger than
- // |size_|, if the caller provided an insufficiently large output buffer.
- // But it will never be bigger than |kSSizeMax-1|.
- inline ssize_t GetCount() const {
- DEBUG_CHECK(count_ < kSSizeMax);
- return static_cast<ssize_t>(count_);
- }
-
- // Emits one |ch| character into the |buffer_| and updates the |count_| of
- // characters that are currently supposed to be in the buffer.
- // Returns "false", iff the buffer was already full.
- // N.B. |count_| increases even if no characters have been written. This is
- // needed so that GetCount() can return the number of bytes that should
- // have been allocated for the |buffer_|.
- inline bool Out(char ch) {
- if (size_ >= 1 && count_ < size_) {
- buffer_[count_] = ch;
- return IncrementCountByOne();
- }
- // |count_| still needs to be updated, even if the buffer has been
- // filled completely. This allows SafeSPrintf() to return the number of
- // bytes that should have been emitted.
- IncrementCountByOne();
- return false;
- }
-
- // Inserts |padding|-|len| bytes worth of padding into the |buffer_|.
- // |count_| will also be incremented by the number of bytes that were meant
- // to be emitted. The |pad| character is typically either a ' ' space
- // or a '0' zero, but other non-NUL values are legal.
- // Returns "false", iff the the |buffer_| filled up (i.e. |count_|
- // overflowed |size_|) at any time during padding.
- inline bool Pad(char pad, size_t padding, size_t len) {
- DEBUG_CHECK(pad);
- DEBUG_CHECK(padding <= kSSizeMax);
- for (; padding > len; --padding) {
- if (!Out(pad)) {
- if (--padding) {
- IncrementCount(padding-len);
- }
- return false;
- }
- }
- return true;
- }
-
- // POSIX doesn't define any async-signal-safe function for converting
- // an integer to ASCII. Define our own version.
- //
- // This also gives us the ability to make the function a little more
- // powerful and have it deal with |padding|, with truncation, and with
- // predicting the length of the untruncated output.
- //
- // IToASCII() converts an integer |i| to ASCII.
- //
- // Unlike similar functions in the standard C library, it never appends a
- // NUL character. This is left for the caller to do.
- //
- // While the function signature takes a signed int64_t, the code decides at
- // run-time whether to treat the argument as signed (int64_t) or as unsigned
- // (uint64_t) based on the value of |sign|.
- //
- // It supports |base|s 2 through 16. Only a |base| of 10 is allowed to have
- // a |sign|. Otherwise, |i| is treated as unsigned.
- //
- // For bases larger than 10, |upcase| decides whether lower-case or upper-
- // case letters should be used to designate digits greater than 10.
- //
- // Padding can be done with either '0' zeros or ' ' spaces. Padding has to
- // be positive and will always be applied to the left of the output.
- //
- // Prepends a |prefix| to the number (e.g. "0x"). This prefix goes to
- // the left of |padding|, if |pad| is '0'; and to the right of |padding|
- // if |pad| is ' '.
- //
- // Returns "false", if the |buffer_| overflowed at any time.
- bool IToASCII(bool sign, bool upcase, int64_t i, int base,
- char pad, size_t padding, const char* prefix);
-
- private:
- // Increments |count_| by |inc| unless this would cause |count_| to
- // overflow |kSSizeMax-1|. Returns "false", iff an overflow was detected;
- // it then clamps |count_| to |kSSizeMax-1|.
- inline bool IncrementCount(size_t inc) {
- // "inc" is either 1 or a "padding" value. Padding is clamped at
- // run-time to at most kSSizeMax-1. So, we know that "inc" is always in
- // the range 1..kSSizeMax-1.
- // This allows us to compute "kSSizeMax - 1 - inc" without incurring any
- // integer overflows.
- DEBUG_CHECK(inc <= kSSizeMax - 1);
- if (count_ > kSSizeMax - 1 - inc) {
- count_ = kSSizeMax - 1;
- return false;
- } else {
- count_ += inc;
- return true;
- }
- }
-
- // Convenience method for the common case of incrementing |count_| by one.
- inline bool IncrementCountByOne() {
- return IncrementCount(1);
- }
-
- // Return the current insertion point into the buffer. This is typically
- // at |buffer_| + |count_|, but could be before that if truncation
- // happened. It always points to one byte past the last byte that was
- // successfully placed into the |buffer_|.
- inline char* GetInsertionPoint() const {
- size_t idx = count_;
- if (idx > size_) {
- idx = size_;
- }
- return buffer_ + idx;
- }
-
- // User-provided buffer that will receive the fully formatted output string.
- char* buffer_;
-
- // Number of bytes that are available in the buffer excluding the trailing
- // NUL byte that will be added by the destructor.
- const size_t size_;
-
- // Number of bytes that would have been emitted to the buffer, if the buffer
- // was sufficiently big. This number always excludes the trailing NUL byte
- // and it is guaranteed to never grow bigger than kSSizeMax-1.
- size_t count_;
-
- DISALLOW_COPY_AND_ASSIGN(Buffer);
-};
-
-
-bool Buffer::IToASCII(bool sign, bool upcase, int64_t i, int base,
- char pad, size_t padding, const char* prefix) {
- // Sanity check for parameters. None of these should ever fail, but see
- // above for the rationale why we can't call CHECK().
- DEBUG_CHECK(base >= 2);
- DEBUG_CHECK(base <= 16);
- DEBUG_CHECK(!sign || base == 10);
- DEBUG_CHECK(pad == '0' || pad == ' ');
- DEBUG_CHECK(padding <= kSSizeMax);
- DEBUG_CHECK(!(sign && prefix && *prefix));
-
- // Handle negative numbers, if the caller indicated that |i| should be
- // treated as a signed number; otherwise treat |i| as unsigned (even if the
- // MSB is set!)
- // Details are tricky, because of limited data-types, but equivalent pseudo-
- // code would look like:
- // if (sign && i < 0)
- // prefix = "-";
- // num = abs(i);
- int minint = 0;
- uint64_t num;
- if (sign && i < 0) {
- prefix = "-";
-
- // Turn our number positive.
- if (i == std::numeric_limits<int64_t>::min()) {
- // The most negative integer needs special treatment.
- minint = 1;
- num = static_cast<uint64_t>(-(i + 1));
- } else {
- // "Normal" negative numbers are easy.
- num = static_cast<uint64_t>(-i);
- }
- } else {
- num = static_cast<uint64_t>(i);
- }
-
- // If padding with '0' zero, emit the prefix or '-' character now. Otherwise,
- // make the prefix accessible in reverse order, so that we can later output
- // it right between padding and the number.
- // We cannot choose the easier approach of just reversing the number, as that
- // fails in situations where we need to truncate numbers that have padding
- // and/or prefixes.
- const char* reverse_prefix = NULL;
- if (prefix && *prefix) {
- if (pad == '0') {
- while (*prefix) {
- if (padding) {
- --padding;
- }
- Out(*prefix++);
- }
- prefix = NULL;
- } else {
- for (reverse_prefix = prefix; *reverse_prefix; ++reverse_prefix) {
- }
- }
- } else
- prefix = NULL;
- const size_t prefix_length = reverse_prefix - prefix;
-
- // Loop until we have converted the entire number. Output at least one
- // character (i.e. '0').
- size_t start = count_;
- size_t discarded = 0;
- bool started = false;
- do {
- // Make sure there is still enough space left in our output buffer.
- if (count_ >= size_) {
- if (start < size_) {
- // It is rare that we need to output a partial number. But if asked
- // to do so, we will still make sure we output the correct number of
- // leading digits.
- // Since we are generating the digits in reverse order, we actually
- // have to discard digits in the order that we have already emitted
- // them. This is essentially equivalent to:
- // memmove(buffer_ + start, buffer_ + start + 1, size_ - start - 1)
- for (char* move = buffer_ + start, *end = buffer_ + size_ - 1;
- move < end;
- ++move) {
- *move = move[1];
- }
- ++discarded;
- --count_;
- } else if (count_ - size_ > 1) {
- // Need to increment either |count_| or |discarded| to make progress.
- // The latter is more efficient, as it eventually triggers fast
- // handling of padding. But we have to ensure we don't accidentally
- // change the overall state (i.e. switch the state-machine from
- // discarding to non-discarding). |count_| needs to always stay
- // bigger than |size_|.
- --count_;
- ++discarded;
- }
- }
-
- // Output the next digit and (if necessary) compensate for the most
- // negative integer needing special treatment. This works because,
- // no matter the bit width of the integer, the lowest-most decimal
- // integer always ends in 2, 4, 6, or 8.
- if (!num && started) {
- if (reverse_prefix > prefix) {
- Out(*--reverse_prefix);
- } else {
- Out(pad);
- }
- } else {
- started = true;
- Out((upcase ? kUpCaseHexDigits : kDownCaseHexDigits)[num%base + minint]);
- }
-
- minint = 0;
- num /= base;
-
- // Add padding, if requested.
- if (padding > 0) {
- --padding;
-
- // Performance optimization for when we are asked to output excessive
- // padding, but our output buffer is limited in size. Even if we output
- // a 64bit number in binary, we would never write more than 64 plus
- // prefix non-padding characters. So, once this limit has been passed,
- // any further state change can be computed arithmetically; we know that
- // by this time, our entire final output consists of padding characters
- // that have all already been output.
- if (discarded > 8*sizeof(num) + prefix_length) {
- IncrementCount(padding);
- padding = 0;
- }
- }
- } while (num || padding || (reverse_prefix > prefix));
-
- // Conversion to ASCII actually resulted in the digits being in reverse
- // order. We can't easily generate them in forward order, as we can't tell
- // the number of characters needed until we are done converting.
- // So, now, we reverse the string (except for the possible '-' sign).
- char* front = buffer_ + start;
- char* back = GetInsertionPoint();
- while (--back > front) {
- char ch = *back;
- *back = *front;
- *front++ = ch;
- }
-
- IncrementCount(discarded);
- return !discarded;
-}
-
-} // anonymous namespace
-
-namespace internal {
-
-ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt, const Arg* args,
- const size_t max_args) {
- // Make sure that at least one NUL byte can be written, and that the buffer
- // never overflows kSSizeMax. Not only does that use up most or all of the
- // address space, it also would result in a return code that cannot be
- // represented.
- if (static_cast<ssize_t>(sz) < 1) {
- return -1;
- } else if (sz > kSSizeMax) {
- sz = kSSizeMax;
- }
-
- // Iterate over format string and interpret '%' arguments as they are
- // encountered.
- Buffer buffer(buf, sz);
- size_t padding;
- char pad;
- for (unsigned int cur_arg = 0; *fmt && !buffer.OutOfAddressableSpace(); ) {
- if (*fmt++ == '%') {
- padding = 0;
- pad = ' ';
- char ch = *fmt++;
- format_character_found:
- switch (ch) {
- case '0': case '1': case '2': case '3': case '4':
- case '5': case '6': case '7': case '8': case '9':
- // Found a width parameter. Convert to an integer value and store in
- // "padding". If the leading digit is a zero, change the padding
- // character from a space ' ' to a zero '0'.
- pad = ch == '0' ? '0' : ' ';
- for (;;) {
- // The maximum allowed padding fills all the available address
- // space and leaves just enough space to insert the trailing NUL.
- const size_t max_padding = kSSizeMax - 1;
- if (padding > max_padding/10 ||
- 10*padding > max_padding - (ch - '0')) {
- DEBUG_CHECK(padding <= max_padding/10 &&
- 10*padding <= max_padding - (ch - '0'));
- // Integer overflow detected. Skip the rest of the width until
- // we find the format character, then do the normal error handling.
- padding_overflow:
- padding = max_padding;
- while ((ch = *fmt++) >= '0' && ch <= '9') {
- }
- if (cur_arg < max_args) {
- ++cur_arg;
- }
- goto fail_to_expand;
- }
- padding = 10*padding + ch - '0';
- if (padding > max_padding) {
- // This doesn't happen for "sane" values of kSSizeMax. But once
- // kSSizeMax gets smaller than about 10, our earlier range checks
- // are incomplete. Unittests do trigger this artificial corner
- // case.
- DEBUG_CHECK(padding <= max_padding);
- goto padding_overflow;
- }
- ch = *fmt++;
- if (ch < '0' || ch > '9') {
- // Reached the end of the width parameter. This is where the format
- // character is found.
- goto format_character_found;
- }
- }
- break;
- case 'c': { // Output an ASCII character.
- // Check that there are arguments left to be inserted.
- if (cur_arg >= max_args) {
- DEBUG_CHECK(cur_arg < max_args);
- goto fail_to_expand;
- }
-
- // Check that the argument has the expected type.
- const Arg& arg = args[cur_arg++];
- if (arg.type != Arg::INT && arg.type != Arg::UINT) {
- DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
- goto fail_to_expand;
- }
-
- // Apply padding, if needed.
- buffer.Pad(' ', padding, 1);
-
- // Convert the argument to an ASCII character and output it.
- char as_char = static_cast<char>(arg.integer.i);
- if (!as_char) {
- goto end_of_output_buffer;
- }
- buffer.Out(as_char);
- break; }
- case 'd': // Output a possibly signed decimal value.
- case 'o': // Output an unsigned octal value.
- case 'x': // Output an unsigned hexadecimal value.
- case 'X':
- case 'p': { // Output a pointer value.
- // Check that there are arguments left to be inserted.
- if (cur_arg >= max_args) {
- DEBUG_CHECK(cur_arg < max_args);
- goto fail_to_expand;
- }
-
- const Arg& arg = args[cur_arg++];
- int64_t i;
- const char* prefix = NULL;
- if (ch != 'p') {
- // Check that the argument has the expected type.
- if (arg.type != Arg::INT && arg.type != Arg::UINT) {
- DEBUG_CHECK(arg.type == Arg::INT || arg.type == Arg::UINT);
- goto fail_to_expand;
- }
- i = arg.integer.i;
-
- if (ch != 'd') {
- // The Arg() constructor automatically performed sign expansion on
- // signed parameters. This is great when outputting a %d decimal
- // number, but can result in unexpected leading 0xFF bytes when
- // outputting a %x hexadecimal number. Mask bits, if necessary.
- // We have to do this here, instead of in the Arg() constructor, as
- // the Arg() constructor cannot tell whether we will output a %d
- // or a %x. Only the latter should experience masking.
- if (arg.integer.width < sizeof(int64_t)) {
- i &= (1LL << (8*arg.integer.width)) - 1;
- }
- }
- } else {
- // Pointer values require an actual pointer or a string.
- if (arg.type == Arg::POINTER) {
- i = reinterpret_cast<uintptr_t>(arg.ptr);
- } else if (arg.type == Arg::STRING) {
- i = reinterpret_cast<uintptr_t>(arg.str);
- } else if (arg.type == Arg::INT &&
- arg.integer.width == sizeof(NULL) &&
- arg.integer.i == 0) { // Allow C++'s version of NULL
- i = 0;
- } else {
- DEBUG_CHECK(arg.type == Arg::POINTER || arg.type == Arg::STRING);
- goto fail_to_expand;
- }
-
- // Pointers always include the "0x" prefix.
- prefix = "0x";
- }
-
- // Use IToASCII() to convert to ASCII representation. For decimal
- // numbers, optionally print a sign. For hexadecimal numbers,
- // distinguish between upper and lower case. %p addresses are always
- // printed as upcase. Supports base 8, 10, and 16. Prints padding
- // and/or prefixes, if so requested.
- buffer.IToASCII(ch == 'd' && arg.type == Arg::INT,
- ch != 'x', i,
- ch == 'o' ? 8 : ch == 'd' ? 10 : 16,
- pad, padding, prefix);
- break; }
- case 's': {
- // Check that there are arguments left to be inserted.
- if (cur_arg >= max_args) {
- DEBUG_CHECK(cur_arg < max_args);
- goto fail_to_expand;
- }
-
- // Check that the argument has the expected type.
- const Arg& arg = args[cur_arg++];
- const char *s;
- if (arg.type == Arg::STRING) {
- s = arg.str ? arg.str : "<NULL>";
- } else if (arg.type == Arg::INT && arg.integer.width == sizeof(NULL) &&
- arg.integer.i == 0) { // Allow C++'s version of NULL
- s = "<NULL>";
- } else {
- DEBUG_CHECK(arg.type == Arg::STRING);
- goto fail_to_expand;
- }
-
- // Apply padding, if needed. This requires us to first check the
- // length of the string that we are outputting.
- if (padding) {
- size_t len = 0;
- for (const char* src = s; *src++; ) {
- ++len;
- }
- buffer.Pad(' ', padding, len);
- }
-
- // Printing a string involves nothing more than copying it into the
- // output buffer and making sure we don't output more bytes than
- // available space; Out() takes care of doing that.
- for (const char* src = s; *src; ) {
- buffer.Out(*src++);
- }
- break; }
- case '%':
- // Quoted percent '%' character.
- goto copy_verbatim;
- fail_to_expand:
- // C++ gives us tools to do type checking -- something that snprintf()
- // could never really do. So, whenever we see arguments that don't
- // match up with the format string, we refuse to output them. But
- // since we have to be extremely conservative about being async-
- // signal-safe, we are limited in the type of error handling that we
- // can do in production builds (in debug builds we can use
- // DEBUG_CHECK() and hope for the best). So, all we do is pass the
- // format string unchanged. That should eventually get the user's
- // attention; and in the meantime, it hopefully doesn't lose too much
- // data.
- default:
- // Unknown or unsupported format character. Just copy verbatim to
- // output.
- buffer.Out('%');
- DEBUG_CHECK(ch);
- if (!ch) {
- goto end_of_format_string;
- }
- buffer.Out(ch);
- break;
- }
- } else {
- copy_verbatim:
- buffer.Out(fmt[-1]);
- }
- }
- end_of_format_string:
- end_of_output_buffer:
- return buffer.GetCount();
-}
-
-} // namespace internal
-
-ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt) {
- // Make sure that at least one NUL byte can be written, and that the buffer
- // never overflows kSSizeMax. Not only does that use up most or all of the
- // address space, it also would result in a return code that cannot be
- // represented.
- if (static_cast<ssize_t>(sz) < 1) {
- return -1;
- } else if (sz > kSSizeMax) {
- sz = kSSizeMax;
- }
-
- Buffer buffer(buf, sz);
-
- // In the slow-path, we deal with errors by copying the contents of
- // "fmt" unexpanded. This means, if there are no arguments passed, the
- // SafeSPrintf() function always degenerates to a version of strncpy() that
- // de-duplicates '%' characters.
- const char* src = fmt;
- for (; *src; ++src) {
- buffer.Out(*src);
- DEBUG_CHECK(src[0] != '%' || src[1] == '%');
- if (src[0] == '%' && src[1] == '%') {
- ++src;
- }
- }
- return buffer.GetCount();
-}
-
-} // namespace strings
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/safe_sprintf.h b/security/sandbox/chromium/base/strings/safe_sprintf.h
deleted file mode 100644
index 65524a50c..000000000
--- a/security/sandbox/chromium/base/strings/safe_sprintf.h
+++ /dev/null
@@ -1,246 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_SAFE_SPRINTF_H_
-#define BASE_STRINGS_SAFE_SPRINTF_H_
-
-#include "build/build_config.h"
-
-#include <stddef.h>
-#include <stdint.h>
-#include <stdlib.h>
-
-#if defined(OS_POSIX)
-// For ssize_t
-#include <unistd.h>
-#endif
-
-#include "base/base_export.h"
-
-namespace base {
-namespace strings {
-
-#if defined(_MSC_VER)
-// Define ssize_t inside of our namespace.
-#if defined(_WIN64)
-typedef __int64 ssize_t;
-#else
-typedef long ssize_t;
-#endif
-#endif
-
-// SafeSPrintf() is a type-safe and completely self-contained version of
-// snprintf().
-//
-// SafeSNPrintf() is an alternative function signature that can be used when
-// not dealing with fixed-sized buffers. When possible, SafeSPrintf() should
-// always be used instead of SafeSNPrintf()
-//
-// These functions allow for formatting complicated messages from contexts that
-// require strict async-signal-safety. In fact, it is safe to call them from
-// any low-level execution context, as they are guaranteed to make no library
-// or system calls. It deliberately never touches "errno", either.
-//
-// The only exception to this rule is that in debug builds the code calls
-// RAW_CHECK() to help diagnose problems when the format string does not
-// match the rest of the arguments. In release builds, no CHECK()s are used,
-// and SafeSPrintf() instead returns an output string that expands only
-// those arguments that match their format characters. Mismatched arguments
-// are ignored.
-//
-// The code currently only supports a subset of format characters:
-// %c, %o, %d, %x, %X, %p, and %s.
-//
-// SafeSPrintf() aims to be as liberal as reasonably possible. Integer-like
-// values of arbitrary width can be passed to all of the format characters
-// that expect integers. Thus, it is explicitly legal to pass an "int" to
-// "%c", and output will automatically look at the LSB only. It is also
-// explicitly legal to pass either signed or unsigned values, and the format
-// characters will automatically interpret the arguments accordingly.
-//
-// It is still not legal to mix-and-match integer-like values with pointer
-// values. For instance, you cannot pass a pointer to %x, nor can you pass an
-// integer to %p.
-//
-// The one exception is "0" zero being accepted by "%p". This works-around
-// the problem of C++ defining NULL as an integer-like value.
-//
-// All format characters take an optional width parameter. This must be a
-// positive integer. For %d, %o, %x, %X and %p, if the width starts with
-// a leading '0', padding is done with '0' instead of ' ' characters.
-//
-// There are a few features of snprintf()-style format strings, that
-// SafeSPrintf() does not support at this time.
-//
-// If an actual user showed up, there is no particularly strong reason they
-// couldn't be added. But that assumes that the trade-offs between complexity
-// and utility are favorable.
-//
-// For example, adding support for negative padding widths, and for %n are all
-// likely to be viewed positively. They are all clearly useful, low-risk, easy
-// to test, don't jeopardize the async-signal-safety of the code, and overall
-// have little impact on other parts of SafeSPrintf() function.
-//
-// On the other hands, adding support for alternate forms, positional
-// arguments, grouping, wide characters, localization or floating point numbers
-// are all unlikely to ever be added.
-//
-// SafeSPrintf() and SafeSNPrintf() mimic the behavior of snprintf() and they
-// return the number of bytes needed to store the untruncated output. This
-// does *not* include the terminating NUL byte.
-//
-// They return -1, iff a fatal error happened. This typically can only happen,
-// if the buffer size is a) negative, or b) zero (i.e. not even the NUL byte
-// can be written). The return value can never be larger than SSIZE_MAX-1.
-// This ensures that the caller can always add one to the signed return code
-// in order to determine the amount of storage that needs to be allocated.
-//
-// While the code supports type checking and while it is generally very careful
-// to avoid printing incorrect values, it tends to be conservative in printing
-// as much as possible, even when given incorrect parameters. Typically, in
-// case of an error, the format string will not be expanded. (i.e. something
-// like SafeSPrintf(buf, "%p %d", 1, 2) results in "%p 2"). See above for
-// the use of RAW_CHECK() in debug builds, though.
-//
-// Basic example:
-// char buf[20];
-// base::strings::SafeSPrintf(buf, "The answer: %2d", 42);
-//
-// Example with dynamically sized buffer (async-signal-safe). This code won't
-// work on Visual studio, as it requires dynamically allocating arrays on the
-// stack. Consider picking a smaller value for |kMaxSize| if stack size is
-// limited and known. On the other hand, if the parameters to SafeSNPrintf()
-// are trusted and not controllable by the user, you can consider eliminating
-// the check for |kMaxSize| altogether. The current value of SSIZE_MAX is
-// essentially a no-op that just illustrates how to implement an upper bound:
-// const size_t kInitialSize = 128;
-// const size_t kMaxSize = std::numeric_limits<ssize_t>::max();
-// size_t size = kInitialSize;
-// for (;;) {
-// char buf[size];
-// size = SafeSNPrintf(buf, size, "Error message \"%s\"\n", err) + 1;
-// if (sizeof(buf) < kMaxSize && size > kMaxSize) {
-// size = kMaxSize;
-// continue;
-// } else if (size > sizeof(buf))
-// continue;
-// write(2, buf, size-1);
-// break;
-// }
-
-namespace internal {
-// Helpers that use C++ overloading, templates, and specializations to deduce
-// and record type information from function arguments. This allows us to
-// later write a type-safe version of snprintf().
-
-struct Arg {
- enum Type { INT, UINT, STRING, POINTER };
-
- // Any integer-like value.
- Arg(signed char c) : type(INT) {
- integer.i = c;
- integer.width = sizeof(char);
- }
- Arg(unsigned char c) : type(UINT) {
- integer.i = c;
- integer.width = sizeof(char);
- }
- Arg(signed short j) : type(INT) {
- integer.i = j;
- integer.width = sizeof(short);
- }
- Arg(unsigned short j) : type(UINT) {
- integer.i = j;
- integer.width = sizeof(short);
- }
- Arg(signed int j) : type(INT) {
- integer.i = j;
- integer.width = sizeof(int);
- }
- Arg(unsigned int j) : type(UINT) {
- integer.i = j;
- integer.width = sizeof(int);
- }
- Arg(signed long j) : type(INT) {
- integer.i = j;
- integer.width = sizeof(long);
- }
- Arg(unsigned long j) : type(UINT) {
- integer.i = j;
- integer.width = sizeof(long);
- }
- Arg(signed long long j) : type(INT) {
- integer.i = j;
- integer.width = sizeof(long long);
- }
- Arg(unsigned long long j) : type(UINT) {
- integer.i = j;
- integer.width = sizeof(long long);
- }
-
- // A C-style text string.
- Arg(const char* s) : str(s), type(STRING) { }
- Arg(char* s) : str(s), type(STRING) { }
-
- // Any pointer value that can be cast to a "void*".
- template<class T> Arg(T* p) : ptr((void*)p), type(POINTER) { }
-
- union {
- // An integer-like value.
- struct {
- int64_t i;
- unsigned char width;
- } integer;
-
- // A C-style text string.
- const char* str;
-
- // A pointer to an arbitrary object.
- const void* ptr;
- };
- const enum Type type;
-};
-
-// This is the internal function that performs the actual formatting of
-// an snprintf()-style format string.
-BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t sz, const char* fmt,
- const Arg* args, size_t max_args);
-
-#if !defined(NDEBUG)
-// In debug builds, allow unit tests to artificially lower the kSSizeMax
-// constant that is used as a hard upper-bound for all buffers. In normal
-// use, this constant should always be std::numeric_limits<ssize_t>::max().
-BASE_EXPORT void SetSafeSPrintfSSizeMaxForTest(size_t max);
-BASE_EXPORT size_t GetSafeSPrintfSSizeMaxForTest();
-#endif
-
-} // namespace internal
-
-template<typename... Args>
-ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt, Args... args) {
- // Use Arg() object to record type information and then copy arguments to an
- // array to make it easier to iterate over them.
- const internal::Arg arg_array[] = { args... };
- return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args));
-}
-
-template<size_t N, typename... Args>
-ssize_t SafeSPrintf(char (&buf)[N], const char* fmt, Args... args) {
- // Use Arg() object to record type information and then copy arguments to an
- // array to make it easier to iterate over them.
- const internal::Arg arg_array[] = { args... };
- return internal::SafeSNPrintf(buf, N, fmt, arg_array, sizeof...(args));
-}
-
-// Fast-path when we don't actually need to substitute any arguments.
-BASE_EXPORT ssize_t SafeSNPrintf(char* buf, size_t N, const char* fmt);
-template<size_t N>
-inline ssize_t SafeSPrintf(char (&buf)[N], const char* fmt) {
- return SafeSNPrintf(buf, N, fmt);
-}
-
-} // namespace strings
-} // namespace base
-
-#endif // BASE_STRINGS_SAFE_SPRINTF_H_
diff --git a/security/sandbox/chromium/base/strings/safe_sprintf_unittest.cc b/security/sandbox/chromium/base/strings/safe_sprintf_unittest.cc
deleted file mode 100644
index 931ace8b1..000000000
--- a/security/sandbox/chromium/base/strings/safe_sprintf_unittest.cc
+++ /dev/null
@@ -1,763 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/safe_sprintf.h"
-
-#include <stddef.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <string.h>
-
-#include <limits>
-
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "build/build_config.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-// Death tests on Android are currently very flaky. No need to add more flaky
-// tests, as they just make it hard to spot real problems.
-// TODO(markus): See if the restrictions on Android can eventually be lifted.
-#if defined(GTEST_HAS_DEATH_TEST) && !defined(OS_ANDROID)
-#define ALLOW_DEATH_TEST
-#endif
-
-namespace base {
-namespace strings {
-
-TEST(SafeSPrintfTest, Empty) {
- char buf[2] = { 'X', 'X' };
-
- // Negative buffer size should always result in an error.
- EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), ""));
- EXPECT_EQ('X', buf[0]);
- EXPECT_EQ('X', buf[1]);
-
- // Zero buffer size should always result in an error.
- EXPECT_EQ(-1, SafeSNPrintf(buf, 0, ""));
- EXPECT_EQ('X', buf[0]);
- EXPECT_EQ('X', buf[1]);
-
- // A one-byte buffer should always print a single NUL byte.
- EXPECT_EQ(0, SafeSNPrintf(buf, 1, ""));
- EXPECT_EQ(0, buf[0]);
- EXPECT_EQ('X', buf[1]);
- buf[0] = 'X';
-
- // A larger buffer should leave the trailing bytes unchanged.
- EXPECT_EQ(0, SafeSNPrintf(buf, 2, ""));
- EXPECT_EQ(0, buf[0]);
- EXPECT_EQ('X', buf[1]);
- buf[0] = 'X';
-
- // The same test using SafeSPrintf() instead of SafeSNPrintf().
- EXPECT_EQ(0, SafeSPrintf(buf, ""));
- EXPECT_EQ(0, buf[0]);
- EXPECT_EQ('X', buf[1]);
- buf[0] = 'X';
-}
-
-TEST(SafeSPrintfTest, NoArguments) {
- // Output a text message that doesn't require any substitutions. This
- // is roughly equivalent to calling strncpy() (but unlike strncpy(), it does
- // always add a trailing NUL; it always deduplicates '%' characters).
- static const char text[] = "hello world";
- char ref[20], buf[20];
- memset(ref, 'X', sizeof(ref));
- memcpy(buf, ref, sizeof(buf));
-
- // A negative buffer size should always result in an error.
- EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), text));
- EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
-
- // Zero buffer size should always result in an error.
- EXPECT_EQ(-1, SafeSNPrintf(buf, 0, text));
- EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
-
- // A one-byte buffer should always print a single NUL byte.
- EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 1, text));
- EXPECT_EQ(0, buf[0]);
- EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1));
- memcpy(buf, ref, sizeof(buf));
-
- // A larger (but limited) buffer should always leave the trailing bytes
- // unchanged.
- EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSNPrintf(buf, 2, text));
- EXPECT_EQ(text[0], buf[0]);
- EXPECT_EQ(0, buf[1]);
- EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2));
- memcpy(buf, ref, sizeof(buf));
-
- // A unrestricted buffer length should always leave the trailing bytes
- // unchanged.
- EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
- SafeSNPrintf(buf, sizeof(buf), text));
- EXPECT_EQ(std::string(text), std::string(buf));
- EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
- sizeof(buf) - sizeof(text)));
- memcpy(buf, ref, sizeof(buf));
-
- // The same test using SafeSPrintf() instead of SafeSNPrintf().
- EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, text));
- EXPECT_EQ(std::string(text), std::string(buf));
- EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
- sizeof(buf) - sizeof(text)));
- memcpy(buf, ref, sizeof(buf));
-
- // Check for deduplication of '%' percent characters.
- EXPECT_EQ(1, SafeSPrintf(buf, "%%"));
- EXPECT_EQ(2, SafeSPrintf(buf, "%%%%"));
- EXPECT_EQ(2, SafeSPrintf(buf, "%%X"));
- EXPECT_EQ(3, SafeSPrintf(buf, "%%%%X"));
-#if defined(NDEBUG)
- EXPECT_EQ(1, SafeSPrintf(buf, "%"));
- EXPECT_EQ(2, SafeSPrintf(buf, "%%%"));
- EXPECT_EQ(2, SafeSPrintf(buf, "%X"));
- EXPECT_EQ(3, SafeSPrintf(buf, "%%%X"));
-#elif defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, "%"), "src.1. == '%'");
- EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'");
- EXPECT_DEATH(SafeSPrintf(buf, "%X"), "src.1. == '%'");
- EXPECT_DEATH(SafeSPrintf(buf, "%%%X"), "src.1. == '%'");
-#endif
-}
-
-TEST(SafeSPrintfTest, OneArgument) {
- // Test basic single-argument single-character substitution.
- const char text[] = "hello world";
- const char fmt[] = "hello%cworld";
- char ref[20], buf[20];
- memset(ref, 'X', sizeof(buf));
- memcpy(buf, ref, sizeof(buf));
-
- // A negative buffer size should always result in an error.
- EXPECT_EQ(-1, SafeSNPrintf(buf, static_cast<size_t>(-1), fmt, ' '));
- EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
-
- // Zero buffer size should always result in an error.
- EXPECT_EQ(-1, SafeSNPrintf(buf, 0, fmt, ' '));
- EXPECT_TRUE(!memcmp(buf, ref, sizeof(buf)));
-
- // A one-byte buffer should always print a single NUL byte.
- EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
- SafeSNPrintf(buf, 1, fmt, ' '));
- EXPECT_EQ(0, buf[0]);
- EXPECT_TRUE(!memcmp(buf+1, ref+1, sizeof(buf)-1));
- memcpy(buf, ref, sizeof(buf));
-
- // A larger (but limited) buffer should always leave the trailing bytes
- // unchanged.
- EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
- SafeSNPrintf(buf, 2, fmt, ' '));
- EXPECT_EQ(text[0], buf[0]);
- EXPECT_EQ(0, buf[1]);
- EXPECT_TRUE(!memcmp(buf+2, ref+2, sizeof(buf)-2));
- memcpy(buf, ref, sizeof(buf));
-
- // A unrestricted buffer length should always leave the trailing bytes
- // unchanged.
- EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1,
- SafeSNPrintf(buf, sizeof(buf), fmt, ' '));
- EXPECT_EQ(std::string(text), std::string(buf));
- EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
- sizeof(buf) - sizeof(text)));
- memcpy(buf, ref, sizeof(buf));
-
- // The same test using SafeSPrintf() instead of SafeSNPrintf().
- EXPECT_EQ(static_cast<ssize_t>(sizeof(text))-1, SafeSPrintf(buf, fmt, ' '));
- EXPECT_EQ(std::string(text), std::string(buf));
- EXPECT_TRUE(!memcmp(buf + sizeof(text), ref + sizeof(text),
- sizeof(buf) - sizeof(text)));
- memcpy(buf, ref, sizeof(buf));
-
- // Check for deduplication of '%' percent characters.
- EXPECT_EQ(1, SafeSPrintf(buf, "%%", 0));
- EXPECT_EQ(2, SafeSPrintf(buf, "%%%%", 0));
- EXPECT_EQ(2, SafeSPrintf(buf, "%Y", 0));
- EXPECT_EQ(2, SafeSPrintf(buf, "%%Y", 0));
- EXPECT_EQ(3, SafeSPrintf(buf, "%%%Y", 0));
- EXPECT_EQ(3, SafeSPrintf(buf, "%%%%Y", 0));
-#if defined(NDEBUG)
- EXPECT_EQ(1, SafeSPrintf(buf, "%", 0));
- EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0));
-#elif defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, "%", 0), "ch");
- EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch");
-#endif
-}
-
-TEST(SafeSPrintfTest, MissingArg) {
-#if defined(NDEBUG)
- char buf[20];
- EXPECT_EQ(3, SafeSPrintf(buf, "%c%c", 'A'));
- EXPECT_EQ("A%c", std::string(buf));
-#elif defined(ALLOW_DEATH_TEST)
- char buf[20];
- EXPECT_DEATH(SafeSPrintf(buf, "%c%c", 'A'), "cur_arg < max_args");
-#endif
-}
-
-TEST(SafeSPrintfTest, ASANFriendlyBufferTest) {
- // Print into a buffer that is sized exactly to size. ASAN can verify that
- // nobody attempts to write past the end of the buffer.
- // There is a more complicated test in PrintLongString() that covers a lot
- // more edge case, but it is also harder to debug in case of a failure.
- const char kTestString[] = "This is a test";
- scoped_ptr<char[]> buf(new char[sizeof(kTestString)]);
- EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1),
- SafeSNPrintf(buf.get(), sizeof(kTestString), kTestString));
- EXPECT_EQ(std::string(kTestString), std::string(buf.get()));
- EXPECT_EQ(static_cast<ssize_t>(sizeof(kTestString) - 1),
- SafeSNPrintf(buf.get(), sizeof(kTestString), "%s", kTestString));
- EXPECT_EQ(std::string(kTestString), std::string(buf.get()));
-}
-
-TEST(SafeSPrintfTest, NArgs) {
- // Pre-C++11 compilers have a different code path, that can only print
- // up to ten distinct arguments.
- // We test both SafeSPrintf() and SafeSNPrintf(). This makes sure we don't
- // have typos in the copy-n-pasted code that is needed to deal with various
- // numbers of arguments.
- char buf[12];
- EXPECT_EQ(1, SafeSPrintf(buf, "%c", 1));
- EXPECT_EQ("\1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%c%c", 1, 2));
- EXPECT_EQ("\1\2", std::string(buf));
- EXPECT_EQ(3, SafeSPrintf(buf, "%c%c%c", 1, 2, 3));
- EXPECT_EQ("\1\2\3", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%c%c%c%c", 1, 2, 3, 4));
- EXPECT_EQ("\1\2\3\4", std::string(buf));
- EXPECT_EQ(5, SafeSPrintf(buf, "%c%c%c%c%c", 1, 2, 3, 4, 5));
- EXPECT_EQ("\1\2\3\4\5", std::string(buf));
- EXPECT_EQ(6, SafeSPrintf(buf, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6));
- EXPECT_EQ("\1\2\3\4\5\6", std::string(buf));
- EXPECT_EQ(7, SafeSPrintf(buf, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7));
- EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf));
- EXPECT_EQ(8, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7, 8));
- EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf));
- EXPECT_EQ(9, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c",
- 1, 2, 3, 4, 5, 6, 7, 8, 9));
- EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf));
- EXPECT_EQ(10, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c",
- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10));
-
- // Repeat all the tests with SafeSNPrintf() instead of SafeSPrintf().
- EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf));
- EXPECT_EQ(1, SafeSNPrintf(buf, 11, "%c", 1));
- EXPECT_EQ("\1", std::string(buf));
- EXPECT_EQ(2, SafeSNPrintf(buf, 11, "%c%c", 1, 2));
- EXPECT_EQ("\1\2", std::string(buf));
- EXPECT_EQ(3, SafeSNPrintf(buf, 11, "%c%c%c", 1, 2, 3));
- EXPECT_EQ("\1\2\3", std::string(buf));
- EXPECT_EQ(4, SafeSNPrintf(buf, 11, "%c%c%c%c", 1, 2, 3, 4));
- EXPECT_EQ("\1\2\3\4", std::string(buf));
- EXPECT_EQ(5, SafeSNPrintf(buf, 11, "%c%c%c%c%c", 1, 2, 3, 4, 5));
- EXPECT_EQ("\1\2\3\4\5", std::string(buf));
- EXPECT_EQ(6, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6));
- EXPECT_EQ("\1\2\3\4\5\6", std::string(buf));
- EXPECT_EQ(7, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c", 1, 2, 3, 4, 5, 6, 7));
- EXPECT_EQ("\1\2\3\4\5\6\7", std::string(buf));
- EXPECT_EQ(8, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c",
- 1, 2, 3, 4, 5, 6, 7, 8));
- EXPECT_EQ("\1\2\3\4\5\6\7\10", std::string(buf));
- EXPECT_EQ(9, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c",
- 1, 2, 3, 4, 5, 6, 7, 8, 9));
- EXPECT_EQ("\1\2\3\4\5\6\7\10\11", std::string(buf));
- EXPECT_EQ(10, SafeSNPrintf(buf, 11, "%c%c%c%c%c%c%c%c%c%c",
- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10));
- EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12", std::string(buf));
-
- EXPECT_EQ(11, SafeSPrintf(buf, "%c%c%c%c%c%c%c%c%c%c%c",
- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11));
- EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12\13", std::string(buf));
- EXPECT_EQ(11, SafeSNPrintf(buf, 12, "%c%c%c%c%c%c%c%c%c%c%c",
- 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11));
- EXPECT_EQ("\1\2\3\4\5\6\7\10\11\12\13", std::string(buf));
-}
-
-TEST(SafeSPrintfTest, DataTypes) {
- char buf[40];
-
- // Bytes
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint8_t)1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(3, SafeSPrintf(buf, "%d", (uint8_t)-1));
- EXPECT_EQ("255", std::string(buf));
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int8_t)1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int8_t)-1));
- EXPECT_EQ("-1", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%d", (int8_t)-128));
- EXPECT_EQ("-128", std::string(buf));
-
- // Half-words
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint16_t)1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(5, SafeSPrintf(buf, "%d", (uint16_t)-1));
- EXPECT_EQ("65535", std::string(buf));
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int16_t)1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int16_t)-1));
- EXPECT_EQ("-1", std::string(buf));
- EXPECT_EQ(6, SafeSPrintf(buf, "%d", (int16_t)-32768));
- EXPECT_EQ("-32768", std::string(buf));
-
- // Words
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint32_t)1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(10, SafeSPrintf(buf, "%d", (uint32_t)-1));
- EXPECT_EQ("4294967295", std::string(buf));
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int32_t)1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int32_t)-1));
- EXPECT_EQ("-1", std::string(buf));
- // Work-around for an limitation of C90
- EXPECT_EQ(11, SafeSPrintf(buf, "%d", (int32_t)-2147483647-1));
- EXPECT_EQ("-2147483648", std::string(buf));
-
- // Quads
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", (uint64_t)1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(20, SafeSPrintf(buf, "%d", (uint64_t)-1));
- EXPECT_EQ("18446744073709551615", std::string(buf));
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", (int64_t)1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%d", (int64_t)-1));
- EXPECT_EQ("-1", std::string(buf));
- // Work-around for an limitation of C90
- EXPECT_EQ(20, SafeSPrintf(buf, "%d", (int64_t)-9223372036854775807LL-1));
- EXPECT_EQ("-9223372036854775808", std::string(buf));
-
- // Strings (both const and mutable).
- EXPECT_EQ(4, SafeSPrintf(buf, "test"));
- EXPECT_EQ("test", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, buf));
- EXPECT_EQ("test", std::string(buf));
-
- // Pointer
- char addr[20];
- sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf);
- SafeSPrintf(buf, "%p", buf);
- EXPECT_EQ(std::string(addr), std::string(buf));
- SafeSPrintf(buf, "%p", (const char *)buf);
- EXPECT_EQ(std::string(addr), std::string(buf));
- sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)sprintf);
- SafeSPrintf(buf, "%p", sprintf);
- EXPECT_EQ(std::string(addr), std::string(buf));
-
- // Padding for pointers is a little more complicated because of the "0x"
- // prefix. Padding with '0' zeros is relatively straight-forward, but
- // padding with ' ' spaces requires more effort.
- sprintf(addr, "0x%017llX", (unsigned long long)(uintptr_t)buf);
- SafeSPrintf(buf, "%019p", buf);
- EXPECT_EQ(std::string(addr), std::string(buf));
- sprintf(addr, "0x%llX", (unsigned long long)(uintptr_t)buf);
- memset(addr, ' ',
- (char*)memmove(addr + sizeof(addr) - strlen(addr) - 1,
- addr, strlen(addr)+1) - addr);
- SafeSPrintf(buf, "%19p", buf);
- EXPECT_EQ(std::string(addr), std::string(buf));
-}
-
-namespace {
-void PrintLongString(char* buf, size_t sz) {
- // Output a reasonably complex expression into a limited-size buffer.
- // At least one byte is available for writing the NUL character.
- CHECK_GT(sz, static_cast<size_t>(0));
-
- // Allocate slightly more space, so that we can verify that SafeSPrintf()
- // never writes past the end of the buffer.
- scoped_ptr<char[]> tmp(new char[sz+2]);
- memset(tmp.get(), 'X', sz+2);
-
- // Use SafeSPrintf() to output a complex list of arguments:
- // - test padding and truncating %c single characters.
- // - test truncating %s simple strings.
- // - test mismatching arguments and truncating (for %d != %s).
- // - test zero-padding and truncating %x hexadecimal numbers.
- // - test outputting and truncating %d MININT.
- // - test outputting and truncating %p arbitrary pointer values.
- // - test outputting, padding and truncating NULL-pointer %s strings.
- char* out = tmp.get();
- size_t out_sz = sz;
- size_t len;
- for (scoped_ptr<char[]> perfect_buf;;) {
- size_t needed = SafeSNPrintf(out, out_sz,
-#if defined(NDEBUG)
- "A%2cong %s: %d %010X %d %p%7s", 'l', "string", "",
-#else
- "A%2cong %s: %%d %010X %d %p%7s", 'l', "string",
-#endif
- 0xDEADBEEF, std::numeric_limits<intptr_t>::min(),
- PrintLongString, static_cast<char*>(NULL)) + 1;
-
- // Various sanity checks:
- // The numbered of characters needed to print the full string should always
- // be bigger or equal to the bytes that have actually been output.
- len = strlen(tmp.get());
- CHECK_GE(needed, len+1);
-
- // The number of characters output should always fit into the buffer that
- // was passed into SafeSPrintf().
- CHECK_LT(len, out_sz);
-
- // The output is always terminated with a NUL byte (actually, this test is
- // always going to pass, as strlen() already verified this)
- EXPECT_FALSE(tmp[len]);
-
- // ASAN can check that we are not overwriting buffers, iff we make sure the
- // buffer is exactly the size that we are expecting to be written. After
- // running SafeSNPrintf() the first time, it is possible to compute the
- // correct buffer size for this test. So, allocate a second buffer and run
- // the exact same SafeSNPrintf() command again.
- if (!perfect_buf.get()) {
- out_sz = std::min(needed, sz);
- out = new char[out_sz];
- perfect_buf.reset(out);
- } else {
- break;
- }
- }
-
- // All trailing bytes are unchanged.
- for (size_t i = len+1; i < sz+2; ++i)
- EXPECT_EQ('X', tmp[i]);
-
- // The text that was generated by SafeSPrintf() should always match the
- // equivalent text generated by sprintf(). Please note that the format
- // string for sprintf() is not complicated, as it does not have the
- // benefit of getting type information from the C++ compiler.
- //
- // N.B.: It would be so much cleaner to use snprintf(). But unfortunately,
- // Visual Studio doesn't support this function, and the work-arounds
- // are all really awkward.
- char ref[256];
- CHECK_LE(sz, sizeof(ref));
- sprintf(ref, "A long string: %%d 00DEADBEEF %lld 0x%llX <NULL>",
- static_cast<long long>(std::numeric_limits<intptr_t>::min()),
- static_cast<unsigned long long>(
- reinterpret_cast<uintptr_t>(PrintLongString)));
- ref[sz-1] = '\000';
-
-#if defined(NDEBUG)
- const size_t kSSizeMax = std::numeric_limits<ssize_t>::max();
-#else
- const size_t kSSizeMax = internal::GetSafeSPrintfSSizeMaxForTest();
-#endif
-
- // Compare the output from SafeSPrintf() to the one from sprintf().
- EXPECT_EQ(std::string(ref).substr(0, kSSizeMax-1), std::string(tmp.get()));
-
- // We allocated a slightly larger buffer, so that we could perform some
- // extra sanity checks. Now that the tests have all passed, we copy the
- // data to the output buffer that the caller provided.
- memcpy(buf, tmp.get(), len+1);
-}
-
-#if !defined(NDEBUG)
-class ScopedSafeSPrintfSSizeMaxSetter {
- public:
- ScopedSafeSPrintfSSizeMaxSetter(size_t sz) {
- old_ssize_max_ = internal::GetSafeSPrintfSSizeMaxForTest();
- internal::SetSafeSPrintfSSizeMaxForTest(sz);
- }
-
- ~ScopedSafeSPrintfSSizeMaxSetter() {
- internal::SetSafeSPrintfSSizeMaxForTest(old_ssize_max_);
- }
-
- private:
- size_t old_ssize_max_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedSafeSPrintfSSizeMaxSetter);
-};
-#endif
-
-} // anonymous namespace
-
-TEST(SafeSPrintfTest, Truncation) {
- // We use PrintLongString() to print a complex long string and then
- // truncate to all possible lengths. This ends up exercising a lot of
- // different code paths in SafeSPrintf() and IToASCII(), as truncation can
- // happen in a lot of different states.
- char ref[256];
- PrintLongString(ref, sizeof(ref));
- for (size_t i = strlen(ref)+1; i; --i) {
- char buf[sizeof(ref)];
- PrintLongString(buf, i);
- EXPECT_EQ(std::string(ref, i - 1), std::string(buf));
- }
-
- // When compiling in debug mode, we have the ability to fake a small
- // upper limit for the maximum value that can be stored in an ssize_t.
- // SafeSPrintf() uses this upper limit to determine how many bytes it will
- // write to the buffer, even if the caller claimed a bigger buffer size.
- // Repeat the truncation test and verify that this other code path in
- // SafeSPrintf() works correctly, too.
-#if !defined(NDEBUG)
- for (size_t i = strlen(ref)+1; i > 1; --i) {
- ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(i);
- char buf[sizeof(ref)];
- PrintLongString(buf, sizeof(buf));
- EXPECT_EQ(std::string(ref, i - 1), std::string(buf));
- }
-
- // kSSizeMax is also used to constrain the maximum amount of padding, before
- // SafeSPrintf() detects an error in the format string.
- ScopedSafeSPrintfSSizeMaxSetter ssize_max_setter(100);
- char buf[256];
- EXPECT_EQ(99, SafeSPrintf(buf, "%99c", ' '));
- EXPECT_EQ(std::string(99, ' '), std::string(buf));
- *buf = '\000';
-#if defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, "%100c", ' '), "padding <= max_padding");
-#endif
- EXPECT_EQ(0, *buf);
-#endif
-}
-
-TEST(SafeSPrintfTest, Padding) {
- char buf[40], fmt[40];
-
- // Chars %c
- EXPECT_EQ(1, SafeSPrintf(buf, "%c", 'A'));
- EXPECT_EQ("A", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%2c", 'A'));
- EXPECT_EQ(" A", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%02c", 'A'));
- EXPECT_EQ(" A", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%-2c", 'A'));
- EXPECT_EQ("%-2c", std::string(buf));
- SafeSPrintf(fmt, "%%%dc", std::numeric_limits<ssize_t>::max() - 1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1, SafeSPrintf(buf, fmt, 'A'));
- SafeSPrintf(fmt, "%%%dc",
- static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
-#if defined(NDEBUG)
- EXPECT_EQ(2, SafeSPrintf(buf, fmt, 'A'));
- EXPECT_EQ("%c", std::string(buf));
-#elif defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, fmt, 'A'), "padding <= max_padding");
-#endif
-
- // Octal %o
- EXPECT_EQ(1, SafeSPrintf(buf, "%o", 1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%2o", 1));
- EXPECT_EQ(" 1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%02o", 1));
- EXPECT_EQ("01", std::string(buf));
- EXPECT_EQ(12, SafeSPrintf(buf, "%12o", -1));
- EXPECT_EQ(" 37777777777", std::string(buf));
- EXPECT_EQ(12, SafeSPrintf(buf, "%012o", -1));
- EXPECT_EQ("037777777777", std::string(buf));
- EXPECT_EQ(23, SafeSPrintf(buf, "%23o", -1LL));
- EXPECT_EQ(" 1777777777777777777777", std::string(buf));
- EXPECT_EQ(23, SafeSPrintf(buf, "%023o", -1LL));
- EXPECT_EQ("01777777777777777777777", std::string(buf));
- EXPECT_EQ(3, SafeSPrintf(buf, "%2o", 0111));
- EXPECT_EQ("111", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%-2o", 1));
- EXPECT_EQ("%-2o", std::string(buf));
- SafeSPrintf(fmt, "%%%do", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, 1));
- EXPECT_EQ(" ", std::string(buf));
- SafeSPrintf(fmt, "%%0%do", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, 1));
- EXPECT_EQ("000", std::string(buf));
- SafeSPrintf(fmt, "%%%do",
- static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
-#if defined(NDEBUG)
- EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
- EXPECT_EQ("%o", std::string(buf));
-#elif defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
-#endif
-
- // Decimals %d
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", 1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%2d", 1));
- EXPECT_EQ(" 1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%02d", 1));
- EXPECT_EQ("01", std::string(buf));
- EXPECT_EQ(3, SafeSPrintf(buf, "%3d", -1));
- EXPECT_EQ(" -1", std::string(buf));
- EXPECT_EQ(3, SafeSPrintf(buf, "%03d", -1));
- EXPECT_EQ("-01", std::string(buf));
- EXPECT_EQ(3, SafeSPrintf(buf, "%2d", 111));
- EXPECT_EQ("111", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%2d", -111));
- EXPECT_EQ("-111", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%-2d", 1));
- EXPECT_EQ("%-2d", std::string(buf));
- SafeSPrintf(fmt, "%%%dd", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, 1));
- EXPECT_EQ(" ", std::string(buf));
- SafeSPrintf(fmt, "%%0%dd", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, 1));
- EXPECT_EQ("000", std::string(buf));
- SafeSPrintf(fmt, "%%%dd",
- static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
-#if defined(NDEBUG)
- EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
- EXPECT_EQ("%d", std::string(buf));
-#elif defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
-#endif
-
- // Hex %X
- EXPECT_EQ(1, SafeSPrintf(buf, "%X", 1));
- EXPECT_EQ("1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%2X", 1));
- EXPECT_EQ(" 1", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%02X", 1));
- EXPECT_EQ("01", std::string(buf));
- EXPECT_EQ(9, SafeSPrintf(buf, "%9X", -1));
- EXPECT_EQ(" FFFFFFFF", std::string(buf));
- EXPECT_EQ(9, SafeSPrintf(buf, "%09X", -1));
- EXPECT_EQ("0FFFFFFFF", std::string(buf));
- EXPECT_EQ(17, SafeSPrintf(buf, "%17X", -1LL));
- EXPECT_EQ(" FFFFFFFFFFFFFFFF", std::string(buf));
- EXPECT_EQ(17, SafeSPrintf(buf, "%017X", -1LL));
- EXPECT_EQ("0FFFFFFFFFFFFFFFF", std::string(buf));
- EXPECT_EQ(3, SafeSPrintf(buf, "%2X", 0x111));
- EXPECT_EQ("111", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%-2X", 1));
- EXPECT_EQ("%-2X", std::string(buf));
- SafeSPrintf(fmt, "%%%dX", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, 1));
- EXPECT_EQ(" ", std::string(buf));
- SafeSPrintf(fmt, "%%0%dX", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, 1));
- EXPECT_EQ("000", std::string(buf));
- SafeSPrintf(fmt, "%%%dX",
- static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
-#if defined(NDEBUG)
- EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
- EXPECT_EQ("%X", std::string(buf));
-#elif defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
-#endif
-
- // Pointer %p
- EXPECT_EQ(3, SafeSPrintf(buf, "%p", (void*)1));
- EXPECT_EQ("0x1", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%4p", (void*)1));
- EXPECT_EQ(" 0x1", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%04p", (void*)1));
- EXPECT_EQ("0x01", std::string(buf));
- EXPECT_EQ(5, SafeSPrintf(buf, "%4p", (void*)0x111));
- EXPECT_EQ("0x111", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%-2p", (void*)1));
- EXPECT_EQ("%-2p", std::string(buf));
- SafeSPrintf(fmt, "%%%dp", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, (void*)1));
- EXPECT_EQ(" ", std::string(buf));
- SafeSPrintf(fmt, "%%0%dp", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, (void*)1));
- EXPECT_EQ("0x0", std::string(buf));
- SafeSPrintf(fmt, "%%%dp",
- static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
-#if defined(NDEBUG)
- EXPECT_EQ(2, SafeSPrintf(buf, fmt, 1));
- EXPECT_EQ("%p", std::string(buf));
-#elif defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, fmt, 1), "padding <= max_padding");
-#endif
-
- // String
- EXPECT_EQ(1, SafeSPrintf(buf, "%s", "A"));
- EXPECT_EQ("A", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%2s", "A"));
- EXPECT_EQ(" A", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%02s", "A"));
- EXPECT_EQ(" A", std::string(buf));
- EXPECT_EQ(3, SafeSPrintf(buf, "%2s", "AAA"));
- EXPECT_EQ("AAA", std::string(buf));
- EXPECT_EQ(4, SafeSPrintf(buf, "%-2s", "A"));
- EXPECT_EQ("%-2s", std::string(buf));
- SafeSPrintf(fmt, "%%%ds", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, "A"));
- EXPECT_EQ(" ", std::string(buf));
- SafeSPrintf(fmt, "%%0%ds", std::numeric_limits<ssize_t>::max()-1);
- EXPECT_EQ(std::numeric_limits<ssize_t>::max()-1,
- SafeSNPrintf(buf, 4, fmt, "A"));
- EXPECT_EQ(" ", std::string(buf));
- SafeSPrintf(fmt, "%%%ds",
- static_cast<size_t>(std::numeric_limits<ssize_t>::max()));
-#if defined(NDEBUG)
- EXPECT_EQ(2, SafeSPrintf(buf, fmt, "A"));
- EXPECT_EQ("%s", std::string(buf));
-#elif defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, fmt, "A"), "padding <= max_padding");
-#endif
-}
-
-TEST(SafeSPrintfTest, EmbeddedNul) {
- char buf[] = { 'X', 'X', 'X', 'X' };
- EXPECT_EQ(2, SafeSPrintf(buf, "%3c", 0));
- EXPECT_EQ(' ', buf[0]);
- EXPECT_EQ(' ', buf[1]);
- EXPECT_EQ(0, buf[2]);
- EXPECT_EQ('X', buf[3]);
-
- // Check handling of a NUL format character. N.B. this takes two different
- // code paths depending on whether we are actually passing arguments. If
- // we don't have any arguments, we are running in the fast-path code, that
- // looks (almost) like a strncpy().
-#if defined(NDEBUG)
- EXPECT_EQ(2, SafeSPrintf(buf, "%%%"));
- EXPECT_EQ("%%", std::string(buf));
- EXPECT_EQ(2, SafeSPrintf(buf, "%%%", 0));
- EXPECT_EQ("%%", std::string(buf));
-#elif defined(ALLOW_DEATH_TEST)
- EXPECT_DEATH(SafeSPrintf(buf, "%%%"), "src.1. == '%'");
- EXPECT_DEATH(SafeSPrintf(buf, "%%%", 0), "ch");
-#endif
-}
-
-TEST(SafeSPrintfTest, EmitNULL) {
- char buf[40];
-#if defined(__GNUC__)
-#pragma GCC diagnostic push
-#pragma GCC diagnostic ignored "-Wconversion-null"
-#endif
- EXPECT_EQ(1, SafeSPrintf(buf, "%d", NULL));
- EXPECT_EQ("0", std::string(buf));
- EXPECT_EQ(3, SafeSPrintf(buf, "%p", NULL));
- EXPECT_EQ("0x0", std::string(buf));
- EXPECT_EQ(6, SafeSPrintf(buf, "%s", NULL));
- EXPECT_EQ("<NULL>", std::string(buf));
-#if defined(__GCC__)
-#pragma GCC diagnostic pop
-#endif
-}
-
-TEST(SafeSPrintfTest, PointerSize) {
- // The internal data representation is a 64bit value, independent of the
- // native word size. We want to perform sign-extension for signed integers,
- // but we want to avoid doing so for pointer types. This could be a
- // problem on systems, where pointers are only 32bit. This tests verifies
- // that there is no such problem.
- char *str = reinterpret_cast<char *>(0x80000000u);
- void *ptr = str;
- char buf[40];
- EXPECT_EQ(10, SafeSPrintf(buf, "%p", str));
- EXPECT_EQ("0x80000000", std::string(buf));
- EXPECT_EQ(10, SafeSPrintf(buf, "%p", ptr));
- EXPECT_EQ("0x80000000", std::string(buf));
-}
-
-} // namespace strings
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/string16.cc b/security/sandbox/chromium/base/strings/string16.cc
deleted file mode 100644
index f4c8cf746..000000000
--- a/security/sandbox/chromium/base/strings/string16.cc
+++ /dev/null
@@ -1,82 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/string16.h"
-
-#if defined(WCHAR_T_IS_UTF16)
-
-#error This file should not be used on 2-byte wchar_t systems
-// If this winds up being needed on 2-byte wchar_t systems, either the
-// definitions below can be used, or the host system's wide character
-// functions like wmemcmp can be wrapped.
-
-#elif defined(WCHAR_T_IS_UTF32)
-
-#include <ostream>
-
-#include "base/strings/utf_string_conversions.h"
-
-namespace base {
-
-int c16memcmp(const char16* s1, const char16* s2, size_t n) {
- // We cannot call memcmp because that changes the semantics.
- while (n-- > 0) {
- if (*s1 != *s2) {
- // We cannot use (*s1 - *s2) because char16 is unsigned.
- return ((*s1 < *s2) ? -1 : 1);
- }
- ++s1;
- ++s2;
- }
- return 0;
-}
-
-size_t c16len(const char16* s) {
- const char16 *s_orig = s;
- while (*s) {
- ++s;
- }
- return s - s_orig;
-}
-
-const char16* c16memchr(const char16* s, char16 c, size_t n) {
- while (n-- > 0) {
- if (*s == c) {
- return s;
- }
- ++s;
- }
- return 0;
-}
-
-char16* c16memmove(char16* s1, const char16* s2, size_t n) {
- return static_cast<char16*>(memmove(s1, s2, n * sizeof(char16)));
-}
-
-char16* c16memcpy(char16* s1, const char16* s2, size_t n) {
- return static_cast<char16*>(memcpy(s1, s2, n * sizeof(char16)));
-}
-
-char16* c16memset(char16* s, char16 c, size_t n) {
- char16 *s_orig = s;
- while (n-- > 0) {
- *s = c;
- ++s;
- }
- return s_orig;
-}
-
-std::ostream& operator<<(std::ostream& out, const string16& str) {
- return out << UTF16ToUTF8(str);
-}
-
-void PrintTo(const string16& str, std::ostream* out) {
- *out << str;
-}
-
-} // namespace base
-
-template class std::basic_string<base::char16, base::string16_char_traits>;
-
-#endif // WCHAR_T_IS_UTF32
diff --git a/security/sandbox/chromium/base/strings/string16.h b/security/sandbox/chromium/base/strings/string16.h
deleted file mode 100644
index e47669c1b..000000000
--- a/security/sandbox/chromium/base/strings/string16.h
+++ /dev/null
@@ -1,187 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_STRING16_H_
-#define BASE_STRINGS_STRING16_H_
-
-// WHAT:
-// A version of std::basic_string that provides 2-byte characters even when
-// wchar_t is not implemented as a 2-byte type. You can access this class as
-// string16. We also define char16, which string16 is based upon.
-//
-// WHY:
-// On Windows, wchar_t is 2 bytes, and it can conveniently handle UTF-16/UCS-2
-// data. Plenty of existing code operates on strings encoded as UTF-16.
-//
-// On many other platforms, sizeof(wchar_t) is 4 bytes by default. We can make
-// it 2 bytes by using the GCC flag -fshort-wchar. But then std::wstring fails
-// at run time, because it calls some functions (like wcslen) that come from
-// the system's native C library -- which was built with a 4-byte wchar_t!
-// It's wasteful to use 4-byte wchar_t strings to carry UTF-16 data, and it's
-// entirely improper on those systems where the encoding of wchar_t is defined
-// as UTF-32.
-//
-// Here, we define string16, which is similar to std::wstring but replaces all
-// libc functions with custom, 2-byte-char compatible routines. It is capable
-// of carrying UTF-16-encoded data.
-
-#include <stddef.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <string>
-
-#include "base/base_export.h"
-#include "build/build_config.h"
-
-#if defined(WCHAR_T_IS_UTF16)
-
-namespace base {
-
-typedef wchar_t char16;
-typedef std::wstring string16;
-typedef std::char_traits<wchar_t> string16_char_traits;
-
-} // namespace base
-
-#elif defined(WCHAR_T_IS_UTF32)
-
-namespace base {
-
-typedef uint16_t char16;
-
-// char16 versions of the functions required by string16_char_traits; these
-// are based on the wide character functions of similar names ("w" or "wcs"
-// instead of "c16").
-BASE_EXPORT int c16memcmp(const char16* s1, const char16* s2, size_t n);
-BASE_EXPORT size_t c16len(const char16* s);
-BASE_EXPORT const char16* c16memchr(const char16* s, char16 c, size_t n);
-BASE_EXPORT char16* c16memmove(char16* s1, const char16* s2, size_t n);
-BASE_EXPORT char16* c16memcpy(char16* s1, const char16* s2, size_t n);
-BASE_EXPORT char16* c16memset(char16* s, char16 c, size_t n);
-
-struct string16_char_traits {
- typedef char16 char_type;
- typedef int int_type;
-
- // int_type needs to be able to hold each possible value of char_type, and in
- // addition, the distinct value of eof().
- static_assert(sizeof(int_type) > sizeof(char_type),
- "int must be larger than 16 bits wide");
-
- typedef std::streamoff off_type;
- typedef mbstate_t state_type;
- typedef std::fpos<state_type> pos_type;
-
- static void assign(char_type& c1, const char_type& c2) {
- c1 = c2;
- }
-
- static bool eq(const char_type& c1, const char_type& c2) {
- return c1 == c2;
- }
- static bool lt(const char_type& c1, const char_type& c2) {
- return c1 < c2;
- }
-
- static int compare(const char_type* s1, const char_type* s2, size_t n) {
- return c16memcmp(s1, s2, n);
- }
-
- static size_t length(const char_type* s) {
- return c16len(s);
- }
-
- static const char_type* find(const char_type* s, size_t n,
- const char_type& a) {
- return c16memchr(s, a, n);
- }
-
- static char_type* move(char_type* s1, const char_type* s2, size_t n) {
- return c16memmove(s1, s2, n);
- }
-
- static char_type* copy(char_type* s1, const char_type* s2, size_t n) {
- return c16memcpy(s1, s2, n);
- }
-
- static char_type* assign(char_type* s, size_t n, char_type a) {
- return c16memset(s, a, n);
- }
-
- static int_type not_eof(const int_type& c) {
- return eq_int_type(c, eof()) ? 0 : c;
- }
-
- static char_type to_char_type(const int_type& c) {
- return char_type(c);
- }
-
- static int_type to_int_type(const char_type& c) {
- return int_type(c);
- }
-
- static bool eq_int_type(const int_type& c1, const int_type& c2) {
- return c1 == c2;
- }
-
- static int_type eof() {
- return static_cast<int_type>(EOF);
- }
-};
-
-typedef std::basic_string<char16, base::string16_char_traits> string16;
-
-BASE_EXPORT extern std::ostream& operator<<(std::ostream& out,
- const string16& str);
-
-// This is required by googletest to print a readable output on test failures.
-BASE_EXPORT extern void PrintTo(const string16& str, std::ostream* out);
-
-} // namespace base
-
-// The string class will be explicitly instantiated only once, in string16.cc.
-//
-// std::basic_string<> in GNU libstdc++ contains a static data member,
-// _S_empty_rep_storage, to represent empty strings. When an operation such
-// as assignment or destruction is performed on a string, causing its existing
-// data member to be invalidated, it must not be freed if this static data
-// member is being used. Otherwise, it counts as an attempt to free static
-// (and not allocated) data, which is a memory error.
-//
-// Generally, due to C++ template magic, _S_empty_rep_storage will be marked
-// as a coalesced symbol, meaning that the linker will combine multiple
-// instances into a single one when generating output.
-//
-// If a string class is used by multiple shared libraries, a problem occurs.
-// Each library will get its own copy of _S_empty_rep_storage. When strings
-// are passed across a library boundary for alteration or destruction, memory
-// errors will result. GNU libstdc++ contains a configuration option,
-// --enable-fully-dynamic-string (_GLIBCXX_FULLY_DYNAMIC_STRING), which
-// disables the static data member optimization, but it's a good optimization
-// and non-STL code is generally at the mercy of the system's STL
-// configuration. Fully-dynamic strings are not the default for GNU libstdc++
-// libstdc++ itself or for the libstdc++ installations on the systems we care
-// about, such as Mac OS X and relevant flavors of Linux.
-//
-// See also http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24196 .
-//
-// To avoid problems, string classes need to be explicitly instantiated only
-// once, in exactly one library. All other string users see it via an "extern"
-// declaration. This is precisely how GNU libstdc++ handles
-// std::basic_string<char> (string) and std::basic_string<wchar_t> (wstring).
-//
-// This also works around a Mac OS X linker bug in ld64-85.2.1 (Xcode 3.1.2),
-// in which the linker does not fully coalesce symbols when dead code
-// stripping is enabled. This bug causes the memory errors described above
-// to occur even when a std::basic_string<> does not cross shared library
-// boundaries, such as in statically-linked executables.
-//
-// TODO(mark): File this bug with Apple and update this note with a bug number.
-
-extern template
-class BASE_EXPORT std::basic_string<base::char16, base::string16_char_traits>;
-
-#endif // WCHAR_T_IS_UTF32
-
-#endif // BASE_STRINGS_STRING16_H_
diff --git a/security/sandbox/chromium/base/strings/string_number_conversions.cc b/security/sandbox/chromium/base/strings/string_number_conversions.cc
deleted file mode 100644
index 07248501e..000000000
--- a/security/sandbox/chromium/base/strings/string_number_conversions.cc
+++ /dev/null
@@ -1,485 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/string_number_conversions.h"
-
-#include <ctype.h>
-#include <errno.h>
-#include <stdlib.h>
-#include <wctype.h>
-
-#include <limits>
-
-#include "base/logging.h"
-#include "base/numerics/safe_conversions.h"
-#include "base/numerics/safe_math.h"
-#include "base/scoped_clear_errno.h"
-#include "base/strings/utf_string_conversions.h"
-#include "base/third_party/dmg_fp/dmg_fp.h"
-
-namespace base {
-
-namespace {
-
-template <typename STR, typename INT>
-struct IntToStringT {
- static STR IntToString(INT value) {
- // log10(2) ~= 0.3 bytes needed per bit or per byte log10(2**8) ~= 2.4.
- // So round up to allocate 3 output characters per byte, plus 1 for '-'.
- const size_t kOutputBufSize =
- 3 * sizeof(INT) + std::numeric_limits<INT>::is_signed;
-
- // Create the string in a temporary buffer, write it back to front, and
- // then return the substr of what we ended up using.
- using CHR = typename STR::value_type;
- CHR outbuf[kOutputBufSize];
-
- // The ValueOrDie call below can never fail, because UnsignedAbs is valid
- // for all valid inputs.
- auto res = CheckedNumeric<INT>(value).UnsignedAbs().ValueOrDie();
-
- CHR* end = outbuf + kOutputBufSize;
- CHR* i = end;
- do {
- --i;
- DCHECK(i != outbuf);
- *i = static_cast<CHR>((res % 10) + '0');
- res /= 10;
- } while (res != 0);
- if (IsValueNegative(value)) {
- --i;
- DCHECK(i != outbuf);
- *i = static_cast<CHR>('-');
- }
- return STR(i, end);
- }
-};
-
-// Utility to convert a character to a digit in a given base
-template<typename CHAR, int BASE, bool BASE_LTE_10> class BaseCharToDigit {
-};
-
-// Faster specialization for bases <= 10
-template<typename CHAR, int BASE> class BaseCharToDigit<CHAR, BASE, true> {
- public:
- static bool Convert(CHAR c, uint8_t* digit) {
- if (c >= '0' && c < '0' + BASE) {
- *digit = static_cast<uint8_t>(c - '0');
- return true;
- }
- return false;
- }
-};
-
-// Specialization for bases where 10 < base <= 36
-template<typename CHAR, int BASE> class BaseCharToDigit<CHAR, BASE, false> {
- public:
- static bool Convert(CHAR c, uint8_t* digit) {
- if (c >= '0' && c <= '9') {
- *digit = c - '0';
- } else if (c >= 'a' && c < 'a' + BASE - 10) {
- *digit = c - 'a' + 10;
- } else if (c >= 'A' && c < 'A' + BASE - 10) {
- *digit = c - 'A' + 10;
- } else {
- return false;
- }
- return true;
- }
-};
-
-template <int BASE, typename CHAR>
-bool CharToDigit(CHAR c, uint8_t* digit) {
- return BaseCharToDigit<CHAR, BASE, BASE <= 10>::Convert(c, digit);
-}
-
-// There is an IsUnicodeWhitespace for wchars defined in string_util.h, but it
-// is locale independent, whereas the functions we are replacing were
-// locale-dependent. TBD what is desired, but for the moment let's not
-// introduce a change in behaviour.
-template<typename CHAR> class WhitespaceHelper {
-};
-
-template<> class WhitespaceHelper<char> {
- public:
- static bool Invoke(char c) {
- return 0 != isspace(static_cast<unsigned char>(c));
- }
-};
-
-template<> class WhitespaceHelper<char16> {
- public:
- static bool Invoke(char16 c) {
- return 0 != iswspace(c);
- }
-};
-
-template<typename CHAR> bool LocalIsWhitespace(CHAR c) {
- return WhitespaceHelper<CHAR>::Invoke(c);
-}
-
-// IteratorRangeToNumberTraits should provide:
-// - a typedef for iterator_type, the iterator type used as input.
-// - a typedef for value_type, the target numeric type.
-// - static functions min, max (returning the minimum and maximum permitted
-// values)
-// - constant kBase, the base in which to interpret the input
-template<typename IteratorRangeToNumberTraits>
-class IteratorRangeToNumber {
- public:
- typedef IteratorRangeToNumberTraits traits;
- typedef typename traits::iterator_type const_iterator;
- typedef typename traits::value_type value_type;
-
- // Generalized iterator-range-to-number conversion.
- //
- static bool Invoke(const_iterator begin,
- const_iterator end,
- value_type* output) {
- bool valid = true;
-
- while (begin != end && LocalIsWhitespace(*begin)) {
- valid = false;
- ++begin;
- }
-
- if (begin != end && *begin == '-') {
- if (!std::numeric_limits<value_type>::is_signed) {
- valid = false;
- } else if (!Negative::Invoke(begin + 1, end, output)) {
- valid = false;
- }
- } else {
- if (begin != end && *begin == '+') {
- ++begin;
- }
- if (!Positive::Invoke(begin, end, output)) {
- valid = false;
- }
- }
-
- return valid;
- }
-
- private:
- // Sign provides:
- // - a static function, CheckBounds, that determines whether the next digit
- // causes an overflow/underflow
- // - a static function, Increment, that appends the next digit appropriately
- // according to the sign of the number being parsed.
- template<typename Sign>
- class Base {
- public:
- static bool Invoke(const_iterator begin, const_iterator end,
- typename traits::value_type* output) {
- *output = 0;
-
- if (begin == end) {
- return false;
- }
-
- // Note: no performance difference was found when using template
- // specialization to remove this check in bases other than 16
- if (traits::kBase == 16 && end - begin > 2 && *begin == '0' &&
- (*(begin + 1) == 'x' || *(begin + 1) == 'X')) {
- begin += 2;
- }
-
- for (const_iterator current = begin; current != end; ++current) {
- uint8_t new_digit = 0;
-
- if (!CharToDigit<traits::kBase>(*current, &new_digit)) {
- return false;
- }
-
- if (current != begin) {
- if (!Sign::CheckBounds(output, new_digit)) {
- return false;
- }
- *output *= traits::kBase;
- }
-
- Sign::Increment(new_digit, output);
- }
- return true;
- }
- };
-
- class Positive : public Base<Positive> {
- public:
- static bool CheckBounds(value_type* output, uint8_t new_digit) {
- if (*output > static_cast<value_type>(traits::max() / traits::kBase) ||
- (*output == static_cast<value_type>(traits::max() / traits::kBase) &&
- new_digit > traits::max() % traits::kBase)) {
- *output = traits::max();
- return false;
- }
- return true;
- }
- static void Increment(uint8_t increment, value_type* output) {
- *output += increment;
- }
- };
-
- class Negative : public Base<Negative> {
- public:
- static bool CheckBounds(value_type* output, uint8_t new_digit) {
- if (*output < traits::min() / traits::kBase ||
- (*output == traits::min() / traits::kBase &&
- new_digit > 0 - traits::min() % traits::kBase)) {
- *output = traits::min();
- return false;
- }
- return true;
- }
- static void Increment(uint8_t increment, value_type* output) {
- *output -= increment;
- }
- };
-};
-
-template<typename ITERATOR, typename VALUE, int BASE>
-class BaseIteratorRangeToNumberTraits {
- public:
- typedef ITERATOR iterator_type;
- typedef VALUE value_type;
- static value_type min() {
- return std::numeric_limits<value_type>::min();
- }
- static value_type max() {
- return std::numeric_limits<value_type>::max();
- }
- static const int kBase = BASE;
-};
-
-template<typename ITERATOR>
-class BaseHexIteratorRangeToIntTraits
- : public BaseIteratorRangeToNumberTraits<ITERATOR, int, 16> {
-};
-
-template <typename ITERATOR>
-class BaseHexIteratorRangeToUIntTraits
- : public BaseIteratorRangeToNumberTraits<ITERATOR, uint32_t, 16> {};
-
-template <typename ITERATOR>
-class BaseHexIteratorRangeToInt64Traits
- : public BaseIteratorRangeToNumberTraits<ITERATOR, int64_t, 16> {};
-
-template <typename ITERATOR>
-class BaseHexIteratorRangeToUInt64Traits
- : public BaseIteratorRangeToNumberTraits<ITERATOR, uint64_t, 16> {};
-
-typedef BaseHexIteratorRangeToIntTraits<StringPiece::const_iterator>
- HexIteratorRangeToIntTraits;
-
-typedef BaseHexIteratorRangeToUIntTraits<StringPiece::const_iterator>
- HexIteratorRangeToUIntTraits;
-
-typedef BaseHexIteratorRangeToInt64Traits<StringPiece::const_iterator>
- HexIteratorRangeToInt64Traits;
-
-typedef BaseHexIteratorRangeToUInt64Traits<StringPiece::const_iterator>
- HexIteratorRangeToUInt64Traits;
-
-template <typename STR>
-bool HexStringToBytesT(const STR& input, std::vector<uint8_t>* output) {
- DCHECK_EQ(output->size(), 0u);
- size_t count = input.size();
- if (count == 0 || (count % 2) != 0)
- return false;
- for (uintptr_t i = 0; i < count / 2; ++i) {
- uint8_t msb = 0; // most significant 4 bits
- uint8_t lsb = 0; // least significant 4 bits
- if (!CharToDigit<16>(input[i * 2], &msb) ||
- !CharToDigit<16>(input[i * 2 + 1], &lsb))
- return false;
- output->push_back((msb << 4) | lsb);
- }
- return true;
-}
-
-template <typename VALUE, int BASE>
-class StringPieceToNumberTraits
- : public BaseIteratorRangeToNumberTraits<StringPiece::const_iterator,
- VALUE,
- BASE> {
-};
-
-template <typename VALUE>
-bool StringToIntImpl(const StringPiece& input, VALUE* output) {
- return IteratorRangeToNumber<StringPieceToNumberTraits<VALUE, 10> >::Invoke(
- input.begin(), input.end(), output);
-}
-
-template <typename VALUE, int BASE>
-class StringPiece16ToNumberTraits
- : public BaseIteratorRangeToNumberTraits<StringPiece16::const_iterator,
- VALUE,
- BASE> {
-};
-
-template <typename VALUE>
-bool String16ToIntImpl(const StringPiece16& input, VALUE* output) {
- return IteratorRangeToNumber<StringPiece16ToNumberTraits<VALUE, 10> >::Invoke(
- input.begin(), input.end(), output);
-}
-
-} // namespace
-
-std::string IntToString(int value) {
- return IntToStringT<std::string, int>::IntToString(value);
-}
-
-string16 IntToString16(int value) {
- return IntToStringT<string16, int>::IntToString(value);
-}
-
-std::string UintToString(unsigned int value) {
- return IntToStringT<std::string, unsigned int>::IntToString(value);
-}
-
-string16 UintToString16(unsigned int value) {
- return IntToStringT<string16, unsigned int>::IntToString(value);
-}
-
-std::string Int64ToString(int64_t value) {
- return IntToStringT<std::string, int64_t>::IntToString(value);
-}
-
-string16 Int64ToString16(int64_t value) {
- return IntToStringT<string16, int64_t>::IntToString(value);
-}
-
-std::string Uint64ToString(uint64_t value) {
- return IntToStringT<std::string, uint64_t>::IntToString(value);
-}
-
-string16 Uint64ToString16(uint64_t value) {
- return IntToStringT<string16, uint64_t>::IntToString(value);
-}
-
-std::string SizeTToString(size_t value) {
- return IntToStringT<std::string, size_t>::IntToString(value);
-}
-
-string16 SizeTToString16(size_t value) {
- return IntToStringT<string16, size_t>::IntToString(value);
-}
-
-std::string DoubleToString(double value) {
- // According to g_fmt.cc, it is sufficient to declare a buffer of size 32.
- char buffer[32];
- dmg_fp::g_fmt(buffer, value);
- return std::string(buffer);
-}
-
-bool StringToInt(const StringPiece& input, int* output) {
- return StringToIntImpl(input, output);
-}
-
-bool StringToInt(const StringPiece16& input, int* output) {
- return String16ToIntImpl(input, output);
-}
-
-bool StringToUint(const StringPiece& input, unsigned* output) {
- return StringToIntImpl(input, output);
-}
-
-bool StringToUint(const StringPiece16& input, unsigned* output) {
- return String16ToIntImpl(input, output);
-}
-
-bool StringToInt64(const StringPiece& input, int64_t* output) {
- return StringToIntImpl(input, output);
-}
-
-bool StringToInt64(const StringPiece16& input, int64_t* output) {
- return String16ToIntImpl(input, output);
-}
-
-bool StringToUint64(const StringPiece& input, uint64_t* output) {
- return StringToIntImpl(input, output);
-}
-
-bool StringToUint64(const StringPiece16& input, uint64_t* output) {
- return String16ToIntImpl(input, output);
-}
-
-bool StringToSizeT(const StringPiece& input, size_t* output) {
- return StringToIntImpl(input, output);
-}
-
-bool StringToSizeT(const StringPiece16& input, size_t* output) {
- return String16ToIntImpl(input, output);
-}
-
-bool StringToDouble(const std::string& input, double* output) {
- // Thread-safe? It is on at least Mac, Linux, and Windows.
- ScopedClearErrno clear_errno;
-
- char* endptr = NULL;
- *output = dmg_fp::strtod(input.c_str(), &endptr);
-
- // Cases to return false:
- // - If errno is ERANGE, there was an overflow or underflow.
- // - If the input string is empty, there was nothing to parse.
- // - If endptr does not point to the end of the string, there are either
- // characters remaining in the string after a parsed number, or the string
- // does not begin with a parseable number. endptr is compared to the
- // expected end given the string's stated length to correctly catch cases
- // where the string contains embedded NUL characters.
- // - If the first character is a space, there was leading whitespace
- return errno == 0 &&
- !input.empty() &&
- input.c_str() + input.length() == endptr &&
- !isspace(input[0]);
-}
-
-// Note: if you need to add String16ToDouble, first ask yourself if it's
-// really necessary. If it is, probably the best implementation here is to
-// convert to 8-bit and then use the 8-bit version.
-
-// Note: if you need to add an iterator range version of StringToDouble, first
-// ask yourself if it's really necessary. If it is, probably the best
-// implementation here is to instantiate a string and use the string version.
-
-std::string HexEncode(const void* bytes, size_t size) {
- static const char kHexChars[] = "0123456789ABCDEF";
-
- // Each input byte creates two output hex characters.
- std::string ret(size * 2, '\0');
-
- for (size_t i = 0; i < size; ++i) {
- char b = reinterpret_cast<const char*>(bytes)[i];
- ret[(i * 2)] = kHexChars[(b >> 4) & 0xf];
- ret[(i * 2) + 1] = kHexChars[b & 0xf];
- }
- return ret;
-}
-
-bool HexStringToInt(const StringPiece& input, int* output) {
- return IteratorRangeToNumber<HexIteratorRangeToIntTraits>::Invoke(
- input.begin(), input.end(), output);
-}
-
-bool HexStringToUInt(const StringPiece& input, uint32_t* output) {
- return IteratorRangeToNumber<HexIteratorRangeToUIntTraits>::Invoke(
- input.begin(), input.end(), output);
-}
-
-bool HexStringToInt64(const StringPiece& input, int64_t* output) {
- return IteratorRangeToNumber<HexIteratorRangeToInt64Traits>::Invoke(
- input.begin(), input.end(), output);
-}
-
-bool HexStringToUInt64(const StringPiece& input, uint64_t* output) {
- return IteratorRangeToNumber<HexIteratorRangeToUInt64Traits>::Invoke(
- input.begin(), input.end(), output);
-}
-
-bool HexStringToBytes(const std::string& input, std::vector<uint8_t>* output) {
- return HexStringToBytesT(input, output);
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/string_number_conversions.h b/security/sandbox/chromium/base/strings/string_number_conversions.h
deleted file mode 100644
index 1265f0dcb..000000000
--- a/security/sandbox/chromium/base/strings/string_number_conversions.h
+++ /dev/null
@@ -1,137 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_STRING_NUMBER_CONVERSIONS_H_
-#define BASE_STRINGS_STRING_NUMBER_CONVERSIONS_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <string>
-#include <vector>
-
-#include "base/base_export.h"
-#include "base/strings/string16.h"
-#include "base/strings/string_piece.h"
-
-// ----------------------------------------------------------------------------
-// IMPORTANT MESSAGE FROM YOUR SPONSOR
-//
-// This file contains no "wstring" variants. New code should use string16. If
-// you need to make old code work, use the UTF8 version and convert. Please do
-// not add wstring variants.
-//
-// Please do not add "convenience" functions for converting strings to integers
-// that return the value and ignore success/failure. That encourages people to
-// write code that doesn't properly handle the error conditions.
-// ----------------------------------------------------------------------------
-
-namespace base {
-
-// Number -> string conversions ------------------------------------------------
-
-BASE_EXPORT std::string IntToString(int value);
-BASE_EXPORT string16 IntToString16(int value);
-
-BASE_EXPORT std::string UintToString(unsigned value);
-BASE_EXPORT string16 UintToString16(unsigned value);
-
-BASE_EXPORT std::string Int64ToString(int64_t value);
-BASE_EXPORT string16 Int64ToString16(int64_t value);
-
-BASE_EXPORT std::string Uint64ToString(uint64_t value);
-BASE_EXPORT string16 Uint64ToString16(uint64_t value);
-
-BASE_EXPORT std::string SizeTToString(size_t value);
-BASE_EXPORT string16 SizeTToString16(size_t value);
-
-// DoubleToString converts the double to a string format that ignores the
-// locale. If you want to use locale specific formatting, use ICU.
-BASE_EXPORT std::string DoubleToString(double value);
-
-// String -> number conversions ------------------------------------------------
-
-// Perform a best-effort conversion of the input string to a numeric type,
-// setting |*output| to the result of the conversion. Returns true for
-// "perfect" conversions; returns false in the following cases:
-// - Overflow. |*output| will be set to the maximum value supported
-// by the data type.
-// - Underflow. |*output| will be set to the minimum value supported
-// by the data type.
-// - Trailing characters in the string after parsing the number. |*output|
-// will be set to the value of the number that was parsed.
-// - Leading whitespace in the string before parsing the number. |*output| will
-// be set to the value of the number that was parsed.
-// - No characters parseable as a number at the beginning of the string.
-// |*output| will be set to 0.
-// - Empty string. |*output| will be set to 0.
-// WARNING: Will write to |output| even when returning false.
-// Read the comments above carefully.
-BASE_EXPORT bool StringToInt(const StringPiece& input, int* output);
-BASE_EXPORT bool StringToInt(const StringPiece16& input, int* output);
-
-BASE_EXPORT bool StringToUint(const StringPiece& input, unsigned* output);
-BASE_EXPORT bool StringToUint(const StringPiece16& input, unsigned* output);
-
-BASE_EXPORT bool StringToInt64(const StringPiece& input, int64_t* output);
-BASE_EXPORT bool StringToInt64(const StringPiece16& input, int64_t* output);
-
-BASE_EXPORT bool StringToUint64(const StringPiece& input, uint64_t* output);
-BASE_EXPORT bool StringToUint64(const StringPiece16& input, uint64_t* output);
-
-BASE_EXPORT bool StringToSizeT(const StringPiece& input, size_t* output);
-BASE_EXPORT bool StringToSizeT(const StringPiece16& input, size_t* output);
-
-// For floating-point conversions, only conversions of input strings in decimal
-// form are defined to work. Behavior with strings representing floating-point
-// numbers in hexadecimal, and strings representing non-finite values (such as
-// NaN and inf) is undefined. Otherwise, these behave the same as the integral
-// variants. This expects the input string to NOT be specific to the locale.
-// If your input is locale specific, use ICU to read the number.
-// WARNING: Will write to |output| even when returning false.
-// Read the comments here and above StringToInt() carefully.
-BASE_EXPORT bool StringToDouble(const std::string& input, double* output);
-
-// Hex encoding ----------------------------------------------------------------
-
-// Returns a hex string representation of a binary buffer. The returned hex
-// string will be in upper case. This function does not check if |size| is
-// within reasonable limits since it's written with trusted data in mind. If
-// you suspect that the data you want to format might be large, the absolute
-// max size for |size| should be is
-// std::numeric_limits<size_t>::max() / 2
-BASE_EXPORT std::string HexEncode(const void* bytes, size_t size);
-
-// Best effort conversion, see StringToInt above for restrictions.
-// Will only successful parse hex values that will fit into |output|, i.e.
-// -0x80000000 < |input| < 0x7FFFFFFF.
-BASE_EXPORT bool HexStringToInt(const StringPiece& input, int* output);
-
-// Best effort conversion, see StringToInt above for restrictions.
-// Will only successful parse hex values that will fit into |output|, i.e.
-// 0x00000000 < |input| < 0xFFFFFFFF.
-// The string is not required to start with 0x.
-BASE_EXPORT bool HexStringToUInt(const StringPiece& input, uint32_t* output);
-
-// Best effort conversion, see StringToInt above for restrictions.
-// Will only successful parse hex values that will fit into |output|, i.e.
-// -0x8000000000000000 < |input| < 0x7FFFFFFFFFFFFFFF.
-BASE_EXPORT bool HexStringToInt64(const StringPiece& input, int64_t* output);
-
-// Best effort conversion, see StringToInt above for restrictions.
-// Will only successful parse hex values that will fit into |output|, i.e.
-// 0x0000000000000000 < |input| < 0xFFFFFFFFFFFFFFFF.
-// The string is not required to start with 0x.
-BASE_EXPORT bool HexStringToUInt64(const StringPiece& input, uint64_t* output);
-
-// Similar to the previous functions, except that output is a vector of bytes.
-// |*output| will contain as many bytes as were successfully parsed prior to the
-// error. There is no overflow, but input.size() must be evenly divisible by 2.
-// Leading 0x or +/- are not allowed.
-BASE_EXPORT bool HexStringToBytes(const std::string& input,
- std::vector<uint8_t>* output);
-
-} // namespace base
-
-#endif // BASE_STRINGS_STRING_NUMBER_CONVERSIONS_H_
diff --git a/security/sandbox/chromium/base/strings/string_piece.cc b/security/sandbox/chromium/base/strings/string_piece.cc
deleted file mode 100644
index c26bb3652..000000000
--- a/security/sandbox/chromium/base/strings/string_piece.cc
+++ /dev/null
@@ -1,452 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-// Copied from strings/stringpiece.cc with modifications
-
-#include "base/strings/string_piece.h"
-
-#include <limits.h>
-
-#include <algorithm>
-#include <ostream>
-
-#include "base/logging.h"
-
-namespace base {
-namespace {
-
-// For each character in characters_wanted, sets the index corresponding
-// to the ASCII code of that character to 1 in table. This is used by
-// the find_.*_of methods below to tell whether or not a character is in
-// the lookup table in constant time.
-// The argument `table' must be an array that is large enough to hold all
-// the possible values of an unsigned char. Thus it should be be declared
-// as follows:
-// bool table[UCHAR_MAX + 1]
-inline void BuildLookupTable(const StringPiece& characters_wanted,
- bool* table) {
- const size_t length = characters_wanted.length();
- const char* const data = characters_wanted.data();
- for (size_t i = 0; i < length; ++i) {
- table[static_cast<unsigned char>(data[i])] = true;
- }
-}
-
-} // namespace
-
-// MSVC doesn't like complex extern templates and DLLs.
-#if !defined(COMPILER_MSVC)
-template class BasicStringPiece<std::string>;
-template class BasicStringPiece<string16>;
-#endif
-
-bool operator==(const StringPiece& x, const StringPiece& y) {
- if (x.size() != y.size())
- return false;
-
- return StringPiece::wordmemcmp(x.data(), y.data(), x.size()) == 0;
-}
-
-std::ostream& operator<<(std::ostream& o, const StringPiece& piece) {
- o.write(piece.data(), static_cast<std::streamsize>(piece.size()));
- return o;
-}
-
-namespace internal {
-
-template<typename STR>
-void CopyToStringT(const BasicStringPiece<STR>& self, STR* target) {
- if (self.empty())
- target->clear();
- else
- target->assign(self.data(), self.size());
-}
-
-void CopyToString(const StringPiece& self, std::string* target) {
- CopyToStringT(self, target);
-}
-
-void CopyToString(const StringPiece16& self, string16* target) {
- CopyToStringT(self, target);
-}
-
-template<typename STR>
-void AppendToStringT(const BasicStringPiece<STR>& self, STR* target) {
- if (!self.empty())
- target->append(self.data(), self.size());
-}
-
-void AppendToString(const StringPiece& self, std::string* target) {
- AppendToStringT(self, target);
-}
-
-void AppendToString(const StringPiece16& self, string16* target) {
- AppendToStringT(self, target);
-}
-
-template<typename STR>
-size_t copyT(const BasicStringPiece<STR>& self,
- typename STR::value_type* buf,
- size_t n,
- size_t pos) {
- size_t ret = std::min(self.size() - pos, n);
- memcpy(buf, self.data() + pos, ret * sizeof(typename STR::value_type));
- return ret;
-}
-
-size_t copy(const StringPiece& self, char* buf, size_t n, size_t pos) {
- return copyT(self, buf, n, pos);
-}
-
-size_t copy(const StringPiece16& self, char16* buf, size_t n, size_t pos) {
- return copyT(self, buf, n, pos);
-}
-
-template<typename STR>
-size_t findT(const BasicStringPiece<STR>& self,
- const BasicStringPiece<STR>& s,
- size_t pos) {
- if (pos > self.size())
- return BasicStringPiece<STR>::npos;
-
- typename BasicStringPiece<STR>::const_iterator result =
- std::search(self.begin() + pos, self.end(), s.begin(), s.end());
- const size_t xpos =
- static_cast<size_t>(result - self.begin());
- return xpos + s.size() <= self.size() ? xpos : BasicStringPiece<STR>::npos;
-}
-
-size_t find(const StringPiece& self, const StringPiece& s, size_t pos) {
- return findT(self, s, pos);
-}
-
-size_t find(const StringPiece16& self, const StringPiece16& s, size_t pos) {
- return findT(self, s, pos);
-}
-
-template<typename STR>
-size_t findT(const BasicStringPiece<STR>& self,
- typename STR::value_type c,
- size_t pos) {
- if (pos >= self.size())
- return BasicStringPiece<STR>::npos;
-
- typename BasicStringPiece<STR>::const_iterator result =
- std::find(self.begin() + pos, self.end(), c);
- return result != self.end() ?
- static_cast<size_t>(result - self.begin()) : BasicStringPiece<STR>::npos;
-}
-
-size_t find(const StringPiece& self, char c, size_t pos) {
- return findT(self, c, pos);
-}
-
-size_t find(const StringPiece16& self, char16 c, size_t pos) {
- return findT(self, c, pos);
-}
-
-template<typename STR>
-size_t rfindT(const BasicStringPiece<STR>& self,
- const BasicStringPiece<STR>& s,
- size_t pos) {
- if (self.size() < s.size())
- return BasicStringPiece<STR>::npos;
-
- if (s.empty())
- return std::min(self.size(), pos);
-
- typename BasicStringPiece<STR>::const_iterator last =
- self.begin() + std::min(self.size() - s.size(), pos) + s.size();
- typename BasicStringPiece<STR>::const_iterator result =
- std::find_end(self.begin(), last, s.begin(), s.end());
- return result != last ?
- static_cast<size_t>(result - self.begin()) : BasicStringPiece<STR>::npos;
-}
-
-size_t rfind(const StringPiece& self, const StringPiece& s, size_t pos) {
- return rfindT(self, s, pos);
-}
-
-size_t rfind(const StringPiece16& self, const StringPiece16& s, size_t pos) {
- return rfindT(self, s, pos);
-}
-
-template<typename STR>
-size_t rfindT(const BasicStringPiece<STR>& self,
- typename STR::value_type c,
- size_t pos) {
- if (self.size() == 0)
- return BasicStringPiece<STR>::npos;
-
- for (size_t i = std::min(pos, self.size() - 1); ;
- --i) {
- if (self.data()[i] == c)
- return i;
- if (i == 0)
- break;
- }
- return BasicStringPiece<STR>::npos;
-}
-
-size_t rfind(const StringPiece& self, char c, size_t pos) {
- return rfindT(self, c, pos);
-}
-
-size_t rfind(const StringPiece16& self, char16 c, size_t pos) {
- return rfindT(self, c, pos);
-}
-
-// 8-bit version using lookup table.
-size_t find_first_of(const StringPiece& self,
- const StringPiece& s,
- size_t pos) {
- if (self.size() == 0 || s.size() == 0)
- return StringPiece::npos;
-
- // Avoid the cost of BuildLookupTable() for a single-character search.
- if (s.size() == 1)
- return find(self, s.data()[0], pos);
-
- bool lookup[UCHAR_MAX + 1] = { false };
- BuildLookupTable(s, lookup);
- for (size_t i = pos; i < self.size(); ++i) {
- if (lookup[static_cast<unsigned char>(self.data()[i])]) {
- return i;
- }
- }
- return StringPiece::npos;
-}
-
-// 16-bit brute force version.
-size_t find_first_of(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos) {
- StringPiece16::const_iterator found =
- std::find_first_of(self.begin() + pos, self.end(), s.begin(), s.end());
- if (found == self.end())
- return StringPiece16::npos;
- return found - self.begin();
-}
-
-// 8-bit version using lookup table.
-size_t find_first_not_of(const StringPiece& self,
- const StringPiece& s,
- size_t pos) {
- if (self.size() == 0)
- return StringPiece::npos;
-
- if (s.size() == 0)
- return 0;
-
- // Avoid the cost of BuildLookupTable() for a single-character search.
- if (s.size() == 1)
- return find_first_not_of(self, s.data()[0], pos);
-
- bool lookup[UCHAR_MAX + 1] = { false };
- BuildLookupTable(s, lookup);
- for (size_t i = pos; i < self.size(); ++i) {
- if (!lookup[static_cast<unsigned char>(self.data()[i])]) {
- return i;
- }
- }
- return StringPiece::npos;
-}
-
-// 16-bit brute-force version.
-BASE_EXPORT size_t find_first_not_of(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos) {
- if (self.size() == 0)
- return StringPiece16::npos;
-
- for (size_t self_i = pos; self_i < self.size(); ++self_i) {
- bool found = false;
- for (size_t s_i = 0; s_i < s.size(); ++s_i) {
- if (self[self_i] == s[s_i]) {
- found = true;
- break;
- }
- }
- if (!found)
- return self_i;
- }
- return StringPiece16::npos;
-}
-
-template<typename STR>
-size_t find_first_not_ofT(const BasicStringPiece<STR>& self,
- typename STR::value_type c,
- size_t pos) {
- if (self.size() == 0)
- return BasicStringPiece<STR>::npos;
-
- for (; pos < self.size(); ++pos) {
- if (self.data()[pos] != c) {
- return pos;
- }
- }
- return BasicStringPiece<STR>::npos;
-}
-
-size_t find_first_not_of(const StringPiece& self,
- char c,
- size_t pos) {
- return find_first_not_ofT(self, c, pos);
-}
-
-size_t find_first_not_of(const StringPiece16& self,
- char16 c,
- size_t pos) {
- return find_first_not_ofT(self, c, pos);
-}
-
-// 8-bit version using lookup table.
-size_t find_last_of(const StringPiece& self, const StringPiece& s, size_t pos) {
- if (self.size() == 0 || s.size() == 0)
- return StringPiece::npos;
-
- // Avoid the cost of BuildLookupTable() for a single-character search.
- if (s.size() == 1)
- return rfind(self, s.data()[0], pos);
-
- bool lookup[UCHAR_MAX + 1] = { false };
- BuildLookupTable(s, lookup);
- for (size_t i = std::min(pos, self.size() - 1); ; --i) {
- if (lookup[static_cast<unsigned char>(self.data()[i])])
- return i;
- if (i == 0)
- break;
- }
- return StringPiece::npos;
-}
-
-// 16-bit brute-force version.
-size_t find_last_of(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos) {
- if (self.size() == 0)
- return StringPiece16::npos;
-
- for (size_t self_i = std::min(pos, self.size() - 1); ;
- --self_i) {
- for (size_t s_i = 0; s_i < s.size(); s_i++) {
- if (self.data()[self_i] == s[s_i])
- return self_i;
- }
- if (self_i == 0)
- break;
- }
- return StringPiece16::npos;
-}
-
-// 8-bit version using lookup table.
-size_t find_last_not_of(const StringPiece& self,
- const StringPiece& s,
- size_t pos) {
- if (self.size() == 0)
- return StringPiece::npos;
-
- size_t i = std::min(pos, self.size() - 1);
- if (s.size() == 0)
- return i;
-
- // Avoid the cost of BuildLookupTable() for a single-character search.
- if (s.size() == 1)
- return find_last_not_of(self, s.data()[0], pos);
-
- bool lookup[UCHAR_MAX + 1] = { false };
- BuildLookupTable(s, lookup);
- for (; ; --i) {
- if (!lookup[static_cast<unsigned char>(self.data()[i])])
- return i;
- if (i == 0)
- break;
- }
- return StringPiece::npos;
-}
-
-// 16-bit brute-force version.
-size_t find_last_not_of(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos) {
- if (self.size() == 0)
- return StringPiece::npos;
-
- for (size_t self_i = std::min(pos, self.size() - 1); ; --self_i) {
- bool found = false;
- for (size_t s_i = 0; s_i < s.size(); s_i++) {
- if (self.data()[self_i] == s[s_i]) {
- found = true;
- break;
- }
- }
- if (!found)
- return self_i;
- if (self_i == 0)
- break;
- }
- return StringPiece16::npos;
-}
-
-template<typename STR>
-size_t find_last_not_ofT(const BasicStringPiece<STR>& self,
- typename STR::value_type c,
- size_t pos) {
- if (self.size() == 0)
- return BasicStringPiece<STR>::npos;
-
- for (size_t i = std::min(pos, self.size() - 1); ; --i) {
- if (self.data()[i] != c)
- return i;
- if (i == 0)
- break;
- }
- return BasicStringPiece<STR>::npos;
-}
-
-size_t find_last_not_of(const StringPiece& self,
- char c,
- size_t pos) {
- return find_last_not_ofT(self, c, pos);
-}
-
-size_t find_last_not_of(const StringPiece16& self,
- char16 c,
- size_t pos) {
- return find_last_not_ofT(self, c, pos);
-}
-
-template<typename STR>
-BasicStringPiece<STR> substrT(const BasicStringPiece<STR>& self,
- size_t pos,
- size_t n) {
- if (pos > self.size()) pos = self.size();
- if (n > self.size() - pos) n = self.size() - pos;
- return BasicStringPiece<STR>(self.data() + pos, n);
-}
-
-StringPiece substr(const StringPiece& self,
- size_t pos,
- size_t n) {
- return substrT(self, pos, n);
-}
-
-StringPiece16 substr(const StringPiece16& self,
- size_t pos,
- size_t n) {
- return substrT(self, pos, n);
-}
-
-#if DCHECK_IS_ON()
-void AssertIteratorsInOrder(std::string::const_iterator begin,
- std::string::const_iterator end) {
- DCHECK(begin <= end) << "StringPiece iterators swapped or invalid.";
-}
-void AssertIteratorsInOrder(string16::const_iterator begin,
- string16::const_iterator end) {
- DCHECK(begin <= end) << "StringPiece iterators swapped or invalid.";
-}
-#endif
-
-} // namespace internal
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/string_piece.h b/security/sandbox/chromium/base/strings/string_piece.h
deleted file mode 100644
index 31e7596d1..000000000
--- a/security/sandbox/chromium/base/strings/string_piece.h
+++ /dev/null
@@ -1,469 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-// Copied from strings/stringpiece.h with modifications
-//
-// A string-like object that points to a sized piece of memory.
-//
-// You can use StringPiece as a function or method parameter. A StringPiece
-// parameter can receive a double-quoted string literal argument, a "const
-// char*" argument, a string argument, or a StringPiece argument with no data
-// copying. Systematic use of StringPiece for arguments reduces data
-// copies and strlen() calls.
-//
-// Prefer passing StringPieces by value:
-// void MyFunction(StringPiece arg);
-// If circumstances require, you may also pass by const reference:
-// void MyFunction(const StringPiece& arg); // not preferred
-// Both of these have the same lifetime semantics. Passing by value
-// generates slightly smaller code. For more discussion, Googlers can see
-// the thread go/stringpiecebyvalue on c-users.
-
-#ifndef BASE_STRINGS_STRING_PIECE_H_
-#define BASE_STRINGS_STRING_PIECE_H_
-
-#include <stddef.h>
-
-#include <iosfwd>
-#include <string>
-
-#include "base/base_export.h"
-#include "base/containers/hash_tables.h"
-#include "base/logging.h"
-#include "base/strings/string16.h"
-
-namespace base {
-
-template <typename STRING_TYPE> class BasicStringPiece;
-typedef BasicStringPiece<std::string> StringPiece;
-typedef BasicStringPiece<string16> StringPiece16;
-
-// internal --------------------------------------------------------------------
-
-// Many of the StringPiece functions use different implementations for the
-// 8-bit and 16-bit versions, and we don't want lots of template expansions in
-// this (very common) header that will slow down compilation.
-//
-// So here we define overloaded functions called by the StringPiece template.
-// For those that share an implementation, the two versions will expand to a
-// template internal to the .cc file.
-namespace internal {
-
-BASE_EXPORT void CopyToString(const StringPiece& self, std::string* target);
-BASE_EXPORT void CopyToString(const StringPiece16& self, string16* target);
-
-BASE_EXPORT void AppendToString(const StringPiece& self, std::string* target);
-BASE_EXPORT void AppendToString(const StringPiece16& self, string16* target);
-
-BASE_EXPORT size_t copy(const StringPiece& self,
- char* buf,
- size_t n,
- size_t pos);
-BASE_EXPORT size_t copy(const StringPiece16& self,
- char16* buf,
- size_t n,
- size_t pos);
-
-BASE_EXPORT size_t find(const StringPiece& self,
- const StringPiece& s,
- size_t pos);
-BASE_EXPORT size_t find(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos);
-BASE_EXPORT size_t find(const StringPiece& self,
- char c,
- size_t pos);
-BASE_EXPORT size_t find(const StringPiece16& self,
- char16 c,
- size_t pos);
-
-BASE_EXPORT size_t rfind(const StringPiece& self,
- const StringPiece& s,
- size_t pos);
-BASE_EXPORT size_t rfind(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos);
-BASE_EXPORT size_t rfind(const StringPiece& self,
- char c,
- size_t pos);
-BASE_EXPORT size_t rfind(const StringPiece16& self,
- char16 c,
- size_t pos);
-
-BASE_EXPORT size_t find_first_of(const StringPiece& self,
- const StringPiece& s,
- size_t pos);
-BASE_EXPORT size_t find_first_of(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos);
-
-BASE_EXPORT size_t find_first_not_of(const StringPiece& self,
- const StringPiece& s,
- size_t pos);
-BASE_EXPORT size_t find_first_not_of(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos);
-BASE_EXPORT size_t find_first_not_of(const StringPiece& self,
- char c,
- size_t pos);
-BASE_EXPORT size_t find_first_not_of(const StringPiece16& self,
- char16 c,
- size_t pos);
-
-BASE_EXPORT size_t find_last_of(const StringPiece& self,
- const StringPiece& s,
- size_t pos);
-BASE_EXPORT size_t find_last_of(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos);
-BASE_EXPORT size_t find_last_of(const StringPiece& self,
- char c,
- size_t pos);
-BASE_EXPORT size_t find_last_of(const StringPiece16& self,
- char16 c,
- size_t pos);
-
-BASE_EXPORT size_t find_last_not_of(const StringPiece& self,
- const StringPiece& s,
- size_t pos);
-BASE_EXPORT size_t find_last_not_of(const StringPiece16& self,
- const StringPiece16& s,
- size_t pos);
-BASE_EXPORT size_t find_last_not_of(const StringPiece16& self,
- char16 c,
- size_t pos);
-BASE_EXPORT size_t find_last_not_of(const StringPiece& self,
- char c,
- size_t pos);
-
-BASE_EXPORT StringPiece substr(const StringPiece& self,
- size_t pos,
- size_t n);
-BASE_EXPORT StringPiece16 substr(const StringPiece16& self,
- size_t pos,
- size_t n);
-
-#if DCHECK_IS_ON()
-// Asserts that begin <= end to catch some errors with iterator usage.
-BASE_EXPORT void AssertIteratorsInOrder(std::string::const_iterator begin,
- std::string::const_iterator end);
-BASE_EXPORT void AssertIteratorsInOrder(string16::const_iterator begin,
- string16::const_iterator end);
-#endif
-
-} // namespace internal
-
-// BasicStringPiece ------------------------------------------------------------
-
-// Defines the types, methods, operators, and data members common to both
-// StringPiece and StringPiece16. Do not refer to this class directly, but
-// rather to BasicStringPiece, StringPiece, or StringPiece16.
-//
-// This is templatized by string class type rather than character type, so
-// BasicStringPiece<std::string> or BasicStringPiece<base::string16>.
-template <typename STRING_TYPE> class BasicStringPiece {
- public:
- // Standard STL container boilerplate.
- typedef size_t size_type;
- typedef typename STRING_TYPE::value_type value_type;
- typedef const value_type* pointer;
- typedef const value_type& reference;
- typedef const value_type& const_reference;
- typedef ptrdiff_t difference_type;
- typedef const value_type* const_iterator;
- typedef std::reverse_iterator<const_iterator> const_reverse_iterator;
-
- static const size_type npos;
-
- public:
- // We provide non-explicit singleton constructors so users can pass
- // in a "const char*" or a "string" wherever a "StringPiece" is
- // expected (likewise for char16, string16, StringPiece16).
- BasicStringPiece() : ptr_(NULL), length_(0) {}
- BasicStringPiece(const value_type* str)
- : ptr_(str),
- length_((str == NULL) ? 0 : STRING_TYPE::traits_type::length(str)) {}
- BasicStringPiece(const STRING_TYPE& str)
- : ptr_(str.data()), length_(str.size()) {}
- BasicStringPiece(const value_type* offset, size_type len)
- : ptr_(offset), length_(len) {}
- BasicStringPiece(const typename STRING_TYPE::const_iterator& begin,
- const typename STRING_TYPE::const_iterator& end) {
-#if DCHECK_IS_ON()
- // This assertion is done out-of-line to avoid bringing in logging.h and
- // instantiating logging macros for every instantiation.
- internal::AssertIteratorsInOrder(begin, end);
-#endif
- length_ = static_cast<size_t>(std::distance(begin, end));
-
- // The length test before assignment is to avoid dereferencing an iterator
- // that may point to the end() of a string.
- ptr_ = length_ > 0 ? &*begin : nullptr;
- }
-
- // data() may return a pointer to a buffer with embedded NULs, and the
- // returned buffer may or may not be null terminated. Therefore it is
- // typically a mistake to pass data() to a routine that expects a NUL
- // terminated string.
- const value_type* data() const { return ptr_; }
- size_type size() const { return length_; }
- size_type length() const { return length_; }
- bool empty() const { return length_ == 0; }
-
- void clear() {
- ptr_ = NULL;
- length_ = 0;
- }
- void set(const value_type* data, size_type len) {
- ptr_ = data;
- length_ = len;
- }
- void set(const value_type* str) {
- ptr_ = str;
- length_ = str ? STRING_TYPE::traits_type::length(str) : 0;
- }
-
- value_type operator[](size_type i) const { return ptr_[i]; }
-
- void remove_prefix(size_type n) {
- ptr_ += n;
- length_ -= n;
- }
-
- void remove_suffix(size_type n) {
- length_ -= n;
- }
-
- int compare(const BasicStringPiece<STRING_TYPE>& x) const {
- int r = wordmemcmp(
- ptr_, x.ptr_, (length_ < x.length_ ? length_ : x.length_));
- if (r == 0) {
- if (length_ < x.length_) r = -1;
- else if (length_ > x.length_) r = +1;
- }
- return r;
- }
-
- STRING_TYPE as_string() const {
- // std::string doesn't like to take a NULL pointer even with a 0 size.
- return empty() ? STRING_TYPE() : STRING_TYPE(data(), size());
- }
-
- const_iterator begin() const { return ptr_; }
- const_iterator end() const { return ptr_ + length_; }
- const_reverse_iterator rbegin() const {
- return const_reverse_iterator(ptr_ + length_);
- }
- const_reverse_iterator rend() const {
- return const_reverse_iterator(ptr_);
- }
-
- size_type max_size() const { return length_; }
- size_type capacity() const { return length_; }
-
- static int wordmemcmp(const value_type* p,
- const value_type* p2,
- size_type N) {
- return STRING_TYPE::traits_type::compare(p, p2, N);
- }
-
- // Sets the value of the given string target type to be the current string.
- // This saves a temporary over doing |a = b.as_string()|
- void CopyToString(STRING_TYPE* target) const {
- internal::CopyToString(*this, target);
- }
-
- void AppendToString(STRING_TYPE* target) const {
- internal::AppendToString(*this, target);
- }
-
- size_type copy(value_type* buf, size_type n, size_type pos = 0) const {
- return internal::copy(*this, buf, n, pos);
- }
-
- // Does "this" start with "x"
- bool starts_with(const BasicStringPiece& x) const {
- return ((this->length_ >= x.length_) &&
- (wordmemcmp(this->ptr_, x.ptr_, x.length_) == 0));
- }
-
- // Does "this" end with "x"
- bool ends_with(const BasicStringPiece& x) const {
- return ((this->length_ >= x.length_) &&
- (wordmemcmp(this->ptr_ + (this->length_-x.length_),
- x.ptr_, x.length_) == 0));
- }
-
- // find: Search for a character or substring at a given offset.
- size_type find(const BasicStringPiece<STRING_TYPE>& s,
- size_type pos = 0) const {
- return internal::find(*this, s, pos);
- }
- size_type find(value_type c, size_type pos = 0) const {
- return internal::find(*this, c, pos);
- }
-
- // rfind: Reverse find.
- size_type rfind(const BasicStringPiece& s,
- size_type pos = BasicStringPiece::npos) const {
- return internal::rfind(*this, s, pos);
- }
- size_type rfind(value_type c, size_type pos = BasicStringPiece::npos) const {
- return internal::rfind(*this, c, pos);
- }
-
- // find_first_of: Find the first occurence of one of a set of characters.
- size_type find_first_of(const BasicStringPiece& s,
- size_type pos = 0) const {
- return internal::find_first_of(*this, s, pos);
- }
- size_type find_first_of(value_type c, size_type pos = 0) const {
- return find(c, pos);
- }
-
- // find_first_not_of: Find the first occurence not of a set of characters.
- size_type find_first_not_of(const BasicStringPiece& s,
- size_type pos = 0) const {
- return internal::find_first_not_of(*this, s, pos);
- }
- size_type find_first_not_of(value_type c, size_type pos = 0) const {
- return internal::find_first_not_of(*this, c, pos);
- }
-
- // find_last_of: Find the last occurence of one of a set of characters.
- size_type find_last_of(const BasicStringPiece& s,
- size_type pos = BasicStringPiece::npos) const {
- return internal::find_last_of(*this, s, pos);
- }
- size_type find_last_of(value_type c,
- size_type pos = BasicStringPiece::npos) const {
- return rfind(c, pos);
- }
-
- // find_last_not_of: Find the last occurence not of a set of characters.
- size_type find_last_not_of(const BasicStringPiece& s,
- size_type pos = BasicStringPiece::npos) const {
- return internal::find_last_not_of(*this, s, pos);
- }
- size_type find_last_not_of(value_type c,
- size_type pos = BasicStringPiece::npos) const {
- return internal::find_last_not_of(*this, c, pos);
- }
-
- // substr.
- BasicStringPiece substr(size_type pos,
- size_type n = BasicStringPiece::npos) const {
- return internal::substr(*this, pos, n);
- }
-
- protected:
- const value_type* ptr_;
- size_type length_;
-};
-
-template <typename STRING_TYPE>
-const typename BasicStringPiece<STRING_TYPE>::size_type
-BasicStringPiece<STRING_TYPE>::npos =
- typename BasicStringPiece<STRING_TYPE>::size_type(-1);
-
-// MSVC doesn't like complex extern templates and DLLs.
-#if !defined(COMPILER_MSVC)
-extern template class BASE_EXPORT BasicStringPiece<std::string>;
-extern template class BASE_EXPORT BasicStringPiece<string16>;
-#endif
-
-// StingPiece operators --------------------------------------------------------
-
-BASE_EXPORT bool operator==(const StringPiece& x, const StringPiece& y);
-
-inline bool operator!=(const StringPiece& x, const StringPiece& y) {
- return !(x == y);
-}
-
-inline bool operator<(const StringPiece& x, const StringPiece& y) {
- const int r = StringPiece::wordmemcmp(
- x.data(), y.data(), (x.size() < y.size() ? x.size() : y.size()));
- return ((r < 0) || ((r == 0) && (x.size() < y.size())));
-}
-
-inline bool operator>(const StringPiece& x, const StringPiece& y) {
- return y < x;
-}
-
-inline bool operator<=(const StringPiece& x, const StringPiece& y) {
- return !(x > y);
-}
-
-inline bool operator>=(const StringPiece& x, const StringPiece& y) {
- return !(x < y);
-}
-
-// StringPiece16 operators -----------------------------------------------------
-
-inline bool operator==(const StringPiece16& x, const StringPiece16& y) {
- if (x.size() != y.size())
- return false;
-
- return StringPiece16::wordmemcmp(x.data(), y.data(), x.size()) == 0;
-}
-
-inline bool operator!=(const StringPiece16& x, const StringPiece16& y) {
- return !(x == y);
-}
-
-inline bool operator<(const StringPiece16& x, const StringPiece16& y) {
- const int r = StringPiece16::wordmemcmp(
- x.data(), y.data(), (x.size() < y.size() ? x.size() : y.size()));
- return ((r < 0) || ((r == 0) && (x.size() < y.size())));
-}
-
-inline bool operator>(const StringPiece16& x, const StringPiece16& y) {
- return y < x;
-}
-
-inline bool operator<=(const StringPiece16& x, const StringPiece16& y) {
- return !(x > y);
-}
-
-inline bool operator>=(const StringPiece16& x, const StringPiece16& y) {
- return !(x < y);
-}
-
-BASE_EXPORT std::ostream& operator<<(std::ostream& o,
- const StringPiece& piece);
-
-} // namespace base
-
-// Hashing ---------------------------------------------------------------------
-
-// We provide appropriate hash functions so StringPiece and StringPiece16 can
-// be used as keys in hash sets and maps.
-
-// This hash function is copied from base/containers/hash_tables.h. We don't
-// use the ones already defined for string and string16 directly because it
-// would require the string constructors to be called, which we don't want.
-#define HASH_STRING_PIECE(StringPieceType, string_piece) \
- std::size_t result = 0; \
- for (StringPieceType::const_iterator i = string_piece.begin(); \
- i != string_piece.end(); ++i) \
- result = (result * 131) + *i; \
- return result; \
-
-namespace BASE_HASH_NAMESPACE {
-
-template<>
-struct hash<base::StringPiece> {
- std::size_t operator()(const base::StringPiece& sp) const {
- HASH_STRING_PIECE(base::StringPiece, sp);
- }
-};
-template<>
-struct hash<base::StringPiece16> {
- std::size_t operator()(const base::StringPiece16& sp16) const {
- HASH_STRING_PIECE(base::StringPiece16, sp16);
- }
-};
-
-} // namespace BASE_HASH_NAMESPACE
-
-#endif // BASE_STRINGS_STRING_PIECE_H_
diff --git a/security/sandbox/chromium/base/strings/string_split.cc b/security/sandbox/chromium/base/strings/string_split.cc
deleted file mode 100644
index 6c949b989..000000000
--- a/security/sandbox/chromium/base/strings/string_split.cc
+++ /dev/null
@@ -1,264 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/string_split.h"
-
-#include <stddef.h>
-
-#include "base/logging.h"
-#include "base/strings/string_util.h"
-#include "base/third_party/icu/icu_utf.h"
-
-namespace base {
-
-namespace {
-
-// PieceToOutputType converts a StringPiece as needed to a given output type,
-// which is either the same type of StringPiece (a NOP) or the corresponding
-// non-piece string type.
-//
-// The default converter is a NOP, it works when the OutputType is the
-// correct StringPiece.
-template<typename Str, typename OutputType>
-OutputType PieceToOutputType(BasicStringPiece<Str> piece) {
- return piece;
-}
-template<> // Convert StringPiece to std::string
-std::string PieceToOutputType<std::string, std::string>(StringPiece piece) {
- return piece.as_string();
-}
-template<> // Convert StringPiece16 to string16.
-string16 PieceToOutputType<string16, string16>(StringPiece16 piece) {
- return piece.as_string();
-}
-
-// Returns either the ASCII or UTF-16 whitespace.
-template<typename Str> BasicStringPiece<Str> WhitespaceForType();
-template<> StringPiece16 WhitespaceForType<string16>() {
- return kWhitespaceUTF16;
-}
-template<> StringPiece WhitespaceForType<std::string>() {
- return kWhitespaceASCII;
-}
-
-// Optimize the single-character case to call find() on the string instead,
-// since this is the common case and can be made faster. This could have been
-// done with template specialization too, but would have been less clear.
-//
-// There is no corresponding FindFirstNotOf because StringPiece already
-// implements these different versions that do the optimized searching.
-size_t FindFirstOf(StringPiece piece, char c, size_t pos) {
- return piece.find(c, pos);
-}
-size_t FindFirstOf(StringPiece16 piece, char16 c, size_t pos) {
- return piece.find(c, pos);
-}
-size_t FindFirstOf(StringPiece piece, StringPiece one_of, size_t pos) {
- return piece.find_first_of(one_of, pos);
-}
-size_t FindFirstOf(StringPiece16 piece, StringPiece16 one_of, size_t pos) {
- return piece.find_first_of(one_of, pos);
-}
-
-// General string splitter template. Can take 8- or 16-bit input, can produce
-// the corresponding string or StringPiece output, and can take single- or
-// multiple-character delimiters.
-//
-// DelimiterType is either a character (Str::value_type) or a string piece of
-// multiple characters (BasicStringPiece<Str>). StringPiece has a version of
-// find for both of these cases, and the single-character version is the most
-// common and can be implemented faster, which is why this is a template.
-template<typename Str, typename OutputStringType, typename DelimiterType>
-static std::vector<OutputStringType> SplitStringT(
- BasicStringPiece<Str> str,
- DelimiterType delimiter,
- WhitespaceHandling whitespace,
- SplitResult result_type) {
- std::vector<OutputStringType> result;
- if (str.empty())
- return result;
-
- size_t start = 0;
- while (start != Str::npos) {
- size_t end = FindFirstOf(str, delimiter, start);
-
- BasicStringPiece<Str> piece;
- if (end == Str::npos) {
- piece = str.substr(start);
- start = Str::npos;
- } else {
- piece = str.substr(start, end - start);
- start = end + 1;
- }
-
- if (whitespace == TRIM_WHITESPACE)
- piece = TrimString(piece, WhitespaceForType<Str>(), TRIM_ALL);
-
- if (result_type == SPLIT_WANT_ALL || !piece.empty())
- result.push_back(PieceToOutputType<Str, OutputStringType>(piece));
- }
- return result;
-}
-
-bool AppendStringKeyValue(StringPiece input,
- char delimiter,
- StringPairs* result) {
- // Always append a new item regardless of success (it might be empty). The
- // below code will copy the strings directly into the result pair.
- result->resize(result->size() + 1);
- auto& result_pair = result->back();
-
- // Find the delimiter.
- size_t end_key_pos = input.find_first_of(delimiter);
- if (end_key_pos == std::string::npos) {
- DVLOG(1) << "cannot find delimiter in: " << input;
- return false; // No delimiter.
- }
- input.substr(0, end_key_pos).CopyToString(&result_pair.first);
-
- // Find the value string.
- StringPiece remains = input.substr(end_key_pos, input.size() - end_key_pos);
- size_t begin_value_pos = remains.find_first_not_of(delimiter);
- if (begin_value_pos == StringPiece::npos) {
- DVLOG(1) << "cannot parse value from input: " << input;
- return false; // No value.
- }
- remains.substr(begin_value_pos, remains.size() - begin_value_pos)
- .CopyToString(&result_pair.second);
-
- return true;
-}
-
-template <typename Str, typename OutputStringType>
-void SplitStringUsingSubstrT(BasicStringPiece<Str> input,
- BasicStringPiece<Str> delimiter,
- WhitespaceHandling whitespace,
- SplitResult result_type,
- std::vector<OutputStringType>* result) {
- using Piece = BasicStringPiece<Str>;
- using size_type = typename Piece::size_type;
-
- result->clear();
- for (size_type begin_index = 0, end_index = 0; end_index != Piece::npos;
- begin_index = end_index + delimiter.size()) {
- end_index = input.find(delimiter, begin_index);
- Piece term = end_index == Piece::npos
- ? input.substr(begin_index)
- : input.substr(begin_index, end_index - begin_index);
-
- if (whitespace == TRIM_WHITESPACE)
- term = TrimString(term, WhitespaceForType<Str>(), TRIM_ALL);
-
- if (result_type == SPLIT_WANT_ALL || !term.empty())
- result->push_back(PieceToOutputType<Str, OutputStringType>(term));
- }
-}
-
-} // namespace
-
-std::vector<std::string> SplitString(StringPiece input,
- StringPiece separators,
- WhitespaceHandling whitespace,
- SplitResult result_type) {
- if (separators.size() == 1) {
- return SplitStringT<std::string, std::string, char>(
- input, separators[0], whitespace, result_type);
- }
- return SplitStringT<std::string, std::string, StringPiece>(
- input, separators, whitespace, result_type);
-}
-
-std::vector<string16> SplitString(StringPiece16 input,
- StringPiece16 separators,
- WhitespaceHandling whitespace,
- SplitResult result_type) {
- if (separators.size() == 1) {
- return SplitStringT<string16, string16, char16>(
- input, separators[0], whitespace, result_type);
- }
- return SplitStringT<string16, string16, StringPiece16>(
- input, separators, whitespace, result_type);
-}
-
-std::vector<StringPiece> SplitStringPiece(StringPiece input,
- StringPiece separators,
- WhitespaceHandling whitespace,
- SplitResult result_type) {
- if (separators.size() == 1) {
- return SplitStringT<std::string, StringPiece, char>(
- input, separators[0], whitespace, result_type);
- }
- return SplitStringT<std::string, StringPiece, StringPiece>(
- input, separators, whitespace, result_type);
-}
-
-std::vector<StringPiece16> SplitStringPiece(StringPiece16 input,
- StringPiece16 separators,
- WhitespaceHandling whitespace,
- SplitResult result_type) {
- if (separators.size() == 1) {
- return SplitStringT<string16, StringPiece16, char16>(
- input, separators[0], whitespace, result_type);
- }
- return SplitStringT<string16, StringPiece16, StringPiece16>(
- input, separators, whitespace, result_type);
-}
-
-bool SplitStringIntoKeyValuePairs(StringPiece input,
- char key_value_delimiter,
- char key_value_pair_delimiter,
- StringPairs* key_value_pairs) {
- key_value_pairs->clear();
-
- std::vector<StringPiece> pairs = SplitStringPiece(
- input, std::string(1, key_value_pair_delimiter),
- TRIM_WHITESPACE, SPLIT_WANT_NONEMPTY);
- key_value_pairs->reserve(pairs.size());
-
- bool success = true;
- for (const StringPiece& pair : pairs) {
- if (!AppendStringKeyValue(pair, key_value_delimiter, key_value_pairs)) {
- // Don't return here, to allow for pairs without associated
- // value or key; just record that the split failed.
- success = false;
- }
- }
- return success;
-}
-
-void SplitStringUsingSubstr(StringPiece16 input,
- StringPiece16 delimiter,
- std::vector<string16>* result) {
- SplitStringUsingSubstrT(input, delimiter, TRIM_WHITESPACE, SPLIT_WANT_ALL,
- result);
-}
-
-void SplitStringUsingSubstr(StringPiece input,
- StringPiece delimiter,
- std::vector<std::string>* result) {
- SplitStringUsingSubstrT(input, delimiter, TRIM_WHITESPACE, SPLIT_WANT_ALL,
- result);
-}
-
-std::vector<StringPiece16> SplitStringPieceUsingSubstr(
- StringPiece16 input,
- StringPiece16 delimiter,
- WhitespaceHandling whitespace,
- SplitResult result_type) {
- std::vector<StringPiece16> result;
- SplitStringUsingSubstrT(input, delimiter, whitespace, result_type, &result);
- return result;
-}
-
-std::vector<StringPiece> SplitStringPieceUsingSubstr(
- StringPiece input,
- StringPiece delimiter,
- WhitespaceHandling whitespace,
- SplitResult result_type) {
- std::vector<StringPiece> result;
- SplitStringUsingSubstrT(input, delimiter, whitespace, result_type, &result);
- return result;
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/string_split.h b/security/sandbox/chromium/base/strings/string_split.h
deleted file mode 100644
index ec9f24604..000000000
--- a/security/sandbox/chromium/base/strings/string_split.h
+++ /dev/null
@@ -1,129 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_STRING_SPLIT_H_
-#define BASE_STRINGS_STRING_SPLIT_H_
-
-#include <string>
-#include <utility>
-#include <vector>
-
-#include "base/base_export.h"
-#include "base/strings/string16.h"
-#include "base/strings/string_piece.h"
-
-namespace base {
-
-enum WhitespaceHandling {
- KEEP_WHITESPACE,
- TRIM_WHITESPACE,
-};
-
-enum SplitResult {
- // Strictly return all results.
- //
- // If the input is ",," and the separator is ',' this will return a
- // vector of three empty strings.
- SPLIT_WANT_ALL,
-
- // Only nonempty results will be added to the results. Multiple separators
- // will be coalesced. Separators at the beginning and end of the input will
- // be ignored. With TRIM_WHITESPACE, whitespace-only results will be dropped.
- //
- // If the input is ",," and the separator is ',', this will return an empty
- // vector.
- SPLIT_WANT_NONEMPTY,
-};
-
-// Split the given string on ANY of the given separators, returning copies of
-// the result.
-//
-// To split on either commas or semicolons, keeping all whitespace:
-//
-// std::vector<std::string> tokens = base::SplitString(
-// input, ",;", base::KEEP_WHITESPACE, base::SPLIT_WANT_ALL);
-BASE_EXPORT std::vector<std::string> SplitString(
- StringPiece input,
- StringPiece separators,
- WhitespaceHandling whitespace,
- SplitResult result_type);
-BASE_EXPORT std::vector<string16> SplitString(
- StringPiece16 input,
- StringPiece16 separators,
- WhitespaceHandling whitespace,
- SplitResult result_type);
-
-// Like SplitString above except it returns a vector of StringPieces which
-// reference the original buffer without copying. Although you have to be
-// careful to keep the original string unmodified, this provides an efficient
-// way to iterate through tokens in a string.
-//
-// To iterate through all whitespace-separated tokens in an input string:
-//
-// for (const auto& cur :
-// base::SplitStringPiece(input, base::kWhitespaceASCII,
-// base::KEEP_WHITESPACE,
-// base::SPLIT_WANT_NONEMPTY)) {
-// ...
-BASE_EXPORT std::vector<StringPiece> SplitStringPiece(
- StringPiece input,
- StringPiece separators,
- WhitespaceHandling whitespace,
- SplitResult result_type);
-BASE_EXPORT std::vector<StringPiece16> SplitStringPiece(
- StringPiece16 input,
- StringPiece16 separators,
- WhitespaceHandling whitespace,
- SplitResult result_type);
-
-using StringPairs = std::vector<std::pair<std::string, std::string>>;
-
-// Splits |line| into key value pairs according to the given delimiters and
-// removes whitespace leading each key and trailing each value. Returns true
-// only if each pair has a non-empty key and value. |key_value_pairs| will
-// include ("","") pairs for entries without |key_value_delimiter|.
-BASE_EXPORT bool SplitStringIntoKeyValuePairs(StringPiece input,
- char key_value_delimiter,
- char key_value_pair_delimiter,
- StringPairs* key_value_pairs);
-
-// Similar to SplitString, but use a substring delimiter instead of a list of
-// characters that are all possible delimiters.
-//
-// TODO(brettw) this should probably be changed and expanded to provide a
-// mirror of the SplitString[Piece] API above, just with the different
-// delimiter handling.
-BASE_EXPORT void SplitStringUsingSubstr(StringPiece16 input,
- StringPiece16 delimiter,
- std::vector<string16>* result);
-BASE_EXPORT void SplitStringUsingSubstr(StringPiece input,
- StringPiece delimiter,
- std::vector<std::string>* result);
-
-// Like SplitStringUsingSubstr above except it returns a vector of StringPieces
-// which reference the original buffer without copying. Although you have to be
-// careful to keep the original string unmodified, this provides an efficient
-// way to iterate through tokens in a string.
-//
-// To iterate through all newline-separated tokens in an input string:
-//
-// for (const auto& cur :
-// base::SplitStringUsingSubstr(input, "\r\n",
-// base::KEEP_WHITESPACE,
-// base::SPLIT_WANT_NONEMPTY)) {
-// ...
-BASE_EXPORT std::vector<StringPiece16> SplitStringPieceUsingSubstr(
- StringPiece16 input,
- StringPiece16 delimiter,
- WhitespaceHandling whitespace,
- SplitResult result_type);
-BASE_EXPORT std::vector<StringPiece> SplitStringPieceUsingSubstr(
- StringPiece input,
- StringPiece delimiter,
- WhitespaceHandling whitespace,
- SplitResult result_type);
-
-} // namespace base
-
-#endif // BASE_STRINGS_STRING_SPLIT_H_
diff --git a/security/sandbox/chromium/base/strings/string_util.cc b/security/sandbox/chromium/base/strings/string_util.cc
deleted file mode 100644
index e8000abd4..000000000
--- a/security/sandbox/chromium/base/strings/string_util.cc
+++ /dev/null
@@ -1,1001 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/string_util.h"
-
-#include <ctype.h>
-#include <errno.h>
-#include <math.h>
-#include <stdarg.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <time.h>
-#include <wchar.h>
-#include <wctype.h>
-
-#include <algorithm>
-#include <limits>
-#include <vector>
-
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/memory/singleton.h"
-#include "base/strings/string_split.h"
-#include "base/strings/utf_string_conversion_utils.h"
-#include "base/strings/utf_string_conversions.h"
-#include "base/third_party/icu/icu_utf.h"
-#include "build/build_config.h"
-
-namespace base {
-
-namespace {
-
-// Force the singleton used by EmptyString[16] to be a unique type. This
-// prevents other code that might accidentally use Singleton<string> from
-// getting our internal one.
-struct EmptyStrings {
- EmptyStrings() {}
- const std::string s;
- const string16 s16;
-
- static EmptyStrings* GetInstance() {
- return Singleton<EmptyStrings>::get();
- }
-};
-
-// Used by ReplaceStringPlaceholders to track the position in the string of
-// replaced parameters.
-struct ReplacementOffset {
- ReplacementOffset(uintptr_t parameter, size_t offset)
- : parameter(parameter),
- offset(offset) {}
-
- // Index of the parameter.
- uintptr_t parameter;
-
- // Starting position in the string.
- size_t offset;
-};
-
-static bool CompareParameter(const ReplacementOffset& elem1,
- const ReplacementOffset& elem2) {
- return elem1.parameter < elem2.parameter;
-}
-
-// Assuming that a pointer is the size of a "machine word", then
-// uintptr_t is an integer type that is also a machine word.
-typedef uintptr_t MachineWord;
-const uintptr_t kMachineWordAlignmentMask = sizeof(MachineWord) - 1;
-
-inline bool IsAlignedToMachineWord(const void* pointer) {
- return !(reinterpret_cast<MachineWord>(pointer) & kMachineWordAlignmentMask);
-}
-
-template<typename T> inline T* AlignToMachineWord(T* pointer) {
- return reinterpret_cast<T*>(reinterpret_cast<MachineWord>(pointer) &
- ~kMachineWordAlignmentMask);
-}
-
-template<size_t size, typename CharacterType> struct NonASCIIMask;
-template<> struct NonASCIIMask<4, char16> {
- static inline uint32_t value() { return 0xFF80FF80U; }
-};
-template<> struct NonASCIIMask<4, char> {
- static inline uint32_t value() { return 0x80808080U; }
-};
-template<> struct NonASCIIMask<8, char16> {
- static inline uint64_t value() { return 0xFF80FF80FF80FF80ULL; }
-};
-template<> struct NonASCIIMask<8, char> {
- static inline uint64_t value() { return 0x8080808080808080ULL; }
-};
-#if defined(WCHAR_T_IS_UTF32)
-template<> struct NonASCIIMask<4, wchar_t> {
- static inline uint32_t value() { return 0xFFFFFF80U; }
-};
-template<> struct NonASCIIMask<8, wchar_t> {
- static inline uint64_t value() { return 0xFFFFFF80FFFFFF80ULL; }
-};
-#endif // WCHAR_T_IS_UTF32
-
-} // namespace
-
-bool IsWprintfFormatPortable(const wchar_t* format) {
- for (const wchar_t* position = format; *position != '\0'; ++position) {
- if (*position == '%') {
- bool in_specification = true;
- bool modifier_l = false;
- while (in_specification) {
- // Eat up characters until reaching a known specifier.
- if (*++position == '\0') {
- // The format string ended in the middle of a specification. Call
- // it portable because no unportable specifications were found. The
- // string is equally broken on all platforms.
- return true;
- }
-
- if (*position == 'l') {
- // 'l' is the only thing that can save the 's' and 'c' specifiers.
- modifier_l = true;
- } else if (((*position == 's' || *position == 'c') && !modifier_l) ||
- *position == 'S' || *position == 'C' || *position == 'F' ||
- *position == 'D' || *position == 'O' || *position == 'U') {
- // Not portable.
- return false;
- }
-
- if (wcschr(L"diouxXeEfgGaAcspn%", *position)) {
- // Portable, keep scanning the rest of the format string.
- in_specification = false;
- }
- }
- }
- }
-
- return true;
-}
-
-namespace {
-
-template<typename StringType>
-StringType ToLowerASCIIImpl(BasicStringPiece<StringType> str) {
- StringType ret;
- ret.reserve(str.size());
- for (size_t i = 0; i < str.size(); i++)
- ret.push_back(ToLowerASCII(str[i]));
- return ret;
-}
-
-template<typename StringType>
-StringType ToUpperASCIIImpl(BasicStringPiece<StringType> str) {
- StringType ret;
- ret.reserve(str.size());
- for (size_t i = 0; i < str.size(); i++)
- ret.push_back(ToUpperASCII(str[i]));
- return ret;
-}
-
-} // namespace
-
-std::string ToLowerASCII(StringPiece str) {
- return ToLowerASCIIImpl<std::string>(str);
-}
-
-string16 ToLowerASCII(StringPiece16 str) {
- return ToLowerASCIIImpl<string16>(str);
-}
-
-std::string ToUpperASCII(StringPiece str) {
- return ToUpperASCIIImpl<std::string>(str);
-}
-
-string16 ToUpperASCII(StringPiece16 str) {
- return ToUpperASCIIImpl<string16>(str);
-}
-
-template<class StringType>
-int CompareCaseInsensitiveASCIIT(BasicStringPiece<StringType> a,
- BasicStringPiece<StringType> b) {
- // Find the first characters that aren't equal and compare them. If the end
- // of one of the strings is found before a nonequal character, the lengths
- // of the strings are compared.
- size_t i = 0;
- while (i < a.length() && i < b.length()) {
- typename StringType::value_type lower_a = ToLowerASCII(a[i]);
- typename StringType::value_type lower_b = ToLowerASCII(b[i]);
- if (lower_a < lower_b)
- return -1;
- if (lower_a > lower_b)
- return 1;
- i++;
- }
-
- // End of one string hit before finding a different character. Expect the
- // common case to be "strings equal" at this point so check that first.
- if (a.length() == b.length())
- return 0;
-
- if (a.length() < b.length())
- return -1;
- return 1;
-}
-
-int CompareCaseInsensitiveASCII(StringPiece a, StringPiece b) {
- return CompareCaseInsensitiveASCIIT<std::string>(a, b);
-}
-
-int CompareCaseInsensitiveASCII(StringPiece16 a, StringPiece16 b) {
- return CompareCaseInsensitiveASCIIT<string16>(a, b);
-}
-
-bool EqualsCaseInsensitiveASCII(StringPiece a, StringPiece b) {
- if (a.length() != b.length())
- return false;
- return CompareCaseInsensitiveASCIIT<std::string>(a, b) == 0;
-}
-
-bool EqualsCaseInsensitiveASCII(StringPiece16 a, StringPiece16 b) {
- if (a.length() != b.length())
- return false;
- return CompareCaseInsensitiveASCIIT<string16>(a, b) == 0;
-}
-
-const std::string& EmptyString() {
- return EmptyStrings::GetInstance()->s;
-}
-
-const string16& EmptyString16() {
- return EmptyStrings::GetInstance()->s16;
-}
-
-template<typename STR>
-bool ReplaceCharsT(const STR& input,
- const STR& replace_chars,
- const STR& replace_with,
- STR* output) {
- bool removed = false;
- size_t replace_length = replace_with.length();
-
- *output = input;
-
- size_t found = output->find_first_of(replace_chars);
- while (found != STR::npos) {
- removed = true;
- output->replace(found, 1, replace_with);
- found = output->find_first_of(replace_chars, found + replace_length);
- }
-
- return removed;
-}
-
-bool ReplaceChars(const string16& input,
- const StringPiece16& replace_chars,
- const string16& replace_with,
- string16* output) {
- return ReplaceCharsT(input, replace_chars.as_string(), replace_with, output);
-}
-
-bool ReplaceChars(const std::string& input,
- const StringPiece& replace_chars,
- const std::string& replace_with,
- std::string* output) {
- return ReplaceCharsT(input, replace_chars.as_string(), replace_with, output);
-}
-
-bool RemoveChars(const string16& input,
- const StringPiece16& remove_chars,
- string16* output) {
- return ReplaceChars(input, remove_chars.as_string(), string16(), output);
-}
-
-bool RemoveChars(const std::string& input,
- const StringPiece& remove_chars,
- std::string* output) {
- return ReplaceChars(input, remove_chars.as_string(), std::string(), output);
-}
-
-template<typename Str>
-TrimPositions TrimStringT(const Str& input,
- BasicStringPiece<Str> trim_chars,
- TrimPositions positions,
- Str* output) {
- // Find the edges of leading/trailing whitespace as desired. Need to use
- // a StringPiece version of input to be able to call find* on it with the
- // StringPiece version of trim_chars (normally the trim_chars will be a
- // constant so avoid making a copy).
- BasicStringPiece<Str> input_piece(input);
- const size_t last_char = input.length() - 1;
- const size_t first_good_char = (positions & TRIM_LEADING) ?
- input_piece.find_first_not_of(trim_chars) : 0;
- const size_t last_good_char = (positions & TRIM_TRAILING) ?
- input_piece.find_last_not_of(trim_chars) : last_char;
-
- // When the string was all trimmed, report that we stripped off characters
- // from whichever position the caller was interested in. For empty input, we
- // stripped no characters, but we still need to clear |output|.
- if (input.empty() ||
- (first_good_char == Str::npos) || (last_good_char == Str::npos)) {
- bool input_was_empty = input.empty(); // in case output == &input
- output->clear();
- return input_was_empty ? TRIM_NONE : positions;
- }
-
- // Trim.
- *output =
- input.substr(first_good_char, last_good_char - first_good_char + 1);
-
- // Return where we trimmed from.
- return static_cast<TrimPositions>(
- ((first_good_char == 0) ? TRIM_NONE : TRIM_LEADING) |
- ((last_good_char == last_char) ? TRIM_NONE : TRIM_TRAILING));
-}
-
-bool TrimString(const string16& input,
- StringPiece16 trim_chars,
- string16* output) {
- return TrimStringT(input, trim_chars, TRIM_ALL, output) != TRIM_NONE;
-}
-
-bool TrimString(const std::string& input,
- StringPiece trim_chars,
- std::string* output) {
- return TrimStringT(input, trim_chars, TRIM_ALL, output) != TRIM_NONE;
-}
-
-template<typename Str>
-BasicStringPiece<Str> TrimStringPieceT(BasicStringPiece<Str> input,
- BasicStringPiece<Str> trim_chars,
- TrimPositions positions) {
- size_t begin = (positions & TRIM_LEADING) ?
- input.find_first_not_of(trim_chars) : 0;
- size_t end = (positions & TRIM_TRAILING) ?
- input.find_last_not_of(trim_chars) + 1 : input.size();
- return input.substr(begin, end - begin);
-}
-
-StringPiece16 TrimString(StringPiece16 input,
- const StringPiece16& trim_chars,
- TrimPositions positions) {
- return TrimStringPieceT(input, trim_chars, positions);
-}
-
-StringPiece TrimString(StringPiece input,
- const StringPiece& trim_chars,
- TrimPositions positions) {
- return TrimStringPieceT(input, trim_chars, positions);
-}
-
-void TruncateUTF8ToByteSize(const std::string& input,
- const size_t byte_size,
- std::string* output) {
- DCHECK(output);
- if (byte_size > input.length()) {
- *output = input;
- return;
- }
- DCHECK_LE(byte_size,
- static_cast<uint32_t>(std::numeric_limits<int32_t>::max()));
- // Note: This cast is necessary because CBU8_NEXT uses int32_ts.
- int32_t truncation_length = static_cast<int32_t>(byte_size);
- int32_t char_index = truncation_length - 1;
- const char* data = input.data();
-
- // Using CBU8, we will move backwards from the truncation point
- // to the beginning of the string looking for a valid UTF8
- // character. Once a full UTF8 character is found, we will
- // truncate the string to the end of that character.
- while (char_index >= 0) {
- int32_t prev = char_index;
- base_icu::UChar32 code_point = 0;
- CBU8_NEXT(data, char_index, truncation_length, code_point);
- if (!IsValidCharacter(code_point) ||
- !IsValidCodepoint(code_point)) {
- char_index = prev - 1;
- } else {
- break;
- }
- }
-
- if (char_index >= 0 )
- *output = input.substr(0, char_index);
- else
- output->clear();
-}
-
-TrimPositions TrimWhitespace(const string16& input,
- TrimPositions positions,
- string16* output) {
- return TrimStringT(input, StringPiece16(kWhitespaceUTF16), positions, output);
-}
-
-StringPiece16 TrimWhitespace(StringPiece16 input,
- TrimPositions positions) {
- return TrimStringPieceT(input, StringPiece16(kWhitespaceUTF16), positions);
-}
-
-TrimPositions TrimWhitespaceASCII(const std::string& input,
- TrimPositions positions,
- std::string* output) {
- return TrimStringT(input, StringPiece(kWhitespaceASCII), positions, output);
-}
-
-StringPiece TrimWhitespaceASCII(StringPiece input, TrimPositions positions) {
- return TrimStringPieceT(input, StringPiece(kWhitespaceASCII), positions);
-}
-
-template<typename STR>
-STR CollapseWhitespaceT(const STR& text,
- bool trim_sequences_with_line_breaks) {
- STR result;
- result.resize(text.size());
-
- // Set flags to pretend we're already in a trimmed whitespace sequence, so we
- // will trim any leading whitespace.
- bool in_whitespace = true;
- bool already_trimmed = true;
-
- int chars_written = 0;
- for (typename STR::const_iterator i(text.begin()); i != text.end(); ++i) {
- if (IsUnicodeWhitespace(*i)) {
- if (!in_whitespace) {
- // Reduce all whitespace sequences to a single space.
- in_whitespace = true;
- result[chars_written++] = L' ';
- }
- if (trim_sequences_with_line_breaks && !already_trimmed &&
- ((*i == '\n') || (*i == '\r'))) {
- // Whitespace sequences containing CR or LF are eliminated entirely.
- already_trimmed = true;
- --chars_written;
- }
- } else {
- // Non-whitespace chracters are copied straight across.
- in_whitespace = false;
- already_trimmed = false;
- result[chars_written++] = *i;
- }
- }
-
- if (in_whitespace && !already_trimmed) {
- // Any trailing whitespace is eliminated.
- --chars_written;
- }
-
- result.resize(chars_written);
- return result;
-}
-
-string16 CollapseWhitespace(const string16& text,
- bool trim_sequences_with_line_breaks) {
- return CollapseWhitespaceT(text, trim_sequences_with_line_breaks);
-}
-
-std::string CollapseWhitespaceASCII(const std::string& text,
- bool trim_sequences_with_line_breaks) {
- return CollapseWhitespaceT(text, trim_sequences_with_line_breaks);
-}
-
-bool ContainsOnlyChars(const StringPiece& input,
- const StringPiece& characters) {
- return input.find_first_not_of(characters) == StringPiece::npos;
-}
-
-bool ContainsOnlyChars(const StringPiece16& input,
- const StringPiece16& characters) {
- return input.find_first_not_of(characters) == StringPiece16::npos;
-}
-
-template <class Char>
-inline bool DoIsStringASCII(const Char* characters, size_t length) {
- MachineWord all_char_bits = 0;
- const Char* end = characters + length;
-
- // Prologue: align the input.
- while (!IsAlignedToMachineWord(characters) && characters != end) {
- all_char_bits |= *characters;
- ++characters;
- }
-
- // Compare the values of CPU word size.
- const Char* word_end = AlignToMachineWord(end);
- const size_t loop_increment = sizeof(MachineWord) / sizeof(Char);
- while (characters < word_end) {
- all_char_bits |= *(reinterpret_cast<const MachineWord*>(characters));
- characters += loop_increment;
- }
-
- // Process the remaining bytes.
- while (characters != end) {
- all_char_bits |= *characters;
- ++characters;
- }
-
- MachineWord non_ascii_bit_mask =
- NonASCIIMask<sizeof(MachineWord), Char>::value();
- return !(all_char_bits & non_ascii_bit_mask);
-}
-
-bool IsStringASCII(const StringPiece& str) {
- return DoIsStringASCII(str.data(), str.length());
-}
-
-bool IsStringASCII(const StringPiece16& str) {
- return DoIsStringASCII(str.data(), str.length());
-}
-
-bool IsStringASCII(const string16& str) {
- return DoIsStringASCII(str.data(), str.length());
-}
-
-#if defined(WCHAR_T_IS_UTF32)
-bool IsStringASCII(const std::wstring& str) {
- return DoIsStringASCII(str.data(), str.length());
-}
-#endif
-
-bool IsStringUTF8(const StringPiece& str) {
- const char *src = str.data();
- int32_t src_len = static_cast<int32_t>(str.length());
- int32_t char_index = 0;
-
- while (char_index < src_len) {
- int32_t code_point;
- CBU8_NEXT(src, char_index, src_len, code_point);
- if (!IsValidCharacter(code_point))
- return false;
- }
- return true;
-}
-
-// Implementation note: Normally this function will be called with a hardcoded
-// constant for the lowercase_ascii parameter. Constructing a StringPiece from
-// a C constant requires running strlen, so the result will be two passes
-// through the buffers, one to file the length of lowercase_ascii, and one to
-// compare each letter.
-//
-// This function could have taken a const char* to avoid this and only do one
-// pass through the string. But the strlen is faster than the case-insensitive
-// compares and lets us early-exit in the case that the strings are different
-// lengths (will often be the case for non-matches). So whether one approach or
-// the other will be faster depends on the case.
-//
-// The hardcoded strings are typically very short so it doesn't matter, and the
-// string piece gives additional flexibility for the caller (doesn't have to be
-// null terminated) so we choose the StringPiece route.
-template<typename Str>
-static inline bool DoLowerCaseEqualsASCII(BasicStringPiece<Str> str,
- StringPiece lowercase_ascii) {
- if (str.size() != lowercase_ascii.size())
- return false;
- for (size_t i = 0; i < str.size(); i++) {
- if (ToLowerASCII(str[i]) != lowercase_ascii[i])
- return false;
- }
- return true;
-}
-
-bool LowerCaseEqualsASCII(StringPiece str, StringPiece lowercase_ascii) {
- return DoLowerCaseEqualsASCII<std::string>(str, lowercase_ascii);
-}
-
-bool LowerCaseEqualsASCII(StringPiece16 str, StringPiece lowercase_ascii) {
- return DoLowerCaseEqualsASCII<string16>(str, lowercase_ascii);
-}
-
-bool EqualsASCII(StringPiece16 str, StringPiece ascii) {
- if (str.length() != ascii.length())
- return false;
- return std::equal(ascii.begin(), ascii.end(), str.begin());
-}
-
-template<typename Str>
-bool StartsWithT(BasicStringPiece<Str> str,
- BasicStringPiece<Str> search_for,
- CompareCase case_sensitivity) {
- if (search_for.size() > str.size())
- return false;
-
- BasicStringPiece<Str> source = str.substr(0, search_for.size());
-
- switch (case_sensitivity) {
- case CompareCase::SENSITIVE:
- return source == search_for;
-
- case CompareCase::INSENSITIVE_ASCII:
- return std::equal(
- search_for.begin(), search_for.end(),
- source.begin(),
- CaseInsensitiveCompareASCII<typename Str::value_type>());
-
- default:
- NOTREACHED();
- return false;
- }
-}
-
-bool StartsWith(StringPiece str,
- StringPiece search_for,
- CompareCase case_sensitivity) {
- return StartsWithT<std::string>(str, search_for, case_sensitivity);
-}
-
-bool StartsWith(StringPiece16 str,
- StringPiece16 search_for,
- CompareCase case_sensitivity) {
- return StartsWithT<string16>(str, search_for, case_sensitivity);
-}
-
-template <typename Str>
-bool EndsWithT(BasicStringPiece<Str> str,
- BasicStringPiece<Str> search_for,
- CompareCase case_sensitivity) {
- if (search_for.size() > str.size())
- return false;
-
- BasicStringPiece<Str> source = str.substr(str.size() - search_for.size(),
- search_for.size());
-
- switch (case_sensitivity) {
- case CompareCase::SENSITIVE:
- return source == search_for;
-
- case CompareCase::INSENSITIVE_ASCII:
- return std::equal(
- source.begin(), source.end(),
- search_for.begin(),
- CaseInsensitiveCompareASCII<typename Str::value_type>());
-
- default:
- NOTREACHED();
- return false;
- }
-}
-
-bool EndsWith(StringPiece str,
- StringPiece search_for,
- CompareCase case_sensitivity) {
- return EndsWithT<std::string>(str, search_for, case_sensitivity);
-}
-
-bool EndsWith(StringPiece16 str,
- StringPiece16 search_for,
- CompareCase case_sensitivity) {
- return EndsWithT<string16>(str, search_for, case_sensitivity);
-}
-
-char HexDigitToInt(wchar_t c) {
- DCHECK(IsHexDigit(c));
- if (c >= '0' && c <= '9')
- return static_cast<char>(c - '0');
- if (c >= 'A' && c <= 'F')
- return static_cast<char>(c - 'A' + 10);
- if (c >= 'a' && c <= 'f')
- return static_cast<char>(c - 'a' + 10);
- return 0;
-}
-
-bool IsUnicodeWhitespace(wchar_t c) {
- // kWhitespaceWide is a NULL-terminated string
- for (const wchar_t* cur = kWhitespaceWide; *cur; ++cur) {
- if (*cur == c)
- return true;
- }
- return false;
-}
-
-static const char* const kByteStringsUnlocalized[] = {
- " B",
- " kB",
- " MB",
- " GB",
- " TB",
- " PB"
-};
-
-string16 FormatBytesUnlocalized(int64_t bytes) {
- double unit_amount = static_cast<double>(bytes);
- size_t dimension = 0;
- const int kKilo = 1024;
- while (unit_amount >= kKilo &&
- dimension < arraysize(kByteStringsUnlocalized) - 1) {
- unit_amount /= kKilo;
- dimension++;
- }
-
- char buf[64];
- if (bytes != 0 && dimension > 0 && unit_amount < 100) {
- base::snprintf(buf, arraysize(buf), "%.1lf%s", unit_amount,
- kByteStringsUnlocalized[dimension]);
- } else {
- base::snprintf(buf, arraysize(buf), "%.0lf%s", unit_amount,
- kByteStringsUnlocalized[dimension]);
- }
-
- return ASCIIToUTF16(buf);
-}
-
-// Runs in O(n) time in the length of |str|.
-template<class StringType>
-void DoReplaceSubstringsAfterOffset(StringType* str,
- size_t offset,
- BasicStringPiece<StringType> find_this,
- BasicStringPiece<StringType> replace_with,
- bool replace_all) {
- DCHECK(!find_this.empty());
-
- // If the find string doesn't appear, there's nothing to do.
- offset = str->find(find_this.data(), offset, find_this.size());
- if (offset == StringType::npos)
- return;
-
- // If we're only replacing one instance, there's no need to do anything
- // complicated.
- size_t find_length = find_this.length();
- if (!replace_all) {
- str->replace(offset, find_length, replace_with.data(), replace_with.size());
- return;
- }
-
- // If the find and replace strings are the same length, we can simply use
- // replace() on each instance, and finish the entire operation in O(n) time.
- size_t replace_length = replace_with.length();
- if (find_length == replace_length) {
- do {
- str->replace(offset, find_length,
- replace_with.data(), replace_with.size());
- offset = str->find(find_this.data(), offset + replace_length,
- find_this.size());
- } while (offset != StringType::npos);
- return;
- }
-
- // Since the find and replace strings aren't the same length, a loop like the
- // one above would be O(n^2) in the worst case, as replace() will shift the
- // entire remaining string each time. We need to be more clever to keep
- // things O(n).
- //
- // If we're shortening the string, we can alternate replacements with shifting
- // forward the intervening characters using memmove().
- size_t str_length = str->length();
- if (find_length > replace_length) {
- size_t write_offset = offset;
- do {
- if (replace_length) {
- str->replace(write_offset, replace_length,
- replace_with.data(), replace_with.size());
- write_offset += replace_length;
- }
- size_t read_offset = offset + find_length;
- offset = std::min(
- str->find(find_this.data(), read_offset, find_this.size()),
- str_length);
- size_t length = offset - read_offset;
- if (length) {
- memmove(&(*str)[write_offset], &(*str)[read_offset],
- length * sizeof(typename StringType::value_type));
- write_offset += length;
- }
- } while (offset < str_length);
- str->resize(write_offset);
- return;
- }
-
- // We're lengthening the string. We can use alternating replacements and
- // memmove() calls like above, but we need to precalculate the final string
- // length and then expand from back-to-front to avoid overwriting the string
- // as we're reading it, needing to shift, or having to copy to a second string
- // temporarily.
- size_t first_match = offset;
-
- // First, calculate the final length and resize the string.
- size_t final_length = str_length;
- size_t expansion = replace_length - find_length;
- size_t current_match;
- do {
- final_length += expansion;
- // Minor optimization: save this offset into |current_match|, so that on
- // exit from the loop, |current_match| will point at the last instance of
- // the find string, and we won't need to find() it again immediately.
- current_match = offset;
- offset = str->find(find_this.data(), offset + find_length,
- find_this.size());
- } while (offset != StringType::npos);
- str->resize(final_length);
-
- // Now do the replacement loop, working backwards through the string.
- for (size_t prev_match = str_length, write_offset = final_length; ;
- current_match = str->rfind(find_this.data(), current_match - 1,
- find_this.size())) {
- size_t read_offset = current_match + find_length;
- size_t length = prev_match - read_offset;
- if (length) {
- write_offset -= length;
- memmove(&(*str)[write_offset], &(*str)[read_offset],
- length * sizeof(typename StringType::value_type));
- }
- write_offset -= replace_length;
- str->replace(write_offset, replace_length,
- replace_with.data(), replace_with.size());
- if (current_match == first_match)
- return;
- prev_match = current_match;
- }
-}
-
-void ReplaceFirstSubstringAfterOffset(string16* str,
- size_t start_offset,
- StringPiece16 find_this,
- StringPiece16 replace_with) {
- DoReplaceSubstringsAfterOffset<string16>(
- str, start_offset, find_this, replace_with, false); // Replace first.
-}
-
-void ReplaceFirstSubstringAfterOffset(std::string* str,
- size_t start_offset,
- StringPiece find_this,
- StringPiece replace_with) {
- DoReplaceSubstringsAfterOffset<std::string>(
- str, start_offset, find_this, replace_with, false); // Replace first.
-}
-
-void ReplaceSubstringsAfterOffset(string16* str,
- size_t start_offset,
- StringPiece16 find_this,
- StringPiece16 replace_with) {
- DoReplaceSubstringsAfterOffset<string16>(
- str, start_offset, find_this, replace_with, true); // Replace all.
-}
-
-void ReplaceSubstringsAfterOffset(std::string* str,
- size_t start_offset,
- StringPiece find_this,
- StringPiece replace_with) {
- DoReplaceSubstringsAfterOffset<std::string>(
- str, start_offset, find_this, replace_with, true); // Replace all.
-}
-
-template <class string_type>
-inline typename string_type::value_type* WriteIntoT(string_type* str,
- size_t length_with_null) {
- DCHECK_GT(length_with_null, 1u);
- str->reserve(length_with_null);
- str->resize(length_with_null - 1);
- return &((*str)[0]);
-}
-
-char* WriteInto(std::string* str, size_t length_with_null) {
- return WriteIntoT(str, length_with_null);
-}
-
-char16* WriteInto(string16* str, size_t length_with_null) {
- return WriteIntoT(str, length_with_null);
-}
-
-template<typename STR>
-static STR JoinStringT(const std::vector<STR>& parts,
- BasicStringPiece<STR> sep) {
- if (parts.empty())
- return STR();
-
- STR result(parts[0]);
- auto iter = parts.begin();
- ++iter;
-
- for (; iter != parts.end(); ++iter) {
- sep.AppendToString(&result);
- result += *iter;
- }
-
- return result;
-}
-
-std::string JoinString(const std::vector<std::string>& parts,
- StringPiece separator) {
- return JoinStringT(parts, separator);
-}
-
-string16 JoinString(const std::vector<string16>& parts,
- StringPiece16 separator) {
- return JoinStringT(parts, separator);
-}
-
-template<class FormatStringType, class OutStringType>
-OutStringType DoReplaceStringPlaceholders(
- const FormatStringType& format_string,
- const std::vector<OutStringType>& subst,
- std::vector<size_t>* offsets) {
- size_t substitutions = subst.size();
-
- size_t sub_length = 0;
- for (const auto& cur : subst)
- sub_length += cur.length();
-
- OutStringType formatted;
- formatted.reserve(format_string.length() + sub_length);
-
- std::vector<ReplacementOffset> r_offsets;
- for (auto i = format_string.begin(); i != format_string.end(); ++i) {
- if ('$' == *i) {
- if (i + 1 != format_string.end()) {
- ++i;
- DCHECK('$' == *i || '1' <= *i) << "Invalid placeholder: " << *i;
- if ('$' == *i) {
- while (i != format_string.end() && '$' == *i) {
- formatted.push_back('$');
- ++i;
- }
- --i;
- } else {
- uintptr_t index = 0;
- while (i != format_string.end() && '0' <= *i && *i <= '9') {
- index *= 10;
- index += *i - '0';
- ++i;
- }
- --i;
- index -= 1;
- if (offsets) {
- ReplacementOffset r_offset(index,
- static_cast<int>(formatted.size()));
- r_offsets.insert(std::lower_bound(r_offsets.begin(),
- r_offsets.end(),
- r_offset,
- &CompareParameter),
- r_offset);
- }
- if (index < substitutions)
- formatted.append(subst.at(index));
- }
- }
- } else {
- formatted.push_back(*i);
- }
- }
- if (offsets) {
- for (const auto& cur : r_offsets)
- offsets->push_back(cur.offset);
- }
- return formatted;
-}
-
-string16 ReplaceStringPlaceholders(const string16& format_string,
- const std::vector<string16>& subst,
- std::vector<size_t>* offsets) {
- return DoReplaceStringPlaceholders(format_string, subst, offsets);
-}
-
-std::string ReplaceStringPlaceholders(const StringPiece& format_string,
- const std::vector<std::string>& subst,
- std::vector<size_t>* offsets) {
- return DoReplaceStringPlaceholders(format_string, subst, offsets);
-}
-
-string16 ReplaceStringPlaceholders(const string16& format_string,
- const string16& a,
- size_t* offset) {
- std::vector<size_t> offsets;
- std::vector<string16> subst;
- subst.push_back(a);
- string16 result = ReplaceStringPlaceholders(format_string, subst, &offsets);
-
- DCHECK_EQ(1U, offsets.size());
- if (offset)
- *offset = offsets[0];
- return result;
-}
-
-// The following code is compatible with the OpenBSD lcpy interface. See:
-// http://www.gratisoft.us/todd/papers/strlcpy.html
-// ftp://ftp.openbsd.org/pub/OpenBSD/src/lib/libc/string/{wcs,str}lcpy.c
-
-namespace {
-
-template <typename CHAR>
-size_t lcpyT(CHAR* dst, const CHAR* src, size_t dst_size) {
- for (size_t i = 0; i < dst_size; ++i) {
- if ((dst[i] = src[i]) == 0) // We hit and copied the terminating NULL.
- return i;
- }
-
- // We were left off at dst_size. We over copied 1 byte. Null terminate.
- if (dst_size != 0)
- dst[dst_size - 1] = 0;
-
- // Count the rest of the |src|, and return it's length in characters.
- while (src[dst_size]) ++dst_size;
- return dst_size;
-}
-
-} // namespace
-
-size_t strlcpy(char* dst, const char* src, size_t dst_size) {
- return lcpyT<char>(dst, src, dst_size);
-}
-size_t wcslcpy(wchar_t* dst, const wchar_t* src, size_t dst_size) {
- return lcpyT<wchar_t>(dst, src, dst_size);
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/string_util.h b/security/sandbox/chromium/base/strings/string_util.h
deleted file mode 100644
index e369f294d..000000000
--- a/security/sandbox/chromium/base/strings/string_util.h
+++ /dev/null
@@ -1,461 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-//
-// This file defines utility functions for working with strings.
-
-#ifndef BASE_STRINGS_STRING_UTIL_H_
-#define BASE_STRINGS_STRING_UTIL_H_
-
-#include <ctype.h>
-#include <stdarg.h> // va_list
-#include <stddef.h>
-#include <stdint.h>
-
-#include <string>
-#include <vector>
-
-#include "base/base_export.h"
-#include "base/compiler_specific.h"
-#include "base/strings/string16.h"
-#include "base/strings/string_piece.h" // For implicit conversions.
-#include "build/build_config.h"
-
-namespace base {
-
-// C standard-library functions that aren't cross-platform are provided as
-// "base::...", and their prototypes are listed below. These functions are
-// then implemented as inline calls to the platform-specific equivalents in the
-// platform-specific headers.
-
-// Wrapper for vsnprintf that always null-terminates and always returns the
-// number of characters that would be in an untruncated formatted
-// string, even when truncation occurs.
-int vsnprintf(char* buffer, size_t size, const char* format, va_list arguments)
- PRINTF_FORMAT(3, 0);
-
-// Some of these implementations need to be inlined.
-
-// We separate the declaration from the implementation of this inline
-// function just so the PRINTF_FORMAT works.
-inline int snprintf(char* buffer,
- size_t size,
- _Printf_format_string_ const char* format,
- ...) PRINTF_FORMAT(3, 4);
-inline int snprintf(char* buffer,
- size_t size,
- _Printf_format_string_ const char* format,
- ...) {
- va_list arguments;
- va_start(arguments, format);
- int result = vsnprintf(buffer, size, format, arguments);
- va_end(arguments);
- return result;
-}
-
-// BSD-style safe and consistent string copy functions.
-// Copies |src| to |dst|, where |dst_size| is the total allocated size of |dst|.
-// Copies at most |dst_size|-1 characters, and always NULL terminates |dst|, as
-// long as |dst_size| is not 0. Returns the length of |src| in characters.
-// If the return value is >= dst_size, then the output was truncated.
-// NOTE: All sizes are in number of characters, NOT in bytes.
-BASE_EXPORT size_t strlcpy(char* dst, const char* src, size_t dst_size);
-BASE_EXPORT size_t wcslcpy(wchar_t* dst, const wchar_t* src, size_t dst_size);
-
-// Scan a wprintf format string to determine whether it's portable across a
-// variety of systems. This function only checks that the conversion
-// specifiers used by the format string are supported and have the same meaning
-// on a variety of systems. It doesn't check for other errors that might occur
-// within a format string.
-//
-// Nonportable conversion specifiers for wprintf are:
-// - 's' and 'c' without an 'l' length modifier. %s and %c operate on char
-// data on all systems except Windows, which treat them as wchar_t data.
-// Use %ls and %lc for wchar_t data instead.
-// - 'S' and 'C', which operate on wchar_t data on all systems except Windows,
-// which treat them as char data. Use %ls and %lc for wchar_t data
-// instead.
-// - 'F', which is not identified by Windows wprintf documentation.
-// - 'D', 'O', and 'U', which are deprecated and not available on all systems.
-// Use %ld, %lo, and %lu instead.
-//
-// Note that there is no portable conversion specifier for char data when
-// working with wprintf.
-//
-// This function is intended to be called from base::vswprintf.
-BASE_EXPORT bool IsWprintfFormatPortable(const wchar_t* format);
-
-// ASCII-specific tolower. The standard library's tolower is locale sensitive,
-// so we don't want to use it here.
-inline char ToLowerASCII(char c) {
- return (c >= 'A' && c <= 'Z') ? (c + ('a' - 'A')) : c;
-}
-inline char16 ToLowerASCII(char16 c) {
- return (c >= 'A' && c <= 'Z') ? (c + ('a' - 'A')) : c;
-}
-
-// ASCII-specific toupper. The standard library's toupper is locale sensitive,
-// so we don't want to use it here.
-inline char ToUpperASCII(char c) {
- return (c >= 'a' && c <= 'z') ? (c + ('A' - 'a')) : c;
-}
-inline char16 ToUpperASCII(char16 c) {
- return (c >= 'a' && c <= 'z') ? (c + ('A' - 'a')) : c;
-}
-
-// Converts the given string to it's ASCII-lowercase equivalent.
-BASE_EXPORT std::string ToLowerASCII(StringPiece str);
-BASE_EXPORT string16 ToLowerASCII(StringPiece16 str);
-
-// Converts the given string to it's ASCII-uppercase equivalent.
-BASE_EXPORT std::string ToUpperASCII(StringPiece str);
-BASE_EXPORT string16 ToUpperASCII(StringPiece16 str);
-
-// Functor for case-insensitive ASCII comparisons for STL algorithms like
-// std::search.
-//
-// Note that a full Unicode version of this functor is not possible to write
-// because case mappings might change the number of characters, depend on
-// context (combining accents), and require handling UTF-16. If you need
-// proper Unicode support, use base::i18n::ToLower/FoldCase and then just
-// use a normal operator== on the result.
-template<typename Char> struct CaseInsensitiveCompareASCII {
- public:
- bool operator()(Char x, Char y) const {
- return ToLowerASCII(x) == ToLowerASCII(y);
- }
-};
-
-// Like strcasecmp for case-insensitive ASCII characters only. Returns:
-// -1 (a < b)
-// 0 (a == b)
-// 1 (a > b)
-// (unlike strcasecmp which can return values greater or less than 1/-1). For
-// full Unicode support, use base::i18n::ToLower or base::i18h::FoldCase
-// and then just call the normal string operators on the result.
-BASE_EXPORT int CompareCaseInsensitiveASCII(StringPiece a, StringPiece b);
-BASE_EXPORT int CompareCaseInsensitiveASCII(StringPiece16 a, StringPiece16 b);
-
-// Equality for ASCII case-insensitive comparisons. For full Unicode support,
-// use base::i18n::ToLower or base::i18h::FoldCase and then compare with either
-// == or !=.
-BASE_EXPORT bool EqualsCaseInsensitiveASCII(StringPiece a, StringPiece b);
-BASE_EXPORT bool EqualsCaseInsensitiveASCII(StringPiece16 a, StringPiece16 b);
-
-// These threadsafe functions return references to globally unique empty
-// strings.
-//
-// It is likely faster to construct a new empty string object (just a few
-// instructions to set the length to 0) than to get the empty string singleton
-// returned by these functions (which requires threadsafe singleton access).
-//
-// Therefore, DO NOT USE THESE AS A GENERAL-PURPOSE SUBSTITUTE FOR DEFAULT
-// CONSTRUCTORS. There is only one case where you should use these: functions
-// which need to return a string by reference (e.g. as a class member
-// accessor), and don't have an empty string to use (e.g. in an error case).
-// These should not be used as initializers, function arguments, or return
-// values for functions which return by value or outparam.
-BASE_EXPORT const std::string& EmptyString();
-BASE_EXPORT const string16& EmptyString16();
-
-// Contains the set of characters representing whitespace in the corresponding
-// encoding. Null-terminated. The ASCII versions are the whitespaces as defined
-// by HTML5, and don't include control characters.
-BASE_EXPORT extern const wchar_t kWhitespaceWide[]; // Includes Unicode.
-BASE_EXPORT extern const char16 kWhitespaceUTF16[]; // Includes Unicode.
-BASE_EXPORT extern const char kWhitespaceASCII[];
-BASE_EXPORT extern const char16 kWhitespaceASCIIAs16[]; // No unicode.
-
-// Null-terminated string representing the UTF-8 byte order mark.
-BASE_EXPORT extern const char kUtf8ByteOrderMark[];
-
-// Removes characters in |remove_chars| from anywhere in |input|. Returns true
-// if any characters were removed. |remove_chars| must be null-terminated.
-// NOTE: Safe to use the same variable for both |input| and |output|.
-BASE_EXPORT bool RemoveChars(const string16& input,
- const StringPiece16& remove_chars,
- string16* output);
-BASE_EXPORT bool RemoveChars(const std::string& input,
- const StringPiece& remove_chars,
- std::string* output);
-
-// Replaces characters in |replace_chars| from anywhere in |input| with
-// |replace_with|. Each character in |replace_chars| will be replaced with
-// the |replace_with| string. Returns true if any characters were replaced.
-// |replace_chars| must be null-terminated.
-// NOTE: Safe to use the same variable for both |input| and |output|.
-BASE_EXPORT bool ReplaceChars(const string16& input,
- const StringPiece16& replace_chars,
- const string16& replace_with,
- string16* output);
-BASE_EXPORT bool ReplaceChars(const std::string& input,
- const StringPiece& replace_chars,
- const std::string& replace_with,
- std::string* output);
-
-enum TrimPositions {
- TRIM_NONE = 0,
- TRIM_LEADING = 1 << 0,
- TRIM_TRAILING = 1 << 1,
- TRIM_ALL = TRIM_LEADING | TRIM_TRAILING,
-};
-
-// Removes characters in |trim_chars| from the beginning and end of |input|.
-// The 8-bit version only works on 8-bit characters, not UTF-8.
-//
-// It is safe to use the same variable for both |input| and |output| (this is
-// the normal usage to trim in-place).
-BASE_EXPORT bool TrimString(const string16& input,
- StringPiece16 trim_chars,
- string16* output);
-BASE_EXPORT bool TrimString(const std::string& input,
- StringPiece trim_chars,
- std::string* output);
-
-// StringPiece versions of the above. The returned pieces refer to the original
-// buffer.
-BASE_EXPORT StringPiece16 TrimString(StringPiece16 input,
- const StringPiece16& trim_chars,
- TrimPositions positions);
-BASE_EXPORT StringPiece TrimString(StringPiece input,
- const StringPiece& trim_chars,
- TrimPositions positions);
-
-// Truncates a string to the nearest UTF-8 character that will leave
-// the string less than or equal to the specified byte size.
-BASE_EXPORT void TruncateUTF8ToByteSize(const std::string& input,
- const size_t byte_size,
- std::string* output);
-
-// Trims any whitespace from either end of the input string.
-//
-// The StringPiece versions return a substring referencing the input buffer.
-// The ASCII versions look only for ASCII whitespace.
-//
-// The std::string versions return where whitespace was found.
-// NOTE: Safe to use the same variable for both input and output.
-BASE_EXPORT TrimPositions TrimWhitespace(const string16& input,
- TrimPositions positions,
- string16* output);
-BASE_EXPORT StringPiece16 TrimWhitespace(StringPiece16 input,
- TrimPositions positions);
-BASE_EXPORT TrimPositions TrimWhitespaceASCII(const std::string& input,
- TrimPositions positions,
- std::string* output);
-BASE_EXPORT StringPiece TrimWhitespaceASCII(StringPiece input,
- TrimPositions positions);
-
-// Searches for CR or LF characters. Removes all contiguous whitespace
-// strings that contain them. This is useful when trying to deal with text
-// copied from terminals.
-// Returns |text|, with the following three transformations:
-// (1) Leading and trailing whitespace is trimmed.
-// (2) If |trim_sequences_with_line_breaks| is true, any other whitespace
-// sequences containing a CR or LF are trimmed.
-// (3) All other whitespace sequences are converted to single spaces.
-BASE_EXPORT string16 CollapseWhitespace(
- const string16& text,
- bool trim_sequences_with_line_breaks);
-BASE_EXPORT std::string CollapseWhitespaceASCII(
- const std::string& text,
- bool trim_sequences_with_line_breaks);
-
-// Returns true if |input| is empty or contains only characters found in
-// |characters|.
-BASE_EXPORT bool ContainsOnlyChars(const StringPiece& input,
- const StringPiece& characters);
-BASE_EXPORT bool ContainsOnlyChars(const StringPiece16& input,
- const StringPiece16& characters);
-
-// Returns true if the specified string matches the criteria. How can a wide
-// string be 8-bit or UTF8? It contains only characters that are < 256 (in the
-// first case) or characters that use only 8-bits and whose 8-bit
-// representation looks like a UTF-8 string (the second case).
-//
-// Note that IsStringUTF8 checks not only if the input is structurally
-// valid but also if it doesn't contain any non-character codepoint
-// (e.g. U+FFFE). It's done on purpose because all the existing callers want
-// to have the maximum 'discriminating' power from other encodings. If
-// there's a use case for just checking the structural validity, we have to
-// add a new function for that.
-//
-// IsStringASCII assumes the input is likely all ASCII, and does not leave early
-// if it is not the case.
-BASE_EXPORT bool IsStringUTF8(const StringPiece& str);
-BASE_EXPORT bool IsStringASCII(const StringPiece& str);
-BASE_EXPORT bool IsStringASCII(const StringPiece16& str);
-// A convenience adaptor for WebStrings, as they don't convert into
-// StringPieces directly.
-BASE_EXPORT bool IsStringASCII(const string16& str);
-#if defined(WCHAR_T_IS_UTF32)
-BASE_EXPORT bool IsStringASCII(const std::wstring& str);
-#endif
-
-// Compare the lower-case form of the given string against the given
-// previously-lower-cased ASCII string (typically a constant).
-BASE_EXPORT bool LowerCaseEqualsASCII(StringPiece str,
- StringPiece lowecase_ascii);
-BASE_EXPORT bool LowerCaseEqualsASCII(StringPiece16 str,
- StringPiece lowecase_ascii);
-
-// Performs a case-sensitive string compare of the given 16-bit string against
-// the given 8-bit ASCII string (typically a constant). The behavior is
-// undefined if the |ascii| string is not ASCII.
-BASE_EXPORT bool EqualsASCII(StringPiece16 str, StringPiece ascii);
-
-// Indicates case sensitivity of comparisons. Only ASCII case insensitivity
-// is supported. Full Unicode case-insensitive conversions would need to go in
-// base/i18n so it can use ICU.
-//
-// If you need to do Unicode-aware case-insensitive StartsWith/EndsWith, it's
-// best to call base::i18n::ToLower() or base::i18n::FoldCase() (see
-// base/i18n/case_conversion.h for usage advice) on the arguments, and then use
-// the results to a case-sensitive comparison.
-enum class CompareCase {
- SENSITIVE,
- INSENSITIVE_ASCII,
-};
-
-BASE_EXPORT bool StartsWith(StringPiece str,
- StringPiece search_for,
- CompareCase case_sensitivity);
-BASE_EXPORT bool StartsWith(StringPiece16 str,
- StringPiece16 search_for,
- CompareCase case_sensitivity);
-BASE_EXPORT bool EndsWith(StringPiece str,
- StringPiece search_for,
- CompareCase case_sensitivity);
-BASE_EXPORT bool EndsWith(StringPiece16 str,
- StringPiece16 search_for,
- CompareCase case_sensitivity);
-
-// Determines the type of ASCII character, independent of locale (the C
-// library versions will change based on locale).
-template <typename Char>
-inline bool IsAsciiWhitespace(Char c) {
- return c == ' ' || c == '\r' || c == '\n' || c == '\t';
-}
-template <typename Char>
-inline bool IsAsciiAlpha(Char c) {
- return ((c >= 'A') && (c <= 'Z')) || ((c >= 'a') && (c <= 'z'));
-}
-template <typename Char>
-inline bool IsAsciiDigit(Char c) {
- return c >= '0' && c <= '9';
-}
-
-template <typename Char>
-inline bool IsHexDigit(Char c) {
- return (c >= '0' && c <= '9') ||
- (c >= 'A' && c <= 'F') ||
- (c >= 'a' && c <= 'f');
-}
-
-// Returns the integer corresponding to the given hex character. For example:
-// '4' -> 4
-// 'a' -> 10
-// 'B' -> 11
-// Assumes the input is a valid hex character. DCHECKs in debug builds if not.
-BASE_EXPORT char HexDigitToInt(wchar_t c);
-
-// Returns true if it's a Unicode whitespace character.
-BASE_EXPORT bool IsUnicodeWhitespace(wchar_t c);
-
-// Return a byte string in human-readable format with a unit suffix. Not
-// appropriate for use in any UI; use of FormatBytes and friends in ui/base is
-// highly recommended instead. TODO(avi): Figure out how to get callers to use
-// FormatBytes instead; remove this.
-BASE_EXPORT string16 FormatBytesUnlocalized(int64_t bytes);
-
-// Starting at |start_offset| (usually 0), replace the first instance of
-// |find_this| with |replace_with|.
-BASE_EXPORT void ReplaceFirstSubstringAfterOffset(
- base::string16* str,
- size_t start_offset,
- StringPiece16 find_this,
- StringPiece16 replace_with);
-BASE_EXPORT void ReplaceFirstSubstringAfterOffset(
- std::string* str,
- size_t start_offset,
- StringPiece find_this,
- StringPiece replace_with);
-
-// Starting at |start_offset| (usually 0), look through |str| and replace all
-// instances of |find_this| with |replace_with|.
-//
-// This does entire substrings; use std::replace in <algorithm> for single
-// characters, for example:
-// std::replace(str.begin(), str.end(), 'a', 'b');
-BASE_EXPORT void ReplaceSubstringsAfterOffset(
- string16* str,
- size_t start_offset,
- StringPiece16 find_this,
- StringPiece16 replace_with);
-BASE_EXPORT void ReplaceSubstringsAfterOffset(
- std::string* str,
- size_t start_offset,
- StringPiece find_this,
- StringPiece replace_with);
-
-// Reserves enough memory in |str| to accommodate |length_with_null| characters,
-// sets the size of |str| to |length_with_null - 1| characters, and returns a
-// pointer to the underlying contiguous array of characters. This is typically
-// used when calling a function that writes results into a character array, but
-// the caller wants the data to be managed by a string-like object. It is
-// convenient in that is can be used inline in the call, and fast in that it
-// avoids copying the results of the call from a char* into a string.
-//
-// |length_with_null| must be at least 2, since otherwise the underlying string
-// would have size 0, and trying to access &((*str)[0]) in that case can result
-// in a number of problems.
-//
-// Internally, this takes linear time because the resize() call 0-fills the
-// underlying array for potentially all
-// (|length_with_null - 1| * sizeof(string_type::value_type)) bytes. Ideally we
-// could avoid this aspect of the resize() call, as we expect the caller to
-// immediately write over this memory, but there is no other way to set the size
-// of the string, and not doing that will mean people who access |str| rather
-// than str.c_str() will get back a string of whatever size |str| had on entry
-// to this function (probably 0).
-BASE_EXPORT char* WriteInto(std::string* str, size_t length_with_null);
-BASE_EXPORT char16* WriteInto(string16* str, size_t length_with_null);
-#ifndef OS_WIN
-BASE_EXPORT wchar_t* WriteInto(std::wstring* str, size_t length_with_null);
-#endif
-
-// Does the opposite of SplitString().
-BASE_EXPORT std::string JoinString(const std::vector<std::string>& parts,
- StringPiece separator);
-BASE_EXPORT string16 JoinString(const std::vector<string16>& parts,
- StringPiece16 separator);
-
-// Replace $1-$2-$3..$9 in the format string with |a|-|b|-|c|..|i| respectively.
-// Additionally, any number of consecutive '$' characters is replaced by that
-// number less one. Eg $$->$, $$$->$$, etc. The offsets parameter here can be
-// NULL. This only allows you to use up to nine replacements.
-BASE_EXPORT string16 ReplaceStringPlaceholders(
- const string16& format_string,
- const std::vector<string16>& subst,
- std::vector<size_t>* offsets);
-
-BASE_EXPORT std::string ReplaceStringPlaceholders(
- const StringPiece& format_string,
- const std::vector<std::string>& subst,
- std::vector<size_t>* offsets);
-
-// Single-string shortcut for ReplaceStringHolders. |offset| may be NULL.
-BASE_EXPORT string16 ReplaceStringPlaceholders(const string16& format_string,
- const string16& a,
- size_t* offset);
-
-} // namespace base
-
-#if defined(OS_WIN)
-#include "base/strings/string_util_win.h"
-#elif defined(OS_POSIX)
-#include "base/strings/string_util_posix.h"
-#else
-#error Define string operations appropriately for your platform
-#endif
-
-#endif // BASE_STRINGS_STRING_UTIL_H_
diff --git a/security/sandbox/chromium/base/strings/string_util_constants.cc b/security/sandbox/chromium/base/strings/string_util_constants.cc
deleted file mode 100644
index aba1b12b8..000000000
--- a/security/sandbox/chromium/base/strings/string_util_constants.cc
+++ /dev/null
@@ -1,67 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/string_util.h"
-
-namespace base {
-
-#define WHITESPACE_UNICODE \
- 0x0009, /* CHARACTER TABULATION */ \
- 0x000A, /* LINE FEED (LF) */ \
- 0x000B, /* LINE TABULATION */ \
- 0x000C, /* FORM FEED (FF) */ \
- 0x000D, /* CARRIAGE RETURN (CR) */ \
- 0x0020, /* SPACE */ \
- 0x0085, /* NEXT LINE (NEL) */ \
- 0x00A0, /* NO-BREAK SPACE */ \
- 0x1680, /* OGHAM SPACE MARK */ \
- 0x2000, /* EN QUAD */ \
- 0x2001, /* EM QUAD */ \
- 0x2002, /* EN SPACE */ \
- 0x2003, /* EM SPACE */ \
- 0x2004, /* THREE-PER-EM SPACE */ \
- 0x2005, /* FOUR-PER-EM SPACE */ \
- 0x2006, /* SIX-PER-EM SPACE */ \
- 0x2007, /* FIGURE SPACE */ \
- 0x2008, /* PUNCTUATION SPACE */ \
- 0x2009, /* THIN SPACE */ \
- 0x200A, /* HAIR SPACE */ \
- 0x2028, /* LINE SEPARATOR */ \
- 0x2029, /* PARAGRAPH SEPARATOR */ \
- 0x202F, /* NARROW NO-BREAK SPACE */ \
- 0x205F, /* MEDIUM MATHEMATICAL SPACE */ \
- 0x3000, /* IDEOGRAPHIC SPACE */ \
- 0
-
-const wchar_t kWhitespaceWide[] = {
- WHITESPACE_UNICODE
-};
-
-const char16 kWhitespaceUTF16[] = {
- WHITESPACE_UNICODE
-};
-
-const char kWhitespaceASCII[] = {
- 0x09, // CHARACTER TABULATION
- 0x0A, // LINE FEED (LF)
- 0x0B, // LINE TABULATION
- 0x0C, // FORM FEED (FF)
- 0x0D, // CARRIAGE RETURN (CR)
- 0x20, // SPACE
- 0
-};
-
-const char16 kWhitespaceASCIIAs16[] = {
- 0x09, // CHARACTER TABULATION
- 0x0A, // LINE FEED (LF)
- 0x0B, // LINE TABULATION
- 0x0C, // FORM FEED (FF)
- 0x0D, // CARRIAGE RETURN (CR)
- 0x20, // SPACE
- 0
-};
-
-const char kUtf8ByteOrderMark[] = "\xEF\xBB\xBF";
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/string_util_posix.h b/security/sandbox/chromium/base/strings/string_util_posix.h
deleted file mode 100644
index 8299118e1..000000000
--- a/security/sandbox/chromium/base/strings/string_util_posix.h
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_STRING_UTIL_POSIX_H_
-#define BASE_STRINGS_STRING_UTIL_POSIX_H_
-
-#include <stdarg.h>
-#include <stddef.h>
-#include <stdio.h>
-#include <string.h>
-#include <wchar.h>
-
-#include "base/logging.h"
-
-namespace base {
-
-// Chromium code style is to not use malloc'd strings; this is only for use
-// for interaction with APIs that require it.
-inline char* strdup(const char* str) {
- return ::strdup(str);
-}
-
-inline int vsnprintf(char* buffer, size_t size,
- const char* format, va_list arguments) {
- return ::vsnprintf(buffer, size, format, arguments);
-}
-
-inline int vswprintf(wchar_t* buffer, size_t size,
- const wchar_t* format, va_list arguments) {
- DCHECK(IsWprintfFormatPortable(format));
- return ::vswprintf(buffer, size, format, arguments);
-}
-
-} // namespace base
-
-#endif // BASE_STRINGS_STRING_UTIL_POSIX_H_
diff --git a/security/sandbox/chromium/base/strings/string_util_win.h b/security/sandbox/chromium/base/strings/string_util_win.h
deleted file mode 100644
index 7f260bfc8..000000000
--- a/security/sandbox/chromium/base/strings/string_util_win.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_STRING_UTIL_WIN_H_
-#define BASE_STRINGS_STRING_UTIL_WIN_H_
-
-#include <stdarg.h>
-#include <stddef.h>
-#include <stdio.h>
-#include <string.h>
-#include <wchar.h>
-
-#include "base/logging.h"
-
-namespace base {
-
-// Chromium code style is to not use malloc'd strings; this is only for use
-// for interaction with APIs that require it.
-inline char* strdup(const char* str) {
- return _strdup(str);
-}
-
-inline int vsnprintf(char* buffer, size_t size,
- const char* format, va_list arguments) {
- int length = vsnprintf_s(buffer, size, size - 1, format, arguments);
- if (length < 0)
- return _vscprintf(format, arguments);
- return length;
-}
-
-inline int vswprintf(wchar_t* buffer, size_t size,
- const wchar_t* format, va_list arguments) {
- DCHECK(IsWprintfFormatPortable(format));
-
- int length = _vsnwprintf_s(buffer, size, size - 1, format, arguments);
- if (length < 0)
- return _vscwprintf(format, arguments);
- return length;
-}
-
-} // namespace base
-
-#endif // BASE_STRINGS_STRING_UTIL_WIN_H_
diff --git a/security/sandbox/chromium/base/strings/stringprintf.cc b/security/sandbox/chromium/base/strings/stringprintf.cc
deleted file mode 100644
index 415845d61..000000000
--- a/security/sandbox/chromium/base/strings/stringprintf.cc
+++ /dev/null
@@ -1,189 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/stringprintf.h"
-
-#include <errno.h>
-#include <stddef.h>
-
-#include <vector>
-
-#include "base/macros.h"
-#include "base/scoped_clear_errno.h"
-#include "base/strings/string_util.h"
-#include "base/strings/utf_string_conversions.h"
-#include "build/build_config.h"
-
-namespace base {
-
-namespace {
-
-// Overloaded wrappers around vsnprintf and vswprintf. The buf_size parameter
-// is the size of the buffer. These return the number of characters in the
-// formatted string excluding the NUL terminator. If the buffer is not
-// large enough to accommodate the formatted string without truncation, they
-// return the number of characters that would be in the fully-formatted string
-// (vsnprintf, and vswprintf on Windows), or -1 (vswprintf on POSIX platforms).
-inline int vsnprintfT(char* buffer,
- size_t buf_size,
- const char* format,
- va_list argptr) {
- return base::vsnprintf(buffer, buf_size, format, argptr);
-}
-
-#if defined(OS_WIN)
-inline int vsnprintfT(wchar_t* buffer,
- size_t buf_size,
- const wchar_t* format,
- va_list argptr) {
- return base::vswprintf(buffer, buf_size, format, argptr);
-}
-#endif
-
-// Templatized backend for StringPrintF/StringAppendF. This does not finalize
-// the va_list, the caller is expected to do that.
-template <class StringType>
-static void StringAppendVT(StringType* dst,
- const typename StringType::value_type* format,
- va_list ap) {
- // First try with a small fixed size buffer.
- // This buffer size should be kept in sync with StringUtilTest.GrowBoundary
- // and StringUtilTest.StringPrintfBounds.
- typename StringType::value_type stack_buf[1024];
-
- va_list ap_copy;
- va_copy(ap_copy, ap);
-
-#if !defined(OS_WIN)
- ScopedClearErrno clear_errno;
-#endif
- int result = vsnprintfT(stack_buf, arraysize(stack_buf), format, ap_copy);
- va_end(ap_copy);
-
- if (result >= 0 && result < static_cast<int>(arraysize(stack_buf))) {
- // It fit.
- dst->append(stack_buf, result);
- return;
- }
-
- // Repeatedly increase buffer size until it fits.
- int mem_length = arraysize(stack_buf);
- while (true) {
- if (result < 0) {
-#if defined(OS_WIN)
- // On Windows, vsnprintfT always returns the number of characters in a
- // fully-formatted string, so if we reach this point, something else is
- // wrong and no amount of buffer-doubling is going to fix it.
- return;
-#else
- if (errno != 0 && errno != EOVERFLOW)
- return;
- // Try doubling the buffer size.
- mem_length *= 2;
-#endif
- } else {
- // We need exactly "result + 1" characters.
- mem_length = result + 1;
- }
-
- if (mem_length > 32 * 1024 * 1024) {
- // That should be plenty, don't try anything larger. This protects
- // against huge allocations when using vsnprintfT implementations that
- // return -1 for reasons other than overflow without setting errno.
- DLOG(WARNING) << "Unable to printf the requested string due to size.";
- return;
- }
-
- std::vector<typename StringType::value_type> mem_buf(mem_length);
-
- // NOTE: You can only use a va_list once. Since we're in a while loop, we
- // need to make a new copy each time so we don't use up the original.
- va_copy(ap_copy, ap);
- result = vsnprintfT(&mem_buf[0], mem_length, format, ap_copy);
- va_end(ap_copy);
-
- if ((result >= 0) && (result < mem_length)) {
- // It fit.
- dst->append(&mem_buf[0], result);
- return;
- }
- }
-}
-
-} // namespace
-
-std::string StringPrintf(const char* format, ...) {
- va_list ap;
- va_start(ap, format);
- std::string result;
- StringAppendV(&result, format, ap);
- va_end(ap);
- return result;
-}
-
-#if defined(OS_WIN)
-std::wstring StringPrintf(const wchar_t* format, ...) {
- va_list ap;
- va_start(ap, format);
- std::wstring result;
- StringAppendV(&result, format, ap);
- va_end(ap);
- return result;
-}
-#endif
-
-std::string StringPrintV(const char* format, va_list ap) {
- std::string result;
- StringAppendV(&result, format, ap);
- return result;
-}
-
-const std::string& SStringPrintf(std::string* dst, const char* format, ...) {
- va_list ap;
- va_start(ap, format);
- dst->clear();
- StringAppendV(dst, format, ap);
- va_end(ap);
- return *dst;
-}
-
-#if defined(OS_WIN)
-const std::wstring& SStringPrintf(std::wstring* dst,
- const wchar_t* format, ...) {
- va_list ap;
- va_start(ap, format);
- dst->clear();
- StringAppendV(dst, format, ap);
- va_end(ap);
- return *dst;
-}
-#endif
-
-void StringAppendF(std::string* dst, const char* format, ...) {
- va_list ap;
- va_start(ap, format);
- StringAppendV(dst, format, ap);
- va_end(ap);
-}
-
-#if defined(OS_WIN)
-void StringAppendF(std::wstring* dst, const wchar_t* format, ...) {
- va_list ap;
- va_start(ap, format);
- StringAppendV(dst, format, ap);
- va_end(ap);
-}
-#endif
-
-void StringAppendV(std::string* dst, const char* format, va_list ap) {
- StringAppendVT(dst, format, ap);
-}
-
-#if defined(OS_WIN)
-void StringAppendV(std::wstring* dst, const wchar_t* format, va_list ap) {
- StringAppendVT(dst, format, ap);
-}
-#endif
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/stringprintf.h b/security/sandbox/chromium/base/strings/stringprintf.h
deleted file mode 100644
index 7a75d89e1..000000000
--- a/security/sandbox/chromium/base/strings/stringprintf.h
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_STRINGPRINTF_H_
-#define BASE_STRINGS_STRINGPRINTF_H_
-
-#include <stdarg.h> // va_list
-
-#include <string>
-
-#include "base/base_export.h"
-#include "base/compiler_specific.h"
-#include "build/build_config.h"
-
-namespace base {
-
-// Return a C++ string given printf-like input.
-BASE_EXPORT std::string StringPrintf(_Printf_format_string_ const char* format,
- ...)
- PRINTF_FORMAT(1, 2) WARN_UNUSED_RESULT;
-#if defined(OS_WIN)
-BASE_EXPORT std::wstring StringPrintf(
- _Printf_format_string_ const wchar_t* format,
- ...) WPRINTF_FORMAT(1, 2) WARN_UNUSED_RESULT;
-#endif
-
-// Return a C++ string given vprintf-like input.
-BASE_EXPORT std::string StringPrintV(const char* format, va_list ap)
- PRINTF_FORMAT(1, 0) WARN_UNUSED_RESULT;
-
-// Store result into a supplied string and return it.
-BASE_EXPORT const std::string& SStringPrintf(
- std::string* dst,
- _Printf_format_string_ const char* format,
- ...) PRINTF_FORMAT(2, 3);
-#if defined(OS_WIN)
-BASE_EXPORT const std::wstring& SStringPrintf(
- std::wstring* dst,
- _Printf_format_string_ const wchar_t* format,
- ...) WPRINTF_FORMAT(2, 3);
-#endif
-
-// Append result to a supplied string.
-BASE_EXPORT void StringAppendF(std::string* dst,
- _Printf_format_string_ const char* format,
- ...) PRINTF_FORMAT(2, 3);
-#if defined(OS_WIN)
-BASE_EXPORT void StringAppendF(std::wstring* dst,
- _Printf_format_string_ const wchar_t* format,
- ...) WPRINTF_FORMAT(2, 3);
-#endif
-
-// Lower-level routine that takes a va_list and appends to a specified
-// string. All other routines are just convenience wrappers around it.
-BASE_EXPORT void StringAppendV(std::string* dst, const char* format, va_list ap)
- PRINTF_FORMAT(2, 0);
-#if defined(OS_WIN)
-BASE_EXPORT void StringAppendV(std::wstring* dst,
- const wchar_t* format, va_list ap)
- WPRINTF_FORMAT(2, 0);
-#endif
-
-} // namespace base
-
-#endif // BASE_STRINGS_STRINGPRINTF_H_
diff --git a/security/sandbox/chromium/base/strings/utf_string_conversion_utils.cc b/security/sandbox/chromium/base/strings/utf_string_conversion_utils.cc
deleted file mode 100644
index 3101a6028..000000000
--- a/security/sandbox/chromium/base/strings/utf_string_conversion_utils.cc
+++ /dev/null
@@ -1,148 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/utf_string_conversion_utils.h"
-
-#include "base/third_party/icu/icu_utf.h"
-
-namespace base {
-
-// ReadUnicodeCharacter --------------------------------------------------------
-
-bool ReadUnicodeCharacter(const char* src,
- int32_t src_len,
- int32_t* char_index,
- uint32_t* code_point_out) {
- // U8_NEXT expects to be able to use -1 to signal an error, so we must
- // use a signed type for code_point. But this function returns false
- // on error anyway, so code_point_out is unsigned.
- int32_t code_point;
- CBU8_NEXT(src, *char_index, src_len, code_point);
- *code_point_out = static_cast<uint32_t>(code_point);
-
- // The ICU macro above moves to the next char, we want to point to the last
- // char consumed.
- (*char_index)--;
-
- // Validate the decoded value.
- return IsValidCodepoint(code_point);
-}
-
-bool ReadUnicodeCharacter(const char16* src,
- int32_t src_len,
- int32_t* char_index,
- uint32_t* code_point) {
- if (CBU16_IS_SURROGATE(src[*char_index])) {
- if (!CBU16_IS_SURROGATE_LEAD(src[*char_index]) ||
- *char_index + 1 >= src_len ||
- !CBU16_IS_TRAIL(src[*char_index + 1])) {
- // Invalid surrogate pair.
- return false;
- }
-
- // Valid surrogate pair.
- *code_point = CBU16_GET_SUPPLEMENTARY(src[*char_index],
- src[*char_index + 1]);
- (*char_index)++;
- } else {
- // Not a surrogate, just one 16-bit word.
- *code_point = src[*char_index];
- }
-
- return IsValidCodepoint(*code_point);
-}
-
-#if defined(WCHAR_T_IS_UTF32)
-bool ReadUnicodeCharacter(const wchar_t* src,
- int32_t src_len,
- int32_t* char_index,
- uint32_t* code_point) {
- // Conversion is easy since the source is 32-bit.
- *code_point = src[*char_index];
-
- // Validate the value.
- return IsValidCodepoint(*code_point);
-}
-#endif // defined(WCHAR_T_IS_UTF32)
-
-// WriteUnicodeCharacter -------------------------------------------------------
-
-size_t WriteUnicodeCharacter(uint32_t code_point, std::string* output) {
- if (code_point <= 0x7f) {
- // Fast path the common case of one byte.
- output->push_back(static_cast<char>(code_point));
- return 1;
- }
-
-
- // CBU8_APPEND_UNSAFE can append up to 4 bytes.
- size_t char_offset = output->length();
- size_t original_char_offset = char_offset;
- output->resize(char_offset + CBU8_MAX_LENGTH);
-
- CBU8_APPEND_UNSAFE(&(*output)[0], char_offset, code_point);
-
- // CBU8_APPEND_UNSAFE will advance our pointer past the inserted character, so
- // it will represent the new length of the string.
- output->resize(char_offset);
- return char_offset - original_char_offset;
-}
-
-size_t WriteUnicodeCharacter(uint32_t code_point, string16* output) {
- if (CBU16_LENGTH(code_point) == 1) {
- // Thie code point is in the Basic Multilingual Plane (BMP).
- output->push_back(static_cast<char16>(code_point));
- return 1;
- }
- // Non-BMP characters use a double-character encoding.
- size_t char_offset = output->length();
- output->resize(char_offset + CBU16_MAX_LENGTH);
- CBU16_APPEND_UNSAFE(&(*output)[0], char_offset, code_point);
- return CBU16_MAX_LENGTH;
-}
-
-// Generalized Unicode converter -----------------------------------------------
-
-template<typename CHAR>
-void PrepareForUTF8Output(const CHAR* src,
- size_t src_len,
- std::string* output) {
- output->clear();
- if (src_len == 0)
- return;
- if (src[0] < 0x80) {
- // Assume that the entire input will be ASCII.
- output->reserve(src_len);
- } else {
- // Assume that the entire input is non-ASCII and will have 3 bytes per char.
- output->reserve(src_len * 3);
- }
-}
-
-// Instantiate versions we know callers will need.
-template void PrepareForUTF8Output(const wchar_t*, size_t, std::string*);
-template void PrepareForUTF8Output(const char16*, size_t, std::string*);
-
-template<typename STRING>
-void PrepareForUTF16Or32Output(const char* src,
- size_t src_len,
- STRING* output) {
- output->clear();
- if (src_len == 0)
- return;
- if (static_cast<unsigned char>(src[0]) < 0x80) {
- // Assume the input is all ASCII, which means 1:1 correspondence.
- output->reserve(src_len);
- } else {
- // Otherwise assume that the UTF-8 sequences will have 2 bytes for each
- // character.
- output->reserve(src_len / 2);
- }
-}
-
-// Instantiate versions we know callers will need.
-template void PrepareForUTF16Or32Output(const char*, size_t, std::wstring*);
-template void PrepareForUTF16Or32Output(const char*, size_t, string16*);
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/utf_string_conversion_utils.h b/security/sandbox/chromium/base/strings/utf_string_conversion_utils.h
deleted file mode 100644
index c71640453..000000000
--- a/security/sandbox/chromium/base/strings/utf_string_conversion_utils.h
+++ /dev/null
@@ -1,99 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_UTF_STRING_CONVERSION_UTILS_H_
-#define BASE_STRINGS_UTF_STRING_CONVERSION_UTILS_H_
-
-// This should only be used by the various UTF string conversion files.
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/base_export.h"
-#include "base/strings/string16.h"
-
-namespace base {
-
-inline bool IsValidCodepoint(uint32_t code_point) {
- // Excludes the surrogate code points ([0xD800, 0xDFFF]) and
- // codepoints larger than 0x10FFFF (the highest codepoint allowed).
- // Non-characters and unassigned codepoints are allowed.
- return code_point < 0xD800u ||
- (code_point >= 0xE000u && code_point <= 0x10FFFFu);
-}
-
-inline bool IsValidCharacter(uint32_t code_point) {
- // Excludes non-characters (U+FDD0..U+FDEF, and all codepoints ending in
- // 0xFFFE or 0xFFFF) from the set of valid code points.
- return code_point < 0xD800u || (code_point >= 0xE000u &&
- code_point < 0xFDD0u) || (code_point > 0xFDEFu &&
- code_point <= 0x10FFFFu && (code_point & 0xFFFEu) != 0xFFFEu);
-}
-
-// ReadUnicodeCharacter --------------------------------------------------------
-
-// Reads a UTF-8 stream, placing the next code point into the given output
-// |*code_point|. |src| represents the entire string to read, and |*char_index|
-// is the character offset within the string to start reading at. |*char_index|
-// will be updated to index the last character read, such that incrementing it
-// (as in a for loop) will take the reader to the next character.
-//
-// Returns true on success. On false, |*code_point| will be invalid.
-BASE_EXPORT bool ReadUnicodeCharacter(const char* src,
- int32_t src_len,
- int32_t* char_index,
- uint32_t* code_point_out);
-
-// Reads a UTF-16 character. The usage is the same as the 8-bit version above.
-BASE_EXPORT bool ReadUnicodeCharacter(const char16* src,
- int32_t src_len,
- int32_t* char_index,
- uint32_t* code_point);
-
-#if defined(WCHAR_T_IS_UTF32)
-// Reads UTF-32 character. The usage is the same as the 8-bit version above.
-BASE_EXPORT bool ReadUnicodeCharacter(const wchar_t* src,
- int32_t src_len,
- int32_t* char_index,
- uint32_t* code_point);
-#endif // defined(WCHAR_T_IS_UTF32)
-
-// WriteUnicodeCharacter -------------------------------------------------------
-
-// Appends a UTF-8 character to the given 8-bit string. Returns the number of
-// bytes written.
-BASE_EXPORT size_t WriteUnicodeCharacter(uint32_t code_point,
- std::string* output);
-
-// Appends the given code point as a UTF-16 character to the given 16-bit
-// string. Returns the number of 16-bit values written.
-BASE_EXPORT size_t WriteUnicodeCharacter(uint32_t code_point, string16* output);
-
-#if defined(WCHAR_T_IS_UTF32)
-// Appends the given UTF-32 character to the given 32-bit string. Returns the
-// number of 32-bit values written.
-inline size_t WriteUnicodeCharacter(uint32_t code_point, std::wstring* output) {
- // This is the easy case, just append the character.
- output->push_back(code_point);
- return 1;
-}
-#endif // defined(WCHAR_T_IS_UTF32)
-
-// Generalized Unicode converter -----------------------------------------------
-
-// Guesses the length of the output in UTF-8 in bytes, clears that output
-// string, and reserves that amount of space. We assume that the input
-// character types are unsigned, which will be true for UTF-16 and -32 on our
-// systems.
-template<typename CHAR>
-void PrepareForUTF8Output(const CHAR* src, size_t src_len, std::string* output);
-
-// Prepares an output buffer (containing either UTF-16 or -32 data) given some
-// UTF-8 input that will be converted to it. See PrepareForUTF8Output().
-template<typename STRING>
-void PrepareForUTF16Or32Output(const char* src, size_t src_len, STRING* output);
-
-} // namespace base
-
-#endif // BASE_STRINGS_UTF_STRING_CONVERSION_UTILS_H_
diff --git a/security/sandbox/chromium/base/strings/utf_string_conversions.cc b/security/sandbox/chromium/base/strings/utf_string_conversions.cc
deleted file mode 100644
index 6b17eacd6..000000000
--- a/security/sandbox/chromium/base/strings/utf_string_conversions.cc
+++ /dev/null
@@ -1,231 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/utf_string_conversions.h"
-
-#include <stdint.h>
-
-#include "base/strings/string_piece.h"
-#include "base/strings/string_util.h"
-#include "base/strings/utf_string_conversion_utils.h"
-#include "build/build_config.h"
-
-namespace base {
-
-namespace {
-
-// Generalized Unicode converter -----------------------------------------------
-
-// Converts the given source Unicode character type to the given destination
-// Unicode character type as a STL string. The given input buffer and size
-// determine the source, and the given output STL string will be replaced by
-// the result.
-template<typename SRC_CHAR, typename DEST_STRING>
-bool ConvertUnicode(const SRC_CHAR* src,
- size_t src_len,
- DEST_STRING* output) {
- // ICU requires 32-bit numbers.
- bool success = true;
- int32_t src_len32 = static_cast<int32_t>(src_len);
- for (int32_t i = 0; i < src_len32; i++) {
- uint32_t code_point;
- if (ReadUnicodeCharacter(src, src_len32, &i, &code_point)) {
- WriteUnicodeCharacter(code_point, output);
- } else {
- WriteUnicodeCharacter(0xFFFD, output);
- success = false;
- }
- }
-
- return success;
-}
-
-} // namespace
-
-// UTF-8 <-> Wide --------------------------------------------------------------
-
-bool WideToUTF8(const wchar_t* src, size_t src_len, std::string* output) {
- if (IsStringASCII(std::wstring(src, src_len))) {
- output->assign(src, src + src_len);
- return true;
- } else {
- PrepareForUTF8Output(src, src_len, output);
- return ConvertUnicode(src, src_len, output);
- }
-}
-
-std::string WideToUTF8(const std::wstring& wide) {
- if (IsStringASCII(wide)) {
- return std::string(wide.data(), wide.data() + wide.length());
- }
-
- std::string ret;
- PrepareForUTF8Output(wide.data(), wide.length(), &ret);
- ConvertUnicode(wide.data(), wide.length(), &ret);
- return ret;
-}
-
-bool UTF8ToWide(const char* src, size_t src_len, std::wstring* output) {
- if (IsStringASCII(StringPiece(src, src_len))) {
- output->assign(src, src + src_len);
- return true;
- } else {
- PrepareForUTF16Or32Output(src, src_len, output);
- return ConvertUnicode(src, src_len, output);
- }
-}
-
-std::wstring UTF8ToWide(StringPiece utf8) {
- if (IsStringASCII(utf8)) {
- return std::wstring(utf8.begin(), utf8.end());
- }
-
- std::wstring ret;
- PrepareForUTF16Or32Output(utf8.data(), utf8.length(), &ret);
- ConvertUnicode(utf8.data(), utf8.length(), &ret);
- return ret;
-}
-
-// UTF-16 <-> Wide -------------------------------------------------------------
-
-#if defined(WCHAR_T_IS_UTF16)
-
-// When wide == UTF-16, then conversions are a NOP.
-bool WideToUTF16(const wchar_t* src, size_t src_len, string16* output) {
- output->assign(src, src_len);
- return true;
-}
-
-string16 WideToUTF16(const std::wstring& wide) {
- return wide;
-}
-
-bool UTF16ToWide(const char16* src, size_t src_len, std::wstring* output) {
- output->assign(src, src_len);
- return true;
-}
-
-std::wstring UTF16ToWide(const string16& utf16) {
- return utf16;
-}
-
-#elif defined(WCHAR_T_IS_UTF32)
-
-bool WideToUTF16(const wchar_t* src, size_t src_len, string16* output) {
- output->clear();
- // Assume that normally we won't have any non-BMP characters so the counts
- // will be the same.
- output->reserve(src_len);
- return ConvertUnicode(src, src_len, output);
-}
-
-string16 WideToUTF16(const std::wstring& wide) {
- string16 ret;
- WideToUTF16(wide.data(), wide.length(), &ret);
- return ret;
-}
-
-bool UTF16ToWide(const char16* src, size_t src_len, std::wstring* output) {
- output->clear();
- // Assume that normally we won't have any non-BMP characters so the counts
- // will be the same.
- output->reserve(src_len);
- return ConvertUnicode(src, src_len, output);
-}
-
-std::wstring UTF16ToWide(const string16& utf16) {
- std::wstring ret;
- UTF16ToWide(utf16.data(), utf16.length(), &ret);
- return ret;
-}
-
-#endif // defined(WCHAR_T_IS_UTF32)
-
-// UTF16 <-> UTF8 --------------------------------------------------------------
-
-#if defined(WCHAR_T_IS_UTF32)
-
-bool UTF8ToUTF16(const char* src, size_t src_len, string16* output) {
- if (IsStringASCII(StringPiece(src, src_len))) {
- output->assign(src, src + src_len);
- return true;
- } else {
- PrepareForUTF16Or32Output(src, src_len, output);
- return ConvertUnicode(src, src_len, output);
- }
-}
-
-string16 UTF8ToUTF16(StringPiece utf8) {
- if (IsStringASCII(utf8)) {
- return string16(utf8.begin(), utf8.end());
- }
-
- string16 ret;
- PrepareForUTF16Or32Output(utf8.data(), utf8.length(), &ret);
- // Ignore the success flag of this call, it will do the best it can for
- // invalid input, which is what we want here.
- ConvertUnicode(utf8.data(), utf8.length(), &ret);
- return ret;
-}
-
-bool UTF16ToUTF8(const char16* src, size_t src_len, std::string* output) {
- if (IsStringASCII(StringPiece16(src, src_len))) {
- output->assign(src, src + src_len);
- return true;
- } else {
- PrepareForUTF8Output(src, src_len, output);
- return ConvertUnicode(src, src_len, output);
- }
-}
-
-std::string UTF16ToUTF8(StringPiece16 utf16) {
- if (IsStringASCII(utf16)) {
- return std::string(utf16.begin(), utf16.end());
- }
-
- std::string ret;
- // Ignore the success flag of this call, it will do the best it can for
- // invalid input, which is what we want here.
- UTF16ToUTF8(utf16.data(), utf16.length(), &ret);
- return ret;
-}
-
-#elif defined(WCHAR_T_IS_UTF16)
-// Easy case since we can use the "wide" versions we already wrote above.
-
-bool UTF8ToUTF16(const char* src, size_t src_len, string16* output) {
- return UTF8ToWide(src, src_len, output);
-}
-
-string16 UTF8ToUTF16(StringPiece utf8) {
- return UTF8ToWide(utf8);
-}
-
-bool UTF16ToUTF8(const char16* src, size_t src_len, std::string* output) {
- return WideToUTF8(src, src_len, output);
-}
-
-std::string UTF16ToUTF8(StringPiece16 utf16) {
- if (IsStringASCII(utf16))
- return std::string(utf16.data(), utf16.data() + utf16.length());
-
- std::string ret;
- PrepareForUTF8Output(utf16.data(), utf16.length(), &ret);
- ConvertUnicode(utf16.data(), utf16.length(), &ret);
- return ret;
-}
-
-#endif
-
-string16 ASCIIToUTF16(StringPiece ascii) {
- DCHECK(IsStringASCII(ascii)) << ascii;
- return string16(ascii.begin(), ascii.end());
-}
-
-std::string UTF16ToASCII(StringPiece16 utf16) {
- DCHECK(IsStringASCII(utf16)) << UTF16ToUTF8(utf16);
- return std::string(utf16.begin(), utf16.end());
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/strings/utf_string_conversions.h b/security/sandbox/chromium/base/strings/utf_string_conversions.h
deleted file mode 100644
index 2995f4cbc..000000000
--- a/security/sandbox/chromium/base/strings/utf_string_conversions.h
+++ /dev/null
@@ -1,54 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_STRINGS_UTF_STRING_CONVERSIONS_H_
-#define BASE_STRINGS_UTF_STRING_CONVERSIONS_H_
-
-#include <stddef.h>
-
-#include <string>
-
-#include "base/base_export.h"
-#include "base/strings/string16.h"
-#include "base/strings/string_piece.h"
-
-namespace base {
-
-// These convert between UTF-8, -16, and -32 strings. They are potentially slow,
-// so avoid unnecessary conversions. The low-level versions return a boolean
-// indicating whether the conversion was 100% valid. In this case, it will still
-// do the best it can and put the result in the output buffer. The versions that
-// return strings ignore this error and just return the best conversion
-// possible.
-BASE_EXPORT bool WideToUTF8(const wchar_t* src, size_t src_len,
- std::string* output);
-BASE_EXPORT std::string WideToUTF8(const std::wstring& wide);
-BASE_EXPORT bool UTF8ToWide(const char* src, size_t src_len,
- std::wstring* output);
-BASE_EXPORT std::wstring UTF8ToWide(StringPiece utf8);
-
-BASE_EXPORT bool WideToUTF16(const wchar_t* src, size_t src_len,
- string16* output);
-BASE_EXPORT string16 WideToUTF16(const std::wstring& wide);
-BASE_EXPORT bool UTF16ToWide(const char16* src, size_t src_len,
- std::wstring* output);
-BASE_EXPORT std::wstring UTF16ToWide(const string16& utf16);
-
-BASE_EXPORT bool UTF8ToUTF16(const char* src, size_t src_len, string16* output);
-BASE_EXPORT string16 UTF8ToUTF16(StringPiece utf8);
-BASE_EXPORT bool UTF16ToUTF8(const char16* src, size_t src_len,
- std::string* output);
-BASE_EXPORT std::string UTF16ToUTF8(StringPiece16 utf16);
-
-// This converts an ASCII string, typically a hardcoded constant, to a UTF16
-// string.
-BASE_EXPORT string16 ASCIIToUTF16(StringPiece ascii);
-
-// Converts to 7-bit ASCII by truncating. The result must be known to be ASCII
-// beforehand.
-BASE_EXPORT std::string UTF16ToASCII(StringPiece16 utf16);
-
-} // namespace base
-
-#endif // BASE_STRINGS_UTF_STRING_CONVERSIONS_H_
diff --git a/security/sandbox/chromium/base/synchronization/condition_variable.h b/security/sandbox/chromium/base/synchronization/condition_variable.h
deleted file mode 100644
index a41b2ba5a..000000000
--- a/security/sandbox/chromium/base/synchronization/condition_variable.h
+++ /dev/null
@@ -1,118 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// ConditionVariable wraps pthreads condition variable synchronization or, on
-// Windows, simulates it. This functionality is very helpful for having
-// several threads wait for an event, as is common with a thread pool managed
-// by a master. The meaning of such an event in the (worker) thread pool
-// scenario is that additional tasks are now available for processing. It is
-// used in Chrome in the DNS prefetching system to notify worker threads that
-// a queue now has items (tasks) which need to be tended to. A related use
-// would have a pool manager waiting on a ConditionVariable, waiting for a
-// thread in the pool to announce (signal) that there is now more room in a
-// (bounded size) communications queue for the manager to deposit tasks, or,
-// as a second example, that the queue of tasks is completely empty and all
-// workers are waiting.
-//
-// USAGE NOTE 1: spurious signal events are possible with this and
-// most implementations of condition variables. As a result, be
-// *sure* to retest your condition before proceeding. The following
-// is a good example of doing this correctly:
-//
-// while (!work_to_be_done()) Wait(...);
-//
-// In contrast do NOT do the following:
-//
-// if (!work_to_be_done()) Wait(...); // Don't do this.
-//
-// Especially avoid the above if you are relying on some other thread only
-// issuing a signal up *if* there is work-to-do. There can/will
-// be spurious signals. Recheck state on waiting thread before
-// assuming the signal was intentional. Caveat caller ;-).
-//
-// USAGE NOTE 2: Broadcast() frees up all waiting threads at once,
-// which leads to contention for the locks they all held when they
-// called Wait(). This results in POOR performance. A much better
-// approach to getting a lot of threads out of Wait() is to have each
-// thread (upon exiting Wait()) call Signal() to free up another
-// Wait'ing thread. Look at condition_variable_unittest.cc for
-// both examples.
-//
-// Broadcast() can be used nicely during teardown, as it gets the job
-// done, and leaves no sleeping threads... and performance is less
-// critical at that point.
-//
-// The semantics of Broadcast() are carefully crafted so that *all*
-// threads that were waiting when the request was made will indeed
-// get signaled. Some implementations mess up, and don't signal them
-// all, while others allow the wait to be effectively turned off (for
-// a while while waiting threads come around). This implementation
-// appears correct, as it will not "lose" any signals, and will guarantee
-// that all threads get signaled by Broadcast().
-//
-// This implementation offers support for "performance" in its selection of
-// which thread to revive. Performance, in direct contrast with "fairness,"
-// assures that the thread that most recently began to Wait() is selected by
-// Signal to revive. Fairness would (if publicly supported) assure that the
-// thread that has Wait()ed the longest is selected. The default policy
-// may improve performance, as the selected thread may have a greater chance of
-// having some of its stack data in various CPU caches.
-//
-// For a discussion of the many very subtle implementation details, see the FAQ
-// at the end of condition_variable_win.cc.
-
-#ifndef BASE_SYNCHRONIZATION_CONDITION_VARIABLE_H_
-#define BASE_SYNCHRONIZATION_CONDITION_VARIABLE_H_
-
-#include "base/base_export.h"
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/synchronization/lock.h"
-#include "build/build_config.h"
-
-#if defined(OS_POSIX)
-#include <pthread.h>
-#endif
-
-namespace base {
-
-class ConditionVarImpl;
-class TimeDelta;
-
-class BASE_EXPORT ConditionVariable {
- public:
- // Construct a cv for use with ONLY one user lock.
- explicit ConditionVariable(Lock* user_lock);
-
- ~ConditionVariable();
-
- // Wait() releases the caller's critical section atomically as it starts to
- // sleep, and the reacquires it when it is signaled.
- void Wait();
- void TimedWait(const TimeDelta& max_time);
-
- // Broadcast() revives all waiting threads.
- void Broadcast();
- // Signal() revives one waiting thread.
- void Signal();
-
- private:
-
-#if defined(OS_WIN)
- ConditionVarImpl* impl_;
-#elif defined(OS_POSIX)
- pthread_cond_t condition_;
- pthread_mutex_t* user_mutex_;
-#if DCHECK_IS_ON()
- base::Lock* user_lock_; // Needed to adjust shadow lock state on wait.
-#endif
-
-#endif
-
- DISALLOW_COPY_AND_ASSIGN(ConditionVariable);
-};
-
-} // namespace base
-
-#endif // BASE_SYNCHRONIZATION_CONDITION_VARIABLE_H_
diff --git a/security/sandbox/chromium/base/synchronization/condition_variable_posix.cc b/security/sandbox/chromium/base/synchronization/condition_variable_posix.cc
deleted file mode 100644
index d86fd180e..000000000
--- a/security/sandbox/chromium/base/synchronization/condition_variable_posix.cc
+++ /dev/null
@@ -1,137 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/synchronization/condition_variable.h"
-
-#include <errno.h>
-#include <stdint.h>
-#include <sys/time.h>
-
-#include "base/synchronization/lock.h"
-#include "base/threading/thread_restrictions.h"
-#include "base/time/time.h"
-#include "build/build_config.h"
-
-namespace base {
-
-ConditionVariable::ConditionVariable(Lock* user_lock)
- : user_mutex_(user_lock->lock_.native_handle())
-#if DCHECK_IS_ON()
- , user_lock_(user_lock)
-#endif
-{
- int rv = 0;
- // http://crbug.com/293736
- // NaCl doesn't support monotonic clock based absolute deadlines.
- // On older Android platform versions, it's supported through the
- // non-standard pthread_cond_timedwait_monotonic_np. Newer platform
- // versions have pthread_condattr_setclock.
- // Mac can use relative time deadlines.
-#if !defined(OS_MACOSX) && !defined(OS_NACL) && \
- !(defined(OS_ANDROID) && defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC))
- pthread_condattr_t attrs;
- rv = pthread_condattr_init(&attrs);
- DCHECK_EQ(0, rv);
- pthread_condattr_setclock(&attrs, CLOCK_MONOTONIC);
- rv = pthread_cond_init(&condition_, &attrs);
- pthread_condattr_destroy(&attrs);
-#else
- rv = pthread_cond_init(&condition_, NULL);
-#endif
- DCHECK_EQ(0, rv);
-}
-
-ConditionVariable::~ConditionVariable() {
-#if defined(OS_MACOSX)
- // This hack is necessary to avoid a fatal pthreads subsystem bug in the
- // Darwin kernel. http://crbug.com/517681.
- {
- base::Lock lock;
- base::AutoLock l(lock);
- struct timespec ts;
- ts.tv_sec = 0;
- ts.tv_nsec = 1;
- pthread_cond_timedwait_relative_np(&condition_, lock.lock_.native_handle(),
- &ts);
- }
-#endif
-
- int rv = pthread_cond_destroy(&condition_);
- DCHECK_EQ(0, rv);
-}
-
-void ConditionVariable::Wait() {
- base::ThreadRestrictions::AssertWaitAllowed();
-#if DCHECK_IS_ON()
- user_lock_->CheckHeldAndUnmark();
-#endif
- int rv = pthread_cond_wait(&condition_, user_mutex_);
- DCHECK_EQ(0, rv);
-#if DCHECK_IS_ON()
- user_lock_->CheckUnheldAndMark();
-#endif
-}
-
-void ConditionVariable::TimedWait(const TimeDelta& max_time) {
- base::ThreadRestrictions::AssertWaitAllowed();
- int64_t usecs = max_time.InMicroseconds();
- struct timespec relative_time;
- relative_time.tv_sec = usecs / Time::kMicrosecondsPerSecond;
- relative_time.tv_nsec =
- (usecs % Time::kMicrosecondsPerSecond) * Time::kNanosecondsPerMicrosecond;
-
-#if DCHECK_IS_ON()
- user_lock_->CheckHeldAndUnmark();
-#endif
-
-#if defined(OS_MACOSX)
- int rv = pthread_cond_timedwait_relative_np(
- &condition_, user_mutex_, &relative_time);
-#else
- // The timeout argument to pthread_cond_timedwait is in absolute time.
- struct timespec absolute_time;
-#if defined(OS_NACL)
- // See comment in constructor for why this is different in NaCl.
- struct timeval now;
- gettimeofday(&now, NULL);
- absolute_time.tv_sec = now.tv_sec;
- absolute_time.tv_nsec = now.tv_usec * Time::kNanosecondsPerMicrosecond;
-#else
- struct timespec now;
- clock_gettime(CLOCK_MONOTONIC, &now);
- absolute_time.tv_sec = now.tv_sec;
- absolute_time.tv_nsec = now.tv_nsec;
-#endif
-
- absolute_time.tv_sec += relative_time.tv_sec;
- absolute_time.tv_nsec += relative_time.tv_nsec;
- absolute_time.tv_sec += absolute_time.tv_nsec / Time::kNanosecondsPerSecond;
- absolute_time.tv_nsec %= Time::kNanosecondsPerSecond;
- DCHECK_GE(absolute_time.tv_sec, now.tv_sec); // Overflow paranoia
-
-#if defined(OS_ANDROID) && defined(HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC)
- int rv = pthread_cond_timedwait_monotonic_np(
- &condition_, user_mutex_, &absolute_time);
-#else
- int rv = pthread_cond_timedwait(&condition_, user_mutex_, &absolute_time);
-#endif // OS_ANDROID && HAVE_PTHREAD_COND_TIMEDWAIT_MONOTONIC
-#endif // OS_MACOSX
-
- DCHECK(rv == 0 || rv == ETIMEDOUT);
-#if DCHECK_IS_ON()
- user_lock_->CheckUnheldAndMark();
-#endif
-}
-
-void ConditionVariable::Broadcast() {
- int rv = pthread_cond_broadcast(&condition_);
- DCHECK_EQ(0, rv);
-}
-
-void ConditionVariable::Signal() {
- int rv = pthread_cond_signal(&condition_);
- DCHECK_EQ(0, rv);
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/synchronization/lock.cc b/security/sandbox/chromium/base/synchronization/lock.cc
deleted file mode 100644
index 03297ada5..000000000
--- a/security/sandbox/chromium/base/synchronization/lock.cc
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file is used for debugging assertion support. The Lock class
-// is functionally a wrapper around the LockImpl class, so the only
-// real intelligence in the class is in the debugging logic.
-
-#include "base/synchronization/lock.h"
-
-#if DCHECK_IS_ON()
-
-namespace base {
-
-Lock::Lock() : lock_() {
-}
-
-Lock::~Lock() {
- DCHECK(owning_thread_ref_.is_null());
-}
-
-void Lock::AssertAcquired() const {
- DCHECK(owning_thread_ref_ == PlatformThread::CurrentRef());
-}
-
-void Lock::CheckHeldAndUnmark() {
- DCHECK(owning_thread_ref_ == PlatformThread::CurrentRef());
- owning_thread_ref_ = PlatformThreadRef();
-}
-
-void Lock::CheckUnheldAndMark() {
- DCHECK(owning_thread_ref_.is_null());
- owning_thread_ref_ = PlatformThread::CurrentRef();
-}
-
-} // namespace base
-
-#endif // DCHECK_IS_ON()
diff --git a/security/sandbox/chromium/base/synchronization/lock.h b/security/sandbox/chromium/base/synchronization/lock.h
deleted file mode 100644
index f7dd35dcc..000000000
--- a/security/sandbox/chromium/base/synchronization/lock.h
+++ /dev/null
@@ -1,140 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_SYNCHRONIZATION_LOCK_H_
-#define BASE_SYNCHRONIZATION_LOCK_H_
-
-#include "base/base_export.h"
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/synchronization/lock_impl.h"
-#include "base/threading/platform_thread.h"
-#include "build/build_config.h"
-
-namespace base {
-
-// A convenient wrapper for an OS specific critical section. The only real
-// intelligence in this class is in debug mode for the support for the
-// AssertAcquired() method.
-class BASE_EXPORT Lock {
- public:
-#if !DCHECK_IS_ON()
- // Optimized wrapper implementation
- Lock() : lock_() {}
- ~Lock() {}
- void Acquire() { lock_.Lock(); }
- void Release() { lock_.Unlock(); }
-
- // If the lock is not held, take it and return true. If the lock is already
- // held by another thread, immediately return false. This must not be called
- // by a thread already holding the lock (what happens is undefined and an
- // assertion may fail).
- bool Try() { return lock_.Try(); }
-
- // Null implementation if not debug.
- void AssertAcquired() const {}
-#else
- Lock();
- ~Lock();
-
- // NOTE: Although windows critical sections support recursive locks, we do not
- // allow this, and we will commonly fire a DCHECK() if a thread attempts to
- // acquire the lock a second time (while already holding it).
- void Acquire() {
- lock_.Lock();
- CheckUnheldAndMark();
- }
- void Release() {
- CheckHeldAndUnmark();
- lock_.Unlock();
- }
-
- bool Try() {
- bool rv = lock_.Try();
- if (rv) {
- CheckUnheldAndMark();
- }
- return rv;
- }
-
- void AssertAcquired() const;
-#endif // DCHECK_IS_ON()
-
-#if defined(OS_POSIX)
- // The posix implementation of ConditionVariable needs to be able
- // to see our lock and tweak our debugging counters, as it releases
- // and acquires locks inside of pthread_cond_{timed,}wait.
- friend class ConditionVariable;
-#elif defined(OS_WIN)
- // The Windows Vista implementation of ConditionVariable needs the
- // native handle of the critical section.
- friend class WinVistaCondVar;
-#endif
-
- private:
-#if DCHECK_IS_ON()
- // Members and routines taking care of locks assertions.
- // Note that this checks for recursive locks and allows them
- // if the variable is set. This is allowed by the underlying implementation
- // on windows but not on Posix, so we're doing unneeded checks on Posix.
- // It's worth it to share the code.
- void CheckHeldAndUnmark();
- void CheckUnheldAndMark();
-
- // All private data is implicitly protected by lock_.
- // Be VERY careful to only access members under that lock.
- base::PlatformThreadRef owning_thread_ref_;
-#endif // DCHECK_IS_ON()
-
- // Platform specific underlying lock implementation.
- internal::LockImpl lock_;
-
- DISALLOW_COPY_AND_ASSIGN(Lock);
-};
-
-// A helper class that acquires the given Lock while the AutoLock is in scope.
-class AutoLock {
- public:
- struct AlreadyAcquired {};
-
- explicit AutoLock(Lock& lock) : lock_(lock) {
- lock_.Acquire();
- }
-
- AutoLock(Lock& lock, const AlreadyAcquired&) : lock_(lock) {
- lock_.AssertAcquired();
- }
-
- ~AutoLock() {
- lock_.AssertAcquired();
- lock_.Release();
- }
-
- private:
- Lock& lock_;
- DISALLOW_COPY_AND_ASSIGN(AutoLock);
-};
-
-// AutoUnlock is a helper that will Release() the |lock| argument in the
-// constructor, and re-Acquire() it in the destructor.
-class AutoUnlock {
- public:
- explicit AutoUnlock(Lock& lock) : lock_(lock) {
- // We require our caller to have the lock.
- lock_.AssertAcquired();
- lock_.Release();
- }
-
- ~AutoUnlock() {
- lock_.Acquire();
- }
-
- private:
- Lock& lock_;
- DISALLOW_COPY_AND_ASSIGN(AutoUnlock);
-};
-
-} // namespace base
-
-#endif // BASE_SYNCHRONIZATION_LOCK_H_
diff --git a/security/sandbox/chromium/base/synchronization/lock_impl.h b/security/sandbox/chromium/base/synchronization/lock_impl.h
deleted file mode 100644
index ed85987b3..000000000
--- a/security/sandbox/chromium/base/synchronization/lock_impl.h
+++ /dev/null
@@ -1,60 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_SYNCHRONIZATION_LOCK_IMPL_H_
-#define BASE_SYNCHRONIZATION_LOCK_IMPL_H_
-
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "build/build_config.h"
-
-#if defined(OS_WIN)
-#include <windows.h>
-#elif defined(OS_POSIX)
-#include <pthread.h>
-#endif
-
-namespace base {
-namespace internal {
-
-// This class implements the underlying platform-specific spin-lock mechanism
-// used for the Lock class. Most users should not use LockImpl directly, but
-// should instead use Lock.
-class BASE_EXPORT LockImpl {
- public:
-#if defined(OS_WIN)
- typedef CRITICAL_SECTION NativeHandle;
-#elif defined(OS_POSIX)
- typedef pthread_mutex_t NativeHandle;
-#endif
-
- LockImpl();
- ~LockImpl();
-
- // If the lock is not held, take it and return true. If the lock is already
- // held by something else, immediately return false.
- bool Try();
-
- // Take the lock, blocking until it is available if necessary.
- void Lock();
-
- // Release the lock. This must only be called by the lock's holder: after
- // a successful call to Try, or a call to Lock.
- void Unlock();
-
- // Return the native underlying lock.
- // TODO(awalker): refactor lock and condition variables so that this is
- // unnecessary.
- NativeHandle* native_handle() { return &native_handle_; }
-
- private:
- NativeHandle native_handle_;
-
- DISALLOW_COPY_AND_ASSIGN(LockImpl);
-};
-
-} // namespace internal
-} // namespace base
-
-#endif // BASE_SYNCHRONIZATION_LOCK_IMPL_H_
diff --git a/security/sandbox/chromium/base/synchronization/lock_impl_posix.cc b/security/sandbox/chromium/base/synchronization/lock_impl_posix.cc
deleted file mode 100644
index 5619adaf5..000000000
--- a/security/sandbox/chromium/base/synchronization/lock_impl_posix.cc
+++ /dev/null
@@ -1,55 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/synchronization/lock_impl.h"
-
-#include <errno.h>
-#include <string.h>
-
-#include "base/logging.h"
-
-namespace base {
-namespace internal {
-
-LockImpl::LockImpl() {
-#ifndef NDEBUG
- // In debug, setup attributes for lock error checking.
- pthread_mutexattr_t mta;
- int rv = pthread_mutexattr_init(&mta);
- DCHECK_EQ(rv, 0) << ". " << strerror(rv);
- rv = pthread_mutexattr_settype(&mta, PTHREAD_MUTEX_ERRORCHECK);
- DCHECK_EQ(rv, 0) << ". " << strerror(rv);
- rv = pthread_mutex_init(&native_handle_, &mta);
- DCHECK_EQ(rv, 0) << ". " << strerror(rv);
- rv = pthread_mutexattr_destroy(&mta);
- DCHECK_EQ(rv, 0) << ". " << strerror(rv);
-#else
- // In release, go with the default lock attributes.
- pthread_mutex_init(&native_handle_, NULL);
-#endif
-}
-
-LockImpl::~LockImpl() {
- int rv = pthread_mutex_destroy(&native_handle_);
- DCHECK_EQ(rv, 0) << ". " << strerror(rv);
-}
-
-bool LockImpl::Try() {
- int rv = pthread_mutex_trylock(&native_handle_);
- DCHECK(rv == 0 || rv == EBUSY) << ". " << strerror(rv);
- return rv == 0;
-}
-
-void LockImpl::Lock() {
- int rv = pthread_mutex_lock(&native_handle_);
- DCHECK_EQ(rv, 0) << ". " << strerror(rv);
-}
-
-void LockImpl::Unlock() {
- int rv = pthread_mutex_unlock(&native_handle_);
- DCHECK_EQ(rv, 0) << ". " << strerror(rv);
-}
-
-} // namespace internal
-} // namespace base
diff --git a/security/sandbox/chromium/base/synchronization/lock_impl_win.cc b/security/sandbox/chromium/base/synchronization/lock_impl_win.cc
deleted file mode 100644
index fbc1bdd46..000000000
--- a/security/sandbox/chromium/base/synchronization/lock_impl_win.cc
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/synchronization/lock_impl.h"
-
-namespace base {
-namespace internal {
-
-LockImpl::LockImpl() {
- // The second parameter is the spin count, for short-held locks it avoid the
- // contending thread from going to sleep which helps performance greatly.
- ::InitializeCriticalSectionAndSpinCount(&native_handle_, 2000);
-}
-
-LockImpl::~LockImpl() {
- ::DeleteCriticalSection(&native_handle_);
-}
-
-bool LockImpl::Try() {
- if (::TryEnterCriticalSection(&native_handle_) != FALSE) {
- return true;
- }
- return false;
-}
-
-void LockImpl::Lock() {
- ::EnterCriticalSection(&native_handle_);
-}
-
-void LockImpl::Unlock() {
- ::LeaveCriticalSection(&native_handle_);
-}
-
-} // namespace internal
-} // namespace base
diff --git a/security/sandbox/chromium/base/synchronization/waitable_event.h b/security/sandbox/chromium/base/synchronization/waitable_event.h
deleted file mode 100644
index b5d91d00b..000000000
--- a/security/sandbox/chromium/base/synchronization/waitable_event.h
+++ /dev/null
@@ -1,189 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_SYNCHRONIZATION_WAITABLE_EVENT_H_
-#define BASE_SYNCHRONIZATION_WAITABLE_EVENT_H_
-
-#include <stddef.h>
-
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "build/build_config.h"
-
-#if defined(OS_WIN)
-#include "base/win/scoped_handle.h"
-#endif
-
-#if defined(OS_POSIX)
-#include <list>
-#include <utility>
-#include "base/memory/ref_counted.h"
-#include "base/synchronization/lock.h"
-#endif
-
-namespace base {
-
-class TimeDelta;
-
-// A WaitableEvent can be a useful thread synchronization tool when you want to
-// allow one thread to wait for another thread to finish some work. For
-// non-Windows systems, this can only be used from within a single address
-// space.
-//
-// Use a WaitableEvent when you would otherwise use a Lock+ConditionVariable to
-// protect a simple boolean value. However, if you find yourself using a
-// WaitableEvent in conjunction with a Lock to wait for a more complex state
-// change (e.g., for an item to be added to a queue), then you should probably
-// be using a ConditionVariable instead of a WaitableEvent.
-//
-// NOTE: On Windows, this class provides a subset of the functionality afforded
-// by a Windows event object. This is intentional. If you are writing Windows
-// specific code and you need other features of a Windows event, then you might
-// be better off just using an Windows event directly.
-class BASE_EXPORT WaitableEvent {
- public:
- // If manual_reset is true, then to set the event state to non-signaled, a
- // consumer must call the Reset method. If this parameter is false, then the
- // system automatically resets the event state to non-signaled after a single
- // waiting thread has been released.
- WaitableEvent(bool manual_reset, bool initially_signaled);
-
-#if defined(OS_WIN)
- // Create a WaitableEvent from an Event HANDLE which has already been
- // created. This objects takes ownership of the HANDLE and will close it when
- // deleted.
- explicit WaitableEvent(win::ScopedHandle event_handle);
-#endif
-
- ~WaitableEvent();
-
- // Put the event in the un-signaled state.
- void Reset();
-
- // Put the event in the signaled state. Causing any thread blocked on Wait
- // to be woken up.
- void Signal();
-
- // Returns true if the event is in the signaled state, else false. If this
- // is not a manual reset event, then this test will cause a reset.
- bool IsSignaled();
-
- // Wait indefinitely for the event to be signaled. Wait's return "happens
- // after" |Signal| has completed. This means that it's safe for a
- // WaitableEvent to synchronise its own destruction, like this:
- //
- // WaitableEvent *e = new WaitableEvent;
- // SendToOtherThread(e);
- // e->Wait();
- // delete e;
- void Wait();
-
- // Wait up until max_time has passed for the event to be signaled. Returns
- // true if the event was signaled. If this method returns false, then it
- // does not necessarily mean that max_time was exceeded.
- //
- // TimedWait can synchronise its own destruction like |Wait|.
- bool TimedWait(const TimeDelta& max_time);
-
-#if defined(OS_WIN)
- HANDLE handle() const { return handle_.Get(); }
-#endif
-
- // Wait, synchronously, on multiple events.
- // waitables: an array of WaitableEvent pointers
- // count: the number of elements in @waitables
- //
- // returns: the index of a WaitableEvent which has been signaled.
- //
- // You MUST NOT delete any of the WaitableEvent objects while this wait is
- // happening, however WaitMany's return "happens after" the |Signal| call
- // that caused it has completed, like |Wait|.
- static size_t WaitMany(WaitableEvent** waitables, size_t count);
-
- // For asynchronous waiting, see WaitableEventWatcher
-
- // This is a private helper class. It's here because it's used by friends of
- // this class (such as WaitableEventWatcher) to be able to enqueue elements
- // of the wait-list
- class Waiter {
- public:
- // Signal the waiter to wake up.
- //
- // Consider the case of a Waiter which is in multiple WaitableEvent's
- // wait-lists. Each WaitableEvent is automatic-reset and two of them are
- // signaled at the same time. Now, each will wake only the first waiter in
- // the wake-list before resetting. However, if those two waiters happen to
- // be the same object (as can happen if another thread didn't have a chance
- // to dequeue the waiter from the other wait-list in time), two auto-resets
- // will have happened, but only one waiter has been signaled!
- //
- // Because of this, a Waiter may "reject" a wake by returning false. In
- // this case, the auto-reset WaitableEvent shouldn't act as if anything has
- // been notified.
- virtual bool Fire(WaitableEvent* signaling_event) = 0;
-
- // Waiters may implement this in order to provide an extra condition for
- // two Waiters to be considered equal. In WaitableEvent::Dequeue, if the
- // pointers match then this function is called as a final check. See the
- // comments in ~Handle for why.
- virtual bool Compare(void* tag) = 0;
-
- protected:
- virtual ~Waiter() {}
- };
-
- private:
- friend class WaitableEventWatcher;
-
-#if defined(OS_WIN)
- win::ScopedHandle handle_;
-#else
- // On Windows, one can close a HANDLE which is currently being waited on. The
- // MSDN documentation says that the resulting behaviour is 'undefined', but
- // it doesn't crash. However, if we were to include the following members
- // directly then, on POSIX, one couldn't use WaitableEventWatcher to watch an
- // event which gets deleted. This mismatch has bitten us several times now,
- // so we have a kernel of the WaitableEvent, which is reference counted.
- // WaitableEventWatchers may then take a reference and thus match the Windows
- // behaviour.
- struct WaitableEventKernel :
- public RefCountedThreadSafe<WaitableEventKernel> {
- public:
- WaitableEventKernel(bool manual_reset, bool initially_signaled);
-
- bool Dequeue(Waiter* waiter, void* tag);
-
- base::Lock lock_;
- const bool manual_reset_;
- bool signaled_;
- std::list<Waiter*> waiters_;
-
- private:
- friend class RefCountedThreadSafe<WaitableEventKernel>;
- ~WaitableEventKernel();
- };
-
- typedef std::pair<WaitableEvent*, size_t> WaiterAndIndex;
-
- // When dealing with arrays of WaitableEvent*, we want to sort by the address
- // of the WaitableEvent in order to have a globally consistent locking order.
- // In that case we keep them, in sorted order, in an array of pairs where the
- // second element is the index of the WaitableEvent in the original,
- // unsorted, array.
- static size_t EnqueueMany(WaiterAndIndex* waitables,
- size_t count, Waiter* waiter);
-
- bool SignalAll();
- bool SignalOne();
- void Enqueue(Waiter* waiter);
-
- scoped_refptr<WaitableEventKernel> kernel_;
-#endif
-
- DISALLOW_COPY_AND_ASSIGN(WaitableEvent);
-};
-
-} // namespace base
-
-#endif // BASE_SYNCHRONIZATION_WAITABLE_EVENT_H_
diff --git a/security/sandbox/chromium/base/synchronization/waitable_event_posix.cc b/security/sandbox/chromium/base/synchronization/waitable_event_posix.cc
deleted file mode 100644
index 64d4376fe..000000000
--- a/security/sandbox/chromium/base/synchronization/waitable_event_posix.cc
+++ /dev/null
@@ -1,417 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-
-#include <algorithm>
-#include <vector>
-
-#include "base/logging.h"
-#include "base/synchronization/condition_variable.h"
-#include "base/synchronization/lock.h"
-#include "base/synchronization/waitable_event.h"
-#include "base/threading/thread_restrictions.h"
-
-// -----------------------------------------------------------------------------
-// A WaitableEvent on POSIX is implemented as a wait-list. Currently we don't
-// support cross-process events (where one process can signal an event which
-// others are waiting on). Because of this, we can avoid having one thread per
-// listener in several cases.
-//
-// The WaitableEvent maintains a list of waiters, protected by a lock. Each
-// waiter is either an async wait, in which case we have a Task and the
-// MessageLoop to run it on, or a blocking wait, in which case we have the
-// condition variable to signal.
-//
-// Waiting involves grabbing the lock and adding oneself to the wait list. Async
-// waits can be canceled, which means grabbing the lock and removing oneself
-// from the list.
-//
-// Waiting on multiple events is handled by adding a single, synchronous wait to
-// the wait-list of many events. An event passes a pointer to itself when
-// firing a waiter and so we can store that pointer to find out which event
-// triggered.
-// -----------------------------------------------------------------------------
-
-namespace base {
-
-// -----------------------------------------------------------------------------
-// This is just an abstract base class for waking the two types of waiters
-// -----------------------------------------------------------------------------
-WaitableEvent::WaitableEvent(bool manual_reset, bool initially_signaled)
- : kernel_(new WaitableEventKernel(manual_reset, initially_signaled)) {
-}
-
-WaitableEvent::~WaitableEvent() {
-}
-
-void WaitableEvent::Reset() {
- base::AutoLock locked(kernel_->lock_);
- kernel_->signaled_ = false;
-}
-
-void WaitableEvent::Signal() {
- base::AutoLock locked(kernel_->lock_);
-
- if (kernel_->signaled_)
- return;
-
- if (kernel_->manual_reset_) {
- SignalAll();
- kernel_->signaled_ = true;
- } else {
- // In the case of auto reset, if no waiters were woken, we remain
- // signaled.
- if (!SignalOne())
- kernel_->signaled_ = true;
- }
-}
-
-bool WaitableEvent::IsSignaled() {
- base::AutoLock locked(kernel_->lock_);
-
- const bool result = kernel_->signaled_;
- if (result && !kernel_->manual_reset_)
- kernel_->signaled_ = false;
- return result;
-}
-
-// -----------------------------------------------------------------------------
-// Synchronous waits
-
-// -----------------------------------------------------------------------------
-// This is a synchronous waiter. The thread is waiting on the given condition
-// variable and the fired flag in this object.
-// -----------------------------------------------------------------------------
-class SyncWaiter : public WaitableEvent::Waiter {
- public:
- SyncWaiter()
- : fired_(false),
- signaling_event_(NULL),
- lock_(),
- cv_(&lock_) {
- }
-
- bool Fire(WaitableEvent* signaling_event) override {
- base::AutoLock locked(lock_);
-
- if (fired_)
- return false;
-
- fired_ = true;
- signaling_event_ = signaling_event;
-
- cv_.Broadcast();
-
- // Unlike AsyncWaiter objects, SyncWaiter objects are stack-allocated on
- // the blocking thread's stack. There is no |delete this;| in Fire. The
- // SyncWaiter object is destroyed when it goes out of scope.
-
- return true;
- }
-
- WaitableEvent* signaling_event() const {
- return signaling_event_;
- }
-
- // ---------------------------------------------------------------------------
- // These waiters are always stack allocated and don't delete themselves. Thus
- // there's no problem and the ABA tag is the same as the object pointer.
- // ---------------------------------------------------------------------------
- bool Compare(void* tag) override { return this == tag; }
-
- // ---------------------------------------------------------------------------
- // Called with lock held.
- // ---------------------------------------------------------------------------
- bool fired() const {
- return fired_;
- }
-
- // ---------------------------------------------------------------------------
- // During a TimedWait, we need a way to make sure that an auto-reset
- // WaitableEvent doesn't think that this event has been signaled between
- // unlocking it and removing it from the wait-list. Called with lock held.
- // ---------------------------------------------------------------------------
- void Disable() {
- fired_ = true;
- }
-
- base::Lock* lock() {
- return &lock_;
- }
-
- base::ConditionVariable* cv() {
- return &cv_;
- }
-
- private:
- bool fired_;
- WaitableEvent* signaling_event_; // The WaitableEvent which woke us
- base::Lock lock_;
- base::ConditionVariable cv_;
-};
-
-void WaitableEvent::Wait() {
- bool result = TimedWait(TimeDelta::FromSeconds(-1));
- DCHECK(result) << "TimedWait() should never fail with infinite timeout";
-}
-
-bool WaitableEvent::TimedWait(const TimeDelta& max_time) {
- base::ThreadRestrictions::AssertWaitAllowed();
- const TimeTicks end_time(TimeTicks::Now() + max_time);
- const bool finite_time = max_time.ToInternalValue() >= 0;
-
- kernel_->lock_.Acquire();
- if (kernel_->signaled_) {
- if (!kernel_->manual_reset_) {
- // In this case we were signaled when we had no waiters. Now that
- // someone has waited upon us, we can automatically reset.
- kernel_->signaled_ = false;
- }
-
- kernel_->lock_.Release();
- return true;
- }
-
- SyncWaiter sw;
- sw.lock()->Acquire();
-
- Enqueue(&sw);
- kernel_->lock_.Release();
- // We are violating locking order here by holding the SyncWaiter lock but not
- // the WaitableEvent lock. However, this is safe because we don't lock @lock_
- // again before unlocking it.
-
- for (;;) {
- const TimeTicks current_time(TimeTicks::Now());
-
- if (sw.fired() || (finite_time && current_time >= end_time)) {
- const bool return_value = sw.fired();
-
- // We can't acquire @lock_ before releasing the SyncWaiter lock (because
- // of locking order), however, in between the two a signal could be fired
- // and @sw would accept it, however we will still return false, so the
- // signal would be lost on an auto-reset WaitableEvent. Thus we call
- // Disable which makes sw::Fire return false.
- sw.Disable();
- sw.lock()->Release();
-
- // This is a bug that has been enshrined in the interface of
- // WaitableEvent now: |Dequeue| is called even when |sw.fired()| is true,
- // even though it'll always return false in that case. However, taking
- // the lock ensures that |Signal| has completed before we return and
- // means that a WaitableEvent can synchronise its own destruction.
- kernel_->lock_.Acquire();
- kernel_->Dequeue(&sw, &sw);
- kernel_->lock_.Release();
-
- return return_value;
- }
-
- if (finite_time) {
- const TimeDelta max_wait(end_time - current_time);
- sw.cv()->TimedWait(max_wait);
- } else {
- sw.cv()->Wait();
- }
- }
-}
-
-// -----------------------------------------------------------------------------
-// Synchronous waiting on multiple objects.
-
-static bool // StrictWeakOrdering
-cmp_fst_addr(const std::pair<WaitableEvent*, unsigned> &a,
- const std::pair<WaitableEvent*, unsigned> &b) {
- return a.first < b.first;
-}
-
-// static
-size_t WaitableEvent::WaitMany(WaitableEvent** raw_waitables,
- size_t count) {
- base::ThreadRestrictions::AssertWaitAllowed();
- DCHECK(count) << "Cannot wait on no events";
-
- // We need to acquire the locks in a globally consistent order. Thus we sort
- // the array of waitables by address. We actually sort a pairs so that we can
- // map back to the original index values later.
- std::vector<std::pair<WaitableEvent*, size_t> > waitables;
- waitables.reserve(count);
- for (size_t i = 0; i < count; ++i)
- waitables.push_back(std::make_pair(raw_waitables[i], i));
-
- DCHECK_EQ(count, waitables.size());
-
- sort(waitables.begin(), waitables.end(), cmp_fst_addr);
-
- // The set of waitables must be distinct. Since we have just sorted by
- // address, we can check this cheaply by comparing pairs of consecutive
- // elements.
- for (size_t i = 0; i < waitables.size() - 1; ++i) {
- DCHECK(waitables[i].first != waitables[i+1].first);
- }
-
- SyncWaiter sw;
-
- const size_t r = EnqueueMany(&waitables[0], count, &sw);
- if (r) {
- // One of the events is already signaled. The SyncWaiter has not been
- // enqueued anywhere. EnqueueMany returns the count of remaining waitables
- // when the signaled one was seen, so the index of the signaled event is
- // @count - @r.
- return waitables[count - r].second;
- }
-
- // At this point, we hold the locks on all the WaitableEvents and we have
- // enqueued our waiter in them all.
- sw.lock()->Acquire();
- // Release the WaitableEvent locks in the reverse order
- for (size_t i = 0; i < count; ++i) {
- waitables[count - (1 + i)].first->kernel_->lock_.Release();
- }
-
- for (;;) {
- if (sw.fired())
- break;
-
- sw.cv()->Wait();
- }
- sw.lock()->Release();
-
- // The address of the WaitableEvent which fired is stored in the SyncWaiter.
- WaitableEvent *const signaled_event = sw.signaling_event();
- // This will store the index of the raw_waitables which fired.
- size_t signaled_index = 0;
-
- // Take the locks of each WaitableEvent in turn (except the signaled one) and
- // remove our SyncWaiter from the wait-list
- for (size_t i = 0; i < count; ++i) {
- if (raw_waitables[i] != signaled_event) {
- raw_waitables[i]->kernel_->lock_.Acquire();
- // There's no possible ABA issue with the address of the SyncWaiter here
- // because it lives on the stack. Thus the tag value is just the pointer
- // value again.
- raw_waitables[i]->kernel_->Dequeue(&sw, &sw);
- raw_waitables[i]->kernel_->lock_.Release();
- } else {
- // By taking this lock here we ensure that |Signal| has completed by the
- // time we return, because |Signal| holds this lock. This matches the
- // behaviour of |Wait| and |TimedWait|.
- raw_waitables[i]->kernel_->lock_.Acquire();
- raw_waitables[i]->kernel_->lock_.Release();
- signaled_index = i;
- }
- }
-
- return signaled_index;
-}
-
-// -----------------------------------------------------------------------------
-// If return value == 0:
-// The locks of the WaitableEvents have been taken in order and the Waiter has
-// been enqueued in the wait-list of each. None of the WaitableEvents are
-// currently signaled
-// else:
-// None of the WaitableEvent locks are held. The Waiter has not been enqueued
-// in any of them and the return value is the index of the first WaitableEvent
-// which was signaled, from the end of the array.
-// -----------------------------------------------------------------------------
-// static
-size_t WaitableEvent::EnqueueMany
- (std::pair<WaitableEvent*, size_t>* waitables,
- size_t count, Waiter* waiter) {
- if (!count)
- return 0;
-
- waitables[0].first->kernel_->lock_.Acquire();
- if (waitables[0].first->kernel_->signaled_) {
- if (!waitables[0].first->kernel_->manual_reset_)
- waitables[0].first->kernel_->signaled_ = false;
- waitables[0].first->kernel_->lock_.Release();
- return count;
- }
-
- const size_t r = EnqueueMany(waitables + 1, count - 1, waiter);
- if (r) {
- waitables[0].first->kernel_->lock_.Release();
- } else {
- waitables[0].first->Enqueue(waiter);
- }
-
- return r;
-}
-
-// -----------------------------------------------------------------------------
-
-
-// -----------------------------------------------------------------------------
-// Private functions...
-
-WaitableEvent::WaitableEventKernel::WaitableEventKernel(bool manual_reset,
- bool initially_signaled)
- : manual_reset_(manual_reset),
- signaled_(initially_signaled) {
-}
-
-WaitableEvent::WaitableEventKernel::~WaitableEventKernel() {
-}
-
-// -----------------------------------------------------------------------------
-// Wake all waiting waiters. Called with lock held.
-// -----------------------------------------------------------------------------
-bool WaitableEvent::SignalAll() {
- bool signaled_at_least_one = false;
-
- for (std::list<Waiter*>::iterator
- i = kernel_->waiters_.begin(); i != kernel_->waiters_.end(); ++i) {
- if ((*i)->Fire(this))
- signaled_at_least_one = true;
- }
-
- kernel_->waiters_.clear();
- return signaled_at_least_one;
-}
-
-// ---------------------------------------------------------------------------
-// Try to wake a single waiter. Return true if one was woken. Called with lock
-// held.
-// ---------------------------------------------------------------------------
-bool WaitableEvent::SignalOne() {
- for (;;) {
- if (kernel_->waiters_.empty())
- return false;
-
- const bool r = (*kernel_->waiters_.begin())->Fire(this);
- kernel_->waiters_.pop_front();
- if (r)
- return true;
- }
-}
-
-// -----------------------------------------------------------------------------
-// Add a waiter to the list of those waiting. Called with lock held.
-// -----------------------------------------------------------------------------
-void WaitableEvent::Enqueue(Waiter* waiter) {
- kernel_->waiters_.push_back(waiter);
-}
-
-// -----------------------------------------------------------------------------
-// Remove a waiter from the list of those waiting. Return true if the waiter was
-// actually removed. Called with lock held.
-// -----------------------------------------------------------------------------
-bool WaitableEvent::WaitableEventKernel::Dequeue(Waiter* waiter, void* tag) {
- for (std::list<Waiter*>::iterator
- i = waiters_.begin(); i != waiters_.end(); ++i) {
- if (*i == waiter && (*i)->Compare(tag)) {
- waiters_.erase(i);
- return true;
- }
- }
-
- return false;
-}
-
-// -----------------------------------------------------------------------------
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/task_runner.h b/security/sandbox/chromium/base/task_runner.h
deleted file mode 100644
index 6dd82ccac..000000000
--- a/security/sandbox/chromium/base/task_runner.h
+++ /dev/null
@@ -1,154 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_TASK_RUNNER_H_
-#define BASE_TASK_RUNNER_H_
-
-#include <stddef.h>
-
-#include "base/base_export.h"
-#include "base/callback_forward.h"
-#include "base/memory/ref_counted.h"
-#include "base/time/time.h"
-
-namespace tracked_objects {
-class Location;
-} // namespace tracked_objects
-
-namespace base {
-
-struct TaskRunnerTraits;
-
-// A TaskRunner is an object that runs posted tasks (in the form of
-// Closure objects). The TaskRunner interface provides a way of
-// decoupling task posting from the mechanics of how each task will be
-// run. TaskRunner provides very weak guarantees as to how posted
-// tasks are run (or if they're run at all). In particular, it only
-// guarantees:
-//
-// - Posting a task will not run it synchronously. That is, no
-// Post*Task method will call task.Run() directly.
-//
-// - Increasing the delay can only delay when the task gets run.
-// That is, increasing the delay may not affect when the task gets
-// run, or it could make it run later than it normally would, but
-// it won't make it run earlier than it normally would.
-//
-// TaskRunner does not guarantee the order in which posted tasks are
-// run, whether tasks overlap, or whether they're run on a particular
-// thread. Also it does not guarantee a memory model for shared data
-// between tasks. (In other words, you should use your own
-// synchronization/locking primitives if you need to share data
-// between tasks.)
-//
-// Implementations of TaskRunner should be thread-safe in that all
-// methods must be safe to call on any thread. Ownership semantics
-// for TaskRunners are in general not clear, which is why the
-// interface itself is RefCountedThreadSafe.
-//
-// Some theoretical implementations of TaskRunner:
-//
-// - A TaskRunner that uses a thread pool to run posted tasks.
-//
-// - A TaskRunner that, for each task, spawns a non-joinable thread
-// to run that task and immediately quit.
-//
-// - A TaskRunner that stores the list of posted tasks and has a
-// method Run() that runs each runnable task in random order.
-class BASE_EXPORT TaskRunner
- : public RefCountedThreadSafe<TaskRunner, TaskRunnerTraits> {
- public:
- // Posts the given task to be run. Returns true if the task may be
- // run at some point in the future, and false if the task definitely
- // will not be run.
- //
- // Equivalent to PostDelayedTask(from_here, task, 0).
- bool PostTask(const tracked_objects::Location& from_here,
- const Closure& task);
-
- // Like PostTask, but tries to run the posted task only after
- // |delay_ms| has passed.
- //
- // It is valid for an implementation to ignore |delay_ms|; that is,
- // to have PostDelayedTask behave the same as PostTask.
- virtual bool PostDelayedTask(const tracked_objects::Location& from_here,
- const Closure& task,
- base::TimeDelta delay) = 0;
-
- // Returns true if the current thread is a thread on which a task
- // may be run, and false if no task will be run on the current
- // thread.
- //
- // It is valid for an implementation to always return true, or in
- // general to use 'true' as a default value.
- virtual bool RunsTasksOnCurrentThread() const = 0;
-
- // Posts |task| on the current TaskRunner. On completion, |reply|
- // is posted to the thread that called PostTaskAndReply(). Both
- // |task| and |reply| are guaranteed to be deleted on the thread
- // from which PostTaskAndReply() is invoked. This allows objects
- // that must be deleted on the originating thread to be bound into
- // the |task| and |reply| Closures. In particular, it can be useful
- // to use WeakPtr<> in the |reply| Closure so that the reply
- // operation can be canceled. See the following pseudo-code:
- //
- // class DataBuffer : public RefCountedThreadSafe<DataBuffer> {
- // public:
- // // Called to add data into a buffer.
- // void AddData(void* buf, size_t length);
- // ...
- // };
- //
- //
- // class DataLoader : public SupportsWeakPtr<DataLoader> {
- // public:
- // void GetData() {
- // scoped_refptr<DataBuffer> buffer = new DataBuffer();
- // target_thread_.task_runner()->PostTaskAndReply(
- // FROM_HERE,
- // base::Bind(&DataBuffer::AddData, buffer),
- // base::Bind(&DataLoader::OnDataReceived, AsWeakPtr(), buffer));
- // }
- //
- // private:
- // void OnDataReceived(scoped_refptr<DataBuffer> buffer) {
- // // Do something with buffer.
- // }
- // };
- //
- //
- // Things to notice:
- // * Results of |task| are shared with |reply| by binding a shared argument
- // (a DataBuffer instance).
- // * The DataLoader object has no special thread safety.
- // * The DataLoader object can be deleted while |task| is still running,
- // and the reply will cancel itself safely because it is bound to a
- // WeakPtr<>.
- bool PostTaskAndReply(const tracked_objects::Location& from_here,
- const Closure& task,
- const Closure& reply);
-
- protected:
- friend struct TaskRunnerTraits;
-
- // Only the Windows debug build seems to need this: see
- // http://crbug.com/112250.
- friend class RefCountedThreadSafe<TaskRunner, TaskRunnerTraits>;
-
- TaskRunner();
- virtual ~TaskRunner();
-
- // Called when this object should be destroyed. By default simply
- // deletes |this|, but can be overridden to do something else, like
- // delete on a certain thread.
- virtual void OnDestruct() const;
-};
-
-struct BASE_EXPORT TaskRunnerTraits {
- static void Destruct(const TaskRunner* task_runner);
-};
-
-} // namespace base
-
-#endif // BASE_TASK_RUNNER_H_
diff --git a/security/sandbox/chromium/base/template_util.h b/security/sandbox/chromium/base/template_util.h
deleted file mode 100644
index d58807a77..000000000
--- a/security/sandbox/chromium/base/template_util.h
+++ /dev/null
@@ -1,122 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_TEMPLATE_UTIL_H_
-#define BASE_TEMPLATE_UTIL_H_
-
-#include <stddef.h>
-
-#include "build/build_config.h"
-
-namespace base {
-
-// template definitions from tr1
-
-template<class T, T v>
-struct integral_constant {
- static const T value = v;
- typedef T value_type;
- typedef integral_constant<T, v> type;
-};
-
-template <class T, T v> const T integral_constant<T, v>::value;
-
-typedef integral_constant<bool, true> true_type;
-typedef integral_constant<bool, false> false_type;
-
-template <class T> struct is_pointer : false_type {};
-template <class T> struct is_pointer<T*> : true_type {};
-
-// Member function pointer detection. This is built-in to C++ 11's stdlib, and
-// we can remove this when we switch to it.
-template<typename T>
-struct is_member_function_pointer : false_type {};
-
-template <typename R, typename Z, typename... A>
-struct is_member_function_pointer<R(Z::*)(A...)> : true_type {};
-template <typename R, typename Z, typename... A>
-struct is_member_function_pointer<R(Z::*)(A...) const> : true_type {};
-
-
-template <class T, class U> struct is_same : public false_type {};
-template <class T> struct is_same<T,T> : true_type {};
-
-template<class> struct is_array : public false_type {};
-template<class T, size_t n> struct is_array<T[n]> : public true_type {};
-template<class T> struct is_array<T[]> : public true_type {};
-
-template <class T> struct is_non_const_reference : false_type {};
-template <class T> struct is_non_const_reference<T&> : true_type {};
-template <class T> struct is_non_const_reference<const T&> : false_type {};
-
-template <class T> struct is_const : false_type {};
-template <class T> struct is_const<const T> : true_type {};
-
-template <class T> struct is_void : false_type {};
-template <> struct is_void<void> : true_type {};
-
-namespace internal {
-
-// Types YesType and NoType are guaranteed such that sizeof(YesType) <
-// sizeof(NoType).
-typedef char YesType;
-
-struct NoType {
- YesType dummy[2];
-};
-
-// This class is an implementation detail for is_convertible, and you
-// don't need to know how it works to use is_convertible. For those
-// who care: we declare two different functions, one whose argument is
-// of type To and one with a variadic argument list. We give them
-// return types of different size, so we can use sizeof to trick the
-// compiler into telling us which function it would have chosen if we
-// had called it with an argument of type From. See Alexandrescu's
-// _Modern C++ Design_ for more details on this sort of trick.
-
-struct ConvertHelper {
- template <typename To>
- static YesType Test(To);
-
- template <typename To>
- static NoType Test(...);
-
- template <typename From>
- static From& Create();
-};
-
-// Used to determine if a type is a struct/union/class. Inspired by Boost's
-// is_class type_trait implementation.
-struct IsClassHelper {
- template <typename C>
- static YesType Test(void(C::*)(void));
-
- template <typename C>
- static NoType Test(...);
-};
-
-} // namespace internal
-
-// Inherits from true_type if From is convertible to To, false_type otherwise.
-//
-// Note that if the type is convertible, this will be a true_type REGARDLESS
-// of whether or not the conversion would emit a warning.
-template <typename From, typename To>
-struct is_convertible
- : integral_constant<bool,
- sizeof(internal::ConvertHelper::Test<To>(
- internal::ConvertHelper::Create<From>())) ==
- sizeof(internal::YesType)> {
-};
-
-template <typename T>
-struct is_class
- : integral_constant<bool,
- sizeof(internal::IsClassHelper::Test<T>(0)) ==
- sizeof(internal::YesType)> {
-};
-
-} // namespace base
-
-#endif // BASE_TEMPLATE_UTIL_H_
diff --git a/security/sandbox/chromium/base/third_party/dmg_fp/LICENSE b/security/sandbox/chromium/base/third_party/dmg_fp/LICENSE
deleted file mode 100644
index 716f1ef2b..000000000
--- a/security/sandbox/chromium/base/third_party/dmg_fp/LICENSE
+++ /dev/null
@@ -1,18 +0,0 @@
-/****************************************************************
- *
- * The author of this software is David M. Gay.
- *
- * Copyright (c) 1991, 2000, 2001 by Lucent Technologies.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose without fee is hereby granted, provided that this entire notice
- * is included in all copies of any software which is or includes a copy
- * or modification of this software and in all copies of the supporting
- * documentation for such software.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTY. IN PARTICULAR, NEITHER THE AUTHOR NOR LUCENT MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY
- * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.
- *
- ***************************************************************/
diff --git a/security/sandbox/chromium/base/third_party/dmg_fp/dmg_fp.h b/security/sandbox/chromium/base/third_party/dmg_fp/dmg_fp.h
deleted file mode 100644
index 4795397ec..000000000
--- a/security/sandbox/chromium/base/third_party/dmg_fp/dmg_fp.h
+++ /dev/null
@@ -1,30 +0,0 @@
-// Copyright (c) 2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef THIRD_PARTY_DMG_FP_H_
-#define THIRD_PARTY_DMG_FP_H_
-
-namespace dmg_fp {
-
-// Return a nearest machine number to the input decimal
-// string (or set errno to ERANGE). With IEEE arithmetic, ties are
-// broken by the IEEE round-even rule. Otherwise ties are broken by
-// biased rounding (add half and chop).
-double strtod(const char* s00, char** se);
-
-// Convert double to ASCII string. For meaning of parameters
-// see dtoa.cc file.
-char* dtoa(double d, int mode, int ndigits,
- int* decpt, int* sign, char** rve);
-
-// Must be used to free values returned by dtoa.
-void freedtoa(char* s);
-
-// Store the closest decimal approximation to x in b (null terminated).
-// Returns a pointer to b. It is sufficient for |b| to be 32 characters.
-char* g_fmt(char* b, double x);
-
-} // namespace dmg_fp
-
-#endif // THIRD_PARTY_DMG_FP_H_
diff --git a/security/sandbox/chromium/base/third_party/dmg_fp/dtoa.cc b/security/sandbox/chromium/base/third_party/dmg_fp/dtoa.cc
deleted file mode 100644
index 502c16cc7..000000000
--- a/security/sandbox/chromium/base/third_party/dmg_fp/dtoa.cc
+++ /dev/null
@@ -1,4234 +0,0 @@
-/****************************************************************
- *
- * The author of this software is David M. Gay.
- *
- * Copyright (c) 1991, 2000, 2001 by Lucent Technologies.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose without fee is hereby granted, provided that this entire notice
- * is included in all copies of any software which is or includes a copy
- * or modification of this software and in all copies of the supporting
- * documentation for such software.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTY. IN PARTICULAR, NEITHER THE AUTHOR NOR LUCENT MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY
- * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.
- *
- ***************************************************************/
-
-/* Please send bug reports to David M. Gay (dmg at acm dot org,
- * with " at " changed at "@" and " dot " changed to "."). */
-
-/* On a machine with IEEE extended-precision registers, it is
- * necessary to specify double-precision (53-bit) rounding precision
- * before invoking strtod or dtoa. If the machine uses (the equivalent
- * of) Intel 80x87 arithmetic, the call
- * _control87(PC_53, MCW_PC);
- * does this with many compilers. Whether this or another call is
- * appropriate depends on the compiler; for this to work, it may be
- * necessary to #include "float.h" or another system-dependent header
- * file.
- */
-
-/* strtod for IEEE-, VAX-, and IBM-arithmetic machines.
- *
- * This strtod returns a nearest machine number to the input decimal
- * string (or sets errno to ERANGE). With IEEE arithmetic, ties are
- * broken by the IEEE round-even rule. Otherwise ties are broken by
- * biased rounding (add half and chop).
- *
- * Inspired loosely by William D. Clinger's paper "How to Read Floating
- * Point Numbers Accurately" [Proc. ACM SIGPLAN '90, pp. 92-101].
- *
- * Modifications:
- *
- * 1. We only require IEEE, IBM, or VAX double-precision
- * arithmetic (not IEEE double-extended).
- * 2. We get by with floating-point arithmetic in a case that
- * Clinger missed -- when we're computing d * 10^n
- * for a small integer d and the integer n is not too
- * much larger than 22 (the maximum integer k for which
- * we can represent 10^k exactly), we may be able to
- * compute (d*10^k) * 10^(e-k) with just one roundoff.
- * 3. Rather than a bit-at-a-time adjustment of the binary
- * result in the hard case, we use floating-point
- * arithmetic to determine the adjustment to within
- * one bit; only in really hard cases do we need to
- * compute a second residual.
- * 4. Because of 3., we don't need a large table of powers of 10
- * for ten-to-e (just some small tables, e.g. of 10^k
- * for 0 <= k <= 22).
- */
-
-/*
- * #define IEEE_8087 for IEEE-arithmetic machines where the least
- * significant byte has the lowest address.
- * #define IEEE_MC68k for IEEE-arithmetic machines where the most
- * significant byte has the lowest address.
- * #define Long int on machines with 32-bit ints and 64-bit longs.
- * #define IBM for IBM mainframe-style floating-point arithmetic.
- * #define VAX for VAX-style floating-point arithmetic (D_floating).
- * #define No_leftright to omit left-right logic in fast floating-point
- * computation of dtoa.
- * #define Honor_FLT_ROUNDS if FLT_ROUNDS can assume the values 2 or 3
- * and strtod and dtoa should round accordingly. Unless Trust_FLT_ROUNDS
- * is also #defined, fegetround() will be queried for the rounding mode.
- * Note that both FLT_ROUNDS and fegetround() are specified by the C99
- * standard (and are specified to be consistent, with fesetround()
- * affecting the value of FLT_ROUNDS), but that some (Linux) systems
- * do not work correctly in this regard, so using fegetround() is more
- * portable than using FLT_FOUNDS directly.
- * #define Check_FLT_ROUNDS if FLT_ROUNDS can assume the values 2 or 3
- * and Honor_FLT_ROUNDS is not #defined.
- * #define RND_PRODQUOT to use rnd_prod and rnd_quot (assembly routines
- * that use extended-precision instructions to compute rounded
- * products and quotients) with IBM.
- * #define ROUND_BIASED for IEEE-format with biased rounding.
- * #define Inaccurate_Divide for IEEE-format with correctly rounded
- * products but inaccurate quotients, e.g., for Intel i860.
- * #define NO_LONG_LONG on machines that do not have a "long long"
- * integer type (of >= 64 bits). On such machines, you can
- * #define Just_16 to store 16 bits per 32-bit Long when doing
- * high-precision integer arithmetic. Whether this speeds things
- * up or slows things down depends on the machine and the number
- * being converted. If long long is available and the name is
- * something other than "long long", #define Llong to be the name,
- * and if "unsigned Llong" does not work as an unsigned version of
- * Llong, #define #ULLong to be the corresponding unsigned type.
- * #define KR_headers for old-style C function headers.
- * #define Bad_float_h if your system lacks a float.h or if it does not
- * define some or all of DBL_DIG, DBL_MAX_10_EXP, DBL_MAX_EXP,
- * FLT_RADIX, FLT_ROUNDS, and DBL_MAX.
- * #define MALLOC your_malloc, where your_malloc(n) acts like malloc(n)
- * if memory is available and otherwise does something you deem
- * appropriate. If MALLOC is undefined, malloc will be invoked
- * directly -- and assumed always to succeed. Similarly, if you
- * want something other than the system's free() to be called to
- * recycle memory acquired from MALLOC, #define FREE to be the
- * name of the alternate routine. (FREE or free is only called in
- * pathological cases, e.g., in a dtoa call after a dtoa return in
- * mode 3 with thousands of digits requested.)
- * #define Omit_Private_Memory to omit logic (added Jan. 1998) for making
- * memory allocations from a private pool of memory when possible.
- * When used, the private pool is PRIVATE_MEM bytes long: 2304 bytes,
- * unless #defined to be a different length. This default length
- * suffices to get rid of MALLOC calls except for unusual cases,
- * such as decimal-to-binary conversion of a very long string of
- * digits. The longest string dtoa can return is about 751 bytes
- * long. For conversions by strtod of strings of 800 digits and
- * all dtoa conversions in single-threaded executions with 8-byte
- * pointers, PRIVATE_MEM >= 7400 appears to suffice; with 4-byte
- * pointers, PRIVATE_MEM >= 7112 appears adequate.
- * #define NO_INFNAN_CHECK if you do not wish to have INFNAN_CHECK
- * #defined automatically on IEEE systems. On such systems,
- * when INFNAN_CHECK is #defined, strtod checks
- * for Infinity and NaN (case insensitively). On some systems
- * (e.g., some HP systems), it may be necessary to #define NAN_WORD0
- * appropriately -- to the most significant word of a quiet NaN.
- * (On HP Series 700/800 machines, -DNAN_WORD0=0x7ff40000 works.)
- * When INFNAN_CHECK is #defined and No_Hex_NaN is not #defined,
- * strtod also accepts (case insensitively) strings of the form
- * NaN(x), where x is a string of hexadecimal digits and spaces;
- * if there is only one string of hexadecimal digits, it is taken
- * for the 52 fraction bits of the resulting NaN; if there are two
- * or more strings of hex digits, the first is for the high 20 bits,
- * the second and subsequent for the low 32 bits, with intervening
- * white space ignored; but if this results in none of the 52
- * fraction bits being on (an IEEE Infinity symbol), then NAN_WORD0
- * and NAN_WORD1 are used instead.
- * #define MULTIPLE_THREADS if the system offers preemptively scheduled
- * multiple threads. In this case, you must provide (or suitably
- * #define) two locks, acquired by ACQUIRE_DTOA_LOCK(n) and freed
- * by FREE_DTOA_LOCK(n) for n = 0 or 1. (The second lock, accessed
- * in pow5mult, ensures lazy evaluation of only one copy of high
- * powers of 5; omitting this lock would introduce a small
- * probability of wasting memory, but would otherwise be harmless.)
- * You must also invoke freedtoa(s) to free the value s returned by
- * dtoa. You may do so whether or not MULTIPLE_THREADS is #defined.
- * #define NO_IEEE_Scale to disable new (Feb. 1997) logic in strtod that
- * avoids underflows on inputs whose result does not underflow.
- * If you #define NO_IEEE_Scale on a machine that uses IEEE-format
- * floating-point numbers and flushes underflows to zero rather
- * than implementing gradual underflow, then you must also #define
- * Sudden_Underflow.
- * #define USE_LOCALE to use the current locale's decimal_point value.
- * #define SET_INEXACT if IEEE arithmetic is being used and extra
- * computation should be done to set the inexact flag when the
- * result is inexact and avoid setting inexact when the result
- * is exact. In this case, dtoa.c must be compiled in
- * an environment, perhaps provided by #include "dtoa.c" in a
- * suitable wrapper, that defines two functions,
- * int get_inexact(void);
- * void clear_inexact(void);
- * such that get_inexact() returns a nonzero value if the
- * inexact bit is already set, and clear_inexact() sets the
- * inexact bit to 0. When SET_INEXACT is #defined, strtod
- * also does extra computations to set the underflow and overflow
- * flags when appropriate (i.e., when the result is tiny and
- * inexact or when it is a numeric value rounded to +-infinity).
- * #define NO_ERRNO if strtod should not assign errno = ERANGE when
- * the result overflows to +-Infinity or underflows to 0.
- * #define NO_HEX_FP to omit recognition of hexadecimal floating-point
- * values by strtod.
- * #define NO_STRTOD_BIGCOMP (on IEEE-arithmetic systems only for now)
- * to disable logic for "fast" testing of very long input strings
- * to strtod. This testing proceeds by initially truncating the
- * input string, then if necessary comparing the whole string with
- * a decimal expansion to decide close cases. This logic is only
- * used for input more than STRTOD_DIGLIM digits long (default 40).
- */
-
-#define IEEE_8087
-#define NO_HEX_FP
-
-#ifndef Long
-#if __LP64__
-#define Long int
-#else
-#define Long long
-#endif
-#endif
-#ifndef ULong
-typedef unsigned Long ULong;
-#endif
-
-#ifdef DEBUG
-#include "stdio.h"
-#define Bug(x) {fprintf(stderr, "%s\n", x); exit(1);}
-#endif
-
-#include "stdlib.h"
-#include "string.h"
-
-#ifdef USE_LOCALE
-#include "locale.h"
-#endif
-
-#ifdef Honor_FLT_ROUNDS
-#ifndef Trust_FLT_ROUNDS
-#include <fenv.h>
-#endif
-#endif
-
-#ifdef MALLOC
-#ifdef KR_headers
-extern char *MALLOC();
-#else
-extern void *MALLOC(size_t);
-#endif
-#else
-#define MALLOC malloc
-#endif
-
-#ifndef Omit_Private_Memory
-#ifndef PRIVATE_MEM
-#define PRIVATE_MEM 2304
-#endif
-#define PRIVATE_mem ((unsigned)((PRIVATE_MEM+sizeof(double)-1)/sizeof(double)))
-static double private_mem[PRIVATE_mem], *pmem_next = private_mem;
-#endif
-
-#undef IEEE_Arith
-#undef Avoid_Underflow
-#ifdef IEEE_MC68k
-#define IEEE_Arith
-#endif
-#ifdef IEEE_8087
-#define IEEE_Arith
-#endif
-
-#ifdef IEEE_Arith
-#ifndef NO_INFNAN_CHECK
-#undef INFNAN_CHECK
-#define INFNAN_CHECK
-#endif
-#else
-#undef INFNAN_CHECK
-#define NO_STRTOD_BIGCOMP
-#endif
-
-#include "errno.h"
-
-#ifdef Bad_float_h
-
-#ifdef IEEE_Arith
-#define DBL_DIG 15
-#define DBL_MAX_10_EXP 308
-#define DBL_MAX_EXP 1024
-#define FLT_RADIX 2
-#endif /*IEEE_Arith*/
-
-#ifdef IBM
-#define DBL_DIG 16
-#define DBL_MAX_10_EXP 75
-#define DBL_MAX_EXP 63
-#define FLT_RADIX 16
-#define DBL_MAX 7.2370055773322621e+75
-#endif
-
-#ifdef VAX
-#define DBL_DIG 16
-#define DBL_MAX_10_EXP 38
-#define DBL_MAX_EXP 127
-#define FLT_RADIX 2
-#define DBL_MAX 1.7014118346046923e+38
-#endif
-
-#ifndef LONG_MAX
-#define LONG_MAX 2147483647
-#endif
-
-#else /* ifndef Bad_float_h */
-#include "float.h"
-#endif /* Bad_float_h */
-
-#ifndef __MATH_H__
-#include "math.h"
-#endif
-
-namespace dmg_fp {
-
-#ifndef CONST
-#ifdef KR_headers
-#define CONST /* blank */
-#else
-#define CONST const
-#endif
-#endif
-
-#if defined(IEEE_8087) + defined(IEEE_MC68k) + defined(VAX) + defined(IBM) != 1
-Exactly one of IEEE_8087, IEEE_MC68k, VAX, or IBM should be defined.
-#endif
-
-typedef union { double d; ULong L[2]; } U;
-
-#ifdef IEEE_8087
-#define word0(x) (x)->L[1]
-#define word1(x) (x)->L[0]
-#else
-#define word0(x) (x)->L[0]
-#define word1(x) (x)->L[1]
-#endif
-#define dval(x) (x)->d
-
-#ifndef STRTOD_DIGLIM
-#define STRTOD_DIGLIM 40
-#endif
-
-#ifdef DIGLIM_DEBUG
-extern int strtod_diglim;
-#else
-#define strtod_diglim STRTOD_DIGLIM
-#endif
-
-/* The following definition of Storeinc is appropriate for MIPS processors.
- * An alternative that might be better on some machines is
- * #define Storeinc(a,b,c) (*a++ = b << 16 | c & 0xffff)
- */
-#if defined(IEEE_8087) + defined(VAX)
-#define Storeinc(a,b,c) (((unsigned short *)a)[1] = (unsigned short)b, \
-((unsigned short *)a)[0] = (unsigned short)c, a++)
-#else
-#define Storeinc(a,b,c) (((unsigned short *)a)[0] = (unsigned short)b, \
-((unsigned short *)a)[1] = (unsigned short)c, a++)
-#endif
-
-/* #define P DBL_MANT_DIG */
-/* Ten_pmax = floor(P*log(2)/log(5)) */
-/* Bletch = (highest power of 2 < DBL_MAX_10_EXP) / 16 */
-/* Quick_max = floor((P-1)*log(FLT_RADIX)/log(10) - 1) */
-/* Int_max = floor(P*log(FLT_RADIX)/log(10) - 1) */
-
-#ifdef IEEE_Arith
-#define Exp_shift 20
-#define Exp_shift1 20
-#define Exp_msk1 0x100000
-#define Exp_msk11 0x100000
-#define Exp_mask 0x7ff00000
-#define P 53
-#define Nbits 53
-#define Bias 1023
-#define Emax 1023
-#define Emin (-1022)
-#define Exp_1 0x3ff00000
-#define Exp_11 0x3ff00000
-#define Ebits 11
-#define Frac_mask 0xfffff
-#define Frac_mask1 0xfffff
-#define Ten_pmax 22
-#define Bletch 0x10
-#define Bndry_mask 0xfffff
-#define Bndry_mask1 0xfffff
-#define LSB 1
-#define Sign_bit 0x80000000
-#define Log2P 1
-#define Tiny0 0
-#define Tiny1 1
-#define Quick_max 14
-#define Int_max 14
-#ifndef NO_IEEE_Scale
-#define Avoid_Underflow
-#ifdef Flush_Denorm /* debugging option */
-#undef Sudden_Underflow
-#endif
-#endif
-
-#ifndef Flt_Rounds
-#ifdef FLT_ROUNDS
-#define Flt_Rounds FLT_ROUNDS
-#else
-#define Flt_Rounds 1
-#endif
-#endif /*Flt_Rounds*/
-
-#ifdef Honor_FLT_ROUNDS
-#undef Check_FLT_ROUNDS
-#define Check_FLT_ROUNDS
-#else
-#define Rounding Flt_Rounds
-#endif
-
-#else /* ifndef IEEE_Arith */
-#undef Check_FLT_ROUNDS
-#undef Honor_FLT_ROUNDS
-#undef SET_INEXACT
-#undef Sudden_Underflow
-#define Sudden_Underflow
-#ifdef IBM
-#undef Flt_Rounds
-#define Flt_Rounds 0
-#define Exp_shift 24
-#define Exp_shift1 24
-#define Exp_msk1 0x1000000
-#define Exp_msk11 0x1000000
-#define Exp_mask 0x7f000000
-#define P 14
-#define Nbits 56
-#define Bias 65
-#define Emax 248
-#define Emin (-260)
-#define Exp_1 0x41000000
-#define Exp_11 0x41000000
-#define Ebits 8 /* exponent has 7 bits, but 8 is the right value in b2d */
-#define Frac_mask 0xffffff
-#define Frac_mask1 0xffffff
-#define Bletch 4
-#define Ten_pmax 22
-#define Bndry_mask 0xefffff
-#define Bndry_mask1 0xffffff
-#define LSB 1
-#define Sign_bit 0x80000000
-#define Log2P 4
-#define Tiny0 0x100000
-#define Tiny1 0
-#define Quick_max 14
-#define Int_max 15
-#else /* VAX */
-#undef Flt_Rounds
-#define Flt_Rounds 1
-#define Exp_shift 23
-#define Exp_shift1 7
-#define Exp_msk1 0x80
-#define Exp_msk11 0x800000
-#define Exp_mask 0x7f80
-#define P 56
-#define Nbits 56
-#define Bias 129
-#define Emax 126
-#define Emin (-129)
-#define Exp_1 0x40800000
-#define Exp_11 0x4080
-#define Ebits 8
-#define Frac_mask 0x7fffff
-#define Frac_mask1 0xffff007f
-#define Ten_pmax 24
-#define Bletch 2
-#define Bndry_mask 0xffff007f
-#define Bndry_mask1 0xffff007f
-#define LSB 0x10000
-#define Sign_bit 0x8000
-#define Log2P 1
-#define Tiny0 0x80
-#define Tiny1 0
-#define Quick_max 15
-#define Int_max 15
-#endif /* IBM, VAX */
-#endif /* IEEE_Arith */
-
-#ifndef IEEE_Arith
-#define ROUND_BIASED
-#endif
-
-#ifdef RND_PRODQUOT
-#define rounded_product(a,b) a = rnd_prod(a, b)
-#define rounded_quotient(a,b) a = rnd_quot(a, b)
-#ifdef KR_headers
-extern double rnd_prod(), rnd_quot();
-#else
-extern double rnd_prod(double, double), rnd_quot(double, double);
-#endif
-#else
-#define rounded_product(a,b) a *= b
-#define rounded_quotient(a,b) a /= b
-#endif
-
-#define Big0 (Frac_mask1 | Exp_msk1*(DBL_MAX_EXP+Bias-1))
-#define Big1 0xffffffff
-
-#ifndef Pack_32
-#define Pack_32
-#endif
-
-typedef struct BCinfo BCinfo;
- struct
-BCinfo { int dp0, dp1, dplen, dsign, e0, inexact, nd, nd0, rounding, scale, uflchk; };
-
-#ifdef KR_headers
-#define FFFFFFFF ((((unsigned long)0xffff)<<16)|(unsigned long)0xffff)
-#else
-#define FFFFFFFF 0xffffffffUL
-#endif
-
-#ifdef NO_LONG_LONG
-#undef ULLong
-#ifdef Just_16
-#undef Pack_32
-/* When Pack_32 is not defined, we store 16 bits per 32-bit Long.
- * This makes some inner loops simpler and sometimes saves work
- * during multiplications, but it often seems to make things slightly
- * slower. Hence the default is now to store 32 bits per Long.
- */
-#endif
-#else /* long long available */
-#ifndef Llong
-#define Llong long long
-#endif
-#ifndef ULLong
-#define ULLong unsigned Llong
-#endif
-#endif /* NO_LONG_LONG */
-
-#ifndef MULTIPLE_THREADS
-#define ACQUIRE_DTOA_LOCK(n) /*nothing*/
-#define FREE_DTOA_LOCK(n) /*nothing*/
-#endif
-
-#define Kmax 7
-
-double strtod(const char *s00, char **se);
-char *dtoa(double d, int mode, int ndigits,
- int *decpt, int *sign, char **rve);
-
- struct
-Bigint {
- struct Bigint *next;
- int k, maxwds, sign, wds;
- ULong x[1];
- };
-
- typedef struct Bigint Bigint;
-
- static Bigint *freelist[Kmax+1];
-
- static Bigint *
-Balloc
-#ifdef KR_headers
- (k) int k;
-#else
- (int k)
-#endif
-{
- int x;
- Bigint *rv;
-#ifndef Omit_Private_Memory
- unsigned int len;
-#endif
-
- ACQUIRE_DTOA_LOCK(0);
- /* The k > Kmax case does not need ACQUIRE_DTOA_LOCK(0), */
- /* but this case seems very unlikely. */
- if (k <= Kmax && freelist[k]) {
- rv = freelist[k];
- freelist[k] = rv->next;
- }
- else {
- x = 1 << k;
-#ifdef Omit_Private_Memory
- rv = (Bigint *)MALLOC(sizeof(Bigint) + (x-1)*sizeof(ULong));
-#else
- len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)
- /sizeof(double);
- if (k <= Kmax && pmem_next - private_mem + len <= PRIVATE_mem) {
- rv = (Bigint*)pmem_next;
- pmem_next += len;
- }
- else
- rv = (Bigint*)MALLOC(len*sizeof(double));
-#endif
- rv->k = k;
- rv->maxwds = x;
- }
- FREE_DTOA_LOCK(0);
- rv->sign = rv->wds = 0;
- return rv;
- }
-
- static void
-Bfree
-#ifdef KR_headers
- (v) Bigint *v;
-#else
- (Bigint *v)
-#endif
-{
- if (v) {
- if (v->k > Kmax)
-#ifdef FREE
- FREE((void*)v);
-#else
- free((void*)v);
-#endif
- else {
- ACQUIRE_DTOA_LOCK(0);
- v->next = freelist[v->k];
- freelist[v->k] = v;
- FREE_DTOA_LOCK(0);
- }
- }
- }
-
-#define Bcopy(x,y) memcpy((char *)&x->sign, (char *)&y->sign, \
-y->wds*sizeof(Long) + 2*sizeof(int))
-
- static Bigint *
-multadd
-#ifdef KR_headers
- (b, m, a) Bigint *b; int m, a;
-#else
- (Bigint *b, int m, int a) /* multiply by m and add a */
-#endif
-{
- int i, wds;
-#ifdef ULLong
- ULong *x;
- ULLong carry, y;
-#else
- ULong carry, *x, y;
-#ifdef Pack_32
- ULong xi, z;
-#endif
-#endif
- Bigint *b1;
-
- wds = b->wds;
- x = b->x;
- i = 0;
- carry = a;
- do {
-#ifdef ULLong
- y = *x * (ULLong)m + carry;
- carry = y >> 32;
- *x++ = y & FFFFFFFF;
-#else
-#ifdef Pack_32
- xi = *x;
- y = (xi & 0xffff) * m + carry;
- z = (xi >> 16) * m + (y >> 16);
- carry = z >> 16;
- *x++ = (z << 16) + (y & 0xffff);
-#else
- y = *x * m + carry;
- carry = y >> 16;
- *x++ = y & 0xffff;
-#endif
-#endif
- }
- while(++i < wds);
- if (carry) {
- if (wds >= b->maxwds) {
- b1 = Balloc(b->k+1);
- Bcopy(b1, b);
- Bfree(b);
- b = b1;
- }
- b->x[wds++] = (ULong)carry;
- b->wds = wds;
- }
- return b;
- }
-
- static Bigint *
-s2b
-#ifdef KR_headers
- (s, nd0, nd, y9, dplen) CONST char *s; int nd0, nd, dplen; ULong y9;
-#else
- (CONST char *s, int nd0, int nd, ULong y9, int dplen)
-#endif
-{
- Bigint *b;
- int i, k;
- Long x, y;
-
- x = (nd + 8) / 9;
- for(k = 0, y = 1; x > y; y <<= 1, k++) ;
-#ifdef Pack_32
- b = Balloc(k);
- b->x[0] = y9;
- b->wds = 1;
-#else
- b = Balloc(k+1);
- b->x[0] = y9 & 0xffff;
- b->wds = (b->x[1] = y9 >> 16) ? 2 : 1;
-#endif
-
- i = 9;
- if (9 < nd0) {
- s += 9;
- do b = multadd(b, 10, *s++ - '0');
- while(++i < nd0);
- s += dplen;
- }
- else
- s += dplen + 9;
- for(; i < nd; i++)
- b = multadd(b, 10, *s++ - '0');
- return b;
- }
-
- static int
-hi0bits
-#ifdef KR_headers
- (x) ULong x;
-#else
- (ULong x)
-#endif
-{
- int k = 0;
-
- if (!(x & 0xffff0000)) {
- k = 16;
- x <<= 16;
- }
- if (!(x & 0xff000000)) {
- k += 8;
- x <<= 8;
- }
- if (!(x & 0xf0000000)) {
- k += 4;
- x <<= 4;
- }
- if (!(x & 0xc0000000)) {
- k += 2;
- x <<= 2;
- }
- if (!(x & 0x80000000)) {
- k++;
- if (!(x & 0x40000000))
- return 32;
- }
- return k;
- }
-
- static int
-lo0bits
-#ifdef KR_headers
- (y) ULong *y;
-#else
- (ULong *y)
-#endif
-{
- int k;
- ULong x = *y;
-
- if (x & 7) {
- if (x & 1)
- return 0;
- if (x & 2) {
- *y = x >> 1;
- return 1;
- }
- *y = x >> 2;
- return 2;
- }
- k = 0;
- if (!(x & 0xffff)) {
- k = 16;
- x >>= 16;
- }
- if (!(x & 0xff)) {
- k += 8;
- x >>= 8;
- }
- if (!(x & 0xf)) {
- k += 4;
- x >>= 4;
- }
- if (!(x & 0x3)) {
- k += 2;
- x >>= 2;
- }
- if (!(x & 1)) {
- k++;
- x >>= 1;
- if (!x)
- return 32;
- }
- *y = x;
- return k;
- }
-
- static Bigint *
-i2b
-#ifdef KR_headers
- (i) int i;
-#else
- (int i)
-#endif
-{
- Bigint *b;
-
- b = Balloc(1);
- b->x[0] = i;
- b->wds = 1;
- return b;
- }
-
- static Bigint *
-mult
-#ifdef KR_headers
- (a, b) Bigint *a, *b;
-#else
- (Bigint *a, Bigint *b)
-#endif
-{
- Bigint *c;
- int k, wa, wb, wc;
- ULong *x, *xa, *xae, *xb, *xbe, *xc, *xc0;
- ULong y;
-#ifdef ULLong
- ULLong carry, z;
-#else
- ULong carry, z;
-#ifdef Pack_32
- ULong z2;
-#endif
-#endif
-
- if (a->wds < b->wds) {
- c = a;
- a = b;
- b = c;
- }
- k = a->k;
- wa = a->wds;
- wb = b->wds;
- wc = wa + wb;
- if (wc > a->maxwds)
- k++;
- c = Balloc(k);
- for(x = c->x, xa = x + wc; x < xa; x++)
- *x = 0;
- xa = a->x;
- xae = xa + wa;
- xb = b->x;
- xbe = xb + wb;
- xc0 = c->x;
-#ifdef ULLong
- for(; xb < xbe; xc0++) {
- y = *xb++;
- if (y) {
- x = xa;
- xc = xc0;
- carry = 0;
- do {
- z = *x++ * (ULLong)y + *xc + carry;
- carry = z >> 32;
- *xc++ = z & FFFFFFFF;
- }
- while(x < xae);
- *xc = (ULong)carry;
- }
- }
-#else
-#ifdef Pack_32
- for(; xb < xbe; xb++, xc0++) {
- if (y = *xb & 0xffff) {
- x = xa;
- xc = xc0;
- carry = 0;
- do {
- z = (*x & 0xffff) * y + (*xc & 0xffff) + carry;
- carry = z >> 16;
- z2 = (*x++ >> 16) * y + (*xc >> 16) + carry;
- carry = z2 >> 16;
- Storeinc(xc, z2, z);
- }
- while(x < xae);
- *xc = carry;
- }
- if (y = *xb >> 16) {
- x = xa;
- xc = xc0;
- carry = 0;
- z2 = *xc;
- do {
- z = (*x & 0xffff) * y + (*xc >> 16) + carry;
- carry = z >> 16;
- Storeinc(xc, z, z2);
- z2 = (*x++ >> 16) * y + (*xc & 0xffff) + carry;
- carry = z2 >> 16;
- }
- while(x < xae);
- *xc = z2;
- }
- }
-#else
- for(; xb < xbe; xc0++) {
- if (y = *xb++) {
- x = xa;
- xc = xc0;
- carry = 0;
- do {
- z = *x++ * y + *xc + carry;
- carry = z >> 16;
- *xc++ = z & 0xffff;
- }
- while(x < xae);
- *xc = carry;
- }
- }
-#endif
-#endif
- for(xc0 = c->x, xc = xc0 + wc; wc > 0 && !*--xc; --wc) ;
- c->wds = wc;
- return c;
- }
-
- static Bigint *p5s;
-
- static Bigint *
-pow5mult
-#ifdef KR_headers
- (b, k) Bigint *b; int k;
-#else
- (Bigint *b, int k)
-#endif
-{
- Bigint *b1, *p5, *p51;
- int i;
- static int p05[3] = { 5, 25, 125 };
-
- i = k & 3;
- if (i)
- b = multadd(b, p05[i-1], 0);
-
- if (!(k >>= 2))
- return b;
- p5 = p5s;
- if (!p5) {
- /* first time */
-#ifdef MULTIPLE_THREADS
- ACQUIRE_DTOA_LOCK(1);
- p5 = p5s;
- if (!p5) {
- p5 = p5s = i2b(625);
- p5->next = 0;
- }
- FREE_DTOA_LOCK(1);
-#else
- p5 = p5s = i2b(625);
- p5->next = 0;
-#endif
- }
- for(;;) {
- if (k & 1) {
- b1 = mult(b, p5);
- Bfree(b);
- b = b1;
- }
- if (!(k >>= 1))
- break;
- p51 = p5->next;
- if (!p51) {
-#ifdef MULTIPLE_THREADS
- ACQUIRE_DTOA_LOCK(1);
- p51 = p5->next;
- if (!p51) {
- p51 = p5->next = mult(p5,p5);
- p51->next = 0;
- }
- FREE_DTOA_LOCK(1);
-#else
- p51 = p5->next = mult(p5,p5);
- p51->next = 0;
-#endif
- }
- p5 = p51;
- }
- return b;
- }
-
- static Bigint *
-lshift
-#ifdef KR_headers
- (b, k) Bigint *b; int k;
-#else
- (Bigint *b, int k)
-#endif
-{
- int i, k1, n, n1;
- Bigint *b1;
- ULong *x, *x1, *xe, z;
-
-#ifdef Pack_32
- n = k >> 5;
-#else
- n = k >> 4;
-#endif
- k1 = b->k;
- n1 = n + b->wds + 1;
- for(i = b->maxwds; n1 > i; i <<= 1)
- k1++;
- b1 = Balloc(k1);
- x1 = b1->x;
- for(i = 0; i < n; i++)
- *x1++ = 0;
- x = b->x;
- xe = x + b->wds;
-#ifdef Pack_32
- if (k &= 0x1f) {
- k1 = 32 - k;
- z = 0;
- do {
- *x1++ = *x << k | z;
- z = *x++ >> k1;
- }
- while(x < xe);
- *x1 = z;
- if (*x1)
- ++n1;
- }
-#else
- if (k &= 0xf) {
- k1 = 16 - k;
- z = 0;
- do {
- *x1++ = *x << k & 0xffff | z;
- z = *x++ >> k1;
- }
- while(x < xe);
- if (*x1 = z)
- ++n1;
- }
-#endif
- else do
- *x1++ = *x++;
- while(x < xe);
- b1->wds = n1 - 1;
- Bfree(b);
- return b1;
- }
-
- static int
-cmp
-#ifdef KR_headers
- (a, b) Bigint *a, *b;
-#else
- (Bigint *a, Bigint *b)
-#endif
-{
- ULong *xa, *xa0, *xb, *xb0;
- int i, j;
-
- i = a->wds;
- j = b->wds;
-#ifdef DEBUG
- if (i > 1 && !a->x[i-1])
- Bug("cmp called with a->x[a->wds-1] == 0");
- if (j > 1 && !b->x[j-1])
- Bug("cmp called with b->x[b->wds-1] == 0");
-#endif
- if (i -= j)
- return i;
- xa0 = a->x;
- xa = xa0 + j;
- xb0 = b->x;
- xb = xb0 + j;
- for(;;) {
- if (*--xa != *--xb)
- return *xa < *xb ? -1 : 1;
- if (xa <= xa0)
- break;
- }
- return 0;
- }
-
- static Bigint *
-diff
-#ifdef KR_headers
- (a, b) Bigint *a, *b;
-#else
- (Bigint *a, Bigint *b)
-#endif
-{
- Bigint *c;
- int i, wa, wb;
- ULong *xa, *xae, *xb, *xbe, *xc;
-#ifdef ULLong
- ULLong borrow, y;
-#else
- ULong borrow, y;
-#ifdef Pack_32
- ULong z;
-#endif
-#endif
-
- i = cmp(a,b);
- if (!i) {
- c = Balloc(0);
- c->wds = 1;
- c->x[0] = 0;
- return c;
- }
- if (i < 0) {
- c = a;
- a = b;
- b = c;
- i = 1;
- }
- else
- i = 0;
- c = Balloc(a->k);
- c->sign = i;
- wa = a->wds;
- xa = a->x;
- xae = xa + wa;
- wb = b->wds;
- xb = b->x;
- xbe = xb + wb;
- xc = c->x;
- borrow = 0;
-#ifdef ULLong
- do {
- y = (ULLong)*xa++ - *xb++ - borrow;
- borrow = y >> 32 & (ULong)1;
- *xc++ = y & FFFFFFFF;
- }
- while(xb < xbe);
- while(xa < xae) {
- y = *xa++ - borrow;
- borrow = y >> 32 & (ULong)1;
- *xc++ = y & FFFFFFFF;
- }
-#else
-#ifdef Pack_32
- do {
- y = (*xa & 0xffff) - (*xb & 0xffff) - borrow;
- borrow = (y & 0x10000) >> 16;
- z = (*xa++ >> 16) - (*xb++ >> 16) - borrow;
- borrow = (z & 0x10000) >> 16;
- Storeinc(xc, z, y);
- }
- while(xb < xbe);
- while(xa < xae) {
- y = (*xa & 0xffff) - borrow;
- borrow = (y & 0x10000) >> 16;
- z = (*xa++ >> 16) - borrow;
- borrow = (z & 0x10000) >> 16;
- Storeinc(xc, z, y);
- }
-#else
- do {
- y = *xa++ - *xb++ - borrow;
- borrow = (y & 0x10000) >> 16;
- *xc++ = y & 0xffff;
- }
- while(xb < xbe);
- while(xa < xae) {
- y = *xa++ - borrow;
- borrow = (y & 0x10000) >> 16;
- *xc++ = y & 0xffff;
- }
-#endif
-#endif
- while(!*--xc)
- wa--;
- c->wds = wa;
- return c;
- }
-
- static double
-ulp
-#ifdef KR_headers
- (x) U *x;
-#else
- (U *x)
-#endif
-{
- Long L;
- U u;
-
- L = (word0(x) & Exp_mask) - (P-1)*Exp_msk1;
-#ifndef Avoid_Underflow
-#ifndef Sudden_Underflow
- if (L > 0) {
-#endif
-#endif
-#ifdef IBM
- L |= Exp_msk1 >> 4;
-#endif
- word0(&u) = L;
- word1(&u) = 0;
-#ifndef Avoid_Underflow
-#ifndef Sudden_Underflow
- }
- else {
- L = -L >> Exp_shift;
- if (L < Exp_shift) {
- word0(&u) = 0x80000 >> L;
- word1(&u) = 0;
- }
- else {
- word0(&u) = 0;
- L -= Exp_shift;
- word1(&u) = L >= 31 ? 1 : 1 << 31 - L;
- }
- }
-#endif
-#endif
- return dval(&u);
- }
-
- static double
-b2d
-#ifdef KR_headers
- (a, e) Bigint *a; int *e;
-#else
- (Bigint *a, int *e)
-#endif
-{
- ULong *xa, *xa0, w, y, z;
- int k;
- U d;
-#ifdef VAX
- ULong d0, d1;
-#else
-#define d0 word0(&d)
-#define d1 word1(&d)
-#endif
-
- xa0 = a->x;
- xa = xa0 + a->wds;
- y = *--xa;
-#ifdef DEBUG
- if (!y) Bug("zero y in b2d");
-#endif
- k = hi0bits(y);
- *e = 32 - k;
-#ifdef Pack_32
- if (k < Ebits) {
- d0 = Exp_1 | y >> (Ebits - k);
- w = xa > xa0 ? *--xa : 0;
- d1 = y << ((32-Ebits) + k) | w >> (Ebits - k);
- goto ret_d;
- }
- z = xa > xa0 ? *--xa : 0;
- if (k -= Ebits) {
- d0 = Exp_1 | y << k | z >> (32 - k);
- y = xa > xa0 ? *--xa : 0;
- d1 = z << k | y >> (32 - k);
- }
- else {
- d0 = Exp_1 | y;
- d1 = z;
- }
-#else
- if (k < Ebits + 16) {
- z = xa > xa0 ? *--xa : 0;
- d0 = Exp_1 | y << k - Ebits | z >> Ebits + 16 - k;
- w = xa > xa0 ? *--xa : 0;
- y = xa > xa0 ? *--xa : 0;
- d1 = z << k + 16 - Ebits | w << k - Ebits | y >> 16 + Ebits - k;
- goto ret_d;
- }
- z = xa > xa0 ? *--xa : 0;
- w = xa > xa0 ? *--xa : 0;
- k -= Ebits + 16;
- d0 = Exp_1 | y << k + 16 | z << k | w >> 16 - k;
- y = xa > xa0 ? *--xa : 0;
- d1 = w << k + 16 | y << k;
-#endif
- ret_d:
-#ifdef VAX
- word0(&d) = d0 >> 16 | d0 << 16;
- word1(&d) = d1 >> 16 | d1 << 16;
-#else
-#undef d0
-#undef d1
-#endif
- return dval(&d);
- }
-
- static Bigint *
-d2b
-#ifdef KR_headers
- (d, e, bits) U *d; int *e, *bits;
-#else
- (U *d, int *e, int *bits)
-#endif
-{
- Bigint *b;
- int de, k;
- ULong *x, y, z;
-#ifndef Sudden_Underflow
- int i;
-#endif
-#ifdef VAX
- ULong d0, d1;
- d0 = word0(d) >> 16 | word0(d) << 16;
- d1 = word1(d) >> 16 | word1(d) << 16;
-#else
-#define d0 word0(d)
-#define d1 word1(d)
-#endif
-
-#ifdef Pack_32
- b = Balloc(1);
-#else
- b = Balloc(2);
-#endif
- x = b->x;
-
- z = d0 & Frac_mask;
- d0 &= 0x7fffffff; /* clear sign bit, which we ignore */
-#ifdef Sudden_Underflow
- de = (int)(d0 >> Exp_shift);
-#ifndef IBM
- z |= Exp_msk11;
-#endif
-#else
- de = (int)(d0 >> Exp_shift);
- if (de)
- z |= Exp_msk1;
-#endif
-#ifdef Pack_32
- y = d1;
- if (y) {
- k = lo0bits(&y);
- if (k) {
- x[0] = y | z << (32 - k);
- z >>= k;
- }
- else
- x[0] = y;
- x[1] = z;
- b->wds = x[1] ? 2 : 1;
-#ifndef Sudden_Underflow
- i = b->wds;
-#endif
- }
- else {
- k = lo0bits(&z);
- x[0] = z;
-#ifndef Sudden_Underflow
- i =
-#endif
- b->wds = 1;
- k += 32;
- }
-#else
- if (y = d1) {
- if (k = lo0bits(&y))
- if (k >= 16) {
- x[0] = y | z << 32 - k & 0xffff;
- x[1] = z >> k - 16 & 0xffff;
- x[2] = z >> k;
- i = 2;
- }
- else {
- x[0] = y & 0xffff;
- x[1] = y >> 16 | z << 16 - k & 0xffff;
- x[2] = z >> k & 0xffff;
- x[3] = z >> k+16;
- i = 3;
- }
- else {
- x[0] = y & 0xffff;
- x[1] = y >> 16;
- x[2] = z & 0xffff;
- x[3] = z >> 16;
- i = 3;
- }
- }
- else {
-#ifdef DEBUG
- if (!z)
- Bug("Zero passed to d2b");
-#endif
- k = lo0bits(&z);
- if (k >= 16) {
- x[0] = z;
- i = 0;
- }
- else {
- x[0] = z & 0xffff;
- x[1] = z >> 16;
- i = 1;
- }
- k += 32;
- }
- while(!x[i])
- --i;
- b->wds = i + 1;
-#endif
-#ifndef Sudden_Underflow
- if (de) {
-#endif
-#ifdef IBM
- *e = (de - Bias - (P-1) << 2) + k;
- *bits = 4*P + 8 - k - hi0bits(word0(d) & Frac_mask);
-#else
- *e = de - Bias - (P-1) + k;
- *bits = P - k;
-#endif
-#ifndef Sudden_Underflow
- }
- else {
- *e = de - Bias - (P-1) + 1 + k;
-#ifdef Pack_32
- *bits = 32*i - hi0bits(x[i-1]);
-#else
- *bits = (i+2)*16 - hi0bits(x[i]);
-#endif
- }
-#endif
- return b;
- }
-#undef d0
-#undef d1
-
- static double
-ratio
-#ifdef KR_headers
- (a, b) Bigint *a, *b;
-#else
- (Bigint *a, Bigint *b)
-#endif
-{
- U da, db;
- int k, ka, kb;
-
- dval(&da) = b2d(a, &ka);
- dval(&db) = b2d(b, &kb);
-#ifdef Pack_32
- k = ka - kb + 32*(a->wds - b->wds);
-#else
- k = ka - kb + 16*(a->wds - b->wds);
-#endif
-#ifdef IBM
- if (k > 0) {
- word0(&da) += (k >> 2)*Exp_msk1;
- if (k &= 3)
- dval(&da) *= 1 << k;
- }
- else {
- k = -k;
- word0(&db) += (k >> 2)*Exp_msk1;
- if (k &= 3)
- dval(&db) *= 1 << k;
- }
-#else
- if (k > 0)
- word0(&da) += k*Exp_msk1;
- else {
- k = -k;
- word0(&db) += k*Exp_msk1;
- }
-#endif
- return dval(&da) / dval(&db);
- }
-
- static CONST double
-tens[] = {
- 1e0, 1e1, 1e2, 1e3, 1e4, 1e5, 1e6, 1e7, 1e8, 1e9,
- 1e10, 1e11, 1e12, 1e13, 1e14, 1e15, 1e16, 1e17, 1e18, 1e19,
- 1e20, 1e21, 1e22
-#ifdef VAX
- , 1e23, 1e24
-#endif
- };
-
- static CONST double
-#ifdef IEEE_Arith
-bigtens[] = { 1e16, 1e32, 1e64, 1e128, 1e256 };
-static CONST double tinytens[] = { 1e-16, 1e-32, 1e-64, 1e-128,
-#ifdef Avoid_Underflow
- 9007199254740992.*9007199254740992.e-256
- /* = 2^106 * 1e-256 */
-#else
- 1e-256
-#endif
- };
-/* The factor of 2^53 in tinytens[4] helps us avoid setting the underflow */
-/* flag unnecessarily. It leads to a song and dance at the end of strtod. */
-#define Scale_Bit 0x10
-#define n_bigtens 5
-#else
-#ifdef IBM
-bigtens[] = { 1e16, 1e32, 1e64 };
-static CONST double tinytens[] = { 1e-16, 1e-32, 1e-64 };
-#define n_bigtens 3
-#else
-bigtens[] = { 1e16, 1e32 };
-static CONST double tinytens[] = { 1e-16, 1e-32 };
-#define n_bigtens 2
-#endif
-#endif
-
-#undef Need_Hexdig
-#ifdef INFNAN_CHECK
-#ifndef No_Hex_NaN
-#define Need_Hexdig
-#endif
-#endif
-
-#ifndef Need_Hexdig
-#ifndef NO_HEX_FP
-#define Need_Hexdig
-#endif
-#endif
-
-#ifdef Need_Hexdig /*{*/
-static unsigned char hexdig[256];
-
- static void
-#ifdef KR_headers
-htinit(h, s, inc) unsigned char *h; unsigned char *s; int inc;
-#else
-htinit(unsigned char *h, unsigned char *s, int inc)
-#endif
-{
- int i, j;
- for(i = 0; (j = s[i]) !=0; i++)
- h[j] = (unsigned char)(i + inc);
- }
-
- static void
-#ifdef KR_headers
-hexdig_init()
-#else
-hexdig_init(void)
-#endif
-{
-#define USC (unsigned char *)
- htinit(hexdig, USC "0123456789", 0x10);
- htinit(hexdig, USC "abcdef", 0x10 + 10);
- htinit(hexdig, USC "ABCDEF", 0x10 + 10);
- }
-#endif /* } Need_Hexdig */
-
-#ifdef INFNAN_CHECK
-
-#ifndef NAN_WORD0
-#define NAN_WORD0 0x7ff80000
-#endif
-
-#ifndef NAN_WORD1
-#define NAN_WORD1 0
-#endif
-
- static int
-match
-#ifdef KR_headers
- (sp, t) char **sp, *t;
-#else
- (CONST char **sp, CONST char *t)
-#endif
-{
- int c, d;
- CONST char *s = *sp;
-
- for(d = *t++; d; d = *t++) {
- if ((c = *++s) >= 'A' && c <= 'Z')
- c += 'a' - 'A';
- if (c != d)
- return 0;
- }
- *sp = s + 1;
- return 1;
- }
-
-#ifndef No_Hex_NaN
- static void
-hexnan
-#ifdef KR_headers
- (rvp, sp) U *rvp; CONST char **sp;
-#else
- (U *rvp, CONST char **sp)
-#endif
-{
- ULong c, x[2];
- CONST char *s;
- int c1, havedig, udx0, xshift;
-
- if (!hexdig['0'])
- hexdig_init();
- x[0] = x[1] = 0;
- havedig = xshift = 0;
- udx0 = 1;
- s = *sp;
- /* allow optional initial 0x or 0X */
- for(c = *(CONST unsigned char*)(s+1); c && c <= ' '; c = *(CONST unsigned char*)(s+1))
- ++s;
- if (s[1] == '0' && (s[2] == 'x' || s[2] == 'X'))
- s += 2;
- for(c = *(CONST unsigned char*)++s; c; c = *(CONST unsigned char*)++s) {
- c1 = hexdig[c];
- if (c1)
- c = c1 & 0xf;
- else if (c <= ' ') {
- if (udx0 && havedig) {
- udx0 = 0;
- xshift = 1;
- }
- continue;
- }
-#ifdef GDTOA_NON_PEDANTIC_NANCHECK
- else if (/*(*/ c == ')' && havedig) {
- *sp = s + 1;
- break;
- }
- else
- return; /* invalid form: don't change *sp */
-#else
- else {
- do {
- if (/*(*/ c == ')') {
- *sp = s + 1;
- break;
- }
- c = *++s;
- } while(c);
- break;
- }
-#endif
- havedig = 1;
- if (xshift) {
- xshift = 0;
- x[0] = x[1];
- x[1] = 0;
- }
- if (udx0)
- x[0] = (x[0] << 4) | (x[1] >> 28);
- x[1] = (x[1] << 4) | c;
- }
- if ((x[0] &= 0xfffff) || x[1]) {
- word0(rvp) = Exp_mask | x[0];
- word1(rvp) = x[1];
- }
- }
-#endif /*No_Hex_NaN*/
-#endif /* INFNAN_CHECK */
-
-#ifdef Pack_32
-#define ULbits 32
-#define kshift 5
-#define kmask 31
-#else
-#define ULbits 16
-#define kshift 4
-#define kmask 15
-#endif
-#ifndef NO_HEX_FP /*{*/
-
- static void
-#ifdef KR_headers
-rshift(b, k) Bigint *b; int k;
-#else
-rshift(Bigint *b, int k)
-#endif
-{
- ULong *x, *x1, *xe, y;
- int n;
-
- x = x1 = b->x;
- n = k >> kshift;
- if (n < b->wds) {
- xe = x + b->wds;
- x += n;
- if (k &= kmask) {
- n = 32 - k;
- y = *x++ >> k;
- while(x < xe) {
- *x1++ = (y | (*x << n)) & 0xffffffff;
- y = *x++ >> k;
- }
- if ((*x1 = y) !=0)
- x1++;
- }
- else
- while(x < xe)
- *x1++ = *x++;
- }
- if ((b->wds = x1 - b->x) == 0)
- b->x[0] = 0;
- }
-
- static ULong
-#ifdef KR_headers
-any_on(b, k) Bigint *b; int k;
-#else
-any_on(Bigint *b, int k)
-#endif
-{
- int n, nwds;
- ULong *x, *x0, x1, x2;
-
- x = b->x;
- nwds = b->wds;
- n = k >> kshift;
- if (n > nwds)
- n = nwds;
- else if (n < nwds && (k &= kmask)) {
- x1 = x2 = x[n];
- x1 >>= k;
- x1 <<= k;
- if (x1 != x2)
- return 1;
- }
- x0 = x;
- x += n;
- while(x > x0)
- if (*--x)
- return 1;
- return 0;
- }
-
-enum { /* rounding values: same as FLT_ROUNDS */
- Round_zero = 0,
- Round_near = 1,
- Round_up = 2,
- Round_down = 3
- };
-
- static Bigint *
-#ifdef KR_headers
-increment(b) Bigint *b;
-#else
-increment(Bigint *b)
-#endif
-{
- ULong *x, *xe;
- Bigint *b1;
-
- x = b->x;
- xe = x + b->wds;
- do {
- if (*x < (ULong)0xffffffffL) {
- ++*x;
- return b;
- }
- *x++ = 0;
- } while(x < xe);
- {
- if (b->wds >= b->maxwds) {
- b1 = Balloc(b->k+1);
- Bcopy(b1,b);
- Bfree(b);
- b = b1;
- }
- b->x[b->wds++] = 1;
- }
- return b;
- }
-
- void
-#ifdef KR_headers
-gethex(sp, rvp, rounding, sign)
- CONST char **sp; U *rvp; int rounding, sign;
-#else
-gethex( CONST char **sp, U *rvp, int rounding, int sign)
-#endif
-{
- Bigint *b;
- CONST unsigned char *decpt, *s0, *s, *s1;
- Long e, e1;
- ULong L, lostbits, *x;
- int big, denorm, esign, havedig, k, n, nbits, up, zret;
-#ifdef IBM
- int j;
-#endif
- enum {
-#ifdef IEEE_Arith /*{{*/
- emax = 0x7fe - Bias - P + 1,
- emin = Emin - P + 1
-#else /*}{*/
- emin = Emin - P,
-#ifdef VAX
- emax = 0x7ff - Bias - P + 1
-#endif
-#ifdef IBM
- emax = 0x7f - Bias - P
-#endif
-#endif /*}}*/
- };
-#ifdef USE_LOCALE
- int i;
-#ifdef NO_LOCALE_CACHE
- const unsigned char *decimalpoint = (unsigned char*)
- localeconv()->decimal_point;
-#else
- const unsigned char *decimalpoint;
- static unsigned char *decimalpoint_cache;
- if (!(s0 = decimalpoint_cache)) {
- s0 = (unsigned char*)localeconv()->decimal_point;
- if ((decimalpoint_cache = (unsigned char*)
- MALLOC(strlen((CONST char*)s0) + 1))) {
- strcpy((char*)decimalpoint_cache, (CONST char*)s0);
- s0 = decimalpoint_cache;
- }
- }
- decimalpoint = s0;
-#endif
-#endif
-
- if (!hexdig['0'])
- hexdig_init();
- havedig = 0;
- s0 = *(CONST unsigned char **)sp + 2;
- while(s0[havedig] == '0')
- havedig++;
- s0 += havedig;
- s = s0;
- decpt = 0;
- zret = 0;
- e = 0;
- if (hexdig[*s])
- havedig++;
- else {
- zret = 1;
-#ifdef USE_LOCALE
- for(i = 0; decimalpoint[i]; ++i) {
- if (s[i] != decimalpoint[i])
- goto pcheck;
- }
- decpt = s += i;
-#else
- if (*s != '.')
- goto pcheck;
- decpt = ++s;
-#endif
- if (!hexdig[*s])
- goto pcheck;
- while(*s == '0')
- s++;
- if (hexdig[*s])
- zret = 0;
- havedig = 1;
- s0 = s;
- }
- while(hexdig[*s])
- s++;
-#ifdef USE_LOCALE
- if (*s == *decimalpoint && !decpt) {
- for(i = 1; decimalpoint[i]; ++i) {
- if (s[i] != decimalpoint[i])
- goto pcheck;
- }
- decpt = s += i;
-#else
- if (*s == '.' && !decpt) {
- decpt = ++s;
-#endif
- while(hexdig[*s])
- s++;
- }/*}*/
- if (decpt)
- e = -(((Long)(s-decpt)) << 2);
- pcheck:
- s1 = s;
- big = esign = 0;
- switch(*s) {
- case 'p':
- case 'P':
- switch(*++s) {
- case '-':
- esign = 1;
- /* no break */
- case '+':
- s++;
- }
- if ((n = hexdig[*s]) == 0 || n > 0x19) {
- s = s1;
- break;
- }
- e1 = n - 0x10;
- while((n = hexdig[*++s]) !=0 && n <= 0x19) {
- if (e1 & 0xf8000000)
- big = 1;
- e1 = 10*e1 + n - 0x10;
- }
- if (esign)
- e1 = -e1;
- e += e1;
- }
- *sp = (char*)s;
- if (!havedig)
- *sp = (char*)s0 - 1;
- if (zret)
- goto retz1;
- if (big) {
- if (esign) {
-#ifdef IEEE_Arith
- switch(rounding) {
- case Round_up:
- if (sign)
- break;
- goto ret_tiny;
- case Round_down:
- if (!sign)
- break;
- goto ret_tiny;
- }
-#endif
- goto retz;
-#ifdef IEEE_Arith
- ret_tiny:
-#ifndef NO_ERRNO
- errno = ERANGE;
-#endif
- word0(rvp) = 0;
- word1(rvp) = 1;
- return;
-#endif /* IEEE_Arith */
- }
- switch(rounding) {
- case Round_near:
- goto ovfl1;
- case Round_up:
- if (!sign)
- goto ovfl1;
- goto ret_big;
- case Round_down:
- if (sign)
- goto ovfl1;
- goto ret_big;
- }
- ret_big:
- word0(rvp) = Big0;
- word1(rvp) = Big1;
- return;
- }
- n = s1 - s0 - 1;
- for(k = 0; n > (1 << (kshift-2)) - 1; n >>= 1)
- k++;
- b = Balloc(k);
- x = b->x;
- n = 0;
- L = 0;
-#ifdef USE_LOCALE
- for(i = 0; decimalpoint[i+1]; ++i);
-#endif
- while(s1 > s0) {
-#ifdef USE_LOCALE
- if (*--s1 == decimalpoint[i]) {
- s1 -= i;
- continue;
- }
-#else
- if (*--s1 == '.')
- continue;
-#endif
- if (n == ULbits) {
- *x++ = L;
- L = 0;
- n = 0;
- }
- L |= (hexdig[*s1] & 0x0f) << n;
- n += 4;
- }
- *x++ = L;
- b->wds = n = x - b->x;
- n = ULbits*n - hi0bits(L);
- nbits = Nbits;
- lostbits = 0;
- x = b->x;
- if (n > nbits) {
- n -= nbits;
- if (any_on(b,n)) {
- lostbits = 1;
- k = n - 1;
- if (x[k>>kshift] & 1 << (k & kmask)) {
- lostbits = 2;
- if (k > 0 && any_on(b,k))
- lostbits = 3;
- }
- }
- rshift(b, n);
- e += n;
- }
- else if (n < nbits) {
- n = nbits - n;
- b = lshift(b, n);
- e -= n;
- x = b->x;
- }
- if (e > Emax) {
- ovfl:
- Bfree(b);
- ovfl1:
-#ifndef NO_ERRNO
- errno = ERANGE;
-#endif
- word0(rvp) = Exp_mask;
- word1(rvp) = 0;
- return;
- }
- denorm = 0;
- if (e < emin) {
- denorm = 1;
- n = emin - e;
- if (n >= nbits) {
-#ifdef IEEE_Arith /*{*/
- switch (rounding) {
- case Round_near:
- if (n == nbits && (n < 2 || any_on(b,n-1)))
- goto ret_tiny;
- break;
- case Round_up:
- if (!sign)
- goto ret_tiny;
- break;
- case Round_down:
- if (sign)
- goto ret_tiny;
- }
-#endif /* } IEEE_Arith */
- Bfree(b);
- retz:
-#ifndef NO_ERRNO
- errno = ERANGE;
-#endif
- retz1:
- rvp->d = 0.;
- return;
- }
- k = n - 1;
- if (lostbits)
- lostbits = 1;
- else if (k > 0)
- lostbits = any_on(b,k);
- if (x[k>>kshift] & 1 << (k & kmask))
- lostbits |= 2;
- nbits -= n;
- rshift(b,n);
- e = emin;
- }
- if (lostbits) {
- up = 0;
- switch(rounding) {
- case Round_zero:
- break;
- case Round_near:
- if (lostbits & 2
- && (lostbits & 1) | (x[0] & 1))
- up = 1;
- break;
- case Round_up:
- up = 1 - sign;
- break;
- case Round_down:
- up = sign;
- }
- if (up) {
- k = b->wds;
- b = increment(b);
- x = b->x;
- if (denorm) {
-#if 0
- if (nbits == Nbits - 1
- && x[nbits >> kshift] & 1 << (nbits & kmask))
- denorm = 0; /* not currently used */
-#endif
- }
- else if (b->wds > k
- || ((n = nbits & kmask) !=0
- && hi0bits(x[k-1]) < 32-n)) {
- rshift(b,1);
- if (++e > Emax)
- goto ovfl;
- }
- }
- }
-#ifdef IEEE_Arith
- if (denorm)
- word0(rvp) = b->wds > 1 ? b->x[1] & ~0x100000 : 0;
- else
- word0(rvp) = (b->x[1] & ~0x100000) | ((e + 0x3ff + 52) << 20);
- word1(rvp) = b->x[0];
-#endif
-#ifdef IBM
- if ((j = e & 3)) {
- k = b->x[0] & ((1 << j) - 1);
- rshift(b,j);
- if (k) {
- switch(rounding) {
- case Round_up:
- if (!sign)
- increment(b);
- break;
- case Round_down:
- if (sign)
- increment(b);
- break;
- case Round_near:
- j = 1 << (j-1);
- if (k & j && ((k & (j-1)) | lostbits))
- increment(b);
- }
- }
- }
- e >>= 2;
- word0(rvp) = b->x[1] | ((e + 65 + 13) << 24);
- word1(rvp) = b->x[0];
-#endif
-#ifdef VAX
- /* The next two lines ignore swap of low- and high-order 2 bytes. */
- /* word0(rvp) = (b->x[1] & ~0x800000) | ((e + 129 + 55) << 23); */
- /* word1(rvp) = b->x[0]; */
- word0(rvp) = ((b->x[1] & ~0x800000) >> 16) | ((e + 129 + 55) << 7) | (b->x[1] << 16);
- word1(rvp) = (b->x[0] >> 16) | (b->x[0] << 16);
-#endif
- Bfree(b);
- }
-#endif /*}!NO_HEX_FP*/
-
- static int
-#ifdef KR_headers
-dshift(b, p2) Bigint *b; int p2;
-#else
-dshift(Bigint *b, int p2)
-#endif
-{
- int rv = hi0bits(b->x[b->wds-1]) - 4;
- if (p2 > 0)
- rv -= p2;
- return rv & kmask;
- }
-
- static int
-quorem
-#ifdef KR_headers
- (b, S) Bigint *b, *S;
-#else
- (Bigint *b, Bigint *S)
-#endif
-{
- int n;
- ULong *bx, *bxe, q, *sx, *sxe;
-#ifdef ULLong
- ULLong borrow, carry, y, ys;
-#else
- ULong borrow, carry, y, ys;
-#ifdef Pack_32
- ULong si, z, zs;
-#endif
-#endif
-
- n = S->wds;
-#ifdef DEBUG
- /*debug*/ if (b->wds > n)
- /*debug*/ Bug("oversize b in quorem");
-#endif
- if (b->wds < n)
- return 0;
- sx = S->x;
- sxe = sx + --n;
- bx = b->x;
- bxe = bx + n;
- q = *bxe / (*sxe + 1); /* ensure q <= true quotient */
-#ifdef DEBUG
- /*debug*/ if (q > 9)
- /*debug*/ Bug("oversized quotient in quorem");
-#endif
- if (q) {
- borrow = 0;
- carry = 0;
- do {
-#ifdef ULLong
- ys = *sx++ * (ULLong)q + carry;
- carry = ys >> 32;
- y = *bx - (ys & FFFFFFFF) - borrow;
- borrow = y >> 32 & (ULong)1;
- *bx++ = y & FFFFFFFF;
-#else
-#ifdef Pack_32
- si = *sx++;
- ys = (si & 0xffff) * q + carry;
- zs = (si >> 16) * q + (ys >> 16);
- carry = zs >> 16;
- y = (*bx & 0xffff) - (ys & 0xffff) - borrow;
- borrow = (y & 0x10000) >> 16;
- z = (*bx >> 16) - (zs & 0xffff) - borrow;
- borrow = (z & 0x10000) >> 16;
- Storeinc(bx, z, y);
-#else
- ys = *sx++ * q + carry;
- carry = ys >> 16;
- y = *bx - (ys & 0xffff) - borrow;
- borrow = (y & 0x10000) >> 16;
- *bx++ = y & 0xffff;
-#endif
-#endif
- }
- while(sx <= sxe);
- if (!*bxe) {
- bx = b->x;
- while(--bxe > bx && !*bxe)
- --n;
- b->wds = n;
- }
- }
- if (cmp(b, S) >= 0) {
- q++;
- borrow = 0;
- carry = 0;
- bx = b->x;
- sx = S->x;
- do {
-#ifdef ULLong
- ys = *sx++ + carry;
- carry = ys >> 32;
- y = *bx - (ys & FFFFFFFF) - borrow;
- borrow = y >> 32 & (ULong)1;
- *bx++ = y & FFFFFFFF;
-#else
-#ifdef Pack_32
- si = *sx++;
- ys = (si & 0xffff) + carry;
- zs = (si >> 16) + (ys >> 16);
- carry = zs >> 16;
- y = (*bx & 0xffff) - (ys & 0xffff) - borrow;
- borrow = (y & 0x10000) >> 16;
- z = (*bx >> 16) - (zs & 0xffff) - borrow;
- borrow = (z & 0x10000) >> 16;
- Storeinc(bx, z, y);
-#else
- ys = *sx++ + carry;
- carry = ys >> 16;
- y = *bx - (ys & 0xffff) - borrow;
- borrow = (y & 0x10000) >> 16;
- *bx++ = y & 0xffff;
-#endif
-#endif
- }
- while(sx <= sxe);
- bx = b->x;
- bxe = bx + n;
- if (!*bxe) {
- while(--bxe > bx && !*bxe)
- --n;
- b->wds = n;
- }
- }
- return q;
- }
-
-#ifndef NO_STRTOD_BIGCOMP
-
- static void
-bigcomp
-#ifdef KR_headers
- (rv, s0, bc)
- U *rv; CONST char *s0; BCinfo *bc;
-#else
- (U *rv, CONST char *s0, BCinfo *bc)
-#endif
-{
- Bigint *b, *d;
- int b2, bbits, d2, dd, dig, dsign, i, j, nd, nd0, p2, p5, speccase;
-
- dsign = bc->dsign;
- nd = bc->nd;
- nd0 = bc->nd0;
- p5 = nd + bc->e0 - 1;
- dd = speccase = 0;
-#ifndef Sudden_Underflow
- if (rv->d == 0.) { /* special case: value near underflow-to-zero */
- /* threshold was rounded to zero */
- b = i2b(1);
- p2 = Emin - P + 1;
- bbits = 1;
-#ifdef Avoid_Underflow
- word0(rv) = (P+2) << Exp_shift;
-#else
- word1(rv) = 1;
-#endif
- i = 0;
-#ifdef Honor_FLT_ROUNDS
- if (bc->rounding == 1)
-#endif
- {
- speccase = 1;
- --p2;
- dsign = 0;
- goto have_i;
- }
- }
- else
-#endif
- b = d2b(rv, &p2, &bbits);
-#ifdef Avoid_Underflow
- p2 -= bc->scale;
-#endif
- /* floor(log2(rv)) == bbits - 1 + p2 */
- /* Check for denormal case. */
- i = P - bbits;
- if (i > (j = P - Emin - 1 + p2)) {
-#ifdef Sudden_Underflow
- Bfree(b);
- b = i2b(1);
- p2 = Emin;
- i = P - 1;
-#ifdef Avoid_Underflow
- word0(rv) = (1 + bc->scale) << Exp_shift;
-#else
- word0(rv) = Exp_msk1;
-#endif
- word1(rv) = 0;
-#else
- i = j;
-#endif
- }
-#ifdef Honor_FLT_ROUNDS
- if (bc->rounding != 1) {
- if (i > 0)
- b = lshift(b, i);
- if (dsign)
- b = increment(b);
- }
- else
-#endif
- {
- b = lshift(b, ++i);
- b->x[0] |= 1;
- }
-#ifndef Sudden_Underflow
- have_i:
-#endif
- p2 -= p5 + i;
- d = i2b(1);
- /* Arrange for convenient computation of quotients:
- * shift left if necessary so divisor has 4 leading 0 bits.
- */
- if (p5 > 0)
- d = pow5mult(d, p5);
- else if (p5 < 0)
- b = pow5mult(b, -p5);
- if (p2 > 0) {
- b2 = p2;
- d2 = 0;
- }
- else {
- b2 = 0;
- d2 = -p2;
- }
- i = dshift(d, d2);
- if ((b2 += i) > 0)
- b = lshift(b, b2);
- if ((d2 += i) > 0)
- d = lshift(d, d2);
-
- /* Now b/d = exactly half-way between the two floating-point values */
- /* on either side of the input string. Compute first digit of b/d. */
-
- dig = quorem(b,d);
- if (!dig) {
- b = multadd(b, 10, 0); /* very unlikely */
- dig = quorem(b,d);
- }
-
- /* Compare b/d with s0 */
-
- for(i = 0; i < nd0; ) {
- dd = s0[i++] - '0' - dig;
- if (dd)
- goto ret;
- if (!b->x[0] && b->wds == 1) {
- if (i < nd)
- dd = 1;
- goto ret;
- }
- b = multadd(b, 10, 0);
- dig = quorem(b,d);
- }
- for(j = bc->dp1; i++ < nd;) {
- dd = s0[j++] - '0' - dig;
- if (dd)
- goto ret;
- if (!b->x[0] && b->wds == 1) {
- if (i < nd)
- dd = 1;
- goto ret;
- }
- b = multadd(b, 10, 0);
- dig = quorem(b,d);
- }
- if (b->x[0] || b->wds > 1)
- dd = -1;
- ret:
- Bfree(b);
- Bfree(d);
-#ifdef Honor_FLT_ROUNDS
- if (bc->rounding != 1) {
- if (dd < 0) {
- if (bc->rounding == 0) {
- if (!dsign)
- goto retlow1;
- }
- else if (dsign)
- goto rethi1;
- }
- else if (dd > 0) {
- if (bc->rounding == 0) {
- if (dsign)
- goto rethi1;
- goto ret1;
- }
- if (!dsign)
- goto rethi1;
- dval(rv) += 2.*ulp(rv);
- }
- else {
- bc->inexact = 0;
- if (dsign)
- goto rethi1;
- }
- }
- else
-#endif
- if (speccase) {
- if (dd <= 0)
- rv->d = 0.;
- }
- else if (dd < 0) {
- if (!dsign) /* does not happen for round-near */
-retlow1:
- dval(rv) -= ulp(rv);
- }
- else if (dd > 0) {
- if (dsign) {
- rethi1:
- dval(rv) += ulp(rv);
- }
- }
- else {
- /* Exact half-way case: apply round-even rule. */
- if (word1(rv) & 1) {
- if (dsign)
- goto rethi1;
- goto retlow1;
- }
- }
-
-#ifdef Honor_FLT_ROUNDS
- ret1:
-#endif
- return;
- }
-#endif /* NO_STRTOD_BIGCOMP */
-
- double
-strtod
-#ifdef KR_headers
- (s00, se) CONST char *s00; char **se;
-#else
- (CONST char *s00, char **se)
-#endif
-{
- int bb2, bb5, bbe, bd2, bd5, bbbits, bs2, c, e, e1;
- int esign, i, j, k, nd, nd0, nf, nz, nz0, sign;
- CONST char *s, *s0, *s1;
- double aadj, aadj1;
- Long L;
- U aadj2, adj, rv, rv0;
- ULong y, z;
- BCinfo bc;
- Bigint *bb, *bb1, *bd, *bd0, *bs, *delta;
-#ifdef SET_INEXACT
- int oldinexact;
-#endif
-#ifdef Honor_FLT_ROUNDS /*{*/
-#ifdef Trust_FLT_ROUNDS /*{{ only define this if FLT_ROUNDS really works! */
- bc.rounding = Flt_Rounds;
-#else /*}{*/
- bc.rounding = 1;
- switch(fegetround()) {
- case FE_TOWARDZERO: bc.rounding = 0; break;
- case FE_UPWARD: bc.rounding = 2; break;
- case FE_DOWNWARD: bc.rounding = 3;
- }
-#endif /*}}*/
-#endif /*}*/
-#ifdef USE_LOCALE
- CONST char *s2;
-#endif
-
- sign = nz0 = nz = bc.dplen = bc.uflchk = 0;
- dval(&rv) = 0.;
- for(s = s00;;s++) switch(*s) {
- case '-':
- sign = 1;
- /* no break */
- case '+':
- if (*++s)
- goto break2;
- /* no break */
- case 0:
- goto ret0;
- case '\t':
- case '\n':
- case '\v':
- case '\f':
- case '\r':
- case ' ':
- continue;
- default:
- goto break2;
- }
- break2:
- if (*s == '0') {
-#ifndef NO_HEX_FP /*{*/
- switch(s[1]) {
- case 'x':
- case 'X':
-#ifdef Honor_FLT_ROUNDS
- gethex(&s, &rv, bc.rounding, sign);
-#else
- gethex(&s, &rv, 1, sign);
-#endif
- goto ret;
- }
-#endif /*}*/
- nz0 = 1;
- while(*++s == '0') ;
- if (!*s)
- goto ret;
- }
- s0 = s;
- y = z = 0;
- for(nd = nf = 0; (c = *s) >= '0' && c <= '9'; nd++, s++)
- if (nd < 9)
- y = 10*y + c - '0';
- else if (nd < 16)
- z = 10*z + c - '0';
- nd0 = nd;
- bc.dp0 = bc.dp1 = s - s0;
-#ifdef USE_LOCALE
- s1 = localeconv()->decimal_point;
- if (c == *s1) {
- c = '.';
- if (*++s1) {
- s2 = s;
- for(;;) {
- if (*++s2 != *s1) {
- c = 0;
- break;
- }
- if (!*++s1) {
- s = s2;
- break;
- }
- }
- }
- }
-#endif
- if (c == '.') {
- c = *++s;
- bc.dp1 = s - s0;
- bc.dplen = bc.dp1 - bc.dp0;
- if (!nd) {
- for(; c == '0'; c = *++s)
- nz++;
- if (c > '0' && c <= '9') {
- s0 = s;
- nf += nz;
- nz = 0;
- goto have_dig;
- }
- goto dig_done;
- }
- for(; c >= '0' && c <= '9'; c = *++s) {
- have_dig:
- nz++;
- if (c -= '0') {
- nf += nz;
- for(i = 1; i < nz; i++)
- if (nd++ < 9)
- y *= 10;
- else if (nd <= DBL_DIG + 1)
- z *= 10;
- if (nd++ < 9)
- y = 10*y + c;
- else if (nd <= DBL_DIG + 1)
- z = 10*z + c;
- nz = 0;
- }
- }
- }
- dig_done:
- e = 0;
- if (c == 'e' || c == 'E') {
- if (!nd && !nz && !nz0) {
- goto ret0;
- }
- s00 = s;
- esign = 0;
- switch(c = *++s) {
- case '-':
- esign = 1;
- case '+':
- c = *++s;
- }
- if (c >= '0' && c <= '9') {
- while(c == '0')
- c = *++s;
- if (c > '0' && c <= '9') {
- L = c - '0';
- s1 = s;
- while((c = *++s) >= '0' && c <= '9')
- L = 10*L + c - '0';
- if (s - s1 > 8 || L > 19999)
- /* Avoid confusion from exponents
- * so large that e might overflow.
- */
- e = 19999; /* safe for 16 bit ints */
- else
- e = (int)L;
- if (esign)
- e = -e;
- }
- else
- e = 0;
- }
- else
- s = s00;
- }
- if (!nd) {
- if (!nz && !nz0) {
-#ifdef INFNAN_CHECK
- /* Check for Nan and Infinity */
- if (!bc.dplen)
- switch(c) {
- case 'i':
- case 'I':
- if (match(&s,"nf")) {
- --s;
- if (!match(&s,"inity"))
- ++s;
- word0(&rv) = 0x7ff00000;
- word1(&rv) = 0;
- goto ret;
- }
- break;
- case 'n':
- case 'N':
- if (match(&s, "an")) {
- word0(&rv) = NAN_WORD0;
- word1(&rv) = NAN_WORD1;
-#ifndef No_Hex_NaN
- if (*s == '(') /*)*/
- hexnan(&rv, &s);
-#endif
- goto ret;
- }
- }
-#endif /* INFNAN_CHECK */
- ret0:
- s = s00;
- sign = 0;
- }
- goto ret;
- }
- bc.e0 = e1 = e -= nf;
-
- /* Now we have nd0 digits, starting at s0, followed by a
- * decimal point, followed by nd-nd0 digits. The number we're
- * after is the integer represented by those digits times
- * 10**e */
-
- if (!nd0)
- nd0 = nd;
- k = nd < DBL_DIG + 1 ? nd : DBL_DIG + 1;
- dval(&rv) = y;
- if (k > 9) {
-#ifdef SET_INEXACT
- if (k > DBL_DIG)
- oldinexact = get_inexact();
-#endif
- dval(&rv) = tens[k - 9] * dval(&rv) + z;
- }
- bd0 = 0;
- if (nd <= DBL_DIG
-#ifndef RND_PRODQUOT
-#ifndef Honor_FLT_ROUNDS
- && Flt_Rounds == 1
-#endif
-#endif
- ) {
- if (!e)
- goto ret;
- if (e > 0) {
- if (e <= Ten_pmax) {
-#ifdef VAX
- goto vax_ovfl_check;
-#else
-#ifdef Honor_FLT_ROUNDS
- /* round correctly FLT_ROUNDS = 2 or 3 */
- if (sign) {
- rv.d = -rv.d;
- sign = 0;
- }
-#endif
- /* rv = */ rounded_product(dval(&rv), tens[e]);
- goto ret;
-#endif
- }
- i = DBL_DIG - nd;
- if (e <= Ten_pmax + i) {
- /* A fancier test would sometimes let us do
- * this for larger i values.
- */
-#ifdef Honor_FLT_ROUNDS
- /* round correctly FLT_ROUNDS = 2 or 3 */
- if (sign) {
- rv.d = -rv.d;
- sign = 0;
- }
-#endif
- e -= i;
- dval(&rv) *= tens[i];
-#ifdef VAX
- /* VAX exponent range is so narrow we must
- * worry about overflow here...
- */
- vax_ovfl_check:
- word0(&rv) -= P*Exp_msk1;
- /* rv = */ rounded_product(dval(&rv), tens[e]);
- if ((word0(&rv) & Exp_mask)
- > Exp_msk1*(DBL_MAX_EXP+Bias-1-P))
- goto ovfl;
- word0(&rv) += P*Exp_msk1;
-#else
- /* rv = */ rounded_product(dval(&rv), tens[e]);
-#endif
- goto ret;
- }
- }
-#ifndef Inaccurate_Divide
- else if (e >= -Ten_pmax) {
-#ifdef Honor_FLT_ROUNDS
- /* round correctly FLT_ROUNDS = 2 or 3 */
- if (sign) {
- rv.d = -rv.d;
- sign = 0;
- }
-#endif
- /* rv = */ rounded_quotient(dval(&rv), tens[-e]);
- goto ret;
- }
-#endif
- }
- e1 += nd - k;
-
-#ifdef IEEE_Arith
-#ifdef SET_INEXACT
- bc.inexact = 1;
- if (k <= DBL_DIG)
- oldinexact = get_inexact();
-#endif
-#ifdef Avoid_Underflow
- bc.scale = 0;
-#endif
-#ifdef Honor_FLT_ROUNDS
- if (bc.rounding >= 2) {
- if (sign)
- bc.rounding = bc.rounding == 2 ? 0 : 2;
- else
- if (bc.rounding != 2)
- bc.rounding = 0;
- }
-#endif
-#endif /*IEEE_Arith*/
-
- /* Get starting approximation = rv * 10**e1 */
-
- if (e1 > 0) {
- i = e1 & 15;
- if (i)
- dval(&rv) *= tens[i];
- if (e1 &= ~15) {
- if (e1 > DBL_MAX_10_EXP) {
- ovfl:
-#ifndef NO_ERRNO
- errno = ERANGE;
-#endif
- /* Can't trust HUGE_VAL */
-#ifdef IEEE_Arith
-#ifdef Honor_FLT_ROUNDS
- switch(bc.rounding) {
- case 0: /* toward 0 */
- case 3: /* toward -infinity */
- word0(&rv) = Big0;
- word1(&rv) = Big1;
- break;
- default:
- word0(&rv) = Exp_mask;
- word1(&rv) = 0;
- }
-#else /*Honor_FLT_ROUNDS*/
- word0(&rv) = Exp_mask;
- word1(&rv) = 0;
-#endif /*Honor_FLT_ROUNDS*/
-#ifdef SET_INEXACT
- /* set overflow bit */
- dval(&rv0) = 1e300;
- dval(&rv0) *= dval(&rv0);
-#endif
-#else /*IEEE_Arith*/
- word0(&rv) = Big0;
- word1(&rv) = Big1;
-#endif /*IEEE_Arith*/
- goto ret;
- }
- e1 >>= 4;
- for(j = 0; e1 > 1; j++, e1 >>= 1)
- if (e1 & 1)
- dval(&rv) *= bigtens[j];
- /* The last multiplication could overflow. */
- word0(&rv) -= P*Exp_msk1;
- dval(&rv) *= bigtens[j];
- if ((z = word0(&rv) & Exp_mask)
- > Exp_msk1*(DBL_MAX_EXP+Bias-P))
- goto ovfl;
- if (z > Exp_msk1*(DBL_MAX_EXP+Bias-1-P)) {
- /* set to largest number */
- /* (Can't trust DBL_MAX) */
- word0(&rv) = Big0;
- word1(&rv) = Big1;
- }
- else
- word0(&rv) += P*Exp_msk1;
- }
- }
- else if (e1 < 0) {
- e1 = -e1;
- i = e1 & 15;
- if (i)
- dval(&rv) /= tens[i];
- if (e1 >>= 4) {
- if (e1 >= 1 << n_bigtens)
- goto undfl;
-#ifdef Avoid_Underflow
- if (e1 & Scale_Bit)
- bc.scale = 2*P;
- for(j = 0; e1 > 0; j++, e1 >>= 1)
- if (e1 & 1)
- dval(&rv) *= tinytens[j];
- if (bc.scale && (j = 2*P + 1 - ((word0(&rv) & Exp_mask)
- >> Exp_shift)) > 0) {
- /* scaled rv is denormal; clear j low bits */
- if (j >= 32) {
- word1(&rv) = 0;
- if (j >= 53)
- word0(&rv) = (P+2)*Exp_msk1;
- else
- word0(&rv) &= 0xffffffff << (j-32);
- }
- else
- word1(&rv) &= 0xffffffff << j;
- }
-#else
- for(j = 0; e1 > 1; j++, e1 >>= 1)
- if (e1 & 1)
- dval(&rv) *= tinytens[j];
- /* The last multiplication could underflow. */
- dval(&rv0) = dval(&rv);
- dval(&rv) *= tinytens[j];
- if (!dval(&rv)) {
- dval(&rv) = 2.*dval(&rv0);
- dval(&rv) *= tinytens[j];
-#endif
- if (!dval(&rv)) {
- undfl:
- dval(&rv) = 0.;
-#ifndef NO_ERRNO
- errno = ERANGE;
-#endif
- goto ret;
- }
-#ifndef Avoid_Underflow
- word0(&rv) = Tiny0;
- word1(&rv) = Tiny1;
- /* The refinement below will clean
- * this approximation up.
- */
- }
-#endif
- }
- }
-
- /* Now the hard part -- adjusting rv to the correct value.*/
-
- /* Put digits into bd: true value = bd * 10^e */
-
- bc.nd = nd;
-#ifndef NO_STRTOD_BIGCOMP
- bc.nd0 = nd0; /* Only needed if nd > strtod_diglim, but done here */
- /* to silence an erroneous warning about bc.nd0 */
- /* possibly not being initialized. */
- if (nd > strtod_diglim) {
- /* ASSERT(strtod_diglim >= 18); 18 == one more than the */
- /* minimum number of decimal digits to distinguish double values */
- /* in IEEE arithmetic. */
- i = j = 18;
- if (i > nd0)
- j += bc.dplen;
- for(;;) {
- if (--j <= bc.dp1 && j >= bc.dp0)
- j = bc.dp0 - 1;
- if (s0[j] != '0')
- break;
- --i;
- }
- e += nd - i;
- nd = i;
- if (nd0 > nd)
- nd0 = nd;
- if (nd < 9) { /* must recompute y */
- y = 0;
- for(i = 0; i < nd0; ++i)
- y = 10*y + s0[i] - '0';
- for(j = bc.dp1; i < nd; ++i)
- y = 10*y + s0[j++] - '0';
- }
- }
-#endif
- bd0 = s2b(s0, nd0, nd, y, bc.dplen);
-
- for(;;) {
- bd = Balloc(bd0->k);
- Bcopy(bd, bd0);
- bb = d2b(&rv, &bbe, &bbbits); /* rv = bb * 2^bbe */
- bs = i2b(1);
-
- if (e >= 0) {
- bb2 = bb5 = 0;
- bd2 = bd5 = e;
- }
- else {
- bb2 = bb5 = -e;
- bd2 = bd5 = 0;
- }
- if (bbe >= 0)
- bb2 += bbe;
- else
- bd2 -= bbe;
- bs2 = bb2;
-#ifdef Honor_FLT_ROUNDS
- if (bc.rounding != 1)
- bs2++;
-#endif
-#ifdef Avoid_Underflow
- j = bbe - bc.scale;
- i = j + bbbits - 1; /* logb(rv) */
- if (i < Emin) /* denormal */
- j += P - Emin;
- else
- j = P + 1 - bbbits;
-#else /*Avoid_Underflow*/
-#ifdef Sudden_Underflow
-#ifdef IBM
- j = 1 + 4*P - 3 - bbbits + ((bbe + bbbits - 1) & 3);
-#else
- j = P + 1 - bbbits;
-#endif
-#else /*Sudden_Underflow*/
- j = bbe;
- i = j + bbbits - 1; /* logb(rv) */
- if (i < Emin) /* denormal */
- j += P - Emin;
- else
- j = P + 1 - bbbits;
-#endif /*Sudden_Underflow*/
-#endif /*Avoid_Underflow*/
- bb2 += j;
- bd2 += j;
-#ifdef Avoid_Underflow
- bd2 += bc.scale;
-#endif
- i = bb2 < bd2 ? bb2 : bd2;
- if (i > bs2)
- i = bs2;
- if (i > 0) {
- bb2 -= i;
- bd2 -= i;
- bs2 -= i;
- }
- if (bb5 > 0) {
- bs = pow5mult(bs, bb5);
- bb1 = mult(bs, bb);
- Bfree(bb);
- bb = bb1;
- }
- if (bb2 > 0)
- bb = lshift(bb, bb2);
- if (bd5 > 0)
- bd = pow5mult(bd, bd5);
- if (bd2 > 0)
- bd = lshift(bd, bd2);
- if (bs2 > 0)
- bs = lshift(bs, bs2);
- delta = diff(bb, bd);
- bc.dsign = delta->sign;
- delta->sign = 0;
- i = cmp(delta, bs);
-#ifndef NO_STRTOD_BIGCOMP
- if (bc.nd > nd && i <= 0) {
- if (bc.dsign)
- break; /* Must use bigcomp(). */
-#ifdef Honor_FLT_ROUNDS
- if (bc.rounding != 1) {
- if (i < 0)
- break;
- }
- else
-#endif
- {
- bc.nd = nd;
- i = -1; /* Discarded digits make delta smaller. */
- }
- }
-#endif
-#ifdef Honor_FLT_ROUNDS
- if (bc.rounding != 1) {
- if (i < 0) {
- /* Error is less than an ulp */
- if (!delta->x[0] && delta->wds <= 1) {
- /* exact */
-#ifdef SET_INEXACT
- bc.inexact = 0;
-#endif
- break;
- }
- if (bc.rounding) {
- if (bc.dsign) {
- adj.d = 1.;
- goto apply_adj;
- }
- }
- else if (!bc.dsign) {
- adj.d = -1.;
- if (!word1(&rv)
- && !(word0(&rv) & Frac_mask)) {
- y = word0(&rv) & Exp_mask;
-#ifdef Avoid_Underflow
- if (!bc.scale || y > 2*P*Exp_msk1)
-#else
- if (y)
-#endif
- {
- delta = lshift(delta,Log2P);
- if (cmp(delta, bs) <= 0)
- adj.d = -0.5;
- }
- }
- apply_adj:
-#ifdef Avoid_Underflow
- if (bc.scale && (y = word0(&rv) & Exp_mask)
- <= 2*P*Exp_msk1)
- word0(&adj) += (2*P+1)*Exp_msk1 - y;
-#else
-#ifdef Sudden_Underflow
- if ((word0(&rv) & Exp_mask) <=
- P*Exp_msk1) {
- word0(&rv) += P*Exp_msk1;
- dval(&rv) += adj.d*ulp(dval(&rv));
- word0(&rv) -= P*Exp_msk1;
- }
- else
-#endif /*Sudden_Underflow*/
-#endif /*Avoid_Underflow*/
- dval(&rv) += adj.d*ulp(&rv);
- }
- break;
- }
- adj.d = ratio(delta, bs);
- if (adj.d < 1.)
- adj.d = 1.;
- if (adj.d <= 0x7ffffffe) {
- /* adj = rounding ? ceil(adj) : floor(adj); */
- y = adj.d;
- if (y != adj.d) {
- if (!((bc.rounding>>1) ^ bc.dsign))
- y++;
- adj.d = y;
- }
- }
-#ifdef Avoid_Underflow
- if (bc.scale && (y = word0(&rv) & Exp_mask) <= 2*P*Exp_msk1)
- word0(&adj) += (2*P+1)*Exp_msk1 - y;
-#else
-#ifdef Sudden_Underflow
- if ((word0(&rv) & Exp_mask) <= P*Exp_msk1) {
- word0(&rv) += P*Exp_msk1;
- adj.d *= ulp(dval(&rv));
- if (bc.dsign)
- dval(&rv) += adj.d;
- else
- dval(&rv) -= adj.d;
- word0(&rv) -= P*Exp_msk1;
- goto cont;
- }
-#endif /*Sudden_Underflow*/
-#endif /*Avoid_Underflow*/
- adj.d *= ulp(&rv);
- if (bc.dsign) {
- if (word0(&rv) == Big0 && word1(&rv) == Big1)
- goto ovfl;
- dval(&rv) += adj.d;
- }
- else
- dval(&rv) -= adj.d;
- goto cont;
- }
-#endif /*Honor_FLT_ROUNDS*/
-
- if (i < 0) {
- /* Error is less than half an ulp -- check for
- * special case of mantissa a power of two.
- */
- if (bc.dsign || word1(&rv) || word0(&rv) & Bndry_mask
-#ifdef IEEE_Arith
-#ifdef Avoid_Underflow
- || (word0(&rv) & Exp_mask) <= (2*P+1)*Exp_msk1
-#else
- || (word0(&rv) & Exp_mask) <= Exp_msk1
-#endif
-#endif
- ) {
-#ifdef SET_INEXACT
- if (!delta->x[0] && delta->wds <= 1)
- bc.inexact = 0;
-#endif
- break;
- }
- if (!delta->x[0] && delta->wds <= 1) {
- /* exact result */
-#ifdef SET_INEXACT
- bc.inexact = 0;
-#endif
- break;
- }
- delta = lshift(delta,Log2P);
- if (cmp(delta, bs) > 0)
- goto drop_down;
- break;
- }
- if (i == 0) {
- /* exactly half-way between */
- if (bc.dsign) {
- if ((word0(&rv) & Bndry_mask1) == Bndry_mask1
- && word1(&rv) == (
-#ifdef Avoid_Underflow
- (bc.scale && (y = word0(&rv) & Exp_mask) <= 2*P*Exp_msk1)
- ? (0xffffffff & (0xffffffff << (2*P+1-(y>>Exp_shift)))) :
-#endif
- 0xffffffff)) {
- /*boundary case -- increment exponent*/
- word0(&rv) = (word0(&rv) & Exp_mask)
- + Exp_msk1
-#ifdef IBM
- | Exp_msk1 >> 4
-#endif
- ;
- word1(&rv) = 0;
-#ifdef Avoid_Underflow
- bc.dsign = 0;
-#endif
- break;
- }
- }
- else if (!(word0(&rv) & Bndry_mask) && !word1(&rv)) {
- drop_down:
- /* boundary case -- decrement exponent */
-#ifdef Sudden_Underflow /*{{*/
- L = word0(&rv) & Exp_mask;
-#ifdef IBM
- if (L < Exp_msk1)
-#else
-#ifdef Avoid_Underflow
- if (L <= (bc.scale ? (2*P+1)*Exp_msk1 : Exp_msk1))
-#else
- if (L <= Exp_msk1)
-#endif /*Avoid_Underflow*/
-#endif /*IBM*/
- {
- if (bc.nd >nd) {
- bc.uflchk = 1;
- break;
- }
- goto undfl;
- }
- L -= Exp_msk1;
-#else /*Sudden_Underflow}{*/
-#ifdef Avoid_Underflow
- if (bc.scale) {
- L = word0(&rv) & Exp_mask;
- if (L <= (2*P+1)*Exp_msk1) {
- if (L > (P+2)*Exp_msk1)
- /* round even ==> */
- /* accept rv */
- break;
- /* rv = smallest denormal */
- if (bc.nd >nd) {
- bc.uflchk = 1;
- break;
- }
- goto undfl;
- }
- }
-#endif /*Avoid_Underflow*/
- L = (word0(&rv) & Exp_mask) - Exp_msk1;
-#endif /*Sudden_Underflow}}*/
- word0(&rv) = L | Bndry_mask1;
- word1(&rv) = 0xffffffff;
-#ifdef IBM
- goto cont;
-#else
- break;
-#endif
- }
-#ifndef ROUND_BIASED
- if (!(word1(&rv) & LSB))
- break;
-#endif
- if (bc.dsign)
- dval(&rv) += ulp(&rv);
-#ifndef ROUND_BIASED
- else {
- dval(&rv) -= ulp(&rv);
-#ifndef Sudden_Underflow
- if (!dval(&rv)) {
- if (bc.nd >nd) {
- bc.uflchk = 1;
- break;
- }
- goto undfl;
- }
-#endif
- }
-#ifdef Avoid_Underflow
- bc.dsign = 1 - bc.dsign;
-#endif
-#endif
- break;
- }
- if ((aadj = ratio(delta, bs)) <= 2.) {
- if (bc.dsign)
- aadj = aadj1 = 1.;
- else if (word1(&rv) || word0(&rv) & Bndry_mask) {
-#ifndef Sudden_Underflow
- if (word1(&rv) == Tiny1 && !word0(&rv)) {
- if (bc.nd >nd) {
- bc.uflchk = 1;
- break;
- }
- goto undfl;
- }
-#endif
- aadj = 1.;
- aadj1 = -1.;
- }
- else {
- /* special case -- power of FLT_RADIX to be */
- /* rounded down... */
-
- if (aadj < 2./FLT_RADIX)
- aadj = 1./FLT_RADIX;
- else
- aadj *= 0.5;
- aadj1 = -aadj;
- }
- }
- else {
- aadj *= 0.5;
- aadj1 = bc.dsign ? aadj : -aadj;
-#ifdef Check_FLT_ROUNDS
- switch(bc.rounding) {
- case 2: /* towards +infinity */
- aadj1 -= 0.5;
- break;
- case 0: /* towards 0 */
- case 3: /* towards -infinity */
- aadj1 += 0.5;
- }
-#else
- if (Flt_Rounds == 0)
- aadj1 += 0.5;
-#endif /*Check_FLT_ROUNDS*/
- }
- y = word0(&rv) & Exp_mask;
-
- /* Check for overflow */
-
- if (y == Exp_msk1*(DBL_MAX_EXP+Bias-1)) {
- dval(&rv0) = dval(&rv);
- word0(&rv) -= P*Exp_msk1;
- adj.d = aadj1 * ulp(&rv);
- dval(&rv) += adj.d;
- if ((word0(&rv) & Exp_mask) >=
- Exp_msk1*(DBL_MAX_EXP+Bias-P)) {
- if (word0(&rv0) == Big0 && word1(&rv0) == Big1)
- goto ovfl;
- word0(&rv) = Big0;
- word1(&rv) = Big1;
- goto cont;
- }
- else
- word0(&rv) += P*Exp_msk1;
- }
- else {
-#ifdef Avoid_Underflow
- if (bc.scale && y <= 2*P*Exp_msk1) {
- if (aadj <= 0x7fffffff) {
- if ((z = (ULong)aadj) <= 0)
- z = 1;
- aadj = z;
- aadj1 = bc.dsign ? aadj : -aadj;
- }
- dval(&aadj2) = aadj1;
- word0(&aadj2) += (2*P+1)*Exp_msk1 - y;
- aadj1 = dval(&aadj2);
- }
- adj.d = aadj1 * ulp(&rv);
- dval(&rv) += adj.d;
-#else
-#ifdef Sudden_Underflow
- if ((word0(&rv) & Exp_mask) <= P*Exp_msk1) {
- dval(&rv0) = dval(&rv);
- word0(&rv) += P*Exp_msk1;
- adj.d = aadj1 * ulp(&rv);
- dval(&rv) += adj.d;
-#ifdef IBM
- if ((word0(&rv) & Exp_mask) < P*Exp_msk1)
-#else
- if ((word0(&rv) & Exp_mask) <= P*Exp_msk1)
-#endif
- {
- if (word0(&rv0) == Tiny0
- && word1(&rv0) == Tiny1) {
- if (bc.nd >nd) {
- bc.uflchk = 1;
- break;
- }
- goto undfl;
- }
- word0(&rv) = Tiny0;
- word1(&rv) = Tiny1;
- goto cont;
- }
- else
- word0(&rv) -= P*Exp_msk1;
- }
- else {
- adj.d = aadj1 * ulp(&rv);
- dval(&rv) += adj.d;
- }
-#else /*Sudden_Underflow*/
- /* Compute adj so that the IEEE rounding rules will
- * correctly round rv + adj in some half-way cases.
- * If rv * ulp(rv) is denormalized (i.e.,
- * y <= (P-1)*Exp_msk1), we must adjust aadj to avoid
- * trouble from bits lost to denormalization;
- * example: 1.2e-307 .
- */
- if (y <= (P-1)*Exp_msk1 && aadj > 1.) {
- aadj1 = (double)(int)(aadj + 0.5);
- if (!bc.dsign)
- aadj1 = -aadj1;
- }
- adj.d = aadj1 * ulp(&rv);
- dval(&rv) += adj.d;
-#endif /*Sudden_Underflow*/
-#endif /*Avoid_Underflow*/
- }
- z = word0(&rv) & Exp_mask;
-#ifndef SET_INEXACT
- if (bc.nd == nd) {
-#ifdef Avoid_Underflow
- if (!bc.scale)
-#endif
- if (y == z) {
- /* Can we stop now? */
- L = (Long)aadj;
- aadj -= L;
- /* The tolerances below are conservative. */
- if (bc.dsign || word1(&rv) || word0(&rv) & Bndry_mask) {
- if (aadj < .4999999 || aadj > .5000001)
- break;
- }
- else if (aadj < .4999999/FLT_RADIX)
- break;
- }
- }
-#endif
- cont:
- Bfree(bb);
- Bfree(bd);
- Bfree(bs);
- Bfree(delta);
- }
- Bfree(bb);
- Bfree(bd);
- Bfree(bs);
- Bfree(bd0);
- Bfree(delta);
-#ifndef NO_STRTOD_BIGCOMP
- if (bc.nd > nd)
- bigcomp(&rv, s0, &bc);
-#endif
-#ifdef SET_INEXACT
- if (bc.inexact) {
- if (!oldinexact) {
- word0(&rv0) = Exp_1 + (70 << Exp_shift);
- word1(&rv0) = 0;
- dval(&rv0) += 1.;
- }
- }
- else if (!oldinexact)
- clear_inexact();
-#endif
-#ifdef Avoid_Underflow
- if (bc.scale) {
- word0(&rv0) = Exp_1 - 2*P*Exp_msk1;
- word1(&rv0) = 0;
- dval(&rv) *= dval(&rv0);
-#ifndef NO_ERRNO
- /* try to avoid the bug of testing an 8087 register value */
-#ifdef IEEE_Arith
- if (!(word0(&rv) & Exp_mask))
-#else
- if (word0(&rv) == 0 && word1(&rv) == 0)
-#endif
- errno = ERANGE;
-#endif
- }
-#endif /* Avoid_Underflow */
-#ifdef SET_INEXACT
- if (bc.inexact && !(word0(&rv) & Exp_mask)) {
- /* set underflow bit */
- dval(&rv0) = 1e-300;
- dval(&rv0) *= dval(&rv0);
- }
-#endif
- ret:
- if (se)
- *se = (char *)s;
- return sign ? -dval(&rv) : dval(&rv);
- }
-
-#ifndef MULTIPLE_THREADS
- static char *dtoa_result;
-#endif
-
- static char *
-#ifdef KR_headers
-rv_alloc(i) int i;
-#else
-rv_alloc(int i)
-#endif
-{
- int j, k, *r;
-
- j = sizeof(ULong);
- for(k = 0;
- sizeof(Bigint) - sizeof(ULong) - sizeof(int) + j <= (size_t)i;
- j <<= 1)
- k++;
- r = (int*)Balloc(k);
- *r = k;
- return
-#ifndef MULTIPLE_THREADS
- dtoa_result =
-#endif
- (char *)(r+1);
- }
-
- static char *
-#ifdef KR_headers
-nrv_alloc(s, rve, n) char *s, **rve; int n;
-#else
-nrv_alloc(CONST char *s, char **rve, int n)
-#endif
-{
- char *rv, *t;
-
- t = rv = rv_alloc(n);
- for(*t = *s++; *t; *t = *s++) t++;
- if (rve)
- *rve = t;
- return rv;
- }
-
-/* freedtoa(s) must be used to free values s returned by dtoa
- * when MULTIPLE_THREADS is #defined. It should be used in all cases,
- * but for consistency with earlier versions of dtoa, it is optional
- * when MULTIPLE_THREADS is not defined.
- */
-
- void
-#ifdef KR_headers
-freedtoa(s) char *s;
-#else
-freedtoa(char *s)
-#endif
-{
- Bigint *b = (Bigint *)((int *)s - 1);
- b->maxwds = 1 << (b->k = *(int*)b);
- Bfree(b);
-#ifndef MULTIPLE_THREADS
- if (s == dtoa_result)
- dtoa_result = 0;
-#endif
- }
-
-/* dtoa for IEEE arithmetic (dmg): convert double to ASCII string.
- *
- * Inspired by "How to Print Floating-Point Numbers Accurately" by
- * Guy L. Steele, Jr. and Jon L. White [Proc. ACM SIGPLAN '90, pp. 112-126].
- *
- * Modifications:
- * 1. Rather than iterating, we use a simple numeric overestimate
- * to determine k = floor(log10(d)). We scale relevant
- * quantities using O(log2(k)) rather than O(k) multiplications.
- * 2. For some modes > 2 (corresponding to ecvt and fcvt), we don't
- * try to generate digits strictly left to right. Instead, we
- * compute with fewer bits and propagate the carry if necessary
- * when rounding the final digit up. This is often faster.
- * 3. Under the assumption that input will be rounded nearest,
- * mode 0 renders 1e23 as 1e23 rather than 9.999999999999999e22.
- * That is, we allow equality in stopping tests when the
- * round-nearest rule will give the same floating-point value
- * as would satisfaction of the stopping test with strict
- * inequality.
- * 4. We remove common factors of powers of 2 from relevant
- * quantities.
- * 5. When converting floating-point integers less than 1e16,
- * we use floating-point arithmetic rather than resorting
- * to multiple-precision integers.
- * 6. When asked to produce fewer than 15 digits, we first try
- * to get by with floating-point arithmetic; we resort to
- * multiple-precision integer arithmetic only if we cannot
- * guarantee that the floating-point calculation has given
- * the correctly rounded result. For k requested digits and
- * "uniformly" distributed input, the probability is
- * something like 10^(k-15) that we must resort to the Long
- * calculation.
- */
-
- char *
-dtoa
-#ifdef KR_headers
- (dd, mode, ndigits, decpt, sign, rve)
- double dd; int mode, ndigits, *decpt, *sign; char **rve;
-#else
- (double dd, int mode, int ndigits, int *decpt, int *sign, char **rve)
-#endif
-{
- /* Arguments ndigits, decpt, sign are similar to those
- of ecvt and fcvt; trailing zeros are suppressed from
- the returned string. If not null, *rve is set to point
- to the end of the return value. If d is +-Infinity or NaN,
- then *decpt is set to 9999.
-
- mode:
- 0 ==> shortest string that yields d when read in
- and rounded to nearest.
- 1 ==> like 0, but with Steele & White stopping rule;
- e.g. with IEEE P754 arithmetic , mode 0 gives
- 1e23 whereas mode 1 gives 9.999999999999999e22.
- 2 ==> max(1,ndigits) significant digits. This gives a
- return value similar to that of ecvt, except
- that trailing zeros are suppressed.
- 3 ==> through ndigits past the decimal point. This
- gives a return value similar to that from fcvt,
- except that trailing zeros are suppressed, and
- ndigits can be negative.
- 4,5 ==> similar to 2 and 3, respectively, but (in
- round-nearest mode) with the tests of mode 0 to
- possibly return a shorter string that rounds to d.
- With IEEE arithmetic and compilation with
- -DHonor_FLT_ROUNDS, modes 4 and 5 behave the same
- as modes 2 and 3 when FLT_ROUNDS != 1.
- 6-9 ==> Debugging modes similar to mode - 4: don't try
- fast floating-point estimate (if applicable).
-
- Values of mode other than 0-9 are treated as mode 0.
-
- Sufficient space is allocated to the return value
- to hold the suppressed trailing zeros.
- */
-
- int bbits, b2, b5, be, dig, i, ieps, ilim, ilim0, ilim1,
- j, j1, k, k0, k_check, leftright, m2, m5, s2, s5,
- spec_case, try_quick;
- Long L;
-#ifndef Sudden_Underflow
- int denorm;
- ULong x;
-#endif
- Bigint *b, *b1, *delta, *mlo = NULL, *mhi, *S;
- U d2, eps, u;
- double ds;
- char *s, *s0;
-#ifdef SET_INEXACT
- int inexact, oldinexact;
-#endif
-#ifdef Honor_FLT_ROUNDS /*{*/
- int Rounding;
-#ifdef Trust_FLT_ROUNDS /*{{ only define this if FLT_ROUNDS really works! */
- Rounding = Flt_Rounds;
-#else /*}{*/
- Rounding = 1;
- switch(fegetround()) {
- case FE_TOWARDZERO: Rounding = 0; break;
- case FE_UPWARD: Rounding = 2; break;
- case FE_DOWNWARD: Rounding = 3;
- }
-#endif /*}}*/
-#endif /*}*/
-
-#ifndef MULTIPLE_THREADS
- if (dtoa_result) {
- freedtoa(dtoa_result);
- dtoa_result = 0;
- }
-#endif
-
- u.d = dd;
- if (word0(&u) & Sign_bit) {
- /* set sign for everything, including 0's and NaNs */
- *sign = 1;
- word0(&u) &= ~Sign_bit; /* clear sign bit */
- }
- else
- *sign = 0;
-
-#if defined(IEEE_Arith) + defined(VAX)
-#ifdef IEEE_Arith
- if ((word0(&u) & Exp_mask) == Exp_mask)
-#else
- if (word0(&u) == 0x8000)
-#endif
- {
- /* Infinity or NaN */
- *decpt = 9999;
-#ifdef IEEE_Arith
- if (!word1(&u) && !(word0(&u) & 0xfffff))
- return nrv_alloc("Infinity", rve, 8);
-#endif
- return nrv_alloc("NaN", rve, 3);
- }
-#endif
-#ifdef IBM
- dval(&u) += 0; /* normalize */
-#endif
- if (!dval(&u)) {
- *decpt = 1;
- return nrv_alloc("0", rve, 1);
- }
-
-#ifdef SET_INEXACT
- try_quick = oldinexact = get_inexact();
- inexact = 1;
-#endif
-#ifdef Honor_FLT_ROUNDS
- if (Rounding >= 2) {
- if (*sign)
- Rounding = Rounding == 2 ? 0 : 2;
- else
- if (Rounding != 2)
- Rounding = 0;
- }
-#endif
-
- b = d2b(&u, &be, &bbits);
- i = (int)(word0(&u) >> Exp_shift1 & (Exp_mask>>Exp_shift1));
-#ifndef Sudden_Underflow
- if (i) {
-#endif
- dval(&d2) = dval(&u);
- word0(&d2) &= Frac_mask1;
- word0(&d2) |= Exp_11;
-#ifdef IBM
- if (j = 11 - hi0bits(word0(&d2) & Frac_mask))
- dval(&d2) /= 1 << j;
-#endif
-
- /* log(x) ~=~ log(1.5) + (x-1.5)/1.5
- * log10(x) = log(x) / log(10)
- * ~=~ log(1.5)/log(10) + (x-1.5)/(1.5*log(10))
- * log10(d) = (i-Bias)*log(2)/log(10) + log10(d2)
- *
- * This suggests computing an approximation k to log10(d) by
- *
- * k = (i - Bias)*0.301029995663981
- * + ( (d2-1.5)*0.289529654602168 + 0.176091259055681 );
- *
- * We want k to be too large rather than too small.
- * The error in the first-order Taylor series approximation
- * is in our favor, so we just round up the constant enough
- * to compensate for any error in the multiplication of
- * (i - Bias) by 0.301029995663981; since |i - Bias| <= 1077,
- * and 1077 * 0.30103 * 2^-52 ~=~ 7.2e-14,
- * adding 1e-13 to the constant term more than suffices.
- * Hence we adjust the constant term to 0.1760912590558.
- * (We could get a more accurate k by invoking log10,
- * but this is probably not worthwhile.)
- */
-
- i -= Bias;
-#ifdef IBM
- i <<= 2;
- i += j;
-#endif
-#ifndef Sudden_Underflow
- denorm = 0;
- }
- else {
- /* d is denormalized */
-
- i = bbits + be + (Bias + (P-1) - 1);
- x = i > 32 ? word0(&u) << (64 - i) | word1(&u) >> (i - 32)
- : word1(&u) << (32 - i);
- dval(&d2) = x;
- word0(&d2) -= 31*Exp_msk1; /* adjust exponent */
- i -= (Bias + (P-1) - 1) + 1;
- denorm = 1;
- }
-#endif
- ds = (dval(&d2)-1.5)*0.289529654602168 + 0.1760912590558 + i*0.301029995663981;
- k = (int)ds;
- if (ds < 0. && ds != k)
- k--; /* want k = floor(ds) */
- k_check = 1;
- if (k >= 0 && k <= Ten_pmax) {
- if (dval(&u) < tens[k])
- k--;
- k_check = 0;
- }
- j = bbits - i - 1;
- if (j >= 0) {
- b2 = 0;
- s2 = j;
- }
- else {
- b2 = -j;
- s2 = 0;
- }
- if (k >= 0) {
- b5 = 0;
- s5 = k;
- s2 += k;
- }
- else {
- b2 -= k;
- b5 = -k;
- s5 = 0;
- }
- if (mode < 0 || mode > 9)
- mode = 0;
-
-#ifndef SET_INEXACT
-#ifdef Check_FLT_ROUNDS
- try_quick = Rounding == 1;
-#else
- try_quick = 1;
-#endif
-#endif /*SET_INEXACT*/
-
- if (mode > 5) {
- mode -= 4;
- try_quick = 0;
- }
- leftright = 1;
- ilim = ilim1 = -1; /* Values for cases 0 and 1; done here to */
- /* silence erroneous "gcc -Wall" warning. */
- switch(mode) {
- case 0:
- case 1:
- i = 18;
- ndigits = 0;
- break;
- case 2:
- leftright = 0;
- /* no break */
- case 4:
- if (ndigits <= 0)
- ndigits = 1;
- ilim = ilim1 = i = ndigits;
- break;
- case 3:
- leftright = 0;
- /* no break */
- case 5:
- i = ndigits + k + 1;
- ilim = i;
- ilim1 = i - 1;
- if (i <= 0)
- i = 1;
- }
- s = s0 = rv_alloc(i);
-
-#ifdef Honor_FLT_ROUNDS
- if (mode > 1 && Rounding != 1)
- leftright = 0;
-#endif
-
- if (ilim >= 0 && ilim <= Quick_max && try_quick) {
-
- /* Try to get by with floating-point arithmetic. */
-
- i = 0;
- dval(&d2) = dval(&u);
- k0 = k;
- ilim0 = ilim;
- ieps = 2; /* conservative */
- if (k > 0) {
- ds = tens[k&0xf];
- j = k >> 4;
- if (j & Bletch) {
- /* prevent overflows */
- j &= Bletch - 1;
- dval(&u) /= bigtens[n_bigtens-1];
- ieps++;
- }
- for(; j; j >>= 1, i++)
- if (j & 1) {
- ieps++;
- ds *= bigtens[i];
- }
- dval(&u) /= ds;
- }
- else {
- j1 = -k;
- if (j1) {
- dval(&u) *= tens[j1 & 0xf];
- for(j = j1 >> 4; j; j >>= 1, i++)
- if (j & 1) {
- ieps++;
- dval(&u) *= bigtens[i];
- }
- }
- }
- if (k_check && dval(&u) < 1. && ilim > 0) {
- if (ilim1 <= 0)
- goto fast_failed;
- ilim = ilim1;
- k--;
- dval(&u) *= 10.;
- ieps++;
- }
- dval(&eps) = ieps*dval(&u) + 7.;
- word0(&eps) -= (P-1)*Exp_msk1;
- if (ilim == 0) {
- S = mhi = 0;
- dval(&u) -= 5.;
- if (dval(&u) > dval(&eps))
- goto one_digit;
- if (dval(&u) < -dval(&eps))
- goto no_digits;
- goto fast_failed;
- }
-#ifndef No_leftright
- if (leftright) {
- /* Use Steele & White method of only
- * generating digits needed.
- */
- dval(&eps) = 0.5/tens[ilim-1] - dval(&eps);
- for(i = 0;;) {
- L = (long)dval(&u);
- dval(&u) -= L;
- *s++ = '0' + (char)L;
- if (dval(&u) < dval(&eps))
- goto ret1;
- if (1. - dval(&u) < dval(&eps))
- goto bump_up;
- if (++i >= ilim)
- break;
- dval(&eps) *= 10.;
- dval(&u) *= 10.;
- }
- }
- else {
-#endif
- /* Generate ilim digits, then fix them up. */
- dval(&eps) *= tens[ilim-1];
- for(i = 1;; i++, dval(&u) *= 10.) {
- L = (Long)(dval(&u));
- if (!(dval(&u) -= L))
- ilim = i;
- *s++ = '0' + (char)L;
- if (i == ilim) {
- if (dval(&u) > 0.5 + dval(&eps))
- goto bump_up;
- else if (dval(&u) < 0.5 - dval(&eps)) {
- while(*--s == '0') {}
- s++;
- goto ret1;
- }
- break;
- }
- }
-#ifndef No_leftright
- }
-#endif
- fast_failed:
- s = s0;
- dval(&u) = dval(&d2);
- k = k0;
- ilim = ilim0;
- }
-
- /* Do we have a "small" integer? */
-
- if (be >= 0 && k <= Int_max) {
- /* Yes. */
- ds = tens[k];
- if (ndigits < 0 && ilim <= 0) {
- S = mhi = 0;
- if (ilim < 0 || dval(&u) <= 5*ds)
- goto no_digits;
- goto one_digit;
- }
- for(i = 1; i <= k + 1; i++, dval(&u) *= 10.) {
- L = (Long)(dval(&u) / ds);
- dval(&u) -= L*ds;
-#ifdef Check_FLT_ROUNDS
- /* If FLT_ROUNDS == 2, L will usually be high by 1 */
- if (dval(&u) < 0) {
- L--;
- dval(&u) += ds;
- }
-#endif
- *s++ = '0' + (char)L;
- if (!dval(&u)) {
-#ifdef SET_INEXACT
- inexact = 0;
-#endif
- break;
- }
- if (i == ilim) {
-#ifdef Honor_FLT_ROUNDS
- if (mode > 1)
- switch(Rounding) {
- case 0: goto ret1;
- case 2: goto bump_up;
- }
-#endif
- dval(&u) += dval(&u);
- if (dval(&u) > ds || (dval(&u) == ds && L & 1)) {
- bump_up:
- while(*--s == '9')
- if (s == s0) {
- k++;
- *s = '0';
- break;
- }
- ++*s++;
- }
- break;
- }
- }
- goto ret1;
- }
-
- m2 = b2;
- m5 = b5;
- mhi = mlo = 0;
- if (leftright) {
- i =
-#ifndef Sudden_Underflow
- denorm ? be + (Bias + (P-1) - 1 + 1) :
-#endif
-#ifdef IBM
- 1 + 4*P - 3 - bbits + ((bbits + be - 1) & 3);
-#else
- 1 + P - bbits;
-#endif
- b2 += i;
- s2 += i;
- mhi = i2b(1);
- }
- if (m2 > 0 && s2 > 0) {
- i = m2 < s2 ? m2 : s2;
- b2 -= i;
- m2 -= i;
- s2 -= i;
- }
- if (b5 > 0) {
- if (leftright) {
- if (m5 > 0) {
- mhi = pow5mult(mhi, m5);
- b1 = mult(mhi, b);
- Bfree(b);
- b = b1;
- }
- j = b5 - m5;
- if (j)
- b = pow5mult(b, j);
- }
- else
- b = pow5mult(b, b5);
- }
- S = i2b(1);
- if (s5 > 0)
- S = pow5mult(S, s5);
-
- /* Check for special case that d is a normalized power of 2. */
-
- spec_case = 0;
- if ((mode < 2 || leftright)
-#ifdef Honor_FLT_ROUNDS
- && Rounding == 1
-#endif
- ) {
- if (!word1(&u) && !(word0(&u) & Bndry_mask)
-#ifndef Sudden_Underflow
- && word0(&u) & (Exp_mask & ~Exp_msk1)
-#endif
- ) {
- /* The special case */
- b2 += Log2P;
- s2 += Log2P;
- spec_case = 1;
- }
- }
-
- /* Arrange for convenient computation of quotients:
- * shift left if necessary so divisor has 4 leading 0 bits.
- *
- * Perhaps we should just compute leading 28 bits of S once
- * and for all and pass them and a shift to quorem, so it
- * can do shifts and ors to compute the numerator for q.
- */
-#ifdef Pack_32
- i = ((s5 ? 32 - hi0bits(S->x[S->wds-1]) : 1) + s2) & 0x1f;
- if (i)
- i = 32 - i;
-#define iInc 28
-#else
- if (i = ((s5 ? 32 - hi0bits(S->x[S->wds-1]) : 1) + s2) & 0xf)
- i = 16 - i;
-#define iInc 12
-#endif
- i = dshift(S, s2);
- b2 += i;
- m2 += i;
- s2 += i;
- if (b2 > 0)
- b = lshift(b, b2);
- if (s2 > 0)
- S = lshift(S, s2);
- if (k_check) {
- if (cmp(b,S) < 0) {
- k--;
- b = multadd(b, 10, 0); /* we botched the k estimate */
- if (leftright)
- mhi = multadd(mhi, 10, 0);
- ilim = ilim1;
- }
- }
- if (ilim <= 0 && (mode == 3 || mode == 5)) {
- if (ilim < 0 || cmp(b,S = multadd(S,5,0)) <= 0) {
- /* no digits, fcvt style */
- no_digits:
- k = -1 - ndigits;
- goto ret;
- }
- one_digit:
- *s++ = '1';
- k++;
- goto ret;
- }
- if (leftright) {
- if (m2 > 0)
- mhi = lshift(mhi, m2);
-
- /* Compute mlo -- check for special case
- * that d is a normalized power of 2.
- */
-
- mlo = mhi;
- if (spec_case) {
- mhi = Balloc(mhi->k);
- Bcopy(mhi, mlo);
- mhi = lshift(mhi, Log2P);
- }
-
- for(i = 1;;i++) {
- dig = quorem(b,S) + '0';
- /* Do we yet have the shortest decimal string
- * that will round to d?
- */
- j = cmp(b, mlo);
- delta = diff(S, mhi);
- j1 = delta->sign ? 1 : cmp(b, delta);
- Bfree(delta);
-#ifndef ROUND_BIASED
- if (j1 == 0 && mode != 1 && !(word1(&u) & 1)
-#ifdef Honor_FLT_ROUNDS
- && Rounding >= 1
-#endif
- ) {
- if (dig == '9')
- goto round_9_up;
- if (j > 0)
- dig++;
-#ifdef SET_INEXACT
- else if (!b->x[0] && b->wds <= 1)
- inexact = 0;
-#endif
- *s++ = (char)dig;
- goto ret;
- }
-#endif
- if (j < 0 || (j == 0 && mode != 1
-#ifndef ROUND_BIASED
- && !(word1(&u) & 1)
-#endif
- )) {
- if (!b->x[0] && b->wds <= 1) {
-#ifdef SET_INEXACT
- inexact = 0;
-#endif
- goto accept_dig;
- }
-#ifdef Honor_FLT_ROUNDS
- if (mode > 1)
- switch(Rounding) {
- case 0: goto accept_dig;
- case 2: goto keep_dig;
- }
-#endif /*Honor_FLT_ROUNDS*/
- if (j1 > 0) {
- b = lshift(b, 1);
- j1 = cmp(b, S);
- if ((j1 > 0 || (j1 == 0 && dig & 1))
- && dig++ == '9')
- goto round_9_up;
- }
- accept_dig:
- *s++ = (char)dig;
- goto ret;
- }
- if (j1 > 0) {
-#ifdef Honor_FLT_ROUNDS
- if (!Rounding)
- goto accept_dig;
-#endif
- if (dig == '9') { /* possible if i == 1 */
- round_9_up:
- *s++ = '9';
- goto roundoff;
- }
- *s++ = (char)dig + 1;
- goto ret;
- }
-#ifdef Honor_FLT_ROUNDS
- keep_dig:
-#endif
- *s++ = (char)dig;
- if (i == ilim)
- break;
- b = multadd(b, 10, 0);
- if (mlo == mhi)
- mlo = mhi = multadd(mhi, 10, 0);
- else {
- mlo = multadd(mlo, 10, 0);
- mhi = multadd(mhi, 10, 0);
- }
- }
- }
- else
- for(i = 1;; i++) {
- dig = quorem(b,S) + '0';
- *s++ = (char)dig;
- if (!b->x[0] && b->wds <= 1) {
-#ifdef SET_INEXACT
- inexact = 0;
-#endif
- goto ret;
- }
- if (i >= ilim)
- break;
- b = multadd(b, 10, 0);
- }
-
- /* Round off last digit */
-
-#ifdef Honor_FLT_ROUNDS
- switch(Rounding) {
- case 0: goto trimzeros;
- case 2: goto roundoff;
- }
-#endif
- b = lshift(b, 1);
- j = cmp(b, S);
- if (j > 0 || (j == 0 && dig & 1)) {
- roundoff:
- while(*--s == '9')
- if (s == s0) {
- k++;
- *s++ = '1';
- goto ret;
- }
- ++*s++;
- }
- else {
-#ifdef Honor_FLT_ROUNDS
- trimzeros:
-#endif
- while(*--s == '0') {}
- s++;
- }
- ret:
- Bfree(S);
- if (mhi) {
- if (mlo && mlo != mhi)
- Bfree(mlo);
- Bfree(mhi);
- }
- ret1:
-#ifdef SET_INEXACT
- if (inexact) {
- if (!oldinexact) {
- word0(&u) = Exp_1 + (70 << Exp_shift);
- word1(&u) = 0;
- dval(&u) += 1.;
- }
- }
- else if (!oldinexact)
- clear_inexact();
-#endif
- Bfree(b);
- *s = 0;
- *decpt = k + 1;
- if (rve)
- *rve = s;
- return s0;
- }
-
-} // namespace dmg_fp
diff --git a/security/sandbox/chromium/base/third_party/dmg_fp/g_fmt.cc b/security/sandbox/chromium/base/third_party/dmg_fp/g_fmt.cc
deleted file mode 100644
index bfa358d15..000000000
--- a/security/sandbox/chromium/base/third_party/dmg_fp/g_fmt.cc
+++ /dev/null
@@ -1,102 +0,0 @@
-/****************************************************************
- *
- * The author of this software is David M. Gay.
- *
- * Copyright (c) 1991, 1996 by Lucent Technologies.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose without fee is hereby granted, provided that this entire notice
- * is included in all copies of any software which is or includes a copy
- * or modification of this software and in all copies of the supporting
- * documentation for such software.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED
- * WARRANTY. IN PARTICULAR, NEITHER THE AUTHOR NOR LUCENT MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY
- * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.
- *
- ***************************************************************/
-
-/* g_fmt(buf,x) stores the closest decimal approximation to x in buf;
- * it suffices to declare buf
- * char buf[32];
- */
-
-#include "dmg_fp.h"
-
-namespace dmg_fp {
-
- char *
-g_fmt(register char *b, double x)
-{
- register int i, k;
- register char *s;
- int decpt, j, sign;
- char *b0, *s0, *se;
-
- b0 = b;
-#ifdef IGNORE_ZERO_SIGN
- if (!x) {
- *b++ = '0';
- *b = 0;
- goto done;
- }
-#endif
- s = s0 = dtoa(x, 0, 0, &decpt, &sign, &se);
- if (sign)
- *b++ = '-';
- if (decpt == 9999) /* Infinity or Nan */ {
- for(*b = *s++; *b++; *b = *s++) {}
- goto done0;
- }
- if (decpt <= -4 || decpt > se - s + 5) {
- *b++ = *s++;
- if (*s) {
- *b++ = '.';
- for(*b = *s++; *b; *b = *s++)
- b++;
- }
- *b++ = 'e';
- /* sprintf(b, "%+.2d", decpt - 1); */
- if (--decpt < 0) {
- *b++ = '-';
- decpt = -decpt;
- }
- else
- *b++ = '+';
- for(j = 2, k = 10; 10*k <= decpt; j++, k *= 10) {}
- for(;;) {
- i = decpt / k;
- *b++ = (char)i + '0';
- if (--j <= 0)
- break;
- decpt -= i*k;
- decpt *= 10;
- }
- *b = 0;
- }
- else if (decpt <= 0) {
- *b++ = '.';
- for(; decpt < 0; decpt++)
- *b++ = '0';
- for(*b = *s++; *b++; *b = *s++) {}
- }
- else {
- for(*b = *s++; *b; *b = *s++) {
- b++;
- if (--decpt == 0 && *s)
- *b++ = '.';
- }
- for(; decpt > 0; decpt--)
- *b++ = '0';
- *b = 0;
- }
- done0:
- freedtoa(s0);
-#ifdef IGNORE_ZERO_SIGN
- done:
-#endif
- return b0;
- }
-
-} // namespace dmg_fp
diff --git a/security/sandbox/chromium/base/third_party/dynamic_annotations/LICENSE b/security/sandbox/chromium/base/third_party/dynamic_annotations/LICENSE
deleted file mode 100644
index 5c581a939..000000000
--- a/security/sandbox/chromium/base/third_party/dynamic_annotations/LICENSE
+++ /dev/null
@@ -1,28 +0,0 @@
-/* Copyright (c) 2008-2009, Google Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Neither the name of Google Inc. nor the names of its
- * contributors may be used to endorse or promote products derived from
- * this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * ---
- * Author: Kostya Serebryany
- */
diff --git a/security/sandbox/chromium/base/third_party/dynamic_annotations/dynamic_annotations.h b/security/sandbox/chromium/base/third_party/dynamic_annotations/dynamic_annotations.h
deleted file mode 100644
index 8d7f05202..000000000
--- a/security/sandbox/chromium/base/third_party/dynamic_annotations/dynamic_annotations.h
+++ /dev/null
@@ -1,595 +0,0 @@
-/* Copyright (c) 2011, Google Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are
- * met:
- *
- * * Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * * Neither the name of Google Inc. nor the names of its
- * contributors may be used to endorse or promote products derived from
- * this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
- * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-/* This file defines dynamic annotations for use with dynamic analysis
- tool such as valgrind, PIN, etc.
-
- Dynamic annotation is a source code annotation that affects
- the generated code (that is, the annotation is not a comment).
- Each such annotation is attached to a particular
- instruction and/or to a particular object (address) in the program.
-
- The annotations that should be used by users are macros in all upper-case
- (e.g., ANNOTATE_NEW_MEMORY).
-
- Actual implementation of these macros may differ depending on the
- dynamic analysis tool being used.
-
- See http://code.google.com/p/data-race-test/ for more information.
-
- This file supports the following dynamic analysis tools:
- - None (DYNAMIC_ANNOTATIONS_ENABLED is not defined or zero).
- Macros are defined empty.
- - ThreadSanitizer, Helgrind, DRD (DYNAMIC_ANNOTATIONS_ENABLED is 1).
- Macros are defined as calls to non-inlinable empty functions
- that are intercepted by Valgrind. */
-
-#ifndef __DYNAMIC_ANNOTATIONS_H__
-#define __DYNAMIC_ANNOTATIONS_H__
-
-#ifndef DYNAMIC_ANNOTATIONS_PREFIX
-# define DYNAMIC_ANNOTATIONS_PREFIX
-#endif
-
-#ifndef DYNAMIC_ANNOTATIONS_PROVIDE_RUNNING_ON_VALGRIND
-# define DYNAMIC_ANNOTATIONS_PROVIDE_RUNNING_ON_VALGRIND 1
-#endif
-
-#ifdef DYNAMIC_ANNOTATIONS_WANT_ATTRIBUTE_WEAK
-# ifdef __GNUC__
-# define DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK __attribute__((weak))
-# else
-/* TODO(glider): for Windows support we may want to change this macro in order
- to prepend __declspec(selectany) to the annotations' declarations. */
-# error weak annotations are not supported for your compiler
-# endif
-#else
-# define DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK
-#endif
-
-/* The following preprocessor magic prepends the value of
- DYNAMIC_ANNOTATIONS_PREFIX to annotation function names. */
-#define DYNAMIC_ANNOTATIONS_GLUE0(A, B) A##B
-#define DYNAMIC_ANNOTATIONS_GLUE(A, B) DYNAMIC_ANNOTATIONS_GLUE0(A, B)
-#define DYNAMIC_ANNOTATIONS_NAME(name) \
- DYNAMIC_ANNOTATIONS_GLUE(DYNAMIC_ANNOTATIONS_PREFIX, name)
-
-#ifndef DYNAMIC_ANNOTATIONS_ENABLED
-# define DYNAMIC_ANNOTATIONS_ENABLED 0
-#endif
-
-#if DYNAMIC_ANNOTATIONS_ENABLED != 0
-
- /* -------------------------------------------------------------
- Annotations useful when implementing condition variables such as CondVar,
- using conditional critical sections (Await/LockWhen) and when constructing
- user-defined synchronization mechanisms.
-
- The annotations ANNOTATE_HAPPENS_BEFORE() and ANNOTATE_HAPPENS_AFTER() can
- be used to define happens-before arcs in user-defined synchronization
- mechanisms: the race detector will infer an arc from the former to the
- latter when they share the same argument pointer.
-
- Example 1 (reference counting):
-
- void Unref() {
- ANNOTATE_HAPPENS_BEFORE(&refcount_);
- if (AtomicDecrementByOne(&refcount_) == 0) {
- ANNOTATE_HAPPENS_AFTER(&refcount_);
- delete this;
- }
- }
-
- Example 2 (message queue):
-
- void MyQueue::Put(Type *e) {
- MutexLock lock(&mu_);
- ANNOTATE_HAPPENS_BEFORE(e);
- PutElementIntoMyQueue(e);
- }
-
- Type *MyQueue::Get() {
- MutexLock lock(&mu_);
- Type *e = GetElementFromMyQueue();
- ANNOTATE_HAPPENS_AFTER(e);
- return e;
- }
-
- Note: when possible, please use the existing reference counting and message
- queue implementations instead of inventing new ones. */
-
- /* Report that wait on the condition variable at address "cv" has succeeded
- and the lock at address "lock" is held. */
- #define ANNOTATE_CONDVAR_LOCK_WAIT(cv, lock) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateCondVarWait)(__FILE__, __LINE__, cv, lock)
-
- /* Report that wait on the condition variable at "cv" has succeeded. Variant
- w/o lock. */
- #define ANNOTATE_CONDVAR_WAIT(cv) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateCondVarWait)(__FILE__, __LINE__, cv, NULL)
-
- /* Report that we are about to signal on the condition variable at address
- "cv". */
- #define ANNOTATE_CONDVAR_SIGNAL(cv) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateCondVarSignal)(__FILE__, __LINE__, cv)
-
- /* Report that we are about to signal_all on the condition variable at address
- "cv". */
- #define ANNOTATE_CONDVAR_SIGNAL_ALL(cv) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateCondVarSignalAll)(__FILE__, __LINE__, cv)
-
- /* Annotations for user-defined synchronization mechanisms. */
- #define ANNOTATE_HAPPENS_BEFORE(obj) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateHappensBefore)(__FILE__, __LINE__, obj)
- #define ANNOTATE_HAPPENS_AFTER(obj) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateHappensAfter)(__FILE__, __LINE__, obj)
-
- /* DEPRECATED. Don't use it. */
- #define ANNOTATE_PUBLISH_MEMORY_RANGE(pointer, size) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotatePublishMemoryRange)(__FILE__, __LINE__, \
- pointer, size)
-
- /* DEPRECATED. Don't use it. */
- #define ANNOTATE_UNPUBLISH_MEMORY_RANGE(pointer, size) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateUnpublishMemoryRange)(__FILE__, __LINE__, \
- pointer, size)
-
- /* DEPRECATED. Don't use it. */
- #define ANNOTATE_SWAP_MEMORY_RANGE(pointer, size) \
- do { \
- ANNOTATE_UNPUBLISH_MEMORY_RANGE(pointer, size); \
- ANNOTATE_PUBLISH_MEMORY_RANGE(pointer, size); \
- } while (0)
-
- /* Instruct the tool to create a happens-before arc between mu->Unlock() and
- mu->Lock(). This annotation may slow down the race detector and hide real
- races. Normally it is used only when it would be difficult to annotate each
- of the mutex's critical sections individually using the annotations above.
- This annotation makes sense only for hybrid race detectors. For pure
- happens-before detectors this is a no-op. For more details see
- http://code.google.com/p/data-race-test/wiki/PureHappensBeforeVsHybrid . */
- #define ANNOTATE_PURE_HAPPENS_BEFORE_MUTEX(mu) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateMutexIsUsedAsCondVar)(__FILE__, __LINE__, \
- mu)
-
- /* Opposite to ANNOTATE_PURE_HAPPENS_BEFORE_MUTEX.
- Instruct the tool to NOT create h-b arcs between Unlock and Lock, even in
- pure happens-before mode. For a hybrid mode this is a no-op. */
- #define ANNOTATE_NOT_HAPPENS_BEFORE_MUTEX(mu) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateMutexIsNotPHB)(__FILE__, __LINE__, mu)
-
- /* Deprecated. Use ANNOTATE_PURE_HAPPENS_BEFORE_MUTEX. */
- #define ANNOTATE_MUTEX_IS_USED_AS_CONDVAR(mu) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateMutexIsUsedAsCondVar)(__FILE__, __LINE__, \
- mu)
-
- /* -------------------------------------------------------------
- Annotations useful when defining memory allocators, or when memory that
- was protected in one way starts to be protected in another. */
-
- /* Report that a new memory at "address" of size "size" has been allocated.
- This might be used when the memory has been retrieved from a free list and
- is about to be reused, or when a the locking discipline for a variable
- changes. */
- #define ANNOTATE_NEW_MEMORY(address, size) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateNewMemory)(__FILE__, __LINE__, address, \
- size)
-
- /* -------------------------------------------------------------
- Annotations useful when defining FIFO queues that transfer data between
- threads. */
-
- /* Report that the producer-consumer queue (such as ProducerConsumerQueue) at
- address "pcq" has been created. The ANNOTATE_PCQ_* annotations
- should be used only for FIFO queues. For non-FIFO queues use
- ANNOTATE_HAPPENS_BEFORE (for put) and ANNOTATE_HAPPENS_AFTER (for get). */
- #define ANNOTATE_PCQ_CREATE(pcq) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotatePCQCreate)(__FILE__, __LINE__, pcq)
-
- /* Report that the queue at address "pcq" is about to be destroyed. */
- #define ANNOTATE_PCQ_DESTROY(pcq) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotatePCQDestroy)(__FILE__, __LINE__, pcq)
-
- /* Report that we are about to put an element into a FIFO queue at address
- "pcq". */
- #define ANNOTATE_PCQ_PUT(pcq) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotatePCQPut)(__FILE__, __LINE__, pcq)
-
- /* Report that we've just got an element from a FIFO queue at address
- "pcq". */
- #define ANNOTATE_PCQ_GET(pcq) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotatePCQGet)(__FILE__, __LINE__, pcq)
-
- /* -------------------------------------------------------------
- Annotations that suppress errors. It is usually better to express the
- program's synchronization using the other annotations, but these can
- be used when all else fails. */
-
- /* Report that we may have a benign race at "pointer", with size
- "sizeof(*(pointer))". "pointer" must be a non-void* pointer. Insert at the
- point where "pointer" has been allocated, preferably close to the point
- where the race happens. See also ANNOTATE_BENIGN_RACE_STATIC. */
- #define ANNOTATE_BENIGN_RACE(pointer, description) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateBenignRaceSized)(__FILE__, __LINE__, \
- pointer, sizeof(*(pointer)), description)
-
- /* Same as ANNOTATE_BENIGN_RACE(address, description), but applies to
- the memory range [address, address+size). */
- #define ANNOTATE_BENIGN_RACE_SIZED(address, size, description) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateBenignRaceSized)(__FILE__, __LINE__, \
- address, size, description)
-
- /* Request the analysis tool to ignore all reads in the current thread
- until ANNOTATE_IGNORE_READS_END is called.
- Useful to ignore intentional racey reads, while still checking
- other reads and all writes.
- See also ANNOTATE_UNPROTECTED_READ. */
- #define ANNOTATE_IGNORE_READS_BEGIN() \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreReadsBegin)(__FILE__, __LINE__)
-
- /* Stop ignoring reads. */
- #define ANNOTATE_IGNORE_READS_END() \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreReadsEnd)(__FILE__, __LINE__)
-
- /* Similar to ANNOTATE_IGNORE_READS_BEGIN, but ignore writes. */
- #define ANNOTATE_IGNORE_WRITES_BEGIN() \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreWritesBegin)(__FILE__, __LINE__)
-
- /* Stop ignoring writes. */
- #define ANNOTATE_IGNORE_WRITES_END() \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreWritesEnd)(__FILE__, __LINE__)
-
- /* Start ignoring all memory accesses (reads and writes). */
- #define ANNOTATE_IGNORE_READS_AND_WRITES_BEGIN() \
- do {\
- ANNOTATE_IGNORE_READS_BEGIN();\
- ANNOTATE_IGNORE_WRITES_BEGIN();\
- }while(0)\
-
- /* Stop ignoring all memory accesses. */
- #define ANNOTATE_IGNORE_READS_AND_WRITES_END() \
- do {\
- ANNOTATE_IGNORE_WRITES_END();\
- ANNOTATE_IGNORE_READS_END();\
- }while(0)\
-
- /* Similar to ANNOTATE_IGNORE_READS_BEGIN, but ignore synchronization events:
- RWLOCK* and CONDVAR*. */
- #define ANNOTATE_IGNORE_SYNC_BEGIN() \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreSyncBegin)(__FILE__, __LINE__)
-
- /* Stop ignoring sync events. */
- #define ANNOTATE_IGNORE_SYNC_END() \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreSyncEnd)(__FILE__, __LINE__)
-
-
- /* Enable (enable!=0) or disable (enable==0) race detection for all threads.
- This annotation could be useful if you want to skip expensive race analysis
- during some period of program execution, e.g. during initialization. */
- #define ANNOTATE_ENABLE_RACE_DETECTION(enable) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateEnableRaceDetection)(__FILE__, __LINE__, \
- enable)
-
- /* -------------------------------------------------------------
- Annotations useful for debugging. */
-
- /* Request to trace every access to "address". */
- #define ANNOTATE_TRACE_MEMORY(address) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateTraceMemory)(__FILE__, __LINE__, address)
-
- /* Report the current thread name to a race detector. */
- #define ANNOTATE_THREAD_NAME(name) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateThreadName)(__FILE__, __LINE__, name)
-
- /* -------------------------------------------------------------
- Annotations useful when implementing locks. They are not
- normally needed by modules that merely use locks.
- The "lock" argument is a pointer to the lock object. */
-
- /* Report that a lock has been created at address "lock". */
- #define ANNOTATE_RWLOCK_CREATE(lock) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateRWLockCreate)(__FILE__, __LINE__, lock)
-
- /* Report that the lock at address "lock" is about to be destroyed. */
- #define ANNOTATE_RWLOCK_DESTROY(lock) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateRWLockDestroy)(__FILE__, __LINE__, lock)
-
- /* Report that the lock at address "lock" has been acquired.
- is_w=1 for writer lock, is_w=0 for reader lock. */
- #define ANNOTATE_RWLOCK_ACQUIRED(lock, is_w) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateRWLockAcquired)(__FILE__, __LINE__, lock, \
- is_w)
-
- /* Report that the lock at address "lock" is about to be released. */
- #define ANNOTATE_RWLOCK_RELEASED(lock, is_w) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateRWLockReleased)(__FILE__, __LINE__, lock, \
- is_w)
-
- /* -------------------------------------------------------------
- Annotations useful when implementing barriers. They are not
- normally needed by modules that merely use barriers.
- The "barrier" argument is a pointer to the barrier object. */
-
- /* Report that the "barrier" has been initialized with initial "count".
- If 'reinitialization_allowed' is true, initialization is allowed to happen
- multiple times w/o calling barrier_destroy() */
- #define ANNOTATE_BARRIER_INIT(barrier, count, reinitialization_allowed) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateBarrierInit)(__FILE__, __LINE__, barrier, \
- count, reinitialization_allowed)
-
- /* Report that we are about to enter barrier_wait("barrier"). */
- #define ANNOTATE_BARRIER_WAIT_BEFORE(barrier) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateBarrierWaitBefore)(__FILE__, __LINE__, \
- barrier)
-
- /* Report that we just exited barrier_wait("barrier"). */
- #define ANNOTATE_BARRIER_WAIT_AFTER(barrier) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateBarrierWaitAfter)(__FILE__, __LINE__, \
- barrier)
-
- /* Report that the "barrier" has been destroyed. */
- #define ANNOTATE_BARRIER_DESTROY(barrier) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateBarrierDestroy)(__FILE__, __LINE__, \
- barrier)
-
- /* -------------------------------------------------------------
- Annotations useful for testing race detectors. */
-
- /* Report that we expect a race on the variable at "address".
- Use only in unit tests for a race detector. */
- #define ANNOTATE_EXPECT_RACE(address, description) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateExpectRace)(__FILE__, __LINE__, address, \
- description)
-
- #define ANNOTATE_FLUSH_EXPECTED_RACES() \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateFlushExpectedRaces)(__FILE__, __LINE__)
-
- /* A no-op. Insert where you like to test the interceptors. */
- #define ANNOTATE_NO_OP(arg) \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateNoOp)(__FILE__, __LINE__, arg)
-
- /* Force the race detector to flush its state. The actual effect depends on
- * the implementation of the detector. */
- #define ANNOTATE_FLUSH_STATE() \
- DYNAMIC_ANNOTATIONS_NAME(AnnotateFlushState)(__FILE__, __LINE__)
-
-
-#else /* DYNAMIC_ANNOTATIONS_ENABLED == 0 */
-
- #define ANNOTATE_RWLOCK_CREATE(lock) /* empty */
- #define ANNOTATE_RWLOCK_DESTROY(lock) /* empty */
- #define ANNOTATE_RWLOCK_ACQUIRED(lock, is_w) /* empty */
- #define ANNOTATE_RWLOCK_RELEASED(lock, is_w) /* empty */
- #define ANNOTATE_BARRIER_INIT(barrier, count, reinitialization_allowed) /* */
- #define ANNOTATE_BARRIER_WAIT_BEFORE(barrier) /* empty */
- #define ANNOTATE_BARRIER_WAIT_AFTER(barrier) /* empty */
- #define ANNOTATE_BARRIER_DESTROY(barrier) /* empty */
- #define ANNOTATE_CONDVAR_LOCK_WAIT(cv, lock) /* empty */
- #define ANNOTATE_CONDVAR_WAIT(cv) /* empty */
- #define ANNOTATE_CONDVAR_SIGNAL(cv) /* empty */
- #define ANNOTATE_CONDVAR_SIGNAL_ALL(cv) /* empty */
- #define ANNOTATE_HAPPENS_BEFORE(obj) /* empty */
- #define ANNOTATE_HAPPENS_AFTER(obj) /* empty */
- #define ANNOTATE_PUBLISH_MEMORY_RANGE(address, size) /* empty */
- #define ANNOTATE_UNPUBLISH_MEMORY_RANGE(address, size) /* empty */
- #define ANNOTATE_SWAP_MEMORY_RANGE(address, size) /* empty */
- #define ANNOTATE_PCQ_CREATE(pcq) /* empty */
- #define ANNOTATE_PCQ_DESTROY(pcq) /* empty */
- #define ANNOTATE_PCQ_PUT(pcq) /* empty */
- #define ANNOTATE_PCQ_GET(pcq) /* empty */
- #define ANNOTATE_NEW_MEMORY(address, size) /* empty */
- #define ANNOTATE_EXPECT_RACE(address, description) /* empty */
- #define ANNOTATE_FLUSH_EXPECTED_RACES(address, description) /* empty */
- #define ANNOTATE_BENIGN_RACE(address, description) /* empty */
- #define ANNOTATE_BENIGN_RACE_SIZED(address, size, description) /* empty */
- #define ANNOTATE_PURE_HAPPENS_BEFORE_MUTEX(mu) /* empty */
- #define ANNOTATE_MUTEX_IS_USED_AS_CONDVAR(mu) /* empty */
- #define ANNOTATE_TRACE_MEMORY(arg) /* empty */
- #define ANNOTATE_THREAD_NAME(name) /* empty */
- #define ANNOTATE_IGNORE_READS_BEGIN() /* empty */
- #define ANNOTATE_IGNORE_READS_END() /* empty */
- #define ANNOTATE_IGNORE_WRITES_BEGIN() /* empty */
- #define ANNOTATE_IGNORE_WRITES_END() /* empty */
- #define ANNOTATE_IGNORE_READS_AND_WRITES_BEGIN() /* empty */
- #define ANNOTATE_IGNORE_READS_AND_WRITES_END() /* empty */
- #define ANNOTATE_IGNORE_SYNC_BEGIN() /* empty */
- #define ANNOTATE_IGNORE_SYNC_END() /* empty */
- #define ANNOTATE_ENABLE_RACE_DETECTION(enable) /* empty */
- #define ANNOTATE_NO_OP(arg) /* empty */
- #define ANNOTATE_FLUSH_STATE() /* empty */
-
-#endif /* DYNAMIC_ANNOTATIONS_ENABLED */
-
-/* Use the macros above rather than using these functions directly. */
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateRWLockCreate)(
- const char *file, int line,
- const volatile void *lock) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateRWLockDestroy)(
- const char *file, int line,
- const volatile void *lock) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateRWLockAcquired)(
- const char *file, int line,
- const volatile void *lock, long is_w) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateRWLockReleased)(
- const char *file, int line,
- const volatile void *lock, long is_w) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateBarrierInit)(
- const char *file, int line, const volatile void *barrier, long count,
- long reinitialization_allowed) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateBarrierWaitBefore)(
- const char *file, int line,
- const volatile void *barrier) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateBarrierWaitAfter)(
- const char *file, int line,
- const volatile void *barrier) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateBarrierDestroy)(
- const char *file, int line,
- const volatile void *barrier) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateCondVarWait)(
- const char *file, int line, const volatile void *cv,
- const volatile void *lock) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateCondVarSignal)(
- const char *file, int line,
- const volatile void *cv) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateCondVarSignalAll)(
- const char *file, int line,
- const volatile void *cv) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateHappensBefore)(
- const char *file, int line,
- const volatile void *obj) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateHappensAfter)(
- const char *file, int line,
- const volatile void *obj) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotatePublishMemoryRange)(
- const char *file, int line,
- const volatile void *address, long size) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateUnpublishMemoryRange)(
- const char *file, int line,
- const volatile void *address, long size) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotatePCQCreate)(
- const char *file, int line,
- const volatile void *pcq) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotatePCQDestroy)(
- const char *file, int line,
- const volatile void *pcq) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotatePCQPut)(
- const char *file, int line,
- const volatile void *pcq) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotatePCQGet)(
- const char *file, int line,
- const volatile void *pcq) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateNewMemory)(
- const char *file, int line,
- const volatile void *mem, long size) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateExpectRace)(
- const char *file, int line, const volatile void *mem,
- const char *description) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateFlushExpectedRaces)(
- const char *file, int line) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateBenignRace)(
- const char *file, int line, const volatile void *mem,
- const char *description) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateBenignRaceSized)(
- const char *file, int line, const volatile void *mem, long size,
- const char *description) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateMutexIsUsedAsCondVar)(
- const char *file, int line,
- const volatile void *mu) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateMutexIsNotPHB)(
- const char *file, int line,
- const volatile void *mu) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateTraceMemory)(
- const char *file, int line,
- const volatile void *arg) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateThreadName)(
- const char *file, int line,
- const char *name) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreReadsBegin)(
- const char *file, int line) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreReadsEnd)(
- const char *file, int line) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreWritesBegin)(
- const char *file, int line) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreWritesEnd)(
- const char *file, int line) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreSyncBegin)(
- const char *file, int line) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateIgnoreSyncEnd)(
- const char *file, int line) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateEnableRaceDetection)(
- const char *file, int line, int enable) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateNoOp)(
- const char *file, int line,
- const volatile void *arg) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-void DYNAMIC_ANNOTATIONS_NAME(AnnotateFlushState)(
- const char *file, int line) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-
-#if DYNAMIC_ANNOTATIONS_PROVIDE_RUNNING_ON_VALGRIND == 1
-/* Return non-zero value if running under valgrind.
-
- If "valgrind.h" is included into dynamic_annotations.c,
- the regular valgrind mechanism will be used.
- See http://valgrind.org/docs/manual/manual-core-adv.html about
- RUNNING_ON_VALGRIND and other valgrind "client requests".
- The file "valgrind.h" may be obtained by doing
- svn co svn://svn.valgrind.org/valgrind/trunk/include
-
- If for some reason you can't use "valgrind.h" or want to fake valgrind,
- there are two ways to make this function return non-zero:
- - Use environment variable: export RUNNING_ON_VALGRIND=1
- - Make your tool intercept the function RunningOnValgrind() and
- change its return value.
- */
-int RunningOnValgrind(void) DYNAMIC_ANNOTATIONS_ATTRIBUTE_WEAK;
-#endif /* DYNAMIC_ANNOTATIONS_PROVIDE_RUNNING_ON_VALGRIND == 1 */
-
-#ifdef __cplusplus
-}
-#endif
-
-#if DYNAMIC_ANNOTATIONS_ENABLED != 0 && defined(__cplusplus)
-
- /* ANNOTATE_UNPROTECTED_READ is the preferred way to annotate racey reads.
-
- Instead of doing
- ANNOTATE_IGNORE_READS_BEGIN();
- ... = x;
- ANNOTATE_IGNORE_READS_END();
- one can use
- ... = ANNOTATE_UNPROTECTED_READ(x); */
- template <class T>
- inline T ANNOTATE_UNPROTECTED_READ(const volatile T &x) {
- ANNOTATE_IGNORE_READS_BEGIN();
- T res = x;
- ANNOTATE_IGNORE_READS_END();
- return res;
- }
- /* Apply ANNOTATE_BENIGN_RACE_SIZED to a static variable. */
- #define ANNOTATE_BENIGN_RACE_STATIC(static_var, description) \
- namespace { \
- class static_var ## _annotator { \
- public: \
- static_var ## _annotator() { \
- ANNOTATE_BENIGN_RACE_SIZED(&static_var, \
- sizeof(static_var), \
- # static_var ": " description); \
- } \
- }; \
- static static_var ## _annotator the ## static_var ## _annotator;\
- }
-#else /* DYNAMIC_ANNOTATIONS_ENABLED == 0 */
-
- #define ANNOTATE_UNPROTECTED_READ(x) (x)
- #define ANNOTATE_BENIGN_RACE_STATIC(static_var, description) /* empty */
-
-#endif /* DYNAMIC_ANNOTATIONS_ENABLED */
-
-#endif /* __DYNAMIC_ANNOTATIONS_H__ */
diff --git a/security/sandbox/chromium/base/third_party/icu/LICENSE b/security/sandbox/chromium/base/third_party/icu/LICENSE
deleted file mode 100644
index 40282f494..000000000
--- a/security/sandbox/chromium/base/third_party/icu/LICENSE
+++ /dev/null
@@ -1,32 +0,0 @@
-ICU License - ICU 1.8.1 and later
-
-COPYRIGHT AND PERMISSION NOTICE
-
-Copyright (c) 1995-2009 International Business Machines Corporation and others
-
-All rights reserved.
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, and/or sell copies of the Software, and to permit persons
-to whom the Software is furnished to do so, provided that the above
-copyright notice(s) and this permission notice appear in all copies of
-the Software and that both the above copyright notice(s) and this
-permission notice appear in supporting documentation.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
-OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
-HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM, OR ANY
-SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES WHATSOEVER
-RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF
-CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-Except as contained in this notice, the name of a copyright holder
-shall not be used in advertising or otherwise to promote the sale, use
-or other dealings in this Software without prior written authorization
-of the copyright holder.
diff --git a/security/sandbox/chromium/base/third_party/icu/icu_utf.cc b/security/sandbox/chromium/base/third_party/icu/icu_utf.cc
deleted file mode 100644
index 2b67c5d9c..000000000
--- a/security/sandbox/chromium/base/third_party/icu/icu_utf.cc
+++ /dev/null
@@ -1,227 +0,0 @@
-/*
-******************************************************************************
-*
-* Copyright (C) 1999-2006, International Business Machines
-* Corporation and others. All Rights Reserved.
-*
-******************************************************************************
-* file name: utf_impl.c
-* encoding: US-ASCII
-* tab size: 8 (not used)
-* indentation:4
-*
-* created on: 1999sep13
-* created by: Markus W. Scherer
-*
-* This file provides implementation functions for macros in the utfXX.h
-* that would otherwise be too long as macros.
-*/
-
-#include "base/third_party/icu/icu_utf.h"
-
-namespace base_icu {
-
-/**
- * UTF8_ERROR_VALUE_1 and UTF8_ERROR_VALUE_2 are special error values for UTF-8,
- * which need 1 or 2 bytes in UTF-8:
- * \code
- * U+0015 = NAK = Negative Acknowledge, C0 control character
- * U+009f = highest C1 control character
- * \endcode
- *
- * These are used by UTF8_..._SAFE macros so that they can return an error value
- * that needs the same number of code units (bytes) as were seen by
- * a macro. They should be tested with UTF_IS_ERROR() or UTF_IS_VALID().
- *
- * @deprecated ICU 2.4. Obsolete, see utf_old.h.
- */
-#define CBUTF8_ERROR_VALUE_1 0x15
-
-/**
- * See documentation on UTF8_ERROR_VALUE_1 for details.
- *
- * @deprecated ICU 2.4. Obsolete, see utf_old.h.
- */
-#define CBUTF8_ERROR_VALUE_2 0x9f
-
-
-/**
- * Error value for all UTFs. This code point value will be set by macros with e>
- * checking if an error is detected.
- *
- * @deprecated ICU 2.4. Obsolete, see utf_old.h.
- */
-#define CBUTF_ERROR_VALUE 0xffff
-
-/*
- * This table could be replaced on many machines by
- * a few lines of assembler code using an
- * "index of first 0-bit from msb" instruction and
- * one or two more integer instructions.
- *
- * For example, on an i386, do something like
- * - MOV AL, leadByte
- * - NOT AL (8-bit, leave b15..b8==0..0, reverse only b7..b0)
- * - MOV AH, 0
- * - BSR BX, AX (16-bit)
- * - MOV AX, 6 (result)
- * - JZ finish (ZF==1 if leadByte==0xff)
- * - SUB AX, BX (result)
- * -finish:
- * (BSR: Bit Scan Reverse, scans for a 1-bit, starting from the MSB)
- *
- * In Unicode, all UTF-8 byte sequences with more than 4 bytes are illegal;
- * lead bytes above 0xf4 are illegal.
- * We keep them in this table for skipping long ISO 10646-UTF-8 sequences.
- */
-const uint8_t utf8_countTrailBytes[256] =
- {
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
-
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
-
- 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, 3, 3, 3,
- 3, 3, /* illegal in Unicode */
- 4, 4, 4, 4, /* illegal in Unicode */
- 5, 5, /* illegal in Unicode */
- 0, 0 /* illegal bytes 0xfe and 0xff */
-};
-
-static const UChar32
-utf8_minLegal[4]={ 0, 0x80, 0x800, 0x10000 };
-
-static const UChar32
-utf8_errorValue[6]={
- CBUTF8_ERROR_VALUE_1, CBUTF8_ERROR_VALUE_2, CBUTF_ERROR_VALUE, 0x10ffff,
- 0x3ffffff, 0x7fffffff
-};
-
-/*
- * Handle the non-inline part of the U8_NEXT() macro and its obsolete sibling
- * UTF8_NEXT_CHAR_SAFE().
- *
- * The "strict" parameter controls the error behavior:
- * <0 "Safe" behavior of U8_NEXT(): All illegal byte sequences yield a negative
- * code point result.
- * 0 Obsolete "safe" behavior of UTF8_NEXT_CHAR_SAFE(..., FALSE):
- * All illegal byte sequences yield a positive code point such that this
- * result code point would be encoded with the same number of bytes as
- * the illegal sequence.
- * >0 Obsolete "strict" behavior of UTF8_NEXT_CHAR_SAFE(..., TRUE):
- * Same as the obsolete "safe" behavior, but non-characters are also treated
- * like illegal sequences.
- *
- * The special negative (<0) value -2 is used for lenient treatment of surrogate
- * code points as legal. Some implementations use this for roundtripping of
- * Unicode 16-bit strings that are not well-formed UTF-16, that is, they
- * contain unpaired surrogates.
- *
- * Note that a UBool is the same as an int8_t.
- */
-UChar32 utf8_nextCharSafeBody(const uint8_t* s,
- int32_t* pi,
- int32_t length,
- UChar32 c,
- UBool strict) {
- int32_t i = *pi;
- uint8_t count = CBU8_COUNT_TRAIL_BYTES(c);
- if((i)+count<=(length)) {
- uint8_t trail, illegal = 0;
-
- CBU8_MASK_LEAD_BYTE((c), count);
- /* count==0 for illegally leading trail bytes and the illegal bytes 0xfe and 0xff */
- switch(count) {
- /* each branch falls through to the next one */
- case 5:
- case 4:
- /* count>=4 is always illegal: no more than 3 trail bytes in Unicode's UTF-8 */
- illegal=1;
- break;
- case 3:
- trail=s[(i)++];
- (c)=((c)<<6)|(trail&0x3f);
- if(c<0x110) {
- illegal|=(trail&0xc0)^0x80;
- } else {
- /* code point>0x10ffff, outside Unicode */
- illegal=1;
- break;
- }
- case 2:
- trail=s[(i)++];
- (c)=((c)<<6)|(trail&0x3f);
- illegal|=(trail&0xc0)^0x80;
- case 1:
- trail=s[(i)++];
- (c)=((c)<<6)|(trail&0x3f);
- illegal|=(trail&0xc0)^0x80;
- break;
- case 0:
- if(strict>=0) {
- return CBUTF8_ERROR_VALUE_1;
- } else {
- return CBU_SENTINEL;
- }
- /* no default branch to optimize switch() - all values are covered */
- }
-
- /*
- * All the error handling should return a value
- * that needs count bytes so that UTF8_GET_CHAR_SAFE() works right.
- *
- * Starting with Unicode 3.0.1, non-shortest forms are illegal.
- * Starting with Unicode 3.2, surrogate code points must not be
- * encoded in UTF-8, and there are no irregular sequences any more.
- *
- * U8_ macros (new in ICU 2.4) return negative values for error conditions.
- */
-
- /* correct sequence - all trail bytes have (b7..b6)==(10)? */
- /* illegal is also set if count>=4 */
- if(illegal || (c)<utf8_minLegal[count] || (CBU_IS_SURROGATE(c) && strict!=-2)) {
- /* error handling */
- uint8_t errorCount = count;
- /* don't go beyond this sequence */
- i=*pi;
- while(count>0 && CBU8_IS_TRAIL(s[i])) {
- ++(i);
- --count;
- }
- if(strict>=0) {
- c=utf8_errorValue[errorCount-count];
- } else {
- c=CBU_SENTINEL;
- }
- } else if((strict)>0 && CBU_IS_UNICODE_NONCHAR(c)) {
- /* strict: forbid non-characters like U+fffe */
- c=utf8_errorValue[count];
- }
- } else /* too few bytes left */ {
- /* error handling */
- int32_t i0 = i;
- /* don't just set (i)=(length) in case there is an illegal sequence */
- while((i)<(length) && CBU8_IS_TRAIL(s[i])) {
- ++(i);
- }
- if(strict>=0) {
- c=utf8_errorValue[i-i0];
- } else {
- c=CBU_SENTINEL;
- }
- }
- *pi=i;
- return c;
-}
-
-} // namespace base_icu
diff --git a/security/sandbox/chromium/base/third_party/icu/icu_utf.h b/security/sandbox/chromium/base/third_party/icu/icu_utf.h
deleted file mode 100644
index 4370fdec1..000000000
--- a/security/sandbox/chromium/base/third_party/icu/icu_utf.h
+++ /dev/null
@@ -1,400 +0,0 @@
-/*
-*******************************************************************************
-*
-* Copyright (C) 1999-2004, International Business Machines
-* Corporation and others. All Rights Reserved.
-*
-*******************************************************************************
-* file name: utf.h
-* encoding: US-ASCII
-* tab size: 8 (not used)
-* indentation:4
-*
-* created on: 1999sep09
-* created by: Markus W. Scherer
-*/
-
-#ifndef BASE_THIRD_PARTY_ICU_ICU_UTF_H_
-#define BASE_THIRD_PARTY_ICU_ICU_UTF_H_
-
-#include <stdint.h>
-
-namespace base_icu {
-
-typedef int32_t UChar32;
-typedef uint16_t UChar;
-typedef int8_t UBool;
-
-// General ---------------------------------------------------------------------
-// from utf.h
-
-/**
- * This value is intended for sentinel values for APIs that
- * (take or) return single code points (UChar32).
- * It is outside of the Unicode code point range 0..0x10ffff.
- *
- * For example, a "done" or "error" value in a new API
- * could be indicated with CBU_SENTINEL.
- *
- * ICU APIs designed before ICU 2.4 usually define service-specific "done"
- * values, mostly 0xffff.
- * Those may need to be distinguished from
- * actual U+ffff text contents by calling functions like
- * CharacterIterator::hasNext() or UnicodeString::length().
- *
- * @return -1
- * @see UChar32
- * @stable ICU 2.4
- */
-#define CBU_SENTINEL (-1)
-
-/**
- * Is this code point a Unicode noncharacter?
- * @param c 32-bit code point
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU_IS_UNICODE_NONCHAR(c) \
- ((c) >= 0xfdd0 && ((uint32_t)(c) <= 0xfdef || ((c)&0xfffe) == 0xfffe) && \
- (uint32_t)(c) <= 0x10ffff)
-
-/**
- * Is c a Unicode code point value (0..U+10ffff)
- * that can be assigned a character?
- *
- * Code points that are not characters include:
- * - single surrogate code points (U+d800..U+dfff, 2048 code points)
- * - the last two code points on each plane (U+__fffe and U+__ffff, 34 code points)
- * - U+fdd0..U+fdef (new with Unicode 3.1, 32 code points)
- * - the highest Unicode code point value is U+10ffff
- *
- * This means that all code points below U+d800 are character code points,
- * and that boundary is tested first for performance.
- *
- * @param c 32-bit code point
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU_IS_UNICODE_CHAR(c) \
- ((uint32_t)(c) < 0xd800 || \
- ((uint32_t)(c) > 0xdfff && (uint32_t)(c) <= 0x10ffff && \
- !CBU_IS_UNICODE_NONCHAR(c)))
-
-/**
- * Is this code point a surrogate (U+d800..U+dfff)?
- * @param c 32-bit code point
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU_IS_SURROGATE(c) (((c)&0xfffff800)==0xd800)
-
-/**
- * Assuming c is a surrogate code point (U_IS_SURROGATE(c)),
- * is it a lead surrogate?
- * @param c 32-bit code point
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU_IS_SURROGATE_LEAD(c) (((c)&0x400)==0)
-
-
-// UTF-8 macros ----------------------------------------------------------------
-// from utf8.h
-
-extern const uint8_t utf8_countTrailBytes[256];
-
-/**
- * Count the trail bytes for a UTF-8 lead byte.
- * @internal
- */
-#define CBU8_COUNT_TRAIL_BYTES(leadByte) \
- (base_icu::utf8_countTrailBytes[(uint8_t)leadByte])
-
-/**
- * Mask a UTF-8 lead byte, leave only the lower bits that form part of the code point value.
- * @internal
- */
-#define CBU8_MASK_LEAD_BYTE(leadByte, countTrailBytes) ((leadByte)&=(1<<(6-(countTrailBytes)))-1)
-
-/**
- * Does this code unit (byte) encode a code point by itself (US-ASCII 0..0x7f)?
- * @param c 8-bit code unit (byte)
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU8_IS_SINGLE(c) (((c)&0x80)==0)
-
-/**
- * Is this code unit (byte) a UTF-8 lead byte?
- * @param c 8-bit code unit (byte)
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU8_IS_LEAD(c) ((uint8_t)((c)-0xc0) < 0x3e)
-
-/**
- * Is this code unit (byte) a UTF-8 trail byte?
- * @param c 8-bit code unit (byte)
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU8_IS_TRAIL(c) (((c)&0xc0)==0x80)
-
-/**
- * How many code units (bytes) are used for the UTF-8 encoding
- * of this Unicode code point?
- * @param c 32-bit code point
- * @return 1..4, or 0 if c is a surrogate or not a Unicode code point
- * @stable ICU 2.4
- */
-#define CBU8_LENGTH(c) \
- ((uint32_t)(c) <= 0x7f \
- ? 1 \
- : ((uint32_t)(c) <= 0x7ff \
- ? 2 \
- : ((uint32_t)(c) <= 0xd7ff \
- ? 3 \
- : ((uint32_t)(c) <= 0xdfff || (uint32_t)(c) > 0x10ffff \
- ? 0 \
- : ((uint32_t)(c) <= 0xffff ? 3 : 4)))))
-
-/**
- * The maximum number of UTF-8 code units (bytes) per Unicode code point (U+0000..U+10ffff).
- * @return 4
- * @stable ICU 2.4
- */
-#define CBU8_MAX_LENGTH 4
-
-/**
- * Function for handling "next code point" with error-checking.
- * @internal
- */
-UChar32 utf8_nextCharSafeBody(const uint8_t* s,
- int32_t* pi,
- int32_t length,
- UChar32 c,
- UBool strict);
-
-/**
- * Get a code point from a string at a code point boundary offset,
- * and advance the offset to the next code point boundary.
- * (Post-incrementing forward iteration.)
- * "Safe" macro, checks for illegal sequences and for string boundaries.
- *
- * The offset may point to the lead byte of a multi-byte sequence,
- * in which case the macro will read the whole sequence.
- * If the offset points to a trail byte or an illegal UTF-8 sequence, then
- * c is set to a negative value.
- *
- * @param s const uint8_t * string
- * @param i string offset, i<length
- * @param length string length
- * @param c output UChar32 variable, set to <0 in case of an error
- * @see CBU8_NEXT_UNSAFE
- * @stable ICU 2.4
- */
-#define CBU8_NEXT(s, i, length, c) \
- { \
- (c) = (s)[(i)++]; \
- if (((uint8_t)(c)) >= 0x80) { \
- if (CBU8_IS_LEAD(c)) { \
- (c) = base_icu::utf8_nextCharSafeBody((const uint8_t*)s, &(i), \
- (int32_t)(length), c, -1); \
- } else { \
- (c) = CBU_SENTINEL; \
- } \
- } \
- }
-
-/**
- * Append a code point to a string, overwriting 1 to 4 bytes.
- * The offset points to the current end of the string contents
- * and is advanced (post-increment).
- * "Unsafe" macro, assumes a valid code point and sufficient space in the
- * string.
- * Otherwise, the result is undefined.
- *
- * @param s const uint8_t * string buffer
- * @param i string offset
- * @param c code point to append
- * @see CBU8_APPEND
- * @stable ICU 2.4
- */
-#define CBU8_APPEND_UNSAFE(s, i, c) \
- { \
- if ((uint32_t)(c) <= 0x7f) { \
- (s)[(i)++] = (uint8_t)(c); \
- } else { \
- if ((uint32_t)(c) <= 0x7ff) { \
- (s)[(i)++] = (uint8_t)(((c) >> 6) | 0xc0); \
- } else { \
- if ((uint32_t)(c) <= 0xffff) { \
- (s)[(i)++] = (uint8_t)(((c) >> 12) | 0xe0); \
- } else { \
- (s)[(i)++] = (uint8_t)(((c) >> 18) | 0xf0); \
- (s)[(i)++] = (uint8_t)((((c) >> 12) & 0x3f) | 0x80); \
- } \
- (s)[(i)++] = (uint8_t)((((c) >> 6) & 0x3f) | 0x80); \
- } \
- (s)[(i)++] = (uint8_t)(((c)&0x3f) | 0x80); \
- } \
- }
-
-// UTF-16 macros ---------------------------------------------------------------
-// from utf16.h
-
-/**
- * Does this code unit alone encode a code point (BMP, not a surrogate)?
- * @param c 16-bit code unit
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU16_IS_SINGLE(c) !CBU_IS_SURROGATE(c)
-
-/**
- * Is this code unit a lead surrogate (U+d800..U+dbff)?
- * @param c 16-bit code unit
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU16_IS_LEAD(c) (((c)&0xfffffc00)==0xd800)
-
-/**
- * Is this code unit a trail surrogate (U+dc00..U+dfff)?
- * @param c 16-bit code unit
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU16_IS_TRAIL(c) (((c)&0xfffffc00)==0xdc00)
-
-/**
- * Is this code unit a surrogate (U+d800..U+dfff)?
- * @param c 16-bit code unit
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU16_IS_SURROGATE(c) CBU_IS_SURROGATE(c)
-
-/**
- * Assuming c is a surrogate code point (U16_IS_SURROGATE(c)),
- * is it a lead surrogate?
- * @param c 16-bit code unit
- * @return TRUE or FALSE
- * @stable ICU 2.4
- */
-#define CBU16_IS_SURROGATE_LEAD(c) (((c)&0x400)==0)
-
-/**
- * Helper constant for CBU16_GET_SUPPLEMENTARY.
- * @internal
- */
-#define CBU16_SURROGATE_OFFSET ((0xd800<<10UL)+0xdc00-0x10000)
-
-/**
- * Get a supplementary code point value (U+10000..U+10ffff)
- * from its lead and trail surrogates.
- * The result is undefined if the input values are not
- * lead and trail surrogates.
- *
- * @param lead lead surrogate (U+d800..U+dbff)
- * @param trail trail surrogate (U+dc00..U+dfff)
- * @return supplementary code point (U+10000..U+10ffff)
- * @stable ICU 2.4
- */
-#define CBU16_GET_SUPPLEMENTARY(lead, trail) \
- (((base_icu::UChar32)(lead)<<10UL)+(base_icu::UChar32)(trail)-CBU16_SURROGATE_OFFSET)
-
-
-/**
- * Get the lead surrogate (0xd800..0xdbff) for a
- * supplementary code point (0x10000..0x10ffff).
- * @param supplementary 32-bit code point (U+10000..U+10ffff)
- * @return lead surrogate (U+d800..U+dbff) for supplementary
- * @stable ICU 2.4
- */
-#define CBU16_LEAD(supplementary) \
- (base_icu::UChar)(((supplementary)>>10)+0xd7c0)
-
-/**
- * Get the trail surrogate (0xdc00..0xdfff) for a
- * supplementary code point (0x10000..0x10ffff).
- * @param supplementary 32-bit code point (U+10000..U+10ffff)
- * @return trail surrogate (U+dc00..U+dfff) for supplementary
- * @stable ICU 2.4
- */
-#define CBU16_TRAIL(supplementary) \
- (base_icu::UChar)(((supplementary)&0x3ff)|0xdc00)
-
-/**
- * How many 16-bit code units are used to encode this Unicode code point? (1 or 2)
- * The result is not defined if c is not a Unicode code point (U+0000..U+10ffff).
- * @param c 32-bit code point
- * @return 1 or 2
- * @stable ICU 2.4
- */
-#define CBU16_LENGTH(c) ((uint32_t)(c) <= 0xffff ? 1 : 2)
-
-/**
- * The maximum number of 16-bit code units per Unicode code point (U+0000..U+10ffff).
- * @return 2
- * @stable ICU 2.4
- */
-#define CBU16_MAX_LENGTH 2
-
-/**
- * Get a code point from a string at a code point boundary offset,
- * and advance the offset to the next code point boundary.
- * (Post-incrementing forward iteration.)
- * "Safe" macro, handles unpaired surrogates and checks for string boundaries.
- *
- * The offset may point to the lead surrogate unit
- * for a supplementary code point, in which case the macro will read
- * the following trail surrogate as well.
- * If the offset points to a trail surrogate or
- * to a single, unpaired lead surrogate, then that itself
- * will be returned as the code point.
- *
- * @param s const UChar * string
- * @param i string offset, i<length
- * @param length string length
- * @param c output UChar32 variable
- * @stable ICU 2.4
- */
-#define CBU16_NEXT(s, i, length, c) \
- { \
- (c) = (s)[(i)++]; \
- if (CBU16_IS_LEAD(c)) { \
- uint16_t __c2; \
- if ((i) < (length) && CBU16_IS_TRAIL(__c2 = (s)[(i)])) { \
- ++(i); \
- (c) = CBU16_GET_SUPPLEMENTARY((c), __c2); \
- } \
- } \
- }
-
-/**
- * Append a code point to a string, overwriting 1 or 2 code units.
- * The offset points to the current end of the string contents
- * and is advanced (post-increment).
- * "Unsafe" macro, assumes a valid code point and sufficient space in the string.
- * Otherwise, the result is undefined.
- *
- * @param s const UChar * string buffer
- * @param i string offset
- * @param c code point to append
- * @see CBU16_APPEND
- * @stable ICU 2.4
- */
-#define CBU16_APPEND_UNSAFE(s, i, c) \
- { \
- if ((uint32_t)(c) <= 0xffff) { \
- (s)[(i)++] = (uint16_t)(c); \
- } else { \
- (s)[(i)++] = (uint16_t)(((c) >> 10) + 0xd7c0); \
- (s)[(i)++] = (uint16_t)(((c)&0x3ff) | 0xdc00); \
- } \
- }
-
-} // namesapce base_icu
-
-#endif // BASE_THIRD_PARTY_ICU_ICU_UTF_H_
diff --git a/security/sandbox/chromium/base/third_party/superfasthash/LICENSE b/security/sandbox/chromium/base/third_party/superfasthash/LICENSE
deleted file mode 100644
index 3c40a3ecd..000000000
--- a/security/sandbox/chromium/base/third_party/superfasthash/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-Paul Hsieh OLD BSD license
-
-Copyright (c) 2010, Paul Hsieh
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
-* Redistributions in binary form must reproduce the above copyright notice, this
- list of conditions and the following disclaimer in the documentation and/or
- other materials provided with the distribution.
-* Neither my name, Paul Hsieh, nor the names of any other contributors to the
- code use may not be used to endorse or promote products derived from this
- software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/security/sandbox/chromium/base/third_party/superfasthash/README.chromium b/security/sandbox/chromium/base/third_party/superfasthash/README.chromium
deleted file mode 100644
index d41ed7724..000000000
--- a/security/sandbox/chromium/base/third_party/superfasthash/README.chromium
+++ /dev/null
@@ -1,29 +0,0 @@
-Name: Paul Hsieh's SuperFastHash
-Short Name: SuperFastHash
-URL: http://www.azillionmonkeys.com/qed/hash.html
-Version: 0
-Date: 2012-02-21
-License: BSD
-License File: LICENSE
-Security Critical: yes
-
-Description:
-A fast string hashing algorithm.
-
-Local Modifications:
-- Added LICENSE.
-- Added license text as a comment to the top of superfasthash.c.
-- #include <stdint.h> instead of "pstdint.h".
-- #include <stdlib.h>.
-
-The license is a standard 3-clause BSD license with the following minor changes:
-
-"nor the names of its contributors may be used"
-is replaced with:
-"nor the names of any other contributors to the code use may not be used"
-
-and
-
-"IN NO EVENT SHALL <COPYRIGHT HOLDER> BE LIABLE"
-is replaced with:
-"IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE"
diff --git a/security/sandbox/chromium/base/third_party/superfasthash/superfasthash.c b/security/sandbox/chromium/base/third_party/superfasthash/superfasthash.c
deleted file mode 100644
index 6e7687e13..000000000
--- a/security/sandbox/chromium/base/third_party/superfasthash/superfasthash.c
+++ /dev/null
@@ -1,84 +0,0 @@
-// Copyright (c) 2010, Paul Hsieh
-// All rights reserved.
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are met:
-//
-// * Redistributions of source code must retain the above copyright notice, this
-// list of conditions and the following disclaimer.
-// * Redistributions in binary form must reproduce the above copyright notice,
-// this list of conditions and the following disclaimer in the documentation
-// and/or other materials provided with the distribution.
-// * Neither my name, Paul Hsieh, nor the names of any other contributors to the
-// code use may not be used to endorse or promote products derived from this
-// software without specific prior written permission.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
-// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
-// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-// POSSIBILITY OF SUCH DAMAGE.
-
-#include <stdint.h>
-#include <stdlib.h>
-#undef get16bits
-#if (defined(__GNUC__) && defined(__i386__)) || defined(__WATCOMC__) \
- || defined(_MSC_VER) || defined (__BORLANDC__) || defined (__TURBOC__)
-#define get16bits(d) (*((const uint16_t *) (d)))
-#endif
-
-#if !defined (get16bits)
-#define get16bits(d) ((((uint32_t)(((const uint8_t *)(d))[1])) << 8)\
- +(uint32_t)(((const uint8_t *)(d))[0]) )
-#endif
-
-uint32_t SuperFastHash (const char * data, int len) {
-uint32_t hash = len, tmp;
-int rem;
-
- if (len <= 0 || data == NULL) return 0;
-
- rem = len & 3;
- len >>= 2;
-
- /* Main loop */
- for (;len > 0; len--) {
- hash += get16bits (data);
- tmp = (get16bits (data+2) << 11) ^ hash;
- hash = (hash << 16) ^ tmp;
- data += 2*sizeof (uint16_t);
- hash += hash >> 11;
- }
-
- /* Handle end cases */
- switch (rem) {
- case 3: hash += get16bits (data);
- hash ^= hash << 16;
- hash ^= ((signed char)data[sizeof (uint16_t)]) << 18;
- hash += hash >> 11;
- break;
- case 2: hash += get16bits (data);
- hash ^= hash << 11;
- hash += hash >> 17;
- break;
- case 1: hash += (signed char)*data;
- hash ^= hash << 10;
- hash += hash >> 1;
- }
-
- /* Force "avalanching" of final 127 bits */
- hash ^= hash << 3;
- hash += hash >> 5;
- hash ^= hash << 4;
- hash += hash >> 17;
- hash ^= hash << 25;
- hash += hash >> 6;
-
- return hash;
-}
diff --git a/security/sandbox/chromium/base/third_party/valgrind/LICENSE b/security/sandbox/chromium/base/third_party/valgrind/LICENSE
deleted file mode 100644
index 41f677bd1..000000000
--- a/security/sandbox/chromium/base/third_party/valgrind/LICENSE
+++ /dev/null
@@ -1,39 +0,0 @@
- Notice that the following BSD-style license applies to the Valgrind header
- files used by Chromium (valgrind.h and memcheck.h). However, the rest of
- Valgrind is licensed under the terms of the GNU General Public License,
- version 2, unless otherwise indicated.
-
- ----------------------------------------------------------------
-
- Copyright (C) 2000-2008 Julian Seward. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. The origin of this software must not be misrepresented; you must
- not claim that you wrote the original software. If you use this
- software in a product, an acknowledgment in the product
- documentation would be appreciated but is not required.
-
- 3. Altered source versions must be plainly marked as such, and must
- not be misrepresented as being the original software.
-
- 4. The name of the author may not be used to endorse or promote
- products derived from this software without specific prior written
- permission.
-
- THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
- OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
- GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/security/sandbox/chromium/base/third_party/valgrind/valgrind.h b/security/sandbox/chromium/base/third_party/valgrind/valgrind.h
deleted file mode 100644
index 0bae0aa13..000000000
--- a/security/sandbox/chromium/base/third_party/valgrind/valgrind.h
+++ /dev/null
@@ -1,4792 +0,0 @@
-/* -*- c -*-
- ----------------------------------------------------------------
-
- Notice that the following BSD-style license applies to this one
- file (valgrind.h) only. The rest of Valgrind is licensed under the
- terms of the GNU General Public License, version 2, unless
- otherwise indicated. See the COPYING file in the source
- distribution for details.
-
- ----------------------------------------------------------------
-
- This file is part of Valgrind, a dynamic binary instrumentation
- framework.
-
- Copyright (C) 2000-2010 Julian Seward. All rights reserved.
-
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
-
- 1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
- 2. The origin of this software must not be misrepresented; you must
- not claim that you wrote the original software. If you use this
- software in a product, an acknowledgment in the product
- documentation would be appreciated but is not required.
-
- 3. Altered source versions must be plainly marked as such, and must
- not be misrepresented as being the original software.
-
- 4. The name of the author may not be used to endorse or promote
- products derived from this software without specific prior written
- permission.
-
- THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
- OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
- GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
- ----------------------------------------------------------------
-
- Notice that the above BSD-style license applies to this one file
- (valgrind.h) only. The entire rest of Valgrind is licensed under
- the terms of the GNU General Public License, version 2. See the
- COPYING file in the source distribution for details.
-
- ----------------------------------------------------------------
-*/
-
-
-/* This file is for inclusion into client (your!) code.
-
- You can use these macros to manipulate and query Valgrind's
- execution inside your own programs.
-
- The resulting executables will still run without Valgrind, just a
- little bit more slowly than they otherwise would, but otherwise
- unchanged. When not running on valgrind, each client request
- consumes very few (eg. 7) instructions, so the resulting performance
- loss is negligible unless you plan to execute client requests
- millions of times per second. Nevertheless, if that is still a
- problem, you can compile with the NVALGRIND symbol defined (gcc
- -DNVALGRIND) so that client requests are not even compiled in. */
-
-#ifndef __VALGRIND_H
-#define __VALGRIND_H
-
-
-/* ------------------------------------------------------------------ */
-/* VERSION NUMBER OF VALGRIND */
-/* ------------------------------------------------------------------ */
-
-/* Specify Valgrind's version number, so that user code can
- conditionally compile based on our version number. Note that these
- were introduced at version 3.6 and so do not exist in version 3.5
- or earlier. The recommended way to use them to check for "version
- X.Y or later" is (eg)
-
-#if defined(__VALGRIND_MAJOR__) && defined(__VALGRIND_MINOR__) \
- && (__VALGRIND_MAJOR__ > 3 \
- || (__VALGRIND_MAJOR__ == 3 && __VALGRIND_MINOR__ >= 6))
-*/
-#define __VALGRIND_MAJOR__ 3
-#define __VALGRIND_MINOR__ 6
-
-
-#include <stdarg.h>
-
-/* Nb: this file might be included in a file compiled with -ansi. So
- we can't use C++ style "//" comments nor the "asm" keyword (instead
- use "__asm__"). */
-
-/* Derive some tags indicating what the target platform is. Note
- that in this file we're using the compiler's CPP symbols for
- identifying architectures, which are different to the ones we use
- within the rest of Valgrind. Note, __powerpc__ is active for both
- 32 and 64-bit PPC, whereas __powerpc64__ is only active for the
- latter (on Linux, that is).
-
- Misc note: how to find out what's predefined in gcc by default:
- gcc -Wp,-dM somefile.c
-*/
-#undef PLAT_ppc64_aix5
-#undef PLAT_ppc32_aix5
-#undef PLAT_x86_darwin
-#undef PLAT_amd64_darwin
-#undef PLAT_x86_win32
-#undef PLAT_x86_linux
-#undef PLAT_amd64_linux
-#undef PLAT_ppc32_linux
-#undef PLAT_ppc64_linux
-#undef PLAT_arm_linux
-
-#if defined(_AIX) && defined(__64BIT__)
-# define PLAT_ppc64_aix5 1
-#elif defined(_AIX) && !defined(__64BIT__)
-# define PLAT_ppc32_aix5 1
-#elif defined(__APPLE__) && defined(__i386__)
-# define PLAT_x86_darwin 1
-#elif defined(__APPLE__) && defined(__x86_64__)
-# define PLAT_amd64_darwin 1
-#elif defined(__MINGW32__) || defined(__CYGWIN32__) || defined(_WIN32) && defined(_M_IX86)
-# define PLAT_x86_win32 1
-#elif defined(__linux__) && defined(__i386__)
-# define PLAT_x86_linux 1
-#elif defined(__linux__) && defined(__x86_64__)
-# define PLAT_amd64_linux 1
-#elif defined(__linux__) && defined(__powerpc__) && !defined(__powerpc64__)
-# define PLAT_ppc32_linux 1
-#elif defined(__linux__) && defined(__powerpc__) && defined(__powerpc64__)
-# define PLAT_ppc64_linux 1
-#elif defined(__linux__) && defined(__arm__)
-# define PLAT_arm_linux 1
-#else
-/* If we're not compiling for our target platform, don't generate
- any inline asms. */
-# if !defined(NVALGRIND)
-# define NVALGRIND 1
-# endif
-#endif
-
-
-/* ------------------------------------------------------------------ */
-/* ARCHITECTURE SPECIFICS for SPECIAL INSTRUCTIONS. There is nothing */
-/* in here of use to end-users -- skip to the next section. */
-/* ------------------------------------------------------------------ */
-
-#if defined(NVALGRIND)
-
-/* Define NVALGRIND to completely remove the Valgrind magic sequence
- from the compiled code (analogous to NDEBUG's effects on
- assert()) */
-#define VALGRIND_DO_CLIENT_REQUEST( \
- _zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- { \
- (_zzq_rlval) = (_zzq_default); \
- }
-
-#else /* ! NVALGRIND */
-
-/* The following defines the magic code sequences which the JITter
- spots and handles magically. Don't look too closely at them as
- they will rot your brain.
-
- The assembly code sequences for all architectures is in this one
- file. This is because this file must be stand-alone, and we don't
- want to have multiple files.
-
- For VALGRIND_DO_CLIENT_REQUEST, we must ensure that the default
- value gets put in the return slot, so that everything works when
- this is executed not under Valgrind. Args are passed in a memory
- block, and so there's no intrinsic limit to the number that could
- be passed, but it's currently five.
-
- The macro args are:
- _zzq_rlval result lvalue
- _zzq_default default value (result returned when running on real CPU)
- _zzq_request request code
- _zzq_arg1..5 request params
-
- The other two macros are used to support function wrapping, and are
- a lot simpler. VALGRIND_GET_NR_CONTEXT returns the value of the
- guest's NRADDR pseudo-register and whatever other information is
- needed to safely run the call original from the wrapper: on
- ppc64-linux, the R2 value at the divert point is also needed. This
- information is abstracted into a user-visible type, OrigFn.
-
- VALGRIND_CALL_NOREDIR_* behaves the same as the following on the
- guest, but guarantees that the branch instruction will not be
- redirected: x86: call *%eax, amd64: call *%rax, ppc32/ppc64:
- branch-and-link-to-r11. VALGRIND_CALL_NOREDIR is just text, not a
- complete inline asm, since it needs to be combined with more magic
- inline asm stuff to be useful.
-*/
-
-/* ------------------------- x86-{linux,darwin} ---------------- */
-
-#if defined(PLAT_x86_linux) || defined(PLAT_x86_darwin) \
- || (defined(PLAT_x86_win32) && defined(__GNUC__))
-
-typedef
- struct {
- unsigned int nraddr; /* where's the code? */
- }
- OrigFn;
-
-#define __SPECIAL_INSTRUCTION_PREAMBLE \
- "roll $3, %%edi ; roll $13, %%edi\n\t" \
- "roll $29, %%edi ; roll $19, %%edi\n\t"
-
-#define VALGRIND_DO_CLIENT_REQUEST( \
- _zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- { volatile unsigned int _zzq_args[6]; \
- volatile unsigned int _zzq_result; \
- _zzq_args[0] = (unsigned int)(_zzq_request); \
- _zzq_args[1] = (unsigned int)(_zzq_arg1); \
- _zzq_args[2] = (unsigned int)(_zzq_arg2); \
- _zzq_args[3] = (unsigned int)(_zzq_arg3); \
- _zzq_args[4] = (unsigned int)(_zzq_arg4); \
- _zzq_args[5] = (unsigned int)(_zzq_arg5); \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %EDX = client_request ( %EAX ) */ \
- "xchgl %%ebx,%%ebx" \
- : "=d" (_zzq_result) \
- : "a" (&_zzq_args[0]), "0" (_zzq_default) \
- : "cc", "memory" \
- ); \
- _zzq_rlval = _zzq_result; \
- }
-
-#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \
- { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \
- volatile unsigned int __addr; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %EAX = guest_NRADDR */ \
- "xchgl %%ecx,%%ecx" \
- : "=a" (__addr) \
- : \
- : "cc", "memory" \
- ); \
- _zzq_orig->nraddr = __addr; \
- }
-
-#define VALGRIND_CALL_NOREDIR_EAX \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* call-noredir *%EAX */ \
- "xchgl %%edx,%%edx\n\t"
-#endif /* PLAT_x86_linux || PLAT_x86_darwin || (PLAT_x86_win32 && __GNUC__) */
-
-/* ------------------------- x86-Win32 ------------------------- */
-
-#if defined(PLAT_x86_win32) && !defined(__GNUC__)
-
-typedef
- struct {
- unsigned int nraddr; /* where's the code? */
- }
- OrigFn;
-
-#if defined(_MSC_VER)
-
-#define __SPECIAL_INSTRUCTION_PREAMBLE \
- __asm rol edi, 3 __asm rol edi, 13 \
- __asm rol edi, 29 __asm rol edi, 19
-
-#define VALGRIND_DO_CLIENT_REQUEST( \
- _zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- { volatile uintptr_t _zzq_args[6]; \
- volatile unsigned int _zzq_result; \
- _zzq_args[0] = (uintptr_t)(_zzq_request); \
- _zzq_args[1] = (uintptr_t)(_zzq_arg1); \
- _zzq_args[2] = (uintptr_t)(_zzq_arg2); \
- _zzq_args[3] = (uintptr_t)(_zzq_arg3); \
- _zzq_args[4] = (uintptr_t)(_zzq_arg4); \
- _zzq_args[5] = (uintptr_t)(_zzq_arg5); \
- __asm { __asm lea eax, _zzq_args __asm mov edx, _zzq_default \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* %EDX = client_request ( %EAX ) */ \
- __asm xchg ebx,ebx \
- __asm mov _zzq_result, edx \
- } \
- _zzq_rlval = _zzq_result; \
- }
-
-#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \
- { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \
- volatile unsigned int __addr; \
- __asm { __SPECIAL_INSTRUCTION_PREAMBLE \
- /* %EAX = guest_NRADDR */ \
- __asm xchg ecx,ecx \
- __asm mov __addr, eax \
- } \
- _zzq_orig->nraddr = __addr; \
- }
-
-#define VALGRIND_CALL_NOREDIR_EAX ERROR
-
-#else
-#error Unsupported compiler.
-#endif
-
-#endif /* PLAT_x86_win32 */
-
-/* ------------------------ amd64-{linux,darwin} --------------- */
-
-#if defined(PLAT_amd64_linux) || defined(PLAT_amd64_darwin)
-
-typedef
- struct {
- unsigned long long int nraddr; /* where's the code? */
- }
- OrigFn;
-
-#define __SPECIAL_INSTRUCTION_PREAMBLE \
- "rolq $3, %%rdi ; rolq $13, %%rdi\n\t" \
- "rolq $61, %%rdi ; rolq $51, %%rdi\n\t"
-
-#define VALGRIND_DO_CLIENT_REQUEST( \
- _zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- { volatile unsigned long long int _zzq_args[6]; \
- volatile unsigned long long int _zzq_result; \
- _zzq_args[0] = (unsigned long long int)(_zzq_request); \
- _zzq_args[1] = (unsigned long long int)(_zzq_arg1); \
- _zzq_args[2] = (unsigned long long int)(_zzq_arg2); \
- _zzq_args[3] = (unsigned long long int)(_zzq_arg3); \
- _zzq_args[4] = (unsigned long long int)(_zzq_arg4); \
- _zzq_args[5] = (unsigned long long int)(_zzq_arg5); \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %RDX = client_request ( %RAX ) */ \
- "xchgq %%rbx,%%rbx" \
- : "=d" (_zzq_result) \
- : "a" (&_zzq_args[0]), "0" (_zzq_default) \
- : "cc", "memory" \
- ); \
- _zzq_rlval = _zzq_result; \
- }
-
-#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \
- { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \
- volatile unsigned long long int __addr; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %RAX = guest_NRADDR */ \
- "xchgq %%rcx,%%rcx" \
- : "=a" (__addr) \
- : \
- : "cc", "memory" \
- ); \
- _zzq_orig->nraddr = __addr; \
- }
-
-#define VALGRIND_CALL_NOREDIR_RAX \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* call-noredir *%RAX */ \
- "xchgq %%rdx,%%rdx\n\t"
-#endif /* PLAT_amd64_linux || PLAT_amd64_darwin */
-
-/* ------------------------ ppc32-linux ------------------------ */
-
-#if defined(PLAT_ppc32_linux)
-
-typedef
- struct {
- unsigned int nraddr; /* where's the code? */
- }
- OrigFn;
-
-#define __SPECIAL_INSTRUCTION_PREAMBLE \
- "rlwinm 0,0,3,0,0 ; rlwinm 0,0,13,0,0\n\t" \
- "rlwinm 0,0,29,0,0 ; rlwinm 0,0,19,0,0\n\t"
-
-#define VALGRIND_DO_CLIENT_REQUEST( \
- _zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- \
- { unsigned int _zzq_args[6]; \
- unsigned int _zzq_result; \
- unsigned int* _zzq_ptr; \
- _zzq_args[0] = (unsigned int)(_zzq_request); \
- _zzq_args[1] = (unsigned int)(_zzq_arg1); \
- _zzq_args[2] = (unsigned int)(_zzq_arg2); \
- _zzq_args[3] = (unsigned int)(_zzq_arg3); \
- _zzq_args[4] = (unsigned int)(_zzq_arg4); \
- _zzq_args[5] = (unsigned int)(_zzq_arg5); \
- _zzq_ptr = _zzq_args; \
- __asm__ volatile("mr 3,%1\n\t" /*default*/ \
- "mr 4,%2\n\t" /*ptr*/ \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = client_request ( %R4 ) */ \
- "or 1,1,1\n\t" \
- "mr %0,3" /*result*/ \
- : "=b" (_zzq_result) \
- : "b" (_zzq_default), "b" (_zzq_ptr) \
- : "cc", "memory", "r3", "r4"); \
- _zzq_rlval = _zzq_result; \
- }
-
-#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \
- { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \
- unsigned int __addr; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = guest_NRADDR */ \
- "or 2,2,2\n\t" \
- "mr %0,3" \
- : "=b" (__addr) \
- : \
- : "cc", "memory", "r3" \
- ); \
- _zzq_orig->nraddr = __addr; \
- }
-
-#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* branch-and-link-to-noredir *%R11 */ \
- "or 3,3,3\n\t"
-#endif /* PLAT_ppc32_linux */
-
-/* ------------------------ ppc64-linux ------------------------ */
-
-#if defined(PLAT_ppc64_linux)
-
-typedef
- struct {
- unsigned long long int nraddr; /* where's the code? */
- unsigned long long int r2; /* what tocptr do we need? */
- }
- OrigFn;
-
-#define __SPECIAL_INSTRUCTION_PREAMBLE \
- "rotldi 0,0,3 ; rotldi 0,0,13\n\t" \
- "rotldi 0,0,61 ; rotldi 0,0,51\n\t"
-
-#define VALGRIND_DO_CLIENT_REQUEST( \
- _zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- \
- { unsigned long long int _zzq_args[6]; \
- register unsigned long long int _zzq_result __asm__("r3"); \
- register unsigned long long int* _zzq_ptr __asm__("r4"); \
- _zzq_args[0] = (unsigned long long int)(_zzq_request); \
- _zzq_args[1] = (unsigned long long int)(_zzq_arg1); \
- _zzq_args[2] = (unsigned long long int)(_zzq_arg2); \
- _zzq_args[3] = (unsigned long long int)(_zzq_arg3); \
- _zzq_args[4] = (unsigned long long int)(_zzq_arg4); \
- _zzq_args[5] = (unsigned long long int)(_zzq_arg5); \
- _zzq_ptr = _zzq_args; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = client_request ( %R4 ) */ \
- "or 1,1,1" \
- : "=r" (_zzq_result) \
- : "0" (_zzq_default), "r" (_zzq_ptr) \
- : "cc", "memory"); \
- _zzq_rlval = _zzq_result; \
- }
-
-#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \
- { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \
- register unsigned long long int __addr __asm__("r3"); \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = guest_NRADDR */ \
- "or 2,2,2" \
- : "=r" (__addr) \
- : \
- : "cc", "memory" \
- ); \
- _zzq_orig->nraddr = __addr; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = guest_NRADDR_GPR2 */ \
- "or 4,4,4" \
- : "=r" (__addr) \
- : \
- : "cc", "memory" \
- ); \
- _zzq_orig->r2 = __addr; \
- }
-
-#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* branch-and-link-to-noredir *%R11 */ \
- "or 3,3,3\n\t"
-
-#endif /* PLAT_ppc64_linux */
-
-/* ------------------------- arm-linux ------------------------- */
-
-#if defined(PLAT_arm_linux)
-
-typedef
- struct {
- unsigned int nraddr; /* where's the code? */
- }
- OrigFn;
-
-#define __SPECIAL_INSTRUCTION_PREAMBLE \
- "mov r12, r12, ror #3 ; mov r12, r12, ror #13 \n\t" \
- "mov r12, r12, ror #29 ; mov r12, r12, ror #19 \n\t"
-
-#define VALGRIND_DO_CLIENT_REQUEST( \
- _zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- \
- { volatile unsigned int _zzq_args[6]; \
- volatile unsigned int _zzq_result; \
- _zzq_args[0] = (unsigned int)(_zzq_request); \
- _zzq_args[1] = (unsigned int)(_zzq_arg1); \
- _zzq_args[2] = (unsigned int)(_zzq_arg2); \
- _zzq_args[3] = (unsigned int)(_zzq_arg3); \
- _zzq_args[4] = (unsigned int)(_zzq_arg4); \
- _zzq_args[5] = (unsigned int)(_zzq_arg5); \
- __asm__ volatile("mov r3, %1\n\t" /*default*/ \
- "mov r4, %2\n\t" /*ptr*/ \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* R3 = client_request ( R4 ) */ \
- "orr r10, r10, r10\n\t" \
- "mov %0, r3" /*result*/ \
- : "=r" (_zzq_result) \
- : "r" (_zzq_default), "r" (&_zzq_args[0]) \
- : "cc","memory", "r3", "r4"); \
- _zzq_rlval = _zzq_result; \
- }
-
-#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \
- { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \
- unsigned int __addr; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* R3 = guest_NRADDR */ \
- "orr r11, r11, r11\n\t" \
- "mov %0, r3" \
- : "=r" (__addr) \
- : \
- : "cc", "memory", "r3" \
- ); \
- _zzq_orig->nraddr = __addr; \
- }
-
-#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* branch-and-link-to-noredir *%R4 */ \
- "orr r12, r12, r12\n\t"
-
-#endif /* PLAT_arm_linux */
-
-/* ------------------------ ppc32-aix5 ------------------------- */
-
-#if defined(PLAT_ppc32_aix5)
-
-typedef
- struct {
- unsigned int nraddr; /* where's the code? */
- unsigned int r2; /* what tocptr do we need? */
- }
- OrigFn;
-
-#define __SPECIAL_INSTRUCTION_PREAMBLE \
- "rlwinm 0,0,3,0,0 ; rlwinm 0,0,13,0,0\n\t" \
- "rlwinm 0,0,29,0,0 ; rlwinm 0,0,19,0,0\n\t"
-
-#define VALGRIND_DO_CLIENT_REQUEST( \
- _zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- \
- { unsigned int _zzq_args[7]; \
- register unsigned int _zzq_result; \
- register unsigned int* _zzq_ptr; \
- _zzq_args[0] = (unsigned int)(_zzq_request); \
- _zzq_args[1] = (unsigned int)(_zzq_arg1); \
- _zzq_args[2] = (unsigned int)(_zzq_arg2); \
- _zzq_args[3] = (unsigned int)(_zzq_arg3); \
- _zzq_args[4] = (unsigned int)(_zzq_arg4); \
- _zzq_args[5] = (unsigned int)(_zzq_arg5); \
- _zzq_args[6] = (unsigned int)(_zzq_default); \
- _zzq_ptr = _zzq_args; \
- __asm__ volatile("mr 4,%1\n\t" \
- "lwz 3, 24(4)\n\t" \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = client_request ( %R4 ) */ \
- "or 1,1,1\n\t" \
- "mr %0,3" \
- : "=b" (_zzq_result) \
- : "b" (_zzq_ptr) \
- : "r3", "r4", "cc", "memory"); \
- _zzq_rlval = _zzq_result; \
- }
-
-#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \
- { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \
- register unsigned int __addr; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = guest_NRADDR */ \
- "or 2,2,2\n\t" \
- "mr %0,3" \
- : "=b" (__addr) \
- : \
- : "r3", "cc", "memory" \
- ); \
- _zzq_orig->nraddr = __addr; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = guest_NRADDR_GPR2 */ \
- "or 4,4,4\n\t" \
- "mr %0,3" \
- : "=b" (__addr) \
- : \
- : "r3", "cc", "memory" \
- ); \
- _zzq_orig->r2 = __addr; \
- }
-
-#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* branch-and-link-to-noredir *%R11 */ \
- "or 3,3,3\n\t"
-
-#endif /* PLAT_ppc32_aix5 */
-
-/* ------------------------ ppc64-aix5 ------------------------- */
-
-#if defined(PLAT_ppc64_aix5)
-
-typedef
- struct {
- unsigned long long int nraddr; /* where's the code? */
- unsigned long long int r2; /* what tocptr do we need? */
- }
- OrigFn;
-
-#define __SPECIAL_INSTRUCTION_PREAMBLE \
- "rotldi 0,0,3 ; rotldi 0,0,13\n\t" \
- "rotldi 0,0,61 ; rotldi 0,0,51\n\t"
-
-#define VALGRIND_DO_CLIENT_REQUEST( \
- _zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- \
- { unsigned long long int _zzq_args[7]; \
- register unsigned long long int _zzq_result; \
- register unsigned long long int* _zzq_ptr; \
- _zzq_args[0] = (unsigned int long long)(_zzq_request); \
- _zzq_args[1] = (unsigned int long long)(_zzq_arg1); \
- _zzq_args[2] = (unsigned int long long)(_zzq_arg2); \
- _zzq_args[3] = (unsigned int long long)(_zzq_arg3); \
- _zzq_args[4] = (unsigned int long long)(_zzq_arg4); \
- _zzq_args[5] = (unsigned int long long)(_zzq_arg5); \
- _zzq_args[6] = (unsigned int long long)(_zzq_default); \
- _zzq_ptr = _zzq_args; \
- __asm__ volatile("mr 4,%1\n\t" \
- "ld 3, 48(4)\n\t" \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = client_request ( %R4 ) */ \
- "or 1,1,1\n\t" \
- "mr %0,3" \
- : "=b" (_zzq_result) \
- : "b" (_zzq_ptr) \
- : "r3", "r4", "cc", "memory"); \
- _zzq_rlval = _zzq_result; \
- }
-
-#define VALGRIND_GET_NR_CONTEXT(_zzq_rlval) \
- { volatile OrigFn* _zzq_orig = &(_zzq_rlval); \
- register unsigned long long int __addr; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = guest_NRADDR */ \
- "or 2,2,2\n\t" \
- "mr %0,3" \
- : "=b" (__addr) \
- : \
- : "r3", "cc", "memory" \
- ); \
- _zzq_orig->nraddr = __addr; \
- __asm__ volatile(__SPECIAL_INSTRUCTION_PREAMBLE \
- /* %R3 = guest_NRADDR_GPR2 */ \
- "or 4,4,4\n\t" \
- "mr %0,3" \
- : "=b" (__addr) \
- : \
- : "r3", "cc", "memory" \
- ); \
- _zzq_orig->r2 = __addr; \
- }
-
-#define VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- __SPECIAL_INSTRUCTION_PREAMBLE \
- /* branch-and-link-to-noredir *%R11 */ \
- "or 3,3,3\n\t"
-
-#endif /* PLAT_ppc64_aix5 */
-
-/* Insert assembly code for other platforms here... */
-
-#endif /* NVALGRIND */
-
-
-/* ------------------------------------------------------------------ */
-/* PLATFORM SPECIFICS for FUNCTION WRAPPING. This is all very */
-/* ugly. It's the least-worst tradeoff I can think of. */
-/* ------------------------------------------------------------------ */
-
-/* This section defines magic (a.k.a appalling-hack) macros for doing
- guaranteed-no-redirection macros, so as to get from function
- wrappers to the functions they are wrapping. The whole point is to
- construct standard call sequences, but to do the call itself with a
- special no-redirect call pseudo-instruction that the JIT
- understands and handles specially. This section is long and
- repetitious, and I can't see a way to make it shorter.
-
- The naming scheme is as follows:
-
- CALL_FN_{W,v}_{v,W,WW,WWW,WWWW,5W,6W,7W,etc}
-
- 'W' stands for "word" and 'v' for "void". Hence there are
- different macros for calling arity 0, 1, 2, 3, 4, etc, functions,
- and for each, the possibility of returning a word-typed result, or
- no result.
-*/
-
-/* Use these to write the name of your wrapper. NOTE: duplicates
- VG_WRAP_FUNCTION_Z{U,Z} in pub_tool_redir.h. */
-
-/* Use an extra level of macroisation so as to ensure the soname/fnname
- args are fully macro-expanded before pasting them together. */
-#define VG_CONCAT4(_aa,_bb,_cc,_dd) _aa##_bb##_cc##_dd
-
-#define I_WRAP_SONAME_FNNAME_ZU(soname,fnname) \
- VG_CONCAT4(_vgwZU_,soname,_,fnname)
-
-#define I_WRAP_SONAME_FNNAME_ZZ(soname,fnname) \
- VG_CONCAT4(_vgwZZ_,soname,_,fnname)
-
-/* Use this macro from within a wrapper function to collect the
- context (address and possibly other info) of the original function.
- Once you have that you can then use it in one of the CALL_FN_
- macros. The type of the argument _lval is OrigFn. */
-#define VALGRIND_GET_ORIG_FN(_lval) VALGRIND_GET_NR_CONTEXT(_lval)
-
-/* Derivatives of the main macros below, for calling functions
- returning void. */
-
-#define CALL_FN_v_v(fnptr) \
- do { volatile unsigned long _junk; \
- CALL_FN_W_v(_junk,fnptr); } while (0)
-
-#define CALL_FN_v_W(fnptr, arg1) \
- do { volatile unsigned long _junk; \
- CALL_FN_W_W(_junk,fnptr,arg1); } while (0)
-
-#define CALL_FN_v_WW(fnptr, arg1,arg2) \
- do { volatile unsigned long _junk; \
- CALL_FN_W_WW(_junk,fnptr,arg1,arg2); } while (0)
-
-#define CALL_FN_v_WWW(fnptr, arg1,arg2,arg3) \
- do { volatile unsigned long _junk; \
- CALL_FN_W_WWW(_junk,fnptr,arg1,arg2,arg3); } while (0)
-
-#define CALL_FN_v_WWWW(fnptr, arg1,arg2,arg3,arg4) \
- do { volatile unsigned long _junk; \
- CALL_FN_W_WWWW(_junk,fnptr,arg1,arg2,arg3,arg4); } while (0)
-
-#define CALL_FN_v_5W(fnptr, arg1,arg2,arg3,arg4,arg5) \
- do { volatile unsigned long _junk; \
- CALL_FN_W_5W(_junk,fnptr,arg1,arg2,arg3,arg4,arg5); } while (0)
-
-#define CALL_FN_v_6W(fnptr, arg1,arg2,arg3,arg4,arg5,arg6) \
- do { volatile unsigned long _junk; \
- CALL_FN_W_6W(_junk,fnptr,arg1,arg2,arg3,arg4,arg5,arg6); } while (0)
-
-#define CALL_FN_v_7W(fnptr, arg1,arg2,arg3,arg4,arg5,arg6,arg7) \
- do { volatile unsigned long _junk; \
- CALL_FN_W_7W(_junk,fnptr,arg1,arg2,arg3,arg4,arg5,arg6,arg7); } while (0)
-
-/* ------------------------- x86-{linux,darwin} ---------------- */
-
-#if defined(PLAT_x86_linux) || defined(PLAT_x86_darwin)
-
-/* These regs are trashed by the hidden call. No need to mention eax
- as gcc can already see that, plus causes gcc to bomb. */
-#define __CALLER_SAVED_REGS /*"eax"*/ "ecx", "edx"
-
-/* These CALL_FN_ macros assume that on x86-linux, sizeof(unsigned
- long) == 4. */
-
-#define CALL_FN_W_v(lval, orig) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[1]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- __asm__ volatile( \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_W(lval, orig, arg1) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[2]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- __asm__ volatile( \
- "subl $12, %%esp\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $16, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WW(lval, orig, arg1,arg2) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- __asm__ volatile( \
- "subl $8, %%esp\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $16, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[4]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- __asm__ volatile( \
- "subl $4, %%esp\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $16, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[5]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- __asm__ volatile( \
- "pushl 16(%%eax)\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $16, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[6]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- __asm__ volatile( \
- "subl $12, %%esp\n\t" \
- "pushl 20(%%eax)\n\t" \
- "pushl 16(%%eax)\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $32, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[7]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- __asm__ volatile( \
- "subl $8, %%esp\n\t" \
- "pushl 24(%%eax)\n\t" \
- "pushl 20(%%eax)\n\t" \
- "pushl 16(%%eax)\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $32, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[8]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- __asm__ volatile( \
- "subl $4, %%esp\n\t" \
- "pushl 28(%%eax)\n\t" \
- "pushl 24(%%eax)\n\t" \
- "pushl 20(%%eax)\n\t" \
- "pushl 16(%%eax)\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $32, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[9]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- __asm__ volatile( \
- "pushl 32(%%eax)\n\t" \
- "pushl 28(%%eax)\n\t" \
- "pushl 24(%%eax)\n\t" \
- "pushl 20(%%eax)\n\t" \
- "pushl 16(%%eax)\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $32, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[10]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- __asm__ volatile( \
- "subl $12, %%esp\n\t" \
- "pushl 36(%%eax)\n\t" \
- "pushl 32(%%eax)\n\t" \
- "pushl 28(%%eax)\n\t" \
- "pushl 24(%%eax)\n\t" \
- "pushl 20(%%eax)\n\t" \
- "pushl 16(%%eax)\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $48, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[11]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- _argvec[10] = (unsigned long)(arg10); \
- __asm__ volatile( \
- "subl $8, %%esp\n\t" \
- "pushl 40(%%eax)\n\t" \
- "pushl 36(%%eax)\n\t" \
- "pushl 32(%%eax)\n\t" \
- "pushl 28(%%eax)\n\t" \
- "pushl 24(%%eax)\n\t" \
- "pushl 20(%%eax)\n\t" \
- "pushl 16(%%eax)\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $48, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5, \
- arg6,arg7,arg8,arg9,arg10, \
- arg11) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[12]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- _argvec[10] = (unsigned long)(arg10); \
- _argvec[11] = (unsigned long)(arg11); \
- __asm__ volatile( \
- "subl $4, %%esp\n\t" \
- "pushl 44(%%eax)\n\t" \
- "pushl 40(%%eax)\n\t" \
- "pushl 36(%%eax)\n\t" \
- "pushl 32(%%eax)\n\t" \
- "pushl 28(%%eax)\n\t" \
- "pushl 24(%%eax)\n\t" \
- "pushl 20(%%eax)\n\t" \
- "pushl 16(%%eax)\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $48, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5, \
- arg6,arg7,arg8,arg9,arg10, \
- arg11,arg12) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[13]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- _argvec[10] = (unsigned long)(arg10); \
- _argvec[11] = (unsigned long)(arg11); \
- _argvec[12] = (unsigned long)(arg12); \
- __asm__ volatile( \
- "pushl 48(%%eax)\n\t" \
- "pushl 44(%%eax)\n\t" \
- "pushl 40(%%eax)\n\t" \
- "pushl 36(%%eax)\n\t" \
- "pushl 32(%%eax)\n\t" \
- "pushl 28(%%eax)\n\t" \
- "pushl 24(%%eax)\n\t" \
- "pushl 20(%%eax)\n\t" \
- "pushl 16(%%eax)\n\t" \
- "pushl 12(%%eax)\n\t" \
- "pushl 8(%%eax)\n\t" \
- "pushl 4(%%eax)\n\t" \
- "movl (%%eax), %%eax\n\t" /* target->%eax */ \
- VALGRIND_CALL_NOREDIR_EAX \
- "addl $48, %%esp\n" \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#endif /* PLAT_x86_linux || PLAT_x86_darwin */
-
-/* ------------------------ amd64-{linux,darwin} --------------- */
-
-#if defined(PLAT_amd64_linux) || defined(PLAT_amd64_darwin)
-
-/* ARGREGS: rdi rsi rdx rcx r8 r9 (the rest on stack in R-to-L order) */
-
-/* These regs are trashed by the hidden call. */
-#define __CALLER_SAVED_REGS /*"rax",*/ "rcx", "rdx", "rsi", \
- "rdi", "r8", "r9", "r10", "r11"
-
-/* This is all pretty complex. It's so as to make stack unwinding
- work reliably. See bug 243270. The basic problem is the sub and
- add of 128 of %rsp in all of the following macros. If gcc believes
- the CFA is in %rsp, then unwinding may fail, because what's at the
- CFA is not what gcc "expected" when it constructs the CFIs for the
- places where the macros are instantiated.
-
- But we can't just add a CFI annotation to increase the CFA offset
- by 128, to match the sub of 128 from %rsp, because we don't know
- whether gcc has chosen %rsp as the CFA at that point, or whether it
- has chosen some other register (eg, %rbp). In the latter case,
- adding a CFI annotation to change the CFA offset is simply wrong.
-
- So the solution is to get hold of the CFA using
- __builtin_dwarf_cfa(), put it in a known register, and add a
- CFI annotation to say what the register is. We choose %rbp for
- this (perhaps perversely), because:
-
- (1) %rbp is already subject to unwinding. If a new register was
- chosen then the unwinder would have to unwind it in all stack
- traces, which is expensive, and
-
- (2) %rbp is already subject to precise exception updates in the
- JIT. If a new register was chosen, we'd have to have precise
- exceptions for it too, which reduces performance of the
- generated code.
-
- However .. one extra complication. We can't just whack the result
- of __builtin_dwarf_cfa() into %rbp and then add %rbp to the
- list of trashed registers at the end of the inline assembly
- fragments; gcc won't allow %rbp to appear in that list. Hence
- instead we need to stash %rbp in %r15 for the duration of the asm,
- and say that %r15 is trashed instead. gcc seems happy to go with
- that.
-
- Oh .. and this all needs to be conditionalised so that it is
- unchanged from before this commit, when compiled with older gccs
- that don't support __builtin_dwarf_cfa. Furthermore, since
- this header file is freestanding, it has to be independent of
- config.h, and so the following conditionalisation cannot depend on
- configure time checks.
-
- Although it's not clear from
- 'defined(__GNUC__) && defined(__GCC_HAVE_DWARF2_CFI_ASM)',
- this expression excludes Darwin.
- .cfi directives in Darwin assembly appear to be completely
- different and I haven't investigated how they work.
-
- For even more entertainment value, note we have to use the
- completely undocumented __builtin_dwarf_cfa(), which appears to
- really compute the CFA, whereas __builtin_frame_address(0) claims
- to but actually doesn't. See
- https://bugs.kde.org/show_bug.cgi?id=243270#c47
-*/
-#if defined(__GNUC__) && defined(__GCC_HAVE_DWARF2_CFI_ASM)
-# define __FRAME_POINTER \
- ,"r"(__builtin_dwarf_cfa())
-# define VALGRIND_CFI_PROLOGUE \
- "movq %%rbp, %%r15\n\t" \
- "movq %2, %%rbp\n\t" \
- ".cfi_remember_state\n\t" \
- ".cfi_def_cfa rbp, 0\n\t"
-# define VALGRIND_CFI_EPILOGUE \
- "movq %%r15, %%rbp\n\t" \
- ".cfi_restore_state\n\t"
-#else
-# define __FRAME_POINTER
-# define VALGRIND_CFI_PROLOGUE
-# define VALGRIND_CFI_EPILOGUE
-#endif
-
-
-/* These CALL_FN_ macros assume that on amd64-linux, sizeof(unsigned
- long) == 8. */
-
-/* NB 9 Sept 07. There is a nasty kludge here in all these CALL_FN_
- macros. In order not to trash the stack redzone, we need to drop
- %rsp by 128 before the hidden call, and restore afterwards. The
- nastyness is that it is only by luck that the stack still appears
- to be unwindable during the hidden call - since then the behaviour
- of any routine using this macro does not match what the CFI data
- says. Sigh.
-
- Why is this important? Imagine that a wrapper has a stack
- allocated local, and passes to the hidden call, a pointer to it.
- Because gcc does not know about the hidden call, it may allocate
- that local in the redzone. Unfortunately the hidden call may then
- trash it before it comes to use it. So we must step clear of the
- redzone, for the duration of the hidden call, to make it safe.
-
- Probably the same problem afflicts the other redzone-style ABIs too
- (ppc64-linux, ppc32-aix5, ppc64-aix5); but for those, the stack is
- self describing (none of this CFI nonsense) so at least messing
- with the stack pointer doesn't give a danger of non-unwindable
- stack. */
-
-#define CALL_FN_W_v(lval, orig) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[1]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_W(lval, orig, arg1) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[2]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WW(lval, orig, arg1,arg2) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[4]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[5]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "movq 32(%%rax), %%rcx\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[6]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "movq 40(%%rax), %%r8\n\t" \
- "movq 32(%%rax), %%rcx\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[7]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "movq 48(%%rax), %%r9\n\t" \
- "movq 40(%%rax), %%r8\n\t" \
- "movq 32(%%rax), %%rcx\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[8]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $136,%%rsp\n\t" \
- "pushq 56(%%rax)\n\t" \
- "movq 48(%%rax), %%r9\n\t" \
- "movq 40(%%rax), %%r8\n\t" \
- "movq 32(%%rax), %%rcx\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $8, %%rsp\n" \
- "addq $136,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[9]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "pushq 64(%%rax)\n\t" \
- "pushq 56(%%rax)\n\t" \
- "movq 48(%%rax), %%r9\n\t" \
- "movq 40(%%rax), %%r8\n\t" \
- "movq 32(%%rax), %%rcx\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $16, %%rsp\n" \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[10]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $136,%%rsp\n\t" \
- "pushq 72(%%rax)\n\t" \
- "pushq 64(%%rax)\n\t" \
- "pushq 56(%%rax)\n\t" \
- "movq 48(%%rax), %%r9\n\t" \
- "movq 40(%%rax), %%r8\n\t" \
- "movq 32(%%rax), %%rcx\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $24, %%rsp\n" \
- "addq $136,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[11]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- _argvec[10] = (unsigned long)(arg10); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "pushq 80(%%rax)\n\t" \
- "pushq 72(%%rax)\n\t" \
- "pushq 64(%%rax)\n\t" \
- "pushq 56(%%rax)\n\t" \
- "movq 48(%%rax), %%r9\n\t" \
- "movq 40(%%rax), %%r8\n\t" \
- "movq 32(%%rax), %%rcx\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $32, %%rsp\n" \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[12]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- _argvec[10] = (unsigned long)(arg10); \
- _argvec[11] = (unsigned long)(arg11); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $136,%%rsp\n\t" \
- "pushq 88(%%rax)\n\t" \
- "pushq 80(%%rax)\n\t" \
- "pushq 72(%%rax)\n\t" \
- "pushq 64(%%rax)\n\t" \
- "pushq 56(%%rax)\n\t" \
- "movq 48(%%rax), %%r9\n\t" \
- "movq 40(%%rax), %%r8\n\t" \
- "movq 32(%%rax), %%rcx\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $40, %%rsp\n" \
- "addq $136,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11,arg12) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[13]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- _argvec[10] = (unsigned long)(arg10); \
- _argvec[11] = (unsigned long)(arg11); \
- _argvec[12] = (unsigned long)(arg12); \
- __asm__ volatile( \
- VALGRIND_CFI_PROLOGUE \
- "subq $128,%%rsp\n\t" \
- "pushq 96(%%rax)\n\t" \
- "pushq 88(%%rax)\n\t" \
- "pushq 80(%%rax)\n\t" \
- "pushq 72(%%rax)\n\t" \
- "pushq 64(%%rax)\n\t" \
- "pushq 56(%%rax)\n\t" \
- "movq 48(%%rax), %%r9\n\t" \
- "movq 40(%%rax), %%r8\n\t" \
- "movq 32(%%rax), %%rcx\n\t" \
- "movq 24(%%rax), %%rdx\n\t" \
- "movq 16(%%rax), %%rsi\n\t" \
- "movq 8(%%rax), %%rdi\n\t" \
- "movq (%%rax), %%rax\n\t" /* target->%rax */ \
- VALGRIND_CALL_NOREDIR_RAX \
- "addq $48, %%rsp\n" \
- "addq $128,%%rsp\n\t" \
- VALGRIND_CFI_EPILOGUE \
- : /*out*/ "=a" (_res) \
- : /*in*/ "a" (&_argvec[0]) __FRAME_POINTER \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS, "r15" \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#endif /* PLAT_amd64_linux || PLAT_amd64_darwin */
-
-/* ------------------------ ppc32-linux ------------------------ */
-
-#if defined(PLAT_ppc32_linux)
-
-/* This is useful for finding out about the on-stack stuff:
-
- extern int f9 ( int,int,int,int,int,int,int,int,int );
- extern int f10 ( int,int,int,int,int,int,int,int,int,int );
- extern int f11 ( int,int,int,int,int,int,int,int,int,int,int );
- extern int f12 ( int,int,int,int,int,int,int,int,int,int,int,int );
-
- int g9 ( void ) {
- return f9(11,22,33,44,55,66,77,88,99);
- }
- int g10 ( void ) {
- return f10(11,22,33,44,55,66,77,88,99,110);
- }
- int g11 ( void ) {
- return f11(11,22,33,44,55,66,77,88,99,110,121);
- }
- int g12 ( void ) {
- return f12(11,22,33,44,55,66,77,88,99,110,121,132);
- }
-*/
-
-/* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */
-
-/* These regs are trashed by the hidden call. */
-#define __CALLER_SAVED_REGS \
- "lr", "ctr", "xer", \
- "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \
- "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \
- "r11", "r12", "r13"
-
-/* These CALL_FN_ macros assume that on ppc32-linux,
- sizeof(unsigned long) == 4. */
-
-#define CALL_FN_W_v(lval, orig) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[1]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_W(lval, orig, arg1) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[2]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WW(lval, orig, arg1,arg2) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[4]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[5]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- _argvec[4] = (unsigned long)arg4; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 6,16(11)\n\t" /* arg4->r6 */ \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[6]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- _argvec[4] = (unsigned long)arg4; \
- _argvec[5] = (unsigned long)arg5; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 6,16(11)\n\t" /* arg4->r6 */ \
- "lwz 7,20(11)\n\t" \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[7]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- _argvec[4] = (unsigned long)arg4; \
- _argvec[5] = (unsigned long)arg5; \
- _argvec[6] = (unsigned long)arg6; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 6,16(11)\n\t" /* arg4->r6 */ \
- "lwz 7,20(11)\n\t" \
- "lwz 8,24(11)\n\t" \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[8]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- _argvec[4] = (unsigned long)arg4; \
- _argvec[5] = (unsigned long)arg5; \
- _argvec[6] = (unsigned long)arg6; \
- _argvec[7] = (unsigned long)arg7; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 6,16(11)\n\t" /* arg4->r6 */ \
- "lwz 7,20(11)\n\t" \
- "lwz 8,24(11)\n\t" \
- "lwz 9,28(11)\n\t" \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[9]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- _argvec[4] = (unsigned long)arg4; \
- _argvec[5] = (unsigned long)arg5; \
- _argvec[6] = (unsigned long)arg6; \
- _argvec[7] = (unsigned long)arg7; \
- _argvec[8] = (unsigned long)arg8; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 6,16(11)\n\t" /* arg4->r6 */ \
- "lwz 7,20(11)\n\t" \
- "lwz 8,24(11)\n\t" \
- "lwz 9,28(11)\n\t" \
- "lwz 10,32(11)\n\t" /* arg8->r10 */ \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[10]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- _argvec[4] = (unsigned long)arg4; \
- _argvec[5] = (unsigned long)arg5; \
- _argvec[6] = (unsigned long)arg6; \
- _argvec[7] = (unsigned long)arg7; \
- _argvec[8] = (unsigned long)arg8; \
- _argvec[9] = (unsigned long)arg9; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "addi 1,1,-16\n\t" \
- /* arg9 */ \
- "lwz 3,36(11)\n\t" \
- "stw 3,8(1)\n\t" \
- /* args1-8 */ \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 6,16(11)\n\t" /* arg4->r6 */ \
- "lwz 7,20(11)\n\t" \
- "lwz 8,24(11)\n\t" \
- "lwz 9,28(11)\n\t" \
- "lwz 10,32(11)\n\t" /* arg8->r10 */ \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "addi 1,1,16\n\t" \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[11]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- _argvec[4] = (unsigned long)arg4; \
- _argvec[5] = (unsigned long)arg5; \
- _argvec[6] = (unsigned long)arg6; \
- _argvec[7] = (unsigned long)arg7; \
- _argvec[8] = (unsigned long)arg8; \
- _argvec[9] = (unsigned long)arg9; \
- _argvec[10] = (unsigned long)arg10; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "addi 1,1,-16\n\t" \
- /* arg10 */ \
- "lwz 3,40(11)\n\t" \
- "stw 3,12(1)\n\t" \
- /* arg9 */ \
- "lwz 3,36(11)\n\t" \
- "stw 3,8(1)\n\t" \
- /* args1-8 */ \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 6,16(11)\n\t" /* arg4->r6 */ \
- "lwz 7,20(11)\n\t" \
- "lwz 8,24(11)\n\t" \
- "lwz 9,28(11)\n\t" \
- "lwz 10,32(11)\n\t" /* arg8->r10 */ \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "addi 1,1,16\n\t" \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[12]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- _argvec[4] = (unsigned long)arg4; \
- _argvec[5] = (unsigned long)arg5; \
- _argvec[6] = (unsigned long)arg6; \
- _argvec[7] = (unsigned long)arg7; \
- _argvec[8] = (unsigned long)arg8; \
- _argvec[9] = (unsigned long)arg9; \
- _argvec[10] = (unsigned long)arg10; \
- _argvec[11] = (unsigned long)arg11; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "addi 1,1,-32\n\t" \
- /* arg11 */ \
- "lwz 3,44(11)\n\t" \
- "stw 3,16(1)\n\t" \
- /* arg10 */ \
- "lwz 3,40(11)\n\t" \
- "stw 3,12(1)\n\t" \
- /* arg9 */ \
- "lwz 3,36(11)\n\t" \
- "stw 3,8(1)\n\t" \
- /* args1-8 */ \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 6,16(11)\n\t" /* arg4->r6 */ \
- "lwz 7,20(11)\n\t" \
- "lwz 8,24(11)\n\t" \
- "lwz 9,28(11)\n\t" \
- "lwz 10,32(11)\n\t" /* arg8->r10 */ \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "addi 1,1,32\n\t" \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11,arg12) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[13]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)arg1; \
- _argvec[2] = (unsigned long)arg2; \
- _argvec[3] = (unsigned long)arg3; \
- _argvec[4] = (unsigned long)arg4; \
- _argvec[5] = (unsigned long)arg5; \
- _argvec[6] = (unsigned long)arg6; \
- _argvec[7] = (unsigned long)arg7; \
- _argvec[8] = (unsigned long)arg8; \
- _argvec[9] = (unsigned long)arg9; \
- _argvec[10] = (unsigned long)arg10; \
- _argvec[11] = (unsigned long)arg11; \
- _argvec[12] = (unsigned long)arg12; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "addi 1,1,-32\n\t" \
- /* arg12 */ \
- "lwz 3,48(11)\n\t" \
- "stw 3,20(1)\n\t" \
- /* arg11 */ \
- "lwz 3,44(11)\n\t" \
- "stw 3,16(1)\n\t" \
- /* arg10 */ \
- "lwz 3,40(11)\n\t" \
- "stw 3,12(1)\n\t" \
- /* arg9 */ \
- "lwz 3,36(11)\n\t" \
- "stw 3,8(1)\n\t" \
- /* args1-8 */ \
- "lwz 3,4(11)\n\t" /* arg1->r3 */ \
- "lwz 4,8(11)\n\t" \
- "lwz 5,12(11)\n\t" \
- "lwz 6,16(11)\n\t" /* arg4->r6 */ \
- "lwz 7,20(11)\n\t" \
- "lwz 8,24(11)\n\t" \
- "lwz 9,28(11)\n\t" \
- "lwz 10,32(11)\n\t" /* arg8->r10 */ \
- "lwz 11,0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "addi 1,1,32\n\t" \
- "mr %0,3" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#endif /* PLAT_ppc32_linux */
-
-/* ------------------------ ppc64-linux ------------------------ */
-
-#if defined(PLAT_ppc64_linux)
-
-/* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */
-
-/* These regs are trashed by the hidden call. */
-#define __CALLER_SAVED_REGS \
- "lr", "ctr", "xer", \
- "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \
- "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \
- "r11", "r12", "r13"
-
-/* These CALL_FN_ macros assume that on ppc64-linux, sizeof(unsigned
- long) == 8. */
-
-#define CALL_FN_W_v(lval, orig) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+0]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)" /* restore tocptr */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_W(lval, orig, arg1) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+1]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)" /* restore tocptr */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WW(lval, orig, arg1,arg2) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+2]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)" /* restore tocptr */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+3]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)" /* restore tocptr */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+4]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)" /* restore tocptr */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+5]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)" /* restore tocptr */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+6]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)" /* restore tocptr */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+7]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)" /* restore tocptr */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+8]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)" /* restore tocptr */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+9]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "addi 1,1,-128\n\t" /* expand stack frame */ \
- /* arg9 */ \
- "ld 3,72(11)\n\t" \
- "std 3,112(1)\n\t" \
- /* args1-8 */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- "addi 1,1,128" /* restore frame */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+10]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- _argvec[2+10] = (unsigned long)arg10; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "addi 1,1,-128\n\t" /* expand stack frame */ \
- /* arg10 */ \
- "ld 3,80(11)\n\t" \
- "std 3,120(1)\n\t" \
- /* arg9 */ \
- "ld 3,72(11)\n\t" \
- "std 3,112(1)\n\t" \
- /* args1-8 */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- "addi 1,1,128" /* restore frame */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+11]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- _argvec[2+10] = (unsigned long)arg10; \
- _argvec[2+11] = (unsigned long)arg11; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "addi 1,1,-144\n\t" /* expand stack frame */ \
- /* arg11 */ \
- "ld 3,88(11)\n\t" \
- "std 3,128(1)\n\t" \
- /* arg10 */ \
- "ld 3,80(11)\n\t" \
- "std 3,120(1)\n\t" \
- /* arg9 */ \
- "ld 3,72(11)\n\t" \
- "std 3,112(1)\n\t" \
- /* args1-8 */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- "addi 1,1,144" /* restore frame */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11,arg12) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+12]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- _argvec[2+10] = (unsigned long)arg10; \
- _argvec[2+11] = (unsigned long)arg11; \
- _argvec[2+12] = (unsigned long)arg12; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "addi 1,1,-144\n\t" /* expand stack frame */ \
- /* arg12 */ \
- "ld 3,96(11)\n\t" \
- "std 3,136(1)\n\t" \
- /* arg11 */ \
- "ld 3,88(11)\n\t" \
- "std 3,128(1)\n\t" \
- /* arg10 */ \
- "ld 3,80(11)\n\t" \
- "std 3,120(1)\n\t" \
- /* arg9 */ \
- "ld 3,72(11)\n\t" \
- "std 3,112(1)\n\t" \
- /* args1-8 */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- "addi 1,1,144" /* restore frame */ \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#endif /* PLAT_ppc64_linux */
-
-/* ------------------------- arm-linux ------------------------- */
-
-#if defined(PLAT_arm_linux)
-
-/* These regs are trashed by the hidden call. */
-#define __CALLER_SAVED_REGS "r0", "r1", "r2", "r3","r4","r14"
-
-/* These CALL_FN_ macros assume that on arm-linux, sizeof(unsigned
- long) == 4. */
-
-#define CALL_FN_W_v(lval, orig) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[1]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- __asm__ volatile( \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "mov %0, r0\n" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_W(lval, orig, arg1) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[2]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- __asm__ volatile( \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "mov %0, r0\n" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WW(lval, orig, arg1,arg2) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- __asm__ volatile( \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "mov %0, r0\n" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[4]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- __asm__ volatile( \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "mov %0, r0\n" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[5]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- __asm__ volatile( \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r3, [%1, #16] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "mov %0, r0" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[6]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- __asm__ volatile( \
- "ldr r0, [%1, #20] \n\t" \
- "push {r0} \n\t" \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r3, [%1, #16] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "add sp, sp, #4 \n\t" \
- "mov %0, r0" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[7]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- __asm__ volatile( \
- "ldr r0, [%1, #20] \n\t" \
- "ldr r1, [%1, #24] \n\t" \
- "push {r0, r1} \n\t" \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r3, [%1, #16] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "add sp, sp, #8 \n\t" \
- "mov %0, r0" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[8]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- __asm__ volatile( \
- "ldr r0, [%1, #20] \n\t" \
- "ldr r1, [%1, #24] \n\t" \
- "ldr r2, [%1, #28] \n\t" \
- "push {r0, r1, r2} \n\t" \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r3, [%1, #16] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "add sp, sp, #12 \n\t" \
- "mov %0, r0" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[9]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- __asm__ volatile( \
- "ldr r0, [%1, #20] \n\t" \
- "ldr r1, [%1, #24] \n\t" \
- "ldr r2, [%1, #28] \n\t" \
- "ldr r3, [%1, #32] \n\t" \
- "push {r0, r1, r2, r3} \n\t" \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r3, [%1, #16] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "add sp, sp, #16 \n\t" \
- "mov %0, r0" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[10]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- __asm__ volatile( \
- "ldr r0, [%1, #20] \n\t" \
- "ldr r1, [%1, #24] \n\t" \
- "ldr r2, [%1, #28] \n\t" \
- "ldr r3, [%1, #32] \n\t" \
- "ldr r4, [%1, #36] \n\t" \
- "push {r0, r1, r2, r3, r4} \n\t" \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r3, [%1, #16] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "add sp, sp, #20 \n\t" \
- "mov %0, r0" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[11]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- _argvec[10] = (unsigned long)(arg10); \
- __asm__ volatile( \
- "ldr r0, [%1, #40] \n\t" \
- "push {r0} \n\t" \
- "ldr r0, [%1, #20] \n\t" \
- "ldr r1, [%1, #24] \n\t" \
- "ldr r2, [%1, #28] \n\t" \
- "ldr r3, [%1, #32] \n\t" \
- "ldr r4, [%1, #36] \n\t" \
- "push {r0, r1, r2, r3, r4} \n\t" \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r3, [%1, #16] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "add sp, sp, #24 \n\t" \
- "mov %0, r0" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5, \
- arg6,arg7,arg8,arg9,arg10, \
- arg11) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[12]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- _argvec[10] = (unsigned long)(arg10); \
- _argvec[11] = (unsigned long)(arg11); \
- __asm__ volatile( \
- "ldr r0, [%1, #40] \n\t" \
- "ldr r1, [%1, #44] \n\t" \
- "push {r0, r1} \n\t" \
- "ldr r0, [%1, #20] \n\t" \
- "ldr r1, [%1, #24] \n\t" \
- "ldr r2, [%1, #28] \n\t" \
- "ldr r3, [%1, #32] \n\t" \
- "ldr r4, [%1, #36] \n\t" \
- "push {r0, r1, r2, r3, r4} \n\t" \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r3, [%1, #16] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "add sp, sp, #28 \n\t" \
- "mov %0, r0" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory",__CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5, \
- arg6,arg7,arg8,arg9,arg10, \
- arg11,arg12) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[13]; \
- volatile unsigned long _res; \
- _argvec[0] = (unsigned long)_orig.nraddr; \
- _argvec[1] = (unsigned long)(arg1); \
- _argvec[2] = (unsigned long)(arg2); \
- _argvec[3] = (unsigned long)(arg3); \
- _argvec[4] = (unsigned long)(arg4); \
- _argvec[5] = (unsigned long)(arg5); \
- _argvec[6] = (unsigned long)(arg6); \
- _argvec[7] = (unsigned long)(arg7); \
- _argvec[8] = (unsigned long)(arg8); \
- _argvec[9] = (unsigned long)(arg9); \
- _argvec[10] = (unsigned long)(arg10); \
- _argvec[11] = (unsigned long)(arg11); \
- _argvec[12] = (unsigned long)(arg12); \
- __asm__ volatile( \
- "ldr r0, [%1, #40] \n\t" \
- "ldr r1, [%1, #44] \n\t" \
- "ldr r2, [%1, #48] \n\t" \
- "push {r0, r1, r2} \n\t" \
- "ldr r0, [%1, #20] \n\t" \
- "ldr r1, [%1, #24] \n\t" \
- "ldr r2, [%1, #28] \n\t" \
- "ldr r3, [%1, #32] \n\t" \
- "ldr r4, [%1, #36] \n\t" \
- "push {r0, r1, r2, r3, r4} \n\t" \
- "ldr r0, [%1, #4] \n\t" \
- "ldr r1, [%1, #8] \n\t" \
- "ldr r2, [%1, #12] \n\t" \
- "ldr r3, [%1, #16] \n\t" \
- "ldr r4, [%1] \n\t" /* target->r4 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R4 \
- "add sp, sp, #32 \n\t" \
- "mov %0, r0" \
- : /*out*/ "=r" (_res) \
- : /*in*/ "0" (&_argvec[0]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#endif /* PLAT_arm_linux */
-
-/* ------------------------ ppc32-aix5 ------------------------- */
-
-#if defined(PLAT_ppc32_aix5)
-
-/* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */
-
-/* These regs are trashed by the hidden call. */
-#define __CALLER_SAVED_REGS \
- "lr", "ctr", "xer", \
- "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \
- "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \
- "r11", "r12", "r13"
-
-/* Expand the stack frame, copying enough info that unwinding
- still works. Trashes r3. */
-
-#define VG_EXPAND_FRAME_BY_trashes_r3(_n_fr) \
- "addi 1,1,-" #_n_fr "\n\t" \
- "lwz 3," #_n_fr "(1)\n\t" \
- "stw 3,0(1)\n\t"
-
-#define VG_CONTRACT_FRAME_BY(_n_fr) \
- "addi 1,1," #_n_fr "\n\t"
-
-/* These CALL_FN_ macros assume that on ppc32-aix5, sizeof(unsigned
- long) == 4. */
-
-#define CALL_FN_W_v(lval, orig) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+0]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_W(lval, orig, arg1) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+1]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WW(lval, orig, arg1,arg2) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+2]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+3]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+4]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 6, 16(11)\n\t" /* arg4->r6 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+5]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 6, 16(11)\n\t" /* arg4->r6 */ \
- "lwz 7, 20(11)\n\t" /* arg5->r7 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+6]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 6, 16(11)\n\t" /* arg4->r6 */ \
- "lwz 7, 20(11)\n\t" /* arg5->r7 */ \
- "lwz 8, 24(11)\n\t" /* arg6->r8 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+7]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 6, 16(11)\n\t" /* arg4->r6 */ \
- "lwz 7, 20(11)\n\t" /* arg5->r7 */ \
- "lwz 8, 24(11)\n\t" /* arg6->r8 */ \
- "lwz 9, 28(11)\n\t" /* arg7->r9 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+8]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 6, 16(11)\n\t" /* arg4->r6 */ \
- "lwz 7, 20(11)\n\t" /* arg5->r7 */ \
- "lwz 8, 24(11)\n\t" /* arg6->r8 */ \
- "lwz 9, 28(11)\n\t" /* arg7->r9 */ \
- "lwz 10, 32(11)\n\t" /* arg8->r10 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+9]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- VG_EXPAND_FRAME_BY_trashes_r3(64) \
- /* arg9 */ \
- "lwz 3,36(11)\n\t" \
- "stw 3,56(1)\n\t" \
- /* args1-8 */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 6, 16(11)\n\t" /* arg4->r6 */ \
- "lwz 7, 20(11)\n\t" /* arg5->r7 */ \
- "lwz 8, 24(11)\n\t" /* arg6->r8 */ \
- "lwz 9, 28(11)\n\t" /* arg7->r9 */ \
- "lwz 10, 32(11)\n\t" /* arg8->r10 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(64) \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+10]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- _argvec[2+10] = (unsigned long)arg10; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- VG_EXPAND_FRAME_BY_trashes_r3(64) \
- /* arg10 */ \
- "lwz 3,40(11)\n\t" \
- "stw 3,60(1)\n\t" \
- /* arg9 */ \
- "lwz 3,36(11)\n\t" \
- "stw 3,56(1)\n\t" \
- /* args1-8 */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 6, 16(11)\n\t" /* arg4->r6 */ \
- "lwz 7, 20(11)\n\t" /* arg5->r7 */ \
- "lwz 8, 24(11)\n\t" /* arg6->r8 */ \
- "lwz 9, 28(11)\n\t" /* arg7->r9 */ \
- "lwz 10, 32(11)\n\t" /* arg8->r10 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(64) \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+11]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- _argvec[2+10] = (unsigned long)arg10; \
- _argvec[2+11] = (unsigned long)arg11; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- VG_EXPAND_FRAME_BY_trashes_r3(72) \
- /* arg11 */ \
- "lwz 3,44(11)\n\t" \
- "stw 3,64(1)\n\t" \
- /* arg10 */ \
- "lwz 3,40(11)\n\t" \
- "stw 3,60(1)\n\t" \
- /* arg9 */ \
- "lwz 3,36(11)\n\t" \
- "stw 3,56(1)\n\t" \
- /* args1-8 */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 6, 16(11)\n\t" /* arg4->r6 */ \
- "lwz 7, 20(11)\n\t" /* arg5->r7 */ \
- "lwz 8, 24(11)\n\t" /* arg6->r8 */ \
- "lwz 9, 28(11)\n\t" /* arg7->r9 */ \
- "lwz 10, 32(11)\n\t" /* arg8->r10 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(72) \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11,arg12) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+12]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- _argvec[2+10] = (unsigned long)arg10; \
- _argvec[2+11] = (unsigned long)arg11; \
- _argvec[2+12] = (unsigned long)arg12; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "stw 2,-8(11)\n\t" /* save tocptr */ \
- "lwz 2,-4(11)\n\t" /* use nraddr's tocptr */ \
- VG_EXPAND_FRAME_BY_trashes_r3(72) \
- /* arg12 */ \
- "lwz 3,48(11)\n\t" \
- "stw 3,68(1)\n\t" \
- /* arg11 */ \
- "lwz 3,44(11)\n\t" \
- "stw 3,64(1)\n\t" \
- /* arg10 */ \
- "lwz 3,40(11)\n\t" \
- "stw 3,60(1)\n\t" \
- /* arg9 */ \
- "lwz 3,36(11)\n\t" \
- "stw 3,56(1)\n\t" \
- /* args1-8 */ \
- "lwz 3, 4(11)\n\t" /* arg1->r3 */ \
- "lwz 4, 8(11)\n\t" /* arg2->r4 */ \
- "lwz 5, 12(11)\n\t" /* arg3->r5 */ \
- "lwz 6, 16(11)\n\t" /* arg4->r6 */ \
- "lwz 7, 20(11)\n\t" /* arg5->r7 */ \
- "lwz 8, 24(11)\n\t" /* arg6->r8 */ \
- "lwz 9, 28(11)\n\t" /* arg7->r9 */ \
- "lwz 10, 32(11)\n\t" /* arg8->r10 */ \
- "lwz 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "lwz 2,-8(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(72) \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#endif /* PLAT_ppc32_aix5 */
-
-/* ------------------------ ppc64-aix5 ------------------------- */
-
-#if defined(PLAT_ppc64_aix5)
-
-/* ARGREGS: r3 r4 r5 r6 r7 r8 r9 r10 (the rest on stack somewhere) */
-
-/* These regs are trashed by the hidden call. */
-#define __CALLER_SAVED_REGS \
- "lr", "ctr", "xer", \
- "cr0", "cr1", "cr2", "cr3", "cr4", "cr5", "cr6", "cr7", \
- "r0", "r2", "r3", "r4", "r5", "r6", "r7", "r8", "r9", "r10", \
- "r11", "r12", "r13"
-
-/* Expand the stack frame, copying enough info that unwinding
- still works. Trashes r3. */
-
-#define VG_EXPAND_FRAME_BY_trashes_r3(_n_fr) \
- "addi 1,1,-" #_n_fr "\n\t" \
- "ld 3," #_n_fr "(1)\n\t" \
- "std 3,0(1)\n\t"
-
-#define VG_CONTRACT_FRAME_BY(_n_fr) \
- "addi 1,1," #_n_fr "\n\t"
-
-/* These CALL_FN_ macros assume that on ppc64-aix5, sizeof(unsigned
- long) == 8. */
-
-#define CALL_FN_W_v(lval, orig) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+0]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_W(lval, orig, arg1) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+1]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WW(lval, orig, arg1,arg2) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+2]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWW(lval, orig, arg1,arg2,arg3) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+3]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_WWWW(lval, orig, arg1,arg2,arg3,arg4) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+4]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_5W(lval, orig, arg1,arg2,arg3,arg4,arg5) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+5]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_6W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+6]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_7W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+7]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_8W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+8]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_9W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+9]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- VG_EXPAND_FRAME_BY_trashes_r3(128) \
- /* arg9 */ \
- "ld 3,72(11)\n\t" \
- "std 3,112(1)\n\t" \
- /* args1-8 */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(128) \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_10W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+10]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- _argvec[2+10] = (unsigned long)arg10; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- VG_EXPAND_FRAME_BY_trashes_r3(128) \
- /* arg10 */ \
- "ld 3,80(11)\n\t" \
- "std 3,120(1)\n\t" \
- /* arg9 */ \
- "ld 3,72(11)\n\t" \
- "std 3,112(1)\n\t" \
- /* args1-8 */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(128) \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_11W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+11]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- _argvec[2+10] = (unsigned long)arg10; \
- _argvec[2+11] = (unsigned long)arg11; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- VG_EXPAND_FRAME_BY_trashes_r3(144) \
- /* arg11 */ \
- "ld 3,88(11)\n\t" \
- "std 3,128(1)\n\t" \
- /* arg10 */ \
- "ld 3,80(11)\n\t" \
- "std 3,120(1)\n\t" \
- /* arg9 */ \
- "ld 3,72(11)\n\t" \
- "std 3,112(1)\n\t" \
- /* args1-8 */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(144) \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#define CALL_FN_W_12W(lval, orig, arg1,arg2,arg3,arg4,arg5,arg6, \
- arg7,arg8,arg9,arg10,arg11,arg12) \
- do { \
- volatile OrigFn _orig = (orig); \
- volatile unsigned long _argvec[3+12]; \
- volatile unsigned long _res; \
- /* _argvec[0] holds current r2 across the call */ \
- _argvec[1] = (unsigned long)_orig.r2; \
- _argvec[2] = (unsigned long)_orig.nraddr; \
- _argvec[2+1] = (unsigned long)arg1; \
- _argvec[2+2] = (unsigned long)arg2; \
- _argvec[2+3] = (unsigned long)arg3; \
- _argvec[2+4] = (unsigned long)arg4; \
- _argvec[2+5] = (unsigned long)arg5; \
- _argvec[2+6] = (unsigned long)arg6; \
- _argvec[2+7] = (unsigned long)arg7; \
- _argvec[2+8] = (unsigned long)arg8; \
- _argvec[2+9] = (unsigned long)arg9; \
- _argvec[2+10] = (unsigned long)arg10; \
- _argvec[2+11] = (unsigned long)arg11; \
- _argvec[2+12] = (unsigned long)arg12; \
- __asm__ volatile( \
- "mr 11,%1\n\t" \
- VG_EXPAND_FRAME_BY_trashes_r3(512) \
- "std 2,-16(11)\n\t" /* save tocptr */ \
- "ld 2,-8(11)\n\t" /* use nraddr's tocptr */ \
- VG_EXPAND_FRAME_BY_trashes_r3(144) \
- /* arg12 */ \
- "ld 3,96(11)\n\t" \
- "std 3,136(1)\n\t" \
- /* arg11 */ \
- "ld 3,88(11)\n\t" \
- "std 3,128(1)\n\t" \
- /* arg10 */ \
- "ld 3,80(11)\n\t" \
- "std 3,120(1)\n\t" \
- /* arg9 */ \
- "ld 3,72(11)\n\t" \
- "std 3,112(1)\n\t" \
- /* args1-8 */ \
- "ld 3, 8(11)\n\t" /* arg1->r3 */ \
- "ld 4, 16(11)\n\t" /* arg2->r4 */ \
- "ld 5, 24(11)\n\t" /* arg3->r5 */ \
- "ld 6, 32(11)\n\t" /* arg4->r6 */ \
- "ld 7, 40(11)\n\t" /* arg5->r7 */ \
- "ld 8, 48(11)\n\t" /* arg6->r8 */ \
- "ld 9, 56(11)\n\t" /* arg7->r9 */ \
- "ld 10, 64(11)\n\t" /* arg8->r10 */ \
- "ld 11, 0(11)\n\t" /* target->r11 */ \
- VALGRIND_BRANCH_AND_LINK_TO_NOREDIR_R11 \
- "mr 11,%1\n\t" \
- "mr %0,3\n\t" \
- "ld 2,-16(11)\n\t" /* restore tocptr */ \
- VG_CONTRACT_FRAME_BY(144) \
- VG_CONTRACT_FRAME_BY(512) \
- : /*out*/ "=r" (_res) \
- : /*in*/ "r" (&_argvec[2]) \
- : /*trash*/ "cc", "memory", __CALLER_SAVED_REGS \
- ); \
- lval = (__typeof__(lval)) _res; \
- } while (0)
-
-#endif /* PLAT_ppc64_aix5 */
-
-
-/* ------------------------------------------------------------------ */
-/* ARCHITECTURE INDEPENDENT MACROS for CLIENT REQUESTS. */
-/* */
-/* ------------------------------------------------------------------ */
-
-/* Some request codes. There are many more of these, but most are not
- exposed to end-user view. These are the public ones, all of the
- form 0x1000 + small_number.
-
- Core ones are in the range 0x00000000--0x0000ffff. The non-public
- ones start at 0x2000.
-*/
-
-/* These macros are used by tools -- they must be public, but don't
- embed them into other programs. */
-#define VG_USERREQ_TOOL_BASE(a,b) \
- ((unsigned int)(((a)&0xff) << 24 | ((b)&0xff) << 16))
-#define VG_IS_TOOL_USERREQ(a, b, v) \
- (VG_USERREQ_TOOL_BASE(a,b) == ((v) & 0xffff0000))
-
-/* !! ABIWARNING !! ABIWARNING !! ABIWARNING !! ABIWARNING !!
- This enum comprises an ABI exported by Valgrind to programs
- which use client requests. DO NOT CHANGE THE ORDER OF THESE
- ENTRIES, NOR DELETE ANY -- add new ones at the end. */
-typedef
- enum { VG_USERREQ__RUNNING_ON_VALGRIND = 0x1001,
- VG_USERREQ__DISCARD_TRANSLATIONS = 0x1002,
-
- /* These allow any function to be called from the simulated
- CPU but run on the real CPU. Nb: the first arg passed to
- the function is always the ThreadId of the running
- thread! So CLIENT_CALL0 actually requires a 1 arg
- function, etc. */
- VG_USERREQ__CLIENT_CALL0 = 0x1101,
- VG_USERREQ__CLIENT_CALL1 = 0x1102,
- VG_USERREQ__CLIENT_CALL2 = 0x1103,
- VG_USERREQ__CLIENT_CALL3 = 0x1104,
-
- /* Can be useful in regression testing suites -- eg. can
- send Valgrind's output to /dev/null and still count
- errors. */
- VG_USERREQ__COUNT_ERRORS = 0x1201,
-
- /* These are useful and can be interpreted by any tool that
- tracks malloc() et al, by using vg_replace_malloc.c. */
- VG_USERREQ__MALLOCLIKE_BLOCK = 0x1301,
- VG_USERREQ__FREELIKE_BLOCK = 0x1302,
- /* Memory pool support. */
- VG_USERREQ__CREATE_MEMPOOL = 0x1303,
- VG_USERREQ__DESTROY_MEMPOOL = 0x1304,
- VG_USERREQ__MEMPOOL_ALLOC = 0x1305,
- VG_USERREQ__MEMPOOL_FREE = 0x1306,
- VG_USERREQ__MEMPOOL_TRIM = 0x1307,
- VG_USERREQ__MOVE_MEMPOOL = 0x1308,
- VG_USERREQ__MEMPOOL_CHANGE = 0x1309,
- VG_USERREQ__MEMPOOL_EXISTS = 0x130a,
-
- /* Allow printfs to valgrind log. */
- /* The first two pass the va_list argument by value, which
- assumes it is the same size as or smaller than a UWord,
- which generally isn't the case. Hence are deprecated.
- The second two pass the vargs by reference and so are
- immune to this problem. */
- /* both :: char* fmt, va_list vargs (DEPRECATED) */
- VG_USERREQ__PRINTF = 0x1401,
- VG_USERREQ__PRINTF_BACKTRACE = 0x1402,
- /* both :: char* fmt, va_list* vargs */
- VG_USERREQ__PRINTF_VALIST_BY_REF = 0x1403,
- VG_USERREQ__PRINTF_BACKTRACE_VALIST_BY_REF = 0x1404,
-
- /* Stack support. */
- VG_USERREQ__STACK_REGISTER = 0x1501,
- VG_USERREQ__STACK_DEREGISTER = 0x1502,
- VG_USERREQ__STACK_CHANGE = 0x1503,
-
- /* Wine support */
- VG_USERREQ__LOAD_PDB_DEBUGINFO = 0x1601,
-
- /* Querying of debug info. */
- VG_USERREQ__MAP_IP_TO_SRCLOC = 0x1701
- } Vg_ClientRequest;
-
-#if !defined(__GNUC__)
-# define __extension__ /* */
-#endif
-
-
-/*
- * VALGRIND_DO_CLIENT_REQUEST_EXPR(): a C expression that invokes a Valgrind
- * client request and whose value equals the client request result.
- */
-
-#if defined(NVALGRIND)
-
-#define VALGRIND_DO_CLIENT_REQUEST_EXPR( \
- _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- (_zzq_default)
-
-#else /*defined(NVALGRIND)*/
-
-#if defined(_MSC_VER)
-
-#define VALGRIND_DO_CLIENT_REQUEST_EXPR( \
- _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- (vg_VALGRIND_DO_CLIENT_REQUEST_EXPR((uintptr_t)(_zzq_default), \
- (_zzq_request), (uintptr_t)(_zzq_arg1), (uintptr_t)(_zzq_arg2), \
- (uintptr_t)(_zzq_arg3), (uintptr_t)(_zzq_arg4), \
- (uintptr_t)(_zzq_arg5)))
-
-static __inline unsigned
-vg_VALGRIND_DO_CLIENT_REQUEST_EXPR(uintptr_t _zzq_default,
- unsigned _zzq_request, uintptr_t _zzq_arg1,
- uintptr_t _zzq_arg2, uintptr_t _zzq_arg3,
- uintptr_t _zzq_arg4, uintptr_t _zzq_arg5)
-{
- unsigned _zzq_rlval;
- VALGRIND_DO_CLIENT_REQUEST(_zzq_rlval, _zzq_default, _zzq_request,
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5);
- return _zzq_rlval;
-}
-
-#else /*defined(_MSC_VER)*/
-
-#define VALGRIND_DO_CLIENT_REQUEST_EXPR( \
- _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- (__extension__({unsigned int _zzq_rlval; \
- VALGRIND_DO_CLIENT_REQUEST(_zzq_rlval, _zzq_default, _zzq_request, \
- _zzq_arg1, _zzq_arg2, _zzq_arg3, _zzq_arg4, _zzq_arg5) \
- _zzq_rlval; \
- }))
-
-#endif /*defined(_MSC_VER)*/
-
-#endif /*defined(NVALGRIND)*/
-
-
-/* Returns the number of Valgrinds this code is running under. That
- is, 0 if running natively, 1 if running under Valgrind, 2 if
- running under Valgrind which is running under another Valgrind,
- etc. */
-#define RUNNING_ON_VALGRIND \
- VALGRIND_DO_CLIENT_REQUEST_EXPR(0 /* if not */, \
- VG_USERREQ__RUNNING_ON_VALGRIND, \
- 0, 0, 0, 0, 0) \
-
-
-/* Discard translation of code in the range [_qzz_addr .. _qzz_addr +
- _qzz_len - 1]. Useful if you are debugging a JITter or some such,
- since it provides a way to make sure valgrind will retranslate the
- invalidated area. Returns no value. */
-#define VALGRIND_DISCARD_TRANSLATIONS(_qzz_addr,_qzz_len) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__DISCARD_TRANSLATIONS, \
- _qzz_addr, _qzz_len, 0, 0, 0); \
- }
-
-
-/* These requests are for getting Valgrind itself to print something.
- Possibly with a backtrace. This is a really ugly hack. The return value
- is the number of characters printed, excluding the "**<pid>** " part at the
- start and the backtrace (if present). */
-
-#if defined(NVALGRIND)
-
-# define VALGRIND_PRINTF(...)
-# define VALGRIND_PRINTF_BACKTRACE(...)
-
-#else /* NVALGRIND */
-
-#if !defined(_MSC_VER)
-/* Modern GCC will optimize the static routine out if unused,
- and unused attribute will shut down warnings about it. */
-static int VALGRIND_PRINTF(const char *format, ...)
- __attribute__((format(__printf__, 1, 2), __unused__));
-#endif
-static int
-#if defined(_MSC_VER)
-__inline
-#endif
-VALGRIND_PRINTF(const char *format, ...)
-{
- unsigned long _qzz_res;
- va_list vargs;
- va_start(vargs, format);
-#if defined(_MSC_VER)
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,
- VG_USERREQ__PRINTF_VALIST_BY_REF,
- (uintptr_t)format,
- (uintptr_t)&vargs,
- 0, 0, 0);
-#else
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,
- VG_USERREQ__PRINTF_VALIST_BY_REF,
- (unsigned long)format,
- (unsigned long)&vargs,
- 0, 0, 0);
-#endif
- va_end(vargs);
- return (int)_qzz_res;
-}
-
-#if !defined(_MSC_VER)
-static int VALGRIND_PRINTF_BACKTRACE(const char *format, ...)
- __attribute__((format(__printf__, 1, 2), __unused__));
-#endif
-static int
-#if defined(_MSC_VER)
-__inline
-#endif
-VALGRIND_PRINTF_BACKTRACE(const char *format, ...)
-{
- unsigned long _qzz_res;
- va_list vargs;
- va_start(vargs, format);
-#if defined(_MSC_VER)
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,
- VG_USERREQ__PRINTF_BACKTRACE_VALIST_BY_REF,
- (uintptr_t)format,
- (uintptr_t)&vargs,
- 0, 0, 0);
-#else
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0,
- VG_USERREQ__PRINTF_BACKTRACE_VALIST_BY_REF,
- (unsigned long)format,
- (unsigned long)&vargs,
- 0, 0, 0);
-#endif
- va_end(vargs);
- return (int)_qzz_res;
-}
-
-#endif /* NVALGRIND */
-
-
-/* These requests allow control to move from the simulated CPU to the
- real CPU, calling an arbitary function.
-
- Note that the current ThreadId is inserted as the first argument.
- So this call:
-
- VALGRIND_NON_SIMD_CALL2(f, arg1, arg2)
-
- requires f to have this signature:
-
- Word f(Word tid, Word arg1, Word arg2)
-
- where "Word" is a word-sized type.
-
- Note that these client requests are not entirely reliable. For example,
- if you call a function with them that subsequently calls printf(),
- there's a high chance Valgrind will crash. Generally, your prospects of
- these working are made higher if the called function does not refer to
- any global variables, and does not refer to any libc or other functions
- (printf et al). Any kind of entanglement with libc or dynamic linking is
- likely to have a bad outcome, for tricky reasons which we've grappled
- with a lot in the past.
-*/
-#define VALGRIND_NON_SIMD_CALL0(_qyy_fn) \
- __extension__ \
- ({unsigned long _qyy_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \
- VG_USERREQ__CLIENT_CALL0, \
- _qyy_fn, \
- 0, 0, 0, 0); \
- _qyy_res; \
- })
-
-#define VALGRIND_NON_SIMD_CALL1(_qyy_fn, _qyy_arg1) \
- __extension__ \
- ({unsigned long _qyy_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \
- VG_USERREQ__CLIENT_CALL1, \
- _qyy_fn, \
- _qyy_arg1, 0, 0, 0); \
- _qyy_res; \
- })
-
-#define VALGRIND_NON_SIMD_CALL2(_qyy_fn, _qyy_arg1, _qyy_arg2) \
- __extension__ \
- ({unsigned long _qyy_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \
- VG_USERREQ__CLIENT_CALL2, \
- _qyy_fn, \
- _qyy_arg1, _qyy_arg2, 0, 0); \
- _qyy_res; \
- })
-
-#define VALGRIND_NON_SIMD_CALL3(_qyy_fn, _qyy_arg1, _qyy_arg2, _qyy_arg3) \
- __extension__ \
- ({unsigned long _qyy_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \
- VG_USERREQ__CLIENT_CALL3, \
- _qyy_fn, \
- _qyy_arg1, _qyy_arg2, \
- _qyy_arg3, 0); \
- _qyy_res; \
- })
-
-
-/* Counts the number of errors that have been recorded by a tool. Nb:
- the tool must record the errors with VG_(maybe_record_error)() or
- VG_(unique_error)() for them to be counted. */
-#define VALGRIND_COUNT_ERRORS \
- __extension__ \
- ({unsigned int _qyy_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qyy_res, 0 /* default return */, \
- VG_USERREQ__COUNT_ERRORS, \
- 0, 0, 0, 0, 0); \
- _qyy_res; \
- })
-
-/* Several Valgrind tools (Memcheck, Massif, Helgrind, DRD) rely on knowing
- when heap blocks are allocated in order to give accurate results. This
- happens automatically for the standard allocator functions such as
- malloc(), calloc(), realloc(), memalign(), new, new[], free(), delete,
- delete[], etc.
-
- But if your program uses a custom allocator, this doesn't automatically
- happen, and Valgrind will not do as well. For example, if you allocate
- superblocks with mmap() and then allocates chunks of the superblocks, all
- Valgrind's observations will be at the mmap() level and it won't know that
- the chunks should be considered separate entities. In Memcheck's case,
- that means you probably won't get heap block overrun detection (because
- there won't be redzones marked as unaddressable) and you definitely won't
- get any leak detection.
-
- The following client requests allow a custom allocator to be annotated so
- that it can be handled accurately by Valgrind.
-
- VALGRIND_MALLOCLIKE_BLOCK marks a region of memory as having been allocated
- by a malloc()-like function. For Memcheck (an illustrative case), this
- does two things:
-
- - It records that the block has been allocated. This means any addresses
- within the block mentioned in error messages will be
- identified as belonging to the block. It also means that if the block
- isn't freed it will be detected by the leak checker.
-
- - It marks the block as being addressable and undefined (if 'is_zeroed' is
- not set), or addressable and defined (if 'is_zeroed' is set). This
- controls how accesses to the block by the program are handled.
-
- 'addr' is the start of the usable block (ie. after any
- redzone), 'sizeB' is its size. 'rzB' is the redzone size if the allocator
- can apply redzones -- these are blocks of padding at the start and end of
- each block. Adding redzones is recommended as it makes it much more likely
- Valgrind will spot block overruns. `is_zeroed' indicates if the memory is
- zeroed (or filled with another predictable value), as is the case for
- calloc().
-
- VALGRIND_MALLOCLIKE_BLOCK should be put immediately after the point where a
- heap block -- that will be used by the client program -- is allocated.
- It's best to put it at the outermost level of the allocator if possible;
- for example, if you have a function my_alloc() which calls
- internal_alloc(), and the client request is put inside internal_alloc(),
- stack traces relating to the heap block will contain entries for both
- my_alloc() and internal_alloc(), which is probably not what you want.
-
- For Memcheck users: if you use VALGRIND_MALLOCLIKE_BLOCK to carve out
- custom blocks from within a heap block, B, that has been allocated with
- malloc/calloc/new/etc, then block B will be *ignored* during leak-checking
- -- the custom blocks will take precedence.
-
- VALGRIND_FREELIKE_BLOCK is the partner to VALGRIND_MALLOCLIKE_BLOCK. For
- Memcheck, it does two things:
-
- - It records that the block has been deallocated. This assumes that the
- block was annotated as having been allocated via
- VALGRIND_MALLOCLIKE_BLOCK. Otherwise, an error will be issued.
-
- - It marks the block as being unaddressable.
-
- VALGRIND_FREELIKE_BLOCK should be put immediately after the point where a
- heap block is deallocated.
-
- In many cases, these two client requests will not be enough to get your
- allocator working well with Memcheck. More specifically, if your allocator
- writes to freed blocks in any way then a VALGRIND_MAKE_MEM_UNDEFINED call
- will be necessary to mark the memory as addressable just before the zeroing
- occurs, otherwise you'll get a lot of invalid write errors. For example,
- you'll need to do this if your allocator recycles freed blocks, but it
- zeroes them before handing them back out (via VALGRIND_MALLOCLIKE_BLOCK).
- Alternatively, if your allocator reuses freed blocks for allocator-internal
- data structures, VALGRIND_MAKE_MEM_UNDEFINED calls will also be necessary.
-
- Really, what's happening is a blurring of the lines between the client
- program and the allocator... after VALGRIND_FREELIKE_BLOCK is called, the
- memory should be considered unaddressable to the client program, but the
- allocator knows more than the rest of the client program and so may be able
- to safely access it. Extra client requests are necessary for Valgrind to
- understand the distinction between the allocator and the rest of the
- program.
-
- Note: there is currently no VALGRIND_REALLOCLIKE_BLOCK client request; it
- has to be emulated with MALLOCLIKE/FREELIKE and memory copying.
-
- Ignored if addr == 0.
-*/
-#define VALGRIND_MALLOCLIKE_BLOCK(addr, sizeB, rzB, is_zeroed) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__MALLOCLIKE_BLOCK, \
- addr, sizeB, rzB, is_zeroed, 0); \
- }
-
-/* See the comment for VALGRIND_MALLOCLIKE_BLOCK for details.
- Ignored if addr == 0.
-*/
-#define VALGRIND_FREELIKE_BLOCK(addr, rzB) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__FREELIKE_BLOCK, \
- addr, rzB, 0, 0, 0); \
- }
-
-/* Create a memory pool. */
-#define VALGRIND_CREATE_MEMPOOL(pool, rzB, is_zeroed) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__CREATE_MEMPOOL, \
- pool, rzB, is_zeroed, 0, 0); \
- }
-
-/* Destroy a memory pool. */
-#define VALGRIND_DESTROY_MEMPOOL(pool) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__DESTROY_MEMPOOL, \
- pool, 0, 0, 0, 0); \
- }
-
-/* Associate a piece of memory with a memory pool. */
-#define VALGRIND_MEMPOOL_ALLOC(pool, addr, size) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__MEMPOOL_ALLOC, \
- pool, addr, size, 0, 0); \
- }
-
-/* Disassociate a piece of memory from a memory pool. */
-#define VALGRIND_MEMPOOL_FREE(pool, addr) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__MEMPOOL_FREE, \
- pool, addr, 0, 0, 0); \
- }
-
-/* Disassociate any pieces outside a particular range. */
-#define VALGRIND_MEMPOOL_TRIM(pool, addr, size) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__MEMPOOL_TRIM, \
- pool, addr, size, 0, 0); \
- }
-
-/* Resize and/or move a piece associated with a memory pool. */
-#define VALGRIND_MOVE_MEMPOOL(poolA, poolB) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__MOVE_MEMPOOL, \
- poolA, poolB, 0, 0, 0); \
- }
-
-/* Resize and/or move a piece associated with a memory pool. */
-#define VALGRIND_MEMPOOL_CHANGE(pool, addrA, addrB, size) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__MEMPOOL_CHANGE, \
- pool, addrA, addrB, size, 0); \
- }
-
-/* Return 1 if a mempool exists, else 0. */
-#define VALGRIND_MEMPOOL_EXISTS(pool) \
- __extension__ \
- ({unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__MEMPOOL_EXISTS, \
- pool, 0, 0, 0, 0); \
- _qzz_res; \
- })
-
-/* Mark a piece of memory as being a stack. Returns a stack id. */
-#define VALGRIND_STACK_REGISTER(start, end) \
- __extension__ \
- ({unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__STACK_REGISTER, \
- start, end, 0, 0, 0); \
- _qzz_res; \
- })
-
-/* Unmark the piece of memory associated with a stack id as being a
- stack. */
-#define VALGRIND_STACK_DEREGISTER(id) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__STACK_DEREGISTER, \
- id, 0, 0, 0, 0); \
- }
-
-/* Change the start and end address of the stack id. */
-#define VALGRIND_STACK_CHANGE(id, start, end) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__STACK_CHANGE, \
- id, start, end, 0, 0); \
- }
-
-/* Load PDB debug info for Wine PE image_map. */
-#define VALGRIND_LOAD_PDB_DEBUGINFO(fd, ptr, total_size, delta) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__LOAD_PDB_DEBUGINFO, \
- fd, ptr, total_size, delta, 0); \
- }
-
-/* Map a code address to a source file name and line number. buf64
- must point to a 64-byte buffer in the caller's address space. The
- result will be dumped in there and is guaranteed to be zero
- terminated. If no info is found, the first byte is set to zero. */
-#define VALGRIND_MAP_IP_TO_SRCLOC(addr, buf64) \
- {unsigned int _qzz_res; \
- VALGRIND_DO_CLIENT_REQUEST(_qzz_res, 0, \
- VG_USERREQ__MAP_IP_TO_SRCLOC, \
- addr, buf64, 0, 0, 0); \
- }
-
-
-#undef PLAT_x86_linux
-#undef PLAT_amd64_linux
-#undef PLAT_ppc32_linux
-#undef PLAT_ppc64_linux
-#undef PLAT_arm_linux
-#undef PLAT_ppc32_aix5
-#undef PLAT_ppc64_aix5
-
-#endif /* __VALGRIND_H */
diff --git a/security/sandbox/chromium/base/threading/platform_thread.h b/security/sandbox/chromium/base/threading/platform_thread.h
deleted file mode 100644
index e2b09bcb5..000000000
--- a/security/sandbox/chromium/base/threading/platform_thread.h
+++ /dev/null
@@ -1,199 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// WARNING: You should *NOT* be using this class directly. PlatformThread is
-// the low-level platform-specific abstraction to the OS's threading interface.
-// You should instead be using a message-loop driven Thread, see thread.h.
-
-#ifndef BASE_THREADING_PLATFORM_THREAD_H_
-#define BASE_THREADING_PLATFORM_THREAD_H_
-
-#include <stddef.h>
-
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "base/time/time.h"
-#include "build/build_config.h"
-
-#if defined(OS_WIN)
-#include <windows.h>
-#elif defined(OS_POSIX)
-#include <pthread.h>
-#include <unistd.h>
-#endif
-
-namespace base {
-
-// Used for logging. Always an integer value.
-#if defined(OS_WIN)
-typedef DWORD PlatformThreadId;
-#elif defined(OS_POSIX)
-typedef pid_t PlatformThreadId;
-#endif
-
-// Used for thread checking and debugging.
-// Meant to be as fast as possible.
-// These are produced by PlatformThread::CurrentRef(), and used to later
-// check if we are on the same thread or not by using ==. These are safe
-// to copy between threads, but can't be copied to another process as they
-// have no meaning there. Also, the internal identifier can be re-used
-// after a thread dies, so a PlatformThreadRef cannot be reliably used
-// to distinguish a new thread from an old, dead thread.
-class PlatformThreadRef {
- public:
-#if defined(OS_WIN)
- typedef DWORD RefType;
-#elif defined(OS_POSIX)
- typedef pthread_t RefType;
-#endif
- PlatformThreadRef()
- : id_(0) {
- }
-
- explicit PlatformThreadRef(RefType id)
- : id_(id) {
- }
-
- bool operator==(PlatformThreadRef other) const {
- return id_ == other.id_;
- }
-
- bool is_null() const {
- return id_ == 0;
- }
- private:
- RefType id_;
-};
-
-// Used to operate on threads.
-class PlatformThreadHandle {
- public:
-#if defined(OS_WIN)
- typedef void* Handle;
-#elif defined(OS_POSIX)
- typedef pthread_t Handle;
-#endif
-
- PlatformThreadHandle() : handle_(0) {}
-
- explicit PlatformThreadHandle(Handle handle) : handle_(handle) {}
-
- bool is_equal(const PlatformThreadHandle& other) const {
- return handle_ == other.handle_;
- }
-
- bool is_null() const {
- return !handle_;
- }
-
- Handle platform_handle() const {
- return handle_;
- }
-
- private:
- Handle handle_;
-};
-
-const PlatformThreadId kInvalidThreadId(0);
-
-// Valid values for priority of Thread::Options and SimpleThread::Options, and
-// SetCurrentThreadPriority(), listed in increasing order of importance.
-enum class ThreadPriority {
- // Suitable for threads that shouldn't disrupt high priority work.
- BACKGROUND,
- // Default priority level.
- NORMAL,
- // Suitable for threads which generate data for the display (at ~60Hz).
- DISPLAY,
- // Suitable for low-latency, glitch-resistant audio.
- REALTIME_AUDIO,
-};
-
-// A namespace for low-level thread functions.
-class BASE_EXPORT PlatformThread {
- public:
- // Implement this interface to run code on a background thread. Your
- // ThreadMain method will be called on the newly created thread.
- class BASE_EXPORT Delegate {
- public:
- virtual void ThreadMain() = 0;
-
- protected:
- virtual ~Delegate() {}
- };
-
- // Gets the current thread id, which may be useful for logging purposes.
- static PlatformThreadId CurrentId();
-
- // Gets the current thread reference, which can be used to check if
- // we're on the right thread quickly.
- static PlatformThreadRef CurrentRef();
-
- // Get the handle representing the current thread. On Windows, this is a
- // pseudo handle constant which will always represent the thread using it and
- // hence should not be shared with other threads nor be used to differentiate
- // the current thread from another.
- static PlatformThreadHandle CurrentHandle();
-
- // Yield the current thread so another thread can be scheduled.
- static void YieldCurrentThread();
-
- // Sleeps for the specified duration.
- static void Sleep(base::TimeDelta duration);
-
- // Sets the thread name visible to debuggers/tools. This has no effect
- // otherwise.
- static void SetName(const std::string& name);
-
- // Gets the thread name, if previously set by SetName.
- static const char* GetName();
-
- // Creates a new thread. The |stack_size| parameter can be 0 to indicate
- // that the default stack size should be used. Upon success,
- // |*thread_handle| will be assigned a handle to the newly created thread,
- // and |delegate|'s ThreadMain method will be executed on the newly created
- // thread.
- // NOTE: When you are done with the thread handle, you must call Join to
- // release system resources associated with the thread. You must ensure that
- // the Delegate object outlives the thread.
- static bool Create(size_t stack_size,
- Delegate* delegate,
- PlatformThreadHandle* thread_handle) {
- return CreateWithPriority(stack_size, delegate, thread_handle,
- ThreadPriority::NORMAL);
- }
-
- // CreateWithPriority() does the same thing as Create() except the priority of
- // the thread is set based on |priority|.
- static bool CreateWithPriority(size_t stack_size, Delegate* delegate,
- PlatformThreadHandle* thread_handle,
- ThreadPriority priority);
-
- // CreateNonJoinable() does the same thing as Create() except the thread
- // cannot be Join()'d. Therefore, it also does not output a
- // PlatformThreadHandle.
- static bool CreateNonJoinable(size_t stack_size, Delegate* delegate);
-
- // Joins with a thread created via the Create function. This function blocks
- // the caller until the designated thread exits. This will invalidate
- // |thread_handle|.
- static void Join(PlatformThreadHandle thread_handle);
-
- // Toggles the current thread's priority at runtime. A thread may not be able
- // to raise its priority back up after lowering it if the process does not
- // have a proper permission, e.g. CAP_SYS_NICE on Linux.
- // Since changing other threads' priority is not permitted in favor of
- // security, this interface is restricted to change only the current thread
- // priority (https://crbug.com/399473).
- static void SetCurrentThreadPriority(ThreadPriority priority);
-
- static ThreadPriority GetCurrentThreadPriority();
-
- private:
- DISALLOW_IMPLICIT_CONSTRUCTORS(PlatformThread);
-};
-
-} // namespace base
-
-#endif // BASE_THREADING_PLATFORM_THREAD_H_
diff --git a/security/sandbox/chromium/base/threading/platform_thread_internal_posix.cc b/security/sandbox/chromium/base/threading/platform_thread_internal_posix.cc
deleted file mode 100644
index 9af02044f..000000000
--- a/security/sandbox/chromium/base/threading/platform_thread_internal_posix.cc
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/threading/platform_thread_internal_posix.h"
-
-#include "base/logging.h"
-
-namespace base {
-
-namespace internal {
-
-int ThreadPriorityToNiceValue(ThreadPriority priority) {
- for (const ThreadPriorityToNiceValuePair& pair :
- kThreadPriorityToNiceValueMap) {
- if (pair.priority == priority)
- return pair.nice_value;
- }
- NOTREACHED() << "Unknown ThreadPriority";
- return 0;
-}
-
-ThreadPriority NiceValueToThreadPriority(int nice_value) {
- for (const ThreadPriorityToNiceValuePair& pair :
- kThreadPriorityToNiceValueMap) {
- if (pair.nice_value == nice_value)
- return pair.priority;
- }
- NOTREACHED() << "Unknown nice value";
- return ThreadPriority::NORMAL;
-}
-
-} // namespace internal
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/threading/platform_thread_internal_posix.h b/security/sandbox/chromium/base/threading/platform_thread_internal_posix.h
deleted file mode 100644
index 05a8d1e26..000000000
--- a/security/sandbox/chromium/base/threading/platform_thread_internal_posix.h
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_THREADING_PLATFORM_THREAD_INTERNAL_POSIX_H_
-#define BASE_THREADING_PLATFORM_THREAD_INTERNAL_POSIX_H_
-
-#include "base/threading/platform_thread.h"
-
-namespace base {
-
-namespace internal {
-
-struct ThreadPriorityToNiceValuePair {
- ThreadPriority priority;
- int nice_value;
-};
-extern const ThreadPriorityToNiceValuePair kThreadPriorityToNiceValueMap[4];
-
-// Returns the nice value matching |priority| based on the platform-specific
-// implementation of kThreadPriorityToNiceValueMap.
-int ThreadPriorityToNiceValue(ThreadPriority priority);
-
-// Returns the ThreadPrioirty matching |nice_value| based on the platform-
-// specific implementation of kThreadPriorityToNiceValueMap.
-ThreadPriority NiceValueToThreadPriority(int nice_value);
-
-// Allows platform specific tweaks to the generic POSIX solution for
-// SetCurrentThreadPriority. Returns true if the platform-specific
-// implementation handled this |priority| change, false if the generic
-// implementation should instead proceed.
-bool SetCurrentThreadPriorityForPlatform(ThreadPriority priority);
-
-// Returns true if there is a platform-specific ThreadPriority set on the
-// current thread (and returns the actual ThreadPriority via |priority|).
-// Returns false otherwise, leaving |priority| untouched.
-bool GetCurrentThreadPriorityForPlatform(ThreadPriority* priority);
-
-} // namespace internal
-
-} // namespace base
-
-#endif // BASE_THREADING_PLATFORM_THREAD_INTERNAL_POSIX_H_
diff --git a/security/sandbox/chromium/base/threading/platform_thread_linux.cc b/security/sandbox/chromium/base/threading/platform_thread_linux.cc
deleted file mode 100644
index 4057ede94..000000000
--- a/security/sandbox/chromium/base/threading/platform_thread_linux.cc
+++ /dev/null
@@ -1,120 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/threading/platform_thread.h"
-
-#include <errno.h>
-#include <sched.h>
-#include <stddef.h>
-
-#include "base/lazy_instance.h"
-#include "base/logging.h"
-#include "base/threading/platform_thread_internal_posix.h"
-#include "base/threading/thread_id_name_manager.h"
-#include "base/tracked_objects.h"
-#include "build/build_config.h"
-
-#if !defined(OS_NACL)
-#include <pthread.h>
-#include <sys/prctl.h>
-#include <sys/types.h>
-#include <unistd.h>
-#endif
-
-namespace base {
-
-namespace internal {
-
-namespace {
-#if !defined(OS_NACL)
-const struct sched_param kRealTimePrio = {8};
-const struct sched_param kResetPrio = {0};
-#endif
-} // namespace
-
-const ThreadPriorityToNiceValuePair kThreadPriorityToNiceValueMap[4] = {
- {ThreadPriority::BACKGROUND, 10},
- {ThreadPriority::NORMAL, 0},
- {ThreadPriority::DISPLAY, -6},
- {ThreadPriority::REALTIME_AUDIO, -10},
-};
-
-bool SetCurrentThreadPriorityForPlatform(ThreadPriority priority) {
-#if !defined(OS_NACL)
- ThreadPriority current_priority;
- if (priority != ThreadPriority::REALTIME_AUDIO &&
- GetCurrentThreadPriorityForPlatform(&current_priority) &&
- current_priority == ThreadPriority::REALTIME_AUDIO) {
- // If the pthread's round-robin scheduler is already enabled, and the new
- // priority will use setpriority() instead, the pthread scheduler should be
- // reset to use SCHED_OTHER so that setpriority() just works.
- pthread_setschedparam(pthread_self(), SCHED_OTHER, &kResetPrio);
- return false;
- }
- return priority == ThreadPriority::REALTIME_AUDIO &&
- pthread_setschedparam(pthread_self(), SCHED_RR, &kRealTimePrio) == 0;
-#else
- return false;
-#endif
-}
-
-bool GetCurrentThreadPriorityForPlatform(ThreadPriority* priority) {
-#if !defined(OS_NACL)
- int maybe_sched_rr = 0;
- struct sched_param maybe_realtime_prio = {0};
- if (pthread_getschedparam(pthread_self(), &maybe_sched_rr,
- &maybe_realtime_prio) == 0 &&
- maybe_sched_rr == SCHED_RR &&
- maybe_realtime_prio.sched_priority == kRealTimePrio.sched_priority) {
- *priority = ThreadPriority::REALTIME_AUDIO;
- return true;
- }
-#endif
- return false;
-}
-
-} // namespace internal
-
-// static
-void PlatformThread::SetName(const std::string& name) {
- ThreadIdNameManager::GetInstance()->SetName(CurrentId(), name);
- tracked_objects::ThreadData::InitializeThreadContext(name);
-
-#if !defined(OS_NACL)
- // On linux we can get the thread names to show up in the debugger by setting
- // the process name for the LWP. We don't want to do this for the main
- // thread because that would rename the process, causing tools like killall
- // to stop working.
- if (PlatformThread::CurrentId() == getpid())
- return;
-
- // http://0pointer.de/blog/projects/name-your-threads.html
- // Set the name for the LWP (which gets truncated to 15 characters).
- // Note that glibc also has a 'pthread_setname_np' api, but it may not be
- // available everywhere and it's only benefit over using prctl directly is
- // that it can set the name of threads other than the current thread.
- int err = prctl(PR_SET_NAME, name.c_str());
- // We expect EPERM failures in sandboxed processes, just ignore those.
- if (err < 0 && errno != EPERM)
- DPLOG(ERROR) << "prctl(PR_SET_NAME)";
-#endif // !defined(OS_NACL)
-}
-
-void InitThreading() {}
-
-void InitOnThread() {}
-
-void TerminateOnThread() {}
-
-size_t GetDefaultThreadStackSize(const pthread_attr_t& attributes) {
-#if !defined(THREAD_SANITIZER)
- return 0;
-#else
- // ThreadSanitizer bloats the stack heavily. Evidence has been that the
- // default stack size isn't enough for some browser tests.
- return 2 * (1 << 23); // 2 times 8192K (the default stack size on Linux).
-#endif
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/threading/platform_thread_posix.cc b/security/sandbox/chromium/base/threading/platform_thread_posix.cc
deleted file mode 100644
index 39a007316..000000000
--- a/security/sandbox/chromium/base/threading/platform_thread_posix.cc
+++ /dev/null
@@ -1,263 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/threading/platform_thread.h"
-
-#include <errno.h>
-#include <pthread.h>
-#include <sched.h>
-#include <stddef.h>
-#include <stdint.h>
-#include <sys/resource.h>
-#include <sys/time.h>
-
-#include "base/lazy_instance.h"
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/threading/platform_thread_internal_posix.h"
-#include "base/threading/thread_id_name_manager.h"
-#include "base/threading/thread_restrictions.h"
-#include "build/build_config.h"
-
-#if defined(OS_LINUX)
-#include <sys/syscall.h>
-#elif defined(OS_ANDROID)
-#include <sys/types.h>
-#endif
-
-namespace base {
-
-void InitThreading();
-void InitOnThread();
-void TerminateOnThread();
-size_t GetDefaultThreadStackSize(const pthread_attr_t& attributes);
-
-namespace {
-
-struct ThreadParams {
- ThreadParams()
- : delegate(NULL), joinable(false), priority(ThreadPriority::NORMAL) {}
-
- PlatformThread::Delegate* delegate;
- bool joinable;
- ThreadPriority priority;
-};
-
-void* ThreadFunc(void* params) {
- base::InitOnThread();
-
- PlatformThread::Delegate* delegate = nullptr;
-
- {
- scoped_ptr<ThreadParams> thread_params(static_cast<ThreadParams*>(params));
-
- delegate = thread_params->delegate;
- if (!thread_params->joinable)
- base::ThreadRestrictions::SetSingletonAllowed(false);
-
- if (thread_params->priority != ThreadPriority::NORMAL)
- PlatformThread::SetCurrentThreadPriority(thread_params->priority);
- }
-
- ThreadIdNameManager::GetInstance()->RegisterThread(
- PlatformThread::CurrentHandle().platform_handle(),
- PlatformThread::CurrentId());
-
- delegate->ThreadMain();
-
- ThreadIdNameManager::GetInstance()->RemoveName(
- PlatformThread::CurrentHandle().platform_handle(),
- PlatformThread::CurrentId());
-
- base::TerminateOnThread();
- return NULL;
-}
-
-bool CreateThread(size_t stack_size,
- bool joinable,
- PlatformThread::Delegate* delegate,
- PlatformThreadHandle* thread_handle,
- ThreadPriority priority) {
- DCHECK(thread_handle);
- base::InitThreading();
-
- pthread_attr_t attributes;
- pthread_attr_init(&attributes);
-
- // Pthreads are joinable by default, so only specify the detached
- // attribute if the thread should be non-joinable.
- if (!joinable)
- pthread_attr_setdetachstate(&attributes, PTHREAD_CREATE_DETACHED);
-
- // Get a better default if available.
- if (stack_size == 0)
- stack_size = base::GetDefaultThreadStackSize(attributes);
-
- if (stack_size > 0)
- pthread_attr_setstacksize(&attributes, stack_size);
-
- scoped_ptr<ThreadParams> params(new ThreadParams);
- params->delegate = delegate;
- params->joinable = joinable;
- params->priority = priority;
-
- pthread_t handle;
- int err = pthread_create(&handle, &attributes, ThreadFunc, params.get());
- bool success = !err;
- if (success) {
- // ThreadParams should be deleted on the created thread after used.
- ignore_result(params.release());
- } else {
- // Value of |handle| is undefined if pthread_create fails.
- handle = 0;
- errno = err;
- PLOG(ERROR) << "pthread_create";
- }
- *thread_handle = PlatformThreadHandle(handle);
-
- pthread_attr_destroy(&attributes);
-
- return success;
-}
-
-} // namespace
-
-// static
-PlatformThreadId PlatformThread::CurrentId() {
- // Pthreads doesn't have the concept of a thread ID, so we have to reach down
- // into the kernel.
-#if defined(OS_MACOSX)
- return pthread_mach_thread_np(pthread_self());
-#elif defined(OS_LINUX)
- return syscall(__NR_gettid);
-#elif defined(OS_ANDROID)
- return gettid();
-#elif defined(OS_SOLARIS) || defined(OS_QNX)
- return pthread_self();
-#elif defined(OS_NACL) && defined(__GLIBC__)
- return pthread_self();
-#elif defined(OS_NACL) && !defined(__GLIBC__)
- // Pointers are 32-bits in NaCl.
- return reinterpret_cast<int32_t>(pthread_self());
-#elif defined(OS_POSIX)
- return reinterpret_cast<int64_t>(pthread_self());
-#endif
-}
-
-// static
-PlatformThreadRef PlatformThread::CurrentRef() {
- return PlatformThreadRef(pthread_self());
-}
-
-// static
-PlatformThreadHandle PlatformThread::CurrentHandle() {
- return PlatformThreadHandle(pthread_self());
-}
-
-// static
-void PlatformThread::YieldCurrentThread() {
- sched_yield();
-}
-
-// static
-void PlatformThread::Sleep(TimeDelta duration) {
- struct timespec sleep_time, remaining;
-
- // Break the duration into seconds and nanoseconds.
- // NOTE: TimeDelta's microseconds are int64s while timespec's
- // nanoseconds are longs, so this unpacking must prevent overflow.
- sleep_time.tv_sec = duration.InSeconds();
- duration -= TimeDelta::FromSeconds(sleep_time.tv_sec);
- sleep_time.tv_nsec = duration.InMicroseconds() * 1000; // nanoseconds
-
- while (nanosleep(&sleep_time, &remaining) == -1 && errno == EINTR)
- sleep_time = remaining;
-}
-
-// static
-const char* PlatformThread::GetName() {
- return ThreadIdNameManager::GetInstance()->GetName(CurrentId());
-}
-
-// static
-bool PlatformThread::CreateWithPriority(size_t stack_size, Delegate* delegate,
- PlatformThreadHandle* thread_handle,
- ThreadPriority priority) {
- return CreateThread(stack_size, true, // joinable thread
- delegate, thread_handle, priority);
-}
-
-// static
-bool PlatformThread::CreateNonJoinable(size_t stack_size, Delegate* delegate) {
- PlatformThreadHandle unused;
-
- bool result = CreateThread(stack_size, false /* non-joinable thread */,
- delegate, &unused, ThreadPriority::NORMAL);
- return result;
-}
-
-// static
-void PlatformThread::Join(PlatformThreadHandle thread_handle) {
- // Joining another thread may block the current thread for a long time, since
- // the thread referred to by |thread_handle| may still be running long-lived /
- // blocking tasks.
- base::ThreadRestrictions::AssertIOAllowed();
- CHECK_EQ(0, pthread_join(thread_handle.platform_handle(), NULL));
-}
-
-// Mac has its own Set/GetCurrentThreadPriority() implementations.
-#if !defined(OS_MACOSX)
-
-// static
-void PlatformThread::SetCurrentThreadPriority(ThreadPriority priority) {
-#if defined(OS_NACL)
- NOTIMPLEMENTED();
-#else
- if (internal::SetCurrentThreadPriorityForPlatform(priority))
- return;
-
- // setpriority(2) should change the whole thread group's (i.e. process)
- // priority. However, as stated in the bugs section of
- // http://man7.org/linux/man-pages/man2/getpriority.2.html: "under the current
- // Linux/NPTL implementation of POSIX threads, the nice value is a per-thread
- // attribute". Also, 0 is prefered to the current thread id since it is
- // equivalent but makes sandboxing easier (https://crbug.com/399473).
- const int nice_setting = internal::ThreadPriorityToNiceValue(priority);
- if (setpriority(PRIO_PROCESS, 0, nice_setting)) {
- DVPLOG(1) << "Failed to set nice value of thread ("
- << PlatformThread::CurrentId() << ") to " << nice_setting;
- }
-#endif // defined(OS_NACL)
-}
-
-// static
-ThreadPriority PlatformThread::GetCurrentThreadPriority() {
-#if defined(OS_NACL)
- NOTIMPLEMENTED();
- return ThreadPriority::NORMAL;
-#else
- // Mirrors SetCurrentThreadPriority()'s implementation.
- ThreadPriority platform_specific_priority;
- if (internal::GetCurrentThreadPriorityForPlatform(
- &platform_specific_priority)) {
- return platform_specific_priority;
- }
-
- // Need to clear errno before calling getpriority():
- // http://man7.org/linux/man-pages/man2/getpriority.2.html
- errno = 0;
- int nice_value = getpriority(PRIO_PROCESS, 0);
- if (errno != 0) {
- DVPLOG(1) << "Failed to get nice value of thread ("
- << PlatformThread::CurrentId() << ")";
- return ThreadPriority::NORMAL;
- }
-
- return internal::NiceValueToThreadPriority(nice_value);
-#endif // !defined(OS_NACL)
-}
-
-#endif // !defined(OS_MACOSX)
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/threading/platform_thread_win.cc b/security/sandbox/chromium/base/threading/platform_thread_win.cc
deleted file mode 100644
index d5bd9bed0..000000000
--- a/security/sandbox/chromium/base/threading/platform_thread_win.cc
+++ /dev/null
@@ -1,284 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/threading/platform_thread.h"
-
-#include <stddef.h>
-
-#include "base/debug/alias.h"
-#include "base/debug/profiler.h"
-#include "base/logging.h"
-#include "base/threading/thread_id_name_manager.h"
-#include "base/threading/thread_restrictions.h"
-#include "base/tracked_objects.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-
-namespace base {
-
-namespace {
-
-// The information on how to set the thread name comes from
-// a MSDN article: http://msdn2.microsoft.com/en-us/library/xcb2z8hs.aspx
-const DWORD kVCThreadNameException = 0x406D1388;
-
-typedef struct tagTHREADNAME_INFO {
- DWORD dwType; // Must be 0x1000.
- LPCSTR szName; // Pointer to name (in user addr space).
- DWORD dwThreadID; // Thread ID (-1=caller thread).
- DWORD dwFlags; // Reserved for future use, must be zero.
-} THREADNAME_INFO;
-
-// This function has try handling, so it is separated out of its caller.
-void SetNameInternal(PlatformThreadId thread_id, const char* name) {
- THREADNAME_INFO info;
- info.dwType = 0x1000;
- info.szName = name;
- info.dwThreadID = thread_id;
- info.dwFlags = 0;
-
- __try {
- RaiseException(kVCThreadNameException, 0, sizeof(info)/sizeof(DWORD),
- reinterpret_cast<DWORD_PTR*>(&info));
- } __except(EXCEPTION_CONTINUE_EXECUTION) {
- }
-}
-
-struct ThreadParams {
- PlatformThread::Delegate* delegate;
- bool joinable;
- ThreadPriority priority;
-};
-
-DWORD __stdcall ThreadFunc(void* params) {
- ThreadParams* thread_params = static_cast<ThreadParams*>(params);
- PlatformThread::Delegate* delegate = thread_params->delegate;
- if (!thread_params->joinable)
- base::ThreadRestrictions::SetSingletonAllowed(false);
-
- if (thread_params->priority != ThreadPriority::NORMAL)
- PlatformThread::SetCurrentThreadPriority(thread_params->priority);
-
- // Retrieve a copy of the thread handle to use as the key in the
- // thread name mapping.
- PlatformThreadHandle::Handle platform_handle;
- BOOL did_dup = DuplicateHandle(GetCurrentProcess(),
- GetCurrentThread(),
- GetCurrentProcess(),
- &platform_handle,
- 0,
- FALSE,
- DUPLICATE_SAME_ACCESS);
-
- win::ScopedHandle scoped_platform_handle;
-
- if (did_dup) {
- scoped_platform_handle.Set(platform_handle);
- ThreadIdNameManager::GetInstance()->RegisterThread(
- scoped_platform_handle.Get(),
- PlatformThread::CurrentId());
- }
-
- delete thread_params;
- delegate->ThreadMain();
-
- if (did_dup) {
- ThreadIdNameManager::GetInstance()->RemoveName(
- scoped_platform_handle.Get(),
- PlatformThread::CurrentId());
- }
-
- return 0;
-}
-
-// CreateThreadInternal() matches PlatformThread::CreateWithPriority(), except
-// that |out_thread_handle| may be nullptr, in which case a non-joinable thread
-// is created.
-bool CreateThreadInternal(size_t stack_size,
- PlatformThread::Delegate* delegate,
- PlatformThreadHandle* out_thread_handle,
- ThreadPriority priority) {
- unsigned int flags = 0;
- if (stack_size > 0 && base::win::GetVersion() >= base::win::VERSION_XP) {
- flags = STACK_SIZE_PARAM_IS_A_RESERVATION;
- } else {
- stack_size = 0;
- }
-
- ThreadParams* params = new ThreadParams;
- params->delegate = delegate;
- params->joinable = out_thread_handle != nullptr;
- params->priority = priority;
-
- // Using CreateThread here vs _beginthreadex makes thread creation a bit
- // faster and doesn't require the loader lock to be available. Our code will
- // have to work running on CreateThread() threads anyway, since we run code
- // on the Windows thread pool, etc. For some background on the difference:
- // http://www.microsoft.com/msj/1099/win32/win321099.aspx
- void* thread_handle =
- ::CreateThread(nullptr, stack_size, ThreadFunc, params, flags, nullptr);
- if (!thread_handle) {
- delete params;
- return false;
- }
-
- if (out_thread_handle)
- *out_thread_handle = PlatformThreadHandle(thread_handle);
- else
- CloseHandle(thread_handle);
- return true;
-}
-
-} // namespace
-
-// static
-PlatformThreadId PlatformThread::CurrentId() {
- return ::GetCurrentThreadId();
-}
-
-// static
-PlatformThreadRef PlatformThread::CurrentRef() {
- return PlatformThreadRef(::GetCurrentThreadId());
-}
-
-// static
-PlatformThreadHandle PlatformThread::CurrentHandle() {
- return PlatformThreadHandle(::GetCurrentThread());
-}
-
-// static
-void PlatformThread::YieldCurrentThread() {
- ::Sleep(0);
-}
-
-// static
-void PlatformThread::Sleep(TimeDelta duration) {
- // When measured with a high resolution clock, Sleep() sometimes returns much
- // too early. We may need to call it repeatedly to get the desired duration.
- TimeTicks end = TimeTicks::Now() + duration;
- for (TimeTicks now = TimeTicks::Now(); now < end; now = TimeTicks::Now())
- ::Sleep(static_cast<DWORD>((end - now).InMillisecondsRoundedUp()));
-}
-
-// static
-void PlatformThread::SetName(const std::string& name) {
- ThreadIdNameManager::GetInstance()->SetName(CurrentId(), name);
-
- // On Windows only, we don't need to tell the profiler about the "BrokerEvent"
- // thread, as it exists only in the chrome.exe image, and never spawns or runs
- // tasks (items which could be profiled). This test avoids the notification,
- // which would also (as a side effect) initialize the profiler in this unused
- // context, including setting up thread local storage, etc. The performance
- // impact is not terrible, but there is no reason to do initialize it.
- if (name != "BrokerEvent")
- tracked_objects::ThreadData::InitializeThreadContext(name);
-
- // The debugger needs to be around to catch the name in the exception. If
- // there isn't a debugger, we are just needlessly throwing an exception.
- // If this image file is instrumented, we raise the exception anyway
- // to provide the profiler with human-readable thread names.
- if (!::IsDebuggerPresent() && !base::debug::IsBinaryInstrumented())
- return;
-
- SetNameInternal(CurrentId(), name.c_str());
-}
-
-// static
-const char* PlatformThread::GetName() {
- return ThreadIdNameManager::GetInstance()->GetName(CurrentId());
-}
-
-// static
-bool PlatformThread::CreateWithPriority(size_t stack_size, Delegate* delegate,
- PlatformThreadHandle* thread_handle,
- ThreadPriority priority) {
- DCHECK(thread_handle);
- return CreateThreadInternal(stack_size, delegate, thread_handle, priority);
-}
-
-// static
-bool PlatformThread::CreateNonJoinable(size_t stack_size, Delegate* delegate) {
- return CreateThreadInternal(stack_size, delegate, nullptr,
- ThreadPriority::NORMAL);
-}
-
-// static
-void PlatformThread::Join(PlatformThreadHandle thread_handle) {
- DCHECK(thread_handle.platform_handle());
- // TODO(willchan): Enable this check once I can get it to work for Windows
- // shutdown.
- // Joining another thread may block the current thread for a long time, since
- // the thread referred to by |thread_handle| may still be running long-lived /
- // blocking tasks.
-#if 0
- base::ThreadRestrictions::AssertIOAllowed();
-#endif
-
- // Wait for the thread to exit. It should already have terminated but make
- // sure this assumption is valid.
- DWORD result = WaitForSingleObject(thread_handle.platform_handle(), INFINITE);
- if (result != WAIT_OBJECT_0) {
- // Debug info for bug 127931.
- DWORD error = GetLastError();
- debug::Alias(&error);
- debug::Alias(&result);
- CHECK(false);
- }
-
- CloseHandle(thread_handle.platform_handle());
-}
-
-// static
-void PlatformThread::SetCurrentThreadPriority(ThreadPriority priority) {
- int desired_priority = THREAD_PRIORITY_ERROR_RETURN;
- switch (priority) {
- case ThreadPriority::BACKGROUND:
- desired_priority = THREAD_PRIORITY_LOWEST;
- break;
- case ThreadPriority::NORMAL:
- desired_priority = THREAD_PRIORITY_NORMAL;
- break;
- case ThreadPriority::DISPLAY:
- desired_priority = THREAD_PRIORITY_ABOVE_NORMAL;
- break;
- case ThreadPriority::REALTIME_AUDIO:
- desired_priority = THREAD_PRIORITY_TIME_CRITICAL;
- break;
- default:
- NOTREACHED() << "Unknown priority.";
- break;
- }
- DCHECK_NE(desired_priority, THREAD_PRIORITY_ERROR_RETURN);
-
-#ifndef NDEBUG
- const BOOL success =
-#endif
- ::SetThreadPriority(PlatformThread::CurrentHandle().platform_handle(),
- desired_priority);
- DPLOG_IF(ERROR, !success) << "Failed to set thread priority to "
- << desired_priority;
-}
-
-// static
-ThreadPriority PlatformThread::GetCurrentThreadPriority() {
- int priority =
- ::GetThreadPriority(PlatformThread::CurrentHandle().platform_handle());
- switch (priority) {
- case THREAD_PRIORITY_LOWEST:
- return ThreadPriority::BACKGROUND;
- case THREAD_PRIORITY_NORMAL:
- return ThreadPriority::NORMAL;
- case THREAD_PRIORITY_ABOVE_NORMAL:
- return ThreadPriority::DISPLAY;
- case THREAD_PRIORITY_TIME_CRITICAL:
- return ThreadPriority::REALTIME_AUDIO;
- case THREAD_PRIORITY_ERROR_RETURN:
- DPCHECK(false) << "GetThreadPriority error"; // Falls through.
- default:
- NOTREACHED() << "Unexpected priority: " << priority;
- return ThreadPriority::NORMAL;
- }
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/threading/sequenced_worker_pool.h b/security/sandbox/chromium/base/threading/sequenced_worker_pool.h
deleted file mode 100644
index ba0e44421..000000000
--- a/security/sandbox/chromium/base/threading/sequenced_worker_pool.h
+++ /dev/null
@@ -1,384 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_THREADING_SEQUENCED_WORKER_POOL_H_
-#define BASE_THREADING_SEQUENCED_WORKER_POOL_H_
-
-#include <stddef.h>
-
-#include <cstddef>
-#include <string>
-
-#include "base/base_export.h"
-#include "base/callback_forward.h"
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/single_thread_task_runner.h"
-#include "base/task_runner.h"
-
-namespace tracked_objects {
-class Location;
-} // namespace tracked_objects
-
-namespace base {
-
-class SingleThreadTaskRunner;
-
-template <class T> class DeleteHelper;
-
-class SequencedTaskRunner;
-
-// A worker thread pool that enforces ordering between sets of tasks. It also
-// allows you to specify what should happen to your tasks on shutdown.
-//
-// To enforce ordering, get a unique sequence token from the pool and post all
-// tasks you want to order with the token. All tasks with the same token are
-// guaranteed to execute serially, though not necessarily on the same thread.
-// This means that:
-//
-// - No two tasks with the same token will run at the same time.
-//
-// - Given two tasks T1 and T2 with the same token such that T2 will
-// run after T1, then T2 will start after T1 is destroyed.
-//
-// - If T2 will run after T1, then all memory changes in T1 and T1's
-// destruction will be visible to T2.
-//
-// Example:
-// SequencedWorkerPool::SequenceToken token =
-// SequencedWorkerPool::GetSequenceToken();
-// pool.PostSequencedWorkerTask(token, SequencedWorkerPool::SKIP_ON_SHUTDOWN,
-// FROM_HERE, base::Bind(...));
-// pool.PostSequencedWorkerTask(token, SequencedWorkerPool::SKIP_ON_SHUTDOWN,
-// FROM_HERE, base::Bind(...));
-//
-// You can make named sequence tokens to make it easier to share a token
-// across different components.
-//
-// You can also post tasks to the pool without ordering using PostWorkerTask.
-// These will be executed in an unspecified order. The order of execution
-// between tasks with different sequence tokens is also unspecified.
-//
-// This class may be leaked on shutdown to facilitate fast shutdown. The
-// expected usage, however, is to call Shutdown(), which correctly accounts
-// for CONTINUE_ON_SHUTDOWN behavior and is required for BLOCK_SHUTDOWN
-// behavior.
-//
-// Implementation note: This does not use a base::WorkerPool since that does
-// not enforce shutdown semantics or allow us to specify how many worker
-// threads to run. For the typical use case of random background work, we don't
-// necessarily want to be super aggressive about creating threads.
-//
-// Note that SequencedWorkerPool is RefCountedThreadSafe (inherited
-// from TaskRunner).
-//
-// Test-only code should wrap this in a base::SequencedWorkerPoolOwner to avoid
-// memory leaks. See http://crbug.com/273800
-class BASE_EXPORT SequencedWorkerPool : public TaskRunner {
- public:
- // Defines what should happen to a task posted to the worker pool on
- // shutdown.
- enum WorkerShutdown {
- // Tasks posted with this mode which have not run at shutdown will be
- // deleted rather than run, and any tasks with this mode running at
- // shutdown will be ignored (the worker thread will not be joined).
- //
- // This option provides a nice way to post stuff you don't want blocking
- // shutdown. For example, you might be doing a slow DNS lookup and if it's
- // blocked on the OS, you may not want to stop shutdown, since the result
- // doesn't really matter at that point.
- //
- // However, you need to be very careful what you do in your callback when
- // you use this option. Since the thread will continue to run until the OS
- // terminates the process, the app can be in the process of tearing down
- // when you're running. This means any singletons or global objects you
- // use may suddenly become invalid out from under you. For this reason,
- // it's best to use this only for slow but simple operations like the DNS
- // example.
- CONTINUE_ON_SHUTDOWN,
-
- // Tasks posted with this mode that have not started executing at
- // shutdown will be deleted rather than executed. However, any tasks that
- // have already begun executing when shutdown is called will be allowed
- // to continue, and will block shutdown until completion.
- //
- // Note: Because Shutdown() may block while these tasks are executing,
- // care must be taken to ensure that they do not block on the thread that
- // called Shutdown(), as this may lead to deadlock.
- SKIP_ON_SHUTDOWN,
-
- // Tasks posted with this mode will block shutdown until they're
- // executed. Since this can have significant performance implications,
- // use sparingly.
- //
- // Generally, this should be used only for user data, for example, a task
- // writing a preference file.
- //
- // If a task is posted during shutdown, it will not get run since the
- // workers may already be stopped. In this case, the post operation will
- // fail (return false) and the task will be deleted.
- BLOCK_SHUTDOWN,
- };
-
- // Opaque identifier that defines sequencing of tasks posted to the worker
- // pool.
- class BASE_EXPORT SequenceToken {
- public:
- SequenceToken() : id_(0) {}
- ~SequenceToken() {}
-
- bool Equals(const SequenceToken& other) const {
- return id_ == other.id_;
- }
-
- // Returns false if current thread is executing an unsequenced task.
- bool IsValid() const {
- return id_ != 0;
- }
-
- // Returns a string representation of this token. This method should only be
- // used for debugging.
- std::string ToString() const;
-
- private:
- friend class SequencedWorkerPool;
-
- explicit SequenceToken(int id) : id_(id) {}
-
- int id_;
- };
-
- // Allows tests to perform certain actions.
- class TestingObserver {
- public:
- virtual ~TestingObserver() {}
- virtual void OnHasWork() = 0;
- virtual void WillWaitForShutdown() = 0;
- virtual void OnDestruct() = 0;
- };
-
- // Gets the SequencedToken of the current thread.
- // If current thread is not a SequencedWorkerPool worker thread or is running
- // an unsequenced task, returns an invalid SequenceToken.
- static SequenceToken GetSequenceTokenForCurrentThread();
-
- // Gets a SequencedTaskRunner for the current thread. If the current thread is
- // running an unsequenced task, a new SequenceToken will be generated and set,
- // so that the returned SequencedTaskRunner is guaranteed to run tasks after
- // the current task has finished running.
- static scoped_refptr<SequencedTaskRunner>
- GetSequencedTaskRunnerForCurrentThread();
-
- // Returns a unique token that can be used to sequence tasks posted to
- // PostSequencedWorkerTask(). Valid tokens are always nonzero.
- // TODO(bauerb): Rename this to better differentiate from
- // GetSequenceTokenForCurrentThread().
- static SequenceToken GetSequenceToken();
-
- // Returns the SequencedWorkerPool that owns this thread, or null if the
- // current thread is not a SequencedWorkerPool worker thread.
- static scoped_refptr<SequencedWorkerPool> GetWorkerPoolForCurrentThread();
-
- // When constructing a SequencedWorkerPool, there must be a
- // ThreadTaskRunnerHandle on the current thread unless you plan to
- // deliberately leak it.
-
- // Pass the maximum number of threads (they will be lazily created as needed)
- // and a prefix for the thread name to aid in debugging.
- SequencedWorkerPool(size_t max_threads,
- const std::string& thread_name_prefix);
-
- // Like above, but with |observer| for testing. Does not take ownership of
- // |observer|.
- SequencedWorkerPool(size_t max_threads,
- const std::string& thread_name_prefix,
- TestingObserver* observer);
-
- // Returns the sequence token associated with the given name. Calling this
- // function multiple times with the same string will always produce the
- // same sequence token. If the name has not been used before, a new token
- // will be created.
- SequenceToken GetNamedSequenceToken(const std::string& name);
-
- // Returns a SequencedTaskRunner wrapper which posts to this
- // SequencedWorkerPool using the given sequence token. Tasks with nonzero
- // delay are posted with SKIP_ON_SHUTDOWN behavior and tasks with zero delay
- // are posted with BLOCK_SHUTDOWN behavior.
- scoped_refptr<SequencedTaskRunner> GetSequencedTaskRunner(
- SequenceToken token);
-
- // Returns a SequencedTaskRunner wrapper which posts to this
- // SequencedWorkerPool using the given sequence token. Tasks with nonzero
- // delay are posted with SKIP_ON_SHUTDOWN behavior and tasks with zero delay
- // are posted with the given shutdown behavior.
- scoped_refptr<SequencedTaskRunner> GetSequencedTaskRunnerWithShutdownBehavior(
- SequenceToken token,
- WorkerShutdown shutdown_behavior);
-
- // Returns a TaskRunner wrapper which posts to this SequencedWorkerPool using
- // the given shutdown behavior. Tasks with nonzero delay are posted with
- // SKIP_ON_SHUTDOWN behavior and tasks with zero delay are posted with the
- // given shutdown behavior.
- scoped_refptr<TaskRunner> GetTaskRunnerWithShutdownBehavior(
- WorkerShutdown shutdown_behavior);
-
- // Posts the given task for execution in the worker pool. Tasks posted with
- // this function will execute in an unspecified order on a background thread.
- // Returns true if the task was posted. If your tasks have ordering
- // requirements, see PostSequencedWorkerTask().
- //
- // This class will attempt to delete tasks that aren't run
- // (non-block-shutdown semantics) but can't guarantee that this happens. If
- // all worker threads are busy running CONTINUE_ON_SHUTDOWN tasks, there
- // will be no workers available to delete these tasks. And there may be
- // tasks with the same sequence token behind those CONTINUE_ON_SHUTDOWN
- // tasks. Deleting those tasks before the previous one has completed could
- // cause nondeterministic crashes because the task could be keeping some
- // objects alive which do work in their destructor, which could voilate the
- // assumptions of the running task.
- //
- // The task will be guaranteed to run to completion before shutdown
- // (BLOCK_SHUTDOWN semantics).
- //
- // Returns true if the task was posted successfully. This may fail during
- // shutdown regardless of the specified ShutdownBehavior.
- bool PostWorkerTask(const tracked_objects::Location& from_here,
- const Closure& task);
-
- // Same as PostWorkerTask but allows a delay to be specified (although doing
- // so changes the shutdown behavior). The task will be run after the given
- // delay has elapsed.
- //
- // If the delay is nonzero, the task won't be guaranteed to run to completion
- // before shutdown (SKIP_ON_SHUTDOWN semantics) to avoid shutdown hangs.
- // If the delay is zero, this behaves exactly like PostWorkerTask, i.e. the
- // task will be guaranteed to run to completion before shutdown
- // (BLOCK_SHUTDOWN semantics).
- bool PostDelayedWorkerTask(const tracked_objects::Location& from_here,
- const Closure& task,
- TimeDelta delay);
-
- // Same as PostWorkerTask but allows specification of the shutdown behavior.
- bool PostWorkerTaskWithShutdownBehavior(
- const tracked_objects::Location& from_here,
- const Closure& task,
- WorkerShutdown shutdown_behavior);
-
- // Like PostWorkerTask above, but provides sequencing semantics. This means
- // that tasks posted with the same sequence token (see GetSequenceToken())
- // are guaranteed to execute in order. This is useful in cases where you're
- // doing operations that may depend on previous ones, like appending to a
- // file.
- //
- // The task will be guaranteed to run to completion before shutdown
- // (BLOCK_SHUTDOWN semantics).
- //
- // Returns true if the task was posted successfully. This may fail during
- // shutdown regardless of the specified ShutdownBehavior.
- bool PostSequencedWorkerTask(SequenceToken sequence_token,
- const tracked_objects::Location& from_here,
- const Closure& task);
-
- // Like PostSequencedWorkerTask above, but allows you to specify a named
- // token, which saves an extra call to GetNamedSequenceToken.
- bool PostNamedSequencedWorkerTask(const std::string& token_name,
- const tracked_objects::Location& from_here,
- const Closure& task);
-
- // Same as PostSequencedWorkerTask but allows a delay to be specified
- // (although doing so changes the shutdown behavior). The task will be run
- // after the given delay has elapsed.
- //
- // If the delay is nonzero, the task won't be guaranteed to run to completion
- // before shutdown (SKIP_ON_SHUTDOWN semantics) to avoid shutdown hangs.
- // If the delay is zero, this behaves exactly like PostSequencedWorkerTask,
- // i.e. the task will be guaranteed to run to completion before shutdown
- // (BLOCK_SHUTDOWN semantics).
- bool PostDelayedSequencedWorkerTask(
- SequenceToken sequence_token,
- const tracked_objects::Location& from_here,
- const Closure& task,
- TimeDelta delay);
-
- // Same as PostSequencedWorkerTask but allows specification of the shutdown
- // behavior.
- bool PostSequencedWorkerTaskWithShutdownBehavior(
- SequenceToken sequence_token,
- const tracked_objects::Location& from_here,
- const Closure& task,
- WorkerShutdown shutdown_behavior);
-
- // TaskRunner implementation. Forwards to PostDelayedWorkerTask().
- bool PostDelayedTask(const tracked_objects::Location& from_here,
- const Closure& task,
- TimeDelta delay) override;
- bool RunsTasksOnCurrentThread() const override;
-
- // Returns true if the current thread is processing a task with the given
- // sequence_token.
- bool IsRunningSequenceOnCurrentThread(SequenceToken sequence_token) const;
-
- // Returns true if any thread is currently processing a task with the given
- // sequence token. Should only be called with a valid sequence token.
- bool IsRunningSequence(SequenceToken sequence_token) const;
-
- // Blocks until all pending tasks are complete. This should only be called in
- // unit tests when you want to validate something that should have happened.
- // This will not flush delayed tasks; delayed tasks get deleted.
- //
- // Note that calling this will not prevent other threads from posting work to
- // the queue while the calling thread is waiting on Flush(). In this case,
- // Flush will return only when there's no more work in the queue. Normally,
- // this doesn't come up since in a test, all the work is being posted from
- // the main thread.
- void FlushForTesting();
-
- // Spuriously signal that there is work to be done.
- void SignalHasWorkForTesting();
-
- // Implements the worker pool shutdown. This should be called during app
- // shutdown, and will discard/join with appropriate tasks before returning.
- // After this call, subsequent calls to post tasks will fail.
- //
- // Must be called from the same thread this object was constructed on.
- void Shutdown() { Shutdown(0); }
-
- // A variant that allows an arbitrary number of new blocking tasks to be
- // posted during shutdown. The tasks cannot be posted within the execution
- // context of tasks whose shutdown behavior is not BLOCKING_SHUTDOWN. Once
- // the limit is reached, subsequent calls to post task fail in all cases.
- // Must be called from the same thread this object was constructed on.
- void Shutdown(int max_new_blocking_tasks_after_shutdown);
-
- // Check if Shutdown was called for given threading pool. This method is used
- // for aborting time consuming operation to avoid blocking shutdown.
- //
- // Can be called from any thread.
- bool IsShutdownInProgress();
-
- protected:
- ~SequencedWorkerPool() override;
-
- void OnDestruct() const override;
-
- private:
- friend class RefCountedThreadSafe<SequencedWorkerPool>;
- friend class DeleteHelper<SequencedWorkerPool>;
-
- class Inner;
- class Worker;
-
- const scoped_refptr<SingleThreadTaskRunner> constructor_task_runner_;
-
- // Avoid pulling in too many headers by putting (almost) everything
- // into |inner_|.
- const scoped_ptr<Inner> inner_;
-
- DISALLOW_COPY_AND_ASSIGN(SequencedWorkerPool);
-};
-
-} // namespace base
-
-#endif // BASE_THREADING_SEQUENCED_WORKER_POOL_H_
diff --git a/security/sandbox/chromium/base/threading/thread_checker_impl.h b/security/sandbox/chromium/base/threading/thread_checker_impl.h
deleted file mode 100644
index c92e143db..000000000
--- a/security/sandbox/chromium/base/threading/thread_checker_impl.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_THREADING_THREAD_CHECKER_IMPL_H_
-#define BASE_THREADING_THREAD_CHECKER_IMPL_H_
-
-#include "base/base_export.h"
-#include "base/compiler_specific.h"
-#include "base/synchronization/lock.h"
-#include "base/threading/platform_thread.h"
-
-namespace base {
-
-// Real implementation of ThreadChecker, for use in debug mode, or
-// for temporary use in release mode (e.g. to CHECK on a threading issue
-// seen only in the wild).
-//
-// Note: You should almost always use the ThreadChecker class to get the
-// right version for your build configuration.
-class BASE_EXPORT ThreadCheckerImpl {
- public:
- ThreadCheckerImpl();
- ~ThreadCheckerImpl();
-
- bool CalledOnValidThread() const WARN_UNUSED_RESULT;
-
- // Changes the thread that is checked for in CalledOnValidThread. This may
- // be useful when an object may be created on one thread and then used
- // exclusively on another thread.
- void DetachFromThread();
-
- private:
- void EnsureThreadIdAssigned() const;
-
- mutable base::Lock lock_;
- // This is mutable so that CalledOnValidThread can set it.
- // It's guarded by |lock_|.
- mutable PlatformThreadRef valid_thread_id_;
-};
-
-} // namespace base
-
-#endif // BASE_THREADING_THREAD_CHECKER_IMPL_H_
diff --git a/security/sandbox/chromium/base/threading/thread_collision_warner.cc b/security/sandbox/chromium/base/threading/thread_collision_warner.cc
deleted file mode 100644
index 547e11ca6..000000000
--- a/security/sandbox/chromium/base/threading/thread_collision_warner.cc
+++ /dev/null
@@ -1,64 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/threading/thread_collision_warner.h"
-
-#include "base/logging.h"
-#include "base/threading/platform_thread.h"
-
-namespace base {
-
-void DCheckAsserter::warn() {
- NOTREACHED() << "Thread Collision";
-}
-
-static subtle::Atomic32 CurrentThread() {
- const PlatformThreadId current_thread_id = PlatformThread::CurrentId();
- // We need to get the thread id into an atomic data type. This might be a
- // truncating conversion, but any loss-of-information just increases the
- // chance of a fault negative, not a false positive.
- const subtle::Atomic32 atomic_thread_id =
- static_cast<subtle::Atomic32>(current_thread_id);
-
- return atomic_thread_id;
-}
-
-void ThreadCollisionWarner::EnterSelf() {
- // If the active thread is 0 then I'll write the current thread ID
- // if two or more threads arrive here only one will succeed to
- // write on valid_thread_id_ the current thread ID.
- subtle::Atomic32 current_thread_id = CurrentThread();
-
- int previous_value = subtle::NoBarrier_CompareAndSwap(&valid_thread_id_,
- 0,
- current_thread_id);
- if (previous_value != 0 && previous_value != current_thread_id) {
- // gotcha! a thread is trying to use the same class and that is
- // not current thread.
- asserter_->warn();
- }
-
- subtle::NoBarrier_AtomicIncrement(&counter_, 1);
-}
-
-void ThreadCollisionWarner::Enter() {
- subtle::Atomic32 current_thread_id = CurrentThread();
-
- if (subtle::NoBarrier_CompareAndSwap(&valid_thread_id_,
- 0,
- current_thread_id) != 0) {
- // gotcha! another thread is trying to use the same class.
- asserter_->warn();
- }
-
- subtle::NoBarrier_AtomicIncrement(&counter_, 1);
-}
-
-void ThreadCollisionWarner::Leave() {
- if (subtle::Barrier_AtomicIncrement(&counter_, -1) == 0) {
- subtle::NoBarrier_Store(&valid_thread_id_, 0);
- }
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/threading/thread_collision_warner.h b/security/sandbox/chromium/base/threading/thread_collision_warner.h
deleted file mode 100644
index 4699a910d..000000000
--- a/security/sandbox/chromium/base/threading/thread_collision_warner.h
+++ /dev/null
@@ -1,245 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_THREADING_THREAD_COLLISION_WARNER_H_
-#define BASE_THREADING_THREAD_COLLISION_WARNER_H_
-
-#include <memory>
-
-#include "base/atomicops.h"
-#include "base/base_export.h"
-#include "base/compiler_specific.h"
-#include "base/macros.h"
-
-// A helper class alongside macros to be used to verify assumptions about thread
-// safety of a class.
-//
-// Example: Queue implementation non thread-safe but still usable if clients
-// are synchronized somehow.
-//
-// In this case the macro DFAKE_SCOPED_LOCK has to be
-// used, it checks that if a thread is inside the push/pop then
-// noone else is still inside the pop/push
-//
-// class NonThreadSafeQueue {
-// public:
-// ...
-// void push(int) { DFAKE_SCOPED_LOCK(push_pop_); ... }
-// int pop() { DFAKE_SCOPED_LOCK(push_pop_); ... }
-// ...
-// private:
-// DFAKE_MUTEX(push_pop_);
-// };
-//
-//
-// Example: Queue implementation non thread-safe but still usable if clients
-// are synchronized somehow, it calls a method to "protect" from
-// a "protected" method
-//
-// In this case the macro DFAKE_SCOPED_RECURSIVE_LOCK
-// has to be used, it checks that if a thread is inside the push/pop
-// then noone else is still inside the pop/push
-//
-// class NonThreadSafeQueue {
-// public:
-// void push(int) {
-// DFAKE_SCOPED_LOCK(push_pop_);
-// ...
-// }
-// int pop() {
-// DFAKE_SCOPED_RECURSIVE_LOCK(push_pop_);
-// bar();
-// ...
-// }
-// void bar() { DFAKE_SCOPED_RECURSIVE_LOCK(push_pop_); ... }
-// ...
-// private:
-// DFAKE_MUTEX(push_pop_);
-// };
-//
-//
-// Example: Queue implementation not usable even if clients are synchronized,
-// so only one thread in the class life cycle can use the two members
-// push/pop.
-//
-// In this case the macro DFAKE_SCOPED_LOCK_THREAD_LOCKED pins the
-// specified
-// critical section the first time a thread enters push or pop, from
-// that time on only that thread is allowed to execute push or pop.
-//
-// class NonThreadSafeQueue {
-// public:
-// ...
-// void push(int) { DFAKE_SCOPED_LOCK_THREAD_LOCKED(push_pop_); ... }
-// int pop() { DFAKE_SCOPED_LOCK_THREAD_LOCKED(push_pop_); ... }
-// ...
-// private:
-// DFAKE_MUTEX(push_pop_);
-// };
-//
-//
-// Example: Class that has to be contructed/destroyed on same thread, it has
-// a "shareable" method (with external synchronization) and a not
-// shareable method (even with external synchronization).
-//
-// In this case 3 Critical sections have to be defined
-//
-// class ExoticClass {
-// public:
-// ExoticClass() { DFAKE_SCOPED_LOCK_THREAD_LOCKED(ctor_dtor_); ... }
-// ~ExoticClass() { DFAKE_SCOPED_LOCK_THREAD_LOCKED(ctor_dtor_); ... }
-//
-// void Shareable() { DFAKE_SCOPED_LOCK(shareable_section_); ... }
-// void NotShareable() { DFAKE_SCOPED_LOCK_THREAD_LOCKED(ctor_dtor_); ... }
-// ...
-// private:
-// DFAKE_MUTEX(ctor_dtor_);
-// DFAKE_MUTEX(shareable_section_);
-// };
-
-
-#if !defined(NDEBUG)
-
-// Defines a class member that acts like a mutex. It is used only as a
-// verification tool.
-#define DFAKE_MUTEX(obj) \
- mutable base::ThreadCollisionWarner obj
-// Asserts the call is never called simultaneously in two threads. Used at
-// member function scope.
-#define DFAKE_SCOPED_LOCK(obj) \
- base::ThreadCollisionWarner::ScopedCheck s_check_##obj(&obj)
-// Asserts the call is never called simultaneously in two threads. Used at
-// member function scope. Same as DFAKE_SCOPED_LOCK but allows recursive locks.
-#define DFAKE_SCOPED_RECURSIVE_LOCK(obj) \
- base::ThreadCollisionWarner::ScopedRecursiveCheck sr_check_##obj(&obj)
-// Asserts the code is always executed in the same thread.
-#define DFAKE_SCOPED_LOCK_THREAD_LOCKED(obj) \
- base::ThreadCollisionWarner::Check check_##obj(&obj)
-
-#else
-
-#define DFAKE_MUTEX(obj) typedef void InternalFakeMutexType##obj
-#define DFAKE_SCOPED_LOCK(obj) ((void)0)
-#define DFAKE_SCOPED_RECURSIVE_LOCK(obj) ((void)0)
-#define DFAKE_SCOPED_LOCK_THREAD_LOCKED(obj) ((void)0)
-
-#endif
-
-namespace base {
-
-// The class ThreadCollisionWarner uses an Asserter to notify the collision
-// AsserterBase is the interfaces and DCheckAsserter is the default asserter
-// used. During the unit tests is used another class that doesn't "DCHECK"
-// in case of collision (check thread_collision_warner_unittests.cc)
-struct BASE_EXPORT AsserterBase {
- virtual ~AsserterBase() {}
- virtual void warn() = 0;
-};
-
-struct BASE_EXPORT DCheckAsserter : public AsserterBase {
- ~DCheckAsserter() override {}
- void warn() override;
-};
-
-class BASE_EXPORT ThreadCollisionWarner {
- public:
- // The parameter asserter is there only for test purpose
- explicit ThreadCollisionWarner(AsserterBase* asserter = new DCheckAsserter())
- : valid_thread_id_(0),
- counter_(0),
- asserter_(asserter) {}
-
- ~ThreadCollisionWarner() {
- delete asserter_;
- }
-
- // This class is meant to be used through the macro
- // DFAKE_SCOPED_LOCK_THREAD_LOCKED
- // it doesn't leave the critical section, as opposed to ScopedCheck,
- // because the critical section being pinned is allowed to be used only
- // from one thread
- class BASE_EXPORT Check {
- public:
- explicit Check(ThreadCollisionWarner* warner)
- : warner_(warner) {
- warner_->EnterSelf();
- }
-
- ~Check() {}
-
- private:
- ThreadCollisionWarner* warner_;
-
- DISALLOW_COPY_AND_ASSIGN(Check);
- };
-
- // This class is meant to be used through the macro
- // DFAKE_SCOPED_LOCK
- class BASE_EXPORT ScopedCheck {
- public:
- explicit ScopedCheck(ThreadCollisionWarner* warner)
- : warner_(warner) {
- warner_->Enter();
- }
-
- ~ScopedCheck() {
- warner_->Leave();
- }
-
- private:
- ThreadCollisionWarner* warner_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedCheck);
- };
-
- // This class is meant to be used through the macro
- // DFAKE_SCOPED_RECURSIVE_LOCK
- class BASE_EXPORT ScopedRecursiveCheck {
- public:
- explicit ScopedRecursiveCheck(ThreadCollisionWarner* warner)
- : warner_(warner) {
- warner_->EnterSelf();
- }
-
- ~ScopedRecursiveCheck() {
- warner_->Leave();
- }
-
- private:
- ThreadCollisionWarner* warner_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedRecursiveCheck);
- };
-
- private:
- // This method stores the current thread identifier and does a DCHECK
- // if a another thread has already done it, it is safe if same thread
- // calls this multiple time (recursion allowed).
- void EnterSelf();
-
- // Same as EnterSelf but recursion is not allowed.
- void Enter();
-
- // Removes the thread_id stored in order to allow other threads to
- // call EnterSelf or Enter.
- void Leave();
-
- // This stores the thread id that is inside the critical section, if the
- // value is 0 then no thread is inside.
- volatile subtle::Atomic32 valid_thread_id_;
-
- // Counter to trace how many time a critical section was "pinned"
- // (when allowed) in order to unpin it when counter_ reaches 0.
- volatile subtle::Atomic32 counter_;
-
- // Here only for class unit tests purpose, during the test I need to not
- // DCHECK but notify the collision with something else.
- AsserterBase* asserter_;
-
- DISALLOW_COPY_AND_ASSIGN(ThreadCollisionWarner);
-};
-
-} // namespace base
-
-#endif // BASE_THREADING_THREAD_COLLISION_WARNER_H_
diff --git a/security/sandbox/chromium/base/threading/thread_id_name_manager.cc b/security/sandbox/chromium/base/threading/thread_id_name_manager.cc
deleted file mode 100644
index 56cfa273a..000000000
--- a/security/sandbox/chromium/base/threading/thread_id_name_manager.cc
+++ /dev/null
@@ -1,112 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/threading/thread_id_name_manager.h"
-
-#include <stdlib.h>
-#include <string.h>
-
-#include "base/logging.h"
-#include "base/memory/singleton.h"
-#include "base/strings/string_util.h"
-
-namespace base {
-namespace {
-
-static const char kDefaultName[] = "";
-static std::string* g_default_name;
-
-}
-
-ThreadIdNameManager::ThreadIdNameManager()
- : main_process_name_(NULL),
- main_process_id_(kInvalidThreadId) {
- g_default_name = new std::string(kDefaultName);
-
- AutoLock locked(lock_);
- name_to_interned_name_[kDefaultName] = g_default_name;
-}
-
-ThreadIdNameManager::~ThreadIdNameManager() {
-}
-
-ThreadIdNameManager* ThreadIdNameManager::GetInstance() {
- return Singleton<ThreadIdNameManager,
- LeakySingletonTraits<ThreadIdNameManager> >::get();
-}
-
-const char* ThreadIdNameManager::GetDefaultInternedString() {
- return g_default_name->c_str();
-}
-
-void ThreadIdNameManager::RegisterThread(PlatformThreadHandle::Handle handle,
- PlatformThreadId id) {
- AutoLock locked(lock_);
- thread_id_to_handle_[id] = handle;
- thread_handle_to_interned_name_[handle] =
- name_to_interned_name_[kDefaultName];
-}
-
-void ThreadIdNameManager::SetName(PlatformThreadId id,
- const std::string& name) {
- AutoLock locked(lock_);
- NameToInternedNameMap::iterator iter = name_to_interned_name_.find(name);
- std::string* leaked_str = NULL;
- if (iter != name_to_interned_name_.end()) {
- leaked_str = iter->second;
- } else {
- leaked_str = new std::string(name);
- name_to_interned_name_[name] = leaked_str;
- }
-
- ThreadIdToHandleMap::iterator id_to_handle_iter =
- thread_id_to_handle_.find(id);
-
- // The main thread of a process will not be created as a Thread object which
- // means there is no PlatformThreadHandler registered.
- if (id_to_handle_iter == thread_id_to_handle_.end()) {
- main_process_name_ = leaked_str;
- main_process_id_ = id;
- return;
- }
- thread_handle_to_interned_name_[id_to_handle_iter->second] = leaked_str;
-}
-
-const char* ThreadIdNameManager::GetName(PlatformThreadId id) {
- AutoLock locked(lock_);
-
- if (id == main_process_id_)
- return main_process_name_->c_str();
-
- ThreadIdToHandleMap::iterator id_to_handle_iter =
- thread_id_to_handle_.find(id);
- if (id_to_handle_iter == thread_id_to_handle_.end())
- return name_to_interned_name_[kDefaultName]->c_str();
-
- ThreadHandleToInternedNameMap::iterator handle_to_name_iter =
- thread_handle_to_interned_name_.find(id_to_handle_iter->second);
- return handle_to_name_iter->second->c_str();
-}
-
-void ThreadIdNameManager::RemoveName(PlatformThreadHandle::Handle handle,
- PlatformThreadId id) {
- AutoLock locked(lock_);
- ThreadHandleToInternedNameMap::iterator handle_to_name_iter =
- thread_handle_to_interned_name_.find(handle);
-
- DCHECK(handle_to_name_iter != thread_handle_to_interned_name_.end());
- thread_handle_to_interned_name_.erase(handle_to_name_iter);
-
- ThreadIdToHandleMap::iterator id_to_handle_iter =
- thread_id_to_handle_.find(id);
- DCHECK((id_to_handle_iter!= thread_id_to_handle_.end()));
- // The given |id| may have been re-used by the system. Make sure the
- // mapping points to the provided |handle| before removal.
- if (id_to_handle_iter->second != handle)
- return;
-
- thread_id_to_handle_.erase(id_to_handle_iter);
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/threading/thread_id_name_manager.h b/security/sandbox/chromium/base/threading/thread_id_name_manager.h
deleted file mode 100644
index f469b605e..000000000
--- a/security/sandbox/chromium/base/threading/thread_id_name_manager.h
+++ /dev/null
@@ -1,68 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_THREADING_THREAD_ID_NAME_MANAGER_H_
-#define BASE_THREADING_THREAD_ID_NAME_MANAGER_H_
-
-#include <map>
-#include <string>
-
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "base/synchronization/lock.h"
-#include "base/threading/platform_thread.h"
-
-namespace base {
-
-template <typename T>
-struct DefaultSingletonTraits;
-
-class BASE_EXPORT ThreadIdNameManager {
- public:
- static ThreadIdNameManager* GetInstance();
-
- static const char* GetDefaultInternedString();
-
- // Register the mapping between a thread |id| and |handle|.
- void RegisterThread(PlatformThreadHandle::Handle handle, PlatformThreadId id);
-
- // Set the name for the given id.
- void SetName(PlatformThreadId id, const std::string& name);
-
- // Get the name for the given id.
- const char* GetName(PlatformThreadId id);
-
- // Remove the name for the given id.
- void RemoveName(PlatformThreadHandle::Handle handle, PlatformThreadId id);
-
- private:
- friend struct DefaultSingletonTraits<ThreadIdNameManager>;
-
- typedef std::map<PlatformThreadId, PlatformThreadHandle::Handle>
- ThreadIdToHandleMap;
- typedef std::map<PlatformThreadHandle::Handle, std::string*>
- ThreadHandleToInternedNameMap;
- typedef std::map<std::string, std::string*> NameToInternedNameMap;
-
- ThreadIdNameManager();
- ~ThreadIdNameManager();
-
- // lock_ protects the name_to_interned_name_, thread_id_to_handle_ and
- // thread_handle_to_interned_name_ maps.
- Lock lock_;
-
- NameToInternedNameMap name_to_interned_name_;
- ThreadIdToHandleMap thread_id_to_handle_;
- ThreadHandleToInternedNameMap thread_handle_to_interned_name_;
-
- // Treat the main process specially as there is no PlatformThreadHandle.
- std::string* main_process_name_;
- PlatformThreadId main_process_id_;
-
- DISALLOW_COPY_AND_ASSIGN(ThreadIdNameManager);
-};
-
-} // namespace base
-
-#endif // BASE_THREADING_THREAD_ID_NAME_MANAGER_H_
diff --git a/security/sandbox/chromium/base/threading/thread_local.h b/security/sandbox/chromium/base/threading/thread_local.h
deleted file mode 100644
index f40420cd2..000000000
--- a/security/sandbox/chromium/base/threading/thread_local.h
+++ /dev/null
@@ -1,134 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// WARNING: Thread local storage is a bit tricky to get right. Please make
-// sure that this is really the proper solution for what you're trying to
-// achieve. Don't prematurely optimize, most likely you can just use a Lock.
-//
-// These classes implement a wrapper around the platform's TLS storage
-// mechanism. On construction, they will allocate a TLS slot, and free the
-// TLS slot on destruction. No memory management (creation or destruction) is
-// handled. This means for uses of ThreadLocalPointer, you must correctly
-// manage the memory yourself, these classes will not destroy the pointer for
-// you. There are no at-thread-exit actions taken by these classes.
-//
-// ThreadLocalPointer<Type> wraps a Type*. It performs no creation or
-// destruction, so memory management must be handled elsewhere. The first call
-// to Get() on a thread will return NULL. You can update the pointer with a
-// call to Set().
-//
-// ThreadLocalBoolean wraps a bool. It will default to false if it has never
-// been set otherwise with Set().
-//
-// Thread Safety: An instance of ThreadLocalStorage is completely thread safe
-// once it has been created. If you want to dynamically create an instance,
-// you must of course properly deal with safety and race conditions. This
-// means a function-level static initializer is generally inappropiate.
-//
-// In Android, the system TLS is limited, the implementation is backed with
-// ThreadLocalStorage.
-//
-// Example usage:
-// // My class is logically attached to a single thread. We cache a pointer
-// // on the thread it was created on, so we can implement current().
-// MyClass::MyClass() {
-// DCHECK(Singleton<ThreadLocalPointer<MyClass> >::get()->Get() == NULL);
-// Singleton<ThreadLocalPointer<MyClass> >::get()->Set(this);
-// }
-//
-// MyClass::~MyClass() {
-// DCHECK(Singleton<ThreadLocalPointer<MyClass> >::get()->Get() != NULL);
-// Singleton<ThreadLocalPointer<MyClass> >::get()->Set(NULL);
-// }
-//
-// // Return the current MyClass associated with the calling thread, can be
-// // NULL if there isn't a MyClass associated.
-// MyClass* MyClass::current() {
-// return Singleton<ThreadLocalPointer<MyClass> >::get()->Get();
-// }
-
-#ifndef BASE_THREADING_THREAD_LOCAL_H_
-#define BASE_THREADING_THREAD_LOCAL_H_
-
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "base/threading/thread_local_storage.h"
-#include "build/build_config.h"
-
-#if defined(OS_POSIX)
-#include <pthread.h>
-#endif
-
-namespace base {
-namespace internal {
-
-// Helper functions that abstract the cross-platform APIs. Do not use directly.
-struct BASE_EXPORT ThreadLocalPlatform {
-#if defined(OS_WIN)
- typedef unsigned long SlotType;
-#elif defined(OS_ANDROID)
- typedef ThreadLocalStorage::StaticSlot SlotType;
-#elif defined(OS_POSIX)
- typedef pthread_key_t SlotType;
-#endif
-
- static void AllocateSlot(SlotType* slot);
- static void FreeSlot(SlotType slot);
- static void* GetValueFromSlot(SlotType slot);
- static void SetValueInSlot(SlotType slot, void* value);
-};
-
-} // namespace internal
-
-template <typename Type>
-class ThreadLocalPointer {
- public:
- ThreadLocalPointer() : slot_() {
- internal::ThreadLocalPlatform::AllocateSlot(&slot_);
- }
-
- ~ThreadLocalPointer() {
- internal::ThreadLocalPlatform::FreeSlot(slot_);
- }
-
- Type* Get() {
- return static_cast<Type*>(
- internal::ThreadLocalPlatform::GetValueFromSlot(slot_));
- }
-
- void Set(Type* ptr) {
- internal::ThreadLocalPlatform::SetValueInSlot(
- slot_, const_cast<void*>(static_cast<const void*>(ptr)));
- }
-
- private:
- typedef internal::ThreadLocalPlatform::SlotType SlotType;
-
- SlotType slot_;
-
- DISALLOW_COPY_AND_ASSIGN(ThreadLocalPointer<Type>);
-};
-
-class ThreadLocalBoolean {
- public:
- ThreadLocalBoolean() {}
- ~ThreadLocalBoolean() {}
-
- bool Get() {
- return tlp_.Get() != NULL;
- }
-
- void Set(bool val) {
- tlp_.Set(val ? this : NULL);
- }
-
- private:
- ThreadLocalPointer<void> tlp_;
-
- DISALLOW_COPY_AND_ASSIGN(ThreadLocalBoolean);
-};
-
-} // namespace base
-
-#endif // BASE_THREADING_THREAD_LOCAL_H_
diff --git a/security/sandbox/chromium/base/threading/thread_local_posix.cc b/security/sandbox/chromium/base/threading/thread_local_posix.cc
deleted file mode 100644
index 8bc46ad19..000000000
--- a/security/sandbox/chromium/base/threading/thread_local_posix.cc
+++ /dev/null
@@ -1,43 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/threading/thread_local.h"
-
-#include <pthread.h>
-
-#include "base/logging.h"
-#include "build/build_config.h"
-
-#if !defined(OS_ANDROID)
-
-namespace base {
-namespace internal {
-
-// static
-void ThreadLocalPlatform::AllocateSlot(SlotType* slot) {
- int error = pthread_key_create(slot, NULL);
- CHECK_EQ(error, 0);
-}
-
-// static
-void ThreadLocalPlatform::FreeSlot(SlotType slot) {
- int error = pthread_key_delete(slot);
- DCHECK_EQ(0, error);
-}
-
-// static
-void* ThreadLocalPlatform::GetValueFromSlot(SlotType slot) {
- return pthread_getspecific(slot);
-}
-
-// static
-void ThreadLocalPlatform::SetValueInSlot(SlotType slot, void* value) {
- int error = pthread_setspecific(slot, value);
- DCHECK_EQ(error, 0);
-}
-
-} // namespace internal
-} // namespace base
-
-#endif // !defined(OS_ANDROID)
diff --git a/security/sandbox/chromium/base/threading/thread_local_storage.h b/security/sandbox/chromium/base/threading/thread_local_storage.h
deleted file mode 100644
index 013b0aeff..000000000
--- a/security/sandbox/chromium/base/threading/thread_local_storage.h
+++ /dev/null
@@ -1,148 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_THREADING_THREAD_LOCAL_STORAGE_H_
-#define BASE_THREADING_THREAD_LOCAL_STORAGE_H_
-
-#include "base/atomicops.h"
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "build/build_config.h"
-
-#if defined(OS_WIN)
-#include <windows.h>
-#elif defined(OS_POSIX)
-#include <pthread.h>
-#endif
-
-namespace base {
-
-namespace internal {
-
-// WARNING: You should *NOT* be using this class directly.
-// PlatformThreadLocalStorage is low-level abstraction to the OS's TLS
-// interface, you should instead be using ThreadLocalStorage::StaticSlot/Slot.
-class BASE_EXPORT PlatformThreadLocalStorage {
- public:
-
-#if defined(OS_WIN)
- typedef unsigned long TLSKey;
- enum : unsigned { TLS_KEY_OUT_OF_INDEXES = TLS_OUT_OF_INDEXES };
-#elif defined(OS_POSIX)
- typedef pthread_key_t TLSKey;
- // The following is a "reserved key" which is used in our generic Chromium
- // ThreadLocalStorage implementation. We expect that an OS will not return
- // such a key, but if it is returned (i.e., the OS tries to allocate it) we
- // will just request another key.
- enum { TLS_KEY_OUT_OF_INDEXES = 0x7FFFFFFF };
-#endif
-
- // The following methods need to be supported on each OS platform, so that
- // the Chromium ThreadLocalStore functionality can be constructed.
- // Chromium will use these methods to acquire a single OS slot, and then use
- // that to support a much larger number of Chromium slots (independent of the
- // OS restrictions).
- // The following returns true if it successfully is able to return an OS
- // key in |key|.
- static bool AllocTLS(TLSKey* key);
- // Note: FreeTLS() doesn't have to be called, it is fine with this leak, OS
- // might not reuse released slot, you might just reset the TLS value with
- // SetTLSValue().
- static void FreeTLS(TLSKey key);
- static void SetTLSValue(TLSKey key, void* value);
- static void* GetTLSValue(TLSKey key);
-
- // Each platform (OS implementation) is required to call this method on each
- // terminating thread when the thread is about to terminate. This method
- // will then call all registered destructors for slots in Chromium
- // ThreadLocalStorage, until there are no slot values remaining as having
- // been set on this thread.
- // Destructors may end up being called multiple times on a terminating
- // thread, as other destructors may re-set slots that were previously
- // destroyed.
-#if defined(OS_WIN)
- // Since Windows which doesn't support TLS destructor, the implementation
- // should use GetTLSValue() to retrieve the value of TLS slot.
- static void OnThreadExit();
-#elif defined(OS_POSIX)
- // |Value| is the data stored in TLS slot, The implementation can't use
- // GetTLSValue() to retrieve the value of slot as it has already been reset
- // in Posix.
- static void OnThreadExit(void* value);
-#endif
-};
-
-} // namespace internal
-
-// Wrapper for thread local storage. This class doesn't do much except provide
-// an API for portability.
-class BASE_EXPORT ThreadLocalStorage {
- public:
-
- // Prototype for the TLS destructor function, which can be optionally used to
- // cleanup thread local storage on thread exit. 'value' is the data that is
- // stored in thread local storage.
- typedef void (*TLSDestructorFunc)(void* value);
-
- // StaticSlot uses its own struct initializer-list style static
- // initialization, as base's LINKER_INITIALIZED requires a constructor and on
- // some compilers (notably gcc 4.4) this still ends up needing runtime
- // initialization.
- #define TLS_INITIALIZER {0}
-
- // A key representing one value stored in TLS.
- // Initialize like
- // ThreadLocalStorage::StaticSlot my_slot = TLS_INITIALIZER;
- // If you're not using a static variable, use the convenience class
- // ThreadLocalStorage::Slot (below) instead.
- struct BASE_EXPORT StaticSlot {
- // Set up the TLS slot. Called by the constructor.
- // 'destructor' is a pointer to a function to perform per-thread cleanup of
- // this object. If set to NULL, no cleanup is done for this TLS slot.
- void Initialize(TLSDestructorFunc destructor);
-
- // Free a previously allocated TLS 'slot'.
- // If a destructor was set for this slot, removes
- // the destructor so that remaining threads exiting
- // will not free data.
- void Free();
-
- // Get the thread-local value stored in slot 'slot'.
- // Values are guaranteed to initially be zero.
- void* Get() const;
-
- // Set the thread-local value stored in slot 'slot' to
- // value 'value'.
- void Set(void* value);
-
- bool initialized() const {
- return base::subtle::Acquire_Load(&initialized_) != 0;
- }
-
- // The internals of this struct should be considered private.
- base::subtle::Atomic32 initialized_;
- int slot_;
- };
-
- // A convenience wrapper around StaticSlot with a constructor. Can be used
- // as a member variable.
- class BASE_EXPORT Slot : public StaticSlot {
- public:
- // Calls StaticSlot::Initialize().
- explicit Slot(TLSDestructorFunc destructor = NULL);
-
- private:
- using StaticSlot::initialized_;
- using StaticSlot::slot_;
-
- DISALLOW_COPY_AND_ASSIGN(Slot);
- };
-
- private:
- DISALLOW_COPY_AND_ASSIGN(ThreadLocalStorage);
-};
-
-} // namespace base
-
-#endif // BASE_THREADING_THREAD_LOCAL_STORAGE_H_
diff --git a/security/sandbox/chromium/base/threading/thread_local_win.cc b/security/sandbox/chromium/base/threading/thread_local_win.cc
deleted file mode 100644
index 1c74e4213..000000000
--- a/security/sandbox/chromium/base/threading/thread_local_win.cc
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/threading/thread_local.h"
-
-#include <windows.h>
-
-#include "base/logging.h"
-
-namespace base {
-namespace internal {
-
-// static
-void ThreadLocalPlatform::AllocateSlot(SlotType* slot) {
- *slot = TlsAlloc();
- CHECK_NE(*slot, TLS_OUT_OF_INDEXES);
-}
-
-// static
-void ThreadLocalPlatform::FreeSlot(SlotType slot) {
- if (!TlsFree(slot)) {
- NOTREACHED() << "Failed to deallocate tls slot with TlsFree().";
- }
-}
-
-// static
-void* ThreadLocalPlatform::GetValueFromSlot(SlotType slot) {
- return TlsGetValue(slot);
-}
-
-// static
-void ThreadLocalPlatform::SetValueInSlot(SlotType slot, void* value) {
- if (!TlsSetValue(slot, value)) {
- LOG(FATAL) << "Failed to TlsSetValue().";
- }
-}
-
-} // namespace internal
-} // namespace base
diff --git a/security/sandbox/chromium/base/threading/thread_restrictions.cc b/security/sandbox/chromium/base/threading/thread_restrictions.cc
deleted file mode 100644
index 00306c5ae..000000000
--- a/security/sandbox/chromium/base/threading/thread_restrictions.cc
+++ /dev/null
@@ -1,85 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/threading/thread_restrictions.h"
-
-#if ENABLE_THREAD_RESTRICTIONS
-
-#include "base/lazy_instance.h"
-#include "base/logging.h"
-#include "base/threading/thread_local.h"
-
-namespace base {
-
-namespace {
-
-LazyInstance<ThreadLocalBoolean>::Leaky
- g_io_disallowed = LAZY_INSTANCE_INITIALIZER;
-
-LazyInstance<ThreadLocalBoolean>::Leaky
- g_singleton_disallowed = LAZY_INSTANCE_INITIALIZER;
-
-LazyInstance<ThreadLocalBoolean>::Leaky
- g_wait_disallowed = LAZY_INSTANCE_INITIALIZER;
-
-} // namespace
-
-// static
-bool ThreadRestrictions::SetIOAllowed(bool allowed) {
- bool previous_disallowed = g_io_disallowed.Get().Get();
- g_io_disallowed.Get().Set(!allowed);
- return !previous_disallowed;
-}
-
-// static
-void ThreadRestrictions::AssertIOAllowed() {
- if (g_io_disallowed.Get().Get()) {
- LOG(FATAL) <<
- "Function marked as IO-only was called from a thread that "
- "disallows IO! If this thread really should be allowed to "
- "make IO calls, adjust the call to "
- "base::ThreadRestrictions::SetIOAllowed() in this thread's "
- "startup.";
- }
-}
-
-// static
-bool ThreadRestrictions::SetSingletonAllowed(bool allowed) {
- bool previous_disallowed = g_singleton_disallowed.Get().Get();
- g_singleton_disallowed.Get().Set(!allowed);
- return !previous_disallowed;
-}
-
-// static
-void ThreadRestrictions::AssertSingletonAllowed() {
- if (g_singleton_disallowed.Get().Get()) {
- LOG(FATAL) << "LazyInstance/Singleton is not allowed to be used on this "
- << "thread. Most likely it's because this thread is not "
- << "joinable, so AtExitManager may have deleted the object "
- << "on shutdown, leading to a potential shutdown crash.";
- }
-}
-
-// static
-void ThreadRestrictions::DisallowWaiting() {
- g_wait_disallowed.Get().Set(true);
-}
-
-// static
-void ThreadRestrictions::AssertWaitAllowed() {
- if (g_wait_disallowed.Get().Get()) {
- LOG(FATAL) << "Waiting is not allowed to be used on this thread to prevent "
- << "jank and deadlock.";
- }
-}
-
-bool ThreadRestrictions::SetWaitAllowed(bool allowed) {
- bool previous_disallowed = g_wait_disallowed.Get().Get();
- g_wait_disallowed.Get().Set(!allowed);
- return !previous_disallowed;
-}
-
-} // namespace base
-
-#endif // ENABLE_THREAD_RESTRICTIONS
diff --git a/security/sandbox/chromium/base/threading/thread_restrictions.h b/security/sandbox/chromium/base/threading/thread_restrictions.h
deleted file mode 100644
index eec00fbb7..000000000
--- a/security/sandbox/chromium/base/threading/thread_restrictions.h
+++ /dev/null
@@ -1,266 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_THREADING_THREAD_RESTRICTIONS_H_
-#define BASE_THREADING_THREAD_RESTRICTIONS_H_
-
-#include "base/base_export.h"
-#include "base/macros.h"
-
-// See comment at top of thread_checker.h
-#if (!defined(NDEBUG) || defined(DCHECK_ALWAYS_ON))
-#define ENABLE_THREAD_RESTRICTIONS 1
-#else
-#define ENABLE_THREAD_RESTRICTIONS 0
-#endif
-
-class BrowserProcessImpl;
-class HistogramSynchronizer;
-class NativeBackendKWallet;
-class ScopedAllowWaitForLegacyWebViewApi;
-
-namespace cc {
-class CompletionEvent;
-class SingleThreadTaskGraphRunner;
-}
-namespace chromeos {
-class BlockingMethodCaller;
-namespace system {
-class StatisticsProviderImpl;
-}
-}
-namespace chrome_browser_net {
-class Predictor;
-}
-namespace content {
-class BrowserGpuChannelHostFactory;
-class BrowserGpuMemoryBufferManager;
-class BrowserShutdownProfileDumper;
-class BrowserTestBase;
-class GpuChannelHost;
-class NestedMessagePumpAndroid;
-class ScopedAllowWaitForAndroidLayoutTests;
-class ScopedAllowWaitForDebugURL;
-class SoftwareOutputDeviceMus;
-class TextInputClientMac;
-class RasterWorkerPool;
-} // namespace content
-namespace dbus {
-class Bus;
-}
-namespace disk_cache {
-class BackendImpl;
-class InFlightIO;
-}
-namespace gles2 {
-class CommandBufferClientImpl;
-}
-namespace mojo {
-namespace common {
-class MessagePumpMojo;
-}
-}
-namespace mus {
-class CommandBufferLocal;
-class GpuState;
-}
-namespace net {
-class NetworkChangeNotifierMac;
-namespace internal {
-class AddressTrackerLinux;
-}
-}
-
-namespace remoting {
-class AutoThread;
-}
-
-namespace ui {
-class WindowResizeHelperMac;
-}
-
-namespace views {
-class WindowManagerConnection;
-}
-
-namespace base {
-
-namespace android {
-class JavaHandlerThread;
-}
-
-class SequencedWorkerPool;
-class SimpleThread;
-class Thread;
-class ThreadTestHelper;
-
-// Certain behavior is disallowed on certain threads. ThreadRestrictions helps
-// enforce these rules. Examples of such rules:
-//
-// * Do not do blocking IO (makes the thread janky)
-// * Do not access Singleton/LazyInstance (may lead to shutdown crashes)
-//
-// Here's more about how the protection works:
-//
-// 1) If a thread should not be allowed to make IO calls, mark it:
-// base::ThreadRestrictions::SetIOAllowed(false);
-// By default, threads *are* allowed to make IO calls.
-// In Chrome browser code, IO calls should be proxied to the File thread.
-//
-// 2) If a function makes a call that will go out to disk, check whether the
-// current thread is allowed:
-// base::ThreadRestrictions::AssertIOAllowed();
-//
-//
-// Style tip: where should you put AssertIOAllowed checks? It's best
-// if you put them as close to the disk access as possible, at the
-// lowest level. This rule is simple to follow and helps catch all
-// callers. For example, if your function GoDoSomeBlockingDiskCall()
-// only calls other functions in Chrome and not fopen(), you should go
-// add the AssertIOAllowed checks in the helper functions.
-
-class BASE_EXPORT ThreadRestrictions {
- public:
- // Constructing a ScopedAllowIO temporarily allows IO for the current
- // thread. Doing this is almost certainly always incorrect.
- class BASE_EXPORT ScopedAllowIO {
- public:
- ScopedAllowIO() { previous_value_ = SetIOAllowed(true); }
- ~ScopedAllowIO() { SetIOAllowed(previous_value_); }
- private:
- // Whether IO is allowed when the ScopedAllowIO was constructed.
- bool previous_value_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedAllowIO);
- };
-
- // Constructing a ScopedAllowSingleton temporarily allows accessing for the
- // current thread. Doing this is almost always incorrect.
- class BASE_EXPORT ScopedAllowSingleton {
- public:
- ScopedAllowSingleton() { previous_value_ = SetSingletonAllowed(true); }
- ~ScopedAllowSingleton() { SetSingletonAllowed(previous_value_); }
- private:
- // Whether singleton use is allowed when the ScopedAllowSingleton was
- // constructed.
- bool previous_value_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedAllowSingleton);
- };
-
-#if ENABLE_THREAD_RESTRICTIONS
- // Set whether the current thread to make IO calls.
- // Threads start out in the *allowed* state.
- // Returns the previous value.
- static bool SetIOAllowed(bool allowed);
-
- // Check whether the current thread is allowed to make IO calls,
- // and DCHECK if not. See the block comment above the class for
- // a discussion of where to add these checks.
- static void AssertIOAllowed();
-
- // Set whether the current thread can use singletons. Returns the previous
- // value.
- static bool SetSingletonAllowed(bool allowed);
-
- // Check whether the current thread is allowed to use singletons (Singleton /
- // LazyInstance). DCHECKs if not.
- static void AssertSingletonAllowed();
-
- // Disable waiting on the current thread. Threads start out in the *allowed*
- // state. Returns the previous value.
- static void DisallowWaiting();
-
- // Check whether the current thread is allowed to wait, and DCHECK if not.
- static void AssertWaitAllowed();
-#else
- // Inline the empty definitions of these functions so that they can be
- // compiled out.
- static bool SetIOAllowed(bool allowed) { return true; }
- static void AssertIOAllowed() {}
- static bool SetSingletonAllowed(bool allowed) { return true; }
- static void AssertSingletonAllowed() {}
- static void DisallowWaiting() {}
- static void AssertWaitAllowed() {}
-#endif
-
- private:
- // DO NOT ADD ANY OTHER FRIEND STATEMENTS, talk to jam or brettw first.
- // BEGIN ALLOWED USAGE.
- friend class content::BrowserShutdownProfileDumper;
- friend class content::BrowserTestBase;
- friend class content::NestedMessagePumpAndroid;
- friend class content::ScopedAllowWaitForAndroidLayoutTests;
- friend class content::ScopedAllowWaitForDebugURL;
- friend class ::HistogramSynchronizer;
- friend class ::ScopedAllowWaitForLegacyWebViewApi;
- friend class cc::CompletionEvent;
- friend class cc::SingleThreadTaskGraphRunner;
- friend class content::RasterWorkerPool;
- friend class remoting::AutoThread;
- friend class ui::WindowResizeHelperMac;
- friend class MessagePumpDefault;
- friend class SequencedWorkerPool;
- friend class SimpleThread;
- friend class Thread;
- friend class ThreadTestHelper;
- friend class PlatformThread;
- friend class android::JavaHandlerThread;
- friend class gles2::CommandBufferClientImpl;
- friend class mojo::common::MessagePumpMojo;
- friend class mus::CommandBufferLocal;
- friend class mus::GpuState;
-
- // END ALLOWED USAGE.
- // BEGIN USAGE THAT NEEDS TO BE FIXED.
- friend class ::chromeos::BlockingMethodCaller; // http://crbug.com/125360
- friend class ::chromeos::system::StatisticsProviderImpl; // http://crbug.com/125385
- friend class chrome_browser_net::Predictor; // http://crbug.com/78451
- friend class
- content::BrowserGpuChannelHostFactory; // http://crbug.com/125248
- friend class
- content::BrowserGpuMemoryBufferManager; // http://crbug.com/420368
- friend class content::GpuChannelHost; // http://crbug.com/125264
- friend class content::TextInputClientMac; // http://crbug.com/121917
- friend class dbus::Bus; // http://crbug.com/125222
- friend class disk_cache::BackendImpl; // http://crbug.com/74623
- friend class disk_cache::InFlightIO; // http://crbug.com/74623
- friend class net::internal::AddressTrackerLinux; // http://crbug.com/125097
- friend class net::NetworkChangeNotifierMac; // http://crbug.com/125097
- friend class ::BrowserProcessImpl; // http://crbug.com/125207
- friend class ::NativeBackendKWallet; // http://crbug.com/125331
-#if !defined(OFFICIAL_BUILD)
- friend class content::SoftwareOutputDeviceMus; // Interim non-production code
-#endif
- friend class views::WindowManagerConnection;
-// END USAGE THAT NEEDS TO BE FIXED.
-
-#if ENABLE_THREAD_RESTRICTIONS
- static bool SetWaitAllowed(bool allowed);
-#else
- static bool SetWaitAllowed(bool allowed) { return true; }
-#endif
-
- // Constructing a ScopedAllowWait temporarily allows waiting on the current
- // thread. Doing this is almost always incorrect, which is why we limit who
- // can use this through friend. If you find yourself needing to use this, find
- // another way. Talk to jam or brettw.
- class BASE_EXPORT ScopedAllowWait {
- public:
- ScopedAllowWait() { previous_value_ = SetWaitAllowed(true); }
- ~ScopedAllowWait() { SetWaitAllowed(previous_value_); }
- private:
- // Whether singleton use is allowed when the ScopedAllowWait was
- // constructed.
- bool previous_value_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedAllowWait);
- };
-
- DISALLOW_IMPLICIT_CONSTRUCTORS(ThreadRestrictions);
-};
-
-} // namespace base
-
-#endif // BASE_THREADING_THREAD_RESTRICTIONS_H_
diff --git a/security/sandbox/chromium/base/time/time.cc b/security/sandbox/chromium/base/time/time.cc
deleted file mode 100644
index 76ffeb744..000000000
--- a/security/sandbox/chromium/base/time/time.cc
+++ /dev/null
@@ -1,347 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/time/time.h"
-
-#include <cmath>
-#include <ios>
-#include <limits>
-#include <ostream>
-#include <sstream>
-
-#include "base/lazy_instance.h"
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/strings/stringprintf.h"
-#include "base/third_party/nspr/prtime.h"
-#include "build/build_config.h"
-
-namespace base {
-
-// TimeDelta ------------------------------------------------------------------
-
-// static
-TimeDelta TimeDelta::Max() {
- return TimeDelta(std::numeric_limits<int64_t>::max());
-}
-
-int TimeDelta::InDays() const {
- if (is_max()) {
- // Preserve max to prevent overflow.
- return std::numeric_limits<int>::max();
- }
- return static_cast<int>(delta_ / Time::kMicrosecondsPerDay);
-}
-
-int TimeDelta::InHours() const {
- if (is_max()) {
- // Preserve max to prevent overflow.
- return std::numeric_limits<int>::max();
- }
- return static_cast<int>(delta_ / Time::kMicrosecondsPerHour);
-}
-
-int TimeDelta::InMinutes() const {
- if (is_max()) {
- // Preserve max to prevent overflow.
- return std::numeric_limits<int>::max();
- }
- return static_cast<int>(delta_ / Time::kMicrosecondsPerMinute);
-}
-
-double TimeDelta::InSecondsF() const {
- if (is_max()) {
- // Preserve max to prevent overflow.
- return std::numeric_limits<double>::infinity();
- }
- return static_cast<double>(delta_) / Time::kMicrosecondsPerSecond;
-}
-
-int64_t TimeDelta::InSeconds() const {
- if (is_max()) {
- // Preserve max to prevent overflow.
- return std::numeric_limits<int64_t>::max();
- }
- return delta_ / Time::kMicrosecondsPerSecond;
-}
-
-double TimeDelta::InMillisecondsF() const {
- if (is_max()) {
- // Preserve max to prevent overflow.
- return std::numeric_limits<double>::infinity();
- }
- return static_cast<double>(delta_) / Time::kMicrosecondsPerMillisecond;
-}
-
-int64_t TimeDelta::InMilliseconds() const {
- if (is_max()) {
- // Preserve max to prevent overflow.
- return std::numeric_limits<int64_t>::max();
- }
- return delta_ / Time::kMicrosecondsPerMillisecond;
-}
-
-int64_t TimeDelta::InMillisecondsRoundedUp() const {
- if (is_max()) {
- // Preserve max to prevent overflow.
- return std::numeric_limits<int64_t>::max();
- }
- return (delta_ + Time::kMicrosecondsPerMillisecond - 1) /
- Time::kMicrosecondsPerMillisecond;
-}
-
-int64_t TimeDelta::InMicroseconds() const {
- if (is_max()) {
- // Preserve max to prevent overflow.
- return std::numeric_limits<int64_t>::max();
- }
- return delta_;
-}
-
-namespace time_internal {
-
-int64_t SaturatedAdd(TimeDelta delta, int64_t value) {
- CheckedNumeric<int64_t> rv(delta.delta_);
- rv += value;
- return FromCheckedNumeric(rv);
-}
-
-int64_t SaturatedSub(TimeDelta delta, int64_t value) {
- CheckedNumeric<int64_t> rv(delta.delta_);
- rv -= value;
- return FromCheckedNumeric(rv);
-}
-
-int64_t FromCheckedNumeric(const CheckedNumeric<int64_t> value) {
- if (value.IsValid())
- return value.ValueUnsafe();
-
- // We could return max/min but we don't really expose what the maximum delta
- // is. Instead, return max/(-max), which is something that clients can reason
- // about.
- // TODO(rvargas) crbug.com/332611: don't use internal values.
- int64_t limit = std::numeric_limits<int64_t>::max();
- if (value.validity() == internal::RANGE_UNDERFLOW)
- limit = -limit;
- return value.ValueOrDefault(limit);
-}
-
-} // namespace time_internal
-
-std::ostream& operator<<(std::ostream& os, TimeDelta time_delta) {
- return os << time_delta.InSecondsF() << "s";
-}
-
-// Time -----------------------------------------------------------------------
-
-// static
-Time Time::Max() {
- return Time(std::numeric_limits<int64_t>::max());
-}
-
-// static
-Time Time::FromTimeT(time_t tt) {
- if (tt == 0)
- return Time(); // Preserve 0 so we can tell it doesn't exist.
- if (tt == std::numeric_limits<time_t>::max())
- return Max();
- return Time(kTimeTToMicrosecondsOffset) + TimeDelta::FromSeconds(tt);
-}
-
-time_t Time::ToTimeT() const {
- if (is_null())
- return 0; // Preserve 0 so we can tell it doesn't exist.
- if (is_max()) {
- // Preserve max without offset to prevent overflow.
- return std::numeric_limits<time_t>::max();
- }
- if (std::numeric_limits<int64_t>::max() - kTimeTToMicrosecondsOffset <= us_) {
- DLOG(WARNING) << "Overflow when converting base::Time with internal " <<
- "value " << us_ << " to time_t.";
- return std::numeric_limits<time_t>::max();
- }
- return (us_ - kTimeTToMicrosecondsOffset) / kMicrosecondsPerSecond;
-}
-
-// static
-Time Time::FromDoubleT(double dt) {
- if (dt == 0 || std::isnan(dt))
- return Time(); // Preserve 0 so we can tell it doesn't exist.
- return Time(kTimeTToMicrosecondsOffset) + TimeDelta::FromSecondsD(dt);
-}
-
-double Time::ToDoubleT() const {
- if (is_null())
- return 0; // Preserve 0 so we can tell it doesn't exist.
- if (is_max()) {
- // Preserve max without offset to prevent overflow.
- return std::numeric_limits<double>::infinity();
- }
- return (static_cast<double>(us_ - kTimeTToMicrosecondsOffset) /
- static_cast<double>(kMicrosecondsPerSecond));
-}
-
-#if defined(OS_POSIX)
-// static
-Time Time::FromTimeSpec(const timespec& ts) {
- return FromDoubleT(ts.tv_sec +
- static_cast<double>(ts.tv_nsec) /
- base::Time::kNanosecondsPerSecond);
-}
-#endif
-
-// static
-Time Time::FromJsTime(double ms_since_epoch) {
- // The epoch is a valid time, so this constructor doesn't interpret
- // 0 as the null time.
- return Time(kTimeTToMicrosecondsOffset) +
- TimeDelta::FromMillisecondsD(ms_since_epoch);
-}
-
-double Time::ToJsTime() const {
- if (is_null()) {
- // Preserve 0 so the invalid result doesn't depend on the platform.
- return 0;
- }
- if (is_max()) {
- // Preserve max without offset to prevent overflow.
- return std::numeric_limits<double>::infinity();
- }
- return (static_cast<double>(us_ - kTimeTToMicrosecondsOffset) /
- kMicrosecondsPerMillisecond);
-}
-
-int64_t Time::ToJavaTime() const {
- if (is_null()) {
- // Preserve 0 so the invalid result doesn't depend on the platform.
- return 0;
- }
- if (is_max()) {
- // Preserve max without offset to prevent overflow.
- return std::numeric_limits<int64_t>::max();
- }
- return ((us_ - kTimeTToMicrosecondsOffset) /
- kMicrosecondsPerMillisecond);
-}
-
-// static
-Time Time::UnixEpoch() {
- Time time;
- time.us_ = kTimeTToMicrosecondsOffset;
- return time;
-}
-
-Time Time::LocalMidnight() const {
- Exploded exploded;
- LocalExplode(&exploded);
- exploded.hour = 0;
- exploded.minute = 0;
- exploded.second = 0;
- exploded.millisecond = 0;
- return FromLocalExploded(exploded);
-}
-
-// static
-bool Time::FromStringInternal(const char* time_string,
- bool is_local,
- Time* parsed_time) {
- DCHECK((time_string != NULL) && (parsed_time != NULL));
-
- if (time_string[0] == '\0')
- return false;
-
- PRTime result_time = 0;
- PRStatus result = PR_ParseTimeString(time_string,
- is_local ? PR_FALSE : PR_TRUE,
- &result_time);
- if (PR_SUCCESS != result)
- return false;
-
- result_time += kTimeTToMicrosecondsOffset;
- *parsed_time = Time(result_time);
- return true;
-}
-
-std::ostream& operator<<(std::ostream& os, Time time) {
- Time::Exploded exploded;
- time.UTCExplode(&exploded);
- // Use StringPrintf because iostreams formatting is painful.
- return os << StringPrintf("%04d-%02d-%02d %02d:%02d:%02d.%03d UTC",
- exploded.year,
- exploded.month,
- exploded.day_of_month,
- exploded.hour,
- exploded.minute,
- exploded.second,
- exploded.millisecond);
-}
-
-// Local helper class to hold the conversion from Time to TickTime at the
-// time of the Unix epoch.
-class UnixEpochSingleton {
- public:
- UnixEpochSingleton()
- : unix_epoch_(TimeTicks::Now() - (Time::Now() - Time::UnixEpoch())) {}
-
- TimeTicks unix_epoch() const { return unix_epoch_; }
-
- private:
- const TimeTicks unix_epoch_;
-
- DISALLOW_COPY_AND_ASSIGN(UnixEpochSingleton);
-};
-
-static LazyInstance<UnixEpochSingleton>::Leaky
- leaky_unix_epoch_singleton_instance = LAZY_INSTANCE_INITIALIZER;
-
-// Static
-TimeTicks TimeTicks::UnixEpoch() {
- return leaky_unix_epoch_singleton_instance.Get().unix_epoch();
-}
-
-TimeTicks TimeTicks::SnappedToNextTick(TimeTicks tick_phase,
- TimeDelta tick_interval) const {
- // |interval_offset| is the offset from |this| to the next multiple of
- // |tick_interval| after |tick_phase|, possibly negative if in the past.
- TimeDelta interval_offset = (tick_phase - *this) % tick_interval;
- // If |this| is exactly on the interval (i.e. offset==0), don't adjust.
- // Otherwise, if |tick_phase| was in the past, adjust forward to the next
- // tick after |this|.
- if (!interval_offset.is_zero() && tick_phase < *this)
- interval_offset += tick_interval;
- return *this + interval_offset;
-}
-
-std::ostream& operator<<(std::ostream& os, TimeTicks time_ticks) {
- // This function formats a TimeTicks object as "bogo-microseconds".
- // The origin and granularity of the count are platform-specific, and may very
- // from run to run. Although bogo-microseconds usually roughly correspond to
- // real microseconds, the only real guarantee is that the number never goes
- // down during a single run.
- const TimeDelta as_time_delta = time_ticks - TimeTicks();
- return os << as_time_delta.InMicroseconds() << " bogo-microseconds";
-}
-
-std::ostream& operator<<(std::ostream& os, ThreadTicks thread_ticks) {
- const TimeDelta as_time_delta = thread_ticks - ThreadTicks();
- return os << as_time_delta.InMicroseconds() << " bogo-thread-microseconds";
-}
-
-// Time::Exploded -------------------------------------------------------------
-
-inline bool is_in_range(int value, int lo, int hi) {
- return lo <= value && value <= hi;
-}
-
-bool Time::Exploded::HasValidValues() const {
- return is_in_range(month, 1, 12) &&
- is_in_range(day_of_week, 0, 6) &&
- is_in_range(day_of_month, 1, 31) &&
- is_in_range(hour, 0, 23) &&
- is_in_range(minute, 0, 59) &&
- is_in_range(second, 0, 60) &&
- is_in_range(millisecond, 0, 999);
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/time/time.h b/security/sandbox/chromium/base/time/time.h
deleted file mode 100644
index 066d91083..000000000
--- a/security/sandbox/chromium/base/time/time.h
+++ /dev/null
@@ -1,764 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Time represents an absolute point in coordinated universal time (UTC),
-// internally represented as microseconds (s/1,000,000) since the Windows epoch
-// (1601-01-01 00:00:00 UTC). System-dependent clock interface routines are
-// defined in time_PLATFORM.cc. Note that values for Time may skew and jump
-// around as the operating system makes adjustments to synchronize (e.g., with
-// NTP servers). Thus, client code that uses the Time class must account for
-// this.
-//
-// TimeDelta represents a duration of time, internally represented in
-// microseconds.
-//
-// TimeTicks and ThreadTicks represent an abstract time that is most of the time
-// incrementing, for use in measuring time durations. Internally, they are
-// represented in microseconds. They can not be converted to a human-readable
-// time, but are guaranteed not to decrease (unlike the Time class). Note that
-// TimeTicks may "stand still" (e.g., if the computer is suspended), and
-// ThreadTicks will "stand still" whenever the thread has been de-scheduled by
-// the operating system.
-//
-// All time classes are copyable, assignable, and occupy 64-bits per
-// instance. Thus, they can be efficiently passed by-value (as opposed to
-// by-reference).
-//
-// Definitions of operator<< are provided to make these types work with
-// DCHECK_EQ() and other log macros. For human-readable formatting, see
-// "base/i18n/time_formatting.h".
-//
-// So many choices! Which time class should you use? Examples:
-//
-// Time: Interpreting the wall-clock time provided by a remote
-// system. Detecting whether cached resources have
-// expired. Providing the user with a display of the current date
-// and time. Determining the amount of time between events across
-// re-boots of the machine.
-//
-// TimeTicks: Tracking the amount of time a task runs. Executing delayed
-// tasks at the right time. Computing presentation timestamps.
-// Synchronizing audio and video using TimeTicks as a common
-// reference clock (lip-sync). Measuring network round-trip
-// latency.
-//
-// ThreadTicks: Benchmarking how long the current thread has been doing actual
-// work.
-
-#ifndef BASE_TIME_TIME_H_
-#define BASE_TIME_TIME_H_
-
-#include <stdint.h>
-#include <time.h>
-
-#include <iosfwd>
-#include <limits>
-
-#include "base/base_export.h"
-#include "base/numerics/safe_math.h"
-#include "build/build_config.h"
-
-#if defined(OS_MACOSX)
-#include <CoreFoundation/CoreFoundation.h>
-// Avoid Mac system header macro leak.
-#undef TYPE_BOOL
-#endif
-
-#if defined(OS_POSIX)
-#include <unistd.h>
-#include <sys/time.h>
-#endif
-
-#if defined(OS_WIN)
-// For FILETIME in FromFileTime, until it moves to a new converter class.
-// See TODO(iyengar) below.
-#include <windows.h>
-
-#include "base/gtest_prod_util.h"
-#endif
-
-namespace base {
-
-class TimeDelta;
-
-// The functions in the time_internal namespace are meant to be used only by the
-// time classes and functions. Please use the math operators defined in the
-// time classes instead.
-namespace time_internal {
-
-// Add or subtract |value| from a TimeDelta. The int64_t argument and return
-// value are in terms of a microsecond timebase.
-BASE_EXPORT int64_t SaturatedAdd(TimeDelta delta, int64_t value);
-BASE_EXPORT int64_t SaturatedSub(TimeDelta delta, int64_t value);
-
-// Clamp |value| on overflow and underflow conditions. The int64_t argument and
-// return value are in terms of a microsecond timebase.
-BASE_EXPORT int64_t FromCheckedNumeric(const CheckedNumeric<int64_t> value);
-
-} // namespace time_internal
-
-// TimeDelta ------------------------------------------------------------------
-
-class BASE_EXPORT TimeDelta {
- public:
- TimeDelta() : delta_(0) {
- }
-
- // Converts units of time to TimeDeltas.
- static TimeDelta FromDays(int days);
- static TimeDelta FromHours(int hours);
- static TimeDelta FromMinutes(int minutes);
- static TimeDelta FromSeconds(int64_t secs);
- static TimeDelta FromMilliseconds(int64_t ms);
- static TimeDelta FromSecondsD(double secs);
- static TimeDelta FromMillisecondsD(double ms);
- static TimeDelta FromMicroseconds(int64_t us);
-#if defined(OS_WIN)
- static TimeDelta FromQPCValue(LONGLONG qpc_value);
-#endif
-
- // Converts an integer value representing TimeDelta to a class. This is used
- // when deserializing a |TimeDelta| structure, using a value known to be
- // compatible. It is not provided as a constructor because the integer type
- // may be unclear from the perspective of a caller.
- static TimeDelta FromInternalValue(int64_t delta) { return TimeDelta(delta); }
-
- // Returns the maximum time delta, which should be greater than any reasonable
- // time delta we might compare it to. Adding or subtracting the maximum time
- // delta to a time or another time delta has an undefined result.
- static TimeDelta Max();
-
- // Returns the internal numeric value of the TimeDelta object. Please don't
- // use this and do arithmetic on it, as it is more error prone than using the
- // provided operators.
- // For serializing, use FromInternalValue to reconstitute.
- int64_t ToInternalValue() const { return delta_; }
-
- // Returns the magnitude (absolute value) of this TimeDelta.
- TimeDelta magnitude() const {
- // Some toolchains provide an incomplete C++11 implementation and lack an
- // int64_t overload for std::abs(). The following is a simple branchless
- // implementation:
- const int64_t mask = delta_ >> (sizeof(delta_) * 8 - 1);
- return TimeDelta((delta_ + mask) ^ mask);
- }
-
- // Returns true if the time delta is zero.
- bool is_zero() const {
- return delta_ == 0;
- }
-
- // Returns true if the time delta is the maximum time delta.
- bool is_max() const { return delta_ == std::numeric_limits<int64_t>::max(); }
-
-#if defined(OS_POSIX)
- struct timespec ToTimeSpec() const;
-#endif
-
- // Returns the time delta in some unit. The F versions return a floating
- // point value, the "regular" versions return a rounded-down value.
- //
- // InMillisecondsRoundedUp() instead returns an integer that is rounded up
- // to the next full millisecond.
- int InDays() const;
- int InHours() const;
- int InMinutes() const;
- double InSecondsF() const;
- int64_t InSeconds() const;
- double InMillisecondsF() const;
- int64_t InMilliseconds() const;
- int64_t InMillisecondsRoundedUp() const;
- int64_t InMicroseconds() const;
-
- TimeDelta& operator=(TimeDelta other) {
- delta_ = other.delta_;
- return *this;
- }
-
- // Computations with other deltas.
- TimeDelta operator+(TimeDelta other) const {
- return TimeDelta(time_internal::SaturatedAdd(*this, other.delta_));
- }
- TimeDelta operator-(TimeDelta other) const {
- return TimeDelta(time_internal::SaturatedSub(*this, other.delta_));
- }
-
- TimeDelta& operator+=(TimeDelta other) {
- return *this = (*this + other);
- }
- TimeDelta& operator-=(TimeDelta other) {
- return *this = (*this - other);
- }
- TimeDelta operator-() const {
- return TimeDelta(-delta_);
- }
-
- // Computations with numeric types.
- template<typename T>
- TimeDelta operator*(T a) const {
- CheckedNumeric<int64_t> rv(delta_);
- rv *= a;
- return TimeDelta(time_internal::FromCheckedNumeric(rv));
- }
- template<typename T>
- TimeDelta operator/(T a) const {
- CheckedNumeric<int64_t> rv(delta_);
- rv /= a;
- return TimeDelta(time_internal::FromCheckedNumeric(rv));
- }
- template<typename T>
- TimeDelta& operator*=(T a) {
- return *this = (*this * a);
- }
- template<typename T>
- TimeDelta& operator/=(T a) {
- return *this = (*this / a);
- }
-
- int64_t operator/(TimeDelta a) const { return delta_ / a.delta_; }
- TimeDelta operator%(TimeDelta a) const {
- return TimeDelta(delta_ % a.delta_);
- }
-
- // Comparison operators.
- bool operator==(TimeDelta other) const {
- return delta_ == other.delta_;
- }
- bool operator!=(TimeDelta other) const {
- return delta_ != other.delta_;
- }
- bool operator<(TimeDelta other) const {
- return delta_ < other.delta_;
- }
- bool operator<=(TimeDelta other) const {
- return delta_ <= other.delta_;
- }
- bool operator>(TimeDelta other) const {
- return delta_ > other.delta_;
- }
- bool operator>=(TimeDelta other) const {
- return delta_ >= other.delta_;
- }
-
- private:
- friend int64_t time_internal::SaturatedAdd(TimeDelta delta, int64_t value);
- friend int64_t time_internal::SaturatedSub(TimeDelta delta, int64_t value);
-
- // Constructs a delta given the duration in microseconds. This is private
- // to avoid confusion by callers with an integer constructor. Use
- // FromSeconds, FromMilliseconds, etc. instead.
- explicit TimeDelta(int64_t delta_us) : delta_(delta_us) {}
-
- // Private method to build a delta from a double.
- static TimeDelta FromDouble(double value);
-
- // Delta in microseconds.
- int64_t delta_;
-};
-
-template<typename T>
-inline TimeDelta operator*(T a, TimeDelta td) {
- return td * a;
-}
-
-// For logging use only.
-BASE_EXPORT std::ostream& operator<<(std::ostream& os, TimeDelta time_delta);
-
-// Do not reference the time_internal::TimeBase template class directly. Please
-// use one of the time subclasses instead, and only reference the public
-// TimeBase members via those classes.
-namespace time_internal {
-
-// TimeBase--------------------------------------------------------------------
-
-// Provides value storage and comparison/math operations common to all time
-// classes. Each subclass provides for strong type-checking to ensure
-// semantically meaningful comparison/math of time values from the same clock
-// source or timeline.
-template<class TimeClass>
-class TimeBase {
- public:
- static const int64_t kHoursPerDay = 24;
- static const int64_t kMillisecondsPerSecond = 1000;
- static const int64_t kMillisecondsPerDay =
- kMillisecondsPerSecond * 60 * 60 * kHoursPerDay;
- static const int64_t kMicrosecondsPerMillisecond = 1000;
- static const int64_t kMicrosecondsPerSecond =
- kMicrosecondsPerMillisecond * kMillisecondsPerSecond;
- static const int64_t kMicrosecondsPerMinute = kMicrosecondsPerSecond * 60;
- static const int64_t kMicrosecondsPerHour = kMicrosecondsPerMinute * 60;
- static const int64_t kMicrosecondsPerDay =
- kMicrosecondsPerHour * kHoursPerDay;
- static const int64_t kMicrosecondsPerWeek = kMicrosecondsPerDay * 7;
- static const int64_t kNanosecondsPerMicrosecond = 1000;
- static const int64_t kNanosecondsPerSecond =
- kNanosecondsPerMicrosecond * kMicrosecondsPerSecond;
-
- // Returns true if this object has not been initialized.
- //
- // Warning: Be careful when writing code that performs math on time values,
- // since it's possible to produce a valid "zero" result that should not be
- // interpreted as a "null" value.
- bool is_null() const {
- return us_ == 0;
- }
-
- // Returns true if this object represents the maximum time.
- bool is_max() const { return us_ == std::numeric_limits<int64_t>::max(); }
-
- // For serializing only. Use FromInternalValue() to reconstitute. Please don't
- // use this and do arithmetic on it, as it is more error prone than using the
- // provided operators.
- int64_t ToInternalValue() const { return us_; }
-
- TimeClass& operator=(TimeClass other) {
- us_ = other.us_;
- return *(static_cast<TimeClass*>(this));
- }
-
- // Compute the difference between two times.
- TimeDelta operator-(TimeClass other) const {
- return TimeDelta::FromMicroseconds(us_ - other.us_);
- }
-
- // Return a new time modified by some delta.
- TimeClass operator+(TimeDelta delta) const {
- return TimeClass(time_internal::SaturatedAdd(delta, us_));
- }
- TimeClass operator-(TimeDelta delta) const {
- return TimeClass(-time_internal::SaturatedSub(delta, us_));
- }
-
- // Modify by some time delta.
- TimeClass& operator+=(TimeDelta delta) {
- return static_cast<TimeClass&>(*this = (*this + delta));
- }
- TimeClass& operator-=(TimeDelta delta) {
- return static_cast<TimeClass&>(*this = (*this - delta));
- }
-
- // Comparison operators
- bool operator==(TimeClass other) const {
- return us_ == other.us_;
- }
- bool operator!=(TimeClass other) const {
- return us_ != other.us_;
- }
- bool operator<(TimeClass other) const {
- return us_ < other.us_;
- }
- bool operator<=(TimeClass other) const {
- return us_ <= other.us_;
- }
- bool operator>(TimeClass other) const {
- return us_ > other.us_;
- }
- bool operator>=(TimeClass other) const {
- return us_ >= other.us_;
- }
-
- // Converts an integer value representing TimeClass to a class. This is used
- // when deserializing a |TimeClass| structure, using a value known to be
- // compatible. It is not provided as a constructor because the integer type
- // may be unclear from the perspective of a caller.
- static TimeClass FromInternalValue(int64_t us) { return TimeClass(us); }
-
- protected:
- explicit TimeBase(int64_t us) : us_(us) {}
-
- // Time value in a microsecond timebase.
- int64_t us_;
-};
-
-} // namespace time_internal
-
-template<class TimeClass>
-inline TimeClass operator+(TimeDelta delta, TimeClass t) {
- return t + delta;
-}
-
-// Time -----------------------------------------------------------------------
-
-// Represents a wall clock time in UTC. Values are not guaranteed to be
-// monotonically non-decreasing and are subject to large amounts of skew.
-class BASE_EXPORT Time : public time_internal::TimeBase<Time> {
- public:
- // The representation of Jan 1, 1970 UTC in microseconds since the
- // platform-dependent epoch.
- static const int64_t kTimeTToMicrosecondsOffset;
-
-#if !defined(OS_WIN)
- // On Mac & Linux, this value is the delta from the Windows epoch of 1601 to
- // the Posix delta of 1970. This is used for migrating between the old
- // 1970-based epochs to the new 1601-based ones. It should be removed from
- // this global header and put in the platform-specific ones when we remove the
- // migration code.
- static const int64_t kWindowsEpochDeltaMicroseconds;
-#else
- // To avoid overflow in QPC to Microseconds calculations, since we multiply
- // by kMicrosecondsPerSecond, then the QPC value should not exceed
- // (2^63 - 1) / 1E6. If it exceeds that threshold, we divide then multiply.
- enum : int64_t{kQPCOverflowThreshold = 0x8637BD05AF7};
-#endif
-
- // Represents an exploded time that can be formatted nicely. This is kind of
- // like the Win32 SYSTEMTIME structure or the Unix "struct tm" with a few
- // additions and changes to prevent errors.
- struct BASE_EXPORT Exploded {
- int year; // Four digit year "2007"
- int month; // 1-based month (values 1 = January, etc.)
- int day_of_week; // 0-based day of week (0 = Sunday, etc.)
- int day_of_month; // 1-based day of month (1-31)
- int hour; // Hour within the current day (0-23)
- int minute; // Minute within the current hour (0-59)
- int second; // Second within the current minute (0-59 plus leap
- // seconds which may take it up to 60).
- int millisecond; // Milliseconds within the current second (0-999)
-
- // A cursory test for whether the data members are within their
- // respective ranges. A 'true' return value does not guarantee the
- // Exploded value can be successfully converted to a Time value.
- bool HasValidValues() const;
- };
-
- // Contains the NULL time. Use Time::Now() to get the current time.
- Time() : TimeBase(0) {
- }
-
- // Returns the time for epoch in Unix-like system (Jan 1, 1970).
- static Time UnixEpoch();
-
- // Returns the current time. Watch out, the system might adjust its clock
- // in which case time will actually go backwards. We don't guarantee that
- // times are increasing, or that two calls to Now() won't be the same.
- static Time Now();
-
- // Returns the maximum time, which should be greater than any reasonable time
- // with which we might compare it.
- static Time Max();
-
- // Returns the current time. Same as Now() except that this function always
- // uses system time so that there are no discrepancies between the returned
- // time and system time even on virtual environments including our test bot.
- // For timing sensitive unittests, this function should be used.
- static Time NowFromSystemTime();
-
- // Converts to/from time_t in UTC and a Time class.
- // TODO(brettw) this should be removed once everybody starts using the |Time|
- // class.
- static Time FromTimeT(time_t tt);
- time_t ToTimeT() const;
-
- // Converts time to/from a double which is the number of seconds since epoch
- // (Jan 1, 1970). Webkit uses this format to represent time.
- // Because WebKit initializes double time value to 0 to indicate "not
- // initialized", we map it to empty Time object that also means "not
- // initialized".
- static Time FromDoubleT(double dt);
- double ToDoubleT() const;
-
-#if defined(OS_POSIX)
- // Converts the timespec structure to time. MacOS X 10.8.3 (and tentatively,
- // earlier versions) will have the |ts|'s tv_nsec component zeroed out,
- // having a 1 second resolution, which agrees with
- // https://developer.apple.com/legacy/library/#technotes/tn/tn1150.html#HFSPlusDates.
- static Time FromTimeSpec(const timespec& ts);
-#endif
-
- // Converts to/from the Javascript convention for times, a number of
- // milliseconds since the epoch:
- // https://developer.mozilla.org/en/JavaScript/Reference/Global_Objects/Date/getTime.
- static Time FromJsTime(double ms_since_epoch);
- double ToJsTime() const;
-
- // Converts to Java convention for times, a number of
- // milliseconds since the epoch.
- int64_t ToJavaTime() const;
-
-#if defined(OS_POSIX)
- static Time FromTimeVal(struct timeval t);
- struct timeval ToTimeVal() const;
-#endif
-
-#if defined(OS_MACOSX)
- static Time FromCFAbsoluteTime(CFAbsoluteTime t);
- CFAbsoluteTime ToCFAbsoluteTime() const;
-#endif
-
-#if defined(OS_WIN)
- static Time FromFileTime(FILETIME ft);
- FILETIME ToFileTime() const;
-
- // The minimum time of a low resolution timer. This is basically a windows
- // constant of ~15.6ms. While it does vary on some older OS versions, we'll
- // treat it as static across all windows versions.
- static const int kMinLowResolutionThresholdMs = 16;
-
- // Enable or disable Windows high resolution timer.
- static void EnableHighResolutionTimer(bool enable);
-
- // Activates or deactivates the high resolution timer based on the |activate|
- // flag. If the HighResolutionTimer is not Enabled (see
- // EnableHighResolutionTimer), this function will return false. Otherwise
- // returns true. Each successful activate call must be paired with a
- // subsequent deactivate call.
- // All callers to activate the high resolution timer must eventually call
- // this function to deactivate the high resolution timer.
- static bool ActivateHighResolutionTimer(bool activate);
-
- // Returns true if the high resolution timer is both enabled and activated.
- // This is provided for testing only, and is not tracked in a thread-safe
- // way.
- static bool IsHighResolutionTimerInUse();
-#endif
-
- // Converts an exploded structure representing either the local time or UTC
- // into a Time class.
- static Time FromUTCExploded(const Exploded& exploded) {
- return FromExploded(false, exploded);
- }
- static Time FromLocalExploded(const Exploded& exploded) {
- return FromExploded(true, exploded);
- }
-
- // Converts a string representation of time to a Time object.
- // An example of a time string which is converted is as below:-
- // "Tue, 15 Nov 1994 12:45:26 GMT". If the timezone is not specified
- // in the input string, FromString assumes local time and FromUTCString
- // assumes UTC. A timezone that cannot be parsed (e.g. "UTC" which is not
- // specified in RFC822) is treated as if the timezone is not specified.
- // TODO(iyengar) Move the FromString/FromTimeT/ToTimeT/FromFileTime to
- // a new time converter class.
- static bool FromString(const char* time_string, Time* parsed_time) {
- return FromStringInternal(time_string, true, parsed_time);
- }
- static bool FromUTCString(const char* time_string, Time* parsed_time) {
- return FromStringInternal(time_string, false, parsed_time);
- }
-
- // Fills the given exploded structure with either the local time or UTC from
- // this time structure (containing UTC).
- void UTCExplode(Exploded* exploded) const {
- return Explode(false, exploded);
- }
- void LocalExplode(Exploded* exploded) const {
- return Explode(true, exploded);
- }
-
- // Rounds this time down to the nearest day in local time. It will represent
- // midnight on that day.
- Time LocalMidnight() const;
-
- private:
- friend class time_internal::TimeBase<Time>;
-
- explicit Time(int64_t us) : TimeBase(us) {}
-
- // Explodes the given time to either local time |is_local = true| or UTC
- // |is_local = false|.
- void Explode(bool is_local, Exploded* exploded) const;
-
- // Unexplodes a given time assuming the source is either local time
- // |is_local = true| or UTC |is_local = false|.
- static Time FromExploded(bool is_local, const Exploded& exploded);
-
- // Converts a string representation of time to a Time object.
- // An example of a time string which is converted is as below:-
- // "Tue, 15 Nov 1994 12:45:26 GMT". If the timezone is not specified
- // in the input string, local time |is_local = true| or
- // UTC |is_local = false| is assumed. A timezone that cannot be parsed
- // (e.g. "UTC" which is not specified in RFC822) is treated as if the
- // timezone is not specified.
- static bool FromStringInternal(const char* time_string,
- bool is_local,
- Time* parsed_time);
-};
-
-// Inline the TimeDelta factory methods, for fast TimeDelta construction.
-
-// static
-inline TimeDelta TimeDelta::FromDays(int days) {
- if (days == std::numeric_limits<int>::max())
- return Max();
- return TimeDelta(days * Time::kMicrosecondsPerDay);
-}
-
-// static
-inline TimeDelta TimeDelta::FromHours(int hours) {
- if (hours == std::numeric_limits<int>::max())
- return Max();
- return TimeDelta(hours * Time::kMicrosecondsPerHour);
-}
-
-// static
-inline TimeDelta TimeDelta::FromMinutes(int minutes) {
- if (minutes == std::numeric_limits<int>::max())
- return Max();
- return TimeDelta(minutes * Time::kMicrosecondsPerMinute);
-}
-
-// static
-inline TimeDelta TimeDelta::FromSeconds(int64_t secs) {
- return TimeDelta(secs) * Time::kMicrosecondsPerSecond;
-}
-
-// static
-inline TimeDelta TimeDelta::FromMilliseconds(int64_t ms) {
- return TimeDelta(ms) * Time::kMicrosecondsPerMillisecond;
-}
-
-// static
-inline TimeDelta TimeDelta::FromSecondsD(double secs) {
- return FromDouble(secs * Time::kMicrosecondsPerSecond);
-}
-
-// static
-inline TimeDelta TimeDelta::FromMillisecondsD(double ms) {
- return FromDouble(ms * Time::kMicrosecondsPerMillisecond);
-}
-
-// static
-inline TimeDelta TimeDelta::FromMicroseconds(int64_t us) {
- return TimeDelta(us);
-}
-
-// static
-inline TimeDelta TimeDelta::FromDouble(double value) {
- double max_magnitude = std::numeric_limits<int64_t>::max();
- TimeDelta delta = TimeDelta(static_cast<int64_t>(value));
- if (value > max_magnitude)
- delta = Max();
- else if (value < -max_magnitude)
- delta = -Max();
- return delta;
-}
-
-// For logging use only.
-BASE_EXPORT std::ostream& operator<<(std::ostream& os, Time time);
-
-// TimeTicks ------------------------------------------------------------------
-
-// Represents monotonically non-decreasing clock time.
-class BASE_EXPORT TimeTicks : public time_internal::TimeBase<TimeTicks> {
- public:
- TimeTicks() : TimeBase(0) {
- }
-
- // Platform-dependent tick count representing "right now." When
- // IsHighResolution() returns false, the resolution of the clock could be
- // as coarse as ~15.6ms. Otherwise, the resolution should be no worse than one
- // microsecond.
- static TimeTicks Now();
-
- // Returns true if the high resolution clock is working on this system and
- // Now() will return high resolution values. Note that, on systems where the
- // high resolution clock works but is deemed inefficient, the low resolution
- // clock will be used instead.
- static bool IsHighResolution();
-
-#if defined(OS_WIN)
- // Translates an absolute QPC timestamp into a TimeTicks value. The returned
- // value has the same origin as Now(). Do NOT attempt to use this if
- // IsHighResolution() returns false.
- static TimeTicks FromQPCValue(LONGLONG qpc_value);
-#endif
-
- // Get an estimate of the TimeTick value at the time of the UnixEpoch. Because
- // Time and TimeTicks respond differently to user-set time and NTP
- // adjustments, this number is only an estimate. Nevertheless, this can be
- // useful when you need to relate the value of TimeTicks to a real time and
- // date. Note: Upon first invocation, this function takes a snapshot of the
- // realtime clock to establish a reference point. This function will return
- // the same value for the duration of the application, but will be different
- // in future application runs.
- static TimeTicks UnixEpoch();
-
- // Returns |this| snapped to the next tick, given a |tick_phase| and
- // repeating |tick_interval| in both directions. |this| may be before,
- // after, or equal to the |tick_phase|.
- TimeTicks SnappedToNextTick(TimeTicks tick_phase,
- TimeDelta tick_interval) const;
-
-#if defined(OS_WIN)
- protected:
- typedef DWORD (*TickFunctionType)(void);
- static TickFunctionType SetMockTickFunction(TickFunctionType ticker);
-#endif
-
- private:
- friend class time_internal::TimeBase<TimeTicks>;
-
- // Please use Now() to create a new object. This is for internal use
- // and testing.
- explicit TimeTicks(int64_t us) : TimeBase(us) {}
-};
-
-// For logging use only.
-BASE_EXPORT std::ostream& operator<<(std::ostream& os, TimeTicks time_ticks);
-
-// ThreadTicks ----------------------------------------------------------------
-
-// Represents a clock, specific to a particular thread, than runs only while the
-// thread is running.
-class BASE_EXPORT ThreadTicks : public time_internal::TimeBase<ThreadTicks> {
- public:
- ThreadTicks() : TimeBase(0) {
- }
-
- // Returns true if ThreadTicks::Now() is supported on this system.
- static bool IsSupported() {
-#if (defined(_POSIX_THREAD_CPUTIME) && (_POSIX_THREAD_CPUTIME >= 0)) || \
- (defined(OS_MACOSX) && !defined(OS_IOS)) || defined(OS_ANDROID)
- return true;
-#elif defined(OS_WIN)
- return IsSupportedWin();
-#else
- return false;
-#endif
- }
-
- // Waits until the initialization is completed. Needs to be guarded with a
- // call to IsSupported().
- static void WaitUntilInitialized() {
-#if defined(OS_WIN)
- WaitUntilInitializedWin();
-#endif
- }
-
- // Returns thread-specific CPU-time on systems that support this feature.
- // Needs to be guarded with a call to IsSupported(). Use this timer
- // to (approximately) measure how much time the calling thread spent doing
- // actual work vs. being de-scheduled. May return bogus results if the thread
- // migrates to another CPU between two calls. Returns an empty ThreadTicks
- // object until the initialization is completed. If a clock reading is
- // absolutely needed, call WaitUntilInitialized() before this method.
- static ThreadTicks Now();
-
- private:
- friend class time_internal::TimeBase<ThreadTicks>;
-
- // Please use Now() to create a new object. This is for internal use
- // and testing.
- explicit ThreadTicks(int64_t us) : TimeBase(us) {}
-
-#if defined(OS_WIN)
- FRIEND_TEST_ALL_PREFIXES(TimeTicks, TSCTicksPerSecond);
-
- // Returns the frequency of the TSC in ticks per second, or 0 if it hasn't
- // been measured yet. Needs to be guarded with a call to IsSupported().
- // This method is declared here rather than in the anonymous namespace to
- // allow testing.
- static double TSCTicksPerSecond();
-
- static bool IsSupportedWin();
- static void WaitUntilInitializedWin();
-#endif
-};
-
-// For logging use only.
-BASE_EXPORT std::ostream& operator<<(std::ostream& os, ThreadTicks time_ticks);
-
-} // namespace base
-
-#endif // BASE_TIME_TIME_H_
diff --git a/security/sandbox/chromium/base/time/time_posix.cc b/security/sandbox/chromium/base/time/time_posix.cc
deleted file mode 100644
index 4aadee618..000000000
--- a/security/sandbox/chromium/base/time/time_posix.cc
+++ /dev/null
@@ -1,363 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/time/time.h"
-
-#include <stdint.h>
-#include <sys/time.h>
-#include <time.h>
-#if defined(OS_ANDROID) && !defined(__LP64__)
-#include <time64.h>
-#endif
-#include <unistd.h>
-
-#include <limits>
-#include <ostream>
-
-#include "base/logging.h"
-#include "build/build_config.h"
-
-#if defined(OS_ANDROID)
-#include "base/os_compat_android.h"
-#elif defined(OS_NACL)
-#include "base/os_compat_nacl.h"
-#endif
-
-#if !defined(OS_MACOSX)
-#include "base/lazy_instance.h"
-#include "base/synchronization/lock.h"
-#endif
-
-namespace {
-
-#if !defined(OS_MACOSX)
-// This prevents a crash on traversing the environment global and looking up
-// the 'TZ' variable in libc. See: crbug.com/390567.
-base::LazyInstance<base::Lock>::Leaky
- g_sys_time_to_time_struct_lock = LAZY_INSTANCE_INITIALIZER;
-
-// Define a system-specific SysTime that wraps either to a time_t or
-// a time64_t depending on the host system, and associated convertion.
-// See crbug.com/162007
-#if defined(OS_ANDROID) && !defined(__LP64__)
-typedef time64_t SysTime;
-
-SysTime SysTimeFromTimeStruct(struct tm* timestruct, bool is_local) {
- base::AutoLock locked(g_sys_time_to_time_struct_lock.Get());
- if (is_local)
- return mktime64(timestruct);
- else
- return timegm64(timestruct);
-}
-
-void SysTimeToTimeStruct(SysTime t, struct tm* timestruct, bool is_local) {
- base::AutoLock locked(g_sys_time_to_time_struct_lock.Get());
- if (is_local)
- localtime64_r(&t, timestruct);
- else
- gmtime64_r(&t, timestruct);
-}
-
-#else // OS_ANDROID && !__LP64__
-typedef time_t SysTime;
-
-SysTime SysTimeFromTimeStruct(struct tm* timestruct, bool is_local) {
- base::AutoLock locked(g_sys_time_to_time_struct_lock.Get());
- if (is_local)
- return mktime(timestruct);
- else
- return timegm(timestruct);
-}
-
-void SysTimeToTimeStruct(SysTime t, struct tm* timestruct, bool is_local) {
- base::AutoLock locked(g_sys_time_to_time_struct_lock.Get());
- if (is_local)
- localtime_r(&t, timestruct);
- else
- gmtime_r(&t, timestruct);
-}
-#endif // OS_ANDROID
-
-int64_t ConvertTimespecToMicros(const struct timespec& ts) {
- base::CheckedNumeric<int64_t> result(ts.tv_sec);
- result *= base::Time::kMicrosecondsPerSecond;
- result += (ts.tv_nsec / base::Time::kNanosecondsPerMicrosecond);
- return result.ValueOrDie();
-}
-
-// Helper function to get results from clock_gettime() and convert to a
-// microsecond timebase. Minimum requirement is MONOTONIC_CLOCK to be supported
-// on the system. FreeBSD 6 has CLOCK_MONOTONIC but defines
-// _POSIX_MONOTONIC_CLOCK to -1.
-#if (defined(OS_POSIX) && \
- defined(_POSIX_MONOTONIC_CLOCK) && _POSIX_MONOTONIC_CLOCK >= 0) || \
- defined(OS_BSD) || defined(OS_ANDROID)
-int64_t ClockNow(clockid_t clk_id) {
- struct timespec ts;
- if (clock_gettime(clk_id, &ts) != 0) {
- NOTREACHED() << "clock_gettime(" << clk_id << ") failed.";
- return 0;
- }
- return ConvertTimespecToMicros(ts);
-}
-#else // _POSIX_MONOTONIC_CLOCK
-#error No usable tick clock function on this platform.
-#endif // _POSIX_MONOTONIC_CLOCK
-#endif // !defined(OS_MACOSX)
-
-} // namespace
-
-namespace base {
-
-struct timespec TimeDelta::ToTimeSpec() const {
- int64_t microseconds = InMicroseconds();
- time_t seconds = 0;
- if (microseconds >= Time::kMicrosecondsPerSecond) {
- seconds = InSeconds();
- microseconds -= seconds * Time::kMicrosecondsPerSecond;
- }
- struct timespec result =
- {seconds,
- static_cast<long>(microseconds * Time::kNanosecondsPerMicrosecond)};
- return result;
-}
-
-#if !defined(OS_MACOSX)
-// The Time routines in this file use standard POSIX routines, or almost-
-// standard routines in the case of timegm. We need to use a Mach-specific
-// function for TimeTicks::Now() on Mac OS X.
-
-// Time -----------------------------------------------------------------------
-
-// Windows uses a Gregorian epoch of 1601. We need to match this internally
-// so that our time representations match across all platforms. See bug 14734.
-// irb(main):010:0> Time.at(0).getutc()
-// => Thu Jan 01 00:00:00 UTC 1970
-// irb(main):011:0> Time.at(-11644473600).getutc()
-// => Mon Jan 01 00:00:00 UTC 1601
-static const int64_t kWindowsEpochDeltaSeconds = INT64_C(11644473600);
-
-// static
-const int64_t Time::kWindowsEpochDeltaMicroseconds =
- kWindowsEpochDeltaSeconds * Time::kMicrosecondsPerSecond;
-
-// Some functions in time.cc use time_t directly, so we provide an offset
-// to convert from time_t (Unix epoch) and internal (Windows epoch).
-// static
-const int64_t Time::kTimeTToMicrosecondsOffset = kWindowsEpochDeltaMicroseconds;
-
-// static
-Time Time::Now() {
- struct timeval tv;
- struct timezone tz = { 0, 0 }; // UTC
- if (gettimeofday(&tv, &tz) != 0) {
- DCHECK(0) << "Could not determine time of day";
- PLOG(ERROR) << "Call to gettimeofday failed.";
- // Return null instead of uninitialized |tv| value, which contains random
- // garbage data. This may result in the crash seen in crbug.com/147570.
- return Time();
- }
- // Combine seconds and microseconds in a 64-bit field containing microseconds
- // since the epoch. That's enough for nearly 600 centuries. Adjust from
- // Unix (1970) to Windows (1601) epoch.
- return Time((tv.tv_sec * kMicrosecondsPerSecond + tv.tv_usec) +
- kWindowsEpochDeltaMicroseconds);
-}
-
-// static
-Time Time::NowFromSystemTime() {
- // Just use Now() because Now() returns the system time.
- return Now();
-}
-
-void Time::Explode(bool is_local, Exploded* exploded) const {
- // Time stores times with microsecond resolution, but Exploded only carries
- // millisecond resolution, so begin by being lossy. Adjust from Windows
- // epoch (1601) to Unix epoch (1970);
- int64_t microseconds = us_ - kWindowsEpochDeltaMicroseconds;
- // The following values are all rounded towards -infinity.
- int64_t milliseconds; // Milliseconds since epoch.
- SysTime seconds; // Seconds since epoch.
- int millisecond; // Exploded millisecond value (0-999).
- if (microseconds >= 0) {
- // Rounding towards -infinity <=> rounding towards 0, in this case.
- milliseconds = microseconds / kMicrosecondsPerMillisecond;
- seconds = milliseconds / kMillisecondsPerSecond;
- millisecond = milliseconds % kMillisecondsPerSecond;
- } else {
- // Round these *down* (towards -infinity).
- milliseconds = (microseconds - kMicrosecondsPerMillisecond + 1) /
- kMicrosecondsPerMillisecond;
- seconds = (milliseconds - kMillisecondsPerSecond + 1) /
- kMillisecondsPerSecond;
- // Make this nonnegative (and between 0 and 999 inclusive).
- millisecond = milliseconds % kMillisecondsPerSecond;
- if (millisecond < 0)
- millisecond += kMillisecondsPerSecond;
- }
-
- struct tm timestruct;
- SysTimeToTimeStruct(seconds, &timestruct, is_local);
-
- exploded->year = timestruct.tm_year + 1900;
- exploded->month = timestruct.tm_mon + 1;
- exploded->day_of_week = timestruct.tm_wday;
- exploded->day_of_month = timestruct.tm_mday;
- exploded->hour = timestruct.tm_hour;
- exploded->minute = timestruct.tm_min;
- exploded->second = timestruct.tm_sec;
- exploded->millisecond = millisecond;
-}
-
-// static
-Time Time::FromExploded(bool is_local, const Exploded& exploded) {
- struct tm timestruct;
- timestruct.tm_sec = exploded.second;
- timestruct.tm_min = exploded.minute;
- timestruct.tm_hour = exploded.hour;
- timestruct.tm_mday = exploded.day_of_month;
- timestruct.tm_mon = exploded.month - 1;
- timestruct.tm_year = exploded.year - 1900;
- timestruct.tm_wday = exploded.day_of_week; // mktime/timegm ignore this
- timestruct.tm_yday = 0; // mktime/timegm ignore this
- timestruct.tm_isdst = -1; // attempt to figure it out
-#if !defined(OS_NACL) && !defined(OS_SOLARIS)
- timestruct.tm_gmtoff = 0; // not a POSIX field, so mktime/timegm ignore
- timestruct.tm_zone = NULL; // not a POSIX field, so mktime/timegm ignore
-#endif
-
- int64_t milliseconds;
- SysTime seconds;
-
- // Certain exploded dates do not really exist due to daylight saving times,
- // and this causes mktime() to return implementation-defined values when
- // tm_isdst is set to -1. On Android, the function will return -1, while the
- // C libraries of other platforms typically return a liberally-chosen value.
- // Handling this requires the special code below.
-
- // SysTimeFromTimeStruct() modifies the input structure, save current value.
- struct tm timestruct0 = timestruct;
-
- seconds = SysTimeFromTimeStruct(&timestruct, is_local);
- if (seconds == -1) {
- // Get the time values with tm_isdst == 0 and 1, then select the closest one
- // to UTC 00:00:00 that isn't -1.
- timestruct = timestruct0;
- timestruct.tm_isdst = 0;
- int64_t seconds_isdst0 = SysTimeFromTimeStruct(&timestruct, is_local);
-
- timestruct = timestruct0;
- timestruct.tm_isdst = 1;
- int64_t seconds_isdst1 = SysTimeFromTimeStruct(&timestruct, is_local);
-
- // seconds_isdst0 or seconds_isdst1 can be -1 for some timezones.
- // E.g. "CLST" (Chile Summer Time) returns -1 for 'tm_isdt == 1'.
- if (seconds_isdst0 < 0)
- seconds = seconds_isdst1;
- else if (seconds_isdst1 < 0)
- seconds = seconds_isdst0;
- else
- seconds = std::min(seconds_isdst0, seconds_isdst1);
- }
-
- // Handle overflow. Clamping the range to what mktime and timegm might
- // return is the best that can be done here. It's not ideal, but it's better
- // than failing here or ignoring the overflow case and treating each time
- // overflow as one second prior to the epoch.
- if (seconds == -1 &&
- (exploded.year < 1969 || exploded.year > 1970)) {
- // If exploded.year is 1969 or 1970, take -1 as correct, with the
- // time indicating 1 second prior to the epoch. (1970 is allowed to handle
- // time zone and DST offsets.) Otherwise, return the most future or past
- // time representable. Assumes the time_t epoch is 1970-01-01 00:00:00 UTC.
- //
- // The minimum and maximum representible times that mktime and timegm could
- // return are used here instead of values outside that range to allow for
- // proper round-tripping between exploded and counter-type time
- // representations in the presence of possible truncation to time_t by
- // division and use with other functions that accept time_t.
- //
- // When representing the most distant time in the future, add in an extra
- // 999ms to avoid the time being less than any other possible value that
- // this function can return.
-
- // On Android, SysTime is int64_t, special care must be taken to avoid
- // overflows.
- const int64_t min_seconds = (sizeof(SysTime) < sizeof(int64_t))
- ? std::numeric_limits<SysTime>::min()
- : std::numeric_limits<int32_t>::min();
- const int64_t max_seconds = (sizeof(SysTime) < sizeof(int64_t))
- ? std::numeric_limits<SysTime>::max()
- : std::numeric_limits<int32_t>::max();
- if (exploded.year < 1969) {
- milliseconds = min_seconds * kMillisecondsPerSecond;
- } else {
- milliseconds = max_seconds * kMillisecondsPerSecond;
- milliseconds += (kMillisecondsPerSecond - 1);
- }
- } else {
- milliseconds = seconds * kMillisecondsPerSecond + exploded.millisecond;
- }
-
- // Adjust from Unix (1970) to Windows (1601) epoch.
- return Time((milliseconds * kMicrosecondsPerMillisecond) +
- kWindowsEpochDeltaMicroseconds);
-}
-
-// TimeTicks ------------------------------------------------------------------
-// static
-TimeTicks TimeTicks::Now() {
- return TimeTicks(ClockNow(CLOCK_MONOTONIC));
-}
-
-// static
-bool TimeTicks::IsHighResolution() {
- return true;
-}
-
-// static
-ThreadTicks ThreadTicks::Now() {
-#if (defined(_POSIX_THREAD_CPUTIME) && (_POSIX_THREAD_CPUTIME >= 0)) || \
- defined(OS_ANDROID)
- return ThreadTicks(ClockNow(CLOCK_THREAD_CPUTIME_ID));
-#else
- NOTREACHED();
- return ThreadTicks();
-#endif
-}
-
-#endif // !OS_MACOSX
-
-// static
-Time Time::FromTimeVal(struct timeval t) {
- DCHECK_LT(t.tv_usec, static_cast<int>(Time::kMicrosecondsPerSecond));
- DCHECK_GE(t.tv_usec, 0);
- if (t.tv_usec == 0 && t.tv_sec == 0)
- return Time();
- if (t.tv_usec == static_cast<suseconds_t>(Time::kMicrosecondsPerSecond) - 1 &&
- t.tv_sec == std::numeric_limits<time_t>::max())
- return Max();
- return Time((static_cast<int64_t>(t.tv_sec) * Time::kMicrosecondsPerSecond) +
- t.tv_usec + kTimeTToMicrosecondsOffset);
-}
-
-struct timeval Time::ToTimeVal() const {
- struct timeval result;
- if (is_null()) {
- result.tv_sec = 0;
- result.tv_usec = 0;
- return result;
- }
- if (is_max()) {
- result.tv_sec = std::numeric_limits<time_t>::max();
- result.tv_usec = static_cast<suseconds_t>(Time::kMicrosecondsPerSecond) - 1;
- return result;
- }
- int64_t us = us_ - kTimeTToMicrosecondsOffset;
- result.tv_sec = us / Time::kMicrosecondsPerSecond;
- result.tv_usec = us % Time::kMicrosecondsPerSecond;
- return result;
-}
-
-} // namespace base
diff --git a/security/sandbox/chromium/base/time/time_win.cc b/security/sandbox/chromium/base/time/time_win.cc
deleted file mode 100644
index dc968ad63..000000000
--- a/security/sandbox/chromium/base/time/time_win.cc
+++ /dev/null
@@ -1,616 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-
-// Windows Timer Primer
-//
-// A good article: http://www.ddj.com/windows/184416651
-// A good mozilla bug: http://bugzilla.mozilla.org/show_bug.cgi?id=363258
-//
-// The default windows timer, GetSystemTimeAsFileTime is not very precise.
-// It is only good to ~15.5ms.
-//
-// QueryPerformanceCounter is the logical choice for a high-precision timer.
-// However, it is known to be buggy on some hardware. Specifically, it can
-// sometimes "jump". On laptops, QPC can also be very expensive to call.
-// It's 3-4x slower than timeGetTime() on desktops, but can be 10x slower
-// on laptops. A unittest exists which will show the relative cost of various
-// timers on any system.
-//
-// The next logical choice is timeGetTime(). timeGetTime has a precision of
-// 1ms, but only if you call APIs (timeBeginPeriod()) which affect all other
-// applications on the system. By default, precision is only 15.5ms.
-// Unfortunately, we don't want to call timeBeginPeriod because we don't
-// want to affect other applications. Further, on mobile platforms, use of
-// faster multimedia timers can hurt battery life. See the intel
-// article about this here:
-// http://softwarecommunity.intel.com/articles/eng/1086.htm
-//
-// To work around all this, we're going to generally use timeGetTime(). We
-// will only increase the system-wide timer if we're not running on battery
-// power.
-
-#include "base/time/time.h"
-
-#pragma comment(lib, "winmm.lib")
-#include <windows.h>
-#include <mmsystem.h>
-#include <stdint.h>
-
-#include "base/bit_cast.h"
-#include "base/cpu.h"
-#include "base/lazy_instance.h"
-#include "base/logging.h"
-#include "base/synchronization/lock.h"
-
-using base::ThreadTicks;
-using base::Time;
-using base::TimeDelta;
-using base::TimeTicks;
-
-namespace {
-
-// From MSDN, FILETIME "Contains a 64-bit value representing the number of
-// 100-nanosecond intervals since January 1, 1601 (UTC)."
-int64_t FileTimeToMicroseconds(const FILETIME& ft) {
- // Need to bit_cast to fix alignment, then divide by 10 to convert
- // 100-nanoseconds to microseconds. This only works on little-endian
- // machines.
- return bit_cast<int64_t, FILETIME>(ft) / 10;
-}
-
-void MicrosecondsToFileTime(int64_t us, FILETIME* ft) {
- DCHECK_GE(us, 0LL) << "Time is less than 0, negative values are not "
- "representable in FILETIME";
-
- // Multiply by 10 to convert microseconds to 100-nanoseconds. Bit_cast will
- // handle alignment problems. This only works on little-endian machines.
- *ft = bit_cast<FILETIME, int64_t>(us * 10);
-}
-
-int64_t CurrentWallclockMicroseconds() {
- FILETIME ft;
- ::GetSystemTimeAsFileTime(&ft);
- return FileTimeToMicroseconds(ft);
-}
-
-// Time between resampling the un-granular clock for this API. 60 seconds.
-const int kMaxMillisecondsToAvoidDrift = 60 * Time::kMillisecondsPerSecond;
-
-int64_t initial_time = 0;
-TimeTicks initial_ticks;
-
-void InitializeClock() {
- initial_ticks = TimeTicks::Now();
- initial_time = CurrentWallclockMicroseconds();
-}
-
-// The two values that ActivateHighResolutionTimer uses to set the systemwide
-// timer interrupt frequency on Windows. It controls how precise timers are
-// but also has a big impact on battery life.
-const int kMinTimerIntervalHighResMs = 1;
-const int kMinTimerIntervalLowResMs = 4;
-// Track if kMinTimerIntervalHighResMs or kMinTimerIntervalLowResMs is active.
-bool g_high_res_timer_enabled = false;
-// How many times the high resolution timer has been called.
-uint32_t g_high_res_timer_count = 0;
-// The lock to control access to the above two variables.
-base::LazyInstance<base::Lock>::Leaky g_high_res_lock =
- LAZY_INSTANCE_INITIALIZER;
-
-// Returns a pointer to the QueryThreadCycleTime() function from Windows.
-// Can't statically link to it because it is not available on XP.
-using QueryThreadCycleTimePtr = decltype(::QueryThreadCycleTime)*;
-QueryThreadCycleTimePtr GetQueryThreadCycleTimeFunction() {
- static const QueryThreadCycleTimePtr query_thread_cycle_time_fn =
- reinterpret_cast<QueryThreadCycleTimePtr>(::GetProcAddress(
- ::GetModuleHandle(L"kernel32.dll"), "QueryThreadCycleTime"));
- return query_thread_cycle_time_fn;
-}
-
-// Returns the current value of the performance counter.
-uint64_t QPCNowRaw() {
- LARGE_INTEGER perf_counter_now = {};
- // According to the MSDN documentation for QueryPerformanceCounter(), this
- // will never fail on systems that run XP or later.
- // https://msdn.microsoft.com/library/windows/desktop/ms644904.aspx
- ::QueryPerformanceCounter(&perf_counter_now);
- return perf_counter_now.QuadPart;
-}
-
-} // namespace
-
-// Time -----------------------------------------------------------------------
-
-// The internal representation of Time uses FILETIME, whose epoch is 1601-01-01
-// 00:00:00 UTC. ((1970-1601)*365+89)*24*60*60*1000*1000, where 89 is the
-// number of leap year days between 1601 and 1970: (1970-1601)/4 excluding
-// 1700, 1800, and 1900.
-// static
-const int64_t Time::kTimeTToMicrosecondsOffset = INT64_C(11644473600000000);
-
-// static
-Time Time::Now() {
- if (initial_time == 0)
- InitializeClock();
-
- // We implement time using the high-resolution timers so that we can get
- // timeouts which are smaller than 10-15ms. If we just used
- // CurrentWallclockMicroseconds(), we'd have the less-granular timer.
- //
- // To make this work, we initialize the clock (initial_time) and the
- // counter (initial_ctr). To compute the initial time, we can check
- // the number of ticks that have elapsed, and compute the delta.
- //
- // To avoid any drift, we periodically resync the counters to the system
- // clock.
- while (true) {
- TimeTicks ticks = TimeTicks::Now();
-
- // Calculate the time elapsed since we started our timer
- TimeDelta elapsed = ticks - initial_ticks;
-
- // Check if enough time has elapsed that we need to resync the clock.
- if (elapsed.InMilliseconds() > kMaxMillisecondsToAvoidDrift) {
- InitializeClock();
- continue;
- }
-
- return Time(elapsed + Time(initial_time));
- }
-}
-
-// static
-Time Time::NowFromSystemTime() {
- // Force resync.
- InitializeClock();
- return Time(initial_time);
-}
-
-// static
-Time Time::FromFileTime(FILETIME ft) {
- if (bit_cast<int64_t, FILETIME>(ft) == 0)
- return Time();
- if (ft.dwHighDateTime == std::numeric_limits<DWORD>::max() &&
- ft.dwLowDateTime == std::numeric_limits<DWORD>::max())
- return Max();
- return Time(FileTimeToMicroseconds(ft));
-}
-
-FILETIME Time::ToFileTime() const {
- if (is_null())
- return bit_cast<FILETIME, int64_t>(0);
- if (is_max()) {
- FILETIME result;
- result.dwHighDateTime = std::numeric_limits<DWORD>::max();
- result.dwLowDateTime = std::numeric_limits<DWORD>::max();
- return result;
- }
- FILETIME utc_ft;
- MicrosecondsToFileTime(us_, &utc_ft);
- return utc_ft;
-}
-
-// static
-void Time::EnableHighResolutionTimer(bool enable) {
- base::AutoLock lock(g_high_res_lock.Get());
- if (g_high_res_timer_enabled == enable)
- return;
- g_high_res_timer_enabled = enable;
- if (!g_high_res_timer_count)
- return;
- // Since g_high_res_timer_count != 0, an ActivateHighResolutionTimer(true)
- // was called which called timeBeginPeriod with g_high_res_timer_enabled
- // with a value which is the opposite of |enable|. With that information we
- // call timeEndPeriod with the same value used in timeBeginPeriod and
- // therefore undo the period effect.
- if (enable) {
- timeEndPeriod(kMinTimerIntervalLowResMs);
- timeBeginPeriod(kMinTimerIntervalHighResMs);
- } else {
- timeEndPeriod(kMinTimerIntervalHighResMs);
- timeBeginPeriod(kMinTimerIntervalLowResMs);
- }
-}
-
-// static
-bool Time::ActivateHighResolutionTimer(bool activating) {
- // We only do work on the transition from zero to one or one to zero so we
- // can easily undo the effect (if necessary) when EnableHighResolutionTimer is
- // called.
- const uint32_t max = std::numeric_limits<uint32_t>::max();
-
- base::AutoLock lock(g_high_res_lock.Get());
- UINT period = g_high_res_timer_enabled ? kMinTimerIntervalHighResMs
- : kMinTimerIntervalLowResMs;
- if (activating) {
- DCHECK_NE(g_high_res_timer_count, max);
- ++g_high_res_timer_count;
- if (g_high_res_timer_count == 1)
- timeBeginPeriod(period);
- } else {
- DCHECK_NE(g_high_res_timer_count, 0u);
- --g_high_res_timer_count;
- if (g_high_res_timer_count == 0)
- timeEndPeriod(period);
- }
- return (period == kMinTimerIntervalHighResMs);
-}
-
-// static
-bool Time::IsHighResolutionTimerInUse() {
- base::AutoLock lock(g_high_res_lock.Get());
- return g_high_res_timer_enabled && g_high_res_timer_count > 0;
-}
-
-// static
-Time Time::FromExploded(bool is_local, const Exploded& exploded) {
- // Create the system struct representing our exploded time. It will either be
- // in local time or UTC.
- SYSTEMTIME st;
- st.wYear = static_cast<WORD>(exploded.year);
- st.wMonth = static_cast<WORD>(exploded.month);
- st.wDayOfWeek = static_cast<WORD>(exploded.day_of_week);
- st.wDay = static_cast<WORD>(exploded.day_of_month);
- st.wHour = static_cast<WORD>(exploded.hour);
- st.wMinute = static_cast<WORD>(exploded.minute);
- st.wSecond = static_cast<WORD>(exploded.second);
- st.wMilliseconds = static_cast<WORD>(exploded.millisecond);
-
- FILETIME ft;
- bool success = true;
- // Ensure that it's in UTC.
- if (is_local) {
- SYSTEMTIME utc_st;
- success = TzSpecificLocalTimeToSystemTime(NULL, &st, &utc_st) &&
- SystemTimeToFileTime(&utc_st, &ft);
- } else {
- success = !!SystemTimeToFileTime(&st, &ft);
- }
-
- if (!success) {
- NOTREACHED() << "Unable to convert time";
- return Time(0);
- }
- return Time(FileTimeToMicroseconds(ft));
-}
-
-void Time::Explode(bool is_local, Exploded* exploded) const {
- if (us_ < 0LL) {
- // We are not able to convert it to FILETIME.
- ZeroMemory(exploded, sizeof(*exploded));
- return;
- }
-
- // FILETIME in UTC.
- FILETIME utc_ft;
- MicrosecondsToFileTime(us_, &utc_ft);
-
- // FILETIME in local time if necessary.
- bool success = true;
- // FILETIME in SYSTEMTIME (exploded).
- SYSTEMTIME st = {0};
- if (is_local) {
- SYSTEMTIME utc_st;
- // We don't use FileTimeToLocalFileTime here, since it uses the current
- // settings for the time zone and daylight saving time. Therefore, if it is
- // daylight saving time, it will take daylight saving time into account,
- // even if the time you are converting is in standard time.
- success = FileTimeToSystemTime(&utc_ft, &utc_st) &&
- SystemTimeToTzSpecificLocalTime(NULL, &utc_st, &st);
- } else {
- success = !!FileTimeToSystemTime(&utc_ft, &st);
- }
-
- if (!success) {
- NOTREACHED() << "Unable to convert time, don't know why";
- ZeroMemory(exploded, sizeof(*exploded));
- return;
- }
-
- exploded->year = st.wYear;
- exploded->month = st.wMonth;
- exploded->day_of_week = st.wDayOfWeek;
- exploded->day_of_month = st.wDay;
- exploded->hour = st.wHour;
- exploded->minute = st.wMinute;
- exploded->second = st.wSecond;
- exploded->millisecond = st.wMilliseconds;
-}
-
-// TimeTicks ------------------------------------------------------------------
-namespace {
-
-// We define a wrapper to adapt between the __stdcall and __cdecl call of the
-// mock function, and to avoid a static constructor. Assigning an import to a
-// function pointer directly would require setup code to fetch from the IAT.
-DWORD timeGetTimeWrapper() {
- return timeGetTime();
-}
-
-DWORD (*g_tick_function)(void) = &timeGetTimeWrapper;
-
-// Accumulation of time lost due to rollover (in milliseconds).
-int64_t g_rollover_ms = 0;
-
-// The last timeGetTime value we saw, to detect rollover.
-DWORD g_last_seen_now = 0;
-
-// Lock protecting rollover_ms and last_seen_now.
-// Note: this is a global object, and we usually avoid these. However, the time
-// code is low-level, and we don't want to use Singletons here (it would be too
-// easy to use a Singleton without even knowing it, and that may lead to many
-// gotchas). Its impact on startup time should be negligible due to low-level
-// nature of time code.
-base::Lock g_rollover_lock;
-
-// We use timeGetTime() to implement TimeTicks::Now(). This can be problematic
-// because it returns the number of milliseconds since Windows has started,
-// which will roll over the 32-bit value every ~49 days. We try to track
-// rollover ourselves, which works if TimeTicks::Now() is called at least every
-// 49 days.
-TimeDelta RolloverProtectedNow() {
- base::AutoLock locked(g_rollover_lock);
- // We should hold the lock while calling tick_function to make sure that
- // we keep last_seen_now stay correctly in sync.
- DWORD now = g_tick_function();
- if (now < g_last_seen_now)
- g_rollover_ms += 0x100000000I64; // ~49.7 days.
- g_last_seen_now = now;
- return TimeDelta::FromMilliseconds(now + g_rollover_ms);
-}
-
-// Discussion of tick counter options on Windows:
-//
-// (1) CPU cycle counter. (Retrieved via RDTSC)
-// The CPU counter provides the highest resolution time stamp and is the least
-// expensive to retrieve. However, on older CPUs, two issues can affect its
-// reliability: First it is maintained per processor and not synchronized
-// between processors. Also, the counters will change frequency due to thermal
-// and power changes, and stop in some states.
-//
-// (2) QueryPerformanceCounter (QPC). The QPC counter provides a high-
-// resolution (<1 microsecond) time stamp. On most hardware running today, it
-// auto-detects and uses the constant-rate RDTSC counter to provide extremely
-// efficient and reliable time stamps.
-//
-// On older CPUs where RDTSC is unreliable, it falls back to using more
-// expensive (20X to 40X more costly) alternate clocks, such as HPET or the ACPI
-// PM timer, and can involve system calls; and all this is up to the HAL (with
-// some help from ACPI). According to
-// http://blogs.msdn.com/oldnewthing/archive/2005/09/02/459952.aspx, in the
-// worst case, it gets the counter from the rollover interrupt on the
-// programmable interrupt timer. In best cases, the HAL may conclude that the
-// RDTSC counter runs at a constant frequency, then it uses that instead. On
-// multiprocessor machines, it will try to verify the values returned from
-// RDTSC on each processor are consistent with each other, and apply a handful
-// of workarounds for known buggy hardware. In other words, QPC is supposed to
-// give consistent results on a multiprocessor computer, but for older CPUs it
-// can be unreliable due bugs in BIOS or HAL.
-//
-// (3) System time. The system time provides a low-resolution (from ~1 to ~15.6
-// milliseconds) time stamp but is comparatively less expensive to retrieve and
-// more reliable. Time::EnableHighResolutionTimer() and
-// Time::ActivateHighResolutionTimer() can be called to alter the resolution of
-// this timer; and also other Windows applications can alter it, affecting this
-// one.
-
-using NowFunction = TimeDelta (*)(void);
-
-TimeDelta InitialNowFunction();
-
-// See "threading notes" in InitializeNowFunctionPointer() for details on how
-// concurrent reads/writes to these globals has been made safe.
-NowFunction g_now_function = &InitialNowFunction;
-int64_t g_qpc_ticks_per_second = 0;
-
-// As of January 2015, use of <atomic> is forbidden in Chromium code. This is
-// what std::atomic_thread_fence does on Windows on all Intel architectures when
-// the memory_order argument is anything but std::memory_order_seq_cst:
-#define ATOMIC_THREAD_FENCE(memory_order) _ReadWriteBarrier();
-
-TimeDelta QPCValueToTimeDelta(LONGLONG qpc_value) {
- // Ensure that the assignment to |g_qpc_ticks_per_second|, made in
- // InitializeNowFunctionPointer(), has happened by this point.
- ATOMIC_THREAD_FENCE(memory_order_acquire);
-
- DCHECK_GT(g_qpc_ticks_per_second, 0);
-
- // If the QPC Value is below the overflow threshold, we proceed with
- // simple multiply and divide.
- if (qpc_value < Time::kQPCOverflowThreshold) {
- return TimeDelta::FromMicroseconds(
- qpc_value * Time::kMicrosecondsPerSecond / g_qpc_ticks_per_second);
- }
- // Otherwise, calculate microseconds in a round about manner to avoid
- // overflow and precision issues.
- int64_t whole_seconds = qpc_value / g_qpc_ticks_per_second;
- int64_t leftover_ticks = qpc_value - (whole_seconds * g_qpc_ticks_per_second);
- return TimeDelta::FromMicroseconds(
- (whole_seconds * Time::kMicrosecondsPerSecond) +
- ((leftover_ticks * Time::kMicrosecondsPerSecond) /
- g_qpc_ticks_per_second));
-}
-
-TimeDelta QPCNow() {
- return QPCValueToTimeDelta(QPCNowRaw());
-}
-
-bool IsBuggyAthlon(const base::CPU& cpu) {
- // On Athlon X2 CPUs (e.g. model 15) QueryPerformanceCounter is unreliable.
- return cpu.vendor_name() == "AuthenticAMD" && cpu.family() == 15;
-}
-
-void InitializeNowFunctionPointer() {
- LARGE_INTEGER ticks_per_sec = {};
- if (!QueryPerformanceFrequency(&ticks_per_sec))
- ticks_per_sec.QuadPart = 0;
-
- // If Windows cannot provide a QPC implementation, TimeTicks::Now() must use
- // the low-resolution clock.
- //
- // If the QPC implementation is expensive and/or unreliable, TimeTicks::Now()
- // will still use the low-resolution clock. A CPU lacking a non-stop time
- // counter will cause Windows to provide an alternate QPC implementation that
- // works, but is expensive to use. Certain Athlon CPUs are known to make the
- // QPC implementation unreliable.
- //
- // Otherwise, Now uses the high-resolution QPC clock. As of 21 August 2015,
- // ~72% of users fall within this category.
- NowFunction now_function;
- base::CPU cpu;
- if (ticks_per_sec.QuadPart <= 0 ||
- !cpu.has_non_stop_time_stamp_counter() || IsBuggyAthlon(cpu)) {
- now_function = &RolloverProtectedNow;
- } else {
- now_function = &QPCNow;
- }
-
- // Threading note 1: In an unlikely race condition, it's possible for two or
- // more threads to enter InitializeNowFunctionPointer() in parallel. This is
- // not a problem since all threads should end up writing out the same values
- // to the global variables.
- //
- // Threading note 2: A release fence is placed here to ensure, from the
- // perspective of other threads using the function pointers, that the
- // assignment to |g_qpc_ticks_per_second| happens before the function pointers
- // are changed.
- g_qpc_ticks_per_second = ticks_per_sec.QuadPart;
- ATOMIC_THREAD_FENCE(memory_order_release);
- g_now_function = now_function;
-}
-
-TimeDelta InitialNowFunction() {
- InitializeNowFunctionPointer();
- return g_now_function();
-}
-
-} // namespace
-
-// static
-TimeTicks::TickFunctionType TimeTicks::SetMockTickFunction(
- TickFunctionType ticker) {
- base::AutoLock locked(g_rollover_lock);
- TickFunctionType old = g_tick_function;
- g_tick_function = ticker;
- g_rollover_ms = 0;
- g_last_seen_now = 0;
- return old;
-}
-
-// static
-TimeTicks TimeTicks::Now() {
- return TimeTicks() + g_now_function();
-}
-
-// static
-bool TimeTicks::IsHighResolution() {
- if (g_now_function == &InitialNowFunction)
- InitializeNowFunctionPointer();
- return g_now_function == &QPCNow;
-}
-
-// static
-ThreadTicks ThreadTicks::Now() {
- DCHECK(IsSupported());
-
- // Get the number of TSC ticks used by the current thread.
- ULONG64 thread_cycle_time = 0;
- GetQueryThreadCycleTimeFunction()(::GetCurrentThread(), &thread_cycle_time);
-
- // Get the frequency of the TSC.
- double tsc_ticks_per_second = TSCTicksPerSecond();
- if (tsc_ticks_per_second == 0)
- return ThreadTicks();
-
- // Return the CPU time of the current thread.
- double thread_time_seconds = thread_cycle_time / tsc_ticks_per_second;
- return ThreadTicks(
- static_cast<int64_t>(thread_time_seconds * Time::kMicrosecondsPerSecond));
-}
-
-// static
-bool ThreadTicks::IsSupportedWin() {
- static bool is_supported = GetQueryThreadCycleTimeFunction() &&
- base::CPU().has_non_stop_time_stamp_counter() &&
- !IsBuggyAthlon(base::CPU());
- return is_supported;
-}
-
-// static
-void ThreadTicks::WaitUntilInitializedWin() {
- while (TSCTicksPerSecond() == 0)
- ::Sleep(10);
-}
-
-double ThreadTicks::TSCTicksPerSecond() {
- DCHECK(IsSupported());
-
- // The value returned by QueryPerformanceFrequency() cannot be used as the TSC
- // frequency, because there is no guarantee that the TSC frequency is equal to
- // the performance counter frequency.
-
- // The TSC frequency is cached in a static variable because it takes some time
- // to compute it.
- static double tsc_ticks_per_second = 0;
- if (tsc_ticks_per_second != 0)
- return tsc_ticks_per_second;
-
- // Increase the thread priority to reduces the chances of having a context
- // switch during a reading of the TSC and the performance counter.
- int previous_priority = ::GetThreadPriority(::GetCurrentThread());
- ::SetThreadPriority(::GetCurrentThread(), THREAD_PRIORITY_HIGHEST);
-
- // The first time that this function is called, make an initial reading of the
- // TSC and the performance counter.
- static const uint64_t tsc_initial = __rdtsc();
- static const uint64_t perf_counter_initial = QPCNowRaw();
-
- // Make a another reading of the TSC and the performance counter every time
- // that this function is called.
- uint64_t tsc_now = __rdtsc();
- uint64_t perf_counter_now = QPCNowRaw();
-
- // Reset the thread priority.
- ::SetThreadPriority(::GetCurrentThread(), previous_priority);
-
- // Make sure that at least 50 ms elapsed between the 2 readings. The first
- // time that this function is called, we don't expect this to be the case.
- // Note: The longer the elapsed time between the 2 readings is, the more
- // accurate the computed TSC frequency will be. The 50 ms value was
- // chosen because local benchmarks show that it allows us to get a
- // stddev of less than 1 tick/us between multiple runs.
- // Note: According to the MSDN documentation for QueryPerformanceFrequency(),
- // this will never fail on systems that run XP or later.
- // https://msdn.microsoft.com/library/windows/desktop/ms644905.aspx
- LARGE_INTEGER perf_counter_frequency = {};
- ::QueryPerformanceFrequency(&perf_counter_frequency);
- DCHECK_GE(perf_counter_now, perf_counter_initial);
- uint64_t perf_counter_ticks = perf_counter_now - perf_counter_initial;
- double elapsed_time_seconds =
- perf_counter_ticks / static_cast<double>(perf_counter_frequency.QuadPart);
-
- const double kMinimumEvaluationPeriodSeconds = 0.05;
- if (elapsed_time_seconds < kMinimumEvaluationPeriodSeconds)
- return 0;
-
- // Compute the frequency of the TSC.
- DCHECK_GE(tsc_now, tsc_initial);
- uint64_t tsc_ticks = tsc_now - tsc_initial;
- tsc_ticks_per_second = tsc_ticks / elapsed_time_seconds;
-
- return tsc_ticks_per_second;
-}
-
-// static
-TimeTicks TimeTicks::FromQPCValue(LONGLONG qpc_value) {
- return TimeTicks() + QPCValueToTimeDelta(qpc_value);
-}
-
-// TimeDelta ------------------------------------------------------------------
-
-// static
-TimeDelta TimeDelta::FromQPCValue(LONGLONG qpc_value) {
- return QPCValueToTimeDelta(qpc_value);
-}
diff --git a/security/sandbox/chromium/base/tuple.h b/security/sandbox/chromium/base/tuple.h
deleted file mode 100644
index e5872cc4f..000000000
--- a/security/sandbox/chromium/base/tuple.h
+++ /dev/null
@@ -1,306 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// A Tuple is a generic templatized container, similar in concept to std::pair
-// and std::tuple. The convenient MakeTuple() function takes any number of
-// arguments and will construct and return the appropriate Tuple object. The
-// functions DispatchToMethod and DispatchToFunction take a function pointer or
-// instance and method pointer, and unpack a tuple into arguments to the call.
-//
-// Tuple elements are copied by value, and stored in the tuple. See the unit
-// tests for more details of how/when the values are copied.
-//
-// Example usage:
-// // These two methods of creating a Tuple are identical.
-// Tuple<int, const char*> tuple_a(1, "wee");
-// Tuple<int, const char*> tuple_b = MakeTuple(1, "wee");
-//
-// void SomeFunc(int a, const char* b) { }
-// DispatchToFunction(&SomeFunc, tuple_a); // SomeFunc(1, "wee")
-// DispatchToFunction(
-// &SomeFunc, MakeTuple(10, "foo")); // SomeFunc(10, "foo")
-//
-// struct { void SomeMeth(int a, int b, int c) { } } foo;
-// DispatchToMethod(&foo, &Foo::SomeMeth, MakeTuple(1, 2, 3));
-// // foo->SomeMeth(1, 2, 3);
-
-#ifndef BASE_TUPLE_H_
-#define BASE_TUPLE_H_
-
-#include <stddef.h>
-
-#include "base/bind_helpers.h"
-#include "build/build_config.h"
-
-namespace base {
-
-// Index sequences
-//
-// Minimal clone of the similarly-named C++14 functionality.
-
-template <size_t...>
-struct IndexSequence {};
-
-template <size_t... Ns>
-struct MakeIndexSequenceImpl;
-
-#if defined(_PREFAST_) && defined(OS_WIN)
-
-// Work around VC++ 2013 /analyze internal compiler error:
-// https://connect.microsoft.com/VisualStudio/feedback/details/1053626
-
-template <> struct MakeIndexSequenceImpl<0> {
- using Type = IndexSequence<>;
-};
-template <> struct MakeIndexSequenceImpl<1> {
- using Type = IndexSequence<0>;
-};
-template <> struct MakeIndexSequenceImpl<2> {
- using Type = IndexSequence<0,1>;
-};
-template <> struct MakeIndexSequenceImpl<3> {
- using Type = IndexSequence<0,1,2>;
-};
-template <> struct MakeIndexSequenceImpl<4> {
- using Type = IndexSequence<0,1,2,3>;
-};
-template <> struct MakeIndexSequenceImpl<5> {
- using Type = IndexSequence<0,1,2,3,4>;
-};
-template <> struct MakeIndexSequenceImpl<6> {
- using Type = IndexSequence<0,1,2,3,4,5>;
-};
-template <> struct MakeIndexSequenceImpl<7> {
- using Type = IndexSequence<0,1,2,3,4,5,6>;
-};
-template <> struct MakeIndexSequenceImpl<8> {
- using Type = IndexSequence<0,1,2,3,4,5,6,7>;
-};
-template <> struct MakeIndexSequenceImpl<9> {
- using Type = IndexSequence<0,1,2,3,4,5,6,7,8>;
-};
-template <> struct MakeIndexSequenceImpl<10> {
- using Type = IndexSequence<0,1,2,3,4,5,6,7,8,9>;
-};
-template <> struct MakeIndexSequenceImpl<11> {
- using Type = IndexSequence<0,1,2,3,4,5,6,7,8,9,10>;
-};
-template <> struct MakeIndexSequenceImpl<12> {
- using Type = IndexSequence<0,1,2,3,4,5,6,7,8,9,10,11>;
-};
-template <> struct MakeIndexSequenceImpl<13> {
- using Type = IndexSequence<0,1,2,3,4,5,6,7,8,9,10,11,12>;
-};
-
-#else // defined(WIN) && defined(_PREFAST_)
-
-template <size_t... Ns>
-struct MakeIndexSequenceImpl<0, Ns...> {
- using Type = IndexSequence<Ns...>;
-};
-
-template <size_t N, size_t... Ns>
-struct MakeIndexSequenceImpl<N, Ns...>
- : MakeIndexSequenceImpl<N - 1, N - 1, Ns...> {};
-
-#endif // defined(WIN) && defined(_PREFAST_)
-
-template <size_t N>
-using MakeIndexSequence = typename MakeIndexSequenceImpl<N>::Type;
-
-// Traits ----------------------------------------------------------------------
-//
-// A simple traits class for tuple arguments.
-//
-// ValueType: the bare, nonref version of a type (same as the type for nonrefs).
-// RefType: the ref version of a type (same as the type for refs).
-// ParamType: what type to pass to functions (refs should not be constified).
-
-template <class P>
-struct TupleTraits {
- typedef P ValueType;
- typedef P& RefType;
- typedef const P& ParamType;
-};
-
-template <class P>
-struct TupleTraits<P&> {
- typedef P ValueType;
- typedef P& RefType;
- typedef P& ParamType;
-};
-
-// Tuple -----------------------------------------------------------------------
-//
-// This set of classes is useful for bundling 0 or more heterogeneous data types
-// into a single variable. The advantage of this is that it greatly simplifies
-// function objects that need to take an arbitrary number of parameters; see
-// RunnableMethod and IPC::MessageWithTuple.
-//
-// Tuple<> is supplied to act as a 'void' type. It can be used, for example,
-// when dispatching to a function that accepts no arguments (see the
-// Dispatchers below).
-// Tuple<A> is rarely useful. One such use is when A is non-const ref that you
-// want filled by the dispatchee, and the tuple is merely a container for that
-// output (a "tier"). See MakeRefTuple and its usages.
-
-template <typename IxSeq, typename... Ts>
-struct TupleBaseImpl;
-template <typename... Ts>
-using TupleBase = TupleBaseImpl<MakeIndexSequence<sizeof...(Ts)>, Ts...>;
-template <size_t N, typename T>
-struct TupleLeaf;
-
-template <typename... Ts>
-struct Tuple final : TupleBase<Ts...> {
- Tuple() : TupleBase<Ts...>() {}
- explicit Tuple(typename TupleTraits<Ts>::ParamType... args)
- : TupleBase<Ts...>(args...) {}
-};
-
-// Avoids ambiguity between Tuple's two constructors.
-template <>
-struct Tuple<> final {};
-
-template <size_t... Ns, typename... Ts>
-struct TupleBaseImpl<IndexSequence<Ns...>, Ts...> : TupleLeaf<Ns, Ts>... {
- TupleBaseImpl() : TupleLeaf<Ns, Ts>()... {}
- explicit TupleBaseImpl(typename TupleTraits<Ts>::ParamType... args)
- : TupleLeaf<Ns, Ts>(args)... {}
-};
-
-template <size_t N, typename T>
-struct TupleLeaf {
- TupleLeaf() {}
- explicit TupleLeaf(typename TupleTraits<T>::ParamType x) : x(x) {}
-
- T& get() { return x; }
- const T& get() const { return x; }
-
- T x;
-};
-
-// Tuple getters --------------------------------------------------------------
-//
-// Allows accessing an arbitrary tuple element by index.
-//
-// Example usage:
-// base::Tuple<int, double> t2;
-// base::get<0>(t2) = 42;
-// base::get<1>(t2) = 3.14;
-
-template <size_t I, typename T>
-T& get(TupleLeaf<I, T>& leaf) {
- return leaf.get();
-}
-
-template <size_t I, typename T>
-const T& get(const TupleLeaf<I, T>& leaf) {
- return leaf.get();
-}
-
-// Tuple types ----------------------------------------------------------------
-//
-// Allows for selection of ValueTuple/RefTuple/ParamTuple without needing the
-// definitions of class types the tuple takes as parameters.
-
-template <typename T>
-struct TupleTypes;
-
-template <typename... Ts>
-struct TupleTypes<Tuple<Ts...>> {
- using ValueTuple = Tuple<typename TupleTraits<Ts>::ValueType...>;
- using RefTuple = Tuple<typename TupleTraits<Ts>::RefType...>;
- using ParamTuple = Tuple<typename TupleTraits<Ts>::ParamType...>;
-};
-
-// Tuple creators -------------------------------------------------------------
-//
-// Helper functions for constructing tuples while inferring the template
-// argument types.
-
-template <typename... Ts>
-inline Tuple<Ts...> MakeTuple(const Ts&... arg) {
- return Tuple<Ts...>(arg...);
-}
-
-// The following set of helpers make what Boost refers to as "Tiers" - a tuple
-// of references.
-
-template <typename... Ts>
-inline Tuple<Ts&...> MakeRefTuple(Ts&... arg) {
- return Tuple<Ts&...>(arg...);
-}
-
-// Dispatchers ----------------------------------------------------------------
-//
-// Helper functions that call the given method on an object, with the unpacked
-// tuple arguments. Notice that they all have the same number of arguments,
-// so you need only write:
-// DispatchToMethod(object, &Object::method, args);
-// This is very useful for templated dispatchers, since they don't need to know
-// what type |args| is.
-
-// Non-Static Dispatchers with no out params.
-
-template <typename ObjT, typename Method, typename... Ts, size_t... Ns>
-inline void DispatchToMethodImpl(ObjT* obj,
- Method method,
- const Tuple<Ts...>& arg,
- IndexSequence<Ns...>) {
- (obj->*method)(base::internal::UnwrapTraits<Ts>::Unwrap(get<Ns>(arg))...);
-}
-
-template <typename ObjT, typename Method, typename... Ts>
-inline void DispatchToMethod(ObjT* obj,
- Method method,
- const Tuple<Ts...>& arg) {
- DispatchToMethodImpl(obj, method, arg, MakeIndexSequence<sizeof...(Ts)>());
-}
-
-// Static Dispatchers with no out params.
-
-template <typename Function, typename... Ts, size_t... Ns>
-inline void DispatchToFunctionImpl(Function function,
- const Tuple<Ts...>& arg,
- IndexSequence<Ns...>) {
- (*function)(base::internal::UnwrapTraits<Ts>::Unwrap(get<Ns>(arg))...);
-}
-
-template <typename Function, typename... Ts>
-inline void DispatchToFunction(Function function, const Tuple<Ts...>& arg) {
- DispatchToFunctionImpl(function, arg, MakeIndexSequence<sizeof...(Ts)>());
-}
-
-// Dispatchers with out parameters.
-
-template <typename ObjT,
- typename Method,
- typename... InTs,
- typename... OutTs,
- size_t... InNs,
- size_t... OutNs>
-inline void DispatchToMethodImpl(ObjT* obj,
- Method method,
- const Tuple<InTs...>& in,
- Tuple<OutTs...>* out,
- IndexSequence<InNs...>,
- IndexSequence<OutNs...>) {
- (obj->*method)(base::internal::UnwrapTraits<InTs>::Unwrap(get<InNs>(in))...,
- &get<OutNs>(*out)...);
-}
-
-template <typename ObjT, typename Method, typename... InTs, typename... OutTs>
-inline void DispatchToMethod(ObjT* obj,
- Method method,
- const Tuple<InTs...>& in,
- Tuple<OutTs...>* out) {
- DispatchToMethodImpl(obj, method, in, out,
- MakeIndexSequence<sizeof...(InTs)>(),
- MakeIndexSequence<sizeof...(OutTs)>());
-}
-
-} // namespace base
-
-#endif // BASE_TUPLE_H_
diff --git a/security/sandbox/chromium/base/values.h b/security/sandbox/chromium/base/values.h
deleted file mode 100644
index 07e5b6c83..000000000
--- a/security/sandbox/chromium/base/values.h
+++ /dev/null
@@ -1,567 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file specifies a recursive data storage class called Value intended for
-// storing settings and other persistable data.
-//
-// A Value represents something that can be stored in JSON or passed to/from
-// JavaScript. As such, it is NOT a generalized variant type, since only the
-// types supported by JavaScript/JSON are supported.
-//
-// IN PARTICULAR this means that there is no support for int64_t or unsigned
-// numbers. Writing JSON with such types would violate the spec. If you need
-// something like this, either use a double or make a string value containing
-// the number you want.
-
-#ifndef BASE_VALUES_H_
-#define BASE_VALUES_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <iosfwd>
-#include <map>
-#include <string>
-#include <utility>
-#include <vector>
-
-#include "base/base_export.h"
-#include "base/compiler_specific.h"
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/strings/string16.h"
-#include "base/strings/string_piece.h"
-
-namespace base {
-
-class BinaryValue;
-class DictionaryValue;
-class FundamentalValue;
-class ListValue;
-class StringValue;
-class Value;
-
-typedef std::vector<Value*> ValueVector;
-typedef std::map<std::string, Value*> ValueMap;
-
-// The Value class is the base class for Values. A Value can be instantiated
-// via the Create*Value() factory methods, or by directly creating instances of
-// the subclasses.
-//
-// See the file-level comment above for more information.
-class BASE_EXPORT Value {
- public:
- enum Type {
- TYPE_NULL = 0,
- TYPE_BOOLEAN,
- TYPE_INTEGER,
- TYPE_DOUBLE,
- TYPE_STRING,
- TYPE_BINARY,
- TYPE_DICTIONARY,
- TYPE_LIST
- // Note: Do not add more types. See the file-level comment above for why.
- };
-
- virtual ~Value();
-
- static scoped_ptr<Value> CreateNullValue();
-
- // Returns the type of the value stored by the current Value object.
- // Each type will be implemented by only one subclass of Value, so it's
- // safe to use the Type to determine whether you can cast from
- // Value* to (Implementing Class)*. Also, a Value object never changes
- // its type after construction.
- Type GetType() const { return type_; }
-
- // Returns true if the current object represents a given type.
- bool IsType(Type type) const { return type == type_; }
-
- // These methods allow the convenient retrieval of the contents of the Value.
- // If the current object can be converted into the given type, the value is
- // returned through the |out_value| parameter and true is returned;
- // otherwise, false is returned and |out_value| is unchanged.
- virtual bool GetAsBoolean(bool* out_value) const;
- virtual bool GetAsInteger(int* out_value) const;
- virtual bool GetAsDouble(double* out_value) const;
- virtual bool GetAsString(std::string* out_value) const;
- virtual bool GetAsString(string16* out_value) const;
- virtual bool GetAsString(const StringValue** out_value) const;
- virtual bool GetAsBinary(const BinaryValue** out_value) const;
- virtual bool GetAsList(ListValue** out_value);
- virtual bool GetAsList(const ListValue** out_value) const;
- virtual bool GetAsDictionary(DictionaryValue** out_value);
- virtual bool GetAsDictionary(const DictionaryValue** out_value) const;
- // Note: Do not add more types. See the file-level comment above for why.
-
- // This creates a deep copy of the entire Value tree, and returns a pointer
- // to the copy. The caller gets ownership of the copy, of course.
- //
- // Subclasses return their own type directly in their overrides;
- // this works because C++ supports covariant return types.
- virtual Value* DeepCopy() const;
- // Preferred version of DeepCopy. TODO(estade): remove the above.
- scoped_ptr<Value> CreateDeepCopy() const;
-
- // Compares if two Value objects have equal contents.
- virtual bool Equals(const Value* other) const;
-
- // Compares if two Value objects have equal contents. Can handle NULLs.
- // NULLs are considered equal but different from Value::CreateNullValue().
- static bool Equals(const Value* a, const Value* b);
-
- protected:
- // These aren't safe for end-users, but they are useful for subclasses.
- explicit Value(Type type);
- Value(const Value& that);
- Value& operator=(const Value& that);
-
- private:
- Type type_;
-};
-
-// FundamentalValue represents the simple fundamental types of values.
-class BASE_EXPORT FundamentalValue : public Value {
- public:
- explicit FundamentalValue(bool in_value);
- explicit FundamentalValue(int in_value);
- explicit FundamentalValue(double in_value);
- ~FundamentalValue() override;
-
- // Overridden from Value:
- bool GetAsBoolean(bool* out_value) const override;
- bool GetAsInteger(int* out_value) const override;
- // Values of both type TYPE_INTEGER and TYPE_DOUBLE can be obtained as
- // doubles.
- bool GetAsDouble(double* out_value) const override;
- FundamentalValue* DeepCopy() const override;
- bool Equals(const Value* other) const override;
-
- private:
- union {
- bool boolean_value_;
- int integer_value_;
- double double_value_;
- };
-};
-
-class BASE_EXPORT StringValue : public Value {
- public:
- // Initializes a StringValue with a UTF-8 narrow character string.
- explicit StringValue(const std::string& in_value);
-
- // Initializes a StringValue with a string16.
- explicit StringValue(const string16& in_value);
-
- ~StringValue() override;
-
- // Returns |value_| as a pointer or reference.
- std::string* GetString();
- const std::string& GetString() const;
-
- // Overridden from Value:
- bool GetAsString(std::string* out_value) const override;
- bool GetAsString(string16* out_value) const override;
- bool GetAsString(const StringValue** out_value) const override;
- StringValue* DeepCopy() const override;
- bool Equals(const Value* other) const override;
-
- private:
- std::string value_;
-};
-
-class BASE_EXPORT BinaryValue: public Value {
- public:
- // Creates a BinaryValue with a null buffer and size of 0.
- BinaryValue();
-
- // Creates a BinaryValue, taking ownership of the bytes pointed to by
- // |buffer|.
- BinaryValue(scoped_ptr<char[]> buffer, size_t size);
-
- ~BinaryValue() override;
-
- // For situations where you want to keep ownership of your buffer, this
- // factory method creates a new BinaryValue by copying the contents of the
- // buffer that's passed in.
- static BinaryValue* CreateWithCopiedBuffer(const char* buffer, size_t size);
-
- size_t GetSize() const { return size_; }
-
- // May return NULL.
- char* GetBuffer() { return buffer_.get(); }
- const char* GetBuffer() const { return buffer_.get(); }
-
- // Overridden from Value:
- bool GetAsBinary(const BinaryValue** out_value) const override;
- BinaryValue* DeepCopy() const override;
- bool Equals(const Value* other) const override;
-
- private:
- scoped_ptr<char[]> buffer_;
- size_t size_;
-
- DISALLOW_COPY_AND_ASSIGN(BinaryValue);
-};
-
-// DictionaryValue provides a key-value dictionary with (optional) "path"
-// parsing for recursive access; see the comment at the top of the file. Keys
-// are |std::string|s and should be UTF-8 encoded.
-class BASE_EXPORT DictionaryValue : public Value {
- public:
- // Returns |value| if it is a dictionary, nullptr otherwise.
- static scoped_ptr<DictionaryValue> From(scoped_ptr<Value> value);
-
- DictionaryValue();
- ~DictionaryValue() override;
-
- // Overridden from Value:
- bool GetAsDictionary(DictionaryValue** out_value) override;
- bool GetAsDictionary(const DictionaryValue** out_value) const override;
-
- // Returns true if the current dictionary has a value for the given key.
- bool HasKey(const std::string& key) const;
-
- // Returns the number of Values in this dictionary.
- size_t size() const { return dictionary_.size(); }
-
- // Returns whether the dictionary is empty.
- bool empty() const { return dictionary_.empty(); }
-
- // Clears any current contents of this dictionary.
- void Clear();
-
- // Sets the Value associated with the given path starting from this object.
- // A path has the form "<key>" or "<key>.<key>.[...]", where "." indexes
- // into the next DictionaryValue down. Obviously, "." can't be used
- // within a key, but there are no other restrictions on keys.
- // If the key at any step of the way doesn't exist, or exists but isn't
- // a DictionaryValue, a new DictionaryValue will be created and attached
- // to the path in that location. |in_value| must be non-null.
- void Set(const std::string& path, scoped_ptr<Value> in_value);
- // Deprecated version of the above. TODO(estade): remove.
- void Set(const std::string& path, Value* in_value);
-
- // Convenience forms of Set(). These methods will replace any existing
- // value at that path, even if it has a different type.
- void SetBoolean(const std::string& path, bool in_value);
- void SetInteger(const std::string& path, int in_value);
- void SetDouble(const std::string& path, double in_value);
- void SetString(const std::string& path, const std::string& in_value);
- void SetString(const std::string& path, const string16& in_value);
-
- // Like Set(), but without special treatment of '.'. This allows e.g. URLs to
- // be used as paths.
- void SetWithoutPathExpansion(const std::string& key,
- scoped_ptr<Value> in_value);
- // Deprecated version of the above. TODO(estade): remove.
- void SetWithoutPathExpansion(const std::string& key, Value* in_value);
-
- // Convenience forms of SetWithoutPathExpansion().
- void SetBooleanWithoutPathExpansion(const std::string& path, bool in_value);
- void SetIntegerWithoutPathExpansion(const std::string& path, int in_value);
- void SetDoubleWithoutPathExpansion(const std::string& path, double in_value);
- void SetStringWithoutPathExpansion(const std::string& path,
- const std::string& in_value);
- void SetStringWithoutPathExpansion(const std::string& path,
- const string16& in_value);
-
- // Gets the Value associated with the given path starting from this object.
- // A path has the form "<key>" or "<key>.<key>.[...]", where "." indexes
- // into the next DictionaryValue down. If the path can be resolved
- // successfully, the value for the last key in the path will be returned
- // through the |out_value| parameter, and the function will return true.
- // Otherwise, it will return false and |out_value| will be untouched.
- // Note that the dictionary always owns the value that's returned.
- // |out_value| is optional and will only be set if non-NULL.
- bool Get(StringPiece path, const Value** out_value) const;
- bool Get(StringPiece path, Value** out_value);
-
- // These are convenience forms of Get(). The value will be retrieved
- // and the return value will be true if the path is valid and the value at
- // the end of the path can be returned in the form specified.
- // |out_value| is optional and will only be set if non-NULL.
- bool GetBoolean(const std::string& path, bool* out_value) const;
- bool GetInteger(const std::string& path, int* out_value) const;
- // Values of both type TYPE_INTEGER and TYPE_DOUBLE can be obtained as
- // doubles.
- bool GetDouble(const std::string& path, double* out_value) const;
- bool GetString(const std::string& path, std::string* out_value) const;
- bool GetString(const std::string& path, string16* out_value) const;
- bool GetStringASCII(const std::string& path, std::string* out_value) const;
- bool GetBinary(const std::string& path, const BinaryValue** out_value) const;
- bool GetBinary(const std::string& path, BinaryValue** out_value);
- bool GetDictionary(StringPiece path,
- const DictionaryValue** out_value) const;
- bool GetDictionary(StringPiece path, DictionaryValue** out_value);
- bool GetList(const std::string& path, const ListValue** out_value) const;
- bool GetList(const std::string& path, ListValue** out_value);
-
- // Like Get(), but without special treatment of '.'. This allows e.g. URLs to
- // be used as paths.
- bool GetWithoutPathExpansion(const std::string& key,
- const Value** out_value) const;
- bool GetWithoutPathExpansion(const std::string& key, Value** out_value);
- bool GetBooleanWithoutPathExpansion(const std::string& key,
- bool* out_value) const;
- bool GetIntegerWithoutPathExpansion(const std::string& key,
- int* out_value) const;
- bool GetDoubleWithoutPathExpansion(const std::string& key,
- double* out_value) const;
- bool GetStringWithoutPathExpansion(const std::string& key,
- std::string* out_value) const;
- bool GetStringWithoutPathExpansion(const std::string& key,
- string16* out_value) const;
- bool GetDictionaryWithoutPathExpansion(
- const std::string& key,
- const DictionaryValue** out_value) const;
- bool GetDictionaryWithoutPathExpansion(const std::string& key,
- DictionaryValue** out_value);
- bool GetListWithoutPathExpansion(const std::string& key,
- const ListValue** out_value) const;
- bool GetListWithoutPathExpansion(const std::string& key,
- ListValue** out_value);
-
- // Removes the Value with the specified path from this dictionary (or one
- // of its child dictionaries, if the path is more than just a local key).
- // If |out_value| is non-NULL, the removed Value will be passed out via
- // |out_value|. If |out_value| is NULL, the removed value will be deleted.
- // This method returns true if |path| is a valid path; otherwise it will
- // return false and the DictionaryValue object will be unchanged.
- virtual bool Remove(const std::string& path, scoped_ptr<Value>* out_value);
-
- // Like Remove(), but without special treatment of '.'. This allows e.g. URLs
- // to be used as paths.
- virtual bool RemoveWithoutPathExpansion(const std::string& key,
- scoped_ptr<Value>* out_value);
-
- // Removes a path, clearing out all dictionaries on |path| that remain empty
- // after removing the value at |path|.
- virtual bool RemovePath(const std::string& path,
- scoped_ptr<Value>* out_value);
-
- // Makes a copy of |this| but doesn't include empty dictionaries and lists in
- // the copy. This never returns NULL, even if |this| itself is empty.
- scoped_ptr<DictionaryValue> DeepCopyWithoutEmptyChildren() const;
-
- // Merge |dictionary| into this dictionary. This is done recursively, i.e. any
- // sub-dictionaries will be merged as well. In case of key collisions, the
- // passed in dictionary takes precedence and data already present will be
- // replaced. Values within |dictionary| are deep-copied, so |dictionary| may
- // be freed any time after this call.
- void MergeDictionary(const DictionaryValue* dictionary);
-
- // Swaps contents with the |other| dictionary.
- virtual void Swap(DictionaryValue* other);
-
- // This class provides an iterator over both keys and values in the
- // dictionary. It can't be used to modify the dictionary.
- class BASE_EXPORT Iterator {
- public:
- explicit Iterator(const DictionaryValue& target);
- ~Iterator();
-
- bool IsAtEnd() const { return it_ == target_.dictionary_.end(); }
- void Advance() { ++it_; }
-
- const std::string& key() const { return it_->first; }
- const Value& value() const { return *it_->second; }
-
- private:
- const DictionaryValue& target_;
- ValueMap::const_iterator it_;
- };
-
- // Overridden from Value:
- DictionaryValue* DeepCopy() const override;
- // Preferred version of DeepCopy. TODO(estade): remove the above.
- scoped_ptr<DictionaryValue> CreateDeepCopy() const;
- bool Equals(const Value* other) const override;
-
- private:
- ValueMap dictionary_;
-
- DISALLOW_COPY_AND_ASSIGN(DictionaryValue);
-};
-
-// This type of Value represents a list of other Value values.
-class BASE_EXPORT ListValue : public Value {
- public:
- typedef ValueVector::iterator iterator;
- typedef ValueVector::const_iterator const_iterator;
-
- // Returns |value| if it is a list, nullptr otherwise.
- static scoped_ptr<ListValue> From(scoped_ptr<Value> value);
-
- ListValue();
- ~ListValue() override;
-
- // Clears the contents of this ListValue
- void Clear();
-
- // Returns the number of Values in this list.
- size_t GetSize() const { return list_.size(); }
-
- // Returns whether the list is empty.
- bool empty() const { return list_.empty(); }
-
- // Sets the list item at the given index to be the Value specified by
- // the value given. If the index beyond the current end of the list, null
- // Values will be used to pad out the list.
- // Returns true if successful, or false if the index was negative or
- // the value is a null pointer.
- bool Set(size_t index, Value* in_value);
- // Preferred version of the above. TODO(estade): remove the above.
- bool Set(size_t index, scoped_ptr<Value> in_value);
-
- // Gets the Value at the given index. Modifies |out_value| (and returns true)
- // only if the index falls within the current list range.
- // Note that the list always owns the Value passed out via |out_value|.
- // |out_value| is optional and will only be set if non-NULL.
- bool Get(size_t index, const Value** out_value) const;
- bool Get(size_t index, Value** out_value);
-
- // Convenience forms of Get(). Modifies |out_value| (and returns true)
- // only if the index is valid and the Value at that index can be returned
- // in the specified form.
- // |out_value| is optional and will only be set if non-NULL.
- bool GetBoolean(size_t index, bool* out_value) const;
- bool GetInteger(size_t index, int* out_value) const;
- // Values of both type TYPE_INTEGER and TYPE_DOUBLE can be obtained as
- // doubles.
- bool GetDouble(size_t index, double* out_value) const;
- bool GetString(size_t index, std::string* out_value) const;
- bool GetString(size_t index, string16* out_value) const;
- bool GetBinary(size_t index, const BinaryValue** out_value) const;
- bool GetBinary(size_t index, BinaryValue** out_value);
- bool GetDictionary(size_t index, const DictionaryValue** out_value) const;
- bool GetDictionary(size_t index, DictionaryValue** out_value);
- bool GetList(size_t index, const ListValue** out_value) const;
- bool GetList(size_t index, ListValue** out_value);
-
- // Removes the Value with the specified index from this list.
- // If |out_value| is non-NULL, the removed Value AND ITS OWNERSHIP will be
- // passed out via |out_value|. If |out_value| is NULL, the removed value will
- // be deleted. This method returns true if |index| is valid; otherwise
- // it will return false and the ListValue object will be unchanged.
- virtual bool Remove(size_t index, scoped_ptr<Value>* out_value);
-
- // Removes the first instance of |value| found in the list, if any, and
- // deletes it. |index| is the location where |value| was found. Returns false
- // if not found.
- bool Remove(const Value& value, size_t* index);
-
- // Removes the element at |iter|. If |out_value| is NULL, the value will be
- // deleted, otherwise ownership of the value is passed back to the caller.
- // Returns an iterator pointing to the location of the element that
- // followed the erased element.
- iterator Erase(iterator iter, scoped_ptr<Value>* out_value);
-
- // Appends a Value to the end of the list.
- void Append(scoped_ptr<Value> in_value);
- // Deprecated version of the above. TODO(estade): remove.
- void Append(Value* in_value);
-
- // Convenience forms of Append.
- void AppendBoolean(bool in_value);
- void AppendInteger(int in_value);
- void AppendDouble(double in_value);
- void AppendString(const std::string& in_value);
- void AppendString(const string16& in_value);
- void AppendStrings(const std::vector<std::string>& in_values);
- void AppendStrings(const std::vector<string16>& in_values);
-
- // Appends a Value if it's not already present. Takes ownership of the
- // |in_value|. Returns true if successful, or false if the value was already
- // present. If the value was already present the |in_value| is deleted.
- bool AppendIfNotPresent(Value* in_value);
-
- // Insert a Value at index.
- // Returns true if successful, or false if the index was out of range.
- bool Insert(size_t index, Value* in_value);
-
- // Searches for the first instance of |value| in the list using the Equals
- // method of the Value type.
- // Returns a const_iterator to the found item or to end() if none exists.
- const_iterator Find(const Value& value) const;
-
- // Swaps contents with the |other| list.
- virtual void Swap(ListValue* other);
-
- // Iteration.
- iterator begin() { return list_.begin(); }
- iterator end() { return list_.end(); }
-
- const_iterator begin() const { return list_.begin(); }
- const_iterator end() const { return list_.end(); }
-
- // Overridden from Value:
- bool GetAsList(ListValue** out_value) override;
- bool GetAsList(const ListValue** out_value) const override;
- ListValue* DeepCopy() const override;
- bool Equals(const Value* other) const override;
-
- // Preferred version of DeepCopy. TODO(estade): remove DeepCopy.
- scoped_ptr<ListValue> CreateDeepCopy() const;
-
- private:
- ValueVector list_;
-
- DISALLOW_COPY_AND_ASSIGN(ListValue);
-};
-
-// This interface is implemented by classes that know how to serialize
-// Value objects.
-class BASE_EXPORT ValueSerializer {
- public:
- virtual ~ValueSerializer();
-
- virtual bool Serialize(const Value& root) = 0;
-};
-
-// This interface is implemented by classes that know how to deserialize Value
-// objects.
-class BASE_EXPORT ValueDeserializer {
- public:
- virtual ~ValueDeserializer();
-
- // This method deserializes the subclass-specific format into a Value object.
- // If the return value is non-NULL, the caller takes ownership of returned
- // Value. If the return value is NULL, and if error_code is non-NULL,
- // error_code will be set with the underlying error.
- // If |error_message| is non-null, it will be filled in with a formatted
- // error message including the location of the error if appropriate.
- virtual scoped_ptr<Value> Deserialize(int* error_code,
- std::string* error_str) = 0;
-};
-
-// Stream operator so Values can be used in assertion statements. In order that
-// gtest uses this operator to print readable output on test failures, we must
-// override each specific type. Otherwise, the default template implementation
-// is preferred over an upcast.
-BASE_EXPORT std::ostream& operator<<(std::ostream& out, const Value& value);
-
-BASE_EXPORT inline std::ostream& operator<<(std::ostream& out,
- const FundamentalValue& value) {
- return out << static_cast<const Value&>(value);
-}
-
-BASE_EXPORT inline std::ostream& operator<<(std::ostream& out,
- const StringValue& value) {
- return out << static_cast<const Value&>(value);
-}
-
-BASE_EXPORT inline std::ostream& operator<<(std::ostream& out,
- const DictionaryValue& value) {
- return out << static_cast<const Value&>(value);
-}
-
-BASE_EXPORT inline std::ostream& operator<<(std::ostream& out,
- const ListValue& value) {
- return out << static_cast<const Value&>(value);
-}
-
-} // namespace base
-
-#endif // BASE_VALUES_H_
diff --git a/security/sandbox/chromium/base/version.h b/security/sandbox/chromium/base/version.h
deleted file mode 100644
index 85c99a355..000000000
--- a/security/sandbox/chromium/base/version.h
+++ /dev/null
@@ -1,72 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_VERSION_H_
-#define BASE_VERSION_H_
-
-#include <stdint.h>
-#include <string>
-#include <vector>
-
-#include "base/base_export.h"
-
-namespace base {
-
-// Version represents a dotted version number, like "1.2.3.4", supporting
-// parsing and comparison.
-class BASE_EXPORT Version {
- public:
- // The only thing you can legally do to a default constructed
- // Version object is assign to it.
- Version();
-
- ~Version();
-
- // Initializes from a decimal dotted version number, like "0.1.1".
- // Each component is limited to a uint16_t. Call IsValid() to learn
- // the outcome.
- explicit Version(const std::string& version_str);
-
- // Returns true if the object contains a valid version number.
- bool IsValid() const;
-
- // Returns true if the version wildcard string is valid. The version wildcard
- // string may end with ".*" (e.g. 1.2.*, 1.*). Any other arrangement with "*"
- // is invalid (e.g. 1.*.3 or 1.2.3*). This functions defaults to standard
- // Version behavior (IsValid) if no wildcard is present.
- static bool IsValidWildcardString(const std::string& wildcard_string);
-
- // Commonly used pattern. Given a valid version object, compare if a
- // |version_str| results in a newer version. Returns true if the
- // string represents valid version and if the version is greater than
- // than the version of this object.
- bool IsOlderThan(const std::string& version_str) const;
-
- bool Equals(const Version& other) const;
-
- // Returns -1, 0, 1 for <, ==, >.
- int CompareTo(const Version& other) const;
-
- // Given a valid version object, compare if a |wildcard_string| results in a
- // newer version. This function will default to CompareTo if the string does
- // not end in wildcard sequence ".*". IsValidWildcard(wildcard_string) must be
- // true before using this function.
- int CompareToWildcardString(const std::string& wildcard_string) const;
-
- // Return the string representation of this version.
- const std::string GetString() const;
-
- const std::vector<uint32_t>& components() const { return components_; }
-
- private:
- std::vector<uint32_t> components_;
-};
-
-} // namespace base
-
-// TODO(xhwang) remove this when all users are updated to explicitly use the
-// namespace
-using base::Version;
-
-#endif // BASE_VERSION_H_
diff --git a/security/sandbox/chromium/base/win/pe_image.cc b/security/sandbox/chromium/base/win/pe_image.cc
deleted file mode 100644
index 4b5d62099..000000000
--- a/security/sandbox/chromium/base/win/pe_image.cc
+++ /dev/null
@@ -1,580 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file implements PEImage, a generic class to manipulate PE files.
-// This file was adapted from GreenBorder's Code.
-
-#include <stddef.h>
-
-#include "base/win/pe_image.h"
-
-namespace base {
-namespace win {
-
-// Structure to perform imports enumerations.
-struct EnumAllImportsStorage {
- PEImage::EnumImportsFunction callback;
- PVOID cookie;
-};
-
-namespace {
-
-// PdbInfo Signature
-const DWORD kPdbInfoSignature = 'SDSR';
-
-// Compare two strings byte by byte on an unsigned basis.
-// if s1 == s2, return 0
-// if s1 < s2, return negative
-// if s1 > s2, return positive
-// Exception if inputs are invalid.
-int StrCmpByByte(LPCSTR s1, LPCSTR s2) {
- while (*s1 != '\0' && *s1 == *s2) {
- ++s1;
- ++s2;
- }
-
- return (*reinterpret_cast<const unsigned char*>(s1) -
- *reinterpret_cast<const unsigned char*>(s2));
-}
-
-struct PdbInfo {
- DWORD Signature;
- GUID Guid;
- DWORD Age;
- char PdbFileName[1];
-};
-
-} // namespace
-
-// Callback used to enumerate imports. See EnumImportChunksFunction.
-bool ProcessImportChunk(const PEImage &image, LPCSTR module,
- PIMAGE_THUNK_DATA name_table,
- PIMAGE_THUNK_DATA iat, PVOID cookie) {
- EnumAllImportsStorage& storage =
- *reinterpret_cast<EnumAllImportsStorage*>(cookie);
-
- return image.EnumOneImportChunk(storage.callback, module, name_table, iat,
- storage.cookie);
-}
-
-// Callback used to enumerate delay imports. See EnumDelayImportChunksFunction.
-bool ProcessDelayImportChunk(const PEImage& image,
- PImgDelayDescr delay_descriptor,
- LPCSTR module,
- PIMAGE_THUNK_DATA name_table,
- PIMAGE_THUNK_DATA iat,
- PVOID cookie) {
- EnumAllImportsStorage& storage =
- *reinterpret_cast<EnumAllImportsStorage*>(cookie);
-
- return image.EnumOneDelayImportChunk(storage.callback, delay_descriptor,
- module, name_table, iat, storage.cookie);
-}
-
-void PEImage::set_module(HMODULE module) {
- module_ = module;
-}
-
-PIMAGE_DOS_HEADER PEImage::GetDosHeader() const {
- return reinterpret_cast<PIMAGE_DOS_HEADER>(module_);
-}
-
-PIMAGE_NT_HEADERS PEImage::GetNTHeaders() const {
- PIMAGE_DOS_HEADER dos_header = GetDosHeader();
-
- return reinterpret_cast<PIMAGE_NT_HEADERS>(
- reinterpret_cast<char*>(dos_header) + dos_header->e_lfanew);
-}
-
-PIMAGE_SECTION_HEADER PEImage::GetSectionHeader(UINT section) const {
- PIMAGE_NT_HEADERS nt_headers = GetNTHeaders();
- PIMAGE_SECTION_HEADER first_section = IMAGE_FIRST_SECTION(nt_headers);
-
- if (section < nt_headers->FileHeader.NumberOfSections)
- return first_section + section;
- else
- return NULL;
-}
-
-WORD PEImage::GetNumSections() const {
- return GetNTHeaders()->FileHeader.NumberOfSections;
-}
-
-DWORD PEImage::GetImageDirectoryEntrySize(UINT directory) const {
- PIMAGE_NT_HEADERS nt_headers = GetNTHeaders();
-
- return nt_headers->OptionalHeader.DataDirectory[directory].Size;
-}
-
-PVOID PEImage::GetImageDirectoryEntryAddr(UINT directory) const {
- PIMAGE_NT_HEADERS nt_headers = GetNTHeaders();
-
- return RVAToAddr(
- nt_headers->OptionalHeader.DataDirectory[directory].VirtualAddress);
-}
-
-PIMAGE_SECTION_HEADER PEImage::GetImageSectionFromAddr(PVOID address) const {
- PBYTE target = reinterpret_cast<PBYTE>(address);
- PIMAGE_SECTION_HEADER section;
-
- for (UINT i = 0; NULL != (section = GetSectionHeader(i)); i++) {
- // Don't use the virtual RVAToAddr.
- PBYTE start = reinterpret_cast<PBYTE>(
- PEImage::RVAToAddr(section->VirtualAddress));
-
- DWORD size = section->Misc.VirtualSize;
-
- if ((start <= target) && (start + size > target))
- return section;
- }
-
- return NULL;
-}
-
-PIMAGE_SECTION_HEADER PEImage::GetImageSectionHeaderByName(
- LPCSTR section_name) const {
- if (NULL == section_name)
- return NULL;
-
- PIMAGE_SECTION_HEADER ret = NULL;
- int num_sections = GetNumSections();
-
- for (int i = 0; i < num_sections; i++) {
- PIMAGE_SECTION_HEADER section = GetSectionHeader(i);
- if (0 == _strnicmp(reinterpret_cast<LPCSTR>(section->Name), section_name,
- sizeof(section->Name))) {
- ret = section;
- break;
- }
- }
-
- return ret;
-}
-
-bool PEImage::GetDebugId(LPGUID guid, LPDWORD age) const {
- if (NULL == guid || NULL == age) {
- return false;
- }
-
- DWORD debug_directory_size =
- GetImageDirectoryEntrySize(IMAGE_DIRECTORY_ENTRY_DEBUG);
- PIMAGE_DEBUG_DIRECTORY debug_directory =
- reinterpret_cast<PIMAGE_DEBUG_DIRECTORY>(
- GetImageDirectoryEntryAddr(IMAGE_DIRECTORY_ENTRY_DEBUG));
-
- size_t directory_count =
- debug_directory_size / sizeof(IMAGE_DEBUG_DIRECTORY);
-
- for (size_t index = 0; index < directory_count; ++index) {
- if (debug_directory[index].Type == IMAGE_DEBUG_TYPE_CODEVIEW) {
- PdbInfo* pdb_info = reinterpret_cast<PdbInfo*>(
- RVAToAddr(debug_directory[index].AddressOfRawData));
- if (pdb_info->Signature != kPdbInfoSignature) {
- // Unsupported PdbInfo signature
- return false;
- }
- *guid = pdb_info->Guid;
- *age = pdb_info->Age;
- return true;
- }
- }
- return false;
-}
-
-PDWORD PEImage::GetExportEntry(LPCSTR name) const {
- PIMAGE_EXPORT_DIRECTORY exports = GetExportDirectory();
-
- if (NULL == exports)
- return NULL;
-
- WORD ordinal = 0;
- if (!GetProcOrdinal(name, &ordinal))
- return NULL;
-
- PDWORD functions = reinterpret_cast<PDWORD>(
- RVAToAddr(exports->AddressOfFunctions));
-
- return functions + ordinal - exports->Base;
-}
-
-FARPROC PEImage::GetProcAddress(LPCSTR function_name) const {
- PDWORD export_entry = GetExportEntry(function_name);
- if (NULL == export_entry)
- return NULL;
-
- PBYTE function = reinterpret_cast<PBYTE>(RVAToAddr(*export_entry));
-
- PBYTE exports = reinterpret_cast<PBYTE>(
- GetImageDirectoryEntryAddr(IMAGE_DIRECTORY_ENTRY_EXPORT));
- DWORD size = GetImageDirectoryEntrySize(IMAGE_DIRECTORY_ENTRY_EXPORT);
-
- // Check for forwarded exports as a special case.
- if (exports <= function && exports + size > function)
- return reinterpret_cast<FARPROC>(-1);
-
- return reinterpret_cast<FARPROC>(function);
-}
-
-bool PEImage::GetProcOrdinal(LPCSTR function_name, WORD *ordinal) const {
- if (NULL == ordinal)
- return false;
-
- PIMAGE_EXPORT_DIRECTORY exports = GetExportDirectory();
-
- if (NULL == exports)
- return false;
-
- if (IsOrdinal(function_name)) {
- *ordinal = ToOrdinal(function_name);
- } else {
- PDWORD names = reinterpret_cast<PDWORD>(RVAToAddr(exports->AddressOfNames));
- PDWORD lower = names;
- PDWORD upper = names + exports->NumberOfNames;
- int cmp = -1;
-
- // Binary Search for the name.
- while (lower != upper) {
- PDWORD middle = lower + (upper - lower) / 2;
- LPCSTR name = reinterpret_cast<LPCSTR>(RVAToAddr(*middle));
-
- // This may be called by sandbox before MSVCRT dll loads, so can't use
- // CRT function here.
- cmp = StrCmpByByte(function_name, name);
-
- if (cmp == 0) {
- lower = middle;
- break;
- }
-
- if (cmp > 0)
- lower = middle + 1;
- else
- upper = middle;
- }
-
- if (cmp != 0)
- return false;
-
-
- PWORD ordinals = reinterpret_cast<PWORD>(
- RVAToAddr(exports->AddressOfNameOrdinals));
-
- *ordinal = ordinals[lower - names] + static_cast<WORD>(exports->Base);
- }
-
- return true;
-}
-
-bool PEImage::EnumSections(EnumSectionsFunction callback, PVOID cookie) const {
- PIMAGE_NT_HEADERS nt_headers = GetNTHeaders();
- UINT num_sections = nt_headers->FileHeader.NumberOfSections;
- PIMAGE_SECTION_HEADER section = GetSectionHeader(0);
-
- for (UINT i = 0; i < num_sections; i++, section++) {
- PVOID section_start = RVAToAddr(section->VirtualAddress);
- DWORD size = section->Misc.VirtualSize;
-
- if (!callback(*this, section, section_start, size, cookie))
- return false;
- }
-
- return true;
-}
-
-bool PEImage::EnumExports(EnumExportsFunction callback, PVOID cookie) const {
- PVOID directory = GetImageDirectoryEntryAddr(IMAGE_DIRECTORY_ENTRY_EXPORT);
- DWORD size = GetImageDirectoryEntrySize(IMAGE_DIRECTORY_ENTRY_EXPORT);
-
- // Check if there are any exports at all.
- if (NULL == directory || 0 == size)
- return true;
-
- PIMAGE_EXPORT_DIRECTORY exports = reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(
- directory);
- UINT ordinal_base = exports->Base;
- UINT num_funcs = exports->NumberOfFunctions;
- UINT num_names = exports->NumberOfNames;
- PDWORD functions = reinterpret_cast<PDWORD>(RVAToAddr(
- exports->AddressOfFunctions));
- PDWORD names = reinterpret_cast<PDWORD>(RVAToAddr(exports->AddressOfNames));
- PWORD ordinals = reinterpret_cast<PWORD>(RVAToAddr(
- exports->AddressOfNameOrdinals));
-
- for (UINT count = 0; count < num_funcs; count++) {
- PVOID func = RVAToAddr(functions[count]);
- if (NULL == func)
- continue;
-
- // Check for a name.
- LPCSTR name = NULL;
- UINT hint;
- for (hint = 0; hint < num_names; hint++) {
- if (ordinals[hint] == count) {
- name = reinterpret_cast<LPCSTR>(RVAToAddr(names[hint]));
- break;
- }
- }
-
- if (name == NULL)
- hint = 0;
-
- // Check for forwarded exports.
- LPCSTR forward = NULL;
- if (reinterpret_cast<char*>(func) >= reinterpret_cast<char*>(directory) &&
- reinterpret_cast<char*>(func) <= reinterpret_cast<char*>(directory) +
- size) {
- forward = reinterpret_cast<LPCSTR>(func);
- func = 0;
- }
-
- if (!callback(*this, ordinal_base + count, hint, name, func, forward,
- cookie))
- return false;
- }
-
- return true;
-}
-
-bool PEImage::EnumRelocs(EnumRelocsFunction callback, PVOID cookie) const {
- PVOID directory = GetImageDirectoryEntryAddr(IMAGE_DIRECTORY_ENTRY_BASERELOC);
- DWORD size = GetImageDirectoryEntrySize(IMAGE_DIRECTORY_ENTRY_BASERELOC);
- PIMAGE_BASE_RELOCATION base = reinterpret_cast<PIMAGE_BASE_RELOCATION>(
- directory);
-
- if (!directory)
- return true;
-
- while (size >= sizeof(IMAGE_BASE_RELOCATION) && base->SizeOfBlock &&
- size >= base->SizeOfBlock) {
- PWORD reloc = reinterpret_cast<PWORD>(base + 1);
- UINT num_relocs = (base->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) /
- sizeof(WORD);
-
- for (UINT i = 0; i < num_relocs; i++, reloc++) {
- WORD type = *reloc >> 12;
- PVOID address = RVAToAddr(base->VirtualAddress + (*reloc & 0x0FFF));
-
- if (!callback(*this, type, address, cookie))
- return false;
- }
-
- size -= base->SizeOfBlock;
- base = reinterpret_cast<PIMAGE_BASE_RELOCATION>(
- reinterpret_cast<char*>(base) + base->SizeOfBlock);
- }
-
- return true;
-}
-
-bool PEImage::EnumImportChunks(EnumImportChunksFunction callback,
- PVOID cookie) const {
- DWORD size = GetImageDirectoryEntrySize(IMAGE_DIRECTORY_ENTRY_IMPORT);
- PIMAGE_IMPORT_DESCRIPTOR import = GetFirstImportChunk();
-
- if (import == NULL || size < sizeof(IMAGE_IMPORT_DESCRIPTOR))
- return true;
-
- for (; import->FirstThunk; import++) {
- LPCSTR module_name = reinterpret_cast<LPCSTR>(RVAToAddr(import->Name));
- PIMAGE_THUNK_DATA name_table = reinterpret_cast<PIMAGE_THUNK_DATA>(
- RVAToAddr(import->OriginalFirstThunk));
- PIMAGE_THUNK_DATA iat = reinterpret_cast<PIMAGE_THUNK_DATA>(
- RVAToAddr(import->FirstThunk));
-
- if (!callback(*this, module_name, name_table, iat, cookie))
- return false;
- }
-
- return true;
-}
-
-bool PEImage::EnumOneImportChunk(EnumImportsFunction callback,
- LPCSTR module_name,
- PIMAGE_THUNK_DATA name_table,
- PIMAGE_THUNK_DATA iat, PVOID cookie) const {
- if (NULL == name_table)
- return false;
-
- for (; name_table && name_table->u1.Ordinal; name_table++, iat++) {
- LPCSTR name = NULL;
- WORD ordinal = 0;
- WORD hint = 0;
-
- if (IMAGE_SNAP_BY_ORDINAL(name_table->u1.Ordinal)) {
- ordinal = static_cast<WORD>(IMAGE_ORDINAL32(name_table->u1.Ordinal));
- } else {
- PIMAGE_IMPORT_BY_NAME import = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(
- RVAToAddr(name_table->u1.ForwarderString));
-
- hint = import->Hint;
- name = reinterpret_cast<LPCSTR>(&import->Name);
- }
-
- if (!callback(*this, module_name, ordinal, name, hint, iat, cookie))
- return false;
- }
-
- return true;
-}
-
-bool PEImage::EnumAllImports(EnumImportsFunction callback, PVOID cookie) const {
- EnumAllImportsStorage temp = { callback, cookie };
- return EnumImportChunks(ProcessImportChunk, &temp);
-}
-
-bool PEImage::EnumDelayImportChunks(EnumDelayImportChunksFunction callback,
- PVOID cookie) const {
- PVOID directory = GetImageDirectoryEntryAddr(
- IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT);
- DWORD size = GetImageDirectoryEntrySize(IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT);
- PImgDelayDescr delay_descriptor = reinterpret_cast<PImgDelayDescr>(directory);
-
- if (directory == NULL || size == 0)
- return true;
-
- for (; delay_descriptor->rvaHmod; delay_descriptor++) {
- PIMAGE_THUNK_DATA name_table;
- PIMAGE_THUNK_DATA iat;
- LPCSTR module_name;
-
- // check if VC7-style imports, using RVAs instead of
- // VC6-style addresses.
- bool rvas = (delay_descriptor->grAttrs & dlattrRva) != 0;
-
- if (rvas) {
- module_name =
- reinterpret_cast<LPCSTR>(RVAToAddr(delay_descriptor->rvaDLLName));
- name_table = reinterpret_cast<PIMAGE_THUNK_DATA>(
- RVAToAddr(delay_descriptor->rvaINT));
- iat = reinterpret_cast<PIMAGE_THUNK_DATA>(
- RVAToAddr(delay_descriptor->rvaIAT));
- } else {
- // Values in IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT are 32-bit, even on 64-bit
- // platforms. See section 4.8 of PECOFF image spec rev 8.3.
- module_name = reinterpret_cast<LPCSTR>(
- static_cast<uintptr_t>(delay_descriptor->rvaDLLName));
- name_table = reinterpret_cast<PIMAGE_THUNK_DATA>(
- static_cast<uintptr_t>(delay_descriptor->rvaINT));
- iat = reinterpret_cast<PIMAGE_THUNK_DATA>(
- static_cast<uintptr_t>(delay_descriptor->rvaIAT));
- }
-
- if (!callback(*this, delay_descriptor, module_name, name_table, iat,
- cookie))
- return false;
- }
-
- return true;
-}
-
-bool PEImage::EnumOneDelayImportChunk(EnumImportsFunction callback,
- PImgDelayDescr delay_descriptor,
- LPCSTR module_name,
- PIMAGE_THUNK_DATA name_table,
- PIMAGE_THUNK_DATA iat,
- PVOID cookie) const {
- for (; name_table->u1.Ordinal; name_table++, iat++) {
- LPCSTR name = NULL;
- WORD ordinal = 0;
- WORD hint = 0;
-
- if (IMAGE_SNAP_BY_ORDINAL(name_table->u1.Ordinal)) {
- ordinal = static_cast<WORD>(IMAGE_ORDINAL32(name_table->u1.Ordinal));
- } else {
- PIMAGE_IMPORT_BY_NAME import;
- bool rvas = (delay_descriptor->grAttrs & dlattrRva) != 0;
-
- if (rvas) {
- import = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(
- RVAToAddr(name_table->u1.ForwarderString));
- } else {
- import = reinterpret_cast<PIMAGE_IMPORT_BY_NAME>(
- name_table->u1.ForwarderString);
- }
-
- hint = import->Hint;
- name = reinterpret_cast<LPCSTR>(&import->Name);
- }
-
- if (!callback(*this, module_name, ordinal, name, hint, iat, cookie))
- return false;
- }
-
- return true;
-}
-
-bool PEImage::EnumAllDelayImports(EnumImportsFunction callback,
- PVOID cookie) const {
- EnumAllImportsStorage temp = { callback, cookie };
- return EnumDelayImportChunks(ProcessDelayImportChunk, &temp);
-}
-
-bool PEImage::VerifyMagic() const {
- PIMAGE_DOS_HEADER dos_header = GetDosHeader();
-
- if (dos_header->e_magic != IMAGE_DOS_SIGNATURE)
- return false;
-
- PIMAGE_NT_HEADERS nt_headers = GetNTHeaders();
-
- if (nt_headers->Signature != IMAGE_NT_SIGNATURE)
- return false;
-
- if (nt_headers->FileHeader.SizeOfOptionalHeader !=
- sizeof(IMAGE_OPTIONAL_HEADER))
- return false;
-
- if (nt_headers->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR_MAGIC)
- return false;
-
- return true;
-}
-
-bool PEImage::ImageRVAToOnDiskOffset(DWORD rva, DWORD* on_disk_offset) const {
- LPVOID address = RVAToAddr(rva);
- return ImageAddrToOnDiskOffset(address, on_disk_offset);
-}
-
-bool PEImage::ImageAddrToOnDiskOffset(LPVOID address,
- DWORD* on_disk_offset) const {
- if (NULL == address)
- return false;
-
- // Get the section that this address belongs to.
- PIMAGE_SECTION_HEADER section_header = GetImageSectionFromAddr(address);
- if (NULL == section_header)
- return false;
-
- // Don't follow the virtual RVAToAddr, use the one on the base.
- DWORD offset_within_section =
- static_cast<DWORD>(reinterpret_cast<uintptr_t>(address)) -
- static_cast<DWORD>(reinterpret_cast<uintptr_t>(
- PEImage::RVAToAddr(section_header->VirtualAddress)));
-
- *on_disk_offset = section_header->PointerToRawData + offset_within_section;
- return true;
-}
-
-PVOID PEImage::RVAToAddr(DWORD rva) const {
- if (rva == 0)
- return NULL;
-
- return reinterpret_cast<char*>(module_) + rva;
-}
-
-PVOID PEImageAsData::RVAToAddr(DWORD rva) const {
- if (rva == 0)
- return NULL;
-
- PVOID in_memory = PEImage::RVAToAddr(rva);
- DWORD disk_offset;
-
- if (!ImageAddrToOnDiskOffset(in_memory, &disk_offset))
- return NULL;
-
- return PEImage::RVAToAddr(disk_offset);
-}
-
-} // namespace win
-} // namespace base
diff --git a/security/sandbox/chromium/base/win/pe_image.h b/security/sandbox/chromium/base/win/pe_image.h
deleted file mode 100644
index 4c36bcf85..000000000
--- a/security/sandbox/chromium/base/win/pe_image.h
+++ /dev/null
@@ -1,265 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file was adapted from GreenBorder's Code.
-// To understand what this class is about (for other than well known functions
-// as GetProcAddress), a good starting point is "An In-Depth Look into the
-// Win32 Portable Executable File Format" by Matt Pietrek:
-// http://msdn.microsoft.com/msdnmag/issues/02/02/PE/default.aspx
-
-#ifndef BASE_WIN_PE_IMAGE_H_
-#define BASE_WIN_PE_IMAGE_H_
-
-#include <windows.h>
-
-#if defined(_WIN32_WINNT_WIN8)
-// The Windows 8 SDK defines FACILITY_VISUALCPP in winerror.h.
-#undef FACILITY_VISUALCPP
-#endif
-#include <DelayIMP.h>
-
-namespace base {
-namespace win {
-
-// This class is a wrapper for the Portable Executable File Format (PE).
-// Its main purpose is to provide an easy way to work with imports and exports
-// from a file, mapped in memory as image.
-class PEImage {
- public:
- // Callback to enumerate sections.
- // cookie is the value passed to the enumerate method.
- // Returns true to continue the enumeration.
- typedef bool (*EnumSectionsFunction)(const PEImage &image,
- PIMAGE_SECTION_HEADER header,
- PVOID section_start, DWORD section_size,
- PVOID cookie);
-
- // Callback to enumerate exports.
- // function is the actual address of the symbol. If forward is not null, it
- // contains the dll and symbol to forward this export to. cookie is the value
- // passed to the enumerate method.
- // Returns true to continue the enumeration.
- typedef bool (*EnumExportsFunction)(const PEImage &image, DWORD ordinal,
- DWORD hint, LPCSTR name, PVOID function,
- LPCSTR forward, PVOID cookie);
-
- // Callback to enumerate import blocks.
- // name_table and iat point to the imports name table and address table for
- // this block. cookie is the value passed to the enumerate method.
- // Returns true to continue the enumeration.
- typedef bool (*EnumImportChunksFunction)(const PEImage &image, LPCSTR module,
- PIMAGE_THUNK_DATA name_table,
- PIMAGE_THUNK_DATA iat, PVOID cookie);
-
- // Callback to enumerate imports.
- // module is the dll that exports this symbol. cookie is the value passed to
- // the enumerate method.
- // Returns true to continue the enumeration.
- typedef bool (*EnumImportsFunction)(const PEImage &image, LPCSTR module,
- DWORD ordinal, LPCSTR name, DWORD hint,
- PIMAGE_THUNK_DATA iat, PVOID cookie);
-
- // Callback to enumerate dalayed import blocks.
- // module is the dll that exports this block of symbols. cookie is the value
- // passed to the enumerate method.
- // Returns true to continue the enumeration.
- typedef bool (*EnumDelayImportChunksFunction)(const PEImage &image,
- PImgDelayDescr delay_descriptor,
- LPCSTR module,
- PIMAGE_THUNK_DATA name_table,
- PIMAGE_THUNK_DATA iat,
- PVOID cookie);
-
- // Callback to enumerate relocations.
- // cookie is the value passed to the enumerate method.
- // Returns true to continue the enumeration.
- typedef bool (*EnumRelocsFunction)(const PEImage &image, WORD type,
- PVOID address, PVOID cookie);
-
- explicit PEImage(HMODULE module) : module_(module) {}
- explicit PEImage(const void* module) {
- module_ = reinterpret_cast<HMODULE>(const_cast<void*>(module));
- }
-
- virtual ~PEImage() {}
-
- // Gets the HMODULE for this object.
- HMODULE module() const;
-
- // Sets this object's HMODULE.
- void set_module(HMODULE module);
-
- // Checks if this symbol is actually an ordinal.
- static bool IsOrdinal(LPCSTR name);
-
- // Converts a named symbol to the corresponding ordinal.
- static WORD ToOrdinal(LPCSTR name);
-
- // Returns the DOS_HEADER for this PE.
- PIMAGE_DOS_HEADER GetDosHeader() const;
-
- // Returns the NT_HEADER for this PE.
- PIMAGE_NT_HEADERS GetNTHeaders() const;
-
- // Returns number of sections of this PE.
- WORD GetNumSections() const;
-
- // Returns the header for a given section.
- // returns NULL if there is no such section.
- PIMAGE_SECTION_HEADER GetSectionHeader(UINT section) const;
-
- // Returns the size of a given directory entry.
- DWORD GetImageDirectoryEntrySize(UINT directory) const;
-
- // Returns the address of a given directory entry.
- PVOID GetImageDirectoryEntryAddr(UINT directory) const;
-
- // Returns the section header for a given address.
- // Use: s = image.GetImageSectionFromAddr(a);
- // Post: 's' is the section header of the section that contains 'a'
- // or NULL if there is no such section.
- PIMAGE_SECTION_HEADER GetImageSectionFromAddr(PVOID address) const;
-
- // Returns the section header for a given section.
- PIMAGE_SECTION_HEADER GetImageSectionHeaderByName(LPCSTR section_name) const;
-
- // Returns the first block of imports.
- PIMAGE_IMPORT_DESCRIPTOR GetFirstImportChunk() const;
-
- // Returns the exports directory.
- PIMAGE_EXPORT_DIRECTORY GetExportDirectory() const;
-
- // Returns the debug id (guid+age).
- bool GetDebugId(LPGUID guid, LPDWORD age) const;
-
- // Returns a given export entry.
- // Use: e = image.GetExportEntry(f);
- // Pre: 'f' is either a zero terminated string or ordinal
- // Post: 'e' is a pointer to the export directory entry
- // that contains 'f's export RVA, or NULL if 'f'
- // is not exported from this image
- PDWORD GetExportEntry(LPCSTR name) const;
-
- // Returns the address for a given exported symbol.
- // Use: p = image.GetProcAddress(f);
- // Pre: 'f' is either a zero terminated string or ordinal.
- // Post: if 'f' is a non-forwarded export from image, 'p' is
- // the exported function. If 'f' is a forwarded export
- // then p is the special value -1. In this case
- // RVAToAddr(*GetExportEntry) can be used to resolve
- // the string that describes the forward.
- FARPROC GetProcAddress(LPCSTR function_name) const;
-
- // Retrieves the ordinal for a given exported symbol.
- // Returns true if the symbol was found.
- bool GetProcOrdinal(LPCSTR function_name, WORD *ordinal) const;
-
- // Enumerates PE sections.
- // cookie is a generic cookie to pass to the callback.
- // Returns true on success.
- bool EnumSections(EnumSectionsFunction callback, PVOID cookie) const;
-
- // Enumerates PE exports.
- // cookie is a generic cookie to pass to the callback.
- // Returns true on success.
- bool EnumExports(EnumExportsFunction callback, PVOID cookie) const;
-
- // Enumerates PE imports.
- // cookie is a generic cookie to pass to the callback.
- // Returns true on success.
- bool EnumAllImports(EnumImportsFunction callback, PVOID cookie) const;
-
- // Enumerates PE import blocks.
- // cookie is a generic cookie to pass to the callback.
- // Returns true on success.
- bool EnumImportChunks(EnumImportChunksFunction callback, PVOID cookie) const;
-
- // Enumerates the imports from a single PE import block.
- // cookie is a generic cookie to pass to the callback.
- // Returns true on success.
- bool EnumOneImportChunk(EnumImportsFunction callback, LPCSTR module_name,
- PIMAGE_THUNK_DATA name_table, PIMAGE_THUNK_DATA iat,
- PVOID cookie) const;
-
-
- // Enumerates PE delay imports.
- // cookie is a generic cookie to pass to the callback.
- // Returns true on success.
- bool EnumAllDelayImports(EnumImportsFunction callback, PVOID cookie) const;
-
- // Enumerates PE delay import blocks.
- // cookie is a generic cookie to pass to the callback.
- // Returns true on success.
- bool EnumDelayImportChunks(EnumDelayImportChunksFunction callback,
- PVOID cookie) const;
-
- // Enumerates imports from a single PE delay import block.
- // cookie is a generic cookie to pass to the callback.
- // Returns true on success.
- bool EnumOneDelayImportChunk(EnumImportsFunction callback,
- PImgDelayDescr delay_descriptor,
- LPCSTR module_name,
- PIMAGE_THUNK_DATA name_table,
- PIMAGE_THUNK_DATA iat,
- PVOID cookie) const;
-
- // Enumerates PE relocation entries.
- // cookie is a generic cookie to pass to the callback.
- // Returns true on success.
- bool EnumRelocs(EnumRelocsFunction callback, PVOID cookie) const;
-
- // Verifies the magic values on the PE file.
- // Returns true if all values are correct.
- bool VerifyMagic() const;
-
- // Converts an rva value to the appropriate address.
- virtual PVOID RVAToAddr(DWORD rva) const;
-
- // Converts an rva value to an offset on disk.
- // Returns true on success.
- bool ImageRVAToOnDiskOffset(DWORD rva, DWORD *on_disk_offset) const;
-
- // Converts an address to an offset on disk.
- // Returns true on success.
- bool ImageAddrToOnDiskOffset(LPVOID address, DWORD *on_disk_offset) const;
-
- private:
- HMODULE module_;
-};
-
-// This class is an extension to the PEImage class that allows working with PE
-// files mapped as data instead of as image file.
-class PEImageAsData : public PEImage {
- public:
- explicit PEImageAsData(HMODULE hModule) : PEImage(hModule) {}
-
- PVOID RVAToAddr(DWORD rva) const override;
-};
-
-inline bool PEImage::IsOrdinal(LPCSTR name) {
- return reinterpret_cast<uintptr_t>(name) <= 0xFFFF;
-}
-
-inline WORD PEImage::ToOrdinal(LPCSTR name) {
- return static_cast<WORD>(reinterpret_cast<intptr_t>(name));
-}
-
-inline HMODULE PEImage::module() const {
- return module_;
-}
-
-inline PIMAGE_IMPORT_DESCRIPTOR PEImage::GetFirstImportChunk() const {
- return reinterpret_cast<PIMAGE_IMPORT_DESCRIPTOR>(
- GetImageDirectoryEntryAddr(IMAGE_DIRECTORY_ENTRY_IMPORT));
-}
-
-inline PIMAGE_EXPORT_DIRECTORY PEImage::GetExportDirectory() const {
- return reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(
- GetImageDirectoryEntryAddr(IMAGE_DIRECTORY_ENTRY_EXPORT));
-}
-
-} // namespace win
-} // namespace base
-
-#endif // BASE_WIN_PE_IMAGE_H_
diff --git a/security/sandbox/chromium/base/win/scoped_handle.cc b/security/sandbox/chromium/base/win/scoped_handle.cc
deleted file mode 100644
index 9c21603a0..000000000
--- a/security/sandbox/chromium/base/win/scoped_handle.cc
+++ /dev/null
@@ -1,248 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/win/scoped_handle.h"
-
-#include <stddef.h>
-
-#include <unordered_map>
-
-#include "base/debug/alias.h"
-#include "base/hash.h"
-#include "base/lazy_instance.h"
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/synchronization/lock_impl.h"
-
-extern "C" {
-__declspec(dllexport) void* GetHandleVerifier();
-typedef void* (*GetHandleVerifierFn)();
-}
-
-namespace {
-
-struct HandleHash {
- size_t operator()(const HANDLE& handle) const {
- char buffer[sizeof(handle)];
- memcpy(buffer, &handle, sizeof(handle));
- return base::Hash(buffer, sizeof(buffer));
- }
-};
-
-struct Info {
- const void* owner;
- const void* pc1;
- const void* pc2;
- DWORD thread_id;
-};
-typedef std::unordered_map<HANDLE, Info, HandleHash> HandleMap;
-
-// g_lock protects the handle map and setting g_active_verifier.
-typedef base::internal::LockImpl NativeLock;
-base::LazyInstance<NativeLock>::Leaky g_lock = LAZY_INSTANCE_INITIALIZER;
-
-bool CloseHandleWrapper(HANDLE handle) {
- if (!::CloseHandle(handle))
- CHECK(false);
- return true;
-}
-
-// Simple automatic locking using a native critical section so it supports
-// recursive locking.
-class AutoNativeLock {
- public:
- explicit AutoNativeLock(NativeLock& lock) : lock_(lock) {
- lock_.Lock();
- }
-
- ~AutoNativeLock() {
- lock_.Unlock();
- }
-
- private:
- NativeLock& lock_;
- DISALLOW_COPY_AND_ASSIGN(AutoNativeLock);
-};
-
-// Implements the actual object that is verifying handles for this process.
-// The active instance is shared across the module boundary but there is no
-// way to delete this object from the wrong side of it (or any side, actually).
-class ActiveVerifier {
- public:
- explicit ActiveVerifier(bool enabled)
- : enabled_(enabled), closing_(false), lock_(g_lock.Pointer()) {
- }
-
- // Retrieves the current verifier.
- static ActiveVerifier* Get();
-
- // The methods required by HandleTraits. They are virtual because we need to
- // forward the call execution to another module, instead of letting the
- // compiler call the version that is linked in the current module.
- virtual bool CloseHandle(HANDLE handle);
- virtual void StartTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2);
- virtual void StopTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2);
- virtual void Disable();
- virtual void OnHandleBeingClosed(HANDLE handle);
-
- private:
- ~ActiveVerifier(); // Not implemented.
-
- static void InstallVerifier();
-
- bool enabled_;
- bool closing_;
- NativeLock* lock_;
- HandleMap map_;
- DISALLOW_COPY_AND_ASSIGN(ActiveVerifier);
-};
-ActiveVerifier* g_active_verifier = NULL;
-
-// static
-ActiveVerifier* ActiveVerifier::Get() {
- if (!g_active_verifier)
- ActiveVerifier::InstallVerifier();
-
- return g_active_verifier;
-}
-
-// static
-void ActiveVerifier::InstallVerifier() {
-#if defined(COMPONENT_BUILD)
- AutoNativeLock lock(g_lock.Get());
- g_active_verifier = new ActiveVerifier(true);
-#else
- // If you are reading this, wondering why your process seems deadlocked, take
- // a look at your DllMain code and remove things that should not be done
- // there, like doing whatever gave you that nice windows handle you are trying
- // to store in a ScopedHandle.
- HMODULE main_module = ::GetModuleHandle(NULL);
- GetHandleVerifierFn get_handle_verifier =
- reinterpret_cast<GetHandleVerifierFn>(::GetProcAddress(
- main_module, "GetHandleVerifier"));
-
- if (!get_handle_verifier) {
- g_active_verifier = new ActiveVerifier(false);
- return;
- }
-
- ActiveVerifier* verifier =
- reinterpret_cast<ActiveVerifier*>(get_handle_verifier());
-
- // This lock only protects against races in this module, which is fine.
- AutoNativeLock lock(g_lock.Get());
- g_active_verifier = verifier ? verifier : new ActiveVerifier(true);
-#endif
-}
-
-bool ActiveVerifier::CloseHandle(HANDLE handle) {
- if (!enabled_)
- return CloseHandleWrapper(handle);
-
- AutoNativeLock lock(*lock_);
- closing_ = true;
- CloseHandleWrapper(handle);
- closing_ = false;
-
- return true;
-}
-
-void ActiveVerifier::StartTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2) {
- if (!enabled_)
- return;
-
- // Grab the thread id before the lock.
- DWORD thread_id = GetCurrentThreadId();
-
- AutoNativeLock lock(*lock_);
-
- Info handle_info = { owner, pc1, pc2, thread_id };
- std::pair<HANDLE, Info> item(handle, handle_info);
- std::pair<HandleMap::iterator, bool> result = map_.insert(item);
- if (!result.second) {
- Info other = result.first->second;
- base::debug::Alias(&other);
- CHECK(false);
- }
-}
-
-void ActiveVerifier::StopTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2) {
- if (!enabled_)
- return;
-
- AutoNativeLock lock(*lock_);
- HandleMap::iterator i = map_.find(handle);
- if (i == map_.end())
- CHECK(false);
-
- Info other = i->second;
- if (other.owner != owner) {
- base::debug::Alias(&other);
- CHECK(false);
- }
-
- map_.erase(i);
-}
-
-void ActiveVerifier::Disable() {
- enabled_ = false;
-}
-
-void ActiveVerifier::OnHandleBeingClosed(HANDLE handle) {
- if (!enabled_)
- return;
-
- AutoNativeLock lock(*lock_);
- if (closing_)
- return;
-
- HandleMap::iterator i = map_.find(handle);
- if (i == map_.end())
- return;
-
- Info other = i->second;
- base::debug::Alias(&other);
- CHECK(false);
-}
-
-} // namespace
-
-void* GetHandleVerifier() {
- return g_active_verifier;
-}
-
-namespace base {
-namespace win {
-
-// Static.
-bool HandleTraits::CloseHandle(HANDLE handle) {
- return ActiveVerifier::Get()->CloseHandle(handle);
-}
-
-// Static.
-void VerifierTraits::StartTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2) {
- return ActiveVerifier::Get()->StartTracking(handle, owner, pc1, pc2);
-}
-
-// Static.
-void VerifierTraits::StopTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2) {
- return ActiveVerifier::Get()->StopTracking(handle, owner, pc1, pc2);
-}
-
-void DisableHandleVerifier() {
- return ActiveVerifier::Get()->Disable();
-}
-
-void OnHandleBeingClosed(HANDLE handle) {
- return ActiveVerifier::Get()->OnHandleBeingClosed(handle);
-}
-
-} // namespace win
-} // namespace base
diff --git a/security/sandbox/chromium/base/win/scoped_handle.h b/security/sandbox/chromium/base/win/scoped_handle.h
deleted file mode 100644
index 404ab6693..000000000
--- a/security/sandbox/chromium/base/win/scoped_handle.h
+++ /dev/null
@@ -1,182 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_WIN_SCOPED_HANDLE_H_
-#define BASE_WIN_SCOPED_HANDLE_H_
-
-#include <windows.h>
-
-#include "base/base_export.h"
-#include "base/location.h"
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/move.h"
-
-// TODO(rvargas): remove this with the rest of the verifier.
-#if defined(COMPILER_MSVC)
-#include <intrin.h>
-#define BASE_WIN_GET_CALLER _ReturnAddress()
-#elif defined(COMPILER_GCC)
-#define BASE_WIN_GET_CALLER __builtin_extract_return_addr(\\
- __builtin_return_address(0))
-#endif
-
-namespace base {
-namespace win {
-
-// Generic wrapper for raw handles that takes care of closing handles
-// automatically. The class interface follows the style of
-// the ScopedFILE class with two additions:
-// - IsValid() method can tolerate multiple invalid handle values such as NULL
-// and INVALID_HANDLE_VALUE (-1) for Win32 handles.
-// - Set() (and the constructors and assignment operators that call it)
-// preserve the Windows LastError code. This ensures that GetLastError() can
-// be called after stashing a handle in a GenericScopedHandle object. Doing
-// this explicitly is necessary because of bug 528394 and VC++ 2015.
-template <class Traits, class Verifier>
-class GenericScopedHandle {
- MOVE_ONLY_TYPE_FOR_CPP_03(GenericScopedHandle)
-
- public:
- typedef typename Traits::Handle Handle;
-
- GenericScopedHandle() : handle_(Traits::NullHandle()) {}
-
- explicit GenericScopedHandle(Handle handle) : handle_(Traits::NullHandle()) {
- Set(handle);
- }
-
- GenericScopedHandle(GenericScopedHandle&& other)
- : handle_(Traits::NullHandle()) {
- Set(other.Take());
- }
-
- ~GenericScopedHandle() {
- Close();
- }
-
- bool IsValid() const {
- return Traits::IsHandleValid(handle_);
- }
-
- GenericScopedHandle& operator=(GenericScopedHandle&& other) {
- DCHECK_NE(this, &other);
- Set(other.Take());
- return *this;
- }
-
- void Set(Handle handle) {
- if (handle_ != handle) {
- // Preserve old LastError to avoid bug 528394.
- auto last_error = ::GetLastError();
- Close();
-
- if (Traits::IsHandleValid(handle)) {
- handle_ = handle;
- Verifier::StartTracking(handle, this, BASE_WIN_GET_CALLER,
- tracked_objects::GetProgramCounter());
- }
- ::SetLastError(last_error);
- }
- }
-
- Handle Get() const {
- return handle_;
- }
-
- // Transfers ownership away from this object.
- Handle Take() {
- Handle temp = handle_;
- handle_ = Traits::NullHandle();
- if (Traits::IsHandleValid(temp)) {
- Verifier::StopTracking(temp, this, BASE_WIN_GET_CALLER,
- tracked_objects::GetProgramCounter());
- }
- return temp;
- }
-
- // Explicitly closes the owned handle.
- void Close() {
- if (Traits::IsHandleValid(handle_)) {
- Verifier::StopTracking(handle_, this, BASE_WIN_GET_CALLER,
- tracked_objects::GetProgramCounter());
-
- Traits::CloseHandle(handle_);
- handle_ = Traits::NullHandle();
- }
- }
-
- private:
- Handle handle_;
-};
-
-#undef BASE_WIN_GET_CALLER
-
-// The traits class for Win32 handles that can be closed via CloseHandle() API.
-class HandleTraits {
- public:
- typedef HANDLE Handle;
-
- // Closes the handle.
- static bool BASE_EXPORT CloseHandle(HANDLE handle);
-
- // Returns true if the handle value is valid.
- static bool IsHandleValid(HANDLE handle) {
- return handle != NULL && handle != INVALID_HANDLE_VALUE;
- }
-
- // Returns NULL handle value.
- static HANDLE NullHandle() {
- return NULL;
- }
-
- private:
- DISALLOW_IMPLICIT_CONSTRUCTORS(HandleTraits);
-};
-
-// Do-nothing verifier.
-class DummyVerifierTraits {
- public:
- typedef HANDLE Handle;
-
- static void StartTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2) {}
- static void StopTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2) {}
-
- private:
- DISALLOW_IMPLICIT_CONSTRUCTORS(DummyVerifierTraits);
-};
-
-// Performs actual run-time tracking.
-class BASE_EXPORT VerifierTraits {
- public:
- typedef HANDLE Handle;
-
- static void StartTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2);
- static void StopTracking(HANDLE handle, const void* owner,
- const void* pc1, const void* pc2);
-
- private:
- DISALLOW_IMPLICIT_CONSTRUCTORS(VerifierTraits);
-};
-
-typedef GenericScopedHandle<HandleTraits, VerifierTraits> ScopedHandle;
-
-// This function may be called by the embedder to disable the use of
-// VerifierTraits at runtime. It has no effect if DummyVerifierTraits is used
-// for ScopedHandle.
-void BASE_EXPORT DisableHandleVerifier();
-
-// This should be called whenever the OS is closing a handle, if extended
-// verification of improper handle closing is desired. If |handle| is being
-// tracked by the handle verifier and ScopedHandle is not the one closing it,
-// a CHECK is generated.
-void BASE_EXPORT OnHandleBeingClosed(HANDLE handle);
-
-} // namespace win
-} // namespace base
-
-#endif // BASE_WIN_SCOPED_HANDLE_H_
diff --git a/security/sandbox/chromium/base/win/scoped_process_information.cc b/security/sandbox/chromium/base/win/scoped_process_information.cc
deleted file mode 100644
index 634a538ee..000000000
--- a/security/sandbox/chromium/base/win/scoped_process_information.cc
+++ /dev/null
@@ -1,147 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/win/scoped_process_information.h"
-
-#include "base/logging.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-
-namespace base {
-namespace win {
-
-namespace {
-
-// Duplicates source into target, returning true upon success. |target| is
-// guaranteed to be untouched in case of failure. Succeeds with no side-effects
-// if source is NULL.
-bool CheckAndDuplicateHandle(HANDLE source, ScopedHandle* target) {
- if (!source)
- return true;
-
- HANDLE temp = NULL;
-
- // TODO(shrikant): Remove following code as soon as we gather some
- // information regarding AppContainer related DuplicateHandle failures that
- // only seem to happen on certain machine and only random launches (normally
- // renderer launches seem to succeed even on those machines.)
- if (base::win::GetVersion() == base::win::VERSION_WIN8 ||
- base::win::GetVersion() == base::win::VERSION_WIN8_1) {
- typedef LONG (WINAPI *NtDuplicateObject)(
- IN HANDLE SourceProcess,
- IN HANDLE SourceHandle,
- IN HANDLE TargetProcess,
- OUT PHANDLE TargetHandle,
- IN ACCESS_MASK DesiredAccess,
- IN ULONG Attributes,
- IN ULONG Options);
-
- typedef ULONG (WINAPI *RtlNtStatusToDosError)(IN LONG Status);
-
- NtDuplicateObject nt_duplicate_object =
- reinterpret_cast<NtDuplicateObject>(::GetProcAddress(
- GetModuleHandle(L"ntdll.dll"), "NtDuplicateObject"));
- if (nt_duplicate_object != NULL) {
- LONG status = nt_duplicate_object(::GetCurrentProcess(), source,
- ::GetCurrentProcess(), &temp,
- 0, FALSE, DUPLICATE_SAME_ACCESS);
- if (status < 0) {
- DPLOG(ERROR) << "Failed to duplicate a handle.";
- RtlNtStatusToDosError ntstatus_to_doserror =
- reinterpret_cast<RtlNtStatusToDosError>(::GetProcAddress(
- GetModuleHandle(L"ntdll.dll"), "RtlNtStatusToDosError"));
- if (ntstatus_to_doserror != NULL) {
- ::SetLastError(ntstatus_to_doserror(status));
- }
- return false;
- }
- }
- } else {
- if (!::DuplicateHandle(::GetCurrentProcess(), source,
- ::GetCurrentProcess(), &temp, 0, FALSE,
- DUPLICATE_SAME_ACCESS)) {
- DPLOG(ERROR) << "Failed to duplicate a handle.";
- return false;
- }
- }
- target->Set(temp);
- return true;
-}
-
-} // namespace
-
-ScopedProcessInformation::ScopedProcessInformation()
- : process_id_(0), thread_id_(0) {
-}
-
-ScopedProcessInformation::ScopedProcessInformation(
- const PROCESS_INFORMATION& process_info) : process_id_(0), thread_id_(0) {
- Set(process_info);
-}
-
-ScopedProcessInformation::~ScopedProcessInformation() {
- Close();
-}
-
-bool ScopedProcessInformation::IsValid() const {
- return process_id_ || process_handle_.Get() ||
- thread_id_ || thread_handle_.Get();
-}
-
-void ScopedProcessInformation::Close() {
- process_handle_.Close();
- thread_handle_.Close();
- process_id_ = 0;
- thread_id_ = 0;
-}
-
-void ScopedProcessInformation::Set(const PROCESS_INFORMATION& process_info) {
- if (IsValid())
- Close();
-
- process_handle_.Set(process_info.hProcess);
- thread_handle_.Set(process_info.hThread);
- process_id_ = process_info.dwProcessId;
- thread_id_ = process_info.dwThreadId;
-}
-
-bool ScopedProcessInformation::DuplicateFrom(
- const ScopedProcessInformation& other) {
- DCHECK(!IsValid()) << "target ScopedProcessInformation must be NULL";
- DCHECK(other.IsValid()) << "source ScopedProcessInformation must be valid";
-
- if (CheckAndDuplicateHandle(other.process_handle(), &process_handle_) &&
- CheckAndDuplicateHandle(other.thread_handle(), &thread_handle_)) {
- process_id_ = other.process_id();
- thread_id_ = other.thread_id();
- return true;
- }
-
- return false;
-}
-
-PROCESS_INFORMATION ScopedProcessInformation::Take() {
- PROCESS_INFORMATION process_information = {};
- process_information.hProcess = process_handle_.Take();
- process_information.hThread = thread_handle_.Take();
- process_information.dwProcessId = process_id();
- process_information.dwThreadId = thread_id();
- process_id_ = 0;
- thread_id_ = 0;
-
- return process_information;
-}
-
-HANDLE ScopedProcessInformation::TakeProcessHandle() {
- process_id_ = 0;
- return process_handle_.Take();
-}
-
-HANDLE ScopedProcessInformation::TakeThreadHandle() {
- thread_id_ = 0;
- return thread_handle_.Take();
-}
-
-} // namespace win
-} // namespace base
diff --git a/security/sandbox/chromium/base/win/scoped_process_information.h b/security/sandbox/chromium/base/win/scoped_process_information.h
deleted file mode 100644
index 01df861f0..000000000
--- a/security/sandbox/chromium/base/win/scoped_process_information.h
+++ /dev/null
@@ -1,83 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_WIN_SCOPED_PROCESS_INFORMATION_H_
-#define BASE_WIN_SCOPED_PROCESS_INFORMATION_H_
-
-#include <windows.h>
-
-#include "base/base_export.h"
-#include "base/macros.h"
-#include "base/win/scoped_handle.h"
-
-namespace base {
-namespace win {
-
-// Manages the closing of process and thread handles from PROCESS_INFORMATION
-// structures. Allows clients to take ownership of either handle independently.
-class BASE_EXPORT ScopedProcessInformation {
- public:
- ScopedProcessInformation();
- explicit ScopedProcessInformation(const PROCESS_INFORMATION& process_info);
- ~ScopedProcessInformation();
-
- // Returns true iff this instance is holding a thread and/or process handle.
- bool IsValid() const;
-
- // Closes the held thread and process handles, if any.
- void Close();
-
- // Populates this instance with the provided |process_info|.
- void Set(const PROCESS_INFORMATION& process_info);
-
- // Populates this instance with duplicate handles and the thread/process IDs
- // from |other|. Returns false in case of failure, in which case this instance
- // will be completely unpopulated.
- bool DuplicateFrom(const ScopedProcessInformation& other);
-
- // Transfers ownership of the held PROCESS_INFORMATION, if any, away from this
- // instance.
- PROCESS_INFORMATION Take();
-
- // Transfers ownership of the held process handle, if any, away from this
- // instance. Note that the related process_id will also be cleared.
- HANDLE TakeProcessHandle();
-
- // Transfers ownership of the held thread handle, if any, away from this
- // instance. Note that the related thread_id will also be cleared.
- HANDLE TakeThreadHandle();
-
- // Returns the held process handle, if any, while retaining ownership.
- HANDLE process_handle() const {
- return process_handle_.Get();
- }
-
- // Returns the held thread handle, if any, while retaining ownership.
- HANDLE thread_handle() const {
- return thread_handle_.Get();
- }
-
- // Returns the held process id, if any.
- DWORD process_id() const {
- return process_id_;
- }
-
- // Returns the held thread id, if any.
- DWORD thread_id() const {
- return thread_id_;
- }
-
- private:
- ScopedHandle process_handle_;
- ScopedHandle thread_handle_;
- DWORD process_id_;
- DWORD thread_id_;
-
- DISALLOW_COPY_AND_ASSIGN(ScopedProcessInformation);
-};
-
-} // namespace win
-} // namespace base
-
-#endif // BASE_WIN_SCOPED_PROCESS_INFORMATION_H_
diff --git a/security/sandbox/chromium/base/win/startup_information.cc b/security/sandbox/chromium/base/win/startup_information.cc
deleted file mode 100644
index aff52eb79..000000000
--- a/security/sandbox/chromium/base/win/startup_information.cc
+++ /dev/null
@@ -1,109 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/win/startup_information.h"
-
-#include "base/logging.h"
-#include "base/win/windows_version.h"
-
-namespace {
-
-typedef BOOL (WINAPI *InitializeProcThreadAttributeListFunction)(
- LPPROC_THREAD_ATTRIBUTE_LIST attribute_list,
- DWORD attribute_count,
- DWORD flags,
- PSIZE_T size);
-static InitializeProcThreadAttributeListFunction
- initialize_proc_thread_attribute_list;
-
-typedef BOOL (WINAPI *UpdateProcThreadAttributeFunction)(
- LPPROC_THREAD_ATTRIBUTE_LIST attribute_list,
- DWORD flags,
- DWORD_PTR attribute,
- PVOID value,
- SIZE_T size,
- PVOID previous_value,
- PSIZE_T return_size);
-static UpdateProcThreadAttributeFunction update_proc_thread_attribute_list;
-
-typedef VOID (WINAPI *DeleteProcThreadAttributeListFunction)(
- LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList);
-static DeleteProcThreadAttributeListFunction delete_proc_thread_attribute_list;
-
-} // namespace
-
-namespace base {
-namespace win {
-
-StartupInformation::StartupInformation() {
- memset(&startup_info_, 0, sizeof(startup_info_));
-
- // Pre Windows Vista doesn't support STARTUPINFOEX.
- if (base::win::GetVersion() < base::win::VERSION_VISTA) {
- startup_info_.StartupInfo.cb = sizeof(STARTUPINFO);
- return;
- }
-
- startup_info_.StartupInfo.cb = sizeof(startup_info_);
-
- // Load the attribute API functions.
- if (!initialize_proc_thread_attribute_list ||
- !update_proc_thread_attribute_list ||
- !delete_proc_thread_attribute_list) {
- HMODULE module = ::GetModuleHandleW(L"kernel32.dll");
- initialize_proc_thread_attribute_list =
- reinterpret_cast<InitializeProcThreadAttributeListFunction>(
- ::GetProcAddress(module, "InitializeProcThreadAttributeList"));
- update_proc_thread_attribute_list =
- reinterpret_cast<UpdateProcThreadAttributeFunction>(
- ::GetProcAddress(module, "UpdateProcThreadAttribute"));
- delete_proc_thread_attribute_list =
- reinterpret_cast<DeleteProcThreadAttributeListFunction>(
- ::GetProcAddress(module, "DeleteProcThreadAttributeList"));
- }
-}
-
-StartupInformation::~StartupInformation() {
- if (startup_info_.lpAttributeList) {
- delete_proc_thread_attribute_list(startup_info_.lpAttributeList);
- delete [] reinterpret_cast<BYTE*>(startup_info_.lpAttributeList);
- }
-}
-
-bool StartupInformation::InitializeProcThreadAttributeList(
- DWORD attribute_count) {
- if (startup_info_.StartupInfo.cb != sizeof(startup_info_) ||
- startup_info_.lpAttributeList)
- return false;
-
- SIZE_T size = 0;
- initialize_proc_thread_attribute_list(NULL, attribute_count, 0, &size);
- if (size == 0)
- return false;
-
- startup_info_.lpAttributeList =
- reinterpret_cast<LPPROC_THREAD_ATTRIBUTE_LIST>(new BYTE[size]);
- if (!initialize_proc_thread_attribute_list(startup_info_.lpAttributeList,
- attribute_count, 0, &size)) {
- delete [] reinterpret_cast<BYTE*>(startup_info_.lpAttributeList);
- startup_info_.lpAttributeList = NULL;
- return false;
- }
-
- return true;
-}
-
-bool StartupInformation::UpdateProcThreadAttribute(
- DWORD_PTR attribute,
- void* value,
- size_t size) {
- if (!startup_info_.lpAttributeList)
- return false;
- return !!update_proc_thread_attribute_list(startup_info_.lpAttributeList, 0,
- attribute, value, size, NULL, NULL);
-}
-
-} // namespace win
-} // namespace base
-
diff --git a/security/sandbox/chromium/base/win/startup_information.h b/security/sandbox/chromium/base/win/startup_information.h
deleted file mode 100644
index 5b777baef..000000000
--- a/security/sandbox/chromium/base/win/startup_information.h
+++ /dev/null
@@ -1,51 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_WIN_STARTUP_INFORMATION_H_
-#define BASE_WIN_STARTUP_INFORMATION_H_
-
-#include <windows.h>
-#include <stddef.h>
-
-#include "base/base_export.h"
-#include "base/macros.h"
-
-namespace base {
-namespace win {
-
-// Manages the lifetime of additional attributes in STARTUPINFOEX.
-class BASE_EXPORT StartupInformation {
- public:
- StartupInformation();
-
- ~StartupInformation();
-
- // Initialize the attribute list for the specified number of entries.
- bool InitializeProcThreadAttributeList(DWORD attribute_count);
-
- // Sets one entry in the initialized attribute list.
- // |value| needs to live at least as long as the StartupInformation object
- // this is called on.
- bool UpdateProcThreadAttribute(DWORD_PTR attribute,
- void* value,
- size_t size);
-
- LPSTARTUPINFOW startup_info() { return &startup_info_.StartupInfo; }
- LPSTARTUPINFOW startup_info() const {
- return const_cast<const LPSTARTUPINFOW>(&startup_info_.StartupInfo);
- }
-
- bool has_extended_startup_info() const {
- return !!startup_info_.lpAttributeList;
- }
-
- private:
- STARTUPINFOEXW startup_info_;
- DISALLOW_COPY_AND_ASSIGN(StartupInformation);
-};
-
-} // namespace win
-} // namespace base
-
-#endif // BASE_WIN_STARTUP_INFORMATION_H_
diff --git a/security/sandbox/chromium/base/win/windows_version.cc b/security/sandbox/chromium/base/win/windows_version.cc
deleted file mode 100644
index eb3f4993d..000000000
--- a/security/sandbox/chromium/base/win/windows_version.cc
+++ /dev/null
@@ -1,225 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/win/windows_version.h"
-
-#include <windows.h>
-
-#include "base/file_version_info_win.h"
-#include "base/files/file_path.h"
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/strings/utf_string_conversions.h"
-#include "base/win/registry.h"
-
-namespace {
-typedef BOOL (WINAPI *GetProductInfoPtr)(DWORD, DWORD, DWORD, DWORD, PDWORD);
-} // namespace
-
-namespace base {
-namespace win {
-
-namespace {
-
-// Helper to map a major.minor.x.build version (e.g. 6.1) to a Windows release.
-Version MajorMinorBuildToVersion(int major, int minor, int build) {
- if ((major == 5) && (minor > 0)) {
- // Treat XP Pro x64, Home Server, and Server 2003 R2 as Server 2003.
- return (minor == 1) ? VERSION_XP : VERSION_SERVER_2003;
- } else if (major == 6) {
- switch (minor) {
- case 0:
- // Treat Windows Server 2008 the same as Windows Vista.
- return VERSION_VISTA;
- case 1:
- // Treat Windows Server 2008 R2 the same as Windows 7.
- return VERSION_WIN7;
- case 2:
- // Treat Windows Server 2012 the same as Windows 8.
- return VERSION_WIN8;
- default:
- DCHECK_EQ(minor, 3);
- return VERSION_WIN8_1;
- }
- } else if (major == 10) {
- if (build < 10586) {
- return VERSION_WIN10;
- } else {
- return VERSION_WIN10_TH2;
- }
- } else if (major > 6) {
- NOTREACHED();
- return VERSION_WIN_LAST;
- }
-
- return VERSION_PRE_XP;
-}
-
-// Retrieve a version from kernel32. This is useful because when running in
-// compatibility mode for a down-level version of the OS, the file version of
-// kernel32 will still be the "real" version.
-Version GetVersionFromKernel32() {
- scoped_ptr<FileVersionInfoWin> file_version_info(
- static_cast<FileVersionInfoWin*>(
- FileVersionInfoWin::CreateFileVersionInfo(
- base::FilePath(FILE_PATH_LITERAL("kernel32.dll")))));
- if (file_version_info) {
- const int major =
- HIWORD(file_version_info->fixed_file_info()->dwFileVersionMS);
- const int minor =
- LOWORD(file_version_info->fixed_file_info()->dwFileVersionMS);
- const int build =
- HIWORD(file_version_info->fixed_file_info()->dwFileVersionLS);
- return MajorMinorBuildToVersion(major, minor, build);
- }
-
- NOTREACHED();
- return VERSION_WIN_LAST;
-}
-
-} // namespace
-
-// static
-OSInfo* OSInfo::GetInstance() {
- // Note: we don't use the Singleton class because it depends on AtExitManager,
- // and it's convenient for other modules to use this classs without it. This
- // pattern is copied from gurl.cc.
- static OSInfo* info;
- if (!info) {
- OSInfo* new_info = new OSInfo();
- if (InterlockedCompareExchangePointer(
- reinterpret_cast<PVOID*>(&info), new_info, NULL)) {
- delete new_info;
- }
- }
- return info;
-}
-
-OSInfo::OSInfo()
- : version_(VERSION_PRE_XP),
- kernel32_version_(VERSION_PRE_XP),
- got_kernel32_version_(false),
- architecture_(OTHER_ARCHITECTURE),
- wow64_status_(GetWOW64StatusForProcess(GetCurrentProcess())) {
- OSVERSIONINFOEX version_info = { sizeof version_info };
- ::GetVersionEx(reinterpret_cast<OSVERSIONINFO*>(&version_info));
- version_number_.major = version_info.dwMajorVersion;
- version_number_.minor = version_info.dwMinorVersion;
- version_number_.build = version_info.dwBuildNumber;
- version_ = MajorMinorBuildToVersion(
- version_number_.major, version_number_.minor, version_number_.build);
- service_pack_.major = version_info.wServicePackMajor;
- service_pack_.minor = version_info.wServicePackMinor;
-
- SYSTEM_INFO system_info = {};
- ::GetNativeSystemInfo(&system_info);
- switch (system_info.wProcessorArchitecture) {
- case PROCESSOR_ARCHITECTURE_INTEL: architecture_ = X86_ARCHITECTURE; break;
- case PROCESSOR_ARCHITECTURE_AMD64: architecture_ = X64_ARCHITECTURE; break;
- case PROCESSOR_ARCHITECTURE_IA64: architecture_ = IA64_ARCHITECTURE; break;
- }
- processors_ = system_info.dwNumberOfProcessors;
- allocation_granularity_ = system_info.dwAllocationGranularity;
-
- GetProductInfoPtr get_product_info;
- DWORD os_type;
-
- if (version_info.dwMajorVersion == 6 || version_info.dwMajorVersion == 10) {
- // Only present on Vista+.
- get_product_info = reinterpret_cast<GetProductInfoPtr>(
- ::GetProcAddress(::GetModuleHandle(L"kernel32.dll"), "GetProductInfo"));
-
- get_product_info(version_info.dwMajorVersion, version_info.dwMinorVersion,
- 0, 0, &os_type);
- switch (os_type) {
- case PRODUCT_CLUSTER_SERVER:
- case PRODUCT_DATACENTER_SERVER:
- case PRODUCT_DATACENTER_SERVER_CORE:
- case PRODUCT_ENTERPRISE_SERVER:
- case PRODUCT_ENTERPRISE_SERVER_CORE:
- case PRODUCT_ENTERPRISE_SERVER_IA64:
- case PRODUCT_SMALLBUSINESS_SERVER:
- case PRODUCT_SMALLBUSINESS_SERVER_PREMIUM:
- case PRODUCT_STANDARD_SERVER:
- case PRODUCT_STANDARD_SERVER_CORE:
- case PRODUCT_WEB_SERVER:
- version_type_ = SUITE_SERVER;
- break;
- case PRODUCT_PROFESSIONAL:
- case PRODUCT_ULTIMATE:
- case PRODUCT_ENTERPRISE:
- case PRODUCT_BUSINESS:
- version_type_ = SUITE_PROFESSIONAL;
- break;
- case PRODUCT_HOME_BASIC:
- case PRODUCT_HOME_PREMIUM:
- case PRODUCT_STARTER:
- default:
- version_type_ = SUITE_HOME;
- break;
- }
- } else if (version_info.dwMajorVersion == 5 &&
- version_info.dwMinorVersion == 2) {
- if (version_info.wProductType == VER_NT_WORKSTATION &&
- system_info.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64) {
- version_type_ = SUITE_PROFESSIONAL;
- } else if (version_info.wSuiteMask & VER_SUITE_WH_SERVER ) {
- version_type_ = SUITE_HOME;
- } else {
- version_type_ = SUITE_SERVER;
- }
- } else if (version_info.dwMajorVersion == 5 &&
- version_info.dwMinorVersion == 1) {
- if(version_info.wSuiteMask & VER_SUITE_PERSONAL)
- version_type_ = SUITE_HOME;
- else
- version_type_ = SUITE_PROFESSIONAL;
- } else {
- // Windows is pre XP so we don't care but pick a safe default.
- version_type_ = SUITE_HOME;
- }
-}
-
-OSInfo::~OSInfo() {
-}
-
-Version OSInfo::Kernel32Version() const {
- if (!got_kernel32_version_) {
- kernel32_version_ = GetVersionFromKernel32();
- got_kernel32_version_ = true;
- }
- return kernel32_version_;
-}
-
-std::string OSInfo::processor_model_name() {
- if (processor_model_name_.empty()) {
- const wchar_t kProcessorNameString[] =
- L"HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0";
- base::win::RegKey key(HKEY_LOCAL_MACHINE, kProcessorNameString, KEY_READ);
- string16 value;
- key.ReadValue(L"ProcessorNameString", &value);
- processor_model_name_ = UTF16ToUTF8(value);
- }
- return processor_model_name_;
-}
-
-// static
-OSInfo::WOW64Status OSInfo::GetWOW64StatusForProcess(HANDLE process_handle) {
- typedef BOOL (WINAPI* IsWow64ProcessFunc)(HANDLE, PBOOL);
- IsWow64ProcessFunc is_wow64_process = reinterpret_cast<IsWow64ProcessFunc>(
- GetProcAddress(GetModuleHandle(L"kernel32.dll"), "IsWow64Process"));
- if (!is_wow64_process)
- return WOW64_DISABLED;
- BOOL is_wow64 = FALSE;
- if (!(*is_wow64_process)(process_handle, &is_wow64))
- return WOW64_UNKNOWN;
- return is_wow64 ? WOW64_ENABLED : WOW64_DISABLED;
-}
-
-Version GetVersion() {
- return OSInfo::GetInstance()->version();
-}
-
-} // namespace win
-} // namespace base
diff --git a/security/sandbox/chromium/base/win/windows_version.h b/security/sandbox/chromium/base/win/windows_version.h
deleted file mode 100644
index 7bc8b6fe5..000000000
--- a/security/sandbox/chromium/base/win/windows_version.h
+++ /dev/null
@@ -1,133 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BASE_WIN_WINDOWS_VERSION_H_
-#define BASE_WIN_WINDOWS_VERSION_H_
-
-#include <stddef.h>
-
-#include <string>
-
-#include "base/base_export.h"
-#include "base/macros.h"
-
-typedef void* HANDLE;
-
-namespace base {
-namespace win {
-
-// The running version of Windows. This is declared outside OSInfo for
-// syntactic sugar reasons; see the declaration of GetVersion() below.
-// NOTE: Keep these in order so callers can do things like
-// "if (base::win::GetVersion() >= base::win::VERSION_VISTA) ...".
-//
-// This enum is used in metrics histograms, so they shouldn't be reordered or
-// removed. New values can be added before VERSION_WIN_LAST.
-enum Version {
- VERSION_PRE_XP = 0, // Not supported.
- VERSION_XP = 1,
- VERSION_SERVER_2003 = 2, // Also includes XP Pro x64 and Server 2003 R2.
- VERSION_VISTA = 3, // Also includes Windows Server 2008.
- VERSION_WIN7 = 4, // Also includes Windows Server 2008 R2.
- VERSION_WIN8 = 5, // Also includes Windows Server 2012.
- VERSION_WIN8_1 = 6, // Also includes Windows Server 2012 R2.
- VERSION_WIN10 = 7, // Also includes Windows 10 Server.
- VERSION_WIN10_TH2 = 8, // Threshold 2: Version 1511, Build 10586.
- VERSION_WIN_LAST, // Indicates error condition.
-};
-
-// A rough bucketing of the available types of versions of Windows. This is used
-// to distinguish enterprise enabled versions from home versions and potentially
-// server versions.
-enum VersionType {
- SUITE_HOME,
- SUITE_PROFESSIONAL,
- SUITE_SERVER,
- SUITE_LAST,
-};
-
-// A singleton that can be used to query various pieces of information about the
-// OS and process state. Note that this doesn't use the base Singleton class, so
-// it can be used without an AtExitManager.
-class BASE_EXPORT OSInfo {
- public:
- struct VersionNumber {
- int major;
- int minor;
- int build;
- };
-
- struct ServicePack {
- int major;
- int minor;
- };
-
- // The processor architecture this copy of Windows natively uses. For
- // example, given an x64-capable processor, we have three possibilities:
- // 32-bit Chrome running on 32-bit Windows: X86_ARCHITECTURE
- // 32-bit Chrome running on 64-bit Windows via WOW64: X64_ARCHITECTURE
- // 64-bit Chrome running on 64-bit Windows: X64_ARCHITECTURE
- enum WindowsArchitecture {
- X86_ARCHITECTURE,
- X64_ARCHITECTURE,
- IA64_ARCHITECTURE,
- OTHER_ARCHITECTURE,
- };
-
- // Whether a process is running under WOW64 (the wrapper that allows 32-bit
- // processes to run on 64-bit versions of Windows). This will return
- // WOW64_DISABLED for both "32-bit Chrome on 32-bit Windows" and "64-bit
- // Chrome on 64-bit Windows". WOW64_UNKNOWN means "an error occurred", e.g.
- // the process does not have sufficient access rights to determine this.
- enum WOW64Status {
- WOW64_DISABLED,
- WOW64_ENABLED,
- WOW64_UNKNOWN,
- };
-
- static OSInfo* GetInstance();
-
- Version version() const { return version_; }
- Version Kernel32Version() const;
- // The next two functions return arrays of values, [major, minor(, build)].
- VersionNumber version_number() const { return version_number_; }
- VersionType version_type() const { return version_type_; }
- ServicePack service_pack() const { return service_pack_; }
- WindowsArchitecture architecture() const { return architecture_; }
- int processors() const { return processors_; }
- size_t allocation_granularity() const { return allocation_granularity_; }
- WOW64Status wow64_status() const { return wow64_status_; }
- std::string processor_model_name();
-
- // Like wow64_status(), but for the supplied handle instead of the current
- // process. This doesn't touch member state, so you can bypass the singleton.
- static WOW64Status GetWOW64StatusForProcess(HANDLE process_handle);
-
- private:
- OSInfo();
- ~OSInfo();
-
- Version version_;
- mutable Version kernel32_version_;
- mutable bool got_kernel32_version_;
- VersionNumber version_number_;
- VersionType version_type_;
- ServicePack service_pack_;
- WindowsArchitecture architecture_;
- int processors_;
- size_t allocation_granularity_;
- WOW64Status wow64_status_;
- std::string processor_model_name_;
-
- DISALLOW_COPY_AND_ASSIGN(OSInfo);
-};
-
-// Because this is by far the most commonly-requested value from the above
-// singleton, we add a global-scope accessor here as syntactic sugar.
-BASE_EXPORT Version GetVersion();
-
-} // namespace win
-} // namespace base
-
-#endif // BASE_WIN_WINDOWS_VERSION_H_
diff --git a/security/sandbox/chromium/build/build_config.h b/security/sandbox/chromium/build/build_config.h
deleted file mode 100644
index d8c3db6ed..000000000
--- a/security/sandbox/chromium/build/build_config.h
+++ /dev/null
@@ -1,168 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file adds defines about the platform we're currently building on.
-// Operating System:
-// OS_WIN / OS_MACOSX / OS_LINUX / OS_POSIX (MACOSX or LINUX) /
-// OS_NACL (NACL_SFI or NACL_NONSFI) / OS_NACL_SFI / OS_NACL_NONSFI
-// Compiler:
-// COMPILER_MSVC / COMPILER_GCC
-// Processor:
-// ARCH_CPU_X86 / ARCH_CPU_X86_64 / ARCH_CPU_X86_FAMILY (X86 or X86_64)
-// ARCH_CPU_32_BITS / ARCH_CPU_64_BITS
-
-#ifndef BUILD_BUILD_CONFIG_H_
-#define BUILD_BUILD_CONFIG_H_
-
-// A set of macros to use for platform detection.
-#if defined(__native_client__)
-// __native_client__ must be first, so that other OS_ defines are not set.
-#define OS_NACL 1
-// OS_NACL comes in two sandboxing technology flavors, SFI or Non-SFI.
-// PNaCl toolchain defines __native_client_nonsfi__ macro in Non-SFI build
-// mode, while it does not in SFI build mode.
-#if defined(__native_client_nonsfi__)
-#define OS_NACL_NONSFI
-#else
-#define OS_NACL_SFI
-#endif
-#elif defined(ANDROID)
-#define OS_ANDROID 1
-#elif defined(__APPLE__)
-// only include TargetConditions after testing ANDROID as some android builds
-// on mac don't have this header available and it's not needed unless the target
-// is really mac/ios.
-#include <TargetConditionals.h>
-#define OS_MACOSX 1
-#if defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE
-#define OS_IOS 1
-#endif // defined(TARGET_OS_IPHONE) && TARGET_OS_IPHONE
-#elif defined(__linux__)
-#define OS_LINUX 1
-// include a system header to pull in features.h for glibc/uclibc macros.
-#include <unistd.h>
-#if defined(__GLIBC__) && !defined(__UCLIBC__)
-// we really are using glibc, not uClibc pretending to be glibc
-#define LIBC_GLIBC 1
-#endif
-#elif defined(_WIN32)
-#define OS_WIN 1
-#define TOOLKIT_VIEWS 1
-#elif defined(__FreeBSD__)
-#define OS_FREEBSD 1
-#elif defined(__OpenBSD__)
-#define OS_OPENBSD 1
-#elif defined(__sun)
-#define OS_SOLARIS 1
-#elif defined(__QNXNTO__)
-#define OS_QNX 1
-#else
-#error Please add support for your platform in build/build_config.h
-#endif
-
-#if defined(USE_OPENSSL_CERTS) && defined(USE_NSS_CERTS)
-#error Cannot use both OpenSSL and NSS for certificates
-#endif
-
-// For access to standard BSD features, use OS_BSD instead of a
-// more specific macro.
-#if defined(OS_FREEBSD) || defined(OS_OPENBSD)
-#define OS_BSD 1
-#endif
-
-// For access to standard POSIXish features, use OS_POSIX instead of a
-// more specific macro.
-#if defined(OS_MACOSX) || defined(OS_LINUX) || defined(OS_FREEBSD) || \
- defined(OS_OPENBSD) || defined(OS_SOLARIS) || defined(OS_ANDROID) || \
- defined(OS_NACL) || defined(OS_QNX)
-#define OS_POSIX 1
-#endif
-
-// Use tcmalloc
-#if (defined(OS_WIN) || defined(OS_LINUX) || defined(OS_ANDROID)) && \
- !defined(NO_TCMALLOC)
-#define USE_TCMALLOC 1
-#endif
-
-// Compiler detection.
-#if defined(__GNUC__)
-#define COMPILER_GCC 1
-#elif defined(_MSC_VER)
-#define COMPILER_MSVC 1
-#else
-#error Please add support for your compiler in build/build_config.h
-#endif
-
-// Processor architecture detection. For more info on what's defined, see:
-// http://msdn.microsoft.com/en-us/library/b0084kay.aspx
-// http://www.agner.org/optimize/calling_conventions.pdf
-// or with gcc, run: "echo | gcc -E -dM -"
-#if defined(_M_X64) || defined(__x86_64__)
-#define ARCH_CPU_X86_FAMILY 1
-#define ARCH_CPU_X86_64 1
-#define ARCH_CPU_64_BITS 1
-#define ARCH_CPU_LITTLE_ENDIAN 1
-#elif defined(_M_IX86) || defined(__i386__)
-#define ARCH_CPU_X86_FAMILY 1
-#define ARCH_CPU_X86 1
-#define ARCH_CPU_32_BITS 1
-#define ARCH_CPU_LITTLE_ENDIAN 1
-#elif defined(__ARMEL__)
-#define ARCH_CPU_ARM_FAMILY 1
-#define ARCH_CPU_ARMEL 1
-#define ARCH_CPU_32_BITS 1
-#define ARCH_CPU_LITTLE_ENDIAN 1
-#elif defined(__aarch64__)
-#define ARCH_CPU_ARM_FAMILY 1
-#define ARCH_CPU_ARM64 1
-#define ARCH_CPU_64_BITS 1
-#define ARCH_CPU_LITTLE_ENDIAN 1
-#elif defined(__pnacl__)
-#define ARCH_CPU_32_BITS 1
-#define ARCH_CPU_LITTLE_ENDIAN 1
-#elif defined(__MIPSEL__)
-#if defined(__LP64__)
-#define ARCH_CPU_MIPS64_FAMILY 1
-#define ARCH_CPU_MIPS64EL 1
-#define ARCH_CPU_64_BITS 1
-#define ARCH_CPU_LITTLE_ENDIAN 1
-#else
-#define ARCH_CPU_MIPS_FAMILY 1
-#define ARCH_CPU_MIPSEL 1
-#define ARCH_CPU_32_BITS 1
-#define ARCH_CPU_LITTLE_ENDIAN 1
-#endif
-#else
-#error Please add support for your architecture in build/build_config.h
-#endif
-
-// Type detection for wchar_t.
-#if defined(OS_WIN)
-#define WCHAR_T_IS_UTF16
-#elif defined(OS_POSIX) && defined(COMPILER_GCC) && \
- defined(__WCHAR_MAX__) && \
- (__WCHAR_MAX__ == 0x7fffffff || __WCHAR_MAX__ == 0xffffffff)
-#define WCHAR_T_IS_UTF32
-#elif defined(OS_POSIX) && defined(COMPILER_GCC) && \
- defined(__WCHAR_MAX__) && \
- (__WCHAR_MAX__ == 0x7fff || __WCHAR_MAX__ == 0xffff)
-// On Posix, we'll detect short wchar_t, but projects aren't guaranteed to
-// compile in this mode (in particular, Chrome doesn't). This is intended for
-// other projects using base who manage their own dependencies and make sure
-// short wchar works for them.
-#define WCHAR_T_IS_UTF16
-#else
-#error Please add support for your compiler in build/build_config.h
-#endif
-
-#if defined(OS_ANDROID)
-// The compiler thinks std::string::const_iterator and "const char*" are
-// equivalent types.
-#define STD_STRING_ITERATOR_IS_CHAR_POINTER
-// The compiler thinks base::string16::const_iterator and "char16*" are
-// equivalent types.
-#define BASE_STRING16_ITERATOR_IS_CHAR16_POINTER
-#endif
-
-#endif // BUILD_BUILD_CONFIG_H_
diff --git a/security/sandbox/chromium/build/buildflag.h b/security/sandbox/chromium/build/buildflag.h
deleted file mode 100644
index 283f5bce4..000000000
--- a/security/sandbox/chromium/build/buildflag.h
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef BUILD_BUILDFLAG_H_
-#define BUILD_BUILDFLAG_H_
-
-// These macros un-mangle the names of the build flags in a way that looks
-// natural, and gives errors if the flag is not defined. Normally in the
-// preprocessor it's easy to make mistakes that interpret "you haven't done
-// the setup to know what the flag is" as "flag is off". Normally you would
-// include the generated header rather than include this file directly.
-//
-// This is for use with generated headers. See build/build_header.gni.
-
-// This dance of two macros does a concatenation of two preprocessor args using
-// ## doubly indirectly because using ## directly prevents macros in that
-// parameter from being expanded.
-#define BUILDFLAG_CAT_INDIRECT(a, b) a ## b
-#define BUILDFLAG_CAT(a, b) BUILDFLAG_CAT_INDIRECT(a, b)
-
-// Accessor for build flags.
-//
-// To test for a value, if the build file specifies:
-//
-// ENABLE_FOO=true
-//
-// Then you would check at build-time in source code with:
-//
-// #include "foo_flags.h" // The header the build file specified.
-//
-// #if BUILDFLAG(ENABLE_FOO)
-// ...
-// #endif
-//
-// There will no #define called ENABLE_FOO so if you accidentally test for
-// whether that is defined, it will always be negative. You can also use
-// the value in expressions:
-//
-// const char kSpamServerName[] = BUILDFLAG(SPAM_SERVER_NAME);
-//
-// Because the flag is accessed as a preprocessor macro with (), an error
-// will be thrown if the proper header defining the internal flag value has
-// not been included.
-#define BUILDFLAG(flag) (BUILDFLAG_CAT(BUILDFLAG_INTERNAL_, flag)())
-
-#endif // BUILD_BUILDFLAG_H_
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.cc b/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.cc
deleted file mode 100644
index 3330c4774..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.cc
+++ /dev/null
@@ -1,348 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <limits>
-
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
-#include "sandbox/linux/bpf_dsl/errorcode.h"
-#include "sandbox/linux/bpf_dsl/policy_compiler.h"
-#include "sandbox/linux/system_headers/linux_seccomp.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-namespace {
-
-class ReturnResultExprImpl : public internal::ResultExprImpl {
- public:
- explicit ReturnResultExprImpl(uint32_t ret) : ret_(ret) {}
-
- CodeGen::Node Compile(PolicyCompiler* pc) const override {
- return pc->Return(ret_);
- }
-
- bool IsAllow() const override { return IsAction(SECCOMP_RET_ALLOW); }
-
- bool IsDeny() const override {
- return IsAction(SECCOMP_RET_ERRNO) || IsAction(SECCOMP_RET_KILL);
- }
-
- private:
- ~ReturnResultExprImpl() override {}
-
- bool IsAction(uint32_t action) const {
- return (ret_ & SECCOMP_RET_ACTION) == action;
- }
-
- uint32_t ret_;
-
- DISALLOW_COPY_AND_ASSIGN(ReturnResultExprImpl);
-};
-
-class TrapResultExprImpl : public internal::ResultExprImpl {
- public:
- TrapResultExprImpl(TrapRegistry::TrapFnc func, const void* arg, bool safe)
- : func_(func), arg_(arg), safe_(safe) {
- DCHECK(func_);
- }
-
- CodeGen::Node Compile(PolicyCompiler* pc) const override {
- return pc->Trap(func_, arg_, safe_);
- }
-
- bool HasUnsafeTraps() const override { return safe_ == false; }
-
- bool IsDeny() const override { return true; }
-
- private:
- ~TrapResultExprImpl() override {}
-
- TrapRegistry::TrapFnc func_;
- const void* arg_;
- bool safe_;
-
- DISALLOW_COPY_AND_ASSIGN(TrapResultExprImpl);
-};
-
-class IfThenResultExprImpl : public internal::ResultExprImpl {
- public:
- IfThenResultExprImpl(const BoolExpr& cond,
- const ResultExpr& then_result,
- const ResultExpr& else_result)
- : cond_(cond), then_result_(then_result), else_result_(else_result) {}
-
- CodeGen::Node Compile(PolicyCompiler* pc) const override {
- // We compile the "then" and "else" expressions in separate statements so
- // they have a defined sequencing. See https://crbug.com/529480.
- CodeGen::Node then_node = then_result_->Compile(pc);
- CodeGen::Node else_node = else_result_->Compile(pc);
- return cond_->Compile(pc, then_node, else_node);
- }
-
- bool HasUnsafeTraps() const override {
- return then_result_->HasUnsafeTraps() || else_result_->HasUnsafeTraps();
- }
-
- private:
- ~IfThenResultExprImpl() override {}
-
- BoolExpr cond_;
- ResultExpr then_result_;
- ResultExpr else_result_;
-
- DISALLOW_COPY_AND_ASSIGN(IfThenResultExprImpl);
-};
-
-class ConstBoolExprImpl : public internal::BoolExprImpl {
- public:
- ConstBoolExprImpl(bool value) : value_(value) {}
-
- CodeGen::Node Compile(PolicyCompiler* pc,
- CodeGen::Node then_node,
- CodeGen::Node else_node) const override {
- return value_ ? then_node : else_node;
- }
-
- private:
- ~ConstBoolExprImpl() override {}
-
- bool value_;
-
- DISALLOW_COPY_AND_ASSIGN(ConstBoolExprImpl);
-};
-
-class MaskedEqualBoolExprImpl : public internal::BoolExprImpl {
- public:
- MaskedEqualBoolExprImpl(int argno,
- size_t width,
- uint64_t mask,
- uint64_t value)
- : argno_(argno), width_(width), mask_(mask), value_(value) {}
-
- CodeGen::Node Compile(PolicyCompiler* pc,
- CodeGen::Node then_node,
- CodeGen::Node else_node) const override {
- return pc->MaskedEqual(argno_, width_, mask_, value_, then_node, else_node);
- }
-
- private:
- ~MaskedEqualBoolExprImpl() override {}
-
- int argno_;
- size_t width_;
- uint64_t mask_;
- uint64_t value_;
-
- DISALLOW_COPY_AND_ASSIGN(MaskedEqualBoolExprImpl);
-};
-
-class NegateBoolExprImpl : public internal::BoolExprImpl {
- public:
- explicit NegateBoolExprImpl(const BoolExpr& cond) : cond_(cond) {}
-
- CodeGen::Node Compile(PolicyCompiler* pc,
- CodeGen::Node then_node,
- CodeGen::Node else_node) const override {
- return cond_->Compile(pc, else_node, then_node);
- }
-
- private:
- ~NegateBoolExprImpl() override {}
-
- BoolExpr cond_;
-
- DISALLOW_COPY_AND_ASSIGN(NegateBoolExprImpl);
-};
-
-class AndBoolExprImpl : public internal::BoolExprImpl {
- public:
- AndBoolExprImpl(const BoolExpr& lhs, const BoolExpr& rhs)
- : lhs_(lhs), rhs_(rhs) {}
-
- CodeGen::Node Compile(PolicyCompiler* pc,
- CodeGen::Node then_node,
- CodeGen::Node else_node) const override {
- return lhs_->Compile(pc, rhs_->Compile(pc, then_node, else_node),
- else_node);
- }
-
- private:
- ~AndBoolExprImpl() override {}
-
- BoolExpr lhs_;
- BoolExpr rhs_;
-
- DISALLOW_COPY_AND_ASSIGN(AndBoolExprImpl);
-};
-
-class OrBoolExprImpl : public internal::BoolExprImpl {
- public:
- OrBoolExprImpl(const BoolExpr& lhs, const BoolExpr& rhs)
- : lhs_(lhs), rhs_(rhs) {}
-
- CodeGen::Node Compile(PolicyCompiler* pc,
- CodeGen::Node then_node,
- CodeGen::Node else_node) const override {
- return lhs_->Compile(pc, then_node,
- rhs_->Compile(pc, then_node, else_node));
- }
-
- private:
- ~OrBoolExprImpl() override {}
-
- BoolExpr lhs_;
- BoolExpr rhs_;
-
- DISALLOW_COPY_AND_ASSIGN(OrBoolExprImpl);
-};
-
-} // namespace
-
-namespace internal {
-
-bool ResultExprImpl::HasUnsafeTraps() const {
- return false;
-}
-
-bool ResultExprImpl::IsAllow() const {
- return false;
-}
-
-bool ResultExprImpl::IsDeny() const {
- return false;
-}
-
-uint64_t DefaultMask(size_t size) {
- switch (size) {
- case 4:
- return std::numeric_limits<uint32_t>::max();
- case 8:
- return std::numeric_limits<uint64_t>::max();
- default:
- CHECK(false) << "Unimplemented DefaultMask case";
- return 0;
- }
-}
-
-BoolExpr ArgEq(int num, size_t size, uint64_t mask, uint64_t val) {
- // If this is changed, update Arg<T>::EqualTo's static_cast rules
- // accordingly.
- CHECK(size == 4 || size == 8);
-
- return BoolExpr(new const MaskedEqualBoolExprImpl(num, size, mask, val));
-}
-
-} // namespace internal
-
-ResultExpr Allow() {
- return ResultExpr(new const ReturnResultExprImpl(SECCOMP_RET_ALLOW));
-}
-
-ResultExpr Error(int err) {
- CHECK(err >= ErrorCode::ERR_MIN_ERRNO && err <= ErrorCode::ERR_MAX_ERRNO);
- return ResultExpr(new const ReturnResultExprImpl(SECCOMP_RET_ERRNO + err));
-}
-
-ResultExpr Kill() {
- return ResultExpr(new const ReturnResultExprImpl(SECCOMP_RET_KILL));
-}
-
-ResultExpr Trace(uint16_t aux) {
- return ResultExpr(new const ReturnResultExprImpl(SECCOMP_RET_TRACE + aux));
-}
-
-ResultExpr Trap(TrapRegistry::TrapFnc trap_func, const void* aux) {
- return ResultExpr(
- new const TrapResultExprImpl(trap_func, aux, true /* safe */));
-}
-
-ResultExpr UnsafeTrap(TrapRegistry::TrapFnc trap_func, const void* aux) {
- return ResultExpr(
- new const TrapResultExprImpl(trap_func, aux, false /* unsafe */));
-}
-
-BoolExpr BoolConst(bool value) {
- return BoolExpr(new const ConstBoolExprImpl(value));
-}
-
-BoolExpr Not(const BoolExpr& cond) {
- return BoolExpr(new const NegateBoolExprImpl(cond));
-}
-
-BoolExpr AllOf() {
- return BoolConst(true);
-}
-
-BoolExpr AllOf(const BoolExpr& lhs, const BoolExpr& rhs) {
- return BoolExpr(new const AndBoolExprImpl(lhs, rhs));
-}
-
-BoolExpr AnyOf() {
- return BoolConst(false);
-}
-
-BoolExpr AnyOf(const BoolExpr& lhs, const BoolExpr& rhs) {
- return BoolExpr(new const OrBoolExprImpl(lhs, rhs));
-}
-
-Elser If(const BoolExpr& cond, const ResultExpr& then_result) {
- return Elser(nullptr).ElseIf(cond, then_result);
-}
-
-Elser::Elser(cons::List<Clause> clause_list) : clause_list_(clause_list) {
-}
-
-Elser::Elser(const Elser& elser) : clause_list_(elser.clause_list_) {
-}
-
-Elser::~Elser() {
-}
-
-Elser Elser::ElseIf(const BoolExpr& cond, const ResultExpr& then_result) const {
- return Elser(Cons(std::make_pair(cond, then_result), clause_list_));
-}
-
-ResultExpr Elser::Else(const ResultExpr& else_result) const {
- // We finally have the default result expression for this
- // if/then/else sequence. Also, we've already accumulated all
- // if/then pairs into a list of reverse order (i.e., lower priority
- // conditions are listed before higher priority ones). E.g., an
- // expression like
- //
- // If(b1, e1).ElseIf(b2, e2).ElseIf(b3, e3).Else(e4)
- //
- // will have built up a list like
- //
- // [(b3, e3), (b2, e2), (b1, e1)].
- //
- // Now that we have e4, we can walk the list and create a ResultExpr
- // tree like:
- //
- // expr = e4
- // expr = (b3 ? e3 : expr) = (b3 ? e3 : e4)
- // expr = (b2 ? e2 : expr) = (b2 ? e2 : (b3 ? e3 : e4))
- // expr = (b1 ? e1 : expr) = (b1 ? e1 : (b2 ? e2 : (b3 ? e3 : e4)))
- //
- // and end up with an appropriately chained tree.
-
- ResultExpr expr = else_result;
- for (const Clause& clause : clause_list_) {
- expr = ResultExpr(
- new const IfThenResultExprImpl(clause.first, clause.second, expr));
- }
- return expr;
-}
-
-} // namespace bpf_dsl
-} // namespace sandbox
-
-template class scoped_refptr<const sandbox::bpf_dsl::internal::BoolExprImpl>;
-template class scoped_refptr<const sandbox::bpf_dsl::internal::ResultExprImpl>;
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.h
deleted file mode 100644
index ffd20ff42..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl.h
+++ /dev/null
@@ -1,335 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_
-#define SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <utility>
-#include <vector>
-
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h"
-#include "sandbox/linux/bpf_dsl/cons.h"
-#include "sandbox/linux/bpf_dsl/trap_registry.h"
-#include "sandbox/sandbox_export.h"
-
-// The sandbox::bpf_dsl namespace provides a domain-specific language
-// to make writing BPF policies more expressive. In general, the
-// object types all have value semantics (i.e., they can be copied
-// around, returned from or passed to function calls, etc. without any
-// surprising side effects), though not all support assignment.
-//
-// An idiomatic and demonstrative (albeit silly) example of this API
-// would be:
-//
-// #include "sandbox/linux/bpf_dsl/bpf_dsl.h"
-//
-// using namespace sandbox::bpf_dsl;
-//
-// class SillyPolicy : public Policy {
-// public:
-// SillyPolicy() {}
-// ~SillyPolicy() override {}
-// ResultExpr EvaluateSyscall(int sysno) const override {
-// if (sysno == __NR_fcntl) {
-// Arg<int> fd(0), cmd(1);
-// Arg<unsigned long> flags(2);
-// const uint64_t kGoodFlags = O_ACCMODE | O_NONBLOCK;
-// return If(AllOf(fd == 0,
-// cmd == F_SETFL,
-// (flags & ~kGoodFlags) == 0),
-// Allow())
-// .ElseIf(AnyOf(cmd == F_DUPFD, cmd == F_DUPFD_CLOEXEC),
-// Error(EMFILE))
-// .Else(Trap(SetFlagHandler, NULL));
-// } else {
-// return Allow();
-// }
-// }
-//
-// private:
-// DISALLOW_COPY_AND_ASSIGN(SillyPolicy);
-// };
-//
-// More generally, the DSL currently supports the following grammar:
-//
-// result = Allow() | Error(errno) | Kill() | Trace(aux)
-// | Trap(trap_func, aux) | UnsafeTrap(trap_func, aux)
-// | If(bool, result)[.ElseIf(bool, result)].Else(result)
-// | Switch(arg)[.Case(val, result)].Default(result)
-// bool = BoolConst(boolean) | Not(bool) | AllOf(bool...) | AnyOf(bool...)
-// | arg == val | arg != val
-// arg = Arg<T>(num) | arg & mask
-//
-// The semantics of each function and operator are intended to be
-// intuitive, but are described in more detail below.
-//
-// (Credit to Sean Parent's "Inheritance is the Base Class of Evil"
-// talk at Going Native 2013 for promoting value semantics via shared
-// pointers to immutable state.)
-
-namespace sandbox {
-namespace bpf_dsl {
-
-// ResultExpr is an opaque reference to an immutable result expression tree.
-typedef scoped_refptr<const internal::ResultExprImpl> ResultExpr;
-
-// BoolExpr is an opaque reference to an immutable boolean expression tree.
-typedef scoped_refptr<const internal::BoolExprImpl> BoolExpr;
-
-// Allow specifies a result that the system call should be allowed to
-// execute normally.
-SANDBOX_EXPORT ResultExpr Allow();
-
-// Error specifies a result that the system call should fail with
-// error number |err|. As a special case, Error(0) will result in the
-// system call appearing to have succeeded, but without having any
-// side effects.
-SANDBOX_EXPORT ResultExpr Error(int err);
-
-// Kill specifies a result to kill the process (task) immediately.
-SANDBOX_EXPORT ResultExpr Kill();
-
-// Trace specifies a result to notify a tracing process via the
-// PTRACE_EVENT_SECCOMP event and allow it to change or skip the system call.
-// The value of |aux| will be available to the tracer via PTRACE_GETEVENTMSG.
-SANDBOX_EXPORT ResultExpr Trace(uint16_t aux);
-
-// Trap specifies a result that the system call should be handled by
-// trapping back into userspace and invoking |trap_func|, passing
-// |aux| as the second parameter.
-SANDBOX_EXPORT ResultExpr
- Trap(TrapRegistry::TrapFnc trap_func, const void* aux);
-
-// UnsafeTrap is like Trap, except the policy is marked as "unsafe"
-// and allowed to use SandboxSyscall to invoke any system call.
-//
-// NOTE: This feature, by definition, disables all security features of
-// the sandbox. It should never be used in production, but it can be
-// very useful to diagnose code that is incompatible with the sandbox.
-// If even a single system call returns "UnsafeTrap", the security of
-// entire sandbox should be considered compromised.
-SANDBOX_EXPORT ResultExpr
- UnsafeTrap(TrapRegistry::TrapFnc trap_func, const void* aux);
-
-// BoolConst converts a bool value into a BoolExpr.
-SANDBOX_EXPORT BoolExpr BoolConst(bool value);
-
-// Not returns a BoolExpr representing the logical negation of |cond|.
-SANDBOX_EXPORT BoolExpr Not(const BoolExpr& cond);
-
-// AllOf returns a BoolExpr representing the logical conjunction ("and")
-// of zero or more BoolExprs.
-SANDBOX_EXPORT BoolExpr AllOf();
-SANDBOX_EXPORT BoolExpr AllOf(const BoolExpr& lhs, const BoolExpr& rhs);
-template <typename... Rest>
-SANDBOX_EXPORT BoolExpr AllOf(const BoolExpr& first, const Rest&... rest);
-
-// AnyOf returns a BoolExpr representing the logical disjunction ("or")
-// of zero or more BoolExprs.
-SANDBOX_EXPORT BoolExpr AnyOf();
-SANDBOX_EXPORT BoolExpr AnyOf(const BoolExpr& lhs, const BoolExpr& rhs);
-template <typename... Rest>
-SANDBOX_EXPORT BoolExpr AnyOf(const BoolExpr& first, const Rest&... rest);
-
-template <typename T>
-class SANDBOX_EXPORT Arg {
- public:
- // Initializes the Arg to represent the |num|th system call
- // argument (indexed from 0), which is of type |T|.
- explicit Arg(int num);
-
- Arg(const Arg& arg) : num_(arg.num_), mask_(arg.mask_) {}
-
- // Returns an Arg representing the current argument, but after
- // bitwise-and'ing it with |rhs|.
- friend Arg operator&(const Arg& lhs, uint64_t rhs) {
- return Arg(lhs.num_, lhs.mask_ & rhs);
- }
-
- // Returns a boolean expression comparing whether the system call argument
- // (after applying any bitmasks, if appropriate) equals |rhs|.
- friend BoolExpr operator==(const Arg& lhs, T rhs) { return lhs.EqualTo(rhs); }
-
- // Returns a boolean expression comparing whether the system call argument
- // (after applying any bitmasks, if appropriate) does not equal |rhs|.
- friend BoolExpr operator!=(const Arg& lhs, T rhs) { return Not(lhs == rhs); }
-
- private:
- Arg(int num, uint64_t mask) : num_(num), mask_(mask) {}
-
- BoolExpr EqualTo(T val) const;
-
- int num_;
- uint64_t mask_;
-
- DISALLOW_ASSIGN(Arg);
-};
-
-// If begins a conditional result expression predicated on the
-// specified boolean expression.
-SANDBOX_EXPORT Elser If(const BoolExpr& cond, const ResultExpr& then_result);
-
-class SANDBOX_EXPORT Elser {
- public:
- Elser(const Elser& elser);
- ~Elser();
-
- // ElseIf extends the conditional result expression with another
- // "if then" clause, predicated on the specified boolean expression.
- Elser ElseIf(const BoolExpr& cond, const ResultExpr& then_result) const;
-
- // Else terminates a conditional result expression using |else_result| as
- // the default fallback result expression.
- ResultExpr Else(const ResultExpr& else_result) const;
-
- private:
- typedef std::pair<BoolExpr, ResultExpr> Clause;
-
- explicit Elser(cons::List<Clause> clause_list);
-
- cons::List<Clause> clause_list_;
-
- friend Elser If(const BoolExpr&, const ResultExpr&);
- template <typename T>
- friend Caser<T> Switch(const Arg<T>&);
- DISALLOW_ASSIGN(Elser);
-};
-
-// Switch begins a switch expression dispatched according to the
-// specified argument value.
-template <typename T>
-SANDBOX_EXPORT Caser<T> Switch(const Arg<T>& arg);
-
-template <typename T>
-class SANDBOX_EXPORT Caser {
- public:
- Caser(const Caser<T>& caser) : arg_(caser.arg_), elser_(caser.elser_) {}
- ~Caser() {}
-
- // Case adds a single-value "case" clause to the switch.
- Caser<T> Case(T value, const ResultExpr& result) const;
-
- // Cases adds a multiple-value "case" clause to the switch.
- // See also the SANDBOX_BPF_DSL_CASES macro below for a more idiomatic way
- // of using this function.
- template <typename... Values>
- Caser<T> CasesImpl(const ResultExpr& result, const Values&... values) const;
-
- // Terminate the switch with a "default" clause.
- ResultExpr Default(const ResultExpr& result) const;
-
- private:
- Caser(const Arg<T>& arg, Elser elser) : arg_(arg), elser_(elser) {}
-
- Arg<T> arg_;
- Elser elser_;
-
- template <typename U>
- friend Caser<U> Switch(const Arg<U>&);
- DISALLOW_ASSIGN(Caser);
-};
-
-// Recommended usage is to put
-// #define CASES SANDBOX_BPF_DSL_CASES
-// near the top of the .cc file (e.g., nearby any "using" statements), then
-// use like:
-// Switch(arg).CASES((3, 5, 7), result)...;
-#define SANDBOX_BPF_DSL_CASES(values, result) \
- CasesImpl(result, SANDBOX_BPF_DSL_CASES_HELPER values)
-
-// Helper macro to strip parentheses.
-#define SANDBOX_BPF_DSL_CASES_HELPER(...) __VA_ARGS__
-
-// =====================================================================
-// Official API ends here.
-// =====================================================================
-
-namespace internal {
-
-// Make argument-dependent lookup work. This is necessary because although
-// BoolExpr is defined in bpf_dsl, since it's merely a typedef for
-// scoped_refptr<const internal::BoolExplImpl>, argument-dependent lookup only
-// searches the "internal" nested namespace.
-using bpf_dsl::Not;
-using bpf_dsl::AllOf;
-using bpf_dsl::AnyOf;
-
-// Returns a boolean expression that represents whether system call
-// argument |num| of size |size| is equal to |val|, when masked
-// according to |mask|. Users should use the Arg template class below
-// instead of using this API directly.
-SANDBOX_EXPORT BoolExpr
- ArgEq(int num, size_t size, uint64_t mask, uint64_t val);
-
-// Returns the default mask for a system call argument of the specified size.
-SANDBOX_EXPORT uint64_t DefaultMask(size_t size);
-
-} // namespace internal
-
-template <typename T>
-Arg<T>::Arg(int num)
- : num_(num), mask_(internal::DefaultMask(sizeof(T))) {
-}
-
-// Definition requires ArgEq to have been declared. Moved out-of-line
-// to minimize how much internal clutter users have to ignore while
-// reading the header documentation.
-//
-// Additionally, we use this helper member function to avoid linker errors
-// caused by defining operator== out-of-line. For a more detailed explanation,
-// see http://www.parashift.com/c++-faq-lite/template-friends.html.
-template <typename T>
-BoolExpr Arg<T>::EqualTo(T val) const {
- if (sizeof(T) == 4) {
- // Prevent sign-extension of negative int32_t values.
- return internal::ArgEq(num_, sizeof(T), mask_, static_cast<uint32_t>(val));
- }
- return internal::ArgEq(num_, sizeof(T), mask_, static_cast<uint64_t>(val));
-}
-
-template <typename T>
-SANDBOX_EXPORT Caser<T> Switch(const Arg<T>& arg) {
- return Caser<T>(arg, Elser(nullptr));
-}
-
-template <typename T>
-Caser<T> Caser<T>::Case(T value, const ResultExpr& result) const {
- return SANDBOX_BPF_DSL_CASES((value), result);
-}
-
-template <typename T>
-template <typename... Values>
-Caser<T> Caser<T>::CasesImpl(const ResultExpr& result,
- const Values&... values) const {
- // Theoretically we could evaluate arg_ just once and emit a more efficient
- // dispatch table, but for now we simply translate into an equivalent
- // If/ElseIf/Else chain.
-
- return Caser<T>(arg_, elser_.ElseIf(AnyOf((arg_ == values)...), result));
-}
-
-template <typename T>
-ResultExpr Caser<T>::Default(const ResultExpr& result) const {
- return elser_.Else(result);
-}
-
-template <typename... Rest>
-BoolExpr AllOf(const BoolExpr& first, const Rest&... rest) {
- return AllOf(first, AllOf(rest...));
-}
-
-template <typename... Rest>
-BoolExpr AnyOf(const BoolExpr& first, const Rest&... rest) {
- return AnyOf(first, AnyOf(rest...));
-}
-
-} // namespace bpf_dsl
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_BPF_DSL_BPF_DSL_H_
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_forward.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_forward.h
deleted file mode 100644
index 183038990..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_forward.h
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_FORWARD_H_
-#define SANDBOX_LINUX_BPF_DSL_BPF_DSL_FORWARD_H_
-
-#include "base/memory/ref_counted.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-
-// The bpf_dsl_forward.h header provides forward declarations for the
-// types defined in bpf_dsl.h. It's intended for use in user headers
-// that need to reference bpf_dsl types, but don't require definitions.
-
-namespace internal {
-class ResultExprImpl;
-class BoolExprImpl;
-}
-
-typedef scoped_refptr<const internal::ResultExprImpl> ResultExpr;
-typedef scoped_refptr<const internal::BoolExprImpl> BoolExpr;
-
-template <typename T>
-class Arg;
-
-class Elser;
-
-template <typename T>
-class Caser;
-
-} // namespace bpf_dsl
-} // namespace sandbox
-
-extern template class SANDBOX_EXPORT
- scoped_refptr<const sandbox::bpf_dsl::internal::BoolExprImpl>;
-extern template class SANDBOX_EXPORT
- scoped_refptr<const sandbox::bpf_dsl::internal::ResultExprImpl>;
-
-#endif // SANDBOX_LINUX_BPF_DSL_BPF_DSL_FORWARD_H_
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h
deleted file mode 100644
index 0064f8a7a..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/bpf_dsl_impl.h
+++ /dev/null
@@ -1,69 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_BPF_DSL_IMPL_H_
-#define SANDBOX_LINUX_BPF_DSL_BPF_DSL_IMPL_H_
-
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "sandbox/linux/bpf_dsl/codegen.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-class ErrorCode;
-class PolicyCompiler;
-
-namespace internal {
-
-// Internal interface implemented by BoolExpr implementations.
-class BoolExprImpl : public base::RefCounted<BoolExprImpl> {
- public:
- // Compile uses |pc| to emit a CodeGen::Node that conditionally continues
- // to either |then_node| or |false_node|, depending on whether the represented
- // boolean expression is true or false.
- virtual CodeGen::Node Compile(PolicyCompiler* pc,
- CodeGen::Node then_node,
- CodeGen::Node else_node) const = 0;
-
- protected:
- BoolExprImpl() {}
- virtual ~BoolExprImpl() {}
-
- private:
- friend class base::RefCounted<BoolExprImpl>;
- DISALLOW_COPY_AND_ASSIGN(BoolExprImpl);
-};
-
-// Internal interface implemented by ResultExpr implementations.
-class ResultExprImpl : public base::RefCounted<ResultExprImpl> {
- public:
- // Compile uses |pc| to emit a CodeGen::Node that executes the
- // represented result expression.
- virtual CodeGen::Node Compile(PolicyCompiler* pc) const = 0;
-
- // HasUnsafeTraps returns whether the result expression is or recursively
- // contains an unsafe trap expression.
- virtual bool HasUnsafeTraps() const;
-
- // IsAllow returns whether the result expression is an "allow" result.
- virtual bool IsAllow() const;
-
- // IsAllow returns whether the result expression is a "deny" result.
- virtual bool IsDeny() const;
-
- protected:
- ResultExprImpl() {}
- virtual ~ResultExprImpl() {}
-
- private:
- friend class base::RefCounted<ResultExprImpl>;
- DISALLOW_COPY_AND_ASSIGN(ResultExprImpl);
-};
-
-} // namespace internal
-} // namespace bpf_dsl
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_BPF_DSL_BPF_DSL_IMPL_H_
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.cc b/security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.cc
deleted file mode 100644
index 647f55aa8..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.cc
+++ /dev/null
@@ -1,161 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/bpf_dsl/codegen.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <limits>
-#include <utility>
-
-#include "base/logging.h"
-#include "sandbox/linux/system_headers/linux_filter.h"
-
-// This CodeGen implementation strives for simplicity while still
-// generating acceptable BPF programs under typical usage patterns
-// (e.g., by PolicyCompiler).
-//
-// The key to its simplicity is that BPF programs only support forward
-// jumps/branches, which allows constraining the DAG construction API
-// to make instruction nodes immutable. Immutable nodes admits a
-// simple greedy approach of emitting new instructions as needed and
-// then reusing existing ones that have already been emitted. This
-// cleanly avoids any need to compute basic blocks or apply
-// topological sorting because the API effectively sorts instructions
-// for us (e.g., before MakeInstruction() can be called to emit a
-// branch instruction, it must have already been called for each
-// branch path).
-//
-// This greedy algorithm is not without (theoretical) weakness though:
-//
-// 1. In the general case, we don't eliminate dead code. If needed,
-// we could trace back through the program in Compile() and elide
-// any unneeded instructions, but in practice we only emit live
-// instructions anyway.
-//
-// 2. By not dividing instructions into basic blocks and sorting, we
-// lose an opportunity to move non-branch/non-return instructions
-// adjacent to their successor instructions, which means we might
-// need to emit additional jumps. But in practice, they'll
-// already be nearby as long as callers don't go out of their way
-// to interleave MakeInstruction() calls for unrelated code
-// sequences.
-
-namespace sandbox {
-
-// kBranchRange is the maximum value that can be stored in
-// sock_filter's 8-bit jt and jf fields.
-const size_t kBranchRange = std::numeric_limits<uint8_t>::max();
-
-const CodeGen::Node CodeGen::kNullNode;
-
-CodeGen::CodeGen() : program_(), equivalent_(), memos_() {
-}
-
-CodeGen::~CodeGen() {
-}
-
-CodeGen::Program CodeGen::Compile(CodeGen::Node head) {
- return Program(program_.rbegin() + Offset(head), program_.rend());
-}
-
-CodeGen::Node CodeGen::MakeInstruction(uint16_t code,
- uint32_t k,
- Node jt,
- Node jf) {
- // To avoid generating redundant code sequences, we memoize the
- // results from AppendInstruction().
- auto res = memos_.insert(std::make_pair(MemoKey(code, k, jt, jf), kNullNode));
- CodeGen::Node* node = &res.first->second;
- if (res.second) { // Newly inserted memo entry.
- *node = AppendInstruction(code, k, jt, jf);
- }
- return *node;
-}
-
-CodeGen::Node CodeGen::AppendInstruction(uint16_t code,
- uint32_t k,
- Node jt,
- Node jf) {
- if (BPF_CLASS(code) == BPF_JMP) {
- CHECK_NE(BPF_JA, BPF_OP(code)) << "CodeGen inserts JAs as needed";
-
- // Optimally adding jumps is rather tricky, so we use a quick
- // approximation: by artificially reducing |jt|'s range, |jt| will
- // stay within its true range even if we add a jump for |jf|.
- jt = WithinRange(jt, kBranchRange - 1);
- jf = WithinRange(jf, kBranchRange);
- return Append(code, k, Offset(jt), Offset(jf));
- }
-
- CHECK_EQ(kNullNode, jf) << "Non-branch instructions shouldn't provide jf";
- if (BPF_CLASS(code) == BPF_RET) {
- CHECK_EQ(kNullNode, jt) << "Return instructions shouldn't provide jt";
- } else {
- // For non-branch/non-return instructions, execution always
- // proceeds to the next instruction; so we need to arrange for
- // that to be |jt|.
- jt = WithinRange(jt, 0);
- CHECK_EQ(0U, Offset(jt)) << "ICE: Failed to setup next instruction";
- }
- return Append(code, k, 0, 0);
-}
-
-CodeGen::Node CodeGen::WithinRange(Node target, size_t range) {
- // Just use |target| if it's already within range.
- if (Offset(target) <= range) {
- return target;
- }
-
- // Alternatively, look for an equivalent instruction within range.
- if (Offset(equivalent_.at(target)) <= range) {
- return equivalent_.at(target);
- }
-
- // Otherwise, fall back to emitting a jump instruction.
- Node jump = Append(BPF_JMP | BPF_JA, Offset(target), 0, 0);
- equivalent_.at(target) = jump;
- return jump;
-}
-
-CodeGen::Node CodeGen::Append(uint16_t code, uint32_t k, size_t jt, size_t jf) {
- if (BPF_CLASS(code) == BPF_JMP && BPF_OP(code) != BPF_JA) {
- CHECK_LE(jt, kBranchRange);
- CHECK_LE(jf, kBranchRange);
- } else {
- CHECK_EQ(0U, jt);
- CHECK_EQ(0U, jf);
- }
-
- CHECK_LT(program_.size(), static_cast<size_t>(BPF_MAXINSNS));
- CHECK_EQ(program_.size(), equivalent_.size());
-
- Node res = program_.size();
- program_.push_back(sock_filter{
- code, static_cast<uint8_t>(jt), static_cast<uint8_t>(jf), k});
- equivalent_.push_back(res);
- return res;
-}
-
-size_t CodeGen::Offset(Node target) const {
- CHECK_LT(target, program_.size()) << "Bogus offset target node";
- return (program_.size() - 1) - target;
-}
-
-// TODO(mdempsky): Move into a general base::Tuple helper library.
-bool CodeGen::MemoKeyLess::operator()(const MemoKey& lhs,
- const MemoKey& rhs) const {
- if (base::get<0>(lhs) != base::get<0>(rhs))
- return base::get<0>(lhs) < base::get<0>(rhs);
- if (base::get<1>(lhs) != base::get<1>(rhs))
- return base::get<1>(lhs) < base::get<1>(rhs);
- if (base::get<2>(lhs) != base::get<2>(rhs))
- return base::get<2>(lhs) < base::get<2>(rhs);
- if (base::get<3>(lhs) != base::get<3>(rhs))
- return base::get<3>(lhs) < base::get<3>(rhs);
- return false;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.h
deleted file mode 100644
index 03c3b236e..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/codegen.h
+++ /dev/null
@@ -1,122 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_CODEGEN_H__
-#define SANDBOX_LINUX_BPF_DSL_CODEGEN_H__
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <map>
-#include <vector>
-
-#include "base/macros.h"
-#include "base/tuple.h"
-#include "sandbox/sandbox_export.h"
-
-struct sock_filter;
-
-namespace sandbox {
-
-// The code generator implements a basic assembler that can convert a
-// graph of BPF instructions into a well-formed array of BPF
-// instructions. Most notably, it ensures that jumps are always
-// forward and don't exceed the limit of 255 instructions imposed by
-// the instruction set.
-//
-// Callers would typically create a new CodeGen object and then use it
-// to build a DAG of instruction nodes. They'll eventually call
-// Compile() to convert this DAG to a Program.
-//
-// CodeGen gen;
-// CodeGen::Node allow, branch, dag;
-//
-// allow =
-// gen.MakeInstruction(BPF_RET+BPF_K,
-// ErrorCode(ErrorCode::ERR_ALLOWED).err()));
-// branch =
-// gen.MakeInstruction(BPF_JMP+BPF_EQ+BPF_K, __NR_getpid,
-// Trap(GetPidHandler, NULL), allow);
-// dag =
-// gen.MakeInstruction(BPF_LD+BPF_W+BPF_ABS,
-// offsetof(struct arch_seccomp_data, nr), branch);
-//
-// // Simplified code follows; in practice, it is important to avoid calling
-// // any C++ destructors after starting the sandbox.
-// CodeGen::Program program = gen.Compile(dag);
-// const struct sock_fprog prog = {
-// static_cast<unsigned short>(program.size()), &program[0] };
-// prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
-//
-class SANDBOX_EXPORT CodeGen {
- public:
- // A vector of BPF instructions that need to be installed as a filter
- // program in the kernel.
- typedef std::vector<struct sock_filter> Program;
-
- // Node represents a node within the instruction DAG being compiled.
- using Node = Program::size_type;
-
- // kNullNode represents the "null" node; i.e., the reserved node
- // value guaranteed to not equal any actual nodes.
- static const Node kNullNode = -1;
-
- CodeGen();
- ~CodeGen();
-
- // MakeInstruction creates a node representing the specified
- // instruction, or returns and existing equivalent node if one
- // exists. For details on the possible parameters refer to
- // https://www.kernel.org/doc/Documentation/networking/filter.txt.
- // TODO(mdempsky): Reconsider using default arguments here.
- Node MakeInstruction(uint16_t code,
- uint32_t k,
- Node jt = kNullNode,
- Node jf = kNullNode);
-
- // Compile linearizes the instruction DAG rooted at |head| into a
- // program that can be executed by a BPF virtual machine.
- Program Compile(Node head);
-
- private:
- using MemoKey = base::Tuple<uint16_t, uint32_t, Node, Node>;
- struct MemoKeyLess {
- bool operator()(const MemoKey& lhs, const MemoKey& rhs) const;
- };
-
- // AppendInstruction adds a new instruction, ensuring that |jt| and
- // |jf| are within range as necessary for |code|.
- Node AppendInstruction(uint16_t code, uint32_t k, Node jt, Node jf);
-
- // WithinRange returns a node equivalent to |next| that is at most
- // |range| instructions away from the (logical) beginning of the
- // program.
- Node WithinRange(Node next, size_t range);
-
- // Append appends a new instruction to the physical end (i.e.,
- // logical beginning) of |program_|.
- Node Append(uint16_t code, uint32_t k, size_t jt, size_t jf);
-
- // Offset returns how many instructions exist in |program_| after |target|.
- size_t Offset(Node target) const;
-
- // NOTE: program_ is the compiled program in *reverse*, so that
- // indices remain stable as we add instructions.
- Program program_;
-
- // equivalent_ stores the most recent semantically-equivalent node for each
- // instruction in program_. A node is defined as semantically-equivalent to N
- // if it has the same instruction code and constant as N and its successor
- // nodes (if any) are semantically-equivalent to N's successor nodes, or
- // if it's an unconditional jump to a node semantically-equivalent to N.
- std::vector<Node> equivalent_;
-
- std::map<MemoKey, Node, MemoKeyLess> memos_;
-
- DISALLOW_COPY_AND_ASSIGN(CodeGen);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_BPF_DSL_CODEGEN_H__
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/cons.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/cons.h
deleted file mode 100644
index be050f778..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/cons.h
+++ /dev/null
@@ -1,139 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_CONS_H_
-#define SANDBOX_LINUX_BPF_DSL_CONS_H_
-
-#include "base/macros.h"
-#include "base/memory/ref_counted.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-namespace cons {
-
-// Namespace cons provides an abstraction for immutable "cons list"
-// data structures as commonly provided in functional programming
-// languages like Lisp or Haskell.
-//
-// A cons list is a linked list consisting of "cells", each of which
-// have a "head" and a "tail" element. A cell's head element contains
-// a user specified value, while the tail element contains a (possibly
-// null) pointer to another cell.
-//
-// An empty list (idiomatically referred to as "nil") can be
-// constructed as "cons::List<Foo>()" or simply as "nullptr" if Foo
-// can be inferred from context (e.g., calling a function that has a
-// "cons::List<Foo>" parameter).
-//
-// Existing lists (including empty lists) can be extended by
-// prepending new values to the front using the "Cons(head, tail)"
-// function, which will allocate a new cons cell. Notably, cons lists
-// support creating multiple lists that share a common tail sequence.
-//
-// Lastly, lists support iteration via C++11's range-based for loop
-// construct.
-//
-// Examples:
-//
-// // basic construction
-// const cons::List<char> kNil = nullptr;
-// cons::List<char> ba = Cons('b', Cons('a', kNil));
-//
-// // common tail sequence
-// cons::List<char> cba = Cons('c', ba);
-// cons::List<char> dba = Cons('d', ba);
-//
-// // iteration
-// for (const char& ch : cba) {
-// // iterates 'c', 'b', 'a'
-// }
-// for (const char& ch : dba) {
-// // iterates 'd', 'b', 'a'
-// }
-
-// Forward declarations.
-template <typename T>
-class Cell;
-template <typename T>
-class ListIterator;
-
-// List represents a (possibly null) pointer to a cons cell.
-template <typename T>
-using List = scoped_refptr<const Cell<T>>;
-
-// Cons extends a cons list by prepending a new value to the front.
-template <typename T>
-List<T> Cons(const T& head, const List<T>& tail) {
- return List<T>(new const Cell<T>(head, tail));
-}
-
-// Cell represents an individual "cons cell" within a cons list.
-template <typename T>
-class Cell : public base::RefCounted<Cell<T>> {
- public:
- Cell(const T& head, const List<T>& tail) : head_(head), tail_(tail) {}
-
- // Head returns this cell's head element.
- const T& head() const { return head_; }
-
- // Tail returns this cell's tail element.
- const List<T>& tail() const { return tail_; }
-
- private:
- virtual ~Cell() {}
-
- T head_;
- List<T> tail_;
-
- friend class base::RefCounted<Cell<T>>;
- DISALLOW_COPY_AND_ASSIGN(Cell);
-};
-
-// Begin returns a list iterator pointing to the first element of the
-// cons list. It's provided to support range-based for loops.
-template <typename T>
-ListIterator<T> begin(const List<T>& list) {
- return ListIterator<T>(list);
-}
-
-// End returns a list iterator pointing to the "past-the-end" element
-// of the cons list (i.e., nil). It's provided to support range-based
-// for loops.
-template <typename T>
-ListIterator<T> end(const List<T>& list) {
- return ListIterator<T>();
-}
-
-// ListIterator provides C++ forward iterator semantics for traversing
-// a cons list.
-template <typename T>
-class ListIterator {
- public:
- ListIterator() : list_() {}
- explicit ListIterator(const List<T>& list) : list_(list) {}
-
- const T& operator*() const { return list_->head(); }
-
- ListIterator& operator++() {
- list_ = list_->tail();
- return *this;
- }
-
- friend bool operator==(const ListIterator& lhs, const ListIterator& rhs) {
- return lhs.list_ == rhs.list_;
- }
-
- private:
- List<T> list_;
-};
-
-template <typename T>
-bool operator!=(const ListIterator<T>& lhs, const ListIterator<T>& rhs) {
- return !(lhs == rhs);
-}
-
-} // namespace cons
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_BPF_DSL_CONS_H_
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.cc b/security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.cc
deleted file mode 100644
index 2edf592f6..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.cc
+++ /dev/null
@@ -1,159 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/bpf_dsl/dump_bpf.h"
-
-#include <inttypes.h>
-#include <stddef.h>
-#include <stdint.h>
-#include <stdio.h>
-
-#include <string>
-
-#include "base/strings/stringprintf.h"
-#include "sandbox/linux/bpf_dsl/codegen.h"
-#include "sandbox/linux/bpf_dsl/seccomp_macros.h"
-#include "sandbox/linux/bpf_dsl/trap_registry.h"
-#include "sandbox/linux/system_headers/linux_filter.h"
-#include "sandbox/linux/system_headers/linux_seccomp.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-
-namespace {
-
-const char* AluOpToken(uint32_t code) {
- switch (BPF_OP(code)) {
- case BPF_ADD:
- return "+";
- case BPF_SUB:
- return "-";
- case BPF_MUL:
- return "*";
- case BPF_DIV:
- return "/";
- case BPF_MOD:
- return "%";
- case BPF_OR:
- return "|";
- case BPF_XOR:
- return "^";
- case BPF_AND:
- return "&";
- case BPF_LSH:
- return "<<";
- case BPF_RSH:
- return ">>";
- default:
- return "???";
- }
-}
-
-const char* JmpOpToken(uint32_t code) {
- switch (BPF_OP(code)) {
- case BPF_JSET:
- return "&";
- case BPF_JEQ:
- return "==";
- case BPF_JGE:
- return ">=";
- default:
- return "???";
- }
-}
-
-const char* DataOffsetName(size_t off) {
- switch (off) {
- case SECCOMP_NR_IDX:
- return "System call number";
- case SECCOMP_ARCH_IDX:
- return "Architecture";
- case SECCOMP_IP_LSB_IDX:
- return "Instruction pointer (LSB)";
- case SECCOMP_IP_MSB_IDX:
- return "Instruction pointer (MSB)";
- default:
- return "???";
- }
-}
-
-void AppendInstruction(std::string* dst, size_t pc, const sock_filter& insn) {
- base::StringAppendF(dst, "%3zu) ", pc);
- switch (BPF_CLASS(insn.code)) {
- case BPF_LD:
- if (insn.code == BPF_LD + BPF_W + BPF_ABS) {
- base::StringAppendF(dst, "LOAD %" PRIu32 " // ", insn.k);
- size_t maybe_argno =
- (insn.k - offsetof(struct arch_seccomp_data, args)) /
- sizeof(uint64_t);
- if (maybe_argno < 6 && insn.k == SECCOMP_ARG_LSB_IDX(maybe_argno)) {
- base::StringAppendF(dst, "Argument %zu (LSB)\n", maybe_argno);
- } else if (maybe_argno < 6 &&
- insn.k == SECCOMP_ARG_MSB_IDX(maybe_argno)) {
- base::StringAppendF(dst, "Argument %zu (MSB)\n", maybe_argno);
- } else {
- base::StringAppendF(dst, "%s\n", DataOffsetName(insn.k));
- }
- } else {
- base::StringAppendF(dst, "Load ???\n");
- }
- break;
- case BPF_JMP:
- if (BPF_OP(insn.code) == BPF_JA) {
- base::StringAppendF(dst, "JMP %zu\n", pc + insn.k + 1);
- } else {
- base::StringAppendF(
- dst, "if A %s 0x%" PRIx32 "; then JMP %zu else JMP %zu\n",
- JmpOpToken(insn.code), insn.k, pc + insn.jt + 1, pc + insn.jf + 1);
- }
- break;
- case BPF_RET:
- base::StringAppendF(dst, "RET 0x%" PRIx32 " // ", insn.k);
- if ((insn.k & SECCOMP_RET_ACTION) == SECCOMP_RET_TRAP) {
- base::StringAppendF(dst, "Trap #%" PRIu32 "\n",
- insn.k & SECCOMP_RET_DATA);
- } else if ((insn.k & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
- base::StringAppendF(dst, "errno = %" PRIu32 "\n",
- insn.k & SECCOMP_RET_DATA);
- } else if ((insn.k & SECCOMP_RET_ACTION) == SECCOMP_RET_TRACE) {
- base::StringAppendF(dst, "Trace #%" PRIu32 "\n",
- insn.k & SECCOMP_RET_DATA);
- } else if (insn.k == SECCOMP_RET_ALLOW) {
- base::StringAppendF(dst, "Allowed\n");
- } else if (insn.k == SECCOMP_RET_KILL) {
- base::StringAppendF(dst, "Kill\n");
- } else {
- base::StringAppendF(dst, "???\n");
- }
- break;
- case BPF_ALU:
- if (BPF_OP(insn.code) == BPF_NEG) {
- base::StringAppendF(dst, "A := -A\n");
- } else {
- base::StringAppendF(dst, "A := A %s 0x%" PRIx32 "\n",
- AluOpToken(insn.code), insn.k);
- }
- break;
- default:
- base::StringAppendF(dst, "???\n");
- break;
- }
-}
-
-} // namespace
-
-void DumpBPF::PrintProgram(const CodeGen::Program& program) {
- fputs(StringPrintProgram(program).c_str(), stderr);
-}
-
-std::string DumpBPF::StringPrintProgram(const CodeGen::Program& program) {
- std::string res;
- for (size_t i = 0; i < program.size(); i++) {
- AppendInstruction(&res, i + 1, program[i]);
- }
- return res;
-}
-
-} // namespace bpf_dsl
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.h
deleted file mode 100644
index a7db58981..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/dump_bpf.h
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <string>
-
-#include "sandbox/linux/bpf_dsl/codegen.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-
-class SANDBOX_EXPORT DumpBPF {
- public:
- // PrintProgram writes |program| in a human-readable format to stderr.
- static void PrintProgram(const CodeGen::Program& program);
-
- // StringPrintProgram writes |program| in a human-readable format to
- // a std::string.
- static std::string StringPrintProgram(const CodeGen::Program& program);
-};
-
-} // namespace bpf_dsl
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/errorcode.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/errorcode.h
deleted file mode 100644
index 611c27dd8..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/errorcode.h
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__
-#define SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__
-
-#include "base/macros.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-
-// TODO(mdempsky): Find a proper home for ERR_{MIN,MAX}_ERRNO and
-// remove this header.
-class SANDBOX_EXPORT ErrorCode {
- public:
- enum {
- ERR_MIN_ERRNO = 0,
-#if defined(__mips__)
- // MIPS only supports errno up to 1133
- ERR_MAX_ERRNO = 1133,
-#else
- // TODO(markus): Android only supports errno up to 255
- // (crbug.com/181647).
- ERR_MAX_ERRNO = 4095,
-#endif
- };
-
- private:
- DISALLOW_IMPLICIT_CONSTRUCTORS(ErrorCode);
-};
-
-} // namespace bpf_dsl
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_BPF_DSL_ERRORCODE_H__
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h
deleted file mode 100644
index a747770c7..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/linux_syscall_ranges.h
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_LINUX_SYSCALL_RANGES_H_
-#define SANDBOX_LINUX_BPF_DSL_LINUX_SYSCALL_RANGES_H_
-
-#if defined(__x86_64__)
-
-#define MIN_SYSCALL 0u
-#define MAX_PUBLIC_SYSCALL 1024u
-#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
-
-#elif defined(__i386__)
-
-#define MIN_SYSCALL 0u
-#define MAX_PUBLIC_SYSCALL 1024u
-#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
-
-#elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
-
-// ARM EABI includes "ARM private" system calls starting at |__ARM_NR_BASE|,
-// and a "ghost syscall private to the kernel", cmpxchg,
-// at |__ARM_NR_BASE+0x00fff0|.
-// See </arch/arm/include/asm/unistd.h> in the Linux kernel.
-
-// __NR_SYSCALL_BASE is 0 in thumb and ARM EABI.
-#define MIN_SYSCALL 0u
-#define MAX_PUBLIC_SYSCALL (MIN_SYSCALL + 1024u)
-// __ARM_NR_BASE is __NR_SYSCALL_BASE + 0xf0000u
-#define MIN_PRIVATE_SYSCALL 0xf0000u
-#define MAX_PRIVATE_SYSCALL (MIN_PRIVATE_SYSCALL + 16u)
-#define MIN_GHOST_SYSCALL (MIN_PRIVATE_SYSCALL + 0xfff0u)
-#define MAX_SYSCALL (MIN_GHOST_SYSCALL + 4u)
-
-#elif defined(__mips__) && (_MIPS_SIM == _ABIO32)
-
-#include <asm/unistd.h> // for __NR_O32_Linux and __NR_Linux_syscalls
-#define MIN_SYSCALL __NR_O32_Linux
-#define MAX_PUBLIC_SYSCALL (MIN_SYSCALL + __NR_Linux_syscalls)
-#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
-
-#elif defined(__mips__) && (_MIPS_SIM == _ABI64)
-
-#error "Add support to header file"
-
-#elif defined(__aarch64__)
-
-#define MIN_SYSCALL 0u
-#define MAX_PUBLIC_SYSCALL 279u
-#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
-
-#else
-#error "Unsupported architecture"
-#endif
-
-#endif // SANDBOX_LINUX_BPF_DSL_LINUX_SYSCALL_RANGES_H_
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.cc b/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.cc
deleted file mode 100644
index c20edc6da..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.cc
+++ /dev/null
@@ -1,19 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/bpf_dsl/policy.h"
-
-#include <errno.h>
-
-#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-
-ResultExpr Policy::InvalidSyscall() const {
- return Error(ENOSYS);
-}
-
-} // namespace bpf_dsl
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.h
deleted file mode 100644
index 6c6758945..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy.h
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_POLICY_H_
-#define SANDBOX_LINUX_BPF_DSL_POLICY_H_
-
-#include "base/macros.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-
-// Interface to implement to define a BPF sandbox policy.
-class SANDBOX_EXPORT Policy {
- public:
- Policy() {}
- virtual ~Policy() {}
-
- // User extension point for writing custom sandbox policies.
- // The returned ResultExpr will control how the kernel responds to the
- // specified system call number.
- virtual ResultExpr EvaluateSyscall(int sysno) const = 0;
-
- // Optional overload for specifying alternate behavior for invalid
- // system calls. The default is to return ENOSYS.
- virtual ResultExpr InvalidSyscall() const;
-
- private:
- DISALLOW_COPY_AND_ASSIGN(Policy);
-};
-
-} // namespace bpf_dsl
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_BPF_DSL_POLICY_H_
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.cc b/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.cc
deleted file mode 100644
index 7ce517a5d..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.cc
+++ /dev/null
@@ -1,466 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/bpf_dsl/policy_compiler.h"
-
-#include <errno.h>
-#include <stddef.h>
-#include <stdint.h>
-#include <sys/syscall.h>
-
-#include <limits>
-
-#include "base/logging.h"
-#include "base/macros.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl_impl.h"
-#include "sandbox/linux/bpf_dsl/codegen.h"
-#include "sandbox/linux/bpf_dsl/policy.h"
-#include "sandbox/linux/bpf_dsl/seccomp_macros.h"
-#include "sandbox/linux/bpf_dsl/syscall_set.h"
-#include "sandbox/linux/system_headers/linux_filter.h"
-#include "sandbox/linux/system_headers/linux_seccomp.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-
-namespace {
-
-#if defined(__i386__) || defined(__x86_64__)
-const bool kIsIntel = true;
-#else
-const bool kIsIntel = false;
-#endif
-#if defined(__x86_64__) && defined(__ILP32__)
-const bool kIsX32 = true;
-#else
-const bool kIsX32 = false;
-#endif
-
-const int kSyscallsRequiredForUnsafeTraps[] = {
- __NR_rt_sigprocmask,
- __NR_rt_sigreturn,
-#if defined(__NR_sigprocmask)
- __NR_sigprocmask,
-#endif
-#if defined(__NR_sigreturn)
- __NR_sigreturn,
-#endif
-};
-
-bool HasExactlyOneBit(uint64_t x) {
- // Common trick; e.g., see http://stackoverflow.com/a/108329.
- return x != 0 && (x & (x - 1)) == 0;
-}
-
-ResultExpr DefaultPanic(const char* error) {
- return Kill();
-}
-
-// A Trap() handler that returns an "errno" value. The value is encoded
-// in the "aux" parameter.
-intptr_t ReturnErrno(const struct arch_seccomp_data&, void* aux) {
- // TrapFnc functions report error by following the native kernel convention
- // of returning an exit code in the range of -1..-4096. They do not try to
- // set errno themselves. The glibc wrapper that triggered the SIGSYS will
- // ultimately do so for us.
- int err = reinterpret_cast<intptr_t>(aux) & SECCOMP_RET_DATA;
- return -err;
-}
-
-bool HasUnsafeTraps(const Policy* policy) {
- DCHECK(policy);
- for (uint32_t sysnum : SyscallSet::ValidOnly()) {
- if (policy->EvaluateSyscall(sysnum)->HasUnsafeTraps()) {
- return true;
- }
- }
- return policy->InvalidSyscall()->HasUnsafeTraps();
-}
-
-} // namespace
-
-struct PolicyCompiler::Range {
- uint32_t from;
- CodeGen::Node node;
-};
-
-PolicyCompiler::PolicyCompiler(const Policy* policy, TrapRegistry* registry)
- : policy_(policy),
- registry_(registry),
- escapepc_(0),
- panic_func_(DefaultPanic),
- gen_(),
- has_unsafe_traps_(HasUnsafeTraps(policy_)) {
- DCHECK(policy);
-}
-
-PolicyCompiler::~PolicyCompiler() {
-}
-
-CodeGen::Program PolicyCompiler::Compile() {
- CHECK(policy_->InvalidSyscall()->IsDeny())
- << "Policies should deny invalid system calls";
-
- // If our BPF program has unsafe traps, enable support for them.
- if (has_unsafe_traps_) {
- CHECK_NE(0U, escapepc_) << "UnsafeTrap() requires a valid escape PC";
-
- for (int sysnum : kSyscallsRequiredForUnsafeTraps) {
- CHECK(policy_->EvaluateSyscall(sysnum)->IsAllow())
- << "Policies that use UnsafeTrap() must unconditionally allow all "
- "required system calls";
- }
-
- CHECK(registry_->EnableUnsafeTraps())
- << "We'd rather die than enable unsafe traps";
- }
-
- // Assemble the BPF filter program.
- return gen_.Compile(AssemblePolicy());
-}
-
-void PolicyCompiler::DangerousSetEscapePC(uint64_t escapepc) {
- escapepc_ = escapepc;
-}
-
-void PolicyCompiler::SetPanicFunc(PanicFunc panic_func) {
- panic_func_ = panic_func;
-}
-
-CodeGen::Node PolicyCompiler::AssemblePolicy() {
- // A compiled policy consists of three logical parts:
- // 1. Check that the "arch" field matches the expected architecture.
- // 2. If the policy involves unsafe traps, check if the syscall was
- // invoked by Syscall::Call, and then allow it unconditionally.
- // 3. Check the system call number and jump to the appropriate compiled
- // system call policy number.
- return CheckArch(MaybeAddEscapeHatch(DispatchSyscall()));
-}
-
-CodeGen::Node PolicyCompiler::CheckArch(CodeGen::Node passed) {
- // If the architecture doesn't match SECCOMP_ARCH, disallow the
- // system call.
- return gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS, SECCOMP_ARCH_IDX,
- gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, SECCOMP_ARCH, passed,
- CompileResult(panic_func_(
- "Invalid audit architecture in BPF filter"))));
-}
-
-CodeGen::Node PolicyCompiler::MaybeAddEscapeHatch(CodeGen::Node rest) {
- // If no unsafe traps, then simply return |rest|.
- if (!has_unsafe_traps_) {
- return rest;
- }
-
- // We already enabled unsafe traps in Compile, but enable them again to give
- // the trap registry a second chance to complain before we add the backdoor.
- CHECK(registry_->EnableUnsafeTraps());
-
- // Allow system calls, if they originate from our magic return address.
- const uint32_t lopc = static_cast<uint32_t>(escapepc_);
- const uint32_t hipc = static_cast<uint32_t>(escapepc_ >> 32);
-
- // BPF cannot do native 64-bit comparisons, so we have to compare
- // both 32-bit halves of the instruction pointer. If they match what
- // we expect, we return ERR_ALLOWED. If either or both don't match,
- // we continue evalutating the rest of the sandbox policy.
- //
- // For simplicity, we check the full 64-bit instruction pointer even
- // on 32-bit architectures.
- return gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_LSB_IDX,
- gen_.MakeInstruction(
- BPF_JMP + BPF_JEQ + BPF_K, lopc,
- gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS, SECCOMP_IP_MSB_IDX,
- gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, hipc,
- CompileResult(Allow()), rest)),
- rest));
-}
-
-CodeGen::Node PolicyCompiler::DispatchSyscall() {
- // Evaluate all possible system calls and group their Nodes into
- // ranges of identical codes.
- Ranges ranges;
- FindRanges(&ranges);
-
- // Compile the system call ranges to an optimized BPF jumptable
- CodeGen::Node jumptable = AssembleJumpTable(ranges.begin(), ranges.end());
-
- // Grab the system call number, so that we can check it and then
- // execute the jump table.
- return gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS, SECCOMP_NR_IDX, CheckSyscallNumber(jumptable));
-}
-
-CodeGen::Node PolicyCompiler::CheckSyscallNumber(CodeGen::Node passed) {
- if (kIsIntel) {
- // On Intel architectures, verify that system call numbers are in the
- // expected number range.
- CodeGen::Node invalidX32 =
- CompileResult(panic_func_("Illegal mixing of system call ABIs"));
- if (kIsX32) {
- // The newer x32 API always sets bit 30.
- return gen_.MakeInstruction(
- BPF_JMP + BPF_JSET + BPF_K, 0x40000000, passed, invalidX32);
- } else {
- // The older i386 and x86-64 APIs clear bit 30 on all system calls.
- return gen_.MakeInstruction(
- BPF_JMP + BPF_JSET + BPF_K, 0x40000000, invalidX32, passed);
- }
- }
-
- // TODO(mdempsky): Similar validation for other architectures?
- return passed;
-}
-
-void PolicyCompiler::FindRanges(Ranges* ranges) {
- // Please note that "struct seccomp_data" defines system calls as a signed
- // int32_t, but BPF instructions always operate on unsigned quantities. We
- // deal with this disparity by enumerating from MIN_SYSCALL to MAX_SYSCALL,
- // and then verifying that the rest of the number range (both positive and
- // negative) all return the same Node.
- const CodeGen::Node invalid_node = CompileResult(policy_->InvalidSyscall());
- uint32_t old_sysnum = 0;
- CodeGen::Node old_node =
- SyscallSet::IsValid(old_sysnum)
- ? CompileResult(policy_->EvaluateSyscall(old_sysnum))
- : invalid_node;
-
- for (uint32_t sysnum : SyscallSet::All()) {
- CodeGen::Node node =
- SyscallSet::IsValid(sysnum)
- ? CompileResult(policy_->EvaluateSyscall(static_cast<int>(sysnum)))
- : invalid_node;
- // N.B., here we rely on CodeGen folding (i.e., returning the same
- // node value for) identical code sequences, otherwise our jump
- // table will blow up in size.
- if (node != old_node) {
- ranges->push_back(Range{old_sysnum, old_node});
- old_sysnum = sysnum;
- old_node = node;
- }
- }
- ranges->push_back(Range{old_sysnum, old_node});
-}
-
-CodeGen::Node PolicyCompiler::AssembleJumpTable(Ranges::const_iterator start,
- Ranges::const_iterator stop) {
- // We convert the list of system call ranges into jump table that performs
- // a binary search over the ranges.
- // As a sanity check, we need to have at least one distinct ranges for us
- // to be able to build a jump table.
- CHECK(start < stop) << "Invalid iterator range";
- const auto n = stop - start;
- if (n == 1) {
- // If we have narrowed things down to a single range object, we can
- // return from the BPF filter program.
- return start->node;
- }
-
- // Pick the range object that is located at the mid point of our list.
- // We compare our system call number against the lowest valid system call
- // number in this range object. If our number is lower, it is outside of
- // this range object. If it is greater or equal, it might be inside.
- Ranges::const_iterator mid = start + n / 2;
-
- // Sub-divide the list of ranges and continue recursively.
- CodeGen::Node jf = AssembleJumpTable(start, mid);
- CodeGen::Node jt = AssembleJumpTable(mid, stop);
- return gen_.MakeInstruction(BPF_JMP + BPF_JGE + BPF_K, mid->from, jt, jf);
-}
-
-CodeGen::Node PolicyCompiler::CompileResult(const ResultExpr& res) {
- return res->Compile(this);
-}
-
-CodeGen::Node PolicyCompiler::MaskedEqual(int argno,
- size_t width,
- uint64_t mask,
- uint64_t value,
- CodeGen::Node passed,
- CodeGen::Node failed) {
- // Sanity check that arguments make sense.
- CHECK(argno >= 0 && argno < 6) << "Invalid argument number " << argno;
- CHECK(width == 4 || width == 8) << "Invalid argument width " << width;
- CHECK_NE(0U, mask) << "Zero mask is invalid";
- CHECK_EQ(value, value & mask) << "Value contains masked out bits";
- if (sizeof(void*) == 4) {
- CHECK_EQ(4U, width) << "Invalid width on 32-bit platform";
- }
- if (width == 4) {
- CHECK_EQ(0U, mask >> 32) << "Mask exceeds argument size";
- CHECK_EQ(0U, value >> 32) << "Value exceeds argument size";
- }
-
- // We want to emit code to check "(arg & mask) == value" where arg, mask, and
- // value are 64-bit values, but the BPF machine is only 32-bit. We implement
- // this by independently testing the upper and lower 32-bits and continuing to
- // |passed| if both evaluate true, or to |failed| if either evaluate false.
- return MaskedEqualHalf(argno, width, mask, value, ArgHalf::UPPER,
- MaskedEqualHalf(argno, width, mask, value,
- ArgHalf::LOWER, passed, failed),
- failed);
-}
-
-CodeGen::Node PolicyCompiler::MaskedEqualHalf(int argno,
- size_t width,
- uint64_t full_mask,
- uint64_t full_value,
- ArgHalf half,
- CodeGen::Node passed,
- CodeGen::Node failed) {
- if (width == 4 && half == ArgHalf::UPPER) {
- // Special logic for sanity checking the upper 32-bits of 32-bit system
- // call arguments.
-
- // TODO(mdempsky): Compile Unexpected64bitArgument() just per program.
- CodeGen::Node invalid_64bit = Unexpected64bitArgument();
-
- const uint32_t upper = SECCOMP_ARG_MSB_IDX(argno);
- const uint32_t lower = SECCOMP_ARG_LSB_IDX(argno);
-
- if (sizeof(void*) == 4) {
- // On 32-bit platforms, the upper 32-bits should always be 0:
- // LDW [upper]
- // JEQ 0, passed, invalid
- return gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS,
- upper,
- gen_.MakeInstruction(
- BPF_JMP + BPF_JEQ + BPF_K, 0, passed, invalid_64bit));
- }
-
- // On 64-bit platforms, the upper 32-bits may be 0 or ~0; but we only allow
- // ~0 if the sign bit of the lower 32-bits is set too:
- // LDW [upper]
- // JEQ 0, passed, (next)
- // JEQ ~0, (next), invalid
- // LDW [lower]
- // JSET (1<<31), passed, invalid
- //
- // TODO(mdempsky): The JSET instruction could perhaps jump to passed->next
- // instead, as the first instruction of passed should be "LDW [lower]".
- return gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS,
- upper,
- gen_.MakeInstruction(
- BPF_JMP + BPF_JEQ + BPF_K,
- 0,
- passed,
- gen_.MakeInstruction(
- BPF_JMP + BPF_JEQ + BPF_K,
- std::numeric_limits<uint32_t>::max(),
- gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS,
- lower,
- gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K,
- 1U << 31,
- passed,
- invalid_64bit)),
- invalid_64bit)));
- }
-
- const uint32_t idx = (half == ArgHalf::UPPER) ? SECCOMP_ARG_MSB_IDX(argno)
- : SECCOMP_ARG_LSB_IDX(argno);
- const uint32_t mask = (half == ArgHalf::UPPER) ? full_mask >> 32 : full_mask;
- const uint32_t value =
- (half == ArgHalf::UPPER) ? full_value >> 32 : full_value;
-
- // Emit a suitable instruction sequence for (arg & mask) == value.
-
- // For (arg & 0) == 0, just return passed.
- if (mask == 0) {
- CHECK_EQ(0U, value);
- return passed;
- }
-
- // For (arg & ~0) == value, emit:
- // LDW [idx]
- // JEQ value, passed, failed
- if (mask == std::numeric_limits<uint32_t>::max()) {
- return gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS,
- idx,
- gen_.MakeInstruction(BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed));
- }
-
- // For (arg & mask) == 0, emit:
- // LDW [idx]
- // JSET mask, failed, passed
- // (Note: failed and passed are intentionally swapped.)
- if (value == 0) {
- return gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS,
- idx,
- gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K, mask, failed, passed));
- }
-
- // For (arg & x) == x where x is a single-bit value, emit:
- // LDW [idx]
- // JSET mask, passed, failed
- if (mask == value && HasExactlyOneBit(mask)) {
- return gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS,
- idx,
- gen_.MakeInstruction(BPF_JMP + BPF_JSET + BPF_K, mask, passed, failed));
- }
-
- // Generic fallback:
- // LDW [idx]
- // AND mask
- // JEQ value, passed, failed
- return gen_.MakeInstruction(
- BPF_LD + BPF_W + BPF_ABS,
- idx,
- gen_.MakeInstruction(
- BPF_ALU + BPF_AND + BPF_K,
- mask,
- gen_.MakeInstruction(
- BPF_JMP + BPF_JEQ + BPF_K, value, passed, failed)));
-}
-
-CodeGen::Node PolicyCompiler::Unexpected64bitArgument() {
- return CompileResult(panic_func_("Unexpected 64bit argument detected"));
-}
-
-CodeGen::Node PolicyCompiler::Return(uint32_t ret) {
- if (has_unsafe_traps_ && (ret & SECCOMP_RET_ACTION) == SECCOMP_RET_ERRNO) {
- // When inside an UnsafeTrap() callback, we want to allow all system calls.
- // This means, we must conditionally disable the sandbox -- and that's not
- // something that kernel-side BPF filters can do, as they cannot inspect
- // any state other than the syscall arguments.
- // But if we redirect all error handlers to user-space, then we can easily
- // make this decision.
- // The performance penalty for this extra round-trip to user-space is not
- // actually that bad, as we only ever pay it for denied system calls; and a
- // typical program has very few of these.
- return Trap(ReturnErrno, reinterpret_cast<void*>(ret & SECCOMP_RET_DATA),
- true);
- }
-
- return gen_.MakeInstruction(BPF_RET + BPF_K, ret);
-}
-
-CodeGen::Node PolicyCompiler::Trap(TrapRegistry::TrapFnc fnc,
- const void* aux,
- bool safe) {
- uint16_t trap_id = registry_->Add(fnc, aux, safe);
- return gen_.MakeInstruction(BPF_RET + BPF_K, SECCOMP_RET_TRAP + trap_id);
-}
-
-bool PolicyCompiler::IsRequiredForUnsafeTrap(int sysno) {
- for (size_t i = 0; i < arraysize(kSyscallsRequiredForUnsafeTraps); ++i) {
- if (sysno == kSyscallsRequiredForUnsafeTraps[i]) {
- return true;
- }
- }
- return false;
-}
-
-} // namespace bpf_dsl
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.h
deleted file mode 100644
index 48b1d780d..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/policy_compiler.h
+++ /dev/null
@@ -1,153 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_
-#define SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <vector>
-
-#include "base/macros.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl_forward.h"
-#include "sandbox/linux/bpf_dsl/codegen.h"
-#include "sandbox/linux/bpf_dsl/trap_registry.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-class Policy;
-
-// PolicyCompiler implements the bpf_dsl compiler, allowing users to
-// transform bpf_dsl policies into BPF programs to be executed by the
-// Linux kernel.
-class SANDBOX_EXPORT PolicyCompiler {
- public:
- using PanicFunc = bpf_dsl::ResultExpr (*)(const char* error);
-
- PolicyCompiler(const Policy* policy, TrapRegistry* registry);
- ~PolicyCompiler();
-
- // Compile registers any trap handlers needed by the policy and
- // compiles the policy to a BPF program, which it returns.
- CodeGen::Program Compile();
-
- // DangerousSetEscapePC sets the "escape PC" that is allowed to issue any
- // system calls, regardless of policy.
- void DangerousSetEscapePC(uint64_t escapepc);
-
- // SetPanicFunc sets the callback function used for handling faulty
- // system call conditions. The default behavior is to immediately kill
- // the process.
- // TODO(mdempsky): Move this into Policy?
- void SetPanicFunc(PanicFunc panic_func);
-
- // UnsafeTraps require some syscalls to always be allowed.
- // This helper function returns true for these calls.
- static bool IsRequiredForUnsafeTrap(int sysno);
-
- // Functions below are meant for use within bpf_dsl itself.
-
- // Return returns a CodeGen::Node that returns the specified seccomp
- // return value.
- CodeGen::Node Return(uint32_t ret);
-
- // Trap returns a CodeGen::Node to indicate the system call should
- // instead invoke a trap handler.
- CodeGen::Node Trap(TrapRegistry::TrapFnc fnc, const void* aux, bool safe);
-
- // MaskedEqual returns a CodeGen::Node that represents a conditional branch.
- // Argument "argno" (1..6) will be bitwise-AND'd with "mask" and compared
- // to "value"; if equal, then "passed" will be executed, otherwise "failed".
- // If "width" is 4, the argument must in the range of 0x0..(1u << 32 - 1)
- // If it is outside this range, the sandbox treats the system call just
- // the same as any other ABI violation (i.e., it panics).
- CodeGen::Node MaskedEqual(int argno,
- size_t width,
- uint64_t mask,
- uint64_t value,
- CodeGen::Node passed,
- CodeGen::Node failed);
-
- private:
- struct Range;
- typedef std::vector<Range> Ranges;
-
- // Used by MaskedEqualHalf to track which half of the argument it's
- // emitting instructions for.
- enum class ArgHalf {
- LOWER,
- UPPER,
- };
-
- // Compile the configured policy into a complete instruction sequence.
- CodeGen::Node AssemblePolicy();
-
- // Return an instruction sequence that checks the
- // arch_seccomp_data's "arch" field is valid, and then passes
- // control to |passed| if so.
- CodeGen::Node CheckArch(CodeGen::Node passed);
-
- // If |has_unsafe_traps_| is true, returns an instruction sequence
- // that allows all system calls from |escapepc_|, and otherwise
- // passes control to |rest|. Otherwise, simply returns |rest|.
- CodeGen::Node MaybeAddEscapeHatch(CodeGen::Node rest);
-
- // Return an instruction sequence that loads and checks the system
- // call number, performs a binary search, and then dispatches to an
- // appropriate instruction sequence compiled from the current
- // policy.
- CodeGen::Node DispatchSyscall();
-
- // Return an instruction sequence that checks the system call number
- // (expected to be loaded in register A) and if valid, passes
- // control to |passed| (with register A still valid).
- CodeGen::Node CheckSyscallNumber(CodeGen::Node passed);
-
- // Finds all the ranges of system calls that need to be handled. Ranges are
- // sorted in ascending order of system call numbers. There are no gaps in the
- // ranges. System calls with identical CodeGen::Nodes are coalesced into a
- // single
- // range.
- void FindRanges(Ranges* ranges);
-
- // Returns a BPF program snippet that implements a jump table for the
- // given range of system call numbers. This function runs recursively.
- CodeGen::Node AssembleJumpTable(Ranges::const_iterator start,
- Ranges::const_iterator stop);
-
- // CompileResult compiles an individual result expression into a
- // CodeGen node.
- CodeGen::Node CompileResult(const ResultExpr& res);
-
- // Returns a BPF program that evaluates half of a conditional expression;
- // it should only ever be called from CondExpression().
- CodeGen::Node MaskedEqualHalf(int argno,
- size_t width,
- uint64_t full_mask,
- uint64_t full_value,
- ArgHalf half,
- CodeGen::Node passed,
- CodeGen::Node failed);
-
- // Returns the fatal CodeGen::Node that is used to indicate that somebody
- // attempted to pass a 64bit value in a 32bit system call argument.
- CodeGen::Node Unexpected64bitArgument();
-
- const Policy* policy_;
- TrapRegistry* registry_;
- uint64_t escapepc_;
- PanicFunc panic_func_;
-
- CodeGen gen_;
- bool has_unsafe_traps_;
-
- DISALLOW_COPY_AND_ASSIGN(PolicyCompiler);
-};
-
-} // namespace bpf_dsl
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_BPF_DSL_POLICY_COMPILER_H_
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/seccomp_macros.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/seccomp_macros.h
deleted file mode 100644
index af70f21cd..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/seccomp_macros.h
+++ /dev/null
@@ -1,294 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_
-#define SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_
-
-#include <sys/types.h> // For __BIONIC__.
-// Old Bionic versions do not have sys/user.h. The if can be removed once we no
-// longer need to support these old Bionic versions.
-// All x86_64 builds use a new enough bionic to have sys/user.h.
-#if !defined(__BIONIC__) || defined(__x86_64__)
-#if !defined(__native_client_nonsfi__)
-#include <sys/user.h>
-#endif
-#if defined(__mips__)
-// sys/user.h in eglibc misses size_t definition
-#include <stddef.h>
-#endif
-#endif
-
-#include "sandbox/linux/system_headers/linux_seccomp.h" // For AUDIT_ARCH_*
-
-// Impose some reasonable maximum BPF program size. Realistically, the
-// kernel probably has much lower limits. But by limiting to less than
-// 30 bits, we can ease requirements on some of our data types.
-#define SECCOMP_MAX_PROGRAM_SIZE (1<<30)
-
-#if defined(__i386__)
-#define SECCOMP_ARCH AUDIT_ARCH_I386
-
-#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
-#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_EAX)
-#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_EAX)
-#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_EIP)
-#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_EBX)
-#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_ECX)
-#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_EDX)
-#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_ESI)
-#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_EDI)
-#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_EBP)
-#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
-#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
-#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
- instruction_pointer) + 4)
-#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
- instruction_pointer) + 0)
-#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
- 8*(nr) + 4)
-#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
- 8*(nr) + 0)
-
-
-#if defined(__BIONIC__) || defined(__native_client_nonsfi__)
-// Old Bionic versions and PNaCl toolchain don't have sys/user.h, so we just
-// define regs_struct directly. This can be removed once we no longer need to
-// support these old Bionic versions and PNaCl toolchain.
-struct regs_struct {
- long int ebx;
- long int ecx;
- long int edx;
- long int esi;
- long int edi;
- long int ebp;
- long int eax;
- long int xds;
- long int xes;
- long int xfs;
- long int xgs;
- long int orig_eax;
- long int eip;
- long int xcs;
- long int eflags;
- long int esp;
- long int xss;
-};
-#else
-typedef user_regs_struct regs_struct;
-#endif
-
-#define SECCOMP_PT_RESULT(_regs) (_regs).eax
-#define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_eax
-#define SECCOMP_PT_IP(_regs) (_regs).eip
-#define SECCOMP_PT_PARM1(_regs) (_regs).ebx
-#define SECCOMP_PT_PARM2(_regs) (_regs).ecx
-#define SECCOMP_PT_PARM3(_regs) (_regs).edx
-#define SECCOMP_PT_PARM4(_regs) (_regs).esi
-#define SECCOMP_PT_PARM5(_regs) (_regs).edi
-#define SECCOMP_PT_PARM6(_regs) (_regs).ebp
-
-#elif defined(__x86_64__)
-#define SECCOMP_ARCH AUDIT_ARCH_X86_64
-
-#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
-#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_RAX)
-#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_RAX)
-#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_RIP)
-#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_RDI)
-#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_RSI)
-#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_RDX)
-#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_R10)
-#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_R8)
-#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_R9)
-#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
-#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
-#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
- instruction_pointer) + 4)
-#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
- instruction_pointer) + 0)
-#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
- 8*(nr) + 4)
-#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
- 8*(nr) + 0)
-
-typedef user_regs_struct regs_struct;
-#define SECCOMP_PT_RESULT(_regs) (_regs).rax
-#define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_rax
-#define SECCOMP_PT_IP(_regs) (_regs).rip
-#define SECCOMP_PT_PARM1(_regs) (_regs).rdi
-#define SECCOMP_PT_PARM2(_regs) (_regs).rsi
-#define SECCOMP_PT_PARM3(_regs) (_regs).rdx
-#define SECCOMP_PT_PARM4(_regs) (_regs).r10
-#define SECCOMP_PT_PARM5(_regs) (_regs).r8
-#define SECCOMP_PT_PARM6(_regs) (_regs).r9
-
-#elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
-#define SECCOMP_ARCH AUDIT_ARCH_ARM
-
-// ARM sigcontext_t is different from i386/x86_64.
-// See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
-#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
-// ARM EABI syscall convention.
-#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, r0)
-#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, r7)
-#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, pc)
-#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, r0)
-#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, r1)
-#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, r2)
-#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, r3)
-#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, r4)
-#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, r5)
-#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
-#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
-#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
- instruction_pointer) + 4)
-#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
- instruction_pointer) + 0)
-#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
- 8*(nr) + 4)
-#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
- 8*(nr) + 0)
-
-#if defined(__BIONIC__) || defined(__native_client_nonsfi__)
-// Old Bionic versions and PNaCl toolchain don't have sys/user.h, so we just
-// define regs_struct directly. This can be removed once we no longer need to
-// support these old Bionic versions and PNaCl toolchain.
-struct regs_struct {
- unsigned long uregs[18];
-};
-#else
-typedef user_regs regs_struct;
-#endif
-
-#define REG_cpsr uregs[16]
-#define REG_pc uregs[15]
-#define REG_lr uregs[14]
-#define REG_sp uregs[13]
-#define REG_ip uregs[12]
-#define REG_fp uregs[11]
-#define REG_r10 uregs[10]
-#define REG_r9 uregs[9]
-#define REG_r8 uregs[8]
-#define REG_r7 uregs[7]
-#define REG_r6 uregs[6]
-#define REG_r5 uregs[5]
-#define REG_r4 uregs[4]
-#define REG_r3 uregs[3]
-#define REG_r2 uregs[2]
-#define REG_r1 uregs[1]
-#define REG_r0 uregs[0]
-#define REG_ORIG_r0 uregs[17]
-
-#define SECCOMP_PT_RESULT(_regs) (_regs).REG_r0
-#define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_r7
-#define SECCOMP_PT_IP(_regs) (_regs).REG_pc
-#define SECCOMP_PT_PARM1(_regs) (_regs).REG_r0
-#define SECCOMP_PT_PARM2(_regs) (_regs).REG_r1
-#define SECCOMP_PT_PARM3(_regs) (_regs).REG_r2
-#define SECCOMP_PT_PARM4(_regs) (_regs).REG_r3
-#define SECCOMP_PT_PARM5(_regs) (_regs).REG_r4
-#define SECCOMP_PT_PARM6(_regs) (_regs).REG_r5
-
-#elif defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
-#define SECCOMP_ARCH AUDIT_ARCH_MIPSEL
-#define SYSCALL_EIGHT_ARGS
-// MIPS sigcontext_t is different from i386/x86_64 and ARM.
-// See </arch/mips/include/uapi/asm/sigcontext.h> in the Linux kernel.
-#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[_reg])
-// Based on MIPS o32 ABI syscall convention.
-// On MIPS, when indirect syscall is being made (syscall(__NR_foo)),
-// real identificator (__NR_foo) is not in v0, but in a0
-#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, 2)
-#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, 2)
-#define SECCOMP_IP(_ctx) (_ctx)->uc_mcontext.pc
-#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, 4)
-#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, 5)
-#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, 6)
-#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, 7)
-// Only the first 4 arguments of syscall are in registers.
-// The rest are on the stack.
-#define SECCOMP_STACKPARM(_ctx, n) (((long *)SECCOMP_REG(_ctx, 29))[(n)])
-#define SECCOMP_PARM5(_ctx) SECCOMP_STACKPARM(_ctx, 4)
-#define SECCOMP_PARM6(_ctx) SECCOMP_STACKPARM(_ctx, 5)
-#define SECCOMP_PARM7(_ctx) SECCOMP_STACKPARM(_ctx, 6)
-#define SECCOMP_PARM8(_ctx) SECCOMP_STACKPARM(_ctx, 7)
-#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
-#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
-#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
- instruction_pointer) + 4)
-#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
- instruction_pointer) + 0)
-#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
- 8*(nr) + 4)
-#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
- 8*(nr) + 0)
-
-// On Mips we don't have structures like user_regs or user_regs_struct in
-// sys/user.h that we could use, so we just define regs_struct directly.
-struct regs_struct {
- unsigned long long regs[32];
-};
-
-#define REG_a3 regs[7]
-#define REG_a2 regs[6]
-#define REG_a1 regs[5]
-#define REG_a0 regs[4]
-#define REG_v1 regs[3]
-#define REG_v0 regs[2]
-
-#define SECCOMP_PT_RESULT(_regs) (_regs).REG_v0
-#define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_v0
-#define SECCOMP_PT_PARM1(_regs) (_regs).REG_a0
-#define SECCOMP_PT_PARM2(_regs) (_regs).REG_a1
-#define SECCOMP_PT_PARM3(_regs) (_regs).REG_a2
-#define SECCOMP_PT_PARM4(_regs) (_regs).REG_a3
-
-#elif defined(__aarch64__)
-struct regs_struct {
- unsigned long long regs[31];
- unsigned long long sp;
- unsigned long long pc;
- unsigned long long pstate;
-};
-
-#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
-
-#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.regs[_reg])
-
-#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, 0)
-#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, 8)
-#define SECCOMP_IP(_ctx) (_ctx)->uc_mcontext.pc
-#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, 0)
-#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, 1)
-#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, 2)
-#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, 3)
-#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, 4)
-#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, 5)
-
-#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
-#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
-#define SECCOMP_IP_MSB_IDX \
- (offsetof(struct arch_seccomp_data, instruction_pointer) + 4)
-#define SECCOMP_IP_LSB_IDX \
- (offsetof(struct arch_seccomp_data, instruction_pointer) + 0)
-#define SECCOMP_ARG_MSB_IDX(nr) \
- (offsetof(struct arch_seccomp_data, args) + 8 * (nr) + 4)
-#define SECCOMP_ARG_LSB_IDX(nr) \
- (offsetof(struct arch_seccomp_data, args) + 8 * (nr) + 0)
-
-#define SECCOMP_PT_RESULT(_regs) (_regs).regs[0]
-#define SECCOMP_PT_SYSCALL(_regs) (_regs).regs[8]
-#define SECCOMP_PT_IP(_regs) (_regs).pc
-#define SECCOMP_PT_PARM1(_regs) (_regs).regs[0]
-#define SECCOMP_PT_PARM2(_regs) (_regs).regs[1]
-#define SECCOMP_PT_PARM3(_regs) (_regs).regs[2]
-#define SECCOMP_PT_PARM4(_regs) (_regs).regs[3]
-#define SECCOMP_PT_PARM5(_regs) (_regs).regs[4]
-#define SECCOMP_PT_PARM6(_regs) (_regs).regs[5]
-#else
-#error Unsupported target platform
-
-#endif
-
-#endif // SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.cc b/security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.cc
deleted file mode 100644
index 3d61fa31f..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.cc
+++ /dev/null
@@ -1,146 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/bpf_dsl/syscall_set.h"
-
-#include <stdint.h>
-
-#include "base/logging.h"
-#include "base/macros.h"
-#include "sandbox/linux/bpf_dsl/linux_syscall_ranges.h"
-
-namespace sandbox {
-
-namespace {
-
-#if defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
-// This is true for Mips O32 ABI.
-static_assert(MIN_SYSCALL == __NR_Linux, "min syscall number should be 4000");
-#else
-// This true for supported architectures (Intel and ARM EABI).
-static_assert(MIN_SYSCALL == 0u,
- "min syscall should always be zero");
-#endif
-
-// SyscallRange represents an inclusive range of system call numbers.
-struct SyscallRange {
- uint32_t first;
- uint32_t last;
-};
-
-const SyscallRange kValidSyscallRanges[] = {
- // First we iterate up to MAX_PUBLIC_SYSCALL, which is equal to MAX_SYSCALL
- // on Intel architectures, but leaves room for private syscalls on ARM.
- {MIN_SYSCALL, MAX_PUBLIC_SYSCALL},
-#if defined(__arm__)
- // ARM EABI includes "ARM private" system calls starting at
- // MIN_PRIVATE_SYSCALL, and a "ghost syscall private to the kernel" at
- // MIN_GHOST_SYSCALL.
- {MIN_PRIVATE_SYSCALL, MAX_PRIVATE_SYSCALL},
- {MIN_GHOST_SYSCALL, MAX_SYSCALL},
-#endif
-};
-
-} // namespace
-
-SyscallSet::Iterator SyscallSet::begin() const {
- return Iterator(set_, false);
-}
-
-SyscallSet::Iterator SyscallSet::end() const {
- return Iterator(set_, true);
-}
-
-bool SyscallSet::IsValid(uint32_t num) {
- for (const SyscallRange& range : kValidSyscallRanges) {
- if (num >= range.first && num <= range.last) {
- return true;
- }
- }
- return false;
-}
-
-bool operator==(const SyscallSet& lhs, const SyscallSet& rhs) {
- return (lhs.set_ == rhs.set_);
-}
-
-SyscallSet::Iterator::Iterator(Set set, bool done)
- : set_(set), done_(done), num_(0) {
- // If the set doesn't contain 0, we need to skip to the next element.
- if (!done && set_ == (IsValid(num_) ? Set::INVALID_ONLY : Set::VALID_ONLY)) {
- ++*this;
- }
-}
-
-uint32_t SyscallSet::Iterator::operator*() const {
- DCHECK(!done_);
- return num_;
-}
-
-SyscallSet::Iterator& SyscallSet::Iterator::operator++() {
- DCHECK(!done_);
-
- num_ = NextSyscall();
- if (num_ == 0) {
- done_ = true;
- }
-
- return *this;
-}
-
-// NextSyscall returns the next system call in the iterated system
-// call set after |num_|, or 0 if no such system call exists.
-uint32_t SyscallSet::Iterator::NextSyscall() const {
- const bool want_valid = (set_ != Set::INVALID_ONLY);
- const bool want_invalid = (set_ != Set::VALID_ONLY);
-
- for (const SyscallRange& range : kValidSyscallRanges) {
- if (want_invalid && range.first > 0 && num_ < range.first - 1) {
- // Even when iterating invalid syscalls, we only include the end points;
- // so skip directly to just before the next (valid) range.
- return range.first - 1;
- }
- if (want_valid && num_ < range.first) {
- return range.first;
- }
- if (want_valid && num_ < range.last) {
- return num_ + 1;
- }
- if (want_invalid && num_ <= range.last) {
- return range.last + 1;
- }
- }
-
- if (want_invalid) {
- // BPF programs only ever operate on unsigned quantities. So,
- // that's how we iterate; we return values from
- // 0..0xFFFFFFFFu. But there are places, where the kernel might
- // interpret system call numbers as signed quantities, so the
- // boundaries between signed and unsigned values are potential
- // problem cases. We want to explicitly return these values from
- // our iterator.
- if (num_ < 0x7FFFFFFFu)
- return 0x7FFFFFFFu;
- if (num_ < 0x80000000u)
- return 0x80000000u;
-
- if (num_ < 0xFFFFFFFFu)
- return 0xFFFFFFFFu;
- }
-
- return 0;
-}
-
-bool operator==(const SyscallSet::Iterator& lhs,
- const SyscallSet::Iterator& rhs) {
- DCHECK(lhs.set_ == rhs.set_);
- return (lhs.done_ == rhs.done_) && (lhs.num_ == rhs.num_);
-}
-
-bool operator!=(const SyscallSet::Iterator& lhs,
- const SyscallSet::Iterator& rhs) {
- return !(lhs == rhs);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.h
deleted file mode 100644
index b9f076d93..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/syscall_set.h
+++ /dev/null
@@ -1,103 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_SYSCALL_SET_H__
-#define SANDBOX_LINUX_BPF_DSL_SYSCALL_SET_H__
-
-#include <stdint.h>
-
-#include <iterator>
-
-#include "base/macros.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-
-// Iterates over the entire system call range from 0..0xFFFFFFFFu. This
-// iterator is aware of how system calls look like and will skip quickly
-// over ranges that can't contain system calls. It iterates more slowly
-// whenever it reaches a range that is potentially problematic, returning
-// the last invalid value before a valid range of system calls, and the
-// first invalid value after a valid range of syscalls. It iterates over
-// individual values whenever it is in the normal range for system calls
-// (typically MIN_SYSCALL..MAX_SYSCALL).
-//
-// Example usage:
-// for (uint32_t sysnum : SyscallSet::All()) {
-// // Do something with sysnum.
-// }
-class SANDBOX_EXPORT SyscallSet {
- public:
- class Iterator;
-
- SyscallSet(const SyscallSet& ss) : set_(ss.set_) {}
- ~SyscallSet() {}
-
- Iterator begin() const;
- Iterator end() const;
-
- // All returns a SyscallSet that contains both valid and invalid
- // system call numbers.
- static SyscallSet All() { return SyscallSet(Set::ALL); }
-
- // ValidOnly returns a SyscallSet that contains only valid system
- // call numbers.
- static SyscallSet ValidOnly() { return SyscallSet(Set::VALID_ONLY); }
-
- // InvalidOnly returns a SyscallSet that contains only invalid
- // system call numbers, but still omits numbers in the middle of a
- // range of invalid system call numbers.
- static SyscallSet InvalidOnly() { return SyscallSet(Set::INVALID_ONLY); }
-
- // IsValid returns whether |num| specifies a valid system call
- // number.
- static bool IsValid(uint32_t num);
-
- private:
- enum class Set { ALL, VALID_ONLY, INVALID_ONLY };
-
- explicit SyscallSet(Set set) : set_(set) {}
-
- Set set_;
-
- friend bool operator==(const SyscallSet&, const SyscallSet&);
- DISALLOW_ASSIGN(SyscallSet);
-};
-
-SANDBOX_EXPORT bool operator==(const SyscallSet& lhs, const SyscallSet& rhs);
-
-// Iterator provides C++ input iterator semantics for traversing a
-// SyscallSet.
-class SyscallSet::Iterator
- : public std::iterator<std::input_iterator_tag, uint32_t> {
- public:
- Iterator(const Iterator& it)
- : set_(it.set_), done_(it.done_), num_(it.num_) {}
- ~Iterator() {}
-
- uint32_t operator*() const;
- Iterator& operator++();
-
- private:
- Iterator(Set set, bool done);
-
- uint32_t NextSyscall() const;
-
- Set set_;
- bool done_;
- uint32_t num_;
-
- friend SyscallSet;
- friend bool operator==(const Iterator&, const Iterator&);
- DISALLOW_ASSIGN(Iterator);
-};
-
-SANDBOX_EXPORT bool operator==(const SyscallSet::Iterator& lhs,
- const SyscallSet::Iterator& rhs);
-SANDBOX_EXPORT bool operator!=(const SyscallSet::Iterator& lhs,
- const SyscallSet::Iterator& rhs);
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_BPF_DSL_SYSCALL_SET_H__
diff --git a/security/sandbox/chromium/sandbox/linux/bpf_dsl/trap_registry.h b/security/sandbox/chromium/sandbox/linux/bpf_dsl/trap_registry.h
deleted file mode 100644
index 0a5d2f14c..000000000
--- a/security/sandbox/chromium/sandbox/linux/bpf_dsl/trap_registry.h
+++ /dev/null
@@ -1,73 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_
-#define SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_
-
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-
-// This must match the kernel's seccomp_data structure.
-struct arch_seccomp_data {
- int nr;
- uint32_t arch;
- uint64_t instruction_pointer;
- uint64_t args[6];
-};
-
-namespace bpf_dsl {
-
-// TrapRegistry provides an interface for registering "trap handlers"
-// by associating them with non-zero 16-bit trap IDs. Trap IDs should
-// remain valid for the lifetime of the trap registry.
-class SANDBOX_EXPORT TrapRegistry {
- public:
- // TrapFnc is a pointer to a function that fulfills the trap handler
- // function signature.
- //
- // Trap handlers follow the calling convention of native system
- // calls; e.g., to report an error, they return an exit code in the
- // range -1..-4096 instead of directly modifying errno. However,
- // modifying errno is harmless, as the original value will be
- // restored afterwards.
- //
- // Trap handlers are executed from signal context and possibly an
- // async-signal context, so they must be async-signal safe:
- // http://pubs.opengroup.org/onlinepubs/009695399/functions/xsh_chap02_04.html
- typedef intptr_t (*TrapFnc)(const struct arch_seccomp_data& args, void* aux);
-
- // Add registers the specified trap handler tuple and returns a
- // non-zero trap ID that uniquely identifies the tuple for the life
- // time of the trap registry. If the same tuple is registered
- // multiple times, the same value will be returned each time.
- virtual uint16_t Add(TrapFnc fnc, const void* aux, bool safe) = 0;
-
- // EnableUnsafeTraps tries to enable unsafe traps and returns
- // whether it was successful. This is a one-way operation.
- //
- // CAUTION: Enabling unsafe traps effectively defeats the security
- // guarantees provided by the sandbox policy. TrapRegistry
- // implementations should ensure unsafe traps are only enabled
- // during testing.
- virtual bool EnableUnsafeTraps() = 0;
-
- protected:
- TrapRegistry() {}
-
- // TrapRegistry's destructor is intentionally non-virtual so that
- // implementations can omit their destructor. Instead we protect against
- // misuse by marking it protected.
- ~TrapRegistry() {}
-
- DISALLOW_COPY_AND_ASSIGN(TrapRegistry);
-};
-
-} // namespace bpf_dsl
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_BPF_DSL_TRAP_REGISTRY_H_
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tester_compatibility_delegate.h b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tester_compatibility_delegate.h
deleted file mode 100644
index 00d415c3f..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tester_compatibility_delegate.h
+++ /dev/null
@@ -1,55 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTER_COMPATIBILITY_DELEGATE_H_
-#define SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTER_COMPATIBILITY_DELEGATE_H_
-
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h"
-
-namespace sandbox {
-
-// This templated class allows building a BPFTesterDelegate from a
-// deprecated-style BPF policy (that is a SyscallEvaluator function pointer,
-// instead of a SandboxBPFPolicy class), specified in |policy_function| and a
-// function pointer to a test in |test_function|.
-// This allows both the policy and the test function to take a pointer to an
-// object of type "Aux" as a parameter. This is used to implement the BPF_TEST
-// macro and should generally not be used directly.
-template <class Policy, class Aux>
-class BPFTesterCompatibilityDelegate : public BPFTesterDelegate {
- public:
- typedef void (*TestFunction)(Aux*);
-
- explicit BPFTesterCompatibilityDelegate(TestFunction test_function)
- : aux_(), test_function_(test_function) {}
-
- ~BPFTesterCompatibilityDelegate() override {}
-
- scoped_ptr<bpf_dsl::Policy> GetSandboxBPFPolicy() override {
- // The current method is guaranteed to only run in the child process
- // running the test. In this process, the current object is guaranteed
- // to live forever. So it's ok to pass aux_pointer_for_policy_ to
- // the policy, which could in turn pass it to the kernel via Trap().
- return scoped_ptr<bpf_dsl::Policy>(new Policy(&aux_));
- }
-
- void RunTestFunction() override {
- // Run the actual test.
- // The current object is guaranteed to live forever in the child process
- // where this will run.
- test_function_(&aux_);
- }
-
- private:
- Aux aux_;
- TestFunction test_function_;
-
- DISALLOW_COPY_AND_ASSIGN(BPFTesterCompatibilityDelegate);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTER_COMPATIBILITY_DELEGATE_H_
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests.h b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests.h
deleted file mode 100644
index cc4debd4c..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests.h
+++ /dev/null
@@ -1,122 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__
-#define SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__
-
-#include "base/logging.h"
-#include "base/macros.h"
-#include "build/build_config.h"
-#include "sandbox/linux/seccomp-bpf/bpf_tester_compatibility_delegate.h"
-#include "sandbox/linux/tests/unit_tests.h"
-
-namespace sandbox {
-
-// BPF_TEST_C() is a special version of SANDBOX_TEST(). It runs a test function
-// in a sub-process, under a seccomp-bpf policy specified in
-// |bpf_policy_class_name| without failing on configurations that are allowed
-// to not support seccomp-bpf in their kernels.
-// This is the preferred format for new BPF tests. |bpf_policy_class_name| is a
-// class name (which will be default-constructed) that implements the
-// Policy interface.
-// The test function's body can simply follow. Test functions should use
-// the BPF_ASSERT macros defined below, not GTEST's macros. The use of
-// CHECK* macros is supported but less robust.
-#define BPF_TEST_C(test_case_name, test_name, bpf_policy_class_name) \
- BPF_DEATH_TEST_C( \
- test_case_name, test_name, DEATH_SUCCESS(), bpf_policy_class_name)
-
-// Identical to BPF_TEST_C but allows to specify the nature of death.
-#define BPF_DEATH_TEST_C( \
- test_case_name, test_name, death, bpf_policy_class_name) \
- void BPF_TEST_C_##test_name(); \
- TEST(test_case_name, DISABLE_ON_TSAN(test_name)) { \
- sandbox::SandboxBPFTestRunner bpf_test_runner( \
- new sandbox::BPFTesterSimpleDelegate<bpf_policy_class_name>( \
- BPF_TEST_C_##test_name)); \
- sandbox::UnitTests::RunTestInProcess(&bpf_test_runner, death); \
- } \
- void BPF_TEST_C_##test_name()
-
-// This form of BPF_TEST is a little verbose and should be reserved for complex
-// tests where a lot of control is required.
-// |bpf_tester_delegate_class| must be a classname implementing the
-// BPFTesterDelegate interface.
-#define BPF_TEST_D(test_case_name, test_name, bpf_tester_delegate_class) \
- BPF_DEATH_TEST_D( \
- test_case_name, test_name, DEATH_SUCCESS(), bpf_tester_delegate_class)
-
-// Identical to BPF_TEST_D but allows to specify the nature of death.
-#define BPF_DEATH_TEST_D( \
- test_case_name, test_name, death, bpf_tester_delegate_class) \
- TEST(test_case_name, DISABLE_ON_TSAN(test_name)) { \
- sandbox::SandboxBPFTestRunner bpf_test_runner( \
- new bpf_tester_delegate_class()); \
- sandbox::UnitTests::RunTestInProcess(&bpf_test_runner, death); \
- }
-
-// Assertions are handled exactly the same as with a normal SANDBOX_TEST()
-#define BPF_ASSERT SANDBOX_ASSERT
-#define BPF_ASSERT_EQ(x, y) BPF_ASSERT((x) == (y))
-#define BPF_ASSERT_NE(x, y) BPF_ASSERT((x) != (y))
-#define BPF_ASSERT_LT(x, y) BPF_ASSERT((x) < (y))
-#define BPF_ASSERT_GT(x, y) BPF_ASSERT((x) > (y))
-#define BPF_ASSERT_LE(x, y) BPF_ASSERT((x) <= (y))
-#define BPF_ASSERT_GE(x, y) BPF_ASSERT((x) >= (y))
-
-// This form of BPF_TEST is now discouraged (but still allowed) in favor of
-// BPF_TEST_D and BPF_TEST_C.
-// The |policy| parameter should be a Policy subclass.
-// BPF_TEST() takes a C++ data type as an fourth parameter. A variable
-// of this type will be allocated and a pointer to it will be
-// available within the test function as "BPF_AUX". The pointer will
-// also be passed as an argument to the policy's constructor. Policies
-// would typically use it as an argument to SandboxBPF::Trap(), if
-// they want to communicate data between the BPF_TEST() and a Trap()
-// function. The life-time of this object is the same as the life-time
-// of the process running under the seccomp-bpf policy.
-// |aux| must not be void.
-#define BPF_TEST(test_case_name, test_name, policy, aux) \
- BPF_DEATH_TEST(test_case_name, test_name, DEATH_SUCCESS(), policy, aux)
-
-// A BPF_DEATH_TEST is just the same as a BPF_TEST, but it assumes that the
-// test will fail with a particular known error condition. Use the DEATH_XXX()
-// macros from unit_tests.h to specify the expected error condition.
-#define BPF_DEATH_TEST(test_case_name, test_name, death, policy, aux) \
- void BPF_TEST_##test_name(aux* BPF_AUX); \
- TEST(test_case_name, DISABLE_ON_TSAN(test_name)) { \
- sandbox::SandboxBPFTestRunner bpf_test_runner( \
- new sandbox::BPFTesterCompatibilityDelegate<policy, aux>( \
- BPF_TEST_##test_name)); \
- sandbox::UnitTests::RunTestInProcess(&bpf_test_runner, death); \
- } \
- void BPF_TEST_##test_name(aux* BPF_AUX)
-
-// This class takes a simple function pointer as a constructor parameter and a
-// class name as a template parameter to implement the BPFTesterDelegate
-// interface which can be used to build BPF unittests with
-// the SandboxBPFTestRunner class.
-template <class PolicyClass>
-class BPFTesterSimpleDelegate : public BPFTesterDelegate {
- public:
- explicit BPFTesterSimpleDelegate(void (*test_function)(void))
- : test_function_(test_function) {}
- ~BPFTesterSimpleDelegate() override {}
-
- scoped_ptr<bpf_dsl::Policy> GetSandboxBPFPolicy() override {
- return scoped_ptr<bpf_dsl::Policy>(new PolicyClass());
- }
- void RunTestFunction() override {
- DCHECK(test_function_);
- test_function_();
- }
-
- private:
- void (*test_function_)(void);
- DISALLOW_COPY_AND_ASSIGN(BPFTesterSimpleDelegate);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_SECCOMP_BPF_BPF_TESTS_H__
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests_unittest.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests_unittest.cc
deleted file mode 100644
index e300baf9b..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/bpf_tests_unittest.cc
+++ /dev/null
@@ -1,154 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/seccomp-bpf/bpf_tests.h"
-
-#include <errno.h>
-#include <sys/ptrace.h>
-#include <sys/syscall.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "build/build_config.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
-#include "sandbox/linux/bpf_dsl/policy.h"
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-#include "sandbox/linux/services/syscall_wrappers.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-#include "sandbox/linux/tests/unit_tests.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-using sandbox::bpf_dsl::Allow;
-using sandbox::bpf_dsl::Error;
-using sandbox::bpf_dsl::ResultExpr;
-
-namespace sandbox {
-
-namespace {
-
-class FourtyTwo {
- public:
- static const int kMagicValue = 42;
- FourtyTwo() : value_(kMagicValue) {}
- int value() { return value_; }
-
- private:
- int value_;
- DISALLOW_COPY_AND_ASSIGN(FourtyTwo);
-};
-
-class EmptyClassTakingPolicy : public bpf_dsl::Policy {
- public:
- explicit EmptyClassTakingPolicy(FourtyTwo* fourty_two) {
- BPF_ASSERT(fourty_two);
- BPF_ASSERT(FourtyTwo::kMagicValue == fourty_two->value());
- }
- ~EmptyClassTakingPolicy() override {}
-
- ResultExpr EvaluateSyscall(int sysno) const override {
- DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
- return Allow();
- }
-};
-
-BPF_TEST(BPFTest,
- BPFAUXPointsToClass,
- EmptyClassTakingPolicy,
- FourtyTwo /* *BPF_AUX */) {
- // BPF_AUX should point to an instance of FourtyTwo.
- BPF_ASSERT(BPF_AUX);
- BPF_ASSERT(FourtyTwo::kMagicValue == BPF_AUX->value());
-}
-
-void DummyTestFunction(FourtyTwo *fourty_two) {
-}
-
-TEST(BPFTest, BPFTesterCompatibilityDelegateLeakTest) {
- // Don't do anything, simply gives dynamic tools an opportunity to detect
- // leaks.
- {
- BPFTesterCompatibilityDelegate<EmptyClassTakingPolicy, FourtyTwo>
- simple_delegate(DummyTestFunction);
- }
- {
- // Test polymorphism.
- scoped_ptr<BPFTesterDelegate> simple_delegate(
- new BPFTesterCompatibilityDelegate<EmptyClassTakingPolicy, FourtyTwo>(
- DummyTestFunction));
- }
-}
-
-class EnosysPtracePolicy : public bpf_dsl::Policy {
- public:
- EnosysPtracePolicy() { my_pid_ = sys_getpid(); }
- ~EnosysPtracePolicy() override {
- // Policies should be able to bind with the process on which they are
- // created. They should never be created in a parent process.
- BPF_ASSERT_EQ(my_pid_, sys_getpid());
- }
-
- ResultExpr EvaluateSyscall(int system_call_number) const override {
- CHECK(SandboxBPF::IsValidSyscallNumber(system_call_number));
- if (system_call_number == __NR_ptrace) {
- // The EvaluateSyscall function should run in the process that created
- // the current object.
- BPF_ASSERT_EQ(my_pid_, sys_getpid());
- return Error(ENOSYS);
- } else {
- return Allow();
- }
- }
-
- private:
- pid_t my_pid_;
- DISALLOW_COPY_AND_ASSIGN(EnosysPtracePolicy);
-};
-
-class BasicBPFTesterDelegate : public BPFTesterDelegate {
- public:
- BasicBPFTesterDelegate() {}
- ~BasicBPFTesterDelegate() override {}
-
- scoped_ptr<bpf_dsl::Policy> GetSandboxBPFPolicy() override {
- return scoped_ptr<bpf_dsl::Policy>(new EnosysPtracePolicy());
- }
- void RunTestFunction() override {
- errno = 0;
- int ret = ptrace(PTRACE_TRACEME, -1, NULL, NULL);
- BPF_ASSERT(-1 == ret);
- BPF_ASSERT(ENOSYS == errno);
- }
-
- private:
- DISALLOW_COPY_AND_ASSIGN(BasicBPFTesterDelegate);
-};
-
-// This is the most powerful and complex way to create a BPF test, but it
-// requires a full class definition (BasicBPFTesterDelegate).
-BPF_TEST_D(BPFTest, BPFTestWithDelegateClass, BasicBPFTesterDelegate);
-
-// This is the simplest form of BPF tests.
-BPF_TEST_C(BPFTest, BPFTestWithInlineTest, EnosysPtracePolicy) {
- errno = 0;
- int ret = ptrace(PTRACE_TRACEME, -1, NULL, NULL);
- BPF_ASSERT(-1 == ret);
- BPF_ASSERT(ENOSYS == errno);
-}
-
-const char kHelloMessage[] = "Hello";
-
-BPF_DEATH_TEST_C(BPFTest,
- BPFDeathTestWithInlineTest,
- DEATH_MESSAGE(kHelloMessage),
- EnosysPtracePolicy) {
- LOG(ERROR) << kHelloMessage;
- _exit(1);
-}
-
-} // namespace
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.cc
deleted file mode 100644
index 3baf1f13d..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.cc
+++ /dev/null
@@ -1,93 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/seccomp-bpf/die.h"
-
-#include <errno.h>
-#include <signal.h>
-#include <stdio.h>
-#include <sys/prctl.h>
-#include <sys/syscall.h>
-#include <unistd.h>
-
-#include <string>
-
-#include "base/logging.h"
-#include "base/posix/eintr_wrapper.h"
-#include "sandbox/linux/seccomp-bpf/syscall.h"
-#include "sandbox/linux/services/syscall_wrappers.h"
-#include "sandbox/linux/system_headers/linux_signal.h"
-
-namespace sandbox {
-
-void Die::ExitGroup() {
- // exit_group() should exit our program. After all, it is defined as a
- // function that doesn't return. But things can theoretically go wrong.
- // Especially, since we are dealing with system call filters. Continuing
- // execution would be very bad in most cases where ExitGroup() gets called.
- // So, we'll try a few other strategies too.
- Syscall::Call(__NR_exit_group, 1);
-
- // We have no idea what our run-time environment looks like. So, signal
- // handlers might or might not do the right thing. Try to reset settings
- // to a defined state; but we have not way to verify whether we actually
- // succeeded in doing so. Nonetheless, triggering a fatal signal could help
- // us terminate.
- struct sigaction sa = {};
- sa.sa_handler = LINUX_SIG_DFL;
- sa.sa_flags = LINUX_SA_RESTART;
- sys_sigaction(LINUX_SIGSEGV, &sa, nullptr);
- Syscall::Call(__NR_prctl, PR_SET_DUMPABLE, (void*)0, (void*)0, (void*)0);
- if (*(volatile char*)0) {
- }
-
- // If there is no way for us to ask for the program to exit, the next
- // best thing we can do is to loop indefinitely. Maybe, somebody will notice
- // and file a bug...
- // We in fact retry the system call inside of our loop so that it will
- // stand out when somebody tries to diagnose the problem by using "strace".
- for (;;) {
- Syscall::Call(__NR_exit_group, 1);
- }
-}
-
-void Die::SandboxDie(const char* msg, const char* file, int line) {
- if (simple_exit_) {
- LogToStderr(msg, file, line);
- } else {
- logging::LogMessage(file, line, logging::LOG_FATAL).stream() << msg;
- }
- ExitGroup();
-}
-
-void Die::RawSandboxDie(const char* msg) {
- if (!msg)
- msg = "";
- RAW_LOG(FATAL, msg);
- ExitGroup();
-}
-
-void Die::SandboxInfo(const char* msg, const char* file, int line) {
- if (!suppress_info_) {
- logging::LogMessage(file, line, logging::LOG_INFO).stream() << msg;
- }
-}
-
-void Die::LogToStderr(const char* msg, const char* file, int line) {
- if (msg) {
- char buf[40];
- snprintf(buf, sizeof(buf), "%d", line);
- std::string s = std::string(file) + ":" + buf + ":" + msg + "\n";
-
- // No need to loop. Short write()s are unlikely and if they happen we
- // probably prefer them over a loop that blocks.
- ignore_result(
- HANDLE_EINTR(Syscall::Call(__NR_write, 2, s.c_str(), s.length())));
- }
-}
-
-bool Die::simple_exit_ = false;
-bool Die::suppress_info_ = false;
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.h b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.h
deleted file mode 100644
index b3f3f72c2..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/die.h
+++ /dev/null
@@ -1,68 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SECCOMP_BPF_DIE_H__
-#define SANDBOX_LINUX_SECCOMP_BPF_DIE_H__
-
-#include "base/macros.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-
-// This is the main API for using this file. Prints a error message and
-// exits with a fatal error. This is not async-signal safe.
-#define SANDBOX_DIE(m) sandbox::Die::SandboxDie(m, __FILE__, __LINE__)
-
-// An async signal safe version of the same API. Won't print the filename
-// and line numbers.
-#define RAW_SANDBOX_DIE(m) sandbox::Die::RawSandboxDie(m)
-
-// Adds an informational message to the log file or stderr as appropriate.
-#define SANDBOX_INFO(m) sandbox::Die::SandboxInfo(m, __FILE__, __LINE__)
-
-class SANDBOX_EXPORT Die {
- public:
- // Terminate the program, even if the current sandbox policy prevents some
- // of the more commonly used functions used for exiting.
- // Most users would want to call SANDBOX_DIE() instead, as it logs extra
- // information. But calling ExitGroup() is correct and in some rare cases
- // preferable. So, we make it part of the public API.
- static void ExitGroup() __attribute__((noreturn));
-
- // This method gets called by SANDBOX_DIE(). There is normally no reason
- // to call it directly unless you are defining your own exiting macro.
- static void SandboxDie(const char* msg, const char* file, int line)
- __attribute__((noreturn));
-
- static void RawSandboxDie(const char* msg) __attribute__((noreturn));
-
- // This method gets called by SANDBOX_INFO(). There is normally no reason
- // to call it directly unless you are defining your own logging macro.
- static void SandboxInfo(const char* msg, const char* file, int line);
-
- // Writes a message to stderr. Used as a fall-back choice, if we don't have
- // any other way to report an error.
- static void LogToStderr(const char* msg, const char* file, int line);
-
- // We generally want to run all exit handlers. This means, on SANDBOX_DIE()
- // we should be calling LOG(FATAL). But there are some situations where
- // we just need to print a message and then terminate. This would typically
- // happen in cases where we consume the error message internally (e.g. in
- // unit tests or in the supportsSeccompSandbox() method).
- static void EnableSimpleExit() { simple_exit_ = true; }
-
- // Sometimes we need to disable all informational messages (e.g. from within
- // unittests).
- static void SuppressInfoMessages(bool flag) { suppress_info_ = flag; }
-
- private:
- static bool simple_exit_;
- static bool suppress_info_;
-
- DISALLOW_IMPLICIT_CONSTRUCTORS(Die);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_SECCOMP_BPF_DIE_H__
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
deleted file mode 100644
index b48682ba9..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.cc
+++ /dev/null
@@ -1,280 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-
-#include <errno.h>
-#include <stdint.h>
-#include <sys/prctl.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include "base/compiler_specific.h"
-#include "base/files/scoped_file.h"
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/posix/eintr_wrapper.h"
-#include "base/third_party/valgrind/valgrind.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
-#include "sandbox/linux/bpf_dsl/codegen.h"
-#include "sandbox/linux/bpf_dsl/policy.h"
-#include "sandbox/linux/bpf_dsl/policy_compiler.h"
-#include "sandbox/linux/bpf_dsl/seccomp_macros.h"
-#include "sandbox/linux/bpf_dsl/syscall_set.h"
-#include "sandbox/linux/seccomp-bpf/die.h"
-#include "sandbox/linux/seccomp-bpf/syscall.h"
-#include "sandbox/linux/seccomp-bpf/trap.h"
-#include "sandbox/linux/services/proc_util.h"
-#include "sandbox/linux/services/syscall_wrappers.h"
-#include "sandbox/linux/services/thread_helpers.h"
-#include "sandbox/linux/system_headers/linux_filter.h"
-#include "sandbox/linux/system_headers/linux_seccomp.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-
-namespace sandbox {
-
-namespace {
-
-bool IsRunningOnValgrind() { return RUNNING_ON_VALGRIND; }
-
-bool IsSingleThreaded(int proc_fd) {
- return ThreadHelpers::IsSingleThreaded(proc_fd);
-}
-
-// Check if the kernel supports seccomp-filter (a.k.a. seccomp mode 2) via
-// prctl().
-bool KernelSupportsSeccompBPF() {
- errno = 0;
- const int rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr);
-
- if (rv == -1 && EFAULT == errno) {
- return true;
- }
- return false;
-}
-
-// LG introduced a buggy syscall, sys_set_media_ext, with the same number as
-// seccomp. Return true if the current kernel has this buggy syscall.
-//
-// We want this to work with upcoming versions of seccomp, so we pass bogus
-// flags that are unlikely to ever be used by the kernel. A normal kernel would
-// return -EINVAL, but a buggy LG kernel would return 1.
-bool KernelHasLGBug() {
-#if defined(OS_ANDROID)
- // sys_set_media will see this as NULL, which should be a safe (non-crashing)
- // way to invoke it. A genuine seccomp syscall will see it as
- // SECCOMP_SET_MODE_STRICT.
- const unsigned int operation = 0;
- // Chosen by fair dice roll. Guaranteed to be random.
- const unsigned int flags = 0xf7a46a5c;
- const int rv = sys_seccomp(operation, flags, nullptr);
- // A genuine kernel would return -EINVAL (which would set rv to -1 and errno
- // to EINVAL), or at the very least return some kind of error (which would
- // set rv to -1). Any other behavior indicates that whatever code received
- // our syscall was not the real seccomp.
- if (rv != -1) {
- return true;
- }
-#endif // defined(OS_ANDROID)
-
- return false;
-}
-
-// Check if the kernel supports seccomp-filter via the seccomp system call
-// and the TSYNC feature to enable seccomp on all threads.
-bool KernelSupportsSeccompTsync() {
- if (KernelHasLGBug()) {
- return false;
- }
-
- errno = 0;
- const int rv =
- sys_seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, nullptr);
-
- if (rv == -1 && errno == EFAULT) {
- return true;
- } else {
- // TODO(jln): turn these into DCHECK after 417888 is considered fixed.
- CHECK_EQ(-1, rv);
- CHECK(ENOSYS == errno || EINVAL == errno);
- return false;
- }
-}
-
-uint64_t EscapePC() {
- intptr_t rv = Syscall::Call(-1);
- if (rv == -1 && errno == ENOSYS) {
- return 0;
- }
- return static_cast<uint64_t>(static_cast<uintptr_t>(rv));
-}
-
-intptr_t SandboxPanicTrap(const struct arch_seccomp_data&, void* aux) {
- SANDBOX_DIE(static_cast<const char*>(aux));
-}
-
-bpf_dsl::ResultExpr SandboxPanic(const char* error) {
- return bpf_dsl::Trap(SandboxPanicTrap, error);
-}
-
-} // namespace
-
-SandboxBPF::SandboxBPF(bpf_dsl::Policy* policy)
- : proc_fd_(), sandbox_has_started_(false), policy_(policy) {
-}
-
-SandboxBPF::~SandboxBPF() {
-}
-
-// static
-bool SandboxBPF::SupportsSeccompSandbox(SeccompLevel level) {
- // Never pretend to support seccomp with Valgrind, as it
- // throws the tool off.
- if (IsRunningOnValgrind()) {
- return false;
- }
-
- switch (level) {
- case SeccompLevel::SINGLE_THREADED:
- return KernelSupportsSeccompBPF();
- case SeccompLevel::MULTI_THREADED:
- return KernelSupportsSeccompTsync();
- }
- NOTREACHED();
- return false;
-}
-
-bool SandboxBPF::StartSandbox(SeccompLevel seccomp_level) {
- DCHECK(policy_);
- CHECK(seccomp_level == SeccompLevel::SINGLE_THREADED ||
- seccomp_level == SeccompLevel::MULTI_THREADED);
-
- if (sandbox_has_started_) {
- SANDBOX_DIE(
- "Cannot repeatedly start sandbox. Create a separate Sandbox "
- "object instead.");
- return false;
- }
-
- if (!proc_fd_.is_valid()) {
- SetProcFd(ProcUtil::OpenProc());
- }
-
- const bool supports_tsync = KernelSupportsSeccompTsync();
-
- if (seccomp_level == SeccompLevel::SINGLE_THREADED) {
- // Wait for /proc/self/task/ to update if needed and assert the
- // process is single threaded.
- ThreadHelpers::AssertSingleThreaded(proc_fd_.get());
- } else if (seccomp_level == SeccompLevel::MULTI_THREADED) {
- if (IsSingleThreaded(proc_fd_.get())) {
- SANDBOX_DIE("Cannot start sandbox; "
- "process may be single-threaded when reported as not");
- return false;
- }
- if (!supports_tsync) {
- SANDBOX_DIE("Cannot start sandbox; kernel does not support synchronizing "
- "filters for a threadgroup");
- return false;
- }
- }
-
- // We no longer need access to any files in /proc. We want to do this
- // before installing the filters, just in case that our policy denies
- // close().
- if (proc_fd_.is_valid()) {
- proc_fd_.reset();
- }
-
- // Install the filters.
- InstallFilter(supports_tsync ||
- seccomp_level == SeccompLevel::MULTI_THREADED);
-
- return true;
-}
-
-void SandboxBPF::SetProcFd(base::ScopedFD proc_fd) {
- proc_fd_.swap(proc_fd);
-}
-
-// static
-bool SandboxBPF::IsValidSyscallNumber(int sysnum) {
- return SyscallSet::IsValid(sysnum);
-}
-
-// static
-bool SandboxBPF::IsRequiredForUnsafeTrap(int sysno) {
- return bpf_dsl::PolicyCompiler::IsRequiredForUnsafeTrap(sysno);
-}
-
-// static
-intptr_t SandboxBPF::ForwardSyscall(const struct arch_seccomp_data& args) {
- return Syscall::Call(
- args.nr, static_cast<intptr_t>(args.args[0]),
- static_cast<intptr_t>(args.args[1]), static_cast<intptr_t>(args.args[2]),
- static_cast<intptr_t>(args.args[3]), static_cast<intptr_t>(args.args[4]),
- static_cast<intptr_t>(args.args[5]));
-}
-
-CodeGen::Program SandboxBPF::AssembleFilter() {
- DCHECK(policy_);
-
- bpf_dsl::PolicyCompiler compiler(policy_.get(), Trap::Registry());
- if (Trap::SandboxDebuggingAllowedByUser()) {
- compiler.DangerousSetEscapePC(EscapePC());
- }
- compiler.SetPanicFunc(SandboxPanic);
- return compiler.Compile();
-}
-
-void SandboxBPF::InstallFilter(bool must_sync_threads) {
- // We want to be very careful in not imposing any requirements on the
- // policies that are set with SetSandboxPolicy(). This means, as soon as
- // the sandbox is active, we shouldn't be relying on libraries that could
- // be making system calls. This, for example, means we should avoid
- // using the heap and we should avoid using STL functions.
- // Temporarily copy the contents of the "program" vector into a
- // stack-allocated array; and then explicitly destroy that object.
- // This makes sure we don't ex- or implicitly call new/delete after we
- // installed the BPF filter program in the kernel. Depending on the
- // system memory allocator that is in effect, these operators can result
- // in system calls to things like munmap() or brk().
- CodeGen::Program program = AssembleFilter();
-
- struct sock_filter bpf[program.size()];
- const struct sock_fprog prog = {static_cast<unsigned short>(program.size()),
- bpf};
- memcpy(bpf, &program[0], sizeof(bpf));
- CodeGen::Program().swap(program); // vector swap trick
-
- // Make an attempt to release memory that is no longer needed here, rather
- // than in the destructor. Try to avoid as much as possible to presume of
- // what will be possible to do in the new (sandboxed) execution environment.
- policy_.reset();
-
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
- SANDBOX_DIE("Kernel refuses to enable no-new-privs");
- }
-
- // Install BPF filter program. If the thread state indicates multi-threading
- // support, then the kernel hass the seccomp system call. Otherwise, fall
- // back on prctl, which requires the process to be single-threaded.
- if (must_sync_threads) {
- int rv =
- sys_seccomp(SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, &prog);
- if (rv) {
- SANDBOX_DIE(
- "Kernel refuses to turn on and synchronize threads for BPF filters");
- }
- } else {
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) {
- SANDBOX_DIE("Kernel refuses to turn on BPF filters");
- }
- }
-
- sandbox_has_started_ = true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.h b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.h
deleted file mode 100644
index e758e0312..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf.h
+++ /dev/null
@@ -1,114 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H_
-#define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H_
-
-#include <stdint.h>
-
-#include "base/files/scoped_file.h"
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/linux/bpf_dsl/codegen.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-struct arch_seccomp_data;
-namespace bpf_dsl {
-class Policy;
-}
-
-// This class can be used to apply a syscall sandboxing policy expressed in a
-// bpf_dsl::Policy object to the current process.
-// Syscall sandboxing policies get inherited by subprocesses and, once applied,
-// can never be removed for the lifetime of the process.
-class SANDBOX_EXPORT SandboxBPF {
- public:
- enum class SeccompLevel {
- SINGLE_THREADED,
- MULTI_THREADED,
- };
-
- // Ownership of |policy| is transfered here to the sandbox object.
- // nullptr is allowed for unit tests.
- explicit SandboxBPF(bpf_dsl::Policy* policy);
- // NOTE: Setting a policy and starting the sandbox is a one-way operation.
- // The kernel does not provide any option for unloading a loaded sandbox. The
- // sandbox remains engaged even when the object is destructed.
- ~SandboxBPF();
-
- // Detect if the kernel supports the specified seccomp level.
- // See StartSandbox() for a description of these.
- static bool SupportsSeccompSandbox(SeccompLevel level);
-
- // This is the main public entry point. It sets up the resources needed by
- // the sandbox, and enters Seccomp mode.
- // The calling process must provide a |level| to tell the sandbox which type
- // of kernel support it should engage.
- // SINGLE_THREADED will only sandbox the calling thread. Since it would be a
- // security risk, the sandbox will also check that the current process is
- // single threaded and crash if it isn't the case.
- // MULTI_THREADED requires more recent kernel support and allows to sandbox
- // all the threads of the current process. Be mindful of potential races,
- // with other threads using disallowed system calls either before or after
- // the sandbox is engaged.
- //
- // It is possible to stack multiple sandboxes by creating separate "Sandbox"
- // objects and calling "StartSandbox()" on each of them. Please note, that
- // this requires special care, though, as newly stacked sandboxes can never
- // relax restrictions imposed by earlier sandboxes. Furthermore, installing
- // a new policy requires making system calls, that might already be
- // disallowed.
- // Finally, stacking does add more kernel overhead than having a single
- // combined policy. So, it should only be used if there are no alternatives.
- bool StartSandbox(SeccompLevel level) WARN_UNUSED_RESULT;
-
- // The sandbox needs to be able to access files in "/proc/self/". If
- // this directory is not accessible when "StartSandbox()" gets called, the
- // caller must provide an already opened file descriptor by calling
- // "SetProcFd()".
- // The sandbox becomes the new owner of this file descriptor and will
- // close it when "StartSandbox()" executes or when the sandbox object
- // disappears.
- void SetProcFd(base::ScopedFD proc_fd);
-
- // Checks whether a particular system call number is valid on the current
- // architecture.
- static bool IsValidSyscallNumber(int sysnum);
-
- // UnsafeTraps require some syscalls to always be allowed.
- // This helper function returns true for these calls.
- static bool IsRequiredForUnsafeTrap(int sysno);
-
- // From within an UnsafeTrap() it is often useful to be able to execute
- // the system call that triggered the trap. The ForwardSyscall() method
- // makes this easy. It is more efficient than calling glibc's syscall()
- // function, as it avoid the extra round-trip to the signal handler. And
- // it automatically does the correct thing to report kernel-style error
- // conditions, rather than setting errno. See the comments for TrapFnc for
- // details. In other words, the return value from ForwardSyscall() is
- // directly suitable as a return value for a trap handler.
- static intptr_t ForwardSyscall(const struct arch_seccomp_data& args);
-
- private:
- friend class SandboxBPFTestRunner;
-
- // Assembles a BPF filter program from the current policy. After calling this
- // function, you must not call any other sandboxing function.
- CodeGen::Program AssembleFilter();
-
- // Assembles and installs a filter based on the policy that has previously
- // been configured with SetSandboxPolicy().
- void InstallFilter(bool must_sync_threads);
-
- base::ScopedFD proc_fd_;
- bool sandbox_has_started_;
- scoped_ptr<bpf_dsl::Policy> policy_;
-
- DISALLOW_COPY_AND_ASSIGN(SandboxBPF);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_H_
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.cc
deleted file mode 100644
index c0193f956..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.cc
+++ /dev/null
@@ -1,65 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h"
-
-#include <fcntl.h>
-
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/linux/bpf_dsl/policy.h"
-#include "sandbox/linux/seccomp-bpf/die.h"
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-#include "sandbox/linux/system_headers/linux_filter.h"
-#include "sandbox/linux/tests/unit_tests.h"
-
-namespace sandbox {
-
-SandboxBPFTestRunner::SandboxBPFTestRunner(
- BPFTesterDelegate* bpf_tester_delegate)
- : bpf_tester_delegate_(bpf_tester_delegate) {
-}
-
-SandboxBPFTestRunner::~SandboxBPFTestRunner() {
-}
-
-void SandboxBPFTestRunner::Run() {
- DCHECK(bpf_tester_delegate_);
- sandbox::Die::EnableSimpleExit();
-
- scoped_ptr<bpf_dsl::Policy> policy =
- bpf_tester_delegate_->GetSandboxBPFPolicy();
-
- if (sandbox::SandboxBPF::SupportsSeccompSandbox(
- SandboxBPF::SeccompLevel::SINGLE_THREADED)) {
- // Initialize and then start the sandbox with our custom policy
- sandbox::SandboxBPF sandbox(policy.release());
- SANDBOX_ASSERT(sandbox.StartSandbox(
- sandbox::SandboxBPF::SeccompLevel::SINGLE_THREADED));
-
- // Run the actual test.
- bpf_tester_delegate_->RunTestFunction();
- } else {
- printf("This BPF test is not fully running in this configuration!\n");
- // Android and Valgrind are the only configurations where we accept not
- // having kernel BPF support.
- if (!IsAndroid() && !IsRunningOnValgrind()) {
- const bool seccomp_bpf_is_supported = false;
- SANDBOX_ASSERT(seccomp_bpf_is_supported);
- }
- // Call the compiler and verify the policy. That's the least we can do,
- // if we don't have kernel support.
- sandbox::SandboxBPF sandbox(policy.release());
- sandbox.AssembleFilter();
- sandbox::UnitTests::IgnoreThisTest();
- }
-}
-
-bool SandboxBPFTestRunner::ShouldCheckForLeaks() const {
- // LSAN requires being able to use ptrace() and other system calls that could
- // be denied.
- return false;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h
deleted file mode 100644
index fef6240d7..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/sandbox_bpf_test_runner.h
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_TEST_RUNNER_H_
-#define SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_TEST_RUNNER_H_
-
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/linux/tests/sandbox_test_runner.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-class Policy;
-}
-
-// To create a SandboxBPFTestRunner object, one needs to implement this
-// interface and pass an instance to the SandboxBPFTestRunner constructor.
-// In the child process running the test, the BPFTesterDelegate object is
-// guaranteed to not be destroyed until the child process terminates.
-class BPFTesterDelegate {
- public:
- BPFTesterDelegate() {}
- virtual ~BPFTesterDelegate() {}
-
- // This will instanciate a policy suitable for the test we want to run. It is
- // guaranteed to only be called from the child process that will run the
- // test.
- virtual scoped_ptr<bpf_dsl::Policy> GetSandboxBPFPolicy() = 0;
- // This will be called from a child process with the BPF sandbox turned on.
- virtual void RunTestFunction() = 0;
-
- private:
- DISALLOW_COPY_AND_ASSIGN(BPFTesterDelegate);
-};
-
-// This class implements the SandboxTestRunner interface and Run() will
-// initialize a seccomp-bpf sandbox (specified by |bpf_tester_delegate|) and
-// run a test function (via |bpf_tester_delegate|) if the current kernel
-// configuration allows it. If it can not run the test under seccomp-bpf,
-// Run() will still compile the policy which should allow to get some coverage
-// under tools such as Valgrind.
-class SandboxBPFTestRunner : public SandboxTestRunner {
- public:
- // This constructor takes ownership of the |bpf_tester_delegate| object.
- // (It doesn't take a scoped_ptr since they make polymorphism verbose).
- explicit SandboxBPFTestRunner(BPFTesterDelegate* bpf_tester_delegate);
- ~SandboxBPFTestRunner() override;
-
- void Run() override;
-
- bool ShouldCheckForLeaks() const override;
-
- private:
- scoped_ptr<BPFTesterDelegate> bpf_tester_delegate_;
- DISALLOW_COPY_AND_ASSIGN(SandboxBPFTestRunner);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_SECCOMP_BPF_SANDBOX_BPF_TEST_RUNNER_H_
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.cc
deleted file mode 100644
index bc6461f11..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.cc
+++ /dev/null
@@ -1,421 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/seccomp-bpf/syscall.h"
-
-#include <errno.h>
-#include <stdint.h>
-
-#include "base/logging.h"
-#include "sandbox/linux/bpf_dsl/seccomp_macros.h"
-
-namespace sandbox {
-
-namespace {
-
-#if defined(ARCH_CPU_X86_FAMILY) || defined(ARCH_CPU_ARM_FAMILY) || \
- defined(ARCH_CPU_MIPS_FAMILY)
-// Number that's not currently used by any Linux kernel ABIs.
-const int kInvalidSyscallNumber = 0x351d3;
-#else
-#error Unrecognized architecture
-#endif
-
-asm(// We need to be able to tell the kernel exactly where we made a
- // system call. The C++ compiler likes to sometimes clone or
- // inline code, which would inadvertently end up duplicating
- // the entry point.
- // "gcc" can suppress code duplication with suitable function
- // attributes, but "clang" doesn't have this ability.
- // The "clang" developer mailing list suggested that the correct
- // and portable solution is a file-scope assembly block.
- // N.B. We do mark our code as a proper function so that backtraces
- // work correctly. But we make absolutely no attempt to use the
- // ABI's calling conventions for passing arguments. We will only
- // ever be called from assembly code and thus can pick more
- // suitable calling conventions.
-#if defined(__i386__)
- ".text\n"
- ".align 16, 0x90\n"
- ".type SyscallAsm, @function\n"
- "SyscallAsm:.cfi_startproc\n"
- // Check if "%eax" is negative. If so, do not attempt to make a
- // system call. Instead, compute the return address that is visible
- // to the kernel after we execute "int $0x80". This address can be
- // used as a marker that BPF code inspects.
- "test %eax, %eax\n"
- "jge 1f\n"
- // Always, make sure that our code is position-independent, or
- // address space randomization might not work on i386. This means,
- // we can't use "lea", but instead have to rely on "call/pop".
- "call 0f; .cfi_adjust_cfa_offset 4\n"
- "0:pop %eax; .cfi_adjust_cfa_offset -4\n"
- "addl $2f-0b, %eax\n"
- "ret\n"
- // Save register that we don't want to clobber. On i386, we need to
- // save relatively aggressively, as there are a couple or registers
- // that are used internally (e.g. %ebx for position-independent
- // code, and %ebp for the frame pointer), and as we need to keep at
- // least a few registers available for the register allocator.
- "1:push %esi; .cfi_adjust_cfa_offset 4; .cfi_rel_offset esi, 0\n"
- "push %edi; .cfi_adjust_cfa_offset 4; .cfi_rel_offset edi, 0\n"
- "push %ebx; .cfi_adjust_cfa_offset 4; .cfi_rel_offset ebx, 0\n"
- "push %ebp; .cfi_adjust_cfa_offset 4; .cfi_rel_offset ebp, 0\n"
- // Copy entries from the array holding the arguments into the
- // correct CPU registers.
- "movl 0(%edi), %ebx\n"
- "movl 4(%edi), %ecx\n"
- "movl 8(%edi), %edx\n"
- "movl 12(%edi), %esi\n"
- "movl 20(%edi), %ebp\n"
- "movl 16(%edi), %edi\n"
- // Enter the kernel.
- "int $0x80\n"
- // This is our "magic" return address that the BPF filter sees.
- "2:"
- // Restore any clobbered registers that we didn't declare to the
- // compiler.
- "pop %ebp; .cfi_restore ebp; .cfi_adjust_cfa_offset -4\n"
- "pop %ebx; .cfi_restore ebx; .cfi_adjust_cfa_offset -4\n"
- "pop %edi; .cfi_restore edi; .cfi_adjust_cfa_offset -4\n"
- "pop %esi; .cfi_restore esi; .cfi_adjust_cfa_offset -4\n"
- "ret\n"
- ".cfi_endproc\n"
- "9:.size SyscallAsm, 9b-SyscallAsm\n"
-#elif defined(__x86_64__)
- ".text\n"
- ".align 16, 0x90\n"
- ".type SyscallAsm, @function\n"
- "SyscallAsm:.cfi_startproc\n"
- // Check if "%rdi" is negative. If so, do not attempt to make a
- // system call. Instead, compute the return address that is visible
- // to the kernel after we execute "syscall". This address can be
- // used as a marker that BPF code inspects.
- "test %rdi, %rdi\n"
- "jge 1f\n"
- // Always make sure that our code is position-independent, or the
- // linker will throw a hissy fit on x86-64.
- "lea 2f(%rip), %rax\n"
- "ret\n"
- // Now we load the registers used to pass arguments to the system
- // call: system call number in %rax, and arguments in %rdi, %rsi,
- // %rdx, %r10, %r8, %r9. Note: These are all caller-save registers
- // (only %rbx, %rbp, %rsp, and %r12-%r15 are callee-save), so no
- // need to worry here about spilling registers or CFI directives.
- "1:movq %rdi, %rax\n"
- "movq 0(%rsi), %rdi\n"
- "movq 16(%rsi), %rdx\n"
- "movq 24(%rsi), %r10\n"
- "movq 32(%rsi), %r8\n"
- "movq 40(%rsi), %r9\n"
- "movq 8(%rsi), %rsi\n"
- // Enter the kernel.
- "syscall\n"
- // This is our "magic" return address that the BPF filter sees.
- "2:ret\n"
- ".cfi_endproc\n"
- "9:.size SyscallAsm, 9b-SyscallAsm\n"
-#elif defined(__arm__)
- // Throughout this file, we use the same mode (ARM vs. thumb)
- // that the C++ compiler uses. This means, when transfering control
- // from C++ to assembly code, we do not need to switch modes (e.g.
- // by using the "bx" instruction). It also means that our assembly
- // code should not be invoked directly from code that lives in
- // other compilation units, as we don't bother implementing thumb
- // interworking. That's OK, as we don't make any of the assembly
- // symbols public. They are all local to this file.
- ".text\n"
- ".align 2\n"
- ".type SyscallAsm, %function\n"
-#if defined(__thumb__)
- ".thumb_func\n"
-#else
- ".arm\n"
-#endif
- "SyscallAsm:\n"
-#if !defined(__native_client_nonsfi__)
- // .fnstart and .fnend pseudo operations creates unwind table.
- // It also creates a reference to the symbol __aeabi_unwind_cpp_pr0, which
- // is not provided by PNaCl toolchain. Disable it.
- ".fnstart\n"
-#endif
- "@ args = 0, pretend = 0, frame = 8\n"
- "@ frame_needed = 1, uses_anonymous_args = 0\n"
-#if defined(__thumb__)
- ".cfi_startproc\n"
- "push {r7, lr}\n"
- ".save {r7, lr}\n"
- ".cfi_offset 14, -4\n"
- ".cfi_offset 7, -8\n"
- ".cfi_def_cfa_offset 8\n"
-#else
- "stmfd sp!, {fp, lr}\n"
- "add fp, sp, #4\n"
-#endif
- // Check if "r0" is negative. If so, do not attempt to make a
- // system call. Instead, compute the return address that is visible
- // to the kernel after we execute "swi 0". This address can be
- // used as a marker that BPF code inspects.
- "cmp r0, #0\n"
- "bge 1f\n"
- "adr r0, 2f\n"
- "b 2f\n"
- // We declared (almost) all clobbered registers to the compiler. On
- // ARM there is no particular register pressure. So, we can go
- // ahead and directly copy the entries from the arguments array
- // into the appropriate CPU registers.
- "1:ldr r5, [r6, #20]\n"
- "ldr r4, [r6, #16]\n"
- "ldr r3, [r6, #12]\n"
- "ldr r2, [r6, #8]\n"
- "ldr r1, [r6, #4]\n"
- "mov r7, r0\n"
- "ldr r0, [r6, #0]\n"
- // Enter the kernel
- "swi 0\n"
-// Restore the frame pointer. Also restore the program counter from
-// the link register; this makes us return to the caller.
-#if defined(__thumb__)
- "2:pop {r7, pc}\n"
- ".cfi_endproc\n"
-#else
- "2:ldmfd sp!, {fp, pc}\n"
-#endif
-#if !defined(__native_client_nonsfi__)
- // Do not use .fnstart and .fnend for PNaCl toolchain. See above comment,
- // for more details.
- ".fnend\n"
-#endif
- "9:.size SyscallAsm, 9b-SyscallAsm\n"
-#elif defined(__mips__)
- ".text\n"
- ".align 4\n"
- ".type SyscallAsm, @function\n"
- "SyscallAsm:.ent SyscallAsm\n"
- ".frame $sp, 40, $ra\n"
- ".set push\n"
- ".set noreorder\n"
- "addiu $sp, $sp, -40\n"
- "sw $ra, 36($sp)\n"
- // Check if "v0" is negative. If so, do not attempt to make a
- // system call. Instead, compute the return address that is visible
- // to the kernel after we execute "syscall". This address can be
- // used as a marker that BPF code inspects.
- "bgez $v0, 1f\n"
- " nop\n"
- "la $v0, 2f\n"
- "b 2f\n"
- " nop\n"
- // On MIPS first four arguments go to registers a0 - a3 and any
- // argument after that goes to stack. We can go ahead and directly
- // copy the entries from the arguments array into the appropriate
- // CPU registers and on the stack.
- "1:lw $a3, 28($a0)\n"
- "lw $a2, 24($a0)\n"
- "lw $a1, 20($a0)\n"
- "lw $t0, 16($a0)\n"
- "sw $a3, 28($sp)\n"
- "sw $a2, 24($sp)\n"
- "sw $a1, 20($sp)\n"
- "sw $t0, 16($sp)\n"
- "lw $a3, 12($a0)\n"
- "lw $a2, 8($a0)\n"
- "lw $a1, 4($a0)\n"
- "lw $a0, 0($a0)\n"
- // Enter the kernel
- "syscall\n"
- // This is our "magic" return address that the BPF filter sees.
- // Restore the return address from the stack.
- "2:lw $ra, 36($sp)\n"
- "jr $ra\n"
- " addiu $sp, $sp, 40\n"
- ".set pop\n"
- ".end SyscallAsm\n"
- ".size SyscallAsm,.-SyscallAsm\n"
-#elif defined(__aarch64__)
- ".text\n"
- ".align 2\n"
- ".type SyscallAsm, %function\n"
- "SyscallAsm:\n"
- ".cfi_startproc\n"
- "cmp x0, #0\n"
- "b.ge 1f\n"
- "adr x0,2f\n"
- "b 2f\n"
- "1:ldr x5, [x6, #40]\n"
- "ldr x4, [x6, #32]\n"
- "ldr x3, [x6, #24]\n"
- "ldr x2, [x6, #16]\n"
- "ldr x1, [x6, #8]\n"
- "mov x8, x0\n"
- "ldr x0, [x6, #0]\n"
- // Enter the kernel
- "svc 0\n"
- "2:ret\n"
- ".cfi_endproc\n"
- ".size SyscallAsm, .-SyscallAsm\n"
-#endif
- ); // asm
-
-#if defined(__x86_64__)
-extern "C" {
-intptr_t SyscallAsm(intptr_t nr, const intptr_t args[6]);
-}
-#endif
-
-} // namespace
-
-intptr_t Syscall::InvalidCall() {
- // Explicitly pass eight zero arguments just in case.
- return Call(kInvalidSyscallNumber, 0, 0, 0, 0, 0, 0, 0, 0);
-}
-
-intptr_t Syscall::Call(int nr,
- intptr_t p0,
- intptr_t p1,
- intptr_t p2,
- intptr_t p3,
- intptr_t p4,
- intptr_t p5,
- intptr_t p6,
- intptr_t p7) {
- // We rely on "intptr_t" to be the exact size as a "void *". This is
- // typically true, but just in case, we add a check. The language
- // specification allows platforms some leeway in cases, where
- // "sizeof(void *)" is not the same as "sizeof(void (*)())". We expect
- // that this would only be an issue for IA64, which we are currently not
- // planning on supporting. And it is even possible that this would work
- // on IA64, but for lack of actual hardware, I cannot test.
- static_assert(sizeof(void*) == sizeof(intptr_t),
- "pointer types and intptr_t must be exactly the same size");
-
- // TODO(nedeljko): Enable use of more than six parameters on architectures
- // where that makes sense.
-#if defined(__mips__)
- const intptr_t args[8] = {p0, p1, p2, p3, p4, p5, p6, p7};
-#else
- DCHECK_EQ(p6, 0) << " Support for syscalls with more than six arguments not "
- "added for this architecture";
- DCHECK_EQ(p7, 0) << " Support for syscalls with more than six arguments not "
- "added for this architecture";
- const intptr_t args[6] = {p0, p1, p2, p3, p4, p5};
-#endif // defined(__mips__)
-
-// Invoke our file-scope assembly code. The constraints have been picked
-// carefully to match what the rest of the assembly code expects in input,
-// output, and clobbered registers.
-#if defined(__i386__)
- intptr_t ret = nr;
- asm volatile(
- "call SyscallAsm\n"
- // N.B. These are not the calling conventions normally used by the ABI.
- : "=a"(ret)
- : "0"(ret), "D"(args)
- : "cc", "esp", "memory", "ecx", "edx");
-#elif defined(__x86_64__)
- intptr_t ret = SyscallAsm(nr, args);
-#elif defined(__arm__)
- intptr_t ret;
- {
- register intptr_t inout __asm__("r0") = nr;
- register const intptr_t* data __asm__("r6") = args;
- asm volatile(
- "bl SyscallAsm\n"
- // N.B. These are not the calling conventions normally used by the ABI.
- : "=r"(inout)
- : "0"(inout), "r"(data)
- : "cc",
- "lr",
- "memory",
- "r1",
- "r2",
- "r3",
- "r4",
- "r5"
-#if !defined(__thumb__)
- // In thumb mode, we cannot use "r7" as a general purpose register, as
- // it is our frame pointer. We have to manually manage and preserve
- // it.
- // In ARM mode, we have a dedicated frame pointer register and "r7" is
- // thus available as a general purpose register. We don't preserve it,
- // but instead mark it as clobbered.
- ,
- "r7"
-#endif // !defined(__thumb__)
- );
- ret = inout;
- }
-#elif defined(__mips__)
- int err_status;
- intptr_t ret = Syscall::SandboxSyscallRaw(nr, args, &err_status);
-
- if (err_status) {
- // On error, MIPS returns errno from syscall instead of -errno.
- // The purpose of this negation is for SandboxSyscall() to behave
- // more like it would on other architectures.
- ret = -ret;
- }
-#elif defined(__aarch64__)
- intptr_t ret;
- {
- register intptr_t inout __asm__("x0") = nr;
- register const intptr_t* data __asm__("x6") = args;
- asm volatile("bl SyscallAsm\n"
- : "=r"(inout)
- : "0"(inout), "r"(data)
- : "memory", "x1", "x2", "x3", "x4", "x5", "x8", "x30");
- ret = inout;
- }
-
-#else
-#error "Unimplemented architecture"
-#endif
- return ret;
-}
-
-void Syscall::PutValueInUcontext(intptr_t ret_val, ucontext_t* ctx) {
-#if defined(__mips__)
- // Mips ABI states that on error a3 CPU register has non zero value and if
- // there is no error, it should be zero.
- if (ret_val <= -1 && ret_val >= -4095) {
- // |ret_val| followes the Syscall::Call() convention of being -errno on
- // errors. In order to write correct value to return register this sign
- // needs to be changed back.
- ret_val = -ret_val;
- SECCOMP_PARM4(ctx) = 1;
- } else
- SECCOMP_PARM4(ctx) = 0;
-#endif
- SECCOMP_RESULT(ctx) = static_cast<greg_t>(ret_val);
-}
-
-#if defined(__mips__)
-intptr_t Syscall::SandboxSyscallRaw(int nr,
- const intptr_t* args,
- intptr_t* err_ret) {
- register intptr_t ret __asm__("v0") = nr;
- // a3 register becomes non zero on error.
- register intptr_t err_stat __asm__("a3") = 0;
- {
- register const intptr_t* data __asm__("a0") = args;
- asm volatile(
- "la $t9, SyscallAsm\n"
- "jalr $t9\n"
- " nop\n"
- : "=r"(ret), "=r"(err_stat)
- : "0"(ret),
- "r"(data)
- // a2 is in the clober list so inline assembly can not change its
- // value.
- : "memory", "ra", "t9", "a2");
- }
-
- // Set an error status so it can be used outside of this function
- *err_ret = err_stat;
-
- return ret;
-}
-#endif // defined(__mips__)
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.h b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.h
deleted file mode 100644
index ccfc88dcb..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall.h
+++ /dev/null
@@ -1,166 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__
-#define SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__
-
-#include <signal.h>
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "sandbox/linux/system_headers/linux_signal.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-
-// This purely static class can be used to perform system calls with some
-// low-level control.
-class SANDBOX_EXPORT Syscall {
- public:
- // InvalidCall() invokes Call() with a platform-appropriate syscall
- // number that is guaranteed to not be implemented (i.e., normally
- // returns -ENOSYS).
- // This is primarily meant to be useful for writing sandbox policy
- // unit tests.
- static intptr_t InvalidCall();
-
- // System calls can take up to six parameters (up to eight on some
- // architectures). Traditionally, glibc
- // implements this property by using variadic argument lists. This works, but
- // confuses modern tools such as valgrind, because we are nominally passing
- // uninitialized data whenever we call through this function and pass less
- // than the full six arguments.
- // So, instead, we use C++'s template system to achieve a very similar
- // effect. C++ automatically sets the unused parameters to zero for us, and
- // it also does the correct type expansion (e.g. from 32bit to 64bit) where
- // necessary.
- // We have to use C-style cast operators as we want to be able to accept both
- // integer and pointer types.
- template <class T0,
- class T1,
- class T2,
- class T3,
- class T4,
- class T5,
- class T6,
- class T7>
- static inline intptr_t
- Call(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5, T6 p6, T7 p7) {
- return Call(nr,
- (intptr_t)p0,
- (intptr_t)p1,
- (intptr_t)p2,
- (intptr_t)p3,
- (intptr_t)p4,
- (intptr_t)p5,
- (intptr_t)p6,
- (intptr_t)p7);
- }
-
- template <class T0,
- class T1,
- class T2,
- class T3,
- class T4,
- class T5,
- class T6>
- static inline intptr_t
- Call(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5, T6 p6) {
- return Call(nr,
- (intptr_t)p0,
- (intptr_t)p1,
- (intptr_t)p2,
- (intptr_t)p3,
- (intptr_t)p4,
- (intptr_t)p5,
- (intptr_t)p6,
- 0);
- }
-
- template <class T0, class T1, class T2, class T3, class T4, class T5>
- static inline intptr_t
- Call(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4, T5 p5) {
- return Call(nr,
- (intptr_t)p0,
- (intptr_t)p1,
- (intptr_t)p2,
- (intptr_t)p3,
- (intptr_t)p4,
- (intptr_t)p5,
- 0,
- 0);
- }
-
- template <class T0, class T1, class T2, class T3, class T4>
- static inline intptr_t Call(int nr, T0 p0, T1 p1, T2 p2, T3 p3, T4 p4) {
- return Call(nr, p0, p1, p2, p3, p4, 0, 0, 0);
- }
-
- template <class T0, class T1, class T2, class T3>
- static inline intptr_t Call(int nr, T0 p0, T1 p1, T2 p2, T3 p3) {
- return Call(nr, p0, p1, p2, p3, 0, 0, 0, 0);
- }
-
- template <class T0, class T1, class T2>
- static inline intptr_t Call(int nr, T0 p0, T1 p1, T2 p2) {
- return Call(nr, p0, p1, p2, 0, 0, 0, 0, 0);
- }
-
- template <class T0, class T1>
- static inline intptr_t Call(int nr, T0 p0, T1 p1) {
- return Call(nr, p0, p1, 0, 0, 0, 0, 0, 0);
- }
-
- template <class T0>
- static inline intptr_t Call(int nr, T0 p0) {
- return Call(nr, p0, 0, 0, 0, 0, 0, 0, 0);
- }
-
- static inline intptr_t Call(int nr) {
- return Call(nr, 0, 0, 0, 0, 0, 0, 0, 0);
- }
-
- // Set the registers in |ctx| to match what they would be after a system call
- // returning |ret_val|. |ret_val| must follow the Syscall::Call() convention
- // of being -errno on errors.
- static void PutValueInUcontext(intptr_t ret_val, ucontext_t* ctx);
-
- private:
- // This performs system call |nr| with the arguments p0 to p7 from a constant
- // userland address, which is for instance observable by seccomp-bpf filters.
- // The constant userland address from which these system calls are made will
- // be returned if |nr| is passed as -1.
- // On error, this function will return a value between -1 and -4095 which
- // should be interpreted as -errno.
- static intptr_t Call(int nr,
- intptr_t p0,
- intptr_t p1,
- intptr_t p2,
- intptr_t p3,
- intptr_t p4,
- intptr_t p5,
- intptr_t p6,
- intptr_t p7);
-
-#if defined(__mips__)
- // This function basically does on MIPS what SandboxSyscall() is doing on
- // other architectures. However, because of specificity of MIPS regarding
- // handling syscall errors, SandboxSyscall() is made as a wrapper for this
- // function in order for SandboxSyscall() to behave more like on other
- // architectures on places where return value from SandboxSyscall() is used
- // directly (like in most tests).
- // The syscall "nr" is called with arguments that are set in an array on which
- // pointer "args" points to and an information weather there is an error or no
- // is returned to SandboxSyscall() by err_stat.
- static intptr_t SandboxSyscallRaw(int nr,
- const intptr_t* args,
- intptr_t* err_stat);
-#endif // defined(__mips__)
-
- DISALLOW_IMPLICIT_CONSTRUCTORS(Syscall);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_SECCOMP_BPF_SYSCALL_H__
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc
deleted file mode 100644
index 01336f9b6..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/syscall_unittest.cc
+++ /dev/null
@@ -1,244 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/seccomp-bpf/syscall.h"
-
-#include <asm/unistd.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <stddef.h>
-#include <stdint.h>
-#include <sys/mman.h>
-#include <sys/syscall.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include <vector>
-
-#include "base/macros.h"
-#include "base/posix/eintr_wrapper.h"
-#include "build/build_config.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
-#include "sandbox/linux/bpf_dsl/policy.h"
-#include "sandbox/linux/seccomp-bpf/bpf_tests.h"
-#include "sandbox/linux/seccomp-bpf/sandbox_bpf.h"
-#include "sandbox/linux/tests/unit_tests.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-using sandbox::bpf_dsl::Allow;
-using sandbox::bpf_dsl::ResultExpr;
-using sandbox::bpf_dsl::Trap;
-
-namespace sandbox {
-
-namespace {
-
-// Different platforms use different symbols for the six-argument version
-// of the mmap() system call. Test for the correct symbol at compile time.
-#ifdef __NR_mmap2
-const int kMMapNr = __NR_mmap2;
-#else
-const int kMMapNr = __NR_mmap;
-#endif
-
-TEST(Syscall, InvalidCallReturnsENOSYS) {
- EXPECT_EQ(-ENOSYS, Syscall::InvalidCall());
-}
-
-TEST(Syscall, WellKnownEntryPoint) {
-// Test that Syscall::Call(-1) is handled specially. Don't do this on ARM,
-// where syscall(-1) crashes with SIGILL. Not running the test is fine, as we
-// are still testing ARM code in the next set of tests.
-#if !defined(__arm__) && !defined(__aarch64__)
- EXPECT_NE(Syscall::Call(-1), syscall(-1));
-#endif
-
-// If possible, test that Syscall::Call(-1) returns the address right
-// after
-// a kernel entry point.
-#if defined(__i386__)
- EXPECT_EQ(0x80CDu, ((uint16_t*)Syscall::Call(-1))[-1]); // INT 0x80
-#elif defined(__x86_64__)
- EXPECT_EQ(0x050Fu, ((uint16_t*)Syscall::Call(-1))[-1]); // SYSCALL
-#elif defined(__arm__)
-#if defined(__thumb__)
- EXPECT_EQ(0xDF00u, ((uint16_t*)Syscall::Call(-1))[-1]); // SWI 0
-#else
- EXPECT_EQ(0xEF000000u, ((uint32_t*)Syscall::Call(-1))[-1]); // SVC 0
-#endif
-#elif defined(__mips__)
- // Opcode for MIPS sycall is in the lower 16-bits
- EXPECT_EQ(0x0cu, (((uint32_t*)Syscall::Call(-1))[-1]) & 0x0000FFFF);
-#elif defined(__aarch64__)
- EXPECT_EQ(0xD4000001u, ((uint32_t*)Syscall::Call(-1))[-1]); // SVC 0
-#else
-#warning Incomplete test case; need port for target platform
-#endif
-}
-
-TEST(Syscall, TrivialSyscallNoArgs) {
- // Test that we can do basic system calls
- EXPECT_EQ(Syscall::Call(__NR_getpid), syscall(__NR_getpid));
-}
-
-TEST(Syscall, TrivialSyscallOneArg) {
- int new_fd;
- // Duplicate standard error and close it.
- ASSERT_GE(new_fd = Syscall::Call(__NR_dup, 2), 0);
- int close_return_value = IGNORE_EINTR(Syscall::Call(__NR_close, new_fd));
- ASSERT_EQ(close_return_value, 0);
-}
-
-TEST(Syscall, TrivialFailingSyscall) {
- errno = -42;
- int ret = Syscall::Call(__NR_dup, -1);
- ASSERT_EQ(-EBADF, ret);
- // Verify that Syscall::Call does not touch errno.
- ASSERT_EQ(-42, errno);
-}
-
-// SIGSYS trap handler that will be called on __NR_uname.
-intptr_t CopySyscallArgsToAux(const struct arch_seccomp_data& args, void* aux) {
- // |aux| is our BPF_AUX pointer.
- std::vector<uint64_t>* const seen_syscall_args =
- static_cast<std::vector<uint64_t>*>(aux);
- BPF_ASSERT(arraysize(args.args) == 6);
- seen_syscall_args->assign(args.args, args.args + arraysize(args.args));
- return -ENOMEM;
-}
-
-class CopyAllArgsOnUnamePolicy : public bpf_dsl::Policy {
- public:
- explicit CopyAllArgsOnUnamePolicy(std::vector<uint64_t>* aux) : aux_(aux) {}
- ~CopyAllArgsOnUnamePolicy() override {}
-
- ResultExpr EvaluateSyscall(int sysno) const override {
- DCHECK(SandboxBPF::IsValidSyscallNumber(sysno));
- if (sysno == __NR_uname) {
- return Trap(CopySyscallArgsToAux, aux_);
- } else {
- return Allow();
- }
- }
-
- private:
- std::vector<uint64_t>* aux_;
-
- DISALLOW_COPY_AND_ASSIGN(CopyAllArgsOnUnamePolicy);
-};
-
-// We are testing Syscall::Call() by making use of a BPF filter that
-// allows us
-// to inspect the system call arguments that the kernel saw.
-BPF_TEST(Syscall,
- SyntheticSixArgs,
- CopyAllArgsOnUnamePolicy,
- std::vector<uint64_t> /* (*BPF_AUX) */) {
- const int kExpectedValue = 42;
- // In this test we only pass integers to the kernel. We might want to make
- // additional tests to try other types. What we will see depends on
- // implementation details of kernel BPF filters and we will need to document
- // the expected behavior very clearly.
- int syscall_args[6];
- for (size_t i = 0; i < arraysize(syscall_args); ++i) {
- syscall_args[i] = kExpectedValue + i;
- }
-
- // We could use pretty much any system call we don't need here. uname() is
- // nice because it doesn't have any dangerous side effects.
- BPF_ASSERT(Syscall::Call(__NR_uname,
- syscall_args[0],
- syscall_args[1],
- syscall_args[2],
- syscall_args[3],
- syscall_args[4],
- syscall_args[5]) == -ENOMEM);
-
- // We expect the trap handler to have copied the 6 arguments.
- BPF_ASSERT(BPF_AUX->size() == 6);
-
- // Don't loop here so that we can see which argument does cause the failure
- // easily from the failing line.
- // uint64_t is the type passed to our SIGSYS handler.
- BPF_ASSERT((*BPF_AUX)[0] == static_cast<uint64_t>(syscall_args[0]));
- BPF_ASSERT((*BPF_AUX)[1] == static_cast<uint64_t>(syscall_args[1]));
- BPF_ASSERT((*BPF_AUX)[2] == static_cast<uint64_t>(syscall_args[2]));
- BPF_ASSERT((*BPF_AUX)[3] == static_cast<uint64_t>(syscall_args[3]));
- BPF_ASSERT((*BPF_AUX)[4] == static_cast<uint64_t>(syscall_args[4]));
- BPF_ASSERT((*BPF_AUX)[5] == static_cast<uint64_t>(syscall_args[5]));
-}
-
-TEST(Syscall, ComplexSyscallSixArgs) {
- int fd;
- ASSERT_LE(0,
- fd = Syscall::Call(__NR_openat, AT_FDCWD, "/dev/null", O_RDWR, 0L));
-
- // Use mmap() to allocate some read-only memory
- char* addr0;
- ASSERT_NE(
- (char*)NULL,
- addr0 = reinterpret_cast<char*>(Syscall::Call(kMMapNr,
- (void*)NULL,
- 4096,
- PROT_READ,
- MAP_PRIVATE | MAP_ANONYMOUS,
- fd,
- 0L)));
-
- // Try to replace the existing mapping with a read-write mapping
- char* addr1;
- ASSERT_EQ(addr0,
- addr1 = reinterpret_cast<char*>(
- Syscall::Call(kMMapNr,
- addr0,
- 4096L,
- PROT_READ | PROT_WRITE,
- MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED,
- fd,
- 0L)));
- ++*addr1; // This should not seg fault
-
- // Clean up
- EXPECT_EQ(0, Syscall::Call(__NR_munmap, addr1, 4096L));
- EXPECT_EQ(0, IGNORE_EINTR(Syscall::Call(__NR_close, fd)));
-
- // Check that the offset argument (i.e. the sixth argument) is processed
- // correctly.
- ASSERT_GE(
- fd = Syscall::Call(__NR_openat, AT_FDCWD, "/proc/self/exe", O_RDONLY, 0L),
- 0);
- char* addr2, *addr3;
- ASSERT_NE((char*)NULL,
- addr2 = reinterpret_cast<char*>(Syscall::Call(
- kMMapNr, (void*)NULL, 8192L, PROT_READ, MAP_PRIVATE, fd, 0L)));
- ASSERT_NE((char*)NULL,
- addr3 = reinterpret_cast<char*>(Syscall::Call(kMMapNr,
- (void*)NULL,
- 4096L,
- PROT_READ,
- MAP_PRIVATE,
- fd,
-#if defined(__NR_mmap2)
- 1L
-#else
- 4096L
-#endif
- )));
- EXPECT_EQ(0, memcmp(addr2 + 4096, addr3, 4096));
-
- // Just to be absolutely on the safe side, also verify that the file
- // contents matches what we are getting from a read() operation.
- char buf[8192];
- EXPECT_EQ(8192, Syscall::Call(__NR_read, fd, buf, 8192L));
- EXPECT_EQ(0, memcmp(addr2, buf, 8192));
-
- // Clean up
- EXPECT_EQ(0, Syscall::Call(__NR_munmap, addr2, 8192L));
- EXPECT_EQ(0, Syscall::Call(__NR_munmap, addr3, 4096L));
- EXPECT_EQ(0, IGNORE_EINTR(Syscall::Call(__NR_close, fd)));
-}
-
-} // namespace
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
deleted file mode 100644
index 003708d2c..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.cc
+++ /dev/null
@@ -1,387 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/seccomp-bpf/trap.h"
-
-#include <errno.h>
-#include <signal.h>
-#include <stddef.h>
-#include <stdint.h>
-#include <string.h>
-#include <sys/syscall.h>
-
-#include <algorithm>
-#include <limits>
-#include <tuple>
-
-#include "base/compiler_specific.h"
-#include "base/logging.h"
-#include "build/build_config.h"
-#include "sandbox/linux/bpf_dsl/seccomp_macros.h"
-#include "sandbox/linux/seccomp-bpf/die.h"
-#include "sandbox/linux/seccomp-bpf/syscall.h"
-#include "sandbox/linux/services/syscall_wrappers.h"
-#include "sandbox/linux/system_headers/linux_seccomp.h"
-#include "sandbox/linux/system_headers/linux_signal.h"
-
-namespace {
-
-struct arch_sigsys {
- void* ip;
- int nr;
- unsigned int arch;
-};
-
-const int kCapacityIncrement = 20;
-
-// Unsafe traps can only be turned on, if the user explicitly allowed them
-// by setting the CHROME_SANDBOX_DEBUGGING environment variable.
-const char kSandboxDebuggingEnv[] = "CHROME_SANDBOX_DEBUGGING";
-
-// We need to tell whether we are performing a "normal" callback, or
-// whether we were called recursively from within a UnsafeTrap() callback.
-// This is a little tricky to do, because we need to somehow get access to
-// per-thread data from within a signal context. Normal TLS storage is not
-// safely accessible at this time. We could roll our own, but that involves
-// a lot of complexity. Instead, we co-opt one bit in the signal mask.
-// If BUS is blocked, we assume that we have been called recursively.
-// There is a possibility for collision with other code that needs to do
-// this, but in practice the risks are low.
-// If SIGBUS turns out to be a problem, we could instead co-opt one of the
-// realtime signals. There are plenty of them. Unfortunately, there is no
-// way to mark a signal as allocated. So, the potential for collision is
-// possibly even worse.
-bool GetIsInSigHandler(const ucontext_t* ctx) {
- // Note: on Android, sigismember does not take a pointer to const.
- return sigismember(const_cast<sigset_t*>(&ctx->uc_sigmask), LINUX_SIGBUS);
-}
-
-void SetIsInSigHandler() {
- sigset_t mask;
- if (sigemptyset(&mask) || sigaddset(&mask, LINUX_SIGBUS) ||
- sandbox::sys_sigprocmask(LINUX_SIG_BLOCK, &mask, NULL)) {
- SANDBOX_DIE("Failed to block SIGBUS");
- }
-}
-
-bool IsDefaultSignalAction(const struct sigaction& sa) {
- if (sa.sa_flags & SA_SIGINFO || sa.sa_handler != SIG_DFL) {
- return false;
- }
- return true;
-}
-
-} // namespace
-
-namespace sandbox {
-
-Trap::Trap()
- : trap_array_(NULL),
- trap_array_size_(0),
- trap_array_capacity_(0),
- has_unsafe_traps_(false) {
- // Set new SIGSYS handler
- struct sigaction sa = {};
- // In some toolchain, sa_sigaction is not declared in struct sigaction.
- // So, here cast the pointer to the sa_handler's type. This works because
- // |sa_handler| and |sa_sigaction| shares the same memory.
- sa.sa_handler = reinterpret_cast<void (*)(int)>(SigSysAction);
- sa.sa_flags = LINUX_SA_SIGINFO | LINUX_SA_NODEFER;
- struct sigaction old_sa = {};
- if (sys_sigaction(LINUX_SIGSYS, &sa, &old_sa) < 0) {
- SANDBOX_DIE("Failed to configure SIGSYS handler");
- }
-
- if (!IsDefaultSignalAction(old_sa)) {
- static const char kExistingSIGSYSMsg[] =
- "Existing signal handler when trying to install SIGSYS. SIGSYS needs "
- "to be reserved for seccomp-bpf.";
- DLOG(FATAL) << kExistingSIGSYSMsg;
- LOG(ERROR) << kExistingSIGSYSMsg;
- }
-
- // Unmask SIGSYS
- sigset_t mask;
- if (sigemptyset(&mask) || sigaddset(&mask, LINUX_SIGSYS) ||
- sys_sigprocmask(LINUX_SIG_UNBLOCK, &mask, NULL)) {
- SANDBOX_DIE("Failed to configure SIGSYS handler");
- }
-}
-
-bpf_dsl::TrapRegistry* Trap::Registry() {
- // Note: This class is not thread safe. It is the caller's responsibility
- // to avoid race conditions. Normally, this is a non-issue as the sandbox
- // can only be initialized if there are no other threads present.
- // Also, this is not a normal singleton. Once created, the global trap
- // object must never be destroyed again.
- if (!global_trap_) {
- global_trap_ = new Trap();
- if (!global_trap_) {
- SANDBOX_DIE("Failed to allocate global trap handler");
- }
- }
- return global_trap_;
-}
-
-void Trap::SigSysAction(int nr, LinuxSigInfo* info, void* void_context) {
- if (info) {
- MSAN_UNPOISON(info, sizeof(*info));
- }
-
- // Obtain the signal context. This, most notably, gives us access to
- // all CPU registers at the time of the signal.
- ucontext_t* ctx = reinterpret_cast<ucontext_t*>(void_context);
- if (ctx) {
- MSAN_UNPOISON(ctx, sizeof(*ctx));
- }
-
- if (!global_trap_) {
- RAW_SANDBOX_DIE(
- "This can't happen. Found no global singleton instance "
- "for Trap() handling.");
- }
- global_trap_->SigSys(nr, info, ctx);
-}
-
-void Trap::SigSys(int nr, LinuxSigInfo* info, ucontext_t* ctx) {
- // Signal handlers should always preserve "errno". Otherwise, we could
- // trigger really subtle bugs.
- const int old_errno = errno;
-
- // Various sanity checks to make sure we actually received a signal
- // triggered by a BPF filter. If something else triggered SIGSYS
- // (e.g. kill()), there is really nothing we can do with this signal.
- if (nr != LINUX_SIGSYS || info->si_code != SYS_SECCOMP || !ctx ||
- info->si_errno <= 0 ||
- static_cast<size_t>(info->si_errno) > trap_array_size_) {
- // ATI drivers seem to send SIGSYS, so this cannot be FATAL.
- // See crbug.com/178166.
- // TODO(jln): add a DCHECK or move back to FATAL.
- RAW_LOG(ERROR, "Unexpected SIGSYS received.");
- errno = old_errno;
- return;
- }
-
-
- // Obtain the siginfo information that is specific to SIGSYS. Unfortunately,
- // most versions of glibc don't include this information in siginfo_t. So,
- // we need to explicitly copy it into a arch_sigsys structure.
- struct arch_sigsys sigsys;
- memcpy(&sigsys, &info->_sifields, sizeof(sigsys));
-
-#if defined(__mips__)
- // When indirect syscall (syscall(__NR_foo, ...)) is made on Mips, the
- // number in register SECCOMP_SYSCALL(ctx) is always __NR_syscall and the
- // real number of a syscall (__NR_foo) is in SECCOMP_PARM1(ctx)
- bool sigsys_nr_is_bad = sigsys.nr != static_cast<int>(SECCOMP_SYSCALL(ctx)) &&
- sigsys.nr != static_cast<int>(SECCOMP_PARM1(ctx));
-#else
- bool sigsys_nr_is_bad = sigsys.nr != static_cast<int>(SECCOMP_SYSCALL(ctx));
-#endif
-
- // Some more sanity checks.
- if (sigsys.ip != reinterpret_cast<void*>(SECCOMP_IP(ctx)) ||
- sigsys_nr_is_bad || sigsys.arch != SECCOMP_ARCH) {
- // TODO(markus):
- // SANDBOX_DIE() can call LOG(FATAL). This is not normally async-signal
- // safe and can lead to bugs. We should eventually implement a different
- // logging and reporting mechanism that is safe to be called from
- // the sigSys() handler.
- RAW_SANDBOX_DIE("Sanity checks are failing after receiving SIGSYS.");
- }
-
- intptr_t rc;
- if (has_unsafe_traps_ && GetIsInSigHandler(ctx)) {
- errno = old_errno;
- if (sigsys.nr == __NR_clone) {
- RAW_SANDBOX_DIE("Cannot call clone() from an UnsafeTrap() handler.");
- }
-#if defined(__mips__)
- // Mips supports up to eight arguments for syscall.
- // However, seccomp bpf can filter only up to six arguments, so using eight
- // arguments has sense only when using UnsafeTrap() handler.
- rc = Syscall::Call(SECCOMP_SYSCALL(ctx),
- SECCOMP_PARM1(ctx),
- SECCOMP_PARM2(ctx),
- SECCOMP_PARM3(ctx),
- SECCOMP_PARM4(ctx),
- SECCOMP_PARM5(ctx),
- SECCOMP_PARM6(ctx),
- SECCOMP_PARM7(ctx),
- SECCOMP_PARM8(ctx));
-#else
- rc = Syscall::Call(SECCOMP_SYSCALL(ctx),
- SECCOMP_PARM1(ctx),
- SECCOMP_PARM2(ctx),
- SECCOMP_PARM3(ctx),
- SECCOMP_PARM4(ctx),
- SECCOMP_PARM5(ctx),
- SECCOMP_PARM6(ctx));
-#endif // defined(__mips__)
- } else {
- const TrapKey& trap = trap_array_[info->si_errno - 1];
- if (!trap.safe) {
- SetIsInSigHandler();
- }
-
- // Copy the seccomp-specific data into a arch_seccomp_data structure. This
- // is what we are showing to TrapFnc callbacks that the system call
- // evaluator registered with the sandbox.
- struct arch_seccomp_data data = {
- static_cast<int>(SECCOMP_SYSCALL(ctx)),
- SECCOMP_ARCH,
- reinterpret_cast<uint64_t>(sigsys.ip),
- {static_cast<uint64_t>(SECCOMP_PARM1(ctx)),
- static_cast<uint64_t>(SECCOMP_PARM2(ctx)),
- static_cast<uint64_t>(SECCOMP_PARM3(ctx)),
- static_cast<uint64_t>(SECCOMP_PARM4(ctx)),
- static_cast<uint64_t>(SECCOMP_PARM5(ctx)),
- static_cast<uint64_t>(SECCOMP_PARM6(ctx))}};
-
- // Now call the TrapFnc callback associated with this particular instance
- // of SECCOMP_RET_TRAP.
- rc = trap.fnc(data, const_cast<void*>(trap.aux));
- }
-
- // Update the CPU register that stores the return code of the system call
- // that we just handled, and restore "errno" to the value that it had
- // before entering the signal handler.
- Syscall::PutValueInUcontext(rc, ctx);
- errno = old_errno;
-
- return;
-}
-
-bool Trap::TrapKey::operator<(const TrapKey& o) const {
- return std::tie(fnc, aux, safe) < std::tie(o.fnc, o.aux, o.safe);
-}
-
-uint16_t Trap::Add(TrapFnc fnc, const void* aux, bool safe) {
- if (!safe && !SandboxDebuggingAllowedByUser()) {
- // Unless the user set the CHROME_SANDBOX_DEBUGGING environment variable,
- // we never return an ErrorCode that is marked as "unsafe". This also
- // means, the BPF compiler will never emit code that allow unsafe system
- // calls to by-pass the filter (because they use the magic return address
- // from Syscall::Call(-1)).
-
- // This SANDBOX_DIE() can optionally be removed. It won't break security,
- // but it might make error messages from the BPF compiler a little harder
- // to understand. Removing the SANDBOX_DIE() allows callers to easily check
- // whether unsafe traps are supported (by checking whether the returned
- // ErrorCode is ET_INVALID).
- SANDBOX_DIE(
- "Cannot use unsafe traps unless CHROME_SANDBOX_DEBUGGING "
- "is enabled");
-
- return 0;
- }
-
- // Each unique pair of TrapFnc and auxiliary data make up a distinct instance
- // of a SECCOMP_RET_TRAP.
- TrapKey key(fnc, aux, safe);
-
- // We return unique identifiers together with SECCOMP_RET_TRAP. This allows
- // us to associate trap with the appropriate handler. The kernel allows us
- // identifiers in the range from 0 to SECCOMP_RET_DATA (0xFFFF). We want to
- // avoid 0, as it could be confused for a trap without any specific id.
- // The nice thing about sequentially numbered identifiers is that we can also
- // trivially look them up from our signal handler without making any system
- // calls that might be async-signal-unsafe.
- // In order to do so, we store all of our traps in a C-style trap_array_.
-
- TrapIds::const_iterator iter = trap_ids_.find(key);
- if (iter != trap_ids_.end()) {
- // We have seen this pair before. Return the same id that we assigned
- // earlier.
- return iter->second;
- }
-
- // This is a new pair. Remember it and assign a new id.
- if (trap_array_size_ >= SECCOMP_RET_DATA /* 0xFFFF */ ||
- trap_array_size_ >= std::numeric_limits<uint16_t>::max()) {
- // In practice, this is pretty much impossible to trigger, as there
- // are other kernel limitations that restrict overall BPF program sizes.
- SANDBOX_DIE("Too many SECCOMP_RET_TRAP callback instances");
- }
-
- // Our callers ensure that there are no other threads accessing trap_array_
- // concurrently (typically this is done by ensuring that we are single-
- // threaded while the sandbox is being set up). But we nonetheless are
- // modifying a live data structure that could be accessed any time a
- // system call is made; as system calls could be triggering SIGSYS.
- // So, we have to be extra careful that we update trap_array_ atomically.
- // In particular, this means we shouldn't be using realloc() to resize it.
- // Instead, we allocate a new array, copy the values, and then switch the
- // pointer. We only really care about the pointer being updated atomically
- // and the data that is pointed to being valid, as these are the only
- // values accessed from the signal handler. It is OK if trap_array_size_
- // is inconsistent with the pointer, as it is monotonously increasing.
- // Also, we only care about compiler barriers, as the signal handler is
- // triggered synchronously from a system call. We don't have to protect
- // against issues with the memory model or with completely asynchronous
- // events.
- if (trap_array_size_ >= trap_array_capacity_) {
- trap_array_capacity_ += kCapacityIncrement;
- TrapKey* old_trap_array = trap_array_;
- TrapKey* new_trap_array = new TrapKey[trap_array_capacity_];
- std::copy_n(old_trap_array, trap_array_size_, new_trap_array);
-
- // Language specs are unclear on whether the compiler is allowed to move
- // the "delete[]" above our preceding assignments and/or memory moves,
- // iff the compiler believes that "delete[]" doesn't have any other
- // global side-effects.
- // We insert optimization barriers to prevent this from happening.
- // The first barrier is probably not needed, but better be explicit in
- // what we want to tell the compiler.
- // The clang developer mailing list couldn't answer whether this is a
- // legitimate worry; but they at least thought that the barrier is
- // sufficient to prevent the (so far hypothetical) problem of re-ordering
- // of instructions by the compiler.
- //
- // TODO(mdempsky): Try to clean this up using base/atomicops or C++11
- // atomics; see crbug.com/414363.
- asm volatile("" : "=r"(new_trap_array) : "0"(new_trap_array) : "memory");
- trap_array_ = new_trap_array;
- asm volatile("" : "=r"(trap_array_) : "0"(trap_array_) : "memory");
-
- delete[] old_trap_array;
- }
-
- uint16_t id = trap_array_size_ + 1;
- trap_ids_[key] = id;
- trap_array_[trap_array_size_] = key;
- trap_array_size_++;
- return id;
-}
-
-bool Trap::SandboxDebuggingAllowedByUser() {
- const char* debug_flag = getenv(kSandboxDebuggingEnv);
- return debug_flag && *debug_flag;
-}
-
-bool Trap::EnableUnsafeTraps() {
- if (!has_unsafe_traps_) {
- // Unsafe traps are a one-way fuse. Once enabled, they can never be turned
- // off again.
- // We only allow enabling unsafe traps, if the user explicitly set an
- // appropriate environment variable. This prevents bugs that accidentally
- // disable all sandboxing for all users.
- if (SandboxDebuggingAllowedByUser()) {
- // We only ever print this message once, when we enable unsafe traps the
- // first time.
- SANDBOX_INFO("WARNING! Disabling sandbox for debugging purposes");
- has_unsafe_traps_ = true;
- } else {
- SANDBOX_INFO(
- "Cannot disable sandbox and use unsafe traps unless "
- "CHROME_SANDBOX_DEBUGGING is turned on first");
- }
- }
- // Returns the, possibly updated, value of has_unsafe_traps_.
- return has_unsafe_traps_;
-}
-
-Trap* Trap::global_trap_;
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.h b/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.h
deleted file mode 100644
index a73d2064b..000000000
--- a/security/sandbox/chromium/sandbox/linux/seccomp-bpf/trap.h
+++ /dev/null
@@ -1,86 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
-#define SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <map>
-
-#include "base/macros.h"
-#include "sandbox/linux/bpf_dsl/trap_registry.h"
-#include "sandbox/linux/system_headers/linux_signal.h"
-#include "sandbox/sandbox_export.h"
-
-namespace sandbox {
-
-// The Trap class allows a BPF filter program to branch out to user space by
-// raising a SIGSYS signal.
-// N.B.: This class does not perform any synchronization operations. If
-// modifications are made to any of the traps, it is the caller's
-// responsibility to ensure that this happens in a thread-safe fashion.
-// Preferably, that means that no other threads should be running at that
-// time. For the purposes of our sandbox, this assertion should always be
-// true. Threads are incompatible with the seccomp sandbox anyway.
-class SANDBOX_EXPORT Trap : public bpf_dsl::TrapRegistry {
- public:
- uint16_t Add(TrapFnc fnc, const void* aux, bool safe) override;
-
- bool EnableUnsafeTraps() override;
-
- // Registry returns the trap registry used by Trap's SIGSYS handler,
- // creating it if necessary.
- static bpf_dsl::TrapRegistry* Registry();
-
- // SandboxDebuggingAllowedByUser returns whether the
- // "CHROME_SANDBOX_DEBUGGING" environment variable is set.
- static bool SandboxDebuggingAllowedByUser();
-
- private:
- struct TrapKey {
- TrapKey() : fnc(NULL), aux(NULL), safe(false) {}
- TrapKey(TrapFnc f, const void* a, bool s) : fnc(f), aux(a), safe(s) {}
- TrapFnc fnc;
- const void* aux;
- bool safe;
- bool operator<(const TrapKey&) const;
- };
- typedef std::map<TrapKey, uint16_t> TrapIds;
-
- // Our constructor is private. A shared global instance is created
- // automatically as needed.
- Trap();
-
- // The destructor is unimplemented as destroying this object would
- // break subsequent system calls that trigger a SIGSYS.
- ~Trap() = delete;
-
- static void SigSysAction(int nr, LinuxSigInfo* info, void* void_context);
-
- // Make sure that SigSys is not inlined in order to get slightly better crash
- // dumps.
- void SigSys(int nr, LinuxSigInfo* info, ucontext_t* ctx)
- __attribute__((noinline));
- // We have a global singleton that handles all of our SIGSYS traps. This
- // variable must never be deallocated after it has been set up initially, as
- // there is no way to reset in-kernel BPF filters that generate SIGSYS
- // events.
- static Trap* global_trap_;
-
- TrapIds trap_ids_; // Maps from TrapKeys to numeric ids
- TrapKey* trap_array_; // Array of TrapKeys indexed by ids
- size_t trap_array_size_; // Currently used size of array
- size_t trap_array_capacity_; // Currently allocated capacity of array
- bool has_unsafe_traps_; // Whether unsafe traps have been enabled
-
- // Copying and assigning is unimplemented. It doesn't make sense for a
- // singleton.
- DISALLOW_COPY_AND_ASSIGN(Trap);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_SECCOMP_BPF_TRAP_H__
diff --git a/security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.cc b/security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.cc
deleted file mode 100644
index 9d5a6ada0..000000000
--- a/security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.cc
+++ /dev/null
@@ -1,261 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/linux/services/syscall_wrappers.h"
-
-#include <pthread.h>
-#include <sched.h>
-#include <setjmp.h>
-#include <sys/resource.h>
-#include <sys/syscall.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <unistd.h>
-#include <cstring>
-
-#include "base/compiler_specific.h"
-#include "base/logging.h"
-#include "base/third_party/valgrind/valgrind.h"
-#include "build/build_config.h"
-#include "sandbox/linux/system_headers/capability.h"
-#include "sandbox/linux/system_headers/linux_signal.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-
-namespace sandbox {
-
-pid_t sys_getpid(void) {
- return syscall(__NR_getpid);
-}
-
-pid_t sys_gettid(void) {
- return syscall(__NR_gettid);
-}
-
-long sys_clone(unsigned long flags,
- std::nullptr_t child_stack,
- pid_t* ptid,
- pid_t* ctid,
- std::nullptr_t tls) {
- const bool clone_tls_used = flags & CLONE_SETTLS;
- const bool invalid_ctid =
- (flags & (CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID)) && !ctid;
- const bool invalid_ptid = (flags & CLONE_PARENT_SETTID) && !ptid;
-
- // We do not support CLONE_VM.
- const bool clone_vm_used = flags & CLONE_VM;
- if (clone_tls_used || invalid_ctid || invalid_ptid || clone_vm_used) {
- RAW_LOG(FATAL, "Invalid usage of sys_clone");
- }
-
- if (ptid) MSAN_UNPOISON(ptid, sizeof(*ptid));
- if (ctid) MSAN_UNPOISON(ctid, sizeof(*ctid));
- // See kernel/fork.c in Linux. There is different ordering of sys_clone
- // parameters depending on CONFIG_CLONE_BACKWARDS* configuration options.
-#if defined(ARCH_CPU_X86_64)
- return syscall(__NR_clone, flags, child_stack, ptid, ctid, tls);
-#elif defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARM_FAMILY) || \
- defined(ARCH_CPU_MIPS_FAMILY) || defined(ARCH_CPU_MIPS64_FAMILY)
- // CONFIG_CLONE_BACKWARDS defined.
- return syscall(__NR_clone, flags, child_stack, ptid, tls, ctid);
-#endif
-}
-
-long sys_clone(unsigned long flags) {
- return sys_clone(flags, nullptr, nullptr, nullptr, nullptr);
-}
-
-void sys_exit_group(int status) {
- syscall(__NR_exit_group, status);
-}
-
-int sys_seccomp(unsigned int operation,
- unsigned int flags,
- const struct sock_fprog* args) {
- return syscall(__NR_seccomp, operation, flags, args);
-}
-
-int sys_prlimit64(pid_t pid,
- int resource,
- const struct rlimit64* new_limit,
- struct rlimit64* old_limit) {
- int res = syscall(__NR_prlimit64, pid, resource, new_limit, old_limit);
- if (res == 0 && old_limit) MSAN_UNPOISON(old_limit, sizeof(*old_limit));
- return res;
-}
-
-int sys_capget(cap_hdr* hdrp, cap_data* datap) {
- int res = syscall(__NR_capget, hdrp, datap);
- if (res == 0) {
- if (hdrp) MSAN_UNPOISON(hdrp, sizeof(*hdrp));
- if (datap) MSAN_UNPOISON(datap, sizeof(*datap));
- }
- return res;
-}
-
-int sys_capset(cap_hdr* hdrp, const cap_data* datap) {
- return syscall(__NR_capset, hdrp, datap);
-}
-
-int sys_getresuid(uid_t* ruid, uid_t* euid, uid_t* suid) {
- int res;
-#if defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARMEL)
- // On 32-bit x86 or 32-bit arm, getresuid supports 16bit values only.
- // Use getresuid32 instead.
- res = syscall(__NR_getresuid32, ruid, euid, suid);
-#else
- res = syscall(__NR_getresuid, ruid, euid, suid);
-#endif
- if (res == 0) {
- if (ruid) MSAN_UNPOISON(ruid, sizeof(*ruid));
- if (euid) MSAN_UNPOISON(euid, sizeof(*euid));
- if (suid) MSAN_UNPOISON(suid, sizeof(*suid));
- }
- return res;
-}
-
-int sys_getresgid(gid_t* rgid, gid_t* egid, gid_t* sgid) {
- int res;
-#if defined(ARCH_CPU_X86) || defined(ARCH_CPU_ARMEL)
- // On 32-bit x86 or 32-bit arm, getresgid supports 16bit values only.
- // Use getresgid32 instead.
- res = syscall(__NR_getresgid32, rgid, egid, sgid);
-#else
- res = syscall(__NR_getresgid, rgid, egid, sgid);
-#endif
- if (res == 0) {
- if (rgid) MSAN_UNPOISON(rgid, sizeof(*rgid));
- if (egid) MSAN_UNPOISON(egid, sizeof(*egid));
- if (sgid) MSAN_UNPOISON(sgid, sizeof(*sgid));
- }
- return res;
-}
-
-int sys_chroot(const char* path) {
- return syscall(__NR_chroot, path);
-}
-
-int sys_unshare(int flags) {
- return syscall(__NR_unshare, flags);
-}
-
-int sys_sigprocmask(int how, const sigset_t* set, std::nullptr_t oldset) {
- // In some toolchain (in particular Android and PNaCl toolchain),
- // sigset_t is 32 bits, but the Linux ABI uses more.
- LinuxSigSet linux_value;
- std::memset(&linux_value, 0, sizeof(LinuxSigSet));
- std::memcpy(&linux_value, set, std::min(sizeof(sigset_t),
- sizeof(LinuxSigSet)));
-
- return syscall(__NR_rt_sigprocmask, how, &linux_value, nullptr,
- sizeof(linux_value));
-}
-
-// When this is built with PNaCl toolchain, we should always use sys_sigaction
-// below, because sigaction() provided by the toolchain is incompatible with
-// Linux's ABI.
-#if !defined(OS_NACL_NONSFI)
-int sys_sigaction(int signum,
- const struct sigaction* act,
- struct sigaction* oldact) {
- return sigaction(signum, act, oldact);
-}
-#else
-#if defined(ARCH_CPU_X86_FAMILY)
-
-// On x86_64, sa_restorer is required. We specify it on x86 as well in order to
-// support kernels with VDSO disabled.
-#if !defined(SA_RESTORER)
-#define SA_RESTORER 0x04000000
-#endif
-
-// XSTR(__NR_foo) expands to a string literal containing the value value of
-// __NR_foo.
-#define STR(x) #x
-#define XSTR(x) STR(x)
-
-// rt_sigreturn is a special system call that interacts with the user land
-// stack. Thus, here prologue must not be created, which implies syscall()
-// does not work properly, too. Note that rt_sigreturn does not return.
-// TODO(rickyz): These assembly functions may still break stack unwinding on
-// nonsfi NaCl builds.
-#if defined(ARCH_CPU_X86_64)
-
-extern "C" {
- void sys_rt_sigreturn();
-}
-
-asm(
- ".text\n"
- "sys_rt_sigreturn:\n"
- "mov $" XSTR(__NR_rt_sigreturn) ", %eax\n"
- "syscall\n");
-
-#elif defined(ARCH_CPU_X86)
-extern "C" {
- void sys_sigreturn();
- void sys_rt_sigreturn();
-}
-
-asm(
- ".text\n"
- "sys_rt_sigreturn:\n"
- "mov $" XSTR(__NR_rt_sigreturn) ", %eax\n"
- "int $0x80\n"
-
- "sys_sigreturn:\n"
- "pop %eax\n"
- "mov $" XSTR(__NR_sigreturn) ", %eax\n"
- "int $0x80\n");
-#else
-#error "Unsupported architecture."
-#endif
-
-#undef STR
-#undef XSTR
-
-#endif
-
-int sys_sigaction(int signum,
- const struct sigaction* act,
- struct sigaction* oldact) {
- LinuxSigAction linux_act = {};
- if (act) {
- linux_act.kernel_handler = act->sa_handler;
- std::memcpy(&linux_act.sa_mask, &act->sa_mask,
- std::min(sizeof(linux_act.sa_mask), sizeof(act->sa_mask)));
- linux_act.sa_flags = act->sa_flags;
-
-#if defined(ARCH_CPU_X86_FAMILY)
- if (!(linux_act.sa_flags & SA_RESTORER)) {
- linux_act.sa_flags |= SA_RESTORER;
-#if defined(ARCH_CPU_X86_64)
- linux_act.sa_restorer = sys_rt_sigreturn;
-#elif defined(ARCH_CPU_X86)
- linux_act.sa_restorer =
- linux_act.sa_flags & SA_SIGINFO ? sys_rt_sigreturn : sys_sigreturn;
-#else
-#error "Unsupported architecture."
-#endif
- }
-#endif
- }
-
- LinuxSigAction linux_oldact = {};
- int result = syscall(__NR_rt_sigaction, signum, act ? &linux_act : nullptr,
- oldact ? &linux_oldact : nullptr,
- sizeof(LinuxSigSet));
-
- if (result == 0 && oldact) {
- oldact->sa_handler = linux_oldact.kernel_handler;
- sigemptyset(&oldact->sa_mask);
- std::memcpy(&oldact->sa_mask, &linux_oldact.sa_mask,
- std::min(sizeof(linux_act.sa_mask), sizeof(act->sa_mask)));
- oldact->sa_flags = linux_oldact.sa_flags;
- }
- return result;
-}
-
-#endif // defined(MEMORY_SANITIZER)
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.h b/security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.h
deleted file mode 100644
index 057e4c87f..000000000
--- a/security/sandbox/chromium/sandbox/linux/services/syscall_wrappers.h
+++ /dev/null
@@ -1,85 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
-#define SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
-
-#include <signal.h>
-#include <stdint.h>
-#include <sys/types.h>
-
-#include <cstddef>
-
-#include "sandbox/sandbox_export.h"
-
-struct sock_fprog;
-struct rlimit64;
-struct cap_hdr;
-struct cap_data;
-
-namespace sandbox {
-
-// Provide direct system call wrappers for a few common system calls.
-// These are guaranteed to perform a system call and do not rely on things such
-// as caching the current pid (c.f. getpid()) unless otherwise specified.
-
-SANDBOX_EXPORT pid_t sys_getpid(void);
-
-SANDBOX_EXPORT pid_t sys_gettid(void);
-
-SANDBOX_EXPORT long sys_clone(unsigned long flags);
-
-// |regs| is not supported and must be passed as nullptr. |child_stack| must be
-// nullptr, since otherwise this function cannot safely return. As a
-// consequence, this function does not support CLONE_VM.
-SANDBOX_EXPORT long sys_clone(unsigned long flags,
- std::nullptr_t child_stack,
- pid_t* ptid,
- pid_t* ctid,
- std::nullptr_t regs);
-
-SANDBOX_EXPORT void sys_exit_group(int status);
-
-// The official system call takes |args| as void* (in order to be extensible),
-// but add more typing for the cases that are currently used.
-SANDBOX_EXPORT int sys_seccomp(unsigned int operation,
- unsigned int flags,
- const struct sock_fprog* args);
-
-// Some libcs do not expose a prlimit64 wrapper.
-SANDBOX_EXPORT int sys_prlimit64(pid_t pid,
- int resource,
- const struct rlimit64* new_limit,
- struct rlimit64* old_limit);
-
-// Some libcs do not expose capget/capset wrappers. We want to use these
-// directly in order to avoid pulling in libcap2.
-SANDBOX_EXPORT int sys_capget(struct cap_hdr* hdrp, struct cap_data* datap);
-SANDBOX_EXPORT int sys_capset(struct cap_hdr* hdrp,
- const struct cap_data* datap);
-
-// Some libcs do not expose getresuid/getresgid wrappers.
-SANDBOX_EXPORT int sys_getresuid(uid_t* ruid, uid_t* euid, uid_t* suid);
-SANDBOX_EXPORT int sys_getresgid(gid_t* rgid, gid_t* egid, gid_t* sgid);
-
-// Some libcs do not expose a chroot wrapper.
-SANDBOX_EXPORT int sys_chroot(const char* path);
-
-// Some libcs do not expose a unshare wrapper.
-SANDBOX_EXPORT int sys_unshare(int flags);
-
-// Some libcs do not expose a sigprocmask. Note that oldset must be a nullptr,
-// because of some ABI gap between toolchain's and Linux's.
-SANDBOX_EXPORT int sys_sigprocmask(int how,
- const sigset_t* set,
- std::nullptr_t oldset);
-
-// Some libcs do not expose a sigaction().
-SANDBOX_EXPORT int sys_sigaction(int signum,
- const struct sigaction* act,
- struct sigaction* oldact);
-
-} // namespace sandbox
-
-#endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
deleted file mode 100644
index 1addd5384..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_syscalls.h
+++ /dev/null
@@ -1,1418 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Generated from the Linux kernel's calls.S.
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_ARM_LINUX_SYSCALLS_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_ARM_LINUX_SYSCALLS_H_
-
-#if !defined(__arm__) || !defined(__ARM_EABI__)
-#error "Including header on wrong architecture"
-#endif
-
-#if !defined(__NR_SYSCALL_BASE)
-// On ARM EABI arch, __NR_SYSCALL_BASE is 0.
-#define __NR_SYSCALL_BASE 0
-#endif
-
-// This syscall list has holes, because ARM EABI makes some syscalls obsolete.
-
-#if !defined(__NR_restart_syscall)
-#define __NR_restart_syscall (__NR_SYSCALL_BASE+0)
-#endif
-
-#if !defined(__NR_exit)
-#define __NR_exit (__NR_SYSCALL_BASE+1)
-#endif
-
-#if !defined(__NR_fork)
-#define __NR_fork (__NR_SYSCALL_BASE+2)
-#endif
-
-#if !defined(__NR_read)
-#define __NR_read (__NR_SYSCALL_BASE+3)
-#endif
-
-#if !defined(__NR_write)
-#define __NR_write (__NR_SYSCALL_BASE+4)
-#endif
-
-#if !defined(__NR_open)
-#define __NR_open (__NR_SYSCALL_BASE+5)
-#endif
-
-#if !defined(__NR_close)
-#define __NR_close (__NR_SYSCALL_BASE+6)
-#endif
-
-#if !defined(__NR_creat)
-#define __NR_creat (__NR_SYSCALL_BASE+8)
-#endif
-
-#if !defined(__NR_link)
-#define __NR_link (__NR_SYSCALL_BASE+9)
-#endif
-
-#if !defined(__NR_unlink)
-#define __NR_unlink (__NR_SYSCALL_BASE+10)
-#endif
-
-#if !defined(__NR_execve)
-#define __NR_execve (__NR_SYSCALL_BASE+11)
-#endif
-
-#if !defined(__NR_chdir)
-#define __NR_chdir (__NR_SYSCALL_BASE+12)
-#endif
-
-#if !defined(__NR_mknod)
-#define __NR_mknod (__NR_SYSCALL_BASE+14)
-#endif
-
-#if !defined(__NR_chmod)
-#define __NR_chmod (__NR_SYSCALL_BASE+15)
-#endif
-
-#if !defined(__NR_lchown)
-#define __NR_lchown (__NR_SYSCALL_BASE+16)
-#endif
-
-#if !defined(__NR_lseek)
-#define __NR_lseek (__NR_SYSCALL_BASE+19)
-#endif
-
-#if !defined(__NR_getpid)
-#define __NR_getpid (__NR_SYSCALL_BASE+20)
-#endif
-
-#if !defined(__NR_mount)
-#define __NR_mount (__NR_SYSCALL_BASE+21)
-#endif
-
-#if !defined(__NR_setuid)
-#define __NR_setuid (__NR_SYSCALL_BASE+23)
-#endif
-
-#if !defined(__NR_getuid)
-#define __NR_getuid (__NR_SYSCALL_BASE+24)
-#endif
-
-#if !defined(__NR_ptrace)
-#define __NR_ptrace (__NR_SYSCALL_BASE+26)
-#endif
-
-#if !defined(__NR_pause)
-#define __NR_pause (__NR_SYSCALL_BASE+29)
-#endif
-
-#if !defined(__NR_access)
-#define __NR_access (__NR_SYSCALL_BASE+33)
-#endif
-
-#if !defined(__NR_nice)
-#define __NR_nice (__NR_SYSCALL_BASE+34)
-#endif
-
-#if !defined(__NR_sync)
-#define __NR_sync (__NR_SYSCALL_BASE+36)
-#endif
-
-#if !defined(__NR_kill)
-#define __NR_kill (__NR_SYSCALL_BASE+37)
-#endif
-
-#if !defined(__NR_rename)
-#define __NR_rename (__NR_SYSCALL_BASE+38)
-#endif
-
-#if !defined(__NR_mkdir)
-#define __NR_mkdir (__NR_SYSCALL_BASE+39)
-#endif
-
-#if !defined(__NR_rmdir)
-#define __NR_rmdir (__NR_SYSCALL_BASE+40)
-#endif
-
-#if !defined(__NR_dup)
-#define __NR_dup (__NR_SYSCALL_BASE+41)
-#endif
-
-#if !defined(__NR_pipe)
-#define __NR_pipe (__NR_SYSCALL_BASE+42)
-#endif
-
-#if !defined(__NR_times)
-#define __NR_times (__NR_SYSCALL_BASE+43)
-#endif
-
-#if !defined(__NR_brk)
-#define __NR_brk (__NR_SYSCALL_BASE+45)
-#endif
-
-#if !defined(__NR_setgid)
-#define __NR_setgid (__NR_SYSCALL_BASE+46)
-#endif
-
-#if !defined(__NR_getgid)
-#define __NR_getgid (__NR_SYSCALL_BASE+47)
-#endif
-
-#if !defined(__NR_geteuid)
-#define __NR_geteuid (__NR_SYSCALL_BASE+49)
-#endif
-
-#if !defined(__NR_getegid)
-#define __NR_getegid (__NR_SYSCALL_BASE+50)
-#endif
-
-#if !defined(__NR_acct)
-#define __NR_acct (__NR_SYSCALL_BASE+51)
-#endif
-
-#if !defined(__NR_umount2)
-#define __NR_umount2 (__NR_SYSCALL_BASE+52)
-#endif
-
-#if !defined(__NR_ioctl)
-#define __NR_ioctl (__NR_SYSCALL_BASE+54)
-#endif
-
-#if !defined(__NR_fcntl)
-#define __NR_fcntl (__NR_SYSCALL_BASE+55)
-#endif
-
-#if !defined(__NR_setpgid)
-#define __NR_setpgid (__NR_SYSCALL_BASE+57)
-#endif
-
-#if !defined(__NR_umask)
-#define __NR_umask (__NR_SYSCALL_BASE+60)
-#endif
-
-#if !defined(__NR_chroot)
-#define __NR_chroot (__NR_SYSCALL_BASE+61)
-#endif
-
-#if !defined(__NR_ustat)
-#define __NR_ustat (__NR_SYSCALL_BASE+62)
-#endif
-
-#if !defined(__NR_dup2)
-#define __NR_dup2 (__NR_SYSCALL_BASE+63)
-#endif
-
-#if !defined(__NR_getppid)
-#define __NR_getppid (__NR_SYSCALL_BASE+64)
-#endif
-
-#if !defined(__NR_getpgrp)
-#define __NR_getpgrp (__NR_SYSCALL_BASE+65)
-#endif
-
-#if !defined(__NR_setsid)
-#define __NR_setsid (__NR_SYSCALL_BASE+66)
-#endif
-
-#if !defined(__NR_sigaction)
-#define __NR_sigaction (__NR_SYSCALL_BASE+67)
-#endif
-
-#if !defined(__NR_setreuid)
-#define __NR_setreuid (__NR_SYSCALL_BASE+70)
-#endif
-
-#if !defined(__NR_setregid)
-#define __NR_setregid (__NR_SYSCALL_BASE+71)
-#endif
-
-#if !defined(__NR_sigsuspend)
-#define __NR_sigsuspend (__NR_SYSCALL_BASE+72)
-#endif
-
-#if !defined(__NR_sigpending)
-#define __NR_sigpending (__NR_SYSCALL_BASE+73)
-#endif
-
-#if !defined(__NR_sethostname)
-#define __NR_sethostname (__NR_SYSCALL_BASE+74)
-#endif
-
-#if !defined(__NR_setrlimit)
-#define __NR_setrlimit (__NR_SYSCALL_BASE+75)
-#endif
-
-#if !defined(__NR_getrusage)
-#define __NR_getrusage (__NR_SYSCALL_BASE+77)
-#endif
-
-#if !defined(__NR_gettimeofday)
-#define __NR_gettimeofday (__NR_SYSCALL_BASE+78)
-#endif
-
-#if !defined(__NR_settimeofday)
-#define __NR_settimeofday (__NR_SYSCALL_BASE+79)
-#endif
-
-#if !defined(__NR_getgroups)
-#define __NR_getgroups (__NR_SYSCALL_BASE+80)
-#endif
-
-#if !defined(__NR_setgroups)
-#define __NR_setgroups (__NR_SYSCALL_BASE+81)
-#endif
-
-#if !defined(__NR_symlink)
-#define __NR_symlink (__NR_SYSCALL_BASE+83)
-#endif
-
-#if !defined(__NR_readlink)
-#define __NR_readlink (__NR_SYSCALL_BASE+85)
-#endif
-
-#if !defined(__NR_uselib)
-#define __NR_uselib (__NR_SYSCALL_BASE+86)
-#endif
-
-#if !defined(__NR_swapon)
-#define __NR_swapon (__NR_SYSCALL_BASE+87)
-#endif
-
-#if !defined(__NR_reboot)
-#define __NR_reboot (__NR_SYSCALL_BASE+88)
-#endif
-
-#if !defined(__NR_munmap)
-#define __NR_munmap (__NR_SYSCALL_BASE+91)
-#endif
-
-#if !defined(__NR_truncate)
-#define __NR_truncate (__NR_SYSCALL_BASE+92)
-#endif
-
-#if !defined(__NR_ftruncate)
-#define __NR_ftruncate (__NR_SYSCALL_BASE+93)
-#endif
-
-#if !defined(__NR_fchmod)
-#define __NR_fchmod (__NR_SYSCALL_BASE+94)
-#endif
-
-#if !defined(__NR_fchown)
-#define __NR_fchown (__NR_SYSCALL_BASE+95)
-#endif
-
-#if !defined(__NR_getpriority)
-#define __NR_getpriority (__NR_SYSCALL_BASE+96)
-#endif
-
-#if !defined(__NR_setpriority)
-#define __NR_setpriority (__NR_SYSCALL_BASE+97)
-#endif
-
-#if !defined(__NR_statfs)
-#define __NR_statfs (__NR_SYSCALL_BASE+99)
-#endif
-
-#if !defined(__NR_fstatfs)
-#define __NR_fstatfs (__NR_SYSCALL_BASE+100)
-#endif
-
-#if !defined(__NR_syslog)
-#define __NR_syslog (__NR_SYSCALL_BASE+103)
-#endif
-
-#if !defined(__NR_setitimer)
-#define __NR_setitimer (__NR_SYSCALL_BASE+104)
-#endif
-
-#if !defined(__NR_getitimer)
-#define __NR_getitimer (__NR_SYSCALL_BASE+105)
-#endif
-
-#if !defined(__NR_stat)
-#define __NR_stat (__NR_SYSCALL_BASE+106)
-#endif
-
-#if !defined(__NR_lstat)
-#define __NR_lstat (__NR_SYSCALL_BASE+107)
-#endif
-
-#if !defined(__NR_fstat)
-#define __NR_fstat (__NR_SYSCALL_BASE+108)
-#endif
-
-#if !defined(__NR_vhangup)
-#define __NR_vhangup (__NR_SYSCALL_BASE+111)
-#endif
-
-#if !defined(__NR_wait4)
-#define __NR_wait4 (__NR_SYSCALL_BASE+114)
-#endif
-
-#if !defined(__NR_swapoff)
-#define __NR_swapoff (__NR_SYSCALL_BASE+115)
-#endif
-
-#if !defined(__NR_sysinfo)
-#define __NR_sysinfo (__NR_SYSCALL_BASE+116)
-#endif
-
-#if !defined(__NR_fsync)
-#define __NR_fsync (__NR_SYSCALL_BASE+118)
-#endif
-
-#if !defined(__NR_sigreturn)
-#define __NR_sigreturn (__NR_SYSCALL_BASE+119)
-#endif
-
-#if !defined(__NR_clone)
-#define __NR_clone (__NR_SYSCALL_BASE+120)
-#endif
-
-#if !defined(__NR_setdomainname)
-#define __NR_setdomainname (__NR_SYSCALL_BASE+121)
-#endif
-
-#if !defined(__NR_uname)
-#define __NR_uname (__NR_SYSCALL_BASE+122)
-#endif
-
-#if !defined(__NR_adjtimex)
-#define __NR_adjtimex (__NR_SYSCALL_BASE+124)
-#endif
-
-#if !defined(__NR_mprotect)
-#define __NR_mprotect (__NR_SYSCALL_BASE+125)
-#endif
-
-#if !defined(__NR_sigprocmask)
-#define __NR_sigprocmask (__NR_SYSCALL_BASE+126)
-#endif
-
-#if !defined(__NR_init_module)
-#define __NR_init_module (__NR_SYSCALL_BASE+128)
-#endif
-
-#if !defined(__NR_delete_module)
-#define __NR_delete_module (__NR_SYSCALL_BASE+129)
-#endif
-
-#if !defined(__NR_quotactl)
-#define __NR_quotactl (__NR_SYSCALL_BASE+131)
-#endif
-
-#if !defined(__NR_getpgid)
-#define __NR_getpgid (__NR_SYSCALL_BASE+132)
-#endif
-
-#if !defined(__NR_fchdir)
-#define __NR_fchdir (__NR_SYSCALL_BASE+133)
-#endif
-
-#if !defined(__NR_bdflush)
-#define __NR_bdflush (__NR_SYSCALL_BASE+134)
-#endif
-
-#if !defined(__NR_sysfs)
-#define __NR_sysfs (__NR_SYSCALL_BASE+135)
-#endif
-
-#if !defined(__NR_personality)
-#define __NR_personality (__NR_SYSCALL_BASE+136)
-#endif
-
-#if !defined(__NR_setfsuid)
-#define __NR_setfsuid (__NR_SYSCALL_BASE+138)
-#endif
-
-#if !defined(__NR_setfsgid)
-#define __NR_setfsgid (__NR_SYSCALL_BASE+139)
-#endif
-
-#if !defined(__NR__llseek)
-#define __NR__llseek (__NR_SYSCALL_BASE+140)
-#endif
-
-#if !defined(__NR_getdents)
-#define __NR_getdents (__NR_SYSCALL_BASE+141)
-#endif
-
-#if !defined(__NR__newselect)
-#define __NR__newselect (__NR_SYSCALL_BASE+142)
-#endif
-
-#if !defined(__NR_flock)
-#define __NR_flock (__NR_SYSCALL_BASE+143)
-#endif
-
-#if !defined(__NR_msync)
-#define __NR_msync (__NR_SYSCALL_BASE+144)
-#endif
-
-#if !defined(__NR_readv)
-#define __NR_readv (__NR_SYSCALL_BASE+145)
-#endif
-
-#if !defined(__NR_writev)
-#define __NR_writev (__NR_SYSCALL_BASE+146)
-#endif
-
-#if !defined(__NR_getsid)
-#define __NR_getsid (__NR_SYSCALL_BASE+147)
-#endif
-
-#if !defined(__NR_fdatasync)
-#define __NR_fdatasync (__NR_SYSCALL_BASE+148)
-#endif
-
-#if !defined(__NR__sysctl)
-#define __NR__sysctl (__NR_SYSCALL_BASE+149)
-#endif
-
-#if !defined(__NR_mlock)
-#define __NR_mlock (__NR_SYSCALL_BASE+150)
-#endif
-
-#if !defined(__NR_munlock)
-#define __NR_munlock (__NR_SYSCALL_BASE+151)
-#endif
-
-#if !defined(__NR_mlockall)
-#define __NR_mlockall (__NR_SYSCALL_BASE+152)
-#endif
-
-#if !defined(__NR_munlockall)
-#define __NR_munlockall (__NR_SYSCALL_BASE+153)
-#endif
-
-#if !defined(__NR_sched_setparam)
-#define __NR_sched_setparam (__NR_SYSCALL_BASE+154)
-#endif
-
-#if !defined(__NR_sched_getparam)
-#define __NR_sched_getparam (__NR_SYSCALL_BASE+155)
-#endif
-
-#if !defined(__NR_sched_setscheduler)
-#define __NR_sched_setscheduler (__NR_SYSCALL_BASE+156)
-#endif
-
-#if !defined(__NR_sched_getscheduler)
-#define __NR_sched_getscheduler (__NR_SYSCALL_BASE+157)
-#endif
-
-#if !defined(__NR_sched_yield)
-#define __NR_sched_yield (__NR_SYSCALL_BASE+158)
-#endif
-
-#if !defined(__NR_sched_get_priority_max)
-#define __NR_sched_get_priority_max (__NR_SYSCALL_BASE+159)
-#endif
-
-#if !defined(__NR_sched_get_priority_min)
-#define __NR_sched_get_priority_min (__NR_SYSCALL_BASE+160)
-#endif
-
-#if !defined(__NR_sched_rr_get_interval)
-#define __NR_sched_rr_get_interval (__NR_SYSCALL_BASE+161)
-#endif
-
-#if !defined(__NR_nanosleep)
-#define __NR_nanosleep (__NR_SYSCALL_BASE+162)
-#endif
-
-#if !defined(__NR_mremap)
-#define __NR_mremap (__NR_SYSCALL_BASE+163)
-#endif
-
-#if !defined(__NR_setresuid)
-#define __NR_setresuid (__NR_SYSCALL_BASE+164)
-#endif
-
-#if !defined(__NR_getresuid)
-#define __NR_getresuid (__NR_SYSCALL_BASE+165)
-#endif
-
-#if !defined(__NR_poll)
-#define __NR_poll (__NR_SYSCALL_BASE+168)
-#endif
-
-#if !defined(__NR_nfsservctl)
-#define __NR_nfsservctl (__NR_SYSCALL_BASE+169)
-#endif
-
-#if !defined(__NR_setresgid)
-#define __NR_setresgid (__NR_SYSCALL_BASE+170)
-#endif
-
-#if !defined(__NR_getresgid)
-#define __NR_getresgid (__NR_SYSCALL_BASE+171)
-#endif
-
-#if !defined(__NR_prctl)
-#define __NR_prctl (__NR_SYSCALL_BASE+172)
-#endif
-
-#if !defined(__NR_rt_sigreturn)
-#define __NR_rt_sigreturn (__NR_SYSCALL_BASE+173)
-#endif
-
-#if !defined(__NR_rt_sigaction)
-#define __NR_rt_sigaction (__NR_SYSCALL_BASE+174)
-#endif
-
-#if !defined(__NR_rt_sigprocmask)
-#define __NR_rt_sigprocmask (__NR_SYSCALL_BASE+175)
-#endif
-
-#if !defined(__NR_rt_sigpending)
-#define __NR_rt_sigpending (__NR_SYSCALL_BASE+176)
-#endif
-
-#if !defined(__NR_rt_sigtimedwait)
-#define __NR_rt_sigtimedwait (__NR_SYSCALL_BASE+177)
-#endif
-
-#if !defined(__NR_rt_sigqueueinfo)
-#define __NR_rt_sigqueueinfo (__NR_SYSCALL_BASE+178)
-#endif
-
-#if !defined(__NR_rt_sigsuspend)
-#define __NR_rt_sigsuspend (__NR_SYSCALL_BASE+179)
-#endif
-
-#if !defined(__NR_pread64)
-#define __NR_pread64 (__NR_SYSCALL_BASE+180)
-#endif
-
-#if !defined(__NR_pwrite64)
-#define __NR_pwrite64 (__NR_SYSCALL_BASE+181)
-#endif
-
-#if !defined(__NR_chown)
-#define __NR_chown (__NR_SYSCALL_BASE+182)
-#endif
-
-#if !defined(__NR_getcwd)
-#define __NR_getcwd (__NR_SYSCALL_BASE+183)
-#endif
-
-#if !defined(__NR_capget)
-#define __NR_capget (__NR_SYSCALL_BASE+184)
-#endif
-
-#if !defined(__NR_capset)
-#define __NR_capset (__NR_SYSCALL_BASE+185)
-#endif
-
-#if !defined(__NR_sigaltstack)
-#define __NR_sigaltstack (__NR_SYSCALL_BASE+186)
-#endif
-
-#if !defined(__NR_sendfile)
-#define __NR_sendfile (__NR_SYSCALL_BASE+187)
-#endif
-
-#if !defined(__NR_vfork)
-#define __NR_vfork (__NR_SYSCALL_BASE+190)
-#endif
-
-#if !defined(__NR_ugetrlimit)
-#define __NR_ugetrlimit (__NR_SYSCALL_BASE+191)
-#endif
-
-#if !defined(__NR_mmap2)
-#define __NR_mmap2 (__NR_SYSCALL_BASE+192)
-#endif
-
-#if !defined(__NR_truncate64)
-#define __NR_truncate64 (__NR_SYSCALL_BASE+193)
-#endif
-
-#if !defined(__NR_ftruncate64)
-#define __NR_ftruncate64 (__NR_SYSCALL_BASE+194)
-#endif
-
-#if !defined(__NR_stat64)
-#define __NR_stat64 (__NR_SYSCALL_BASE+195)
-#endif
-
-#if !defined(__NR_lstat64)
-#define __NR_lstat64 (__NR_SYSCALL_BASE+196)
-#endif
-
-#if !defined(__NR_fstat64)
-#define __NR_fstat64 (__NR_SYSCALL_BASE+197)
-#endif
-
-#if !defined(__NR_lchown32)
-#define __NR_lchown32 (__NR_SYSCALL_BASE+198)
-#endif
-
-#if !defined(__NR_getuid32)
-#define __NR_getuid32 (__NR_SYSCALL_BASE+199)
-#endif
-
-#if !defined(__NR_getgid32)
-#define __NR_getgid32 (__NR_SYSCALL_BASE+200)
-#endif
-
-#if !defined(__NR_geteuid32)
-#define __NR_geteuid32 (__NR_SYSCALL_BASE+201)
-#endif
-
-#if !defined(__NR_getegid32)
-#define __NR_getegid32 (__NR_SYSCALL_BASE+202)
-#endif
-
-#if !defined(__NR_setreuid32)
-#define __NR_setreuid32 (__NR_SYSCALL_BASE+203)
-#endif
-
-#if !defined(__NR_setregid32)
-#define __NR_setregid32 (__NR_SYSCALL_BASE+204)
-#endif
-
-#if !defined(__NR_getgroups32)
-#define __NR_getgroups32 (__NR_SYSCALL_BASE+205)
-#endif
-
-#if !defined(__NR_setgroups32)
-#define __NR_setgroups32 (__NR_SYSCALL_BASE+206)
-#endif
-
-#if !defined(__NR_fchown32)
-#define __NR_fchown32 (__NR_SYSCALL_BASE+207)
-#endif
-
-#if !defined(__NR_setresuid32)
-#define __NR_setresuid32 (__NR_SYSCALL_BASE+208)
-#endif
-
-#if !defined(__NR_getresuid32)
-#define __NR_getresuid32 (__NR_SYSCALL_BASE+209)
-#endif
-
-#if !defined(__NR_setresgid32)
-#define __NR_setresgid32 (__NR_SYSCALL_BASE+210)
-#endif
-
-#if !defined(__NR_getresgid32)
-#define __NR_getresgid32 (__NR_SYSCALL_BASE+211)
-#endif
-
-#if !defined(__NR_chown32)
-#define __NR_chown32 (__NR_SYSCALL_BASE+212)
-#endif
-
-#if !defined(__NR_setuid32)
-#define __NR_setuid32 (__NR_SYSCALL_BASE+213)
-#endif
-
-#if !defined(__NR_setgid32)
-#define __NR_setgid32 (__NR_SYSCALL_BASE+214)
-#endif
-
-#if !defined(__NR_setfsuid32)
-#define __NR_setfsuid32 (__NR_SYSCALL_BASE+215)
-#endif
-
-#if !defined(__NR_setfsgid32)
-#define __NR_setfsgid32 (__NR_SYSCALL_BASE+216)
-#endif
-
-#if !defined(__NR_getdents64)
-#define __NR_getdents64 (__NR_SYSCALL_BASE+217)
-#endif
-
-#if !defined(__NR_pivot_root)
-#define __NR_pivot_root (__NR_SYSCALL_BASE+218)
-#endif
-
-#if !defined(__NR_mincore)
-#define __NR_mincore (__NR_SYSCALL_BASE+219)
-#endif
-
-#if !defined(__NR_madvise)
-#define __NR_madvise (__NR_SYSCALL_BASE+220)
-#endif
-
-#if !defined(__NR_fcntl64)
-#define __NR_fcntl64 (__NR_SYSCALL_BASE+221)
-#endif
-
-#if !defined(__NR_gettid)
-#define __NR_gettid (__NR_SYSCALL_BASE+224)
-#endif
-
-#if !defined(__NR_readahead)
-#define __NR_readahead (__NR_SYSCALL_BASE+225)
-#endif
-
-#if !defined(__NR_setxattr)
-#define __NR_setxattr (__NR_SYSCALL_BASE+226)
-#endif
-
-#if !defined(__NR_lsetxattr)
-#define __NR_lsetxattr (__NR_SYSCALL_BASE+227)
-#endif
-
-#if !defined(__NR_fsetxattr)
-#define __NR_fsetxattr (__NR_SYSCALL_BASE+228)
-#endif
-
-#if !defined(__NR_getxattr)
-#define __NR_getxattr (__NR_SYSCALL_BASE+229)
-#endif
-
-#if !defined(__NR_lgetxattr)
-#define __NR_lgetxattr (__NR_SYSCALL_BASE+230)
-#endif
-
-#if !defined(__NR_fgetxattr)
-#define __NR_fgetxattr (__NR_SYSCALL_BASE+231)
-#endif
-
-#if !defined(__NR_listxattr)
-#define __NR_listxattr (__NR_SYSCALL_BASE+232)
-#endif
-
-#if !defined(__NR_llistxattr)
-#define __NR_llistxattr (__NR_SYSCALL_BASE+233)
-#endif
-
-#if !defined(__NR_flistxattr)
-#define __NR_flistxattr (__NR_SYSCALL_BASE+234)
-#endif
-
-#if !defined(__NR_removexattr)
-#define __NR_removexattr (__NR_SYSCALL_BASE+235)
-#endif
-
-#if !defined(__NR_lremovexattr)
-#define __NR_lremovexattr (__NR_SYSCALL_BASE+236)
-#endif
-
-#if !defined(__NR_fremovexattr)
-#define __NR_fremovexattr (__NR_SYSCALL_BASE+237)
-#endif
-
-#if !defined(__NR_tkill)
-#define __NR_tkill (__NR_SYSCALL_BASE+238)
-#endif
-
-#if !defined(__NR_sendfile64)
-#define __NR_sendfile64 (__NR_SYSCALL_BASE+239)
-#endif
-
-#if !defined(__NR_futex)
-#define __NR_futex (__NR_SYSCALL_BASE+240)
-#endif
-
-#if !defined(__NR_sched_setaffinity)
-#define __NR_sched_setaffinity (__NR_SYSCALL_BASE+241)
-#endif
-
-#if !defined(__NR_sched_getaffinity)
-#define __NR_sched_getaffinity (__NR_SYSCALL_BASE+242)
-#endif
-
-#if !defined(__NR_io_setup)
-#define __NR_io_setup (__NR_SYSCALL_BASE+243)
-#endif
-
-#if !defined(__NR_io_destroy)
-#define __NR_io_destroy (__NR_SYSCALL_BASE+244)
-#endif
-
-#if !defined(__NR_io_getevents)
-#define __NR_io_getevents (__NR_SYSCALL_BASE+245)
-#endif
-
-#if !defined(__NR_io_submit)
-#define __NR_io_submit (__NR_SYSCALL_BASE+246)
-#endif
-
-#if !defined(__NR_io_cancel)
-#define __NR_io_cancel (__NR_SYSCALL_BASE+247)
-#endif
-
-#if !defined(__NR_exit_group)
-#define __NR_exit_group (__NR_SYSCALL_BASE+248)
-#endif
-
-#if !defined(__NR_lookup_dcookie)
-#define __NR_lookup_dcookie (__NR_SYSCALL_BASE+249)
-#endif
-
-#if !defined(__NR_epoll_create)
-#define __NR_epoll_create (__NR_SYSCALL_BASE+250)
-#endif
-
-#if !defined(__NR_epoll_ctl)
-#define __NR_epoll_ctl (__NR_SYSCALL_BASE+251)
-#endif
-
-#if !defined(__NR_epoll_wait)
-#define __NR_epoll_wait (__NR_SYSCALL_BASE+252)
-#endif
-
-#if !defined(__NR_remap_file_pages)
-#define __NR_remap_file_pages (__NR_SYSCALL_BASE+253)
-#endif
-
-#if !defined(__NR_set_tid_address)
-#define __NR_set_tid_address (__NR_SYSCALL_BASE+256)
-#endif
-
-#if !defined(__NR_timer_create)
-#define __NR_timer_create (__NR_SYSCALL_BASE+257)
-#endif
-
-#if !defined(__NR_timer_settime)
-#define __NR_timer_settime (__NR_SYSCALL_BASE+258)
-#endif
-
-#if !defined(__NR_timer_gettime)
-#define __NR_timer_gettime (__NR_SYSCALL_BASE+259)
-#endif
-
-#if !defined(__NR_timer_getoverrun)
-#define __NR_timer_getoverrun (__NR_SYSCALL_BASE+260)
-#endif
-
-#if !defined(__NR_timer_delete)
-#define __NR_timer_delete (__NR_SYSCALL_BASE+261)
-#endif
-
-#if !defined(__NR_clock_settime)
-#define __NR_clock_settime (__NR_SYSCALL_BASE+262)
-#endif
-
-#if !defined(__NR_clock_gettime)
-#define __NR_clock_gettime (__NR_SYSCALL_BASE+263)
-#endif
-
-#if !defined(__NR_clock_getres)
-#define __NR_clock_getres (__NR_SYSCALL_BASE+264)
-#endif
-
-#if !defined(__NR_clock_nanosleep)
-#define __NR_clock_nanosleep (__NR_SYSCALL_BASE+265)
-#endif
-
-#if !defined(__NR_statfs64)
-#define __NR_statfs64 (__NR_SYSCALL_BASE+266)
-#endif
-
-#if !defined(__NR_fstatfs64)
-#define __NR_fstatfs64 (__NR_SYSCALL_BASE+267)
-#endif
-
-#if !defined(__NR_tgkill)
-#define __NR_tgkill (__NR_SYSCALL_BASE+268)
-#endif
-
-#if !defined(__NR_utimes)
-#define __NR_utimes (__NR_SYSCALL_BASE+269)
-#endif
-
-#if !defined(__NR_arm_fadvise64_64)
-#define __NR_arm_fadvise64_64 (__NR_SYSCALL_BASE+270)
-#endif
-
-#if !defined(__NR_pciconfig_iobase)
-#define __NR_pciconfig_iobase (__NR_SYSCALL_BASE+271)
-#endif
-
-#if !defined(__NR_pciconfig_read)
-#define __NR_pciconfig_read (__NR_SYSCALL_BASE+272)
-#endif
-
-#if !defined(__NR_pciconfig_write)
-#define __NR_pciconfig_write (__NR_SYSCALL_BASE+273)
-#endif
-
-#if !defined(__NR_mq_open)
-#define __NR_mq_open (__NR_SYSCALL_BASE+274)
-#endif
-
-#if !defined(__NR_mq_unlink)
-#define __NR_mq_unlink (__NR_SYSCALL_BASE+275)
-#endif
-
-#if !defined(__NR_mq_timedsend)
-#define __NR_mq_timedsend (__NR_SYSCALL_BASE+276)
-#endif
-
-#if !defined(__NR_mq_timedreceive)
-#define __NR_mq_timedreceive (__NR_SYSCALL_BASE+277)
-#endif
-
-#if !defined(__NR_mq_notify)
-#define __NR_mq_notify (__NR_SYSCALL_BASE+278)
-#endif
-
-#if !defined(__NR_mq_getsetattr)
-#define __NR_mq_getsetattr (__NR_SYSCALL_BASE+279)
-#endif
-
-#if !defined(__NR_waitid)
-#define __NR_waitid (__NR_SYSCALL_BASE+280)
-#endif
-
-#if !defined(__NR_socket)
-#define __NR_socket (__NR_SYSCALL_BASE+281)
-#endif
-
-#if !defined(__NR_bind)
-#define __NR_bind (__NR_SYSCALL_BASE+282)
-#endif
-
-#if !defined(__NR_connect)
-#define __NR_connect (__NR_SYSCALL_BASE+283)
-#endif
-
-#if !defined(__NR_listen)
-#define __NR_listen (__NR_SYSCALL_BASE+284)
-#endif
-
-#if !defined(__NR_accept)
-#define __NR_accept (__NR_SYSCALL_BASE+285)
-#endif
-
-#if !defined(__NR_getsockname)
-#define __NR_getsockname (__NR_SYSCALL_BASE+286)
-#endif
-
-#if !defined(__NR_getpeername)
-#define __NR_getpeername (__NR_SYSCALL_BASE+287)
-#endif
-
-#if !defined(__NR_socketpair)
-#define __NR_socketpair (__NR_SYSCALL_BASE+288)
-#endif
-
-#if !defined(__NR_send)
-#define __NR_send (__NR_SYSCALL_BASE+289)
-#endif
-
-#if !defined(__NR_sendto)
-#define __NR_sendto (__NR_SYSCALL_BASE+290)
-#endif
-
-#if !defined(__NR_recv)
-#define __NR_recv (__NR_SYSCALL_BASE+291)
-#endif
-
-#if !defined(__NR_recvfrom)
-#define __NR_recvfrom (__NR_SYSCALL_BASE+292)
-#endif
-
-#if !defined(__NR_shutdown)
-#define __NR_shutdown (__NR_SYSCALL_BASE+293)
-#endif
-
-#if !defined(__NR_setsockopt)
-#define __NR_setsockopt (__NR_SYSCALL_BASE+294)
-#endif
-
-#if !defined(__NR_getsockopt)
-#define __NR_getsockopt (__NR_SYSCALL_BASE+295)
-#endif
-
-#if !defined(__NR_sendmsg)
-#define __NR_sendmsg (__NR_SYSCALL_BASE+296)
-#endif
-
-#if !defined(__NR_recvmsg)
-#define __NR_recvmsg (__NR_SYSCALL_BASE+297)
-#endif
-
-#if !defined(__NR_semop)
-#define __NR_semop (__NR_SYSCALL_BASE+298)
-#endif
-
-#if !defined(__NR_semget)
-#define __NR_semget (__NR_SYSCALL_BASE+299)
-#endif
-
-#if !defined(__NR_semctl)
-#define __NR_semctl (__NR_SYSCALL_BASE+300)
-#endif
-
-#if !defined(__NR_msgsnd)
-#define __NR_msgsnd (__NR_SYSCALL_BASE+301)
-#endif
-
-#if !defined(__NR_msgrcv)
-#define __NR_msgrcv (__NR_SYSCALL_BASE+302)
-#endif
-
-#if !defined(__NR_msgget)
-#define __NR_msgget (__NR_SYSCALL_BASE+303)
-#endif
-
-#if !defined(__NR_msgctl)
-#define __NR_msgctl (__NR_SYSCALL_BASE+304)
-#endif
-
-#if !defined(__NR_shmat)
-#define __NR_shmat (__NR_SYSCALL_BASE+305)
-#endif
-
-#if !defined(__NR_shmdt)
-#define __NR_shmdt (__NR_SYSCALL_BASE+306)
-#endif
-
-#if !defined(__NR_shmget)
-#define __NR_shmget (__NR_SYSCALL_BASE+307)
-#endif
-
-#if !defined(__NR_shmctl)
-#define __NR_shmctl (__NR_SYSCALL_BASE+308)
-#endif
-
-#if !defined(__NR_add_key)
-#define __NR_add_key (__NR_SYSCALL_BASE+309)
-#endif
-
-#if !defined(__NR_request_key)
-#define __NR_request_key (__NR_SYSCALL_BASE+310)
-#endif
-
-#if !defined(__NR_keyctl)
-#define __NR_keyctl (__NR_SYSCALL_BASE+311)
-#endif
-
-#if !defined(__NR_semtimedop)
-#define __NR_semtimedop (__NR_SYSCALL_BASE+312)
-#endif
-
-#if !defined(__NR_vserver)
-#define __NR_vserver (__NR_SYSCALL_BASE+313)
-#endif
-
-#if !defined(__NR_ioprio_set)
-#define __NR_ioprio_set (__NR_SYSCALL_BASE+314)
-#endif
-
-#if !defined(__NR_ioprio_get)
-#define __NR_ioprio_get (__NR_SYSCALL_BASE+315)
-#endif
-
-#if !defined(__NR_inotify_init)
-#define __NR_inotify_init (__NR_SYSCALL_BASE+316)
-#endif
-
-#if !defined(__NR_inotify_add_watch)
-#define __NR_inotify_add_watch (__NR_SYSCALL_BASE+317)
-#endif
-
-#if !defined(__NR_inotify_rm_watch)
-#define __NR_inotify_rm_watch (__NR_SYSCALL_BASE+318)
-#endif
-
-#if !defined(__NR_mbind)
-#define __NR_mbind (__NR_SYSCALL_BASE+319)
-#endif
-
-#if !defined(__NR_get_mempolicy)
-#define __NR_get_mempolicy (__NR_SYSCALL_BASE+320)
-#endif
-
-#if !defined(__NR_set_mempolicy)
-#define __NR_set_mempolicy (__NR_SYSCALL_BASE+321)
-#endif
-
-#if !defined(__NR_openat)
-#define __NR_openat (__NR_SYSCALL_BASE+322)
-#endif
-
-#if !defined(__NR_mkdirat)
-#define __NR_mkdirat (__NR_SYSCALL_BASE+323)
-#endif
-
-#if !defined(__NR_mknodat)
-#define __NR_mknodat (__NR_SYSCALL_BASE+324)
-#endif
-
-#if !defined(__NR_fchownat)
-#define __NR_fchownat (__NR_SYSCALL_BASE+325)
-#endif
-
-#if !defined(__NR_futimesat)
-#define __NR_futimesat (__NR_SYSCALL_BASE+326)
-#endif
-
-#if !defined(__NR_fstatat64)
-#define __NR_fstatat64 (__NR_SYSCALL_BASE+327)
-#endif
-
-#if !defined(__NR_unlinkat)
-#define __NR_unlinkat (__NR_SYSCALL_BASE+328)
-#endif
-
-#if !defined(__NR_renameat)
-#define __NR_renameat (__NR_SYSCALL_BASE+329)
-#endif
-
-#if !defined(__NR_linkat)
-#define __NR_linkat (__NR_SYSCALL_BASE+330)
-#endif
-
-#if !defined(__NR_symlinkat)
-#define __NR_symlinkat (__NR_SYSCALL_BASE+331)
-#endif
-
-#if !defined(__NR_readlinkat)
-#define __NR_readlinkat (__NR_SYSCALL_BASE+332)
-#endif
-
-#if !defined(__NR_fchmodat)
-#define __NR_fchmodat (__NR_SYSCALL_BASE+333)
-#endif
-
-#if !defined(__NR_faccessat)
-#define __NR_faccessat (__NR_SYSCALL_BASE+334)
-#endif
-
-#if !defined(__NR_pselect6)
-#define __NR_pselect6 (__NR_SYSCALL_BASE+335)
-#endif
-
-#if !defined(__NR_ppoll)
-#define __NR_ppoll (__NR_SYSCALL_BASE+336)
-#endif
-
-#if !defined(__NR_unshare)
-#define __NR_unshare (__NR_SYSCALL_BASE+337)
-#endif
-
-#if !defined(__NR_set_robust_list)
-#define __NR_set_robust_list (__NR_SYSCALL_BASE+338)
-#endif
-
-#if !defined(__NR_get_robust_list)
-#define __NR_get_robust_list (__NR_SYSCALL_BASE+339)
-#endif
-
-#if !defined(__NR_splice)
-#define __NR_splice (__NR_SYSCALL_BASE+340)
-#endif
-
-#if !defined(__NR_arm_sync_file_range)
-#define __NR_arm_sync_file_range (__NR_SYSCALL_BASE+341)
-#endif
-
-#if !defined(__NR_sync_file_range2)
-#define __NR_sync_file_range2 (__NR_SYSCALL_BASE+341)
-#endif
-
-#if !defined(__NR_tee)
-#define __NR_tee (__NR_SYSCALL_BASE+342)
-#endif
-
-#if !defined(__NR_vmsplice)
-#define __NR_vmsplice (__NR_SYSCALL_BASE+343)
-#endif
-
-#if !defined(__NR_move_pages)
-#define __NR_move_pages (__NR_SYSCALL_BASE+344)
-#endif
-
-#if !defined(__NR_getcpu)
-#define __NR_getcpu (__NR_SYSCALL_BASE+345)
-#endif
-
-#if !defined(__NR_epoll_pwait)
-#define __NR_epoll_pwait (__NR_SYSCALL_BASE+346)
-#endif
-
-#if !defined(__NR_kexec_load)
-#define __NR_kexec_load (__NR_SYSCALL_BASE+347)
-#endif
-
-#if !defined(__NR_utimensat)
-#define __NR_utimensat (__NR_SYSCALL_BASE+348)
-#endif
-
-#if !defined(__NR_signalfd)
-#define __NR_signalfd (__NR_SYSCALL_BASE+349)
-#endif
-
-#if !defined(__NR_timerfd_create)
-#define __NR_timerfd_create (__NR_SYSCALL_BASE+350)
-#endif
-
-#if !defined(__NR_eventfd)
-#define __NR_eventfd (__NR_SYSCALL_BASE+351)
-#endif
-
-#if !defined(__NR_fallocate)
-#define __NR_fallocate (__NR_SYSCALL_BASE+352)
-#endif
-
-#if !defined(__NR_timerfd_settime)
-#define __NR_timerfd_settime (__NR_SYSCALL_BASE+353)
-#endif
-
-#if !defined(__NR_timerfd_gettime)
-#define __NR_timerfd_gettime (__NR_SYSCALL_BASE+354)
-#endif
-
-#if !defined(__NR_signalfd4)
-#define __NR_signalfd4 (__NR_SYSCALL_BASE+355)
-#endif
-
-#if !defined(__NR_eventfd2)
-#define __NR_eventfd2 (__NR_SYSCALL_BASE+356)
-#endif
-
-#if !defined(__NR_epoll_create1)
-#define __NR_epoll_create1 (__NR_SYSCALL_BASE+357)
-#endif
-
-#if !defined(__NR_dup3)
-#define __NR_dup3 (__NR_SYSCALL_BASE+358)
-#endif
-
-#if !defined(__NR_pipe2)
-#define __NR_pipe2 (__NR_SYSCALL_BASE+359)
-#endif
-
-#if !defined(__NR_inotify_init1)
-#define __NR_inotify_init1 (__NR_SYSCALL_BASE+360)
-#endif
-
-#if !defined(__NR_preadv)
-#define __NR_preadv (__NR_SYSCALL_BASE+361)
-#endif
-
-#if !defined(__NR_pwritev)
-#define __NR_pwritev (__NR_SYSCALL_BASE+362)
-#endif
-
-#if !defined(__NR_rt_tgsigqueueinfo)
-#define __NR_rt_tgsigqueueinfo (__NR_SYSCALL_BASE+363)
-#endif
-
-#if !defined(__NR_perf_event_open)
-#define __NR_perf_event_open (__NR_SYSCALL_BASE+364)
-#endif
-
-#if !defined(__NR_recvmmsg)
-#define __NR_recvmmsg (__NR_SYSCALL_BASE+365)
-#endif
-
-#if !defined(__NR_accept4)
-#define __NR_accept4 (__NR_SYSCALL_BASE+366)
-#endif
-
-#if !defined(__NR_fanotify_init)
-#define __NR_fanotify_init (__NR_SYSCALL_BASE+367)
-#endif
-
-#if !defined(__NR_fanotify_mark)
-#define __NR_fanotify_mark (__NR_SYSCALL_BASE+368)
-#endif
-
-#if !defined(__NR_prlimit64)
-#define __NR_prlimit64 (__NR_SYSCALL_BASE+369)
-#endif
-
-#if !defined(__NR_name_to_handle_at)
-#define __NR_name_to_handle_at (__NR_SYSCALL_BASE+370)
-#endif
-
-#if !defined(__NR_open_by_handle_at)
-#define __NR_open_by_handle_at (__NR_SYSCALL_BASE+371)
-#endif
-
-#if !defined(__NR_clock_adjtime)
-#define __NR_clock_adjtime (__NR_SYSCALL_BASE+372)
-#endif
-
-#if !defined(__NR_syncfs)
-#define __NR_syncfs (__NR_SYSCALL_BASE+373)
-#endif
-
-#if !defined(__NR_sendmmsg)
-#define __NR_sendmmsg (__NR_SYSCALL_BASE+374)
-#endif
-
-#if !defined(__NR_setns)
-#define __NR_setns (__NR_SYSCALL_BASE+375)
-#endif
-
-#if !defined(__NR_process_vm_readv)
-#define __NR_process_vm_readv (__NR_SYSCALL_BASE+376)
-#endif
-
-#if !defined(__NR_process_vm_writev)
-#define __NR_process_vm_writev (__NR_SYSCALL_BASE+377)
-#endif
-
-#if !defined(__NR_kcmp)
-#define __NR_kcmp (__NR_SYSCALL_BASE+378)
-#endif
-
-#if !defined(__NR_finit_module)
-#define __NR_finit_module (__NR_SYSCALL_BASE+379)
-#endif
-
-#if !defined(__NR_sched_setattr)
-#define __NR_sched_setattr (__NR_SYSCALL_BASE+380)
-#endif
-
-#if !defined(__NR_sched_getattr)
-#define __NR_sched_getattr (__NR_SYSCALL_BASE+381)
-#endif
-
-#if !defined(__NR_renameat2)
-#define __NR_renameat2 (__NR_SYSCALL_BASE+382)
-#endif
-
-#if !defined(__NR_seccomp)
-#define __NR_seccomp (__NR_SYSCALL_BASE+383)
-#endif
-
-#if !defined(__NR_getrandom)
-#define __NR_getrandom (__NR_SYSCALL_BASE+384)
-#endif
-
-#if !defined(__NR_memfd_create)
-#define __NR_memfd_create (__NR_SYSCALL_BASE+385)
-#endif
-
-// ARM private syscalls.
-#if !defined(__ARM_NR_BASE)
-#define __ARM_NR_BASE (__NR_SYSCALL_BASE + 0xF0000)
-#endif
-
-#if !defined(__ARM_NR_breakpoint)
-#define __ARM_NR_breakpoint (__ARM_NR_BASE+1)
-#endif
-
-#if !defined(__ARM_NR_cacheflush)
-#define __ARM_NR_cacheflush (__ARM_NR_BASE+2)
-#endif
-
-#if !defined(__ARM_NR_usr26)
-#define __ARM_NR_usr26 (__ARM_NR_BASE+3)
-#endif
-
-#if !defined(__ARM_NR_usr32)
-#define __ARM_NR_usr32 (__ARM_NR_BASE+4)
-#endif
-
-#if !defined(__ARM_NR_set_tls)
-#define __ARM_NR_set_tls (__ARM_NR_BASE+5)
-#endif
-
-// ARM kernel private syscall.
-#if !defined(__ARM_NR_cmpxchg)
-#define __ARM_NR_cmpxchg (__ARM_NR_BASE+0x00fff0)
-#endif
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM_LINUX_SYSCALLS_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_ucontext.h b/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_ucontext.h
deleted file mode 100644
index 35208fa2a..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/arm_linux_ucontext.h
+++ /dev/null
@@ -1,69 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_ARM_LINUX_UCONTEXT_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_ARM_LINUX_UCONTEXT_H_
-
-#include <stddef.h>
-
-#if !defined(__BIONIC_HAVE_UCONTEXT_T)
-#if !defined(__native_client_nonsfi__)
-#include <asm/sigcontext.h>
-#else
-// In PNaCl toolchain, sigcontext and stack_t is not defined. So here declare
-// them.
-struct sigcontext {
- unsigned long trap_no;
- unsigned long error_code;
- unsigned long oldmask;
- unsigned long arm_r0;
- unsigned long arm_r1;
- unsigned long arm_r2;
- unsigned long arm_r3;
- unsigned long arm_r4;
- unsigned long arm_r5;
- unsigned long arm_r6;
- unsigned long arm_r7;
- unsigned long arm_r8;
- unsigned long arm_r9;
- unsigned long arm_r10;
- unsigned long arm_fp;
- unsigned long arm_ip;
- unsigned long arm_sp;
- unsigned long arm_lr;
- unsigned long arm_pc;
- unsigned long arm_cpsr;
- unsigned long fault_address;
-};
-
-typedef struct sigaltstack {
- void* ss_sp;
- int ss_flags;
- size_t ss_size;
-} stack_t;
-
-#endif
-
-// We also need greg_t for the sandbox, include it in this header as well.
-typedef unsigned long greg_t;
-
-// typedef unsigned long sigset_t;
-typedef struct ucontext {
- unsigned long uc_flags;
- struct ucontext* uc_link;
- stack_t uc_stack;
- struct sigcontext uc_mcontext;
- sigset_t uc_sigmask;
- /* Allow for uc_sigmask growth. Glibc uses a 1024-bit sigset_t. */
- int __not_used[32 - (sizeof(sigset_t) / sizeof(int))];
- /* Last for extensibility. Eight byte aligned because some
- coprocessors require eight byte alignment. */
- unsigned long uc_regspace[128] __attribute__((__aligned__(8)));
-} ucontext_t;
-
-#else
-#include <sys/ucontext.h>
-#endif // __BIONIC_HAVE_UCONTEXT_T
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_ARM_LINUX_UCONTEXT_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/capability.h b/security/sandbox/chromium/sandbox/linux/system_headers/capability.h
deleted file mode 100644
index f91fcf78a..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/capability.h
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_CAPABILITY_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_CAPABILITY_H_
-
-#include <stdint.h>
-
-// The following macros are taken from linux/capability.h.
-// We only support capability version 3, which was introduced in Linux 2.6.26.
-#ifndef _LINUX_CAPABILITY_VERSION_3
-#define _LINUX_CAPABILITY_VERSION_3 0x20080522
-#endif
-#ifndef _LINUX_CAPABILITY_U32S_3
-#define _LINUX_CAPABILITY_U32S_3 2
-#endif
-#ifndef CAP_TO_INDEX
-#define CAP_TO_INDEX(x) ((x) >> 5) // 1 << 5 == bits in __u32
-#endif
-#ifndef CAP_TO_MASK
-#define CAP_TO_MASK(x) (1 << ((x) & 31)) // mask for indexed __u32
-#endif
-#ifndef CAP_SYS_CHROOT
-#define CAP_SYS_CHROOT 18
-#endif
-#ifndef CAP_SYS_ADMIN
-#define CAP_SYS_ADMIN 21
-#endif
-
-struct cap_hdr {
- uint32_t version;
- int pid;
-};
-
-struct cap_data {
- uint32_t effective;
- uint32_t permitted;
- uint32_t inheritable;
-};
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_CAPABILITY_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/i386_linux_ucontext.h b/security/sandbox/chromium/sandbox/linux/system_headers/i386_linux_ucontext.h
deleted file mode 100644
index f4380339d..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/i386_linux_ucontext.h
+++ /dev/null
@@ -1,96 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_ANDROID_I386_UCONTEXT_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_ANDROID_I386_UCONTEXT_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-// We do something compatible with glibc. Hopefully, at some point Android will
-// provide that for us, and __BIONIC_HAVE_UCONTEXT_T should be defined.
-// This is mostly copied from breakpad (common/android/include/sys/ucontext.h),
-// except we do use sigset_t for uc_sigmask instead of a custom type.
-
-#if !defined(__BIONIC_HAVE_UCONTEXT_T)
-#if !defined(__native_client_nonsfi__)
-#include <asm/sigcontext.h>
-#else
-// In PNaCl toolchain, sigcontext is not defined. So here declare it.
-typedef struct sigaltstack {
- void* ss_sp;
- int ss_flags;
- size_t ss_size;
-} stack_t;
-#endif
-
-/* 80-bit floating-point register */
-struct _libc_fpreg {
- unsigned short significand[4];
- unsigned short exponent;
-};
-
-/* Simple floating-point state, see FNSTENV instruction */
-struct _libc_fpstate {
- unsigned long cw;
- unsigned long sw;
- unsigned long tag;
- unsigned long ipoff;
- unsigned long cssel;
- unsigned long dataoff;
- unsigned long datasel;
- struct _libc_fpreg _st[8];
- unsigned long status;
-};
-
-typedef uint32_t greg_t;
-
-typedef struct {
- uint32_t gregs[19];
- struct _libc_fpstate* fpregs;
- uint32_t oldmask;
- uint32_t cr2;
-} mcontext_t;
-
-enum {
- REG_GS = 0,
- REG_FS,
- REG_ES,
- REG_DS,
- REG_EDI,
- REG_ESI,
- REG_EBP,
- REG_ESP,
- REG_EBX,
- REG_EDX,
- REG_ECX,
- REG_EAX,
- REG_TRAPNO,
- REG_ERR,
- REG_EIP,
- REG_CS,
- REG_EFL,
- REG_UESP,
- REG_SS,
-};
-
-typedef struct ucontext {
- uint32_t uc_flags;
- struct ucontext* uc_link;
- stack_t uc_stack;
- mcontext_t uc_mcontext;
- // Android and PNaCl toolchain's sigset_t has only 32 bits, though Linux
- // ABI requires 64 bits.
- union {
- sigset_t uc_sigmask;
- uint32_t kernel_sigmask[2];
- };
- struct _libc_fpstate __fpregs_mem;
-} ucontext_t;
-
-#else
-#include <sys/ucontext.h>
-#endif // __BIONIC_HAVE_UCONTEXT_T
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_ANDROID_I386_UCONTEXT_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/linux_filter.h b/security/sandbox/chromium/sandbox/linux/system_headers/linux_filter.h
deleted file mode 100644
index b23b6eb0c..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/linux_filter.h
+++ /dev/null
@@ -1,140 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_FILTER_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_FILTER_H_
-
-#include <stdint.h>
-
-// The following structs and macros are taken from linux/filter.h,
-// as some toolchain does not expose them.
-struct sock_filter {
- uint16_t code;
- uint8_t jt;
- uint8_t jf;
- uint32_t k;
-};
-
-struct sock_fprog {
- uint16_t len;
- struct sock_filter *filter;
-};
-
-#ifndef BPF_CLASS
-#define BPF_CLASS(code) ((code) & 0x07)
-#endif
-
-#ifndef BPF_LD
-#define BPF_LD 0x00
-#endif
-
-#ifndef BPF_ALU
-#define BPF_ALU 0x04
-#endif
-
-#ifndef BPF_JMP
-#define BPF_JMP 0x05
-#endif
-
-#ifndef BPF_RET
-#define BPF_RET 0x06
-#endif
-
-#ifndef BPF_SIZE
-#define BPF_SIZE(code) ((code) & 0x18)
-#endif
-
-#ifndef BPF_W
-#define BPF_W 0x00
-#endif
-
-#ifndef BPF_MODE
-#define BPF_MODE(code) ((code) & 0xe0)
-#endif
-
-#ifndef BPF_ABS
-#define BPF_ABS 0x20
-#endif
-
-#ifndef BPF_OP
-#define BPF_OP(code) ((code) & 0xf0)
-#endif
-
-#ifndef BPF_ADD
-#define BPF_ADD 0x00
-#endif
-
-#ifndef BPF_SUB
-#define BPF_SUB 0x10
-#endif
-
-#ifndef BPF_MUL
-#define BPF_MUL 0x20
-#endif
-
-#ifndef BPF_DIV
-#define BPF_DIV 0x30
-#endif
-
-#ifndef BPF_OR
-#define BPF_OR 0x40
-#endif
-
-#ifndef BPF_AND
-#define BPF_AND 0x50
-#endif
-
-#ifndef BPF_LSH
-#define BPF_LSH 0x60
-#endif
-
-#ifndef BPF_RSH
-#define BPF_RSH 0x70
-#endif
-
-#ifndef BPF_NEG
-#define BPF_NEG 0x80
-#endif
-
-#ifndef BPF_MOD
-#define BPF_MOD 0x90
-#endif
-
-#ifndef BPF_XOR
-#define BPF_XOR 0xA0
-#endif
-
-#ifndef BPF_JA
-#define BPF_JA 0x00
-#endif
-
-#ifndef BPF_JEQ
-#define BPF_JEQ 0x10
-#endif
-
-#ifndef BPF_JGT
-#define BPF_JGT 0x20
-#endif
-
-#ifndef BPF_JGE
-#define BPF_JGE 0x30
-#endif
-
-#ifndef BPF_JSET
-#define BPF_JSET 0x40
-#endif
-
-#ifndef BPF_SRC
-#define BPF_SRC(code) ((code) & 0x08)
-#endif
-
-#ifndef BPF_K
-#define BPF_K 0x00
-#endif
-
-#ifndef BPF_MAXINSNS
-#define BPF_MAXINSNS 4096
-#endif
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_FILTER_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/linux_futex.h b/security/sandbox/chromium/sandbox/linux/system_headers/linux_futex.h
deleted file mode 100644
index 4e2840333..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/linux_futex.h
+++ /dev/null
@@ -1,84 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_FUTEX_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_FUTEX_H_
-
-#if !defined(__native_client_nonsfi__)
-#include <linux/futex.h>
-#endif // !defined(__native_client_nonsfi__)
-
-#if !defined(FUTEX_WAIT)
-#define FUTEX_WAIT 0
-#endif
-
-#if !defined(FUTEX_WAKE)
-#define FUTEX_WAKE 1
-#endif
-
-#if !defined(FUTEX_FD)
-#define FUTEX_FD 2
-#endif
-
-#if !defined(FUTEX_REQUEUE)
-#define FUTEX_REQUEUE 3
-#endif
-
-#if !defined(FUTEX_CMP_REQUEUE)
-#define FUTEX_CMP_REQUEUE 4
-#endif
-
-#if !defined(FUTEX_WAKE_OP)
-#define FUTEX_WAKE_OP 5
-#endif
-
-#if !defined(FUTEX_LOCK_PI)
-#define FUTEX_LOCK_PI 6
-#endif
-
-#if !defined(FUTEX_UNLOCK_PI)
-#define FUTEX_UNLOCK_PI 7
-#endif
-
-#if !defined(FUTEX_TRYLOCK_PI)
-#define FUTEX_TRYLOCK_PI 8
-#endif
-
-#if !defined(FUTEX_WAIT_BITSET)
-#define FUTEX_WAIT_BITSET 9
-#endif
-
-#if !defined(FUTEX_WAKE_BITSET)
-#define FUTEX_WAKE_BITSET 10
-#endif
-
-#if !defined(FUTEX_WAIT_REQUEUE_PI)
-#define FUTEX_WAIT_REQUEUE_PI 11
-#endif
-
-#if !defined(FUTEX_CMP_REQUEUE_PI)
-#define FUTEX_CMP_REQUEUE_PI 12
-#endif
-
-#if !defined(FUTEX_PRIVATE_FLAG)
-#define FUTEX_PRIVATE_FLAG 128
-#endif
-
-#if !defined FUTEX_CLOCK_REALTIME
-#define FUTEX_CLOCK_REALTIME 256
-#endif
-
-#if !defined(FUTEX_CMD_MASK)
-#define FUTEX_CMD_MASK ~(FUTEX_PRIVATE_FLAG | FUTEX_CLOCK_REALTIME)
-#endif
-
-#if !defined(FUTEX_CMP_REQUEUE_PI_PRIVATE)
-#define FUTEX_CMP_REQUEUE_PI_PRIVATE (FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG)
-#endif
-
-#if !defined(FUTEX_UNLOCK_PI_PRIVATE)
-#define FUTEX_UNLOCK_PI_PRIVATE (FUTEX_UNLOCK_PI | FUTEX_PRIVATE_FLAG)
-#endif
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_FUTEX_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/linux_seccomp.h b/security/sandbox/chromium/sandbox/linux/system_headers/linux_seccomp.h
deleted file mode 100644
index 3deb3d225..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/linux_seccomp.h
+++ /dev/null
@@ -1,107 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_
-
-// The Seccomp2 kernel ABI is not part of older versions of glibc.
-// As we can't break compilation with these versions of the library,
-// we explicitly define all missing symbols.
-// If we ever decide that we can now rely on system headers, the following
-// include files should be enabled:
-// #include <linux/audit.h>
-// #include <linux/seccomp.h>
-
-// For audit.h
-#ifndef EM_ARM
-#define EM_ARM 40
-#endif
-#ifndef EM_386
-#define EM_386 3
-#endif
-#ifndef EM_X86_64
-#define EM_X86_64 62
-#endif
-#ifndef EM_MIPS
-#define EM_MIPS 8
-#endif
-#ifndef EM_AARCH64
-#define EM_AARCH64 183
-#endif
-
-#ifndef __AUDIT_ARCH_64BIT
-#define __AUDIT_ARCH_64BIT 0x80000000
-#endif
-#ifndef __AUDIT_ARCH_LE
-#define __AUDIT_ARCH_LE 0x40000000
-#endif
-#ifndef AUDIT_ARCH_ARM
-#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
-#endif
-#ifndef AUDIT_ARCH_I386
-#define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE)
-#endif
-#ifndef AUDIT_ARCH_X86_64
-#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
-#endif
-#ifndef AUDIT_ARCH_MIPSEL
-#define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE)
-#endif
-#ifndef AUDIT_ARCH_AARCH64
-#define AUDIT_ARCH_AARCH64 (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
-#endif
-
-// For prctl.h
-#ifndef PR_SET_SECCOMP
-#define PR_SET_SECCOMP 22
-#define PR_GET_SECCOMP 21
-#endif
-#ifndef PR_SET_NO_NEW_PRIVS
-#define PR_SET_NO_NEW_PRIVS 38
-#define PR_GET_NO_NEW_PRIVS 39
-#endif
-#ifndef IPC_64
-#define IPC_64 0x0100
-#endif
-
-// In order to build will older tool chains, we currently have to avoid
-// including <linux/seccomp.h>. Until that can be fixed (if ever). Rely on
-// our own definitions of the seccomp kernel ABI.
-#ifndef SECCOMP_MODE_FILTER
-#define SECCOMP_MODE_DISABLED 0
-#define SECCOMP_MODE_STRICT 1
-#define SECCOMP_MODE_FILTER 2 // User user-supplied filter
-#endif
-
-#ifndef SECCOMP_SET_MODE_STRICT
-#define SECCOMP_SET_MODE_STRICT 0
-#endif
-#ifndef SECCOMP_SET_MODE_FILTER
-#define SECCOMP_SET_MODE_FILTER 1
-#endif
-#ifndef SECCOMP_FILTER_FLAG_TSYNC
-#define SECCOMP_FILTER_FLAG_TSYNC 1
-#endif
-
-#ifndef SECCOMP_RET_KILL
-// Return values supported for BPF filter programs. Please note that the
-// "illegal" SECCOMP_RET_INVALID is not supported by the kernel, should only
-// ever be used internally, and would result in the kernel killing our process.
-#define SECCOMP_RET_KILL 0x00000000U // Kill the task immediately
-#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value
-#define SECCOMP_RET_TRAP 0x00030000U // Disallow and force a SIGSYS
-#define SECCOMP_RET_ERRNO 0x00050000U // Returns an errno
-#define SECCOMP_RET_TRACE 0x7ff00000U // Pass to a tracer or disallow
-#define SECCOMP_RET_ALLOW 0x7fff0000U // Allow
-#define SECCOMP_RET_ACTION 0xffff0000U // Masks for the return value
-#define SECCOMP_RET_DATA 0x0000ffffU // sections
-#else
-#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value
-#endif
-
-#ifndef SYS_SECCOMP
-#define SYS_SECCOMP 1
-#endif
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/linux_signal.h b/security/sandbox/chromium/sandbox/linux/system_headers/linux_signal.h
deleted file mode 100644
index fb9a47b8d..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/linux_signal.h
+++ /dev/null
@@ -1,146 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SIGNAL_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SIGNAL_H_
-
-#include <stdint.h>
-
-// NOTE: On some toolchains, signal related ABI is incompatible with Linux's
-// (not undefined, but defined different values and in different memory
-// layouts). So, fill the gap here.
-#if defined(__i386__) || defined(__x86_64__) || defined(__arm__) || \
- defined(__aarch64__)
-
-#define LINUX_SIGHUP 1
-#define LINUX_SIGINT 2
-#define LINUX_SIGQUIT 3
-#define LINUX_SIGABRT 6
-#define LINUX_SIGBUS 7
-#define LINUX_SIGUSR1 10
-#define LINUX_SIGSEGV 11
-#define LINUX_SIGUSR2 12
-#define LINUX_SIGPIPE 13
-#define LINUX_SIGTERM 15
-#define LINUX_SIGCHLD 17
-#define LINUX_SIGSYS 31
-
-#define LINUX_SIG_BLOCK 0
-#define LINUX_SIG_UNBLOCK 1
-
-#define LINUX_SA_SIGINFO 4
-#define LINUX_SA_NODEFER 0x40000000
-#define LINUX_SA_RESTART 0x10000000
-
-#define LINUX_SIG_DFL 0
-
-#elif defined(__mips__)
-
-#define LINUX_SIGHUP 1
-#define LINUX_SIGINT 2
-#define LINUX_SIGQUIT 3
-#define LINUX_SIGABRT 6
-#define LINUX_SIGBUS 10
-#define LINUX_SIGSEGV 11
-#define LINUX_SIGSYS 12
-#define LINUX_SIGPIPE 13
-#define LINUX_SIGTERM 15
-#define LINUX_SIGUSR1 16
-#define LINUX_SIGUSR2 17
-#define LINUX_SIGCHLD 18
-
-#define LINUX_SIG_BLOCK 1
-#define LINUX_SIG_UNBLOCK 2
-
-#define LINUX_SA_SIGINFO 0x00000008
-#define LINUX_SA_NODEFER 0x40000000
-#define LINUX_SA_RESTART 0x10000000
-
-#define LINUX_SIG_DFL 0
-
-#else
-#error "Unsupported platform"
-#endif
-
-#if defined(__native_client_nonsfi__)
-#if !defined(__i386__) && !defined(__arm__)
-#error "Unsupported platform"
-#endif
-
-#include <signal.h>
-
-struct LinuxSigInfo {
- int si_signo;
- int si_errno;
- int si_code;
-
- // Extra data is followed by the |si_code|. The length depends on the
- // signal number.
- char _sifields[1];
-};
-
-#include "sandbox/linux/system_headers/linux_ucontext.h"
-
-#else // !defined(__native_client_nonsfi__)
-
-#include <signal.h>
-
-static_assert(LINUX_SIGHUP == SIGHUP, "LINUX_SIGHUP == SIGHUP");
-static_assert(LINUX_SIGINT == SIGINT, "LINUX_SIGINT == SIGINT");
-static_assert(LINUX_SIGQUIT == SIGQUIT, "LINUX_SIGQUIT == SIGQUIT");
-static_assert(LINUX_SIGABRT == SIGABRT, "LINUX_SIGABRT == SIGABRT");
-static_assert(LINUX_SIGBUS == SIGBUS, "LINUX_SIGBUS == SIGBUS");
-static_assert(LINUX_SIGUSR1 == SIGUSR1, "LINUX_SIGUSR1 == SIGUSR1");
-static_assert(LINUX_SIGSEGV == SIGSEGV, "LINUX_SIGSEGV == SIGSEGV");
-static_assert(LINUX_SIGUSR2 == SIGUSR2, "LINUX_SIGUSR2 == SIGUSR2");
-static_assert(LINUX_SIGPIPE == SIGPIPE, "LINUX_SIGPIPE == SIGPIPE");
-static_assert(LINUX_SIGTERM == SIGTERM, "LINUX_SIGTERM == SIGTERM");
-static_assert(LINUX_SIGCHLD == SIGCHLD, "LINUX_SIGCHLD == SIGCHLD");
-static_assert(LINUX_SIGSYS == SIGSYS, "LINUX_SIGSYS == SIGSYS");
-static_assert(LINUX_SIG_BLOCK == SIG_BLOCK, "LINUX_SIG_BLOCK == SIG_BLOCK");
-static_assert(LINUX_SIG_UNBLOCK == SIG_UNBLOCK,
- "LINUX_SIG_UNBLOCK == SIG_UNBLOCK");
-static_assert(LINUX_SA_SIGINFO == SA_SIGINFO, "LINUX_SA_SIGINFO == SA_SIGINFO");
-static_assert(LINUX_SA_NODEFER == SA_NODEFER, "LINUX_SA_NODEFER == SA_NODEFER");
-static_assert(LINUX_SA_RESTART == SA_RESTART, "LINUX_SA_RESTART == SA_RESTART");
-static_assert(LINUX_SIG_DFL == SIG_DFL, "LINUX_SIG_DFL == SIG_DFL");
-
-typedef siginfo_t LinuxSigInfo;
-
-#if defined(__ANDROID__)
-// Android's signal.h doesn't define ucontext etc.
-#include "sandbox/linux/system_headers/linux_ucontext.h"
-#endif // defined(__ANDROID__)
-
-#endif // !defined(__native_client_nonsfi__)
-
-// struct sigset_t is different size in PNaCl from the Linux's.
-#if defined(__mips__)
-#if !defined(_NSIG_WORDS)
-#define _NSIG_WORDS 4
-#endif
-struct LinuxSigSet {
- unsigned long sig[_NSIG_WORDS];
-};
-#else
-typedef uint64_t LinuxSigSet;
-#endif
-
-// struct sigaction is different in PNaCl from the Linux's.
-#if defined(__mips__)
-struct LinuxSigAction {
- unsigned int sa_flags;
- void (*kernel_handler)(int);
- LinuxSigSet sa_mask;
-};
-#else
-struct LinuxSigAction {
- void (*kernel_handler)(int);
- uint32_t sa_flags;
- void (*sa_restorer)(void);
- LinuxSigSet sa_mask;
-};
-#endif
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SIGNAL_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/linux_syscalls.h
deleted file mode 100644
index 2b441e47e..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/linux_syscalls.h
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This header will be kept up to date so that we can compile system-call
-// policies even when system headers are old.
-// System call numbers are accessible through __NR_syscall_name.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
-
-#if defined(__x86_64__)
-#include "sandbox/linux/system_headers/x86_64_linux_syscalls.h"
-#endif
-
-#if defined(__i386__)
-#include "sandbox/linux/system_headers/x86_32_linux_syscalls.h"
-#endif
-
-#if defined(__arm__) && defined(__ARM_EABI__)
-#include "sandbox/linux/system_headers/arm_linux_syscalls.h"
-#endif
-
-#if defined(__mips__) && (_MIPS_SIM == _ABIO32)
-#include "sandbox/linux/system_headers/mips_linux_syscalls.h"
-#endif
-
-#if defined(__mips__) && (_MIPS_SIM == _ABI64)
-#include "sandbox/linux/system_headers/mips64_linux_syscalls.h"
-#endif
-
-#if defined(__aarch64__)
-#include "sandbox/linux/system_headers/arm64_linux_syscalls.h"
-#endif
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SYSCALLS_H_
-
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/linux_ucontext.h b/security/sandbox/chromium/sandbox/linux/system_headers/linux_ucontext.h
deleted file mode 100644
index ea4d8a6c1..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/linux_ucontext.h
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_UCONTEXT_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_UCONTEXT_H_
-
-#if defined(__ANDROID__) || defined(__native_client_nonsfi__)
-
-#if defined(__arm__)
-#include "sandbox/linux/system_headers/arm_linux_ucontext.h"
-#elif defined(__i386__)
-#include "sandbox/linux/system_headers/i386_linux_ucontext.h"
-#elif defined(__x86_64__)
-#include "sandbox/linux/system_headers/x86_64_linux_ucontext.h"
-#elif defined(__mips__)
-#include "sandbox/linux/system_headers/mips_linux_ucontext.h"
-#elif defined(__aarch64__)
-#include "sandbox/linux/system_headers/arm64_linux_ucontext.h"
-#else
-#error "No support for your architecture in Android or PNaCl header"
-#endif
-
-#else // defined(__ANDROID__) || defined(__native_client_nonsfi__)
-#error "The header file included on non Android and non PNaCl."
-#endif // defined(__ANDROID__) || defined(__native_client_nonsfi__)
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_UCONTEXT_H_
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
deleted file mode 100644
index d9b7afc9b..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
+++ /dev/null
@@ -1,1494 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Generated from the Linux kernel's syscall_32.tbl.
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
-
-#if !defined(__i386__)
-#error "Including header on wrong architecture"
-#endif
-
-#if !defined(__NR_restart_syscall)
-#define __NR_restart_syscall 0
-#endif
-
-#if !defined(__NR_exit)
-#define __NR_exit 1
-#endif
-
-#if !defined(__NR_fork)
-#define __NR_fork 2
-#endif
-
-#if !defined(__NR_read)
-#define __NR_read 3
-#endif
-
-#if !defined(__NR_write)
-#define __NR_write 4
-#endif
-
-#if !defined(__NR_open)
-#define __NR_open 5
-#endif
-
-#if !defined(__NR_close)
-#define __NR_close 6
-#endif
-
-#if !defined(__NR_waitpid)
-#define __NR_waitpid 7
-#endif
-
-#if !defined(__NR_creat)
-#define __NR_creat 8
-#endif
-
-#if !defined(__NR_link)
-#define __NR_link 9
-#endif
-
-#if !defined(__NR_unlink)
-#define __NR_unlink 10
-#endif
-
-#if !defined(__NR_execve)
-#define __NR_execve 11
-#endif
-
-#if !defined(__NR_chdir)
-#define __NR_chdir 12
-#endif
-
-#if !defined(__NR_time)
-#define __NR_time 13
-#endif
-
-#if !defined(__NR_mknod)
-#define __NR_mknod 14
-#endif
-
-#if !defined(__NR_chmod)
-#define __NR_chmod 15
-#endif
-
-#if !defined(__NR_lchown)
-#define __NR_lchown 16
-#endif
-
-#if !defined(__NR_break)
-#define __NR_break 17
-#endif
-
-#if !defined(__NR_oldstat)
-#define __NR_oldstat 18
-#endif
-
-#if !defined(__NR_lseek)
-#define __NR_lseek 19
-#endif
-
-#if !defined(__NR_getpid)
-#define __NR_getpid 20
-#endif
-
-#if !defined(__NR_mount)
-#define __NR_mount 21
-#endif
-
-#if !defined(__NR_umount)
-#define __NR_umount 22
-#endif
-
-#if !defined(__NR_setuid)
-#define __NR_setuid 23
-#endif
-
-#if !defined(__NR_getuid)
-#define __NR_getuid 24
-#endif
-
-#if !defined(__NR_stime)
-#define __NR_stime 25
-#endif
-
-#if !defined(__NR_ptrace)
-#define __NR_ptrace 26
-#endif
-
-#if !defined(__NR_alarm)
-#define __NR_alarm 27
-#endif
-
-#if !defined(__NR_oldfstat)
-#define __NR_oldfstat 28
-#endif
-
-#if !defined(__NR_pause)
-#define __NR_pause 29
-#endif
-
-#if !defined(__NR_utime)
-#define __NR_utime 30
-#endif
-
-#if !defined(__NR_stty)
-#define __NR_stty 31
-#endif
-
-#if !defined(__NR_gtty)
-#define __NR_gtty 32
-#endif
-
-#if !defined(__NR_access)
-#define __NR_access 33
-#endif
-
-#if !defined(__NR_nice)
-#define __NR_nice 34
-#endif
-
-#if !defined(__NR_ftime)
-#define __NR_ftime 35
-#endif
-
-#if !defined(__NR_sync)
-#define __NR_sync 36
-#endif
-
-#if !defined(__NR_kill)
-#define __NR_kill 37
-#endif
-
-#if !defined(__NR_rename)
-#define __NR_rename 38
-#endif
-
-#if !defined(__NR_mkdir)
-#define __NR_mkdir 39
-#endif
-
-#if !defined(__NR_rmdir)
-#define __NR_rmdir 40
-#endif
-
-#if !defined(__NR_dup)
-#define __NR_dup 41
-#endif
-
-#if !defined(__NR_pipe)
-#define __NR_pipe 42
-#endif
-
-#if !defined(__NR_times)
-#define __NR_times 43
-#endif
-
-#if !defined(__NR_prof)
-#define __NR_prof 44
-#endif
-
-#if !defined(__NR_brk)
-#define __NR_brk 45
-#endif
-
-#if !defined(__NR_setgid)
-#define __NR_setgid 46
-#endif
-
-#if !defined(__NR_getgid)
-#define __NR_getgid 47
-#endif
-
-#if !defined(__NR_signal)
-#define __NR_signal 48
-#endif
-
-#if !defined(__NR_geteuid)
-#define __NR_geteuid 49
-#endif
-
-#if !defined(__NR_getegid)
-#define __NR_getegid 50
-#endif
-
-#if !defined(__NR_acct)
-#define __NR_acct 51
-#endif
-
-#if !defined(__NR_umount2)
-#define __NR_umount2 52
-#endif
-
-#if !defined(__NR_lock)
-#define __NR_lock 53
-#endif
-
-#if !defined(__NR_ioctl)
-#define __NR_ioctl 54
-#endif
-
-#if !defined(__NR_fcntl)
-#define __NR_fcntl 55
-#endif
-
-#if !defined(__NR_mpx)
-#define __NR_mpx 56
-#endif
-
-#if !defined(__NR_setpgid)
-#define __NR_setpgid 57
-#endif
-
-#if !defined(__NR_ulimit)
-#define __NR_ulimit 58
-#endif
-
-#if !defined(__NR_oldolduname)
-#define __NR_oldolduname 59
-#endif
-
-#if !defined(__NR_umask)
-#define __NR_umask 60
-#endif
-
-#if !defined(__NR_chroot)
-#define __NR_chroot 61
-#endif
-
-#if !defined(__NR_ustat)
-#define __NR_ustat 62
-#endif
-
-#if !defined(__NR_dup2)
-#define __NR_dup2 63
-#endif
-
-#if !defined(__NR_getppid)
-#define __NR_getppid 64
-#endif
-
-#if !defined(__NR_getpgrp)
-#define __NR_getpgrp 65
-#endif
-
-#if !defined(__NR_setsid)
-#define __NR_setsid 66
-#endif
-
-#if !defined(__NR_sigaction)
-#define __NR_sigaction 67
-#endif
-
-#if !defined(__NR_sgetmask)
-#define __NR_sgetmask 68
-#endif
-
-#if !defined(__NR_ssetmask)
-#define __NR_ssetmask 69
-#endif
-
-#if !defined(__NR_setreuid)
-#define __NR_setreuid 70
-#endif
-
-#if !defined(__NR_setregid)
-#define __NR_setregid 71
-#endif
-
-#if !defined(__NR_sigsuspend)
-#define __NR_sigsuspend 72
-#endif
-
-#if !defined(__NR_sigpending)
-#define __NR_sigpending 73
-#endif
-
-#if !defined(__NR_sethostname)
-#define __NR_sethostname 74
-#endif
-
-#if !defined(__NR_setrlimit)
-#define __NR_setrlimit 75
-#endif
-
-#if !defined(__NR_getrlimit)
-#define __NR_getrlimit 76
-#endif
-
-#if !defined(__NR_getrusage)
-#define __NR_getrusage 77
-#endif
-
-#if !defined(__NR_gettimeofday)
-#define __NR_gettimeofday 78
-#endif
-
-#if !defined(__NR_settimeofday)
-#define __NR_settimeofday 79
-#endif
-
-#if !defined(__NR_getgroups)
-#define __NR_getgroups 80
-#endif
-
-#if !defined(__NR_setgroups)
-#define __NR_setgroups 81
-#endif
-
-#if !defined(__NR_select)
-#define __NR_select 82
-#endif
-
-#if !defined(__NR_symlink)
-#define __NR_symlink 83
-#endif
-
-#if !defined(__NR_oldlstat)
-#define __NR_oldlstat 84
-#endif
-
-#if !defined(__NR_readlink)
-#define __NR_readlink 85
-#endif
-
-#if !defined(__NR_uselib)
-#define __NR_uselib 86
-#endif
-
-#if !defined(__NR_swapon)
-#define __NR_swapon 87
-#endif
-
-#if !defined(__NR_reboot)
-#define __NR_reboot 88
-#endif
-
-#if !defined(__NR_readdir)
-#define __NR_readdir 89
-#endif
-
-#if !defined(__NR_mmap)
-#define __NR_mmap 90
-#endif
-
-#if !defined(__NR_munmap)
-#define __NR_munmap 91
-#endif
-
-#if !defined(__NR_truncate)
-#define __NR_truncate 92
-#endif
-
-#if !defined(__NR_ftruncate)
-#define __NR_ftruncate 93
-#endif
-
-#if !defined(__NR_fchmod)
-#define __NR_fchmod 94
-#endif
-
-#if !defined(__NR_fchown)
-#define __NR_fchown 95
-#endif
-
-#if !defined(__NR_getpriority)
-#define __NR_getpriority 96
-#endif
-
-#if !defined(__NR_setpriority)
-#define __NR_setpriority 97
-#endif
-
-#if !defined(__NR_profil)
-#define __NR_profil 98
-#endif
-
-#if !defined(__NR_statfs)
-#define __NR_statfs 99
-#endif
-
-#if !defined(__NR_fstatfs)
-#define __NR_fstatfs 100
-#endif
-
-#if !defined(__NR_ioperm)
-#define __NR_ioperm 101
-#endif
-
-#if !defined(__NR_socketcall)
-#define __NR_socketcall 102
-#endif
-
-#if !defined(__NR_syslog)
-#define __NR_syslog 103
-#endif
-
-#if !defined(__NR_setitimer)
-#define __NR_setitimer 104
-#endif
-
-#if !defined(__NR_getitimer)
-#define __NR_getitimer 105
-#endif
-
-#if !defined(__NR_stat)
-#define __NR_stat 106
-#endif
-
-#if !defined(__NR_lstat)
-#define __NR_lstat 107
-#endif
-
-#if !defined(__NR_fstat)
-#define __NR_fstat 108
-#endif
-
-#if !defined(__NR_olduname)
-#define __NR_olduname 109
-#endif
-
-#if !defined(__NR_iopl)
-#define __NR_iopl 110
-#endif
-
-#if !defined(__NR_vhangup)
-#define __NR_vhangup 111
-#endif
-
-#if !defined(__NR_idle)
-#define __NR_idle 112
-#endif
-
-#if !defined(__NR_vm86old)
-#define __NR_vm86old 113
-#endif
-
-#if !defined(__NR_wait4)
-#define __NR_wait4 114
-#endif
-
-#if !defined(__NR_swapoff)
-#define __NR_swapoff 115
-#endif
-
-#if !defined(__NR_sysinfo)
-#define __NR_sysinfo 116
-#endif
-
-#if !defined(__NR_ipc)
-#define __NR_ipc 117
-#endif
-
-#if !defined(__NR_fsync)
-#define __NR_fsync 118
-#endif
-
-#if !defined(__NR_sigreturn)
-#define __NR_sigreturn 119
-#endif
-
-#if !defined(__NR_clone)
-#define __NR_clone 120
-#endif
-
-#if !defined(__NR_setdomainname)
-#define __NR_setdomainname 121
-#endif
-
-#if !defined(__NR_uname)
-#define __NR_uname 122
-#endif
-
-#if !defined(__NR_modify_ldt)
-#define __NR_modify_ldt 123
-#endif
-
-#if !defined(__NR_adjtimex)
-#define __NR_adjtimex 124
-#endif
-
-#if !defined(__NR_mprotect)
-#define __NR_mprotect 125
-#endif
-
-#if !defined(__NR_sigprocmask)
-#define __NR_sigprocmask 126
-#endif
-
-#if !defined(__NR_create_module)
-#define __NR_create_module 127
-#endif
-
-#if !defined(__NR_init_module)
-#define __NR_init_module 128
-#endif
-
-#if !defined(__NR_delete_module)
-#define __NR_delete_module 129
-#endif
-
-#if !defined(__NR_get_kernel_syms)
-#define __NR_get_kernel_syms 130
-#endif
-
-#if !defined(__NR_quotactl)
-#define __NR_quotactl 131
-#endif
-
-#if !defined(__NR_getpgid)
-#define __NR_getpgid 132
-#endif
-
-#if !defined(__NR_fchdir)
-#define __NR_fchdir 133
-#endif
-
-#if !defined(__NR_bdflush)
-#define __NR_bdflush 134
-#endif
-
-#if !defined(__NR_sysfs)
-#define __NR_sysfs 135
-#endif
-
-#if !defined(__NR_personality)
-#define __NR_personality 136
-#endif
-
-#if !defined(__NR_afs_syscall)
-#define __NR_afs_syscall 137
-#endif
-
-#if !defined(__NR_setfsuid)
-#define __NR_setfsuid 138
-#endif
-
-#if !defined(__NR_setfsgid)
-#define __NR_setfsgid 139
-#endif
-
-#if !defined(__NR__llseek)
-#define __NR__llseek 140
-#endif
-
-#if !defined(__NR_getdents)
-#define __NR_getdents 141
-#endif
-
-#if !defined(__NR__newselect)
-#define __NR__newselect 142
-#endif
-
-#if !defined(__NR_flock)
-#define __NR_flock 143
-#endif
-
-#if !defined(__NR_msync)
-#define __NR_msync 144
-#endif
-
-#if !defined(__NR_readv)
-#define __NR_readv 145
-#endif
-
-#if !defined(__NR_writev)
-#define __NR_writev 146
-#endif
-
-#if !defined(__NR_getsid)
-#define __NR_getsid 147
-#endif
-
-#if !defined(__NR_fdatasync)
-#define __NR_fdatasync 148
-#endif
-
-#if !defined(__NR__sysctl)
-#define __NR__sysctl 149
-#endif
-
-#if !defined(__NR_mlock)
-#define __NR_mlock 150
-#endif
-
-#if !defined(__NR_munlock)
-#define __NR_munlock 151
-#endif
-
-#if !defined(__NR_mlockall)
-#define __NR_mlockall 152
-#endif
-
-#if !defined(__NR_munlockall)
-#define __NR_munlockall 153
-#endif
-
-#if !defined(__NR_sched_setparam)
-#define __NR_sched_setparam 154
-#endif
-
-#if !defined(__NR_sched_getparam)
-#define __NR_sched_getparam 155
-#endif
-
-#if !defined(__NR_sched_setscheduler)
-#define __NR_sched_setscheduler 156
-#endif
-
-#if !defined(__NR_sched_getscheduler)
-#define __NR_sched_getscheduler 157
-#endif
-
-#if !defined(__NR_sched_yield)
-#define __NR_sched_yield 158
-#endif
-
-#if !defined(__NR_sched_get_priority_max)
-#define __NR_sched_get_priority_max 159
-#endif
-
-#if !defined(__NR_sched_get_priority_min)
-#define __NR_sched_get_priority_min 160
-#endif
-
-#if !defined(__NR_sched_rr_get_interval)
-#define __NR_sched_rr_get_interval 161
-#endif
-
-#if !defined(__NR_nanosleep)
-#define __NR_nanosleep 162
-#endif
-
-#if !defined(__NR_mremap)
-#define __NR_mremap 163
-#endif
-
-#if !defined(__NR_setresuid)
-#define __NR_setresuid 164
-#endif
-
-#if !defined(__NR_getresuid)
-#define __NR_getresuid 165
-#endif
-
-#if !defined(__NR_vm86)
-#define __NR_vm86 166
-#endif
-
-#if !defined(__NR_query_module)
-#define __NR_query_module 167
-#endif
-
-#if !defined(__NR_poll)
-#define __NR_poll 168
-#endif
-
-#if !defined(__NR_nfsservctl)
-#define __NR_nfsservctl 169
-#endif
-
-#if !defined(__NR_setresgid)
-#define __NR_setresgid 170
-#endif
-
-#if !defined(__NR_getresgid)
-#define __NR_getresgid 171
-#endif
-
-#if !defined(__NR_prctl)
-#define __NR_prctl 172
-#endif
-
-#if !defined(__NR_rt_sigreturn)
-#define __NR_rt_sigreturn 173
-#endif
-
-#if !defined(__NR_rt_sigaction)
-#define __NR_rt_sigaction 174
-#endif
-
-#if !defined(__NR_rt_sigprocmask)
-#define __NR_rt_sigprocmask 175
-#endif
-
-#if !defined(__NR_rt_sigpending)
-#define __NR_rt_sigpending 176
-#endif
-
-#if !defined(__NR_rt_sigtimedwait)
-#define __NR_rt_sigtimedwait 177
-#endif
-
-#if !defined(__NR_rt_sigqueueinfo)
-#define __NR_rt_sigqueueinfo 178
-#endif
-
-#if !defined(__NR_rt_sigsuspend)
-#define __NR_rt_sigsuspend 179
-#endif
-
-#if !defined(__NR_pread64)
-#define __NR_pread64 180
-#endif
-
-#if !defined(__NR_pwrite64)
-#define __NR_pwrite64 181
-#endif
-
-#if !defined(__NR_chown)
-#define __NR_chown 182
-#endif
-
-#if !defined(__NR_getcwd)
-#define __NR_getcwd 183
-#endif
-
-#if !defined(__NR_capget)
-#define __NR_capget 184
-#endif
-
-#if !defined(__NR_capset)
-#define __NR_capset 185
-#endif
-
-#if !defined(__NR_sigaltstack)
-#define __NR_sigaltstack 186
-#endif
-
-#if !defined(__NR_sendfile)
-#define __NR_sendfile 187
-#endif
-
-#if !defined(__NR_getpmsg)
-#define __NR_getpmsg 188
-#endif
-
-#if !defined(__NR_putpmsg)
-#define __NR_putpmsg 189
-#endif
-
-#if !defined(__NR_vfork)
-#define __NR_vfork 190
-#endif
-
-#if !defined(__NR_ugetrlimit)
-#define __NR_ugetrlimit 191
-#endif
-
-#if !defined(__NR_mmap2)
-#define __NR_mmap2 192
-#endif
-
-#if !defined(__NR_truncate64)
-#define __NR_truncate64 193
-#endif
-
-#if !defined(__NR_ftruncate64)
-#define __NR_ftruncate64 194
-#endif
-
-#if !defined(__NR_stat64)
-#define __NR_stat64 195
-#endif
-
-#if !defined(__NR_lstat64)
-#define __NR_lstat64 196
-#endif
-
-#if !defined(__NR_fstat64)
-#define __NR_fstat64 197
-#endif
-
-#if !defined(__NR_lchown32)
-#define __NR_lchown32 198
-#endif
-
-#if !defined(__NR_getuid32)
-#define __NR_getuid32 199
-#endif
-
-#if !defined(__NR_getgid32)
-#define __NR_getgid32 200
-#endif
-
-#if !defined(__NR_geteuid32)
-#define __NR_geteuid32 201
-#endif
-
-#if !defined(__NR_getegid32)
-#define __NR_getegid32 202
-#endif
-
-#if !defined(__NR_setreuid32)
-#define __NR_setreuid32 203
-#endif
-
-#if !defined(__NR_setregid32)
-#define __NR_setregid32 204
-#endif
-
-#if !defined(__NR_getgroups32)
-#define __NR_getgroups32 205
-#endif
-
-#if !defined(__NR_setgroups32)
-#define __NR_setgroups32 206
-#endif
-
-#if !defined(__NR_fchown32)
-#define __NR_fchown32 207
-#endif
-
-#if !defined(__NR_setresuid32)
-#define __NR_setresuid32 208
-#endif
-
-#if !defined(__NR_getresuid32)
-#define __NR_getresuid32 209
-#endif
-
-#if !defined(__NR_setresgid32)
-#define __NR_setresgid32 210
-#endif
-
-#if !defined(__NR_getresgid32)
-#define __NR_getresgid32 211
-#endif
-
-#if !defined(__NR_chown32)
-#define __NR_chown32 212
-#endif
-
-#if !defined(__NR_setuid32)
-#define __NR_setuid32 213
-#endif
-
-#if !defined(__NR_setgid32)
-#define __NR_setgid32 214
-#endif
-
-#if !defined(__NR_setfsuid32)
-#define __NR_setfsuid32 215
-#endif
-
-#if !defined(__NR_setfsgid32)
-#define __NR_setfsgid32 216
-#endif
-
-#if !defined(__NR_pivot_root)
-#define __NR_pivot_root 217
-#endif
-
-#if !defined(__NR_mincore)
-#define __NR_mincore 218
-#endif
-
-#if !defined(__NR_madvise)
-#define __NR_madvise 219
-#endif
-
-#if !defined(__NR_getdents64)
-#define __NR_getdents64 220
-#endif
-
-#if !defined(__NR_fcntl64)
-#define __NR_fcntl64 221
-#endif
-
-#if !defined(__NR_gettid)
-#define __NR_gettid 224
-#endif
-
-#if !defined(__NR_readahead)
-#define __NR_readahead 225
-#endif
-
-#if !defined(__NR_setxattr)
-#define __NR_setxattr 226
-#endif
-
-#if !defined(__NR_lsetxattr)
-#define __NR_lsetxattr 227
-#endif
-
-#if !defined(__NR_fsetxattr)
-#define __NR_fsetxattr 228
-#endif
-
-#if !defined(__NR_getxattr)
-#define __NR_getxattr 229
-#endif
-
-#if !defined(__NR_lgetxattr)
-#define __NR_lgetxattr 230
-#endif
-
-#if !defined(__NR_fgetxattr)
-#define __NR_fgetxattr 231
-#endif
-
-#if !defined(__NR_listxattr)
-#define __NR_listxattr 232
-#endif
-
-#if !defined(__NR_llistxattr)
-#define __NR_llistxattr 233
-#endif
-
-#if !defined(__NR_flistxattr)
-#define __NR_flistxattr 234
-#endif
-
-#if !defined(__NR_removexattr)
-#define __NR_removexattr 235
-#endif
-
-#if !defined(__NR_lremovexattr)
-#define __NR_lremovexattr 236
-#endif
-
-#if !defined(__NR_fremovexattr)
-#define __NR_fremovexattr 237
-#endif
-
-#if !defined(__NR_tkill)
-#define __NR_tkill 238
-#endif
-
-#if !defined(__NR_sendfile64)
-#define __NR_sendfile64 239
-#endif
-
-#if !defined(__NR_futex)
-#define __NR_futex 240
-#endif
-
-#if !defined(__NR_sched_setaffinity)
-#define __NR_sched_setaffinity 241
-#endif
-
-#if !defined(__NR_sched_getaffinity)
-#define __NR_sched_getaffinity 242
-#endif
-
-#if !defined(__NR_set_thread_area)
-#define __NR_set_thread_area 243
-#endif
-
-#if !defined(__NR_get_thread_area)
-#define __NR_get_thread_area 244
-#endif
-
-#if !defined(__NR_io_setup)
-#define __NR_io_setup 245
-#endif
-
-#if !defined(__NR_io_destroy)
-#define __NR_io_destroy 246
-#endif
-
-#if !defined(__NR_io_getevents)
-#define __NR_io_getevents 247
-#endif
-
-#if !defined(__NR_io_submit)
-#define __NR_io_submit 248
-#endif
-
-#if !defined(__NR_io_cancel)
-#define __NR_io_cancel 249
-#endif
-
-#if !defined(__NR_fadvise64)
-#define __NR_fadvise64 250
-#endif
-
-#if !defined(__NR_exit_group)
-#define __NR_exit_group 252
-#endif
-
-#if !defined(__NR_lookup_dcookie)
-#define __NR_lookup_dcookie 253
-#endif
-
-#if !defined(__NR_epoll_create)
-#define __NR_epoll_create 254
-#endif
-
-#if !defined(__NR_epoll_ctl)
-#define __NR_epoll_ctl 255
-#endif
-
-#if !defined(__NR_epoll_wait)
-#define __NR_epoll_wait 256
-#endif
-
-#if !defined(__NR_remap_file_pages)
-#define __NR_remap_file_pages 257
-#endif
-
-#if !defined(__NR_set_tid_address)
-#define __NR_set_tid_address 258
-#endif
-
-#if !defined(__NR_timer_create)
-#define __NR_timer_create 259
-#endif
-
-#if !defined(__NR_timer_settime)
-#define __NR_timer_settime 260
-#endif
-
-#if !defined(__NR_timer_gettime)
-#define __NR_timer_gettime 261
-#endif
-
-#if !defined(__NR_timer_getoverrun)
-#define __NR_timer_getoverrun 262
-#endif
-
-#if !defined(__NR_timer_delete)
-#define __NR_timer_delete 263
-#endif
-
-#if !defined(__NR_clock_settime)
-#define __NR_clock_settime 264
-#endif
-
-#if !defined(__NR_clock_gettime)
-#define __NR_clock_gettime 265
-#endif
-
-#if !defined(__NR_clock_getres)
-#define __NR_clock_getres 266
-#endif
-
-#if !defined(__NR_clock_nanosleep)
-#define __NR_clock_nanosleep 267
-#endif
-
-#if !defined(__NR_statfs64)
-#define __NR_statfs64 268
-#endif
-
-#if !defined(__NR_fstatfs64)
-#define __NR_fstatfs64 269
-#endif
-
-#if !defined(__NR_tgkill)
-#define __NR_tgkill 270
-#endif
-
-#if !defined(__NR_utimes)
-#define __NR_utimes 271
-#endif
-
-#if !defined(__NR_fadvise64_64)
-#define __NR_fadvise64_64 272
-#endif
-
-#if !defined(__NR_vserver)
-#define __NR_vserver 273
-#endif
-
-#if !defined(__NR_mbind)
-#define __NR_mbind 274
-#endif
-
-#if !defined(__NR_get_mempolicy)
-#define __NR_get_mempolicy 275
-#endif
-
-#if !defined(__NR_set_mempolicy)
-#define __NR_set_mempolicy 276
-#endif
-
-#if !defined(__NR_mq_open)
-#define __NR_mq_open 277
-#endif
-
-#if !defined(__NR_mq_unlink)
-#define __NR_mq_unlink 278
-#endif
-
-#if !defined(__NR_mq_timedsend)
-#define __NR_mq_timedsend 279
-#endif
-
-#if !defined(__NR_mq_timedreceive)
-#define __NR_mq_timedreceive 280
-#endif
-
-#if !defined(__NR_mq_notify)
-#define __NR_mq_notify 281
-#endif
-
-#if !defined(__NR_mq_getsetattr)
-#define __NR_mq_getsetattr 282
-#endif
-
-#if !defined(__NR_kexec_load)
-#define __NR_kexec_load 283
-#endif
-
-#if !defined(__NR_waitid)
-#define __NR_waitid 284
-#endif
-
-#if !defined(__NR_add_key)
-#define __NR_add_key 286
-#endif
-
-#if !defined(__NR_request_key)
-#define __NR_request_key 287
-#endif
-
-#if !defined(__NR_keyctl)
-#define __NR_keyctl 288
-#endif
-
-#if !defined(__NR_ioprio_set)
-#define __NR_ioprio_set 289
-#endif
-
-#if !defined(__NR_ioprio_get)
-#define __NR_ioprio_get 290
-#endif
-
-#if !defined(__NR_inotify_init)
-#define __NR_inotify_init 291
-#endif
-
-#if !defined(__NR_inotify_add_watch)
-#define __NR_inotify_add_watch 292
-#endif
-
-#if !defined(__NR_inotify_rm_watch)
-#define __NR_inotify_rm_watch 293
-#endif
-
-#if !defined(__NR_migrate_pages)
-#define __NR_migrate_pages 294
-#endif
-
-#if !defined(__NR_openat)
-#define __NR_openat 295
-#endif
-
-#if !defined(__NR_mkdirat)
-#define __NR_mkdirat 296
-#endif
-
-#if !defined(__NR_mknodat)
-#define __NR_mknodat 297
-#endif
-
-#if !defined(__NR_fchownat)
-#define __NR_fchownat 298
-#endif
-
-#if !defined(__NR_futimesat)
-#define __NR_futimesat 299
-#endif
-
-#if !defined(__NR_fstatat64)
-#define __NR_fstatat64 300
-#endif
-
-#if !defined(__NR_unlinkat)
-#define __NR_unlinkat 301
-#endif
-
-#if !defined(__NR_renameat)
-#define __NR_renameat 302
-#endif
-
-#if !defined(__NR_linkat)
-#define __NR_linkat 303
-#endif
-
-#if !defined(__NR_symlinkat)
-#define __NR_symlinkat 304
-#endif
-
-#if !defined(__NR_readlinkat)
-#define __NR_readlinkat 305
-#endif
-
-#if !defined(__NR_fchmodat)
-#define __NR_fchmodat 306
-#endif
-
-#if !defined(__NR_faccessat)
-#define __NR_faccessat 307
-#endif
-
-#if !defined(__NR_pselect6)
-#define __NR_pselect6 308
-#endif
-
-#if !defined(__NR_ppoll)
-#define __NR_ppoll 309
-#endif
-
-#if !defined(__NR_unshare)
-#define __NR_unshare 310
-#endif
-
-#if !defined(__NR_set_robust_list)
-#define __NR_set_robust_list 311
-#endif
-
-#if !defined(__NR_get_robust_list)
-#define __NR_get_robust_list 312
-#endif
-
-#if !defined(__NR_splice)
-#define __NR_splice 313
-#endif
-
-#if !defined(__NR_sync_file_range)
-#define __NR_sync_file_range 314
-#endif
-
-#if !defined(__NR_tee)
-#define __NR_tee 315
-#endif
-
-#if !defined(__NR_vmsplice)
-#define __NR_vmsplice 316
-#endif
-
-#if !defined(__NR_move_pages)
-#define __NR_move_pages 317
-#endif
-
-#if !defined(__NR_getcpu)
-#define __NR_getcpu 318
-#endif
-
-#if !defined(__NR_epoll_pwait)
-#define __NR_epoll_pwait 319
-#endif
-
-#if !defined(__NR_utimensat)
-#define __NR_utimensat 320
-#endif
-
-#if !defined(__NR_signalfd)
-#define __NR_signalfd 321
-#endif
-
-#if !defined(__NR_timerfd_create)
-#define __NR_timerfd_create 322
-#endif
-
-#if !defined(__NR_eventfd)
-#define __NR_eventfd 323
-#endif
-
-#if !defined(__NR_fallocate)
-#define __NR_fallocate 324
-#endif
-
-#if !defined(__NR_timerfd_settime)
-#define __NR_timerfd_settime 325
-#endif
-
-#if !defined(__NR_timerfd_gettime)
-#define __NR_timerfd_gettime 326
-#endif
-
-#if !defined(__NR_signalfd4)
-#define __NR_signalfd4 327
-#endif
-
-#if !defined(__NR_eventfd2)
-#define __NR_eventfd2 328
-#endif
-
-#if !defined(__NR_epoll_create1)
-#define __NR_epoll_create1 329
-#endif
-
-#if !defined(__NR_dup3)
-#define __NR_dup3 330
-#endif
-
-#if !defined(__NR_pipe2)
-#define __NR_pipe2 331
-#endif
-
-#if !defined(__NR_inotify_init1)
-#define __NR_inotify_init1 332
-#endif
-
-#if !defined(__NR_preadv)
-#define __NR_preadv 333
-#endif
-
-#if !defined(__NR_pwritev)
-#define __NR_pwritev 334
-#endif
-
-#if !defined(__NR_rt_tgsigqueueinfo)
-#define __NR_rt_tgsigqueueinfo 335
-#endif
-
-#if !defined(__NR_perf_event_open)
-#define __NR_perf_event_open 336
-#endif
-
-#if !defined(__NR_recvmmsg)
-#define __NR_recvmmsg 337
-#endif
-
-#if !defined(__NR_fanotify_init)
-#define __NR_fanotify_init 338
-#endif
-
-#if !defined(__NR_fanotify_mark)
-#define __NR_fanotify_mark 339
-#endif
-
-#if !defined(__NR_prlimit64)
-#define __NR_prlimit64 340
-#endif
-
-#if !defined(__NR_name_to_handle_at)
-#define __NR_name_to_handle_at 341
-#endif
-
-#if !defined(__NR_open_by_handle_at)
-#define __NR_open_by_handle_at 342
-#endif
-
-#if !defined(__NR_clock_adjtime)
-#define __NR_clock_adjtime 343
-#endif
-
-#if !defined(__NR_syncfs)
-#define __NR_syncfs 344
-#endif
-
-#if !defined(__NR_sendmmsg)
-#define __NR_sendmmsg 345
-#endif
-
-#if !defined(__NR_setns)
-#define __NR_setns 346
-#endif
-
-#if !defined(__NR_process_vm_readv)
-#define __NR_process_vm_readv 347
-#endif
-
-#if !defined(__NR_process_vm_writev)
-#define __NR_process_vm_writev 348
-#endif
-
-#if !defined(__NR_kcmp)
-#define __NR_kcmp 349
-#endif
-
-#if !defined(__NR_finit_module)
-#define __NR_finit_module 350
-#endif
-
-#if !defined(__NR_sched_setattr)
-#define __NR_sched_setattr 351
-#endif
-
-#if !defined(__NR_sched_getattr)
-#define __NR_sched_getattr 352
-#endif
-
-#if !defined(__NR_renameat2)
-#define __NR_renameat2 353
-#endif
-
-#if !defined(__NR_seccomp)
-#define __NR_seccomp 354
-#endif
-
-#if !defined(__NR_getrandom)
-#define __NR_getrandom 355
-#endif
-
-#if !defined(__NR_memfd_create)
-#define __NR_memfd_create 356
-#endif
-
-#if !defined(__NR_bpf)
-#define __NR_bpf 357
-#endif
-
-#if !defined(__NR_execveat)
-#define __NR_execveat 358
-#endif
-
-#if !defined(__NR_socket)
-#define __NR_socket 359
-#endif
-
-#if !defined(__NR_socketpair)
-#define __NR_socketpair 360
-#endif
-
-#if !defined(__NR_bind)
-#define __NR_bind 361
-#endif
-
-#if !defined(__NR_connect)
-#define __NR_connect 362
-#endif
-
-#if !defined(__NR_listen)
-#define __NR_listen 363
-#endif
-
-#if !defined(__NR_accept4)
-#define __NR_accept4 364
-#endif
-
-#if !defined(__NR_getsockopt)
-#define __NR_getsockopt 365
-#endif
-
-#if !defined(__NR_setsockopt)
-#define __NR_setsockopt 366
-#endif
-
-#if !defined(__NR_getsockname)
-#define __NR_getsockname 367
-#endif
-
-#if !defined(__NR_getpeername)
-#define __NR_getpeername 368
-#endif
-
-#if !defined(__NR_sendto)
-#define __NR_sendto 369
-#endif
-
-#if !defined(__NR_sendmsg)
-#define __NR_sendmsg 370
-#endif
-
-#if !defined(__NR_recvfrom)
-#define __NR_recvfrom 371
-#endif
-
-#if !defined(__NR_recvmsg)
-#define __NR_recvmsg 372
-#endif
-
-#if !defined(__NR_shutdown)
-#define __NR_shutdown 373
-#endif
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
-
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
deleted file mode 100644
index 349504aee..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_syscalls.h
+++ /dev/null
@@ -1,1294 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Generated from the Linux kernel's syscall_64.tbl.
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
-
-#if !defined(__x86_64__)
-#error "Including header on wrong architecture"
-#endif
-
-#if !defined(__NR_read)
-#define __NR_read 0
-#endif
-
-#if !defined(__NR_write)
-#define __NR_write 1
-#endif
-
-#if !defined(__NR_open)
-#define __NR_open 2
-#endif
-
-#if !defined(__NR_close)
-#define __NR_close 3
-#endif
-
-#if !defined(__NR_stat)
-#define __NR_stat 4
-#endif
-
-#if !defined(__NR_fstat)
-#define __NR_fstat 5
-#endif
-
-#if !defined(__NR_lstat)
-#define __NR_lstat 6
-#endif
-
-#if !defined(__NR_poll)
-#define __NR_poll 7
-#endif
-
-#if !defined(__NR_lseek)
-#define __NR_lseek 8
-#endif
-
-#if !defined(__NR_mmap)
-#define __NR_mmap 9
-#endif
-
-#if !defined(__NR_mprotect)
-#define __NR_mprotect 10
-#endif
-
-#if !defined(__NR_munmap)
-#define __NR_munmap 11
-#endif
-
-#if !defined(__NR_brk)
-#define __NR_brk 12
-#endif
-
-#if !defined(__NR_rt_sigaction)
-#define __NR_rt_sigaction 13
-#endif
-
-#if !defined(__NR_rt_sigprocmask)
-#define __NR_rt_sigprocmask 14
-#endif
-
-#if !defined(__NR_rt_sigreturn)
-#define __NR_rt_sigreturn 15
-#endif
-
-#if !defined(__NR_ioctl)
-#define __NR_ioctl 16
-#endif
-
-#if !defined(__NR_pread64)
-#define __NR_pread64 17
-#endif
-
-#if !defined(__NR_pwrite64)
-#define __NR_pwrite64 18
-#endif
-
-#if !defined(__NR_readv)
-#define __NR_readv 19
-#endif
-
-#if !defined(__NR_writev)
-#define __NR_writev 20
-#endif
-
-#if !defined(__NR_access)
-#define __NR_access 21
-#endif
-
-#if !defined(__NR_pipe)
-#define __NR_pipe 22
-#endif
-
-#if !defined(__NR_select)
-#define __NR_select 23
-#endif
-
-#if !defined(__NR_sched_yield)
-#define __NR_sched_yield 24
-#endif
-
-#if !defined(__NR_mremap)
-#define __NR_mremap 25
-#endif
-
-#if !defined(__NR_msync)
-#define __NR_msync 26
-#endif
-
-#if !defined(__NR_mincore)
-#define __NR_mincore 27
-#endif
-
-#if !defined(__NR_madvise)
-#define __NR_madvise 28
-#endif
-
-#if !defined(__NR_shmget)
-#define __NR_shmget 29
-#endif
-
-#if !defined(__NR_shmat)
-#define __NR_shmat 30
-#endif
-
-#if !defined(__NR_shmctl)
-#define __NR_shmctl 31
-#endif
-
-#if !defined(__NR_dup)
-#define __NR_dup 32
-#endif
-
-#if !defined(__NR_dup2)
-#define __NR_dup2 33
-#endif
-
-#if !defined(__NR_pause)
-#define __NR_pause 34
-#endif
-
-#if !defined(__NR_nanosleep)
-#define __NR_nanosleep 35
-#endif
-
-#if !defined(__NR_getitimer)
-#define __NR_getitimer 36
-#endif
-
-#if !defined(__NR_alarm)
-#define __NR_alarm 37
-#endif
-
-#if !defined(__NR_setitimer)
-#define __NR_setitimer 38
-#endif
-
-#if !defined(__NR_getpid)
-#define __NR_getpid 39
-#endif
-
-#if !defined(__NR_sendfile)
-#define __NR_sendfile 40
-#endif
-
-#if !defined(__NR_socket)
-#define __NR_socket 41
-#endif
-
-#if !defined(__NR_connect)
-#define __NR_connect 42
-#endif
-
-#if !defined(__NR_accept)
-#define __NR_accept 43
-#endif
-
-#if !defined(__NR_sendto)
-#define __NR_sendto 44
-#endif
-
-#if !defined(__NR_recvfrom)
-#define __NR_recvfrom 45
-#endif
-
-#if !defined(__NR_sendmsg)
-#define __NR_sendmsg 46
-#endif
-
-#if !defined(__NR_recvmsg)
-#define __NR_recvmsg 47
-#endif
-
-#if !defined(__NR_shutdown)
-#define __NR_shutdown 48
-#endif
-
-#if !defined(__NR_bind)
-#define __NR_bind 49
-#endif
-
-#if !defined(__NR_listen)
-#define __NR_listen 50
-#endif
-
-#if !defined(__NR_getsockname)
-#define __NR_getsockname 51
-#endif
-
-#if !defined(__NR_getpeername)
-#define __NR_getpeername 52
-#endif
-
-#if !defined(__NR_socketpair)
-#define __NR_socketpair 53
-#endif
-
-#if !defined(__NR_setsockopt)
-#define __NR_setsockopt 54
-#endif
-
-#if !defined(__NR_getsockopt)
-#define __NR_getsockopt 55
-#endif
-
-#if !defined(__NR_clone)
-#define __NR_clone 56
-#endif
-
-#if !defined(__NR_fork)
-#define __NR_fork 57
-#endif
-
-#if !defined(__NR_vfork)
-#define __NR_vfork 58
-#endif
-
-#if !defined(__NR_execve)
-#define __NR_execve 59
-#endif
-
-#if !defined(__NR_exit)
-#define __NR_exit 60
-#endif
-
-#if !defined(__NR_wait4)
-#define __NR_wait4 61
-#endif
-
-#if !defined(__NR_kill)
-#define __NR_kill 62
-#endif
-
-#if !defined(__NR_uname)
-#define __NR_uname 63
-#endif
-
-#if !defined(__NR_semget)
-#define __NR_semget 64
-#endif
-
-#if !defined(__NR_semop)
-#define __NR_semop 65
-#endif
-
-#if !defined(__NR_semctl)
-#define __NR_semctl 66
-#endif
-
-#if !defined(__NR_shmdt)
-#define __NR_shmdt 67
-#endif
-
-#if !defined(__NR_msgget)
-#define __NR_msgget 68
-#endif
-
-#if !defined(__NR_msgsnd)
-#define __NR_msgsnd 69
-#endif
-
-#if !defined(__NR_msgrcv)
-#define __NR_msgrcv 70
-#endif
-
-#if !defined(__NR_msgctl)
-#define __NR_msgctl 71
-#endif
-
-#if !defined(__NR_fcntl)
-#define __NR_fcntl 72
-#endif
-
-#if !defined(__NR_flock)
-#define __NR_flock 73
-#endif
-
-#if !defined(__NR_fsync)
-#define __NR_fsync 74
-#endif
-
-#if !defined(__NR_fdatasync)
-#define __NR_fdatasync 75
-#endif
-
-#if !defined(__NR_truncate)
-#define __NR_truncate 76
-#endif
-
-#if !defined(__NR_ftruncate)
-#define __NR_ftruncate 77
-#endif
-
-#if !defined(__NR_getdents)
-#define __NR_getdents 78
-#endif
-
-#if !defined(__NR_getcwd)
-#define __NR_getcwd 79
-#endif
-
-#if !defined(__NR_chdir)
-#define __NR_chdir 80
-#endif
-
-#if !defined(__NR_fchdir)
-#define __NR_fchdir 81
-#endif
-
-#if !defined(__NR_rename)
-#define __NR_rename 82
-#endif
-
-#if !defined(__NR_mkdir)
-#define __NR_mkdir 83
-#endif
-
-#if !defined(__NR_rmdir)
-#define __NR_rmdir 84
-#endif
-
-#if !defined(__NR_creat)
-#define __NR_creat 85
-#endif
-
-#if !defined(__NR_link)
-#define __NR_link 86
-#endif
-
-#if !defined(__NR_unlink)
-#define __NR_unlink 87
-#endif
-
-#if !defined(__NR_symlink)
-#define __NR_symlink 88
-#endif
-
-#if !defined(__NR_readlink)
-#define __NR_readlink 89
-#endif
-
-#if !defined(__NR_chmod)
-#define __NR_chmod 90
-#endif
-
-#if !defined(__NR_fchmod)
-#define __NR_fchmod 91
-#endif
-
-#if !defined(__NR_chown)
-#define __NR_chown 92
-#endif
-
-#if !defined(__NR_fchown)
-#define __NR_fchown 93
-#endif
-
-#if !defined(__NR_lchown)
-#define __NR_lchown 94
-#endif
-
-#if !defined(__NR_umask)
-#define __NR_umask 95
-#endif
-
-#if !defined(__NR_gettimeofday)
-#define __NR_gettimeofday 96
-#endif
-
-#if !defined(__NR_getrlimit)
-#define __NR_getrlimit 97
-#endif
-
-#if !defined(__NR_getrusage)
-#define __NR_getrusage 98
-#endif
-
-#if !defined(__NR_sysinfo)
-#define __NR_sysinfo 99
-#endif
-
-#if !defined(__NR_times)
-#define __NR_times 100
-#endif
-
-#if !defined(__NR_ptrace)
-#define __NR_ptrace 101
-#endif
-
-#if !defined(__NR_getuid)
-#define __NR_getuid 102
-#endif
-
-#if !defined(__NR_syslog)
-#define __NR_syslog 103
-#endif
-
-#if !defined(__NR_getgid)
-#define __NR_getgid 104
-#endif
-
-#if !defined(__NR_setuid)
-#define __NR_setuid 105
-#endif
-
-#if !defined(__NR_setgid)
-#define __NR_setgid 106
-#endif
-
-#if !defined(__NR_geteuid)
-#define __NR_geteuid 107
-#endif
-
-#if !defined(__NR_getegid)
-#define __NR_getegid 108
-#endif
-
-#if !defined(__NR_setpgid)
-#define __NR_setpgid 109
-#endif
-
-#if !defined(__NR_getppid)
-#define __NR_getppid 110
-#endif
-
-#if !defined(__NR_getpgrp)
-#define __NR_getpgrp 111
-#endif
-
-#if !defined(__NR_setsid)
-#define __NR_setsid 112
-#endif
-
-#if !defined(__NR_setreuid)
-#define __NR_setreuid 113
-#endif
-
-#if !defined(__NR_setregid)
-#define __NR_setregid 114
-#endif
-
-#if !defined(__NR_getgroups)
-#define __NR_getgroups 115
-#endif
-
-#if !defined(__NR_setgroups)
-#define __NR_setgroups 116
-#endif
-
-#if !defined(__NR_setresuid)
-#define __NR_setresuid 117
-#endif
-
-#if !defined(__NR_getresuid)
-#define __NR_getresuid 118
-#endif
-
-#if !defined(__NR_setresgid)
-#define __NR_setresgid 119
-#endif
-
-#if !defined(__NR_getresgid)
-#define __NR_getresgid 120
-#endif
-
-#if !defined(__NR_getpgid)
-#define __NR_getpgid 121
-#endif
-
-#if !defined(__NR_setfsuid)
-#define __NR_setfsuid 122
-#endif
-
-#if !defined(__NR_setfsgid)
-#define __NR_setfsgid 123
-#endif
-
-#if !defined(__NR_getsid)
-#define __NR_getsid 124
-#endif
-
-#if !defined(__NR_capget)
-#define __NR_capget 125
-#endif
-
-#if !defined(__NR_capset)
-#define __NR_capset 126
-#endif
-
-#if !defined(__NR_rt_sigpending)
-#define __NR_rt_sigpending 127
-#endif
-
-#if !defined(__NR_rt_sigtimedwait)
-#define __NR_rt_sigtimedwait 128
-#endif
-
-#if !defined(__NR_rt_sigqueueinfo)
-#define __NR_rt_sigqueueinfo 129
-#endif
-
-#if !defined(__NR_rt_sigsuspend)
-#define __NR_rt_sigsuspend 130
-#endif
-
-#if !defined(__NR_sigaltstack)
-#define __NR_sigaltstack 131
-#endif
-
-#if !defined(__NR_utime)
-#define __NR_utime 132
-#endif
-
-#if !defined(__NR_mknod)
-#define __NR_mknod 133
-#endif
-
-#if !defined(__NR_uselib)
-#define __NR_uselib 134
-#endif
-
-#if !defined(__NR_personality)
-#define __NR_personality 135
-#endif
-
-#if !defined(__NR_ustat)
-#define __NR_ustat 136
-#endif
-
-#if !defined(__NR_statfs)
-#define __NR_statfs 137
-#endif
-
-#if !defined(__NR_fstatfs)
-#define __NR_fstatfs 138
-#endif
-
-#if !defined(__NR_sysfs)
-#define __NR_sysfs 139
-#endif
-
-#if !defined(__NR_getpriority)
-#define __NR_getpriority 140
-#endif
-
-#if !defined(__NR_setpriority)
-#define __NR_setpriority 141
-#endif
-
-#if !defined(__NR_sched_setparam)
-#define __NR_sched_setparam 142
-#endif
-
-#if !defined(__NR_sched_getparam)
-#define __NR_sched_getparam 143
-#endif
-
-#if !defined(__NR_sched_setscheduler)
-#define __NR_sched_setscheduler 144
-#endif
-
-#if !defined(__NR_sched_getscheduler)
-#define __NR_sched_getscheduler 145
-#endif
-
-#if !defined(__NR_sched_get_priority_max)
-#define __NR_sched_get_priority_max 146
-#endif
-
-#if !defined(__NR_sched_get_priority_min)
-#define __NR_sched_get_priority_min 147
-#endif
-
-#if !defined(__NR_sched_rr_get_interval)
-#define __NR_sched_rr_get_interval 148
-#endif
-
-#if !defined(__NR_mlock)
-#define __NR_mlock 149
-#endif
-
-#if !defined(__NR_munlock)
-#define __NR_munlock 150
-#endif
-
-#if !defined(__NR_mlockall)
-#define __NR_mlockall 151
-#endif
-
-#if !defined(__NR_munlockall)
-#define __NR_munlockall 152
-#endif
-
-#if !defined(__NR_vhangup)
-#define __NR_vhangup 153
-#endif
-
-#if !defined(__NR_modify_ldt)
-#define __NR_modify_ldt 154
-#endif
-
-#if !defined(__NR_pivot_root)
-#define __NR_pivot_root 155
-#endif
-
-#if !defined(__NR__sysctl)
-#define __NR__sysctl 156
-#endif
-
-#if !defined(__NR_prctl)
-#define __NR_prctl 157
-#endif
-
-#if !defined(__NR_arch_prctl)
-#define __NR_arch_prctl 158
-#endif
-
-#if !defined(__NR_adjtimex)
-#define __NR_adjtimex 159
-#endif
-
-#if !defined(__NR_setrlimit)
-#define __NR_setrlimit 160
-#endif
-
-#if !defined(__NR_chroot)
-#define __NR_chroot 161
-#endif
-
-#if !defined(__NR_sync)
-#define __NR_sync 162
-#endif
-
-#if !defined(__NR_acct)
-#define __NR_acct 163
-#endif
-
-#if !defined(__NR_settimeofday)
-#define __NR_settimeofday 164
-#endif
-
-#if !defined(__NR_mount)
-#define __NR_mount 165
-#endif
-
-#if !defined(__NR_umount2)
-#define __NR_umount2 166
-#endif
-
-#if !defined(__NR_swapon)
-#define __NR_swapon 167
-#endif
-
-#if !defined(__NR_swapoff)
-#define __NR_swapoff 168
-#endif
-
-#if !defined(__NR_reboot)
-#define __NR_reboot 169
-#endif
-
-#if !defined(__NR_sethostname)
-#define __NR_sethostname 170
-#endif
-
-#if !defined(__NR_setdomainname)
-#define __NR_setdomainname 171
-#endif
-
-#if !defined(__NR_iopl)
-#define __NR_iopl 172
-#endif
-
-#if !defined(__NR_ioperm)
-#define __NR_ioperm 173
-#endif
-
-#if !defined(__NR_create_module)
-#define __NR_create_module 174
-#endif
-
-#if !defined(__NR_init_module)
-#define __NR_init_module 175
-#endif
-
-#if !defined(__NR_delete_module)
-#define __NR_delete_module 176
-#endif
-
-#if !defined(__NR_get_kernel_syms)
-#define __NR_get_kernel_syms 177
-#endif
-
-#if !defined(__NR_query_module)
-#define __NR_query_module 178
-#endif
-
-#if !defined(__NR_quotactl)
-#define __NR_quotactl 179
-#endif
-
-#if !defined(__NR_nfsservctl)
-#define __NR_nfsservctl 180
-#endif
-
-#if !defined(__NR_getpmsg)
-#define __NR_getpmsg 181
-#endif
-
-#if !defined(__NR_putpmsg)
-#define __NR_putpmsg 182
-#endif
-
-#if !defined(__NR_afs_syscall)
-#define __NR_afs_syscall 183
-#endif
-
-#if !defined(__NR_tuxcall)
-#define __NR_tuxcall 184
-#endif
-
-#if !defined(__NR_security)
-#define __NR_security 185
-#endif
-
-#if !defined(__NR_gettid)
-#define __NR_gettid 186
-#endif
-
-#if !defined(__NR_readahead)
-#define __NR_readahead 187
-#endif
-
-#if !defined(__NR_setxattr)
-#define __NR_setxattr 188
-#endif
-
-#if !defined(__NR_lsetxattr)
-#define __NR_lsetxattr 189
-#endif
-
-#if !defined(__NR_fsetxattr)
-#define __NR_fsetxattr 190
-#endif
-
-#if !defined(__NR_getxattr)
-#define __NR_getxattr 191
-#endif
-
-#if !defined(__NR_lgetxattr)
-#define __NR_lgetxattr 192
-#endif
-
-#if !defined(__NR_fgetxattr)
-#define __NR_fgetxattr 193
-#endif
-
-#if !defined(__NR_listxattr)
-#define __NR_listxattr 194
-#endif
-
-#if !defined(__NR_llistxattr)
-#define __NR_llistxattr 195
-#endif
-
-#if !defined(__NR_flistxattr)
-#define __NR_flistxattr 196
-#endif
-
-#if !defined(__NR_removexattr)
-#define __NR_removexattr 197
-#endif
-
-#if !defined(__NR_lremovexattr)
-#define __NR_lremovexattr 198
-#endif
-
-#if !defined(__NR_fremovexattr)
-#define __NR_fremovexattr 199
-#endif
-
-#if !defined(__NR_tkill)
-#define __NR_tkill 200
-#endif
-
-#if !defined(__NR_time)
-#define __NR_time 201
-#endif
-
-#if !defined(__NR_futex)
-#define __NR_futex 202
-#endif
-
-#if !defined(__NR_sched_setaffinity)
-#define __NR_sched_setaffinity 203
-#endif
-
-#if !defined(__NR_sched_getaffinity)
-#define __NR_sched_getaffinity 204
-#endif
-
-#if !defined(__NR_set_thread_area)
-#define __NR_set_thread_area 205
-#endif
-
-#if !defined(__NR_io_setup)
-#define __NR_io_setup 206
-#endif
-
-#if !defined(__NR_io_destroy)
-#define __NR_io_destroy 207
-#endif
-
-#if !defined(__NR_io_getevents)
-#define __NR_io_getevents 208
-#endif
-
-#if !defined(__NR_io_submit)
-#define __NR_io_submit 209
-#endif
-
-#if !defined(__NR_io_cancel)
-#define __NR_io_cancel 210
-#endif
-
-#if !defined(__NR_get_thread_area)
-#define __NR_get_thread_area 211
-#endif
-
-#if !defined(__NR_lookup_dcookie)
-#define __NR_lookup_dcookie 212
-#endif
-
-#if !defined(__NR_epoll_create)
-#define __NR_epoll_create 213
-#endif
-
-#if !defined(__NR_epoll_ctl_old)
-#define __NR_epoll_ctl_old 214
-#endif
-
-#if !defined(__NR_epoll_wait_old)
-#define __NR_epoll_wait_old 215
-#endif
-
-#if !defined(__NR_remap_file_pages)
-#define __NR_remap_file_pages 216
-#endif
-
-#if !defined(__NR_getdents64)
-#define __NR_getdents64 217
-#endif
-
-#if !defined(__NR_set_tid_address)
-#define __NR_set_tid_address 218
-#endif
-
-#if !defined(__NR_restart_syscall)
-#define __NR_restart_syscall 219
-#endif
-
-#if !defined(__NR_semtimedop)
-#define __NR_semtimedop 220
-#endif
-
-#if !defined(__NR_fadvise64)
-#define __NR_fadvise64 221
-#endif
-
-#if !defined(__NR_timer_create)
-#define __NR_timer_create 222
-#endif
-
-#if !defined(__NR_timer_settime)
-#define __NR_timer_settime 223
-#endif
-
-#if !defined(__NR_timer_gettime)
-#define __NR_timer_gettime 224
-#endif
-
-#if !defined(__NR_timer_getoverrun)
-#define __NR_timer_getoverrun 225
-#endif
-
-#if !defined(__NR_timer_delete)
-#define __NR_timer_delete 226
-#endif
-
-#if !defined(__NR_clock_settime)
-#define __NR_clock_settime 227
-#endif
-
-#if !defined(__NR_clock_gettime)
-#define __NR_clock_gettime 228
-#endif
-
-#if !defined(__NR_clock_getres)
-#define __NR_clock_getres 229
-#endif
-
-#if !defined(__NR_clock_nanosleep)
-#define __NR_clock_nanosleep 230
-#endif
-
-#if !defined(__NR_exit_group)
-#define __NR_exit_group 231
-#endif
-
-#if !defined(__NR_epoll_wait)
-#define __NR_epoll_wait 232
-#endif
-
-#if !defined(__NR_epoll_ctl)
-#define __NR_epoll_ctl 233
-#endif
-
-#if !defined(__NR_tgkill)
-#define __NR_tgkill 234
-#endif
-
-#if !defined(__NR_utimes)
-#define __NR_utimes 235
-#endif
-
-#if !defined(__NR_vserver)
-#define __NR_vserver 236
-#endif
-
-#if !defined(__NR_mbind)
-#define __NR_mbind 237
-#endif
-
-#if !defined(__NR_set_mempolicy)
-#define __NR_set_mempolicy 238
-#endif
-
-#if !defined(__NR_get_mempolicy)
-#define __NR_get_mempolicy 239
-#endif
-
-#if !defined(__NR_mq_open)
-#define __NR_mq_open 240
-#endif
-
-#if !defined(__NR_mq_unlink)
-#define __NR_mq_unlink 241
-#endif
-
-#if !defined(__NR_mq_timedsend)
-#define __NR_mq_timedsend 242
-#endif
-
-#if !defined(__NR_mq_timedreceive)
-#define __NR_mq_timedreceive 243
-#endif
-
-#if !defined(__NR_mq_notify)
-#define __NR_mq_notify 244
-#endif
-
-#if !defined(__NR_mq_getsetattr)
-#define __NR_mq_getsetattr 245
-#endif
-
-#if !defined(__NR_kexec_load)
-#define __NR_kexec_load 246
-#endif
-
-#if !defined(__NR_waitid)
-#define __NR_waitid 247
-#endif
-
-#if !defined(__NR_add_key)
-#define __NR_add_key 248
-#endif
-
-#if !defined(__NR_request_key)
-#define __NR_request_key 249
-#endif
-
-#if !defined(__NR_keyctl)
-#define __NR_keyctl 250
-#endif
-
-#if !defined(__NR_ioprio_set)
-#define __NR_ioprio_set 251
-#endif
-
-#if !defined(__NR_ioprio_get)
-#define __NR_ioprio_get 252
-#endif
-
-#if !defined(__NR_inotify_init)
-#define __NR_inotify_init 253
-#endif
-
-#if !defined(__NR_inotify_add_watch)
-#define __NR_inotify_add_watch 254
-#endif
-
-#if !defined(__NR_inotify_rm_watch)
-#define __NR_inotify_rm_watch 255
-#endif
-
-#if !defined(__NR_migrate_pages)
-#define __NR_migrate_pages 256
-#endif
-
-#if !defined(__NR_openat)
-#define __NR_openat 257
-#endif
-
-#if !defined(__NR_mkdirat)
-#define __NR_mkdirat 258
-#endif
-
-#if !defined(__NR_mknodat)
-#define __NR_mknodat 259
-#endif
-
-#if !defined(__NR_fchownat)
-#define __NR_fchownat 260
-#endif
-
-#if !defined(__NR_futimesat)
-#define __NR_futimesat 261
-#endif
-
-#if !defined(__NR_newfstatat)
-#define __NR_newfstatat 262
-#endif
-
-#if !defined(__NR_unlinkat)
-#define __NR_unlinkat 263
-#endif
-
-#if !defined(__NR_renameat)
-#define __NR_renameat 264
-#endif
-
-#if !defined(__NR_linkat)
-#define __NR_linkat 265
-#endif
-
-#if !defined(__NR_symlinkat)
-#define __NR_symlinkat 266
-#endif
-
-#if !defined(__NR_readlinkat)
-#define __NR_readlinkat 267
-#endif
-
-#if !defined(__NR_fchmodat)
-#define __NR_fchmodat 268
-#endif
-
-#if !defined(__NR_faccessat)
-#define __NR_faccessat 269
-#endif
-
-#if !defined(__NR_pselect6)
-#define __NR_pselect6 270
-#endif
-
-#if !defined(__NR_ppoll)
-#define __NR_ppoll 271
-#endif
-
-#if !defined(__NR_unshare)
-#define __NR_unshare 272
-#endif
-
-#if !defined(__NR_set_robust_list)
-#define __NR_set_robust_list 273
-#endif
-
-#if !defined(__NR_get_robust_list)
-#define __NR_get_robust_list 274
-#endif
-
-#if !defined(__NR_splice)
-#define __NR_splice 275
-#endif
-
-#if !defined(__NR_tee)
-#define __NR_tee 276
-#endif
-
-#if !defined(__NR_sync_file_range)
-#define __NR_sync_file_range 277
-#endif
-
-#if !defined(__NR_vmsplice)
-#define __NR_vmsplice 278
-#endif
-
-#if !defined(__NR_move_pages)
-#define __NR_move_pages 279
-#endif
-
-#if !defined(__NR_utimensat)
-#define __NR_utimensat 280
-#endif
-
-#if !defined(__NR_epoll_pwait)
-#define __NR_epoll_pwait 281
-#endif
-
-#if !defined(__NR_signalfd)
-#define __NR_signalfd 282
-#endif
-
-#if !defined(__NR_timerfd_create)
-#define __NR_timerfd_create 283
-#endif
-
-#if !defined(__NR_eventfd)
-#define __NR_eventfd 284
-#endif
-
-#if !defined(__NR_fallocate)
-#define __NR_fallocate 285
-#endif
-
-#if !defined(__NR_timerfd_settime)
-#define __NR_timerfd_settime 286
-#endif
-
-#if !defined(__NR_timerfd_gettime)
-#define __NR_timerfd_gettime 287
-#endif
-
-#if !defined(__NR_accept4)
-#define __NR_accept4 288
-#endif
-
-#if !defined(__NR_signalfd4)
-#define __NR_signalfd4 289
-#endif
-
-#if !defined(__NR_eventfd2)
-#define __NR_eventfd2 290
-#endif
-
-#if !defined(__NR_epoll_create1)
-#define __NR_epoll_create1 291
-#endif
-
-#if !defined(__NR_dup3)
-#define __NR_dup3 292
-#endif
-
-#if !defined(__NR_pipe2)
-#define __NR_pipe2 293
-#endif
-
-#if !defined(__NR_inotify_init1)
-#define __NR_inotify_init1 294
-#endif
-
-#if !defined(__NR_preadv)
-#define __NR_preadv 295
-#endif
-
-#if !defined(__NR_pwritev)
-#define __NR_pwritev 296
-#endif
-
-#if !defined(__NR_rt_tgsigqueueinfo)
-#define __NR_rt_tgsigqueueinfo 297
-#endif
-
-#if !defined(__NR_perf_event_open)
-#define __NR_perf_event_open 298
-#endif
-
-#if !defined(__NR_recvmmsg)
-#define __NR_recvmmsg 299
-#endif
-
-#if !defined(__NR_fanotify_init)
-#define __NR_fanotify_init 300
-#endif
-
-#if !defined(__NR_fanotify_mark)
-#define __NR_fanotify_mark 301
-#endif
-
-#if !defined(__NR_prlimit64)
-#define __NR_prlimit64 302
-#endif
-
-#if !defined(__NR_name_to_handle_at)
-#define __NR_name_to_handle_at 303
-#endif
-
-#if !defined(__NR_open_by_handle_at)
-#define __NR_open_by_handle_at 304
-#endif
-
-#if !defined(__NR_clock_adjtime)
-#define __NR_clock_adjtime 305
-#endif
-
-#if !defined(__NR_syncfs)
-#define __NR_syncfs 306
-#endif
-
-#if !defined(__NR_sendmmsg)
-#define __NR_sendmmsg 307
-#endif
-
-#if !defined(__NR_setns)
-#define __NR_setns 308
-#endif
-
-#if !defined(__NR_getcpu)
-#define __NR_getcpu 309
-#endif
-
-#if !defined(__NR_process_vm_readv)
-#define __NR_process_vm_readv 310
-#endif
-
-#if !defined(__NR_process_vm_writev)
-#define __NR_process_vm_writev 311
-#endif
-
-#if !defined(__NR_kcmp)
-#define __NR_kcmp 312
-#endif
-
-#if !defined(__NR_finit_module)
-#define __NR_finit_module 313
-#endif
-
-#if !defined(__NR_sched_setattr)
-#define __NR_sched_setattr 314
-#endif
-
-#if !defined(__NR_sched_getattr)
-#define __NR_sched_getattr 315
-#endif
-
-#if !defined(__NR_renameat2)
-#define __NR_renameat2 316
-#endif
-
-#if !defined(__NR_seccomp)
-#define __NR_seccomp 317
-#endif
-
-#if !defined(__NR_getrandom)
-#define __NR_getrandom 318
-#endif
-
-#if !defined(__NR_memfd_create)
-#define __NR_memfd_create 319
-#endif
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_SYSCALLS_H_
-
diff --git a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_ucontext.h b/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_ucontext.h
deleted file mode 100644
index 1f1abe642..000000000
--- a/security/sandbox/chromium/sandbox/linux/system_headers/x86_64_linux_ucontext.h
+++ /dev/null
@@ -1,90 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_UCONTEXT_H_
-#define SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_UCONTEXT_H_
-
-#include <stdint.h>
-
-// We do something compatible with glibc. Hopefully, at some point Android will
-// provide that for us, and __BIONIC_HAVE_UCONTEXT_T should be defined.
-// Spec:
-// http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-AMD64/LSB-Core-AMD64/libc-ddefs.html#AEN5668
-
-#if !defined(__BIONIC_HAVE_UCONTEXT_T)
-#include <asm/sigcontext.h>
-
-struct _libc_fpxreg {
- unsigned short significand[4];
- unsigned short exponent;
- unsigned short padding[3];
-};
-
-struct _libc_xmmreg {
- uint32_t element[4];
-};
-
-struct _libc_fpstate {
- uint16_t cwd;
- uint16_t swd;
- uint16_t twd;
- uint16_t fop;
- uint64_t rip;
- uint64_t rdp;
- uint32_t mxcsr;
- uint32_t mxcsr_mask;
- struct _libc_fpxreg _st[8];
- struct _libc_xmmreg _xmm[16];
- uint32_t padding[24];
-};
-
-typedef uint64_t greg_t;
-
-typedef struct {
- greg_t gregs[23];
- struct _libc_fpstate* fpregs;
- unsigned long __reserved1[8];
-} mcontext_t;
-
-enum {
- REG_R8 = 0,
- REG_R9,
- REG_R10,
- REG_R11,
- REG_R12,
- REG_R13,
- REG_R14,
- REG_R15,
- REG_RDI,
- REG_RSI,
- REG_RBP,
- REG_RBX,
- REG_RDX,
- REG_RAX,
- REG_RCX,
- REG_RSP,
- REG_RIP,
- REG_EFL,
- REG_CSGSFS,
- REG_ERR,
- REG_TRAPNO,
- REG_OLDMASK,
- REG_CR2,
- NGREG,
-};
-
-typedef struct ucontext {
- unsigned long uc_flags;
- struct ucontext* uc_link;
- stack_t uc_stack;
- mcontext_t uc_mcontext;
- sigset_t uc_sigmask;
- struct _libc_fpstate __fpregs_mem;
-} ucontext_t;
-
-#else
-#include <sys/ucontext.h>
-#endif // __BIONIC_HAVE_UCONTEXT_T
-
-#endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_64_LINUX_UCONTEXT_H_
diff --git a/security/sandbox/chromium/sandbox/sandbox_export.h b/security/sandbox/chromium/sandbox/sandbox_export.h
deleted file mode 100644
index 35d6a1ba2..000000000
--- a/security/sandbox/chromium/sandbox/sandbox_export.h
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SANDBOX_EXPORT_H_
-#define SANDBOX_SANDBOX_EXPORT_H_
-
-#if defined(WIN32)
-#error "sandbox_export.h does not support WIN32."
-#endif
-
-#if defined(COMPONENT_BUILD)
-
-#if defined(SANDBOX_IMPLEMENTATION)
-#define SANDBOX_EXPORT __attribute__((visibility("default")))
-#else
-#define SANDBOX_EXPORT
-#endif // defined(SANDBOX_IMPLEMENTATION)
-
-#else // defined(COMPONENT_BUILD)
-
-#define SANDBOX_EXPORT
-
-#endif // defined(COMPONENT_BUILD)
-
-#endif // SANDBOX_SANDBOX_EXPORT_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/Wow64.cc b/security/sandbox/chromium/sandbox/win/src/Wow64.cc
deleted file mode 100644
index c5984d629..000000000
--- a/security/sandbox/chromium/sandbox/win/src/Wow64.cc
+++ /dev/null
@@ -1,226 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/Wow64.h"
-
-#include <stddef.h>
-
-#include <sstream>
-
-#include "base/bit_cast.h"
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/win/scoped_process_information.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/target_process.h"
-
-namespace {
-
-// Holds the information needed for the interception of NtMapViewOfSection on
-// 64 bits.
-// Warning: do not modify this definition without changing also the code on the
-// 64 bit helper process.
-struct PatchInfo32 {
- HANDLE dll_load; // Event to signal the broker.
- ULONG pad1;
- HANDLE continue_load; // Event to wait for the broker.
- ULONG pad2;
- HANDLE section; // First argument of the call.
- ULONG pad3;
- void* orig_MapViewOfSection;
- ULONG original_high;
- void* signal_and_wait;
- ULONG pad4;
- void* patch_location;
- ULONG patch_high;
-};
-
-// Size of the 64 bit service entry.
-const SIZE_T kServiceEntry64Size = 0x10;
-
-// Removes the interception of ntdll64.
-bool Restore64Code(HANDLE child, PatchInfo32* patch_info) {
- PatchInfo32 local_patch_info;
- SIZE_T actual;
- if (!::ReadProcessMemory(child, patch_info, &local_patch_info,
- sizeof(local_patch_info), &actual))
- return false;
- if (sizeof(local_patch_info) != actual)
- return false;
-
- if (local_patch_info.original_high)
- return false;
- if (local_patch_info.patch_high)
- return false;
-
- char buffer[kServiceEntry64Size];
-
- if (!::ReadProcessMemory(child, local_patch_info.orig_MapViewOfSection,
- &buffer, kServiceEntry64Size, &actual))
- return false;
- if (kServiceEntry64Size != actual)
- return false;
-
- if (!::WriteProcessMemory(child, local_patch_info.patch_location, &buffer,
- kServiceEntry64Size, &actual))
- return false;
- if (kServiceEntry64Size != actual)
- return false;
- return true;
-}
-
-typedef BOOL (WINAPI* IsWow64ProcessFunction)(HANDLE process, BOOL* wow64);
-
-} // namespace
-
-namespace sandbox {
-
-Wow64::Wow64(TargetProcess* child, HMODULE ntdll)
- : child_(child), ntdll_(ntdll), dll_load_(NULL), continue_load_(NULL) {
-}
-
-Wow64::~Wow64() {
-}
-
-// The basic idea is to allocate one page of memory on the child, and initialize
-// the first part of it with our version of PatchInfo32. Then launch the helper
-// process passing it that address on the child. The helper process will patch
-// the 64 bit version of NtMapViewOfFile, and the interception will signal the
-// first event on the buffer. We'll be waiting on that event and after the 32
-// bit version of ntdll is loaded, we'll remove the interception and return to
-// our caller.
-bool Wow64::WaitForNtdll() {
- if (base::win::OSInfo::GetInstance()->wow64_status() !=
- base::win::OSInfo::WOW64_ENABLED)
- return true;
-
- const size_t page_size = 4096;
-
- // Create some default manual reset un-named events, not signaled.
- dll_load_.Set(::CreateEvent(NULL, TRUE, FALSE, NULL));
- continue_load_.Set(::CreateEvent(NULL, TRUE, FALSE, NULL));
- HANDLE current_process = ::GetCurrentProcess();
- HANDLE remote_load, remote_continue;
- DWORD access = EVENT_MODIFY_STATE | SYNCHRONIZE;
- if (!::DuplicateHandle(current_process, dll_load_.Get(), child_->Process(),
- &remote_load, access, FALSE, 0)) {
- return false;
- }
- if (!::DuplicateHandle(current_process, continue_load_.Get(),
- child_->Process(), &remote_continue, access, FALSE,
- 0)) {
- return false;
- }
-
- void* buffer = ::VirtualAllocEx(child_->Process(), NULL, page_size,
- MEM_COMMIT, PAGE_EXECUTE_READWRITE);
- DCHECK(buffer);
- if (!buffer)
- return false;
-
- PatchInfo32* patch_info = reinterpret_cast<PatchInfo32*>(buffer);
- PatchInfo32 local_patch_info = {0};
- local_patch_info.dll_load = remote_load;
- local_patch_info.continue_load = remote_continue;
- SIZE_T written;
- if (!::WriteProcessMemory(child_->Process(), patch_info, &local_patch_info,
- offsetof(PatchInfo32, section), &written))
- return false;
- if (offsetof(PatchInfo32, section) != written)
- return false;
-
- if (!RunWowHelper(buffer))
- return false;
-
- // The child is intercepted on 64 bit, go on and wait for our event.
- if (!DllMapped())
- return false;
-
- // The 32 bit version is available, cleanup the child.
- return Restore64Code(child_->Process(), patch_info);
-}
-
-bool Wow64::RunWowHelper(void* buffer) {
- static_assert(sizeof(buffer) <= sizeof(DWORD), "unsupported 64 bits");
-
- // Get the path to the helper (beside the exe).
- wchar_t prog_name[MAX_PATH];
- GetModuleFileNameW(NULL, prog_name, MAX_PATH);
- base::string16 path(prog_name);
- size_t name_pos = path.find_last_of(L"\\");
- if (base::string16::npos == name_pos)
- return false;
- path.resize(name_pos + 1);
-
- std::basic_stringstream<base::char16> command;
- command << std::hex << std::showbase << L"\"" << path <<
- L"wow_helper.exe\" " << child_->ProcessId() << " " <<
- bit_cast<ULONG>(buffer);
-
- scoped_ptr<wchar_t, base::FreeDeleter>
- writable_command(_wcsdup(command.str().c_str()));
-
- STARTUPINFO startup_info = {0};
- startup_info.cb = sizeof(startup_info);
- PROCESS_INFORMATION temp_process_info = {};
- if (!::CreateProcess(NULL, writable_command.get(), NULL, NULL, FALSE, 0, NULL,
- NULL, &startup_info, &temp_process_info))
- return false;
- base::win::ScopedProcessInformation process_info(temp_process_info);
-
- DWORD reason = ::WaitForSingleObject(process_info.process_handle(), INFINITE);
-
- DWORD code;
- bool ok =
- ::GetExitCodeProcess(process_info.process_handle(), &code) ? true : false;
-
- if (WAIT_TIMEOUT == reason)
- return false;
-
- return ok && (0 == code);
-}
-
-// First we must wake up the child, then wait for dll loads on the child until
-// the one we care is loaded; at that point we must suspend the child again.
-bool Wow64::DllMapped() {
- if (1 != ::ResumeThread(child_->MainThread())) {
- NOTREACHED();
- return false;
- }
-
- for (;;) {
- DWORD reason = ::WaitForSingleObject(dll_load_.Get(), INFINITE);
- if (WAIT_TIMEOUT == reason || WAIT_ABANDONED == reason)
- return false;
-
- if (!::ResetEvent(dll_load_.Get()))
- return false;
-
- bool found = NtdllPresent();
- if (found) {
- if (::SuspendThread(child_->MainThread()))
- return false;
- }
-
- if (!::SetEvent(continue_load_.Get()))
- return false;
-
- if (found)
- return true;
- }
-}
-
-bool Wow64::NtdllPresent() {
- const size_t kBufferSize = 512;
- char buffer[kBufferSize];
- SIZE_T read;
- if (!::ReadProcessMemory(child_->Process(), ntdll_, &buffer, kBufferSize,
- &read))
- return false;
- if (kBufferSize != read)
- return false;
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/Wow64.h b/security/sandbox/chromium/sandbox/win/src/Wow64.h
deleted file mode 100644
index acabc3565..000000000
--- a/security/sandbox/chromium/sandbox/win/src/Wow64.h
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_WOW64_H__
-#define SANDBOX_SRC_WOW64_H__
-
-#include <windows.h>
-
-#include "base/macros.h"
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace sandbox {
-
-class TargetProcess;
-
-// This class wraps the code needed to interact with the Windows On Windows
-// subsystem on 64 bit OSes, from the point of view of interceptions.
-class Wow64 {
- public:
- Wow64(TargetProcess* child, HMODULE ntdll);
- ~Wow64();
-
- // Waits for the 32 bit DLL to get loaded on the child process. This function
- // will return immediately if not running under WOW, or launch the helper
- // process and wait until ntdll is ready.
- bool WaitForNtdll();
-
- private:
- // Runs the WOW helper process, passing the address of a buffer allocated on
- // the child (one page).
- bool RunWowHelper(void* buffer);
-
- // This method receives "notifications" whenever a DLL is mapped on the child.
- bool DllMapped();
-
- // Returns true if ntdll.dll is mapped on the child.
- bool NtdllPresent();
-
- TargetProcess* child_; // Child process.
- HMODULE ntdll_; // ntdll on the parent.
- // Event that is signaled on dll load.
- base::win::ScopedHandle dll_load_;
- // Event to signal to continue execution on the child.
- base::win::ScopedHandle continue_load_;
- DISALLOW_IMPLICIT_CONSTRUCTORS(Wow64);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_WOW64_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/Wow64_64.cc b/security/sandbox/chromium/sandbox/win/src/Wow64_64.cc
deleted file mode 100644
index 357deb855..000000000
--- a/security/sandbox/chromium/sandbox/win/src/Wow64_64.cc
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Wow64 implementation for native 64-bit Windows (in other words, never WOW).
-
-#include "sandbox/win/src/wow64.h"
-
-namespace sandbox {
-
-Wow64::Wow64(TargetProcess* child, HMODULE ntdll)
- : child_(child), ntdll_(ntdll), dll_load_(NULL), continue_load_(NULL) {
-}
-
-Wow64::~Wow64() {
-}
-
-bool Wow64::WaitForNtdll() {
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/acl.cc b/security/sandbox/chromium/sandbox/win/src/acl.cc
deleted file mode 100644
index f140c7e6c..000000000
--- a/security/sandbox/chromium/sandbox/win/src/acl.cc
+++ /dev/null
@@ -1,125 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/acl.h"
-
-#include <aclapi.h>
-#include <sddl.h>
-
-#include "base/logging.h"
-
-namespace sandbox {
-
-bool GetDefaultDacl(
- HANDLE token,
- scoped_ptr<TOKEN_DEFAULT_DACL, base::FreeDeleter>* default_dacl) {
- if (token == NULL)
- return false;
-
- DCHECK(default_dacl != NULL);
-
- unsigned long length = 0;
- ::GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &length);
- if (length == 0) {
- NOTREACHED();
- return false;
- }
-
- TOKEN_DEFAULT_DACL* acl =
- reinterpret_cast<TOKEN_DEFAULT_DACL*>(malloc(length));
- default_dacl->reset(acl);
-
- if (!::GetTokenInformation(token, TokenDefaultDacl, default_dacl->get(),
- length, &length))
- return false;
-
- return true;
-}
-
-bool AddSidToDacl(const Sid& sid, ACL* old_dacl, ACCESS_MODE access_mode,
- ACCESS_MASK access, ACL** new_dacl) {
- EXPLICIT_ACCESS new_access = {0};
- new_access.grfAccessMode = access_mode;
- new_access.grfAccessPermissions = access;
- new_access.grfInheritance = NO_INHERITANCE;
-
- new_access.Trustee.pMultipleTrustee = NULL;
- new_access.Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
- new_access.Trustee.TrusteeForm = TRUSTEE_IS_SID;
- new_access.Trustee.ptstrName = reinterpret_cast<LPWSTR>(
- const_cast<SID*>(sid.GetPSID()));
-
- if (ERROR_SUCCESS != ::SetEntriesInAcl(1, &new_access, old_dacl, new_dacl))
- return false;
-
- return true;
-}
-
-bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access) {
- if (token == NULL)
- return false;
-
- scoped_ptr<TOKEN_DEFAULT_DACL, base::FreeDeleter> default_dacl;
- if (!GetDefaultDacl(token, &default_dacl))
- return false;
-
- ACL* new_dacl = NULL;
- if (!AddSidToDacl(sid, default_dacl->DefaultDacl, GRANT_ACCESS, access,
- &new_dacl))
- return false;
-
- TOKEN_DEFAULT_DACL new_token_dacl = {0};
- new_token_dacl.DefaultDacl = new_dacl;
-
- BOOL ret = ::SetTokenInformation(token, TokenDefaultDacl, &new_token_dacl,
- sizeof(new_token_dacl));
- ::LocalFree(new_dacl);
- return (TRUE == ret);
-}
-
-bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access) {
- DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
- TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(malloc(size));
-
- scoped_ptr<TOKEN_USER, base::FreeDeleter> token_user_ptr(token_user);
-
- if (!::GetTokenInformation(token, TokenUser, token_user, size, &size))
- return false;
-
- return AddSidToDefaultDacl(token,
- reinterpret_cast<SID*>(token_user->User.Sid),
- access);
-}
-
-bool AddKnownSidToObject(HANDLE object, SE_OBJECT_TYPE object_type,
- const Sid& sid, ACCESS_MODE access_mode,
- ACCESS_MASK access) {
- PSECURITY_DESCRIPTOR descriptor = NULL;
- PACL old_dacl = NULL;
- PACL new_dacl = NULL;
-
- if (ERROR_SUCCESS != ::GetSecurityInfo(object, object_type,
- DACL_SECURITY_INFORMATION, NULL, NULL,
- &old_dacl, NULL, &descriptor))
- return false;
-
- if (!AddSidToDacl(sid.GetPSID(), old_dacl, access_mode, access, &new_dacl)) {
- ::LocalFree(descriptor);
- return false;
- }
-
- DWORD result = ::SetSecurityInfo(object, object_type,
- DACL_SECURITY_INFORMATION, NULL, NULL,
- new_dacl, NULL);
-
- ::LocalFree(new_dacl);
- ::LocalFree(descriptor);
-
- if (ERROR_SUCCESS != result)
- return false;
-
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/acl.h b/security/sandbox/chromium/sandbox/win/src/acl.h
deleted file mode 100644
index b5021e7be..000000000
--- a/security/sandbox/chromium/sandbox/win/src/acl.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_ACL_H_
-#define SANDBOX_SRC_ACL_H_
-
-#include <AccCtrl.h>
-#include <windows.h>
-
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/src/sid.h"
-
-namespace sandbox {
-
-// Returns the default dacl from the token passed in.
-bool GetDefaultDacl(
- HANDLE token,
- scoped_ptr<TOKEN_DEFAULT_DACL, base::FreeDeleter>* default_dacl);
-
-// Appends an ACE represented by |sid|, |access_mode|, and |access| to
-// |old_dacl|. If the function succeeds, new_dacl contains the new dacl and
-// must be freed using LocalFree.
-bool AddSidToDacl(const Sid& sid, ACL* old_dacl, ACCESS_MODE access_mode,
- ACCESS_MASK access, ACL** new_dacl);
-
-// Adds and ACE represented by |sid| and |access| to the default dacl present
-// in the token.
-bool AddSidToDefaultDacl(HANDLE token, const Sid& sid, ACCESS_MASK access);
-
-// Adds an ACE represented by the user sid and |access| to the default dacl
-// present in the token.
-bool AddUserSidToDefaultDacl(HANDLE token, ACCESS_MASK access);
-
-// Adds an ACE represented by |known_sid|, |access_mode|, and |access| to
-// the dacl of the kernel object referenced by |object| and of |object_type|.
-bool AddKnownSidToObject(HANDLE object, SE_OBJECT_TYPE object_type,
- const Sid& sid, ACCESS_MODE access_mode,
- ACCESS_MASK access);
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_SRC_ACL_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/app_container.cc b/security/sandbox/chromium/sandbox/win/src/app_container.cc
deleted file mode 100644
index a51f09208..000000000
--- a/security/sandbox/chromium/sandbox/win/src/app_container.cc
+++ /dev/null
@@ -1,184 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/app_container.h"
-
-#include <Sddl.h>
-#include <stddef.h>
-#include <vector>
-
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/win/startup_information.h"
-#include "sandbox/win/src/internal_types.h"
-
-namespace {
-
-// Converts the passed in sid string to a PSID that must be relased with
-// LocalFree.
-PSID ConvertSid(const base::string16& sid) {
- PSID local_sid;
- if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
- return NULL;
- return local_sid;
-}
-
-template <typename T>
-T BindFunction(const char* name) {
- HMODULE module = GetModuleHandle(sandbox::kKerneldllName);
- void* function = GetProcAddress(module, name);
- if (!function) {
- module = GetModuleHandle(sandbox::kKernelBasedllName);
- function = GetProcAddress(module, name);
- }
- return reinterpret_cast<T>(function);
-}
-
-} // namespace
-
-namespace sandbox {
-
-AppContainerAttributes::AppContainerAttributes() {
- memset(&capabilities_, 0, sizeof(capabilities_));
-}
-
-AppContainerAttributes::~AppContainerAttributes() {
- for (size_t i = 0; i < attributes_.size(); i++)
- LocalFree(attributes_[i].Sid);
- LocalFree(capabilities_.AppContainerSid);
-}
-
-ResultCode AppContainerAttributes::SetAppContainer(
- const base::string16& app_container_sid,
- const std::vector<base::string16>& capabilities) {
- DCHECK(!capabilities_.AppContainerSid);
- DCHECK(attributes_.empty());
- capabilities_.AppContainerSid = ConvertSid(app_container_sid);
- if (!capabilities_.AppContainerSid)
- return SBOX_ERROR_INVALID_APP_CONTAINER;
-
- for (size_t i = 0; i < capabilities.size(); i++) {
- SID_AND_ATTRIBUTES sid_and_attributes;
- sid_and_attributes.Sid = ConvertSid(capabilities[i]);
- if (!sid_and_attributes.Sid)
- return SBOX_ERROR_INVALID_CAPABILITY;
-
- sid_and_attributes.Attributes = SE_GROUP_ENABLED;
- attributes_.push_back(sid_and_attributes);
- }
-
- if (capabilities.size()) {
- capabilities_.CapabilityCount = static_cast<DWORD>(capabilities.size());
- capabilities_.Capabilities = &attributes_[0];
- }
- return SBOX_ALL_OK;
-}
-
-ResultCode AppContainerAttributes::ShareForStartup(
- base::win::StartupInformation* startup_information) const {
- // The only thing we support so far is an AppContainer.
- if (!capabilities_.AppContainerSid)
- return SBOX_ERROR_INVALID_APP_CONTAINER;
-
- if (!startup_information->UpdateProcThreadAttribute(
- PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES,
- const_cast<SECURITY_CAPABILITIES*>(&capabilities_),
- sizeof(capabilities_))) {
- DPLOG(ERROR) << "Failed UpdateProcThreadAttribute";
- return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
- }
- return SBOX_ALL_OK;
-}
-
-bool AppContainerAttributes::HasAppContainer() const {
- return (capabilities_.AppContainerSid != NULL);
-}
-
-ResultCode CreateAppContainer(const base::string16& sid,
- const base::string16& name) {
- PSID local_sid;
- if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
- return SBOX_ERROR_INVALID_APP_CONTAINER;
-
- typedef HRESULT (WINAPI* AppContainerRegisterSidPtr)(PSID sid,
- LPCWSTR moniker,
- LPCWSTR display_name);
- static AppContainerRegisterSidPtr AppContainerRegisterSid = NULL;
-
- if (!AppContainerRegisterSid) {
- AppContainerRegisterSid =
- BindFunction<AppContainerRegisterSidPtr>("AppContainerRegisterSid");
- }
-
- ResultCode operation_result = SBOX_ERROR_GENERIC;
- if (AppContainerRegisterSid) {
- HRESULT rv = AppContainerRegisterSid(local_sid, name.c_str(), name.c_str());
- if (SUCCEEDED(rv))
- operation_result = SBOX_ALL_OK;
- else
- DLOG(ERROR) << "AppContainerRegisterSid error:" << std::hex << rv;
- }
- LocalFree(local_sid);
- return operation_result;
-}
-
-ResultCode DeleteAppContainer(const base::string16& sid) {
- PSID local_sid;
- if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
- return SBOX_ERROR_INVALID_APP_CONTAINER;
-
- typedef HRESULT (WINAPI* AppContainerUnregisterSidPtr)(PSID sid);
- static AppContainerUnregisterSidPtr AppContainerUnregisterSid = NULL;
-
- if (!AppContainerUnregisterSid) {
- AppContainerUnregisterSid =
- BindFunction<AppContainerUnregisterSidPtr>("AppContainerUnregisterSid");
- }
-
- ResultCode operation_result = SBOX_ERROR_GENERIC;
- if (AppContainerUnregisterSid) {
- HRESULT rv = AppContainerUnregisterSid(local_sid);
- if (SUCCEEDED(rv))
- operation_result = SBOX_ALL_OK;
- else
- DLOG(ERROR) << "AppContainerUnregisterSid error:" << std::hex << rv;
- }
- LocalFree(local_sid);
- return operation_result;
-}
-
-base::string16 LookupAppContainer(const base::string16& sid) {
- PSID local_sid;
- if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
- return base::string16();
-
- typedef HRESULT (WINAPI* AppContainerLookupMonikerPtr)(PSID sid,
- LPWSTR* moniker);
- typedef BOOLEAN (WINAPI* AppContainerFreeMemoryPtr)(void* ptr);
-
- static AppContainerLookupMonikerPtr AppContainerLookupMoniker = NULL;
- static AppContainerFreeMemoryPtr AppContainerFreeMemory = NULL;
-
- if (!AppContainerLookupMoniker || !AppContainerFreeMemory) {
- AppContainerLookupMoniker =
- BindFunction<AppContainerLookupMonikerPtr>("AppContainerLookupMoniker");
- AppContainerFreeMemory =
- BindFunction<AppContainerFreeMemoryPtr>("AppContainerFreeMemory");
- }
-
- if (!AppContainerLookupMoniker || !AppContainerFreeMemory)
- return base::string16();
-
- wchar_t* buffer = NULL;
- HRESULT rv = AppContainerLookupMoniker(local_sid, &buffer);
- if (FAILED(rv))
- return base::string16();
-
- base::string16 name(buffer);
- if (!AppContainerFreeMemory(buffer))
- NOTREACHED();
- return name;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/app_container.h b/security/sandbox/chromium/sandbox/win/src/app_container.h
deleted file mode 100644
index fe2b18933..000000000
--- a/security/sandbox/chromium/sandbox/win/src/app_container.h
+++ /dev/null
@@ -1,70 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_APP_CONTAINER_H_
-#define SANDBOX_WIN_SRC_APP_CONTAINER_H_
-
-#include <windows.h>
-
-#include <vector>
-
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace base {
-namespace win {
-class StartupInformation;
-}
-}
-
-namespace sandbox {
-
-// Maintains an attribute list to be used during creation of a new sandboxed
-// process.
-class AppContainerAttributes {
- public:
- AppContainerAttributes();
- ~AppContainerAttributes();
-
- // Sets the AppContainer and capabilities to be used with the new process.
- ResultCode SetAppContainer(const base::string16& app_container_sid,
- const std::vector<base::string16>& capabilities);
-
- // Updates the proc_thred attribute list of the provided startup_information
- // with the app container related data.
- // WARNING: startup_information just points back to our internal memory, so
- // the lifetime of this object has to be greater than the lifetime of the
- // provided startup_information.
- ResultCode ShareForStartup(
- base::win::StartupInformation* startup_information) const;
-
- bool HasAppContainer() const;
-
- private:
- SECURITY_CAPABILITIES capabilities_;
- std::vector<SID_AND_ATTRIBUTES> attributes_;
-
- DISALLOW_COPY_AND_ASSIGN(AppContainerAttributes);
-};
-
-// Creates a new AppContainer on the system. |sid| is the identifier of the new
-// AppContainer, and |name| will be used as both the display name and moniker.
-// This function fails if the OS doesn't support AppContainers, or if there is
-// an AppContainer registered with the same id.
-ResultCode CreateAppContainer(const base::string16& sid,
- const base::string16& name);
-
-// Deletes an AppContainer previously created with a successful call to
-// CreateAppContainer.
-ResultCode DeleteAppContainer(const base::string16& sid);
-
-// Retrieves the name associated with the provided AppContainer sid. Returns an
-// empty string if the AppContainer is not registered with the system.
-base::string16 LookupAppContainer(const base::string16& sid);
-
-} // namespace sandbox
-
-#endif // SANDBOX_WIN_SRC_APP_CONTAINER_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/app_container_test.cc b/security/sandbox/chromium/sandbox/win/src/app_container_test.cc
deleted file mode 100644
index ced5cbde7..000000000
--- a/security/sandbox/chromium/sandbox/win/src/app_container_test.cc
+++ /dev/null
@@ -1,161 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <windows.h>
-
-#define _ATL_NO_EXCEPTIONS
-#include <atlbase.h>
-#include <atlsecurity.h>
-
-#include "base/strings/string16.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/sync_policy_test.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace {
-
-const wchar_t kAppContainerName[] = L"sbox_test";
-const wchar_t kAppContainerSid[] =
- L"S-1-15-2-3251537155-1984446955-2931258699-841473695-1938553385-"
- L"924012148-2839372144";
-
-const ULONG kSharing = FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE;
-
-HANDLE CreateTaggedEvent(const base::string16& name,
- const base::string16& sid) {
- base::win::ScopedHandle event(CreateEvent(NULL, FALSE, FALSE, name.c_str()));
- if (!event.IsValid())
- return NULL;
-
- wchar_t file_name[MAX_PATH] = {};
- wchar_t temp_directory[MAX_PATH] = {};
- GetTempPath(MAX_PATH, temp_directory);
- GetTempFileName(temp_directory, L"test", 0, file_name);
-
- base::win::ScopedHandle file;
- file.Set(CreateFile(file_name, GENERIC_READ | STANDARD_RIGHTS_READ, kSharing,
- NULL, OPEN_EXISTING, 0, NULL));
- DeleteFile(file_name);
- if (!file.IsValid())
- return NULL;
-
- CSecurityDesc sd;
- if (!AtlGetSecurityDescriptor(file.Get(), SE_FILE_OBJECT, &sd,
- OWNER_SECURITY_INFORMATION |
- GROUP_SECURITY_INFORMATION |
- DACL_SECURITY_INFORMATION)) {
- return NULL;
- }
-
- PSID local_sid;
- if (!ConvertStringSidToSid(sid.c_str(), &local_sid))
- return NULL;
-
- CDacl new_dacl;
- sd.GetDacl(&new_dacl);
- CSid csid(reinterpret_cast<SID*>(local_sid));
- new_dacl.AddAllowedAce(csid, EVENT_ALL_ACCESS);
- if (!AtlSetDacl(event.Get(), SE_KERNEL_OBJECT, new_dacl))
- event.Close();
-
- LocalFree(local_sid);
- return event.IsValid() ? event.Take() : NULL;
-}
-
-} // namespace
-
-namespace sandbox {
-
-TEST(AppContainerTest, AllowOpenEvent) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_UNPROTECTED);
-
- const wchar_t capability[] = L"S-1-15-3-12345678-87654321";
- base::win::ScopedHandle handle(CreateTaggedEvent(L"test", capability));
- ASSERT_TRUE(handle.IsValid());
-
- EXPECT_EQ(SBOX_ALL_OK,
- runner.broker()->InstallAppContainer(kAppContainerSid,
- kAppContainerName));
- EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetCapability(capability));
- EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetAppContainer(kAppContainerSid));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_Open f test"));
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_Open f test"));
- EXPECT_EQ(SBOX_ALL_OK,
- runner.broker()->UninstallAppContainer(kAppContainerSid));
-}
-
-TEST(AppContainerTest, DenyOpenEvent) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_UNPROTECTED);
-
- const wchar_t capability[] = L"S-1-15-3-12345678-87654321";
- base::win::ScopedHandle handle(CreateTaggedEvent(L"test", capability));
- ASSERT_TRUE(handle.IsValid());
-
- EXPECT_EQ(SBOX_ALL_OK,
- runner.broker()->InstallAppContainer(kAppContainerSid,
- kAppContainerName));
- EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetAppContainer(kAppContainerSid));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test"));
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test"));
- EXPECT_EQ(SBOX_ALL_OK,
- runner.broker()->UninstallAppContainer(kAppContainerSid));
-}
-
-TEST(AppContainerTest, NoImpersonation) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner(JOB_UNPROTECTED, USER_LIMITED, USER_LIMITED);
- EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetAppContainer(kAppContainerSid));
-}
-
-TEST(AppContainerTest, WantsImpersonation) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_NON_ADMIN);
- EXPECT_EQ(SBOX_ERROR_CANNOT_INIT_APPCONTAINER,
- runner.GetPolicy()->SetAppContainer(kAppContainerSid));
-}
-
-TEST(AppContainerTest, RequiresImpersonation) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner(JOB_UNPROTECTED, USER_RESTRICTED, USER_RESTRICTED);
- EXPECT_EQ(SBOX_ERROR_CANNOT_INIT_APPCONTAINER,
- runner.GetPolicy()->SetAppContainer(kAppContainerSid));
-}
-
-TEST(AppContainerTest, DenyOpenEventForLowBox) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner(JOB_UNPROTECTED, USER_UNPROTECTED, USER_UNPROTECTED);
-
- base::win::ScopedHandle event(CreateEvent(NULL, FALSE, FALSE, L"test"));
- ASSERT_TRUE(event.IsValid());
-
- EXPECT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetLowBox(kAppContainerSid));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test"));
-}
-
-// TODO(shrikant): Please add some tests to prove usage of lowbox token like
-// socket connection to local server in lock down mode.
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/app_container_unittest.cc b/security/sandbox/chromium/sandbox/win/src/app_container_unittest.cc
deleted file mode 100644
index 4bce16a42..000000000
--- a/security/sandbox/chromium/sandbox/win/src/app_container_unittest.cc
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/app_container.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-// Tests the low level AppContainer interface.
-TEST(AppContainerTest, CreateAppContainer) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return;
-
- const wchar_t kName[] = L"Test";
- const wchar_t kValidSid[] = L"S-1-15-2-12345-234-567-890-123-456-789";
-
- EXPECT_TRUE(LookupAppContainer(kValidSid).empty());
- EXPECT_EQ(SBOX_ERROR_GENERIC, DeleteAppContainer(kValidSid));
-
- EXPECT_EQ(SBOX_ALL_OK, CreateAppContainer(kValidSid, kName));
- EXPECT_EQ(SBOX_ERROR_GENERIC, CreateAppContainer(kValidSid, kName));
- EXPECT_EQ(kName, LookupAppContainer(kValidSid));
- EXPECT_EQ(SBOX_ALL_OK, DeleteAppContainer(kValidSid));
-
- EXPECT_TRUE(LookupAppContainer(kValidSid).empty());
- EXPECT_EQ(SBOX_ERROR_GENERIC, DeleteAppContainer(kValidSid));
-
- EXPECT_EQ(SBOX_ERROR_INVALID_APP_CONTAINER,
- CreateAppContainer(L"Foo", kName));
-}
-
-// Tests handling of security capabilities on the attribute list.
-TEST(AppContainerTest, SecurityCapabilities) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return;
-
- scoped_ptr<AppContainerAttributes> attributes(new AppContainerAttributes);
- std::vector<base::string16> capabilities;
- EXPECT_EQ(SBOX_ERROR_INVALID_APP_CONTAINER,
- attributes->SetAppContainer(L"S-1-foo", capabilities));
-
- EXPECT_EQ(SBOX_ALL_OK,
- attributes->SetAppContainer(L"S-1-15-2-12345-234", capabilities));
- EXPECT_TRUE(attributes->HasAppContainer());
-
- attributes.reset(new AppContainerAttributes);
- capabilities.push_back(L"S-1-15-3-12345678-87654321");
- capabilities.push_back(L"S-1-15-3-1");
- capabilities.push_back(L"S-1-15-3-2");
- capabilities.push_back(L"S-1-15-3-3");
- EXPECT_EQ(SBOX_ALL_OK,
- attributes->SetAppContainer(L"S-1-15-2-1-2", capabilities));
- EXPECT_TRUE(attributes->HasAppContainer());
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.cc b/security/sandbox/chromium/sandbox/win/src/broker_services.cc
deleted file mode 100644
index d6acb66fd..000000000
--- a/security/sandbox/chromium/sandbox/win/src/broker_services.cc
+++ /dev/null
@@ -1,558 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/broker_services.h"
-
-#include <AclAPI.h>
-#include <stddef.h>
-
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/stl_util.h"
-#include "base/threading/platform_thread.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/scoped_process_information.h"
-#include "base/win/startup_information.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/app_container.h"
-#include "sandbox/win/src/process_mitigations.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-#include "sandbox/win/src/target_process.h"
-#include "sandbox/win/src/win2k_threadpool.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-// Utility function to associate a completion port to a job object.
-bool AssociateCompletionPort(HANDLE job, HANDLE port, void* key) {
- JOBOBJECT_ASSOCIATE_COMPLETION_PORT job_acp = { key, port };
- return ::SetInformationJobObject(job,
- JobObjectAssociateCompletionPortInformation,
- &job_acp, sizeof(job_acp))? true : false;
-}
-
-// Utility function to do the cleanup necessary when something goes wrong
-// while in SpawnTarget and we must terminate the target process.
-sandbox::ResultCode SpawnCleanup(sandbox::TargetProcess* target, DWORD error) {
- if (0 == error)
- error = ::GetLastError();
-
- target->Terminate();
- delete target;
- ::SetLastError(error);
- return sandbox::SBOX_ERROR_GENERIC;
-}
-
-// the different commands that you can send to the worker thread that
-// executes TargetEventsThread().
-enum {
- THREAD_CTRL_NONE,
- THREAD_CTRL_REMOVE_PEER,
- THREAD_CTRL_QUIT,
- THREAD_CTRL_LAST,
-};
-
-// Helper structure that allows the Broker to associate a job notification
-// with a job object and with a policy.
-struct JobTracker {
- JobTracker(base::win::ScopedHandle job, sandbox::PolicyBase* policy)
- : job(job.Pass()), policy(policy) {
- }
- ~JobTracker() {
- FreeResources();
- }
-
- // Releases the Job and notifies the associated Policy object to release its
- // resources as well.
- void FreeResources();
-
- base::win::ScopedHandle job;
- sandbox::PolicyBase* policy;
-};
-
-void JobTracker::FreeResources() {
- if (policy) {
- BOOL res = ::TerminateJobObject(job.Get(), sandbox::SBOX_ALL_OK);
- DCHECK(res);
- // Closing the job causes the target process to be destroyed so this needs
- // to happen before calling OnJobEmpty().
- HANDLE stale_job_handle = job.Get();
- job.Close();
-
- // In OnJobEmpty() we don't actually use the job handle directly.
- policy->OnJobEmpty(stale_job_handle);
- policy->Release();
- policy = NULL;
- }
-}
-
-// Helper structure that allows the broker to track peer processes
-struct PeerTracker {
- PeerTracker(DWORD process_id, HANDLE broker_job_port)
- : wait_object(NULL), id(process_id), job_port(broker_job_port) {
- }
-
- HANDLE wait_object;
- base::win::ScopedHandle process;
- DWORD id;
- HANDLE job_port;
-};
-
-void DeregisterPeerTracker(PeerTracker* peer) {
- // Deregistration shouldn't fail, but we leak rather than crash if it does.
- if (::UnregisterWaitEx(peer->wait_object, INVALID_HANDLE_VALUE)) {
- delete peer;
- } else {
- NOTREACHED();
- }
-}
-
-} // namespace
-
-namespace sandbox {
-
-BrokerServicesBase::BrokerServicesBase() : thread_pool_(NULL) {
-}
-
-// The broker uses a dedicated worker thread that services the job completion
-// port to perform policy notifications and associated cleanup tasks.
-ResultCode BrokerServicesBase::Init() {
- if (job_port_.IsValid() || (NULL != thread_pool_))
- return SBOX_ERROR_UNEXPECTED_CALL;
-
- ::InitializeCriticalSection(&lock_);
-
- job_port_.Set(::CreateIoCompletionPort(INVALID_HANDLE_VALUE, NULL, 0, 0));
- if (!job_port_.IsValid())
- return SBOX_ERROR_GENERIC;
-
- no_targets_.Set(::CreateEventW(NULL, TRUE, FALSE, NULL));
-
- job_thread_.Set(::CreateThread(NULL, 0, // Default security and stack.
- TargetEventsThread, this, NULL, NULL));
- if (!job_thread_.IsValid())
- return SBOX_ERROR_GENERIC;
-
- return SBOX_ALL_OK;
-}
-
-// The destructor should only be called when the Broker process is terminating.
-// Since BrokerServicesBase is a singleton, this is called from the CRT
-// termination handlers, if this code lives on a DLL it is called during
-// DLL_PROCESS_DETACH in other words, holding the loader lock, so we cannot
-// wait for threads here.
-BrokerServicesBase::~BrokerServicesBase() {
- // If there is no port Init() was never called successfully.
- if (!job_port_.IsValid())
- return;
-
- // Closing the port causes, that no more Job notifications are delivered to
- // the worker thread and also causes the thread to exit. This is what we
- // want to do since we are going to close all outstanding Jobs and notifying
- // the policy objects ourselves.
- ::PostQueuedCompletionStatus(job_port_.Get(), 0, THREAD_CTRL_QUIT, FALSE);
-
- if (job_thread_.IsValid() &&
- WAIT_TIMEOUT == ::WaitForSingleObject(job_thread_.Get(), 1000)) {
- // Cannot clean broker services.
- NOTREACHED();
- return;
- }
-
- STLDeleteElements(&tracker_list_);
- delete thread_pool_;
-
- // Cancel the wait events and delete remaining peer trackers.
- for (PeerTrackerMap::iterator it = peer_map_.begin();
- it != peer_map_.end(); ++it) {
- DeregisterPeerTracker(it->second);
- }
-
- ::DeleteCriticalSection(&lock_);
-}
-
-TargetPolicy* BrokerServicesBase::CreatePolicy() {
- // If you change the type of the object being created here you must also
- // change the downcast to it in SpawnTarget().
- return new PolicyBase;
-}
-
-// The worker thread stays in a loop waiting for asynchronous notifications
-// from the job objects. Right now we only care about knowing when the last
-// process on a job terminates, but in general this is the place to tell
-// the policy about events.
-DWORD WINAPI BrokerServicesBase::TargetEventsThread(PVOID param) {
- if (NULL == param)
- return 1;
-
- base::PlatformThread::SetName("BrokerEvent");
-
- BrokerServicesBase* broker = reinterpret_cast<BrokerServicesBase*>(param);
- HANDLE port = broker->job_port_.Get();
- HANDLE no_targets = broker->no_targets_.Get();
-
- int target_counter = 0;
- ::ResetEvent(no_targets);
-
- while (true) {
- DWORD events = 0;
- ULONG_PTR key = 0;
- LPOVERLAPPED ovl = NULL;
-
- if (!::GetQueuedCompletionStatus(port, &events, &key, &ovl, INFINITE)) {
- // this call fails if the port has been closed before we have a
- // chance to service the last packet which is 'exit' anyway so
- // this is not an error.
- return 1;
- }
-
- if (key > THREAD_CTRL_LAST) {
- // The notification comes from a job object. There are nine notifications
- // that jobs can send and some of them depend on the job attributes set.
- JobTracker* tracker = reinterpret_cast<JobTracker*>(key);
-
- switch (events) {
- case JOB_OBJECT_MSG_ACTIVE_PROCESS_ZERO: {
- // The job object has signaled that the last process associated
- // with it has terminated. Assuming there is no way for a process
- // to appear out of thin air in this job, it safe to assume that
- // we can tell the policy to destroy the target object, and for
- // us to release our reference to the policy object.
- tracker->FreeResources();
- break;
- }
-
- case JOB_OBJECT_MSG_NEW_PROCESS: {
- ++target_counter;
- if (1 == target_counter) {
- ::ResetEvent(no_targets);
- }
- break;
- }
-
- case JOB_OBJECT_MSG_EXIT_PROCESS:
- case JOB_OBJECT_MSG_ABNORMAL_EXIT_PROCESS: {
- {
- AutoLock lock(&broker->lock_);
- broker->child_process_ids_.erase(
- static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl)));
- }
- --target_counter;
- if (0 == target_counter)
- ::SetEvent(no_targets);
-
- DCHECK(target_counter >= 0);
- break;
- }
-
- case JOB_OBJECT_MSG_ACTIVE_PROCESS_LIMIT: {
- break;
- }
-
- case JOB_OBJECT_MSG_PROCESS_MEMORY_LIMIT: {
- BOOL res = ::TerminateJobObject(tracker->job.Get(),
- SBOX_FATAL_MEMORY_EXCEEDED);
- DCHECK(res);
- break;
- }
-
- default: {
- NOTREACHED();
- break;
- }
- }
- } else if (THREAD_CTRL_REMOVE_PEER == key) {
- // Remove a process from our list of peers.
- AutoLock lock(&broker->lock_);
- PeerTrackerMap::iterator it = broker->peer_map_.find(
- static_cast<DWORD>(reinterpret_cast<uintptr_t>(ovl)));
- DeregisterPeerTracker(it->second);
- broker->peer_map_.erase(it);
- } else if (THREAD_CTRL_QUIT == key) {
- // The broker object is being destroyed so the thread needs to exit.
- return 0;
- } else {
- // We have not implemented more commands.
- NOTREACHED();
- }
- }
-
- NOTREACHED();
- return 0;
-}
-
-// SpawnTarget does all the interesting sandbox setup and creates the target
-// process inside the sandbox.
-ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
- const wchar_t* command_line,
- TargetPolicy* policy,
- PROCESS_INFORMATION* target_info) {
- if (!exe_path)
- return SBOX_ERROR_BAD_PARAMS;
-
- if (!policy)
- return SBOX_ERROR_BAD_PARAMS;
-
- // Even though the resources touched by SpawnTarget can be accessed in
- // multiple threads, the method itself cannot be called from more than
- // 1 thread. This is to protect the global variables used while setting up
- // the child process.
- static DWORD thread_id = ::GetCurrentThreadId();
- DCHECK(thread_id == ::GetCurrentThreadId());
-
- AutoLock lock(&lock_);
-
- // This downcast is safe as long as we control CreatePolicy()
- PolicyBase* policy_base = static_cast<PolicyBase*>(policy);
-
- if (policy_base->GetAppContainer() && policy_base->GetLowBoxSid())
- return SBOX_ERROR_BAD_PARAMS;
-
- // Construct the tokens and the job object that we are going to associate
- // with the soon to be created target process.
- base::win::ScopedHandle initial_token;
- base::win::ScopedHandle lockdown_token;
- base::win::ScopedHandle lowbox_token;
- ResultCode result = SBOX_ALL_OK;
-
- result =
- policy_base->MakeTokens(&initial_token, &lockdown_token, &lowbox_token);
- if (SBOX_ALL_OK != result)
- return result;
-
- base::win::ScopedHandle job;
- result = policy_base->MakeJobObject(&job);
- if (SBOX_ALL_OK != result)
- return result;
-
- // Initialize the startup information from the policy.
- base::win::StartupInformation startup_info;
- // The liftime of |mitigations| and |inherit_handle_list| have to be at least
- // as long as |startup_info| because |UpdateProcThreadAttribute| requires that
- // its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is
- // called; StartupInformation's destructor makes such a call.
- DWORD64 mitigations;
-
- std::vector<HANDLE> inherited_handle_list;
-
- base::string16 desktop = policy_base->GetAlternateDesktop();
- if (!desktop.empty()) {
- startup_info.startup_info()->lpDesktop =
- const_cast<wchar_t*>(desktop.c_str());
- }
-
- bool inherit_handles = false;
-
- if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
- int attribute_count = 0;
- const AppContainerAttributes* app_container =
- policy_base->GetAppContainer();
- if (app_container)
- ++attribute_count;
-
- size_t mitigations_size;
- ConvertProcessMitigationsToPolicy(policy->GetProcessMitigations(),
- &mitigations, &mitigations_size);
- if (mitigations)
- ++attribute_count;
-
- HANDLE stdout_handle = policy_base->GetStdoutHandle();
- HANDLE stderr_handle = policy_base->GetStderrHandle();
-
- if (stdout_handle != INVALID_HANDLE_VALUE)
- inherited_handle_list.push_back(stdout_handle);
-
- // Handles in the list must be unique.
- if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE)
- inherited_handle_list.push_back(stderr_handle);
-
- const HandleList& policy_handle_list = policy_base->GetHandlesBeingShared();
-
- for (auto handle : policy_handle_list)
- inherited_handle_list.push_back(handle->Get());
-
- if (inherited_handle_list.size())
- ++attribute_count;
-
- if (!startup_info.InitializeProcThreadAttributeList(attribute_count))
- return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
-
- if (app_container) {
- result = app_container->ShareForStartup(&startup_info);
- if (SBOX_ALL_OK != result)
- return result;
- }
-
- if (mitigations) {
- if (!startup_info.UpdateProcThreadAttribute(
- PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &mitigations,
- mitigations_size)) {
- return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
- }
- }
-
- if (inherited_handle_list.size()) {
- if (!startup_info.UpdateProcThreadAttribute(
- PROC_THREAD_ATTRIBUTE_HANDLE_LIST,
- &inherited_handle_list[0],
- sizeof(HANDLE) * inherited_handle_list.size())) {
- return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
- }
- startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES;
- startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE;
- startup_info.startup_info()->hStdOutput = stdout_handle;
- startup_info.startup_info()->hStdError = stderr_handle;
- // Allowing inheritance of handles is only secure now that we
- // have limited which handles will be inherited.
- inherit_handles = true;
- }
- } else if (getenv("MOZ_WIN_INHERIT_STD_HANDLES_PRE_VISTA")) {
- // On pre-Vista versions even if we can't limit what gets inherited, we
- // sometimes want to inherit stdout/err for testing purposes.
- startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES;
- startup_info.startup_info()->hStdInput = INVALID_HANDLE_VALUE;
- startup_info.startup_info()->hStdOutput = policy_base->GetStdoutHandle();
- startup_info.startup_info()->hStdError = policy_base->GetStderrHandle();
- inherit_handles = true;
- }
-
- // Construct the thread pool here in case it is expensive.
- // The thread pool is shared by all the targets
- if (NULL == thread_pool_)
- thread_pool_ = new Win2kThreadPool();
-
- // Create the TargetProces object and spawn the target suspended. Note that
- // Brokerservices does not own the target object. It is owned by the Policy.
- base::win::ScopedProcessInformation process_info;
- TargetProcess* target =
- new TargetProcess(initial_token.Pass(), lockdown_token.Pass(),
- lowbox_token.Pass(), job.Get(), thread_pool_);
-
- DWORD win_result = target->Create(exe_path, command_line, inherit_handles,
- startup_info, &process_info);
-
- policy_base->ClearSharedHandles();
-
- if (ERROR_SUCCESS != win_result) {
- SpawnCleanup(target, win_result);
- return SBOX_ERROR_CREATE_PROCESS;
- }
-
- // Now the policy is the owner of the target.
- if (!policy_base->AddTarget(target)) {
- return SpawnCleanup(target, 0);
- }
-
- // We are going to keep a pointer to the policy because we'll call it when
- // the job object generates notifications using the completion port.
- policy_base->AddRef();
- if (job.IsValid()) {
- scoped_ptr<JobTracker> tracker(new JobTracker(job.Pass(), policy_base));
-
- // There is no obvious recovery after failure here. Previous version with
- // SpawnCleanup() caused deletion of TargetProcess twice. crbug.com/480639
- CHECK(AssociateCompletionPort(tracker->job.Get(), job_port_.Get(),
- tracker.get()));
-
- // Save the tracker because in cleanup we might need to force closing
- // the Jobs.
- tracker_list_.push_back(tracker.release());
- child_process_ids_.insert(process_info.process_id());
- } else {
- // We have to signal the event once here because the completion port will
- // never get a message that this target is being terminated thus we should
- // not block WaitForAllTargets until we have at least one target with job.
- if (child_process_ids_.empty())
- ::SetEvent(no_targets_.Get());
- // We can not track the life time of such processes and it is responsibility
- // of the host application to make sure that spawned targets without jobs
- // are terminated when the main application don't need them anymore.
- // Sandbox policy engine needs to know that these processes are valid
- // targets for e.g. BrokerDuplicateHandle so track them as peer processes.
- AddTargetPeer(process_info.process_handle());
- }
-
- *target_info = process_info.Take();
- return SBOX_ALL_OK;
-}
-
-
-ResultCode BrokerServicesBase::WaitForAllTargets() {
- ::WaitForSingleObject(no_targets_.Get(), INFINITE);
- return SBOX_ALL_OK;
-}
-
-bool BrokerServicesBase::IsActiveTarget(DWORD process_id) {
- AutoLock lock(&lock_);
- return child_process_ids_.find(process_id) != child_process_ids_.end() ||
- peer_map_.find(process_id) != peer_map_.end();
-}
-
-VOID CALLBACK BrokerServicesBase::RemovePeer(PVOID parameter, BOOLEAN timeout) {
- PeerTracker* peer = reinterpret_cast<PeerTracker*>(parameter);
- // Don't check the return code because we this may fail (safely) at shutdown.
- ::PostQueuedCompletionStatus(
- peer->job_port, 0, THREAD_CTRL_REMOVE_PEER,
- reinterpret_cast<LPOVERLAPPED>(static_cast<uintptr_t>(peer->id)));
-}
-
-ResultCode BrokerServicesBase::AddTargetPeer(HANDLE peer_process) {
- scoped_ptr<PeerTracker> peer(new PeerTracker(::GetProcessId(peer_process),
- job_port_.Get()));
- if (!peer->id)
- return SBOX_ERROR_GENERIC;
-
- HANDLE process_handle;
- if (!::DuplicateHandle(::GetCurrentProcess(), peer_process,
- ::GetCurrentProcess(), &process_handle,
- SYNCHRONIZE, FALSE, 0)) {
- return SBOX_ERROR_GENERIC;
- }
- peer->process.Set(process_handle);
-
- AutoLock lock(&lock_);
- if (!peer_map_.insert(std::make_pair(peer->id, peer.get())).second)
- return SBOX_ERROR_BAD_PARAMS;
-
- if (!::RegisterWaitForSingleObject(
- &peer->wait_object, peer->process.Get(), RemovePeer, peer.get(),
- INFINITE, WT_EXECUTEONLYONCE | WT_EXECUTEINWAITTHREAD)) {
- peer_map_.erase(peer->id);
- return SBOX_ERROR_GENERIC;
- }
-
- // Release the pointer since it will be cleaned up by the callback.
- ignore_result(peer.release());
- return SBOX_ALL_OK;
-}
-
-ResultCode BrokerServicesBase::InstallAppContainer(const wchar_t* sid,
- const wchar_t* name) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return SBOX_ERROR_UNSUPPORTED;
-
- base::string16 old_name = LookupAppContainer(sid);
- if (old_name.empty())
- return CreateAppContainer(sid, name);
-
- if (old_name != name)
- return SBOX_ERROR_INVALID_APP_CONTAINER;
-
- return SBOX_ALL_OK;
-}
-
-ResultCode BrokerServicesBase::UninstallAppContainer(const wchar_t* sid) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return SBOX_ERROR_UNSUPPORTED;
-
- base::string16 name = LookupAppContainer(sid);
- if (name.empty())
- return SBOX_ERROR_INVALID_APP_CONTAINER;
-
- return DeleteAppContainer(sid);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/broker_services.h b/security/sandbox/chromium/sandbox/win/src/broker_services.h
deleted file mode 100644
index 6c8f5231c..000000000
--- a/security/sandbox/chromium/sandbox/win/src/broker_services.h
+++ /dev/null
@@ -1,112 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_BROKER_SERVICES_H_
-#define SANDBOX_WIN_SRC_BROKER_SERVICES_H_
-
-#include <list>
-#include <map>
-#include <set>
-#include <utility>
-#include "base/compiler_specific.h"
-#include "base/macros.h"
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/job.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sharedmem_ipc_server.h"
-#include "sandbox/win/src/win2k_threadpool.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-struct JobTracker;
-struct PeerTracker;
-
-} // namespace
-
-namespace sandbox {
-
-class PolicyBase;
-
-// BrokerServicesBase ---------------------------------------------------------
-// Broker implementation version 0
-//
-// This is an implementation of the interface BrokerServices and
-// of the associated TargetProcess interface. In this implementation
-// TargetProcess is a friend of BrokerServices where the later manages a
-// collection of the former.
-class BrokerServicesBase final : public BrokerServices,
- public SingletonBase<BrokerServicesBase> {
- public:
- BrokerServicesBase();
-
- ~BrokerServicesBase();
-
- // BrokerServices interface.
- ResultCode Init() override;
- TargetPolicy* CreatePolicy() override;
- ResultCode SpawnTarget(const wchar_t* exe_path,
- const wchar_t* command_line,
- TargetPolicy* policy,
- PROCESS_INFORMATION* target) override;
- ResultCode WaitForAllTargets() override;
- ResultCode AddTargetPeer(HANDLE peer_process) override;
- ResultCode InstallAppContainer(const wchar_t* sid,
- const wchar_t* name) override;
- ResultCode UninstallAppContainer(const wchar_t* sid) override;
-
- // Checks if the supplied process ID matches one of the broker's active
- // target processes
- // Returns:
- // true if there is an active target process for this ID, otherwise false.
- bool IsActiveTarget(DWORD process_id);
-
- private:
- typedef std::list<JobTracker*> JobTrackerList;
- typedef std::map<DWORD, PeerTracker*> PeerTrackerMap;
-
- // The routine that the worker thread executes. It is in charge of
- // notifications and cleanup-related tasks.
- static DWORD WINAPI TargetEventsThread(PVOID param);
-
- // Removes a target peer from the process list if it expires.
- static VOID CALLBACK RemovePeer(PVOID parameter, BOOLEAN timeout);
-
- // The completion port used by the job objects to communicate events to
- // the worker thread.
- base::win::ScopedHandle job_port_;
-
- // Handle to a manual-reset event that is signaled when the total target
- // process count reaches zero.
- base::win::ScopedHandle no_targets_;
-
- // Handle to the worker thread that reacts to job notifications.
- base::win::ScopedHandle job_thread_;
-
- // Lock used to protect the list of targets from being modified by 2
- // threads at the same time.
- CRITICAL_SECTION lock_;
-
- // provides a pool of threads that are used to wait on the IPC calls.
- ThreadProvider* thread_pool_;
-
- // List of the trackers for closing and cleanup purposes.
- JobTrackerList tracker_list_;
-
- // Maps peer process IDs to the saved handle and wait event.
- // Prevents peer callbacks from accessing the broker after destruction.
- PeerTrackerMap peer_map_;
-
- // Provides a fast lookup to identify sandboxed processes that belong to a
- // job. Consult |jobless_process_handles_| for handles of pocess without job.
- std::set<DWORD> child_process_ids_;
-
- DISALLOW_COPY_AND_ASSIGN(BrokerServicesBase);
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_WIN_SRC_BROKER_SERVICES_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_client.h b/security/sandbox/chromium/sandbox/win/src/crosscall_client.h
deleted file mode 100644
index 60ff2437a..000000000
--- a/security/sandbox/chromium/sandbox/win/src/crosscall_client.h
+++ /dev/null
@@ -1,526 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_CROSSCALL_CLIENT_H_
-#define SANDBOX_SRC_CROSSCALL_CLIENT_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "sandbox/win/src/crosscall_params.h"
-#include "sandbox/win/src/sandbox.h"
-
-// This header defines the CrossCall(..) family of templated functions
-// Their purpose is to simulate the syntax of regular call but to generate
-// and IPC from the client-side.
-//
-// The basic pattern is to
-// 1) use template argument deduction to compute the size of each
-// parameter and the appropriate copy method
-// 2) pack the parameters in the appropriate ActualCallParams< > object
-// 3) call the IPC interface IPCProvider::DoCall( )
-//
-// The general interface of CrossCall is:
-// ResultCode CrossCall(IPCProvider& ipc_provider,
-// uint32_t tag,
-// const Par1& p1, const Par2& p2,...pn
-// CrossCallReturn* answer)
-//
-// where:
-// ipc_provider: is a specific implementation of the ipc transport see
-// sharedmem_ipc_server.h for an example.
-// tag : is the unique id for this IPC call. Is used to route the call to
-// the appropriate service.
-// p1, p2,.. pn : The input parameters of the IPC. Use only simple types
-// and wide strings (can add support for others).
-// answer : If the IPC was successful. The server-side answer is here. The
-// interpretation of the answer is private to client and server.
-//
-// The return value is ALL_OK if the IPC was delivered to the server, other
-// return codes indicate that the IPC transport failed to deliver it.
-namespace sandbox {
-
-// this is the assumed channel size. This can be overridden in a given
-// IPC implementation.
-const uint32_t kIPCChannelSize = 1024;
-
-// The copy helper uses templates to deduce the appropriate copy function to
-// copy the input parameters in the buffer that is going to be send across the
-// IPC. These template facility can be made more sophisticated as need arises.
-
-// The default copy helper. It catches the general case where no other
-// specialized template matches better. We set the type to UINT32_TYPE, so this
-// only works with objects whose size is 32 bits.
-template<typename T>
-class CopyHelper {
- public:
- CopyHelper(const T& t) : t_(t) {}
-
- // Returns the pointer to the start of the input.
- const void* GetStart() const {
- return &t_;
- }
-
- // Update the stored value with the value in the buffer. This is not
- // supported for this type.
- bool Update(void* buffer) {
- // Not supported;
- return true;
- }
-
- // Returns the size of the input in bytes.
- uint32_t GetSize() const { return sizeof(T); }
-
- // Returns true if the current type is used as an In or InOut parameter.
- bool IsInOut() {
- return false;
- }
-
- // Returns this object's type.
- ArgType GetType() {
- static_assert(sizeof(T) == sizeof(uint32_t), "specialization needed");
- return UINT32_TYPE;
- }
-
- private:
- const T& t_;
-};
-
-// This copy helper template specialization if for the void pointer
-// case both 32 and 64 bit.
-template<>
-class CopyHelper<void*> {
- public:
- CopyHelper(void* t) : t_(t) {}
-
- // Returns the pointer to the start of the input.
- const void* GetStart() const {
- return &t_;
- }
-
- // Update the stored value with the value in the buffer. This is not
- // supported for this type.
- bool Update(void* buffer) {
- // Not supported;
- return true;
- }
-
- // Returns the size of the input in bytes.
- uint32_t GetSize() const { return sizeof(t_); }
-
- // Returns true if the current type is used as an In or InOut parameter.
- bool IsInOut() {
- return false;
- }
-
- // Returns this object's type.
- ArgType GetType() {
- return VOIDPTR_TYPE;
- }
-
- private:
- const void* t_;
-};
-
-// This copy helper template specialization catches the cases where the
-// parameter is a pointer to a string.
-template<>
-class CopyHelper<const wchar_t*> {
- public:
- CopyHelper(const wchar_t* t)
- : t_(t) {
- }
-
- // Returns the pointer to the start of the string.
- const void* GetStart() const {
- return t_;
- }
-
- // Update the stored value with the value in the buffer. This is not
- // supported for this type.
- bool Update(void* buffer) {
- // Not supported;
- return true;
- }
-
- // Returns the size of the string in bytes. We define a NULL string to
- // be of zero length.
- uint32_t GetSize() const {
- __try {
- return (!t_) ? 0
- : static_cast<uint32_t>(StringLength(t_) * sizeof(t_[0]));
- }
- __except(EXCEPTION_EXECUTE_HANDLER) {
- return UINT32_MAX;
- }
- }
-
- // Returns true if the current type is used as an In or InOut parameter.
- bool IsInOut() {
- return false;
- }
-
- ArgType GetType() {
- return WCHAR_TYPE;
- }
-
- private:
- // We provide our not very optimized version of wcslen(), since we don't
- // want to risk having the linker use the version in the CRT since the CRT
- // might not be present when we do an early IPC call.
- static size_t __cdecl StringLength(const wchar_t* wcs) {
- const wchar_t *eos = wcs;
- while (*eos++);
- return static_cast<size_t>(eos - wcs - 1);
- }
-
- const wchar_t* t_;
-};
-
-// Specialization for non-const strings. We just reuse the implementation of the
-// const string specialization.
-template<>
-class CopyHelper<wchar_t*> : public CopyHelper<const wchar_t*> {
- public:
- typedef CopyHelper<const wchar_t*> Base;
- CopyHelper(wchar_t* t) : Base(t) {}
-
- const void* GetStart() const {
- return Base::GetStart();
- }
-
- bool Update(void* buffer) {
- return Base::Update(buffer);
- }
-
- uint32_t GetSize() const { return Base::GetSize(); }
-
- bool IsInOut() {
- return Base::IsInOut();
- }
-
- ArgType GetType() {
- return Base::GetType();
- }
-};
-
-// Specialization for wchar_t arrays strings. We just reuse the implementation
-// of the const string specialization.
-template<size_t n>
-class CopyHelper<const wchar_t[n]> : public CopyHelper<const wchar_t*> {
- public:
- typedef const wchar_t array[n];
- typedef CopyHelper<const wchar_t*> Base;
- CopyHelper(array t) : Base(t) {}
-
- const void* GetStart() const {
- return Base::GetStart();
- }
-
- bool Update(void* buffer) {
- return Base::Update(buffer);
- }
-
- uint32_t GetSize() const { return Base::GetSize(); }
-
- bool IsInOut() {
- return Base::IsInOut();
- }
-
- ArgType GetType() {
- return Base::GetType();
- }
-};
-
-// Generic encapsulation class containing a pointer to a buffer and the
-// size of the buffer. It is used by the IPC to be able to pass in/out
-// parameters.
-class InOutCountedBuffer : public CountedBuffer {
- public:
- InOutCountedBuffer(void* buffer, uint32_t size)
- : CountedBuffer(buffer, size) {}
-};
-
-// This copy helper template specialization catches the cases where the
-// parameter is a an input/output buffer.
-template<>
-class CopyHelper<InOutCountedBuffer> {
- public:
- CopyHelper(const InOutCountedBuffer t) : t_(t) {}
-
- // Returns the pointer to the start of the string.
- const void* GetStart() const {
- return t_.Buffer();
- }
-
- // Updates the buffer with the value from the new buffer in parameter.
- bool Update(void* buffer) {
- // We are touching user memory, this has to be done from inside a try
- // except.
- __try {
- memcpy(t_.Buffer(), buffer, t_.Size());
- }
- __except(EXCEPTION_EXECUTE_HANDLER) {
- return false;
- }
- return true;
- }
-
- // Returns the size of the string in bytes. We define a NULL string to
- // be of zero length.
- uint32_t GetSize() const { return t_.Size(); }
-
- // Returns true if the current type is used as an In or InOut parameter.
- bool IsInOut() {
- return true;
- }
-
- ArgType GetType() {
- return INOUTPTR_TYPE;
- }
-
- private:
- const InOutCountedBuffer t_;
-};
-
-// The following two macros make it less error prone the generation
-// of CrossCall functions with ever more input parameters.
-
-#define XCALL_GEN_PARAMS_OBJ(num, params) \
- typedef ActualCallParams<num, kIPCChannelSize> ActualParams; \
- void* raw_mem = ipc_provider.GetBuffer(); \
- if (NULL == raw_mem) \
- return SBOX_ERROR_NO_SPACE; \
- ActualParams* params = new(raw_mem) ActualParams(tag);
-
-#define XCALL_GEN_COPY_PARAM(num, params) \
- static_assert(kMaxIpcParams >= num, "too many parameters"); \
- CopyHelper<Par##num> ch##num(p##num); \
- if (!params->CopyParamIn(num - 1, ch##num.GetStart(), ch##num.GetSize(), \
- ch##num.IsInOut(), ch##num.GetType())) \
- return SBOX_ERROR_NO_SPACE;
-
-#define XCALL_GEN_UPDATE_PARAM(num, params) \
- if (!ch##num.Update(params->GetParamPtr(num-1))) {\
- ipc_provider.FreeBuffer(raw_mem); \
- return SBOX_ERROR_BAD_PARAMS; \
- }
-
-#define XCALL_GEN_FREE_CHANNEL() \
- ipc_provider.FreeBuffer(raw_mem);
-
-// CrossCall template with one input parameter
-template <typename IPCProvider, typename Par1>
-ResultCode CrossCall(IPCProvider& ipc_provider,
- uint32_t tag,
- const Par1& p1,
- CrossCallReturn* answer) {
- XCALL_GEN_PARAMS_OBJ(1, call_params);
- XCALL_GEN_COPY_PARAM(1, call_params);
-
- ResultCode result = ipc_provider.DoCall(call_params, answer);
-
- if (SBOX_ERROR_CHANNEL_ERROR != result) {
- XCALL_GEN_UPDATE_PARAM(1, call_params);
- XCALL_GEN_FREE_CHANNEL();
- }
-
- return result;
-}
-
-// CrossCall template with two input parameters.
-template <typename IPCProvider, typename Par1, typename Par2>
-ResultCode CrossCall(IPCProvider& ipc_provider,
- uint32_t tag,
- const Par1& p1,
- const Par2& p2,
- CrossCallReturn* answer) {
- XCALL_GEN_PARAMS_OBJ(2, call_params);
- XCALL_GEN_COPY_PARAM(1, call_params);
- XCALL_GEN_COPY_PARAM(2, call_params);
-
- ResultCode result = ipc_provider.DoCall(call_params, answer);
-
- if (SBOX_ERROR_CHANNEL_ERROR != result) {
- XCALL_GEN_UPDATE_PARAM(1, call_params);
- XCALL_GEN_UPDATE_PARAM(2, call_params);
- XCALL_GEN_FREE_CHANNEL();
- }
- return result;
-}
-
-// CrossCall template with three input parameters.
-template <typename IPCProvider, typename Par1, typename Par2, typename Par3>
-ResultCode CrossCall(IPCProvider& ipc_provider,
- uint32_t tag,
- const Par1& p1,
- const Par2& p2,
- const Par3& p3,
- CrossCallReturn* answer) {
- XCALL_GEN_PARAMS_OBJ(3, call_params);
- XCALL_GEN_COPY_PARAM(1, call_params);
- XCALL_GEN_COPY_PARAM(2, call_params);
- XCALL_GEN_COPY_PARAM(3, call_params);
-
- ResultCode result = ipc_provider.DoCall(call_params, answer);
-
- if (SBOX_ERROR_CHANNEL_ERROR != result) {
- XCALL_GEN_UPDATE_PARAM(1, call_params);
- XCALL_GEN_UPDATE_PARAM(2, call_params);
- XCALL_GEN_UPDATE_PARAM(3, call_params);
- XCALL_GEN_FREE_CHANNEL();
- }
- return result;
-}
-
-// CrossCall template with four input parameters.
-template <typename IPCProvider,
- typename Par1,
- typename Par2,
- typename Par3,
- typename Par4>
-ResultCode CrossCall(IPCProvider& ipc_provider,
- uint32_t tag,
- const Par1& p1,
- const Par2& p2,
- const Par3& p3,
- const Par4& p4,
- CrossCallReturn* answer) {
- XCALL_GEN_PARAMS_OBJ(4, call_params);
- XCALL_GEN_COPY_PARAM(1, call_params);
- XCALL_GEN_COPY_PARAM(2, call_params);
- XCALL_GEN_COPY_PARAM(3, call_params);
- XCALL_GEN_COPY_PARAM(4, call_params);
-
- ResultCode result = ipc_provider.DoCall(call_params, answer);
-
- if (SBOX_ERROR_CHANNEL_ERROR != result) {
- XCALL_GEN_UPDATE_PARAM(1, call_params);
- XCALL_GEN_UPDATE_PARAM(2, call_params);
- XCALL_GEN_UPDATE_PARAM(3, call_params);
- XCALL_GEN_UPDATE_PARAM(4, call_params);
- XCALL_GEN_FREE_CHANNEL();
- }
- return result;
-}
-
-// CrossCall template with five input parameters.
-template <typename IPCProvider,
- typename Par1,
- typename Par2,
- typename Par3,
- typename Par4,
- typename Par5>
-ResultCode CrossCall(IPCProvider& ipc_provider,
- uint32_t tag,
- const Par1& p1,
- const Par2& p2,
- const Par3& p3,
- const Par4& p4,
- const Par5& p5,
- CrossCallReturn* answer) {
- XCALL_GEN_PARAMS_OBJ(5, call_params);
- XCALL_GEN_COPY_PARAM(1, call_params);
- XCALL_GEN_COPY_PARAM(2, call_params);
- XCALL_GEN_COPY_PARAM(3, call_params);
- XCALL_GEN_COPY_PARAM(4, call_params);
- XCALL_GEN_COPY_PARAM(5, call_params);
-
- ResultCode result = ipc_provider.DoCall(call_params, answer);
-
- if (SBOX_ERROR_CHANNEL_ERROR != result) {
- XCALL_GEN_UPDATE_PARAM(1, call_params);
- XCALL_GEN_UPDATE_PARAM(2, call_params);
- XCALL_GEN_UPDATE_PARAM(3, call_params);
- XCALL_GEN_UPDATE_PARAM(4, call_params);
- XCALL_GEN_UPDATE_PARAM(5, call_params);
- XCALL_GEN_FREE_CHANNEL();
- }
- return result;
-}
-
-// CrossCall template with six input parameters.
-template <typename IPCProvider,
- typename Par1,
- typename Par2,
- typename Par3,
- typename Par4,
- typename Par5,
- typename Par6>
-ResultCode CrossCall(IPCProvider& ipc_provider,
- uint32_t tag,
- const Par1& p1,
- const Par2& p2,
- const Par3& p3,
- const Par4& p4,
- const Par5& p5,
- const Par6& p6,
- CrossCallReturn* answer) {
- XCALL_GEN_PARAMS_OBJ(6, call_params);
- XCALL_GEN_COPY_PARAM(1, call_params);
- XCALL_GEN_COPY_PARAM(2, call_params);
- XCALL_GEN_COPY_PARAM(3, call_params);
- XCALL_GEN_COPY_PARAM(4, call_params);
- XCALL_GEN_COPY_PARAM(5, call_params);
- XCALL_GEN_COPY_PARAM(6, call_params);
-
- ResultCode result = ipc_provider.DoCall(call_params, answer);
-
- if (SBOX_ERROR_CHANNEL_ERROR != result) {
- XCALL_GEN_UPDATE_PARAM(1, call_params);
- XCALL_GEN_UPDATE_PARAM(2, call_params);
- XCALL_GEN_UPDATE_PARAM(3, call_params);
- XCALL_GEN_UPDATE_PARAM(4, call_params);
- XCALL_GEN_UPDATE_PARAM(5, call_params);
- XCALL_GEN_UPDATE_PARAM(6, call_params);
- XCALL_GEN_FREE_CHANNEL();
- }
- return result;
-}
-
-// CrossCall template with seven input parameters.
-template <typename IPCProvider,
- typename Par1,
- typename Par2,
- typename Par3,
- typename Par4,
- typename Par5,
- typename Par6,
- typename Par7>
-ResultCode CrossCall(IPCProvider& ipc_provider,
- uint32_t tag,
- const Par1& p1,
- const Par2& p2,
- const Par3& p3,
- const Par4& p4,
- const Par5& p5,
- const Par6& p6,
- const Par7& p7,
- CrossCallReturn* answer) {
- XCALL_GEN_PARAMS_OBJ(7, call_params);
- XCALL_GEN_COPY_PARAM(1, call_params);
- XCALL_GEN_COPY_PARAM(2, call_params);
- XCALL_GEN_COPY_PARAM(3, call_params);
- XCALL_GEN_COPY_PARAM(4, call_params);
- XCALL_GEN_COPY_PARAM(5, call_params);
- XCALL_GEN_COPY_PARAM(6, call_params);
- XCALL_GEN_COPY_PARAM(7, call_params);
-
- ResultCode result = ipc_provider.DoCall(call_params, answer);
-
- if (SBOX_ERROR_CHANNEL_ERROR != result) {
- XCALL_GEN_UPDATE_PARAM(1, call_params);
- XCALL_GEN_UPDATE_PARAM(2, call_params);
- XCALL_GEN_UPDATE_PARAM(3, call_params);
- XCALL_GEN_UPDATE_PARAM(4, call_params);
- XCALL_GEN_UPDATE_PARAM(5, call_params);
- XCALL_GEN_UPDATE_PARAM(6, call_params);
- XCALL_GEN_UPDATE_PARAM(7, call_params);
- XCALL_GEN_FREE_CHANNEL();
- }
- return result;
-}
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_CROSSCALL_CLIENT_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h
deleted file mode 100644
index eb59c4423..000000000
--- a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h
+++ /dev/null
@@ -1,287 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_CROSSCALL_PARAMS_H__
-#define SANDBOX_SRC_CROSSCALL_PARAMS_H__
-
-#include <windows.h>
-#include <lmaccess.h>
-#include <stddef.h>
-#include <stdint.h>
-
-#include <memory>
-
-#include "base/macros.h"
-#include "sandbox/win/src/internal_types.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-// Increases |value| until there is no need for padding given an int64_t
-// alignment. Returns the increased value.
-inline uint32_t Align(uint32_t value) {
- uint32_t alignment = sizeof(int64_t);
- return ((value + alignment - 1) / alignment) * alignment;
-}
-
-// This header is part of CrossCall: the sandbox inter-process communication.
-// This header defines the basic types used both in the client IPC and in the
-// server IPC code. CrossCallParams and ActualCallParams model the input
-// parameters of an IPC call and CrossCallReturn models the output params and
-// the return value.
-//
-// An IPC call is defined by its 'tag' which is a (uint32_t) unique identifier
-// that is used to route the IPC call to the proper server. Every tag implies
-// a complete call signature including the order and type of each parameter.
-//
-// Like most IPC systems. CrossCall is designed to take as inputs 'simple'
-// types such as integers and strings. Classes, generic arrays or pointers to
-// them are not supported.
-//
-// Another limitation of CrossCall is that the return value and output
-// parameters can only be uint32_t integers. Returning complex structures or
-// strings is not supported.
-
-namespace sandbox {
-
-// max number of extended return parameters. See CrossCallReturn
-const size_t kExtendedReturnCount = 8;
-
-// Union of multiple types to be used as extended results
-// in the CrossCallReturn.
-union MultiType {
- uint32_t unsigned_int;
- void* pointer;
- HANDLE handle;
- ULONG_PTR ulong_ptr;
-};
-
-// Maximum number of IPC parameters currently supported.
-// To increase this value, we have to:
-// - Add another Callback typedef to Dispatcher.
-// - Add another case to the switch on SharedMemIPCServer::InvokeCallback.
-// - Add another case to the switch in GetActualAndMaxBufferSize
-const int kMaxIpcParams = 9;
-
-// Contains the information about a parameter in the ipc buffer.
-struct ParamInfo {
- ArgType type_;
- uint32_t offset_;
- uint32_t size_;
-};
-
-// Models the return value and the return parameters of an IPC call
-// currently limited to one status code and eight generic return values
-// which cannot be pointers to other data. For x64 ports this structure
-// might have to use other integer types.
-struct CrossCallReturn {
- // the IPC tag. It should match the original IPC tag.
- uint32_t tag;
- // The result of the IPC operation itself.
- ResultCode call_outcome;
- // the result of the IPC call as executed in the server. The interpretation
- // of this value depends on the specific service.
- union {
- NTSTATUS nt_status;
- DWORD win32_result;
- };
- // Number of extended return values.
- uint32_t extended_count;
- // for calls that should return a windows handle. It is found here.
- HANDLE handle;
- // The array of extended values.
- MultiType extended[kExtendedReturnCount];
-};
-
-// CrossCallParams base class that models the input params all packed in a
-// single compact memory blob. The representation can vary but in general a
-// given child of this class is meant to represent all input parameters
-// necessary to make a IPC call.
-//
-// This class cannot have virtual members because its assumed the IPC
-// parameters start from the 'this' pointer to the end, which is defined by
-// one of the subclasses
-//
-// Objects of this class cannot be constructed directly. Only derived
-// classes have the proper knowledge to construct it.
-class CrossCallParams {
- public:
- // Returns the tag (ipc unique id) associated with this IPC.
- uint32_t GetTag() const { return tag_; }
-
- // Returns the beggining of the buffer where the IPC params can be stored.
- // prior to an IPC call
- const void* GetBuffer() const {
- return this;
- }
-
- // Returns how many parameter this IPC call should have.
- uint32_t GetParamsCount() const { return params_count_; }
-
- // Returns a pointer to the CrossCallReturn structure.
- CrossCallReturn* GetCallReturn() {
- return &call_return;
- }
-
- // Returns TRUE if this call contains InOut parameters.
- bool IsInOut() const { return (1 == is_in_out_); }
-
- // Tells the CrossCall object if it contains InOut parameters.
- void SetIsInOut(bool value) {
- if (value)
- is_in_out_ = 1;
- else
- is_in_out_ = 0;
- }
-
- protected:
- // constructs the IPC call params. Called only from the derived classes
- CrossCallParams(uint32_t tag, uint32_t params_count)
- : tag_(tag), is_in_out_(0), params_count_(params_count) {}
-
- private:
- uint32_t tag_;
- uint32_t is_in_out_;
- CrossCallReturn call_return;
- const uint32_t params_count_;
- DISALLOW_COPY_AND_ASSIGN(CrossCallParams);
-};
-
-// ActualCallParams models an specific IPC call parameters with respect to the
-// storage allocation that the packed parameters should need.
-// NUMBER_PARAMS: the number of parameters, valid from 1 to N
-// BLOCK_SIZE: the total storage that the NUMBER_PARAMS parameters can take,
-// typically the block size is defined by the channel size of the underlying
-// ipc mechanism.
-// In practice this class is used to levergage C++ capacity to properly
-// calculate sizes and displacements given the possibility of the packed params
-// blob to be complex.
-//
-// As is, this class assumes that the layout of the blob is as follows. Assume
-// that NUMBER_PARAMS = 2 and a 32-bit build:
-//
-// [ tag 4 bytes]
-// [ IsOnOut 4 bytes]
-// [ call return 52 bytes]
-// [ params count 4 bytes]
-// [ parameter 0 type 4 bytes]
-// [ parameter 0 offset 4 bytes] ---delta to ---\
-// [ parameter 0 size 4 bytes] |
-// [ parameter 1 type 4 bytes] |
-// [ parameter 1 offset 4 bytes] ---------------|--\
-// [ parameter 1 size 4 bytes] | |
-// [ parameter 2 type 4 bytes] | |
-// [ parameter 2 offset 4 bytes] ----------------------\
-// [ parameter 2 size 4 bytes] | | |
-// |---------------------------| | | |
-// | value 0 (x bytes) | <--------------/ | |
-// | value 1 (y bytes) | <-----------------/ |
-// | | |
-// | end of buffer | <---------------------/
-// |---------------------------|
-//
-// Note that the actual number of params is NUMBER_PARAMS + 1
-// so that the size of each actual param can be computed from the difference
-// between one parameter and the next down. The offset of the last param
-// points to the end of the buffer and the type and size are undefined.
-//
-template <size_t NUMBER_PARAMS, size_t BLOCK_SIZE>
-class ActualCallParams : public CrossCallParams {
- public:
- // constructor. Pass the ipc unique tag as input
- explicit ActualCallParams(uint32_t tag)
- : CrossCallParams(tag, NUMBER_PARAMS) {
- param_info_[0].offset_ =
- static_cast<uint32_t>(parameters_ - reinterpret_cast<char*>(this));
- }
-
- // Testing-only constructor. Allows setting the |number_params| to a
- // wrong value.
- ActualCallParams(uint32_t tag, uint32_t number_params)
- : CrossCallParams(tag, number_params) {
- param_info_[0].offset_ =
- static_cast<uint32_t>(parameters_ - reinterpret_cast<char*>(this));
- }
-
- // Testing-only method. Allows setting the apparent size to a wrong value.
- // returns the previous size.
- uint32_t OverrideSize(uint32_t new_size) {
- uint32_t previous_size = param_info_[NUMBER_PARAMS].offset_;
- param_info_[NUMBER_PARAMS].offset_ = new_size;
- return previous_size;
- }
-
- // Copies each paramter into the internal buffer. For each you must supply:
- // index: 0 for the first param, 1 for the next an so on
- bool CopyParamIn(uint32_t index,
- const void* parameter_address,
- uint32_t size,
- bool is_in_out,
- ArgType type) {
- if (index >= NUMBER_PARAMS) {
- return false;
- }
-
- if (UINT32_MAX == size) {
- // Memory error while getting the size.
- return false;
- }
-
- if (size && !parameter_address) {
- return false;
- }
-
- if ((size > sizeof(*this)) ||
- (param_info_[index].offset_ > (sizeof(*this) - size))) {
- // It does not fit, abort copy.
- return false;
- }
-
- char* dest = reinterpret_cast<char*>(this) + param_info_[index].offset_;
-
- // We might be touching user memory, this has to be done from inside a try
- // except.
- __try {
- memcpy(dest, parameter_address, size);
- }
- __except(EXCEPTION_EXECUTE_HANDLER) {
- return false;
- }
-
- // Set the flag to tell the broker to update the buffer once the call is
- // made.
- if (is_in_out)
- SetIsInOut(true);
-
- param_info_[index + 1].offset_ = Align(param_info_[index].offset_ +
- size);
- param_info_[index].size_ = size;
- param_info_[index].type_ = type;
- return true;
- }
-
- // Returns a pointer to a parameter in the memory section.
- void* GetParamPtr(size_t index) {
- return reinterpret_cast<char*>(this) + param_info_[index].offset_;
- }
-
- // Returns the total size of the buffer. Only valid once all the paramters
- // have been copied in with CopyParamIn.
- uint32_t GetSize() const { return param_info_[NUMBER_PARAMS].offset_; }
-
- protected:
- ActualCallParams() : CrossCallParams(0, NUMBER_PARAMS) { }
-
- private:
- ParamInfo param_info_[NUMBER_PARAMS + 1];
- char parameters_[BLOCK_SIZE - sizeof(CrossCallParams)
- - sizeof(ParamInfo) * (NUMBER_PARAMS + 1)];
- DISALLOW_COPY_AND_ASSIGN(ActualCallParams);
-};
-
-static_assert(sizeof(ActualCallParams<1, 1024>) == 1024, "bad size buffer");
-static_assert(sizeof(ActualCallParams<2, 1024>) == 1024, "bad size buffer");
-static_assert(sizeof(ActualCallParams<3, 1024>) == 1024, "bad size buffer");
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_CROSSCALL_PARAMS_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc b/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc
deleted file mode 100644
index 9f71f333f..000000000
--- a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc
+++ /dev/null
@@ -1,314 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/crosscall_server.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <string>
-#include <vector>
-
-#include "base/logging.h"
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/crosscall_params.h"
-
-// This code performs the ipc message validation. Potential security flaws
-// on the ipc are likelier to be found in this code than in the rest of
-// the ipc code.
-
-namespace {
-
-// The buffer for a message must match the max channel size.
-const size_t kMaxBufferSize = sandbox::kIPCChannelSize;
-
-}
-
-namespace sandbox {
-
-// Returns the actual size for the parameters in an IPC buffer. Returns
-// zero if the |param_count| is zero or too big.
-uint32_t GetActualBufferSize(uint32_t param_count, void* buffer_base) {
- // The template types are used to calculate the maximum expected size.
- typedef ActualCallParams<1, kMaxBufferSize> ActualCP1;
- typedef ActualCallParams<2, kMaxBufferSize> ActualCP2;
- typedef ActualCallParams<3, kMaxBufferSize> ActualCP3;
- typedef ActualCallParams<4, kMaxBufferSize> ActualCP4;
- typedef ActualCallParams<5, kMaxBufferSize> ActualCP5;
- typedef ActualCallParams<6, kMaxBufferSize> ActualCP6;
- typedef ActualCallParams<7, kMaxBufferSize> ActualCP7;
- typedef ActualCallParams<8, kMaxBufferSize> ActualCP8;
- typedef ActualCallParams<9, kMaxBufferSize> ActualCP9;
-
- // Retrieve the actual size and the maximum size of the params buffer.
- switch (param_count) {
- case 0:
- return 0;
- case 1:
- return reinterpret_cast<ActualCP1*>(buffer_base)->GetSize();
- case 2:
- return reinterpret_cast<ActualCP2*>(buffer_base)->GetSize();
- case 3:
- return reinterpret_cast<ActualCP3*>(buffer_base)->GetSize();
- case 4:
- return reinterpret_cast<ActualCP4*>(buffer_base)->GetSize();
- case 5:
- return reinterpret_cast<ActualCP5*>(buffer_base)->GetSize();
- case 6:
- return reinterpret_cast<ActualCP6*>(buffer_base)->GetSize();
- case 7:
- return reinterpret_cast<ActualCP7*>(buffer_base)->GetSize();
- case 8:
- return reinterpret_cast<ActualCP8*>(buffer_base)->GetSize();
- case 9:
- return reinterpret_cast<ActualCP9*>(buffer_base)->GetSize();
- default:
- return 0;
- }
-}
-
-// Verifies that the declared sizes of an IPC buffer are within range.
-bool IsSizeWithinRange(uint32_t buffer_size,
- uint32_t min_declared_size,
- uint32_t declared_size) {
- if ((buffer_size < min_declared_size) ||
- (sizeof(CrossCallParamsEx) > min_declared_size)) {
- // Minimal computed size bigger than existing buffer or param_count
- // integer overflow.
- return false;
- }
-
- if ((declared_size > buffer_size) || (declared_size < min_declared_size)) {
- // Declared size is bigger than buffer or smaller than computed size
- // or param_count is equal to 0 or bigger than 9.
- return false;
- }
-
- return true;
-}
-
-CrossCallParamsEx::CrossCallParamsEx()
- :CrossCallParams(0, 0) {
-}
-
-// We override the delete operator because the object's backing memory
-// is hand allocated in CreateFromBuffer. We don't override the new operator
-// because the constructors are private so there is no way to mismatch
-// new & delete.
-void CrossCallParamsEx::operator delete(void* raw_memory) throw() {
- if (NULL == raw_memory) {
- // C++ standard allows 'delete 0' behavior.
- return;
- }
- delete[] reinterpret_cast<char*>(raw_memory);
-}
-
-// This function uses a SEH try block so cannot use C++ objects that
-// have destructors or else you get Compiler Error C2712. So no DCHECKs
-// inside this function.
-CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
- uint32_t buffer_size,
- uint32_t* output_size) {
- // IMPORTANT: Everything inside buffer_base and derived from it such
- // as param_count and declared_size is untrusted.
- if (NULL == buffer_base) {
- return NULL;
- }
- if (buffer_size < sizeof(CrossCallParams)) {
- return NULL;
- }
- if (buffer_size > kMaxBufferSize) {
- return NULL;
- }
-
- char* backing_mem = NULL;
- uint32_t param_count = 0;
- uint32_t declared_size;
- uint32_t min_declared_size;
- CrossCallParamsEx* copied_params = NULL;
-
- // Touching the untrusted buffer is done under a SEH try block. This
- // will catch memory access violations so we don't crash.
- __try {
- CrossCallParams* call_params =
- reinterpret_cast<CrossCallParams*>(buffer_base);
-
- // Check against the minimum size given the number of stated params
- // if too small we bail out.
- param_count = call_params->GetParamsCount();
- min_declared_size = sizeof(CrossCallParams) +
- ((param_count + 1) * sizeof(ParamInfo));
-
- // Retrieve the declared size which if it fails returns 0.
- declared_size = GetActualBufferSize(param_count, buffer_base);
-
- if (!IsSizeWithinRange(buffer_size, min_declared_size, declared_size))
- return NULL;
-
- // Now we copy the actual amount of the message.
- *output_size = declared_size;
- backing_mem = new char[declared_size];
- copied_params = reinterpret_cast<CrossCallParamsEx*>(backing_mem);
- memcpy(backing_mem, call_params, declared_size);
-
- // Avoid compiler optimizations across this point. Any value stored in
- // memory should be stored for real, and values previously read from memory
- // should be actually read.
- _ReadWriteBarrier();
-
- min_declared_size = sizeof(CrossCallParams) +
- ((param_count + 1) * sizeof(ParamInfo));
-
- // Check that the copied buffer is still valid.
- if (copied_params->GetParamsCount() != param_count ||
- GetActualBufferSize(param_count, backing_mem) != declared_size ||
- !IsSizeWithinRange(buffer_size, min_declared_size, declared_size)) {
- delete [] backing_mem;
- return NULL;
- }
-
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- // In case of a windows exception we know it occurred while touching the
- // untrusted buffer so we bail out as is.
- delete [] backing_mem;
- return NULL;
- }
-
- const char* last_byte = &backing_mem[declared_size];
- const char* first_byte = &backing_mem[min_declared_size];
-
- // Verify here that all and each parameters make sense. This is done in the
- // local copy.
- for (uint32_t ix = 0; ix != param_count; ++ix) {
- uint32_t size = 0;
- ArgType type;
- char* address = reinterpret_cast<char*>(
- copied_params->GetRawParameter(ix, &size, &type));
- if ((NULL == address) || // No null params.
- (INVALID_TYPE >= type) || (LAST_TYPE <= type) || // Unknown type.
- (address < backing_mem) || // Start cannot point before buffer.
- (address < first_byte) || // Start cannot point too low.
- (address > last_byte) || // Start cannot point past buffer.
- ((address + size) < address) || // Invalid size.
- ((address + size) > last_byte)) { // End cannot point past buffer.
- // Malformed.
- delete[] backing_mem;
- return NULL;
- }
- }
- // The parameter buffer looks good.
- return copied_params;
-}
-
-// Accessors to the parameters in the raw buffer.
-void* CrossCallParamsEx::GetRawParameter(uint32_t index,
- uint32_t* size,
- ArgType* type) {
- if (index >= GetParamsCount()) {
- return NULL;
- }
- // The size is always computed from the parameter minus the next
- // parameter, this works because the message has an extra parameter slot
- *size = param_info_[index].size_;
- *type = param_info_[index].type_;
-
- return param_info_[index].offset_ + reinterpret_cast<char*>(this);
-}
-
-// Covers common case for 32 bit integers.
-bool CrossCallParamsEx::GetParameter32(uint32_t index, uint32_t* param) {
- uint32_t size = 0;
- ArgType type;
- void* start = GetRawParameter(index, &size, &type);
- if ((NULL == start) || (4 != size) || (UINT32_TYPE != type)) {
- return false;
- }
- // Copy the 4 bytes.
- *(reinterpret_cast<uint32_t*>(param)) = *(reinterpret_cast<uint32_t*>(start));
- return true;
-}
-
-bool CrossCallParamsEx::GetParameterVoidPtr(uint32_t index, void** param) {
- uint32_t size = 0;
- ArgType type;
- void* start = GetRawParameter(index, &size, &type);
- if ((NULL == start) || (sizeof(void*) != size) || (VOIDPTR_TYPE != type)) {
- return false;
- }
- *param = *(reinterpret_cast<void**>(start));
- return true;
-}
-
-// Covers the common case of reading a string. Note that the string is not
-// scanned for invalid characters.
-bool CrossCallParamsEx::GetParameterStr(uint32_t index,
- base::string16* string) {
- uint32_t size = 0;
- ArgType type;
- void* start = GetRawParameter(index, &size, &type);
- if (WCHAR_TYPE != type) {
- return false;
- }
-
- // Check if this is an empty string.
- if (size == 0) {
- *string = L"";
- return true;
- }
-
- if ((NULL == start) || ((size % sizeof(wchar_t)) != 0)) {
- return false;
- }
- string->append(reinterpret_cast<wchar_t*>(start), size/(sizeof(wchar_t)));
- return true;
-}
-
-bool CrossCallParamsEx::GetParameterPtr(uint32_t index,
- uint32_t expected_size,
- void** pointer) {
- uint32_t size = 0;
- ArgType type;
- void* start = GetRawParameter(index, &size, &type);
-
- if ((size != expected_size) || (INOUTPTR_TYPE != type)) {
- return false;
- }
-
- if (NULL == start) {
- return false;
- }
-
- *pointer = start;
- return true;
-}
-
-void SetCallError(ResultCode error, CrossCallReturn* call_return) {
- call_return->call_outcome = error;
- call_return->extended_count = 0;
-}
-
-void SetCallSuccess(CrossCallReturn* call_return) {
- call_return->call_outcome = SBOX_ALL_OK;
-}
-
-Dispatcher* Dispatcher::OnMessageReady(IPCParams* ipc,
- CallbackGeneric* callback) {
- DCHECK(callback);
- std::vector<IPCCall>::iterator it = ipc_calls_.begin();
- for (; it != ipc_calls_.end(); ++it) {
- if (it->params.Matches(ipc)) {
- *callback = it->callback;
- return this;
- }
- }
- return NULL;
-}
-
-Dispatcher::Dispatcher() {
-}
-
-Dispatcher::~Dispatcher() {
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_server.h b/security/sandbox/chromium/sandbox/win/src/crosscall_server.h
deleted file mode 100644
index 0820ac440..000000000
--- a/security/sandbox/chromium/sandbox/win/src/crosscall_server.h
+++ /dev/null
@@ -1,228 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_CROSSCALL_SERVER_H_
-#define SANDBOX_SRC_CROSSCALL_SERVER_H_
-
-#include <stdint.h>
-
-#include <string>
-#include <vector>
-
-#include "base/callback.h"
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_params.h"
-
-// This is the IPC server interface for CrossCall: The IPC for the Sandbox
-// On the server, CrossCall needs two things:
-// 1) threads: Or better said, someone to provide them, that is what the
-// ThreadProvider interface is defined for. These thread(s) are
-// the ones that will actually execute the IPC data retrieval.
-//
-// 2) a dispatcher: This interface represents the way to route and process
-// an IPC call given the IPC tag.
-//
-// The other class included here CrossCallParamsEx is the server side version
-// of the CrossCallParams class of /sandbox/crosscall_params.h The difference
-// is that the sever version is paranoid about the correctness of the IPC
-// message and will do all sorts of verifications.
-//
-// A general diagram of the interaction is as follows:
-//
-// ------------
-// | |
-// ThreadProvider <--(1)Register--| IPC |
-// | | Implemen |
-// | | -tation |
-// (2) | | OnMessage
-// IPC fired --callback ------>| |--(3)---> Dispatcher
-// | |
-// ------------
-//
-// The IPC implementation sits as a middleman between the handling of the
-// specifics of scheduling a thread to service the IPC and the multiple
-// entities that can potentially serve each particular IPC.
-namespace sandbox {
-
-class InterceptionManager;
-
-// This function signature is required as the callback when an IPC call fires.
-// context: a user-defined pointer that was set using ThreadProvider
-// reason: 0 if the callback was fired because of a timeout.
-// 1 if the callback was fired because of an event.
-typedef void (__stdcall * CrossCallIPCCallback)(void* context,
- unsigned char reason);
-
-// ThreadProvider models a thread factory. The idea is to decouple thread
-// creation and lifetime from the inner guts of the IPC. The contract is
-// simple:
-// - the IPC implementation calls RegisterWait with a waitable object that
-// becomes signaled when an IPC arrives and needs to be serviced.
-// - when the waitable object becomes signaled, the thread provider conjures
-// a thread that calls the callback (CrossCallIPCCallback) function
-// - the callback function tries its best not to block and return quickly
-// and should not assume that the next callback will use the same thread
-// - when the callback returns the ThreadProvider owns again the thread
-// and can destroy it or keep it around.
-class ThreadProvider {
- public:
- // Registers a waitable object with the thread provider.
- // client: A number to associate with all the RegisterWait calls, typically
- // this is the address of the caller object. This parameter cannot
- // be zero.
- // waitable_object : a kernel object that can be waited on
- // callback: a function pointer which is the function that will be called
- // when the waitable object fires
- // context: a user-provider pointer that is passed back to the callback
- // when its called
- virtual bool RegisterWait(const void* client, HANDLE waitable_object,
- CrossCallIPCCallback callback,
- void* context) = 0;
-
- // Removes all the registrations done with the same cookie parameter.
- // This frees internal thread pool resources.
- virtual bool UnRegisterWaits(void* cookie) = 0;
- virtual ~ThreadProvider() {}
-};
-
-// Models the server-side of the original input parameters.
-// Provides IPC buffer validation and it is capable of reading the parameters
-// out of the IPC buffer.
-class CrossCallParamsEx : public CrossCallParams {
- public:
- // Factory constructor. Pass an IPCbuffer (and buffer size) that contains a
- // pending IPCcall. This constructor will:
- // 1) validate the IPC buffer. returns NULL is the IPCbuffer is malformed.
- // 2) make a copy of the IPCbuffer (parameter capture)
- static CrossCallParamsEx* CreateFromBuffer(void* buffer_base,
- uint32_t buffer_size,
- uint32_t* output_size);
-
- // Provides IPCinput parameter raw access:
- // index : the parameter to read; 0 is the first parameter
- // returns NULL if the parameter is non-existent. If it exists it also
- // returns the size in *size
- void* GetRawParameter(uint32_t index, uint32_t* size, ArgType* type);
-
- // Gets a parameter that is four bytes in size.
- // Returns false if the parameter does not exist or is not 32 bits wide.
- bool GetParameter32(uint32_t index, uint32_t* param);
-
- // Gets a parameter that is void pointer in size.
- // Returns false if the parameter does not exist or is not void pointer sized.
- bool GetParameterVoidPtr(uint32_t index, void** param);
-
- // Gets a parameter that is a string. Returns false if the parameter does not
- // exist.
- bool GetParameterStr(uint32_t index, base::string16* string);
-
- // Gets a parameter that is an in/out buffer. Returns false is the parameter
- // does not exist or if the size of the actual parameter is not equal to the
- // expected size.
- bool GetParameterPtr(uint32_t index, uint32_t expected_size, void** pointer);
-
- // Frees the memory associated with the IPC parameters.
- static void operator delete(void* raw_memory) throw();
-
- private:
- // Only the factory method CreateFromBuffer can construct these objects.
- CrossCallParamsEx();
-
- ParamInfo param_info_[1];
- DISALLOW_COPY_AND_ASSIGN(CrossCallParamsEx);
-};
-
-// Simple helper function that sets the members of CrossCallReturn
-// to the proper state to signal a basic error.
-void SetCallError(ResultCode error, CrossCallReturn* call_return);
-
-// Sets the internal status of call_return to signify the that IPC call
-// completed successfully.
-void SetCallSuccess(CrossCallReturn* call_return);
-
-// Represents the client process that initiated the IPC which boils down to the
-// process handle and the job object handle that contains the client process.
-struct ClientInfo {
- HANDLE process;
- DWORD process_id;
-};
-
-// All IPC-related information to be passed to the IPC handler.
-struct IPCInfo {
- int ipc_tag;
- const ClientInfo* client_info;
- CrossCallReturn return_info;
-};
-
-// This structure identifies IPC signatures.
-struct IPCParams {
- int ipc_tag;
- ArgType args[kMaxIpcParams];
-
- bool Matches(IPCParams* other) const {
- return !memcmp(this, other, sizeof(*other));
- }
-};
-
-// Models an entity that can process an IPC message or it can route to another
-// one that could handle it. When an IPC arrives the IPC implementation will:
-// 1) call OnMessageReady() with the tag of the pending IPC. If the dispatcher
-// returns NULL it means that it cannot handle this IPC but if it returns
-// non-null, it must be the pointer to a dispatcher that can handle it.
-// 2) When the IPC finally obtains a valid Dispatcher the IPC
-// implementation creates a CrossCallParamsEx from the raw IPC buffer.
-// 3) It calls the returned callback, with the IPC info and arguments.
-class Dispatcher {
- public:
- // Called from the IPC implementation to handle a specific IPC message.
- typedef bool (Dispatcher::*CallbackGeneric)();
- typedef bool (Dispatcher::*Callback0)(IPCInfo* ipc);
- typedef bool (Dispatcher::*Callback1)(IPCInfo* ipc, void* p1);
- typedef bool (Dispatcher::*Callback2)(IPCInfo* ipc, void* p1, void* p2);
- typedef bool (Dispatcher::*Callback3)(IPCInfo* ipc, void* p1, void* p2,
- void* p3);
- typedef bool (Dispatcher::*Callback4)(IPCInfo* ipc, void* p1, void* p2,
- void* p3, void* p4);
- typedef bool (Dispatcher::*Callback5)(IPCInfo* ipc, void* p1, void* p2,
- void* p3, void* p4, void* p5);
- typedef bool (Dispatcher::*Callback6)(IPCInfo* ipc, void* p1, void* p2,
- void* p3, void* p4, void* p5, void* p6);
- typedef bool (Dispatcher::*Callback7)(IPCInfo* ipc, void* p1, void* p2,
- void* p3, void* p4, void* p5, void* p6,
- void* p7);
- typedef bool (Dispatcher::*Callback8)(IPCInfo* ipc, void* p1, void* p2,
- void* p3, void* p4, void* p5, void* p6,
- void* p7, void* p8);
- typedef bool (Dispatcher::*Callback9)(IPCInfo* ipc, void* p1, void* p2,
- void* p3, void* p4, void* p5, void* p6,
- void* p7, void* p8, void* p9);
-
- // Called from the IPC implementation when an IPC message is ready override
- // on a derived class to handle a set of IPC messages. Return NULL if your
- // subclass does not handle the message or return the pointer to the subclass
- // that can handle it.
- virtual Dispatcher* OnMessageReady(IPCParams* ipc, CallbackGeneric* callback);
-
- // Called when a target proces is created, to setup the interceptions related
- // with the given service (IPC).
- virtual bool SetupService(InterceptionManager* manager, int service) = 0;
-
- Dispatcher();
- virtual ~Dispatcher();
-
- protected:
- // Structure that defines an IPC Call with all the parameters and the handler.
- struct IPCCall {
- IPCParams params;
- CallbackGeneric callback;
- };
-
- // List of IPC Calls supported by the class.
- std::vector<IPCCall> ipc_calls_;
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_CROSSCALL_SERVER_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/eat_resolver.cc b/security/sandbox/chromium/sandbox/win/src/eat_resolver.cc
deleted file mode 100644
index 48681e83b..000000000
--- a/security/sandbox/chromium/sandbox/win/src/eat_resolver.cc
+++ /dev/null
@@ -1,88 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/eat_resolver.h"
-
-#include <stddef.h>
-
-#include "base/win/pe_image.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-namespace sandbox {
-
-NTSTATUS EatResolverThunk::Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) {
- NTSTATUS ret = Init(target_module, interceptor_module, target_name,
- interceptor_name, interceptor_entry_point,
- thunk_storage, storage_bytes);
- if (!NT_SUCCESS(ret))
- return ret;
-
- if (!eat_entry_)
- return STATUS_INVALID_PARAMETER;
-
-#if defined(_WIN64)
- // We have two thunks, in order: the return path and the forward path.
- if (!SetInternalThunk(thunk_storage, storage_bytes, NULL, target_))
- return STATUS_BUFFER_TOO_SMALL;
-
- size_t thunk_bytes = GetInternalThunkSize();
- storage_bytes -= thunk_bytes;
- thunk_storage = reinterpret_cast<char*>(thunk_storage) + thunk_bytes;
-#endif
-
- if (!SetInternalThunk(thunk_storage, storage_bytes, target_, interceptor_))
- return STATUS_BUFFER_TOO_SMALL;
-
- AutoProtectMemory memory;
- ret = memory.ChangeProtection(eat_entry_, sizeof(DWORD), PAGE_READWRITE);
- if (!NT_SUCCESS(ret))
- return ret;
-
- // Perform the patch.
- *eat_entry_ = static_cast<DWORD>(reinterpret_cast<uintptr_t>(thunk_storage)) -
- static_cast<DWORD>(reinterpret_cast<uintptr_t>(target_module));
-
- if (NULL != storage_used)
- *storage_used = GetThunkSize();
-
- return ret;
-}
-
-NTSTATUS EatResolverThunk::ResolveTarget(const void* module,
- const char* function_name,
- void** address) {
- DCHECK_NT(address);
- if (!module)
- return STATUS_INVALID_PARAMETER;
-
- base::win::PEImage pe(module);
- if (!pe.VerifyMagic())
- return STATUS_INVALID_IMAGE_FORMAT;
-
- eat_entry_ = pe.GetExportEntry(function_name);
-
- if (!eat_entry_)
- return STATUS_PROCEDURE_NOT_FOUND;
-
- *address = pe.RVAToAddr(*eat_entry_);
-
- return STATUS_SUCCESS;
-}
-
-size_t EatResolverThunk::GetThunkSize() const {
-#if defined(_WIN64)
- return GetInternalThunkSize() * 2;
-#else
- return GetInternalThunkSize();
-#endif
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/eat_resolver.h b/security/sandbox/chromium/sandbox/win/src/eat_resolver.h
deleted file mode 100644
index a45d0063b..000000000
--- a/security/sandbox/chromium/sandbox/win/src/eat_resolver.h
+++ /dev/null
@@ -1,50 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_EAT_RESOLVER_H__
-#define SANDBOX_SRC_EAT_RESOLVER_H__
-
-#include <stddef.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/resolver.h"
-
-namespace sandbox {
-
-// This is the concrete resolver used to perform exports table interceptions.
-class EatResolverThunk : public ResolverThunk {
- public:
- EatResolverThunk() : eat_entry_(NULL) {}
- ~EatResolverThunk() override {}
-
- // Implementation of Resolver::Setup.
- NTSTATUS Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) override;
-
- // Implementation of Resolver::ResolveTarget.
- NTSTATUS ResolveTarget(const void* module,
- const char* function_name,
- void** address) override;
-
- // Implementation of Resolver::GetThunkSize.
- size_t GetThunkSize() const override;
-
- private:
- // The entry to patch.
- DWORD* eat_entry_;
-
- DISALLOW_COPY_AND_ASSIGN(EatResolverThunk);
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_SRC_EAT_RESOLVER_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/file_policy_test.cc b/security/sandbox/chromium/sandbox/win/src/file_policy_test.cc
deleted file mode 100644
index f7509bd36..000000000
--- a/security/sandbox/chromium/sandbox/win/src/file_policy_test.cc
+++ /dev/null
@@ -1,673 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <algorithm>
-#include <cctype>
-
-#include <windows.h>
-#include <winioctl.h>
-
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/filesystem_policy.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/win_utils.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "sandbox/win/tests/common/test_utils.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-#define BINDNTDLL(name) \
- name ## Function name = reinterpret_cast<name ## Function>( \
- ::GetProcAddress(::GetModuleHandle(L"ntdll.dll"), #name))
-
-namespace sandbox {
-
-const ULONG kSharing = FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE;
-
-// Creates a file using different desired access. Returns if the call succeeded
-// or not. The first argument in argv is the filename. The second argument
-// determines the type of access and the dispositino of the file.
-SBOX_TESTS_COMMAND int File_Create(int argc, wchar_t **argv) {
- if (argc != 2)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- std::wstring operation(argv[0]);
-
- if (operation == L"Read") {
- base::win::ScopedHandle file1(CreateFile(
- argv[1], GENERIC_READ, kSharing, NULL, OPEN_EXISTING, 0, NULL));
- base::win::ScopedHandle file2(CreateFile(
- argv[1], FILE_EXECUTE, kSharing, NULL, OPEN_EXISTING, 0, NULL));
-
- if (file1.IsValid() == file2.IsValid())
- return file1.IsValid() ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED;
- return file1.IsValid() ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SECOND_ERROR;
-
- } else if (operation == L"Write") {
- base::win::ScopedHandle file1(CreateFile(
- argv[1], GENERIC_ALL, kSharing, NULL, OPEN_EXISTING, 0, NULL));
- base::win::ScopedHandle file2(CreateFile(
- argv[1], GENERIC_READ | FILE_WRITE_DATA, kSharing, NULL, OPEN_EXISTING,
- 0, NULL));
-
- if (file1.IsValid() == file2.IsValid())
- return file1.IsValid() ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED;
- return file1.IsValid() ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SECOND_ERROR;
-
- } else if (operation == L"ReadCreate") {
- base::win::ScopedHandle file2(CreateFile(
- argv[1], GENERIC_READ, kSharing, NULL, CREATE_NEW, 0, NULL));
- base::win::ScopedHandle file1(CreateFile(
- argv[1], GENERIC_READ, kSharing, NULL, CREATE_ALWAYS, 0, NULL));
-
- if (file1.IsValid() == file2.IsValid())
- return file1.IsValid() ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED;
- return file1.IsValid() ? SBOX_TEST_FIRST_ERROR : SBOX_TEST_SECOND_ERROR;
- }
-
- return SBOX_TEST_INVALID_PARAMETER;
-}
-
-SBOX_TESTS_COMMAND int File_Win32Create(int argc, wchar_t **argv) {
- if (argc != 1) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
-
- base::string16 full_path = MakePathToSys(argv[0], false);
- if (full_path.empty()) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
-
- HANDLE file = ::CreateFileW(full_path.c_str(), GENERIC_READ, kSharing,
- NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
-
- if (INVALID_HANDLE_VALUE != file) {
- ::CloseHandle(file);
- return SBOX_TEST_SUCCEEDED;
- } else {
- if (ERROR_ACCESS_DENIED == ::GetLastError()) {
- return SBOX_TEST_DENIED;
- } else {
- return SBOX_TEST_FAILED;
- }
- }
- return SBOX_TEST_SUCCEEDED;
-}
-
-// Creates the file in parameter using the NtCreateFile api and returns if the
-// call succeeded or not.
-SBOX_TESTS_COMMAND int File_CreateSys32(int argc, wchar_t **argv) {
- BINDNTDLL(NtCreateFile);
- BINDNTDLL(RtlInitUnicodeString);
- if (!NtCreateFile || !RtlInitUnicodeString)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- if (argc != 1)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- base::string16 file(argv[0]);
- if (0 != _wcsnicmp(file.c_str(), kNTDevicePrefix, kNTDevicePrefixLen))
- file = MakePathToSys(argv[0], true);
-
- UNICODE_STRING object_name;
- RtlInitUnicodeString(&object_name, file.c_str());
-
- OBJECT_ATTRIBUTES obj_attributes = {};
- InitializeObjectAttributes(&obj_attributes, &object_name,
- OBJ_CASE_INSENSITIVE, NULL, NULL);
-
- HANDLE handle;
- IO_STATUS_BLOCK io_block = {};
- NTSTATUS status = NtCreateFile(&handle, FILE_READ_DATA, &obj_attributes,
- &io_block, NULL, 0, kSharing, FILE_OPEN,
- 0, NULL, 0);
- if (NT_SUCCESS(status)) {
- ::CloseHandle(handle);
- return SBOX_TEST_SUCCEEDED;
- } else if (STATUS_ACCESS_DENIED == status) {
- return SBOX_TEST_DENIED;
- } else if (STATUS_OBJECT_NAME_NOT_FOUND == status) {
- return SBOX_TEST_NOT_FOUND;
- }
- return SBOX_TEST_FAILED;
-}
-
-// Opens the file in parameter using the NtOpenFile api and returns if the
-// call succeeded or not.
-SBOX_TESTS_COMMAND int File_OpenSys32(int argc, wchar_t **argv) {
- BINDNTDLL(NtOpenFile);
- BINDNTDLL(RtlInitUnicodeString);
- if (!NtOpenFile || !RtlInitUnicodeString)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- if (argc != 1)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- base::string16 file = MakePathToSys(argv[0], true);
- UNICODE_STRING object_name;
- RtlInitUnicodeString(&object_name, file.c_str());
-
- OBJECT_ATTRIBUTES obj_attributes = {};
- InitializeObjectAttributes(&obj_attributes, &object_name,
- OBJ_CASE_INSENSITIVE, NULL, NULL);
-
- HANDLE handle;
- IO_STATUS_BLOCK io_block = {};
- NTSTATUS status = NtOpenFile(&handle, FILE_READ_DATA, &obj_attributes,
- &io_block, kSharing, 0);
- if (NT_SUCCESS(status)) {
- ::CloseHandle(handle);
- return SBOX_TEST_SUCCEEDED;
- } else if (STATUS_ACCESS_DENIED == status) {
- return SBOX_TEST_DENIED;
- } else if (STATUS_OBJECT_NAME_NOT_FOUND == status) {
- return SBOX_TEST_NOT_FOUND;
- }
- return SBOX_TEST_FAILED;
-}
-
-SBOX_TESTS_COMMAND int File_GetDiskSpace(int argc, wchar_t **argv) {
- base::string16 sys_path = MakePathToSys(L"", false);
- if (sys_path.empty()) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- ULARGE_INTEGER free_user = {};
- ULARGE_INTEGER total = {};
- ULARGE_INTEGER free_total = {};
- if (::GetDiskFreeSpaceExW(sys_path.c_str(), &free_user, &total,
- &free_total)) {
- if ((total.QuadPart != 0) && (free_total.QuadPart !=0)) {
- return SBOX_TEST_SUCCEEDED;
- }
- } else {
- if (ERROR_ACCESS_DENIED == ::GetLastError()) {
- return SBOX_TEST_DENIED;
- } else {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- }
- return SBOX_TEST_SUCCEEDED;
-}
-
-// Move a file using the MoveFileEx api and returns if the call succeeded or
-// not.
-SBOX_TESTS_COMMAND int File_Rename(int argc, wchar_t **argv) {
- if (argc != 2)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- if (::MoveFileEx(argv[0], argv[1], 0))
- return SBOX_TEST_SUCCEEDED;
-
- if (::GetLastError() != ERROR_ACCESS_DENIED)
- return SBOX_TEST_FAILED;
-
- return SBOX_TEST_DENIED;
-}
-
-// Query the attributes of file in parameter using the NtQueryAttributesFile api
-// and NtQueryFullAttributesFile and returns if the call succeeded or not. The
-// second argument in argv is "d" or "f" telling if we expect the attributes to
-// specify a file or a directory. The expected attribute has to match the real
-// attributes for the call to be successful.
-SBOX_TESTS_COMMAND int File_QueryAttributes(int argc, wchar_t **argv) {
- BINDNTDLL(NtQueryAttributesFile);
- BINDNTDLL(NtQueryFullAttributesFile);
- BINDNTDLL(RtlInitUnicodeString);
- if (!NtQueryAttributesFile || !NtQueryFullAttributesFile ||
- !RtlInitUnicodeString)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- if (argc != 2)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- bool expect_directory = (L'd' == argv[1][0]);
-
- UNICODE_STRING object_name;
- base::string16 file = MakePathToSys(argv[0], true);
- RtlInitUnicodeString(&object_name, file.c_str());
-
- OBJECT_ATTRIBUTES obj_attributes = {};
- InitializeObjectAttributes(&obj_attributes, &object_name,
- OBJ_CASE_INSENSITIVE, NULL, NULL);
-
- FILE_BASIC_INFORMATION info = {};
- FILE_NETWORK_OPEN_INFORMATION full_info = {};
- NTSTATUS status1 = NtQueryAttributesFile(&obj_attributes, &info);
- NTSTATUS status2 = NtQueryFullAttributesFile(&obj_attributes, &full_info);
-
- if (status1 != status2)
- return SBOX_TEST_FAILED;
-
- if (NT_SUCCESS(status1)) {
- if (info.FileAttributes != full_info.FileAttributes)
- return SBOX_TEST_FAILED;
-
- bool is_directory1 = (info.FileAttributes & FILE_ATTRIBUTE_DIRECTORY) != 0;
- if (expect_directory == is_directory1)
- return SBOX_TEST_SUCCEEDED;
- } else if (STATUS_ACCESS_DENIED == status1) {
- return SBOX_TEST_DENIED;
- } else if (STATUS_OBJECT_NAME_NOT_FOUND == status1) {
- return SBOX_TEST_NOT_FOUND;
- }
-
- return SBOX_TEST_FAILED;
-}
-
-TEST(FilePolicyTest, DenyNtCreateCalc) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY,
- L"calc.exe"));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_CreateSys32 calc.exe"));
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_CreateSys32 calc.exe"));
-}
-
-TEST(FilePolicyTest, AllowNtCreateCalc) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"calc.exe"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_CreateSys32 calc.exe"));
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_CreateSys32 calc.exe"));
-}
-
-TEST(FilePolicyTest, AllowNtCreateWithNativePath) {
- if (base::win::GetVersion() < base::win::VERSION_WIN7)
- return;
-
- base::string16 calc = MakePathToSys(L"calc.exe", false);
- base::string16 nt_path;
- ASSERT_TRUE(GetNtPathFromWin32Path(calc, &nt_path));
- TestRunner runner;
- runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY, nt_path.c_str());
-
- wchar_t buff[MAX_PATH];
- ::wsprintfW(buff, L"File_CreateSys32 %s", nt_path.c_str());
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(buff));
-
- std::transform(nt_path.begin(), nt_path.end(), nt_path.begin(), std::tolower);
- ::wsprintfW(buff, L"File_CreateSys32 %s", nt_path.c_str());
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(buff));
-}
-
-TEST(FilePolicyTest, AllowReadOnly) {
- TestRunner runner;
-
- // Create a temp file because we need write access to it.
- wchar_t temp_directory[MAX_PATH];
- wchar_t temp_file_name[MAX_PATH];
- ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u);
-
- EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
- temp_file_name));
-
- wchar_t command_read[MAX_PATH + 20] = {};
- wsprintf(command_read, L"File_Create Read \"%ls\"", temp_file_name);
- wchar_t command_read_create[MAX_PATH + 20] = {};
- wsprintf(command_read_create, L"File_Create ReadCreate \"%ls\"",
- temp_file_name);
- wchar_t command_write[MAX_PATH + 20] = {};
- wsprintf(command_write, L"File_Create Write \"%ls\"", temp_file_name);
-
- // Verify that we cannot create the file after revert.
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command_read_create));
-
- // Verify that we don't have write access after revert.
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command_write));
-
- // Verify that we have read access after revert.
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_read));
-
- // Verify that we really have write access to the file.
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_write));
-
- DeleteFile(temp_file_name);
-}
-
-// Tests support of "\\\\.\\DeviceName" kind of paths.
-TEST(FilePolicyTest, AllowImplicitDeviceName) {
- if (base::win::GetVersion() < base::win::VERSION_WIN7)
- return;
-
- TestRunner runner;
-
- wchar_t temp_directory[MAX_PATH];
- wchar_t temp_file_name[MAX_PATH];
- ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u);
-
- std::wstring path(temp_file_name);
- EXPECT_TRUE(ConvertToLongPath(&path));
- EXPECT_TRUE(GetNtPathFromWin32Path(path, &path));
- path = path.substr(sandbox::kNTDevicePrefixLen);
-
- wchar_t command[MAX_PATH + 20] = {};
- wsprintf(command, L"File_Create Read \"\\\\.\\%ls\"", path.c_str());
- path = std::wstring(kNTPrefix) + path;
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
- EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, path.c_str()));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command));
-
- DeleteFile(temp_file_name);
-}
-
-TEST(FilePolicyTest, AllowWildcard) {
- TestRunner runner;
-
- // Create a temp file because we need write access to it.
- wchar_t temp_directory[MAX_PATH];
- wchar_t temp_file_name[MAX_PATH];
- ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u);
-
- wcscat_s(temp_directory, MAX_PATH, L"*");
- EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_directory));
-
- wchar_t command_write[MAX_PATH + 20] = {};
- wsprintf(command_write, L"File_Create Write \"%ls\"", temp_file_name);
-
- // Verify that we have write access after revert.
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_write));
-
- DeleteFile(temp_file_name);
-}
-
-TEST(FilePolicyTest, AllowNtCreatePatternRule) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"App*.dll"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"File_OpenSys32 appmgmts.dll"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_OpenSys32 appwiz.cpl"));
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"File_OpenSys32 appmgmts.dll"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_OpenSys32 appwiz.cpl"));
-}
-
-TEST(FilePolicyTest, CheckNotFound) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"n*.dll"));
-
- EXPECT_EQ(SBOX_TEST_NOT_FOUND,
- runner.RunTest(L"File_OpenSys32 notfound.dll"));
-}
-
-TEST(FilePolicyTest, CheckNoLeak) {
- TestRunner runner;
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_CreateSys32 notfound.exe"));
-}
-
-TEST(FilePolicyTest, TestQueryAttributesFile) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY,
- L"appmgmts.dll"));
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY,
- L"notfound.exe"));
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY, L"drivers"));
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_QUERY,
- L"ipconfig.exe"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"File_QueryAttributes drivers d"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"File_QueryAttributes appmgmts.dll f"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"File_QueryAttributes ipconfig.exe f"));
-
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"File_QueryAttributes ftp.exe f"));
-
- EXPECT_EQ(SBOX_TEST_NOT_FOUND,
- runner.RunTest(L"File_QueryAttributes notfound.exe f"));
-}
-
-// Makes sure that we don't leak information when there is not policy to allow
-// a path.
-TEST(FilePolicyTest, TestQueryAttributesFileNoPolicy) {
- TestRunner runner;
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"File_QueryAttributes ftp.exe f"));
-
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"File_QueryAttributes notfound.exe f"));
-}
-
-TEST(FilePolicyTest, TestRename) {
- TestRunner runner;
-
- // Give access to the temp directory.
- wchar_t temp_directory[MAX_PATH];
- wchar_t temp_file_name1[MAX_PATH];
- wchar_t temp_file_name2[MAX_PATH];
- wchar_t temp_file_name3[MAX_PATH];
- wchar_t temp_file_name4[MAX_PATH];
- wchar_t temp_file_name5[MAX_PATH];
- wchar_t temp_file_name6[MAX_PATH];
- wchar_t temp_file_name7[MAX_PATH];
- wchar_t temp_file_name8[MAX_PATH];
- ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name1), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name2), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name3), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name4), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name5), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name6), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name7), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name8), 0u);
-
-
- // Add rules to make file1->file2 succeed.
- ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name1));
- ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name2));
-
- // Add rules to make file3->file4 fail.
- ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name3));
- ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
- temp_file_name4));
-
- // Add rules to make file5->file6 fail.
- ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_READONLY,
- temp_file_name5));
- ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name6));
-
- // Add rules to make file7->no_pol_file fail.
- ASSERT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY, temp_file_name7));
-
- // Delete the files where the files are going to be renamed to.
- ::DeleteFile(temp_file_name2);
- ::DeleteFile(temp_file_name4);
- ::DeleteFile(temp_file_name6);
- ::DeleteFile(temp_file_name8);
-
- wchar_t command[MAX_PATH * 2 + 20] = {};
- wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name1,
- temp_file_name2);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command));
-
- wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name3,
- temp_file_name4);
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
-
- wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name5,
- temp_file_name6);
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
-
- wsprintf(command, L"File_Rename \"%ls\" \"%ls\"", temp_file_name7,
- temp_file_name8);
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command));
-
-
- // Delete all the files in case they are still there.
- ::DeleteFile(temp_file_name1);
- ::DeleteFile(temp_file_name2);
- ::DeleteFile(temp_file_name3);
- ::DeleteFile(temp_file_name4);
- ::DeleteFile(temp_file_name5);
- ::DeleteFile(temp_file_name6);
- ::DeleteFile(temp_file_name7);
- ::DeleteFile(temp_file_name8);
-}
-
-TEST(FilePolicyTest, OpenSys32FilesDenyBecauseOfDir) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY,
- L"notepad.exe"));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_Win32Create notepad.exe"));
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"File_Win32Create notepad.exe"));
-}
-
-TEST(FilePolicyTest, OpenSys32FilesAllowNotepad) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_ANY,
- L"notepad.exe"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"File_Win32Create notepad.exe"));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_Win32Create calc.exe"));
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"File_Win32Create notepad.exe"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_Win32Create calc.exe"));
-}
-
-TEST(FilePolicyTest, FileGetDiskSpace) {
- TestRunner runner;
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_GetDiskSpace"));
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_GetDiskSpace"));
-
- // Add an 'allow' rule in the windows\system32 such that GetDiskFreeSpaceEx
- // succeeds (it does an NtOpenFile) but windows\system32\notepad.exe is
- // denied since there is no wild card in the rule.
- EXPECT_TRUE(runner.AddRuleSys32(TargetPolicy::FILES_ALLOW_DIR_ANY, L""));
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_GetDiskSpace"));
-
- runner.SetTestState(AFTER_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"File_GetDiskSpace"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"File_Win32Create notepad.exe"));
-}
-
-TEST(FilePolicyTest, TestReparsePoint) {
- TestRunner runner;
-
- // Create a temp file because we need write access to it.
- wchar_t temp_directory[MAX_PATH];
- wchar_t temp_file_name[MAX_PATH];
- ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, temp_file_name), 0u);
-
- // Delete the file and create a directory instead.
- ASSERT_TRUE(::DeleteFile(temp_file_name));
- ASSERT_TRUE(::CreateDirectory(temp_file_name, NULL));
-
- // Create a temporary file in the subfolder.
- base::string16 subfolder = temp_file_name;
- base::string16 temp_file_title = subfolder.substr(subfolder.rfind(L"\\") + 1);
- base::string16 temp_file = subfolder + L"\\file_" + temp_file_title;
-
- HANDLE file = ::CreateFile(temp_file.c_str(), FILE_ALL_ACCESS,
- FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
- CREATE_ALWAYS, 0, NULL);
- ASSERT_TRUE(INVALID_HANDLE_VALUE != file);
- ASSERT_TRUE(::CloseHandle(file));
-
- // Create a temporary file in the temp directory.
- base::string16 temp_dir = temp_directory;
- base::string16 temp_file_in_temp = temp_dir + L"file_" + temp_file_title;
- file = ::CreateFile(temp_file_in_temp.c_str(), FILE_ALL_ACCESS,
- FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
- CREATE_ALWAYS, 0, NULL);
- ASSERT_TRUE(file != NULL);
- ASSERT_TRUE(::CloseHandle(file));
-
- // Give write access to the temp directory.
- base::string16 temp_dir_wildcard = temp_dir + L"*";
- EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_ANY,
- temp_dir_wildcard.c_str()));
-
- // Prepare the command to execute.
- base::string16 command_write;
- command_write += L"File_Create Write \"";
- command_write += temp_file;
- command_write += L"\"";
-
- // Verify that we have write access to the original file
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command_write.c_str()));
-
- // Replace the subfolder by a reparse point to %temp%.
- ::DeleteFile(temp_file.c_str());
- HANDLE dir = ::CreateFile(subfolder.c_str(), FILE_ALL_ACCESS,
- FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
- OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
- EXPECT_TRUE(INVALID_HANDLE_VALUE != dir);
-
- base::string16 temp_dir_nt;
- temp_dir_nt += L"\\??\\";
- temp_dir_nt += temp_dir;
- EXPECT_TRUE(SetReparsePoint(dir, temp_dir_nt.c_str()));
- EXPECT_TRUE(::CloseHandle(dir));
-
- // Try to open the file again.
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(command_write.c_str()));
-
- // Remove the reparse point.
- dir = ::CreateFile(subfolder.c_str(), FILE_ALL_ACCESS,
- FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING,
- FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT,
- NULL);
- EXPECT_TRUE(INVALID_HANDLE_VALUE != dir);
- EXPECT_TRUE(DeleteReparsePoint(dir));
- EXPECT_TRUE(::CloseHandle(dir));
-
- // Cleanup.
- EXPECT_TRUE(::DeleteFile(temp_file_in_temp.c_str()));
- EXPECT_TRUE(::RemoveDirectory(subfolder.c_str()));
-}
-
-TEST(FilePolicyTest, CheckExistingNTPrefixEscape) {
- base::string16 name = L"\\??\\NAME";
-
- base::string16 result = FixNTPrefixForMatch(name);
-
- EXPECT_STREQ(result.c_str(), L"\\/?/?\\NAME");
-}
-
-TEST(FilePolicyTest, CheckEscapedNTPrefixNoEscape) {
- base::string16 name = L"\\/?/?\\NAME";
-
- base::string16 result = FixNTPrefixForMatch(name);
-
- EXPECT_STREQ(result.c_str(), name.c_str());
-}
-
-TEST(FilePolicyTest, CheckMissingNTPrefixEscape) {
- base::string16 name = L"C:\\NAME";
-
- base::string16 result = FixNTPrefixForMatch(name);
-
- EXPECT_STREQ(result.c_str(), L"\\/?/?\\C:\\NAME");
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
deleted file mode 100644
index 6f96be240..000000000
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.cc
+++ /dev/null
@@ -1,318 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/filesystem_dispatcher.h"
-
-#include <stdint.h>
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/filesystem_interception.h"
-#include "sandbox/win/src/filesystem_policy.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_broker.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-namespace sandbox {
-
-FilesystemDispatcher::FilesystemDispatcher(PolicyBase* policy_base)
- : policy_base_(policy_base) {
- static const IPCCall create_params = {
- {IPC_NTCREATEFILE_TAG,
- {WCHAR_TYPE,
- UINT32_TYPE,
- UINT32_TYPE,
- UINT32_TYPE,
- UINT32_TYPE,
- UINT32_TYPE,
- UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(&FilesystemDispatcher::NtCreateFile)};
-
- static const IPCCall open_file = {
- {IPC_NTOPENFILE_TAG,
- {WCHAR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(&FilesystemDispatcher::NtOpenFile)};
-
- static const IPCCall attribs = {
- {IPC_NTQUERYATTRIBUTESFILE_TAG, {WCHAR_TYPE, UINT32_TYPE, INOUTPTR_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &FilesystemDispatcher::NtQueryAttributesFile)};
-
- static const IPCCall full_attribs = {
- {IPC_NTQUERYFULLATTRIBUTESFILE_TAG,
- {WCHAR_TYPE, UINT32_TYPE, INOUTPTR_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &FilesystemDispatcher::NtQueryFullAttributesFile)};
-
- static const IPCCall set_info = {
- {IPC_NTSETINFO_RENAME_TAG,
- {VOIDPTR_TYPE, INOUTPTR_TYPE, INOUTPTR_TYPE, UINT32_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &FilesystemDispatcher::NtSetInformationFile)};
-
- ipc_calls_.push_back(create_params);
- ipc_calls_.push_back(open_file);
- ipc_calls_.push_back(attribs);
- ipc_calls_.push_back(full_attribs);
- ipc_calls_.push_back(set_info);
-}
-
-bool FilesystemDispatcher::SetupService(InterceptionManager* manager,
- int service) {
- switch (service) {
- case IPC_NTCREATEFILE_TAG:
- return INTERCEPT_NT(manager, NtCreateFile, CREATE_FILE_ID, 48);
-
- case IPC_NTOPENFILE_TAG:
- return INTERCEPT_NT(manager, NtOpenFile, OPEN_FILE_ID, 28);
-
- case IPC_NTQUERYATTRIBUTESFILE_TAG:
- return INTERCEPT_NT(manager, NtQueryAttributesFile, QUERY_ATTRIB_FILE_ID,
- 12);
-
- case IPC_NTQUERYFULLATTRIBUTESFILE_TAG:
- return INTERCEPT_NT(manager, NtQueryFullAttributesFile,
- QUERY_FULL_ATTRIB_FILE_ID, 12);
-
- case IPC_NTSETINFO_RENAME_TAG:
- return INTERCEPT_NT(manager, NtSetInformationFile, SET_INFO_FILE_ID, 24);
-
- default:
- return false;
- }
-}
-
-bool FilesystemDispatcher::NtCreateFile(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- uint32_t desired_access,
- uint32_t file_attributes,
- uint32_t share_access,
- uint32_t create_disposition,
- uint32_t create_options) {
- if (!PreProcessName(name)) {
- // The path requested might contain a reparse point.
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- const wchar_t* filename = name->c_str();
-
- uint32_t broker = TRUE;
- CountedParameterSet<OpenFile> params;
- params[OpenFile::NAME] = ParamPickerMake(filename);
- params[OpenFile::ACCESS] = ParamPickerMake(desired_access);
- params[OpenFile::DISPOSITION] = ParamPickerMake(create_disposition);
- params[OpenFile::OPTIONS] = ParamPickerMake(create_options);
- params[OpenFile::BROKER] = ParamPickerMake(broker);
-
- // To evaluate the policy we need to call back to the policy object. We
- // are just middlemen in the operation since is the FileSystemPolicy which
- // knows what to do.
- EvalResult result = policy_base_->EvalPolicy(IPC_NTCREATEFILE_TAG,
- params.GetBase());
- HANDLE handle;
- ULONG_PTR io_information = 0;
- NTSTATUS nt_status;
- if (!FileSystemPolicy::CreateFileAction(result, *ipc->client_info, *name,
- attributes, desired_access,
- file_attributes, share_access,
- create_disposition, create_options,
- &handle, &nt_status,
- &io_information)) {
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
- // Return operation status on the IPC.
- ipc->return_info.extended[0].ulong_ptr = io_information;
- ipc->return_info.nt_status = nt_status;
- ipc->return_info.handle = handle;
- return true;
-}
-
-bool FilesystemDispatcher::NtOpenFile(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- uint32_t desired_access,
- uint32_t share_access,
- uint32_t open_options) {
- if (!PreProcessName(name)) {
- // The path requested might contain a reparse point.
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- const wchar_t* filename = name->c_str();
-
- uint32_t broker = TRUE;
- uint32_t create_disposition = FILE_OPEN;
- CountedParameterSet<OpenFile> params;
- params[OpenFile::NAME] = ParamPickerMake(filename);
- params[OpenFile::ACCESS] = ParamPickerMake(desired_access);
- params[OpenFile::DISPOSITION] = ParamPickerMake(create_disposition);
- params[OpenFile::OPTIONS] = ParamPickerMake(open_options);
- params[OpenFile::BROKER] = ParamPickerMake(broker);
-
- // To evaluate the policy we need to call back to the policy object. We
- // are just middlemen in the operation since is the FileSystemPolicy which
- // knows what to do.
- EvalResult result = policy_base_->EvalPolicy(IPC_NTOPENFILE_TAG,
- params.GetBase());
- HANDLE handle;
- ULONG_PTR io_information = 0;
- NTSTATUS nt_status;
- if (!FileSystemPolicy::OpenFileAction(result, *ipc->client_info, *name,
- attributes, desired_access,
- share_access, open_options, &handle,
- &nt_status, &io_information)) {
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
- // Return operation status on the IPC.
- ipc->return_info.extended[0].ulong_ptr = io_information;
- ipc->return_info.nt_status = nt_status;
- ipc->return_info.handle = handle;
- return true;
-}
-
-bool FilesystemDispatcher::NtQueryAttributesFile(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- CountedBuffer* info) {
- if (sizeof(FILE_BASIC_INFORMATION) != info->Size())
- return false;
-
- if (!PreProcessName(name)) {
- // The path requested might contain a reparse point.
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- uint32_t broker = TRUE;
- const wchar_t* filename = name->c_str();
- CountedParameterSet<FileName> params;
- params[FileName::NAME] = ParamPickerMake(filename);
- params[FileName::BROKER] = ParamPickerMake(broker);
-
- // To evaluate the policy we need to call back to the policy object. We
- // are just middlemen in the operation since is the FileSystemPolicy which
- // knows what to do.
- EvalResult result = policy_base_->EvalPolicy(IPC_NTQUERYATTRIBUTESFILE_TAG,
- params.GetBase());
-
- FILE_BASIC_INFORMATION* information =
- reinterpret_cast<FILE_BASIC_INFORMATION*>(info->Buffer());
- NTSTATUS nt_status;
- if (!FileSystemPolicy::QueryAttributesFileAction(result, *ipc->client_info,
- *name, attributes,
- information, &nt_status)) {
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- // Return operation status on the IPC.
- ipc->return_info.nt_status = nt_status;
- return true;
-}
-
-bool FilesystemDispatcher::NtQueryFullAttributesFile(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- CountedBuffer* info) {
- if (sizeof(FILE_NETWORK_OPEN_INFORMATION) != info->Size())
- return false;
-
- if (!PreProcessName(name)) {
- // The path requested might contain a reparse point.
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- uint32_t broker = TRUE;
- const wchar_t* filename = name->c_str();
- CountedParameterSet<FileName> params;
- params[FileName::NAME] = ParamPickerMake(filename);
- params[FileName::BROKER] = ParamPickerMake(broker);
-
- // To evaluate the policy we need to call back to the policy object. We
- // are just middlemen in the operation since is the FileSystemPolicy which
- // knows what to do.
- EvalResult result = policy_base_->EvalPolicy(
- IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase());
-
- FILE_NETWORK_OPEN_INFORMATION* information =
- reinterpret_cast<FILE_NETWORK_OPEN_INFORMATION*>(info->Buffer());
- NTSTATUS nt_status;
- if (!FileSystemPolicy::QueryFullAttributesFileAction(result,
- *ipc->client_info,
- *name, attributes,
- information,
- &nt_status)) {
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- // Return operation status on the IPC.
- ipc->return_info.nt_status = nt_status;
- return true;
-}
-
-bool FilesystemDispatcher::NtSetInformationFile(IPCInfo* ipc,
- HANDLE handle,
- CountedBuffer* status,
- CountedBuffer* info,
- uint32_t length,
- uint32_t info_class) {
- if (sizeof(IO_STATUS_BLOCK) != status->Size())
- return false;
- if (length != info->Size())
- return false;
-
- FILE_RENAME_INFORMATION* rename_info =
- reinterpret_cast<FILE_RENAME_INFORMATION*>(info->Buffer());
-
- if (!IsSupportedRenameCall(rename_info, length, info_class))
- return false;
-
- base::string16 name;
- name.assign(rename_info->FileName, rename_info->FileNameLength /
- sizeof(rename_info->FileName[0]));
- if (!PreProcessName(&name)) {
- // The path requested might contain a reparse point.
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- uint32_t broker = TRUE;
- const wchar_t* filename = name.c_str();
- CountedParameterSet<FileName> params;
- params[FileName::NAME] = ParamPickerMake(filename);
- params[FileName::BROKER] = ParamPickerMake(broker);
-
- // To evaluate the policy we need to call back to the policy object. We
- // are just middlemen in the operation since is the FileSystemPolicy which
- // knows what to do.
- EvalResult result = policy_base_->EvalPolicy(IPC_NTSETINFO_RENAME_TAG,
- params.GetBase());
-
- IO_STATUS_BLOCK* io_status =
- reinterpret_cast<IO_STATUS_BLOCK*>(status->Buffer());
- NTSTATUS nt_status;
- if (!FileSystemPolicy::SetInformationFileAction(result, *ipc->client_info,
- handle, rename_info, length,
- info_class, io_status,
- &nt_status)) {
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- // Return operation status on the IPC.
- ipc->return_info.nt_status = nt_status;
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.h
deleted file mode 100644
index 61d918ed0..000000000
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_dispatcher.h
+++ /dev/null
@@ -1,74 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_FILESYSTEM_DISPATCHER_H__
-#define SANDBOX_SRC_FILESYSTEM_DISPATCHER_H__
-
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-namespace sandbox {
-
-// This class handles file system-related IPC calls.
-class FilesystemDispatcher : public Dispatcher {
- public:
- explicit FilesystemDispatcher(PolicyBase* policy_base);
- ~FilesystemDispatcher() override {}
-
- // Dispatcher interface.
- bool SetupService(InterceptionManager* manager, int service) override;
-
- private:
- // Processes IPC requests coming from calls to NtCreateFile in the target.
- bool NtCreateFile(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- uint32_t desired_access,
- uint32_t file_attributes,
- uint32_t share_access,
- uint32_t create_disposition,
- uint32_t create_options);
-
- // Processes IPC requests coming from calls to NtOpenFile in the target.
- bool NtOpenFile(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- uint32_t desired_access,
- uint32_t share_access,
- uint32_t create_options);
-
- // Processes IPC requests coming from calls to NtQueryAttributesFile in the
- // target.
- bool NtQueryAttributesFile(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- CountedBuffer* info);
-
- // Processes IPC requests coming from calls to NtQueryFullAttributesFile in
- // the target.
- bool NtQueryFullAttributesFile(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- CountedBuffer* info);
-
- // Processes IPC requests coming from calls to NtSetInformationFile with the
- // rename information class.
- bool NtSetInformationFile(IPCInfo* ipc,
- HANDLE handle,
- CountedBuffer* status,
- CountedBuffer* info,
- uint32_t length,
- uint32_t info_class);
-
- PolicyBase* policy_base_;
- DISALLOW_COPY_AND_ASSIGN(FilesystemDispatcher);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_FILESYSTEM_DISPATCHER_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
deleted file mode 100644
index 1da2b43db..000000000
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.cc
+++ /dev/null
@@ -1,402 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/filesystem_interception.h"
-
-#include <stdint.h>
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/policy_target.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/target_services.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-
-namespace sandbox {
-
-NTSTATUS WINAPI TargetNtCreateFile(NtCreateFileFunction orig_CreateFile,
- PHANDLE file, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes,
- PIO_STATUS_BLOCK io_status,
- PLARGE_INTEGER allocation_size,
- ULONG file_attributes, ULONG sharing,
- ULONG disposition, ULONG options,
- PVOID ea_buffer, ULONG ea_length) {
- // Check if the process can open it first.
- NTSTATUS status = orig_CreateFile(file, desired_access, object_attributes,
- io_status, allocation_size,
- file_attributes, sharing, disposition,
- options, ea_buffer, ea_length);
- if (STATUS_ACCESS_DENIED != status)
- return status;
-
- mozilla::sandboxing::LogBlocked("NtCreateFile",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return status;
-
- wchar_t* name = NULL;
- do {
- if (!ValidParameter(file, sizeof(HANDLE), WRITE))
- break;
- if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- uint32_t attributes = 0;
- NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
- NULL);
- if (!NT_SUCCESS(ret) || NULL == name)
- break;
-
- uint32_t desired_access_uint32 = desired_access;
- uint32_t options_uint32 = options;
- uint32_t disposition_uint32 = disposition;
- uint32_t broker = FALSE;
- CountedParameterSet<OpenFile> params;
- params[OpenFile::NAME] = ParamPickerMake(name);
- params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
- params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
- params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
- params[OpenFile::BROKER] = ParamPickerMake(broker);
-
- if (!QueryBroker(IPC_NTCREATEFILE_TAG, params.GetBase()))
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- // The following call must match in the parameters with
- // FilesystemDispatcher::ProcessNtCreateFile.
- ResultCode code = CrossCall(ipc, IPC_NTCREATEFILE_TAG, name, attributes,
- desired_access_uint32, file_attributes, sharing,
- disposition, options_uint32, &answer);
- if (SBOX_ALL_OK != code)
- break;
-
- status = answer.nt_status;
-
- if (!NT_SUCCESS(answer.nt_status))
- break;
-
- __try {
- *file = answer.handle;
- io_status->Status = answer.nt_status;
- io_status->Information = answer.extended[0].ulong_ptr;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
- mozilla::sandboxing::LogAllowed("NtCreateFile",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- } while (false);
-
- if (name)
- operator delete(name, NT_ALLOC);
-
- return status;
-}
-
-NTSTATUS WINAPI TargetNtOpenFile(NtOpenFileFunction orig_OpenFile, PHANDLE file,
- ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes,
- PIO_STATUS_BLOCK io_status, ULONG sharing,
- ULONG options) {
- // Check if the process can open it first.
- NTSTATUS status = orig_OpenFile(file, desired_access, object_attributes,
- io_status, sharing, options);
- if (STATUS_ACCESS_DENIED != status)
- return status;
-
- mozilla::sandboxing::LogBlocked("NtOpenFile",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return status;
-
- wchar_t* name = NULL;
- do {
- if (!ValidParameter(file, sizeof(HANDLE), WRITE))
- break;
- if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- uint32_t attributes;
- NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
- NULL);
- if (!NT_SUCCESS(ret) || NULL == name)
- break;
-
- uint32_t desired_access_uint32 = desired_access;
- uint32_t options_uint32 = options;
- uint32_t disposition_uint32 = FILE_OPEN;
- uint32_t broker = FALSE;
- CountedParameterSet<OpenFile> params;
- params[OpenFile::NAME] = ParamPickerMake(name);
- params[OpenFile::ACCESS] = ParamPickerMake(desired_access_uint32);
- params[OpenFile::DISPOSITION] = ParamPickerMake(disposition_uint32);
- params[OpenFile::OPTIONS] = ParamPickerMake(options_uint32);
- params[OpenFile::BROKER] = ParamPickerMake(broker);
-
- if (!QueryBroker(IPC_NTOPENFILE_TAG, params.GetBase()))
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_NTOPENFILE_TAG, name, attributes,
- desired_access_uint32, sharing, options_uint32,
- &answer);
- if (SBOX_ALL_OK != code)
- break;
-
- status = answer.nt_status;
-
- if (!NT_SUCCESS(answer.nt_status))
- break;
-
- __try {
- *file = answer.handle;
- io_status->Status = answer.nt_status;
- io_status->Information = answer.extended[0].ulong_ptr;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
- mozilla::sandboxing::LogAllowed("NtOpenFile",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- } while (false);
-
- if (name)
- operator delete(name, NT_ALLOC);
-
- return status;
-}
-
-NTSTATUS WINAPI TargetNtQueryAttributesFile(
- NtQueryAttributesFileFunction orig_QueryAttributes,
- POBJECT_ATTRIBUTES object_attributes,
- PFILE_BASIC_INFORMATION file_attributes) {
- // Check if the process can query it first.
- NTSTATUS status = orig_QueryAttributes(object_attributes, file_attributes);
- if (STATUS_ACCESS_DENIED != status)
- return status;
-
- mozilla::sandboxing::LogBlocked("NtQueryAttributesFile",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return status;
-
- wchar_t* name = NULL;
- do {
- if (!ValidParameter(file_attributes, sizeof(FILE_BASIC_INFORMATION), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- uint32_t attributes = 0;
- NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
- NULL);
- if (!NT_SUCCESS(ret) || NULL == name)
- break;
-
- InOutCountedBuffer file_info(file_attributes,
- sizeof(FILE_BASIC_INFORMATION));
-
- uint32_t broker = FALSE;
- CountedParameterSet<FileName> params;
- params[FileName::NAME] = ParamPickerMake(name);
- params[FileName::BROKER] = ParamPickerMake(broker);
-
- if (!QueryBroker(IPC_NTQUERYATTRIBUTESFILE_TAG, params.GetBase()))
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_NTQUERYATTRIBUTESFILE_TAG, name,
- attributes, file_info, &answer);
-
- if (SBOX_ALL_OK != code)
- break;
-
- status = answer.nt_status;
-
- mozilla::sandboxing::LogAllowed("NtQueryAttributesFile",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- } while (false);
-
- if (name)
- operator delete(name, NT_ALLOC);
-
- return status;
-}
-
-NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
- NtQueryFullAttributesFileFunction orig_QueryFullAttributes,
- POBJECT_ATTRIBUTES object_attributes,
- PFILE_NETWORK_OPEN_INFORMATION file_attributes) {
- // Check if the process can query it first.
- NTSTATUS status = orig_QueryFullAttributes(object_attributes,
- file_attributes);
- if (STATUS_ACCESS_DENIED != status)
- return status;
-
- mozilla::sandboxing::LogBlocked("NtQueryFullAttributesFile",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return status;
-
- wchar_t* name = NULL;
- do {
- if (!ValidParameter(file_attributes, sizeof(FILE_NETWORK_OPEN_INFORMATION),
- WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- uint32_t attributes = 0;
- NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
- NULL);
- if (!NT_SUCCESS(ret) || NULL == name)
- break;
-
- InOutCountedBuffer file_info(file_attributes,
- sizeof(FILE_NETWORK_OPEN_INFORMATION));
-
- uint32_t broker = FALSE;
- CountedParameterSet<FileName> params;
- params[FileName::NAME] = ParamPickerMake(name);
- params[FileName::BROKER] = ParamPickerMake(broker);
-
- if (!QueryBroker(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, params.GetBase()))
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_NTQUERYFULLATTRIBUTESFILE_TAG, name,
- attributes, file_info, &answer);
-
- if (SBOX_ALL_OK != code)
- break;
-
- status = answer.nt_status;
-
- mozilla::sandboxing::LogAllowed("NtQueryFullAttributesFile",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- } while (false);
-
- if (name)
- operator delete(name, NT_ALLOC);
-
- return status;
-}
-
-NTSTATUS WINAPI TargetNtSetInformationFile(
- NtSetInformationFileFunction orig_SetInformationFile, HANDLE file,
- PIO_STATUS_BLOCK io_status, PVOID file_info, ULONG length,
- FILE_INFORMATION_CLASS file_info_class) {
- // Check if the process can open it first.
- NTSTATUS status = orig_SetInformationFile(file, io_status, file_info, length,
- file_info_class);
- if (STATUS_ACCESS_DENIED != status)
- return status;
-
- mozilla::sandboxing::LogBlocked("NtSetInformationFile");
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return status;
-
- wchar_t* name = NULL;
- do {
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- if (!ValidParameter(io_status, sizeof(IO_STATUS_BLOCK), WRITE))
- break;
-
- if (!ValidParameter(file_info, length, READ))
- break;
-
- FILE_RENAME_INFORMATION* file_rename_info =
- reinterpret_cast<FILE_RENAME_INFORMATION*>(file_info);
- OBJECT_ATTRIBUTES object_attributes;
- UNICODE_STRING object_name;
- InitializeObjectAttributes(&object_attributes, &object_name, 0, NULL, NULL);
-
- __try {
- if (!IsSupportedRenameCall(file_rename_info, length, file_info_class))
- break;
-
- object_attributes.RootDirectory = file_rename_info->RootDirectory;
- object_name.Buffer = file_rename_info->FileName;
- object_name.Length = object_name.MaximumLength =
- static_cast<USHORT>(file_rename_info->FileNameLength);
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
-
- NTSTATUS ret = AllocAndCopyName(&object_attributes, &name, NULL, NULL);
- if (!NT_SUCCESS(ret) || !name)
- break;
-
- uint32_t broker = FALSE;
- CountedParameterSet<FileName> params;
- params[FileName::NAME] = ParamPickerMake(name);
- params[FileName::BROKER] = ParamPickerMake(broker);
-
- if (!QueryBroker(IPC_NTSETINFO_RENAME_TAG, params.GetBase()))
- break;
-
- InOutCountedBuffer io_status_buffer(io_status, sizeof(IO_STATUS_BLOCK));
- // This is actually not an InOut buffer, only In, but using InOut facility
- // really helps to simplify the code.
- InOutCountedBuffer file_info_buffer(file_info, length);
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_NTSETINFO_RENAME_TAG, file,
- io_status_buffer, file_info_buffer, length,
- file_info_class, &answer);
-
- if (SBOX_ALL_OK != code)
- break;
-
- status = answer.nt_status;
- mozilla::sandboxing::LogAllowed("NtSetInformationFile");
- } while (false);
-
- if (name)
- operator delete(name, NT_ALLOC);
-
- return status;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.h b/security/sandbox/chromium/sandbox/win/src/filesystem_interception.h
deleted file mode 100644
index 2fafb4499..000000000
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_interception.h
+++ /dev/null
@@ -1,53 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_FILESYSTEM_INTERCEPTION_H__
-#define SANDBOX_SRC_FILESYSTEM_INTERCEPTION_H__
-
-namespace sandbox {
-
-extern "C" {
-
-// Interception of NtCreateFile on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateFile(
- NtCreateFileFunction orig_CreateFile, PHANDLE file,
- ACCESS_MASK desired_access, POBJECT_ATTRIBUTES object_attributes,
- PIO_STATUS_BLOCK io_status, PLARGE_INTEGER allocation_size,
- ULONG file_attributes, ULONG sharing, ULONG disposition, ULONG options,
- PVOID ea_buffer, ULONG ea_length);
-
-// Interception of NtOpenFile on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenFile(
- NtOpenFileFunction orig_OpenFile, PHANDLE file, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
- ULONG sharing, ULONG options);
-
-// Interception of NtQueryAtttributesFile on the child process.
-// It should never be called directly.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryAttributesFile(
- NtQueryAttributesFileFunction orig_QueryAttributes,
- POBJECT_ATTRIBUTES object_attributes,
- PFILE_BASIC_INFORMATION file_attributes);
-
-// Interception of NtQueryFullAtttributesFile on the child process.
-// It should never be called directly.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryFullAttributesFile(
- NtQueryFullAttributesFileFunction orig_QueryAttributes,
- POBJECT_ATTRIBUTES object_attributes,
- PFILE_NETWORK_OPEN_INFORMATION file_attributes);
-
-// Interception of NtSetInformationFile on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationFile(
- NtSetInformationFileFunction orig_SetInformationFile, HANDLE file,
- PIO_STATUS_BLOCK io_status, PVOID file_information, ULONG length,
- FILE_INFORMATION_CLASS file_information_class);
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_FILESYSTEM_INTERCEPTION_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc b/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc
deleted file mode 100644
index fe7f62fc2..000000000
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.cc
+++ /dev/null
@@ -1,435 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stdint.h>
-
-#include <string>
-
-#include "sandbox/win/src/filesystem_policy.h"
-
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sandbox_utils.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-NTSTATUS NtCreateFileInTarget(HANDLE* target_file_handle,
- ACCESS_MASK desired_access,
- OBJECT_ATTRIBUTES* obj_attributes,
- IO_STATUS_BLOCK* io_status_block,
- ULONG file_attributes,
- ULONG share_access,
- ULONG create_disposition,
- ULONG create_options,
- PVOID ea_buffer,
- ULONG ea_lenght,
- HANDLE target_process) {
- NtCreateFileFunction NtCreateFile = NULL;
- ResolveNTFunctionPtr("NtCreateFile", &NtCreateFile);
-
- HANDLE local_handle = INVALID_HANDLE_VALUE;
- NTSTATUS status = NtCreateFile(&local_handle, desired_access, obj_attributes,
- io_status_block, NULL, file_attributes,
- share_access, create_disposition,
- create_options, ea_buffer, ea_lenght);
- if (!NT_SUCCESS(status)) {
- return status;
- }
-
- if (!sandbox::SameObject(local_handle, obj_attributes->ObjectName->Buffer)) {
- // The handle points somewhere else. Fail the operation.
- ::CloseHandle(local_handle);
- return STATUS_ACCESS_DENIED;
- }
-
- if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
- target_process, target_file_handle, 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return STATUS_ACCESS_DENIED;
- }
- return STATUS_SUCCESS;
-}
-
-// Get an initialized anonymous level Security QOS.
-SECURITY_QUALITY_OF_SERVICE GetAnonymousQOS() {
- SECURITY_QUALITY_OF_SERVICE security_qos = {0};
- security_qos.Length = sizeof(security_qos);
- security_qos.ImpersonationLevel = SecurityAnonymous;
- // Set dynamic tracking so that a pipe doesn't capture the broker's token
- security_qos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
- security_qos.EffectiveOnly = TRUE;
-
- return security_qos;
-}
-
-} // namespace.
-
-namespace sandbox {
-
-bool FileSystemPolicy::GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy) {
- base::string16 mod_name(name);
- if (mod_name.empty()) {
- return false;
- }
-
- if (!PreProcessName(&mod_name)) {
- // The path to be added might contain a reparse point.
- NOTREACHED();
- return false;
- }
-
- // TODO(cpu) bug 32224: This prefix add is a hack because we don't have the
- // infrastructure to normalize names. In any case we need to escape the
- // question marks.
- if (_wcsnicmp(mod_name.c_str(), kNTDevicePrefix, kNTDevicePrefixLen)) {
- mod_name = FixNTPrefixForMatch(mod_name);
- name = mod_name.c_str();
- }
-
- EvalResult result = ASK_BROKER;
-
- // List of supported calls for the filesystem.
- const unsigned kCallNtCreateFile = 0x1;
- const unsigned kCallNtOpenFile = 0x2;
- const unsigned kCallNtQueryAttributesFile = 0x4;
- const unsigned kCallNtQueryFullAttributesFile = 0x8;
- const unsigned kCallNtSetInfoRename = 0x10;
-
- DWORD rule_to_add = kCallNtOpenFile | kCallNtCreateFile |
- kCallNtQueryAttributesFile |
- kCallNtQueryFullAttributesFile | kCallNtSetInfoRename;
-
- PolicyRule create(result);
- PolicyRule open(result);
- PolicyRule query(result);
- PolicyRule query_full(result);
- PolicyRule rename(result);
-
- switch (semantics) {
- case TargetPolicy::FILES_ALLOW_DIR_ANY: {
- open.AddNumberMatch(IF, OpenFile::OPTIONS, FILE_DIRECTORY_FILE, AND);
- create.AddNumberMatch(IF, OpenFile::OPTIONS, FILE_DIRECTORY_FILE, AND);
- break;
- }
- case TargetPolicy::FILES_ALLOW_READONLY: {
- // We consider all flags that are not known to be readonly as potentially
- // used for write.
- DWORD allowed_flags = FILE_READ_DATA | FILE_READ_ATTRIBUTES |
- FILE_READ_EA | SYNCHRONIZE | FILE_EXECUTE |
- GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL;
- DWORD restricted_flags = ~allowed_flags;
- open.AddNumberMatch(IF_NOT, OpenFile::ACCESS, restricted_flags, AND);
- open.AddNumberMatch(IF, OpenFile::DISPOSITION, FILE_OPEN, EQUAL);
- create.AddNumberMatch(IF_NOT, OpenFile::ACCESS, restricted_flags, AND);
- create.AddNumberMatch(IF, OpenFile::DISPOSITION, FILE_OPEN, EQUAL);
-
- // Read only access don't work for rename.
- rule_to_add &= ~kCallNtSetInfoRename;
- break;
- }
- case TargetPolicy::FILES_ALLOW_QUERY: {
- // Here we don't want to add policy for the open or the create.
- rule_to_add &= ~(kCallNtOpenFile | kCallNtCreateFile |
- kCallNtSetInfoRename);
- break;
- }
- case TargetPolicy::FILES_ALLOW_ANY: {
- break;
- }
- default: {
- NOTREACHED();
- return false;
- }
- }
-
- if ((rule_to_add & kCallNtCreateFile) &&
- (!create.AddStringMatch(IF, OpenFile::NAME, name, CASE_INSENSITIVE) ||
- !policy->AddRule(IPC_NTCREATEFILE_TAG, &create))) {
- return false;
- }
-
- if ((rule_to_add & kCallNtOpenFile) &&
- (!open.AddStringMatch(IF, OpenFile::NAME, name, CASE_INSENSITIVE) ||
- !policy->AddRule(IPC_NTOPENFILE_TAG, &open))) {
- return false;
- }
-
- if ((rule_to_add & kCallNtQueryAttributesFile) &&
- (!query.AddStringMatch(IF, FileName::NAME, name, CASE_INSENSITIVE) ||
- !policy->AddRule(IPC_NTQUERYATTRIBUTESFILE_TAG, &query))) {
- return false;
- }
-
- if ((rule_to_add & kCallNtQueryFullAttributesFile) &&
- (!query_full.AddStringMatch(IF, FileName::NAME, name, CASE_INSENSITIVE)
- || !policy->AddRule(IPC_NTQUERYFULLATTRIBUTESFILE_TAG,
- &query_full))) {
- return false;
- }
-
- if ((rule_to_add & kCallNtSetInfoRename) &&
- (!rename.AddStringMatch(IF, FileName::NAME, name, CASE_INSENSITIVE) ||
- !policy->AddRule(IPC_NTSETINFO_RENAME_TAG, &rename))) {
- return false;
- }
-
- return true;
-}
-
-// Right now we insert two rules, to be evaluated before any user supplied rule:
-// - go to the broker if the path doesn't look like the paths that we push on
-// the policy (namely \??\something).
-// - go to the broker if it looks like this is a short-name path.
-//
-// It is possible to add a rule to go to the broker in any case; it would look
-// something like:
-// rule = new PolicyRule(ASK_BROKER);
-// rule->AddNumberMatch(IF_NOT, FileName::BROKER, TRUE, AND);
-// policy->AddRule(service, rule);
-bool FileSystemPolicy::SetInitialRules(LowLevelPolicy* policy) {
- PolicyRule format(ASK_BROKER);
- PolicyRule short_name(ASK_BROKER);
-
- bool rv = format.AddNumberMatch(IF_NOT, FileName::BROKER, TRUE, AND);
- rv &= format.AddStringMatch(IF_NOT, FileName::NAME, L"\\/?/?\\*",
- CASE_SENSITIVE);
-
- rv &= short_name.AddNumberMatch(IF_NOT, FileName::BROKER, TRUE, AND);
- rv &= short_name.AddStringMatch(IF, FileName::NAME, L"*~*", CASE_SENSITIVE);
-
- if (!rv || !policy->AddRule(IPC_NTCREATEFILE_TAG, &format))
- return false;
-
- if (!policy->AddRule(IPC_NTCREATEFILE_TAG, &short_name))
- return false;
-
- if (!policy->AddRule(IPC_NTOPENFILE_TAG, &format))
- return false;
-
- if (!policy->AddRule(IPC_NTOPENFILE_TAG, &short_name))
- return false;
-
- if (!policy->AddRule(IPC_NTQUERYATTRIBUTESFILE_TAG, &format))
- return false;
-
- if (!policy->AddRule(IPC_NTQUERYATTRIBUTESFILE_TAG, &short_name))
- return false;
-
- if (!policy->AddRule(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, &format))
- return false;
-
- if (!policy->AddRule(IPC_NTQUERYFULLATTRIBUTESFILE_TAG, &short_name))
- return false;
-
- if (!policy->AddRule(IPC_NTSETINFO_RENAME_TAG, &format))
- return false;
-
- if (!policy->AddRule(IPC_NTSETINFO_RENAME_TAG, &short_name))
- return false;
-
- return true;
-}
-
-bool FileSystemPolicy::CreateFileAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& file,
- uint32_t attributes,
- uint32_t desired_access,
- uint32_t file_attributes,
- uint32_t share_access,
- uint32_t create_disposition,
- uint32_t create_options,
- HANDLE* handle,
- NTSTATUS* nt_status,
- ULONG_PTR* io_information) {
- // The only action supported is ASK_BROKER which means create the requested
- // file as specified.
- if (ASK_BROKER != eval_result) {
- *nt_status = STATUS_ACCESS_DENIED;
- return false;
- }
- IO_STATUS_BLOCK io_block = {};
- UNICODE_STRING uni_name = {};
- OBJECT_ATTRIBUTES obj_attributes = {};
- SECURITY_QUALITY_OF_SERVICE security_qos = GetAnonymousQOS();
-
- InitObjectAttribs(file, attributes, NULL, &obj_attributes,
- &uni_name, IsPipe(file) ? &security_qos : NULL);
- *nt_status = NtCreateFileInTarget(handle, desired_access, &obj_attributes,
- &io_block, file_attributes, share_access,
- create_disposition, create_options, NULL,
- 0, client_info.process);
-
- *io_information = io_block.Information;
- return true;
-}
-
-bool FileSystemPolicy::OpenFileAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& file,
- uint32_t attributes,
- uint32_t desired_access,
- uint32_t share_access,
- uint32_t open_options,
- HANDLE* handle,
- NTSTATUS* nt_status,
- ULONG_PTR* io_information) {
- // The only action supported is ASK_BROKER which means open the requested
- // file as specified.
- if (ASK_BROKER != eval_result) {
- *nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
- // An NtOpen is equivalent to an NtCreate with FileAttributes = 0 and
- // CreateDisposition = FILE_OPEN.
- IO_STATUS_BLOCK io_block = {};
- UNICODE_STRING uni_name = {};
- OBJECT_ATTRIBUTES obj_attributes = {};
- SECURITY_QUALITY_OF_SERVICE security_qos = GetAnonymousQOS();
-
- InitObjectAttribs(file, attributes, NULL, &obj_attributes,
- &uni_name, IsPipe(file) ? &security_qos : NULL);
- *nt_status = NtCreateFileInTarget(handle, desired_access, &obj_attributes,
- &io_block, 0, share_access, FILE_OPEN,
- open_options, NULL, 0,
- client_info.process);
-
- *io_information = io_block.Information;
- return true;
-}
-
-bool FileSystemPolicy::QueryAttributesFileAction(
- EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& file,
- uint32_t attributes,
- FILE_BASIC_INFORMATION* file_info,
- NTSTATUS* nt_status) {
- // The only action supported is ASK_BROKER which means query the requested
- // file as specified.
- if (ASK_BROKER != eval_result) {
- *nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- NtQueryAttributesFileFunction NtQueryAttributesFile = NULL;
- ResolveNTFunctionPtr("NtQueryAttributesFile", &NtQueryAttributesFile);
-
- UNICODE_STRING uni_name = {0};
- OBJECT_ATTRIBUTES obj_attributes = {0};
- SECURITY_QUALITY_OF_SERVICE security_qos = GetAnonymousQOS();
-
- InitObjectAttribs(file, attributes, NULL, &obj_attributes,
- &uni_name, IsPipe(file) ? &security_qos : NULL);
- *nt_status = NtQueryAttributesFile(&obj_attributes, file_info);
-
- return true;
-}
-
-bool FileSystemPolicy::QueryFullAttributesFileAction(
- EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& file,
- uint32_t attributes,
- FILE_NETWORK_OPEN_INFORMATION* file_info,
- NTSTATUS* nt_status) {
- // The only action supported is ASK_BROKER which means query the requested
- // file as specified.
- if (ASK_BROKER != eval_result) {
- *nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- NtQueryFullAttributesFileFunction NtQueryFullAttributesFile = NULL;
- ResolveNTFunctionPtr("NtQueryFullAttributesFile", &NtQueryFullAttributesFile);
-
- UNICODE_STRING uni_name = {0};
- OBJECT_ATTRIBUTES obj_attributes = {0};
- SECURITY_QUALITY_OF_SERVICE security_qos = GetAnonymousQOS();
-
- InitObjectAttribs(file, attributes, NULL, &obj_attributes,
- &uni_name, IsPipe(file) ? &security_qos : NULL);
- *nt_status = NtQueryFullAttributesFile(&obj_attributes, file_info);
-
- return true;
-}
-
-bool FileSystemPolicy::SetInformationFileAction(EvalResult eval_result,
- const ClientInfo& client_info,
- HANDLE target_file_handle,
- void* file_info,
- uint32_t length,
- uint32_t info_class,
- IO_STATUS_BLOCK* io_block,
- NTSTATUS* nt_status) {
- // The only action supported is ASK_BROKER which means open the requested
- // file as specified.
- if (ASK_BROKER != eval_result) {
- *nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- NtSetInformationFileFunction NtSetInformationFile = NULL;
- ResolveNTFunctionPtr("NtSetInformationFile", &NtSetInformationFile);
-
- HANDLE local_handle = NULL;
- if (!::DuplicateHandle(client_info.process, target_file_handle,
- ::GetCurrentProcess(), &local_handle, 0, FALSE,
- DUPLICATE_SAME_ACCESS)) {
- *nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- base::win::ScopedHandle handle(local_handle);
-
- FILE_INFORMATION_CLASS file_info_class =
- static_cast<FILE_INFORMATION_CLASS>(info_class);
- *nt_status = NtSetInformationFile(local_handle, io_block, file_info, length,
- file_info_class);
-
- return true;
-}
-
-bool PreProcessName(base::string16* path) {
- ConvertToLongPath(path);
-
- if (ERROR_NOT_A_REPARSE_POINT == IsReparsePoint(*path))
- return true;
-
- // We can't process a reparsed file.
- return false;
-}
-
-base::string16 FixNTPrefixForMatch(const base::string16& name) {
- base::string16 mod_name = name;
-
- // NT prefix escaped for rule matcher
- const wchar_t kNTPrefixEscaped[] = L"\\/?/?\\";
- const int kNTPrefixEscapedLen = arraysize(kNTPrefixEscaped) - 1;
-
- if (0 != mod_name.compare(0, kNTPrefixLen, kNTPrefix)) {
- if (0 != mod_name.compare(0, kNTPrefixEscapedLen, kNTPrefixEscaped)) {
- // TODO(nsylvain): Find a better way to do name resolution. Right now we
- // take the name and we expand it.
- mod_name.insert(0, kNTPrefixEscaped);
- }
- } else {
- // Start of name matches NT prefix, replace with escaped format
- // Fixes bug: 334882
- mod_name.replace(0, kNTPrefixLen, kNTPrefixEscaped);
- }
-
- return mod_name;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.h b/security/sandbox/chromium/sandbox/win/src/filesystem_policy.h
deleted file mode 100644
index c2ee160d5..000000000
--- a/security/sandbox/chromium/sandbox/win/src/filesystem_policy.h
+++ /dev/null
@@ -1,113 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_FILESYSTEM_POLICY_H__
-#define SANDBOX_SRC_FILESYSTEM_POLICY_H__
-
-#include <stdint.h>
-
-#include <string>
-
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/sandbox_policy.h"
-
-namespace sandbox {
-
-enum EvalResult;
-
-// This class centralizes most of the knowledge related to file system policy
-class FileSystemPolicy {
- public:
- // Creates the required low-level policy rules to evaluate a high-level
- // policy rule for File IO, in particular open or create actions.
- // 'name' is the file or directory name.
- // 'semantics' is the desired semantics for the open or create.
- // 'policy' is the policy generator to which the rules are going to be added.
- static bool GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy);
-
- // Add basic file system rules.
- static bool SetInitialRules(LowLevelPolicy* policy);
-
- // Performs the desired policy action on a create request with an
- // API that is compatible with the IPC-received parameters.
- // 'client_info' : the target process that is making the request.
- // 'eval_result' : The desired policy action to accomplish.
- // 'file' : The target file or directory.
- static bool CreateFileAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& file,
- uint32_t attributes,
- uint32_t desired_access,
- uint32_t file_attributes,
- uint32_t share_access,
- uint32_t create_disposition,
- uint32_t create_options,
- HANDLE* handle,
- NTSTATUS* nt_status,
- ULONG_PTR* io_information);
-
- // Performs the desired policy action on an open request with an
- // API that is compatible with the IPC-received parameters.
- // 'client_info' : the target process that is making the request.
- // 'eval_result' : The desired policy action to accomplish.
- // 'file' : The target file or directory.
- static bool OpenFileAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& file,
- uint32_t attributes,
- uint32_t desired_access,
- uint32_t share_access,
- uint32_t open_options,
- HANDLE* handle,
- NTSTATUS* nt_status,
- ULONG_PTR* io_information);
-
- // Performs the desired policy action on a query request with an
- // API that is compatible with the IPC-received parameters.
- static bool QueryAttributesFileAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& file,
- uint32_t attributes,
- FILE_BASIC_INFORMATION* file_info,
- NTSTATUS* nt_status);
-
- // Performs the desired policy action on a query request with an
- // API that is compatible with the IPC-received parameters.
- static bool QueryFullAttributesFileAction(
- EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& file,
- uint32_t attributes,
- FILE_NETWORK_OPEN_INFORMATION* file_info,
- NTSTATUS* nt_status);
-
- // Performs the desired policy action on a set_info request with an
- // API that is compatible with the IPC-received parameters.
- static bool SetInformationFileAction(EvalResult eval_result,
- const ClientInfo& client_info,
- HANDLE target_file_handle,
- void* file_info,
- uint32_t length,
- uint32_t info_class,
- IO_STATUS_BLOCK* io_block,
- NTSTATUS* nt_status);
-};
-
-// Expands the path and check if it's a reparse point. Returns false if the path
-// cannot be trusted.
-bool PreProcessName(base::string16* path);
-
-// Corrects global paths to have a correctly escaped NT prefix at the
-// beginning. If the name has no NT prefix (either normal or escaped)
-// add the escaped form to the string
-base::string16 FixNTPrefixForMatch(const base::string16& name);
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_FILESYSTEM_POLICY_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_closer.cc b/security/sandbox/chromium/sandbox/win/src/handle_closer.cc
deleted file mode 100644
index f2012b7e0..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_closer.cc
+++ /dev/null
@@ -1,196 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/handle_closer.h"
-
-#include <stddef.h>
-
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/internal_types.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/process_thread_interception.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-template<typename T> T RoundUpToWordSize(T v) {
- if (size_t mod = v % sizeof(size_t))
- v += sizeof(size_t) - mod;
- return v;
-}
-
-template<typename T> T* RoundUpToWordSize(T* v) {
- return reinterpret_cast<T*>(RoundUpToWordSize(reinterpret_cast<size_t>(v)));
-}
-
-} // namespace
-
-namespace sandbox {
-
-// Memory buffer mapped from the parent, with the list of handles.
-SANDBOX_INTERCEPT HandleCloserInfo* g_handles_to_close;
-
-HandleCloser::HandleCloser() {
-}
-
-HandleCloser::~HandleCloser() {
-}
-
-ResultCode HandleCloser::AddHandle(const base::char16* handle_type,
- const base::char16* handle_name) {
- if (!handle_type)
- return SBOX_ERROR_BAD_PARAMS;
-
- base::string16 resolved_name;
- if (handle_name) {
- resolved_name = handle_name;
- if (handle_type == base::string16(L"Key"))
- if (!ResolveRegistryName(resolved_name, &resolved_name))
- return SBOX_ERROR_BAD_PARAMS;
- }
-
- HandleMap::iterator names = handles_to_close_.find(handle_type);
- if (names == handles_to_close_.end()) { // We have no entries for this type.
- std::pair<HandleMap::iterator, bool> result = handles_to_close_.insert(
- HandleMap::value_type(handle_type, HandleMap::mapped_type()));
- names = result.first;
- if (handle_name)
- names->second.insert(resolved_name);
- } else if (!handle_name) { // Now we need to close all handles of this type.
- names->second.clear();
- } else if (!names->second.empty()) { // Add another name for this type.
- names->second.insert(resolved_name);
- } // If we're already closing all handles of type then we're done.
-
- return SBOX_ALL_OK;
-}
-
-size_t HandleCloser::GetBufferSize() {
- size_t bytes_total = offsetof(HandleCloserInfo, handle_entries);
-
- for (HandleMap::iterator i = handles_to_close_.begin();
- i != handles_to_close_.end(); ++i) {
- size_t bytes_entry = offsetof(HandleListEntry, handle_type) +
- (i->first.size() + 1) * sizeof(base::char16);
- for (HandleMap::mapped_type::iterator j = i->second.begin();
- j != i->second.end(); ++j) {
- bytes_entry += ((*j).size() + 1) * sizeof(base::char16);
- }
-
- // Round up to the nearest multiple of word size.
- bytes_entry = RoundUpToWordSize(bytes_entry);
- bytes_total += bytes_entry;
- }
-
- return bytes_total;
-}
-
-bool HandleCloser::InitializeTargetHandles(TargetProcess* target) {
- // Do nothing on an empty list (global pointer already initialized to NULL).
- if (handles_to_close_.empty())
- return true;
-
- size_t bytes_needed = GetBufferSize();
- scoped_ptr<size_t[]> local_buffer(
- new size_t[bytes_needed / sizeof(size_t)]);
-
- if (!SetupHandleList(local_buffer.get(), bytes_needed))
- return false;
-
- HANDLE child = target->Process();
-
- // Allocate memory in the target process without specifying the address
- void* remote_data = ::VirtualAllocEx(child, NULL, bytes_needed,
- MEM_COMMIT, PAGE_READWRITE);
- if (NULL == remote_data)
- return false;
-
- // Copy the handle buffer over.
- SIZE_T bytes_written;
- BOOL result = ::WriteProcessMemory(child, remote_data, local_buffer.get(),
- bytes_needed, &bytes_written);
- if (!result || bytes_written != bytes_needed) {
- ::VirtualFreeEx(child, remote_data, 0, MEM_RELEASE);
- return false;
- }
-
- g_handles_to_close = reinterpret_cast<HandleCloserInfo*>(remote_data);
-
- ResultCode rc = target->TransferVariable("g_handles_to_close",
- &g_handles_to_close,
- sizeof(g_handles_to_close));
-
- return (SBOX_ALL_OK == rc);
-}
-
-bool HandleCloser::SetupHandleList(void* buffer, size_t buffer_bytes) {
- ::ZeroMemory(buffer, buffer_bytes);
- HandleCloserInfo* handle_info = reinterpret_cast<HandleCloserInfo*>(buffer);
- handle_info->record_bytes = buffer_bytes;
- handle_info->num_handle_types = handles_to_close_.size();
-
- base::char16* output = reinterpret_cast<base::char16*>(
- &handle_info->handle_entries[0]);
- base::char16* end = reinterpret_cast<base::char16*>(
- reinterpret_cast<char*>(buffer) + buffer_bytes);
- for (HandleMap::iterator i = handles_to_close_.begin();
- i != handles_to_close_.end(); ++i) {
- if (output >= end)
- return false;
- HandleListEntry* list_entry = reinterpret_cast<HandleListEntry*>(output);
- output = &list_entry->handle_type[0];
-
- // Copy the typename and set the offset and count.
- i->first._Copy_s(output, i->first.size(), i->first.size());
- *(output += i->first.size()) = L'\0';
- output++;
- list_entry->offset_to_names = reinterpret_cast<char*>(output) -
- reinterpret_cast<char*>(list_entry);
- list_entry->name_count = i->second.size();
-
- // Copy the handle names.
- for (HandleMap::mapped_type::iterator j = i->second.begin();
- j != i->second.end(); ++j) {
- output = std::copy((*j).begin(), (*j).end(), output) + 1;
- }
-
- // Round up to the nearest multiple of sizeof(size_t).
- output = RoundUpToWordSize(output);
- list_entry->record_bytes = reinterpret_cast<char*>(output) -
- reinterpret_cast<char*>(list_entry);
- }
-
- DCHECK_EQ(reinterpret_cast<size_t>(output), reinterpret_cast<size_t>(end));
- return output <= end;
-}
-
-bool GetHandleName(HANDLE handle, base::string16* handle_name) {
- static NtQueryObject QueryObject = NULL;
- if (!QueryObject)
- ResolveNTFunctionPtr("NtQueryObject", &QueryObject);
-
- ULONG size = MAX_PATH;
- scoped_ptr<UNICODE_STRING, base::FreeDeleter> name;
- NTSTATUS result;
-
- do {
- name.reset(static_cast<UNICODE_STRING*>(malloc(size)));
- DCHECK(name.get());
- result = QueryObject(handle, ObjectNameInformation, name.get(),
- size, &size);
- } while (result == STATUS_INFO_LENGTH_MISMATCH ||
- result == STATUS_BUFFER_OVERFLOW);
-
- if (NT_SUCCESS(result) && name->Buffer && name->Length)
- handle_name->assign(name->Buffer, name->Length / sizeof(wchar_t));
- else
- handle_name->clear();
-
- return NT_SUCCESS(result);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_closer.h b/security/sandbox/chromium/sandbox/win/src/handle_closer.h
deleted file mode 100644
index 9592230a0..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_closer.h
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_HANDLE_CLOSER_H_
-#define SANDBOX_SRC_HANDLE_CLOSER_H_
-
-#include <stddef.h>
-
-#include <map>
-#include <set>
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/target_process.h"
-
-namespace sandbox {
-
-// This is a map of handle-types to names that we need to close in the
-// target process. A null set means we need to close all handles of the
-// given type.
-typedef std::map<const base::string16, std::set<base::string16> > HandleMap;
-
-// Type and set of corresponding handle names to close.
-struct HandleListEntry {
- size_t record_bytes; // Rounded to sizeof(size_t) bytes.
- size_t offset_to_names; // Nul terminated strings of name_count names.
- size_t name_count;
- base::char16 handle_type[1];
-};
-
-// Global parameters and a pointer to the list of entries.
-struct HandleCloserInfo {
- size_t record_bytes; // Rounded to sizeof(size_t) bytes.
- size_t num_handle_types;
- struct HandleListEntry handle_entries[1];
-};
-
-SANDBOX_INTERCEPT HandleCloserInfo* g_handle_closer_info;
-
-// Adds handles to close after lockdown.
-class HandleCloser {
- public:
- HandleCloser();
- ~HandleCloser();
-
- // Adds a handle that will be closed in the target process after lockdown.
- // A NULL value for handle_name indicates all handles of the specified type.
- // An empty string for handle_name indicates the handle is unnamed.
- ResultCode AddHandle(const base::char16* handle_type,
- const base::char16* handle_name);
-
- // Serializes and copies the closer table into the target process.
- bool InitializeTargetHandles(TargetProcess* target);
-
- private:
- // Calculates the memory needed to copy the serialized handles list (rounded
- // to the nearest machine-word size).
- size_t GetBufferSize();
-
- // Serializes the handle list into the target process.
- bool SetupHandleList(void* buffer, size_t buffer_bytes);
-
- HandleMap handles_to_close_;
-
- DISALLOW_COPY_AND_ASSIGN(HandleCloser);
-};
-
-// Returns the object manager's name associated with a handle
-bool GetHandleName(HANDLE handle, base::string16* handle_name);
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_HANDLE_CLOSER_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_closer_agent.cc b/security/sandbox/chromium/sandbox/win/src/handle_closer_agent.cc
deleted file mode 100644
index 6b17f6547..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_closer_agent.cc
+++ /dev/null
@@ -1,203 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/handle_closer_agent.h"
-
-#include <limits.h>
-#include <stddef.h>
-
-#include "base/logging.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-// Returns type infomation for an NT object. This routine is expected to be
-// called for invalid handles so it catches STATUS_INVALID_HANDLE exceptions
-// that can be generated when handle tracing is enabled.
-NTSTATUS QueryObjectTypeInformation(HANDLE handle,
- void* buffer,
- ULONG* size) {
- static NtQueryObject QueryObject = NULL;
- if (!QueryObject)
- ResolveNTFunctionPtr("NtQueryObject", &QueryObject);
-
- NTSTATUS status = STATUS_UNSUCCESSFUL;
- __try {
- status = QueryObject(handle, ObjectTypeInformation, buffer, *size, size);
- } __except(GetExceptionCode() == STATUS_INVALID_HANDLE ?
- EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
- status = STATUS_INVALID_HANDLE;
- }
- return status;
-}
-
-} // namespace
-
-namespace sandbox {
-
-// Memory buffer mapped from the parent, with the list of handles.
-SANDBOX_INTERCEPT HandleCloserInfo* g_handles_to_close = NULL;
-
-bool HandleCloserAgent::NeedsHandlesClosed() {
- return g_handles_to_close != NULL;
-}
-
-HandleCloserAgent::HandleCloserAgent()
- : dummy_handle_(::CreateEvent(NULL, FALSE, FALSE, NULL)) {
-}
-
-HandleCloserAgent::~HandleCloserAgent() {
-}
-
-// Attempts to stuff |closed_handle| with a duplicated handle for a dummy Event
-// with no access. This should allow the handle to be closed, to avoid
-// generating EXCEPTION_INVALID_HANDLE on shutdown, but nothing else. For now
-// the only supported |type| is Event or File.
-bool HandleCloserAgent::AttemptToStuffHandleSlot(HANDLE closed_handle,
- const base::string16& type) {
- // Only attempt to stuff Files and Events at the moment.
- if (type != L"Event" && type != L"File") {
- return true;
- }
-
- if (!dummy_handle_.IsValid())
- return false;
-
- // This should never happen, as g_dummy is created before closing to_stuff.
- DCHECK(dummy_handle_.Get() != closed_handle);
-
- std::vector<HANDLE> to_close;
- HANDLE dup_dummy = NULL;
- size_t count = 16;
-
- do {
- if (!::DuplicateHandle(::GetCurrentProcess(), dummy_handle_.Get(),
- ::GetCurrentProcess(), &dup_dummy, 0, FALSE, 0))
- break;
- if (dup_dummy != closed_handle)
- to_close.push_back(dup_dummy);
- } while (count-- &&
- reinterpret_cast<uintptr_t>(dup_dummy) <
- reinterpret_cast<uintptr_t>(closed_handle));
-
- for (auto h : to_close)
- ::CloseHandle(h);
-
- // Useful to know when we're not able to stuff handles.
- DCHECK(dup_dummy == closed_handle);
-
- return dup_dummy == closed_handle;
-}
-
-// Reads g_handles_to_close and creates the lookup map.
-void HandleCloserAgent::InitializeHandlesToClose(bool* is_csrss_connected) {
- CHECK(g_handles_to_close != NULL);
-
- // Default to connected state
- *is_csrss_connected = true;
-
- // Grab the header.
- HandleListEntry* entry = g_handles_to_close->handle_entries;
- for (size_t i = 0; i < g_handles_to_close->num_handle_types; ++i) {
- // Set the type name.
- base::char16* input = entry->handle_type;
- if (!wcscmp(input, L"ALPC Port")) {
- *is_csrss_connected = false;
- }
- HandleMap::mapped_type& handle_names = handles_to_close_[input];
- input = reinterpret_cast<base::char16*>(reinterpret_cast<char*>(entry)
- + entry->offset_to_names);
- // Grab all the handle names.
- for (size_t j = 0; j < entry->name_count; ++j) {
- std::pair<HandleMap::mapped_type::iterator, bool> name
- = handle_names.insert(input);
- CHECK(name.second);
- input += name.first->size() + 1;
- }
-
- // Move on to the next entry.
- entry = reinterpret_cast<HandleListEntry*>(reinterpret_cast<char*>(entry)
- + entry->record_bytes);
-
- DCHECK(reinterpret_cast<base::char16*>(entry) >= input);
- DCHECK(reinterpret_cast<base::char16*>(entry) - input <
- static_cast<ptrdiff_t>(sizeof(size_t) / sizeof(base::char16)));
- }
-
- // Clean up the memory we copied over.
- ::VirtualFree(g_handles_to_close, 0, MEM_RELEASE);
- g_handles_to_close = NULL;
-}
-
-bool HandleCloserAgent::CloseHandles() {
- DWORD handle_count = UINT_MAX;
- const int kInvalidHandleThreshold = 100;
- const size_t kHandleOffset = 4; // Handles are always a multiple of 4.
-
- if (!::GetProcessHandleCount(::GetCurrentProcess(), &handle_count))
- return false;
-
- // Set up buffers for the type info and the name.
- std::vector<BYTE> type_info_buffer(sizeof(OBJECT_TYPE_INFORMATION) +
- 32 * sizeof(wchar_t));
- OBJECT_TYPE_INFORMATION* type_info =
- reinterpret_cast<OBJECT_TYPE_INFORMATION*>(&(type_info_buffer[0]));
- base::string16 handle_name;
- HANDLE handle = NULL;
- int invalid_count = 0;
-
- // Keep incrementing until we hit the number of handles reported by
- // GetProcessHandleCount(). If we hit a very long sequence of invalid
- // handles we assume that we've run past the end of the table.
- while (handle_count && invalid_count < kInvalidHandleThreshold) {
- reinterpret_cast<size_t&>(handle) += kHandleOffset;
- NTSTATUS rc;
-
- // Get the type name, reusing the buffer.
- ULONG size = static_cast<ULONG>(type_info_buffer.size());
- rc = QueryObjectTypeInformation(handle, type_info, &size);
- while (rc == STATUS_INFO_LENGTH_MISMATCH ||
- rc == STATUS_BUFFER_OVERFLOW) {
- type_info_buffer.resize(size + sizeof(wchar_t));
- type_info = reinterpret_cast<OBJECT_TYPE_INFORMATION*>(
- &(type_info_buffer[0]));
- rc = QueryObjectTypeInformation(handle, type_info, &size);
- // Leave padding for the nul terminator.
- if (NT_SUCCESS(rc) && size == type_info_buffer.size())
- rc = STATUS_INFO_LENGTH_MISMATCH;
- }
- if (!NT_SUCCESS(rc) || !type_info->Name.Buffer) {
- ++invalid_count;
- continue;
- }
-
- --handle_count;
- type_info->Name.Buffer[type_info->Name.Length / sizeof(wchar_t)] = L'\0';
-
- // Check if we're looking for this type of handle.
- HandleMap::iterator result =
- handles_to_close_.find(type_info->Name.Buffer);
- if (result != handles_to_close_.end()) {
- HandleMap::mapped_type& names = result->second;
- // Empty set means close all handles of this type; otherwise check name.
- if (!names.empty()) {
- // Move on to the next handle if this name doesn't match.
- if (!GetHandleName(handle, &handle_name) || !names.count(handle_name))
- continue;
- }
-
- if (!::SetHandleInformation(handle, HANDLE_FLAG_PROTECT_FROM_CLOSE, 0))
- return false;
- if (!::CloseHandle(handle))
- return false;
- // Attempt to stuff this handle with a new dummy Event.
- AttemptToStuffHandleSlot(handle, result->first);
- }
- }
-
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_closer_agent.h b/security/sandbox/chromium/sandbox/win/src/handle_closer_agent.h
deleted file mode 100644
index 042c98eaf..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_closer_agent.h
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_HANDLE_CLOSER_AGENT_H_
-#define SANDBOX_SRC_HANDLE_CLOSER_AGENT_H_
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/handle_closer.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/target_services.h"
-
-
-namespace sandbox {
-
-// Target process code to close the handle list copied over from the broker.
-class HandleCloserAgent {
- public:
- HandleCloserAgent();
- ~HandleCloserAgent();
-
- // Reads the serialized list from the broker and creates the lookup map.
- // Updates is_csrss_connected based on type of handles closed.
- void InitializeHandlesToClose(bool* is_csrss_connected);
-
- // Closes any handles matching those in the lookup map.
- bool CloseHandles();
-
- // True if we have handles waiting to be closed.
- static bool NeedsHandlesClosed();
-
- private:
- // Attempt to stuff a closed handle with a dummy Event.
- bool AttemptToStuffHandleSlot(HANDLE closed_handle,
- const base::string16& type);
-
- HandleMap handles_to_close_;
- base::win::ScopedHandle dummy_handle_;
-
- DISALLOW_COPY_AND_ASSIGN(HandleCloserAgent);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_HANDLE_CLOSER_AGENT_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_closer_test.cc b/security/sandbox/chromium/sandbox/win/src/handle_closer_test.cc
deleted file mode 100644
index ceba818a7..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_closer_test.cc
+++ /dev/null
@@ -1,300 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <limits.h>
-#include <stddef.h>
-
-#include "base/strings/stringprintf.h"
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/handle_closer_agent.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/target_services.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace {
-
-const wchar_t *kFileExtensions[] = { L".1", L".2", L".3", L".4" };
-
-// Returns a handle to a unique marker file that can be retrieved between runs.
-HANDLE GetMarkerFile(const wchar_t *extension) {
- wchar_t path_buffer[MAX_PATH + 1];
- CHECK(::GetTempPath(MAX_PATH, path_buffer));
- base::string16 marker_path = path_buffer;
- marker_path += L"\\sbox_marker_";
-
- // Generate a unique value from the exe's size and timestamp.
- CHECK(::GetModuleFileName(NULL, path_buffer, MAX_PATH));
- base::win::ScopedHandle module(::CreateFile(path_buffer,
- FILE_READ_ATTRIBUTES, FILE_SHARE_READ, NULL,
- OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL));
- CHECK(module.IsValid());
- FILETIME timestamp;
- CHECK(::GetFileTime(module.Get(), &timestamp, NULL, NULL));
- marker_path += base::StringPrintf(L"%08x%08x%08x",
- ::GetFileSize(module.Get(), NULL),
- timestamp.dwLowDateTime,
- timestamp.dwHighDateTime);
- marker_path += extension;
-
- // Make the file delete-on-close so cleanup is automatic.
- return CreateFile(marker_path.c_str(), FILE_ALL_ACCESS,
- FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
- NULL, OPEN_ALWAYS, FILE_FLAG_DELETE_ON_CLOSE, NULL);
-}
-
-// Returns type infomation for an NT object. This routine is expected to be
-// called for invalid handles so it catches STATUS_INVALID_HANDLE exceptions
-// that can be generated when handle tracing is enabled.
-NTSTATUS QueryObjectTypeInformation(HANDLE handle, void* buffer, ULONG* size) {
- static NtQueryObject QueryObject = NULL;
- if (!QueryObject)
- ResolveNTFunctionPtr("NtQueryObject", &QueryObject);
-
- NTSTATUS status = STATUS_UNSUCCESSFUL;
- __try {
- status = QueryObject(handle, ObjectTypeInformation, buffer, *size, size);
- }
- __except(GetExceptionCode() == STATUS_INVALID_HANDLE
- ? EXCEPTION_EXECUTE_HANDLER
- : EXCEPTION_CONTINUE_SEARCH) {
- status = STATUS_INVALID_HANDLE;
- }
- return status;
-}
-
-// Used by the thread pool tests.
-HANDLE finish_event;
-const int kWaitCount = 20;
-
-} // namespace
-
-namespace sandbox {
-
-// Checks for the presence of a list of files (in object path form).
-// Format: CheckForFileHandle (Y|N) \path\to\file1 [\path\to\file2 ...]
-// - Y or N depending if the file should exist or not.
-SBOX_TESTS_COMMAND int CheckForFileHandles(int argc, wchar_t **argv) {
- if (argc < 2)
- return SBOX_TEST_FAILED_TO_RUN_TEST;
- bool should_find = argv[0][0] == L'Y';
- if (argv[0][1] != L'\0' || (!should_find && argv[0][0] != L'N'))
- return SBOX_TEST_FAILED_TO_RUN_TEST;
-
- static int state = BEFORE_INIT;
- switch (state++) {
- case BEFORE_INIT:
- // Create a unique marker file that is open while the test is running.
- // The handles leak, but it will be closed by the test or on exit.
- for (const wchar_t* kExtension : kFileExtensions)
- CHECK_NE(GetMarkerFile(kExtension), INVALID_HANDLE_VALUE);
- return SBOX_TEST_SUCCEEDED;
-
- case AFTER_REVERT: {
- // Brute force the handle table to find what we're looking for.
- DWORD handle_count = UINT_MAX;
- const int kInvalidHandleThreshold = 100;
- const size_t kHandleOffset = 4; // Handles are always a multiple of 4.
- HANDLE handle = NULL;
- int invalid_count = 0;
- base::string16 handle_name;
-
- if (!::GetProcessHandleCount(::GetCurrentProcess(), &handle_count))
- return SBOX_TEST_FAILED_TO_RUN_TEST;
-
- while (handle_count && invalid_count < kInvalidHandleThreshold) {
- reinterpret_cast<size_t&>(handle) += kHandleOffset;
- if (GetHandleName(handle, &handle_name)) {
- for (int i = 1; i < argc; ++i) {
- if (handle_name == argv[i])
- return should_find ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FAILED;
- }
- --handle_count;
- } else {
- ++invalid_count;
- }
- }
-
- return should_find ? SBOX_TEST_FAILED : SBOX_TEST_SUCCEEDED;
- }
-
- default: // Do nothing.
- break;
- }
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-// Checks that supplied handle is an Event and it's not waitable.
-// Format: CheckForEventHandles
-SBOX_TESTS_COMMAND int CheckForEventHandles(int argc, wchar_t** argv) {
- static int state = BEFORE_INIT;
- static std::vector<HANDLE> to_check;
-
- switch (state++) {
- case BEFORE_INIT:
- // Create a unique marker file that is open while the test is running.
- for (const wchar_t* kExtension : kFileExtensions) {
- HANDLE handle = GetMarkerFile(kExtension);
- CHECK_NE(handle, INVALID_HANDLE_VALUE);
- to_check.push_back(handle);
- }
- return SBOX_TEST_SUCCEEDED;
-
- case AFTER_REVERT:
- for (auto handle : to_check) {
- // Set up buffers for the type info and the name.
- std::vector<BYTE> type_info_buffer(sizeof(OBJECT_TYPE_INFORMATION) +
- 32 * sizeof(wchar_t));
- OBJECT_TYPE_INFORMATION* type_info =
- reinterpret_cast<OBJECT_TYPE_INFORMATION*>(&(type_info_buffer[0]));
- NTSTATUS rc;
-
- // Get the type name, reusing the buffer.
- ULONG size = static_cast<ULONG>(type_info_buffer.size());
- rc = QueryObjectTypeInformation(handle, type_info, &size);
- while (rc == STATUS_INFO_LENGTH_MISMATCH ||
- rc == STATUS_BUFFER_OVERFLOW) {
- type_info_buffer.resize(size + sizeof(wchar_t));
- type_info = reinterpret_cast<OBJECT_TYPE_INFORMATION*>(
- &(type_info_buffer[0]));
- rc = QueryObjectTypeInformation(handle, type_info, &size);
- // Leave padding for the nul terminator.
- if (NT_SUCCESS(rc) && size == type_info_buffer.size())
- rc = STATUS_INFO_LENGTH_MISMATCH;
- }
-
- CHECK(NT_SUCCESS(rc));
- CHECK(type_info->Name.Buffer);
-
- type_info->Name.Buffer[type_info->Name.Length / sizeof(wchar_t)] =
- L'\0';
-
- // Should be an Event now.
- CHECK_EQ(wcslen(type_info->Name.Buffer), 5U);
- CHECK_EQ(wcscmp(L"Event", type_info->Name.Buffer), 0);
-
- // Should not be able to wait.
- CHECK_EQ(WaitForSingleObject(handle, INFINITE), WAIT_FAILED);
-
- // Should be able to close.
- CHECK_EQ(TRUE, CloseHandle(handle));
- }
- return SBOX_TEST_SUCCEEDED;
-
- default: // Do nothing.
- break;
- }
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-TEST(HandleCloserTest, CheckForMarkerFiles) {
- TestRunner runner;
- runner.SetTimeout(2000);
- runner.SetTestState(EVERY_STATE);
-
- base::string16 command = base::string16(L"CheckForFileHandles Y");
- for (const wchar_t* kExtension : kFileExtensions) {
- base::string16 handle_name;
- base::win::ScopedHandle marker(GetMarkerFile(kExtension));
- CHECK(marker.IsValid());
- CHECK(sandbox::GetHandleName(marker.Get(), &handle_name));
- command += (L" ");
- command += handle_name;
- }
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command.c_str())) <<
- "Failed: " << command;
-}
-
-TEST(HandleCloserTest, CloseMarkerFiles) {
- TestRunner runner;
- runner.SetTimeout(2000);
- runner.SetTestState(EVERY_STATE);
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- base::string16 command = base::string16(L"CheckForFileHandles N");
- for (const wchar_t* kExtension : kFileExtensions) {
- base::string16 handle_name;
- base::win::ScopedHandle marker(GetMarkerFile(kExtension));
- CHECK(marker.IsValid());
- CHECK(sandbox::GetHandleName(marker.Get(), &handle_name));
- CHECK_EQ(policy->AddKernelObjectToClose(L"File", handle_name.c_str()),
- SBOX_ALL_OK);
- command += (L" ");
- command += handle_name;
- }
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(command.c_str())) <<
- "Failed: " << command;
-}
-
-TEST(HandleCloserTest, CheckStuffedHandle) {
- TestRunner runner;
- runner.SetTimeout(2000);
- runner.SetTestState(EVERY_STATE);
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- for (const wchar_t* kExtension : kFileExtensions) {
- base::string16 handle_name;
- base::win::ScopedHandle marker(GetMarkerFile(kExtension));
- CHECK(marker.IsValid());
- CHECK(sandbox::GetHandleName(marker.Get(), &handle_name));
- CHECK_EQ(policy->AddKernelObjectToClose(L"File", handle_name.c_str()),
- SBOX_ALL_OK);
- }
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckForEventHandles"));
-}
-
-void WINAPI ThreadPoolTask(void* event, BOOLEAN timeout) {
- static volatile LONG waiters_remaining = kWaitCount;
- CHECK(!timeout);
- CHECK(::CloseHandle(event));
- if (::InterlockedDecrement(&waiters_remaining) == 0)
- CHECK(::SetEvent(finish_event));
-}
-
-// Run a thread pool inside a sandbox without a CSRSS connection.
-SBOX_TESTS_COMMAND int RunThreadPool(int argc, wchar_t **argv) {
- HANDLE wait_list[20];
- finish_event = ::CreateEvent(NULL, TRUE, FALSE, NULL);
- CHECK(finish_event);
-
- // Set up a bunch of waiters.
- HANDLE pool = NULL;
- for (int i = 0; i < kWaitCount; ++i) {
- HANDLE event = ::CreateEvent(NULL, TRUE, FALSE, NULL);
- CHECK(event);
- CHECK(::RegisterWaitForSingleObject(&pool, event, ThreadPoolTask, event,
- INFINITE, WT_EXECUTEONLYONCE));
- wait_list[i] = event;
- }
-
- // Signal all the waiters.
- for (int i = 0; i < kWaitCount; ++i)
- CHECK(::SetEvent(wait_list[i]));
-
- CHECK_EQ(::WaitForSingleObject(finish_event, INFINITE), WAIT_OBJECT_0);
- CHECK(::CloseHandle(finish_event));
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-TEST(HandleCloserTest, RunThreadPool) {
- TestRunner runner;
- runner.SetTimeout(2000);
- runner.SetTestState(AFTER_REVERT);
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- // Sever the CSRSS connection by closing ALPC ports inside the sandbox.
- CHECK_EQ(policy->AddKernelObjectToClose(L"ALPC Port", NULL), SBOX_ALL_OK);
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"RunThreadPool"));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc
deleted file mode 100644
index 4b98acd4c..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.cc
+++ /dev/null
@@ -1,92 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/handle_dispatcher.h"
-
-#include <stdint.h>
-
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/handle_interception.h"
-#include "sandbox/win/src/handle_policy.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_broker.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sandbox_utils.h"
-
-namespace sandbox {
-
-HandleDispatcher::HandleDispatcher(PolicyBase* policy_base)
- : policy_base_(policy_base) {
- static const IPCCall duplicate_handle_proxy = {
- {IPC_DUPLICATEHANDLEPROXY_TAG,
- {VOIDPTR_TYPE, UINT32_TYPE, UINT32_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &HandleDispatcher::DuplicateHandleProxy)};
-
- ipc_calls_.push_back(duplicate_handle_proxy);
-}
-
-bool HandleDispatcher::SetupService(InterceptionManager* manager,
- int service) {
- // We perform no interceptions for handles right now.
- switch (service) {
- case IPC_DUPLICATEHANDLEPROXY_TAG:
- return true;
- }
-
- return false;
-}
-
-bool HandleDispatcher::DuplicateHandleProxy(IPCInfo* ipc,
- HANDLE source_handle,
- uint32_t target_process_id,
- uint32_t desired_access,
- uint32_t options) {
- static NtQueryObject QueryObject = NULL;
- if (!QueryObject)
- ResolveNTFunctionPtr("NtQueryObject", &QueryObject);
-
- // Get a copy of the handle for use in the broker process.
- HANDLE handle_temp;
- if (!::DuplicateHandle(ipc->client_info->process, source_handle,
- ::GetCurrentProcess(), &handle_temp,
- 0, FALSE, DUPLICATE_SAME_ACCESS | options)) {
- ipc->return_info.win32_result = ::GetLastError();
- return false;
- }
- options &= ~DUPLICATE_CLOSE_SOURCE;
- base::win::ScopedHandle handle(handle_temp);
-
- // Get the object type (32 characters is safe; current max is 14).
- BYTE buffer[sizeof(OBJECT_TYPE_INFORMATION) + 32 * sizeof(wchar_t)];
- OBJECT_TYPE_INFORMATION* type_info =
- reinterpret_cast<OBJECT_TYPE_INFORMATION*>(buffer);
- ULONG size = sizeof(buffer) - sizeof(wchar_t);
- NTSTATUS error =
- QueryObject(handle.Get(), ObjectTypeInformation, type_info, size, &size);
- if (!NT_SUCCESS(error)) {
- ipc->return_info.nt_status = error;
- return false;
- }
- type_info->Name.Buffer[type_info->Name.Length / sizeof(wchar_t)] = L'\0';
-
- CountedParameterSet<HandleTarget> params;
- params[HandleTarget::NAME] = ParamPickerMake(type_info->Name.Buffer);
- params[HandleTarget::TARGET] = ParamPickerMake(target_process_id);
-
- EvalResult eval = policy_base_->EvalPolicy(IPC_DUPLICATEHANDLEPROXY_TAG,
- params.GetBase());
- ipc->return_info.win32_result =
- HandlePolicy::DuplicateHandleProxyAction(eval, handle.Get(),
- target_process_id,
- &ipc->return_info.handle,
- desired_access, options);
- return true;
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h
deleted file mode 100644
index 24dcdac2a..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_dispatcher.h
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_HANDLE_DISPATCHER_H_
-#define SANDBOX_SRC_HANDLE_DISPATCHER_H_
-
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-namespace sandbox {
-
-// This class handles handle-related IPC calls.
-class HandleDispatcher : public Dispatcher {
- public:
- explicit HandleDispatcher(PolicyBase* policy_base);
- ~HandleDispatcher() override {}
-
- // Dispatcher interface.
- bool SetupService(InterceptionManager* manager, int service) override;
-
- private:
- // Processes IPC requests coming from calls to
- // TargetServices::DuplicateHandle() in the target.
- bool DuplicateHandleProxy(IPCInfo* ipc,
- HANDLE source_handle,
- uint32_t target_process_id,
- uint32_t desired_access,
- uint32_t options);
-
- PolicyBase* policy_base_;
- DISALLOW_COPY_AND_ASSIGN(HandleDispatcher);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_HANDLE_DISPATCHER_H_
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_inheritance_test.cc b/security/sandbox/chromium/sandbox/win/src/handle_inheritance_test.cc
deleted file mode 100644
index d8c2808da..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_inheritance_test.cc
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stdio.h>
-
-#include "base/files/file_util.h"
-#include "base/files/scoped_temp_dir.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-SBOX_TESTS_COMMAND int HandleInheritanceTests_PrintToStdout(int argc,
- wchar_t** argv) {
- printf("Example output to stdout\n");
- return SBOX_TEST_SUCCEEDED;
-}
-
-TEST(HandleInheritanceTests, TestStdoutInheritance) {
- base::ScopedTempDir temp_directory;
- base::FilePath temp_file_name;
- ASSERT_TRUE(temp_directory.CreateUniqueTempDir());
- ASSERT_TRUE(CreateTemporaryFileInDir(temp_directory.path(), &temp_file_name));
-
- SECURITY_ATTRIBUTES attrs = {};
- attrs.nLength = sizeof(attrs);
- attrs.bInheritHandle = TRUE;
- base::win::ScopedHandle tmp_handle(
- CreateFile(temp_file_name.value().c_str(), GENERIC_WRITE,
- FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE,
- &attrs, OPEN_EXISTING, 0, NULL));
- ASSERT_TRUE(tmp_handle.IsValid());
-
- TestRunner runner;
- ASSERT_EQ(SBOX_ALL_OK, runner.GetPolicy()->SetStdoutHandle(tmp_handle.Get()));
- int result = runner.RunTest(L"HandleInheritanceTests_PrintToStdout");
- ASSERT_EQ(SBOX_TEST_SUCCEEDED, result);
-
- std::string data;
- ASSERT_TRUE(base::ReadFileToString(base::FilePath(temp_file_name), &data));
- // Redirection uses a feature that was added in Windows Vista.
- if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
- ASSERT_EQ("Example output to stdout\r\n", data);
- } else {
- ASSERT_EQ("", data);
- }
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc b/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
deleted file mode 100644
index 6fe2f117d..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_interception.cc
+++ /dev/null
@@ -1,48 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/handle_interception.h"
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/target_services.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-
-namespace sandbox {
-
-ResultCode DuplicateHandleProxy(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) {
- *target_handle = NULL;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- return SBOX_ERROR_NO_SPACE;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_DUPLICATEHANDLEPROXY_TAG,
- source_handle, target_process_id,
- desired_access, options, &answer);
- if (SBOX_ALL_OK != code)
- return code;
-
- if (answer.win32_result) {
- ::SetLastError(answer.win32_result);
- mozilla::sandboxing::LogBlocked("DuplicateHandle");
- return SBOX_ERROR_GENERIC;
- }
-
- *target_handle = answer.handle;
- mozilla::sandboxing::LogAllowed("DuplicateHandle");
- return SBOX_ALL_OK;
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_interception.h b/security/sandbox/chromium/sandbox/win/src/handle_interception.h
deleted file mode 100644
index 6f60811f1..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_interception.h
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_HANDLE_INTERCEPTION_H_
-#define SANDBOX_SRC_HANDLE_INTERCEPTION_H_
-
-namespace sandbox {
-
-// TODO(jschuh) Add an interception to catch dangerous DuplicateHandle calls.
-
-ResultCode DuplicateHandleProxy(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options);
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_HANDLE_INTERCEPTION_H_
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.cc b/security/sandbox/chromium/sandbox/win/src/handle_policy.cc
deleted file mode 100644
index 102303079..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_policy.cc
+++ /dev/null
@@ -1,92 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/handle_policy.h"
-
-#include <string>
-
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/broker_services.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sandbox_utils.h"
-
-namespace sandbox {
-
-bool HandlePolicy::GenerateRules(const wchar_t* type_name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy) {
- PolicyRule duplicate_rule(ASK_BROKER);
-
- switch (semantics) {
- case TargetPolicy::HANDLES_DUP_ANY: {
- if (!duplicate_rule.AddNumberMatch(IF_NOT, HandleTarget::TARGET,
- ::GetCurrentProcessId(), EQUAL)) {
- return false;
- }
- break;
- }
-
- case TargetPolicy::HANDLES_DUP_BROKER: {
- if (!duplicate_rule.AddNumberMatch(IF, HandleTarget::TARGET,
- ::GetCurrentProcessId(), EQUAL)) {
- return false;
- }
- break;
- }
-
- default:
- return false;
- }
- if (!duplicate_rule.AddStringMatch(IF, HandleTarget::NAME, type_name,
- CASE_INSENSITIVE)) {
- return false;
- }
- if (!policy->AddRule(IPC_DUPLICATEHANDLEPROXY_TAG, &duplicate_rule)) {
- return false;
- }
- return true;
-}
-
-DWORD HandlePolicy::DuplicateHandleProxyAction(EvalResult eval_result,
- HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) {
- // The only action supported is ASK_BROKER which means duplicate the handle.
- if (ASK_BROKER != eval_result) {
- return ERROR_ACCESS_DENIED;
- }
-
- base::win::ScopedHandle remote_target_process;
- if (target_process_id != ::GetCurrentProcessId()) {
- // Sandboxed children are dynamic, so we check that manually.
- if (!BrokerServicesBase::GetInstance()->IsActiveTarget(target_process_id)) {
- return ERROR_ACCESS_DENIED;
- }
-
- remote_target_process.Set(::OpenProcess(PROCESS_DUP_HANDLE, FALSE,
- target_process_id));
- if (!remote_target_process.IsValid())
- return ::GetLastError();
- }
-
- // If the policy didn't block us and we have no valid target, then the broker
- // (this process) is the valid target.
- HANDLE target_process = remote_target_process.IsValid() ?
- remote_target_process.Get() : ::GetCurrentProcess();
- if (!::DuplicateHandle(::GetCurrentProcess(), source_handle, target_process,
- target_handle, desired_access, FALSE,
- options)) {
- return ::GetLastError();
- }
-
- return ERROR_SUCCESS;
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy.h b/security/sandbox/chromium/sandbox/win/src/handle_policy.h
deleted file mode 100644
index 29ce5ab66..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_policy.h
+++ /dev/null
@@ -1,39 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_HANDLE_POLICY_H_
-#define SANDBOX_SRC_HANDLE_POLICY_H_
-
-#include <string>
-
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/sandbox_policy.h"
-
-namespace sandbox {
-
-enum EvalResult;
-
-// This class centralizes most of the knowledge related to handle policy.
-class HandlePolicy {
- public:
- // Creates the required low-level policy rules to evaluate a high-level
- // policy rule for handles, in particular duplicate action.
- static bool GenerateRules(const wchar_t* type_name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy);
-
- // Processes a 'TargetPolicy::DuplicateHandle()' request from the target.
- static DWORD DuplicateHandleProxyAction(EvalResult eval_result,
- HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_HANDLE_POLICY_H_
-
diff --git a/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc b/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc
deleted file mode 100644
index 11382da81..000000000
--- a/security/sandbox/chromium/sandbox/win/src/handle_policy_test.cc
+++ /dev/null
@@ -1,114 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/stringprintf.h"
-#include "sandbox/win/src/handle_policy.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/win_utils.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-// Just waits for the supplied number of milliseconds.
-SBOX_TESTS_COMMAND int Handle_WaitProcess(int argc, wchar_t **argv) {
- if (argc != 1)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- ::Sleep(::wcstoul(argv[0], NULL, 10));
- return SBOX_TEST_TIMED_OUT;
-}
-
-// Attempts to duplicate an event handle into the target process.
-SBOX_TESTS_COMMAND int Handle_DuplicateEvent(int argc, wchar_t **argv) {
- if (argc != 1)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- // Create a test event to use as a handle.
- base::win::ScopedHandle test_event;
- test_event.Set(::CreateEvent(NULL, TRUE, TRUE, NULL));
- if (!test_event.IsValid())
- return SBOX_TEST_FIRST_ERROR;
-
- // Get the target process ID.
- DWORD target_process_id = ::wcstoul(argv[0], NULL, 10);
-
- HANDLE handle = NULL;
- ResultCode result = SandboxFactory::GetTargetServices()->DuplicateHandle(
- test_event.Get(), target_process_id, &handle, 0, DUPLICATE_SAME_ACCESS);
-
- return (result == SBOX_ALL_OK) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_DENIED;
-}
-
-// Tests that duplicating an object works only when the policy allows it.
-TEST(HandlePolicyTest, DuplicateHandle) {
- TestRunner target;
- TestRunner runner;
-
- // Kick off an asynchronous target process for testing.
- target.SetAsynchronous(true);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"Handle_WaitProcess 30000"));
-
- // First test that we fail to open the event.
- base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d",
- target.process_id());
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str()));
-
- // Now successfully open the event after adding a duplicate handle rule.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES,
- TargetPolicy::HANDLES_DUP_ANY,
- L"Event"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str()));
-}
-
-// Tests that duplicating an object works only when the policy allows it.
-TEST(HandlePolicyTest, DuplicatePeerHandle) {
- TestRunner target;
- TestRunner runner;
-
- // Kick off an asynchronous target process for testing.
- target.SetAsynchronous(true);
- target.SetUnsandboxed(true);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, target.RunTest(L"Handle_WaitProcess 30000"));
-
- // First test that we fail to open the event.
- base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d",
- target.process_id());
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str()));
-
- // Now successfully open the event after adding a duplicate handle rule.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES,
- TargetPolicy::HANDLES_DUP_ANY,
- L"Event"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str()));
-}
-
-// Tests that duplicating an object works only when the policy allows it.
-TEST(HandlePolicyTest, DuplicateBrokerHandle) {
- TestRunner runner;
-
- // First test that we fail to open the event.
- base::string16 cmd_line = base::StringPrintf(L"Handle_DuplicateEvent %d",
- ::GetCurrentProcessId());
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str()));
-
- // Add the peer rule and make sure we fail again.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES,
- TargetPolicy::HANDLES_DUP_ANY,
- L"Event"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(cmd_line.c_str()));
-
-
- // Now successfully open the event after adding a broker handle rule.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_HANDLES,
- TargetPolicy::HANDLES_DUP_BROKER,
- L"Event"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(cmd_line.c_str()));
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/integrity_level_test.cc b/security/sandbox/chromium/sandbox/win/src/integrity_level_test.cc
deleted file mode 100644
index f962033ca..000000000
--- a/security/sandbox/chromium/sandbox/win/src/integrity_level_test.cc
+++ /dev/null
@@ -1,91 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <windows.h>
-#include <atlsecurity.h>
-
-#include "base/win/windows_version.h"
-#include "testing/gtest/include/gtest/gtest.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/tests/common/controller.h"
-
-namespace sandbox {
-
-
-SBOX_TESTS_COMMAND int CheckIntegrityLevel(int argc, wchar_t **argv) {
- ATL::CAccessToken token;
- if (!token.GetEffectiveToken(TOKEN_READ))
- return SBOX_TEST_FAILED;
-
- char* buffer[100];
- DWORD buf_size = 100;
- if (!::GetTokenInformation(token.GetHandle(), TokenIntegrityLevel,
- reinterpret_cast<void*>(buffer), buf_size,
- &buf_size))
- return SBOX_TEST_FAILED;
-
- TOKEN_MANDATORY_LABEL* label =
- reinterpret_cast<TOKEN_MANDATORY_LABEL*>(buffer);
-
- PSID sid_low = NULL;
- if (!::ConvertStringSidToSid(L"S-1-16-4096", &sid_low))
- return SBOX_TEST_FAILED;
-
- BOOL is_low_sid = ::EqualSid(label->Label.Sid, sid_low);
-
- ::LocalFree(sid_low);
-
- if (is_low_sid)
- return SBOX_TEST_SUCCEEDED;
-
- return SBOX_TEST_DENIED;
-}
-
-TEST(IntegrityLevelTest, TestLowILReal) {
- if (base::win::GetVersion() != base::win::VERSION_VISTA)
- return;
-
- TestRunner runner(JOB_LOCKDOWN, USER_INTERACTIVE, USER_INTERACTIVE);
-
- runner.SetTimeout(INFINITE);
-
- runner.GetPolicy()->SetAlternateDesktop(true);
- runner.GetPolicy()->SetIntegrityLevel(INTEGRITY_LEVEL_LOW);
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckIntegrityLevel"));
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckIntegrityLevel"));
-}
-
-TEST(DelayedIntegrityLevelTest, TestLowILDelayed) {
- if (base::win::GetVersion() != base::win::VERSION_VISTA)
- return;
-
- TestRunner runner(JOB_LOCKDOWN, USER_INTERACTIVE, USER_INTERACTIVE);
-
- runner.SetTimeout(INFINITE);
-
- runner.GetPolicy()->SetDelayedIntegrityLevel(INTEGRITY_LEVEL_LOW);
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckIntegrityLevel"));
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"CheckIntegrityLevel"));
-}
-
-TEST(IntegrityLevelTest, TestNoILChange) {
- if (base::win::GetVersion() != base::win::VERSION_VISTA)
- return;
-
- TestRunner runner(JOB_LOCKDOWN, USER_INTERACTIVE, USER_INTERACTIVE);
-
- runner.SetTimeout(INFINITE);
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"CheckIntegrityLevel"));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/interception.cc b/security/sandbox/chromium/sandbox/win/src/interception.cc
deleted file mode 100644
index f0a2a61fb..000000000
--- a/security/sandbox/chromium/sandbox/win/src/interception.cc
+++ /dev/null
@@ -1,560 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// For information about interceptions as a whole see
-// http://dev.chromium.org/developers/design-documents/sandbox .
-
-#include <stddef.h>
-
-#include <set>
-
-#include "sandbox/win/src/interception.h"
-
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/strings/string16.h"
-#include "base/win/pe_image.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/interception_internal.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_rand.h"
-#include "sandbox/win/src/service_resolver.h"
-#include "sandbox/win/src/target_interceptions.h"
-#include "sandbox/win/src/target_process.h"
-#include "sandbox/win/src/wow64.h"
-
-namespace sandbox {
-
-namespace {
-
-// Standard allocation granularity and page size for Windows.
-const size_t kAllocGranularity = 65536;
-const size_t kPageSize = 4096;
-
-} // namespace
-
-namespace internal {
-
-// Find a random offset within 64k and aligned to ceil(log2(size)).
-size_t GetGranularAlignedRandomOffset(size_t size) {
- CHECK_LE(size, kAllocGranularity);
- unsigned int offset;
-
- do {
- GetRandom(&offset);
- offset &= (kAllocGranularity - 1);
- } while (offset > (kAllocGranularity - size));
-
- // Find an alignment between 64 and the page size (4096).
- size_t align_size = kPageSize;
- for (size_t new_size = align_size / 2; new_size >= size; new_size /= 2) {
- align_size = new_size;
- }
- return offset & ~(align_size - 1);
-}
-
-} // namespace internal
-
-SANDBOX_INTERCEPT SharedMemory* g_interceptions;
-
-// Table of the unpatched functions that we intercept. Mapped from the parent.
-SANDBOX_INTERCEPT OriginalFunctions g_originals = { NULL };
-
-// Magic constant that identifies that this function is not to be patched.
-const char kUnloadDLLDummyFunction[] = "@";
-
-InterceptionManager::InterceptionData::InterceptionData() {
-}
-
-InterceptionManager::InterceptionData::~InterceptionData() {
-}
-
-InterceptionManager::InterceptionManager(TargetProcess* child_process,
- bool relaxed)
- : child_(child_process), names_used_(false), relaxed_(relaxed) {
- child_->AddRef();
-}
-InterceptionManager::~InterceptionManager() {
- child_->Release();
-}
-
-bool InterceptionManager::AddToPatchedFunctions(
- const wchar_t* dll_name, const char* function_name,
- InterceptionType interception_type, const void* replacement_code_address,
- InterceptorId id) {
- InterceptionData function;
- function.type = interception_type;
- function.id = id;
- function.dll = dll_name;
- function.function = function_name;
- function.interceptor_address = replacement_code_address;
-
- interceptions_.push_back(function);
- return true;
-}
-
-bool InterceptionManager::AddToPatchedFunctions(
- const wchar_t* dll_name, const char* function_name,
- InterceptionType interception_type, const char* replacement_function_name,
- InterceptorId id) {
- InterceptionData function;
- function.type = interception_type;
- function.id = id;
- function.dll = dll_name;
- function.function = function_name;
- function.interceptor = replacement_function_name;
- function.interceptor_address = NULL;
-
- interceptions_.push_back(function);
- names_used_ = true;
- return true;
-}
-
-bool InterceptionManager::AddToUnloadModules(const wchar_t* dll_name) {
- InterceptionData module_to_unload;
- module_to_unload.type = INTERCEPTION_UNLOAD_MODULE;
- module_to_unload.dll = dll_name;
- // The next two are dummy values that make the structures regular, instead
- // of having special cases. They should not be used.
- module_to_unload.function = kUnloadDLLDummyFunction;
- module_to_unload.interceptor_address = reinterpret_cast<void*>(1);
-
- interceptions_.push_back(module_to_unload);
- return true;
-}
-
-bool InterceptionManager::InitializeInterceptions() {
- if (interceptions_.empty())
- return true; // Nothing to do here
-
- size_t buffer_bytes = GetBufferSize();
- scoped_ptr<char[]> local_buffer(new char[buffer_bytes]);
-
- if (!SetupConfigBuffer(local_buffer.get(), buffer_bytes))
- return false;
-
- void* remote_buffer;
- if (!CopyDataToChild(local_buffer.get(), buffer_bytes, &remote_buffer))
- return false;
-
- bool hot_patch_needed = (0 != buffer_bytes);
- if (!PatchNtdll(hot_patch_needed))
- return false;
-
- g_interceptions = reinterpret_cast<SharedMemory*>(remote_buffer);
- ResultCode rc = child_->TransferVariable("g_interceptions",
- &g_interceptions,
- sizeof(g_interceptions));
- return (SBOX_ALL_OK == rc);
-}
-
-size_t InterceptionManager::GetBufferSize() const {
- std::set<base::string16> dlls;
- size_t buffer_bytes = 0;
-
- std::list<InterceptionData>::const_iterator it = interceptions_.begin();
- for (; it != interceptions_.end(); ++it) {
- // skip interceptions that are performed from the parent
- if (!IsInterceptionPerformedByChild(*it))
- continue;
-
- if (!dlls.count(it->dll)) {
- // NULL terminate the dll name on the structure
- size_t dll_name_bytes = (it->dll.size() + 1) * sizeof(wchar_t);
-
- // include the dll related size
- buffer_bytes += RoundUpToMultiple(offsetof(DllPatchInfo, dll_name) +
- dll_name_bytes, sizeof(size_t));
- dlls.insert(it->dll);
- }
-
- // we have to NULL terminate the strings on the structure
- size_t strings_chars = it->function.size() + it->interceptor.size() + 2;
-
- // a new FunctionInfo is required per function
- size_t record_bytes = offsetof(FunctionInfo, function) + strings_chars;
- record_bytes = RoundUpToMultiple(record_bytes, sizeof(size_t));
- buffer_bytes += record_bytes;
- }
-
- if (0 != buffer_bytes)
- // add the part of SharedMemory that we have not counted yet
- buffer_bytes += offsetof(SharedMemory, dll_list);
-
- return buffer_bytes;
-}
-
-// Basically, walk the list of interceptions moving them to the config buffer,
-// but keeping together all interceptions that belong to the same dll.
-// The config buffer is a local buffer, not the one allocated on the child.
-bool InterceptionManager::SetupConfigBuffer(void* buffer, size_t buffer_bytes) {
- if (0 == buffer_bytes)
- return true;
-
- DCHECK(buffer_bytes > sizeof(SharedMemory));
-
- SharedMemory* shared_memory = reinterpret_cast<SharedMemory*>(buffer);
- DllPatchInfo* dll_info = shared_memory->dll_list;
- int num_dlls = 0;
-
- shared_memory->interceptor_base = names_used_ ? child_->MainModule() : NULL;
-
- buffer_bytes -= offsetof(SharedMemory, dll_list);
- buffer = dll_info;
-
- std::list<InterceptionData>::iterator it = interceptions_.begin();
- for (; it != interceptions_.end();) {
- // skip interceptions that are performed from the parent
- if (!IsInterceptionPerformedByChild(*it)) {
- ++it;
- continue;
- }
-
- const base::string16 dll = it->dll;
- if (!SetupDllInfo(*it, &buffer, &buffer_bytes))
- return false;
-
- // walk the interceptions from this point, saving the ones that are
- // performed on this dll, and removing the entry from the list.
- // advance the iterator before removing the element from the list
- std::list<InterceptionData>::iterator rest = it;
- for (; rest != interceptions_.end();) {
- if (rest->dll == dll) {
- if (!SetupInterceptionInfo(*rest, &buffer, &buffer_bytes, dll_info))
- return false;
- if (it == rest)
- ++it;
- rest = interceptions_.erase(rest);
- } else {
- ++rest;
- }
- }
- dll_info = reinterpret_cast<DllPatchInfo*>(buffer);
- ++num_dlls;
- }
-
- shared_memory->num_intercepted_dlls = num_dlls;
- return true;
-}
-
-// Fills up just the part that depends on the dll, not the info that depends on
-// the actual interception.
-bool InterceptionManager::SetupDllInfo(const InterceptionData& data,
- void** buffer,
- size_t* buffer_bytes) const {
- DCHECK(buffer_bytes);
- DCHECK(buffer);
- DCHECK(*buffer);
-
- DllPatchInfo* dll_info = reinterpret_cast<DllPatchInfo*>(*buffer);
-
- // the strings have to be zero terminated
- size_t required = offsetof(DllPatchInfo, dll_name) +
- (data.dll.size() + 1) * sizeof(wchar_t);
- required = RoundUpToMultiple(required, sizeof(size_t));
- if (*buffer_bytes < required)
- return false;
-
- *buffer_bytes -= required;
- *buffer = reinterpret_cast<char*>(*buffer) + required;
-
- // set up the dll info to be what we know about it at this time
- dll_info->unload_module = (data.type == INTERCEPTION_UNLOAD_MODULE);
- dll_info->record_bytes = required;
- dll_info->offset_to_functions = required;
- dll_info->num_functions = 0;
- data.dll._Copy_s(dll_info->dll_name, data.dll.size(), data.dll.size());
- dll_info->dll_name[data.dll.size()] = L'\0';
-
- return true;
-}
-
-bool InterceptionManager::SetupInterceptionInfo(const InterceptionData& data,
- void** buffer,
- size_t* buffer_bytes,
- DllPatchInfo* dll_info) const {
- DCHECK(buffer_bytes);
- DCHECK(buffer);
- DCHECK(*buffer);
-
- if ((dll_info->unload_module) &&
- (data.function != kUnloadDLLDummyFunction)) {
- // Can't specify a dll for both patch and unload.
- NOTREACHED();
- }
-
- FunctionInfo* function = reinterpret_cast<FunctionInfo*>(*buffer);
-
- size_t name_bytes = data.function.size();
- size_t interceptor_bytes = data.interceptor.size();
-
- // the strings at the end of the structure are zero terminated
- size_t required = offsetof(FunctionInfo, function) +
- name_bytes + interceptor_bytes + 2;
- required = RoundUpToMultiple(required, sizeof(size_t));
- if (*buffer_bytes < required)
- return false;
-
- // update the caller's values
- *buffer_bytes -= required;
- *buffer = reinterpret_cast<char*>(*buffer) + required;
-
- function->record_bytes = required;
- function->type = data.type;
- function->id = data.id;
- function->interceptor_address = data.interceptor_address;
- char* names = function->function;
-
- data.function._Copy_s(names, name_bytes, name_bytes);
- names += name_bytes;
- *names++ = '\0';
-
- // interceptor follows the function_name
- data.interceptor._Copy_s(names, interceptor_bytes, interceptor_bytes);
- names += interceptor_bytes;
- *names++ = '\0';
-
- // update the dll table
- dll_info->num_functions++;
- dll_info->record_bytes += required;
-
- return true;
-}
-
-bool InterceptionManager::CopyDataToChild(const void* local_buffer,
- size_t buffer_bytes,
- void** remote_buffer) const {
- DCHECK(NULL != remote_buffer);
- if (0 == buffer_bytes) {
- *remote_buffer = NULL;
- return true;
- }
-
- HANDLE child = child_->Process();
-
- // Allocate memory on the target process without specifying the address
- void* remote_data = ::VirtualAllocEx(child, NULL, buffer_bytes,
- MEM_COMMIT, PAGE_READWRITE);
- if (NULL == remote_data)
- return false;
-
- SIZE_T bytes_written;
- BOOL success = ::WriteProcessMemory(child, remote_data, local_buffer,
- buffer_bytes, &bytes_written);
- if (FALSE == success || bytes_written != buffer_bytes) {
- ::VirtualFreeEx(child, remote_data, 0, MEM_RELEASE);
- return false;
- }
-
- *remote_buffer = remote_data;
-
- return true;
-}
-
-// Only return true if the child should be able to perform this interception.
-bool InterceptionManager::IsInterceptionPerformedByChild(
- const InterceptionData& data) const {
- if (INTERCEPTION_INVALID == data.type)
- return false;
-
- if (INTERCEPTION_SERVICE_CALL == data.type)
- return false;
-
- if (data.type >= INTERCEPTION_LAST)
- return false;
-
- base::string16 ntdll(kNtdllName);
- if (ntdll == data.dll)
- return false; // ntdll has to be intercepted from the parent
-
- return true;
-}
-
-bool InterceptionManager::PatchNtdll(bool hot_patch_needed) {
- // Maybe there is nothing to do
- if (!hot_patch_needed && interceptions_.empty())
- return true;
-
- if (hot_patch_needed) {
-#if SANDBOX_EXPORTS
- // Make sure the functions are not excluded by the linker.
-#if defined(_WIN64)
- #pragma comment(linker, "/include:TargetNtMapViewOfSection64")
- #pragma comment(linker, "/include:TargetNtUnmapViewOfSection64")
-#else
- #pragma comment(linker, "/include:_TargetNtMapViewOfSection@44")
- #pragma comment(linker, "/include:_TargetNtUnmapViewOfSection@12")
-#endif
-#endif
- ADD_NT_INTERCEPTION(NtMapViewOfSection, MAP_VIEW_OF_SECTION_ID, 44);
- ADD_NT_INTERCEPTION(NtUnmapViewOfSection, UNMAP_VIEW_OF_SECTION_ID, 12);
- }
-
- // Reserve a full 64k memory range in the child process.
- HANDLE child = child_->Process();
- BYTE* thunk_base = reinterpret_cast<BYTE*>(
- ::VirtualAllocEx(child, NULL, kAllocGranularity,
- MEM_RESERVE, PAGE_NOACCESS));
-
- // Find an aligned, random location within the reserved range.
- size_t thunk_bytes = interceptions_.size() * sizeof(ThunkData) +
- sizeof(DllInterceptionData);
- size_t thunk_offset = internal::GetGranularAlignedRandomOffset(thunk_bytes);
-
- // Split the base and offset along page boundaries.
- thunk_base += thunk_offset & ~(kPageSize - 1);
- thunk_offset &= kPageSize - 1;
-
- // Make an aligned, padded allocation, and move the pointer to our chunk.
- size_t thunk_bytes_padded = (thunk_bytes + kPageSize - 1) & ~(kPageSize - 1);
- thunk_base = reinterpret_cast<BYTE*>(
- ::VirtualAllocEx(child, thunk_base, thunk_bytes_padded,
- MEM_COMMIT, PAGE_EXECUTE_READWRITE));
- CHECK(thunk_base); // If this fails we'd crash anyway on an invalid access.
- DllInterceptionData* thunks = reinterpret_cast<DllInterceptionData*>(
- thunk_base + thunk_offset);
-
- DllInterceptionData dll_data;
- dll_data.data_bytes = thunk_bytes;
- dll_data.num_thunks = 0;
- dll_data.used_bytes = offsetof(DllInterceptionData, thunks);
-
- // Reset all helpers for a new child.
- memset(g_originals, 0, sizeof(g_originals));
-
- // this should write all the individual thunks to the child's memory
- if (!PatchClientFunctions(thunks, thunk_bytes, &dll_data))
- return false;
-
- // and now write the first part of the table to the child's memory
- SIZE_T written;
- bool ok = FALSE != ::WriteProcessMemory(child, thunks, &dll_data,
- offsetof(DllInterceptionData, thunks),
- &written);
-
- if (!ok || (offsetof(DllInterceptionData, thunks) != written))
- return false;
-
- // Attempt to protect all the thunks, but ignore failure
- DWORD old_protection;
- ::VirtualProtectEx(child, thunks, thunk_bytes,
- PAGE_EXECUTE_READ, &old_protection);
-
- ResultCode ret = child_->TransferVariable("g_originals", g_originals,
- sizeof(g_originals));
- return (SBOX_ALL_OK == ret);
-}
-
-bool InterceptionManager::PatchClientFunctions(DllInterceptionData* thunks,
- size_t thunk_bytes,
- DllInterceptionData* dll_data) {
- DCHECK(NULL != thunks);
- DCHECK(NULL != dll_data);
-
- HMODULE ntdll_base = ::GetModuleHandle(kNtdllName);
- if (!ntdll_base)
- return false;
-
- base::win::PEImage ntdll_image(ntdll_base);
-
- // Bypass purify's interception.
- wchar_t* loader_get = reinterpret_cast<wchar_t*>(
- ntdll_image.GetProcAddress("LdrGetDllHandle"));
- if (loader_get) {
- if (!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
- GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
- loader_get, &ntdll_base))
- return false;
- }
-
- if (base::win::GetVersion() <= base::win::VERSION_VISTA) {
- Wow64 WowHelper(child_, ntdll_base);
- if (!WowHelper.WaitForNtdll())
- return false;
- }
-
- char* interceptor_base = NULL;
-
-#if SANDBOX_EXPORTS
- interceptor_base = reinterpret_cast<char*>(child_->MainModule());
- HMODULE local_interceptor = ::LoadLibrary(child_->Name());
-#endif
-
- ServiceResolverThunk* thunk;
-#if defined(_WIN64)
- thunk = new ServiceResolverThunk(child_->Process(), relaxed_);
-#else
- base::win::OSInfo* os_info = base::win::OSInfo::GetInstance();
- if (os_info->wow64_status() == base::win::OSInfo::WOW64_ENABLED) {
- if (os_info->version() >= base::win::VERSION_WIN10)
- thunk = new Wow64W10ResolverThunk(child_->Process(), relaxed_);
- else if (os_info->version() >= base::win::VERSION_WIN8)
- thunk = new Wow64W8ResolverThunk(child_->Process(), relaxed_);
- else
- thunk = new Wow64ResolverThunk(child_->Process(), relaxed_);
- } else if (os_info->version() >= base::win::VERSION_WIN8) {
- thunk = new Win8ResolverThunk(child_->Process(), relaxed_);
- } else {
- thunk = new ServiceResolverThunk(child_->Process(), relaxed_);
- }
-#endif
-
- std::list<InterceptionData>::iterator it = interceptions_.begin();
- for (; it != interceptions_.end(); ++it) {
- const base::string16 ntdll(kNtdllName);
- if (it->dll != ntdll)
- break;
-
- if (INTERCEPTION_SERVICE_CALL != it->type)
- break;
-
-#if SANDBOX_EXPORTS
- // We may be trying to patch by function name.
- if (NULL == it->interceptor_address) {
- const char* address;
- NTSTATUS ret = thunk->ResolveInterceptor(local_interceptor,
- it->interceptor.c_str(),
- reinterpret_cast<const void**>(
- &address));
- if (!NT_SUCCESS(ret))
- break;
-
- // Translate the local address to an address on the child.
- it->interceptor_address = interceptor_base + (address -
- reinterpret_cast<char*>(local_interceptor));
- }
-#endif
- NTSTATUS ret = thunk->Setup(ntdll_base,
- interceptor_base,
- it->function.c_str(),
- it->interceptor.c_str(),
- it->interceptor_address,
- &thunks->thunks[dll_data->num_thunks],
- thunk_bytes - dll_data->used_bytes,
- NULL);
- if (!NT_SUCCESS(ret))
- break;
-
- DCHECK(!g_originals[it->id]);
- g_originals[it->id] = &thunks->thunks[dll_data->num_thunks];
-
- dll_data->num_thunks++;
- dll_data->used_bytes += sizeof(ThunkData);
- }
-
- delete(thunk);
-
-#if SANDBOX_EXPORTS
- if (NULL != local_interceptor)
- ::FreeLibrary(local_interceptor);
-#endif
-
- if (it != interceptions_.end())
- return false;
-
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/interception.h b/security/sandbox/chromium/sandbox/win/src/interception.h
deleted file mode 100644
index 4d1ee82ba..000000000
--- a/security/sandbox/chromium/sandbox/win/src/interception.h
+++ /dev/null
@@ -1,286 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Defines InterceptionManager, the class in charge of setting up interceptions
-// for the sandboxed process. For more details see
-// http://dev.chromium.org/developers/design-documents/sandbox .
-
-#ifndef SANDBOX_SRC_INTERCEPTION_H_
-#define SANDBOX_SRC_INTERCEPTION_H_
-
-#include <stddef.h>
-
-#include <list>
-#include <string>
-
-#include "base/gtest_prod_util.h"
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace sandbox {
-
-class TargetProcess;
-enum InterceptorId;
-
-// Internal structures used for communication between the broker and the target.
-struct DllPatchInfo;
-struct DllInterceptionData;
-
-// The InterceptionManager executes on the parent application, and it is in
-// charge of setting up the desired interceptions, and placing the Interception
-// Agent into the child application.
-//
-// The exposed API consists of two methods: AddToPatchedFunctions to set up a
-// particular interception, and InitializeInterceptions to actually go ahead and
-// perform all interceptions and transfer data to the child application.
-//
-// The typical usage is something like this:
-//
-// InterceptionManager interception_manager(child);
-// if (!interception_manager.AddToPatchedFunctions(
-// L"ntdll.dll", "NtCreateFile",
-// sandbox::INTERCEPTION_SERVICE_CALL, &MyNtCreateFile, MY_ID_1))
-// return false;
-//
-// if (!interception_manager.AddToPatchedFunctions(
-// L"kernel32.dll", "CreateDirectoryW",
-// sandbox::INTERCEPTION_EAT, L"MyCreateDirectoryW@12", MY_ID_2))
-// return false;
-//
-// if (!interception_manager.InitializeInterceptions()) {
-// DWORD error = ::GetLastError();
-// return false;
-// }
-//
-// Any required syncronization must be performed outside this class. Also, it is
-// not possible to perform further interceptions after InitializeInterceptions
-// is called.
-//
-class InterceptionManager {
- // The unit test will access private members.
- // Allow tests to be marked DISABLED_. Note that FLAKY_ and FAILS_ prefixes
- // do not work with sandbox tests.
- FRIEND_TEST_ALL_PREFIXES(InterceptionManagerTest, BufferLayout1);
- FRIEND_TEST_ALL_PREFIXES(InterceptionManagerTest, BufferLayout2);
-
- public:
- // An interception manager performs interceptions on a given child process.
- // If we are allowed to intercept functions that have been patched by somebody
- // else, relaxed should be set to true.
- // Note: We increase the child's reference count internally.
- InterceptionManager(TargetProcess* child_process, bool relaxed);
- ~InterceptionManager();
-
- // Patches function_name inside dll_name to point to replacement_code_address.
- // function_name has to be an exported symbol of dll_name.
- // Returns true on success.
- //
- // The new function should match the prototype and calling convention of the
- // function to intercept except for one extra argument (the first one) that
- // contains a pointer to the original function, to simplify the development
- // of interceptors (for IA32). In x64, there is no extra argument to the
- // interceptor, so the provided InterceptorId is used to keep a table of
- // intercepted functions so that the interceptor can index that table to get
- // the pointer that would have been the first argument (g_originals[id]).
- //
- // For example, to intercept NtClose, the following code could be used:
- //
- // typedef NTSTATUS (WINAPI *NtCloseFunction) (IN HANDLE Handle);
- // NTSTATUS WINAPI MyNtCose(IN NtCloseFunction OriginalClose,
- // IN HANDLE Handle) {
- // // do something
- // // call the original function
- // return OriginalClose(Handle);
- // }
- //
- // And in x64:
- //
- // typedef NTSTATUS (WINAPI *NtCloseFunction) (IN HANDLE Handle);
- // NTSTATUS WINAPI MyNtCose64(IN HANDLE Handle) {
- // // do something
- // // call the original function
- // NtCloseFunction OriginalClose = g_originals[NT_CLOSE_ID];
- // return OriginalClose(Handle);
- // }
- bool AddToPatchedFunctions(const wchar_t* dll_name,
- const char* function_name,
- InterceptionType interception_type,
- const void* replacement_code_address,
- InterceptorId id);
-
- // Patches function_name inside dll_name to point to
- // replacement_function_name.
- bool AddToPatchedFunctions(const wchar_t* dll_name,
- const char* function_name,
- InterceptionType interception_type,
- const char* replacement_function_name,
- InterceptorId id);
-
- // The interception agent will unload the dll with dll_name.
- bool AddToUnloadModules(const wchar_t* dll_name);
-
- // Initializes all interceptions on the client.
- // Returns true on success.
- //
- // The child process must be created suspended, and cannot be resumed until
- // after this method returns. In addition, no action should be performed on
- // the child that may cause it to resume momentarily, such as injecting
- // threads or APCs.
- //
- // This function must be called only once, after all interceptions have been
- // set up using AddToPatchedFunctions.
- bool InitializeInterceptions();
-
- private:
- // Used to store the interception information until the actual set-up.
- struct InterceptionData {
- InterceptionData();
- ~InterceptionData();
-
- InterceptionType type; // Interception type.
- InterceptorId id; // Interceptor id.
- base::string16 dll; // Name of dll to intercept.
- std::string function; // Name of function to intercept.
- std::string interceptor; // Name of interceptor function.
- const void* interceptor_address; // Interceptor's entry point.
- };
-
- // Calculates the size of the required configuration buffer.
- size_t GetBufferSize() const;
-
- // Rounds up the size of a given buffer, considering alignment (padding).
- // value is the current size of the buffer, and alignment is specified in
- // bytes.
- static inline size_t RoundUpToMultiple(size_t value, size_t alignment) {
- return ((value + alignment -1) / alignment) * alignment;
- }
-
- // Sets up a given buffer with all the information that has to be transfered
- // to the child.
- // Returns true on success.
- //
- // The buffer size should be at least the value returned by GetBufferSize
- bool SetupConfigBuffer(void* buffer, size_t buffer_bytes);
-
- // Fills up the part of the transfer buffer that corresponds to information
- // about one dll to patch.
- // data is the first recorded interception for this dll.
- // Returns true on success.
- //
- // On successful return, buffer will be advanced from it's current position
- // to the point where the next block of configuration data should be written
- // (the actual interception info), and the current size of the buffer will
- // decrease to account the space used by this method.
- bool SetupDllInfo(const InterceptionData& data,
- void** buffer, size_t* buffer_bytes) const;
-
- // Fills up the part of the transfer buffer that corresponds to a single
- // function to patch.
- // dll_info points to the dll being updated with the interception stored on
- // data. The buffer pointer and remaining size are updated by this call.
- // Returns true on success.
- bool SetupInterceptionInfo(const InterceptionData& data, void** buffer,
- size_t* buffer_bytes,
- DllPatchInfo* dll_info) const;
-
- // Returns true if this interception is to be performed by the child
- // as opposed to from the parent.
- bool IsInterceptionPerformedByChild(const InterceptionData& data) const;
-
- // Allocates a buffer on the child's address space (returned on
- // remote_buffer), and fills it with the contents of a local buffer.
- // Returns true on success.
- bool CopyDataToChild(const void* local_buffer, size_t buffer_bytes,
- void** remote_buffer) const;
-
- // Performs the cold patch (from the parent) of ntdll.
- // Returns true on success.
- //
- // This method will insert additional interceptions to launch the interceptor
- // agent on the child process, if there are additional interceptions to do.
- bool PatchNtdll(bool hot_patch_needed);
-
- // Peforms the actual interceptions on ntdll.
- // thunks is the memory to store all the thunks for this dll (on the child),
- // and dll_data is a local buffer to hold global dll interception info.
- // Returns true on success.
- bool PatchClientFunctions(DllInterceptionData* thunks,
- size_t thunk_bytes,
- DllInterceptionData* dll_data);
-
- // The process to intercept.
- TargetProcess* child_;
- // Holds all interception info until the call to initialize (perform the
- // actual patch).
- std::list<InterceptionData> interceptions_;
-
- // Keep track of patches added by name.
- bool names_used_;
-
- // true if we are allowed to patch already-patched functions.
- bool relaxed_;
-
- DISALLOW_COPY_AND_ASSIGN(InterceptionManager);
-};
-
-// This macro simply calls interception_manager.AddToPatchedFunctions with
-// the given service to intercept (INTERCEPTION_SERVICE_CALL), and assumes that
-// the interceptor is called "TargetXXX", where XXX is the name of the service.
-// Note that num_params is the number of bytes to pop out of the stack for
-// the exported interceptor, following the calling convention of a service call
-// (WINAPI = with the "C" underscore).
-#if SANDBOX_EXPORTS
-#if defined(_WIN64)
-#define MAKE_SERVICE_NAME(service, params) "Target" # service "64"
-#else
-#define MAKE_SERVICE_NAME(service, params) "_Target" # service "@" # params
-#endif
-
-#define ADD_NT_INTERCEPTION(service, id, num_params) \
- AddToPatchedFunctions(kNtdllName, #service, \
- sandbox::INTERCEPTION_SERVICE_CALL, \
- MAKE_SERVICE_NAME(service, num_params), id)
-
-#define INTERCEPT_NT(manager, service, id, num_params) \
- ((&Target##service) ? \
- manager->ADD_NT_INTERCEPTION(service, id, num_params) : false)
-
-// When intercepting the EAT it is important that the patched version of the
-// function not call any functions imported from system libraries unless
-// |TargetServices::InitCalled()| returns true, because it is only then that
-// we are guaranteed that our IAT has been initialized.
-#define INTERCEPT_EAT(manager, dll, function, id, num_params) \
- ((&Target##function) ? \
- manager->AddToPatchedFunctions(dll, #function, sandbox::INTERCEPTION_EAT, \
- MAKE_SERVICE_NAME(function, num_params), \
- id) : \
- false)
-#else // SANDBOX_EXPORTS
-#if defined(_WIN64)
-#define MAKE_SERVICE_NAME(service) &Target##service##64
-#else
-#define MAKE_SERVICE_NAME(service) &Target##service
-#endif
-
-#define ADD_NT_INTERCEPTION(service, id, num_params) \
- AddToPatchedFunctions(kNtdllName, #service, \
- sandbox::INTERCEPTION_SERVICE_CALL, \
- MAKE_SERVICE_NAME(service), id)
-
-#define INTERCEPT_NT(manager, service, id, num_params) \
- manager->ADD_NT_INTERCEPTION(service, id, num_params)
-
-// When intercepting the EAT it is important that the patched version of the
-// function not call any functions imported from system libraries unless
-// |TargetServices::InitCalled()| returns true, because it is only then that
-// we are guaranteed that our IAT has been initialized.
-#define INTERCEPT_EAT(manager, dll, function, id, num_params) \
- manager->AddToPatchedFunctions(dll, #function, sandbox::INTERCEPTION_EAT, \
- MAKE_SERVICE_NAME(function), id)
-#endif // SANDBOX_EXPORTS
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_INTERCEPTION_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/interception_agent.cc b/security/sandbox/chromium/sandbox/win/src/interception_agent.cc
deleted file mode 100644
index 1ef688638..000000000
--- a/security/sandbox/chromium/sandbox/win/src/interception_agent.cc
+++ /dev/null
@@ -1,235 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// For information about interceptions as a whole see
-// http://dev.chromium.org/developers/design-documents/sandbox .
-
-#include "sandbox/win/src/interception_agent.h"
-
-#include <stddef.h>
-
-#include "sandbox/win/src/eat_resolver.h"
-#include "sandbox/win/src/interception_internal.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sidestep_resolver.h"
-
-namespace {
-
-// Returns true if target lies between base and base + range.
-bool IsWithinRange(const void* base, size_t range, const void* target) {
- const char* end = reinterpret_cast<const char*>(base) + range;
- return reinterpret_cast<const char*>(target) < end;
-}
-
-} // namespace
-
-namespace sandbox {
-
-// This is the list of all imported symbols from ntdll.dll.
-SANDBOX_INTERCEPT NtExports g_nt;
-
-// The list of intercepted functions back-pointers.
-SANDBOX_INTERCEPT OriginalFunctions g_originals;
-
-// Memory buffer mapped from the parent, with the list of interceptions.
-SANDBOX_INTERCEPT SharedMemory* g_interceptions = NULL;
-
-InterceptionAgent* InterceptionAgent::GetInterceptionAgent() {
- static InterceptionAgent* s_singleton = NULL;
- if (!s_singleton) {
- if (!g_interceptions)
- return NULL;
-
- size_t array_bytes = g_interceptions->num_intercepted_dlls * sizeof(void*);
- s_singleton = reinterpret_cast<InterceptionAgent*>(
- new(NT_ALLOC) char[array_bytes + sizeof(InterceptionAgent)]);
-
- bool success = s_singleton->Init(g_interceptions);
- if (!success) {
- operator delete(s_singleton, NT_ALLOC);
- s_singleton = NULL;
- }
- }
- return s_singleton;
-}
-
-bool InterceptionAgent::Init(SharedMemory* shared_memory) {
- interceptions_ = shared_memory;
- for (int i = 0 ; i < shared_memory->num_intercepted_dlls; i++)
- dlls_[i] = NULL;
- return true;
-}
-
-bool InterceptionAgent::DllMatch(const UNICODE_STRING* full_path,
- const UNICODE_STRING* name,
- const DllPatchInfo* dll_info) {
- UNICODE_STRING current_name;
- current_name.Length = static_cast<USHORT>(g_nt.wcslen(dll_info->dll_name) *
- sizeof(wchar_t));
- current_name.MaximumLength = current_name.Length;
- current_name.Buffer = const_cast<wchar_t*>(dll_info->dll_name);
-
- BOOLEAN case_insensitive = TRUE;
- if (full_path &&
- !g_nt.RtlCompareUnicodeString(&current_name, full_path, case_insensitive))
- return true;
-
- if (name &&
- !g_nt.RtlCompareUnicodeString(&current_name, name, case_insensitive))
- return true;
-
- return false;
-}
-
-bool InterceptionAgent::OnDllLoad(const UNICODE_STRING* full_path,
- const UNICODE_STRING* name,
- void* base_address) {
- DllPatchInfo* dll_info = interceptions_->dll_list;
- int i = 0;
- for (; i < interceptions_->num_intercepted_dlls; i++) {
- if (DllMatch(full_path, name, dll_info))
- break;
-
- dll_info = reinterpret_cast<DllPatchInfo*>(
- reinterpret_cast<char*>(dll_info) + dll_info->record_bytes);
- }
-
- // Return now if the dll is not in our list of interest.
- if (i == interceptions_->num_intercepted_dlls)
- return true;
-
- // The dll must be unloaded.
- if (dll_info->unload_module)
- return false;
-
- // Purify causes this condition to trigger.
- if (dlls_[i])
- return true;
-
- size_t buffer_bytes = offsetof(DllInterceptionData, thunks) +
- dll_info->num_functions * sizeof(ThunkData);
- dlls_[i] = reinterpret_cast<DllInterceptionData*>(
- new(NT_PAGE, base_address) char[buffer_bytes]);
-
- DCHECK_NT(dlls_[i]);
- if (!dlls_[i])
- return true;
-
- dlls_[i]->data_bytes = buffer_bytes;
- dlls_[i]->num_thunks = 0;
- dlls_[i]->base = base_address;
- dlls_[i]->used_bytes = offsetof(DllInterceptionData, thunks);
-
- VERIFY(PatchDll(dll_info, dlls_[i]));
-
- ULONG old_protect;
- SIZE_T real_size = buffer_bytes;
- void* to_protect = dlls_[i];
- VERIFY_SUCCESS(g_nt.ProtectVirtualMemory(NtCurrentProcess, &to_protect,
- &real_size, PAGE_EXECUTE_READ,
- &old_protect));
- return true;
-}
-
-void InterceptionAgent::OnDllUnload(void* base_address) {
- for (int i = 0; i < interceptions_->num_intercepted_dlls; i++) {
- if (dlls_[i] && dlls_[i]->base == base_address) {
- operator delete(dlls_[i], NT_PAGE);
- dlls_[i] = NULL;
- break;
- }
- }
-}
-
-// TODO(rvargas): We have to deal with prebinded dlls. I see two options: change
-// the timestamp of the patched dll, or modify the info on the prebinded dll.
-// the first approach messes matching of debug symbols, the second one is more
-// complicated.
-bool InterceptionAgent::PatchDll(const DllPatchInfo* dll_info,
- DllInterceptionData* thunks) {
- DCHECK_NT(NULL != thunks);
- DCHECK_NT(NULL != dll_info);
-
- const FunctionInfo* function = reinterpret_cast<const FunctionInfo*>(
- reinterpret_cast<const char*>(dll_info) + dll_info->offset_to_functions);
-
- for (int i = 0; i < dll_info->num_functions; i++) {
- if (!IsWithinRange(dll_info, dll_info->record_bytes, function->function)) {
- NOTREACHED_NT();
- return false;
- }
-
- ResolverThunk* resolver = GetResolver(function->type);
- if (!resolver)
- return false;
-
- const char* interceptor = function->function +
- g_nt.strlen(function->function) + 1;
-
- if (!IsWithinRange(function, function->record_bytes, interceptor) ||
- !IsWithinRange(dll_info, dll_info->record_bytes, interceptor)) {
- NOTREACHED_NT();
- return false;
- }
-
- NTSTATUS ret = resolver->Setup(thunks->base,
- interceptions_->interceptor_base,
- function->function,
- interceptor,
- function->interceptor_address,
- &thunks->thunks[i],
- sizeof(ThunkData),
- NULL);
- if (!NT_SUCCESS(ret)) {
- NOTREACHED_NT();
- return false;
- }
-
- DCHECK_NT(!g_originals[function->id]);
- g_originals[function->id] = &thunks->thunks[i];
-
- thunks->num_thunks++;
- thunks->used_bytes += sizeof(ThunkData);
-
- function = reinterpret_cast<const FunctionInfo*>(
- reinterpret_cast<const char*>(function) + function->record_bytes);
- }
-
- return true;
-}
-
-// This method is called from within the loader lock
-ResolverThunk* InterceptionAgent::GetResolver(InterceptionType type) {
- static EatResolverThunk* eat_resolver = NULL;
- static SidestepResolverThunk* sidestep_resolver = NULL;
- static SmartSidestepResolverThunk* smart_sidestep_resolver = NULL;
-
- if (!eat_resolver)
- eat_resolver = new(NT_ALLOC) EatResolverThunk;
-
-#if !defined(_WIN64)
- // Sidestep is not supported for x64.
- if (!sidestep_resolver)
- sidestep_resolver = new(NT_ALLOC) SidestepResolverThunk;
-
- if (!smart_sidestep_resolver)
- smart_sidestep_resolver = new(NT_ALLOC) SmartSidestepResolverThunk;
-#endif
-
- switch (type) {
- case INTERCEPTION_EAT:
- return eat_resolver;
- case INTERCEPTION_SIDESTEP:
- return sidestep_resolver;
- case INTERCEPTION_SMART_SIDESTEP:
- return smart_sidestep_resolver;
- default:
- NOTREACHED_NT();
- }
-
- return NULL;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/interception_agent.h b/security/sandbox/chromium/sandbox/win/src/interception_agent.h
deleted file mode 100644
index b2bce08b0..000000000
--- a/security/sandbox/chromium/sandbox/win/src/interception_agent.h
+++ /dev/null
@@ -1,87 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Defines InterceptionAgent, the class in charge of setting up interceptions
-// from the inside of the sandboxed process. For more details see
-// http://dev.chromium.org/developers/design-documents/sandbox .
-
-#ifndef SANDBOX_SRC_INTERCEPTION_AGENT_H__
-#define SANDBOX_SRC_INTERCEPTION_AGENT_H__
-
-#include "base/macros.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace sandbox {
-
-// Internal structures used for communication between the broker and the target.
-struct DllInterceptionData;
-struct SharedMemory;
-struct DllPatchInfo;
-
-class ResolverThunk;
-
-// The InterceptionAgent executes on the target application, and it is in charge
-// of setting up the desired interceptions or indicating what module needs to
-// be unloaded.
-//
-// The exposed API consists of three methods: GetInterceptionAgent to retrieve
-// the single class instance, OnDllLoad and OnDllUnload to process a dll being
-// loaded and unloaded respectively.
-//
-// This class assumes that it will get called for every dll being loaded,
-// starting with kernel32, so the singleton will be instantiated from within the
-// loader lock.
-class InterceptionAgent {
- public:
- // Returns the single InterceptionAgent object for this process.
- static InterceptionAgent* GetInterceptionAgent();
-
- // This method should be invoked whenever a new dll is loaded to perform the
- // required patches. If the return value is false, this dll should not be
- // allowed to load.
- //
- // full_path is the (optional) full name of the module being loaded and name
- // is the internal module name. If full_path is provided, it will be used
- // before the internal name to determine if we care about this dll.
- bool OnDllLoad(const UNICODE_STRING* full_path, const UNICODE_STRING* name,
- void* base_address);
-
- // Performs cleanup when a dll is unloaded.
- void OnDllUnload(void* base_address);
-
- private:
- ~InterceptionAgent() {}
-
- // Performs initialization of the singleton.
- bool Init(SharedMemory* shared_memory);
-
- // Returns true if we are interested on this dll. dll_info is an entry of the
- // list of intercepted dlls.
- bool DllMatch(const UNICODE_STRING* full_path, const UNICODE_STRING* name,
- const DllPatchInfo* dll_info);
-
- // Performs the patching of the dll loaded at base_address.
- // The patches to perform are described on dll_info, and thunks is the thunk
- // storage for the whole dll.
- // Returns true on success.
- bool PatchDll(const DllPatchInfo* dll_info, DllInterceptionData* thunks);
-
- // Returns a resolver for a given interception type.
- ResolverThunk* GetResolver(InterceptionType type);
-
- // Shared memory containing the list of functions to intercept.
- SharedMemory* interceptions_;
-
- // Array of thunk data buffers for the intercepted dlls. This object singleton
- // is allocated with a placement new with enough space to hold the complete
- // array of pointers, not just the first element.
- DllInterceptionData* dlls_[1];
-
- DISALLOW_IMPLICIT_CONSTRUCTORS(InterceptionAgent);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_INTERCEPTION_AGENT_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/interception_internal.h b/security/sandbox/chromium/sandbox/win/src/interception_internal.h
deleted file mode 100644
index 45a0557e5..000000000
--- a/security/sandbox/chromium/sandbox/win/src/interception_internal.h
+++ /dev/null
@@ -1,78 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Defines InterceptionManager, the class in charge of setting up interceptions
-// for the sandboxed process. For more details see:
-// http://dev.chromium.org/developers/design-documents/sandbox .
-
-#ifndef SANDBOX_SRC_INTERCEPTION_INTERNAL_H_
-#define SANDBOX_SRC_INTERCEPTION_INTERNAL_H_
-
-#include <stddef.h>
-
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace sandbox {
-
-const int kMaxThunkDataBytes = 64;
-
-enum InterceptorId;
-
-// The following structures contain variable size fields at the end, and will be
-// used to transfer information between two processes. In order to guarantee
-// our ability to follow the chain of structures, the alignment should be fixed,
-// hence this pragma.
-#pragma pack(push, 4)
-
-// Structures for the shared memory that contains patching information
-// for the InterceptionAgent.
-// A single interception:
-struct FunctionInfo {
- size_t record_bytes; // rounded to sizeof(size_t) bytes
- InterceptionType type;
- InterceptorId id;
- const void* interceptor_address;
- char function[1]; // placeholder for null terminated name
- // char interceptor[] // followed by the interceptor function
-};
-
-// A single dll:
-struct DllPatchInfo {
- size_t record_bytes; // rounded to sizeof(size_t) bytes
- size_t offset_to_functions;
- int num_functions;
- bool unload_module;
- wchar_t dll_name[1]; // placeholder for null terminated name
- // FunctionInfo function_info[] // followed by the functions to intercept
-};
-
-// All interceptions:
-struct SharedMemory {
- int num_intercepted_dlls;
- void* interceptor_base;
- DllPatchInfo dll_list[1]; // placeholder for the list of dlls
-};
-
-// Dummy single thunk:
-struct ThunkData {
- char data[kMaxThunkDataBytes];
-};
-
-// In-memory representation of the interceptions for a given dll:
-struct DllInterceptionData {
- size_t data_bytes;
- size_t used_bytes;
- void* base;
- int num_thunks;
-#if defined(_WIN64)
- int dummy; // Improve alignment.
-#endif
- ThunkData thunks[1];
-};
-
-#pragma pack(pop)
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_INTERCEPTION_INTERNAL_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/interception_unittest.cc b/security/sandbox/chromium/sandbox/win/src/interception_unittest.cc
deleted file mode 100644
index 7b7932af6..000000000
--- a/security/sandbox/chromium/sandbox/win/src/interception_unittest.cc
+++ /dev/null
@@ -1,260 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file contains unit tests for InterceptionManager.
-// The tests require private information so the whole interception.cc file is
-// included from this file.
-
-#include <windows.h>
-#include <stddef.h>
-
-#include <algorithm>
-#include <set>
-
-#include "base/bits.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/interception_internal.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/target_process.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-namespace internal {
-size_t GetGranularAlignedRandomOffset(size_t size);
-}
-
-// Walks the settings buffer, verifying that the values make sense and counting
-// objects.
-// Arguments:
-// buffer (in): the buffer to walk.
-// size (in): buffer size
-// num_dlls (out): count of the dlls on the buffer.
-// num_function (out): count of intercepted functions.
-// num_names (out): count of named interceptor functions.
-void WalkBuffer(void* buffer, size_t size, int* num_dlls, int* num_functions,
- int* num_names) {
- ASSERT_TRUE(NULL != buffer);
- ASSERT_TRUE(NULL != num_functions);
- ASSERT_TRUE(NULL != num_names);
- *num_dlls = *num_functions = *num_names = 0;
- SharedMemory *memory = reinterpret_cast<SharedMemory*>(buffer);
-
- ASSERT_GT(size, sizeof(SharedMemory));
- DllPatchInfo *dll = &memory->dll_list[0];
-
- for (int i = 0; i < memory->num_intercepted_dlls; i++) {
- ASSERT_NE(0u, wcslen(dll->dll_name));
- ASSERT_EQ(0u, dll->record_bytes % sizeof(size_t));
- ASSERT_EQ(0u, dll->offset_to_functions % sizeof(size_t));
- ASSERT_NE(0, dll->num_functions);
-
- FunctionInfo *function = reinterpret_cast<FunctionInfo*>(
- reinterpret_cast<char*>(dll) + dll->offset_to_functions);
-
- for (int j = 0; j < dll->num_functions; j++) {
- ASSERT_EQ(0u, function->record_bytes % sizeof(size_t));
-
- char* name = function->function;
- size_t length = strlen(name);
- ASSERT_NE(0u, length);
- name += length + 1;
-
- // look for overflows
- ASSERT_GT(reinterpret_cast<char*>(buffer) + size, name + strlen(name));
-
- // look for a named interceptor
- if (strlen(name)) {
- (*num_names)++;
- EXPECT_TRUE(NULL == function->interceptor_address);
- } else {
- EXPECT_TRUE(NULL != function->interceptor_address);
- }
-
- (*num_functions)++;
- function = reinterpret_cast<FunctionInfo*>(
- reinterpret_cast<char*>(function) + function->record_bytes);
- }
-
- (*num_dlls)++;
- dll = reinterpret_cast<DllPatchInfo*>(reinterpret_cast<char*>(dll) +
- dll->record_bytes);
- }
-}
-
-TEST(InterceptionManagerTest, GetGranularAlignedRandomOffset) {
- std::set<size_t> sizes;
-
- // 544 is current value of interceptions_.size() * sizeof(ThunkData) +
- // sizeof(DllInterceptionData).
- const size_t kThunkBytes = 544;
-
- // ciel(log2(544)) = 10.
- // Alignment must be 2^10 = 1024.
- const size_t kAlignmentBits = base::bits::Log2Ceiling(kThunkBytes);
- const size_t kAlignment = static_cast<size_t>(1) << kAlignmentBits;
-
- const size_t kAllocGranularity = 65536;
-
- // Generate enough sample data to ensure there is at least one value in each
- // potential bucket.
- for (size_t i = 0; i < 1000000; i++)
- sizes.insert(internal::GetGranularAlignedRandomOffset(kThunkBytes));
-
- size_t prev_val = 0;
- size_t min_val = kAllocGranularity;
- size_t min_nonzero_val = kAllocGranularity;
- size_t max_val = 0;
-
- for (size_t val : sizes) {
- ASSERT_LT(val, kAllocGranularity);
- if (prev_val)
- ASSERT_EQ(val - prev_val, kAlignment);
- if (val)
- min_nonzero_val = std::min(val, min_nonzero_val);
- min_val = std::min(val, min_val);
- prev_val = val;
- max_val = std::max(val, max_val);
- }
- ASSERT_EQ(max_val, kAllocGranularity - kAlignment);
- ASSERT_EQ(0u, min_val);
- ASSERT_EQ(min_nonzero_val, kAlignment);
-}
-
-TEST(InterceptionManagerTest, BufferLayout1) {
- wchar_t exe_name[MAX_PATH];
- ASSERT_NE(0u, GetModuleFileName(NULL, exe_name, MAX_PATH - 1));
-
- TargetProcess *target = MakeTestTargetProcess(::GetCurrentProcess(),
- ::GetModuleHandle(exe_name));
-
- InterceptionManager interceptions(target, true);
-
- // Any pointer will do for a function pointer.
- void* function = &interceptions;
-
- // We don't care about the interceptor id.
- interceptions.AddToPatchedFunctions(L"ntdll.dll", "NtCreateFile",
- INTERCEPTION_SERVICE_CALL, function,
- OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"kernel32.dll", "CreateFileEx",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"kernel32.dll", "SomeFileEx",
- INTERCEPTION_SMART_SIDESTEP, function,
- OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"user32.dll", "FindWindow",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"kernel32.dll", "CreateMutex",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"user32.dll", "PostMsg",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"user32.dll", "PostMsg",
- INTERCEPTION_EAT, "replacement",
- OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"comctl.dll", "SaveAsDlg",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"ntdll.dll", "NtClose",
- INTERCEPTION_SERVICE_CALL, function,
- OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"ntdll.dll", "NtOpenFile",
- INTERCEPTION_SIDESTEP, function,
- OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"some.dll", "Superfn",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"comctl.dll", "SaveAsDlg",
- INTERCEPTION_EAT, "a", OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"comctl.dll", "SaveAsDlg",
- INTERCEPTION_SIDESTEP, "ab", OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"comctl.dll", "SaveAsDlg",
- INTERCEPTION_EAT, "abc", OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"a.dll", "p",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"b.dll",
- "TheIncredibleCallToSaveTheWorld",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"a.dll", "BIsLame",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
- interceptions.AddToPatchedFunctions(L"a.dll", "ARules",
- INTERCEPTION_EAT, function, OPEN_KEY_ID);
-
- // Verify that all interceptions were added
- ASSERT_EQ(18u, interceptions.interceptions_.size());
-
- size_t buffer_size = interceptions.GetBufferSize();
- scoped_ptr<BYTE[]> local_buffer(new BYTE[buffer_size]);
-
- ASSERT_TRUE(interceptions.SetupConfigBuffer(local_buffer.get(),
- buffer_size));
-
- // At this point, the interceptions should have been separated into two
- // groups: one group with the local ("cold") interceptions, consisting of
- // everything from ntdll and stuff set as INTRECEPTION_SERVICE_CALL, and
- // another group with the interceptions belonging to dlls that will be "hot"
- // patched on the client. The second group lives on local_buffer, and the
- // first group remains on the list of interceptions (inside the object
- // "interceptions"). There are 3 local interceptions (of ntdll); the
- // other 15 have to be sent to the child to be performed "hot".
- EXPECT_EQ(3u, interceptions.interceptions_.size());
-
- int num_dlls, num_functions, num_names;
- WalkBuffer(local_buffer.get(), buffer_size, &num_dlls, &num_functions,
- &num_names);
-
- // The 15 interceptions on the buffer (to the child) should be grouped on 6
- // dlls. Only four interceptions are using an explicit name for the
- // interceptor function.
- EXPECT_EQ(6, num_dlls);
- EXPECT_EQ(15, num_functions);
- EXPECT_EQ(4, num_names);
-}
-
-TEST(InterceptionManagerTest, BufferLayout2) {
- wchar_t exe_name[MAX_PATH];
- ASSERT_NE(0u, GetModuleFileName(NULL, exe_name, MAX_PATH - 1));
-
- TargetProcess *target = MakeTestTargetProcess(::GetCurrentProcess(),
- ::GetModuleHandle(exe_name));
-
- InterceptionManager interceptions(target, true);
-
- // Any pointer will do for a function pointer.
- void* function = &interceptions;
- interceptions.AddToUnloadModules(L"some01.dll");
- // We don't care about the interceptor id.
- interceptions.AddToPatchedFunctions(L"ntdll.dll", "NtCreateFile",
- INTERCEPTION_SERVICE_CALL, function,
- OPEN_FILE_ID);
- interceptions.AddToPatchedFunctions(L"kernel32.dll", "CreateFileEx",
- INTERCEPTION_EAT, function, OPEN_FILE_ID);
- interceptions.AddToUnloadModules(L"some02.dll");
- interceptions.AddToPatchedFunctions(L"kernel32.dll", "SomeFileEx",
- INTERCEPTION_SMART_SIDESTEP, function,
- OPEN_FILE_ID);
- // Verify that all interceptions were added
- ASSERT_EQ(5u, interceptions.interceptions_.size());
-
- size_t buffer_size = interceptions.GetBufferSize();
- scoped_ptr<BYTE[]> local_buffer(new BYTE[buffer_size]);
-
- ASSERT_TRUE(interceptions.SetupConfigBuffer(local_buffer.get(),
- buffer_size));
-
- // At this point, the interceptions should have been separated into two
- // groups: one group with the local ("cold") interceptions, and another
- // group with the interceptions belonging to dlls that will be "hot"
- // patched on the client. The second group lives on local_buffer, and the
- // first group remains on the list of interceptions, in this case just one.
- EXPECT_EQ(1u, interceptions.interceptions_.size());
-
- int num_dlls, num_functions, num_names;
- WalkBuffer(local_buffer.get(), buffer_size, &num_dlls, &num_functions,
- &num_names);
-
- EXPECT_EQ(3, num_dlls);
- EXPECT_EQ(4, num_functions);
- EXPECT_EQ(0, num_names);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/interceptors.h b/security/sandbox/chromium/sandbox/win/src/interceptors.h
deleted file mode 100644
index a17447aa1..000000000
--- a/security/sandbox/chromium/sandbox/win/src/interceptors.h
+++ /dev/null
@@ -1,55 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_INTERCEPTORS_H_
-#define SANDBOX_SRC_INTERCEPTORS_H_
-
-#if defined(_WIN64)
-#include "sandbox/win/src/interceptors_64.h"
-#endif
-
-namespace sandbox {
-
-enum InterceptorId {
- // Internal use:
- MAP_VIEW_OF_SECTION_ID = 0,
- UNMAP_VIEW_OF_SECTION_ID,
- // Policy broker:
- SET_INFORMATION_THREAD_ID,
- OPEN_THREAD_TOKEN_ID,
- OPEN_THREAD_TOKEN_EX_ID,
- OPEN_TREAD_ID,
- OPEN_PROCESS_ID,
- OPEN_PROCESS_TOKEN_ID,
- OPEN_PROCESS_TOKEN_EX_ID,
- // Filesystem dispatcher:
- CREATE_FILE_ID,
- OPEN_FILE_ID,
- QUERY_ATTRIB_FILE_ID,
- QUERY_FULL_ATTRIB_FILE_ID,
- SET_INFO_FILE_ID,
- // Named pipe dispatcher:
- CREATE_NAMED_PIPE_ID,
- // Process-thread dispatcher:
- CREATE_PROCESSW_ID,
- CREATE_PROCESSA_ID,
- // Registry dispatcher:
- CREATE_KEY_ID,
- OPEN_KEY_ID,
- OPEN_KEY_EX_ID,
- // Sync dispatcher:
- CREATE_EVENT_ID,
- OPEN_EVENT_ID,
- // Process mitigations Win32k dispatcher:
- GDIINITIALIZE_ID,
- GETSTOCKOBJECT_ID,
- REGISTERCLASSW_ID,
- INTERCEPTOR_MAX_ID
-};
-
-typedef void* OriginalFunctions[INTERCEPTOR_MAX_ID];
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_INTERCEPTORS_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/interceptors_64.cc b/security/sandbox/chromium/sandbox/win/src/interceptors_64.cc
deleted file mode 100644
index ef0b5f001..000000000
--- a/security/sandbox/chromium/sandbox/win/src/interceptors_64.cc
+++ /dev/null
@@ -1,278 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/interceptors_64.h"
-
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/filesystem_interception.h"
-#include "sandbox/win/src/named_pipe_interception.h"
-#include "sandbox/win/src/policy_target.h"
-#include "sandbox/win/src/process_mitigations_win32k_interception.h"
-#include "sandbox/win/src/process_thread_interception.h"
-#include "sandbox/win/src/registry_interception.h"
-#include "sandbox/win/src/sandbox_nt_types.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sync_interception.h"
-#include "sandbox/win/src/target_interceptions.h"
-
-namespace sandbox {
-
-SANDBOX_INTERCEPT NtExports g_nt;
-SANDBOX_INTERCEPT OriginalFunctions g_originals;
-
-NTSTATUS WINAPI TargetNtMapViewOfSection64(
- HANDLE section, HANDLE process, PVOID *base, ULONG_PTR zero_bits,
- SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
- SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect) {
- NtMapViewOfSectionFunction orig_fn = reinterpret_cast<
- NtMapViewOfSectionFunction>(g_originals[MAP_VIEW_OF_SECTION_ID]);
-
- return TargetNtMapViewOfSection(orig_fn, section, process, base, zero_bits,
- commit_size, offset, view_size, inherit,
- allocation_type, protect);
-}
-
-NTSTATUS WINAPI TargetNtUnmapViewOfSection64(HANDLE process, PVOID base) {
- NtUnmapViewOfSectionFunction orig_fn = reinterpret_cast<
- NtUnmapViewOfSectionFunction>(g_originals[UNMAP_VIEW_OF_SECTION_ID]);
- return TargetNtUnmapViewOfSection(orig_fn, process, base);
-}
-
-// -----------------------------------------------------------------------
-
-NTSTATUS WINAPI TargetNtSetInformationThread64(
- HANDLE thread, NT_THREAD_INFORMATION_CLASS thread_info_class,
- PVOID thread_information, ULONG thread_information_bytes) {
- NtSetInformationThreadFunction orig_fn = reinterpret_cast<
- NtSetInformationThreadFunction>(g_originals[SET_INFORMATION_THREAD_ID]);
- return TargetNtSetInformationThread(orig_fn, thread, thread_info_class,
- thread_information,
- thread_information_bytes);
-}
-
-NTSTATUS WINAPI TargetNtOpenThreadToken64(
- HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
- PHANDLE token) {
- NtOpenThreadTokenFunction orig_fn = reinterpret_cast<
- NtOpenThreadTokenFunction>(g_originals[OPEN_THREAD_TOKEN_ID]);
- return TargetNtOpenThreadToken(orig_fn, thread, desired_access, open_as_self,
- token);
-}
-
-NTSTATUS WINAPI TargetNtOpenThreadTokenEx64(
- HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
- ULONG handle_attributes, PHANDLE token) {
- NtOpenThreadTokenExFunction orig_fn = reinterpret_cast<
- NtOpenThreadTokenExFunction>(g_originals[OPEN_THREAD_TOKEN_EX_ID]);
- return TargetNtOpenThreadTokenEx(orig_fn, thread, desired_access,
- open_as_self, handle_attributes, token);
-}
-
-// -----------------------------------------------------------------------
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateFile64(
- PHANDLE file, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
- PLARGE_INTEGER allocation_size, ULONG file_attributes, ULONG sharing,
- ULONG disposition, ULONG options, PVOID ea_buffer, ULONG ea_length) {
- NtCreateFileFunction orig_fn = reinterpret_cast<
- NtCreateFileFunction>(g_originals[CREATE_FILE_ID]);
- return TargetNtCreateFile(orig_fn, file, desired_access, object_attributes,
- io_status, allocation_size, file_attributes,
- sharing, disposition, options, ea_buffer,
- ea_length);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenFile64(
- PHANDLE file, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
- ULONG sharing, ULONG options) {
- NtOpenFileFunction orig_fn = reinterpret_cast<
- NtOpenFileFunction>(g_originals[OPEN_FILE_ID]);
- return TargetNtOpenFile(orig_fn, file, desired_access, object_attributes,
- io_status, sharing, options);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryAttributesFile64(
- POBJECT_ATTRIBUTES object_attributes,
- PFILE_BASIC_INFORMATION file_attributes) {
- NtQueryAttributesFileFunction orig_fn = reinterpret_cast<
- NtQueryAttributesFileFunction>(g_originals[QUERY_ATTRIB_FILE_ID]);
- return TargetNtQueryAttributesFile(orig_fn, object_attributes,
- file_attributes);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryFullAttributesFile64(
- POBJECT_ATTRIBUTES object_attributes,
- PFILE_NETWORK_OPEN_INFORMATION file_attributes) {
- NtQueryFullAttributesFileFunction orig_fn = reinterpret_cast<
- NtQueryFullAttributesFileFunction>(
- g_originals[QUERY_FULL_ATTRIB_FILE_ID]);
- return TargetNtQueryFullAttributesFile(orig_fn, object_attributes,
- file_attributes);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationFile64(
- HANDLE file, PIO_STATUS_BLOCK io_status, PVOID file_information,
- ULONG length, FILE_INFORMATION_CLASS file_information_class) {
- NtSetInformationFileFunction orig_fn = reinterpret_cast<
- NtSetInformationFileFunction>(g_originals[SET_INFO_FILE_ID]);
- return TargetNtSetInformationFile(orig_fn, file, io_status, file_information,
- length, file_information_class);
-}
-
-// -----------------------------------------------------------------------
-
-SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW64(
- LPCWSTR pipe_name, DWORD open_mode, DWORD pipe_mode, DWORD max_instance,
- DWORD out_buffer_size, DWORD in_buffer_size, DWORD default_timeout,
- LPSECURITY_ATTRIBUTES security_attributes) {
- CreateNamedPipeWFunction orig_fn = reinterpret_cast<
- CreateNamedPipeWFunction>(g_originals[CREATE_NAMED_PIPE_ID]);
- return TargetCreateNamedPipeW(orig_fn, pipe_name, open_mode, pipe_mode,
- max_instance, out_buffer_size, in_buffer_size,
- default_timeout, security_attributes);
-}
-
-// -----------------------------------------------------------------------
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThread64(
- PHANDLE thread, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id) {
- NtOpenThreadFunction orig_fn = reinterpret_cast<
- NtOpenThreadFunction>(g_originals[OPEN_TREAD_ID]);
- return TargetNtOpenThread(orig_fn, thread, desired_access, object_attributes,
- client_id);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcess64(
- PHANDLE process, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id) {
- NtOpenProcessFunction orig_fn = reinterpret_cast<
- NtOpenProcessFunction>(g_originals[OPEN_PROCESS_ID]);
- return TargetNtOpenProcess(orig_fn, process, desired_access,
- object_attributes, client_id);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessToken64(
- HANDLE process, ACCESS_MASK desired_access, PHANDLE token) {
- NtOpenProcessTokenFunction orig_fn = reinterpret_cast<
- NtOpenProcessTokenFunction>(g_originals[OPEN_PROCESS_TOKEN_ID]);
- return TargetNtOpenProcessToken(orig_fn, process, desired_access, token);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessTokenEx64(
- HANDLE process, ACCESS_MASK desired_access, ULONG handle_attributes,
- PHANDLE token) {
- NtOpenProcessTokenExFunction orig_fn = reinterpret_cast<
- NtOpenProcessTokenExFunction>(g_originals[OPEN_PROCESS_TOKEN_EX_ID]);
- return TargetNtOpenProcessTokenEx(orig_fn, process, desired_access,
- handle_attributes, token);
-}
-
-SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessW64(
- LPCWSTR application_name, LPWSTR command_line,
- LPSECURITY_ATTRIBUTES process_attributes,
- LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
- LPVOID environment, LPCWSTR current_directory, LPSTARTUPINFOW startup_info,
- LPPROCESS_INFORMATION process_information) {
- CreateProcessWFunction orig_fn = reinterpret_cast<
- CreateProcessWFunction>(g_originals[CREATE_PROCESSW_ID]);
- return TargetCreateProcessW(orig_fn, application_name, command_line,
- process_attributes, thread_attributes,
- inherit_handles, flags, environment,
- current_directory, startup_info,
- process_information);
-}
-
-SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessA64(
- LPCSTR application_name, LPSTR command_line,
- LPSECURITY_ATTRIBUTES process_attributes,
- LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
- LPVOID environment, LPCSTR current_directory, LPSTARTUPINFOA startup_info,
- LPPROCESS_INFORMATION process_information) {
- CreateProcessAFunction orig_fn = reinterpret_cast<
- CreateProcessAFunction>(g_originals[CREATE_PROCESSA_ID]);
- return TargetCreateProcessA(orig_fn, application_name, command_line,
- process_attributes, thread_attributes,
- inherit_handles, flags, environment,
- current_directory, startup_info,
- process_information);
-}
-
-// -----------------------------------------------------------------------
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateKey64(
- PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, ULONG title_index,
- PUNICODE_STRING class_name, ULONG create_options, PULONG disposition) {
- NtCreateKeyFunction orig_fn = reinterpret_cast<
- NtCreateKeyFunction>(g_originals[CREATE_KEY_ID]);
- return TargetNtCreateKey(orig_fn, key, desired_access, object_attributes,
- title_index, class_name, create_options,
- disposition);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKey64(
- PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes) {
- NtOpenKeyFunction orig_fn = reinterpret_cast<
- NtOpenKeyFunction>(g_originals[OPEN_KEY_ID]);
- return TargetNtOpenKey(orig_fn, key, desired_access, object_attributes);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKeyEx64(
- PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, ULONG open_options) {
- NtOpenKeyExFunction orig_fn = reinterpret_cast<
- NtOpenKeyExFunction>(g_originals[OPEN_KEY_EX_ID]);
- return TargetNtOpenKeyEx(orig_fn, key, desired_access, object_attributes,
- open_options);
-}
-
-// -----------------------------------------------------------------------
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateEvent64(
- PHANDLE event_handle, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, EVENT_TYPE event_type,
- BOOLEAN initial_state) {
- NtCreateEventFunction orig_fn = reinterpret_cast<
- NtCreateEventFunction>(g_originals[CREATE_EVENT_ID]);
- return TargetNtCreateEvent(orig_fn, event_handle, desired_access,
- object_attributes, event_type, initial_state);
-}
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenEvent64(
- PHANDLE event_handle, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes) {
- NtOpenEventFunction orig_fn = reinterpret_cast<
- NtOpenEventFunction>(g_originals[OPEN_EVENT_ID]);
- return TargetNtOpenEvent(orig_fn, event_handle, desired_access,
- object_attributes);
-}
-
-// -----------------------------------------------------------------------
-
-SANDBOX_INTERCEPT BOOL WINAPI TargetGdiDllInitialize64(
- HANDLE dll,
- DWORD reason) {
- GdiDllInitializeFunction orig_fn = reinterpret_cast<
- GdiDllInitializeFunction>(g_originals[GDIINITIALIZE_ID]);
- return TargetGdiDllInitialize(orig_fn, dll, reason);
-}
-
-SANDBOX_INTERCEPT HGDIOBJ WINAPI TargetGetStockObject64(int object) {
- GetStockObjectFunction orig_fn = reinterpret_cast<
- GetStockObjectFunction>(g_originals[GETSTOCKOBJECT_ID]);
- return TargetGetStockObject(orig_fn, object);
-}
-
-SANDBOX_INTERCEPT ATOM WINAPI TargetRegisterClassW64(
- const WNDCLASS* wnd_class) {
- RegisterClassWFunction orig_fn = reinterpret_cast<
- RegisterClassWFunction>(g_originals[REGISTERCLASSW_ID]);
- return TargetRegisterClassW(orig_fn, wnd_class);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/interceptors_64.h b/security/sandbox/chromium/sandbox/win/src/interceptors_64.h
deleted file mode 100644
index 7368ceb84..000000000
--- a/security/sandbox/chromium/sandbox/win/src/interceptors_64.h
+++ /dev/null
@@ -1,175 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_INTERCEPTORS_64_H_
-#define SANDBOX_SRC_INTERCEPTORS_64_H_
-
-namespace sandbox {
-
-extern "C" {
-
-// Interception of NtMapViewOfSection on the child process.
-// It should never be called directly. This function provides the means to
-// detect dlls being loaded, so we can patch them if needed.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtMapViewOfSection64(
- HANDLE section, HANDLE process, PVOID *base, ULONG_PTR zero_bits,
- SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
- SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect);
-
-// Interception of NtUnmapViewOfSection on the child process.
-// It should never be called directly. This function provides the means to
-// detect dlls being unloaded, so we can clean up our interceptions.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtUnmapViewOfSection64(HANDLE process,
- PVOID base);
-
-// -----------------------------------------------------------------------
-// Interceptors without IPC.
-
-// Interception of NtSetInformationThread on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationThread64(
- HANDLE thread, NT_THREAD_INFORMATION_CLASS thread_info_class,
- PVOID thread_information, ULONG thread_information_bytes);
-
-// Interception of NtOpenThreadToken on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadToken64(
- HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
- PHANDLE token);
-
-// Interception of NtOpenThreadTokenEx on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadTokenEx64(
- HANDLE thread, ACCESS_MASK desired_access, BOOLEAN open_as_self,
- ULONG handle_attributes, PHANDLE token);
-
-// -----------------------------------------------------------------------
-// Interceptors handled by the file system dispatcher.
-
-// Interception of NtCreateFile on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateFile64(
- PHANDLE file, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
- PLARGE_INTEGER allocation_size, ULONG file_attributes, ULONG sharing,
- ULONG disposition, ULONG options, PVOID ea_buffer, ULONG ea_length);
-
-// Interception of NtOpenFile on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenFile64(
- PHANDLE file, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status,
- ULONG sharing, ULONG options);
-
-// Interception of NtQueryAtttributesFile on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryAttributesFile64(
- POBJECT_ATTRIBUTES object_attributes,
- PFILE_BASIC_INFORMATION file_attributes);
-
-// Interception of NtQueryFullAtttributesFile on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtQueryFullAttributesFile64(
- POBJECT_ATTRIBUTES object_attributes,
- PFILE_NETWORK_OPEN_INFORMATION file_attributes);
-
-// Interception of NtSetInformationFile on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationFile64(
- HANDLE file, PIO_STATUS_BLOCK io_status, PVOID file_information,
- ULONG length, FILE_INFORMATION_CLASS file_information_class);
-
-// -----------------------------------------------------------------------
-// Interceptors handled by the named pipe dispatcher.
-
-// Interception of CreateNamedPipeW in kernel32.dll
-SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW64(
- LPCWSTR pipe_name, DWORD open_mode, DWORD pipe_mode, DWORD max_instance,
- DWORD out_buffer_size, DWORD in_buffer_size, DWORD default_timeout,
- LPSECURITY_ATTRIBUTES security_attributes);
-
-// -----------------------------------------------------------------------
-// Interceptors handled by the process-thread dispatcher.
-
-// Interception of NtOpenThread on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThread64(
- PHANDLE thread, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id);
-
-// Interception of NtOpenProcess on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcess64(
- PHANDLE process, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id);
-
-// Interception of NtOpenProcessToken on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessToken64(
- HANDLE process, ACCESS_MASK desired_access, PHANDLE token);
-
-// Interception of NtOpenProcessTokenEx on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessTokenEx64(
- HANDLE process, ACCESS_MASK desired_access, ULONG handle_attributes,
- PHANDLE token);
-
-// Interception of CreateProcessW in kernel32.dll.
-SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessW64(
- LPCWSTR application_name, LPWSTR command_line,
- LPSECURITY_ATTRIBUTES process_attributes,
- LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
- LPVOID environment, LPCWSTR current_directory, LPSTARTUPINFOW startup_info,
- LPPROCESS_INFORMATION process_information);
-
-// Interception of CreateProcessA in kernel32.dll.
-SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessA64(
- LPCSTR application_name, LPSTR command_line,
- LPSECURITY_ATTRIBUTES process_attributes,
- LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
- LPVOID environment, LPCSTR current_directory, LPSTARTUPINFOA startup_info,
- LPPROCESS_INFORMATION process_information);
-
-// -----------------------------------------------------------------------
-// Interceptors handled by the registry dispatcher.
-
-// Interception of NtCreateKey on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateKey64(
- PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, ULONG title_index,
- PUNICODE_STRING class_name, ULONG create_options, PULONG disposition);
-
-// Interception of NtOpenKey on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKey64(
- PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes);
-
-// Interception of NtOpenKeyEx on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKeyEx64(
- PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, ULONG open_options);
-
-// -----------------------------------------------------------------------
-// Interceptors handled by the sync dispatcher.
-
-// Interception of NtCreateEvent/NtOpenEvent on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateEvent64(
- PHANDLE event_handle, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, EVENT_TYPE event_type,
- BOOLEAN initial_state);
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenEvent64(
- PHANDLE event_handle, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes);
-
-// -----------------------------------------------------------------------
-// Interceptors handled by the process mitigations win32k lockdown code.
-
-// Interceptor for the GdiDllInitialize function.
-SANDBOX_INTERCEPT BOOL WINAPI TargetGdiDllInitialize64(
- HANDLE dll,
- DWORD reason);
-
-// Interceptor for the GetStockObject function.
-SANDBOX_INTERCEPT HGDIOBJ WINAPI TargetGetStockObject64(int object);
-
-// Interceptor for the RegisterClassW function.
-SANDBOX_INTERCEPT ATOM WINAPI TargetRegisterClassW64(const WNDCLASS* wnd_class);
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_INTERCEPTORS_64_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/internal_types.h b/security/sandbox/chromium/sandbox/win/src/internal_types.h
deleted file mode 100644
index e1028189d..000000000
--- a/security/sandbox/chromium/sandbox/win/src/internal_types.h
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_INTERNAL_TYPES_H_
-#define SANDBOX_WIN_SRC_INTERNAL_TYPES_H_
-
-#include <stdint.h>
-
-namespace sandbox {
-
-const wchar_t kNtdllName[] = L"ntdll.dll";
-const wchar_t kKerneldllName[] = L"kernel32.dll";
-const wchar_t kKernelBasedllName[] = L"kernelbase.dll";
-
-// Defines the supported C++ types encoding to numeric id. Like a poor's man
-// RTTI. Note that true C++ RTTI will not work because the types are not
-// polymorphic anyway.
-enum ArgType {
- INVALID_TYPE = 0,
- WCHAR_TYPE,
- UINT32_TYPE,
- UNISTR_TYPE,
- VOIDPTR_TYPE,
- INPTR_TYPE,
- INOUTPTR_TYPE,
- LAST_TYPE
-};
-
-// Encapsulates a pointer to a buffer and the size of the buffer.
-class CountedBuffer {
- public:
- CountedBuffer(void* buffer, uint32_t size) : size_(size), buffer_(buffer) {}
-
- uint32_t Size() const { return size_; }
-
- void* Buffer() const {
- return buffer_;
- }
-
- private:
- uint32_t size_;
- void* buffer_;
-};
-
-// Helper class to convert void-pointer packed ints for both
-// 32 and 64 bit builds. This construct is non-portable.
-class IPCInt {
- public:
- explicit IPCInt(void* buffer) {
- buffer_.vp = buffer;
- }
-
- explicit IPCInt(unsigned __int32 i32) {
- buffer_.vp = NULL;
- buffer_.i32 = i32;
- }
-
- unsigned __int32 As32Bit() const {
- return buffer_.i32;
- }
-
- void* AsVoidPtr() const {
- return buffer_.vp;
- }
-
- private:
- union U {
- void* vp;
- unsigned __int32 i32;
- } buffer_;
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_WIN_SRC_INTERNAL_TYPES_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_ping_test.cc b/security/sandbox/chromium/sandbox/win/src/ipc_ping_test.cc
deleted file mode 100644
index 64e3de6c5..000000000
--- a/security/sandbox/chromium/sandbox/win/src/ipc_ping_test.cc
+++ /dev/null
@@ -1,58 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "testing/gtest/include/gtest/gtest.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/target_services.h"
-#include "sandbox/win/tests/common/controller.h"
-
-namespace sandbox {
-
-// Tests that the IPC is working by issuing a special IPC that is not exposed
-// in the public API.
-SBOX_TESTS_COMMAND int IPC_Ping(int argc, wchar_t **argv) {
- if (argc != 1)
- return SBOX_TEST_FAILED;
-
- TargetServices* ts = SandboxFactory::GetTargetServices();
- if (NULL == ts)
- return SBOX_TEST_FAILED;
-
- // Downcast because we have internal knowledge of the object returned.
- TargetServicesBase* ts_base = reinterpret_cast<TargetServicesBase*>(ts);
-
- int version = 0;
- if (L'1' == argv[0][0])
- version = 1;
- else
- version = 2;
-
- if (!ts_base->TestIPCPing(version))
- return SBOX_TEST_FAILED;
-
- ::Sleep(1);
- if (!ts_base->TestIPCPing(version))
- return SBOX_TEST_FAILED;
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-// The IPC ping test should work before and after the token drop.
-TEST(IPCTest, IPCPingTestSimple) {
- TestRunner runner;
- runner.SetTimeout(2000);
- runner.SetTestState(EVERY_STATE);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"IPC_Ping 1"));
-}
-
-TEST(IPCTest, IPCPingTestWithOutput) {
- TestRunner runner;
- runner.SetTimeout(2000);
- runner.SetTestState(EVERY_STATE);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"IPC_Ping 2"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"IPC_Ping 2"));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h b/security/sandbox/chromium/sandbox/win/src/ipc_tags.h
deleted file mode 100644
index d680411da..000000000
--- a/security/sandbox/chromium/sandbox/win/src/ipc_tags.h
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_IPC_TAGS_H__
-#define SANDBOX_SRC_IPC_TAGS_H__
-
-namespace sandbox {
-
-enum {
- IPC_UNUSED_TAG = 0,
- IPC_PING1_TAG, // Takes a cookie in parameters and returns the cookie
- // multiplied by 2 and the tick_count. Used for testing only.
- IPC_PING2_TAG, // Takes an in/out cookie in parameters and modify the cookie
- // to be multiplied by 3. Used for testing only.
- IPC_NTCREATEFILE_TAG,
- IPC_NTOPENFILE_TAG,
- IPC_NTQUERYATTRIBUTESFILE_TAG,
- IPC_NTQUERYFULLATTRIBUTESFILE_TAG,
- IPC_NTSETINFO_RENAME_TAG,
- IPC_CREATENAMEDPIPEW_TAG,
- IPC_NTOPENTHREAD_TAG,
- IPC_NTOPENPROCESS_TAG,
- IPC_NTOPENPROCESSTOKEN_TAG,
- IPC_NTOPENPROCESSTOKENEX_TAG,
- IPC_CREATEPROCESSW_TAG,
- IPC_CREATEEVENT_TAG,
- IPC_OPENEVENT_TAG,
- IPC_NTCREATEKEY_TAG,
- IPC_NTOPENKEY_TAG,
- IPC_DUPLICATEHANDLEPROXY_TAG,
- IPC_GDI_GDIDLLINITIALIZE_TAG,
- IPC_GDI_GETSTOCKOBJECT_TAG,
- IPC_USER_REGISTERCLASSW_TAG,
- IPC_LAST_TAG
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_IPC_TAGS_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/ipc_unittest.cc b/security/sandbox/chromium/sandbox/win/src/ipc_unittest.cc
deleted file mode 100644
index c41720da3..000000000
--- a/security/sandbox/chromium/sandbox/win/src/ipc_unittest.cc
+++ /dev/null
@@ -1,632 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/sharedmem_ipc_server.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-// Helper function to make the fake shared memory with some
-// basic elements initialized.
-IPCControl* MakeChannels(size_t channel_size, size_t total_shared_size,
- size_t* base_start) {
- // Allocate memory
- char* mem = new char[total_shared_size];
- memset(mem, 0, total_shared_size);
- // Calculate how many channels we can fit in the shared memory.
- total_shared_size -= offsetof(IPCControl, channels);
- size_t channel_count =
- total_shared_size / (sizeof(ChannelControl) + channel_size);
- // Calculate the start of the first channel.
- *base_start = (sizeof(ChannelControl)* channel_count) +
- offsetof(IPCControl, channels);
- // Setup client structure.
- IPCControl* client_control = reinterpret_cast<IPCControl*>(mem);
- client_control->channels_count = channel_count;
- return client_control;
-}
-
-enum TestFixMode {
- FIX_NO_EVENTS,
- FIX_PONG_READY,
- FIX_PONG_NOT_READY
-};
-
-void FixChannels(IPCControl* client_control, size_t base_start,
- size_t channel_size, TestFixMode mode) {
- for (size_t ix = 0; ix != client_control->channels_count; ++ix) {
- ChannelControl& channel = client_control->channels[ix];
- channel.channel_base = base_start;
- channel.state = kFreeChannel;
- if (mode != FIX_NO_EVENTS) {
- BOOL signaled = (FIX_PONG_READY == mode)? TRUE : FALSE;
- channel.ping_event = ::CreateEventW(NULL, FALSE, FALSE, NULL);
- channel.pong_event = ::CreateEventW(NULL, FALSE, signaled, NULL);
- }
- base_start += channel_size;
- }
-}
-
-void CloseChannelEvents(IPCControl* client_control) {
- for (size_t ix = 0; ix != client_control->channels_count; ++ix) {
- ChannelControl& channel = client_control->channels[ix];
- ::CloseHandle(channel.ping_event);
- ::CloseHandle(channel.pong_event);
- }
-}
-
-TEST(IPCTest, ChannelMaker) {
- // Test that our testing rig is computing offsets properly. We should have
- // 5 channnels and the offset to the first channel is 108 bytes in 32 bits
- // and 216 in 64 bits.
- size_t channel_start = 0;
- IPCControl* client_control = MakeChannels(12 * 64, 4096, &channel_start);
- ASSERT_TRUE(NULL != client_control);
- EXPECT_EQ(5u, client_control->channels_count);
-#if defined(_WIN64)
- EXPECT_EQ(216u, channel_start);
-#else
- EXPECT_EQ(108u, channel_start);
-#endif
- delete[] reinterpret_cast<char*>(client_control);
-}
-
-TEST(IPCTest, ClientLockUnlock) {
- // Make 7 channels of kIPCChannelSize (1kb) each. Test that we lock and
- // unlock channels properly.
- size_t base_start = 0;
- IPCControl* client_control =
- MakeChannels(kIPCChannelSize, 4096 * 2, &base_start);
- FixChannels(client_control, base_start, kIPCChannelSize, FIX_NO_EVENTS);
-
- char* mem = reinterpret_cast<char*>(client_control);
- SharedMemIPCClient client(mem);
-
- // Test that we lock the first 3 channels in sequence.
- void* buff0 = client.GetBuffer();
- EXPECT_TRUE(mem + client_control->channels[0].channel_base == buff0);
- EXPECT_EQ(kBusyChannel, client_control->channels[0].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[1].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[2].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[3].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[4].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[5].state);
-
- void* buff1 = client.GetBuffer();
- EXPECT_TRUE(mem + client_control->channels[1].channel_base == buff1);
- EXPECT_EQ(kBusyChannel, client_control->channels[0].state);
- EXPECT_EQ(kBusyChannel, client_control->channels[1].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[2].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[3].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[4].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[5].state);
-
- void* buff2 = client.GetBuffer();
- EXPECT_TRUE(mem + client_control->channels[2].channel_base == buff2);
- EXPECT_EQ(kBusyChannel, client_control->channels[0].state);
- EXPECT_EQ(kBusyChannel, client_control->channels[1].state);
- EXPECT_EQ(kBusyChannel, client_control->channels[2].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[3].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[4].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[5].state);
-
- // Test that we unlock and re-lock the right channel.
- client.FreeBuffer(buff1);
- EXPECT_EQ(kBusyChannel, client_control->channels[0].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[1].state);
- EXPECT_EQ(kBusyChannel, client_control->channels[2].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[3].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[4].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[5].state);
-
- void* buff2b = client.GetBuffer();
- EXPECT_TRUE(mem + client_control->channels[1].channel_base == buff2b);
- EXPECT_EQ(kBusyChannel, client_control->channels[0].state);
- EXPECT_EQ(kBusyChannel, client_control->channels[1].state);
- EXPECT_EQ(kBusyChannel, client_control->channels[2].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[3].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[4].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[5].state);
-
- client.FreeBuffer(buff0);
- EXPECT_EQ(kFreeChannel, client_control->channels[0].state);
- EXPECT_EQ(kBusyChannel, client_control->channels[1].state);
- EXPECT_EQ(kBusyChannel, client_control->channels[2].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[3].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[4].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[5].state);
-
- delete[] reinterpret_cast<char*>(client_control);
-}
-
-TEST(IPCTest, CrossCallStrPacking) {
- // This test tries the CrossCall object with null and non-null string
- // combination of parameters, integer types and verifies that the unpacker
- // can read them properly.
- size_t base_start = 0;
- IPCControl* client_control =
- MakeChannels(kIPCChannelSize, 4096 * 4, &base_start);
- client_control->server_alive = HANDLE(1);
- FixChannels(client_control, base_start, kIPCChannelSize, FIX_PONG_READY);
-
- char* mem = reinterpret_cast<char*>(client_control);
- SharedMemIPCClient client(mem);
-
- CrossCallReturn answer;
- uint32_t tag1 = 666;
- const wchar_t *text = L"98765 - 43210";
- base::string16 copied_text;
- CrossCallParamsEx* actual_params;
-
- CrossCall(client, tag1, text, &answer);
- actual_params = reinterpret_cast<CrossCallParamsEx*>(client.GetBuffer());
- EXPECT_EQ(1u, actual_params->GetParamsCount());
- EXPECT_EQ(tag1, actual_params->GetTag());
- EXPECT_TRUE(actual_params->GetParameterStr(0, &copied_text));
- EXPECT_STREQ(text, copied_text.c_str());
-
- // Check with an empty string.
- uint32_t tag2 = 777;
- const wchar_t* null_text = NULL;
- CrossCall(client, tag2, null_text, &answer);
- actual_params = reinterpret_cast<CrossCallParamsEx*>(client.GetBuffer());
- EXPECT_EQ(1u, actual_params->GetParamsCount());
- EXPECT_EQ(tag2, actual_params->GetTag());
- uint32_t param_size = 1;
- ArgType type = INVALID_TYPE;
- void* param_addr = actual_params->GetRawParameter(0, &param_size, &type);
- EXPECT_TRUE(NULL != param_addr);
- EXPECT_EQ(0u, param_size);
- EXPECT_EQ(WCHAR_TYPE, type);
- EXPECT_TRUE(actual_params->GetParameterStr(0, &copied_text));
-
- uint32_t tag3 = 888;
- param_size = 1;
- copied_text.clear();
-
- // Check with an empty string and a non-empty string.
- CrossCall(client, tag3, null_text, text, &answer);
- actual_params = reinterpret_cast<CrossCallParamsEx*>(client.GetBuffer());
- EXPECT_EQ(2u, actual_params->GetParamsCount());
- EXPECT_EQ(tag3, actual_params->GetTag());
- type = INVALID_TYPE;
- param_addr = actual_params->GetRawParameter(0, &param_size, &type);
- EXPECT_TRUE(NULL != param_addr);
- EXPECT_EQ(0u, param_size);
- EXPECT_EQ(WCHAR_TYPE, type);
- EXPECT_TRUE(actual_params->GetParameterStr(0, &copied_text));
- EXPECT_TRUE(actual_params->GetParameterStr(1, &copied_text));
- EXPECT_STREQ(text, copied_text.c_str());
-
- param_size = 1;
- base::string16 copied_text_p0, copied_text_p2;
-
- const wchar_t *text2 = L"AeFG";
- CrossCall(client, tag1, text2, null_text, text, &answer);
- actual_params = reinterpret_cast<CrossCallParamsEx*>(client.GetBuffer());
- EXPECT_EQ(3u, actual_params->GetParamsCount());
- EXPECT_EQ(tag1, actual_params->GetTag());
- EXPECT_TRUE(actual_params->GetParameterStr(0, &copied_text_p0));
- EXPECT_STREQ(text2, copied_text_p0.c_str());
- EXPECT_TRUE(actual_params->GetParameterStr(2, &copied_text_p2));
- EXPECT_STREQ(text, copied_text_p2.c_str());
- type = INVALID_TYPE;
- param_addr = actual_params->GetRawParameter(1, &param_size, &type);
- EXPECT_TRUE(NULL != param_addr);
- EXPECT_EQ(0u, param_size);
- EXPECT_EQ(WCHAR_TYPE, type);
-
- CloseChannelEvents(client_control);
- delete[] reinterpret_cast<char*>(client_control);
-}
-
-TEST(IPCTest, CrossCallIntPacking) {
- // Check handling for regular 32 bit integers used in Windows.
- size_t base_start = 0;
- IPCControl* client_control =
- MakeChannels(kIPCChannelSize, 4096 * 4, &base_start);
- client_control->server_alive = HANDLE(1);
- FixChannels(client_control, base_start, kIPCChannelSize, FIX_PONG_READY);
-
- uint32_t tag1 = 999;
- uint32_t tag2 = 111;
- const wchar_t *text = L"godzilla";
- CrossCallParamsEx* actual_params;
-
- char* mem = reinterpret_cast<char*>(client_control);
- SharedMemIPCClient client(mem);
-
- CrossCallReturn answer;
- DWORD dw = 0xE6578;
- CrossCall(client, tag2, dw, &answer);
- actual_params = reinterpret_cast<CrossCallParamsEx*>(client.GetBuffer());
- EXPECT_EQ(1u, actual_params->GetParamsCount());
- EXPECT_EQ(tag2, actual_params->GetTag());
- ArgType type = INVALID_TYPE;
- uint32_t param_size = 1;
- void* param_addr = actual_params->GetRawParameter(0, &param_size, &type);
- ASSERT_EQ(sizeof(dw), param_size);
- EXPECT_EQ(UINT32_TYPE, type);
- ASSERT_TRUE(NULL != param_addr);
- EXPECT_EQ(0, memcmp(&dw, param_addr, param_size));
-
- // Check handling for windows HANDLES.
- HANDLE h = HANDLE(0x70000500);
- CrossCall(client, tag1, text, h, &answer);
- actual_params = reinterpret_cast<CrossCallParamsEx*>(client.GetBuffer());
- EXPECT_EQ(2u, actual_params->GetParamsCount());
- EXPECT_EQ(tag1, actual_params->GetTag());
- type = INVALID_TYPE;
- param_addr = actual_params->GetRawParameter(1, &param_size, &type);
- ASSERT_EQ(sizeof(h), param_size);
- EXPECT_EQ(VOIDPTR_TYPE, type);
- ASSERT_TRUE(NULL != param_addr);
- EXPECT_EQ(0, memcmp(&h, param_addr, param_size));
-
- // Check combination of 32 and 64 bits.
- CrossCall(client, tag2, h, dw, h, &answer);
- actual_params = reinterpret_cast<CrossCallParamsEx*>(client.GetBuffer());
- EXPECT_EQ(3u, actual_params->GetParamsCount());
- EXPECT_EQ(tag2, actual_params->GetTag());
- type = INVALID_TYPE;
- param_addr = actual_params->GetRawParameter(0, &param_size, &type);
- ASSERT_EQ(sizeof(h), param_size);
- EXPECT_EQ(VOIDPTR_TYPE, type);
- ASSERT_TRUE(NULL != param_addr);
- EXPECT_EQ(0, memcmp(&h, param_addr, param_size));
- type = INVALID_TYPE;
- param_addr = actual_params->GetRawParameter(1, &param_size, &type);
- ASSERT_EQ(sizeof(dw), param_size);
- EXPECT_EQ(UINT32_TYPE, type);
- ASSERT_TRUE(NULL != param_addr);
- EXPECT_EQ(0, memcmp(&dw, param_addr, param_size));
- type = INVALID_TYPE;
- param_addr = actual_params->GetRawParameter(2, &param_size, &type);
- ASSERT_EQ(sizeof(h), param_size);
- EXPECT_EQ(VOIDPTR_TYPE, type);
- ASSERT_TRUE(NULL != param_addr);
- EXPECT_EQ(0, memcmp(&h, param_addr, param_size));
-
- CloseChannelEvents(client_control);
- delete[] reinterpret_cast<char*>(client_control);
-}
-
-TEST(IPCTest, CrossCallValidation) {
- // First a sanity test with a well formed parameter object.
- unsigned long value = 124816;
- const uint32_t kTag = 33;
- const uint32_t kBufferSize = 256;
- ActualCallParams<1, kBufferSize> params_1(kTag);
- params_1.CopyParamIn(0, &value, sizeof(value), false, UINT32_TYPE);
- void* buffer = const_cast<void*>(params_1.GetBuffer());
-
- uint32_t out_size = 0;
- CrossCallParamsEx* ccp = 0;
- ccp = CrossCallParamsEx::CreateFromBuffer(buffer, params_1.GetSize(),
- &out_size);
- ASSERT_TRUE(NULL != ccp);
- EXPECT_TRUE(ccp->GetBuffer() != buffer);
- EXPECT_EQ(kTag, ccp->GetTag());
- EXPECT_EQ(1u, ccp->GetParamsCount());
- delete[] (reinterpret_cast<char*>(ccp));
-
- // Test that we handle integer overflow on the number of params
- // correctly. We use a test-only ctor for ActualCallParams that
- // allows to create malformed cross-call buffers.
- const int32_t kPtrDiffSz = sizeof(ptrdiff_t);
- for (int32_t ix = -1; ix != 3; ++ix) {
- uint32_t fake_num_params = (UINT32_MAX / kPtrDiffSz) + ix;
- ActualCallParams<1, kBufferSize> params_2(kTag, fake_num_params);
- params_2.CopyParamIn(0, &value, sizeof(value), false, UINT32_TYPE);
- buffer = const_cast<void*>(params_2.GetBuffer());
-
- EXPECT_TRUE(NULL != buffer);
- ccp = CrossCallParamsEx::CreateFromBuffer(buffer, params_1.GetSize(),
- &out_size);
- // If the buffer is malformed the return is NULL.
- EXPECT_TRUE(NULL == ccp);
- }
-
- ActualCallParams<1, kBufferSize> params_3(kTag, 1);
- params_3.CopyParamIn(0, &value, sizeof(value), false, UINT32_TYPE);
- buffer = const_cast<void*>(params_3.GetBuffer());
- EXPECT_TRUE(NULL != buffer);
-
- uint32_t correct_size = params_3.OverrideSize(1);
- ccp = CrossCallParamsEx::CreateFromBuffer(buffer, kBufferSize, &out_size);
- EXPECT_TRUE(NULL == ccp);
-
- // The correct_size is 8 bytes aligned.
- params_3.OverrideSize(correct_size - 7);
- ccp = CrossCallParamsEx::CreateFromBuffer(buffer, kBufferSize, &out_size);
- EXPECT_TRUE(NULL == ccp);
-
- params_3.OverrideSize(correct_size);
- ccp = CrossCallParamsEx::CreateFromBuffer(buffer, kBufferSize, &out_size);
- EXPECT_TRUE(NULL != ccp);
-
- // Make sure that two parameters work as expected.
- ActualCallParams<2, kBufferSize> params_4(kTag, 2);
- params_4.CopyParamIn(0, &value, sizeof(value), false, UINT32_TYPE);
- params_4.CopyParamIn(1, buffer, sizeof(buffer), false, VOIDPTR_TYPE);
- buffer = const_cast<void*>(params_4.GetBuffer());
- EXPECT_TRUE(NULL != buffer);
-
- ccp = CrossCallParamsEx::CreateFromBuffer(buffer, kBufferSize, &out_size);
- EXPECT_TRUE(NULL != ccp);
-
-#if defined(_WIN64)
- correct_size = params_4.OverrideSize(1);
- params_4.OverrideSize(correct_size - 1);
- ccp = CrossCallParamsEx::CreateFromBuffer(buffer, kBufferSize, &out_size);
- EXPECT_TRUE(NULL == ccp);
-#endif
-}
-
-// This structure is passed to the mock server threads to simulate
-// the server side IPC so it has the required kernel objects.
-struct ServerEvents {
- HANDLE ping;
- HANDLE pong;
- volatile LONG* state;
- HANDLE mutex;
-};
-
-// This is the server thread that quicky answers an IPC and exits.
-DWORD WINAPI QuickResponseServer(PVOID param) {
- ServerEvents* events = reinterpret_cast<ServerEvents*>(param);
- DWORD wait_result = 0;
- wait_result = ::WaitForSingleObject(events->ping, INFINITE);
- ::InterlockedExchange(events->state, kAckChannel);
- ::SetEvent(events->pong);
- return wait_result;
-}
-
-class CrossCallParamsMock : public CrossCallParams {
- public:
- CrossCallParamsMock(uint32_t tag, uint32_t params_count)
- : CrossCallParams(tag, params_count) {}
-};
-
-void FakeOkAnswerInChannel(void* channel) {
- CrossCallReturn* answer = reinterpret_cast<CrossCallReturn*>(channel);
- answer->call_outcome = SBOX_ALL_OK;
-}
-
-// Create two threads that will quickly answer IPCs; the first one
-// using channel 1 (channel 0 is busy) and one using channel 0. No time-out
-// should occur.
-TEST(IPCTest, ClientFastServer) {
- const size_t channel_size = kIPCChannelSize;
- size_t base_start = 0;
- IPCControl* client_control =
- MakeChannels(channel_size, 4096 * 2, &base_start);
- FixChannels(client_control, base_start, kIPCChannelSize, FIX_PONG_NOT_READY);
- client_control->server_alive = ::CreateMutex(NULL, FALSE, NULL);
-
- char* mem = reinterpret_cast<char*>(client_control);
- SharedMemIPCClient client(mem);
-
- ServerEvents events = {0};
- events.ping = client_control->channels[1].ping_event;
- events.pong = client_control->channels[1].pong_event;
- events.state = &client_control->channels[1].state;
-
- HANDLE t1 = ::CreateThread(NULL, 0, QuickResponseServer, &events, 0, NULL);
- ASSERT_TRUE(NULL != t1);
- ::CloseHandle(t1);
-
- void* buff0 = client.GetBuffer();
- EXPECT_TRUE(mem + client_control->channels[0].channel_base == buff0);
- EXPECT_EQ(kBusyChannel, client_control->channels[0].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[1].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[2].state);
-
- void* buff1 = client.GetBuffer();
- EXPECT_TRUE(mem + client_control->channels[1].channel_base == buff1);
- EXPECT_EQ(kBusyChannel, client_control->channels[0].state);
- EXPECT_EQ(kBusyChannel, client_control->channels[1].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[2].state);
-
- EXPECT_EQ(0u, client_control->channels[1].ipc_tag);
-
- uint32_t tag = 7654;
- CrossCallReturn answer;
- CrossCallParamsMock* params1 = new(buff1) CrossCallParamsMock(tag, 1);
- FakeOkAnswerInChannel(buff1);
-
- ResultCode result = client.DoCall(params1, &answer);
- if (SBOX_ERROR_CHANNEL_ERROR != result)
- client.FreeBuffer(buff1);
-
- EXPECT_TRUE(SBOX_ALL_OK == result);
- EXPECT_EQ(tag, client_control->channels[1].ipc_tag);
- EXPECT_EQ(kBusyChannel, client_control->channels[0].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[1].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[2].state);
-
- HANDLE t2 = ::CreateThread(NULL, 0, QuickResponseServer, &events, 0, NULL);
- ASSERT_TRUE(NULL != t2);
- ::CloseHandle(t2);
-
- client.FreeBuffer(buff0);
- events.ping = client_control->channels[0].ping_event;
- events.pong = client_control->channels[0].pong_event;
- events.state = &client_control->channels[0].state;
-
- tag = 4567;
- CrossCallParamsMock* params2 = new(buff0) CrossCallParamsMock(tag, 1);
- FakeOkAnswerInChannel(buff0);
-
- result = client.DoCall(params2, &answer);
- if (SBOX_ERROR_CHANNEL_ERROR != result)
- client.FreeBuffer(buff0);
-
- EXPECT_TRUE(SBOX_ALL_OK == result);
- EXPECT_EQ(tag, client_control->channels[0].ipc_tag);
- EXPECT_EQ(kFreeChannel, client_control->channels[0].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[1].state);
- EXPECT_EQ(kFreeChannel, client_control->channels[2].state);
-
- CloseChannelEvents(client_control);
- ::CloseHandle(client_control->server_alive);
-
- delete[] reinterpret_cast<char*>(client_control);
-}
-
-// This is the server thread that very slowly answers an IPC and exits. Note
-// that the pong event needs to be signaled twice.
-DWORD WINAPI SlowResponseServer(PVOID param) {
- ServerEvents* events = reinterpret_cast<ServerEvents*>(param);
- DWORD wait_result = 0;
- wait_result = ::WaitForSingleObject(events->ping, INFINITE);
- ::Sleep(kIPCWaitTimeOut1 + kIPCWaitTimeOut2 + 200);
- ::InterlockedExchange(events->state, kAckChannel);
- ::SetEvent(events->pong);
- return wait_result;
-}
-
-// This thread's job is to keep the mutex locked.
-DWORD WINAPI MainServerThread(PVOID param) {
- ServerEvents* events = reinterpret_cast<ServerEvents*>(param);
- DWORD wait_result = 0;
- wait_result = ::WaitForSingleObject(events->mutex, INFINITE);
- Sleep(kIPCWaitTimeOut1 * 20);
- return wait_result;
-}
-
-// Creates a server thread that answers the IPC so slow that is guaranteed to
-// trigger the time-out code path in the client. A second thread is created
-// to hold locked the server_alive mutex: this signals the client that the
-// server is not dead and it retries the wait.
-TEST(IPCTest, ClientSlowServer) {
- size_t base_start = 0;
- IPCControl* client_control =
- MakeChannels(kIPCChannelSize, 4096*2, &base_start);
- FixChannels(client_control, base_start, kIPCChannelSize, FIX_PONG_NOT_READY);
- client_control->server_alive = ::CreateMutex(NULL, FALSE, NULL);
-
- char* mem = reinterpret_cast<char*>(client_control);
- SharedMemIPCClient client(mem);
-
- ServerEvents events = {0};
- events.ping = client_control->channels[0].ping_event;
- events.pong = client_control->channels[0].pong_event;
- events.state = &client_control->channels[0].state;
-
- HANDLE t1 = ::CreateThread(NULL, 0, SlowResponseServer, &events, 0, NULL);
- ASSERT_TRUE(NULL != t1);
- ::CloseHandle(t1);
-
- ServerEvents events2 = {0};
- events2.pong = events.pong;
- events2.mutex = client_control->server_alive;
-
- HANDLE t2 = ::CreateThread(NULL, 0, MainServerThread, &events2, 0, NULL);
- ASSERT_TRUE(NULL != t2);
- ::CloseHandle(t2);
-
- ::Sleep(1);
-
- void* buff0 = client.GetBuffer();
- uint32_t tag = 4321;
- CrossCallReturn answer;
- CrossCallParamsMock* params1 = new(buff0) CrossCallParamsMock(tag, 1);
- FakeOkAnswerInChannel(buff0);
-
- ResultCode result = client.DoCall(params1, &answer);
- if (SBOX_ERROR_CHANNEL_ERROR != result)
- client.FreeBuffer(buff0);
-
- EXPECT_TRUE(SBOX_ALL_OK == result);
- EXPECT_EQ(tag, client_control->channels[0].ipc_tag);
- EXPECT_EQ(kFreeChannel, client_control->channels[0].state);
-
- CloseChannelEvents(client_control);
- ::CloseHandle(client_control->server_alive);
- delete[] reinterpret_cast<char*>(client_control);
-}
-
-// This test-only IPC dispatcher has two handlers with the same signature
-// but only CallOneHandler should be used.
-class UnitTestIPCDispatcher : public Dispatcher {
- public:
- enum {
- CALL_ONE_TAG = 78,
- CALL_TWO_TAG = 87
- };
-
- UnitTestIPCDispatcher();
- ~UnitTestIPCDispatcher() override{};
-
- bool SetupService(InterceptionManager* manager, int service) override {
- return true;
- }
-
- private:
- bool CallOneHandler(IPCInfo* ipc, HANDLE p1, uint32_t p2) {
- ipc->return_info.extended[0].handle = p1;
- ipc->return_info.extended[1].unsigned_int = p2;
- return true;
- }
-
- bool CallTwoHandler(IPCInfo* ipc, HANDLE p1, uint32_t p2) { return true; }
-};
-
-UnitTestIPCDispatcher::UnitTestIPCDispatcher() {
- static const IPCCall call_one = {{CALL_ONE_TAG, {VOIDPTR_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &UnitTestIPCDispatcher::CallOneHandler)};
- static const IPCCall call_two = {{CALL_TWO_TAG, {VOIDPTR_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &UnitTestIPCDispatcher::CallTwoHandler)};
- ipc_calls_.push_back(call_one);
- ipc_calls_.push_back(call_two);
-}
-
-// This test does most of the shared memory IPC client-server roundtrip
-// and tests the packing, unpacking and call dispatching.
-TEST(IPCTest, SharedMemServerTests) {
- size_t base_start = 0;
- IPCControl* client_control =
- MakeChannels(kIPCChannelSize, 4096, &base_start);
- client_control->server_alive = HANDLE(1);
- FixChannels(client_control, base_start, kIPCChannelSize, FIX_PONG_READY);
-
- char* mem = reinterpret_cast<char*>(client_control);
- SharedMemIPCClient client(mem);
-
- CrossCallReturn answer;
- HANDLE bar = HANDLE(191919);
- DWORD foo = 6767676;
- CrossCall(client, UnitTestIPCDispatcher::CALL_ONE_TAG, bar, foo, &answer);
- void* buff = client.GetBuffer();
- ASSERT_TRUE(NULL != buff);
-
- UnitTestIPCDispatcher dispatcher;
- // Since we are directly calling InvokeCallback, most of this structure
- // can be set to NULL.
- sandbox::SharedMemIPCServer::ServerControl srv_control = {};
- srv_control.channel_size = kIPCChannelSize;
- srv_control.shared_base = reinterpret_cast<char*>(client_control);
- srv_control.dispatcher = &dispatcher;
-
- sandbox::CrossCallReturn call_return = {0};
- EXPECT_TRUE(SharedMemIPCServer::InvokeCallback(&srv_control, buff,
- &call_return));
- EXPECT_EQ(SBOX_ALL_OK, call_return.call_outcome);
- EXPECT_TRUE(bar == call_return.extended[0].handle);
- EXPECT_EQ(foo, call_return.extended[1].unsigned_int);
-
- CloseChannelEvents(client_control);
- delete[] reinterpret_cast<char*>(client_control);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/job.cc b/security/sandbox/chromium/sandbox/win/src/job.cc
deleted file mode 100644
index adf392ddd..000000000
--- a/security/sandbox/chromium/sandbox/win/src/job.cc
+++ /dev/null
@@ -1,119 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/job.h"
-
-#include <stddef.h>
-
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/restricted_token.h"
-
-namespace sandbox {
-
-Job::Job() : job_handle_(NULL) {
-};
-
-Job::~Job() {
-};
-
-DWORD Job::Init(JobLevel security_level,
- const wchar_t* job_name,
- DWORD ui_exceptions,
- size_t memory_limit) {
- if (job_handle_.IsValid())
- return ERROR_ALREADY_INITIALIZED;
-
- job_handle_.Set(::CreateJobObject(NULL, // No security attribute
- job_name));
- if (!job_handle_.IsValid())
- return ::GetLastError();
-
- JOBOBJECT_EXTENDED_LIMIT_INFORMATION jeli = {};
- JOBOBJECT_BASIC_UI_RESTRICTIONS jbur = {};
-
- // Set the settings for the different security levels. Note: The higher levels
- // inherit from the lower levels.
- switch (security_level) {
- case JOB_LOCKDOWN: {
- jeli.BasicLimitInformation.LimitFlags |=
- JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION;
- }
- case JOB_RESTRICTED: {
- jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_WRITECLIPBOARD;
- jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_READCLIPBOARD;
- jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_HANDLES;
- jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_GLOBALATOMS;
- }
- case JOB_LIMITED_USER: {
- jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DISPLAYSETTINGS;
- jeli.BasicLimitInformation.LimitFlags |= JOB_OBJECT_LIMIT_ACTIVE_PROCESS;
- jeli.BasicLimitInformation.ActiveProcessLimit = 1;
- }
- case JOB_INTERACTIVE: {
- jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS;
- jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_DESKTOP;
- jbur.UIRestrictionsClass |= JOB_OBJECT_UILIMIT_EXITWINDOWS;
- }
- case JOB_UNPROTECTED: {
- if (memory_limit) {
- jeli.BasicLimitInformation.LimitFlags |=
- JOB_OBJECT_LIMIT_PROCESS_MEMORY;
- jeli.ProcessMemoryLimit = memory_limit;
- }
-
- jeli.BasicLimitInformation.LimitFlags |=
- JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE;
- break;
- }
- default: {
- return ERROR_BAD_ARGUMENTS;
- }
- }
-
- if (FALSE == ::SetInformationJobObject(job_handle_.Get(),
- JobObjectExtendedLimitInformation,
- &jeli,
- sizeof(jeli))) {
- return ::GetLastError();
- }
-
- jbur.UIRestrictionsClass = jbur.UIRestrictionsClass & (~ui_exceptions);
- if (FALSE == ::SetInformationJobObject(job_handle_.Get(),
- JobObjectBasicUIRestrictions,
- &jbur,
- sizeof(jbur))) {
- return ::GetLastError();
- }
-
- return ERROR_SUCCESS;
-}
-
-DWORD Job::UserHandleGrantAccess(HANDLE handle) {
- if (!job_handle_.IsValid())
- return ERROR_NO_DATA;
-
- if (!::UserHandleGrantAccess(handle,
- job_handle_.Get(),
- TRUE)) { // Access allowed.
- return ::GetLastError();
- }
-
- return ERROR_SUCCESS;
-}
-
-base::win::ScopedHandle Job::Take() {
- return job_handle_.Pass();
-}
-
-DWORD Job::AssignProcessToJob(HANDLE process_handle) {
- if (!job_handle_.IsValid())
- return ERROR_NO_DATA;
-
- if (FALSE == ::AssignProcessToJobObject(job_handle_.Get(), process_handle))
- return ::GetLastError();
-
- return ERROR_SUCCESS;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/job.h b/security/sandbox/chromium/sandbox/win/src/job.h
deleted file mode 100644
index ad3dd41f2..000000000
--- a/security/sandbox/chromium/sandbox/win/src/job.h
+++ /dev/null
@@ -1,67 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_JOB_H_
-#define SANDBOX_SRC_JOB_H_
-
-#include <stddef.h>
-
-#include "base/macros.h"
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/restricted_token_utils.h"
-
-namespace sandbox {
-
-// Handles the creation of job objects based on a security profile.
-// Sample usage:
-// Job job;
-// job.Init(JOB_LOCKDOWN, NULL); //no job name
-// job.AssignProcessToJob(process_handle);
-class Job {
- public:
- Job();
-
- ~Job();
-
- // Initializes and creates the job object. The security of the job is based
- // on the security_level parameter.
- // job_name can be NULL if the job is unnamed.
- // If the chosen profile has too many ui restrictions, you can disable some
- // by specifying them in the ui_exceptions parameters.
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- DWORD Init(JobLevel security_level,
- const wchar_t* job_name,
- DWORD ui_exceptions,
- size_t memory_limit);
-
- // Assigns the process referenced by process_handle to the job.
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- DWORD AssignProcessToJob(HANDLE process_handle);
-
- // Grants access to "handle" to the job. All processes in the job can
- // subsequently recognize and use the handle.
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- DWORD UserHandleGrantAccess(HANDLE handle);
-
- // Revokes ownership to the job handle and returns it.
- // If the object is not yet initialized, it returns an invalid handle.
- base::win::ScopedHandle Take();
-
- private:
- // Handle to the job referenced by the object.
- base::win::ScopedHandle job_handle_;
-
- DISALLOW_COPY_AND_ASSIGN(Job);
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_SRC_JOB_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/job_unittest.cc b/security/sandbox/chromium/sandbox/win/src/job_unittest.cc
deleted file mode 100644
index 7ed9cf0d7..000000000
--- a/security/sandbox/chromium/sandbox/win/src/job_unittest.cc
+++ /dev/null
@@ -1,204 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file contains unit tests for the job object.
-
-#include "base/win/scoped_process_information.h"
-#include "sandbox/win/src/job.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-// Tests the creation and destruction of the job.
-TEST(JobTest, TestCreation) {
- // Scope the creation of Job.
- {
- // Create the job.
- Job job;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job.Init(JOB_LOCKDOWN, L"my_test_job_name", 0, 0));
-
- // check if the job exists.
- HANDLE job_handle = ::OpenJobObjectW(GENERIC_ALL, FALSE,
- L"my_test_job_name");
- ASSERT_TRUE(job_handle != NULL);
-
- if (job_handle)
- CloseHandle(job_handle);
- }
-
- // Check if the job is destroyed when the object goes out of scope.
- HANDLE job_handle = ::OpenJobObjectW(GENERIC_ALL, FALSE, L"my_test_job_name");
- ASSERT_TRUE(job_handle == NULL);
- ASSERT_EQ(static_cast<DWORD>(ERROR_FILE_NOT_FOUND), ::GetLastError());
-}
-
-// Tests the method "Take".
-TEST(JobTest, Take) {
- base::win::ScopedHandle job_handle;
- // Scope the creation of Job.
- {
- // Create the job.
- Job job;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job.Init(JOB_LOCKDOWN, L"my_test_job_name", 0, 0));
-
- job_handle = job.Take();
- ASSERT_TRUE(job_handle.IsValid());
- }
-
- // Check to be sure that the job is still alive even after the object is gone
- // out of scope.
- HANDLE job_handle_dup = ::OpenJobObjectW(GENERIC_ALL, FALSE,
- L"my_test_job_name");
- ASSERT_TRUE(job_handle_dup != NULL);
-
- // Remove all references.
- if (job_handle_dup)
- ::CloseHandle(job_handle_dup);
-
- job_handle.Close();
-
- // Check if the jbo is really dead.
- job_handle_dup = ::OpenJobObjectW(GENERIC_ALL, FALSE, L"my_test_job_name");
- ASSERT_TRUE(job_handle_dup == NULL);
- ASSERT_EQ(static_cast<DWORD>(ERROR_FILE_NOT_FOUND), ::GetLastError());
-}
-
-// Tests the ui exceptions
-TEST(JobTest, TestExceptions) {
- base::win::ScopedHandle job_handle;
- // Scope the creation of Job.
- {
- // Create the job.
- Job job;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job.Init(JOB_LOCKDOWN, L"my_test_job_name",
- JOB_OBJECT_UILIMIT_READCLIPBOARD, 0));
-
- job_handle = job.Take();
- ASSERT_TRUE(job_handle.IsValid());
-
- JOBOBJECT_BASIC_UI_RESTRICTIONS jbur = {0};
- DWORD size = sizeof(jbur);
- BOOL result = ::QueryInformationJobObject(job_handle.Get(),
- JobObjectBasicUIRestrictions,
- &jbur, size, &size);
- ASSERT_TRUE(result);
-
- ASSERT_EQ(0u, jbur.UIRestrictionsClass & JOB_OBJECT_UILIMIT_READCLIPBOARD);
- job_handle.Close();
- }
-
- // Scope the creation of Job.
- {
- // Create the job.
- Job job;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job.Init(JOB_LOCKDOWN, L"my_test_job_name", 0, 0));
-
- job_handle = job.Take();
- ASSERT_TRUE(job_handle.IsValid());
-
- JOBOBJECT_BASIC_UI_RESTRICTIONS jbur = {0};
- DWORD size = sizeof(jbur);
- BOOL result = ::QueryInformationJobObject(job_handle.Get(),
- JobObjectBasicUIRestrictions,
- &jbur, size, &size);
- ASSERT_TRUE(result);
-
- ASSERT_EQ(static_cast<DWORD>(JOB_OBJECT_UILIMIT_READCLIPBOARD),
- jbur.UIRestrictionsClass & JOB_OBJECT_UILIMIT_READCLIPBOARD);
- }
-}
-
-// Tests the error case when the job is initialized twice.
-TEST(JobTest, DoubleInit) {
- // Create the job.
- Job job;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job.Init(JOB_LOCKDOWN, L"my_test_job_name", 0, 0));
- ASSERT_EQ(static_cast<DWORD>(ERROR_ALREADY_INITIALIZED),
- job.Init(JOB_LOCKDOWN, L"test", 0, 0));
-}
-
-// Tests the error case when we use a method and the object is not yet
-// initialized.
-TEST(JobTest, NoInit) {
- Job job;
- ASSERT_EQ(static_cast<DWORD>(ERROR_NO_DATA), job.UserHandleGrantAccess(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_NO_DATA), job.AssignProcessToJob(NULL));
- ASSERT_FALSE(job.Take().IsValid());
-}
-
-// Tests the initialization of the job with different security level.
-TEST(JobTest, SecurityLevel) {
- Job job1;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job1.Init(JOB_LOCKDOWN, L"job1", 0, 0));
-
- Job job2;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job2.Init(JOB_RESTRICTED, L"job2", 0, 0));
-
- Job job3;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job3.Init(JOB_LIMITED_USER, L"job3", 0, 0));
-
- Job job4;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job4.Init(JOB_INTERACTIVE, L"job4", 0, 0));
-
- Job job5;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job5.Init(JOB_UNPROTECTED, L"job5", 0, 0));
-
- // JOB_NONE means we run without a job object so Init should fail.
- Job job6;
- ASSERT_EQ(static_cast<DWORD>(ERROR_BAD_ARGUMENTS),
- job6.Init(JOB_NONE, L"job6", 0, 0));
-
- Job job7;
- ASSERT_EQ(static_cast<DWORD>(ERROR_BAD_ARGUMENTS),
- job7.Init(static_cast<JobLevel>(JOB_NONE + 1), L"job7", 0, 0));
-}
-
-// Tests the method "AssignProcessToJob".
-TEST(JobTest, ProcessInJob) {
- // Create the job.
- Job job;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job.Init(JOB_UNPROTECTED, L"job_test_process", 0, 0));
-
- BOOL result = FALSE;
-
- wchar_t notepad[] = L"notepad";
- STARTUPINFO si = { sizeof(si) };
- PROCESS_INFORMATION temp_process_info = {};
- result = ::CreateProcess(NULL, notepad, NULL, NULL, FALSE, 0, NULL, NULL, &si,
- &temp_process_info);
- ASSERT_TRUE(result);
- base::win::ScopedProcessInformation pi(temp_process_info);
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- job.AssignProcessToJob(pi.process_handle()));
-
- // Get the job handle.
- base::win::ScopedHandle job_handle = job.Take();
-
- // Check if the process is in the job.
- JOBOBJECT_BASIC_PROCESS_ID_LIST jbpidl = {0};
- DWORD size = sizeof(jbpidl);
- result = ::QueryInformationJobObject(job_handle.Get(),
- JobObjectBasicProcessIdList,
- &jbpidl, size, &size);
- EXPECT_TRUE(result);
-
- EXPECT_EQ(1u, jbpidl.NumberOfAssignedProcesses);
- EXPECT_EQ(1u, jbpidl.NumberOfProcessIdsInList);
- EXPECT_EQ(pi.process_id(), jbpidl.ProcessIdList[0]);
-
- EXPECT_TRUE(::TerminateProcess(pi.process_handle(), 0));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.cc
deleted file mode 100644
index ea8d38035..000000000
--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.cc
+++ /dev/null
@@ -1,103 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/named_pipe_dispatcher.h"
-
-#include <stdint.h>
-
-#include "base/strings/string_split.h"
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/named_pipe_interception.h"
-#include "sandbox/win/src/named_pipe_policy.h"
-#include "sandbox/win/src/policy_broker.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox.h"
-
-
-namespace sandbox {
-
-NamedPipeDispatcher::NamedPipeDispatcher(PolicyBase* policy_base)
- : policy_base_(policy_base) {
- static const IPCCall create_params = {
- {IPC_CREATENAMEDPIPEW_TAG,
- {WCHAR_TYPE,
- UINT32_TYPE,
- UINT32_TYPE,
- UINT32_TYPE,
- UINT32_TYPE,
- UINT32_TYPE,
- UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(&NamedPipeDispatcher::CreateNamedPipe)};
-
- ipc_calls_.push_back(create_params);
-}
-
-bool NamedPipeDispatcher::SetupService(InterceptionManager* manager,
- int service) {
- if (IPC_CREATENAMEDPIPEW_TAG == service)
- return INTERCEPT_EAT(manager, kKerneldllName, CreateNamedPipeW,
- CREATE_NAMED_PIPE_ID, 36);
-
- return false;
-}
-
-bool NamedPipeDispatcher::CreateNamedPipe(IPCInfo* ipc,
- base::string16* name,
- uint32_t open_mode,
- uint32_t pipe_mode,
- uint32_t max_instances,
- uint32_t out_buffer_size,
- uint32_t in_buffer_size,
- uint32_t default_timeout) {
- ipc->return_info.win32_result = ERROR_ACCESS_DENIED;
- ipc->return_info.handle = INVALID_HANDLE_VALUE;
-
- base::StringPiece16 dotdot(L"..");
-
- for (const base::StringPiece16& path : base::SplitStringPiece(
- *name, base::string16(1, '/'),
- base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) {
- for (const base::StringPiece16& inner : base::SplitStringPiece(
- path, base::string16(1, '\\'),
- base::TRIM_WHITESPACE, base::SPLIT_WANT_ALL)) {
- if (inner == dotdot)
- return true;
- }
- }
-
- const wchar_t* pipe_name = name->c_str();
- CountedParameterSet<NameBased> params;
- params[NameBased::NAME] = ParamPickerMake(pipe_name);
-
- EvalResult eval = policy_base_->EvalPolicy(IPC_CREATENAMEDPIPEW_TAG,
- params.GetBase());
-
- // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to
- // disable all string parsing and to send the string that follows it straight
- // to the file system."
- // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx
- // This ensures even if there is a path traversal in the pipe name, and it is
- // able to get past the checks above, it will still not be allowed to escape
- // our whitelisted namespace.
- if (name->compare(0, 4, L"\\\\.\\") == 0)
- name->replace(0, 4, L"\\\\\?\\");
-
- HANDLE pipe;
- DWORD ret = NamedPipePolicy::CreateNamedPipeAction(eval, *ipc->client_info,
- *name, open_mode,
- pipe_mode, max_instances,
- out_buffer_size,
- in_buffer_size,
- default_timeout, &pipe);
-
- ipc->return_info.win32_result = ret;
- ipc->return_info.handle = pipe;
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.h
deleted file mode 100644
index 83f45e093..000000000
--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_dispatcher.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_NAMED_PIPE_DISPATCHER_H__
-#define SANDBOX_SRC_NAMED_PIPE_DISPATCHER_H__
-
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-namespace sandbox {
-
-// This class handles named pipe related IPC calls.
-class NamedPipeDispatcher : public Dispatcher {
- public:
- explicit NamedPipeDispatcher(PolicyBase* policy_base);
- ~NamedPipeDispatcher() override {}
-
- // Dispatcher interface.
- bool SetupService(InterceptionManager* manager, int service) override;
-
- private:
- // Processes IPC requests coming from calls to CreateNamedPipeW() in the
- // target.
- bool CreateNamedPipe(IPCInfo* ipc,
- base::string16* name,
- uint32_t open_mode,
- uint32_t pipe_mode,
- uint32_t max_instances,
- uint32_t out_buffer_size,
- uint32_t in_buffer_size,
- uint32_t default_timeout);
-
- PolicyBase* policy_base_;
- DISALLOW_COPY_AND_ASSIGN(NamedPipeDispatcher);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_NAMED_PIPE_DISPATCHER_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc b/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
deleted file mode 100644
index a18327308..000000000
--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.cc
+++ /dev/null
@@ -1,76 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/named_pipe_interception.h"
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/policy_target.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/target_services.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-
-namespace sandbox {
-
-HANDLE WINAPI TargetCreateNamedPipeW(
- CreateNamedPipeWFunction orig_CreateNamedPipeW, LPCWSTR pipe_name,
- DWORD open_mode, DWORD pipe_mode, DWORD max_instance, DWORD out_buffer_size,
- DWORD in_buffer_size, DWORD default_timeout,
- LPSECURITY_ATTRIBUTES security_attributes) {
- HANDLE pipe = orig_CreateNamedPipeW(pipe_name, open_mode, pipe_mode,
- max_instance, out_buffer_size,
- in_buffer_size, default_timeout,
- security_attributes);
- if (INVALID_HANDLE_VALUE != pipe)
- return pipe;
-
- mozilla::sandboxing::LogBlocked("CreateNamedPipeW", pipe_name);
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return INVALID_HANDLE_VALUE;
-
- DWORD original_error = ::GetLastError();
-
- // We don't support specific Security Attributes.
- if (security_attributes)
- return INVALID_HANDLE_VALUE;
-
- do {
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- CountedParameterSet<NameBased> params;
- params[NameBased::NAME] = ParamPickerMake(pipe_name);
-
- if (!QueryBroker(IPC_CREATENAMEDPIPEW_TAG, params.GetBase()))
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_CREATENAMEDPIPEW_TAG, pipe_name,
- open_mode, pipe_mode, max_instance,
- out_buffer_size, in_buffer_size,
- default_timeout, &answer);
- if (SBOX_ALL_OK != code)
- break;
-
- ::SetLastError(answer.win32_result);
-
- if (ERROR_SUCCESS != answer.win32_result)
- return INVALID_HANDLE_VALUE;
-
- mozilla::sandboxing::LogAllowed("CreateNamedPipeW", pipe_name);
- return answer.handle;
- } while (false);
-
- ::SetLastError(original_error);
- return INVALID_HANDLE_VALUE;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.h b/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.h
deleted file mode 100644
index fdbee1976..000000000
--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_interception.h
+++ /dev/null
@@ -1,36 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_NAMED_PIPE_INTERCEPTION_H__
-#define SANDBOX_SRC_NAMED_PIPE_INTERCEPTION_H__
-
-namespace sandbox {
-
-extern "C" {
-
-typedef HANDLE (WINAPI *CreateNamedPipeWFunction) (
- LPCWSTR lpName,
- DWORD dwOpenMode,
- DWORD dwPipeMode,
- DWORD nMaxInstances,
- DWORD nOutBufferSize,
- DWORD nInBufferSize,
- DWORD nDefaultTimeOut,
- LPSECURITY_ATTRIBUTES lpSecurityAttributes);
-
-// Interception of CreateNamedPipeW in kernel32.dll
-SANDBOX_INTERCEPT HANDLE WINAPI TargetCreateNamedPipeW(
- CreateNamedPipeWFunction orig_CreateNamedPipeW, LPCWSTR pipe_name,
- DWORD open_mode, DWORD pipe_mode, DWORD max_instance, DWORD out_buffer_size,
- DWORD in_buffer_size, DWORD default_timeout,
- LPSECURITY_ATTRIBUTES security_attributes);
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_NAMED_PIPE_INTERCEPTION_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/named_pipe_policy.cc b/security/sandbox/chromium/sandbox/win/src/named_pipe_policy.cc
deleted file mode 100644
index eee719e50..000000000
--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_policy.cc
+++ /dev/null
@@ -1,86 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/named_pipe_policy.h"
-
-#include <string>
-
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace {
-
-// Creates a named pipe and duplicates the handle to 'target_process'. The
-// remaining parameters are the same as CreateNamedPipeW().
-HANDLE CreateNamedPipeHelper(HANDLE target_process, LPCWSTR pipe_name,
- DWORD open_mode, DWORD pipe_mode,
- DWORD max_instances, DWORD out_buffer_size,
- DWORD in_buffer_size, DWORD default_timeout,
- LPSECURITY_ATTRIBUTES security_attributes) {
- HANDLE pipe = ::CreateNamedPipeW(pipe_name, open_mode, pipe_mode,
- max_instances, out_buffer_size,
- in_buffer_size, default_timeout,
- security_attributes);
- if (INVALID_HANDLE_VALUE == pipe)
- return pipe;
-
- HANDLE new_pipe;
- if (!::DuplicateHandle(::GetCurrentProcess(), pipe,
- target_process, &new_pipe,
- 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return INVALID_HANDLE_VALUE;
- }
-
- return new_pipe;
-}
-
-} // namespace
-
-namespace sandbox {
-
-bool NamedPipePolicy::GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy) {
- if (TargetPolicy::NAMEDPIPES_ALLOW_ANY != semantics) {
- return false;
- }
- PolicyRule pipe(ASK_BROKER);
- if (!pipe.AddStringMatch(IF, NameBased::NAME, name, CASE_INSENSITIVE)) {
- return false;
- }
- if (!policy->AddRule(IPC_CREATENAMEDPIPEW_TAG, &pipe)) {
- return false;
- }
- return true;
-}
-
-DWORD NamedPipePolicy::CreateNamedPipeAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16 &name,
- DWORD open_mode, DWORD pipe_mode,
- DWORD max_instances,
- DWORD out_buffer_size,
- DWORD in_buffer_size,
- DWORD default_timeout,
- HANDLE* pipe) {
- // The only action supported is ASK_BROKER which means create the pipe.
- if (ASK_BROKER != eval_result) {
- return ERROR_ACCESS_DENIED;
- }
-
- *pipe = CreateNamedPipeHelper(client_info.process, name.c_str(),
- open_mode, pipe_mode, max_instances,
- out_buffer_size, in_buffer_size,
- default_timeout, NULL);
-
- if (INVALID_HANDLE_VALUE == *pipe)
- return ERROR_ACCESS_DENIED;
-
- return ERROR_SUCCESS;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/named_pipe_policy.h b/security/sandbox/chromium/sandbox/win/src/named_pipe_policy.h
deleted file mode 100644
index 02aa26c61..000000000
--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_policy.h
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_NAMED_PIPE_POLICY_H__
-#define SANDBOX_SRC_NAMED_PIPE_POLICY_H__
-
-#include <string>
-
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/sandbox_policy.h"
-
-namespace sandbox {
-
-enum EvalResult;
-
-// This class centralizes most of the knowledge related to named pipe creation.
-class NamedPipePolicy {
- public:
- // Creates the required low-level policy rules to evaluate a high-level.
- // policy rule for named pipe creation
- // 'name' is the named pipe to be created
- // 'semantics' is the desired semantics.
- // 'policy' is the policy generator to which the rules are going to be added.
- static bool GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy);
-
- // Processes a 'CreateNamedPipeW()' request from the target.
- static DWORD CreateNamedPipeAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16 &name,
- DWORD open_mode, DWORD pipe_mode,
- DWORD max_instances,
- DWORD out_buffer_size,
- DWORD in_buffer_size,
- DWORD default_timeout, HANDLE* pipe);
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_SRC_NAMED_PIPE_POLICY_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/named_pipe_policy_test.cc b/security/sandbox/chromium/sandbox/win/src/named_pipe_policy_test.cc
deleted file mode 100644
index 813cf1f46..000000000
--- a/security/sandbox/chromium/sandbox/win/src/named_pipe_policy_test.cc
+++ /dev/null
@@ -1,140 +0,0 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/handle_closer.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-
-SBOX_TESTS_COMMAND int NamedPipe_Create(int argc, wchar_t **argv) {
- if (argc < 1 || argc > 2) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- if ((NULL == argv) || (NULL == argv[0])) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
-
- HANDLE pipe = ::CreateNamedPipeW(argv[0],
- PIPE_ACCESS_DUPLEX | FILE_FLAG_OVERLAPPED,
- PIPE_TYPE_BYTE | PIPE_READMODE_BYTE, 1, 4096,
- 4096, 2000, NULL);
- if (INVALID_HANDLE_VALUE == pipe)
- return SBOX_TEST_DENIED;
-
- // The second parameter allows us to enforce a whitelist for where the
- // pipe should be in the object namespace after creation.
- if (argc == 2) {
- base::string16 handle_name;
- if (GetHandleName(pipe, &handle_name)) {
- if (handle_name.compare(0, wcslen(argv[1]), argv[1]) != 0)
- return SBOX_TEST_FAILED;
- } else {
- return SBOX_TEST_FAILED;
- }
- }
-
- OVERLAPPED overlapped = {0};
- overlapped.hEvent = ::CreateEvent(NULL, TRUE, TRUE, NULL);
- BOOL result = ::ConnectNamedPipe(pipe, &overlapped);
-
- if (!result) {
- DWORD error = ::GetLastError();
- if (ERROR_PIPE_CONNECTED != error &&
- ERROR_IO_PENDING != error) {
- return SBOX_TEST_FAILED;
- }
- }
-
- if (!::CloseHandle(pipe))
- return SBOX_TEST_FAILED;
-
- ::CloseHandle(overlapped.hEvent);
- return SBOX_TEST_SUCCEEDED;
-}
-
-// Tests if we can create a pipe in the sandbox.
-TEST(NamedPipePolicyTest, CreatePipe) {
- TestRunner runner;
- // TODO(nsylvain): This policy is wrong because "*" is a valid char in a
- // namedpipe name. Here we apply it like a wildcard. http://b/893603
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES,
- TargetPolicy::NAMEDPIPES_ALLOW_ANY,
- L"\\\\.\\pipe\\test*"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh"));
-
- // On XP, the sandbox can create a pipe without any help but it fails on
- // Vista+, this is why we do not test the "denied" case.
- if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh"));
- }
-}
-
-// Tests if we can create a pipe with a path traversal in the sandbox.
-TEST(NamedPipePolicyTest, CreatePipeTraversal) {
- TestRunner runner;
- // TODO(nsylvain): This policy is wrong because "*" is a valid char in a
- // namedpipe name. Here we apply it like a wildcard. http://b/893603
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES,
- TargetPolicy::NAMEDPIPES_ALLOW_ANY,
- L"\\\\.\\pipe\\test*"));
-
- // On XP, the sandbox can create a pipe without any help but it fails on
- // Vista+, this is why we do not test the "denied" case.
- if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\..\\bleh"));
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/../bleh"));
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test\\../bleh"));
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\test/..\\bleh"));
- }
-}
-
-// This tests that path canonicalization is actually disabled if we use \\?\
-// syntax.
-TEST(NamedPipePolicyTest, CreatePipeCanonicalization) {
- // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to
- // disable all string parsing and to send the string that follows it straight
- // to the file system."
- // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx
- const wchar_t* argv[2] = { L"\\\\?\\pipe\\test\\..\\bleh",
- L"\\Device\\NamedPipe\\test" };
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- NamedPipe_Create(2, const_cast<wchar_t**>(argv)));
-}
-
-// The same test as CreatePipe but this time using strict interceptions.
-TEST(NamedPipePolicyTest, CreatePipeStrictInterceptions) {
- TestRunner runner;
- runner.GetPolicy()->SetStrictInterceptions();
-
- // TODO(nsylvain): This policy is wrong because "*" is a valid char in a
- // namedpipe name. Here we apply it like a wildcard. http://b/893603
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_NAMED_PIPES,
- TargetPolicy::NAMEDPIPES_ALLOW_ANY,
- L"\\\\.\\pipe\\test*"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\testbleh"));
-
- // On XP, the sandbox can create a pipe without any help but it fails on
- // Vista+, this is why we do not test the "denied" case.
- if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"NamedPipe_Create \\\\.\\pipe\\bleh"));
- }
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/nt_internals.h b/security/sandbox/chromium/sandbox/win/src/nt_internals.h
deleted file mode 100644
index 2a39d5b94..000000000
--- a/security/sandbox/chromium/sandbox/win/src/nt_internals.h
+++ /dev/null
@@ -1,703 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file holds definitions related to the ntdll API.
-
-#ifndef SANDBOX_WIN_SRC_NT_INTERNALS_H__
-#define SANDBOX_WIN_SRC_NT_INTERNALS_H__
-
-#include <windows.h>
-#include <stddef.h>
-
-typedef LONG NTSTATUS;
-#define NT_SUCCESS(st) (st >= 0)
-
-#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
-#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)
-#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
-#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
-#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
-#ifndef STATUS_INVALID_PARAMETER
-// It is now defined in Windows 2008 SDK.
-#define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
-#endif
-#define STATUS_CONFLICTING_ADDRESSES ((NTSTATUS)0xC0000018L)
-#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
-#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
-#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)
-#define STATUS_OBJECT_NAME_COLLISION ((NTSTATUS)0xC0000035L)
-#define STATUS_PROCEDURE_NOT_FOUND ((NTSTATUS)0xC000007AL)
-#define STATUS_INVALID_IMAGE_FORMAT ((NTSTATUS)0xC000007BL)
-#define STATUS_NO_TOKEN ((NTSTATUS)0xC000007CL)
-
-#define CURRENT_PROCESS ((HANDLE) -1)
-#define CURRENT_THREAD ((HANDLE) -2)
-#define NtCurrentProcess CURRENT_PROCESS
-
-typedef struct _UNICODE_STRING {
- USHORT Length;
- USHORT MaximumLength;
- PWSTR Buffer;
-} UNICODE_STRING;
-typedef UNICODE_STRING *PUNICODE_STRING;
-typedef const UNICODE_STRING *PCUNICODE_STRING;
-
-typedef struct _STRING {
- USHORT Length;
- USHORT MaximumLength;
- PCHAR Buffer;
-} STRING;
-typedef STRING *PSTRING;
-
-typedef STRING ANSI_STRING;
-typedef PSTRING PANSI_STRING;
-typedef CONST PSTRING PCANSI_STRING;
-
-typedef STRING OEM_STRING;
-typedef PSTRING POEM_STRING;
-typedef CONST STRING* PCOEM_STRING;
-
-#define OBJ_CASE_INSENSITIVE 0x00000040L
-#define OBJ_OPENIF 0x00000080L
-
-typedef struct _OBJECT_ATTRIBUTES {
- ULONG Length;
- HANDLE RootDirectory;
- PUNICODE_STRING ObjectName;
- ULONG Attributes;
- PVOID SecurityDescriptor;
- PVOID SecurityQualityOfService;
-} OBJECT_ATTRIBUTES;
-typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
-
-#define InitializeObjectAttributes(p, n, a, r, s) { \
- (p)->Length = sizeof(OBJECT_ATTRIBUTES);\
- (p)->RootDirectory = r;\
- (p)->Attributes = a;\
- (p)->ObjectName = n;\
- (p)->SecurityDescriptor = s;\
- (p)->SecurityQualityOfService = NULL;\
-}
-
-typedef struct _IO_STATUS_BLOCK {
- union {
- NTSTATUS Status;
- PVOID Pointer;
- };
- ULONG_PTR Information;
-} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
-
-// -----------------------------------------------------------------------
-// File IO
-
-// Create disposition values.
-
-#define FILE_SUPERSEDE 0x00000000
-#define FILE_OPEN 0x00000001
-#define FILE_CREATE 0x00000002
-#define FILE_OPEN_IF 0x00000003
-#define FILE_OVERWRITE 0x00000004
-#define FILE_OVERWRITE_IF 0x00000005
-#define FILE_MAXIMUM_DISPOSITION 0x00000005
-
-// Create/open option flags.
-
-#define FILE_DIRECTORY_FILE 0x00000001
-#define FILE_WRITE_THROUGH 0x00000002
-#define FILE_SEQUENTIAL_ONLY 0x00000004
-#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
-
-#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
-#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
-#define FILE_NON_DIRECTORY_FILE 0x00000040
-#define FILE_CREATE_TREE_CONNECTION 0x00000080
-
-#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
-#define FILE_NO_EA_KNOWLEDGE 0x00000200
-#define FILE_OPEN_REMOTE_INSTANCE 0x00000400
-#define FILE_RANDOM_ACCESS 0x00000800
-
-#define FILE_DELETE_ON_CLOSE 0x00001000
-#define FILE_OPEN_BY_FILE_ID 0x00002000
-#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
-#define FILE_NO_COMPRESSION 0x00008000
-
-#define FILE_RESERVE_OPFILTER 0x00100000
-#define FILE_OPEN_REPARSE_POINT 0x00200000
-#define FILE_OPEN_NO_RECALL 0x00400000
-#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000
-
-// Create/open result values. These are the disposition values returned on the
-// io status information.
-#define FILE_SUPERSEDED 0x00000000
-#define FILE_OPENED 0x00000001
-#define FILE_CREATED 0x00000002
-#define FILE_OVERWRITTEN 0x00000003
-#define FILE_EXISTS 0x00000004
-#define FILE_DOES_NOT_EXIST 0x00000005
-
-typedef NTSTATUS (WINAPI *NtCreateFileFunction)(
- OUT PHANDLE FileHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- OUT PIO_STATUS_BLOCK IoStatusBlock,
- IN PLARGE_INTEGER AllocationSize OPTIONAL,
- IN ULONG FileAttributes,
- IN ULONG ShareAccess,
- IN ULONG CreateDisposition,
- IN ULONG CreateOptions,
- IN PVOID EaBuffer OPTIONAL,
- IN ULONG EaLength);
-
-typedef NTSTATUS (WINAPI *NtOpenFileFunction)(
- OUT PHANDLE FileHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- OUT PIO_STATUS_BLOCK IoStatusBlock,
- IN ULONG ShareAccess,
- IN ULONG OpenOptions);
-
-typedef NTSTATUS (WINAPI *NtCloseFunction)(
- IN HANDLE Handle);
-
-typedef enum _FILE_INFORMATION_CLASS {
- FileRenameInformation = 10
-} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS;
-
-typedef struct _FILE_RENAME_INFORMATION {
- BOOLEAN ReplaceIfExists;
- HANDLE RootDirectory;
- ULONG FileNameLength;
- WCHAR FileName[1];
-} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
-
-typedef NTSTATUS (WINAPI *NtSetInformationFileFunction)(
- IN HANDLE FileHandle,
- OUT PIO_STATUS_BLOCK IoStatusBlock,
- IN PVOID FileInformation,
- IN ULONG Length,
- IN FILE_INFORMATION_CLASS FileInformationClass);
-
-typedef struct FILE_BASIC_INFORMATION {
- LARGE_INTEGER CreationTime;
- LARGE_INTEGER LastAccessTime;
- LARGE_INTEGER LastWriteTime;
- LARGE_INTEGER ChangeTime;
- ULONG FileAttributes;
-} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION;
-
-typedef NTSTATUS (WINAPI *NtQueryAttributesFileFunction)(
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- OUT PFILE_BASIC_INFORMATION FileAttributes);
-
-typedef struct _FILE_NETWORK_OPEN_INFORMATION {
- LARGE_INTEGER CreationTime;
- LARGE_INTEGER LastAccessTime;
- LARGE_INTEGER LastWriteTime;
- LARGE_INTEGER ChangeTime;
- LARGE_INTEGER AllocationSize;
- LARGE_INTEGER EndOfFile;
- ULONG FileAttributes;
-} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
-
-typedef NTSTATUS (WINAPI *NtQueryFullAttributesFileFunction)(
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- OUT PFILE_NETWORK_OPEN_INFORMATION FileAttributes);
-
-// -----------------------------------------------------------------------
-// Sections
-
-typedef NTSTATUS (WINAPI *NtCreateSectionFunction)(
- OUT PHANDLE SectionHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL,
- IN PLARGE_INTEGER MaximumSize OPTIONAL,
- IN ULONG SectionPageProtection,
- IN ULONG AllocationAttributes,
- IN HANDLE FileHandle OPTIONAL);
-
-typedef ULONG SECTION_INHERIT;
-#define ViewShare 1
-#define ViewUnmap 2
-
-typedef NTSTATUS (WINAPI *NtMapViewOfSectionFunction)(
- IN HANDLE SectionHandle,
- IN HANDLE ProcessHandle,
- IN OUT PVOID *BaseAddress,
- IN ULONG_PTR ZeroBits,
- IN SIZE_T CommitSize,
- IN OUT PLARGE_INTEGER SectionOffset OPTIONAL,
- IN OUT PSIZE_T ViewSize,
- IN SECTION_INHERIT InheritDisposition,
- IN ULONG AllocationType,
- IN ULONG Win32Protect);
-
-typedef NTSTATUS (WINAPI *NtUnmapViewOfSectionFunction)(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress);
-
-typedef enum _SECTION_INFORMATION_CLASS {
- SectionBasicInformation = 0,
- SectionImageInformation
-} SECTION_INFORMATION_CLASS;
-
-typedef struct _SECTION_BASIC_INFORMATION {
- PVOID BaseAddress;
- ULONG Attributes;
- LARGE_INTEGER Size;
-} SECTION_BASIC_INFORMATION, *PSECTION_BASIC_INFORMATION;
-
-typedef NTSTATUS (WINAPI *NtQuerySectionFunction)(
- IN HANDLE SectionHandle,
- IN SECTION_INFORMATION_CLASS SectionInformationClass,
- OUT PVOID SectionInformation,
- IN SIZE_T SectionInformationLength,
- OUT PSIZE_T ReturnLength OPTIONAL);
-
-// -----------------------------------------------------------------------
-// Process and Thread
-
-typedef struct _CLIENT_ID {
- PVOID UniqueProcess;
- PVOID UniqueThread;
-} CLIENT_ID, *PCLIENT_ID;
-
-typedef NTSTATUS (WINAPI *NtOpenThreadFunction) (
- OUT PHANDLE ThreadHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- IN PCLIENT_ID ClientId);
-
-typedef NTSTATUS (WINAPI *NtOpenProcessFunction) (
- OUT PHANDLE ProcessHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- IN PCLIENT_ID ClientId);
-
-typedef enum _NT_THREAD_INFORMATION_CLASS {
- ThreadBasicInformation,
- ThreadTimes,
- ThreadPriority,
- ThreadBasePriority,
- ThreadAffinityMask,
- ThreadImpersonationToken,
- ThreadDescriptorTableEntry,
- ThreadEnableAlignmentFaultFixup,
- ThreadEventPair,
- ThreadQuerySetWin32StartAddress,
- ThreadZeroTlsCell,
- ThreadPerformanceCount,
- ThreadAmILastThread,
- ThreadIdealProcessor,
- ThreadPriorityBoost,
- ThreadSetTlsArrayAddress,
- ThreadIsIoPending,
- ThreadHideFromDebugger
-} NT_THREAD_INFORMATION_CLASS, *PNT_THREAD_INFORMATION_CLASS;
-
-typedef NTSTATUS (WINAPI *NtSetInformationThreadFunction) (
- IN HANDLE ThreadHandle,
- IN NT_THREAD_INFORMATION_CLASS ThreadInformationClass,
- IN PVOID ThreadInformation,
- IN ULONG ThreadInformationLength);
-
-// Partial definition only:
-typedef enum _PROCESSINFOCLASS {
- ProcessBasicInformation = 0,
- ProcessExecuteFlags = 0x22
-} PROCESSINFOCLASS;
-
-typedef PVOID PPEB;
-typedef LONG KPRIORITY;
-
-typedef struct _PROCESS_BASIC_INFORMATION {
- union {
- NTSTATUS ExitStatus;
- PVOID padding_for_x64_0;
- };
- PPEB PebBaseAddress;
- KAFFINITY AffinityMask;
- union {
- KPRIORITY BasePriority;
- PVOID padding_for_x64_1;
- };
- union {
- DWORD UniqueProcessId;
- PVOID padding_for_x64_2;
- };
- union {
- DWORD InheritedFromUniqueProcessId;
- PVOID padding_for_x64_3;
- };
-} PROCESS_BASIC_INFORMATION, *PPROCESS_BASIC_INFORMATION;
-
-typedef NTSTATUS (WINAPI *NtQueryInformationProcessFunction)(
- IN HANDLE ProcessHandle,
- IN PROCESSINFOCLASS ProcessInformationClass,
- OUT PVOID ProcessInformation,
- IN ULONG ProcessInformationLength,
- OUT PULONG ReturnLength OPTIONAL);
-
-typedef NTSTATUS (WINAPI *NtSetInformationProcessFunction)(
- HANDLE ProcessHandle,
- IN PROCESSINFOCLASS ProcessInformationClass,
- IN PVOID ProcessInformation,
- IN ULONG ProcessInformationLength);
-
-typedef NTSTATUS (WINAPI *NtOpenThreadTokenFunction) (
- IN HANDLE ThreadHandle,
- IN ACCESS_MASK DesiredAccess,
- IN BOOLEAN OpenAsSelf,
- OUT PHANDLE TokenHandle);
-
-typedef NTSTATUS (WINAPI *NtOpenThreadTokenExFunction) (
- IN HANDLE ThreadHandle,
- IN ACCESS_MASK DesiredAccess,
- IN BOOLEAN OpenAsSelf,
- IN ULONG HandleAttributes,
- OUT PHANDLE TokenHandle);
-
-typedef NTSTATUS (WINAPI *NtOpenProcessTokenFunction) (
- IN HANDLE ProcessHandle,
- IN ACCESS_MASK DesiredAccess,
- OUT PHANDLE TokenHandle);
-
-typedef NTSTATUS (WINAPI *NtOpenProcessTokenExFunction) (
- IN HANDLE ProcessHandle,
- IN ACCESS_MASK DesiredAccess,
- IN ULONG HandleAttributes,
- OUT PHANDLE TokenHandle);
-
-typedef NTSTATUS (WINAPI * RtlCreateUserThreadFunction)(
- IN HANDLE Process,
- IN PSECURITY_DESCRIPTOR ThreadSecurityDescriptor,
- IN BOOLEAN CreateSuspended,
- IN ULONG ZeroBits,
- IN SIZE_T MaximumStackSize,
- IN SIZE_T CommittedStackSize,
- IN LPTHREAD_START_ROUTINE StartAddress,
- IN PVOID Parameter,
- OUT PHANDLE Thread,
- OUT PCLIENT_ID ClientId);
-
-// -----------------------------------------------------------------------
-// Registry
-
-typedef NTSTATUS (WINAPI *NtCreateKeyFunction)(
- OUT PHANDLE KeyHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- IN ULONG TitleIndex,
- IN PUNICODE_STRING Class OPTIONAL,
- IN ULONG CreateOptions,
- OUT PULONG Disposition OPTIONAL);
-
-typedef NTSTATUS (WINAPI *NtOpenKeyFunction)(
- OUT PHANDLE KeyHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes);
-
-typedef NTSTATUS (WINAPI *NtOpenKeyExFunction)(
- OUT PHANDLE KeyHandle,
- IN ACCESS_MASK DesiredAccess,
- IN POBJECT_ATTRIBUTES ObjectAttributes,
- IN DWORD open_options);
-
-typedef NTSTATUS (WINAPI *NtDeleteKeyFunction)(
- IN HANDLE KeyHandle);
-
-// -----------------------------------------------------------------------
-// Memory
-
-// Don't really need this structure right now.
-typedef PVOID PRTL_HEAP_PARAMETERS;
-
-typedef PVOID (WINAPI *RtlCreateHeapFunction)(
- IN ULONG Flags,
- IN PVOID HeapBase OPTIONAL,
- IN SIZE_T ReserveSize OPTIONAL,
- IN SIZE_T CommitSize OPTIONAL,
- IN PVOID Lock OPTIONAL,
- IN PRTL_HEAP_PARAMETERS Parameters OPTIONAL);
-
-typedef PVOID (WINAPI *RtlDestroyHeapFunction)(
- IN PVOID HeapHandle);
-
-typedef PVOID (WINAPI *RtlAllocateHeapFunction)(
- IN PVOID HeapHandle,
- IN ULONG Flags,
- IN SIZE_T Size);
-
-typedef BOOLEAN (WINAPI *RtlFreeHeapFunction)(
- IN PVOID HeapHandle,
- IN ULONG Flags,
- IN PVOID HeapBase);
-
-typedef NTSTATUS (WINAPI *NtAllocateVirtualMemoryFunction) (
- IN HANDLE ProcessHandle,
- IN OUT PVOID *BaseAddress,
- IN ULONG_PTR ZeroBits,
- IN OUT PSIZE_T RegionSize,
- IN ULONG AllocationType,
- IN ULONG Protect);
-
-typedef NTSTATUS (WINAPI *NtFreeVirtualMemoryFunction) (
- IN HANDLE ProcessHandle,
- IN OUT PVOID *BaseAddress,
- IN OUT PSIZE_T RegionSize,
- IN ULONG FreeType);
-
-typedef enum _MEMORY_INFORMATION_CLASS {
- MemoryBasicInformation = 0,
- MemoryWorkingSetList,
- MemorySectionName,
- MemoryBasicVlmInformation
-} MEMORY_INFORMATION_CLASS;
-
-typedef struct _MEMORY_SECTION_NAME { // Information Class 2
- UNICODE_STRING SectionFileName;
-} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;
-
-typedef NTSTATUS (WINAPI *NtQueryVirtualMemoryFunction)(
- IN HANDLE ProcessHandle,
- IN PVOID BaseAddress,
- IN MEMORY_INFORMATION_CLASS MemoryInformationClass,
- OUT PVOID MemoryInformation,
- IN SIZE_T MemoryInformationLength,
- OUT PSIZE_T ReturnLength OPTIONAL);
-
-typedef NTSTATUS (WINAPI *NtProtectVirtualMemoryFunction)(
- IN HANDLE ProcessHandle,
- IN OUT PVOID* BaseAddress,
- IN OUT PSIZE_T ProtectSize,
- IN ULONG NewProtect,
- OUT PULONG OldProtect);
-
-// -----------------------------------------------------------------------
-// Objects
-
-typedef enum _OBJECT_INFORMATION_CLASS {
- ObjectBasicInformation,
- ObjectNameInformation,
- ObjectTypeInformation,
- ObjectAllInformation,
- ObjectDataInformation
-} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS;
-
-typedef struct _OBJDIR_INFORMATION {
- UNICODE_STRING ObjectName;
- UNICODE_STRING ObjectTypeName;
- BYTE Data[1];
-} OBJDIR_INFORMATION;
-
-typedef struct _PUBLIC_OBJECT_BASIC_INFORMATION {
- ULONG Attributes;
- ACCESS_MASK GrantedAccess;
- ULONG HandleCount;
- ULONG PointerCount;
- ULONG Reserved[10]; // reserved for internal use
-} PUBLIC_OBJECT_BASIC_INFORMATION, *PPUBLIC_OBJECT_BASIC_INFORMATION;
-
-typedef struct __PUBLIC_OBJECT_TYPE_INFORMATION {
- UNICODE_STRING TypeName;
- ULONG Reserved[22]; // reserved for internal use
-} PUBLIC_OBJECT_TYPE_INFORMATION, *PPUBLIC_OBJECT_TYPE_INFORMATION;
-
-typedef enum _POOL_TYPE {
- NonPagedPool,
- PagedPool,
- NonPagedPoolMustSucceed,
- ReservedType,
- NonPagedPoolCacheAligned,
- PagedPoolCacheAligned,
- NonPagedPoolCacheAlignedMustS
-} POOL_TYPE;
-
-typedef struct _OBJECT_BASIC_INFORMATION {
- ULONG Attributes;
- ACCESS_MASK GrantedAccess;
- ULONG HandleCount;
- ULONG PointerCount;
- ULONG PagedPoolUsage;
- ULONG NonPagedPoolUsage;
- ULONG Reserved[3];
- ULONG NameInformationLength;
- ULONG TypeInformationLength;
- ULONG SecurityDescriptorLength;
- LARGE_INTEGER CreateTime;
-} OBJECT_BASIC_INFORMATION, *POBJECT_BASIC_INFORMATION;
-
-typedef struct _OBJECT_TYPE_INFORMATION {
- UNICODE_STRING Name;
- ULONG TotalNumberOfObjects;
- ULONG TotalNumberOfHandles;
- ULONG TotalPagedPoolUsage;
- ULONG TotalNonPagedPoolUsage;
- ULONG TotalNamePoolUsage;
- ULONG TotalHandleTableUsage;
- ULONG HighWaterNumberOfObjects;
- ULONG HighWaterNumberOfHandles;
- ULONG HighWaterPagedPoolUsage;
- ULONG HighWaterNonPagedPoolUsage;
- ULONG HighWaterNamePoolUsage;
- ULONG HighWaterHandleTableUsage;
- ULONG InvalidAttributes;
- GENERIC_MAPPING GenericMapping;
- ULONG ValidAccess;
- BOOLEAN SecurityRequired;
- BOOLEAN MaintainHandleCount;
- USHORT MaintainTypeList;
- POOL_TYPE PoolType;
- ULONG PagedPoolUsage;
- ULONG NonPagedPoolUsage;
-} OBJECT_TYPE_INFORMATION, *POBJECT_TYPE_INFORMATION;
-
-typedef enum _SYSTEM_INFORMATION_CLASS {
- SystemHandleInformation = 16
-} SYSTEM_INFORMATION_CLASS;
-
-typedef struct _SYSTEM_HANDLE_INFORMATION {
- USHORT ProcessId;
- USHORT CreatorBackTraceIndex;
- UCHAR ObjectTypeNumber;
- UCHAR Flags;
- USHORT Handle;
- PVOID Object;
- ACCESS_MASK GrantedAccess;
-} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
-
-typedef struct _SYSTEM_HANDLE_INFORMATION_EX {
- ULONG NumberOfHandles;
- SYSTEM_HANDLE_INFORMATION Information[1];
-} SYSTEM_HANDLE_INFORMATION_EX, *PSYSTEM_HANDLE_INFORMATION_EX;
-
-typedef struct _OBJECT_NAME_INFORMATION {
- UNICODE_STRING ObjectName;
-} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
-
-typedef NTSTATUS (WINAPI *NtQueryObjectFunction)(
- IN HANDLE Handle,
- IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
- OUT PVOID ObjectInformation OPTIONAL,
- IN ULONG ObjectInformationLength,
- OUT PULONG ReturnLength OPTIONAL);
-
-typedef NTSTATUS (WINAPI *NtDuplicateObjectFunction)(
- IN HANDLE SourceProcess,
- IN HANDLE SourceHandle,
- IN HANDLE TargetProcess,
- OUT PHANDLE TargetHandle,
- IN ACCESS_MASK DesiredAccess,
- IN ULONG Attributes,
- IN ULONG Options);
-
-typedef NTSTATUS (WINAPI *NtSignalAndWaitForSingleObjectFunction)(
- IN HANDLE HandleToSignal,
- IN HANDLE HandleToWait,
- IN BOOLEAN Alertable,
- IN PLARGE_INTEGER Timeout OPTIONAL);
-
-typedef NTSTATUS (WINAPI *NtQuerySystemInformation)(
- IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
- OUT PVOID SystemInformation,
- IN ULONG SystemInformationLength,
- OUT PULONG ReturnLength);
-
-typedef NTSTATUS (WINAPI *NtQueryObject)(
- IN HANDLE Handle,
- IN OBJECT_INFORMATION_CLASS ObjectInformationClass,
- OUT PVOID ObjectInformation,
- IN ULONG ObjectInformationLength,
- OUT PULONG ReturnLength);
-
-// -----------------------------------------------------------------------
-// Strings
-
-typedef int (__cdecl *_strnicmpFunction)(
- IN const char* _Str1,
- IN const char* _Str2,
- IN size_t _MaxCount);
-
-typedef size_t (__cdecl *strlenFunction)(
- IN const char * _Str);
-
-typedef size_t (__cdecl *wcslenFunction)(
- IN const wchar_t* _Str);
-
-typedef void* (__cdecl *memcpyFunction)(
- IN void* dest,
- IN const void* src,
- IN size_t count);
-
-typedef NTSTATUS (WINAPI *RtlAnsiStringToUnicodeStringFunction)(
- IN OUT PUNICODE_STRING DestinationString,
- IN PANSI_STRING SourceString,
- IN BOOLEAN AllocateDestinationString);
-
-typedef LONG (WINAPI *RtlCompareUnicodeStringFunction)(
- IN PCUNICODE_STRING String1,
- IN PCUNICODE_STRING String2,
- IN BOOLEAN CaseInSensitive);
-
-typedef VOID (WINAPI *RtlInitUnicodeStringFunction) (
- IN OUT PUNICODE_STRING DestinationString,
- IN PCWSTR SourceString);
-
-typedef enum _EVENT_TYPE {
- NotificationEvent,
- SynchronizationEvent
-} EVENT_TYPE, *PEVENT_TYPE;
-
-typedef NTSTATUS (WINAPI* NtCreateDirectoryObjectFunction) (
- PHANDLE DirectoryHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes);
-
-typedef NTSTATUS (WINAPI* NtOpenDirectoryObjectFunction) (
- PHANDLE DirectoryHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes);
-
-typedef NTSTATUS (WINAPI* NtQuerySymbolicLinkObjectFunction) (
- HANDLE LinkHandle,
- PUNICODE_STRING LinkTarget,
- PULONG ReturnedLength);
-
-typedef NTSTATUS (WINAPI* NtOpenSymbolicLinkObjectFunction) (
- PHANDLE LinkHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes);
-
-#define DIRECTORY_QUERY 0x0001
-#define DIRECTORY_TRAVERSE 0x0002
-#define DIRECTORY_CREATE_OBJECT 0x0004
-#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
-#define DIRECTORY_ALL_ACCESS 0x000F
-
-typedef NTSTATUS (WINAPI* NtCreateLowBoxToken)(
- OUT PHANDLE token,
- IN HANDLE original_handle,
- IN ACCESS_MASK access,
- IN POBJECT_ATTRIBUTES object_attribute,
- IN PSID appcontainer_sid,
- IN DWORD capabilityCount,
- IN PSID_AND_ATTRIBUTES capabilities,
- IN DWORD handle_count,
- IN PHANDLE handles);
-
-typedef NTSTATUS(WINAPI *NtSetInformationProcess)(
- IN HANDLE process_handle,
- IN ULONG info_class,
- IN PVOID process_information,
- IN ULONG information_length);
-
-struct PROCESS_ACCESS_TOKEN {
- HANDLE token;
- HANDLE thread;
-};
-
-const unsigned int NtProcessInformationAccessToken = 9;
-
-#endif // SANDBOX_WIN_SRC_NT_INTERNALS_H__
-
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_broker.cc b/security/sandbox/chromium/sandbox/win/src/policy_broker.cc
deleted file mode 100644
index a946ebc76..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_broker.cc
+++ /dev/null
@@ -1,126 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-
-#include <map>
-
-#include "sandbox/win/src/policy_broker.h"
-
-#include "base/logging.h"
-#include "base/win/pe_image.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/policy_target.h"
-#include "sandbox/win/src/process_thread_interception.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_nt_types.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/target_process.h"
-
-// This code executes on the broker side, as a callback from the policy on the
-// target side (the child).
-
-namespace sandbox {
-
-// This is the list of all imported symbols from ntdll.dll.
-SANDBOX_INTERCEPT NtExports g_nt;
-
-#define INIT_GLOBAL_NT(member) \
- g_nt.member = reinterpret_cast<Nt##member##Function>( \
- ntdll_image.GetProcAddress("Nt" #member)); \
- if (NULL == g_nt.member) \
- return false
-
-#define INIT_GLOBAL_RTL(member) \
- g_nt.member = reinterpret_cast<member##Function>( \
- ntdll_image.GetProcAddress(#member)); \
- if (NULL == g_nt.member) \
- return false
-
-bool InitGlobalNt() {
- HMODULE ntdll = ::GetModuleHandle(kNtdllName);
- base::win::PEImage ntdll_image(ntdll);
-
- // Bypass purify's interception.
- wchar_t* loader_get = reinterpret_cast<wchar_t*>(
- ntdll_image.GetProcAddress("LdrGetDllHandle"));
- if (loader_get) {
- GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
- GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
- loader_get, &ntdll);
- }
-
- INIT_GLOBAL_NT(AllocateVirtualMemory);
- INIT_GLOBAL_NT(Close);
- INIT_GLOBAL_NT(DuplicateObject);
- INIT_GLOBAL_NT(FreeVirtualMemory);
- INIT_GLOBAL_NT(MapViewOfSection);
- INIT_GLOBAL_NT(ProtectVirtualMemory);
- INIT_GLOBAL_NT(QueryInformationProcess);
- INIT_GLOBAL_NT(QueryObject);
- INIT_GLOBAL_NT(QuerySection);
- INIT_GLOBAL_NT(QueryVirtualMemory);
- INIT_GLOBAL_NT(UnmapViewOfSection);
-
- INIT_GLOBAL_RTL(RtlAllocateHeap);
- INIT_GLOBAL_RTL(RtlAnsiStringToUnicodeString);
- INIT_GLOBAL_RTL(RtlCompareUnicodeString);
- INIT_GLOBAL_RTL(RtlCreateHeap);
- INIT_GLOBAL_RTL(RtlCreateUserThread);
- INIT_GLOBAL_RTL(RtlDestroyHeap);
- INIT_GLOBAL_RTL(RtlFreeHeap);
- INIT_GLOBAL_RTL(_strnicmp);
- INIT_GLOBAL_RTL(strlen);
- INIT_GLOBAL_RTL(wcslen);
- INIT_GLOBAL_RTL(memcpy);
-
- return true;
-}
-
-bool SetupNtdllImports(TargetProcess *child) {
- if (!InitGlobalNt()) {
- return false;
- }
-
-#ifndef NDEBUG
- // Verify that the structure is fully initialized.
- for (size_t i = 0; i < sizeof(g_nt)/sizeof(void*); i++)
- DCHECK(reinterpret_cast<char**>(&g_nt)[i]);
-#endif
- return (SBOX_ALL_OK == child->TransferVariable("g_nt", &g_nt, sizeof(g_nt)));
-}
-
-#undef INIT_GLOBAL_NT
-#undef INIT_GLOBAL_RTL
-
-bool SetupBasicInterceptions(InterceptionManager* manager) {
- // Interceptions provided by process_thread_policy, without actual policy.
- if (!INTERCEPT_NT(manager, NtOpenThread, OPEN_TREAD_ID, 20) ||
- !INTERCEPT_NT(manager, NtOpenProcess, OPEN_PROCESS_ID, 20) ||
- !INTERCEPT_NT(manager, NtOpenProcessToken, OPEN_PROCESS_TOKEN_ID, 16))
- return false;
-
- // Interceptions with neither policy nor IPC.
- if (!INTERCEPT_NT(manager, NtSetInformationThread, SET_INFORMATION_THREAD_ID,
- 20) ||
- !INTERCEPT_NT(manager, NtOpenThreadToken, OPEN_THREAD_TOKEN_ID, 20))
- return false;
-
- if (base::win::GetVersion() >= base::win::VERSION_XP) {
- // Bug 27218: We don't have dispatch for some x64 syscalls.
- // This one is also provided by process_thread_policy.
- if (!INTERCEPT_NT(manager, NtOpenProcessTokenEx, OPEN_PROCESS_TOKEN_EX_ID,
- 20))
- return false;
-
- return INTERCEPT_NT(manager, NtOpenThreadTokenEx, OPEN_THREAD_TOKEN_EX_ID,
- 24);
- }
-
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_broker.h b/security/sandbox/chromium/sandbox/win/src/policy_broker.h
deleted file mode 100644
index 15d3b21ef..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_broker.h
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_POLICY_BROKER_H_
-#define SANDBOX_SRC_POLICY_BROKER_H_
-
-#include "sandbox/win/src/interception.h"
-
-namespace sandbox {
-
-class TargetProcess;
-
-// Initializes global imported symbols from ntdll.
-bool InitGlobalNt();
-
-// Sets up interceptions not controlled by explicit policies.
-bool SetupBasicInterceptions(InterceptionManager* manager);
-
-// Sets up imports from NTDLL for the given target process so the interceptions
-// can work.
-bool SetupNtdllImports(TargetProcess *child);
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_POLICY_BROKER_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc b/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc
deleted file mode 100644
index 8dca0d9d6..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.cc
+++ /dev/null
@@ -1,446 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/policy_engine_opcodes.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "sandbox/win/src/sandbox_nt_types.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace {
-const unsigned short kMaxUniStrSize = 0xfffc / sizeof(wchar_t);
-
-bool InitStringUnicode(const wchar_t* source, size_t length,
- UNICODE_STRING* ustring) {
- if (length > kMaxUniStrSize) {
- return false;
- }
- ustring->Buffer = const_cast<wchar_t*>(source);
- ustring->Length = static_cast<USHORT>(length) * sizeof(wchar_t);
- ustring->MaximumLength = (NULL != source) ?
- ustring->Length + sizeof(wchar_t) : 0;
- return true;
-}
-
-} // namespace
-
-namespace sandbox {
-
-SANDBOX_INTERCEPT NtExports g_nt;
-
-// Note: The opcodes are implemented as functions (as opposed to classes derived
-// from PolicyOpcode) because you should not add more member variables to the
-// PolicyOpcode class since it would cause object slicing on the target. So to
-// enforce that (instead of just trusting the developer) the opcodes became
-// just functions.
-//
-// In the code that follows I have keep the evaluation function and the factory
-// function together to stress the close relationship between both. For example,
-// only the factory method and the evaluation function know the stored argument
-// order and meaning.
-
-template <int>
-EvalResult OpcodeEval(PolicyOpcode* opcode, const ParameterSet* pp,
- MatchContext* match);
-
-//////////////////////////////////////////////////////////////////////////////
-// Opcode OpAlwaysFalse:
-// Does not require input parameter.
-
-PolicyOpcode* OpcodeFactory::MakeOpAlwaysFalse(uint32_t options) {
- return MakeBase(OP_ALWAYS_FALSE, options, -1);
-}
-
-template <>
-EvalResult OpcodeEval<OP_ALWAYS_FALSE>(PolicyOpcode* opcode,
- const ParameterSet* param,
- MatchContext* context) {
- return EVAL_FALSE;
-}
-
-//////////////////////////////////////////////////////////////////////////////
-// Opcode OpAlwaysTrue:
-// Does not require input parameter.
-
-PolicyOpcode* OpcodeFactory::MakeOpAlwaysTrue(uint32_t options) {
- return MakeBase(OP_ALWAYS_TRUE, options, -1);
-}
-
-template <>
-EvalResult OpcodeEval<OP_ALWAYS_TRUE>(PolicyOpcode* opcode,
- const ParameterSet* param,
- MatchContext* context) {
- return EVAL_TRUE;
-}
-
-//////////////////////////////////////////////////////////////////////////////
-// Opcode OpAction:
-// Does not require input parameter.
-// Argument 0 contains the actual action to return.
-
-PolicyOpcode* OpcodeFactory::MakeOpAction(EvalResult action, uint32_t options) {
- PolicyOpcode* opcode = MakeBase(OP_ACTION, options, 0);
- if (NULL == opcode) return NULL;
- opcode->SetArgument(0, action);
- return opcode;
-}
-
-template <>
-EvalResult OpcodeEval<OP_ACTION>(PolicyOpcode* opcode,
- const ParameterSet* param,
- MatchContext* context) {
- int action = 0;
- opcode->GetArgument(0, &action);
- return static_cast<EvalResult>(action);
-}
-
-//////////////////////////////////////////////////////////////////////////////
-// Opcode OpNumberMatch:
-// Requires a uint32_t or void* in selected_param
-// Argument 0 is the stored number to match.
-// Argument 1 is the C++ type of the 0th argument.
-
-PolicyOpcode* OpcodeFactory::MakeOpNumberMatch(int16_t selected_param,
- uint32_t match,
- uint32_t options) {
- PolicyOpcode* opcode = MakeBase(OP_NUMBER_MATCH, options, selected_param);
- if (NULL == opcode) return NULL;
- opcode->SetArgument(0, match);
- opcode->SetArgument(1, UINT32_TYPE);
- return opcode;
-}
-
-PolicyOpcode* OpcodeFactory::MakeOpVoidPtrMatch(int16_t selected_param,
- const void* match,
- uint32_t options) {
- PolicyOpcode* opcode = MakeBase(OP_NUMBER_MATCH, options, selected_param);
- if (NULL == opcode) return NULL;
- opcode->SetArgument(0, match);
- opcode->SetArgument(1, VOIDPTR_TYPE);
- return opcode;
-}
-
-template <>
-EvalResult OpcodeEval<OP_NUMBER_MATCH>(PolicyOpcode* opcode,
- const ParameterSet* param,
- MatchContext* context) {
- uint32_t value_uint32 = 0;
- if (param->Get(&value_uint32)) {
- uint32_t match_uint32 = 0;
- opcode->GetArgument(0, &match_uint32);
- return (match_uint32 != value_uint32)? EVAL_FALSE : EVAL_TRUE;
- } else {
- const void* value_ptr = NULL;
- if (param->Get(&value_ptr)) {
- const void* match_ptr = NULL;
- opcode->GetArgument(0, &match_ptr);
- return (match_ptr != value_ptr)? EVAL_FALSE : EVAL_TRUE;
- }
- }
- return EVAL_ERROR;
-}
-
-//////////////////////////////////////////////////////////////////////////////
-// Opcode OpNumberMatchRange
-// Requires a uint32_t in selected_param.
-// Argument 0 is the stored lower bound to match.
-// Argument 1 is the stored upper bound to match.
-
-PolicyOpcode* OpcodeFactory::MakeOpNumberMatchRange(int16_t selected_param,
- uint32_t lower_bound,
- uint32_t upper_bound,
- uint32_t options) {
- if (lower_bound > upper_bound) {
- return NULL;
- }
- PolicyOpcode* opcode = MakeBase(OP_NUMBER_MATCH_RANGE, options,
- selected_param);
- if (NULL == opcode) return NULL;
- opcode->SetArgument(0, lower_bound);
- opcode->SetArgument(1, upper_bound);
- return opcode;
-}
-
-template <>
-EvalResult OpcodeEval<OP_NUMBER_MATCH_RANGE>(PolicyOpcode* opcode,
- const ParameterSet* param,
- MatchContext* context) {
- uint32_t value = 0;
- if (!param->Get(&value)) return EVAL_ERROR;
-
- uint32_t lower_bound = 0;
- uint32_t upper_bound = 0;
- opcode->GetArgument(0, &lower_bound);
- opcode->GetArgument(1, &upper_bound);
- return((lower_bound <= value) && (upper_bound >= value))?
- EVAL_TRUE : EVAL_FALSE;
-}
-
-//////////////////////////////////////////////////////////////////////////////
-// Opcode OpNumberAndMatch:
-// Requires a uint32_t in selected_param.
-// Argument 0 is the stored number to match.
-
-PolicyOpcode* OpcodeFactory::MakeOpNumberAndMatch(int16_t selected_param,
- uint32_t match,
- uint32_t options) {
- PolicyOpcode* opcode = MakeBase(OP_NUMBER_AND_MATCH, options, selected_param);
- if (NULL == opcode) return NULL;
- opcode->SetArgument(0, match);
- return opcode;
-}
-
-template <>
-EvalResult OpcodeEval<OP_NUMBER_AND_MATCH>(PolicyOpcode* opcode,
- const ParameterSet* param,
- MatchContext* context) {
- uint32_t value = 0;
- if (!param->Get(&value)) return EVAL_ERROR;
-
- uint32_t number = 0;
- opcode->GetArgument(0, &number);
- return (number & value)? EVAL_TRUE : EVAL_FALSE;
-}
-
-//////////////////////////////////////////////////////////////////////////////
-// Opcode OpWStringMatch:
-// Requires a wchar_t* in selected_param.
-// Argument 0 is the byte displacement of the stored string.
-// Argument 1 is the lenght in chars of the stored string.
-// Argument 2 is the offset to apply on the input string. It has special values.
-// as noted in the header file.
-// Argument 3 is the string matching options.
-
-PolicyOpcode* OpcodeFactory::MakeOpWStringMatch(int16_t selected_param,
- const wchar_t* match_str,
- int start_position,
- StringMatchOptions match_opts,
- uint32_t options) {
- if (NULL == match_str) {
- return NULL;
- }
- if ('\0' == match_str[0]) {
- return NULL;
- }
-
- int lenght = lstrlenW(match_str);
-
- PolicyOpcode* opcode = MakeBase(OP_WSTRING_MATCH, options, selected_param);
- if (NULL == opcode) {
- return NULL;
- }
- ptrdiff_t delta_str = AllocRelative(opcode, match_str, wcslen(match_str)+1);
- if (0 == delta_str) {
- return NULL;
- }
- opcode->SetArgument(0, delta_str);
- opcode->SetArgument(1, lenght);
- opcode->SetArgument(2, start_position);
- opcode->SetArgument(3, match_opts);
- return opcode;
-}
-
-template<>
-EvalResult OpcodeEval<OP_WSTRING_MATCH>(PolicyOpcode* opcode,
- const ParameterSet* param,
- MatchContext* context) {
- if (NULL == context) {
- return EVAL_ERROR;
- }
- const wchar_t* source_str = NULL;
- if (!param->Get(&source_str)) return EVAL_ERROR;
-
- int start_position = 0;
- int match_len = 0;
- unsigned int match_opts = 0;
- opcode->GetArgument(1, &match_len);
- opcode->GetArgument(2, &start_position);
- opcode->GetArgument(3, &match_opts);
-
- const wchar_t* match_str = opcode->GetRelativeString(0);
- // Advance the source string to the last successfully evaluated position
- // according to the match context.
- source_str = &source_str[context->position];
- int source_len = static_cast<int>(g_nt.wcslen(source_str));
-
- if (0 == source_len) {
- // If we reached the end of the source string there is nothing we can
- // match against.
- return EVAL_FALSE;
- }
- if (match_len > source_len) {
- // There can't be a positive match when the target string is bigger than
- // the source string
- return EVAL_FALSE;
- }
-
- BOOLEAN case_sensitive = (match_opts & CASE_INSENSITIVE) ? TRUE : FALSE;
-
- // We have three cases, depending on the value of start_pos:
- // Case 1. We skip N characters and compare once.
- // Case 2: We skip to the end and compare once.
- // Case 3: We match the first substring (if we find any).
- if (start_position >= 0) {
- if (kSeekToEnd == start_position) {
- start_position = source_len - match_len;
- } else if (match_opts & EXACT_LENGHT) {
- // A sub-case of case 3 is when the EXACT_LENGHT flag is on
- // the match needs to be not just substring but full match.
- if ((match_len + start_position) != source_len) {
- return EVAL_FALSE;
- }
- }
-
- // Advance start_pos characters. Warning! this does not consider
- // utf16 encodings (surrogate pairs) or other Unicode 'features'.
- source_str += start_position;
-
- // Since we skipped, lets reevaluate just the lengths again.
- if ((match_len + start_position) > source_len) {
- return EVAL_FALSE;
- }
-
- UNICODE_STRING match_ustr;
- UNICODE_STRING source_ustr;
- if (!InitStringUnicode(match_str, match_len, &match_ustr) ||
- !InitStringUnicode(source_str, match_len, &source_ustr))
- return EVAL_ERROR;
-
- if (0 == g_nt.RtlCompareUnicodeString(&match_ustr, &source_ustr,
- case_sensitive)) {
- // Match! update the match context.
- context->position += start_position + match_len;
- return EVAL_TRUE;
- } else {
- return EVAL_FALSE;
- }
- } else if (start_position < 0) {
- UNICODE_STRING match_ustr;
- UNICODE_STRING source_ustr;
- if (!InitStringUnicode(match_str, match_len, &match_ustr) ||
- !InitStringUnicode(source_str, match_len, &source_ustr))
- return EVAL_ERROR;
-
- do {
- if (0 == g_nt.RtlCompareUnicodeString(&match_ustr, &source_ustr,
- case_sensitive)) {
- // Match! update the match context.
- context->position += (source_ustr.Buffer - source_str) + match_len;
- return EVAL_TRUE;
- }
- ++source_ustr.Buffer;
- --source_len;
- } while (source_len >= match_len);
- }
- return EVAL_FALSE;
-}
-
-//////////////////////////////////////////////////////////////////////////////
-// OpcodeMaker (other member functions).
-
-PolicyOpcode* OpcodeFactory::MakeBase(OpcodeID opcode_id,
- uint32_t options,
- int16_t selected_param) {
- if (memory_size() < sizeof(PolicyOpcode)) {
- return NULL;
- }
-
- // Create opcode using placement-new on the buffer memory.
- PolicyOpcode* opcode = new(memory_top_) PolicyOpcode();
-
- // Fill in the standard fields, that every opcode has.
- memory_top_ += sizeof(PolicyOpcode);
- opcode->opcode_id_ = opcode_id;
- opcode->SetOptions(options);
- opcode->parameter_ = selected_param;
- return opcode;
-}
-
-ptrdiff_t OpcodeFactory::AllocRelative(void* start, const wchar_t* str,
- size_t lenght) {
- size_t bytes = lenght * sizeof(wchar_t);
- if (memory_size() < bytes) {
- return 0;
- }
- memory_bottom_ -= bytes;
- if (reinterpret_cast<UINT_PTR>(memory_bottom_) & 1) {
- // TODO(cpu) replace this for something better.
- ::DebugBreak();
- }
- memcpy(memory_bottom_, str, bytes);
- ptrdiff_t delta = memory_bottom_ - reinterpret_cast<char*>(start);
- return delta;
-}
-
-//////////////////////////////////////////////////////////////////////////////
-// Opcode evaluation dispatchers.
-
-// This function is the one and only entry for evaluating any opcode. It is
-// in charge of applying any relevant opcode options and calling EvaluateInner
-// were the actual dispatch-by-id is made. It would seem at first glance that
-// the dispatch should be done by virtual function (vtable) calls but you have
-// to remember that the opcodes are made in the broker process and copied as
-// raw memory to the target process.
-
-EvalResult PolicyOpcode::Evaluate(const ParameterSet* call_params,
- size_t param_count, MatchContext* match) {
- if (NULL == call_params) {
- return EVAL_ERROR;
- }
- const ParameterSet* selected_param = NULL;
- if (parameter_ >= 0) {
- if (static_cast<size_t>(parameter_) >= param_count) {
- return EVAL_ERROR;
- }
- selected_param = &call_params[parameter_];
- }
- EvalResult result = EvaluateHelper(selected_param, match);
-
- // Apply the general options regardless of the particular type of opcode.
- if (kPolNone == options_) {
- return result;
- }
-
- if (options_ & kPolNegateEval) {
- if (EVAL_TRUE == result) {
- result = EVAL_FALSE;
- } else if (EVAL_FALSE == result) {
- result = EVAL_TRUE;
- } else if (EVAL_ERROR != result) {
- result = EVAL_ERROR;
- }
- }
- if (NULL != match) {
- if (options_ & kPolClearContext) {
- match->Clear();
- }
- if (options_ & kPolUseOREval) {
- match->options = kPolUseOREval;
- }
- }
- return result;
-}
-
-#define OPCODE_EVAL(op, x, y, z) case op: return OpcodeEval<op>(x, y, z)
-
-EvalResult PolicyOpcode::EvaluateHelper(const ParameterSet* parameters,
- MatchContext* match) {
- switch (opcode_id_) {
- OPCODE_EVAL(OP_ALWAYS_FALSE, this, parameters, match);
- OPCODE_EVAL(OP_ALWAYS_TRUE, this, parameters, match);
- OPCODE_EVAL(OP_NUMBER_MATCH, this, parameters, match);
- OPCODE_EVAL(OP_NUMBER_MATCH_RANGE, this, parameters, match);
- OPCODE_EVAL(OP_NUMBER_AND_MATCH, this, parameters, match);
- OPCODE_EVAL(OP_WSTRING_MATCH, this, parameters, match);
- OPCODE_EVAL(OP_ACTION, this, parameters, match);
- default:
- return EVAL_ERROR;
- }
-}
-
-#undef OPCODE_EVAL
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.h b/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.h
deleted file mode 100644
index 11a9c813e..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_engine_opcodes.h
+++ /dev/null
@@ -1,388 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_POLICY_ENGINE_OPCODES_H_
-#define SANDBOX_WIN_SRC_POLICY_ENGINE_OPCODES_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "base/numerics/safe_conversions.h"
-#include "sandbox/win/src/policy_engine_params.h"
-
-// The low-level policy is implemented using the concept of policy 'opcodes'.
-// An opcode is a structure that contains enough information to perform one
-// comparison against one single input parameter. For example, an opcode can
-// encode just one of the following comparison:
-//
-// - Is input parameter 3 not equal to NULL?
-// - Does input parameter 2 start with L"c:\\"?
-// - Is input parameter 5, bit 3 is equal 1?
-//
-// Each opcode is in fact equivalent to a function invocation where all
-// the parameters are known by the opcode except one. So say you have a
-// function of this form:
-// bool fn(a, b, c, d) with 4 arguments
-//
-// Then an opcode is:
-// op(fn, b, c, d)
-// Which stores the function to call and its 3 last arguments
-//
-// Then and opcode evaluation is:
-// op.eval(a) ------------------------> fn(a,b,c,d)
-// internally calls
-//
-// The idea is that complex policy rules can be split into streams of
-// opcodes which are evaluated in sequence. The evaluation is done in
-// groups of opcodes that have N comparison opcodes plus 1 action opcode:
-//
-// [comparison 1][comparison 2]...[comparison N][action][comparison 1]...
-// ----- evaluation order----------->
-//
-// Each opcode group encodes one high-level policy rule. The rule applies
-// only if all the conditions on the group evaluate to true. The action
-// opcode contains the policy outcome for that particular rule.
-//
-// Note that this header contains the main building blocks of low-level policy
-// but not the low level policy class.
-namespace sandbox {
-
-// These are the possible policy outcomes. Note that some of them might
-// not apply and can be removed. Also note that The following values only
-// specify what to do, not how to do it and it is acceptable given specific
-// cases to ignore the policy outcome.
-enum EvalResult {
- // Comparison opcode values:
- EVAL_TRUE, // Opcode condition evaluated true.
- EVAL_FALSE, // Opcode condition evaluated false.
- EVAL_ERROR, // Opcode condition generated an error while evaluating.
- // Action opcode values:
- ASK_BROKER, // The target must generate an IPC to the broker. On the broker
- // side, this means grant access to the resource.
- DENY_ACCESS, // No access granted to the resource.
- GIVE_READONLY, // Give readonly access to the resource.
- GIVE_ALLACCESS, // Give full access to the resource.
- GIVE_CACHED, // IPC is not required. Target can return a cached handle.
- GIVE_FIRST, // TODO(cpu)
- SIGNAL_ALARM, // Unusual activity. Generate an alarm.
- FAKE_SUCCESS, // Do not call original function. Just return 'success'.
- FAKE_ACCESS_DENIED, // Do not call original function. Just return 'denied'
- // and do not do IPC.
- TERMINATE_PROCESS, // Destroy target process. Do IPC as well.
-};
-
-// The following are the implemented opcodes.
-enum OpcodeID {
- OP_ALWAYS_FALSE, // Evaluates to false (EVAL_FALSE).
- OP_ALWAYS_TRUE, // Evaluates to true (EVAL_TRUE).
- OP_NUMBER_MATCH, // Match a 32-bit integer as n == a.
- OP_NUMBER_MATCH_RANGE, // Match a 32-bit integer as a <= n <= b.
- OP_NUMBER_AND_MATCH, // Match using bitwise AND; as in: n & a != 0.
- OP_WSTRING_MATCH, // Match a string for equality.
- OP_ACTION // Evaluates to an action opcode.
-};
-
-// Options that apply to every opcode. They are specified when creating
-// each opcode using OpcodeFactory::MakeOpXXXXX() family of functions
-// Do nothing special.
-const uint32_t kPolNone = 0;
-
-// Convert EVAL_TRUE into EVAL_FALSE and vice-versa. This allows to express
-// negated conditions such as if ( a && !b).
-const uint32_t kPolNegateEval = 1;
-
-// Zero the MatchContext context structure. This happens after the opcode
-// is evaluated.
-const uint32_t kPolClearContext = 2;
-
-// Use OR when evaluating this set of opcodes. The policy evaluator by default
-// uses AND when evaluating. Very helpful when
-// used with kPolNegateEval. For example if you have a condition best expressed
-// as if(! (a && b && c)), the use of this flags allows it to be expressed as
-// if ((!a) || (!b) || (!c)).
-const uint32_t kPolUseOREval = 4;
-
-// Keeps the evaluation state between opcode evaluations. This is used
-// for string matching where the next opcode needs to continue matching
-// from the last character position from the current opcode. The match
-// context is preserved across opcode evaluation unless an opcode specifies
-// as an option kPolClearContext.
-struct MatchContext {
- size_t position;
- uint32_t options;
-
- MatchContext() {
- Clear();
- }
-
- void Clear() {
- position = 0;
- options = 0;
- }
-};
-
-// Models a policy opcode; that is a condition evaluation were all the
-// arguments but one are stored in objects of this class. Use OpcodeFactory
-// to create objects of this type.
-// This class is just an implementation artifact and not exposed to the
-// API clients or visible in the intercepted service. Internally, an
-// opcode is just:
-// - An integer that identifies the actual opcode.
-// - An index to indicate which one is the input argument
-// - An array of arguments.
-// While an OO hierarchy of objects would have been a natural choice, the fact
-// that 1) this code can execute before the CRT is loaded, presents serious
-// problems in terms of guarantees about the actual state of the vtables and
-// 2) because the opcode objects are generated in the broker process, we need to
-// use plain objects. To preserve some minimal type safety templates are used
-// when possible.
-class PolicyOpcode {
- friend class OpcodeFactory;
- public:
- // Evaluates the opcode. For a typical comparison opcode the return value
- // is EVAL_TRUE or EVAL_FALSE. If there was an error in the evaluation the
- // the return is EVAL_ERROR. If the opcode is an action opcode then the
- // return can take other values such as ASK_BROKER.
- // parameters: An array of all input parameters. This argument is normally
- // created by the macros POLPARAMS_BEGIN() POLPARAMS_END.
- // count: The number of parameters passed as first argument.
- // match: The match context that is persisted across the opcode evaluation
- // sequence.
- EvalResult Evaluate(const ParameterSet* parameters, size_t count,
- MatchContext* match);
-
- // Retrieves a stored argument by index. Valid index values are
- // from 0 to < kArgumentCount.
- template <typename T>
- void GetArgument(size_t index, T* argument) const {
- static_assert(sizeof(T) <= sizeof(arguments_[0]), "invalid size");
- *argument = *reinterpret_cast<const T*>(&arguments_[index].mem);
- }
-
- // Sets a stored argument by index. Valid index values are
- // from 0 to < kArgumentCount.
- template <typename T>
- void SetArgument(size_t index, const T& argument) {
- static_assert(sizeof(T) <= sizeof(arguments_[0]), "invalid size");
- *reinterpret_cast<T*>(&arguments_[index].mem) = argument;
- }
-
- // Retrieves the actual address of an string argument. When using
- // GetArgument() to retrieve an index that contains a string, the returned
- // value is just an offset to the actual string.
- // index: the stored string index. Valid values are from 0
- // to < kArgumentCount.
- const wchar_t* GetRelativeString(size_t index) const {
- ptrdiff_t str_delta = 0;
- GetArgument(index, &str_delta);
- const char* delta = reinterpret_cast<const char*>(this) + str_delta;
- return reinterpret_cast<const wchar_t*>(delta);
- }
-
- // Returns true if this opcode is an action opcode without actually
- // evaluating it. Used to do a quick scan forward to the next opcode group.
- bool IsAction() const {
- return (OP_ACTION == opcode_id_);
- };
-
- // Returns the opcode type.
- OpcodeID GetID() const {
- return opcode_id_;
- }
-
- // Returns the stored options such as kPolNegateEval and others.
- uint32_t GetOptions() const { return options_; }
-
- // Sets the stored options such as kPolNegateEval.
- void SetOptions(uint32_t options) {
- options_ = base::checked_cast<uint16_t>(options);
- }
-
- private:
-
- static const size_t kArgumentCount = 4; // The number of supported argument.
-
- struct OpcodeArgument {
- UINT_PTR mem;
- };
-
- // Better define placement new in the class instead of relying on the
- // global definition which seems to be fubared.
- void* operator new(size_t, void* location) {
- return location;
- }
-
- // Helper function to evaluate the opcode. The parameters have the same
- // meaning that in Evaluate().
- EvalResult EvaluateHelper(const ParameterSet* parameters,
- MatchContext* match);
- OpcodeID opcode_id_;
- int16_t parameter_;
- // TODO(cpu): Making |options_| a uint32_t would avoid casting, but causes
- // test failures. Somewhere code is relying on the size of this struct.
- // http://crbug.com/420296
- uint16_t options_;
- OpcodeArgument arguments_[PolicyOpcode::kArgumentCount];
-};
-
-enum StringMatchOptions {
- CASE_SENSITIVE = 0, // Pay or Not attention to the case as defined by
- CASE_INSENSITIVE = 1, // RtlCompareUnicodeString windows API.
- EXACT_LENGHT = 2 // Don't do substring match. Do full string match.
-};
-
-// Opcodes that do string comparisons take a parameter that is the starting
-// position to perform the comparison so we can do substring matching. There
-// are two special values:
-//
-// Start from the current position and compare strings advancing forward until
-// a match is found if any. Similar to CRT strstr().
-const int kSeekForward = -1;
-// Perform a match with the end of the string. It only does a single comparison.
-const int kSeekToEnd = 0xfffff;
-
-
-// A PolicyBuffer is a variable size structure that contains all the opcodes
-// that are to be created or evaluated in sequence.
-struct PolicyBuffer {
- size_t opcode_count;
- PolicyOpcode opcodes[1];
-};
-
-// Helper class to create any opcode sequence. This class is normally invoked
-// only by the high level policy module or when you need to handcraft a special
-// policy.
-// The factory works by creating the opcodes using a chunk of memory given
-// in the constructor. The opcodes themselves are allocated from the beginning
-// (top) of the memory, while any string that an opcode needs is allocated from
-// the end (bottom) of the memory.
-//
-// In essence:
-//
-// low address ---> [opcode 1]
-// [opcode 2]
-// [opcode 3]
-// | | <--- memory_top_
-// | free |
-// | |
-// | | <--- memory_bottom_
-// [string 1]
-// high address --> [string 2]
-//
-// Note that this class does not keep track of the number of opcodes made and
-// it is designed to be a building block for low-level policy.
-//
-// Note that any of the MakeOpXXXXX member functions below can return NULL on
-// failure. When that happens opcode sequence creation must be aborted.
-class OpcodeFactory {
- public:
- // memory: base pointer to a chunk of memory where the opcodes are created.
- // memory_size: the size in bytes of the memory chunk.
- OpcodeFactory(char* memory, size_t memory_size)
- : memory_top_(memory) {
- memory_bottom_ = &memory_top_[memory_size];
- }
-
- // policy: contains the raw memory where the opcodes are created.
- // memory_size: contains the actual size of the policy argument.
- OpcodeFactory(PolicyBuffer* policy, size_t memory_size) {
- memory_top_ = reinterpret_cast<char*>(&policy->opcodes[0]);
- memory_bottom_ = &memory_top_[memory_size];
- }
-
- // Returns the available memory to make opcodes.
- size_t memory_size() const {
- return memory_bottom_ - memory_top_;
- }
-
- // Creates an OpAlwaysFalse opcode.
- PolicyOpcode* MakeOpAlwaysFalse(uint32_t options);
-
- // Creates an OpAlwaysFalse opcode.
- PolicyOpcode* MakeOpAlwaysTrue(uint32_t options);
-
- // Creates an OpAction opcode.
- // action: The action to return when Evaluate() is called.
- PolicyOpcode* MakeOpAction(EvalResult action, uint32_t options);
-
- // Creates an OpNumberMatch opcode.
- // selected_param: index of the input argument. It must be a uint32_t or the
- // evaluation result will generate a EVAL_ERROR.
- // match: the number to compare against the selected_param.
- PolicyOpcode* MakeOpNumberMatch(int16_t selected_param,
- uint32_t match,
- uint32_t options);
-
- // Creates an OpNumberMatch opcode (void pointers are cast to numbers).
- // selected_param: index of the input argument. It must be an void* or the
- // evaluation result will generate a EVAL_ERROR.
- // match: the pointer numeric value to compare against selected_param.
- PolicyOpcode* MakeOpVoidPtrMatch(int16_t selected_param,
- const void* match,
- uint32_t options);
-
- // Creates an OpNumberMatchRange opcode using the memory passed in the ctor.
- // selected_param: index of the input argument. It must be a uint32_t or the
- // evaluation result will generate a EVAL_ERROR.
- // lower_bound, upper_bound: the range to compare against selected_param.
- PolicyOpcode* MakeOpNumberMatchRange(int16_t selected_param,
- uint32_t lower_bound,
- uint32_t upper_bound,
- uint32_t options);
-
- // Creates an OpWStringMatch opcode using the raw memory passed in the ctor.
- // selected_param: index of the input argument. It must be a wide string
- // pointer or the evaluation result will generate a EVAL_ERROR.
- // match_str: string to compare against selected_param.
- // start_position: when its value is from 0 to < 0x7fff it indicates an
- // offset from the selected_param string where to perform the comparison. If
- // the value is SeekForward then a substring search is performed. If the
- // value is SeekToEnd the comparison is performed against the last part of
- // the selected_param string.
- // Note that the range in the position (0 to 0x7fff) is dictated by the
- // current implementation.
- // match_opts: Indicates additional matching flags. Currently CaseInsensitive
- // is supported.
- PolicyOpcode* MakeOpWStringMatch(int16_t selected_param,
- const wchar_t* match_str,
- int start_position,
- StringMatchOptions match_opts,
- uint32_t options);
-
- // Creates an OpNumberAndMatch opcode using the raw memory passed in the ctor.
- // selected_param: index of the input argument. It must be uint32_t or the
- // evaluation result will generate a EVAL_ERROR.
- // match: the value to bitwise AND against selected_param.
- PolicyOpcode* MakeOpNumberAndMatch(int16_t selected_param,
- uint32_t match,
- uint32_t options);
-
- private:
- // Constructs the common part of every opcode. selected_param is the index
- // of the input param to use when evaluating the opcode. Pass -1 in
- // selected_param to indicate that no input parameter is required.
- PolicyOpcode* MakeBase(OpcodeID opcode_id,
- uint32_t options,
- int16_t selected_param);
-
- // Allocates (and copies) a string (of size length) inside the buffer and
- // returns the displacement with respect to start.
- ptrdiff_t AllocRelative(void* start, const wchar_t* str, size_t lenght);
-
- // Points to the lowest currently available address of the memory
- // used to make the opcodes. This pointer increments as opcodes are made.
- char* memory_top_;
-
- // Points to the highest currently available address of the memory
- // used to make the opcodes. This pointer decrements as opcode strings are
- // allocated.
- char* memory_bottom_;
-
- DISALLOW_COPY_AND_ASSIGN(OpcodeFactory);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_WIN_SRC_POLICY_ENGINE_OPCODES_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_engine_params.h b/security/sandbox/chromium/sandbox/win/src/policy_engine_params.h
deleted file mode 100644
index fb4c00e3d..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_engine_params.h
+++ /dev/null
@@ -1,202 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_POLICY_ENGINE_PARAMS_H__
-#define SANDBOX_SRC_POLICY_ENGINE_PARAMS_H__
-
-#include <stdint.h>
-
-#include "sandbox/win/src/internal_types.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-// This header defines the classes that allow the low level policy to select
-// the input parameters. In order to better make sense of this header is
-// recommended that you check policy_engine_opcodes.h first.
-
-namespace sandbox {
-
-// Models the set of interesting parameters of an intercepted system call
-// normally you don't create objects of this class directly, instead you
-// use the POLPARAMS_XXX macros.
-// For example, if an intercepted function has the following signature:
-//
-// NTSTATUS NtOpenFileFunction (PHANDLE FileHandle,
-// ACCESS_MASK DesiredAccess,
-// POBJECT_ATTRIBUTES ObjectAttributes,
-// PIO_STATUS_BLOCK IoStatusBlock,
-// ULONG ShareAccess,
-// ULONG OpenOptions);
-//
-// You could say that the following parameters are of interest to policy:
-//
-// POLPARAMS_BEGIN(open_params)
-// POLPARAM(DESIRED_ACCESS)
-// POLPARAM(OBJECT_NAME)
-// POLPARAM(SECURITY_DESCRIPTOR)
-// POLPARAM(IO_STATUS)
-// POLPARAM(OPEN_OPTIONS)
-// POLPARAMS_END;
-//
-// and the actual code will use this for defining the parameters:
-//
-// CountedParameterSet<open_params> p;
-// p[open_params::DESIRED_ACCESS] = ParamPickerMake(DesiredAccess);
-// p[open_params::OBJECT_NAME] =
-// ParamPickerMake(ObjectAttributes->ObjectName);
-// p[open_params::SECURITY_DESCRIPTOR] =
-// ParamPickerMake(ObjectAttributes->SecurityDescriptor);
-// p[open_params::IO_STATUS] = ParamPickerMake(IoStatusBlock);
-// p[open_params::OPEN_OPTIONS] = ParamPickerMake(OpenOptions);
-//
-// These will create an stack-allocated array of ParameterSet objects which
-// have each 1) the address of the parameter 2) a numeric id that encodes the
-// original C++ type. This allows the policy to treat any set of supported
-// argument types uniformily and with some type safety.
-//
-// TODO(cpu): support not fully implemented yet for unicode string and will
-// probably add other types as well.
-class ParameterSet {
- public:
- ParameterSet() : real_type_(INVALID_TYPE), address_(NULL) {}
-
- // Retrieve the stored parameter. If the type does not match ulong fail.
- bool Get(uint32_t* destination) const {
- if (real_type_ != UINT32_TYPE) {
- return false;
- }
- *destination = Void2TypePointerCopy<uint32_t>();
- return true;
- }
-
- // Retrieve the stored parameter. If the type does not match void* fail.
- bool Get(const void** destination) const {
- if (real_type_ != VOIDPTR_TYPE) {
- return false;
- }
- *destination = Void2TypePointerCopy<void*>();
- return true;
- }
-
- // Retrieve the stored parameter. If the type does not match wchar_t* fail.
- bool Get(const wchar_t** destination) const {
- if (real_type_ != WCHAR_TYPE) {
- return false;
- }
- *destination = Void2TypePointerCopy<const wchar_t*>();
- return true;
- }
-
- // False if the parameter is not properly initialized.
- bool IsValid() const {
- return real_type_ != INVALID_TYPE;
- }
-
- protected:
- // The constructor can only be called by derived types, which should
- // safely provide the real_type and the address of the argument.
- ParameterSet(ArgType real_type, const void* address)
- : real_type_(real_type), address_(address) {
- }
-
- private:
- // This template provides the same functionality as bits_cast but
- // it works with pointer while the former works only with references.
- template <typename T>
- T Void2TypePointerCopy() const {
- return *(reinterpret_cast<const T*>(address_));
- }
-
- ArgType real_type_;
- const void* address_;
-};
-
-// To safely infer the type, we use a set of template specializations
-// in ParameterSetEx with a template function ParamPickerMake to do the
-// parameter type deduction.
-
-// Base template class. Not implemented so using unsupported types should
-// fail to compile.
-template <typename T>
-class ParameterSetEx : public ParameterSet {
- public:
- ParameterSetEx(const void* address);
-};
-
-template<>
-class ParameterSetEx<void const*> : public ParameterSet {
- public:
- ParameterSetEx(const void* address)
- : ParameterSet(VOIDPTR_TYPE, address) {}
-};
-
-template<>
-class ParameterSetEx<void*> : public ParameterSet {
- public:
- ParameterSetEx(const void* address)
- : ParameterSet(VOIDPTR_TYPE, address) {}
-};
-
-
-template<>
-class ParameterSetEx<wchar_t*> : public ParameterSet {
- public:
- ParameterSetEx(const void* address)
- : ParameterSet(WCHAR_TYPE, address) {}
-};
-
-template<>
-class ParameterSetEx<wchar_t const*> : public ParameterSet {
- public:
- ParameterSetEx(const void* address)
- : ParameterSet(WCHAR_TYPE, address) {}
-};
-
-template <>
-class ParameterSetEx<uint32_t> : public ParameterSet {
- public:
- ParameterSetEx(const void* address)
- : ParameterSet(UINT32_TYPE, address) {}
-};
-
-template<>
-class ParameterSetEx<UNICODE_STRING> : public ParameterSet {
- public:
- ParameterSetEx(const void* address)
- : ParameterSet(UNISTR_TYPE, address) {}
-};
-
-template <typename T>
-ParameterSet ParamPickerMake(T& parameter) {
- return ParameterSetEx<T>(&parameter);
-};
-
-struct CountedParameterSetBase {
- int count;
- ParameterSet parameters[1];
-};
-
-// This template defines the actual list of policy parameters for a given
-// interception.
-// Warning: This template stores the address to the actual variables, in
-// other words, the values are not copied.
-template <typename T>
-struct CountedParameterSet {
- CountedParameterSet() : count(T::PolParamLast) {}
-
- ParameterSet& operator[](typename T::Args n) {
- return parameters[n];
- }
-
- CountedParameterSetBase* GetBase() {
- return reinterpret_cast<CountedParameterSetBase*>(this);
- }
-
- int count;
- ParameterSet parameters[T::PolParamLast];
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_POLICY_ENGINE_PARAMS_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_engine_processor.cc b/security/sandbox/chromium/sandbox/win/src/policy_engine_processor.cc
deleted file mode 100644
index 960db085c..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_engine_processor.cc
+++ /dev/null
@@ -1,110 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "sandbox/win/src/policy_engine_processor.h"
-
-namespace sandbox {
-
-void PolicyProcessor::SetInternalState(size_t index, EvalResult result) {
- state_.current_index_ = index;
- state_.current_result_ = result;
-}
-
-EvalResult PolicyProcessor::GetAction() const {
- return state_.current_result_;
-}
-
-// Decides if an opcode can be skipped (not evaluated) or not. The function
-// takes as inputs the opcode and the current evaluation context and returns
-// true if the opcode should be skipped or not and also can set keep_skipping
-// to false to signal that the current instruction should be skipped but not
-// the next after the current one.
-bool SkipOpcode(const PolicyOpcode& opcode, MatchContext* context,
- bool* keep_skipping) {
- if (opcode.IsAction()) {
- uint32_t options = context->options;
- context->Clear();
- *keep_skipping = false;
- return (kPolUseOREval != options);
- }
- *keep_skipping = true;
- return true;
-}
-
-PolicyResult PolicyProcessor::Evaluate(uint32_t options,
- ParameterSet* parameters,
- size_t param_count) {
- if (NULL == policy_) {
- return NO_POLICY_MATCH;
- }
- if (0 == policy_->opcode_count) {
- return NO_POLICY_MATCH;
- }
- if (!(kShortEval & options)) {
- return POLICY_ERROR;
- }
-
- MatchContext context;
- bool evaluation = false;
- bool skip_group = false;
- SetInternalState(0, EVAL_FALSE);
- size_t count = policy_->opcode_count;
-
- // Loop over all the opcodes Evaluating in sequence. Since we only support
- // short circuit evaluation, we stop as soon as we find an 'action' opcode
- // and the current evaluation is true.
- //
- // Skipping opcodes can happen when we are in AND mode (!kPolUseOREval) and
- // have got EVAL_FALSE or when we are in OR mode (kPolUseOREval) and got
- // EVAL_TRUE. Skipping will stop at the next action opcode or at the opcode
- // after the action depending on kPolUseOREval.
-
- for (size_t ix = 0; ix != count; ++ix) {
- PolicyOpcode& opcode = policy_->opcodes[ix];
- // Skipping block.
- if (skip_group) {
- if (SkipOpcode(opcode, &context, &skip_group)) {
- continue;
- }
- }
- // Evaluation block.
- EvalResult result = opcode.Evaluate(parameters, param_count, &context);
- switch (result) {
- case EVAL_FALSE:
- evaluation = false;
- if (kPolUseOREval != context.options) {
- skip_group = true;
- }
- break;
- case EVAL_ERROR:
- if (kStopOnErrors & options) {
- return POLICY_ERROR;
- }
- break;
- case EVAL_TRUE:
- evaluation = true;
- if (kPolUseOREval == context.options) {
- skip_group = true;
- }
- break;
- default:
- // We have evaluated an action.
- SetInternalState(ix, result);
- return POLICY_MATCH;
- }
- }
-
- if (evaluation) {
- // Reaching the end of the policy with a positive evaluation is probably
- // an error: we did not find a final action opcode?
- return POLICY_ERROR;
- }
- return NO_POLICY_MATCH;
-}
-
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_engine_processor.h b/security/sandbox/chromium/sandbox/win/src/policy_engine_processor.h
deleted file mode 100644
index 0d5689604..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_engine_processor.h
+++ /dev/null
@@ -1,148 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
-#define SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_engine_params.h"
-
-namespace sandbox {
-
-// This header contains the core policy evaluator. In its simplest form
-// it evaluates a stream of opcodes assuming that they are laid out in
-// memory as opcode groups.
-//
-// An opcode group has N comparison opcodes plus 1 action opcode. For
-// example here we have 3 opcode groups (A, B,C):
-//
-// [comparison 1] <-- group A start
-// [comparison 2]
-// [comparison 3]
-// [action A ]
-// [comparison 1] <-- group B start
-// [action B ]
-// [comparison 1] <-- group C start
-// [comparison 2]
-// [action C ]
-//
-// The opcode evaluator proceeds from the top, evaluating each opcode in
-// sequence. An opcode group is evaluated until the first comparison that
-// returns false. At that point the rest of the group is skipped and evaluation
-// resumes with the first comparison of the next group. When all the comparisons
-// in a group have evaluated to true and the action is reached. The group is
-// considered a matching group.
-//
-// In the 'ShortEval' mode evaluation stops when it reaches the end or the first
-// matching group. The action opcode from this group is the resulting policy
-// action.
-//
-// In the 'RankedEval' mode evaluation stops only when it reaches the end of the
-// the opcode stream. In the process all matching groups are saved and at the
-// end the 'best' group is selected (what makes the best is TBD) and the action
-// from this group is the resulting policy action.
-//
-// As explained above, the policy evaluation of a group is a logical AND of
-// the evaluation of each opcode. However an opcode can request kPolUseOREval
-// which makes the evaluation to use logical OR. Given that each opcode can
-// request its evaluation result to be negated with kPolNegateEval you can
-// achieve the negation of the total group evaluation. This means that if you
-// need to express:
-// if (!(c1 && c2 && c3))
-// You can do it by:
-// if ((!c1) || (!c2) || (!c3))
-//
-
-// Possible outcomes of policy evaluation.
-enum PolicyResult {
- NO_POLICY_MATCH,
- POLICY_MATCH,
- POLICY_ERROR
-};
-
-// Policy evaluation flags
-// TODO(cpu): implement the options kStopOnErrors & kRankedEval.
-//
-// Stop evaluating as soon as an error is encountered.
-const uint32_t kStopOnErrors = 1;
-// Ignore all non fatal opcode evaluation errors.
-const uint32_t kIgnoreErrors = 2;
-// Short-circuit evaluation: Only evaluate until opcode group that
-// evaluated to true has been found.
-const uint32_t kShortEval = 4;
-// Discussed briefly at the policy design meeting. It will evaluate
-// all rules and then return the 'best' rule that evaluated true.
-const uint32_t kRankedEval = 8;
-
-// This class evaluates a policy-opcode stream given the memory where the
-// opcodes are and an input 'parameter set'.
-//
-// This class is designed to be callable from interception points
-// as low as the NtXXXX service level (it is not currently safe, but
-// it is designed to be made safe).
-//
-// Its usage in an interception is:
-//
-// POLPARAMS_BEGIN(eval_params)
-// POLPARAM(param1)
-// POLPARAM(param2)
-// POLPARAM(param3)
-// POLPARAM(param4)
-// POLPARAM(param5)
-// POLPARAMS_END;
-//
-// PolicyProcessor pol_evaluator(policy_memory);
-// PolicyResult pr = pol_evaluator.Evaluate(ShortEval, eval_params,
-// _countof(eval_params));
-// if (NO_POLICY_MATCH == pr) {
-// EvalResult policy_action = pol_evaluator.GetAction();
-// // apply policy here...
-// }
-//
-// Where the POLPARAM() arguments are derived from the intercepted function
-// arguments, and represent all the 'interesting' policy inputs, and
-// policy_memory is a memory buffer containing the opcode stream that is the
-// relevant policy for this intercept.
-class PolicyProcessor {
- public:
- // policy_buffer contains opcodes made with OpcodeFactory. They are usually
- // created in the broker process and evaluated in the target process.
-
- // This constructor is just a variant of the previous constructor.
- explicit PolicyProcessor(PolicyBuffer* policy)
- : policy_(policy) {
- SetInternalState(0, EVAL_FALSE);
- }
-
- // Evaluates a policy-opcode stream. See the comments at the top of this
- // class for more info. Returns POLICY_MATCH if a rule set was found that
- // matches an active policy.
- PolicyResult Evaluate(uint32_t options,
- ParameterSet* parameters,
- size_t parameter_count);
-
- // If the result of Evaluate() was POLICY_MATCH, calling this function returns
- // the recommended policy action.
- EvalResult GetAction() const;
-
- private:
- struct {
- size_t current_index_;
- EvalResult current_result_;
- } state_;
-
- // Sets the currently matching action result.
- void SetInternalState(size_t index, EvalResult result);
-
- PolicyBuffer* policy_;
- DISALLOW_COPY_AND_ASSIGN(PolicyProcessor);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_POLICY_ENGINE_PROCESSOR_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_engine_unittest.cc b/security/sandbox/chromium/sandbox/win/src/policy_engine_unittest.cc
deleted file mode 100644
index 5572bdcd3..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_engine_unittest.cc
+++ /dev/null
@@ -1,105 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "sandbox/win/src/policy_engine_params.h"
-#include "sandbox/win/src/policy_engine_processor.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
-#define POLPARAM(p) sandbox::ParamPickerMake(p),
-#define POLPARAMS_END }
-
-namespace sandbox {
-
-bool SetupNtdllImports();
-
-TEST(PolicyEngineTest, Rules1) {
- SetupNtdllImports();
-
- // Construct two policy rules that say:
- //
- // #1
- // If the path is c:\\documents and settings\\* AND
- // If the creation mode is 'open existing' AND
- // If the security descriptor is null THEN
- // Ask the broker.
- //
- // #2
- // If the security descriptor is null AND
- // If the path ends with *.txt AND
- // If the creation mode is not 'create new' THEN
- // return Access Denied.
-
- enum FileCreateArgs {
- FileNameArg,
- CreationDispositionArg,
- FlagsAndAttributesArg,
- SecurityAttributes
- };
-
- const size_t policy_sz = 1024;
- PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(new char[policy_sz]);
- OpcodeFactory opcode_maker(policy, policy_sz - 0x40);
-
- // Add rule set #1
- opcode_maker.MakeOpWStringMatch(FileNameArg,
- L"c:\\documents and settings\\",
- 0, CASE_INSENSITIVE, kPolNone);
- opcode_maker.MakeOpNumberMatch(CreationDispositionArg, OPEN_EXISTING,
- kPolNone);
- opcode_maker.MakeOpVoidPtrMatch(SecurityAttributes, (void*)NULL,
- kPolNone);
- opcode_maker.MakeOpAction(ASK_BROKER, kPolNone);
-
- // Add rule set #2
- opcode_maker.MakeOpWStringMatch(FileNameArg, L".TXT",
- kSeekToEnd, CASE_INSENSITIVE, kPolNone);
- opcode_maker.MakeOpNumberMatch(CreationDispositionArg, CREATE_NEW,
- kPolNegateEval);
- opcode_maker.MakeOpAction(FAKE_ACCESS_DENIED, kPolNone);
- policy->opcode_count = 7;
-
- const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
- uint32_t creation_mode = OPEN_EXISTING;
- uint32_t flags = FILE_ATTRIBUTE_NORMAL;
- void* security_descriptor = NULL;
-
- POLPARAMS_BEGIN(eval_params)
- POLPARAM(filename)
- POLPARAM(creation_mode)
- POLPARAM(flags)
- POLPARAM(security_descriptor)
- POLPARAMS_END;
-
- PolicyResult pr;
- PolicyProcessor pol_ev(policy);
-
- // Test should match the first rule set.
- pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, pr);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- // Test should still match the first rule set.
- pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, pr);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- // Changing creation_mode such that evaluation should not match any rule.
- creation_mode = CREATE_NEW;
- pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, pr);
-
- // Changing creation_mode such that evaluation should match rule #2.
- creation_mode = OPEN_ALWAYS;
- pr = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, pr);
- EXPECT_EQ(FAKE_ACCESS_DENIED, pol_ev.GetAction());
-
- delete [] reinterpret_cast<char*>(policy);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_low_level.cc b/security/sandbox/chromium/sandbox/win/src/policy_low_level.cc
deleted file mode 100644
index 526b23d6b..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_low_level.cc
+++ /dev/null
@@ -1,360 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/policy_low_level.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <map>
-#include <string>
-
-namespace {
-
- // A single rule can use at most this amount of memory.
- const size_t kRuleBufferSize = 1024*4;
-
- // The possible states of the string matching opcode generator.
- enum {
- PENDING_NONE,
- PENDING_ASTERISK, // Have seen an '*' but have not generated an opcode.
- PENDING_QMARK, // Have seen an '?' but have not generated an opcode.
- };
-
- // The category of the last character seen by the string matching opcode
- // generator.
- const uint32_t kLastCharIsNone = 0;
- const uint32_t kLastCharIsAlpha = 1;
- const uint32_t kLastCharIsWild = 2;
- const uint32_t kLastCharIsAsterisk = kLastCharIsWild + 4;
- const uint32_t kLastCharIsQuestionM = kLastCharIsWild + 8;
-}
-
-namespace sandbox {
-
-LowLevelPolicy::LowLevelPolicy(PolicyGlobal* policy_store)
- : policy_store_(policy_store) {
-}
-
-// Adding a rule is nothing more than pushing it into an stl container. Done()
-// is called for the rule in case the code that made the rule in the first
-// place has not done it.
-bool LowLevelPolicy::AddRule(int service, PolicyRule* rule) {
- if (!rule->Done()) {
- return false;
- }
-
- PolicyRule* local_rule = new PolicyRule(*rule);
- RuleNode node = {local_rule, service};
- rules_.push_back(node);
- return true;
-}
-
-LowLevelPolicy::~LowLevelPolicy() {
- // Delete all the rules.
- typedef std::list<RuleNode> RuleNodes;
- for (RuleNodes::iterator it = rules_.begin(); it != rules_.end(); ++it) {
- delete it->rule;
- }
-}
-
-// Here is where the heavy byte shuffling is done. We take all the rules and
-// 'compile' them into a single memory region. Now, the rules are in random
-// order so the first step is to reorganize them into a stl map that is keyed
-// by the service id and as a value contains a list with all the rules that
-// belong to that service. Then we enter the big for-loop where we carve a
-// memory zone for the opcodes and the data and call RebindCopy on each rule
-// so they all end up nicely packed in the policy_store_.
-bool LowLevelPolicy::Done() {
- typedef std::list<RuleNode> RuleNodes;
- typedef std::list<const PolicyRule*> RuleList;
- typedef std::map<uint32_t, RuleList> Mmap;
- Mmap mmap;
-
- for (RuleNodes::iterator it = rules_.begin(); it != rules_.end(); ++it) {
- mmap[it->service].push_back(it->rule);
- }
-
- PolicyBuffer* current_buffer = &policy_store_->data[0];
- char* buffer_end = reinterpret_cast<char*>(current_buffer) +
- policy_store_->data_size;
- size_t avail_size = policy_store_->data_size;
-
- for (Mmap::iterator it = mmap.begin(); it != mmap.end(); ++it) {
- uint32_t service = (*it).first;
- if (service >= kMaxServiceCount) {
- return false;
- }
- policy_store_->entry[service] = current_buffer;
-
- RuleList::iterator rules_it = (*it).second.begin();
- RuleList::iterator rules_it_end = (*it).second.end();
-
- size_t svc_opcode_count = 0;
-
- for (; rules_it != rules_it_end; ++rules_it) {
- const PolicyRule* rule = (*rules_it);
- size_t op_count = rule->GetOpcodeCount();
-
- size_t opcodes_size = op_count * sizeof(PolicyOpcode);
- if (avail_size < opcodes_size) {
- return false;
- }
- size_t data_size = avail_size - opcodes_size;
- PolicyOpcode* opcodes_start = &current_buffer->opcodes[svc_opcode_count];
- if (!rule->RebindCopy(opcodes_start, opcodes_size,
- buffer_end, &data_size)) {
- return false;
- }
- size_t used = avail_size - data_size;
- buffer_end -= used;
- avail_size -= used;
- svc_opcode_count += op_count;
- }
-
- current_buffer->opcode_count += svc_opcode_count;
- size_t policy_byte_count = (svc_opcode_count * sizeof(PolicyOpcode))
- / sizeof(current_buffer[0]);
- current_buffer = &current_buffer[policy_byte_count + 1];
- }
-
- return true;
-}
-
-PolicyRule::PolicyRule(EvalResult action)
- : action_(action), done_(false) {
- char* memory = new char[sizeof(PolicyBuffer) + kRuleBufferSize];
- buffer_ = reinterpret_cast<PolicyBuffer*>(memory);
- buffer_->opcode_count = 0;
- opcode_factory_ = new OpcodeFactory(buffer_,
- kRuleBufferSize + sizeof(PolicyOpcode));
-}
-
-PolicyRule::PolicyRule(const PolicyRule& other) {
- if (this == &other)
- return;
- action_ = other.action_;
- done_ = other.done_;
- size_t buffer_size = sizeof(PolicyBuffer) + kRuleBufferSize;
- char* memory = new char[buffer_size];
- buffer_ = reinterpret_cast<PolicyBuffer*>(memory);
- memcpy(buffer_, other.buffer_, buffer_size);
-
- char* opcode_buffer = reinterpret_cast<char*>(&buffer_->opcodes[0]);
- char* next_opcode = &opcode_buffer[GetOpcodeCount() * sizeof(PolicyOpcode)];
- opcode_factory_ =
- new OpcodeFactory(next_opcode, other.opcode_factory_->memory_size());
-}
-
-// This function get called from a simple state machine implemented in
-// AddStringMatch() which passes the current state (in state) and it passes
-// true in last_call if AddStringMatch() has finished processing the input
-// pattern string and this would be the last call to generate any pending
-// opcode. The skip_count is the currently accumulated number of '?' seen so
-// far and once the associated opcode is generated this function sets it back
-// to zero.
-bool PolicyRule::GenStringOpcode(RuleType rule_type,
- StringMatchOptions match_opts,
- uint16_t parameter,
- int state,
- bool last_call,
- int* skip_count,
- base::string16* fragment) {
- // The last opcode must:
- // 1) Always clear the context.
- // 2) Preserve the negation.
- // 3) Remove the 'OR' mode flag.
- uint32_t options = kPolNone;
- if (last_call) {
- if (IF_NOT == rule_type) {
- options = kPolClearContext | kPolNegateEval;
- } else {
- options = kPolClearContext;
- }
- } else if (IF_NOT == rule_type) {
- options = kPolUseOREval | kPolNegateEval;
- }
-
- PolicyOpcode* op = NULL;
-
- // The fragment string contains the accumulated characters to match with, it
- // never contains wildcards (unless they have been escaped) and while there
- // is no fragment there is no new string match opcode to generate.
- if (fragment->empty()) {
- // There is no new opcode to generate but in the last call we have to fix
- // the previous opcode because it was really the last but we did not know
- // it at that time.
- if (last_call && (buffer_->opcode_count > 0)) {
- op = &buffer_->opcodes[buffer_->opcode_count - 1];
- op->SetOptions(options);
- }
- return true;
- }
-
- if (PENDING_ASTERISK == state) {
- if (last_call) {
- op = opcode_factory_->MakeOpWStringMatch(parameter, fragment->c_str(),
- kSeekToEnd, match_opts,
- options);
- } else {
- op = opcode_factory_->MakeOpWStringMatch(parameter, fragment->c_str(),
- kSeekForward, match_opts,
- options);
- }
-
- } else if (PENDING_QMARK == state) {
- op = opcode_factory_->MakeOpWStringMatch(parameter, fragment->c_str(),
- *skip_count, match_opts, options);
- *skip_count = 0;
- } else {
- if (last_call) {
- match_opts = static_cast<StringMatchOptions>(EXACT_LENGHT | match_opts);
- }
- op = opcode_factory_->MakeOpWStringMatch(parameter, fragment->c_str(), 0,
- match_opts, options);
- }
- if (NULL == op) {
- return false;
- }
- ++buffer_->opcode_count;
- fragment->clear();
- return true;
-}
-
-bool PolicyRule::AddStringMatch(RuleType rule_type,
- int16_t parameter,
- const wchar_t* string,
- StringMatchOptions match_opts) {
- if (done_) {
- // Do not allow to add more rules after generating the action opcode.
- return false;
- }
-
- const wchar_t* current_char = string;
- uint32_t last_char = kLastCharIsNone;
- int state = PENDING_NONE;
- int skip_count = 0; // counts how many '?' we have seen in a row.
- base::string16 fragment; // accumulates the non-wildcard part.
-
- while (L'\0' != *current_char) {
- switch (*current_char) {
- case L'*':
- if (kLastCharIsWild & last_char) {
- // '**' and '&*' is an error.
- return false;
- }
- if (!GenStringOpcode(rule_type, match_opts, parameter,
- state, false, &skip_count, &fragment)) {
- return false;
- }
- last_char = kLastCharIsAsterisk;
- state = PENDING_ASTERISK;
- break;
- case L'?':
- if (kLastCharIsAsterisk == last_char) {
- // '*?' is an error.
- return false;
- }
- if (!GenStringOpcode(rule_type, match_opts, parameter,
- state, false, &skip_count, &fragment)) {
- return false;
- }
- ++skip_count;
- last_char = kLastCharIsQuestionM;
- state = PENDING_QMARK;
- break;
- case L'/':
- // Note: "/?" is an escaped '?'. Eat the slash and fall through.
- if (L'?' == current_char[1]) {
- ++current_char;
- }
- default:
- fragment += *current_char;
- last_char = kLastCharIsAlpha;
- }
- ++current_char;
- }
-
- if (!GenStringOpcode(rule_type, match_opts, parameter,
- state, true, &skip_count, &fragment)) {
- return false;
- }
- return true;
-}
-
-bool PolicyRule::AddNumberMatch(RuleType rule_type,
- int16_t parameter,
- uint32_t number,
- RuleOp comparison_op) {
- if (done_) {
- // Do not allow to add more rules after generating the action opcode.
- return false;
- }
- uint32_t opts = (rule_type == IF_NOT) ? kPolNegateEval : kPolNone;
-
- if (EQUAL == comparison_op) {
- if (NULL == opcode_factory_->MakeOpNumberMatch(parameter, number, opts)) {
- return false;
- }
- } else if (AND == comparison_op) {
- if (NULL == opcode_factory_->MakeOpNumberAndMatch(parameter, number,
- opts)) {
- return false;
- }
- }
- ++buffer_->opcode_count;
- return true;
-}
-
-bool PolicyRule::Done() {
- if (done_) {
- return true;
- }
- if (NULL == opcode_factory_->MakeOpAction(action_, kPolNone)) {
- return false;
- }
- ++buffer_->opcode_count;
- done_ = true;
- return true;
-}
-
-bool PolicyRule::RebindCopy(PolicyOpcode* opcode_start, size_t opcode_size,
- char* data_start, size_t* data_size) const {
- size_t count = buffer_->opcode_count;
- for (size_t ix = 0; ix != count; ++ix) {
- if (opcode_size < sizeof(PolicyOpcode)) {
- return false;
- }
- PolicyOpcode& opcode = buffer_->opcodes[ix];
- *opcode_start = opcode;
- if (OP_WSTRING_MATCH == opcode.GetID()) {
- // For this opcode argument 0 is a delta to the string and argument 1
- // is the length (in chars) of the string.
- const wchar_t* str = opcode.GetRelativeString(0);
- size_t str_len;
- opcode.GetArgument(1, &str_len);
- str_len = str_len * sizeof(wchar_t);
- if ((*data_size) < str_len) {
- return false;
- }
- *data_size -= str_len;
- data_start -= str_len;
- memcpy(data_start, str, str_len);
- // Recompute the string displacement
- ptrdiff_t delta = data_start - reinterpret_cast<char*>(opcode_start);
- opcode_start->SetArgument(0, delta);
- }
- ++opcode_start;
- opcode_size -= sizeof(PolicyOpcode);
- }
-
- return true;
-}
-
-PolicyRule::~PolicyRule() {
- delete [] reinterpret_cast<char*>(buffer_);
- delete opcode_factory_;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_low_level.h b/security/sandbox/chromium/sandbox/win/src/policy_low_level.h
deleted file mode 100644
index f77787c77..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_low_level.h
+++ /dev/null
@@ -1,193 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_POLICY_LOW_LEVEL_H__
-#define SANDBOX_SRC_POLICY_LOW_LEVEL_H__
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <list>
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_engine_params.h"
-
-// Low level policy classes.
-// Built on top of the PolicyOpcode and OpcodeFatory, the low level policy
-// provides a way to define rules on strings and numbers but it is unaware
-// of Windows specific details or how the Interceptions must be set up.
-// To use these classes you construct one or more rules and add them to the
-// LowLevelPolicy object like this:
-//
-// PolicyRule rule1(ASK_BROKER);
-// rule1.AddStringMatch(IF, 0, L"\\\\/?/?\\c:\\*Microsoft*\\*.exe", true);
-// rule1.AddNumberMatch(IF_NOT, 1, CREATE_ALWAYS, EQUAL);
-// rule1.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL);
-//
-// PolicyRule rule2(FAKE_SUCCESS);
-// rule2.AddStringMatch(IF, 0, L"\\\\/?/?\\Pipe\\Chrome.*", false));
-// rule2.AddNumberMatch(IF, 1, OPEN_EXISTING, EQUAL));
-//
-// LowLevelPolicy policyGen(*policy_memory);
-// policyGen.AddRule(kNtCreateFileSvc, &rule1);
-// policyGen.AddRule(kNtCreateFileSvc, &rule2);
-// policyGen.Done();
-//
-// At this point (error checking omitted) the policy_memory can be copied
-// to the target process where it can be evaluated.
-
-namespace sandbox {
-
-// TODO(cpu): Move this constant to crosscall_client.h.
-const size_t kMaxServiceCount = 32;
-static_assert(IPC_LAST_TAG <= kMaxServiceCount,
- "kMaxServiceCount is too low");
-
-// Defines the memory layout of the policy. This memory is filled by
-// LowLevelPolicy object.
-// For example:
-//
-// [Service 0] --points to---\
-// [Service 1] --------------|-----\
-// ...... | |
-// [Service N] | |
-// [data_size] | |
-// [Policy Buffer 0] <-------/ |
-// [opcodes of] |
-// ....... |
-// [Policy Buffer 1] <-------------/
-// [opcodes]
-// .......
-// .......
-// [Policy Buffer N]
-// [opcodes]
-// .......
-// <possibly unused space here>
-// .......
-// [opcode string ]
-// [opcode string ]
-// .......
-// [opcode string ]
-struct PolicyGlobal {
- PolicyBuffer* entry[kMaxServiceCount];
- size_t data_size;
- PolicyBuffer data[1];
-};
-
-class PolicyRule;
-
-// Provides the means to collect rules into a policy store (memory)
-class LowLevelPolicy {
- public:
- // policy_store: must contain allocated memory and the internal
- // size fields set to correct values.
- explicit LowLevelPolicy(PolicyGlobal* policy_store);
-
- // Destroys all the policy rules.
- ~LowLevelPolicy();
-
- // Adds a rule to be generated when Done() is called.
- // service: The id of the service that this rule is associated with,
- // for example the 'Open Thread' service or the "Create File" service.
- // returns false on error.
- bool AddRule(int service, PolicyRule* rule);
-
- // Generates all the rules added with AddRule() into the memory area
- // passed on the constructor. Returns false on error.
- bool Done();
-
- private:
- struct RuleNode {
- const PolicyRule* rule;
- int service;
- };
- std::list<RuleNode> rules_;
- PolicyGlobal* policy_store_;
- DISALLOW_IMPLICIT_CONSTRUCTORS(LowLevelPolicy);
-};
-
-// There are 'if' rules and 'if not' comparisons
-enum RuleType {
- IF = 0,
- IF_NOT = 1,
-};
-
-// Possible comparisons for numbers
-enum RuleOp {
- EQUAL,
- AND,
- RANGE // TODO(cpu): Implement this option.
-};
-
-// Provides the means to collect a set of comparisons into a single
-// rule and its associated action.
-class PolicyRule {
- friend class LowLevelPolicy;
-
- public:
- explicit PolicyRule(EvalResult action);
- PolicyRule(const PolicyRule& other);
- ~PolicyRule();
-
- // Adds a string comparison to the rule.
- // rule_type: possible values are IF and IF_NOT.
- // parameter: the expected index of the argument for this rule. For example
- // in a 'create file' service the file name argument can be at index 0.
- // string: is the desired matching pattern.
- // match_opts: if the pattern matching is case sensitive or not.
- bool AddStringMatch(RuleType rule_type,
- int16_t parameter,
- const wchar_t* string,
- StringMatchOptions match_opts);
-
- // Adds a number match comparison to the rule.
- // rule_type: possible values are IF and IF_NOT.
- // parameter: the expected index of the argument for this rule.
- // number: the value to compare the input to.
- // comparison_op: the comparison kind (equal, logical and, etc).
- bool AddNumberMatch(RuleType rule_type,
- int16_t parameter,
- uint32_t number,
- RuleOp comparison_op);
-
- // Returns the number of opcodes generated so far.
- size_t GetOpcodeCount() const {
- return buffer_->opcode_count;
- }
-
- // Called when there is no more comparisons to add. Internally it generates
- // the last opcode (the action opcode). Returns false if this operation fails.
- bool Done();
-
- private:
- void operator=(const PolicyRule&);
- // Called in a loop from AddStringMatch to generate the required string
- // match opcodes. rule_type, match_opts and parameter are the same as
- // in AddStringMatch.
- bool GenStringOpcode(RuleType rule_type,
- StringMatchOptions match_opts,
- uint16_t parameter,
- int state,
- bool last_call,
- int* skip_count,
- base::string16* fragment);
-
- // Loop over all generated opcodes and copy them to increasing memory
- // addresses from opcode_start and copy the extra data (strings usually) into
- // decreasing addresses from data_start. Extra data is only present in the
- // string evaluation opcodes.
- bool RebindCopy(PolicyOpcode* opcode_start, size_t opcode_size,
- char* data_start, size_t* data_size) const;
- PolicyBuffer* buffer_;
- OpcodeFactory* opcode_factory_;
- EvalResult action_;
- bool done_;
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_POLICY_LOW_LEVEL_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_low_level_unittest.cc b/security/sandbox/chromium/sandbox/win/src/policy_low_level_unittest.cc
deleted file mode 100644
index fd67469f7..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_low_level_unittest.cc
+++ /dev/null
@@ -1,621 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "sandbox/win/src/policy_engine_params.h"
-#include "sandbox/win/src/policy_engine_processor.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-#define POLPARAMS_BEGIN(x) sandbox::ParameterSet x[] = {
-#define POLPARAM(p) sandbox::ParamPickerMake(p),
-#define POLPARAMS_END }
-
-namespace sandbox {
-
-bool SetupNtdllImports();
-
-// Testing that we allow opcode generation on valid string patterns.
-TEST(PolicyEngineTest, StringPatternsOK) {
- SetupNtdllImports();
- PolicyRule pr(ASK_BROKER);
- EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\adobe\\ver??\\", CASE_SENSITIVE));
- EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"*.tmp", CASE_SENSITIVE));
- EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*.doc", CASE_SENSITIVE));
- EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\windows\\*", CASE_SENSITIVE));
- EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"d:\\adobe\\acrobat.exe",
- CASE_SENSITIVE));
-}
-
-// Testing that we signal invalid string patterns.
-TEST(PolicyEngineTest, StringPatternsBAD) {
- SetupNtdllImports();
- PolicyRule pr(ASK_BROKER);
- EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"one**two", CASE_SENSITIVE));
- EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"**three", CASE_SENSITIVE));
- EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"five?six*?seven", CASE_SENSITIVE));
- EXPECT_FALSE(pr.AddStringMatch(IF, 0, L"eight?*nine", CASE_SENSITIVE));
-}
-
-// Helper function to allocate space (on the heap) for policy.
-PolicyGlobal* MakePolicyMemory() {
- const size_t kTotalPolicySz = 4096*8;
- char* mem = new char[kTotalPolicySz];
- memset(mem, 0, kTotalPolicySz);
- PolicyGlobal* policy = reinterpret_cast<PolicyGlobal*>(mem);
- policy->data_size = kTotalPolicySz - sizeof(PolicyGlobal);
- return policy;
-}
-
-// The simplest test using LowLevelPolicy it should test a single opcode which
-// does a exact string comparison.
-TEST(PolicyEngineTest, SimpleStrMatch) {
- SetupNtdllImports();
- PolicyRule pr(ASK_BROKER);
- EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"z:\\Directory\\domo.txt",
- CASE_INSENSITIVE));
-
- PolicyGlobal* policy = MakePolicyMemory();
- const uint32_t kFakeService = 2;
-
- LowLevelPolicy policyGen(policy);
- EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
- EXPECT_TRUE(policyGen.Done());
-
- const wchar_t* filename = L"Z:\\Directory\\domo.txt";
-
- POLPARAMS_BEGIN(eval_params)
- POLPARAM(filename) // Argument 0
- POLPARAMS_END;
-
- PolicyResult result;
- PolicyProcessor pol_ev(policy->entry[kFakeService]);
-
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- filename = L"Z:\\Directory\\domo.txt.tmp";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- delete [] reinterpret_cast<char*>(policy);
-}
-
-TEST(PolicyEngineTest, SimpleIfNotStrMatch) {
- SetupNtdllImports();
- PolicyRule pr(ASK_BROKER);
- EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\",
- CASE_SENSITIVE));
-
- PolicyGlobal* policy = MakePolicyMemory();
- const uint32_t kFakeService = 2;
- LowLevelPolicy policyGen(policy);
-
- EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
- EXPECT_TRUE(policyGen.Done());
-
- const wchar_t* filename = NULL;
- POLPARAMS_BEGIN(eval_params)
- POLPARAM(filename) // Argument 0
- POLPARAMS_END;
-
- PolicyResult result;
- PolicyProcessor pol_ev(policy->entry[kFakeService]);
-
- filename = L"c:\\Microsoft\\";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\MicroNerd\\";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- filename = L"c:\\Microsoft\\domo.txt";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- delete [] reinterpret_cast<char*>(policy);
-}
-
-TEST(PolicyEngineTest, SimpleIfNotStrMatchWild1) {
- SetupNtdllImports();
- PolicyRule pr(ASK_BROKER);
- EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
- CASE_SENSITIVE));
-
- PolicyGlobal* policy = MakePolicyMemory();
- const uint32_t kFakeService = 3;
- LowLevelPolicy policyGen(policy);
-
- EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
- EXPECT_TRUE(policyGen.Done());
-
- const wchar_t* filename = NULL;
- POLPARAMS_BEGIN(eval_params)
- POLPARAM(filename) // Argument 0
- POLPARAMS_END;
-
- PolicyResult result;
- PolicyProcessor pol_ev(policy->entry[kFakeService]);
-
- filename = L"c:\\Microsoft\\domo.txt";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\MicroNerd\\domo.txt";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- delete [] reinterpret_cast<char*>(policy);
-}
-
-TEST(PolicyEngineTest, SimpleIfNotStrMatchWild2) {
- SetupNtdllImports();
- PolicyRule pr(ASK_BROKER);
- EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*.txt",
- CASE_SENSITIVE));
-
- PolicyGlobal* policy = MakePolicyMemory();
- const uint32_t kFakeService = 3;
- LowLevelPolicy policyGen(policy);
-
- EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
- EXPECT_TRUE(policyGen.Done());
-
- const wchar_t* filename = NULL;
- POLPARAMS_BEGIN(eval_params)
- POLPARAM(filename) // Argument 0
- POLPARAMS_END;
-
- PolicyResult result;
- PolicyProcessor pol_ev(policy->entry[kFakeService]);
-
- filename = L"c:\\Microsoft\\domo.txt";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\MicroNerd\\domo.txt";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- filename = L"c:\\Microsoft\\domo.bmp";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- delete [] reinterpret_cast<char*>(policy);
-}
-
-TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild1) {
- SetupNtdllImports();
- PolicyRule pr(ASK_BROKER);
- EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\Microsoft\\*",
- CASE_SENSITIVE));
- EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL));
-
- PolicyGlobal* policy = MakePolicyMemory();
- const uint32_t kFakeService = 3;
- LowLevelPolicy policyGen(policy);
-
- EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
- EXPECT_TRUE(policyGen.Done());
-
- const wchar_t* filename = NULL;
- uint32_t access = 0;
- POLPARAMS_BEGIN(eval_params)
- POLPARAM(filename) // Argument 0
- POLPARAM(access) // Argument 1
- POLPARAMS_END;
-
- PolicyResult result;
- PolicyProcessor pol_ev(policy->entry[kFakeService]);
-
- filename = L"c:\\Microsoft\\domo.txt";
- access = 24;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\Microsoft\\domo.txt";
- access = 42;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\MicroNerd\\domo.txt";
- access = 24;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- filename = L"c:\\Micronesia\\domo.txt";
- access = 42;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- delete [] reinterpret_cast<char*>(policy);
-}
-
-TEST(PolicyEngineTest, IfNotStrMatchTwoRulesWild2) {
- SetupNtdllImports();
- PolicyRule pr(ASK_BROKER);
- EXPECT_TRUE(pr.AddNumberMatch(IF, 1, 24, EQUAL));
- EXPECT_TRUE(pr.AddStringMatch(IF_NOT, 0, L"c:\\GoogleV?\\*.txt",
- CASE_SENSITIVE));
- EXPECT_TRUE(pr.AddNumberMatch(IF, 2, 66, EQUAL));
-
- PolicyGlobal* policy = MakePolicyMemory();
- const uint32_t kFakeService = 3;
- LowLevelPolicy policyGen(policy);
-
- EXPECT_TRUE(policyGen.AddRule(kFakeService, &pr));
- EXPECT_TRUE(policyGen.Done());
-
- const wchar_t* filename = NULL;
- uint32_t access = 0;
- uint32_t sharing = 66;
-
- POLPARAMS_BEGIN(eval_params)
- POLPARAM(filename) // Argument 0
- POLPARAM(access) // Argument 1
- POLPARAM(sharing) // Argument 2
- POLPARAMS_END;
-
- PolicyResult result;
- PolicyProcessor pol_ev(policy->entry[kFakeService]);
-
- filename = L"c:\\GoogleV2\\domo.txt";
- access = 24;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\GoogleV2\\domo.bmp";
- access = 24;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- filename = L"c:\\GoogleV23\\domo.txt";
- access = 24;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
-
- filename = L"c:\\GoogleV2\\domo.txt";
- access = 42;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\Google\\domo.txt";
- access = 24;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- filename = L"c:\\Micronesia\\domo.txt";
- access = 42;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\GoogleV2\\domo.bmp";
- access = 24;
- sharing = 0;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- delete [] reinterpret_cast<char*>(policy);
-}
-
-// Testing one single rule in one single service. The service is made to
-// resemble NtCreateFile.
-TEST(PolicyEngineTest, OneRuleTest) {
- SetupNtdllImports();
- PolicyRule pr(ASK_BROKER);
- EXPECT_TRUE(pr.AddStringMatch(IF, 0, L"c:\\*Microsoft*\\*.txt",
- CASE_SENSITIVE));
- EXPECT_TRUE(pr.AddNumberMatch(IF_NOT, 1, CREATE_ALWAYS, EQUAL));
- EXPECT_TRUE(pr.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
-
- PolicyGlobal* policy = MakePolicyMemory();
-
- const uint32_t kNtFakeCreateFile = 7;
-
- LowLevelPolicy policyGen(policy);
- EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr));
- EXPECT_TRUE(policyGen.Done());
-
- const wchar_t* filename = L"c:\\Documents and Settings\\Microsoft\\BLAH.txt";
- uint32_t creation_mode = OPEN_EXISTING;
- uint32_t flags = FILE_ATTRIBUTE_NORMAL;
- void* security_descriptor = NULL;
-
- POLPARAMS_BEGIN(eval_params)
- POLPARAM(filename) // Argument 0
- POLPARAM(creation_mode) // Argument 1
- POLPARAM(flags) // Argument 2
- POLPARAM(security_descriptor)
- POLPARAMS_END;
-
- PolicyResult result;
- PolicyProcessor pol_ev(policy->entry[kNtFakeCreateFile]);
-
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- creation_mode = CREATE_ALWAYS;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- creation_mode = OPEN_EXISTING;
- filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- filename = L"c:\\Other\\Path\\Microsoft\\Another file.txt.tmp";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- flags = FILE_ATTRIBUTE_DEVICE;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\Other\\Macrosoft\\Another file.txt";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\Microsoft\\1.txt";
- flags = FILE_ATTRIBUTE_NORMAL;
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev.GetAction());
-
- filename = L"c:\\Microsoft\\1.ttt";
- result = pol_ev.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- delete [] reinterpret_cast<char*>(policy);
-}
-
-// Testing 3 rules in 3 services. Two of the services resemble File services.
-TEST(PolicyEngineTest, ThreeRulesTest) {
- SetupNtdllImports();
- PolicyRule pr_pipe(FAKE_SUCCESS);
- EXPECT_TRUE(pr_pipe.AddStringMatch(IF, 0, L"\\\\/?/?\\Pipe\\Chrome.*",
- CASE_INSENSITIVE));
- EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 1, OPEN_EXISTING, EQUAL));
- EXPECT_TRUE(pr_pipe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
-
- size_t opc1 = pr_pipe.GetOpcodeCount();
- EXPECT_EQ(3u, opc1);
-
- PolicyRule pr_dump(ASK_BROKER);
- EXPECT_TRUE(pr_dump.AddStringMatch(IF, 0, L"\\\\/?/?\\*\\Crash Reports\\*",
- CASE_INSENSITIVE));
- EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 1, CREATE_ALWAYS, EQUAL));
- EXPECT_TRUE(pr_dump.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
-
- size_t opc2 = pr_dump.GetOpcodeCount();
- EXPECT_EQ(4u, opc2);
-
- PolicyRule pr_winexe(SIGNAL_ALARM);
- EXPECT_TRUE(pr_winexe.AddStringMatch(IF, 0, L"\\\\/?/?\\C:\\Windows\\*.exe",
- CASE_INSENSITIVE));
- EXPECT_TRUE(pr_winexe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
-
- size_t opc3 = pr_winexe.GetOpcodeCount();
- EXPECT_EQ(3u, opc3);
-
- PolicyRule pr_adobe(GIVE_CACHED);
- EXPECT_TRUE(pr_adobe.AddStringMatch(IF, 0, L"c:\\adobe\\ver?.?\\",
- CASE_SENSITIVE));
- EXPECT_TRUE(pr_adobe.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_NORMAL, EQUAL));
-
- size_t opc4 = pr_adobe.GetOpcodeCount();
- EXPECT_EQ(4u, opc4);
-
- PolicyRule pr_none(GIVE_FIRST);
- EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_READONLY, AND));
- EXPECT_TRUE(pr_none.AddNumberMatch(IF, 2, FILE_ATTRIBUTE_SYSTEM, AND));
-
- size_t opc5 = pr_none.GetOpcodeCount();
- EXPECT_EQ(2u, opc5);
-
- PolicyGlobal* policy = MakePolicyMemory();
-
- const uint32_t kNtFakeNone = 4;
- const uint32_t kNtFakeCreateFile = 5;
- const uint32_t kNtFakeOpenFile = 6;
-
- LowLevelPolicy policyGen(policy);
- EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_pipe));
- EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_dump));
- EXPECT_TRUE(policyGen.AddRule(kNtFakeCreateFile, &pr_winexe));
-
- EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_adobe));
- EXPECT_TRUE(policyGen.AddRule(kNtFakeOpenFile, &pr_pipe));
-
- EXPECT_TRUE(policyGen.AddRule(kNtFakeNone, &pr_none));
-
- EXPECT_TRUE(policyGen.Done());
-
- // Inspect the policy structure manually.
- EXPECT_TRUE(NULL == policy->entry[0]);
- EXPECT_TRUE(NULL == policy->entry[1]);
- EXPECT_TRUE(NULL == policy->entry[2]);
- EXPECT_TRUE(NULL == policy->entry[3]);
- EXPECT_TRUE(NULL != policy->entry[4]); // kNtFakeNone.
- EXPECT_TRUE(NULL != policy->entry[5]); // kNtFakeCreateFile.
- EXPECT_TRUE(NULL != policy->entry[6]); // kNtFakeOpenFile.
- EXPECT_TRUE(NULL == policy->entry[7]);
-
- // The total per service opcode counts now must take in account one
- // extra opcode (action opcode) per rule.
- ++opc1;
- ++opc2;
- ++opc3;
- ++opc4;
- ++opc5;
-
- size_t tc1 = policy->entry[kNtFakeNone]->opcode_count;
- size_t tc2 = policy->entry[kNtFakeCreateFile]->opcode_count;
- size_t tc3 = policy->entry[kNtFakeOpenFile]->opcode_count;
-
- EXPECT_EQ(opc5, tc1);
- EXPECT_EQ((opc1 + opc2 + opc3), tc2);
- EXPECT_EQ((opc1 + opc4), tc3);
-
- // Check the type of the first and last opcode of each service.
-
- EXPECT_EQ(OP_NUMBER_AND_MATCH,
- policy->entry[kNtFakeNone]->opcodes[0].GetID());
- EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeNone]->opcodes[tc1-1].GetID());
- EXPECT_EQ(OP_WSTRING_MATCH,
- policy->entry[kNtFakeCreateFile]->opcodes[0].GetID());
- EXPECT_EQ(OP_ACTION,
- policy->entry[kNtFakeCreateFile]->opcodes[tc2-1].GetID());
- EXPECT_EQ(OP_WSTRING_MATCH,
- policy->entry[kNtFakeOpenFile]->opcodes[0].GetID());
- EXPECT_EQ(OP_ACTION, policy->entry[kNtFakeOpenFile]->opcodes[tc3-1].GetID());
-
- // Test the policy evaluation.
-
- const wchar_t* filename = L"";
- uint32_t creation_mode = OPEN_EXISTING;
- uint32_t flags = FILE_ATTRIBUTE_NORMAL;
- void* security_descriptor = NULL;
-
- POLPARAMS_BEGIN(params)
- POLPARAM(filename) // Argument 0
- POLPARAM(creation_mode) // Argument 1
- POLPARAM(flags) // Argument 2
- POLPARAM(security_descriptor)
- POLPARAMS_END;
-
- PolicyResult result;
- PolicyProcessor eval_CreateFile(policy->entry[kNtFakeCreateFile]);
- PolicyProcessor eval_OpenFile(policy->entry[kNtFakeOpenFile]);
- PolicyProcessor eval_None(policy->entry[kNtFakeNone]);
-
- result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_None.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"\\\\??\\c:\\Windows\\System32\\calc.exe";
- flags = FILE_ATTRIBUTE_SYSTEM;
- result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_None.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- flags += FILE_ATTRIBUTE_READONLY;
- result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_None.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(GIVE_FIRST, eval_None.GetAction());
- result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- flags = FILE_ATTRIBUTE_NORMAL;
- result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(SIGNAL_ALARM, eval_CreateFile.GetAction());
- result = eval_None.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"c:\\adobe\\ver3.2\\temp";
- result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_None.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(GIVE_CACHED, eval_OpenFile.GetAction());
-
- filename = L"c:\\adobe\\ver3.22\\temp";
- result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"\\\\??\\c:\\some path\\other path\\crash reports\\some path";
- creation_mode = CREATE_ALWAYS;
- result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, eval_CreateFile.GetAction());
- result = eval_None.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- filename = L"\\\\??\\Pipe\\Chrome.12345";
- creation_mode = OPEN_EXISTING;
- result = eval_CreateFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(FAKE_SUCCESS, eval_CreateFile.GetAction());
- result = eval_None.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
- result = eval_OpenFile.Evaluate(kShortEval, params, _countof(params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(FAKE_SUCCESS, eval_OpenFile.GetAction());
-
- delete [] reinterpret_cast<char*>(policy);
-}
-
-TEST(PolicyEngineTest, PolicyRuleCopyConstructorTwoStrings) {
- SetupNtdllImports();
- // Both pr_orig and pr_copy should allow hello.* but not *.txt files.
- PolicyRule pr_orig(ASK_BROKER);
- EXPECT_TRUE(pr_orig.AddStringMatch(IF, 0, L"hello.*", CASE_SENSITIVE));
-
- PolicyRule pr_copy(pr_orig);
- EXPECT_TRUE(pr_orig.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));
- EXPECT_TRUE(pr_copy.AddStringMatch(IF_NOT, 0, L"*.txt", CASE_SENSITIVE));
-
- PolicyGlobal* policy = MakePolicyMemory();
- LowLevelPolicy policyGen(policy);
- EXPECT_TRUE(policyGen.AddRule(1, &pr_orig));
- EXPECT_TRUE(policyGen.AddRule(2, &pr_copy));
- EXPECT_TRUE(policyGen.Done());
-
- const wchar_t* name = NULL;
- POLPARAMS_BEGIN(eval_params)
- POLPARAM(name)
- POLPARAMS_END;
-
- PolicyResult result;
- PolicyProcessor pol_ev_orig(policy->entry[1]);
- name = L"domo.txt";
- result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- name = L"hello.bmp";
- result = pol_ev_orig.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev_orig.GetAction());
-
- PolicyProcessor pol_ev_copy(policy->entry[2]);
- name = L"domo.txt";
- result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(NO_POLICY_MATCH, result);
-
- name = L"hello.bmp";
- result = pol_ev_copy.Evaluate(kShortEval, eval_params, _countof(eval_params));
- EXPECT_EQ(POLICY_MATCH, result);
- EXPECT_EQ(ASK_BROKER, pol_ev_copy.GetAction());
-}
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_opcodes_unittest.cc b/security/sandbox/chromium/sandbox/win/src/policy_opcodes_unittest.cc
deleted file mode 100644
index f8c210e87..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_opcodes_unittest.cc
+++ /dev/null
@@ -1,372 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_engine_params.h"
-#include "sandbox/win/src/sandbox_nt_types.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-
-#define INIT_GLOBAL_RTL(member) \
- g_nt.member = reinterpret_cast<member##Function>( \
- ::GetProcAddress(ntdll, #member)); \
- if (NULL == g_nt.member) \
- return false
-
-namespace sandbox {
-
-const size_t kOpcodeMemory = 1024;
-
-SANDBOX_INTERCEPT NtExports g_nt;
-
-bool SetupNtdllImports() {
- HMODULE ntdll = ::GetModuleHandle(kNtdllName);
-
- INIT_GLOBAL_RTL(RtlAllocateHeap);
- INIT_GLOBAL_RTL(RtlAnsiStringToUnicodeString);
- INIT_GLOBAL_RTL(RtlCompareUnicodeString);
- INIT_GLOBAL_RTL(RtlCreateHeap);
- INIT_GLOBAL_RTL(RtlDestroyHeap);
- INIT_GLOBAL_RTL(RtlFreeHeap);
- INIT_GLOBAL_RTL(_strnicmp);
- INIT_GLOBAL_RTL(strlen);
- INIT_GLOBAL_RTL(wcslen);
-
- return true;
-}
-
-TEST(PolicyEngineTest, ParameterSetTest) {
- void* pv1 = reinterpret_cast<void*>(0x477EAA5);
- const void* pv2 = reinterpret_cast<void*>(0x987654);
- ParameterSet pset1 = ParamPickerMake(pv1);
- ParameterSet pset2 = ParamPickerMake(pv2);
-
- // Test that we can store and retrieve a void pointer:
- const void* result1 =0;
- uint32_t result2 = 0;
- EXPECT_TRUE(pset1.Get(&result1));
- EXPECT_TRUE(pv1 == result1);
- EXPECT_FALSE(pset1.Get(&result2));
- EXPECT_TRUE(pset2.Get(&result1));
- EXPECT_TRUE(pv2 == result1);
- EXPECT_FALSE(pset2.Get(&result2));
-
- // Test that we can store and retrieve a uint32_t:
- uint32_t number = 12747;
- ParameterSet pset3 = ParamPickerMake(number);
- EXPECT_FALSE(pset3.Get(&result1));
- EXPECT_TRUE(pset3.Get(&result2));
- EXPECT_EQ(number, result2);
-
- // Test that we can store and retrieve a string:
- const wchar_t* txt = L"S231L";
- ParameterSet pset4 = ParamPickerMake(txt);
- const wchar_t* result3 = NULL;
- EXPECT_TRUE(pset4.Get(&result3));
- EXPECT_EQ(0, wcscmp(txt, result3));
-}
-
-TEST(PolicyEngineTest, OpcodeConstraints) {
- // Test that PolicyOpcode has no virtual functions
- // because these objects are copied over to other processes
- // so they cannot have vtables.
- EXPECT_FALSE(__is_polymorphic(PolicyOpcode));
- // Keep developers from adding smarts to the opcodes which should
- // be pretty much a bag of bytes with a OO interface.
- EXPECT_TRUE(__has_trivial_destructor(PolicyOpcode));
- EXPECT_TRUE(__has_trivial_constructor(PolicyOpcode));
- EXPECT_TRUE(__has_trivial_copy(PolicyOpcode));
-}
-
-TEST(PolicyEngineTest, TrueFalseOpcodes) {
- void* dummy = NULL;
- ParameterSet ppb1 = ParamPickerMake(dummy);
- char memory[kOpcodeMemory];
- OpcodeFactory opcode_maker(memory, sizeof(memory));
-
- // This opcode always evaluates to true.
- PolicyOpcode* op1 = opcode_maker.MakeOpAlwaysFalse(kPolNone);
- ASSERT_NE(nullptr, op1);
- EXPECT_EQ(EVAL_FALSE, op1->Evaluate(&ppb1, 1, NULL));
- EXPECT_FALSE(op1->IsAction());
-
- // This opcode always evaluates to false.
- PolicyOpcode* op2 = opcode_maker.MakeOpAlwaysTrue(kPolNone);
- ASSERT_NE(nullptr, op2);
- EXPECT_EQ(EVAL_TRUE, op2->Evaluate(&ppb1, 1, NULL));
-
- // Nulls not allowed on the params.
- EXPECT_EQ(EVAL_ERROR, op2->Evaluate(NULL, 0, NULL));
- EXPECT_EQ(EVAL_ERROR, op2->Evaluate(NULL, 1, NULL));
-
- // True and False opcodes do not 'require' a number of parameters
- EXPECT_EQ(EVAL_TRUE, op2->Evaluate(&ppb1, 0, NULL));
- EXPECT_EQ(EVAL_TRUE, op2->Evaluate(&ppb1, 1, NULL));
-
- // Test Inverting the logic. Note that inversion is done outside
- // any particular opcode evaluation so no need to repeat for all
- // opcodes.
- PolicyOpcode* op3 = opcode_maker.MakeOpAlwaysFalse(kPolNegateEval);
- ASSERT_NE(nullptr, op3);
- EXPECT_EQ(EVAL_TRUE, op3->Evaluate(&ppb1, 1, NULL));
- PolicyOpcode* op4 = opcode_maker.MakeOpAlwaysTrue(kPolNegateEval);
- ASSERT_NE(nullptr, op4);
- EXPECT_EQ(EVAL_FALSE, op4->Evaluate(&ppb1, 1, NULL));
-
- // Test that we clear the match context
- PolicyOpcode* op5 = opcode_maker.MakeOpAlwaysTrue(kPolClearContext);
- ASSERT_NE(nullptr, op5);
- MatchContext context;
- context.position = 1;
- context.options = kPolUseOREval;
- EXPECT_EQ(EVAL_TRUE, op5->Evaluate(&ppb1, 1, &context));
- EXPECT_EQ(0u, context.position);
- MatchContext context2;
- EXPECT_EQ(context2.options, context.options);
-}
-
-TEST(PolicyEngineTest, OpcodeMakerCase1) {
- // Testing that the opcode maker does not overrun the
- // supplied buffer. It should only be able to make 'count' opcodes.
- void* dummy = NULL;
- ParameterSet ppb1 = ParamPickerMake(dummy);
-
- char memory[kOpcodeMemory];
- OpcodeFactory opcode_maker(memory, sizeof(memory));
- size_t count = sizeof(memory) / sizeof(PolicyOpcode);
-
- for (size_t ix =0; ix != count; ++ix) {
- PolicyOpcode* op = opcode_maker.MakeOpAlwaysFalse(kPolNone);
- ASSERT_NE(nullptr, op);
- EXPECT_EQ(EVAL_FALSE, op->Evaluate(&ppb1, 1, NULL));
- }
- // There should be no room more another opcode:
- PolicyOpcode* op1 = opcode_maker.MakeOpAlwaysFalse(kPolNone);
- ASSERT_EQ(nullptr, op1);
-}
-
-TEST(PolicyEngineTest, OpcodeMakerCase2) {
- SetupNtdllImports();
- // Testing that the opcode maker does not overrun the
- // supplied buffer. It should only be able to make 'count' opcodes.
- // The difference with the previous test is that this opcodes allocate
- // the string 'txt2' inside the same buffer.
- const wchar_t* txt1 = L"1234";
- const wchar_t txt2[] = L"123";
-
- ParameterSet ppb1 = ParamPickerMake(txt1);
- MatchContext mc1;
-
- char memory[kOpcodeMemory];
- OpcodeFactory opcode_maker(memory, sizeof(memory));
- size_t count = sizeof(memory) / (sizeof(PolicyOpcode) + sizeof(txt2));
-
- // Test that it does not overrun the buffer.
- for (size_t ix =0; ix != count; ++ix) {
- PolicyOpcode* op = opcode_maker.MakeOpWStringMatch(0, txt2, 0,
- CASE_SENSITIVE,
- kPolClearContext);
- ASSERT_NE(nullptr, op);
- EXPECT_EQ(EVAL_TRUE, op->Evaluate(&ppb1, 1, &mc1));
- }
-
- // There should be no room more another opcode:
- PolicyOpcode* op1 = opcode_maker.MakeOpWStringMatch(0, txt2, 0,
- CASE_SENSITIVE,
- kPolNone);
- ASSERT_EQ(nullptr, op1);
-}
-
-TEST(PolicyEngineTest, IntegerOpcodes) {
- const wchar_t* txt = L"abcdef";
- uint32_t num1 = 42;
- uint32_t num2 = 113377;
-
- ParameterSet pp_wrong1 = ParamPickerMake(txt);
- ParameterSet pp_num1 = ParamPickerMake(num1);
- ParameterSet pp_num2 = ParamPickerMake(num2);
-
- char memory[kOpcodeMemory];
- OpcodeFactory opcode_maker(memory, sizeof(memory));
-
- // Test basic match for uint32s 42 == 42 and 42 != 113377.
- PolicyOpcode* op_m42 = opcode_maker.MakeOpNumberMatch(0, 42UL, kPolNone);
- ASSERT_NE(nullptr, op_m42);
- EXPECT_EQ(EVAL_TRUE, op_m42->Evaluate(&pp_num1, 1, NULL));
- EXPECT_EQ(EVAL_FALSE, op_m42->Evaluate(&pp_num2, 1, NULL));
- EXPECT_EQ(EVAL_ERROR, op_m42->Evaluate(&pp_wrong1, 1, NULL));
-
- // Test basic match for void pointers.
- const void* vp = NULL;
- ParameterSet pp_num3 = ParamPickerMake(vp);
- PolicyOpcode* op_vp_null = opcode_maker.MakeOpVoidPtrMatch(0, NULL,
- kPolNone);
- ASSERT_NE(nullptr, op_vp_null);
- EXPECT_EQ(EVAL_TRUE, op_vp_null->Evaluate(&pp_num3, 1, NULL));
- EXPECT_EQ(EVAL_FALSE, op_vp_null->Evaluate(&pp_num1, 1, NULL));
- EXPECT_EQ(EVAL_ERROR, op_vp_null->Evaluate(&pp_wrong1, 1, NULL));
-
- // Basic range test [41 43] (inclusive).
- PolicyOpcode* op_range1 =
- opcode_maker.MakeOpNumberMatchRange(0, 41, 43, kPolNone);
- ASSERT_NE(nullptr, op_range1);
- EXPECT_EQ(EVAL_TRUE, op_range1->Evaluate(&pp_num1, 1, NULL));
- EXPECT_EQ(EVAL_FALSE, op_range1->Evaluate(&pp_num2, 1, NULL));
- EXPECT_EQ(EVAL_ERROR, op_range1->Evaluate(&pp_wrong1, 1, NULL));
-}
-
-TEST(PolicyEngineTest, LogicalOpcodes) {
- char memory[kOpcodeMemory];
- OpcodeFactory opcode_maker(memory, sizeof(memory));
-
- uint32_t num1 = 0x10100702;
- ParameterSet pp_num1 = ParamPickerMake(num1);
-
- PolicyOpcode* op_and1 =
- opcode_maker.MakeOpNumberAndMatch(0, 0x00100000, kPolNone);
- ASSERT_NE(nullptr, op_and1);
- EXPECT_EQ(EVAL_TRUE, op_and1->Evaluate(&pp_num1, 1, NULL));
- PolicyOpcode* op_and2 =
- opcode_maker.MakeOpNumberAndMatch(0, 0x00000001, kPolNone);
- ASSERT_NE(nullptr, op_and2);
- EXPECT_EQ(EVAL_FALSE, op_and2->Evaluate(&pp_num1, 1, NULL));
-}
-
-TEST(PolicyEngineTest, WCharOpcodes1) {
- SetupNtdllImports();
-
- const wchar_t* txt1 = L"the quick fox jumps over the lazy dog";
- const wchar_t txt2[] = L"the quick";
- const wchar_t txt3[] = L" fox jumps";
- const wchar_t txt4[] = L"the lazy dog";
- const wchar_t txt5[] = L"jumps over";
- const wchar_t txt6[] = L"g";
-
- ParameterSet pp_tc1 = ParamPickerMake(txt1);
- char memory[kOpcodeMemory];
- OpcodeFactory opcode_maker(memory, sizeof(memory));
-
- PolicyOpcode* op1 = opcode_maker.MakeOpWStringMatch(0, txt2, 0,
- CASE_SENSITIVE,
- kPolNone);
- ASSERT_NE(nullptr, op1);
-
- // Simplest substring match from pos 0. It should be a successful match
- // and the match context should be updated.
- MatchContext mc1;
- EXPECT_EQ(EVAL_TRUE, op1->Evaluate(&pp_tc1, 1, &mc1));
- EXPECT_TRUE(_countof(txt2) == mc1.position + 1);
-
- // Matching again should fail and the context should be unmodified.
- EXPECT_EQ(EVAL_FALSE, op1->Evaluate(&pp_tc1, 1, &mc1));
- EXPECT_TRUE(_countof(txt2) == mc1.position + 1);
-
- // Using the same match context we should continue where we left
- // in the previous successful match,
- PolicyOpcode* op3 = opcode_maker.MakeOpWStringMatch(0, txt3, 0,
- CASE_SENSITIVE,
- kPolNone);
- ASSERT_NE(nullptr, op3);
- EXPECT_EQ(EVAL_TRUE, op3->Evaluate(&pp_tc1, 1, &mc1));
- EXPECT_TRUE(_countof(txt3) + _countof(txt2) == mc1.position + 2);
-
- // We now keep on matching but now we skip 6 characters which means
- // we skip the string ' over '. And we zero the match context. This is
- // the primitive that we use to build '??'.
- PolicyOpcode* op4 = opcode_maker.MakeOpWStringMatch(0, txt4, 6,
- CASE_SENSITIVE,
- kPolClearContext);
- ASSERT_NE(nullptr, op4);
- EXPECT_EQ(EVAL_TRUE, op4->Evaluate(&pp_tc1, 1, &mc1));
- EXPECT_EQ(0u, mc1.position);
-
- // Test that we can properly match the last part of the string
- PolicyOpcode* op4b = opcode_maker.MakeOpWStringMatch(0, txt4, kSeekToEnd,
- CASE_SENSITIVE,
- kPolClearContext);
- ASSERT_NE(nullptr, op4b);
- EXPECT_EQ(EVAL_TRUE, op4b->Evaluate(&pp_tc1, 1, &mc1));
- EXPECT_EQ(0u, mc1.position);
-
- // Test matching 'jumps over' over the entire string. This is the
- // primitive we build '*' from.
- PolicyOpcode* op5 = opcode_maker.MakeOpWStringMatch(0, txt5, kSeekForward,
- CASE_SENSITIVE, kPolNone);
- ASSERT_NE(nullptr, op5);
- EXPECT_EQ(EVAL_TRUE, op5->Evaluate(&pp_tc1, 1, &mc1));
- EXPECT_EQ(24u, mc1.position);
-
- // Test that we don't match because it is not at the end of the string
- PolicyOpcode* op5b = opcode_maker.MakeOpWStringMatch(0, txt5, kSeekToEnd,
- CASE_SENSITIVE,
- kPolNone);
- ASSERT_NE(nullptr, op5b);
- EXPECT_EQ(EVAL_FALSE, op5b->Evaluate(&pp_tc1, 1, &mc1));
- EXPECT_EQ(24u, mc1.position);
-
- // Test that we function if the string does not fit. In this case we
- // try to match 'the lazy dog' against 'he lazy dog'.
- PolicyOpcode* op6 = opcode_maker.MakeOpWStringMatch(0, txt4, 2,
- CASE_SENSITIVE, kPolNone);
- ASSERT_NE(nullptr, op6);
- EXPECT_EQ(EVAL_FALSE, op6->Evaluate(&pp_tc1, 1, &mc1));
-
- // Testing matching against 'g' which should be the last char.
- MatchContext mc2;
- PolicyOpcode* op7 = opcode_maker.MakeOpWStringMatch(0, txt6, kSeekForward,
- CASE_SENSITIVE, kPolNone);
- ASSERT_NE(nullptr, op7);
- EXPECT_EQ(EVAL_TRUE, op7->Evaluate(&pp_tc1, 1, &mc2));
- EXPECT_EQ(37u, mc2.position);
-
- // Trying to match again should fail since we are in the last char.
- // This also covers a couple of boundary conditions.
- EXPECT_EQ(EVAL_FALSE, op7->Evaluate(&pp_tc1, 1, &mc2));
- EXPECT_EQ(37u, mc2.position);
-}
-
-TEST(PolicyEngineTest, WCharOpcodes2) {
- SetupNtdllImports();
-
- const wchar_t* path1 = L"c:\\documents and settings\\Microsoft\\BLAH.txt";
- const wchar_t txt1[] = L"Settings\\microsoft";
- ParameterSet pp_tc1 = ParamPickerMake(path1);
-
- char memory[kOpcodeMemory];
- OpcodeFactory opcode_maker(memory, sizeof(memory));
- MatchContext mc1;
-
- // Testing case-insensitive does not buy us much since it this option
- // is just passed to the Microsoft API that we use normally, but just for
- // coverage, here it is:
- PolicyOpcode* op1s = opcode_maker.MakeOpWStringMatch(0, txt1, kSeekForward,
- CASE_SENSITIVE, kPolNone);
- ASSERT_NE(nullptr, op1s);
- PolicyOpcode* op1i = opcode_maker.MakeOpWStringMatch(0, txt1, kSeekForward,
- CASE_INSENSITIVE,
- kPolNone);
- ASSERT_NE(nullptr, op1i);
- EXPECT_EQ(EVAL_FALSE, op1s->Evaluate(&pp_tc1, 1, &mc1));
- EXPECT_EQ(EVAL_TRUE, op1i->Evaluate(&pp_tc1, 1, &mc1));
- EXPECT_EQ(35u, mc1.position);
-}
-
-TEST(PolicyEngineTest, ActionOpcodes) {
- char memory[kOpcodeMemory];
- OpcodeFactory opcode_maker(memory, sizeof(memory));
- MatchContext mc1;
- void* dummy = NULL;
- ParameterSet ppb1 = ParamPickerMake(dummy);
-
- PolicyOpcode* op1 = opcode_maker.MakeOpAction(ASK_BROKER, kPolNone);
- ASSERT_NE(nullptr, op1);
- EXPECT_TRUE(op1->IsAction());
- EXPECT_EQ(ASK_BROKER, op1->Evaluate(&ppb1, 1, &mc1));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_params.h b/security/sandbox/chromium/sandbox/win/src/policy_params.h
deleted file mode 100644
index e051d2b59..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_params.h
+++ /dev/null
@@ -1,67 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_POLICY_PARAMS_H__
-#define SANDBOX_SRC_POLICY_PARAMS_H__
-
-#include "sandbox/win/src/policy_engine_params.h"
-
-namespace sandbox {
-
-class ParameterSet;
-
-// Warning: The following macros store the address to the actual variables, in
-// other words, the values are not copied.
-#define POLPARAMS_BEGIN(type) class type { public: enum Args {
-#define POLPARAM(arg) arg,
-#define POLPARAMS_END(type) PolParamLast }; }; \
- typedef sandbox::ParameterSet type##Array [type::PolParamLast];
-
-// Policy parameters for file open / create.
-POLPARAMS_BEGIN(OpenFile)
- POLPARAM(NAME)
- POLPARAM(BROKER) // TRUE if called from the broker.
- POLPARAM(ACCESS)
- POLPARAM(DISPOSITION)
- POLPARAM(OPTIONS)
-POLPARAMS_END(OpenFile)
-
-// Policy parameter for name-based policies.
-POLPARAMS_BEGIN(FileName)
- POLPARAM(NAME)
- POLPARAM(BROKER) // TRUE if called from the broker.
-POLPARAMS_END(FileName)
-
-static_assert(OpenFile::NAME == static_cast<int>(FileName::NAME),
- "to simplify fs policies");
-static_assert(OpenFile::BROKER == static_cast<int>(FileName::BROKER),
- "to simplify fs policies");
-
-// Policy parameter for name-based policies.
-POLPARAMS_BEGIN(NameBased)
- POLPARAM(NAME)
-POLPARAMS_END(NameBased)
-
-// Policy parameters for open event.
-POLPARAMS_BEGIN(OpenEventParams)
- POLPARAM(NAME)
- POLPARAM(ACCESS)
-POLPARAMS_END(OpenEventParams)
-
-// Policy Parameters for reg open / create.
-POLPARAMS_BEGIN(OpenKey)
- POLPARAM(NAME)
- POLPARAM(ACCESS)
-POLPARAMS_END(OpenKey)
-
-// Policy parameter for name-based policies.
-POLPARAMS_BEGIN(HandleTarget)
- POLPARAM(NAME)
- POLPARAM(TARGET)
-POLPARAMS_END(HandleTarget)
-
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_POLICY_PARAMS_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_target.cc b/security/sandbox/chromium/sandbox/win/src/policy_target.cc
deleted file mode 100644
index 800302805..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_target.cc
+++ /dev/null
@@ -1,129 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/policy_target.h"
-
-#include <stddef.h>
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_engine_processor.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/target_services.h"
-
-namespace sandbox {
-
-// Handle for our private heap.
-extern void* g_heap;
-
-// This is the list of all imported symbols from ntdll.dll.
-SANDBOX_INTERCEPT NtExports g_nt;
-
-// Policy data.
-extern void* volatile g_shared_policy_memory;
-SANDBOX_INTERCEPT size_t g_shared_policy_size;
-
-bool QueryBroker(int ipc_id, CountedParameterSetBase* params) {
- DCHECK_NT(static_cast<size_t>(ipc_id) < kMaxServiceCount);
- DCHECK_NT(g_shared_policy_memory);
- DCHECK_NT(g_shared_policy_size > 0);
-
- if (static_cast<size_t>(ipc_id) >= kMaxServiceCount)
- return false;
-
- PolicyGlobal* global_policy =
- reinterpret_cast<PolicyGlobal*>(g_shared_policy_memory);
-
- if (!global_policy->entry[ipc_id])
- return false;
-
- PolicyBuffer* policy = reinterpret_cast<PolicyBuffer*>(
- reinterpret_cast<char*>(g_shared_policy_memory) +
- reinterpret_cast<size_t>(global_policy->entry[ipc_id]));
-
- if ((reinterpret_cast<size_t>(global_policy->entry[ipc_id]) >
- global_policy->data_size) ||
- (g_shared_policy_size < global_policy->data_size)) {
- NOTREACHED_NT();
- return false;
- }
-
- for (int i = 0; i < params->count; i++) {
- if (!params->parameters[i].IsValid()) {
- NOTREACHED_NT();
- return false;
- }
- }
-
- PolicyProcessor processor(policy);
- PolicyResult result = processor.Evaluate(kShortEval, params->parameters,
- params->count);
- DCHECK_NT(POLICY_ERROR != result);
-
- return POLICY_MATCH == result && ASK_BROKER == processor.GetAction();
-}
-
-// -----------------------------------------------------------------------
-
-// Hooks NtSetInformationThread to block RevertToSelf from being
-// called before the actual call to LowerToken.
-NTSTATUS WINAPI TargetNtSetInformationThread(
- NtSetInformationThreadFunction orig_SetInformationThread, HANDLE thread,
- NT_THREAD_INFORMATION_CLASS thread_info_class, PVOID thread_information,
- ULONG thread_information_bytes) {
- do {
- if (SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf())
- break;
- if (ThreadImpersonationToken != thread_info_class)
- break;
- if (!thread_information)
- break;
- HANDLE token;
- if (sizeof(token) > thread_information_bytes)
- break;
-
- NTSTATUS ret = CopyData(&token, thread_information, sizeof(token));
- if (!NT_SUCCESS(ret) || NULL != token)
- break;
-
- // This is a revert to self.
- return STATUS_SUCCESS;
- } while (false);
-
- return orig_SetInformationThread(thread, thread_info_class,
- thread_information,
- thread_information_bytes);
-}
-
-// Hooks NtOpenThreadToken to force the open_as_self parameter to be set to
-// FALSE if we are still running with the impersonation token. open_as_self set
-// to TRUE means that the token will be open using the process token instead of
-// the impersonation token. This is bad because the process token does not have
-// access to open the thread token.
-NTSTATUS WINAPI TargetNtOpenThreadToken(
- NtOpenThreadTokenFunction orig_OpenThreadToken, HANDLE thread,
- ACCESS_MASK desired_access, BOOLEAN open_as_self, PHANDLE token) {
- if (!SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf())
- open_as_self = FALSE;
-
- return orig_OpenThreadToken(thread, desired_access, open_as_self, token);
-}
-
-// See comment for TargetNtOpenThreadToken
-NTSTATUS WINAPI TargetNtOpenThreadTokenEx(
- NtOpenThreadTokenExFunction orig_OpenThreadTokenEx, HANDLE thread,
- ACCESS_MASK desired_access, BOOLEAN open_as_self, ULONG handle_attributes,
- PHANDLE token) {
- if (!SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf())
- open_as_self = FALSE;
-
- return orig_OpenThreadTokenEx(thread, desired_access, open_as_self,
- handle_attributes, token);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_target.h b/security/sandbox/chromium/sandbox/win/src/policy_target.h
deleted file mode 100644
index 8a2b43709..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_target.h
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_POLICY_TARGET_H__
-#define SANDBOX_SRC_POLICY_TARGET_H__
-
-namespace sandbox {
-
-struct CountedParameterSetBase;
-
-// Performs a policy lookup and returns true if the request should be passed to
-// the broker process.
-bool QueryBroker(int ipc_id, CountedParameterSetBase* params);
-
-extern "C" {
-
-// Interception of NtSetInformationThread on the child process.
-// It should never be called directly.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtSetInformationThread(
- NtSetInformationThreadFunction orig_SetInformationThread, HANDLE thread,
- NT_THREAD_INFORMATION_CLASS thread_info_class, PVOID thread_information,
- ULONG thread_information_bytes);
-
-// Interception of NtOpenThreadToken on the child process.
-// It should never be called directly
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadToken(
- NtOpenThreadTokenFunction orig_OpenThreadToken, HANDLE thread,
- ACCESS_MASK desired_access, BOOLEAN open_as_self, PHANDLE token);
-
-// Interception of NtOpenThreadTokenEx on the child process.
-// It should never be called directly
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThreadTokenEx(
- NtOpenThreadTokenExFunction orig_OpenThreadTokenEx, HANDLE thread,
- ACCESS_MASK desired_access, BOOLEAN open_as_self, ULONG handle_attributes,
- PHANDLE token);
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_POLICY_TARGET_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/policy_target_test.cc b/security/sandbox/chromium/sandbox/win/src/policy_target_test.cc
deleted file mode 100644
index d1a82e54d..000000000
--- a/security/sandbox/chromium/sandbox/win/src/policy_target_test.cc
+++ /dev/null
@@ -1,417 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/memory/shared_memory.h"
-#include "base/strings/string_number_conversions.h"
-#include "base/strings/string_piece.h"
-#include "base/win/scoped_process_information.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_utils.h"
-#include "sandbox/win/src/target_services.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-#if defined(OS_WIN)
-#include "base/win/win_util.h"
-#endif
-
-namespace sandbox {
-
-#define BINDNTDLL(name) \
- name ## Function name = reinterpret_cast<name ## Function>( \
- ::GetProcAddress(::GetModuleHandle(L"ntdll.dll"), #name))
-
-// Reverts to self and verify that SetInformationToken was faked. Returns
-// SBOX_TEST_SUCCEEDED if faked and SBOX_TEST_FAILED if not faked.
-SBOX_TESTS_COMMAND int PolicyTargetTest_token(int argc, wchar_t **argv) {
- HANDLE thread_token;
- // Get the thread token, using impersonation.
- if (!::OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE |
- TOKEN_DUPLICATE, FALSE, &thread_token))
- return ::GetLastError();
-
- ::RevertToSelf();
- ::CloseHandle(thread_token);
-
- int ret = SBOX_TEST_FAILED;
- if (::OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_DUPLICATE,
- FALSE, &thread_token)) {
- ret = SBOX_TEST_SUCCEEDED;
- ::CloseHandle(thread_token);
- }
- return ret;
-}
-
-// Stores the high privilege token on a static variable, change impersonation
-// again to that one and verify that we are not interfering anymore with
-// RevertToSelf.
-SBOX_TESTS_COMMAND int PolicyTargetTest_steal(int argc, wchar_t **argv) {
- static HANDLE thread_token;
- if (!SandboxFactory::GetTargetServices()->GetState()->RevertedToSelf()) {
- if (!::OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE |
- TOKEN_DUPLICATE, FALSE, &thread_token))
- return ::GetLastError();
- } else {
- if (!::SetThreadToken(NULL, thread_token))
- return ::GetLastError();
-
- // See if we fake the call again.
- int ret = PolicyTargetTest_token(argc, argv);
- ::CloseHandle(thread_token);
- return ret;
- }
- return 0;
-}
-
-// Opens the thread token with and without impersonation.
-SBOX_TESTS_COMMAND int PolicyTargetTest_token2(int argc, wchar_t **argv) {
- HANDLE thread_token;
- // Get the thread token, using impersonation.
- if (!::OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE |
- TOKEN_DUPLICATE, FALSE, &thread_token))
- return ::GetLastError();
- ::CloseHandle(thread_token);
-
- // Get the thread token, without impersonation.
- if (!OpenThreadToken(GetCurrentThread(), TOKEN_IMPERSONATE | TOKEN_DUPLICATE,
- TRUE, &thread_token))
- return ::GetLastError();
- ::CloseHandle(thread_token);
- return SBOX_TEST_SUCCEEDED;
-}
-
-// Opens the thread token with and without impersonation, using
-// NtOpenThreadTokenEX.
-SBOX_TESTS_COMMAND int PolicyTargetTest_token3(int argc, wchar_t **argv) {
- BINDNTDLL(NtOpenThreadTokenEx);
- if (!NtOpenThreadTokenEx)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- HANDLE thread_token;
- // Get the thread token, using impersonation.
- NTSTATUS status = NtOpenThreadTokenEx(GetCurrentThread(),
- TOKEN_IMPERSONATE | TOKEN_DUPLICATE,
- FALSE, 0, &thread_token);
- if (status == STATUS_NO_TOKEN)
- return ERROR_NO_TOKEN;
- if (!NT_SUCCESS(status))
- return SBOX_TEST_FAILED;
-
- ::CloseHandle(thread_token);
-
- // Get the thread token, without impersonation.
- status = NtOpenThreadTokenEx(GetCurrentThread(),
- TOKEN_IMPERSONATE | TOKEN_DUPLICATE, TRUE, 0,
- &thread_token);
- if (!NT_SUCCESS(status))
- return SBOX_TEST_FAILED;
-
- ::CloseHandle(thread_token);
- return SBOX_TEST_SUCCEEDED;
-}
-
-// Tests that we can open the current thread.
-SBOX_TESTS_COMMAND int PolicyTargetTest_thread(int argc, wchar_t **argv) {
- DWORD thread_id = ::GetCurrentThreadId();
- HANDLE thread = ::OpenThread(SYNCHRONIZE, FALSE, thread_id);
- if (!thread)
- return ::GetLastError();
- if (!::CloseHandle(thread))
- return ::GetLastError();
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-// New thread entry point: do nothing.
-DWORD WINAPI PolicyTargetTest_thread_main(void* param) {
- ::Sleep(INFINITE);
- return 0;
-}
-
-// Tests that we can create a new thread, and open it.
-SBOX_TESTS_COMMAND int PolicyTargetTest_thread2(int argc, wchar_t **argv) {
- // Use default values to create a new thread.
- DWORD thread_id;
- HANDLE thread = ::CreateThread(NULL, 0, &PolicyTargetTest_thread_main, 0, 0,
- &thread_id);
- if (!thread)
- return ::GetLastError();
- if (!::CloseHandle(thread))
- return ::GetLastError();
-
- thread = ::OpenThread(SYNCHRONIZE, FALSE, thread_id);
- if (!thread)
- return ::GetLastError();
-
- if (!::CloseHandle(thread))
- return ::GetLastError();
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-// Tests that we can call CreateProcess.
-SBOX_TESTS_COMMAND int PolicyTargetTest_process(int argc, wchar_t **argv) {
- // Use default values to create a new process.
- STARTUPINFO startup_info = {0};
- startup_info.cb = sizeof(startup_info);
- PROCESS_INFORMATION temp_process_info = {};
- // Note: CreateProcessW() can write to its lpCommandLine, don't pass a
- // raw string literal.
- base::string16 writable_cmdline_str(L"foo.exe");
- if (!::CreateProcessW(L"foo.exe", &writable_cmdline_str[0], NULL, NULL, FALSE,
- 0, NULL, NULL, &startup_info, &temp_process_info))
- return SBOX_TEST_SUCCEEDED;
- base::win::ScopedProcessInformation process_info(temp_process_info);
- return SBOX_TEST_FAILED;
-}
-
-TEST(PolicyTargetTest, SetInformationThread) {
- TestRunner runner;
- if (base::win::GetVersion() >= base::win::VERSION_XP) {
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"PolicyTargetTest_token"));
- }
-
- runner.SetTestState(AFTER_REVERT);
- EXPECT_EQ(ERROR_NO_TOKEN, runner.RunTest(L"PolicyTargetTest_token"));
-
- runner.SetTestState(EVERY_STATE);
- if (base::win::GetVersion() >= base::win::VERSION_XP)
- EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(L"PolicyTargetTest_steal"));
-}
-
-TEST(PolicyTargetTest, OpenThreadToken) {
- TestRunner runner;
- if (base::win::GetVersion() >= base::win::VERSION_XP) {
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"PolicyTargetTest_token2"));
- }
-
- runner.SetTestState(AFTER_REVERT);
- EXPECT_EQ(ERROR_NO_TOKEN, runner.RunTest(L"PolicyTargetTest_token2"));
-}
-
-TEST(PolicyTargetTest, OpenThreadTokenEx) {
- TestRunner runner;
- if (base::win::GetVersion() < base::win::VERSION_XP)
- return;
-
- runner.SetTestState(BEFORE_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"PolicyTargetTest_token3"));
-
- runner.SetTestState(AFTER_REVERT);
- EXPECT_EQ(ERROR_NO_TOKEN, runner.RunTest(L"PolicyTargetTest_token3"));
-}
-
-TEST(PolicyTargetTest, OpenThread) {
- TestRunner runner;
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"PolicyTargetTest_thread")) <<
- "Opens the current thread";
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"PolicyTargetTest_thread2")) <<
- "Creates a new thread and opens it";
-}
-
-TEST(PolicyTargetTest, OpenProcess) {
- TestRunner runner;
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"PolicyTargetTest_process")) <<
- "Opens a process";
-}
-
-// Launches the app in the sandbox and ask it to wait in an
-// infinite loop. Waits for 2 seconds and then check if the
-// desktop associated with the app thread is not the same as the
-// current desktop.
-TEST(PolicyTargetTest, DesktopPolicy) {
- BrokerServices* broker = GetBroker();
-
- // Precreate the desktop.
- TargetPolicy* temp_policy = broker->CreatePolicy();
- temp_policy->CreateAlternateDesktop(false);
- temp_policy->Release();
-
- ASSERT_TRUE(broker != NULL);
-
- // Get the path to the sandboxed app.
- wchar_t prog_name[MAX_PATH];
- GetModuleFileNameW(NULL, prog_name, MAX_PATH);
-
- base::string16 arguments(L"\"");
- arguments += prog_name;
- arguments += L"\" -child 0 wait"; // Don't care about the "state" argument.
-
- // Launch the app.
- ResultCode result = SBOX_ALL_OK;
- base::win::ScopedProcessInformation target;
-
- TargetPolicy* policy = broker->CreatePolicy();
- policy->SetAlternateDesktop(false);
- policy->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN);
- PROCESS_INFORMATION temp_process_info = {};
- result = broker->SpawnTarget(prog_name, arguments.c_str(), policy,
- &temp_process_info);
- base::string16 desktop_name = policy->GetAlternateDesktop();
- policy->Release();
-
- EXPECT_EQ(SBOX_ALL_OK, result);
- if (result == SBOX_ALL_OK)
- target.Set(temp_process_info);
-
- EXPECT_EQ(1u, ::ResumeThread(target.thread_handle()));
-
- EXPECT_EQ(static_cast<DWORD>(WAIT_TIMEOUT),
- ::WaitForSingleObject(target.process_handle(), 2000));
-
- EXPECT_NE(::GetThreadDesktop(target.thread_id()),
- ::GetThreadDesktop(::GetCurrentThreadId()));
-
- HDESK desk = ::OpenDesktop(desktop_name.c_str(), 0, FALSE, DESKTOP_ENUMERATE);
- EXPECT_TRUE(NULL != desk);
- EXPECT_TRUE(::CloseDesktop(desk));
- EXPECT_TRUE(::TerminateProcess(target.process_handle(), 0));
-
- ::WaitForSingleObject(target.process_handle(), INFINITE);
-
- // Close the desktop handle.
- temp_policy = broker->CreatePolicy();
- temp_policy->DestroyAlternateDesktop();
- temp_policy->Release();
-
- // Make sure the desktop does not exist anymore.
- desk = ::OpenDesktop(desktop_name.c_str(), 0, FALSE, DESKTOP_ENUMERATE);
- EXPECT_TRUE(NULL == desk);
-}
-
-// Launches the app in the sandbox and ask it to wait in an
-// infinite loop. Waits for 2 seconds and then check if the
-// winstation associated with the app thread is not the same as the
-// current desktop.
-TEST(PolicyTargetTest, WinstaPolicy) {
- BrokerServices* broker = GetBroker();
-
- // Precreate the desktop.
- TargetPolicy* temp_policy = broker->CreatePolicy();
- temp_policy->CreateAlternateDesktop(true);
- temp_policy->Release();
-
- ASSERT_TRUE(broker != NULL);
-
- // Get the path to the sandboxed app.
- wchar_t prog_name[MAX_PATH];
- GetModuleFileNameW(NULL, prog_name, MAX_PATH);
-
- base::string16 arguments(L"\"");
- arguments += prog_name;
- arguments += L"\" -child 0 wait"; // Don't care about the "state" argument.
-
- // Launch the app.
- ResultCode result = SBOX_ALL_OK;
- base::win::ScopedProcessInformation target;
-
- TargetPolicy* policy = broker->CreatePolicy();
- policy->SetAlternateDesktop(true);
- policy->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN);
- PROCESS_INFORMATION temp_process_info = {};
- result = broker->SpawnTarget(prog_name, arguments.c_str(), policy,
- &temp_process_info);
- base::string16 desktop_name = policy->GetAlternateDesktop();
- policy->Release();
-
- EXPECT_EQ(SBOX_ALL_OK, result);
- if (result == SBOX_ALL_OK)
- target.Set(temp_process_info);
-
- EXPECT_EQ(1u, ::ResumeThread(target.thread_handle()));
-
- EXPECT_EQ(static_cast<DWORD>(WAIT_TIMEOUT),
- ::WaitForSingleObject(target.process_handle(), 2000));
-
- EXPECT_NE(::GetThreadDesktop(target.thread_id()),
- ::GetThreadDesktop(::GetCurrentThreadId()));
-
- ASSERT_FALSE(desktop_name.empty());
-
- // Make sure there is a backslash, for the window station name.
- EXPECT_NE(desktop_name.find_first_of(L'\\'), base::string16::npos);
-
- // Isolate the desktop name.
- desktop_name = desktop_name.substr(desktop_name.find_first_of(L'\\') + 1);
-
- HDESK desk = ::OpenDesktop(desktop_name.c_str(), 0, FALSE, DESKTOP_ENUMERATE);
- // This should fail if the desktop is really on another window station.
- EXPECT_FALSE(NULL != desk);
- EXPECT_TRUE(::TerminateProcess(target.process_handle(), 0));
-
- ::WaitForSingleObject(target.process_handle(), INFINITE);
-
- // Close the desktop handle.
- temp_policy = broker->CreatePolicy();
- temp_policy->DestroyAlternateDesktop();
- temp_policy->Release();
-}
-
-// Launches the app in the sandbox and share a handle with it. The app should
-// be able to use the handle.
-TEST(PolicyTargetTest, ShareHandleTest) {
- // The way we share handles via STARTUPINFOEX does not work on XP.
- if (base::win::GetVersion() < base::win::VERSION_VISTA)
- return;
-
- BrokerServices* broker = GetBroker();
- ASSERT_TRUE(broker != NULL);
-
- base::StringPiece contents = "Hello World";
- std::string name = "TestSharedMemory";
- base::SharedMemoryCreateOptions options;
- options.size = contents.size();
- options.share_read_only = true;
- options.name_deprecated = &name;
- base::SharedMemory writable_shmem;
- ASSERT_TRUE(writable_shmem.Create(options));
- ASSERT_TRUE(writable_shmem.Map(options.size));
- memcpy(writable_shmem.memory(), contents.data(), contents.size());
-
- base::SharedMemory read_only_view;
- ASSERT_TRUE(read_only_view.Open(name, true));
-
- // Get the path to the sandboxed app.
- wchar_t prog_name[MAX_PATH];
- GetModuleFileNameW(NULL, prog_name, MAX_PATH);
-
- TargetPolicy* policy = broker->CreatePolicy();
- void* shared_handle =
- policy->AddHandleToShare(read_only_view.handle().GetHandle());
-
- base::string16 arguments(L"\"");
- arguments += prog_name;
- arguments += L"\" -child 0 shared_memory_handle ";
- arguments += base::UintToString16(base::win::HandleToUint32(shared_handle));
-
- // Launch the app.
- ResultCode result = SBOX_ALL_OK;
- base::win::ScopedProcessInformation target;
-
- policy->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN);
- PROCESS_INFORMATION temp_process_info = {};
- result = broker->SpawnTarget(prog_name, arguments.c_str(), policy,
- &temp_process_info);
- policy->Release();
-
- EXPECT_EQ(SBOX_ALL_OK, result);
- if (result == SBOX_ALL_OK)
- target.Set(temp_process_info);
-
- EXPECT_EQ(1u, ::ResumeThread(target.thread_handle()));
-
- EXPECT_EQ(static_cast<DWORD>(WAIT_TIMEOUT),
- ::WaitForSingleObject(target.process_handle(), 2000));
-
- EXPECT_TRUE(::TerminateProcess(target.process_handle(), 0));
-
- ::WaitForSingleObject(target.process_handle(), INFINITE);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
deleted file mode 100644
index 6ca8a8d7e..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.cc
+++ /dev/null
@@ -1,333 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/process_mitigations.h"
-
-#include <stddef.h>
-
-#include <algorithm>
-
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/restricted_token_utils.h"
-#include "sandbox/win/src/sandbox_rand.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-// Functions for enabling policies.
-typedef BOOL (WINAPI *SetProcessDEPPolicyFunction)(DWORD dwFlags);
-
-typedef BOOL (WINAPI *SetProcessMitigationPolicyFunction)(
- PROCESS_MITIGATION_POLICY mitigation_policy,
- PVOID buffer,
- SIZE_T length);
-
-typedef BOOL (WINAPI *SetDefaultDllDirectoriesFunction)(
- DWORD DirectoryFlags);
-
-} // namespace
-
-namespace sandbox {
-
-bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags) {
- if (!CanSetProcessMitigationsPostStartup(flags))
- return false;
-
- base::win::Version version = base::win::GetVersion();
- HMODULE module = ::GetModuleHandleA("kernel32.dll");
-
- if (version >= base::win::VERSION_VISTA &&
- (flags & MITIGATION_DLL_SEARCH_ORDER)) {
- SetDefaultDllDirectoriesFunction set_default_dll_directories =
- reinterpret_cast<SetDefaultDllDirectoriesFunction>(
- ::GetProcAddress(module, "SetDefaultDllDirectories"));
-
- // Check for SetDefaultDllDirectories since it requires KB2533623.
- if (set_default_dll_directories) {
- if (!set_default_dll_directories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) &&
- ERROR_ACCESS_DENIED != ::GetLastError()) {
- return false;
- }
- }
- }
-
- // Set the heap to terminate on corruption
- if (version >= base::win::VERSION_VISTA &&
- (flags & MITIGATION_HEAP_TERMINATE)) {
- if (!::HeapSetInformation(NULL, HeapEnableTerminationOnCorruption,
- NULL, 0) &&
- ERROR_ACCESS_DENIED != ::GetLastError()) {
- return false;
- }
- }
-
- if (version >= base::win::VERSION_WIN7 &&
- (flags & MITIGATION_HARDEN_TOKEN_IL_POLICY)) {
- DWORD error = HardenProcessIntegrityLevelPolicy();
- if ((error != ERROR_SUCCESS) && (error != ERROR_ACCESS_DENIED))
- return false;
- }
-
-#if !defined(_WIN64) // DEP is always enabled on 64-bit.
- if (flags & MITIGATION_DEP) {
- DWORD dep_flags = PROCESS_DEP_ENABLE;
- // DEP support is quirky on XP, so don't force a failure in that case.
- const bool return_on_fail = version >= base::win::VERSION_VISTA;
-
- if (flags & MITIGATION_DEP_NO_ATL_THUNK)
- dep_flags |= PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION;
-
- SetProcessDEPPolicyFunction set_process_dep_policy =
- reinterpret_cast<SetProcessDEPPolicyFunction>(
- ::GetProcAddress(module, "SetProcessDEPPolicy"));
- if (set_process_dep_policy) {
- if (!set_process_dep_policy(dep_flags) &&
- ERROR_ACCESS_DENIED != ::GetLastError() && return_on_fail) {
- return false;
- }
- } else {
- // We're on XP sp2, so use the less standard approach.
- // For reference: http://www.uninformed.org/?v=2&a=4
- static const int MEM_EXECUTE_OPTION_DISABLE = 2;
- static const int MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION = 4;
- static const int MEM_EXECUTE_OPTION_PERMANENT = 8;
-
- NtSetInformationProcessFunction set_information_process = NULL;
- ResolveNTFunctionPtr("NtSetInformationProcess",
- &set_information_process);
- if (!set_information_process)
- return false;
- ULONG dep = MEM_EXECUTE_OPTION_DISABLE | MEM_EXECUTE_OPTION_PERMANENT;
- if (!(dep_flags & PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION))
- dep |= MEM_EXECUTE_OPTION_ATL7_THUNK_EMULATION;
- if (!SUCCEEDED(set_information_process(GetCurrentProcess(),
- ProcessExecuteFlags,
- &dep, sizeof(dep))) &&
- ERROR_ACCESS_DENIED != ::GetLastError() && return_on_fail) {
- return false;
- }
- }
- }
-#endif
-
- // This is all we can do in Win7 and below.
- if (version < base::win::VERSION_WIN8)
- return true;
-
- SetProcessMitigationPolicyFunction set_process_mitigation_policy =
- reinterpret_cast<SetProcessMitigationPolicyFunction>(
- ::GetProcAddress(module, "SetProcessMitigationPolicy"));
- if (!set_process_mitigation_policy)
- return false;
-
- // Enable ASLR policies.
- if (flags & MITIGATION_RELOCATE_IMAGE) {
- PROCESS_MITIGATION_ASLR_POLICY policy = {};
- policy.EnableForceRelocateImages = true;
- policy.DisallowStrippedImages = (flags &
- MITIGATION_RELOCATE_IMAGE_REQUIRED) ==
- MITIGATION_RELOCATE_IMAGE_REQUIRED;
-
- if (!set_process_mitigation_policy(ProcessASLRPolicy, &policy,
- sizeof(policy)) &&
- ERROR_ACCESS_DENIED != ::GetLastError()) {
- return false;
- }
- }
-
- // Enable strict handle policies.
- if (flags & MITIGATION_STRICT_HANDLE_CHECKS) {
- PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = {};
- policy.HandleExceptionsPermanentlyEnabled =
- policy.RaiseExceptionOnInvalidHandleReference = true;
-
- if (!set_process_mitigation_policy(ProcessStrictHandleCheckPolicy, &policy,
- sizeof(policy)) &&
- ERROR_ACCESS_DENIED != ::GetLastError()) {
- return false;
- }
- }
-
- // Enable system call policies.
- if (flags & MITIGATION_WIN32K_DISABLE) {
- PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {};
- policy.DisallowWin32kSystemCalls = true;
-
- if (!set_process_mitigation_policy(ProcessSystemCallDisablePolicy, &policy,
- sizeof(policy)) &&
- ERROR_ACCESS_DENIED != ::GetLastError()) {
- return false;
- }
- }
-
- // Enable system call policies.
- if (flags & MITIGATION_EXTENSION_DLL_DISABLE) {
- PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
- policy.DisableExtensionPoints = true;
-
- if (!set_process_mitigation_policy(ProcessExtensionPointDisablePolicy,
- &policy, sizeof(policy)) &&
- ERROR_ACCESS_DENIED != ::GetLastError()) {
- return false;
- }
- }
-
- return true;
-}
-
-void ConvertProcessMitigationsToPolicy(MitigationFlags flags,
- DWORD64* policy_flags, size_t* size) {
- base::win::Version version = base::win::GetVersion();
-
- *policy_flags = 0;
-#if defined(_WIN64)
- *size = sizeof(*policy_flags);
-#elif defined(_M_IX86)
- // A 64-bit flags attribute is illegal on 32-bit Win 7 and below.
- if (version < base::win::VERSION_WIN8)
- *size = sizeof(DWORD);
- else
- *size = sizeof(*policy_flags);
-#else
-#error This platform is not supported.
-#endif
-
- // Nothing for Win XP or Vista.
- if (version <= base::win::VERSION_VISTA)
- return;
-
- // DEP and SEHOP are not valid for 64-bit Windows
-#if !defined(_WIN64)
- if (flags & MITIGATION_DEP) {
- *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE;
- if (!(flags & MITIGATION_DEP_NO_ATL_THUNK))
- *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE;
- }
-
- if (flags & MITIGATION_SEHOP)
- *policy_flags |= PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE;
-#endif
-
- // Win 7
- if (version < base::win::VERSION_WIN8)
- return;
-
- if (flags & MITIGATION_RELOCATE_IMAGE) {
- *policy_flags |=
- PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON;
- if (flags & MITIGATION_RELOCATE_IMAGE_REQUIRED) {
- *policy_flags |=
- PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS;
- }
- }
-
- if (flags & MITIGATION_HEAP_TERMINATE) {
- *policy_flags |=
- PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON;
- }
-
- if (flags & MITIGATION_BOTTOM_UP_ASLR) {
- *policy_flags |=
- PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON;
- }
-
- if (flags & MITIGATION_HIGH_ENTROPY_ASLR) {
- *policy_flags |=
- PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON;
- }
-
- if (flags & MITIGATION_STRICT_HANDLE_CHECKS) {
- *policy_flags |=
- PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON;
- }
-
- if (flags & MITIGATION_WIN32K_DISABLE) {
- *policy_flags |=
- PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON;
- }
-
- if (flags & MITIGATION_EXTENSION_DLL_DISABLE) {
- *policy_flags |=
- PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON;
- }
-}
-
-MitigationFlags FilterPostStartupProcessMitigations(MitigationFlags flags) {
- base::win::Version version = base::win::GetVersion();
-
- // Windows XP SP2+.
- if (version < base::win::VERSION_VISTA) {
- return flags & (MITIGATION_DEP |
- MITIGATION_DEP_NO_ATL_THUNK);
- }
-
- // Windows Vista
- if (version < base::win::VERSION_WIN7) {
- return flags & (MITIGATION_BOTTOM_UP_ASLR |
- MITIGATION_DLL_SEARCH_ORDER |
- MITIGATION_HEAP_TERMINATE);
- }
-
- // Windows 7.
- if (version < base::win::VERSION_WIN8) {
- return flags & (MITIGATION_BOTTOM_UP_ASLR |
- MITIGATION_DLL_SEARCH_ORDER |
- MITIGATION_HEAP_TERMINATE);
- }
-
- // Windows 8 and above.
- return flags & (MITIGATION_BOTTOM_UP_ASLR |
- MITIGATION_DLL_SEARCH_ORDER);
-}
-
-bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process,
- MitigationFlags flags) {
-// This is a hack to fake a weak bottom-up ASLR on 32-bit Windows.
-#if !defined(_WIN64)
- if (flags & MITIGATION_BOTTOM_UP_ASLR) {
- unsigned int limit;
- GetRandom(&limit);
- char* ptr = 0;
- const size_t kMask64k = 0xFFFF;
- // Random range (512k-16.5mb) in 64k steps.
- const char* end = ptr + ((((limit % 16384) + 512) * 1024) & ~kMask64k);
- while (ptr < end) {
- MEMORY_BASIC_INFORMATION memory_info;
- if (!::VirtualQueryEx(process, ptr, &memory_info, sizeof(memory_info)))
- break;
- size_t size = std::min((memory_info.RegionSize + kMask64k) & ~kMask64k,
- static_cast<SIZE_T>(end - ptr));
- if (ptr && memory_info.State == MEM_FREE)
- ::VirtualAllocEx(process, ptr, size, MEM_RESERVE, PAGE_NOACCESS);
- ptr += size;
- }
- }
-#endif
-
- return true;
-}
-
-bool CanSetProcessMitigationsPostStartup(MitigationFlags flags) {
- // All of these mitigations can be enabled after startup.
- return !(flags & ~(MITIGATION_HEAP_TERMINATE |
- MITIGATION_DEP |
- MITIGATION_DEP_NO_ATL_THUNK |
- MITIGATION_RELOCATE_IMAGE |
- MITIGATION_RELOCATE_IMAGE_REQUIRED |
- MITIGATION_BOTTOM_UP_ASLR |
- MITIGATION_STRICT_HANDLE_CHECKS |
- MITIGATION_EXTENSION_DLL_DISABLE |
- MITIGATION_DLL_SEARCH_ORDER |
- MITIGATION_HARDEN_TOKEN_IL_POLICY));
-}
-
-bool CanSetProcessMitigationsPreStartup(MitigationFlags flags) {
- // These mitigations cannot be enabled prior to startup.
- return !(flags & (MITIGATION_STRICT_HANDLE_CHECKS |
- MITIGATION_DLL_SEARCH_ORDER));
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations.h b/security/sandbox/chromium/sandbox/win/src/process_mitigations.h
deleted file mode 100644
index 8bee0245a..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_WIN_PROCESS_MITIGATIONS_H_
-#define SANDBOX_SRC_WIN_PROCESS_MITIGATIONS_H_
-
-#include <windows.h>
-#include <stddef.h>
-
-#include "sandbox/win/src/security_level.h"
-
-namespace sandbox {
-
-// Sets the mitigation policy for the current process, ignoring any settings
-// that are invalid for the current version of Windows.
-bool ApplyProcessMitigationsToCurrentProcess(MitigationFlags flags);
-
-// Returns the flags that must be enforced after startup for the current OS
-// version.
-MitigationFlags FilterPostStartupProcessMitigations(MitigationFlags flags);
-
-// Converts sandbox flags to the PROC_THREAD_ATTRIBUTE_SECURITY_CAPABILITIES
-// policy flags used by UpdateProcThreadAttribute(). The size field varies
-// between a 32-bit and a 64-bit type based on the exact build and version of
-// Windows, so the returned size must be passed to UpdateProcThreadAttribute().
-void ConvertProcessMitigationsToPolicy(MitigationFlags flags,
- DWORD64* policy_flags, size_t* size);
-
-// Adds mitigations that need to be performed on the suspended target process
-// before execution begins.
-bool ApplyProcessMitigationsToSuspendedProcess(HANDLE process,
- MitigationFlags flags);
-
-// Returns true if all the supplied flags can be set after a process starts.
-bool CanSetProcessMitigationsPostStartup(MitigationFlags flags);
-
-// Returns true if all the supplied flags can be set before a process starts.
-bool CanSetProcessMitigationsPreStartup(MitigationFlags flags);
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_WIN_PROCESS_MITIGATIONS_H_
-
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations_test.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations_test.cc
deleted file mode 100644
index 080d8eca3..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations_test.cc
+++ /dev/null
@@ -1,252 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/strings/stringprintf.h"
-#include "base/win/scoped_handle.h"
-
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/process_mitigations.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/target_services.h"
-#include "sandbox/win/src/win_utils.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace {
-
-typedef BOOL (WINAPI *GetProcessDEPPolicyFunction)(
- HANDLE process,
- LPDWORD flags,
- PBOOL permanent);
-
-typedef BOOL (WINAPI *GetProcessMitigationPolicyFunction)(
- HANDLE process,
- PROCESS_MITIGATION_POLICY mitigation_policy,
- PVOID buffer,
- SIZE_T length);
-
-GetProcessMitigationPolicyFunction get_process_mitigation_policy;
-
-#if !defined(_WIN64)
-bool CheckWin8DepPolicy() {
- PROCESS_MITIGATION_DEP_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessDEPPolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.Enable && policy.Permanent;
-}
-#endif // !defined(_WIN64)
-
-#if defined(NDEBUG)
-bool CheckWin8AslrPolicy() {
- PROCESS_MITIGATION_ASLR_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(), ProcessASLRPolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.EnableForceRelocateImages && policy.DisallowStrippedImages;
-}
-#endif // defined(NDEBUG)
-
-bool CheckWin8StrictHandlePolicy() {
- PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(),
- ProcessStrictHandleCheckPolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.RaiseExceptionOnInvalidHandleReference &&
- policy.HandleExceptionsPermanentlyEnabled;
-}
-
-bool CheckWin8Win32CallPolicy() {
- PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(),
- ProcessSystemCallDisablePolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.DisallowWin32kSystemCalls;
-}
-
-bool CheckWin8DllExtensionPolicy() {
- PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY policy = {};
- if (!get_process_mitigation_policy(::GetCurrentProcess(),
- ProcessExtensionPointDisablePolicy,
- &policy, sizeof(policy))) {
- return false;
- }
- return policy.DisableExtensionPoints;
-}
-
-} // namespace
-
-namespace sandbox {
-
-SBOX_TESTS_COMMAND int CheckWin8(int argc, wchar_t **argv) {
- get_process_mitigation_policy =
- reinterpret_cast<GetProcessMitigationPolicyFunction>(
- ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
- "GetProcessMitigationPolicy"));
- if (!get_process_mitigation_policy)
- return SBOX_TEST_NOT_FOUND;
-
-#if !defined(_WIN64) // DEP is always enabled on 64-bit.
- if (!CheckWin8DepPolicy())
- return SBOX_TEST_FIRST_ERROR;
-#endif
-
-#if defined(NDEBUG) // ASLR cannot be forced in debug builds.
- if (!CheckWin8AslrPolicy())
- return SBOX_TEST_SECOND_ERROR;
-#endif
-
- if (!CheckWin8StrictHandlePolicy())
- return SBOX_TEST_THIRD_ERROR;
-
- if (!CheckWin8DllExtensionPolicy())
- return SBOX_TEST_FIFTH_ERROR;
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-TEST(ProcessMitigationsTest, CheckWin8) {
- if (base::win::GetVersion() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- sandbox::MitigationFlags mitigations = MITIGATION_DEP |
- MITIGATION_DEP_NO_ATL_THUNK |
- MITIGATION_EXTENSION_DLL_DISABLE;
-#if defined(NDEBUG) // ASLR cannot be forced in debug builds.
- mitigations |= MITIGATION_RELOCATE_IMAGE |
- MITIGATION_RELOCATE_IMAGE_REQUIRED;
-#endif
-
- EXPECT_EQ(policy->SetProcessMitigations(mitigations), SBOX_ALL_OK);
-
- mitigations |= MITIGATION_STRICT_HANDLE_CHECKS;
-
- EXPECT_EQ(policy->SetDelayedProcessMitigations(mitigations), SBOX_ALL_OK);
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8"));
-}
-
-
-SBOX_TESTS_COMMAND int CheckDep(int argc, wchar_t **argv) {
- GetProcessDEPPolicyFunction get_process_dep_policy =
- reinterpret_cast<GetProcessDEPPolicyFunction>(
- ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
- "GetProcessDEPPolicy"));
- if (get_process_dep_policy) {
- BOOL is_permanent = FALSE;
- DWORD dep_flags = 0;
-
- if (!get_process_dep_policy(::GetCurrentProcess(), &dep_flags,
- &is_permanent)) {
- return SBOX_TEST_FIRST_ERROR;
- }
-
- if (!(dep_flags & PROCESS_DEP_ENABLE) || !is_permanent)
- return SBOX_TEST_SECOND_ERROR;
-
- } else {
- NtQueryInformationProcessFunction query_information_process = NULL;
- ResolveNTFunctionPtr("NtQueryInformationProcess",
- &query_information_process);
- if (!query_information_process)
- return SBOX_TEST_NOT_FOUND;
-
- ULONG size = 0;
- ULONG dep_flags = 0;
- if (!SUCCEEDED(query_information_process(::GetCurrentProcess(),
- ProcessExecuteFlags, &dep_flags,
- sizeof(dep_flags), &size))) {
- return SBOX_TEST_THIRD_ERROR;
- }
-
- static const int MEM_EXECUTE_OPTION_DISABLE = 2;
- static const int MEM_EXECUTE_OPTION_PERMANENT = 8;
- dep_flags &= 0xff;
-
- if (dep_flags != (MEM_EXECUTE_OPTION_DISABLE |
- MEM_EXECUTE_OPTION_PERMANENT)) {
- return SBOX_TEST_FOURTH_ERROR;
- }
- }
-
- return SBOX_TEST_SUCCEEDED;
-}
-
-#if !defined(_WIN64) // DEP is always enabled on 64-bit.
-TEST(ProcessMitigationsTest, CheckDep) {
- if (base::win::GetVersion() > base::win::VERSION_WIN7)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- EXPECT_EQ(policy->SetProcessMitigations(
- MITIGATION_DEP |
- MITIGATION_DEP_NO_ATL_THUNK |
- MITIGATION_SEHOP),
- SBOX_ALL_OK);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckDep"));
-}
-#endif
-
-SBOX_TESTS_COMMAND int CheckWin8Lockdown(int argc, wchar_t **argv) {
- get_process_mitigation_policy =
- reinterpret_cast<GetProcessMitigationPolicyFunction>(
- ::GetProcAddress(::GetModuleHandleW(L"kernel32.dll"),
- "GetProcessMitigationPolicy"));
- if (!get_process_mitigation_policy)
- return SBOX_TEST_NOT_FOUND;
-
- if (!CheckWin8Win32CallPolicy())
- return SBOX_TEST_FIRST_ERROR;
- return SBOX_TEST_SUCCEEDED;
-}
-
-// This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation on
-// the target process causes the launch to fail in process initialization.
-// The test process itself links against user32/gdi32.
-TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownFailure) {
- if (base::win::GetVersion() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),
- SBOX_ALL_OK);
- EXPECT_NE(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));
-}
-
-// This test validates that setting the MITIGATION_WIN32K_DISABLE mitigation
-// along with the policy to fake user32 and gdi32 initialization successfully
-// launches the target process.
-// The test process itself links against user32/gdi32.
-TEST(ProcessMitigationsTest, CheckWin8Win32KLockDownSuccess) {
- if (base::win::GetVersion() < base::win::VERSION_WIN8)
- return;
-
- TestRunner runner;
- sandbox::TargetPolicy* policy = runner.GetPolicy();
-
- EXPECT_EQ(policy->SetProcessMitigations(MITIGATION_WIN32K_DISABLE),
- SBOX_ALL_OK);
- EXPECT_EQ(policy->AddRule(sandbox::TargetPolicy::SUBSYS_WIN32K_LOCKDOWN,
- sandbox::TargetPolicy::FAKE_USER_GDI_INIT, NULL),
- sandbox::SBOX_ALL_OK);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"CheckWin8Lockdown"));
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.cc
deleted file mode 100644
index e426084f8..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.cc
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/process_mitigations_win32k_dispatcher.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/process_mitigations_win32k_interception.h"
-
-namespace sandbox {
-
-ProcessMitigationsWin32KDispatcher::ProcessMitigationsWin32KDispatcher(
- PolicyBase* policy_base)
- : policy_base_(policy_base) {
-}
-
-bool ProcessMitigationsWin32KDispatcher::SetupService(
- InterceptionManager* manager, int service) {
- if (!(policy_base_->GetProcessMitigations() &
- sandbox::MITIGATION_WIN32K_DISABLE)) {
- return false;
- }
-
- switch (service) {
- case IPC_GDI_GDIDLLINITIALIZE_TAG: {
- if (!INTERCEPT_EAT(manager, L"gdi32.dll", GdiDllInitialize,
- GDIINITIALIZE_ID, 12)) {
- return false;
- }
- return true;
- }
-
- case IPC_GDI_GETSTOCKOBJECT_TAG: {
- if (!INTERCEPT_EAT(manager, L"gdi32.dll", GetStockObject,
- GETSTOCKOBJECT_ID, 8)) {
- return false;
- }
- return true;
- }
-
- case IPC_USER_REGISTERCLASSW_TAG: {
- if (!INTERCEPT_EAT(manager, L"user32.dll", RegisterClassW,
- REGISTERCLASSW_ID, 8)) {
- return false;
- }
- return true;
- }
-
- default:
- break;
- }
- return false;
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h
deleted file mode 100644
index 55a84a76e..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.h
+++ /dev/null
@@ -1,31 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_DISPATCHER_H_
-#define SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_DISPATCHER_H_
-
-#include "base/macros.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-namespace sandbox {
-
-// This class sets up intercepts for the Win32K lockdown policy which is set
-// on Windows 8 and beyond.
-class ProcessMitigationsWin32KDispatcher : public Dispatcher {
- public:
- explicit ProcessMitigationsWin32KDispatcher(PolicyBase* policy_base);
- ~ProcessMitigationsWin32KDispatcher() override {}
-
- // Dispatcher interface.
- bool SetupService(InterceptionManager* manager, int service) override;
-
- private:
- PolicyBase* policy_base_;
-
- DISALLOW_COPY_AND_ASSIGN(ProcessMitigationsWin32KDispatcher);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_DISPATCHER_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.cc
deleted file mode 100644
index ee24fbf43..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.cc
+++ /dev/null
@@ -1,29 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/process_mitigations_win32k_interception.h"
-
-namespace sandbox {
-
-BOOL WINAPI TargetGdiDllInitialize(
- GdiDllInitializeFunction orig_gdi_dll_initialize,
- HANDLE dll,
- DWORD reason) {
- return TRUE;
-}
-
-HGDIOBJ WINAPI TargetGetStockObject(
- GetStockObjectFunction orig_get_stock_object,
- int object) {
- return reinterpret_cast<HGDIOBJ>(NULL);
-}
-
-ATOM WINAPI TargetRegisterClassW(
- RegisterClassWFunction orig_register_class_function,
- const WNDCLASS* wnd_class) {
- return TRUE;
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.h b/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.h
deleted file mode 100644
index 0b295eacd..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_interception.h
+++ /dev/null
@@ -1,45 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_INTERCEPTION_H_
-#define SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_INTERCEPTION_H_
-
-#include <windows.h>
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace sandbox {
-
-extern "C" {
-
-typedef BOOL (WINAPI* GdiDllInitializeFunction) (
- HANDLE dll,
- DWORD reason,
- LPVOID reserved);
-
-typedef HGDIOBJ (WINAPI *GetStockObjectFunction) (int object);
-
-typedef ATOM (WINAPI *RegisterClassWFunction) (const WNDCLASS* wnd_class);
-
-// Interceptor for the GdiDllInitialize function.
-SANDBOX_INTERCEPT BOOL WINAPI TargetGdiDllInitialize(
- GdiDllInitializeFunction orig_gdi_dll_initialize,
- HANDLE dll,
- DWORD reason);
-
-// Interceptor for the GetStockObject function.
-SANDBOX_INTERCEPT HGDIOBJ WINAPI TargetGetStockObject(
- GetStockObjectFunction orig_get_stock_object,
- int object);
-
-// Interceptor for the RegisterClassW function.
-SANDBOX_INTERCEPT ATOM WINAPI TargetRegisterClassW(
- RegisterClassWFunction orig_register_class_function,
- const WNDCLASS* wnd_class);
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_INTERCEPTION_H_
-
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.cc b/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.cc
deleted file mode 100644
index af18c5413..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.cc
+++ /dev/null
@@ -1,24 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/process_mitigations_win32k_policy.h"
-
-namespace sandbox {
-
-bool ProcessMitigationsWin32KLockdownPolicy::GenerateRules(
- const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy) {
- PolicyRule rule(FAKE_SUCCESS);
- if (!policy->AddRule(IPC_GDI_GDIDLLINITIALIZE_TAG, &rule))
- return false;
- if (!policy->AddRule(IPC_GDI_GETSTOCKOBJECT_TAG, &rule))
- return false;
- if (!policy->AddRule(IPC_USER_REGISTERCLASSW_TAG, &rule))
- return false;
- return true;
-}
-
-} // namespace sandbox
-
diff --git a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.h b/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.h
deleted file mode 100644
index 32af16864..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_mitigations_win32k_policy.h
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_POLICY_H_
-#define SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_POLICY_H_
-
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/sandbox_policy.h"
-
-namespace sandbox {
-
-enum EvalResult;
-
-// This class centralizes most of the knowledge related to the process
-// mitigations Win32K lockdown policy.
-class ProcessMitigationsWin32KLockdownPolicy {
- public:
- // Creates the required low-level policy rules to evaluate a high-level
- // policy rule for the Win32K process mitigation policy.
- // name is the object name, semantics is the desired semantics for the
- // open or create and policy is the policy generator to which the rules are
- // going to be added.
- static bool GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_PROCESS_MITIGATIONS_WIN32K_POLICY_H_
-
-
diff --git a/security/sandbox/chromium/sandbox/win/src/process_policy_test.cc b/security/sandbox/chromium/sandbox/win/src/process_policy_test.cc
deleted file mode 100644
index 44effa363..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_policy_test.cc
+++ /dev/null
@@ -1,385 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <memory>
-#include <string>
-
-#include "base/strings/string16.h"
-#include "base/strings/sys_string_conversions.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/scoped_process_information.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace {
-
-// While the shell API provides better calls than this home brew function
-// we use GetSystemWindowsDirectoryW which does not query the registry so
-// it is safe to use after revert.
-base::string16 MakeFullPathToSystem32(const wchar_t* name) {
- wchar_t windows_path[MAX_PATH] = {0};
- ::GetSystemWindowsDirectoryW(windows_path, MAX_PATH);
- base::string16 full_path(windows_path);
- if (full_path.empty()) {
- return full_path;
- }
- full_path += L"\\system32\\";
- full_path += name;
- return full_path;
-}
-
-// Creates a process with the |exe| and |command| parameter using the
-// unicode and ascii version of the api.
-sandbox::SboxTestResult CreateProcessHelper(const base::string16& exe,
- const base::string16& command) {
- base::win::ScopedProcessInformation pi;
- STARTUPINFOW si = {sizeof(si)};
-
- const wchar_t *exe_name = NULL;
- if (!exe.empty())
- exe_name = exe.c_str();
-
- base::string16 writable_command = command;
-
- // Create the process with the unicode version of the API.
- sandbox::SboxTestResult ret1 = sandbox::SBOX_TEST_FAILED;
- PROCESS_INFORMATION temp_process_info = {};
- if (::CreateProcessW(exe_name,
- command.empty() ? NULL : &writable_command[0],
- NULL,
- NULL,
- FALSE,
- 0,
- NULL,
- NULL,
- &si,
- &temp_process_info)) {
- pi.Set(temp_process_info);
- ret1 = sandbox::SBOX_TEST_SUCCEEDED;
- } else {
- DWORD last_error = GetLastError();
- if ((ERROR_NOT_ENOUGH_QUOTA == last_error) ||
- (ERROR_ACCESS_DENIED == last_error) ||
- (ERROR_FILE_NOT_FOUND == last_error)) {
- ret1 = sandbox::SBOX_TEST_DENIED;
- } else {
- ret1 = sandbox::SBOX_TEST_FAILED;
- }
- }
-
- pi.Close();
-
- // Do the same with the ansi version of the api
- STARTUPINFOA sia = {sizeof(sia)};
- sandbox::SboxTestResult ret2 = sandbox::SBOX_TEST_FAILED;
-
- std::string narrow_cmd_line =
- base::SysWideToMultiByte(command.c_str(), CP_UTF8);
- if (::CreateProcessA(
- exe_name ? base::SysWideToMultiByte(exe_name, CP_UTF8).c_str() : NULL,
- command.empty() ? NULL : &narrow_cmd_line[0],
- NULL, NULL, FALSE, 0, NULL, NULL, &sia, &temp_process_info)) {
- pi.Set(temp_process_info);
- ret2 = sandbox::SBOX_TEST_SUCCEEDED;
- } else {
- DWORD last_error = GetLastError();
- if ((ERROR_NOT_ENOUGH_QUOTA == last_error) ||
- (ERROR_ACCESS_DENIED == last_error) ||
- (ERROR_FILE_NOT_FOUND == last_error)) {
- ret2 = sandbox::SBOX_TEST_DENIED;
- } else {
- ret2 = sandbox::SBOX_TEST_FAILED;
- }
- }
-
- if (ret1 == ret2)
- return ret1;
-
- return sandbox::SBOX_TEST_FAILED;
-}
-
-} // namespace
-
-namespace sandbox {
-
-SBOX_TESTS_COMMAND int Process_RunApp1(int argc, wchar_t **argv) {
- if (argc != 1) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- if ((NULL == argv) || (NULL == argv[0])) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- base::string16 path = MakeFullPathToSystem32(argv[0]);
-
- // TEST 1: Try with the path in the app_name.
- return CreateProcessHelper(path, base::string16());
-}
-
-SBOX_TESTS_COMMAND int Process_RunApp2(int argc, wchar_t **argv) {
- if (argc != 1) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- if ((NULL == argv) || (NULL == argv[0])) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- base::string16 path = MakeFullPathToSystem32(argv[0]);
-
- // TEST 2: Try with the path in the cmd_line.
- base::string16 cmd_line = L"\"";
- cmd_line += path;
- cmd_line += L"\"";
- return CreateProcessHelper(base::string16(), cmd_line);
-}
-
-SBOX_TESTS_COMMAND int Process_RunApp3(int argc, wchar_t **argv) {
- if (argc != 1) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- if ((NULL == argv) || (NULL == argv[0])) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
-
- // TEST 3: Try file name in the cmd_line.
- return CreateProcessHelper(base::string16(), argv[0]);
-}
-
-SBOX_TESTS_COMMAND int Process_RunApp4(int argc, wchar_t **argv) {
- if (argc != 1) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- if ((NULL == argv) || (NULL == argv[0])) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
-
- // TEST 4: Try file name in the app_name and current directory sets correctly.
- base::string16 system32 = MakeFullPathToSystem32(L"");
- wchar_t current_directory[MAX_PATH + 1];
- DWORD ret = ::GetCurrentDirectory(MAX_PATH, current_directory);
- if (!ret)
- return SBOX_TEST_FIRST_ERROR;
- if (ret >= MAX_PATH)
- return SBOX_TEST_FAILED;
-
- current_directory[ret] = L'\\';
- current_directory[ret+1] = L'\0';
- if (!::SetCurrentDirectory(system32.c_str())) {
- return SBOX_TEST_SECOND_ERROR;
- }
-
- const int result4 = CreateProcessHelper(argv[0], base::string16());
- return ::SetCurrentDirectory(current_directory) ? result4 : SBOX_TEST_FAILED;
-}
-
-SBOX_TESTS_COMMAND int Process_RunApp5(int argc, wchar_t **argv) {
- if (argc != 1) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- if ((NULL == argv) || (NULL == argv[0])) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- base::string16 path = MakeFullPathToSystem32(argv[0]);
-
- // TEST 5: Try with the path in the cmd_line and arguments.
- base::string16 cmd_line = L"\"";
- cmd_line += path;
- cmd_line += L"\" /I";
- return CreateProcessHelper(base::string16(), cmd_line);
-}
-
-SBOX_TESTS_COMMAND int Process_RunApp6(int argc, wchar_t **argv) {
- if (argc != 1) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
- if ((NULL == argv) || (NULL == argv[0])) {
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
- }
-
- // TEST 6: Try with the file_name in the cmd_line and arguments.
- base::string16 cmd_line = argv[0];
- cmd_line += L" /I";
- return CreateProcessHelper(base::string16(), cmd_line);
-}
-
-// Creates a process and checks if it's possible to get a handle to it's token.
-SBOX_TESTS_COMMAND int Process_GetChildProcessToken(int argc, wchar_t **argv) {
- if (argc != 1)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- if ((NULL == argv) || (NULL == argv[0]))
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- base::string16 path = MakeFullPathToSystem32(argv[0]);
-
- STARTUPINFOW si = {sizeof(si)};
-
- PROCESS_INFORMATION temp_process_info = {};
- if (!::CreateProcessW(path.c_str(), NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
- NULL, NULL, &si, &temp_process_info)) {
- return SBOX_TEST_FAILED;
- }
- base::win::ScopedProcessInformation pi(temp_process_info);
-
- HANDLE token = NULL;
- BOOL result =
- ::OpenProcessToken(pi.process_handle(), TOKEN_IMPERSONATE, &token);
- DWORD error = ::GetLastError();
-
- base::win::ScopedHandle token_handle(token);
-
- if (!::TerminateProcess(pi.process_handle(), 0))
- return SBOX_TEST_FAILED;
-
- if (result && token)
- return SBOX_TEST_SUCCEEDED;
-
- if (ERROR_ACCESS_DENIED == error)
- return SBOX_TEST_DENIED;
-
- return SBOX_TEST_FAILED;
-}
-
-
-SBOX_TESTS_COMMAND int Process_OpenToken(int argc, wchar_t **argv) {
- HANDLE token;
- if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS, &token)) {
- if (ERROR_ACCESS_DENIED == ::GetLastError()) {
- return SBOX_TEST_DENIED;
- }
- } else {
- ::CloseHandle(token);
- return SBOX_TEST_SUCCEEDED;
- }
-
- return SBOX_TEST_FAILED;
-}
-
-TEST(ProcessPolicyTest, TestAllAccess) {
- // Check if the "all access" rule fails to be added when the token is too
- // powerful.
- TestRunner runner;
-
- // Check the failing case.
- runner.GetPolicy()->SetTokenLevel(USER_INTERACTIVE, USER_LOCKDOWN);
- EXPECT_EQ(SBOX_ERROR_UNSUPPORTED,
- runner.GetPolicy()->AddRule(TargetPolicy::SUBSYS_PROCESS,
- TargetPolicy::PROCESS_ALL_EXEC,
- L"this is not important"));
-
- // Check the working case.
- runner.GetPolicy()->SetTokenLevel(USER_INTERACTIVE, USER_INTERACTIVE);
-
- EXPECT_EQ(SBOX_ALL_OK,
- runner.GetPolicy()->AddRule(TargetPolicy::SUBSYS_PROCESS,
- TargetPolicy::PROCESS_ALL_EXEC,
- L"this is not important"));
-}
-
-TEST(ProcessPolicyTest, CreateProcessAW) {
- TestRunner runner;
- base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
- base::string16 system32 = MakeFullPathToSystem32(L"");
- ASSERT_TRUE(!exe_path.empty());
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
- TargetPolicy::PROCESS_MIN_EXEC,
- exe_path.c_str()));
-
- // Need to add directory rules for the directories that we use in
- // SetCurrentDirectory.
- EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_DIR_ANY,
- system32.c_str()));
-
- wchar_t current_directory[MAX_PATH];
- DWORD ret = ::GetCurrentDirectory(MAX_PATH, current_directory);
- ASSERT_TRUE(0 != ret && ret < MAX_PATH);
-
- wcscat_s(current_directory, MAX_PATH, L"\\");
- EXPECT_TRUE(runner.AddFsRule(TargetPolicy::FILES_ALLOW_DIR_ANY,
- current_directory));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp1 calc.exe"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp2 calc.exe"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp3 calc.exe"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp5 calc.exe"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Process_RunApp6 calc.exe"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"Process_RunApp1 findstr.exe"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"Process_RunApp2 findstr.exe"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"Process_RunApp3 findstr.exe"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"Process_RunApp5 findstr.exe"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"Process_RunApp6 findstr.exe"));
-
-#if !defined(_WIN64)
- if (base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
- // WinXP results are not reliable.
- EXPECT_EQ(SBOX_TEST_SECOND_ERROR,
- runner.RunTest(L"Process_RunApp4 calc.exe"));
- EXPECT_EQ(SBOX_TEST_SECOND_ERROR,
- runner.RunTest(L"Process_RunApp4 findstr.exe"));
- }
-#endif
-}
-
-TEST(ProcessPolicyTest, OpenToken) {
- TestRunner runner;
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Process_OpenToken"));
-}
-
-TEST(ProcessPolicyTest, TestGetProcessTokenMinAccess) {
- TestRunner runner;
- base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
- ASSERT_TRUE(!exe_path.empty());
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
- TargetPolicy::PROCESS_MIN_EXEC,
- exe_path.c_str()));
-
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
-}
-
-TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccess) {
- TestRunner runner(JOB_UNPROTECTED, USER_INTERACTIVE, USER_INTERACTIVE);
- base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
- ASSERT_TRUE(!exe_path.empty());
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
- TargetPolicy::PROCESS_ALL_EXEC,
- exe_path.c_str()));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
-}
-
-TEST(ProcessPolicyTest, TestGetProcessTokenMinAccessNoJob) {
- TestRunner runner(JOB_NONE, USER_RESTRICTED_SAME_ACCESS, USER_LOCKDOWN);
- base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
- ASSERT_TRUE(!exe_path.empty());
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
- TargetPolicy::PROCESS_MIN_EXEC,
- exe_path.c_str()));
-
- EXPECT_EQ(SBOX_TEST_DENIED,
- runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
-}
-
-TEST(ProcessPolicyTest, TestGetProcessTokenMaxAccessNoJob) {
- TestRunner runner(JOB_NONE, USER_INTERACTIVE, USER_INTERACTIVE);
- base::string16 exe_path = MakeFullPathToSystem32(L"findstr.exe");
- ASSERT_TRUE(!exe_path.empty());
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_PROCESS,
- TargetPolicy::PROCESS_ALL_EXEC,
- exe_path.c_str()));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED,
- runner.RunTest(L"Process_GetChildProcessToken findstr.exe"));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.cc
deleted file mode 100644
index 8debd1e0f..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.cc
+++ /dev/null
@@ -1,247 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/process_thread_dispatcher.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/logging.h"
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_broker.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/process_thread_interception.h"
-#include "sandbox/win/src/process_thread_policy.h"
-#include "sandbox/win/src/sandbox.h"
-
-namespace {
-
-// Extracts the application name from a command line.
-//
-// The application name is the first element of the command line. If
-// there is no quotes, the first element is delimited by the first space.
-// If there are quotes, the first element is delimited by the quotes.
-//
-// The create process call is smarter than us. It tries really hard to launch
-// the process even if the command line is wrong. For example:
-// "c:\program files\test param" will first try to launch c:\program.exe then
-// c:\program files\test.exe. We don't do that, we stop after at the first
-// space when there is no quotes.
-base::string16 GetPathFromCmdLine(const base::string16 &cmd_line) {
- base::string16 exe_name;
- // Check if it starts with '"'.
- if (cmd_line[0] == L'\"') {
- // Find the position of the second '"', this terminates the path.
- base::string16::size_type pos = cmd_line.find(L'\"', 1);
- if (base::string16::npos == pos)
- return cmd_line;
- exe_name = cmd_line.substr(1, pos - 1);
- } else {
- // There is no '"', that means that the appname is terminated at the
- // first space.
- base::string16::size_type pos = cmd_line.find(L' ');
- if (base::string16::npos == pos) {
- // There is no space, the cmd_line contains only the app_name
- exe_name = cmd_line;
- } else {
- exe_name = cmd_line.substr(0, pos);
- }
- }
-
- return exe_name;
-}
-
-// Returns true is the path in parameter is relative. False if it's
-// absolute.
-bool IsPathRelative(const base::string16 &path) {
- // A path is Relative if it's not a UNC path beginnning with \\ or a
- // path beginning with a drive. (i.e. X:\)
- if (path.find(L"\\\\") == 0 || path.find(L":\\") == 1)
- return false;
- return true;
-}
-
-// Converts a relative path to an absolute path.
-bool ConvertToAbsolutePath(const base::string16& child_current_directory,
- bool use_env_path, base::string16 *path) {
- wchar_t file_buffer[MAX_PATH];
- wchar_t *file_part = NULL;
-
- // Here we should start by looking at the path where the child application was
- // started. We don't have this information yet.
- DWORD result = 0;
- if (use_env_path) {
- // Try with the complete path
- result = ::SearchPath(NULL, path->c_str(), NULL, MAX_PATH, file_buffer,
- &file_part);
- }
-
- if (0 == result) {
- // Try with the current directory of the child
- result = ::SearchPath(child_current_directory.c_str(), path->c_str(), NULL,
- MAX_PATH, file_buffer, &file_part);
- }
-
- if (0 == result || result >= MAX_PATH)
- return false;
-
- *path = file_buffer;
- return true;
-}
-
-} // namespace
-namespace sandbox {
-
-ThreadProcessDispatcher::ThreadProcessDispatcher(PolicyBase* policy_base)
- : policy_base_(policy_base) {
- static const IPCCall open_thread = {
- {IPC_NTOPENTHREAD_TAG, {UINT32_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &ThreadProcessDispatcher::NtOpenThread)};
-
- static const IPCCall open_process = {
- {IPC_NTOPENPROCESS_TAG, {UINT32_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &ThreadProcessDispatcher::NtOpenProcess)};
-
- static const IPCCall process_token = {
- {IPC_NTOPENPROCESSTOKEN_TAG, {VOIDPTR_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &ThreadProcessDispatcher::NtOpenProcessToken)};
-
- static const IPCCall process_tokenex = {
- {IPC_NTOPENPROCESSTOKENEX_TAG, {VOIDPTR_TYPE, UINT32_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &ThreadProcessDispatcher::NtOpenProcessTokenEx)};
-
- static const IPCCall create_params = {
- {IPC_CREATEPROCESSW_TAG,
- {WCHAR_TYPE, WCHAR_TYPE, WCHAR_TYPE, INOUTPTR_TYPE}},
- reinterpret_cast<CallbackGeneric>(
- &ThreadProcessDispatcher::CreateProcessW)};
-
- ipc_calls_.push_back(open_thread);
- ipc_calls_.push_back(open_process);
- ipc_calls_.push_back(process_token);
- ipc_calls_.push_back(process_tokenex);
- ipc_calls_.push_back(create_params);
-}
-
-bool ThreadProcessDispatcher::SetupService(InterceptionManager* manager,
- int service) {
- switch (service) {
- case IPC_NTOPENTHREAD_TAG:
- case IPC_NTOPENPROCESS_TAG:
- case IPC_NTOPENPROCESSTOKEN_TAG:
- case IPC_NTOPENPROCESSTOKENEX_TAG:
- // There is no explicit policy for these services.
- NOTREACHED();
- return false;
-
- case IPC_CREATEPROCESSW_TAG:
- return INTERCEPT_EAT(manager, kKerneldllName, CreateProcessW,
- CREATE_PROCESSW_ID, 44) &&
- INTERCEPT_EAT(manager, L"kernel32.dll", CreateProcessA,
- CREATE_PROCESSA_ID, 44);
-
- default:
- return false;
- }
-}
-
-bool ThreadProcessDispatcher::NtOpenThread(IPCInfo* ipc,
- uint32_t desired_access,
- uint32_t thread_id) {
- HANDLE handle;
- NTSTATUS ret = ProcessPolicy::OpenThreadAction(*ipc->client_info,
- desired_access, thread_id,
- &handle);
- ipc->return_info.nt_status = ret;
- ipc->return_info.handle = handle;
- return true;
-}
-
-bool ThreadProcessDispatcher::NtOpenProcess(IPCInfo* ipc,
- uint32_t desired_access,
- uint32_t process_id) {
- HANDLE handle;
- NTSTATUS ret = ProcessPolicy::OpenProcessAction(*ipc->client_info,
- desired_access, process_id,
- &handle);
- ipc->return_info.nt_status = ret;
- ipc->return_info.handle = handle;
- return true;
-}
-
-bool ThreadProcessDispatcher::NtOpenProcessToken(IPCInfo* ipc,
- HANDLE process,
- uint32_t desired_access) {
- HANDLE handle;
- NTSTATUS ret = ProcessPolicy::OpenProcessTokenAction(*ipc->client_info,
- process, desired_access,
- &handle);
- ipc->return_info.nt_status = ret;
- ipc->return_info.handle = handle;
- return true;
-}
-
-bool ThreadProcessDispatcher::NtOpenProcessTokenEx(IPCInfo* ipc,
- HANDLE process,
- uint32_t desired_access,
- uint32_t attributes) {
- HANDLE handle;
- NTSTATUS ret = ProcessPolicy::OpenProcessTokenExAction(*ipc->client_info,
- process,
- desired_access,
- attributes, &handle);
- ipc->return_info.nt_status = ret;
- ipc->return_info.handle = handle;
- return true;
-}
-
-bool ThreadProcessDispatcher::CreateProcessW(IPCInfo* ipc, base::string16* name,
- base::string16* cmd_line,
- base::string16* cur_dir,
- CountedBuffer* info) {
- if (sizeof(PROCESS_INFORMATION) != info->Size())
- return false;
-
- // Check if there is an application name.
- base::string16 exe_name;
- if (!name->empty())
- exe_name = *name;
- else
- exe_name = GetPathFromCmdLine(*cmd_line);
-
- if (IsPathRelative(exe_name)) {
- if (!ConvertToAbsolutePath(*cur_dir, name->empty(), &exe_name)) {
- // Cannot find the path. Maybe the file does not exist.
- ipc->return_info.win32_result = ERROR_FILE_NOT_FOUND;
- return true;
- }
- }
-
- const wchar_t* const_exe_name = exe_name.c_str();
- CountedParameterSet<NameBased> params;
- params[NameBased::NAME] = ParamPickerMake(const_exe_name);
-
- EvalResult eval = policy_base_->EvalPolicy(IPC_CREATEPROCESSW_TAG,
- params.GetBase());
-
- PROCESS_INFORMATION* proc_info =
- reinterpret_cast<PROCESS_INFORMATION*>(info->Buffer());
- // Here we force the app_name to be the one we used for the policy lookup.
- // If our logic was wrong, at least we wont allow create a random process.
- DWORD ret = ProcessPolicy::CreateProcessWAction(eval, *ipc->client_info,
- exe_name, *cmd_line,
- proc_info);
-
- ipc->return_info.win32_result = ret;
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.h
deleted file mode 100644
index 008385f42..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_thread_dispatcher.h
+++ /dev/null
@@ -1,59 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_PROCESS_THREAD_DISPATCHER_H_
-#define SANDBOX_SRC_PROCESS_THREAD_DISPATCHER_H_
-
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-namespace sandbox {
-
-// This class handles process and thread-related IPC calls.
-class ThreadProcessDispatcher : public Dispatcher {
- public:
- explicit ThreadProcessDispatcher(PolicyBase* policy_base);
- ~ThreadProcessDispatcher() override {}
-
- // Dispatcher interface.
- bool SetupService(InterceptionManager* manager, int service) override;
-
- private:
- // Processes IPC requests coming from calls to NtOpenThread() in the target.
- bool NtOpenThread(IPCInfo* ipc, uint32_t desired_access, uint32_t thread_id);
-
- // Processes IPC requests coming from calls to NtOpenProcess() in the target.
- bool NtOpenProcess(IPCInfo* ipc,
- uint32_t desired_access,
- uint32_t process_id);
-
- // Processes IPC requests from calls to NtOpenProcessToken() in the target.
- bool NtOpenProcessToken(IPCInfo* ipc,
- HANDLE process,
- uint32_t desired_access);
-
- // Processes IPC requests from calls to NtOpenProcessTokenEx() in the target.
- bool NtOpenProcessTokenEx(IPCInfo* ipc,
- HANDLE process,
- uint32_t desired_access,
- uint32_t attributes);
-
- // Processes IPC requests coming from calls to CreateProcessW() in the target.
- bool CreateProcessW(IPCInfo* ipc,
- base::string16* name,
- base::string16* cmd_line,
- base::string16* cur_dir,
- CountedBuffer* info);
-
- PolicyBase* policy_base_;
- DISALLOW_COPY_AND_ASSIGN(ThreadProcessDispatcher);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_PROCESS_THREAD_DISPATCHER_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc b/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
deleted file mode 100644
index 6507da3f7..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.cc
+++ /dev/null
@@ -1,423 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/process_thread_interception.h"
-
-#include <stdint.h>
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/policy_target.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/target_services.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-
-namespace sandbox {
-
-SANDBOX_INTERCEPT NtExports g_nt;
-
-// Hooks NtOpenThread and proxy the call to the broker if it's trying to
-// open a thread in the same process.
-NTSTATUS WINAPI TargetNtOpenThread(NtOpenThreadFunction orig_OpenThread,
- PHANDLE thread, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes,
- PCLIENT_ID client_id) {
- NTSTATUS status = orig_OpenThread(thread, desired_access, object_attributes,
- client_id);
- if (NT_SUCCESS(status))
- return status;
-
- mozilla::sandboxing::LogBlocked("NtOpenThread");
- do {
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- break;
- if (!client_id)
- break;
-
- uint32_t thread_id = 0;
- bool should_break = false;
- __try {
- // We support only the calls for the current process
- if (NULL != client_id->UniqueProcess)
- should_break = true;
-
- // Object attributes should be NULL or empty.
- if (!should_break && NULL != object_attributes) {
- if (0 != object_attributes->Attributes ||
- NULL != object_attributes->ObjectName ||
- NULL != object_attributes->RootDirectory ||
- NULL != object_attributes->SecurityDescriptor ||
- NULL != object_attributes->SecurityQualityOfService) {
- should_break = true;
- }
- }
-
- thread_id = static_cast<uint32_t>(
- reinterpret_cast<ULONG_PTR>(client_id->UniqueThread));
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
-
- if (should_break)
- break;
-
- if (!ValidParameter(thread, sizeof(HANDLE), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_NTOPENTHREAD_TAG, desired_access,
- thread_id, &answer);
- if (SBOX_ALL_OK != code)
- break;
-
- if (!NT_SUCCESS(answer.nt_status))
- // The nt_status here is most likely STATUS_INVALID_CID because
- // in the broker we set the process id in the CID (client ID) param
- // to be the current process. If you try to open a thread from another
- // process you will get this INVALID_CID error. On the other hand, if you
- // try to open a thread in your own process, it should return success.
- // We don't want to return STATUS_INVALID_CID here, so we return the
- // return of the original open thread status, which is most likely
- // STATUS_ACCESS_DENIED.
- break;
-
- __try {
- // Write the output parameters.
- *thread = answer.handle;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
-
- mozilla::sandboxing::LogAllowed("NtOpenThread");
- return answer.nt_status;
- } while (false);
-
- return status;
-}
-
-// Hooks NtOpenProcess and proxy the call to the broker if it's trying to
-// open the current process.
-NTSTATUS WINAPI TargetNtOpenProcess(NtOpenProcessFunction orig_OpenProcess,
- PHANDLE process, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes,
- PCLIENT_ID client_id) {
- NTSTATUS status = orig_OpenProcess(process, desired_access, object_attributes,
- client_id);
- if (NT_SUCCESS(status))
- return status;
-
- do {
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- break;
- if (!client_id)
- break;
-
- uint32_t process_id = 0;
- bool should_break = false;
- __try {
- // Object attributes should be NULL or empty.
- if (!should_break && NULL != object_attributes) {
- if (0 != object_attributes->Attributes ||
- NULL != object_attributes->ObjectName ||
- NULL != object_attributes->RootDirectory ||
- NULL != object_attributes->SecurityDescriptor ||
- NULL != object_attributes->SecurityQualityOfService) {
- should_break = true;
- }
- }
-
- process_id = static_cast<uint32_t>(
- reinterpret_cast<ULONG_PTR>(client_id->UniqueProcess));
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
-
- if (should_break)
- break;
-
- if (!ValidParameter(process, sizeof(HANDLE), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_NTOPENPROCESS_TAG, desired_access,
- process_id, &answer);
- if (SBOX_ALL_OK != code)
- break;
-
- if (!NT_SUCCESS(answer.nt_status))
- return answer.nt_status;
-
- __try {
- // Write the output parameters.
- *process = answer.handle;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
-
- return answer.nt_status;
- } while (false);
-
- return status;
-}
-
-
-NTSTATUS WINAPI TargetNtOpenProcessToken(
- NtOpenProcessTokenFunction orig_OpenProcessToken, HANDLE process,
- ACCESS_MASK desired_access, PHANDLE token) {
- NTSTATUS status = orig_OpenProcessToken(process, desired_access, token);
- if (NT_SUCCESS(status))
- return status;
-
- mozilla::sandboxing::LogBlocked("NtOpenProcessToken");
- do {
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- break;
-
- if (CURRENT_PROCESS != process)
- break;
-
- if (!ValidParameter(token, sizeof(HANDLE), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_NTOPENPROCESSTOKEN_TAG, process,
- desired_access, &answer);
- if (SBOX_ALL_OK != code)
- break;
-
- if (!NT_SUCCESS(answer.nt_status))
- return answer.nt_status;
-
- __try {
- // Write the output parameters.
- *token = answer.handle;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
-
- mozilla::sandboxing::LogAllowed("NtOpenProcessToken");
- return answer.nt_status;
- } while (false);
-
- return status;
-}
-
-NTSTATUS WINAPI TargetNtOpenProcessTokenEx(
- NtOpenProcessTokenExFunction orig_OpenProcessTokenEx, HANDLE process,
- ACCESS_MASK desired_access, ULONG handle_attributes, PHANDLE token) {
- NTSTATUS status = orig_OpenProcessTokenEx(process, desired_access,
- handle_attributes, token);
- if (NT_SUCCESS(status))
- return status;
-
- mozilla::sandboxing::LogBlocked("NtOpenProcessTokenEx");
- do {
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- break;
-
- if (CURRENT_PROCESS != process)
- break;
-
- if (!ValidParameter(token, sizeof(HANDLE), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_NTOPENPROCESSTOKENEX_TAG, process,
- desired_access, handle_attributes, &answer);
- if (SBOX_ALL_OK != code)
- break;
-
- if (!NT_SUCCESS(answer.nt_status))
- return answer.nt_status;
-
- __try {
- // Write the output parameters.
- *token = answer.handle;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
-
- mozilla::sandboxing::LogAllowed("NtOpenProcessTokenEx");
- return answer.nt_status;
- } while (false);
-
- return status;
-}
-
-BOOL WINAPI TargetCreateProcessW(CreateProcessWFunction orig_CreateProcessW,
- LPCWSTR application_name, LPWSTR command_line,
- LPSECURITY_ATTRIBUTES process_attributes,
- LPSECURITY_ATTRIBUTES thread_attributes,
- BOOL inherit_handles, DWORD flags,
- LPVOID environment, LPCWSTR current_directory,
- LPSTARTUPINFOW startup_info,
- LPPROCESS_INFORMATION process_information) {
- if (SandboxFactory::GetTargetServices()->GetState()->IsCsrssConnected() &&
- orig_CreateProcessW(application_name, command_line, process_attributes,
- thread_attributes, inherit_handles, flags,
- environment, current_directory, startup_info,
- process_information)) {
- return TRUE;
- }
-
- mozilla::sandboxing::LogBlocked("CreateProcessW", application_name);
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return FALSE;
-
- // Don't call GetLastError before InitCalled() succeeds because kernel32 may
- // not be mapped yet.
- DWORD original_error = ::GetLastError();
-
- do {
- if (!ValidParameter(process_information, sizeof(PROCESS_INFORMATION),
- WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- const wchar_t* cur_dir = NULL;
-
- wchar_t current_directory[MAX_PATH];
- DWORD result = ::GetCurrentDirectory(MAX_PATH, current_directory);
- if (0 != result && result < MAX_PATH)
- cur_dir = current_directory;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
-
- InOutCountedBuffer proc_info(process_information,
- sizeof(PROCESS_INFORMATION));
-
- ResultCode code = CrossCall(ipc, IPC_CREATEPROCESSW_TAG, application_name,
- command_line, cur_dir, proc_info, &answer);
- if (SBOX_ALL_OK != code)
- break;
-
- ::SetLastError(answer.win32_result);
- if (ERROR_SUCCESS != answer.win32_result)
- return FALSE;
-
- mozilla::sandboxing::LogAllowed("CreateProcessW", application_name);
- return TRUE;
- } while (false);
-
- ::SetLastError(original_error);
- return FALSE;
-}
-
-BOOL WINAPI TargetCreateProcessA(CreateProcessAFunction orig_CreateProcessA,
- LPCSTR application_name, LPSTR command_line,
- LPSECURITY_ATTRIBUTES process_attributes,
- LPSECURITY_ATTRIBUTES thread_attributes,
- BOOL inherit_handles, DWORD flags,
- LPVOID environment, LPCSTR current_directory,
- LPSTARTUPINFOA startup_info,
- LPPROCESS_INFORMATION process_information) {
- if (orig_CreateProcessA(application_name, command_line, process_attributes,
- thread_attributes, inherit_handles, flags,
- environment, current_directory, startup_info,
- process_information)) {
- return TRUE;
- }
-
- mozilla::sandboxing::LogBlocked("CreateProcessA", application_name);
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return FALSE;
-
- // Don't call GetLastError before InitCalled() succeeds because kernel32 may
- // not be mapped yet.
- DWORD original_error = ::GetLastError();
-
- do {
- if (!ValidParameter(process_information, sizeof(PROCESS_INFORMATION),
- WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- // Convert the input params to unicode.
- UNICODE_STRING *cmd_unicode = NULL;
- UNICODE_STRING *app_unicode = NULL;
- if (command_line) {
- cmd_unicode = AnsiToUnicode(command_line);
- if (!cmd_unicode)
- break;
- }
-
- if (application_name) {
- app_unicode = AnsiToUnicode(application_name);
- if (!app_unicode) {
- operator delete(cmd_unicode, NT_ALLOC);
- break;
- }
- }
-
- const wchar_t* cmd_line = cmd_unicode ? cmd_unicode->Buffer : NULL;
- const wchar_t* app_name = app_unicode ? app_unicode->Buffer : NULL;
- const wchar_t* cur_dir = NULL;
-
- wchar_t current_directory[MAX_PATH];
- DWORD result = ::GetCurrentDirectory(MAX_PATH, current_directory);
- if (0 != result && result < MAX_PATH)
- cur_dir = current_directory;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
-
- InOutCountedBuffer proc_info(process_information,
- sizeof(PROCESS_INFORMATION));
-
- ResultCode code = CrossCall(ipc, IPC_CREATEPROCESSW_TAG, app_name,
- cmd_line, cur_dir, proc_info, &answer);
-
- operator delete(cmd_unicode, NT_ALLOC);
- operator delete(app_unicode, NT_ALLOC);
-
- if (SBOX_ALL_OK != code)
- break;
-
- ::SetLastError(answer.win32_result);
- if (ERROR_SUCCESS != answer.win32_result)
- return FALSE;
-
- mozilla::sandboxing::LogAllowed("CreateProcessA", application_name);
- return TRUE;
- } while (false);
-
- ::SetLastError(original_error);
- return FALSE;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.h b/security/sandbox/chromium/sandbox/win/src/process_thread_interception.h
deleted file mode 100644
index 31dc23154..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_thread_interception.h
+++ /dev/null
@@ -1,90 +0,0 @@
-// Copyright (c) 2014 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_PROCESS_THREAD_INTERCEPTION_H__
-#define SANDBOX_SRC_PROCESS_THREAD_INTERCEPTION_H__
-
-namespace sandbox {
-
-extern "C" {
-
-typedef BOOL (WINAPI *CreateProcessWFunction)(
- LPCWSTR lpApplicationName,
- LPWSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles,
- DWORD dwCreationFlags,
- LPVOID lpEnvironment,
- LPCWSTR lpCurrentDirectory,
- LPSTARTUPINFOW lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation);
-
-typedef BOOL (WINAPI *CreateProcessAFunction)(
- LPCSTR lpApplicationName,
- LPSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles,
- DWORD dwCreationFlags,
- LPVOID lpEnvironment,
- LPCSTR lpCurrentDirectory,
- LPSTARTUPINFOA lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation);
-
-typedef HANDLE (WINAPI *CreateThreadFunction)(
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- SIZE_T dwStackSize,
- LPTHREAD_START_ROUTINE lpStartAddress,
- PVOID lpParameter,
- DWORD dwCreationFlags,
- LPDWORD lpThreadId);
-
-typedef LCID (WINAPI *GetUserDefaultLCIDFunction)();
-
-// Interception of NtOpenThread on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenThread(
- NtOpenThreadFunction orig_OpenThread, PHANDLE thread,
- ACCESS_MASK desired_access, POBJECT_ATTRIBUTES object_attributes,
- PCLIENT_ID client_id);
-
-// Interception of NtOpenProcess on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcess(
- NtOpenProcessFunction orig_OpenProcess, PHANDLE process,
- ACCESS_MASK desired_access, POBJECT_ATTRIBUTES object_attributes,
- PCLIENT_ID client_id);
-
-// Interception of NtOpenProcessToken on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessToken(
- NtOpenProcessTokenFunction orig_OpenProcessToken, HANDLE process,
- ACCESS_MASK desired_access, PHANDLE token);
-
-// Interception of NtOpenProcessTokenEx on the child process.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenProcessTokenEx(
- NtOpenProcessTokenExFunction orig_OpenProcessTokenEx, HANDLE process,
- ACCESS_MASK desired_access, ULONG handle_attributes, PHANDLE token);
-
-// Interception of CreateProcessW and A in kernel32.dll.
-SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessW(
- CreateProcessWFunction orig_CreateProcessW, LPCWSTR application_name,
- LPWSTR command_line, LPSECURITY_ATTRIBUTES process_attributes,
- LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
- LPVOID environment, LPCWSTR current_directory, LPSTARTUPINFOW startup_info,
- LPPROCESS_INFORMATION process_information);
-
-SANDBOX_INTERCEPT BOOL WINAPI TargetCreateProcessA(
- CreateProcessAFunction orig_CreateProcessA, LPCSTR application_name,
- LPSTR command_line, LPSECURITY_ATTRIBUTES process_attributes,
- LPSECURITY_ATTRIBUTES thread_attributes, BOOL inherit_handles, DWORD flags,
- LPVOID environment, LPCSTR current_directory, LPSTARTUPINFOA startup_info,
- LPPROCESS_INFORMATION process_information);
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_PROCESS_THREAD_INTERCEPTION_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/process_thread_policy.cc b/security/sandbox/chromium/sandbox/win/src/process_thread_policy.cc
deleted file mode 100644
index b4976c0bb..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_thread_policy.cc
+++ /dev/null
@@ -1,241 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/process_thread_policy.h"
-
-#include <stdint.h>
-
-#include <string>
-
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-// These are the only safe rights that can be given to a sandboxed
-// process for the process created by the broker. All others are potential
-// vectors of privilege elevation.
-const DWORD kProcessRights = SYNCHRONIZE |
- PROCESS_QUERY_INFORMATION |
- PROCESS_QUERY_LIMITED_INFORMATION |
- PROCESS_TERMINATE |
- PROCESS_SUSPEND_RESUME;
-
-const DWORD kThreadRights = SYNCHRONIZE |
- THREAD_TERMINATE |
- THREAD_SUSPEND_RESUME |
- THREAD_QUERY_INFORMATION |
- THREAD_QUERY_LIMITED_INFORMATION |
- THREAD_SET_LIMITED_INFORMATION;
-
-// Creates a child process and duplicates the handles to 'target_process'. The
-// remaining parameters are the same as CreateProcess().
-BOOL CreateProcessExWHelper(HANDLE target_process, BOOL give_full_access,
- LPCWSTR lpApplicationName, LPWSTR lpCommandLine,
- LPSECURITY_ATTRIBUTES lpProcessAttributes,
- LPSECURITY_ATTRIBUTES lpThreadAttributes,
- BOOL bInheritHandles, DWORD dwCreationFlags,
- LPVOID lpEnvironment, LPCWSTR lpCurrentDirectory,
- LPSTARTUPINFOW lpStartupInfo,
- LPPROCESS_INFORMATION lpProcessInformation) {
- if (!::CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes,
- lpThreadAttributes, bInheritHandles, dwCreationFlags,
- lpEnvironment, lpCurrentDirectory, lpStartupInfo,
- lpProcessInformation)) {
- return FALSE;
- }
-
- DWORD process_access = kProcessRights;
- DWORD thread_access = kThreadRights;
- if (give_full_access) {
- process_access = PROCESS_ALL_ACCESS;
- thread_access = THREAD_ALL_ACCESS;
- }
- if (!::DuplicateHandle(::GetCurrentProcess(), lpProcessInformation->hProcess,
- target_process, &lpProcessInformation->hProcess,
- process_access, FALSE, DUPLICATE_CLOSE_SOURCE)) {
- ::CloseHandle(lpProcessInformation->hThread);
- return FALSE;
- }
- if (!::DuplicateHandle(::GetCurrentProcess(), lpProcessInformation->hThread,
- target_process, &lpProcessInformation->hThread,
- thread_access, FALSE, DUPLICATE_CLOSE_SOURCE)) {
- return FALSE;
- }
- return TRUE;
-}
-
-}
-
-namespace sandbox {
-
-bool ProcessPolicy::GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy) {
- scoped_ptr<PolicyRule> process;
- switch (semantics) {
- case TargetPolicy::PROCESS_MIN_EXEC: {
- process.reset(new PolicyRule(GIVE_READONLY));
- break;
- };
- case TargetPolicy::PROCESS_ALL_EXEC: {
- process.reset(new PolicyRule(GIVE_ALLACCESS));
- break;
- };
- default: {
- return false;
- };
- }
-
- if (!process->AddStringMatch(IF, NameBased::NAME, name, CASE_INSENSITIVE)) {
- return false;
- }
- if (!policy->AddRule(IPC_CREATEPROCESSW_TAG, process.get())) {
- return false;
- }
- return true;
-}
-
-NTSTATUS ProcessPolicy::OpenThreadAction(const ClientInfo& client_info,
- uint32_t desired_access,
- uint32_t thread_id,
- HANDLE* handle) {
- *handle = NULL;
-
- NtOpenThreadFunction NtOpenThread = NULL;
- ResolveNTFunctionPtr("NtOpenThread", &NtOpenThread);
-
- OBJECT_ATTRIBUTES attributes = {0};
- attributes.Length = sizeof(attributes);
- CLIENT_ID client_id = {0};
- client_id.UniqueProcess = reinterpret_cast<PVOID>(
- static_cast<ULONG_PTR>(client_info.process_id));
- client_id.UniqueThread =
- reinterpret_cast<PVOID>(static_cast<ULONG_PTR>(thread_id));
-
- HANDLE local_handle = NULL;
- NTSTATUS status = NtOpenThread(&local_handle, desired_access, &attributes,
- &client_id);
- if (NT_SUCCESS(status)) {
- if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
- client_info.process, handle, 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return STATUS_ACCESS_DENIED;
- }
- }
-
- return status;
-}
-
-NTSTATUS ProcessPolicy::OpenProcessAction(const ClientInfo& client_info,
- uint32_t desired_access,
- uint32_t process_id,
- HANDLE* handle) {
- *handle = NULL;
-
- NtOpenProcessFunction NtOpenProcess = NULL;
- ResolveNTFunctionPtr("NtOpenProcess", &NtOpenProcess);
-
- if (client_info.process_id != process_id)
- return STATUS_ACCESS_DENIED;
-
- OBJECT_ATTRIBUTES attributes = {0};
- attributes.Length = sizeof(attributes);
- CLIENT_ID client_id = {0};
- client_id.UniqueProcess = reinterpret_cast<PVOID>(
- static_cast<ULONG_PTR>(client_info.process_id));
- HANDLE local_handle = NULL;
- NTSTATUS status = NtOpenProcess(&local_handle, desired_access, &attributes,
- &client_id);
- if (NT_SUCCESS(status)) {
- if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
- client_info.process, handle, 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return STATUS_ACCESS_DENIED;
- }
- }
-
- return status;
-}
-
-NTSTATUS ProcessPolicy::OpenProcessTokenAction(const ClientInfo& client_info,
- HANDLE process,
- uint32_t desired_access,
- HANDLE* handle) {
- *handle = NULL;
- NtOpenProcessTokenFunction NtOpenProcessToken = NULL;
- ResolveNTFunctionPtr("NtOpenProcessToken", &NtOpenProcessToken);
-
- if (CURRENT_PROCESS != process)
- return STATUS_ACCESS_DENIED;
-
- HANDLE local_handle = NULL;
- NTSTATUS status = NtOpenProcessToken(client_info.process, desired_access,
- &local_handle);
- if (NT_SUCCESS(status)) {
- if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
- client_info.process, handle, 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return STATUS_ACCESS_DENIED;
- }
- }
- return status;
-}
-
-NTSTATUS ProcessPolicy::OpenProcessTokenExAction(const ClientInfo& client_info,
- HANDLE process,
- uint32_t desired_access,
- uint32_t attributes,
- HANDLE* handle) {
- *handle = NULL;
- NtOpenProcessTokenExFunction NtOpenProcessTokenEx = NULL;
- ResolveNTFunctionPtr("NtOpenProcessTokenEx", &NtOpenProcessTokenEx);
-
- if (CURRENT_PROCESS != process)
- return STATUS_ACCESS_DENIED;
-
- HANDLE local_handle = NULL;
- NTSTATUS status = NtOpenProcessTokenEx(client_info.process, desired_access,
- attributes, &local_handle);
- if (NT_SUCCESS(status)) {
- if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
- client_info.process, handle, 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return STATUS_ACCESS_DENIED;
- }
- }
- return status;
-}
-
-DWORD ProcessPolicy::CreateProcessWAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16 &app_name,
- const base::string16 &command_line,
- PROCESS_INFORMATION* process_info) {
- // The only action supported is ASK_BROKER which means create the process.
- if (GIVE_ALLACCESS != eval_result && GIVE_READONLY != eval_result) {
- return ERROR_ACCESS_DENIED;
- }
-
- STARTUPINFO startup_info = {0};
- startup_info.cb = sizeof(startup_info);
- scoped_ptr<wchar_t, base::FreeDeleter>
- cmd_line(_wcsdup(command_line.c_str()));
-
- BOOL should_give_full_access = (GIVE_ALLACCESS == eval_result);
- if (!CreateProcessExWHelper(client_info.process, should_give_full_access,
- app_name.c_str(), cmd_line.get(), NULL, NULL,
- FALSE, 0, NULL, NULL, &startup_info,
- process_info)) {
- return ERROR_ACCESS_DENIED;
- }
- return ERROR_SUCCESS;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/process_thread_policy.h b/security/sandbox/chromium/sandbox/win/src/process_thread_policy.h
deleted file mode 100644
index a66b52eb2..000000000
--- a/security/sandbox/chromium/sandbox/win/src/process_thread_policy.h
+++ /dev/null
@@ -1,84 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_PROCESS_THREAD_POLICY_H_
-#define SANDBOX_SRC_PROCESS_THREAD_POLICY_H_
-
-#include <stdint.h>
-
-#include <string>
-
-#include "sandbox/win/src/policy_low_level.h"
-
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox_policy.h"
-
-namespace sandbox {
-
-enum EvalResult;
-
-// This class centralizes most of the knowledge related to process execution.
-class ProcessPolicy {
- public:
- // Creates the required low-level policy rules to evaluate a high-level.
- // policy rule for process creation
- // 'name' is the executable to be spawn.
- // 'semantics' is the desired semantics.
- // 'policy' is the policy generator to which the rules are going to be added.
- static bool GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy);
-
- // Opens a thread from the child process and returns the handle.
- // client_info contains the information about the child process,
- // desired_access is the access requested by the child and thread_id
- // is the thread_id to be opened.
- // The function returns the return value of NtOpenThread.
- static NTSTATUS OpenThreadAction(const ClientInfo& client_info,
- uint32_t desired_access,
- uint32_t thread_id,
- HANDLE* handle);
-
- // Opens the process id passed in and returns the duplicated handle to
- // the child. We only allow the child processes to open themselves. Any other
- // pid open is denied.
- static NTSTATUS OpenProcessAction(const ClientInfo& client_info,
- uint32_t desired_access,
- uint32_t process_id,
- HANDLE* handle);
-
- // Opens the token associated with the process and returns the duplicated
- // handle to the child. We only allow the child processes to open his own
- // token (using ::GetCurrentProcess()).
- static NTSTATUS OpenProcessTokenAction(const ClientInfo& client_info,
- HANDLE process,
- uint32_t desired_access,
- HANDLE* handle);
-
- // Opens the token associated with the process and returns the duplicated
- // handle to the child. We only allow the child processes to open his own
- // token (using ::GetCurrentProcess()).
- static NTSTATUS OpenProcessTokenExAction(const ClientInfo& client_info,
- HANDLE process,
- uint32_t desired_access,
- uint32_t attributes,
- HANDLE* handle);
-
- // Processes a 'CreateProcessW()' request from the target.
- // 'client_info' : the target process that is making the request.
- // 'eval_result' : The desired policy action to accomplish.
- // 'app_name' : The full path of the process to be created.
- // 'command_line' : The command line passed to the created process.
- static DWORD CreateProcessWAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16 &app_name,
- const base::string16 &command_line,
- PROCESS_INFORMATION* process_info);
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_SRC_PROCESS_THREAD_POLICY_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/registry_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/registry_dispatcher.cc
deleted file mode 100644
index fef727dac..000000000
--- a/security/sandbox/chromium/sandbox/win/src/registry_dispatcher.cc
+++ /dev/null
@@ -1,175 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/registry_dispatcher.h"
-
-#include <stdint.h>
-
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_broker.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/registry_interception.h"
-#include "sandbox/win/src/registry_policy.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-namespace {
-
-// Builds a path using the root directory and the name.
-bool GetCompletePath(HANDLE root, const base::string16& name,
- base::string16* complete_name) {
- if (root) {
- if (!sandbox::GetPathFromHandle(root, complete_name))
- return false;
-
- *complete_name += L"\\";
- *complete_name += name;
- } else {
- *complete_name = name;
- }
-
- return true;
-}
-
-}
-
-namespace sandbox {
-
-RegistryDispatcher::RegistryDispatcher(PolicyBase* policy_base)
- : policy_base_(policy_base) {
- static const IPCCall create_params = {
- {IPC_NTCREATEKEY_TAG,
- {WCHAR_TYPE,
- UINT32_TYPE,
- VOIDPTR_TYPE,
- UINT32_TYPE,
- UINT32_TYPE,
- UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(&RegistryDispatcher::NtCreateKey)};
-
- static const IPCCall open_params = {
- {IPC_NTOPENKEY_TAG, {WCHAR_TYPE, UINT32_TYPE, VOIDPTR_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(&RegistryDispatcher::NtOpenKey)};
-
- ipc_calls_.push_back(create_params);
- ipc_calls_.push_back(open_params);
-}
-
-bool RegistryDispatcher::SetupService(InterceptionManager* manager,
- int service) {
- if (IPC_NTCREATEKEY_TAG == service)
- return INTERCEPT_NT(manager, NtCreateKey, CREATE_KEY_ID, 32);
-
- if (IPC_NTOPENKEY_TAG == service) {
- bool result = INTERCEPT_NT(manager, NtOpenKey, OPEN_KEY_ID, 16);
- if (base::win::GetVersion() >= base::win::VERSION_WIN7 ||
- (base::win::GetVersion() == base::win::VERSION_VISTA &&
- base::win::OSInfo::GetInstance()->version_type() ==
- base::win::SUITE_SERVER))
- result &= INTERCEPT_NT(manager, NtOpenKeyEx, OPEN_KEY_EX_ID, 20);
- return result;
- }
-
- return false;
-}
-
-bool RegistryDispatcher::NtCreateKey(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- HANDLE root,
- uint32_t desired_access,
- uint32_t title_index,
- uint32_t create_options) {
- base::win::ScopedHandle root_handle;
- base::string16 real_path = *name;
-
- // If there is a root directory, we need to duplicate the handle to make
- // it valid in this process.
- if (root) {
- if (!::DuplicateHandle(ipc->client_info->process, root,
- ::GetCurrentProcess(), &root, 0, FALSE,
- DUPLICATE_SAME_ACCESS))
- return false;
-
- root_handle.Set(root);
- }
-
- if (!GetCompletePath(root, *name, &real_path))
- return false;
-
- const wchar_t* regname = real_path.c_str();
- CountedParameterSet<OpenKey> params;
- params[OpenKey::NAME] = ParamPickerMake(regname);
- params[OpenKey::ACCESS] = ParamPickerMake(desired_access);
-
- EvalResult result = policy_base_->EvalPolicy(IPC_NTCREATEKEY_TAG,
- params.GetBase());
-
- HANDLE handle;
- NTSTATUS nt_status;
- ULONG disposition = 0;
- if (!RegistryPolicy::CreateKeyAction(result, *ipc->client_info, *name,
- attributes, root, desired_access,
- title_index, create_options, &handle,
- &nt_status, &disposition)) {
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- // Return operation status on the IPC.
- ipc->return_info.extended[0].unsigned_int = disposition;
- ipc->return_info.nt_status = nt_status;
- ipc->return_info.handle = handle;
- return true;
-}
-
-bool RegistryDispatcher::NtOpenKey(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- HANDLE root,
- uint32_t desired_access) {
- base::win::ScopedHandle root_handle;
- base::string16 real_path = *name;
-
- // If there is a root directory, we need to duplicate the handle to make
- // it valid in this process.
- if (root) {
- if (!::DuplicateHandle(ipc->client_info->process, root,
- ::GetCurrentProcess(), &root, 0, FALSE,
- DUPLICATE_SAME_ACCESS))
- return false;
- root_handle.Set(root);
- }
-
- if (!GetCompletePath(root, *name, &real_path))
- return false;
-
- const wchar_t* regname = real_path.c_str();
- CountedParameterSet<OpenKey> params;
- params[OpenKey::NAME] = ParamPickerMake(regname);
- params[OpenKey::ACCESS] = ParamPickerMake(desired_access);
-
- EvalResult result = policy_base_->EvalPolicy(IPC_NTOPENKEY_TAG,
- params.GetBase());
- HANDLE handle;
- NTSTATUS nt_status;
- if (!RegistryPolicy::OpenKeyAction(result, *ipc->client_info, *name,
- attributes, root, desired_access, &handle,
- &nt_status)) {
- ipc->return_info.nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- // Return operation status on the IPC.
- ipc->return_info.nt_status = nt_status;
- ipc->return_info.handle = handle;
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/registry_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/registry_dispatcher.h
deleted file mode 100644
index cb5af0c3d..000000000
--- a/security/sandbox/chromium/sandbox/win/src/registry_dispatcher.h
+++ /dev/null
@@ -1,49 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_REGISTRY_DISPATCHER_H_
-#define SANDBOX_SRC_REGISTRY_DISPATCHER_H_
-
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-namespace sandbox {
-
-// This class handles registry-related IPC calls.
-class RegistryDispatcher : public Dispatcher {
- public:
- explicit RegistryDispatcher(PolicyBase* policy_base);
- ~RegistryDispatcher() override {}
-
- // Dispatcher interface.
- bool SetupService(InterceptionManager* manager, int service) override;
-
- private:
- // Processes IPC requests coming from calls to NtCreateKey in the target.
- bool NtCreateKey(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- HANDLE root,
- uint32_t desired_access,
- uint32_t title_index,
- uint32_t create_options);
-
- // Processes IPC requests coming from calls to NtOpenKey in the target.
- bool NtOpenKey(IPCInfo* ipc,
- base::string16* name,
- uint32_t attributes,
- HANDLE root,
- uint32_t desired_access);
-
- PolicyBase* policy_base_;
- DISALLOW_COPY_AND_ASSIGN(RegistryDispatcher);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_REGISTRY_DISPATCHER_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc b/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
deleted file mode 100644
index 2ff1b33f8..000000000
--- a/security/sandbox/chromium/sandbox/win/src/registry_interception.cc
+++ /dev/null
@@ -1,251 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/registry_interception.h"
-
-#include <stdint.h>
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/policy_target.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/target_services.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-
-namespace sandbox {
-
-NTSTATUS WINAPI TargetNtCreateKey(NtCreateKeyFunction orig_CreateKey,
- PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes,
- ULONG title_index, PUNICODE_STRING class_name,
- ULONG create_options, PULONG disposition) {
- // Check if the process can create it first.
- NTSTATUS status = orig_CreateKey(key, desired_access, object_attributes,
- title_index, class_name, create_options,
- disposition);
- if (NT_SUCCESS(status))
- return status;
-
- if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
- mozilla::sandboxing::LogBlocked("NtCreateKey",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- }
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return status;
-
- do {
- if (!ValidParameter(key, sizeof(HANDLE), WRITE))
- break;
-
- if (disposition && !ValidParameter(disposition, sizeof(ULONG), WRITE))
- break;
-
- // At this point we don't support class_name.
- if (class_name && class_name->Buffer && class_name->Length)
- break;
-
- // We don't support creating link keys, volatile keys and backup/restore.
- if (create_options)
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- wchar_t* name;
- uint32_t attributes = 0;
- HANDLE root_directory = 0;
- NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
- &root_directory);
- if (!NT_SUCCESS(ret) || NULL == name)
- break;
-
- uint32_t desired_access_uint32 = desired_access;
- CountedParameterSet<OpenKey> params;
- params[OpenKey::ACCESS] = ParamPickerMake(desired_access_uint32);
-
- wchar_t* full_name = NULL;
-
- if (root_directory) {
- ret = sandbox::AllocAndGetFullPath(root_directory, name, &full_name);
- if (!NT_SUCCESS(ret) || NULL == full_name)
- break;
- params[OpenKey::NAME] = ParamPickerMake(full_name);
- } else {
- params[OpenKey::NAME] = ParamPickerMake(name);
- }
-
- bool query_broker = QueryBroker(IPC_NTCREATEKEY_TAG, params.GetBase());
-
- if (full_name != NULL)
- operator delete(full_name, NT_ALLOC);
-
- if (!query_broker)
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
-
- ResultCode code = CrossCall(ipc, IPC_NTCREATEKEY_TAG, name, attributes,
- root_directory, desired_access, title_index,
- create_options, &answer);
-
- operator delete(name, NT_ALLOC);
-
- if (SBOX_ALL_OK != code)
- break;
-
- if (!NT_SUCCESS(answer.nt_status))
- // TODO(nsylvain): We should return answer.nt_status here instead
- // of status. We can do this only after we checked the policy.
- // otherwise we will returns ACCESS_DENIED for all paths
- // that are not specified by a policy, even though your token allows
- // access to that path, and the original call had a more meaningful
- // error. Bug 4369
- break;
-
- __try {
- *key = answer.handle;
-
- if (disposition)
- *disposition = answer.extended[0].unsigned_int;
-
- status = answer.nt_status;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
- mozilla::sandboxing::LogAllowed("NtCreateKey",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- } while (false);
-
- return status;
-}
-
-NTSTATUS WINAPI CommonNtOpenKey(NTSTATUS status, PHANDLE key,
- ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes) {
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return status;
-
- do {
- if (!ValidParameter(key, sizeof(HANDLE), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory)
- break;
-
- wchar_t* name;
- uint32_t attributes;
- HANDLE root_directory;
- NTSTATUS ret = AllocAndCopyName(object_attributes, &name, &attributes,
- &root_directory);
- if (!NT_SUCCESS(ret) || NULL == name)
- break;
-
- uint32_t desired_access_uint32 = desired_access;
- CountedParameterSet<OpenKey> params;
- params[OpenKey::ACCESS] = ParamPickerMake(desired_access_uint32);
-
- wchar_t* full_name = NULL;
-
- if (root_directory) {
- ret = sandbox::AllocAndGetFullPath(root_directory, name, &full_name);
- if (!NT_SUCCESS(ret) || NULL == full_name)
- break;
- params[OpenKey::NAME] = ParamPickerMake(full_name);
- } else {
- params[OpenKey::NAME] = ParamPickerMake(name);
- }
-
- bool query_broker = QueryBroker(IPC_NTOPENKEY_TAG, params.GetBase());
-
- if (full_name != NULL)
- operator delete(full_name, NT_ALLOC);
-
- if (!query_broker)
- break;
-
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
- ResultCode code = CrossCall(ipc, IPC_NTOPENKEY_TAG, name, attributes,
- root_directory, desired_access, &answer);
-
- operator delete(name, NT_ALLOC);
-
- if (SBOX_ALL_OK != code)
- break;
-
- if (!NT_SUCCESS(answer.nt_status))
- // TODO(nsylvain): We should return answer.nt_status here instead
- // of status. We can do this only after we checked the policy.
- // otherwise we will returns ACCESS_DENIED for all paths
- // that are not specified by a policy, even though your token allows
- // access to that path, and the original call had a more meaningful
- // error. Bug 4369
- break;
-
- __try {
- *key = answer.handle;
- status = answer.nt_status;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
- mozilla::sandboxing::LogAllowed("NtOpenKey[Ex]",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- } while (false);
-
- return status;
-}
-
-NTSTATUS WINAPI TargetNtOpenKey(NtOpenKeyFunction orig_OpenKey, PHANDLE key,
- ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes) {
- // Check if the process can open it first.
- NTSTATUS status = orig_OpenKey(key, desired_access, object_attributes);
- if (NT_SUCCESS(status))
- return status;
-
- if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
- mozilla::sandboxing::LogBlocked("NtOpenKey",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- }
-
- return CommonNtOpenKey(status, key, desired_access, object_attributes);
-}
-
-NTSTATUS WINAPI TargetNtOpenKeyEx(NtOpenKeyExFunction orig_OpenKeyEx,
- PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes,
- ULONG open_options) {
- // Check if the process can open it first.
- NTSTATUS status = orig_OpenKeyEx(key, desired_access, object_attributes,
- open_options);
-
- // We do not support open_options at this time. The 2 current known values
- // are REG_OPTION_CREATE_LINK, to open a symbolic link, and
- // REG_OPTION_BACKUP_RESTORE to open the key with special privileges.
- if (NT_SUCCESS(status) || open_options != 0)
- return status;
-
- if (STATUS_OBJECT_NAME_NOT_FOUND != status) {
- mozilla::sandboxing::LogBlocked("NtOpenKeyEx",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- }
-
- return CommonNtOpenKey(status, key, desired_access, object_attributes);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/registry_interception.h b/security/sandbox/chromium/sandbox/win/src/registry_interception.h
deleted file mode 100644
index c3cbde02e..000000000
--- a/security/sandbox/chromium/sandbox/win/src/registry_interception.h
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_REGISTRY_INTERCEPTION_H__
-#define SANDBOX_SRC_REGISTRY_INTERCEPTION_H__
-
-namespace sandbox {
-
-extern "C" {
-
-// Interception of NtCreateKey on the child process.
-// It should never be called directly
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateKey(
- NtCreateKeyFunction orig_CreateKey, PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, ULONG title_index,
- PUNICODE_STRING class_name, ULONG create_options, PULONG disposition);
-
-// Interception of NtOpenKey on the child process.
-// It should never be called directly
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKey(
- NtOpenKeyFunction orig_OpenKey, PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes);
-
-// Interception of NtOpenKeyEx on the child process.
-// It should never be called directly
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenKeyEx(
- NtOpenKeyExFunction orig_OpenKeyEx, PHANDLE key, ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes, ULONG open_options);
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_REGISTRY_INTERCEPTION_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/registry_policy.cc b/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
deleted file mode 100644
index d056c9c59..000000000
--- a/security/sandbox/chromium/sandbox/win/src/registry_policy.cc
+++ /dev/null
@@ -1,228 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stdint.h>
-
-#include <string>
-
-#include "sandbox/win/src/registry_policy.h"
-
-#include "base/logging.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sandbox_utils.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-static const uint32_t kAllowedRegFlags =
- KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY | KEY_READ |
- GENERIC_READ | GENERIC_EXECUTE | READ_CONTROL | KEY_WOW64_64KEY |
- KEY_WOW64_32KEY;
-
-// Opens the key referenced by |obj_attributes| with |access| and
-// checks what permission was given. Remove the WRITE flags and update
-// |access| with the new value.
-NTSTATUS TranslateMaximumAllowed(OBJECT_ATTRIBUTES* obj_attributes,
- DWORD* access) {
- NtOpenKeyFunction NtOpenKey = NULL;
- ResolveNTFunctionPtr("NtOpenKey", &NtOpenKey);
-
- NtCloseFunction NtClose = NULL;
- ResolveNTFunctionPtr("NtClose", &NtClose);
-
- NtQueryObjectFunction NtQueryObject = NULL;
- ResolveNTFunctionPtr("NtQueryObject", &NtQueryObject);
-
- // Open the key.
- HANDLE handle;
- NTSTATUS status = NtOpenKey(&handle, *access, obj_attributes);
- if (!NT_SUCCESS(status))
- return status;
-
- OBJECT_BASIC_INFORMATION info = {0};
- status = NtQueryObject(handle, ObjectBasicInformation, &info, sizeof(info),
- NULL);
- CHECK(NT_SUCCESS(NtClose(handle)));
- if (!NT_SUCCESS(status))
- return status;
-
- *access = info.GrantedAccess & kAllowedRegFlags;
- return STATUS_SUCCESS;
-}
-
-NTSTATUS NtCreateKeyInTarget(HANDLE* target_key_handle,
- ACCESS_MASK desired_access,
- OBJECT_ATTRIBUTES* obj_attributes,
- ULONG title_index,
- UNICODE_STRING* class_name,
- ULONG create_options,
- ULONG* disposition,
- HANDLE target_process) {
- NtCreateKeyFunction NtCreateKey = NULL;
- ResolveNTFunctionPtr("NtCreateKey", &NtCreateKey);
-
- if (MAXIMUM_ALLOWED & desired_access) {
- NTSTATUS status = TranslateMaximumAllowed(obj_attributes, &desired_access);
- if (!NT_SUCCESS(status))
- return STATUS_ACCESS_DENIED;
- }
-
- HANDLE local_handle = INVALID_HANDLE_VALUE;
- NTSTATUS status = NtCreateKey(&local_handle, desired_access, obj_attributes,
- title_index, class_name, create_options,
- disposition);
- if (!NT_SUCCESS(status))
- return status;
-
- if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
- target_process, target_key_handle, 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return STATUS_ACCESS_DENIED;
- }
- return STATUS_SUCCESS;
-}
-
-NTSTATUS NtOpenKeyInTarget(HANDLE* target_key_handle,
- ACCESS_MASK desired_access,
- OBJECT_ATTRIBUTES* obj_attributes,
- HANDLE target_process) {
- NtOpenKeyFunction NtOpenKey = NULL;
- ResolveNTFunctionPtr("NtOpenKey", &NtOpenKey);
-
- if (MAXIMUM_ALLOWED & desired_access) {
- NTSTATUS status = TranslateMaximumAllowed(obj_attributes, &desired_access);
- if (!NT_SUCCESS(status))
- return STATUS_ACCESS_DENIED;
- }
-
- HANDLE local_handle = INVALID_HANDLE_VALUE;
- NTSTATUS status = NtOpenKey(&local_handle, desired_access, obj_attributes);
-
- if (!NT_SUCCESS(status))
- return status;
-
- if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
- target_process, target_key_handle, 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return STATUS_ACCESS_DENIED;
- }
- return STATUS_SUCCESS;
-}
-
-}
-
-namespace sandbox {
-
-bool RegistryPolicy::GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy) {
- base::string16 resovled_name(name);
- if (resovled_name.empty()) {
- return false;
- }
-
- if (!ResolveRegistryName(resovled_name, &resovled_name))
- return false;
-
- name = resovled_name.c_str();
-
- EvalResult result = ASK_BROKER;
-
- PolicyRule open(result);
- PolicyRule create(result);
-
- switch (semantics) {
- case TargetPolicy::REG_ALLOW_READONLY: {
- // We consider all flags that are not known to be readonly as potentially
- // used for write. Here we also support MAXIMUM_ALLOWED, but we are going
- // to expand it to read-only before the call.
- uint32_t restricted_flags = ~(kAllowedRegFlags | MAXIMUM_ALLOWED);
- open.AddNumberMatch(IF_NOT, OpenKey::ACCESS, restricted_flags, AND);
- create.AddNumberMatch(IF_NOT, OpenKey::ACCESS, restricted_flags, AND);
- break;
- }
- case TargetPolicy::REG_ALLOW_ANY: {
- break;
- }
- default: {
- NOTREACHED();
- return false;
- }
- }
-
- if (!create.AddStringMatch(IF, OpenKey::NAME, name, CASE_INSENSITIVE) ||
- !policy->AddRule(IPC_NTCREATEKEY_TAG, &create)) {
- return false;
- }
-
- if (!open.AddStringMatch(IF, OpenKey::NAME, name, CASE_INSENSITIVE) ||
- !policy->AddRule(IPC_NTOPENKEY_TAG, &open)) {
- return false;
- }
-
- return true;
-}
-
-bool RegistryPolicy::CreateKeyAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& key,
- uint32_t attributes,
- HANDLE root_directory,
- uint32_t desired_access,
- uint32_t title_index,
- uint32_t create_options,
- HANDLE* handle,
- NTSTATUS* nt_status,
- ULONG* disposition) {
- // The only action supported is ASK_BROKER which means create the requested
- // file as specified.
- if (ASK_BROKER != eval_result) {
- *nt_status = STATUS_ACCESS_DENIED;
- return false;
- }
-
- // We don't support creating link keys, volatile keys or backup/restore.
- if (create_options) {
- *nt_status = STATUS_ACCESS_DENIED;
- return false;
- }
-
- UNICODE_STRING uni_name = {0};
- OBJECT_ATTRIBUTES obj_attributes = {0};
- InitObjectAttribs(key, attributes, root_directory, &obj_attributes,
- &uni_name, NULL);
- *nt_status = NtCreateKeyInTarget(handle, desired_access, &obj_attributes,
- title_index, NULL, create_options,
- disposition, client_info.process);
- return true;
-}
-
-bool RegistryPolicy::OpenKeyAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& key,
- uint32_t attributes,
- HANDLE root_directory,
- uint32_t desired_access,
- HANDLE* handle,
- NTSTATUS* nt_status) {
- // The only action supported is ASK_BROKER which means open the requested
- // file as specified.
- if (ASK_BROKER != eval_result) {
- *nt_status = STATUS_ACCESS_DENIED;
- return true;
- }
-
- UNICODE_STRING uni_name = {0};
- OBJECT_ATTRIBUTES obj_attributes = {0};
- InitObjectAttribs(key, attributes, root_directory, &obj_attributes,
- &uni_name, NULL);
- *nt_status = NtOpenKeyInTarget(handle, desired_access, &obj_attributes,
- client_info.process);
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/registry_policy.h b/security/sandbox/chromium/sandbox/win/src/registry_policy.h
deleted file mode 100644
index ddea1bf5a..000000000
--- a/security/sandbox/chromium/sandbox/win/src/registry_policy.h
+++ /dev/null
@@ -1,59 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_REGISTRY_POLICY_H__
-#define SANDBOX_SRC_REGISTRY_POLICY_H__
-
-#include <stdint.h>
-
-#include <string>
-
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/sandbox_policy.h"
-
-namespace sandbox {
-
-enum EvalResult;
-
-// This class centralizes most of the knowledge related to registry policy
-class RegistryPolicy {
- public:
- // Creates the required low-level policy rules to evaluate a high-level
- // policy rule for registry IO, in particular open or create actions.
- static bool GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy);
-
- // Performs the desired policy action on a create request with an
- // API that is compatible with the IPC-received parameters.
- static bool CreateKeyAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& key,
- uint32_t attributes,
- HANDLE root_directory,
- uint32_t desired_access,
- uint32_t title_index,
- uint32_t create_options,
- HANDLE* handle,
- NTSTATUS* nt_status,
- ULONG* disposition);
-
- // Performs the desired policy action on an open request with an
- // API that is compatible with the IPC-received parameters.
- static bool OpenKeyAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& key,
- uint32_t attributes,
- HANDLE root_directory,
- uint32_t desired_access,
- HANDLE* handle,
- NTSTATUS* nt_status);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_REGISTRY_POLICY_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/registry_policy_test.cc b/security/sandbox/chromium/sandbox/win/src/registry_policy_test.cc
deleted file mode 100644
index d8ee34b06..000000000
--- a/security/sandbox/chromium/sandbox/win/src/registry_policy_test.cc
+++ /dev/null
@@ -1,289 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <shlobj.h>
-
-#include "testing/gtest/include/gtest/gtest.h"
-#include "sandbox/win/src/registry_policy.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/win_utils.h"
-#include "sandbox/win/tests/common/controller.h"
-
-namespace {
-
-static const DWORD kAllowedRegFlags = KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS |
- KEY_NOTIFY | KEY_READ | GENERIC_READ |
- GENERIC_EXECUTE | READ_CONTROL;
-
-#define BINDNTDLL(name) \
- name ## Function name = reinterpret_cast<name ## Function>( \
- ::GetProcAddress(::GetModuleHandle(L"ntdll.dll"), #name))
-
-bool IsKeyOpenForRead(HKEY handle) {
- BINDNTDLL(NtQueryObject);
-
- OBJECT_BASIC_INFORMATION info = {0};
- NTSTATUS status = NtQueryObject(handle, ObjectBasicInformation, &info,
- sizeof(info), NULL);
-
- if (!NT_SUCCESS(status))
- return false;
-
- if ((info.GrantedAccess & (~kAllowedRegFlags)) != 0)
- return false;
- return true;
-}
-
-}
-
-namespace sandbox {
-
-SBOX_TESTS_COMMAND int Reg_OpenKey(int argc, wchar_t **argv) {
- if (argc != 4)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- REGSAM desired_access = 0;
- ULONG options = 0;
- if (wcscmp(argv[1], L"read") == 0) {
- desired_access = KEY_READ;
- } else if (wcscmp(argv[1], L"write") == 0) {
- desired_access = KEY_ALL_ACCESS;
- } else if (wcscmp(argv[1], L"link") == 0) {
- options = REG_OPTION_CREATE_LINK;
- desired_access = KEY_ALL_ACCESS;
- } else {
- desired_access = MAXIMUM_ALLOWED;
- }
-
- HKEY root = GetReservedKeyFromName(argv[2]);
- HKEY key;
- LRESULT result = 0;
-
- if (wcscmp(argv[0], L"create") == 0)
- result = ::RegCreateKeyEx(root, argv[3], 0, NULL, options, desired_access,
- NULL, &key, NULL);
- else
- result = ::RegOpenKeyEx(root, argv[3], 0, desired_access, &key);
-
- if (ERROR_SUCCESS == result) {
- if (MAXIMUM_ALLOWED == desired_access) {
- if (!IsKeyOpenForRead(key)) {
- ::RegCloseKey(key);
- return SBOX_TEST_FAILED;
- }
- }
- ::RegCloseKey(key);
- return SBOX_TEST_SUCCEEDED;
- } else if (ERROR_ACCESS_DENIED == result) {
- return SBOX_TEST_DENIED;
- }
-
- return SBOX_TEST_FAILED;
-}
-
-TEST(RegistryPolicyTest, TestKeyAnyAccess) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_ANY,
- L"HKEY_LOCAL_MACHINE\\Software\\Microsoft"));
-
- // Tests read access on key allowed for read-write.
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(
- L"Reg_OpenKey create read HKEY_LOCAL_MACHINE software\\microsoft"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(
- L"Reg_OpenKey open read HKEY_LOCAL_MACHINE software\\microsoft"));
-
- if (::IsUserAnAdmin()) {
- // Tests write access on key allowed for read-write.
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(
- L"Reg_OpenKey create write HKEY_LOCAL_MACHINE software\\microsoft"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(
- L"Reg_OpenKey open write HKEY_LOCAL_MACHINE software\\microsoft"));
- }
-
- // Tests subdirectory access on keys where we don't have subdirectory acess.
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Reg_OpenKey create read "
- L"HKEY_LOCAL_MACHINE software\\microsoft\\Windows"));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Reg_OpenKey open read "
- L"HKEY_LOCAL_MACHINE software\\microsoft\\windows"));
-
- // Tests to see if we can create keys where we dont have subdirectory access.
- // This is denied.
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Reg_OpenKey create write "
- L"HKEY_LOCAL_MACHINE software\\Microsoft\\google_unit_tests"));
-
- RegDeleteKey(HKEY_LOCAL_MACHINE, L"software\\Microsoft\\google_unit_tests");
-
- // Tests if we need to handle differently the "\\" at the end.
- // This is denied. We need to add both rules.
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(
- L"Reg_OpenKey create read HKEY_LOCAL_MACHINE software\\microsoft\\"));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(
- L"Reg_OpenKey open read HKEY_LOCAL_MACHINE software\\microsoft\\"));
-}
-
-TEST(RegistryPolicyTest, TestKeyNoAccess) {
- TestRunner runner;
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE"));
-
- // Tests read access where we don't have access at all.
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(
- L"Reg_OpenKey create read HKEY_LOCAL_MACHINE software"));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(
- L"Reg_OpenKey open read HKEY_LOCAL_MACHINE software"));
-}
-
-TEST(RegistryPolicyTest, TestKeyReadOnlyAccess) {
- TestRunner runner;
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE\\Software\\Policies"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE\\Software\\Policies\\*"));
-
- // Tests subdirectory acess on keys where we have subdirectory acess.
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Reg_OpenKey create read "
- L"HKEY_LOCAL_MACHINE software\\Policies\\microsoft"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Reg_OpenKey open read "
- L"HKEY_LOCAL_MACHINE software\\Policies\\microsoft"));
-
- // Tests to see if we can create keys where we have subdirectory access.
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Reg_OpenKey create write "
- L"HKEY_LOCAL_MACHINE software\\Policies\\google_unit_tests"));
-
- RegDeleteKey(HKEY_LOCAL_MACHINE, L"software\\Policies\\google_unit_tests");
-}
-
-TEST(RegistryPolicyTest, TestKeyAllAccessSubDir) {
- TestRunner runner;
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_ANY,
- L"HKEY_LOCAL_MACHINE\\Software\\Policies"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_ANY,
- L"HKEY_LOCAL_MACHINE\\Software\\Policies\\*"));
-
- if (::IsUserAnAdmin()) {
- // Tests to see if we can create keys where we have subdirectory access.
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Reg_OpenKey create write "
- L"HKEY_LOCAL_MACHINE software\\Policies\\google_unit_tests"));
-
- RegDeleteKey(HKEY_LOCAL_MACHINE, L"software\\Policies\\google_unit_tests");
- }
-}
-
-TEST(RegistryPolicyTest, TestKeyCreateLink) {
- TestRunner runner;
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_ANY,
- L"HKEY_LOCAL_MACHINE\\Software\\Policies"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_ANY,
- L"HKEY_LOCAL_MACHINE\\Software\\Policies\\*"));
-
- // Tests to see if we can create a registry link key.
- // NOTE: In theory here we should make sure to check for SBOX_TEST_DENIED
- // instead of !SBOX_TEST_SUCCEEDED, but unfortunately the result is not
- // access denied. Internally RegCreateKeyEx (At least on Vista 64) tries to
- // create the link, and we return successfully access denied, then, it
- // decides to try to break the path in multiple chunks, and create the links
- // one by one. In this scenario, it tries to create "HKLM\Software" as a
- // link key, which obviously fail with STATUS_OBJECT_NAME_COLLISION, and
- // this is what is returned to the user.
- EXPECT_NE(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Reg_OpenKey create link "
- L"HKEY_LOCAL_MACHINE software\\Policies\\google_unit_tests"));
-
- // In case our code fails, and the call works, we need to delete the new
- // link. There is no api for this, so we need to use the NT call.
- HKEY key = NULL;
- LRESULT result = ::RegOpenKeyEx(HKEY_LOCAL_MACHINE,
- L"software\\Policies\\google_unit_tests",
- REG_OPTION_OPEN_LINK, MAXIMUM_ALLOWED,
- &key);
-
- if (!result) {
- HMODULE ntdll = GetModuleHandle(L"ntdll.dll");
- NtDeleteKeyFunction NtDeleteKey =
- reinterpret_cast<NtDeleteKeyFunction>(GetProcAddress(ntdll,
- "NtDeleteKey"));
- NtDeleteKey(key);
- }
-}
-
-TEST(RegistryPolicyTest, TestKeyReadOnlyHKCU) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_CURRENT_USER"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_CURRENT_USER\\Software"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_USERS\\.default"));
-
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_USERS\\.default\\software"));
-
- // Tests read access where we only have read-only access.
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(
- L"Reg_OpenKey create read HKEY_CURRENT_USER software"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(
- L"Reg_OpenKey open read HKEY_CURRENT_USER software"));
-
- // Tests write access where we only have read-only acess.
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(
- L"Reg_OpenKey create write HKEY_CURRENT_USER software"));
-
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(
- L"Reg_OpenKey open write HKEY_CURRENT_USER software"));
-
- // Tests maximum allowed access where we only have read-only access.
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(
- L"Reg_OpenKey create maximum_allowed HKEY_CURRENT_USER software"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(
- L"Reg_OpenKey open maximum_allowed HKEY_CURRENT_USER software"));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/resolver.cc b/security/sandbox/chromium/sandbox/win/src/resolver.cc
deleted file mode 100644
index d1719da51..000000000
--- a/security/sandbox/chromium/sandbox/win/src/resolver.cc
+++ /dev/null
@@ -1,64 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/resolver.h"
-
-#include <stddef.h>
-
-#include "base/win/pe_image.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-namespace sandbox {
-
-NTSTATUS ResolverThunk::Init(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes) {
- if (NULL == thunk_storage || 0 == storage_bytes ||
- NULL == target_module || NULL == target_name)
- return STATUS_INVALID_PARAMETER;
-
- if (storage_bytes < GetThunkSize())
- return STATUS_BUFFER_TOO_SMALL;
-
- NTSTATUS ret = STATUS_SUCCESS;
- if (NULL == interceptor_entry_point) {
- ret = ResolveInterceptor(interceptor_module, interceptor_name,
- &interceptor_entry_point);
- if (!NT_SUCCESS(ret))
- return ret;
- }
-
- ret = ResolveTarget(target_module, target_name, &target_);
- if (!NT_SUCCESS(ret))
- return ret;
-
- interceptor_ = interceptor_entry_point;
-
- return ret;
-}
-
-NTSTATUS ResolverThunk::ResolveInterceptor(const void* interceptor_module,
- const char* interceptor_name,
- const void** address) {
- DCHECK_NT(address);
- if (!interceptor_module)
- return STATUS_INVALID_PARAMETER;
-
- base::win::PEImage pe(interceptor_module);
- if (!pe.VerifyMagic())
- return STATUS_INVALID_IMAGE_FORMAT;
-
- *address = pe.GetProcAddress(interceptor_name);
-
- if (!(*address))
- return STATUS_PROCEDURE_NOT_FOUND;
-
- return STATUS_SUCCESS;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/resolver.h b/security/sandbox/chromium/sandbox/win/src/resolver.h
deleted file mode 100644
index 9424060a3..000000000
--- a/security/sandbox/chromium/sandbox/win/src/resolver.h
+++ /dev/null
@@ -1,107 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Defines ResolverThunk, the interface for classes that perform interceptions.
-// For more details see
-// http://dev.chromium.org/developers/design-documents/sandbox .
-
-#include <stddef.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/nt_internals.h"
-
-#ifndef SANDBOX_SRC_RESOLVER_H__
-#define SANDBOX_SRC_RESOLVER_H__
-
-namespace sandbox {
-
-// A resolver is the object in charge of performing the actual interception of
-// a function. There should be a concrete implementation of a resolver roughly
-// per type of interception.
-class ResolverThunk {
- public:
- ResolverThunk() {}
- virtual ~ResolverThunk() {}
-
- // Performs the actual interception of a function.
- // target_name is an exported function from the module loaded at
- // target_module, and must be replaced by interceptor_name, exported from
- // interceptor_module. interceptor_entry_point can be provided instead of
- // interceptor_name / interceptor_module.
- // thunk_storage must point to a buffer on the child's address space, to hold
- // the patch thunk, and related data. If provided, storage_used will receive
- // the number of bytes used from thunk_storage.
- //
- // Example: (without error checking)
- //
- // size_t size = resolver.GetThunkSize();
- // char* buffer = ::VirtualAllocEx(child_process, NULL, size,
- // MEM_COMMIT, PAGE_READWRITE);
- // resolver.Setup(ntdll_module, NULL, L"NtCreateFile", NULL,
- // &MyReplacementFunction, buffer, size, NULL);
- //
- // In general, the idea is to allocate a single big buffer for all
- // interceptions on the same dll, and call Setup n times.
- // WARNING: This means that any data member that is specific to a single
- // interception must be reset within this method.
- virtual NTSTATUS Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) = 0;
-
- // Gets the address of function_name inside module (main exe).
- virtual NTSTATUS ResolveInterceptor(const void* module,
- const char* function_name,
- const void** address);
-
- // Gets the address of an exported function_name inside module.
- virtual NTSTATUS ResolveTarget(const void* module,
- const char* function_name,
- void** address);
-
- // Gets the required buffer size for this type of thunk.
- virtual size_t GetThunkSize() const = 0;
-
- protected:
- // Performs basic initialization on behalf of a concrete instance of a
- // resolver. That is, parameter validation and resolution of the target
- // and the interceptor into the member variables.
- //
- // target_name is an exported function from the module loaded at
- // target_module, and must be replaced by interceptor_name, exported from
- // interceptor_module. interceptor_entry_point can be provided instead of
- // interceptor_name / interceptor_module.
- // thunk_storage must point to a buffer on the child's address space, to hold
- // the patch thunk, and related data.
- virtual NTSTATUS Init(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes);
-
- // Gets the required buffer size for the internal part of the thunk.
- size_t GetInternalThunkSize() const;
-
- // Initializes the internal part of the thunk.
- // interceptor is the function to be called instead of original_function.
- bool SetInternalThunk(void* storage, size_t storage_bytes,
- const void* original_function, const void* interceptor);
-
- // Holds the resolved interception target.
- void* target_;
- // Holds the resolved interception interceptor.
- const void* interceptor_;
-
- DISALLOW_COPY_AND_ASSIGN(ResolverThunk);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_RESOLVER_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/resolver_32.cc b/security/sandbox/chromium/sandbox/win/src/resolver_32.cc
deleted file mode 100644
index 25df11cc4..000000000
--- a/security/sandbox/chromium/sandbox/win/src/resolver_32.cc
+++ /dev/null
@@ -1,94 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/resolver.h"
-
-#include <stddef.h>
-
-// For placement new. This file must not depend on the CRT at runtime, but
-// placement operator new is inline.
-#include <new>
-
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-namespace {
-
-#pragma pack(push, 1)
-struct InternalThunk {
- // This struct contains roughly the following code:
- // sub esp, 8 // Create working space
- // push edx // Save register
- // mov edx, [esp + 0xc] // Get return adddress
- // mov [esp + 8], edx // Store return address
- // mov dword ptr [esp + 0xc], 0x7c401200 // Store extra argument
- // mov dword ptr [esp + 4], 0x40010203 // Store address to jump to
- // pop edx // Restore register
- // ret // Jump to interceptor
- //
- // This code only modifies esp and eip so it must work with to normal calling
- // convention. It is assembled as:
- //
- // 00 83ec08 sub esp,8
- // 03 52 push edx
- // 04 8b54240c mov edx,dword ptr [esp + 0Ch]
- // 08 89542408 mov dword ptr [esp + 8], edx
- // 0c c744240c0012407c mov dword ptr [esp + 0Ch], 7C401200h
- // 14 c744240403020140 mov dword ptr [esp + 4], 40010203h
- // 1c 5a pop edx
- // 1d c3 ret
- InternalThunk() {
- opcodes_1 = 0x5208ec83;
- opcodes_2 = 0x0c24548b;
- opcodes_3 = 0x08245489;
- opcodes_4 = 0x0c2444c7;
- opcodes_5 = 0x042444c7;
- opcodes_6 = 0xc35a;
- extra_argument = 0;
- interceptor_function = 0;
- };
- ULONG opcodes_1; // = 0x5208ec83
- ULONG opcodes_2; // = 0x0c24548b
- ULONG opcodes_3; // = 0x08245489
- ULONG opcodes_4; // = 0x0c2444c7
- ULONG extra_argument;
- ULONG opcodes_5; // = 0x042444c7
- ULONG interceptor_function;
- USHORT opcodes_6; // = 0xc35a
-};
-#pragma pack(pop)
-
-}; // namespace
-
-namespace sandbox {
-
-bool ResolverThunk::SetInternalThunk(void* storage, size_t storage_bytes,
- const void* original_function,
- const void* interceptor) {
- if (storage_bytes < sizeof(InternalThunk))
- return false;
-
- InternalThunk* thunk = new(storage) InternalThunk;
-
-#pragma warning(push)
-#pragma warning(disable: 4311)
- // These casts generate warnings because they are 32 bit specific.
- thunk->interceptor_function = reinterpret_cast<ULONG>(interceptor);
- thunk->extra_argument = reinterpret_cast<ULONG>(original_function);
-#pragma warning(pop)
-
- return true;
-}
-
-size_t ResolverThunk::GetInternalThunkSize() const {
- return sizeof(InternalThunk);
-}
-
-NTSTATUS ResolverThunk::ResolveTarget(const void* module,
- const char* function_name,
- void** address) {
- const void** casted = const_cast<const void**>(address);
- return ResolverThunk::ResolveInterceptor(module, function_name, casted);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/resolver_64.cc b/security/sandbox/chromium/sandbox/win/src/resolver_64.cc
deleted file mode 100644
index 6a9973544..000000000
--- a/security/sandbox/chromium/sandbox/win/src/resolver_64.cc
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/resolver.h"
-
-#include <stddef.h>
-
-// For placement new. This file must not depend on the CRT at runtime, but
-// placement operator new is inline.
-#include <new>
-
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-namespace {
-
-const USHORT kMovRax = 0xB848;
-const USHORT kJmpRax = 0xe0ff;
-
-#pragma pack(push, 1)
-struct InternalThunk {
- // This struct contains roughly the following code:
- // 01 48b8f0debc9a78563412 mov rax,123456789ABCDEF0h
- // ff e0 jmp rax
- //
- // The code modifies rax, but that's fine for x64 ABI.
-
- InternalThunk() {
- mov_rax = kMovRax;
- jmp_rax = kJmpRax;
- interceptor_function = 0;
- };
- USHORT mov_rax; // = 48 B8
- ULONG_PTR interceptor_function;
- USHORT jmp_rax; // = ff e0
-};
-#pragma pack(pop)
-
-} // namespace.
-
-namespace sandbox {
-
-size_t ResolverThunk::GetInternalThunkSize() const {
- return sizeof(InternalThunk);
-}
-
-bool ResolverThunk::SetInternalThunk(void* storage, size_t storage_bytes,
- const void* original_function,
- const void* interceptor) {
- if (storage_bytes < sizeof(InternalThunk))
- return false;
-
- InternalThunk* thunk = new(storage) InternalThunk;
- thunk->interceptor_function = reinterpret_cast<ULONG_PTR>(interceptor);
-
- return true;
-}
-
-NTSTATUS ResolverThunk::ResolveTarget(const void* module,
- const char* function_name,
- void** address) {
- // We don't support sidestep & co.
- return STATUS_NOT_IMPLEMENTED;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
deleted file mode 100644
index 607795240..000000000
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.cc
+++ /dev/null
@@ -1,458 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/restricted_token.h"
-
-#include <stddef.h>
-
-#include <vector>
-
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/src/acl.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-// Calls GetTokenInformation with the desired |info_class| and returns a buffer
-// with the result.
-scoped_ptr<BYTE[]> GetTokenInfo(const base::win::ScopedHandle& token,
- TOKEN_INFORMATION_CLASS info_class,
- DWORD* error) {
- // Get the required buffer size.
- DWORD size = 0;
- ::GetTokenInformation(token.Get(), info_class, NULL, 0, &size);
- if (!size) {
- *error = ::GetLastError();
- return nullptr;
- }
-
- scoped_ptr<BYTE[]> buffer(new BYTE[size]);
- if (!::GetTokenInformation(token.Get(), info_class, buffer.get(), size,
- &size)) {
- *error = ::GetLastError();
- return nullptr;
- }
-
- *error = ERROR_SUCCESS;
- return buffer.Pass();
-}
-
-} // namespace
-
-namespace sandbox {
-
-RestrictedToken::RestrictedToken()
- : integrity_level_(INTEGRITY_LEVEL_LAST),
- init_(false) {
-}
-
-RestrictedToken::~RestrictedToken() {
-}
-
-DWORD RestrictedToken::Init(const HANDLE effective_token) {
- if (init_)
- return ERROR_ALREADY_INITIALIZED;
-
- HANDLE temp_token;
- if (effective_token) {
- // We duplicate the handle to be able to use it even if the original handle
- // is closed.
- if (!::DuplicateHandle(::GetCurrentProcess(), effective_token,
- ::GetCurrentProcess(), &temp_token,
- 0, FALSE, DUPLICATE_SAME_ACCESS)) {
- return ::GetLastError();
- }
- } else {
- if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
- &temp_token)) {
- return ::GetLastError();
- }
- }
- effective_token_.Set(temp_token);
-
- init_ = true;
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::GetRestrictedToken(
- base::win::ScopedHandle* token) const {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- size_t deny_size = sids_for_deny_only_.size();
- size_t restrict_size = sids_to_restrict_.size();
- size_t privileges_size = privileges_to_disable_.size();
-
- SID_AND_ATTRIBUTES *deny_only_array = NULL;
- if (deny_size) {
- deny_only_array = new SID_AND_ATTRIBUTES[deny_size];
-
- for (unsigned int i = 0; i < sids_for_deny_only_.size() ; ++i) {
- deny_only_array[i].Attributes = SE_GROUP_USE_FOR_DENY_ONLY;
- deny_only_array[i].Sid =
- const_cast<SID*>(sids_for_deny_only_[i].GetPSID());
- }
- }
-
- SID_AND_ATTRIBUTES *sids_to_restrict_array = NULL;
- if (restrict_size) {
- sids_to_restrict_array = new SID_AND_ATTRIBUTES[restrict_size];
-
- for (unsigned int i = 0; i < restrict_size; ++i) {
- sids_to_restrict_array[i].Attributes = 0;
- sids_to_restrict_array[i].Sid =
- const_cast<SID*>(sids_to_restrict_[i].GetPSID());
- }
- }
-
- LUID_AND_ATTRIBUTES *privileges_to_disable_array = NULL;
- if (privileges_size) {
- privileges_to_disable_array = new LUID_AND_ATTRIBUTES[privileges_size];
-
- for (unsigned int i = 0; i < privileges_size; ++i) {
- privileges_to_disable_array[i].Attributes = 0;
- privileges_to_disable_array[i].Luid = privileges_to_disable_[i];
- }
- }
-
- BOOL result = TRUE;
- HANDLE new_token_handle = NULL;
- // The SANDBOX_INERT flag did nothing in XP and it was just a way to tell
- // if a token has ben restricted given the limiations of IsTokenRestricted()
- // but it appears that in Windows 7 it hints the AppLocker subsystem to
- // leave us alone.
- if (deny_size || restrict_size || privileges_size) {
- result = ::CreateRestrictedToken(effective_token_.Get(),
- SANDBOX_INERT,
- static_cast<DWORD>(deny_size),
- deny_only_array,
- static_cast<DWORD>(privileges_size),
- privileges_to_disable_array,
- static_cast<DWORD>(restrict_size),
- sids_to_restrict_array,
- &new_token_handle);
- } else {
- // Duplicate the token even if it's not modified at this point
- // because any subsequent changes to this token would also affect the
- // current process.
- result = ::DuplicateTokenEx(effective_token_.Get(), TOKEN_ALL_ACCESS, NULL,
- SecurityIdentification, TokenPrimary,
- &new_token_handle);
- }
- auto last_error = ::GetLastError();
-
- if (deny_only_array)
- delete[] deny_only_array;
-
- if (sids_to_restrict_array)
- delete[] sids_to_restrict_array;
-
- if (privileges_to_disable_array)
- delete[] privileges_to_disable_array;
-
- if (!result)
- return last_error;
-
- base::win::ScopedHandle new_token(new_token_handle);
-
- // Modify the default dacl on the token to contain Restricted and the user.
- if (!AddSidToDefaultDacl(new_token.Get(), WinRestrictedCodeSid, GENERIC_ALL))
- return ::GetLastError();
-
- if (!AddUserSidToDefaultDacl(new_token.Get(), GENERIC_ALL))
- return ::GetLastError();
-
- DWORD error = SetTokenIntegrityLevel(new_token.Get(), integrity_level_);
- if (ERROR_SUCCESS != error)
- return error;
-
- HANDLE token_handle;
- if (!::DuplicateHandle(::GetCurrentProcess(), new_token.Get(),
- ::GetCurrentProcess(), &token_handle,
- TOKEN_ALL_ACCESS, FALSE, // Don't inherit.
- 0)) {
- return ::GetLastError();
- }
-
- token->Set(token_handle);
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::GetRestrictedTokenForImpersonation(
- base::win::ScopedHandle* token) const {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- base::win::ScopedHandle restricted_token;
- DWORD err_code = GetRestrictedToken(&restricted_token);
- if (ERROR_SUCCESS != err_code)
- return err_code;
-
- HANDLE impersonation_token_handle;
- if (!::DuplicateToken(restricted_token.Get(),
- SecurityImpersonation,
- &impersonation_token_handle)) {
- return ::GetLastError();
- }
- base::win::ScopedHandle impersonation_token(impersonation_token_handle);
-
- HANDLE token_handle;
- if (!::DuplicateHandle(::GetCurrentProcess(), impersonation_token.Get(),
- ::GetCurrentProcess(), &token_handle,
- TOKEN_ALL_ACCESS, FALSE, // Don't inherit.
- 0)) {
- return ::GetLastError();
- }
-
- token->Set(token_handle);
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::AddAllSidsForDenyOnly(std::vector<Sid> *exceptions) {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- DWORD error;
- scoped_ptr<BYTE[]> buffer =
- GetTokenInfo(effective_token_, TokenGroups, &error);
-
- if (!buffer)
- return error;
-
- TOKEN_GROUPS* token_groups = reinterpret_cast<TOKEN_GROUPS*>(buffer.get());
-
- // Build the list of the deny only group SIDs
- for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) {
- if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0 &&
- (token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) == 0) {
- bool should_ignore = false;
- if (exceptions) {
- for (unsigned int j = 0; j < exceptions->size(); ++j) {
- if (::EqualSid(const_cast<SID*>((*exceptions)[j].GetPSID()),
- token_groups->Groups[i].Sid)) {
- should_ignore = true;
- break;
- }
- }
- }
- if (!should_ignore) {
- sids_for_deny_only_.push_back(
- reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
- }
- }
- }
-
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::AddDenyOnlySids(const std::vector<Sid>& deny_only_sids) {
- DCHECK(init_);
- if (!init_) {
- return ERROR_NO_TOKEN;
- }
-
- DWORD error;
- scoped_ptr<BYTE[]> buffer = GetTokenInfo(effective_token_, TokenGroups, &error);
-
- if (!buffer) {
- return error;
- }
-
- TOKEN_GROUPS* token_groups = reinterpret_cast<TOKEN_GROUPS*>(buffer.get());
-
- // Build the list of the deny only group SIDs
- for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) {
- if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0 &&
- (token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) == 0) {
- for (unsigned int j = 0; j < deny_only_sids.size(); ++j) {
- if (::EqualSid(const_cast<SID*>(deny_only_sids[j].GetPSID()),
- token_groups->Groups[i].Sid)) {
- sids_for_deny_only_.push_back(
- reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
- break;
- }
- }
- }
- }
-
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::AddSidForDenyOnly(const Sid &sid) {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- sids_for_deny_only_.push_back(sid);
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::AddUserSidForDenyOnly() {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
- scoped_ptr<BYTE[]> buffer(new BYTE[size]);
- TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(buffer.get());
-
- BOOL result = ::GetTokenInformation(effective_token_.Get(), TokenUser,
- token_user, size, &size);
-
- if (!result)
- return ::GetLastError();
-
- Sid user = reinterpret_cast<SID*>(token_user->User.Sid);
- sids_for_deny_only_.push_back(user);
-
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::DeleteAllPrivileges(
- const std::vector<base::string16> *exceptions) {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- DWORD error;
- scoped_ptr<BYTE[]> buffer =
- GetTokenInfo(effective_token_, TokenPrivileges, &error);
-
- if (!buffer)
- return error;
-
- TOKEN_PRIVILEGES* token_privileges =
- reinterpret_cast<TOKEN_PRIVILEGES*>(buffer.get());
-
- // Build the list of privileges to disable
- for (unsigned int i = 0; i < token_privileges->PrivilegeCount; ++i) {
- bool should_ignore = false;
- if (exceptions) {
- for (unsigned int j = 0; j < exceptions->size(); ++j) {
- LUID luid = {0};
- ::LookupPrivilegeValue(NULL, (*exceptions)[j].c_str(), &luid);
- if (token_privileges->Privileges[i].Luid.HighPart == luid.HighPart &&
- token_privileges->Privileges[i].Luid.LowPart == luid.LowPart) {
- should_ignore = true;
- break;
- }
- }
- }
- if (!should_ignore) {
- privileges_to_disable_.push_back(token_privileges->Privileges[i].Luid);
- }
- }
-
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::DeletePrivilege(const wchar_t *privilege) {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- LUID luid = {0};
- if (LookupPrivilegeValue(NULL, privilege, &luid))
- privileges_to_disable_.push_back(luid);
- else
- return ::GetLastError();
-
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::AddRestrictingSid(const Sid &sid) {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- sids_to_restrict_.push_back(sid); // No attributes
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::AddRestrictingSidLogonSession() {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- DWORD error;
- scoped_ptr<BYTE[]> buffer =
- GetTokenInfo(effective_token_, TokenGroups, &error);
-
- if (!buffer)
- return error;
-
- TOKEN_GROUPS* token_groups = reinterpret_cast<TOKEN_GROUPS*>(buffer.get());
-
- SID *logon_sid = NULL;
- for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) {
- if ((token_groups->Groups[i].Attributes & SE_GROUP_LOGON_ID) != 0) {
- logon_sid = static_cast<SID*>(token_groups->Groups[i].Sid);
- break;
- }
- }
-
- if (logon_sid)
- sids_to_restrict_.push_back(logon_sid);
-
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::AddRestrictingSidCurrentUser() {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
- scoped_ptr<BYTE[]> buffer(new BYTE[size]);
- TOKEN_USER* token_user = reinterpret_cast<TOKEN_USER*>(buffer.get());
-
- BOOL result = ::GetTokenInformation(effective_token_.Get(), TokenUser,
- token_user, size, &size);
-
- if (!result)
- return ::GetLastError();
-
- Sid user = reinterpret_cast<SID*>(token_user->User.Sid);
- sids_to_restrict_.push_back(user);
-
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::AddRestrictingSidAllSids() {
- DCHECK(init_);
- if (!init_)
- return ERROR_NO_TOKEN;
-
- // Add the current user to the list.
- DWORD error = AddRestrictingSidCurrentUser();
- if (ERROR_SUCCESS != error)
- return error;
-
- scoped_ptr<BYTE[]> buffer =
- GetTokenInfo(effective_token_, TokenGroups, &error);
-
- if (!buffer)
- return error;
-
- TOKEN_GROUPS* token_groups = reinterpret_cast<TOKEN_GROUPS*>(buffer.get());
-
- // Build the list of restricting sids from all groups.
- for (unsigned int i = 0; i < token_groups->GroupCount ; ++i) {
- if ((token_groups->Groups[i].Attributes & SE_GROUP_INTEGRITY) == 0)
- AddRestrictingSid(reinterpret_cast<SID*>(token_groups->Groups[i].Sid));
- }
-
- return ERROR_SUCCESS;
-}
-
-DWORD RestrictedToken::SetIntegrityLevel(IntegrityLevel integrity_level) {
- integrity_level_ = integrity_level;
- return ERROR_SUCCESS;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token.h b/security/sandbox/chromium/sandbox/win/src/restricted_token.h
deleted file mode 100644
index 623c885fc..000000000
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token.h
+++ /dev/null
@@ -1,201 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_RESTRICTED_TOKEN_H_
-#define SANDBOX_SRC_RESTRICTED_TOKEN_H_
-
-#include <windows.h>
-#include <vector>
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/restricted_token_utils.h"
-#include "sandbox/win/src/security_level.h"
-#include "sandbox/win/src/sid.h"
-
-// Flags present in the Group SID list. These 2 flags are new in Windows Vista
-#ifndef SE_GROUP_INTEGRITY
-#define SE_GROUP_INTEGRITY (0x00000020L)
-#endif
-#ifndef SE_GROUP_INTEGRITY_ENABLED
-#define SE_GROUP_INTEGRITY_ENABLED (0x00000040L)
-#endif
-
-namespace sandbox {
-
-// Handles the creation of a restricted token using the effective token or
-// any token handle.
-// Sample usage:
-// RestrictedToken restricted_token;
-// DWORD err_code = restricted_token.Init(NULL); // Use the current
-// // effective token
-// if (ERROR_SUCCESS != err_code) {
-// // handle error.
-// }
-//
-// restricted_token.AddRestrictingSid(ATL::Sids::Users().GetPSID());
-// base::win::ScopedHandle token_handle;
-// err_code = restricted_token.GetRestrictedToken(&token_handle);
-// if (ERROR_SUCCESS != err_code) {
-// // handle error.
-// }
-// [...]
-class RestrictedToken {
- public:
- // Init() has to be called before calling any other method in the class.
- RestrictedToken();
- ~RestrictedToken();
-
- // Initializes the RestrictedToken object with effective_token.
- // If effective_token is NULL, it initializes the RestrictedToken object with
- // the effective token of the current process.
- DWORD Init(HANDLE effective_token);
-
- // Creates a restricted token.
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- DWORD GetRestrictedToken(base::win::ScopedHandle* token) const;
-
- // Creates a restricted token and uses this new token to create a new token
- // for impersonation. Returns this impersonation token.
- //
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- //
- // The sample usage is the same as the GetRestrictedToken function.
- DWORD GetRestrictedTokenForImpersonation(
- base::win::ScopedHandle* token) const;
-
- // Lists all sids in the token and mark them as Deny Only except for those
- // present in the exceptions parameter. If there is no exception needed,
- // the caller can pass an empty list or NULL for the exceptions
- // parameter.
- //
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- //
- // Sample usage:
- // std::vector<Sid> sid_exceptions;
- // sid_exceptions.push_back(ATL::Sids::Users().GetPSID());
- // sid_exceptions.push_back(ATL::Sids::World().GetPSID());
- // restricted_token.AddAllSidsForDenyOnly(&sid_exceptions);
- // Note: A Sid marked for Deny Only in a token cannot be used to grant
- // access to any resource. It can only be used to deny access.
- DWORD AddAllSidsForDenyOnly(std::vector<Sid> *exceptions);
-
- // Lists all sids in the token and mark them as Deny Only if present in the
- // deny_only_sids parameter.
- //
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- //
- // Note: A Sid marked for Deny Only in a token cannot be used to grant
- // access to any resource. It can only be used to deny access.
- DWORD AddDenyOnlySids(const std::vector<Sid>& deny_only_sids);
-
- // Adds a user or group SID for Deny Only in the restricted token.
- // Parameter: sid is the SID to add in the Deny Only list.
- // The return value is always ERROR_SUCCESS.
- //
- // Sample Usage:
- // restricted_token.AddSidForDenyOnly(ATL::Sids::Admins().GetPSID());
- DWORD AddSidForDenyOnly(const Sid &sid);
-
- // Adds the user sid of the token for Deny Only in the restricted token.
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- DWORD AddUserSidForDenyOnly();
-
- // Lists all privileges in the token and add them to the list of privileges
- // to remove except for those present in the exceptions parameter. If
- // there is no exception needed, the caller can pass an empty list or NULL
- // for the exceptions parameter.
- //
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- //
- // Sample usage:
- // std::vector<base::string16> privilege_exceptions;
- // privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
- // restricted_token.DeleteAllPrivileges(&privilege_exceptions);
- DWORD DeleteAllPrivileges(const std::vector<base::string16> *exceptions);
-
- // Adds a privilege to the list of privileges to remove in the restricted
- // token.
- // Parameter: privilege is the privilege name to remove. This is the string
- // representing the privilege. (e.g. "SeChangeNotifyPrivilege").
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- //
- // Sample usage:
- // restricted_token.DeletePrivilege(SE_LOAD_DRIVER_NAME);
- DWORD DeletePrivilege(const wchar_t *privilege);
-
- // Adds a SID to the list of restricting sids in the restricted token.
- // Parameter: sid is the sid to add to the list restricting sids.
- // The return value is always ERROR_SUCCESS.
- //
- // Sample usage:
- // restricted_token.AddRestrictingSid(ATL::Sids::Users().GetPSID());
- // Note: The list of restricting is used to force Windows to perform all
- // access checks twice. The first time using your user SID and your groups,
- // and the second time using your list of restricting sids. The access has
- // to be granted in both places to get access to the resource requested.
- DWORD AddRestrictingSid(const Sid &sid);
-
- // Adds the logon sid of the token in the list of restricting sids for the
- // restricted token.
- //
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- DWORD AddRestrictingSidLogonSession();
-
- // Adds the owner sid of the token in the list of restricting sids for the
- // restricted token.
- //
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- DWORD AddRestrictingSidCurrentUser();
-
- // Adds all group sids and the user sid to the restricting sids list.
- //
- // If the function succeeds, the return value is ERROR_SUCCESS. If the
- // function fails, the return value is the win32 error code corresponding to
- // the error.
- DWORD AddRestrictingSidAllSids();
-
- // Sets the token integrity level. This is only valid on Vista. The integrity
- // level cannot be higher than your current integrity level.
- DWORD SetIntegrityLevel(IntegrityLevel integrity_level);
-
- private:
- // The list of restricting sids in the restricted token.
- std::vector<Sid> sids_to_restrict_;
- // The list of privileges to remove in the restricted token.
- std::vector<LUID> privileges_to_disable_;
- // The list of sids to mark as Deny Only in the restricted token.
- std::vector<Sid> sids_for_deny_only_;
- // The token to restrict. Can only be set in a constructor.
- base::win::ScopedHandle effective_token_;
- // The token integrity level. Only valid on Vista.
- IntegrityLevel integrity_level_;
- // Tells if the object is initialized or not (if Init() has been called)
- bool init_;
-
- DISALLOW_COPY_AND_ASSIGN(RestrictedToken);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_RESTRICTED_TOKEN_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_unittest.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_unittest.cc
deleted file mode 100644
index b11948e9f..000000000
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_unittest.cc
+++ /dev/null
@@ -1,620 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file contains unit tests for the RestrictedToken.
-
-#define _ATL_NO_EXCEPTIONS
-#include <atlbase.h>
-#include <atlsecurity.h>
-#include <vector>
-
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/restricted_token.h"
-#include "sandbox/win/src/sid.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-// Tests the initializatioin with an invalid token handle.
-TEST(RestrictedTokenTest, InvalidHandle) {
- RestrictedToken token;
- ASSERT_EQ(static_cast<DWORD>(ERROR_INVALID_HANDLE),
- token.Init(reinterpret_cast<HANDLE>(0x5555)));
-}
-
-// Tests the initialization with NULL as parameter.
-TEST(RestrictedTokenTest, DefaultInit) {
- // Get the current process token.
- HANDLE token_handle = INVALID_HANDLE_VALUE;
- ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
- &token_handle));
-
- ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);
-
- ATL::CAccessToken access_token;
- access_token.Attach(token_handle);
-
- // Create the token using the current token.
- RestrictedToken token_default;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token_default.Init(NULL));
-
- // Get the handle to the restricted token.
-
- base::win::ScopedHandle restricted_token_handle;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token_default.GetRestrictedToken(&restricted_token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(restricted_token_handle.Take());
-
- ATL::CSid sid_user_restricted;
- ATL::CSid sid_user_default;
- ATL::CSid sid_owner_restricted;
- ATL::CSid sid_owner_default;
- ASSERT_TRUE(restricted_token.GetUser(&sid_user_restricted));
- ASSERT_TRUE(access_token.GetUser(&sid_user_default));
- ASSERT_TRUE(restricted_token.GetOwner(&sid_owner_restricted));
- ASSERT_TRUE(access_token.GetOwner(&sid_owner_default));
-
- // Check if both token have the same owner and user.
- ASSERT_EQ(sid_user_restricted, sid_user_default);
- ASSERT_EQ(sid_owner_restricted, sid_owner_default);
-}
-
-// Tests the initialization with a custom token as parameter.
-TEST(RestrictedTokenTest, CustomInit) {
- // Get the current process token.
- HANDLE token_handle = INVALID_HANDLE_VALUE;
- ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
- &token_handle));
-
- ASSERT_NE(INVALID_HANDLE_VALUE, token_handle);
-
- ATL::CAccessToken access_token;
- access_token.Attach(token_handle);
-
- // Change the primary group.
- access_token.SetPrimaryGroup(ATL::Sids::World());
-
- // Create the token using the current token.
- RestrictedToken token;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.Init(access_token.GetHandle()));
-
- // Get the handle to the restricted token.
-
- base::win::ScopedHandle restricted_token_handle;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&restricted_token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(restricted_token_handle.Take());
-
- ATL::CSid sid_restricted;
- ATL::CSid sid_default;
- ASSERT_TRUE(restricted_token.GetPrimaryGroup(&sid_restricted));
- ASSERT_TRUE(access_token.GetPrimaryGroup(&sid_default));
-
- // Check if both token have the same owner.
- ASSERT_EQ(sid_restricted, sid_default);
-}
-
-// Verifies that the token created by the object are valid.
-TEST(RestrictedTokenTest, ResultToken) {
- RestrictedToken token;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
-
- base::win::ScopedHandle restricted_token;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&restricted_token));
-
- ASSERT_TRUE(::IsTokenRestricted(restricted_token.Get()));
-
- DWORD length = 0;
- TOKEN_TYPE type;
- ASSERT_TRUE(::GetTokenInformation(restricted_token.Get(),
- ::TokenType,
- &type,
- sizeof(type),
- &length));
-
- ASSERT_EQ(type, TokenPrimary);
-
- base::win::ScopedHandle impersonation_token;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedTokenForImpersonation(&impersonation_token));
-
- ASSERT_TRUE(::IsTokenRestricted(impersonation_token.Get()));
-
- ASSERT_TRUE(::GetTokenInformation(impersonation_token.Get(),
- ::TokenType,
- &type,
- sizeof(type),
- &length));
-
- ASSERT_EQ(type, TokenImpersonation);
-}
-
-// Verifies that the token created has "Restricted" in its default dacl.
-TEST(RestrictedTokenTest, DefaultDacl) {
- RestrictedToken token;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
-
- base::win::ScopedHandle handle;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(handle.Take());
-
- ATL::CDacl dacl;
- ASSERT_TRUE(restricted_token.GetDefaultDacl(&dacl));
-
- bool restricted_found = false;
-
- unsigned int ace_count = dacl.GetAceCount();
- for (unsigned int i = 0; i < ace_count ; ++i) {
- ATL::CSid sid;
- ACCESS_MASK mask = 0;
- dacl.GetAclEntry(i, &sid, &mask);
- if (sid == ATL::Sids::RestrictedCode() && mask == GENERIC_ALL) {
- restricted_found = true;
- break;
- }
- }
-
- ASSERT_TRUE(restricted_found);
-}
-
-// Tests the method "AddSidForDenyOnly".
-TEST(RestrictedTokenTest, DenySid) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddSidForDenyOnly(Sid(WinWorldSid)));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- ATL::CTokenGroups groups;
- ASSERT_TRUE(restricted_token.GetGroups(&groups));
-
- ATL::CSid::CSidArray sids;
- ATL::CAtlArray<DWORD> attributes;
- groups.GetSidsAndAttributes(&sids, &attributes);
-
- for (unsigned int i = 0; i < sids.GetCount(); i++) {
- if (ATL::Sids::World() == sids[i]) {
- ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY),
- attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
- }
- }
-}
-
-// Tests the method "AddAllSidsForDenyOnly".
-TEST(RestrictedTokenTest, DenySids) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddAllSidsForDenyOnly(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- ATL::CTokenGroups groups;
- ASSERT_TRUE(restricted_token.GetGroups(&groups));
-
- ATL::CSid::CSidArray sids;
- ATL::CAtlArray<DWORD> attributes;
- groups.GetSidsAndAttributes(&sids, &attributes);
-
- // Verify that all sids are really gone.
- for (unsigned int i = 0; i < sids.GetCount(); i++) {
- if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 &&
- (attributes[i] & SE_GROUP_INTEGRITY) == 0) {
- ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY),
- attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
- }
- }
-}
-
-// Tests the method "AddAllSidsForDenyOnly" using an exception list.
-TEST(RestrictedTokenTest, DenySidsException) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- std::vector<Sid> sids_exception;
- sids_exception.push_back(Sid(WinWorldSid));
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddAllSidsForDenyOnly(&sids_exception));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- ATL::CTokenGroups groups;
- ASSERT_TRUE(restricted_token.GetGroups(&groups));
-
- ATL::CSid::CSidArray sids;
- ATL::CAtlArray<DWORD> attributes;
- groups.GetSidsAndAttributes(&sids, &attributes);
-
- // Verify that all sids are really gone.
- for (unsigned int i = 0; i < sids.GetCount(); i++) {
- if ((attributes[i] & SE_GROUP_LOGON_ID) == 0 &&
- (attributes[i] & SE_GROUP_INTEGRITY) == 0) {
- if (ATL::Sids::World() == sids[i]) {
- ASSERT_EQ(0u, attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
- } else {
- ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY),
- attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
- }
- }
- }
-}
-
-// Tests test method AddOwnerSidForDenyOnly.
-TEST(RestrictedTokenTest, DenyOwnerSid) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.AddUserSidForDenyOnly());
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- ATL::CTokenGroups groups;
- ASSERT_TRUE(restricted_token.GetGroups(&groups));
-
- ATL::CSid::CSidArray sids;
- ATL::CAtlArray<DWORD> attributes;
- groups.GetSidsAndAttributes(&sids, &attributes);
-
- ATL::CSid user_sid;
- ASSERT_TRUE(restricted_token.GetUser(&user_sid));
-
- for (unsigned int i = 0; i < sids.GetCount(); ++i) {
- if (user_sid == sids[i]) {
- ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY),
- attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
- }
- }
-}
-
-// Tests test method AddOwnerSidForDenyOnly with a custom effective token.
-TEST(RestrictedTokenTest, DenyOwnerSidCustom) {
- // Get the current process token.
- HANDLE access_handle = INVALID_HANDLE_VALUE;
- ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
- &access_handle));
-
- ASSERT_NE(INVALID_HANDLE_VALUE, access_handle);
-
- ATL::CAccessToken access_token;
- access_token.Attach(access_handle);
-
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.Init(access_token.GetHandle()));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.AddUserSidForDenyOnly());
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- ATL::CTokenGroups groups;
- ASSERT_TRUE(restricted_token.GetGroups(&groups));
-
- ATL::CSid::CSidArray sids;
- ATL::CAtlArray<DWORD> attributes;
- groups.GetSidsAndAttributes(&sids, &attributes);
-
- ATL::CSid user_sid;
- ASSERT_TRUE(restricted_token.GetUser(&user_sid));
-
- for (unsigned int i = 0; i < sids.GetCount(); ++i) {
- if (user_sid == sids[i]) {
- ASSERT_EQ(static_cast<DWORD>(SE_GROUP_USE_FOR_DENY_ONLY),
- attributes[i] & SE_GROUP_USE_FOR_DENY_ONLY);
- }
- }
-}
-
-// Tests the method DeleteAllPrivileges.
-TEST(RestrictedTokenTest, DeleteAllPrivileges) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.DeleteAllPrivileges(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- ATL::CTokenPrivileges privileges;
- ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));
-
- ASSERT_EQ(0u, privileges.GetCount());
-}
-
-// Tests the method DeleteAllPrivileges with an exception list.
-TEST(RestrictedTokenTest, DeleteAllPrivilegesException) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- std::vector<base::string16> exceptions;
- exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.DeleteAllPrivileges(&exceptions));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- ATL::CTokenPrivileges privileges;
- ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));
-
- ATL::CTokenPrivileges::CNames privilege_names;
- ATL::CTokenPrivileges::CAttributes privilege_name_attributes;
- privileges.GetNamesAndAttributes(&privilege_names,
- &privilege_name_attributes);
-
- ASSERT_EQ(1u, privileges.GetCount());
-
- for (unsigned int i = 0; i < privileges.GetCount(); ++i) {
- ASSERT_EQ(privilege_names[i], SE_CHANGE_NOTIFY_NAME);
- }
-}
-
-// Tests the method DeletePrivilege.
-TEST(RestrictedTokenTest, DeletePrivilege) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.DeletePrivilege(SE_CHANGE_NOTIFY_NAME));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- ATL::CTokenPrivileges privileges;
- ASSERT_TRUE(restricted_token.GetPrivileges(&privileges));
-
- ATL::CTokenPrivileges::CNames privilege_names;
- ATL::CTokenPrivileges::CAttributes privilege_name_attributes;
- privileges.GetNamesAndAttributes(&privilege_names,
- &privilege_name_attributes);
-
- for (unsigned int i = 0; i < privileges.GetCount(); ++i) {
- ASSERT_NE(privilege_names[i], SE_CHANGE_NOTIFY_NAME);
- }
-}
-
-// Checks if a sid is in the restricting list of the restricted token.
-// Asserts if it's not the case. If count is a positive number, the number of
-// elements in the restricting sids list has to be equal.
-void CheckRestrictingSid(const ATL::CAccessToken &restricted_token,
- ATL::CSid sid, int count) {
- DWORD length = 8192;
- BYTE *memory = new BYTE[length];
- TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(memory);
- ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(),
- TokenRestrictedSids,
- groups,
- length,
- &length));
-
- ATL::CTokenGroups atl_groups(*groups);
- delete[] memory;
-
- if (count >= 0)
- ASSERT_EQ(static_cast<unsigned>(count), atl_groups.GetCount());
-
- ATL::CSid::CSidArray sids;
- ATL::CAtlArray<DWORD> attributes;
- atl_groups.GetSidsAndAttributes(&sids, &attributes);
-
- bool present = false;
- for (unsigned int i = 0; i < sids.GetCount(); ++i) {
- if (sids[i] == sid) {
- present = true;
- break;
- }
- }
-
- ASSERT_TRUE(present);
-}
-
-// Tests the method AddRestrictingSid.
-TEST(RestrictedTokenTest, AddRestrictingSid) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- CheckRestrictingSid(restricted_token, ATL::Sids::World(), 1);
-}
-
-// Tests the method AddRestrictingSidCurrentUser.
-TEST(RestrictedTokenTest, AddRestrictingSidCurrentUser) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSidCurrentUser());
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
- ATL::CSid user;
- restricted_token.GetUser(&user);
-
- CheckRestrictingSid(restricted_token, user, 1);
-}
-
-// Tests the method AddRestrictingSidCurrentUser with a custom effective token.
-TEST(RestrictedTokenTest, AddRestrictingSidCurrentUserCustom) {
- // Get the current process token.
- HANDLE access_handle = INVALID_HANDLE_VALUE;
- ASSERT_TRUE(::OpenProcessToken(::GetCurrentProcess(), TOKEN_ALL_ACCESS,
- &access_handle));
-
- ASSERT_NE(INVALID_HANDLE_VALUE, access_handle);
-
- ATL::CAccessToken access_token;
- access_token.Attach(access_handle);
-
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.Init(access_token.GetHandle()));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSidCurrentUser());
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
- ATL::CSid user;
- restricted_token.GetUser(&user);
-
- CheckRestrictingSid(restricted_token, user, 1);
-}
-
-// Tests the method AddRestrictingSidLogonSession.
-TEST(RestrictedTokenTest, AddRestrictingSidLogonSession) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSidLogonSession());
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
- ATL::CSid session;
- restricted_token.GetLogonSid(&session);
-
- CheckRestrictingSid(restricted_token, session, 1);
-}
-
-// Tests adding a lot of restricting sids.
-TEST(RestrictedTokenTest, AddMultipleRestrictingSids) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSidCurrentUser());
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSidLogonSession());
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSid(ATL::Sids::World().GetPSID()));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
- ATL::CSid session;
- restricted_token.GetLogonSid(&session);
-
- DWORD length = 8192;
- BYTE *memory = new BYTE[length];
- TOKEN_GROUPS *groups = reinterpret_cast<TOKEN_GROUPS*>(memory);
- ASSERT_TRUE(::GetTokenInformation(restricted_token.GetHandle(),
- TokenRestrictedSids,
- groups,
- length,
- &length));
-
- ATL::CTokenGroups atl_groups(*groups);
- delete[] memory;
-
- ASSERT_EQ(3u, atl_groups.GetCount());
-}
-
-// Tests the method "AddRestrictingSidAllSids".
-TEST(RestrictedTokenTest, AddAllSidToRestrictingSids) {
- RestrictedToken token;
- base::win::ScopedHandle token_handle;
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.AddRestrictingSidAllSids());
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS),
- token.GetRestrictedToken(&token_handle));
-
- ATL::CAccessToken restricted_token;
- restricted_token.Attach(token_handle.Take());
-
- ATL::CTokenGroups groups;
- ASSERT_TRUE(restricted_token.GetGroups(&groups));
-
- ATL::CSid::CSidArray sids;
- ATL::CAtlArray<DWORD> attributes;
- groups.GetSidsAndAttributes(&sids, &attributes);
-
- // Verify that all group sids are in the restricting sid list.
- for (unsigned int i = 0; i < sids.GetCount(); i++) {
- if ((attributes[i] & SE_GROUP_INTEGRITY) == 0) {
- CheckRestrictingSid(restricted_token, sids[i], -1);
- }
- }
-
- // Verify that the user is in the restricting sid list.
- ATL::CSid user;
- restricted_token.GetUser(&user);
- CheckRestrictingSid(restricted_token, user, -1);
-}
-
-// Checks the error code when the object is initialized twice.
-TEST(RestrictedTokenTest, DoubleInit) {
- RestrictedToken token;
- ASSERT_EQ(static_cast<DWORD>(ERROR_SUCCESS), token.Init(NULL));
-
- ASSERT_EQ(static_cast<DWORD>(ERROR_ALREADY_INITIALIZED), token.Init(NULL));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
deleted file mode 100644
index d5b0e13c3..000000000
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.cc
+++ /dev/null
@@ -1,323 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <aclapi.h>
-#include <sddl.h>
-#include <vector>
-
-#include "sandbox/win/src/restricted_token_utils.h"
-
-#include "base/logging.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/job.h"
-#include "sandbox/win/src/restricted_token.h"
-#include "sandbox/win/src/security_level.h"
-#include "sandbox/win/src/sid.h"
-
-namespace sandbox {
-
-DWORD CreateRestrictedToken(TokenLevel security_level,
- IntegrityLevel integrity_level,
- TokenType token_type,
- base::win::ScopedHandle* token) {
- RestrictedToken restricted_token;
- restricted_token.Init(NULL); // Initialized with the current process token
-
- std::vector<base::string16> privilege_exceptions;
- std::vector<Sid> sid_exceptions;
- std::vector<Sid> deny_only_sids;
-
- bool deny_sids = true;
- bool remove_privileges = true;
-
- switch (security_level) {
- case USER_UNPROTECTED: {
- deny_sids = false;
- remove_privileges = false;
- break;
- }
- case USER_RESTRICTED_SAME_ACCESS: {
- deny_sids = false;
- remove_privileges = false;
-
- unsigned err_code = restricted_token.AddRestrictingSidAllSids();
- if (ERROR_SUCCESS != err_code)
- return err_code;
-
- break;
- }
- case USER_NON_ADMIN: {
- deny_sids = false;
- deny_only_sids.push_back(WinBuiltinAdministratorsSid);
- deny_only_sids.push_back(WinAccountAdministratorSid);
- deny_only_sids.push_back(WinAccountDomainAdminsSid);
- deny_only_sids.push_back(WinAccountCertAdminsSid);
- deny_only_sids.push_back(WinAccountSchemaAdminsSid);
- deny_only_sids.push_back(WinAccountEnterpriseAdminsSid);
- deny_only_sids.push_back(WinAccountPolicyAdminsSid);
- deny_only_sids.push_back(WinBuiltinHyperVAdminsSid);
- deny_only_sids.push_back(WinLocalAccountAndAdministratorSid);
- privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
- break;
- }
- case USER_INTERACTIVE: {
- sid_exceptions.push_back(WinBuiltinUsersSid);
- sid_exceptions.push_back(WinWorldSid);
- sid_exceptions.push_back(WinInteractiveSid);
- sid_exceptions.push_back(WinAuthenticatedUserSid);
- privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
- restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
- restricted_token.AddRestrictingSid(WinWorldSid);
- restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
- restricted_token.AddRestrictingSidCurrentUser();
- restricted_token.AddRestrictingSidLogonSession();
- break;
- }
- case USER_LIMITED: {
- sid_exceptions.push_back(WinBuiltinUsersSid);
- sid_exceptions.push_back(WinWorldSid);
- sid_exceptions.push_back(WinInteractiveSid);
- privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
- restricted_token.AddRestrictingSid(WinBuiltinUsersSid);
- restricted_token.AddRestrictingSid(WinWorldSid);
- restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
-
- // This token has to be able to create objects in BNO.
- // Unfortunately, on vista, it needs the current logon sid
- // in the token to achieve this. You should also set the process to be
- // low integrity level so it can't access object created by other
- // processes.
- if (base::win::GetVersion() >= base::win::VERSION_VISTA)
- restricted_token.AddRestrictingSidLogonSession();
- break;
- }
- case USER_RESTRICTED: {
- privilege_exceptions.push_back(SE_CHANGE_NOTIFY_NAME);
- restricted_token.AddUserSidForDenyOnly();
- restricted_token.AddRestrictingSid(WinRestrictedCodeSid);
- break;
- }
- case USER_LOCKDOWN: {
- restricted_token.AddUserSidForDenyOnly();
- restricted_token.AddRestrictingSid(WinNullSid);
- break;
- }
- default: {
- return ERROR_BAD_ARGUMENTS;
- }
- }
-
- DWORD err_code = ERROR_SUCCESS;
- if (deny_sids) {
- err_code = restricted_token.AddAllSidsForDenyOnly(&sid_exceptions);
- if (ERROR_SUCCESS != err_code)
- return err_code;
- } else if (!deny_only_sids.empty()) {
- err_code = restricted_token.AddDenyOnlySids(deny_only_sids);
- if (ERROR_SUCCESS != err_code) {
- return err_code;
- }
- }
-
- if (remove_privileges) {
- err_code = restricted_token.DeleteAllPrivileges(&privilege_exceptions);
- if (ERROR_SUCCESS != err_code)
- return err_code;
- }
-
- restricted_token.SetIntegrityLevel(integrity_level);
-
- switch (token_type) {
- case PRIMARY: {
- err_code = restricted_token.GetRestrictedToken(token);
- break;
- }
- case IMPERSONATION: {
- err_code = restricted_token.GetRestrictedTokenForImpersonation(token);
- break;
- }
- default: {
- err_code = ERROR_BAD_ARGUMENTS;
- break;
- }
- }
-
- return err_code;
-}
-
-DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type,
- const wchar_t* ace_access,
- const wchar_t* integrity_level_sid) {
- // Build the SDDL string for the label.
- base::string16 sddl = L"S:("; // SDDL for a SACL.
- sddl += SDDL_MANDATORY_LABEL; // Ace Type is "Mandatory Label".
- sddl += L";;"; // No Ace Flags.
- sddl += ace_access; // Add the ACE access.
- sddl += L";;;"; // No ObjectType and Inherited Object Type.
- sddl += integrity_level_sid; // Trustee Sid.
- sddl += L")";
-
- DWORD error = ERROR_SUCCESS;
- PSECURITY_DESCRIPTOR sec_desc = NULL;
-
- PACL sacl = NULL;
- BOOL sacl_present = FALSE;
- BOOL sacl_defaulted = FALSE;
-
- if (::ConvertStringSecurityDescriptorToSecurityDescriptorW(sddl.c_str(),
- SDDL_REVISION,
- &sec_desc, NULL)) {
- if (::GetSecurityDescriptorSacl(sec_desc, &sacl_present, &sacl,
- &sacl_defaulted)) {
- error = ::SetSecurityInfo(handle, type,
- LABEL_SECURITY_INFORMATION, NULL, NULL, NULL,
- sacl);
- } else {
- error = ::GetLastError();
- }
-
- ::LocalFree(sec_desc);
- } else {
- return::GetLastError();
- }
-
- return error;
-}
-
-const wchar_t* GetIntegrityLevelString(IntegrityLevel integrity_level) {
- switch (integrity_level) {
- case INTEGRITY_LEVEL_SYSTEM:
- return L"S-1-16-16384";
- case INTEGRITY_LEVEL_HIGH:
- return L"S-1-16-12288";
- case INTEGRITY_LEVEL_MEDIUM:
- return L"S-1-16-8192";
- case INTEGRITY_LEVEL_MEDIUM_LOW:
- return L"S-1-16-6144";
- case INTEGRITY_LEVEL_LOW:
- return L"S-1-16-4096";
- case INTEGRITY_LEVEL_BELOW_LOW:
- return L"S-1-16-2048";
- case INTEGRITY_LEVEL_UNTRUSTED:
- return L"S-1-16-0";
- case INTEGRITY_LEVEL_LAST:
- return NULL;
- }
-
- NOTREACHED();
- return NULL;
-}
-DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level) {
- if (base::win::GetVersion() < base::win::VERSION_VISTA)
- return ERROR_SUCCESS;
-
- const wchar_t* integrity_level_str = GetIntegrityLevelString(integrity_level);
- if (!integrity_level_str) {
- // No mandatory level specified, we don't change it.
- return ERROR_SUCCESS;
- }
-
- PSID integrity_sid = NULL;
- if (!::ConvertStringSidToSid(integrity_level_str, &integrity_sid))
- return ::GetLastError();
-
- TOKEN_MANDATORY_LABEL label = {};
- label.Label.Attributes = SE_GROUP_INTEGRITY;
- label.Label.Sid = integrity_sid;
-
- DWORD size = sizeof(TOKEN_MANDATORY_LABEL) + ::GetLengthSid(integrity_sid);
- BOOL result = ::SetTokenInformation(token, TokenIntegrityLevel, &label,
- size);
- auto last_error = ::GetLastError();
- ::LocalFree(integrity_sid);
-
- return result ? ERROR_SUCCESS : last_error;
-}
-
-DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level) {
- if (base::win::GetVersion() < base::win::VERSION_VISTA)
- return ERROR_SUCCESS;
-
- // We don't check for an invalid level here because we'll just let it
- // fail on the SetTokenIntegrityLevel call later on.
- if (integrity_level == INTEGRITY_LEVEL_LAST) {
- // No mandatory level specified, we don't change it.
- return ERROR_SUCCESS;
- }
-
- HANDLE token_handle;
- if (!::OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_DEFAULT,
- &token_handle))
- return ::GetLastError();
-
- base::win::ScopedHandle token(token_handle);
-
- return SetTokenIntegrityLevel(token.Get(), integrity_level);
-}
-
-DWORD HardenTokenIntegrityLevelPolicy(HANDLE token) {
- if (base::win::GetVersion() < base::win::VERSION_WIN7)
- return ERROR_SUCCESS;
-
- DWORD last_error = 0;
- DWORD length_needed = 0;
-
- ::GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,
- NULL, 0, &length_needed);
-
- last_error = ::GetLastError();
- if (last_error != ERROR_INSUFFICIENT_BUFFER)
- return last_error;
-
- std::vector<char> security_desc_buffer(length_needed);
- PSECURITY_DESCRIPTOR security_desc =
- reinterpret_cast<PSECURITY_DESCRIPTOR>(&security_desc_buffer[0]);
-
- if (!::GetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,
- security_desc, length_needed,
- &length_needed))
- return ::GetLastError();
-
- PACL sacl = NULL;
- BOOL sacl_present = FALSE;
- BOOL sacl_defaulted = FALSE;
-
- if (!::GetSecurityDescriptorSacl(security_desc, &sacl_present,
- &sacl, &sacl_defaulted))
- return ::GetLastError();
-
- for (DWORD ace_index = 0; ace_index < sacl->AceCount; ++ace_index) {
- PSYSTEM_MANDATORY_LABEL_ACE ace;
-
- if (::GetAce(sacl, ace_index, reinterpret_cast<LPVOID*>(&ace))
- && ace->Header.AceType == SYSTEM_MANDATORY_LABEL_ACE_TYPE) {
- ace->Mask |= SYSTEM_MANDATORY_LABEL_NO_READ_UP
- | SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP;
- break;
- }
- }
-
- if (!::SetKernelObjectSecurity(token, LABEL_SECURITY_INFORMATION,
- security_desc))
- return ::GetLastError();
-
- return ERROR_SUCCESS;
-}
-
-DWORD HardenProcessIntegrityLevelPolicy() {
- if (base::win::GetVersion() < base::win::VERSION_WIN7)
- return ERROR_SUCCESS;
-
- HANDLE token_handle;
- if (!::OpenProcessToken(GetCurrentProcess(), READ_CONTROL | WRITE_OWNER,
- &token_handle))
- return ::GetLastError();
-
- base::win::ScopedHandle token(token_handle);
-
- return HardenTokenIntegrityLevelPolicy(token.Get());
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h b/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h
deleted file mode 100644
index b4e4fded9..000000000
--- a/security/sandbox/chromium/sandbox/win/src/restricted_token_utils.h
+++ /dev/null
@@ -1,75 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
-#define SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
-
-#include <accctrl.h>
-#include <windows.h>
-
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/restricted_token.h"
-#include "sandbox/win/src/security_level.h"
-
-// Contains the utility functions to be able to create restricted tokens based
-// on a security profiles.
-
-namespace sandbox {
-
-// The type of the token returned by the CreateNakedToken.
-enum TokenType {
- IMPERSONATION = 0,
- PRIMARY
-};
-
-// Creates a restricted token based on the effective token of the current
-// process. The parameter security_level determines how much the token is
-// restricted. The token_type determines if the token will be used as a primary
-// token or impersonation token. The integrity level of the token is set to
-// |integrity level| on Vista only.
-// |token| is the output value containing the handle of the newly created
-// restricted token.
-// If the function succeeds, the return value is ERROR_SUCCESS. If the
-// function fails, the return value is the win32 error code corresponding to
-// the error.
-DWORD CreateRestrictedToken(TokenLevel security_level,
- IntegrityLevel integrity_level,
- TokenType token_type,
- base::win::ScopedHandle* token);
-
-// Sets the integrity label on a object handle.
-DWORD SetObjectIntegrityLabel(HANDLE handle, SE_OBJECT_TYPE type,
- const wchar_t* ace_access,
- const wchar_t* integrity_level_sid);
-
-// Sets the integrity level on a token. This is only valid on Vista. It returns
-// without failing on XP. If the integrity level that you specify is greater
-// than the current integrity level, the function will fail.
-DWORD SetTokenIntegrityLevel(HANDLE token, IntegrityLevel integrity_level);
-
-// Returns the integrity level SDDL string associated with a given
-// IntegrityLevel value.
-const wchar_t* GetIntegrityLevelString(IntegrityLevel integrity_level);
-
-// Sets the integrity level on the current process on Vista. It returns without
-// failing on XP. If the integrity level that you specify is greater than the
-// current integrity level, the function will fail.
-DWORD SetProcessIntegrityLevel(IntegrityLevel integrity_level);
-
-// Hardens the integrity level policy on a token. This is only valid on Win 7
-// and above. Specifically it sets the policy to block read and execute so
-// that a lower privileged process cannot open the token for impersonate or
-// duplicate permissions. This should limit potential security holes.
-DWORD HardenTokenIntegrityLevelPolicy(HANDLE token);
-
-// Hardens the integrity level policy on the current process. This is only
-// valid on Win 7 and above. Specifically it sets the policy to block read
-// and execute so that a lower privileged process cannot open the token for
-// impersonate or duplicate permissions. This should limit potential security
-// holes.
-DWORD HardenProcessIntegrityLevelPolicy();
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_RESTRICTED_TOKEN_UTILS_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.cc b/security/sandbox/chromium/sandbox/win/src/sandbox.cc
deleted file mode 100644
index 984dfecec..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox.cc
+++ /dev/null
@@ -1,48 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stdio.h>
-#include <windows.h>
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/broker_services.h"
-#include "sandbox/win/src/target_services.h"
-
-namespace sandbox {
-// The section for IPC and policy.
-SANDBOX_INTERCEPT HANDLE g_shared_section;
-static bool s_is_broker = false;
-
-// GetBrokerServices: the current implementation relies on a shared section
-// that is created by the broker and opened by the target.
-BrokerServices* SandboxFactory::GetBrokerServices() {
- // Can't be the broker if the shared section is open.
- if (NULL != g_shared_section) {
- return NULL;
- }
- // If the shared section does not exist we are the broker, then create
- // the broker object.
- s_is_broker = true;
- return BrokerServicesBase::GetInstance();
-}
-
-// GetTargetServices implementation must follow the same technique as the
-// GetBrokerServices, but in this case the logic is the opposite.
-TargetServices* SandboxFactory::GetTargetServices() {
- // Can't be the target if the section handle is not valid.
- if (NULL == g_shared_section) {
- return NULL;
- }
- // We are the target
- s_is_broker = false;
- // Creates and returns the target services implementation.
- return TargetServicesBase::GetInstance();
-}
-
-} // namespace sandbox
-
-// Allows querying for whether the current process has been sandboxed.
-extern "C" bool __declspec(dllexport) IsSandboxedProcess() {
- return sandbox::g_shared_section != NULL;
-}
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.h b/security/sandbox/chromium/sandbox/win/src/sandbox.h
deleted file mode 100644
index 193605d1e..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox.h
+++ /dev/null
@@ -1,164 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Sandbox is a sandbox library for windows processes. Use when you want a
-// 'privileged' process and a 'locked down process' to interact with.
-// The privileged process is called the broker and it is started by external
-// means (such as the user starting it). The 'sandboxed' process is called the
-// target and it is started by the broker. There can be many target processes
-// started by a single broker process. This library provides facilities
-// for both the broker and the target.
-//
-// The design rationale and relevant documents can be found at http://go/sbox.
-//
-// Note: this header does not include the SandboxFactory definitions because
-// there are cases where the Sandbox library is linked against the main .exe
-// while its API needs to be used in a DLL.
-
-#ifndef SANDBOX_WIN_SRC_SANDBOX_H_
-#define SANDBOX_WIN_SRC_SANDBOX_H_
-
-#include <windows.h>
-
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-// sandbox: Google User-Land Application Sandbox
-namespace sandbox {
-
-class BrokerServices;
-class ProcessState;
-class TargetPolicy;
-class TargetServices;
-
-// BrokerServices exposes all the broker API.
-// The basic use is to start the target(s) and wait for them to end.
-//
-// This API is intended to be called in the following order
-// (error checking omitted):
-// BrokerServices* broker = SandboxFactory::GetBrokerServices();
-// broker->Init();
-// PROCESS_INFORMATION target;
-// broker->SpawnTarget(target_exe_path, target_args, &target);
-// ::ResumeThread(target->hThread);
-// // -- later you can call:
-// broker->WaitForAllTargets(option);
-//
-class BrokerServices {
- public:
- // Initializes the broker. Must be called before any other on this class.
- // returns ALL_OK if successful. All other return values imply failure.
- // If the return is ERROR_GENERIC, you can call ::GetLastError() to get
- // more information.
- virtual ResultCode Init() = 0;
-
- // Returns the interface pointer to a new, empty policy object. Use this
- // interface to specify the sandbox policy for new processes created by
- // SpawnTarget()
- virtual TargetPolicy* CreatePolicy() = 0;
-
- // Creates a new target (child process) in a suspended state.
- // Parameters:
- // exe_path: This is the full path to the target binary. This parameter
- // can be null and in this case the exe path must be the first argument
- // of the command_line.
- // command_line: The arguments to be passed as command line to the new
- // process. This can be null if the exe_path parameter is not null.
- // policy: This is the pointer to the policy object for the sandbox to
- // be created.
- // target: returns the resulting target process information such as process
- // handle and PID just as if CreateProcess() had been called. The caller is
- // responsible for closing the handles returned in this structure.
- // Returns:
- // ALL_OK if successful. All other return values imply failure.
- virtual ResultCode SpawnTarget(const wchar_t* exe_path,
- const wchar_t* command_line,
- TargetPolicy* policy,
- PROCESS_INFORMATION* target) = 0;
-
- // This call blocks (waits) for all the targets to terminate.
- // Returns:
- // ALL_OK if successful. All other return values imply failure.
- // If the return is ERROR_GENERIC, you can call ::GetLastError() to get
- // more information.
- virtual ResultCode WaitForAllTargets() = 0;
-
- // Adds an unsandboxed process as a peer for policy decisions (e.g.
- // HANDLES_DUP_ANY policy).
- // Returns:
- // ALL_OK if successful. All other return values imply failure.
- // If the return is ERROR_GENERIC, you can call ::GetLastError() to get
- // more information.
- virtual ResultCode AddTargetPeer(HANDLE peer_process) = 0;
-
- // Install the AppContainer with the specified sid an name. Returns ALL_OK if
- // successful or an error code if the AppContainer cannot be installed.
- virtual ResultCode InstallAppContainer(const wchar_t* sid,
- const wchar_t* name) = 0;
-
- // Removes from the system the AppContainer with the specified sid.
- // Returns ALL_OK if successful or an error code otherwise.
- virtual ResultCode UninstallAppContainer(const wchar_t* sid) = 0;
-};
-
-// TargetServices models the current process from the perspective
-// of a target process. To obtain a pointer to it use
-// Sandbox::GetTargetServices(). Note that this call returns a non-null
-// pointer only if this process is in fact a target. A process is a target
-// only if the process was spawned by a call to BrokerServices::SpawnTarget().
-//
-// This API allows the target to gain access to resources with a high
-// privilege token and then when it is ready to perform dangerous activities
-// (such as download content from the web) it can lower its token and
-// enter into locked-down (sandbox) mode.
-// The typical usage is as follows:
-//
-// TargetServices* target_services = Sandbox::GetTargetServices();
-// if (NULL != target_services) {
-// // We are the target.
-// target_services->Init();
-// // Do work that requires high privileges here.
-// // ....
-// // When ready to enter lock-down mode call LowerToken:
-// target_services->LowerToken();
-// }
-//
-// For more information see the BrokerServices API documentation.
-class TargetServices {
- public:
- // Initializes the target. Must call this function before any other.
- // returns ALL_OK if successful. All other return values imply failure.
- // If the return is ERROR_GENERIC, you can call ::GetLastError() to get
- // more information.
- virtual ResultCode Init() = 0;
-
- // Discards the impersonation token and uses the lower token, call before
- // processing any untrusted data or running third-party code. If this call
- // fails the current process could be terminated immediately.
- virtual void LowerToken() = 0;
-
- // Returns the ProcessState object. Through that object it's possible to have
- // information about the current state of the process, such as whether
- // LowerToken has been called or not.
- virtual ProcessState* GetState() = 0;
-
- // Requests the broker to duplicate the supplied handle into the target
- // process. The target process must be an active sandbox child process
- // and the source process must have a corresponding policy allowing
- // handle duplication for this object type.
- // Returns:
- // ALL_OK if successful. All other return values imply failure.
- // If the return is ERROR_GENERIC, you can call ::GetLastError() to get
- // more information.
- virtual ResultCode DuplicateHandle(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) = 0;
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_WIN_SRC_SANDBOX_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox.vcproj b/security/sandbox/chromium/sandbox/win/src/sandbox.vcproj
deleted file mode 100644
index f206e01a1..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox.vcproj
+++ /dev/null
@@ -1,658 +0,0 @@
-<?xml version="1.0" encoding="Windows-1252"?>
-<VisualStudioProject
- ProjectType="Visual C++"
- Version="8.00"
- Name="sandbox"
- ProjectGUID="{881F6A97-D539-4C48-B401-DF04385B2343}"
- RootNamespace="sandbox"
- Keyword="Win32Proj"
- >
- <Platforms>
- <Platform
- Name="Win32"
- />
- </Platforms>
- <ToolFiles>
- </ToolFiles>
- <Configurations>
- <Configuration
- Name="Debug|Win32"
- ConfigurationType="4"
- InheritedPropertySheets="$(SolutionDir)..\build\debug.vsprops;$(SolutionDir)..\build\common.vsprops;$(SolutionDir)..\testing\using_gtest.vsprops"
- >
- <Tool
- Name="VCPreBuildEventTool"
- />
- <Tool
- Name="VCCustomBuildTool"
- />
- <Tool
- Name="VCXMLDataGeneratorTool"
- />
- <Tool
- Name="VCWebServiceProxyGeneratorTool"
- />
- <Tool
- Name="VCMIDLTool"
- />
- <Tool
- Name="VCCLCompilerTool"
- UsePrecompiledHeader="2"
- ForcedIncludeFiles="stdafx.h"
- />
- <Tool
- Name="VCManagedResourceCompilerTool"
- />
- <Tool
- Name="VCResourceCompilerTool"
- />
- <Tool
- Name="VCPreLinkEventTool"
- />
- <Tool
- Name="VCLibrarianTool"
- />
- <Tool
- Name="VCALinkTool"
- />
- <Tool
- Name="VCXDCMakeTool"
- />
- <Tool
- Name="VCBscMakeTool"
- />
- <Tool
- Name="VCFxCopTool"
- />
- <Tool
- Name="VCPostBuildEventTool"
- Description="Copy wow_helper to output directory"
- CommandLine="copy $(ProjectDir)\..\wow_helper\wow_helper.exe $(OutDir) &amp;&amp; copy $(ProjectDir)\..\wow_helper\wow_helper.pdb $(OutDir)"
- />
- </Configuration>
- <Configuration
- Name="Release|Win32"
- ConfigurationType="4"
- InheritedPropertySheets="$(SolutionDir)..\build\release.vsprops;$(SolutionDir)..\build\common.vsprops;$(SolutionDir)..\testing\using_gtest.vsprops"
- >
- <Tool
- Name="VCPreBuildEventTool"
- />
- <Tool
- Name="VCCustomBuildTool"
- />
- <Tool
- Name="VCXMLDataGeneratorTool"
- />
- <Tool
- Name="VCWebServiceProxyGeneratorTool"
- />
- <Tool
- Name="VCMIDLTool"
- />
- <Tool
- Name="VCCLCompilerTool"
- UsePrecompiledHeader="0"
- />
- <Tool
- Name="VCManagedResourceCompilerTool"
- />
- <Tool
- Name="VCResourceCompilerTool"
- />
- <Tool
- Name="VCPreLinkEventTool"
- />
- <Tool
- Name="VCLibrarianTool"
- />
- <Tool
- Name="VCALinkTool"
- />
- <Tool
- Name="VCXDCMakeTool"
- />
- <Tool
- Name="VCBscMakeTool"
- />
- <Tool
- Name="VCFxCopTool"
- />
- <Tool
- Name="VCPostBuildEventTool"
- Description="Copy wow_helper to output directory"
- CommandLine="copy $(ProjectDir)\..\wow_helper\wow_helper.exe $(OutDir) &amp;&amp; copy $(ProjectDir)\..\wow_helper\wow_helper.pdb $(OutDir)"
- />
- </Configuration>
- </Configurations>
- <References>
- </References>
- <Files>
- <Filter
- Name="security"
- >
- <File
- RelativePath=".\acl.cc"
- >
- </File>
- <File
- RelativePath=".\acl.h"
- >
- </File>
- <File
- RelativePath=".\dep.cc"
- >
- </File>
- <File
- RelativePath=".\dep.h"
- >
- </File>
- <File
- RelativePath=".\job.cc"
- >
- </File>
- <File
- RelativePath=".\job.h"
- >
- </File>
- <File
- RelativePath=".\restricted_token.cc"
- >
- </File>
- <File
- RelativePath=".\restricted_token.h"
- >
- </File>
- <File
- RelativePath=".\restricted_token_utils.cc"
- >
- </File>
- <File
- RelativePath=".\restricted_token_utils.h"
- >
- </File>
- <File
- RelativePath=".\security_level.h"
- >
- </File>
- <File
- RelativePath=".\sid.cc"
- >
- </File>
- <File
- RelativePath=".\sid.h"
- >
- </File>
- <File
- RelativePath=".\window.cc"
- >
- </File>
- <File
- RelativePath=".\window.h"
- >
- </File>
- </Filter>
- <Filter
- Name="Interception"
- >
- <File
- RelativePath=".\eat_resolver.cc"
- >
- </File>
- <File
- RelativePath=".\eat_resolver.h"
- >
- </File>
- <File
- RelativePath=".\interception.cc"
- >
- </File>
- <File
- RelativePath=".\interception.h"
- >
- </File>
- <File
- RelativePath=".\interception_agent.cc"
- >
- </File>
- <File
- RelativePath=".\interception_agent.h"
- >
- </File>
- <File
- RelativePath=".\interception_internal.h"
- >
- </File>
- <File
- RelativePath=".\pe_image.cc"
- >
- </File>
- <File
- RelativePath=".\pe_image.h"
- >
- </File>
- <File
- RelativePath=".\resolver.cc"
- >
- </File>
- <File
- RelativePath=".\resolver.h"
- >
- </File>
- <File
- RelativePath=".\service_resolver.cc"
- >
- </File>
- <File
- RelativePath=".\service_resolver.h"
- >
- </File>
- <File
- RelativePath=".\sidestep_resolver.cc"
- >
- </File>
- <File
- RelativePath=".\sidestep_resolver.h"
- >
- </File>
- <File
- RelativePath=".\target_interceptions.cc"
- >
- </File>
- <File
- RelativePath=".\target_interceptions.h"
- >
- </File>
- <File
- RelativePath=".\Wow64.cc"
- >
- </File>
- <File
- RelativePath=".\Wow64.h"
- >
- </File>
- <Filter
- Name="sidestep"
- >
- <File
- RelativePath=".\sidestep\ia32_modrm_map.cpp"
- >
- </File>
- <File
- RelativePath=".\sidestep\ia32_opcode_map.cpp"
- >
- </File>
- <File
- RelativePath=".\sidestep\mini_disassembler.cpp"
- >
- </File>
- <File
- RelativePath=".\sidestep\mini_disassembler.h"
- >
- </File>
- <File
- RelativePath=".\sidestep\mini_disassembler_types.h"
- >
- </File>
- <File
- RelativePath=".\sidestep\preamble_patcher.h"
- >
- </File>
- <File
- RelativePath=".\sidestep\preamble_patcher_with_stub.cpp"
- >
- </File>
- </Filter>
- </Filter>
- <Filter
- Name="nt_level"
- >
- <File
- RelativePath=".\nt_internals.h"
- >
- </File>
- <File
- RelativePath=".\policy_target.cc"
- >
- </File>
- <File
- RelativePath=".\policy_target.h"
- >
- </File>
- <File
- RelativePath=".\sandbox_nt_types.h"
- >
- </File>
- <File
- RelativePath=".\sandbox_nt_util.cc"
- >
- </File>
- <File
- RelativePath=".\sandbox_nt_util.h"
- >
- </File>
- </Filter>
- <Filter
- Name="Policy_handlers"
- >
- <File
- RelativePath=".\filesystem_dispatcher.cc"
- >
- </File>
- <File
- RelativePath=".\filesystem_dispatcher.h"
- >
- </File>
- <File
- RelativePath=".\filesystem_interception.cc"
- >
- </File>
- <File
- RelativePath=".\filesystem_interception.h"
- >
- </File>
- <File
- RelativePath=".\filesystem_policy.cc"
- >
- </File>
- <File
- RelativePath=".\filesystem_policy.h"
- >
- </File>
- <File
- RelativePath=".\named_pipe_dispatcher.cc"
- >
- </File>
- <File
- RelativePath=".\named_pipe_dispatcher.h"
- >
- </File>
- <File
- RelativePath=".\named_pipe_interception.cc"
- >
- </File>
- <File
- RelativePath=".\named_pipe_interception.h"
- >
- </File>
- <File
- RelativePath=".\named_pipe_policy.cc"
- >
- </File>
- <File
- RelativePath=".\named_pipe_policy.h"
- >
- </File>
- <File
- RelativePath=".\policy_params.h"
- >
- </File>
- <File
- RelativePath=".\process_thread_dispatcher.cc"
- >
- </File>
- <File
- RelativePath=".\process_thread_dispatcher.h"
- >
- </File>
- <File
- RelativePath=".\process_thread_interception.cc"
- >
- </File>
- <File
- RelativePath=".\process_thread_interception.h"
- >
- </File>
- <File
- RelativePath=".\process_thread_policy.cc"
- >
- </File>
- <File
- RelativePath=".\process_thread_policy.h"
- >
- </File>
- <File
- RelativePath=".\registry_dispatcher.cc"
- >
- </File>
- <File
- RelativePath=".\registry_dispatcher.h"
- >
- </File>
- <File
- RelativePath=".\registry_interception.cc"
- >
- </File>
- <File
- RelativePath=".\registry_interception.h"
- >
- </File>
- <File
- RelativePath=".\registry_policy.cc"
- >
- </File>
- <File
- RelativePath=".\registry_policy.h"
- >
- </File>
- <File
- RelativePath=".\sync_dispatcher.cc"
- >
- </File>
- <File
- RelativePath=".\sync_dispatcher.h"
- >
- </File>
- <File
- RelativePath=".\sync_interception.cc"
- >
- </File>
- <File
- RelativePath=".\sync_interception.h"
- >
- </File>
- <File
- RelativePath=".\sync_policy.cc"
- >
- </File>
- <File
- RelativePath=".\sync_policy.h"
- >
- </File>
- </Filter>
- <Filter
- Name="IPC"
- >
- <File
- RelativePath=".\crosscall_client.h"
- >
- </File>
- <File
- RelativePath=".\crosscall_params.h"
- >
- </File>
- <File
- RelativePath=".\crosscall_server.cc"
- >
- </File>
- <File
- RelativePath=".\crosscall_server.h"
- >
- </File>
- <File
- RelativePath=".\ipc_tags.h"
- >
- </File>
- <File
- RelativePath=".\sharedmem_ipc_client.cc"
- >
- </File>
- <File
- RelativePath=".\sharedmem_ipc_client.h"
- >
- </File>
- <File
- RelativePath=".\sharedmem_ipc_server.cc"
- >
- </File>
- <File
- RelativePath=".\sharedmem_ipc_server.h"
- >
- </File>
- </Filter>
- <Filter
- Name="Policy_base"
- >
- <File
- RelativePath=".\policy_engine_opcodes.cc"
- >
- </File>
- <File
- RelativePath=".\policy_engine_opcodes.h"
- >
- </File>
- <File
- RelativePath=".\policy_engine_params.h"
- >
- </File>
- <File
- RelativePath=".\policy_engine_processor.cc"
- >
- </File>
- <File
- RelativePath=".\policy_engine_processor.h"
- >
- </File>
- <File
- RelativePath=".\policy_low_level.cc"
- >
- </File>
- <File
- RelativePath=".\policy_low_level.h"
- >
- </File>
- <File
- RelativePath=".\sandbox_policy_base.cc"
- >
- </File>
- <File
- RelativePath=".\sandbox_policy_base.h"
- >
- </File>
- </Filter>
- <File
- RelativePath=".\broker_services.cc"
- >
- </File>
- <File
- RelativePath=".\broker_services.h"
- >
- </File>
- <File
- RelativePath=".\internal_types.h"
- >
- </File>
- <File
- RelativePath=".\policy_broker.cc"
- >
- </File>
- <File
- RelativePath=".\policy_broker.h"
- >
- </File>
- <File
- RelativePath=".\sandbox.cc"
- >
- </File>
- <File
- RelativePath=".\sandbox.h"
- >
- </File>
- <File
- RelativePath=".\sandbox_factory.h"
- >
- </File>
- <File
- RelativePath=".\sandbox_policy.h"
- >
- </File>
- <File
- RelativePath=".\sandbox_types.h"
- >
- </File>
- <File
- RelativePath=".\sandbox_utils.cc"
- >
- </File>
- <File
- RelativePath=".\sandbox_utils.h"
- >
- </File>
- <File
- RelativePath=".\shared_handles.cc"
- >
- </File>
- <File
- RelativePath=".\shared_handles.h"
- >
- </File>
- <File
- RelativePath=".\stdafx.cc"
- >
- <FileConfiguration
- Name="Debug|Win32"
- >
- <Tool
- Name="VCCLCompilerTool"
- UsePrecompiledHeader="1"
- />
- </FileConfiguration>
- <FileConfiguration
- Name="Release|Win32"
- >
- <Tool
- Name="VCCLCompilerTool"
- UsePrecompiledHeader="0"
- />
- </FileConfiguration>
- </File>
- <File
- RelativePath=".\stdafx.h"
- >
- </File>
- <File
- RelativePath=".\target_process.cc"
- >
- </File>
- <File
- RelativePath=".\target_process.h"
- >
- </File>
- <File
- RelativePath=".\target_services.cc"
- >
- </File>
- <File
- RelativePath=".\target_services.h"
- >
- </File>
- <File
- RelativePath=".\win2k_threadpool.cc"
- >
- </File>
- <File
- RelativePath=".\win2k_threadpool.h"
- >
- </File>
- <File
- RelativePath=".\win_utils.cc"
- >
- </File>
- <File
- RelativePath=".\win_utils.h"
- >
- </File>
- </Files>
- <Globals>
- </Globals>
-</VisualStudioProject>
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_factory.h b/security/sandbox/chromium/sandbox/win/src/sandbox_factory.h
deleted file mode 100644
index f5888ffcd..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_factory.h
+++ /dev/null
@@ -1,51 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SANDBOX_FACTORY_H__
-#define SANDBOX_SRC_SANDBOX_FACTORY_H__
-
-#include "base/macros.h"
-#include "sandbox/win/src/sandbox.h"
-
-// SandboxFactory is a set of static methods to get access to the broker
-// or target services object. Only one of the two methods (GetBrokerServices,
-// GetTargetServices) will return a non-null pointer and that should be used
-// as the indication that the process is the broker or the target:
-//
-// BrokerServices* broker_services = SandboxFactory::GetBrokerServices();
-// if (NULL != broker_services) {
-// //we are the broker, call broker api here
-// broker_services->Init();
-// } else {
-// TargetServices* target_services = SandboxFactory::GetTargetServices();
-// if (NULL != target_services) {
-// //we are the target, call target api here
-// target_services->Init();
-// }
-//
-// The methods in this class are expected to be called from a single thread
-//
-// The Sandbox library needs to be linked against the main executable, but
-// sometimes the API calls are issued from a DLL that loads into the exe
-// process. These factory methods then need to be called from the main
-// exe and the interface pointers then can be safely passed to the DLL where
-// the Sandbox API calls are made.
-namespace sandbox {
-
-class SandboxFactory {
- public:
- // Returns the Broker API interface, returns NULL if this process is the
- // target.
- static BrokerServices* GetBrokerServices();
-
- // Returns the Target API interface, returns NULL if this process is the
- // broker.
- static TargetServices* GetTargetServices();
- private:
- DISALLOW_IMPLICIT_CONSTRUCTORS(SandboxFactory);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SANDBOX_FACTORY_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_globals.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_globals.cc
deleted file mode 100644
index b4ab52392..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_globals.cc
+++ /dev/null
@@ -1,18 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <windows.h>
-
-#include "sandbox/win/src/sandbox_nt_types.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace sandbox {
-
-// The section for IPC and policy.
-SANDBOX_INTERCEPT HANDLE g_shared_section = NULL;
-
-// This is the list of all imported symbols from ntdll.dll.
-SANDBOX_INTERCEPT NtExports g_nt = {};
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_types.h b/security/sandbox/chromium/sandbox/win/src/sandbox_nt_types.h
deleted file mode 100644
index a4a88bba7..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_types.h
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SANDBOX_NT_TYPES_H__
-#define SANDBOX_SRC_SANDBOX_NT_TYPES_H__
-
-#include "sandbox/win/src/nt_internals.h"
-
-namespace sandbox {
-
-struct NtExports {
- NtAllocateVirtualMemoryFunction AllocateVirtualMemory;
- NtCloseFunction Close;
- NtDuplicateObjectFunction DuplicateObject;
- NtFreeVirtualMemoryFunction FreeVirtualMemory;
- NtMapViewOfSectionFunction MapViewOfSection;
- NtProtectVirtualMemoryFunction ProtectVirtualMemory;
- NtQueryInformationProcessFunction QueryInformationProcess;
- NtQueryObjectFunction QueryObject;
- NtQuerySectionFunction QuerySection;
- NtQueryVirtualMemoryFunction QueryVirtualMemory;
- NtUnmapViewOfSectionFunction UnmapViewOfSection;
- RtlAllocateHeapFunction RtlAllocateHeap;
- RtlAnsiStringToUnicodeStringFunction RtlAnsiStringToUnicodeString;
- RtlCompareUnicodeStringFunction RtlCompareUnicodeString;
- RtlCreateHeapFunction RtlCreateHeap;
- RtlCreateUserThreadFunction RtlCreateUserThread;
- RtlDestroyHeapFunction RtlDestroyHeap;
- RtlFreeHeapFunction RtlFreeHeap;
- _strnicmpFunction _strnicmp;
- strlenFunction strlen;
- wcslenFunction wcslen;
- memcpyFunction memcpy;
-};
-
-// This is the value used for the ntdll level allocator.
-enum AllocationType {
- NT_ALLOC,
- NT_PAGE
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_SRC_SANDBOX_NT_TYPES_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc
deleted file mode 100644
index 62f2422ca..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.cc
+++ /dev/null
@@ -1,676 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <string>
-
-#include "base/win/pe_image.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/target_services.h"
-
-namespace sandbox {
-
-// This is the list of all imported symbols from ntdll.dll.
-SANDBOX_INTERCEPT NtExports g_nt;
-
-} // namespace sandbox
-
-namespace {
-
-#if defined(_WIN64)
-void* AllocateNearTo(void* source, size_t size) {
- using sandbox::g_nt;
-
- // Start with 1 GB above the source.
- const size_t kOneGB = 0x40000000;
- void* base = reinterpret_cast<char*>(source) + kOneGB;
- SIZE_T actual_size = size;
- ULONG_PTR zero_bits = 0; // Not the correct type if used.
- ULONG type = MEM_RESERVE;
-
- NTSTATUS ret;
- int attempts = 0;
- for (; attempts < 41; attempts++) {
- ret = g_nt.AllocateVirtualMemory(NtCurrentProcess, &base, zero_bits,
- &actual_size, type, PAGE_READWRITE);
- if (NT_SUCCESS(ret)) {
- if (base < source ||
- base >= reinterpret_cast<char*>(source) + 4 * kOneGB) {
- // We won't be able to patch this dll.
- VERIFY_SUCCESS(g_nt.FreeVirtualMemory(NtCurrentProcess, &base, &size,
- MEM_RELEASE));
- return NULL;
- }
- break;
- }
-
- if (attempts == 30) {
- // Try the first GB.
- base = reinterpret_cast<char*>(source);
- } else if (attempts == 40) {
- // Try the highest available address.
- base = NULL;
- type |= MEM_TOP_DOWN;
- }
-
- // Try 100 MB higher.
- base = reinterpret_cast<char*>(base) + 100 * 0x100000;
- }
-
- if (attempts == 41)
- return NULL;
-
- ret = g_nt.AllocateVirtualMemory(NtCurrentProcess, &base, zero_bits,
- &actual_size, MEM_COMMIT, PAGE_READWRITE);
-
- if (!NT_SUCCESS(ret)) {
- VERIFY_SUCCESS(g_nt.FreeVirtualMemory(NtCurrentProcess, &base, &size,
- MEM_RELEASE));
- base = NULL;
- }
-
- return base;
-}
-#else // defined(_WIN64).
-void* AllocateNearTo(void* source, size_t size) {
- using sandbox::g_nt;
-
- // In 32-bit processes allocations below 512k are predictable, so mark
- // anything in that range as reserved and retry until we get a good address.
- const void* const kMinAddress = reinterpret_cast<void*>(512 * 1024);
- NTSTATUS ret;
- SIZE_T actual_size;
- void* base;
- do {
- base = NULL;
- actual_size = 64 * 1024;
- ret = g_nt.AllocateVirtualMemory(NtCurrentProcess, &base, 0, &actual_size,
- MEM_RESERVE, PAGE_NOACCESS);
- if (!NT_SUCCESS(ret))
- return NULL;
- } while (base < kMinAddress);
-
- actual_size = size;
- ret = g_nt.AllocateVirtualMemory(NtCurrentProcess, &base, 0, &actual_size,
- MEM_COMMIT, PAGE_READWRITE);
- if (!NT_SUCCESS(ret))
- return NULL;
- return base;
-}
-#endif // defined(_WIN64).
-
-} // namespace.
-
-namespace sandbox {
-
-// Handle for our private heap.
-void* g_heap = NULL;
-
-SANDBOX_INTERCEPT HANDLE g_shared_section;
-SANDBOX_INTERCEPT size_t g_shared_IPC_size = 0;
-SANDBOX_INTERCEPT size_t g_shared_policy_size = 0;
-
-void* volatile g_shared_policy_memory = NULL;
-void* volatile g_shared_IPC_memory = NULL;
-
-// Both the IPC and the policy share a single region of memory in which the IPC
-// memory is first and the policy memory is last.
-bool MapGlobalMemory() {
- if (NULL == g_shared_IPC_memory) {
- void* memory = NULL;
- SIZE_T size = 0;
- // Map the entire shared section from the start.
- NTSTATUS ret = g_nt.MapViewOfSection(g_shared_section, NtCurrentProcess,
- &memory, 0, 0, NULL, &size, ViewUnmap,
- 0, PAGE_READWRITE);
-
- if (!NT_SUCCESS(ret) || NULL == memory) {
- NOTREACHED_NT();
- return false;
- }
-
- if (NULL != _InterlockedCompareExchangePointer(&g_shared_IPC_memory,
- memory, NULL)) {
- // Somebody beat us to the memory setup.
- VERIFY_SUCCESS(g_nt.UnmapViewOfSection(NtCurrentProcess, memory));
- }
- DCHECK_NT(g_shared_IPC_size > 0);
- g_shared_policy_memory = reinterpret_cast<char*>(g_shared_IPC_memory)
- + g_shared_IPC_size;
- }
- DCHECK_NT(g_shared_policy_memory);
- DCHECK_NT(g_shared_policy_size > 0);
- return true;
-}
-
-void* GetGlobalIPCMemory() {
- if (!MapGlobalMemory())
- return NULL;
- return g_shared_IPC_memory;
-}
-
-void* GetGlobalPolicyMemory() {
- if (!MapGlobalMemory())
- return NULL;
- return g_shared_policy_memory;
-}
-
-bool InitHeap() {
- if (!g_heap) {
- // Create a new heap using default values for everything.
- void* heap = g_nt.RtlCreateHeap(HEAP_GROWABLE, NULL, 0, 0, NULL, NULL);
- if (!heap)
- return false;
-
- if (NULL != _InterlockedCompareExchangePointer(&g_heap, heap, NULL)) {
- // Somebody beat us to the memory setup.
- g_nt.RtlDestroyHeap(heap);
- }
- }
- return (g_heap != NULL);
-}
-
-// Physically reads or writes from memory to verify that (at this time), it is
-// valid. Returns a dummy value.
-int TouchMemory(void* buffer, size_t size_bytes, RequiredAccess intent) {
- const int kPageSize = 4096;
- int dummy = 0;
- char* start = reinterpret_cast<char*>(buffer);
- char* end = start + size_bytes - 1;
-
- if (WRITE == intent) {
- for (; start < end; start += kPageSize) {
- *start = 0;
- }
- *end = 0;
- } else {
- for (; start < end; start += kPageSize) {
- dummy += *start;
- }
- dummy += *end;
- }
-
- return dummy;
-}
-
-bool ValidParameter(void* buffer, size_t size, RequiredAccess intent) {
- DCHECK_NT(size);
- __try {
- TouchMemory(buffer, size, intent);
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- return false;
- }
- return true;
-}
-
-NTSTATUS CopyData(void* destination, const void* source, size_t bytes) {
- NTSTATUS ret = STATUS_SUCCESS;
- __try {
- g_nt.memcpy(destination, source, bytes);
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- ret = GetExceptionCode();
- }
- return ret;
-}
-
-NTSTATUS AllocAndGetFullPath(HANDLE root,
- wchar_t* path,
- wchar_t** full_path) {
- if (!InitHeap())
- return STATUS_NO_MEMORY;
-
- DCHECK_NT(full_path);
- DCHECK_NT(path);
- *full_path = NULL;
- OBJECT_NAME_INFORMATION* handle_name = NULL;
- NTSTATUS ret = STATUS_UNSUCCESSFUL;
- __try {
- do {
- static NtQueryObjectFunction NtQueryObject = NULL;
- if (!NtQueryObject)
- ResolveNTFunctionPtr("NtQueryObject", &NtQueryObject);
-
- ULONG size = 0;
- // Query the name information a first time to get the size of the name.
- ret = NtQueryObject(root, ObjectNameInformation, NULL, 0, &size);
-
- if (size) {
- handle_name = reinterpret_cast<OBJECT_NAME_INFORMATION*>(
- new(NT_ALLOC) BYTE[size]);
-
- // Query the name information a second time to get the name of the
- // object referenced by the handle.
- ret = NtQueryObject(root, ObjectNameInformation, handle_name, size,
- &size);
- }
-
- if (STATUS_SUCCESS != ret)
- break;
-
- // Space for path + '\' + name + '\0'.
- size_t name_length = handle_name->ObjectName.Length +
- (wcslen(path) + 2) * sizeof(wchar_t);
- *full_path = new(NT_ALLOC) wchar_t[name_length/sizeof(wchar_t)];
- if (NULL == *full_path)
- break;
- wchar_t* off = *full_path;
- ret = CopyData(off, handle_name->ObjectName.Buffer,
- handle_name->ObjectName.Length);
- if (!NT_SUCCESS(ret))
- break;
- off += handle_name->ObjectName.Length / sizeof(wchar_t);
- *off = L'\\';
- off += 1;
- ret = CopyData(off, path, wcslen(path) * sizeof(wchar_t));
- if (!NT_SUCCESS(ret))
- break;
- off += wcslen(path);
- *off = L'\0';
- } while (false);
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- ret = GetExceptionCode();
- }
-
- if (!NT_SUCCESS(ret)) {
- if (*full_path) {
- operator delete(*full_path, NT_ALLOC);
- *full_path = NULL;
- }
- if (handle_name) {
- operator delete(handle_name, NT_ALLOC);
- handle_name = NULL;
- }
- }
-
- return ret;
-}
-
-// Hacky code... replace with AllocAndCopyObjectAttributes.
-NTSTATUS AllocAndCopyName(const OBJECT_ATTRIBUTES* in_object,
- wchar_t** out_name,
- uint32_t* attributes,
- HANDLE* root) {
- if (!InitHeap())
- return STATUS_NO_MEMORY;
-
- DCHECK_NT(out_name);
- *out_name = NULL;
- NTSTATUS ret = STATUS_UNSUCCESSFUL;
- __try {
- do {
- if (in_object->RootDirectory != static_cast<HANDLE>(0) && !root)
- break;
- if (NULL == in_object->ObjectName)
- break;
- if (NULL == in_object->ObjectName->Buffer)
- break;
-
- size_t size = in_object->ObjectName->Length + sizeof(wchar_t);
- *out_name = new(NT_ALLOC) wchar_t[size/sizeof(wchar_t)];
- if (NULL == *out_name)
- break;
-
- ret = CopyData(*out_name, in_object->ObjectName->Buffer,
- size - sizeof(wchar_t));
- if (!NT_SUCCESS(ret))
- break;
-
- (*out_name)[size / sizeof(wchar_t) - 1] = L'\0';
-
- if (attributes)
- *attributes = in_object->Attributes;
-
- if (root)
- *root = in_object->RootDirectory;
- ret = STATUS_SUCCESS;
- } while (false);
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- ret = GetExceptionCode();
- }
-
- if (!NT_SUCCESS(ret) && *out_name) {
- operator delete(*out_name, NT_ALLOC);
- *out_name = NULL;
- }
-
- return ret;
-}
-
-NTSTATUS GetProcessId(HANDLE process, DWORD *process_id) {
- PROCESS_BASIC_INFORMATION proc_info;
- ULONG bytes_returned;
-
- NTSTATUS ret = g_nt.QueryInformationProcess(process, ProcessBasicInformation,
- &proc_info, sizeof(proc_info),
- &bytes_returned);
- if (!NT_SUCCESS(ret) || sizeof(proc_info) != bytes_returned)
- return ret;
-
- *process_id = proc_info.UniqueProcessId;
- return STATUS_SUCCESS;
-}
-
-bool IsSameProcess(HANDLE process) {
- if (NtCurrentProcess == process)
- return true;
-
- static DWORD s_process_id = 0;
-
- if (!s_process_id) {
- NTSTATUS ret = GetProcessId(NtCurrentProcess, &s_process_id);
- if (!NT_SUCCESS(ret))
- return false;
- }
-
- DWORD process_id;
- NTSTATUS ret = GetProcessId(process, &process_id);
- if (!NT_SUCCESS(ret))
- return false;
-
- return (process_id == s_process_id);
-}
-
-bool IsValidImageSection(HANDLE section, PVOID *base, PLARGE_INTEGER offset,
- PSIZE_T view_size) {
- if (!section || !base || !view_size || offset)
- return false;
-
- HANDLE query_section;
-
- NTSTATUS ret = g_nt.DuplicateObject(NtCurrentProcess, section,
- NtCurrentProcess, &query_section,
- SECTION_QUERY, 0, 0);
- if (!NT_SUCCESS(ret))
- return false;
-
- SECTION_BASIC_INFORMATION basic_info;
- SIZE_T bytes_returned;
- ret = g_nt.QuerySection(query_section, SectionBasicInformation, &basic_info,
- sizeof(basic_info), &bytes_returned);
-
- VERIFY_SUCCESS(g_nt.Close(query_section));
-
- if (!NT_SUCCESS(ret) || sizeof(basic_info) != bytes_returned)
- return false;
-
- if (!(basic_info.Attributes & SEC_IMAGE))
- return false;
-
- return true;
-}
-
-UNICODE_STRING* AnsiToUnicode(const char* string) {
- ANSI_STRING ansi_string;
- ansi_string.Length = static_cast<USHORT>(g_nt.strlen(string));
- ansi_string.MaximumLength = ansi_string.Length + 1;
- ansi_string.Buffer = const_cast<char*>(string);
-
- if (ansi_string.Length > ansi_string.MaximumLength)
- return NULL;
-
- size_t name_bytes = ansi_string.MaximumLength * sizeof(wchar_t) +
- sizeof(UNICODE_STRING);
-
- UNICODE_STRING* out_string = reinterpret_cast<UNICODE_STRING*>(
- new(NT_ALLOC) char[name_bytes]);
- if (!out_string)
- return NULL;
-
- out_string->MaximumLength = ansi_string.MaximumLength * sizeof(wchar_t);
- out_string->Buffer = reinterpret_cast<wchar_t*>(&out_string[1]);
-
- BOOLEAN alloc_destination = FALSE;
- NTSTATUS ret = g_nt.RtlAnsiStringToUnicodeString(out_string, &ansi_string,
- alloc_destination);
- DCHECK_NT(STATUS_BUFFER_OVERFLOW != ret);
- if (!NT_SUCCESS(ret)) {
- operator delete(out_string, NT_ALLOC);
- return NULL;
- }
-
- return out_string;
-}
-
-UNICODE_STRING* GetImageInfoFromModule(HMODULE module, uint32_t* flags) {
- // PEImage's dtor won't be run during SEH unwinding, but that's OK.
-#pragma warning(push)
-#pragma warning(disable: 4509)
- UNICODE_STRING* out_name = NULL;
- __try {
- do {
- *flags = 0;
- base::win::PEImage pe(module);
-
- if (!pe.VerifyMagic())
- break;
- *flags |= MODULE_IS_PE_IMAGE;
-
- PIMAGE_EXPORT_DIRECTORY exports = pe.GetExportDirectory();
- if (exports) {
- char* name = reinterpret_cast<char*>(pe.RVAToAddr(exports->Name));
- out_name = AnsiToUnicode(name);
- }
-
- PIMAGE_NT_HEADERS headers = pe.GetNTHeaders();
- if (headers) {
- if (headers->OptionalHeader.AddressOfEntryPoint)
- *flags |= MODULE_HAS_ENTRY_POINT;
- if (headers->OptionalHeader.SizeOfCode)
- *flags |= MODULE_HAS_CODE;
- }
- } while (false);
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- }
-
- return out_name;
-#pragma warning(pop)
-}
-
-UNICODE_STRING* GetBackingFilePath(PVOID address) {
- // We'll start with something close to max_path charactes for the name.
- SIZE_T buffer_bytes = MAX_PATH * 2;
-
- for (;;) {
- MEMORY_SECTION_NAME* section_name = reinterpret_cast<MEMORY_SECTION_NAME*>(
- new(NT_ALLOC) char[buffer_bytes]);
-
- if (!section_name)
- return NULL;
-
- SIZE_T returned_bytes;
- NTSTATUS ret = g_nt.QueryVirtualMemory(NtCurrentProcess, address,
- MemorySectionName, section_name,
- buffer_bytes, &returned_bytes);
-
- if (STATUS_BUFFER_OVERFLOW == ret) {
- // Retry the call with the given buffer size.
- operator delete(section_name, NT_ALLOC);
- section_name = NULL;
- buffer_bytes = returned_bytes;
- continue;
- }
- if (!NT_SUCCESS(ret)) {
- operator delete(section_name, NT_ALLOC);
- return NULL;
- }
-
- return reinterpret_cast<UNICODE_STRING*>(section_name);
- }
-}
-
-UNICODE_STRING* ExtractModuleName(const UNICODE_STRING* module_path) {
- if ((!module_path) || (!module_path->Buffer))
- return NULL;
-
- wchar_t* sep = NULL;
- int start_pos = module_path->Length / sizeof(wchar_t) - 1;
- int ix = start_pos;
-
- for (; ix >= 0; --ix) {
- if (module_path->Buffer[ix] == L'\\') {
- sep = &module_path->Buffer[ix];
- break;
- }
- }
-
- // Ends with path separator. Not a valid module name.
- if ((ix == start_pos) && sep)
- return NULL;
-
- // No path separator found. Use the entire name.
- if (!sep) {
- sep = &module_path->Buffer[-1];
- }
-
- // Add one to the size so we can null terminate the string.
- size_t size_bytes = (start_pos - ix + 1) * sizeof(wchar_t);
-
- // Based on the code above, size_bytes should always be small enough
- // to make the static_cast below safe.
- DCHECK_NT(UINT16_MAX > size_bytes);
- char* str_buffer = new(NT_ALLOC) char[size_bytes + sizeof(UNICODE_STRING)];
- if (!str_buffer)
- return NULL;
-
- UNICODE_STRING* out_string = reinterpret_cast<UNICODE_STRING*>(str_buffer);
- out_string->Buffer = reinterpret_cast<wchar_t*>(&out_string[1]);
- out_string->Length = static_cast<USHORT>(size_bytes - sizeof(wchar_t));
- out_string->MaximumLength = static_cast<USHORT>(size_bytes);
-
- NTSTATUS ret = CopyData(out_string->Buffer, &sep[1], out_string->Length);
- if (!NT_SUCCESS(ret)) {
- operator delete(out_string, NT_ALLOC);
- return NULL;
- }
-
- out_string->Buffer[out_string->Length / sizeof(wchar_t)] = L'\0';
- return out_string;
-}
-
-NTSTATUS AutoProtectMemory::ChangeProtection(void* address, size_t bytes,
- ULONG protect) {
- DCHECK_NT(!changed_);
- SIZE_T new_bytes = bytes;
- NTSTATUS ret = g_nt.ProtectVirtualMemory(NtCurrentProcess, &address,
- &new_bytes, protect, &old_protect_);
- if (NT_SUCCESS(ret)) {
- changed_ = true;
- address_ = address;
- bytes_ = new_bytes;
- }
-
- return ret;
-}
-
-NTSTATUS AutoProtectMemory::RevertProtection() {
- if (!changed_)
- return STATUS_SUCCESS;
-
- DCHECK_NT(address_);
- DCHECK_NT(bytes_);
-
- SIZE_T new_bytes = bytes_;
- NTSTATUS ret = g_nt.ProtectVirtualMemory(NtCurrentProcess, &address_,
- &new_bytes, old_protect_,
- &old_protect_);
- DCHECK_NT(NT_SUCCESS(ret));
-
- changed_ = false;
- address_ = NULL;
- bytes_ = 0;
- old_protect_ = 0;
-
- return ret;
-}
-
-bool IsSupportedRenameCall(FILE_RENAME_INFORMATION* file_info,
- DWORD length,
- uint32_t file_info_class) {
- if (FileRenameInformation != file_info_class)
- return false;
-
- if (length < sizeof(FILE_RENAME_INFORMATION))
- return false;
-
- // Make sure file name length doesn't exceed the message length
- if (length - offsetof(FILE_RENAME_INFORMATION, FileName) <
- file_info->FileNameLength)
- return false;
-
- // We don't support a root directory.
- if (file_info->RootDirectory)
- return false;
-
- static const wchar_t kPathPrefix[] = { L'\\', L'?', L'?', L'\\'};
-
- // Check if it starts with \\??\\. We don't support relative paths.
- if (file_info->FileNameLength < sizeof(kPathPrefix) ||
- file_info->FileNameLength > UINT16_MAX)
- return false;
-
- if (file_info->FileName[0] != kPathPrefix[0] ||
- file_info->FileName[1] != kPathPrefix[1] ||
- file_info->FileName[2] != kPathPrefix[2] ||
- file_info->FileName[3] != kPathPrefix[3])
- return false;
-
- return true;
-}
-
-} // namespace sandbox
-
-void* operator new(size_t size, sandbox::AllocationType type,
- void* near_to) {
- void* result = NULL;
- if (type == sandbox::NT_ALLOC) {
- if (sandbox::InitHeap()) {
- // Use default flags for the allocation.
- result = sandbox::g_nt.RtlAllocateHeap(sandbox::g_heap, 0, size);
- }
- } else if (type == sandbox::NT_PAGE) {
- result = AllocateNearTo(near_to, size);
- } else {
- NOTREACHED_NT();
- }
-
- // TODO: Returning NULL from operator new has undefined behavior, but
- // the Allocate() functions called above can return NULL. Consider checking
- // for NULL here and crashing or throwing.
-
- return result;
-}
-
-void operator delete(void* memory, sandbox::AllocationType type) {
- if (type == sandbox::NT_ALLOC) {
- // Use default flags.
- VERIFY(sandbox::g_nt.RtlFreeHeap(sandbox::g_heap, 0, memory));
- } else if (type == sandbox::NT_PAGE) {
- void* base = memory;
- SIZE_T size = 0;
- VERIFY_SUCCESS(sandbox::g_nt.FreeVirtualMemory(NtCurrentProcess, &base,
- &size, MEM_RELEASE));
- } else {
- NOTREACHED_NT();
- }
-}
-
-void operator delete(void* memory,
- sandbox::AllocationType type,
- void* near_to) {
- operator delete(memory, type);
-}
-
-void* __cdecl operator new(size_t size,
- void* buffer,
- sandbox::AllocationType type) {
- return buffer;
-}
-
-void __cdecl operator delete(void* memory,
- void* buffer,
- sandbox::AllocationType type) {}
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.h b/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.h
deleted file mode 100644
index 3e0238206..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_nt_util.h
+++ /dev/null
@@ -1,196 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SANDBOX_NT_UTIL_H_
-#define SANDBOX_SRC_SANDBOX_NT_UTIL_H_
-
-#include <intrin.h>
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_nt_types.h"
-
-// Placement new and delete to be used from ntdll interception code.
-void* __cdecl operator new(size_t size, sandbox::AllocationType type,
- void* near_to = NULL);
-void __cdecl operator delete(void* memory, sandbox::AllocationType type);
-// Add operator delete that matches the placement form of the operator new
-// above. This is required by compiler to generate code to call operator delete
-// in case the object's constructor throws an exception.
-// See http://msdn.microsoft.com/en-us/library/cxdxz3x6.aspx
-void __cdecl operator delete(void* memory, sandbox::AllocationType type,
- void* near_to);
-
-// Regular placement new and delete
-void* __cdecl operator new(size_t size, void* buffer,
- sandbox::AllocationType type);
-void __cdecl operator delete(void* memory, void* buffer,
- sandbox::AllocationType type);
-
-// DCHECK_NT is defined to be pretty much an assert at this time because we
-// don't have logging from the ntdll layer on the child.
-//
-// VERIFY_NT and VERIFY_SUCCESS are the standard asserts on debug, but
-// execute the actual argument on release builds. VERIFY_NT expects an action
-// returning a bool, while VERIFY_SUCCESS expects an action returning
-// NTSTATUS.
-#ifndef NDEBUG
-#define DCHECK_NT(condition) { (condition) ? (void)0 : __debugbreak(); }
-#define VERIFY(action) DCHECK_NT(action)
-#define VERIFY_SUCCESS(action) DCHECK_NT(NT_SUCCESS(action))
-#else
-#define DCHECK_NT(condition)
-#define VERIFY(action) (action)
-#define VERIFY_SUCCESS(action) (action)
-#endif
-
-#define CHECK_NT(condition) { (condition) ? (void)0 : __debugbreak(); }
-
-#define NOTREACHED_NT() DCHECK_NT(false)
-
-namespace sandbox {
-
-#if defined(_M_X64)
-#pragma intrinsic(_InterlockedCompareExchange)
-#pragma intrinsic(_InterlockedCompareExchangePointer)
-
-#elif defined(_M_IX86)
-extern "C" long _InterlockedCompareExchange(long volatile* destination,
- long exchange, long comperand);
-
-#pragma intrinsic(_InterlockedCompareExchange)
-
-// We want to make sure that we use an intrinsic version of the function, not
-// the one provided by kernel32.
-__forceinline void* _InterlockedCompareExchangePointer(
- void* volatile* destination, void* exchange, void* comperand) {
- size_t ret = _InterlockedCompareExchange(
- reinterpret_cast<long volatile*>(destination),
- static_cast<long>(reinterpret_cast<size_t>(exchange)),
- static_cast<long>(reinterpret_cast<size_t>(comperand)));
-
- return reinterpret_cast<void*>(static_cast<size_t>(ret));
-}
-
-#else
-#error Architecture not supported.
-
-#endif
-
-// Returns a pointer to the IPC shared memory.
-void* GetGlobalIPCMemory();
-
-// Returns a pointer to the Policy shared memory.
-void* GetGlobalPolicyMemory();
-
-enum RequiredAccess {
- READ,
- WRITE
-};
-
-// Performs basic user mode buffer validation. In any case, buffers access must
-// be protected by SEH. intent specifies if the buffer should be tested for read
-// or write.
-// Note that write intent implies destruction of the buffer content (we actually
-// write)
-bool ValidParameter(void* buffer, size_t size, RequiredAccess intent);
-
-// Copies data from a user buffer to our buffer. Returns the operation status.
-NTSTATUS CopyData(void* destination, const void* source, size_t bytes);
-
-// Copies the name from an object attributes.
-NTSTATUS AllocAndCopyName(const OBJECT_ATTRIBUTES* in_object,
- wchar_t** out_name,
- uint32_t* attributes,
- HANDLE* root);
-
-// Determine full path name from object root and path.
-NTSTATUS AllocAndGetFullPath(HANDLE root,
- wchar_t* path,
- wchar_t** full_path);
-
-// Initializes our ntdll level heap
-bool InitHeap();
-
-// Returns true if the provided handle refers to the current process.
-bool IsSameProcess(HANDLE process);
-
-enum MappedModuleFlags {
- MODULE_IS_PE_IMAGE = 1, // Module is an executable.
- MODULE_HAS_ENTRY_POINT = 2, // Execution entry point found.
- MODULE_HAS_CODE = 4 // Non zero size of executable sections.
-};
-
-// Returns the name and characteristics for a given PE module. The return
-// value is the name as defined by the export table and the flags is any
-// combination of the MappedModuleFlags enumeration.
-//
-// The returned buffer must be freed with a placement delete from the ntdll
-// level allocator:
-//
-// UNICODE_STRING* name = GetPEImageInfoFromModule(HMODULE module, &flags);
-// if (!name) {
-// // probably not a valid dll
-// return;
-// }
-// InsertYourLogicHere(name);
-// operator delete(name, NT_ALLOC);
-UNICODE_STRING* GetImageInfoFromModule(HMODULE module, uint32_t* flags);
-
-// Returns the full path and filename for a given dll.
-// May return NULL if the provided address is not backed by a named section, or
-// if the current OS version doesn't support the call. The returned buffer must
-// be freed with a placement delete (see GetImageNameFromModule example).
-UNICODE_STRING* GetBackingFilePath(PVOID address);
-
-// Returns the last component of a path that contains the module name.
-// It will return NULL if the path ends with the path separator. The returned
-// buffer must be freed with a placement delete (see GetImageNameFromModule
-// example).
-UNICODE_STRING* ExtractModuleName(const UNICODE_STRING* module_path);
-
-// Returns true if the parameters correspond to a dll mapped as code.
-bool IsValidImageSection(HANDLE section, PVOID *base, PLARGE_INTEGER offset,
- PSIZE_T view_size);
-
-// Converts an ansi string to an UNICODE_STRING.
-UNICODE_STRING* AnsiToUnicode(const char* string);
-
-// Provides a simple way to temporarily change the protection of a memory page.
-class AutoProtectMemory {
- public:
- AutoProtectMemory()
- : changed_(false), address_(NULL), bytes_(0), old_protect_(0) {}
-
- ~AutoProtectMemory() {
- RevertProtection();
- }
-
- // Sets the desired protection of a given memory range.
- NTSTATUS ChangeProtection(void* address, size_t bytes, ULONG protect);
-
- // Restores the original page protection.
- NTSTATUS RevertProtection();
-
- private:
- bool changed_;
- void* address_;
- size_t bytes_;
- ULONG old_protect_;
-
- DISALLOW_COPY_AND_ASSIGN(AutoProtectMemory);
-};
-
-// Returns true if the file_rename_information structure is supported by our
-// rename handler.
-bool IsSupportedRenameCall(FILE_RENAME_INFORMATION* file_info,
- DWORD length,
- uint32_t file_info_class);
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_SRC_SANDBOX_NT_UTIL_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
deleted file mode 100644
index cc39c6283..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy.h
+++ /dev/null
@@ -1,259 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
-#define SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include <string>
-
-#include "base/strings/string16.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/security_level.h"
-
-namespace sandbox {
-
-class TargetPolicy {
- public:
- // Windows subsystems that can have specific rules.
- // Note: The process subsystem(SUBSY_PROCESS) does not evaluate the request
- // exactly like the CreateProcess API does. See the comment at the top of
- // process_thread_dispatcher.cc for more details.
- enum SubSystem {
- SUBSYS_FILES, // Creation and opening of files and pipes.
- SUBSYS_NAMED_PIPES, // Creation of named pipes.
- SUBSYS_PROCESS, // Creation of child processes.
- SUBSYS_REGISTRY, // Creation and opening of registry keys.
- SUBSYS_SYNC, // Creation of named sync objects.
- SUBSYS_HANDLES, // Duplication of handles to other processes.
- SUBSYS_WIN32K_LOCKDOWN // Win32K Lockdown related policy.
- };
-
- // Allowable semantics when a rule is matched.
- enum Semantics {
- FILES_ALLOW_ANY, // Allows open or create for any kind of access that
- // the file system supports.
- FILES_ALLOW_READONLY, // Allows open or create with read access only.
- FILES_ALLOW_QUERY, // Allows access to query the attributes of a file.
- FILES_ALLOW_DIR_ANY, // Allows open or create with directory semantics
- // only.
- HANDLES_DUP_ANY, // Allows duplicating handles opened with any
- // access permissions.
- HANDLES_DUP_BROKER, // Allows duplicating handles to the broker process.
- NAMEDPIPES_ALLOW_ANY, // Allows creation of a named pipe.
- PROCESS_MIN_EXEC, // Allows to create a process with minimal rights
- // over the resulting process and thread handles.
- // No other parameters besides the command line are
- // passed to the child process.
- PROCESS_ALL_EXEC, // Allows the creation of a process and return fill
- // access on the returned handles.
- // This flag can be used only when the main token of
- // the sandboxed application is at least INTERACTIVE.
- EVENTS_ALLOW_ANY, // Allows the creation of an event with full access.
- EVENTS_ALLOW_READONLY, // Allows opening an even with synchronize access.
- REG_ALLOW_READONLY, // Allows readonly access to a registry key.
- REG_ALLOW_ANY, // Allows read and write access to a registry key.
- FAKE_USER_GDI_INIT // Fakes user32 and gdi32 initialization. This can
- // be used to allow the DLLs to load and initialize
- // even if the process cannot access that subsystem.
- };
-
- // Increments the reference count of this object. The reference count must
- // be incremented if this interface is given to another component.
- virtual void AddRef() = 0;
-
- // Decrements the reference count of this object. When the reference count
- // is zero the object is automatically destroyed.
- // Indicates that the caller is done with this interface. After calling
- // release no other method should be called.
- virtual void Release() = 0;
-
- // Sets the security level for the target process' two tokens.
- // This setting is permanent and cannot be changed once the target process is
- // spawned.
- // initial: the security level for the initial token. This is the token that
- // is used by the process from the creation of the process until the moment
- // the process calls TargetServices::LowerToken() or the process calls
- // win32's RevertToSelf(). Once this happens the initial token is no longer
- // available and the lockdown token is in effect. Using an initial token is
- // not compatible with AppContainer, see SetAppContainer.
- // lockdown: the security level for the token that comes into force after the
- // process calls TargetServices::LowerToken() or the process calls
- // RevertToSelf(). See the explanation of each level in the TokenLevel
- // definition.
- // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
- // Returns false if the lockdown value is more permissive than the initial
- // value.
- //
- // Important: most of the sandbox-provided security relies on this single
- // setting. The caller should strive to set the lockdown level as restricted
- // as possible.
- virtual ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) = 0;
-
- // Returns the initial token level.
- virtual TokenLevel GetInitialTokenLevel() const = 0;
-
- // Returns the lockdown token level.
- virtual TokenLevel GetLockdownTokenLevel() const = 0;
-
- // Sets the security level of the Job Object to which the target process will
- // belong. This setting is permanent and cannot be changed once the target
- // process is spawned. The job controls the global security settings which
- // can not be specified in the token security profile.
- // job_level: the security level for the job. See the explanation of each
- // level in the JobLevel definition.
- // ui_exceptions: specify what specific rights that are disabled in the
- // chosen job_level that need to be granted. Use this parameter to avoid
- // selecting the next permissive job level unless you need all the rights
- // that are granted in such level.
- // The exceptions can be specified as a combination of the following
- // constants:
- // JOB_OBJECT_UILIMIT_HANDLES : grant access to all user-mode handles. These
- // include windows, icons, menus and various GDI objects. In addition the
- // target process can set hooks, and broadcast messages to other processes
- // that belong to the same desktop.
- // JOB_OBJECT_UILIMIT_READCLIPBOARD : grant read-only access to the clipboard.
- // JOB_OBJECT_UILIMIT_WRITECLIPBOARD : grant write access to the clipboard.
- // JOB_OBJECT_UILIMIT_SYSTEMPARAMETERS : allow changes to the system-wide
- // parameters as defined by the Win32 call SystemParametersInfo().
- // JOB_OBJECT_UILIMIT_DISPLAYSETTINGS : allow programmatic changes to the
- // display settings.
- // JOB_OBJECT_UILIMIT_GLOBALATOMS : allow access to the global atoms table.
- // JOB_OBJECT_UILIMIT_DESKTOP : allow the creation of new desktops.
- // JOB_OBJECT_UILIMIT_EXITWINDOWS : allow the call to ExitWindows().
- //
- // Return value: SBOX_ALL_OK if the setting succeeds and false otherwise.
- //
- // Note: JOB_OBJECT_XXXX constants are defined in winnt.h and documented at
- // length in:
- // http://msdn2.microsoft.com/en-us/library/ms684152.aspx
- //
- // Note: the recommended level is JOB_RESTRICTED or JOB_LOCKDOWN.
- virtual ResultCode SetJobLevel(JobLevel job_level,
- uint32_t ui_exceptions) = 0;
-
- // Sets a hard limit on the size of the commit set for the sandboxed process.
- // If the limit is reached, the process will be terminated with
- // SBOX_FATAL_MEMORY_EXCEEDED (7012).
- virtual ResultCode SetJobMemoryLimit(size_t memory_limit) = 0;
-
- // Specifies the desktop on which the application is going to run. If the
- // desktop does not exist, it will be created. If alternate_winstation is
- // set to true, the desktop will be created on an alternate window station.
- virtual ResultCode SetAlternateDesktop(bool alternate_winstation) = 0;
-
- // Returns the name of the alternate desktop used. If an alternate window
- // station is specified, the name is prepended by the window station name,
- // followed by a backslash.
- virtual base::string16 GetAlternateDesktop() const = 0;
-
- // Precreates the desktop and window station, if any.
- virtual ResultCode CreateAlternateDesktop(bool alternate_winstation) = 0;
-
- // Destroys the desktop and windows station.
- virtual void DestroyAlternateDesktop() = 0;
-
- // Sets the integrity level of the process in the sandbox. Both the initial
- // token and the main token will be affected by this. If the integrity level
- // is set to a level higher than the current level, the sandbox will fail
- // to start.
- virtual ResultCode SetIntegrityLevel(IntegrityLevel level) = 0;
-
- // Returns the initial integrity level used.
- virtual IntegrityLevel GetIntegrityLevel() const = 0;
-
- // Sets the integrity level of the process in the sandbox. The integrity level
- // will not take effect before you call LowerToken. User Interface Privilege
- // Isolation is not affected by this setting and will remain off for the
- // process in the sandbox. If the integrity level is set to a level higher
- // than the current level, the sandbox will fail to start.
- virtual ResultCode SetDelayedIntegrityLevel(IntegrityLevel level) = 0;
-
- // Sets the AppContainer to be used for the sandboxed process. Any capability
- // to be enabled for the process should be added before this method is invoked
- // (by calling SetCapability() as many times as needed).
- // The desired AppContainer must be already installed on the system, otherwise
- // launching the sandboxed process will fail. See BrokerServices for details
- // about installing an AppContainer.
- // Note that currently Windows restricts the use of impersonation within
- // AppContainers, so this function is incompatible with the use of an initial
- // token.
- virtual ResultCode SetAppContainer(const wchar_t* sid) = 0;
-
- // Sets a capability to be enabled for the sandboxed process' AppContainer.
- virtual ResultCode SetCapability(const wchar_t* sid) = 0;
-
- // Sets the LowBox token for sandboxed process. This is mutually exclusive
- // with SetAppContainer method.
- virtual ResultCode SetLowBox(const wchar_t* sid) = 0;
-
- // Sets the mitigations enabled when the process is created. Most of these
- // are implemented as attributes passed via STARTUPINFOEX. So they take
- // effect before any thread in the target executes. The declaration of
- // MitigationFlags is followed by a detailed description of each flag.
- virtual ResultCode SetProcessMitigations(MitigationFlags flags) = 0;
-
- // Returns the currently set mitigation flags.
- virtual MitigationFlags GetProcessMitigations() = 0;
-
- // Sets process mitigation flags that don't take effect before the call to
- // LowerToken().
- virtual ResultCode SetDelayedProcessMitigations(MitigationFlags flags) = 0;
-
- // Returns the currently set delayed mitigation flags.
- virtual MitigationFlags GetDelayedProcessMitigations() const = 0;
-
- // Sets the interceptions to operate in strict mode. By default, interceptions
- // are performed in "relaxed" mode, where if something inside NTDLL.DLL is
- // already patched we attempt to intercept it anyway. Setting interceptions
- // to strict mode means that when we detect that the function is patched we'll
- // refuse to perform the interception.
- virtual void SetStrictInterceptions() = 0;
-
- // Set the handles the target process should inherit for stdout and
- // stderr. The handles the caller passes must remain valid for the
- // lifetime of the policy object. This only has an effect on
- // Windows Vista and later versions. These methods accept pipe and
- // file handles, but not console handles.
- virtual ResultCode SetStdoutHandle(HANDLE handle) = 0;
- virtual ResultCode SetStderrHandle(HANDLE handle) = 0;
-
- // Adds a policy rule effective for processes spawned using this policy.
- // subsystem: One of the above enumerated windows subsystems.
- // semantics: One of the above enumerated FileSemantics.
- // pattern: A specific full path or a full path with wildcard patterns.
- // The valid wildcards are:
- // '*' : Matches zero or more character. Only one in series allowed.
- // '?' : Matches a single character. One or more in series are allowed.
- // Examples:
- // "c:\\documents and settings\\vince\\*.dmp"
- // "c:\\documents and settings\\*\\crashdumps\\*.dmp"
- // "c:\\temp\\app_log_?????_chrome.txt"
- virtual ResultCode AddRule(SubSystem subsystem, Semantics semantics,
- const wchar_t* pattern) = 0;
-
- // Adds a dll that will be unloaded in the target process before it gets
- // a chance to initialize itself. Typically, dlls that cause the target
- // to crash go here.
- virtual ResultCode AddDllToUnload(const wchar_t* dll_name) = 0;
-
- // Adds a handle that will be closed in the target process after lockdown.
- // A NULL value for handle_name indicates all handles of the specified type.
- // An empty string for handle_name indicates the handle is unnamed.
- virtual ResultCode AddKernelObjectToClose(const wchar_t* handle_type,
- const wchar_t* handle_name) = 0;
-
- // Adds a handle that will be shared with the target process.
- // Returns the handle which was actually shared with the target. This is
- // achieved by duplicating the handle to ensure that it is inheritable by
- // the target. The caller should treat this as an opaque value.
- virtual void* AddHandleToShare(HANDLE handle) = 0;
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
deleted file mode 100644
index 28662b42d..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.cc
+++ /dev/null
@@ -1,770 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-#include <sddl.h>
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/callback.h"
-#include "base/logging.h"
-#include "base/macros.h"
-#include "base/stl_util.h"
-#include "base/strings/stringprintf.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/app_container.h"
-#include "sandbox/win/src/filesystem_policy.h"
-#include "sandbox/win/src/handle_policy.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/job.h"
-#include "sandbox/win/src/named_pipe_policy.h"
-#include "sandbox/win/src/policy_broker.h"
-#include "sandbox/win/src/policy_engine_processor.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/process_mitigations.h"
-#include "sandbox/win/src/process_mitigations_win32k_policy.h"
-#include "sandbox/win/src/process_thread_policy.h"
-#include "sandbox/win/src/registry_policy.h"
-#include "sandbox/win/src/restricted_token_utils.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/sandbox_utils.h"
-#include "sandbox/win/src/sync_policy.h"
-#include "sandbox/win/src/target_process.h"
-#include "sandbox/win/src/top_level_dispatcher.h"
-#include "sandbox/win/src/window.h"
-
-namespace {
-
-// The standard windows size for one memory page.
-const size_t kOneMemPage = 4096;
-// The IPC and Policy shared memory sizes.
-const size_t kIPCMemSize = kOneMemPage * 2;
-const size_t kPolMemSize = kOneMemPage * 14;
-
-// Helper function to allocate space (on the heap) for policy.
-sandbox::PolicyGlobal* MakeBrokerPolicyMemory() {
- const size_t kTotalPolicySz = kPolMemSize;
- sandbox::PolicyGlobal* policy = static_cast<sandbox::PolicyGlobal*>
- (::operator new(kTotalPolicySz));
- DCHECK(policy);
- memset(policy, 0, kTotalPolicySz);
- policy->data_size = kTotalPolicySz - sizeof(sandbox::PolicyGlobal);
- return policy;
-}
-
-bool IsInheritableHandle(HANDLE handle) {
- if (!handle)
- return false;
- if (handle == INVALID_HANDLE_VALUE)
- return false;
- // File handles (FILE_TYPE_DISK) and pipe handles are known to be
- // inheritable. Console handles (FILE_TYPE_CHAR) are not
- // inheritable via PROC_THREAD_ATTRIBUTE_HANDLE_LIST.
- DWORD handle_type = GetFileType(handle);
- return handle_type == FILE_TYPE_DISK || handle_type == FILE_TYPE_PIPE;
-}
-
-HANDLE CreateLowBoxObjectDirectory(PSID lowbox_sid) {
- DWORD session_id = 0;
- if (!::ProcessIdToSessionId(::GetCurrentProcessId(), &session_id))
- return NULL;
-
- LPWSTR sid_string = NULL;
- if (!::ConvertSidToStringSid(lowbox_sid, &sid_string))
- return NULL;
-
- base::string16 directory_path = base::StringPrintf(
- L"\\Sessions\\%d\\AppContainerNamedObjects\\%ls",
- session_id, sid_string).c_str();
- ::LocalFree(sid_string);
-
- NtCreateDirectoryObjectFunction CreateObjectDirectory = NULL;
- ResolveNTFunctionPtr("NtCreateDirectoryObject", &CreateObjectDirectory);
-
- OBJECT_ATTRIBUTES obj_attr;
- UNICODE_STRING obj_name;
- sandbox::InitObjectAttribs(directory_path,
- OBJ_CASE_INSENSITIVE | OBJ_OPENIF,
- NULL,
- &obj_attr,
- &obj_name,
- NULL);
-
- HANDLE handle = NULL;
- NTSTATUS status = CreateObjectDirectory(&handle,
- DIRECTORY_ALL_ACCESS,
- &obj_attr);
-
- if (!NT_SUCCESS(status))
- return NULL;
-
- return handle;
-}
-
-} // namespace
-
-namespace sandbox {
-
-SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level;
-SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations;
-
-// Initializes static members.
-HWINSTA PolicyBase::alternate_winstation_handle_ = NULL;
-HDESK PolicyBase::alternate_desktop_handle_ = NULL;
-IntegrityLevel PolicyBase::alternate_desktop_integrity_level_label_ =
- INTEGRITY_LEVEL_SYSTEM;
-
-PolicyBase::PolicyBase()
- : ref_count(1),
- lockdown_level_(USER_LOCKDOWN),
- initial_level_(USER_LOCKDOWN),
- job_level_(JOB_LOCKDOWN),
- ui_exceptions_(0),
- memory_limit_(0),
- use_alternate_desktop_(false),
- use_alternate_winstation_(false),
- file_system_init_(false),
- relaxed_interceptions_(true),
- stdout_handle_(INVALID_HANDLE_VALUE),
- stderr_handle_(INVALID_HANDLE_VALUE),
- integrity_level_(INTEGRITY_LEVEL_LAST),
- delayed_integrity_level_(INTEGRITY_LEVEL_LAST),
- mitigations_(0),
- delayed_mitigations_(0),
- policy_maker_(NULL),
- policy_(NULL),
- lowbox_sid_(NULL) {
- ::InitializeCriticalSection(&lock_);
- dispatcher_.reset(new TopLevelDispatcher(this));
-}
-
-PolicyBase::~PolicyBase() {
- ClearSharedHandles();
-
- TargetSet::iterator it;
- for (it = targets_.begin(); it != targets_.end(); ++it) {
- TargetProcess* target = (*it);
- delete target;
- }
- delete policy_maker_;
- delete policy_;
-
- if (lowbox_sid_)
- ::LocalFree(lowbox_sid_);
-
- ::DeleteCriticalSection(&lock_);
-}
-
-void PolicyBase::AddRef() {
- ::InterlockedIncrement(&ref_count);
-}
-
-void PolicyBase::Release() {
- if (0 == ::InterlockedDecrement(&ref_count))
- delete this;
-}
-
-ResultCode PolicyBase::SetTokenLevel(TokenLevel initial, TokenLevel lockdown) {
- if (initial < lockdown) {
- return SBOX_ERROR_BAD_PARAMS;
- }
- initial_level_ = initial;
- lockdown_level_ = lockdown;
- return SBOX_ALL_OK;
-}
-
-TokenLevel PolicyBase::GetInitialTokenLevel() const {
- return initial_level_;
-}
-
-TokenLevel PolicyBase::GetLockdownTokenLevel() const{
- return lockdown_level_;
-}
-
-ResultCode PolicyBase::SetJobLevel(JobLevel job_level, uint32_t ui_exceptions) {
- if (memory_limit_ && job_level == JOB_NONE) {
- return SBOX_ERROR_BAD_PARAMS;
- }
- job_level_ = job_level;
- ui_exceptions_ = ui_exceptions;
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::SetJobMemoryLimit(size_t memory_limit) {
- if (memory_limit && job_level_ == JOB_NONE) {
- return SBOX_ERROR_BAD_PARAMS;
- }
- memory_limit_ = memory_limit;
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::SetAlternateDesktop(bool alternate_winstation) {
- use_alternate_desktop_ = true;
- use_alternate_winstation_ = alternate_winstation;
- return CreateAlternateDesktop(alternate_winstation);
-}
-
-base::string16 PolicyBase::GetAlternateDesktop() const {
- // No alternate desktop or winstation. Return an empty string.
- if (!use_alternate_desktop_ && !use_alternate_winstation_) {
- return base::string16();
- }
-
- // The desktop and winstation should have been created by now.
- // If we hit this scenario, it means that the user ignored the failure
- // during SetAlternateDesktop, so we ignore it here too.
- if (use_alternate_desktop_ && !alternate_desktop_handle_) {
- return base::string16();
- }
- if (use_alternate_winstation_ && (!alternate_desktop_handle_ ||
- !alternate_winstation_handle_)) {
- return base::string16();
- }
-
- return GetFullDesktopName(alternate_winstation_handle_,
- alternate_desktop_handle_);
-}
-
-ResultCode PolicyBase::CreateAlternateDesktop(bool alternate_winstation) {
- if (alternate_winstation) {
- // Previously called with alternate_winstation = false?
- if (!alternate_winstation_handle_ && alternate_desktop_handle_)
- return SBOX_ERROR_UNSUPPORTED;
-
- // Check if it's already created.
- if (alternate_winstation_handle_ && alternate_desktop_handle_)
- return SBOX_ALL_OK;
-
- DCHECK(!alternate_winstation_handle_);
- // Create the window station.
- ResultCode result = CreateAltWindowStation(&alternate_winstation_handle_);
- if (SBOX_ALL_OK != result)
- return result;
-
- // Verify that everything is fine.
- if (!alternate_winstation_handle_ ||
- GetWindowObjectName(alternate_winstation_handle_).empty())
- return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
-
- // Create the destkop.
- result = CreateAltDesktop(alternate_winstation_handle_,
- &alternate_desktop_handle_);
- if (SBOX_ALL_OK != result)
- return result;
-
- // Verify that everything is fine.
- if (!alternate_desktop_handle_ ||
- GetWindowObjectName(alternate_desktop_handle_).empty())
- return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
- } else {
- // Previously called with alternate_winstation = true?
- if (alternate_winstation_handle_)
- return SBOX_ERROR_UNSUPPORTED;
-
- // Check if it already exists.
- if (alternate_desktop_handle_)
- return SBOX_ALL_OK;
-
- // Create the destkop.
- ResultCode result = CreateAltDesktop(NULL, &alternate_desktop_handle_);
- if (SBOX_ALL_OK != result)
- return result;
-
- // Verify that everything is fine.
- if (!alternate_desktop_handle_ ||
- GetWindowObjectName(alternate_desktop_handle_).empty())
- return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
- }
-
- return SBOX_ALL_OK;
-}
-
-void PolicyBase::DestroyAlternateDesktop() {
- if (alternate_desktop_handle_) {
- ::CloseDesktop(alternate_desktop_handle_);
- alternate_desktop_handle_ = NULL;
- }
-
- if (alternate_winstation_handle_) {
- ::CloseWindowStation(alternate_winstation_handle_);
- alternate_winstation_handle_ = NULL;
- }
-}
-
-ResultCode PolicyBase::SetIntegrityLevel(IntegrityLevel integrity_level) {
- integrity_level_ = integrity_level;
- return SBOX_ALL_OK;
-}
-
-IntegrityLevel PolicyBase::GetIntegrityLevel() const {
- return integrity_level_;
-}
-
-ResultCode PolicyBase::SetDelayedIntegrityLevel(
- IntegrityLevel integrity_level) {
- delayed_integrity_level_ = integrity_level;
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::SetAppContainer(const wchar_t* sid) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return SBOX_ALL_OK;
-
- // SetLowBox and SetAppContainer are mutually exclusive.
- if (lowbox_sid_)
- return SBOX_ERROR_UNSUPPORTED;
-
- // Windows refuses to work with an impersonation token for a process inside
- // an AppContainer. If the caller wants to use a more privileged initial
- // token, or if the lockdown level will prevent the process from starting,
- // we have to fail the operation.
- if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
- return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
-
- DCHECK(!appcontainer_list_.get());
- appcontainer_list_.reset(new AppContainerAttributes);
- ResultCode rv = appcontainer_list_->SetAppContainer(sid, capabilities_);
- if (rv != SBOX_ALL_OK)
- return rv;
-
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::SetCapability(const wchar_t* sid) {
- capabilities_.push_back(sid);
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::SetLowBox(const wchar_t* sid) {
- if (base::win::OSInfo::GetInstance()->version() < base::win::VERSION_WIN8)
- return SBOX_ERROR_UNSUPPORTED;
-
- // SetLowBox and SetAppContainer are mutually exclusive.
- if (appcontainer_list_.get())
- return SBOX_ERROR_UNSUPPORTED;
-
- DCHECK(sid);
-
- if (lowbox_sid_)
- return SBOX_ERROR_BAD_PARAMS;
-
- if (!ConvertStringSidToSid(sid, &lowbox_sid_))
- return SBOX_ERROR_GENERIC;
-
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::SetProcessMitigations(
- MitigationFlags flags) {
- if (!CanSetProcessMitigationsPreStartup(flags))
- return SBOX_ERROR_BAD_PARAMS;
- mitigations_ = flags;
- return SBOX_ALL_OK;
-}
-
-MitigationFlags PolicyBase::GetProcessMitigations() {
- return mitigations_;
-}
-
-ResultCode PolicyBase::SetDelayedProcessMitigations(
- MitigationFlags flags) {
- if (!CanSetProcessMitigationsPostStartup(flags))
- return SBOX_ERROR_BAD_PARAMS;
- delayed_mitigations_ = flags;
- return SBOX_ALL_OK;
-}
-
-MitigationFlags PolicyBase::GetDelayedProcessMitigations() const {
- return delayed_mitigations_;
-}
-
-void PolicyBase::SetStrictInterceptions() {
- relaxed_interceptions_ = false;
-}
-
-ResultCode PolicyBase::SetStdoutHandle(HANDLE handle) {
- if (!IsInheritableHandle(handle))
- return SBOX_ERROR_BAD_PARAMS;
- stdout_handle_ = handle;
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::SetStderrHandle(HANDLE handle) {
- if (!IsInheritableHandle(handle))
- return SBOX_ERROR_BAD_PARAMS;
- stderr_handle_ = handle;
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::AddRule(SubSystem subsystem,
- Semantics semantics,
- const wchar_t* pattern) {
- ResultCode result = AddRuleInternal(subsystem, semantics, pattern);
- LOG_IF(ERROR, result != SBOX_ALL_OK) << "Failed to add sandbox rule."
- << " error = " << result
- << ", subsystem = " << subsystem
- << ", semantics = " << semantics
- << ", pattern = '" << pattern << "'";
- return result;
-}
-
-ResultCode PolicyBase::AddDllToUnload(const wchar_t* dll_name) {
- blacklisted_dlls_.push_back(dll_name);
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::AddKernelObjectToClose(const base::char16* handle_type,
- const base::char16* handle_name) {
- return handle_closer_.AddHandle(handle_type, handle_name);
-}
-
-void* PolicyBase::AddHandleToShare(HANDLE handle) {
- if (base::win::GetVersion() < base::win::VERSION_VISTA)
- return nullptr;
-
- if (!handle)
- return nullptr;
-
- HANDLE duped_handle = nullptr;
- if (!::DuplicateHandle(::GetCurrentProcess(), handle, ::GetCurrentProcess(),
- &duped_handle, 0, TRUE, DUPLICATE_SAME_ACCESS)) {
- return nullptr;
- }
- handles_to_share_.push_back(new base::win::ScopedHandle(duped_handle));
- return duped_handle;
-}
-
-const HandleList& PolicyBase::GetHandlesBeingShared() {
- return handles_to_share_;
-}
-
-void PolicyBase::ClearSharedHandles() {
- STLDeleteElements(&handles_to_share_);
-}
-
-ResultCode PolicyBase::MakeJobObject(base::win::ScopedHandle* job) {
- if (job_level_ != JOB_NONE) {
- // Create the windows job object.
- Job job_obj;
- DWORD result = job_obj.Init(job_level_, NULL, ui_exceptions_,
- memory_limit_);
- if (ERROR_SUCCESS != result)
- return SBOX_ERROR_GENERIC;
-
- *job = job_obj.Take();
- } else {
- *job = base::win::ScopedHandle();
- }
- return SBOX_ALL_OK;
-}
-
-ResultCode PolicyBase::MakeTokens(base::win::ScopedHandle* initial,
- base::win::ScopedHandle* lockdown,
- base::win::ScopedHandle* lowbox) {
- if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer() &&
- lowbox_sid_) {
- return SBOX_ERROR_BAD_PARAMS;
- }
-
- // Create the 'naked' token. This will be the permanent token associated
- // with the process and therefore with any thread that is not impersonating.
- DWORD result = CreateRestrictedToken(lockdown_level_, integrity_level_,
- PRIMARY, lockdown);
- if (ERROR_SUCCESS != result)
- return SBOX_ERROR_GENERIC;
-
- // If we're launching on the alternate desktop we need to make sure the
- // integrity label on the object is no higher than the sandboxed process's
- // integrity level. So, we lower the label on the desktop process if it's
- // not already low enough for our process.
- if (alternate_desktop_handle_ && use_alternate_desktop_ &&
- integrity_level_ != INTEGRITY_LEVEL_LAST &&
- alternate_desktop_integrity_level_label_ < integrity_level_ &&
- base::win::OSInfo::GetInstance()->version() >= base::win::VERSION_VISTA) {
- // Integrity label enum is reversed (higher level is a lower value).
- static_assert(INTEGRITY_LEVEL_SYSTEM < INTEGRITY_LEVEL_UNTRUSTED,
- "Integrity level ordering reversed.");
- result = SetObjectIntegrityLabel(alternate_desktop_handle_,
- SE_WINDOW_OBJECT,
- L"",
- GetIntegrityLevelString(integrity_level_));
- if (ERROR_SUCCESS != result)
- return SBOX_ERROR_GENERIC;
-
- alternate_desktop_integrity_level_label_ = integrity_level_;
- }
-
- // We are maintaining two mutually exclusive approaches. One is to start an
- // AppContainer process through StartupInfoEx and other is replacing
- // existing token with LowBox token after process creation.
- if (appcontainer_list_.get() && appcontainer_list_->HasAppContainer()) {
- // Windows refuses to work with an impersonation token. See SetAppContainer
- // implementation for more details.
- if (lockdown_level_ < USER_LIMITED || lockdown_level_ != initial_level_)
- return SBOX_ERROR_CANNOT_INIT_APPCONTAINER;
-
- *initial = base::win::ScopedHandle();
- return SBOX_ALL_OK;
- }
-
- if (lowbox_sid_) {
- NtCreateLowBoxToken CreateLowBoxToken = NULL;
- ResolveNTFunctionPtr("NtCreateLowBoxToken", &CreateLowBoxToken);
- OBJECT_ATTRIBUTES obj_attr;
- InitializeObjectAttributes(&obj_attr, NULL, 0, NULL, NULL);
- HANDLE token_lowbox = NULL;
-
- if (!lowbox_directory_.IsValid())
- lowbox_directory_.Set(CreateLowBoxObjectDirectory(lowbox_sid_));
- DCHECK(lowbox_directory_.IsValid());
-
- // The order of handles isn't important in the CreateLowBoxToken call.
- // The kernel will maintain a reference to the object directory handle.
- HANDLE saved_handles[1] = {lowbox_directory_.Get()};
- DWORD saved_handles_count = lowbox_directory_.IsValid() ? 1 : 0;
-
- NTSTATUS status = CreateLowBoxToken(&token_lowbox, lockdown->Get(),
- TOKEN_ALL_ACCESS, &obj_attr,
- lowbox_sid_, 0, NULL,
- saved_handles_count, saved_handles);
- if (!NT_SUCCESS(status))
- return SBOX_ERROR_GENERIC;
-
- DCHECK(token_lowbox);
- lowbox->Set(token_lowbox);
- }
-
- // Create the 'better' token. We use this token as the one that the main
- // thread uses when booting up the process. It should contain most of
- // what we need (before reaching main( ))
- result = CreateRestrictedToken(initial_level_, integrity_level_,
- IMPERSONATION, initial);
- if (ERROR_SUCCESS != result)
- return SBOX_ERROR_GENERIC;
-
- return SBOX_ALL_OK;
-}
-
-const AppContainerAttributes* PolicyBase::GetAppContainer() const {
- if (!appcontainer_list_.get() || !appcontainer_list_->HasAppContainer())
- return NULL;
-
- return appcontainer_list_.get();
-}
-
-PSID PolicyBase::GetLowBoxSid() const {
- return lowbox_sid_;
-}
-
-bool PolicyBase::AddTarget(TargetProcess* target) {
- if (NULL != policy_)
- policy_maker_->Done();
-
- if (!ApplyProcessMitigationsToSuspendedProcess(target->Process(),
- mitigations_)) {
- return false;
- }
-
- if (!SetupAllInterceptions(target))
- return false;
-
- if (!SetupHandleCloser(target))
- return false;
-
- // Initialize the sandbox infrastructure for the target.
- if (ERROR_SUCCESS !=
- target->Init(dispatcher_.get(), policy_, kIPCMemSize, kPolMemSize))
- return false;
-
- g_shared_delayed_integrity_level = delayed_integrity_level_;
- ResultCode ret = target->TransferVariable(
- "g_shared_delayed_integrity_level",
- &g_shared_delayed_integrity_level,
- sizeof(g_shared_delayed_integrity_level));
- g_shared_delayed_integrity_level = INTEGRITY_LEVEL_LAST;
- if (SBOX_ALL_OK != ret)
- return false;
-
- // Add in delayed mitigations and pseudo-mitigations enforced at startup.
- g_shared_delayed_mitigations = delayed_mitigations_ |
- FilterPostStartupProcessMitigations(mitigations_);
- if (!CanSetProcessMitigationsPostStartup(g_shared_delayed_mitigations))
- return false;
-
- ret = target->TransferVariable("g_shared_delayed_mitigations",
- &g_shared_delayed_mitigations,
- sizeof(g_shared_delayed_mitigations));
- g_shared_delayed_mitigations = 0;
- if (SBOX_ALL_OK != ret)
- return false;
-
- AutoLock lock(&lock_);
- targets_.push_back(target);
- return true;
-}
-
-bool PolicyBase::OnJobEmpty(HANDLE job) {
- AutoLock lock(&lock_);
- TargetSet::iterator it;
- for (it = targets_.begin(); it != targets_.end(); ++it) {
- if ((*it)->Job() == job)
- break;
- }
- if (it == targets_.end()) {
- return false;
- }
- TargetProcess* target = *it;
- targets_.erase(it);
- delete target;
- return true;
-}
-
-EvalResult PolicyBase::EvalPolicy(int service,
- CountedParameterSetBase* params) {
- if (NULL != policy_) {
- if (NULL == policy_->entry[service]) {
- // There is no policy for this particular service. This is not a big
- // deal.
- return DENY_ACCESS;
- }
- for (int i = 0; i < params->count; i++) {
- if (!params->parameters[i].IsValid()) {
- NOTREACHED();
- return SIGNAL_ALARM;
- }
- }
- PolicyProcessor pol_evaluator(policy_->entry[service]);
- PolicyResult result = pol_evaluator.Evaluate(kShortEval,
- params->parameters,
- params->count);
- if (POLICY_MATCH == result) {
- return pol_evaluator.GetAction();
- }
- DCHECK(POLICY_ERROR != result);
- }
-
- return DENY_ACCESS;
-}
-
-HANDLE PolicyBase::GetStdoutHandle() {
- return stdout_handle_;
-}
-
-HANDLE PolicyBase::GetStderrHandle() {
- return stderr_handle_;
-}
-
-bool PolicyBase::SetupAllInterceptions(TargetProcess* target) {
- InterceptionManager manager(target, relaxed_interceptions_);
-
- if (policy_) {
- for (int i = 0; i < IPC_LAST_TAG; i++) {
- if (policy_->entry[i] && !dispatcher_->SetupService(&manager, i))
- return false;
- }
- }
-
- if (!blacklisted_dlls_.empty()) {
- std::vector<base::string16>::iterator it = blacklisted_dlls_.begin();
- for (; it != blacklisted_dlls_.end(); ++it) {
- manager.AddToUnloadModules(it->c_str());
- }
- }
-
- if (!SetupBasicInterceptions(&manager))
- return false;
-
- if (!manager.InitializeInterceptions())
- return false;
-
- // Finally, setup imports on the target so the interceptions can work.
- return SetupNtdllImports(target);
-}
-
-bool PolicyBase::SetupHandleCloser(TargetProcess* target) {
- return handle_closer_.InitializeTargetHandles(target);
-}
-
-ResultCode PolicyBase::AddRuleInternal(SubSystem subsystem,
- Semantics semantics,
- const wchar_t* pattern) {
- if (NULL == policy_) {
- policy_ = MakeBrokerPolicyMemory();
- DCHECK(policy_);
- policy_maker_ = new LowLevelPolicy(policy_);
- DCHECK(policy_maker_);
- }
-
- switch (subsystem) {
- case SUBSYS_FILES: {
- if (!file_system_init_) {
- if (!FileSystemPolicy::SetInitialRules(policy_maker_))
- return SBOX_ERROR_BAD_PARAMS;
- file_system_init_ = true;
- }
- if (!FileSystemPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
- NOTREACHED();
- return SBOX_ERROR_BAD_PARAMS;
- }
- break;
- }
- case SUBSYS_SYNC: {
- if (!SyncPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
- NOTREACHED();
- return SBOX_ERROR_BAD_PARAMS;
- }
- break;
- }
- case SUBSYS_PROCESS: {
- if (lockdown_level_ < USER_INTERACTIVE &&
- TargetPolicy::PROCESS_ALL_EXEC == semantics) {
- // This is unsupported. This is a huge security risk to give full access
- // to a process handle.
- return SBOX_ERROR_UNSUPPORTED;
- }
- if (!ProcessPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
- NOTREACHED();
- return SBOX_ERROR_BAD_PARAMS;
- }
- break;
- }
- case SUBSYS_NAMED_PIPES: {
- if (!NamedPipePolicy::GenerateRules(pattern, semantics, policy_maker_)) {
- NOTREACHED();
- return SBOX_ERROR_BAD_PARAMS;
- }
- break;
- }
- case SUBSYS_REGISTRY: {
- if (!RegistryPolicy::GenerateRules(pattern, semantics, policy_maker_)) {
- NOTREACHED();
- return SBOX_ERROR_BAD_PARAMS;
- }
- break;
- }
- case SUBSYS_HANDLES: {
- if (!HandlePolicy::GenerateRules(pattern, semantics, policy_maker_)) {
- NOTREACHED();
- return SBOX_ERROR_BAD_PARAMS;
- }
- break;
- }
-
- case SUBSYS_WIN32K_LOCKDOWN: {
- if (!ProcessMitigationsWin32KLockdownPolicy::GenerateRules(
- pattern, semantics, policy_maker_)) {
- NOTREACHED();
- return SBOX_ERROR_BAD_PARAMS;
- }
- break;
- }
-
- default: { return SBOX_ERROR_UNSUPPORTED; }
- }
-
- return SBOX_ALL_OK;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h b/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h
deleted file mode 100644
index b2d1b7c85..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_policy_base.h
+++ /dev/null
@@ -1,177 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_
-#define SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_
-
-#include <windows.h>
-#include <stddef.h>
-#include <stdint.h>
-
-#include <list>
-#include <vector>
-
-#include "base/compiler_specific.h"
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/strings/string16.h"
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/handle_closer.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_engine_params.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace sandbox {
-
-class AppContainerAttributes;
-class LowLevelPolicy;
-class TargetProcess;
-struct PolicyGlobal;
-
-typedef std::vector<base::win::ScopedHandle*> HandleList;
-
-class PolicyBase final : public TargetPolicy {
- public:
- PolicyBase();
-
- // TargetPolicy:
- void AddRef() override;
- void Release() override;
- ResultCode SetTokenLevel(TokenLevel initial, TokenLevel lockdown) override;
- TokenLevel GetInitialTokenLevel() const override;
- TokenLevel GetLockdownTokenLevel() const override;
- ResultCode SetJobLevel(JobLevel job_level, uint32_t ui_exceptions) override;
- ResultCode SetJobMemoryLimit(size_t memory_limit) override;
- ResultCode SetAlternateDesktop(bool alternate_winstation) override;
- base::string16 GetAlternateDesktop() const override;
- ResultCode CreateAlternateDesktop(bool alternate_winstation) override;
- void DestroyAlternateDesktop() override;
- ResultCode SetIntegrityLevel(IntegrityLevel integrity_level) override;
- IntegrityLevel GetIntegrityLevel() const override;
- ResultCode SetDelayedIntegrityLevel(IntegrityLevel integrity_level) override;
- ResultCode SetAppContainer(const wchar_t* sid) override;
- ResultCode SetCapability(const wchar_t* sid) override;
- ResultCode SetLowBox(const wchar_t* sid) override;
- ResultCode SetProcessMitigations(MitigationFlags flags) override;
- MitigationFlags GetProcessMitigations() override;
- ResultCode SetDelayedProcessMitigations(MitigationFlags flags) override;
- MitigationFlags GetDelayedProcessMitigations() const override;
- void SetStrictInterceptions() override;
- ResultCode SetStdoutHandle(HANDLE handle) override;
- ResultCode SetStderrHandle(HANDLE handle) override;
- ResultCode AddRule(SubSystem subsystem,
- Semantics semantics,
- const wchar_t* pattern) override;
- ResultCode AddDllToUnload(const wchar_t* dll_name) override;
- ResultCode AddKernelObjectToClose(const base::char16* handle_type,
- const base::char16* handle_name) override;
- void* AddHandleToShare(HANDLE handle) override;
-
- // Creates a Job object with the level specified in a previous call to
- // SetJobLevel().
- ResultCode MakeJobObject(base::win::ScopedHandle* job);
-
- // Creates the two tokens with the levels specified in a previous call to
- // SetTokenLevel(). Also creates a lowbox token if specified based on the
- // lowbox SID.
- ResultCode MakeTokens(base::win::ScopedHandle* initial,
- base::win::ScopedHandle* lockdown,
- base::win::ScopedHandle* lowbox);
-
- const AppContainerAttributes* GetAppContainer() const;
-
- PSID GetLowBoxSid() const;
-
- // Adds a target process to the internal list of targets. Internally a
- // call to TargetProcess::Init() is issued.
- bool AddTarget(TargetProcess* target);
-
- // Called when there are no more active processes in a Job.
- // Removes a Job object associated with this policy and the target associated
- // with the job.
- bool OnJobEmpty(HANDLE job);
-
- EvalResult EvalPolicy(int service, CountedParameterSetBase* params);
-
- HANDLE GetStdoutHandle();
- HANDLE GetStderrHandle();
-
- // Returns the list of handles being shared with the target process.
- const HandleList& GetHandlesBeingShared();
-
- // Closes the handles being shared with the target and clears out the list.
- void ClearSharedHandles();
-
- private:
- ~PolicyBase();
-
- // Sets up interceptions for a new target.
- bool SetupAllInterceptions(TargetProcess* target);
-
- // Sets up the handle closer for a new target.
- bool SetupHandleCloser(TargetProcess* target);
-
- ResultCode AddRuleInternal(SubSystem subsystem,
- Semantics semantics,
- const wchar_t* pattern);
-
- // This lock synchronizes operations on the targets_ collection.
- CRITICAL_SECTION lock_;
- // Maintains the list of target process associated with this policy.
- // The policy takes ownership of them.
- typedef std::list<TargetProcess*> TargetSet;
- TargetSet targets_;
- // Standard object-lifetime reference counter.
- volatile LONG ref_count;
- // The user-defined global policy settings.
- TokenLevel lockdown_level_;
- TokenLevel initial_level_;
- JobLevel job_level_;
- uint32_t ui_exceptions_;
- size_t memory_limit_;
- bool use_alternate_desktop_;
- bool use_alternate_winstation_;
- // Helps the file system policy initialization.
- bool file_system_init_;
- bool relaxed_interceptions_;
- HANDLE stdout_handle_;
- HANDLE stderr_handle_;
- IntegrityLevel integrity_level_;
- IntegrityLevel delayed_integrity_level_;
- MitigationFlags mitigations_;
- MitigationFlags delayed_mitigations_;
- // Object in charge of generating the low level policy.
- LowLevelPolicy* policy_maker_;
- // Memory structure that stores the low level policy.
- PolicyGlobal* policy_;
- // The list of dlls to unload in the target process.
- std::vector<base::string16> blacklisted_dlls_;
- // This is a map of handle-types to names that we need to close in the
- // target process. A null set means we need to close all handles of the
- // given type.
- HandleCloser handle_closer_;
- std::vector<base::string16> capabilities_;
- scoped_ptr<AppContainerAttributes> appcontainer_list_;
- PSID lowbox_sid_;
- base::win::ScopedHandle lowbox_directory_;
- scoped_ptr<Dispatcher> dispatcher_;
-
- static HDESK alternate_desktop_handle_;
- static HWINSTA alternate_winstation_handle_;
- static IntegrityLevel alternate_desktop_integrity_level_label_;
-
- // Contains the list of handles being shared with the target process.
- // This list contains handles other than the stderr/stdout handles which are
- // shared with the target at times.
- HandleList handles_to_share_;
-
- DISALLOW_COPY_AND_ASSIGN(PolicyBase);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_WIN_SRC_SANDBOX_POLICY_BASE_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_rand.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_rand.cc
deleted file mode 100644
index b3f977374..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_rand.cc
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sandbox_rand.h"
-
-#include <windows.h>
-
-// #define needed to link in RtlGenRandom(), a.k.a. SystemFunction036. See the
-// "Community Additions" comment on MSDN here:
-// http://msdn.microsoft.com/en-us/library/windows/desktop/aa387694.aspx
-#define SystemFunction036 NTAPI SystemFunction036
-#include <NTSecAPI.h>
-#undef SystemFunction036
-
-namespace sandbox {
-
-bool GetRandom(unsigned int* random_value) {
- return RtlGenRandom(random_value, sizeof(unsigned int)) != FALSE;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_rand.h b/security/sandbox/chromium/sandbox/win/src/sandbox_rand.h
deleted file mode 100644
index 7c4febcd5..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_rand.h
+++ /dev/null
@@ -1,16 +0,0 @@
-// Copyright (c) 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SANDBOX_RAND_H_
-#define SANDBOX_SRC_SANDBOX_RAND_H_
-
-
-namespace sandbox {
-
-// Generate a random value in |random_value|. Returns true on success.
-bool GetRandom(unsigned int* random_value);
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SANDBOX_RAND_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_types.h b/security/sandbox/chromium/sandbox/win/src/sandbox_types.h
deleted file mode 100644
index b749b9ca5..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_types.h
+++ /dev/null
@@ -1,95 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_SANDBOX_TYPES_H_
-#define SANDBOX_WIN_SRC_SANDBOX_TYPES_H_
-
-namespace sandbox {
-
-// Operation result codes returned by the sandbox API.
-enum ResultCode {
- SBOX_ALL_OK = 0,
- // Error is originating on the win32 layer. Call GetlastError() for more
- // information.
- SBOX_ERROR_GENERIC = 1,
- // An invalid combination of parameters was given to the API.
- SBOX_ERROR_BAD_PARAMS = 2,
- // The desired operation is not supported at this time.
- SBOX_ERROR_UNSUPPORTED = 3,
- // The request requires more memory that allocated or available.
- SBOX_ERROR_NO_SPACE = 4,
- // The ipc service requested does not exist.
- SBOX_ERROR_INVALID_IPC = 5,
- // The ipc service did not complete.
- SBOX_ERROR_FAILED_IPC = 6,
- // The requested handle was not found.
- SBOX_ERROR_NO_HANDLE = 7,
- // This function was not expected to be called at this time.
- SBOX_ERROR_UNEXPECTED_CALL = 8,
- // WaitForAllTargets is already called.
- SBOX_ERROR_WAIT_ALREADY_CALLED = 9,
- // A channel error prevented DoCall from executing.
- SBOX_ERROR_CHANNEL_ERROR = 10,
- // Failed to create the alternate desktop.
- SBOX_ERROR_CANNOT_CREATE_DESKTOP = 11,
- // Failed to create the alternate window station.
- SBOX_ERROR_CANNOT_CREATE_WINSTATION = 12,
- // Failed to switch back to the interactive window station.
- SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION = 13,
- // The supplied AppContainer is not valid.
- SBOX_ERROR_INVALID_APP_CONTAINER = 14,
- // The supplied capability is not valid.
- SBOX_ERROR_INVALID_CAPABILITY = 15,
- // There is a failure initializing the AppContainer.
- SBOX_ERROR_CANNOT_INIT_APPCONTAINER = 16,
- // Initializing or updating ProcThreadAttributes failed.
- SBOX_ERROR_PROC_THREAD_ATTRIBUTES = 17,
- // Error in creating process.
- SBOX_ERROR_CREATE_PROCESS = 18,
- // Placeholder for last item of the enum.
- SBOX_ERROR_LAST
-};
-
-// If the sandbox cannot create a secure environment for the target, the
-// target will be forcibly terminated. These are the process exit codes.
-enum TerminationCodes {
- SBOX_FATAL_INTEGRITY = 7006, // Could not set the integrity level.
- SBOX_FATAL_DROPTOKEN = 7007, // Could not lower the token.
- SBOX_FATAL_FLUSHANDLES = 7008, // Failed to flush registry handles.
- SBOX_FATAL_CACHEDISABLE = 7009, // Failed to forbid HCKU caching.
- SBOX_FATAL_CLOSEHANDLES = 7010, // Failed to close pending handles.
- SBOX_FATAL_MITIGATION = 7011, // Could not set the mitigation policy.
- SBOX_FATAL_MEMORY_EXCEEDED = 7012, // Exceeded the job memory limit.
- SBOX_FATAL_WARMUP = 7013, // Failed to warmup.
- SBOX_FATAL_LAST
-};
-
-class BrokerServices;
-class TargetServices;
-
-// Contains the pointer to a target or broker service.
-struct SandboxInterfaceInfo {
- BrokerServices* broker_services;
- TargetServices* target_services;
-};
-
-#if SANDBOX_EXPORTS
-#define SANDBOX_INTERCEPT extern "C" __declspec(dllexport)
-#else
-#define SANDBOX_INTERCEPT extern "C"
-#endif
-
-enum InterceptionType {
- INTERCEPTION_INVALID = 0,
- INTERCEPTION_SERVICE_CALL, // Trampoline of an NT native call
- INTERCEPTION_EAT,
- INTERCEPTION_SIDESTEP, // Preamble patch
- INTERCEPTION_SMART_SIDESTEP, // Preamble patch but bypass internal calls
- INTERCEPTION_UNLOAD_MODULE, // Unload the module (don't patch)
- INTERCEPTION_LAST // Placeholder for last item in the enumeration
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_WIN_SRC_SANDBOX_TYPES_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_utils.cc b/security/sandbox/chromium/sandbox/win/src/sandbox_utils.cc
deleted file mode 100644
index 6057caffc..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_utils.cc
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sandbox_utils.h"
-
-#include <windows.h>
-
-#include "base/logging.h"
-#include "sandbox/win/src/internal_types.h"
-
-namespace sandbox {
-
-void InitObjectAttribs(const base::string16& name,
- ULONG attributes,
- HANDLE root,
- OBJECT_ATTRIBUTES* obj_attr,
- UNICODE_STRING* uni_name,
- SECURITY_QUALITY_OF_SERVICE* security_qos) {
- static RtlInitUnicodeStringFunction RtlInitUnicodeString;
- if (!RtlInitUnicodeString) {
- HMODULE ntdll = ::GetModuleHandle(kNtdllName);
- RtlInitUnicodeString = reinterpret_cast<RtlInitUnicodeStringFunction>(
- GetProcAddress(ntdll, "RtlInitUnicodeString"));
- DCHECK(RtlInitUnicodeString);
- }
- RtlInitUnicodeString(uni_name, name.c_str());
- InitializeObjectAttributes(obj_attr, uni_name, attributes, root, NULL);
- obj_attr->SecurityQualityOfService = security_qos;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sandbox_utils.h b/security/sandbox/chromium/sandbox/win/src/sandbox_utils.h
deleted file mode 100644
index b1c1f3134..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sandbox_utils.h
+++ /dev/null
@@ -1,25 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SANDBOX_UTILS_H_
-#define SANDBOX_SRC_SANDBOX_UTILS_H_
-
-#include <windows.h>
-#include <string>
-
-#include "base/strings/string16.h"
-#include "sandbox/win/src/nt_internals.h"
-
-namespace sandbox {
-
-void InitObjectAttribs(const base::string16& name,
- ULONG attributes,
- HANDLE root,
- OBJECT_ATTRIBUTES* obj_attr,
- UNICODE_STRING* uni_name,
- SECURITY_QUALITY_OF_SERVICE* security_qos);
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SANDBOX_UTILS_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/security_level.h b/security/sandbox/chromium/sandbox/win/src/security_level.h
deleted file mode 100644
index 26ec306a6..000000000
--- a/security/sandbox/chromium/sandbox/win/src/security_level.h
+++ /dev/null
@@ -1,209 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SECURITY_LEVEL_H_
-#define SANDBOX_SRC_SECURITY_LEVEL_H_
-
-#include <stdint.h>
-
-namespace sandbox {
-
-// List of all the integrity levels supported in the sandbox. This is used
-// only on Windows Vista. You can't set the integrity level of the process
-// in the sandbox to a level higher than yours.
-enum IntegrityLevel {
- INTEGRITY_LEVEL_SYSTEM,
- INTEGRITY_LEVEL_HIGH,
- INTEGRITY_LEVEL_MEDIUM,
- INTEGRITY_LEVEL_MEDIUM_LOW,
- INTEGRITY_LEVEL_LOW,
- INTEGRITY_LEVEL_BELOW_LOW,
- INTEGRITY_LEVEL_UNTRUSTED,
- INTEGRITY_LEVEL_LAST
-};
-
-// The Token level specifies a set of security profiles designed to
-// provide the bulk of the security of sandbox.
-//
-// TokenLevel |Restricting |Deny Only |Privileges|
-// |Sids |Sids | |
-// ----------------------------|--------------|----------------|----------|
-// USER_LOCKDOWN | Null Sid | All | None |
-// ----------------------------|--------------|----------------|----------|
-// USER_RESTRICTED | RESTRICTED | All | Traverse |
-// ----------------------------|--------------|----------------|----------|
-// USER_LIMITED | Users | All except: | Traverse |
-// | Everyone | Users | |
-// | RESTRICTED | Everyone | |
-// | | Interactive | |
-// ----------------------------|--------------|----------------|----------|
-// USER_INTERACTIVE | Users | All except: | Traverse |
-// | Everyone | Users | |
-// | RESTRICTED | Everyone | |
-// | Owner | Interactive | |
-// | | Local | |
-// | | Authent-users | |
-// | | User | |
-// ----------------------------|--------------|----------------|----------|
-// USER_NON_ADMIN | None | All except: | Traverse |
-// | | Users | |
-// | | Everyone | |
-// | | Interactive | |
-// | | Local | |
-// | | Authent-users | |
-// | | User | |
-// ----------------------------|--------------|----------------|----------|
-// USER_RESTRICTED_SAME_ACCESS | All | None | All |
-// ----------------------------|--------------|----------------|----------|
-// USER_UNPROTECTED | None | None | All |
-// ----------------------------|--------------|----------------|----------|
-//
-// The above restrictions are actually a transformation that is applied to
-// the existing broker process token. The resulting token that will be
-// applied to the target process depends both on the token level selected
-// and on the broker token itself.
-//
-// The LOCKDOWN and RESTRICTED are designed to allow access to almost
-// nothing that has security associated with and they are the recommended
-// levels to run sandboxed code specially if there is a chance that the
-// broker is process might be started by a user that belongs to the Admins
-// or power users groups.
-enum TokenLevel {
- USER_LOCKDOWN = 0,
- USER_RESTRICTED,
- USER_LIMITED,
- USER_INTERACTIVE,
- USER_NON_ADMIN,
- USER_RESTRICTED_SAME_ACCESS,
- USER_UNPROTECTED,
- USER_LAST
-};
-
-// The Job level specifies a set of decreasing security profiles for the
-// Job object that the target process will be placed into.
-// This table summarizes the security associated with each level:
-//
-// JobLevel |General |Quota |
-// |restrictions |restrictions |
-// -----------------|---------------------------------- |--------------------|
-// JOB_NONE | No job is assigned to the | None |
-// | sandboxed process. | |
-// -----------------|---------------------------------- |--------------------|
-// JOB_UNPROTECTED | None | *Kill on Job close.|
-// -----------------|---------------------------------- |--------------------|
-// JOB_INTERACTIVE | *Forbid system-wide changes using | |
-// | SystemParametersInfo(). | *Kill on Job close.|
-// | *Forbid the creation/switch of | |
-// | Desktops. | |
-// | *Forbids calls to ExitWindows(). | |
-// -----------------|---------------------------------- |--------------------|
-// JOB_LIMITED_USER | Same as INTERACTIVE_USER plus: | *One active process|
-// | *Forbid changes to the display | limit. |
-// | settings. | *Kill on Job close.|
-// -----------------|---------------------------------- |--------------------|
-// JOB_RESTRICTED | Same as LIMITED_USER plus: | *One active process|
-// | * No read/write to the clipboard. | limit. |
-// | * No access to User Handles that | *Kill on Job close.|
-// | belong to other processes. | |
-// | * Forbid message broadcasts. | |
-// | * Forbid setting global hooks. | |
-// | * No access to the global atoms | |
-// | table. | |
-// -----------------|-----------------------------------|--------------------|
-// JOB_LOCKDOWN | Same as RESTRICTED | *One active process|
-// | | limit. |
-// | | *Kill on Job close.|
-// | | *Kill on unhandled |
-// | | exception. |
-// | | |
-// In the context of the above table, 'user handles' refers to the handles of
-// windows, bitmaps, menus, etc. Files, treads and registry handles are kernel
-// handles and are not affected by the job level settings.
-enum JobLevel {
- JOB_LOCKDOWN = 0,
- JOB_RESTRICTED,
- JOB_LIMITED_USER,
- JOB_INTERACTIVE,
- JOB_UNPROTECTED,
- JOB_NONE
-};
-
-// These flags correspond to various process-level mitigations (eg. ASLR and
-// DEP). Most are implemented via UpdateProcThreadAttribute() plus flags for
-// the PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY attribute argument; documented
-// here: http://msdn.microsoft.com/en-us/library/windows/desktop/ms686880
-// Some mitigations are implemented directly by the sandbox or emulated to
-// the greatest extent possible when not directly supported by the OS.
-// Flags that are unsupported for the target OS will be silently ignored.
-// Flags that are invalid for their application (pre or post startup) will
-// return SBOX_ERROR_BAD_PARAMS.
-typedef uint64_t MitigationFlags;
-
-// Permanently enables DEP for the target process. Corresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE.
-const MitigationFlags MITIGATION_DEP = 0x00000001;
-
-// Permanently Disables ATL thunk emulation when DEP is enabled. Valid
-// only when MITIGATION_DEP is passed. Corresponds to not passing
-// PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE.
-const MitigationFlags MITIGATION_DEP_NO_ATL_THUNK = 0x00000002;
-
-// Enables Structured exception handling override prevention. Must be
-// enabled prior to process start. Corresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE.
-const MitigationFlags MITIGATION_SEHOP = 0x00000004;
-
-// Forces ASLR on all images in the child process. Corresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON .
-const MitigationFlags MITIGATION_RELOCATE_IMAGE = 0x00000008;
-
-// Refuses to load DLLs that cannot support ASLR. Corresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON_REQ_RELOCS.
-const MitigationFlags MITIGATION_RELOCATE_IMAGE_REQUIRED = 0x00000010;
-
-// Terminates the process on Windows heap corruption. Coresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_HEAP_TERMINATE_ALWAYS_ON.
-const MitigationFlags MITIGATION_HEAP_TERMINATE = 0x00000020;
-
-// Sets a random lower bound as the minimum user address. Must be
-// enabled prior to process start. On 32-bit processes this is
-// emulated to a much smaller degree. Corresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON.
-const MitigationFlags MITIGATION_BOTTOM_UP_ASLR = 0x00000040;
-
-// Increases the randomness range of bottom-up ASLR to up to 1TB. Must be
-// enabled prior to process start and with MITIGATION_BOTTOM_UP_ASLR.
-// Corresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_HIGH_ENTROPY_ASLR_ALWAYS_ON
-const MitigationFlags MITIGATION_HIGH_ENTROPY_ASLR = 0x00000080;
-
-// Immediately raises an exception on a bad handle reference. Must be
-// enabled after startup. Corresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_STRICT_HANDLE_CHECKS_ALWAYS_ON.
-const MitigationFlags MITIGATION_STRICT_HANDLE_CHECKS = 0x00000100;
-
-// Prevents the process from making Win32k calls. Must be enabled after
-// startup. Corresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_WIN32K_SYSTEM_CALL_DISABLE_ALWAYS_ON.
-const MitigationFlags MITIGATION_WIN32K_DISABLE = 0x00000200;
-
-// Disables common DLL injection methods (e.g. window hooks and
-// App_InitDLLs). Corresponds to
-// PROCESS_CREATION_MITIGATION_POLICY_EXTENSION_POINT_DISABLE_ALWAYS_ON.
-const MitigationFlags MITIGATION_EXTENSION_DLL_DISABLE = 0x00000400;
-
-// Sets the DLL search order to LOAD_LIBRARY_SEARCH_DEFAULT_DIRS. Additional
-// directories can be added via the Windows AddDllDirectory() function.
-// http://msdn.microsoft.com/en-us/library/windows/desktop/hh310515
-// Must be enabled after startup.
-const MitigationFlags MITIGATION_DLL_SEARCH_ORDER = 0x00000001ULL << 32;
-
-// Changes the mandatory integrity level policy on the current process' token
-// to enable no-read and no-execute up. This prevents a lower IL process from
-// opening the process token for impersonate/duplicate/assignment.
-const MitigationFlags MITIGATION_HARDEN_TOKEN_IL_POLICY = 0x00000001ULL << 33;
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SECURITY_LEVEL_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/service_resolver.cc b/security/sandbox/chromium/sandbox/win/src/service_resolver.cc
deleted file mode 100644
index 92f21a7c2..000000000
--- a/security/sandbox/chromium/sandbox/win/src/service_resolver.cc
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/service_resolver.h"
-
-#include "base/win/pe_image.h"
-#include "sandbox/win/src/internal_types.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-namespace sandbox {
-
-NTSTATUS ServiceResolverThunk::ResolveInterceptor(
- const void* interceptor_module,
- const char* interceptor_name,
- const void** address) {
- // After all, we are using a locally mapped version of the exe, so the
- // action is the same as for a target function.
- return ResolveTarget(interceptor_module, interceptor_name,
- const_cast<void**>(address));
-}
-
-// In this case all the work is done from the parent, so resolve is
-// just a simple GetProcAddress.
-NTSTATUS ServiceResolverThunk::ResolveTarget(const void* module,
- const char* function_name,
- void** address) {
- if (NULL == module)
- return STATUS_UNSUCCESSFUL;
-
- base::win::PEImage module_image(module);
- *address = module_image.GetProcAddress(function_name);
-
- if (NULL == *address) {
- NOTREACHED_NT();
- return STATUS_UNSUCCESSFUL;
- }
-
- return STATUS_SUCCESS;
-}
-
-void ServiceResolverThunk::AllowLocalPatches() {
- ntdll_base_ = ::GetModuleHandle(kNtdllName);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/service_resolver.h b/security/sandbox/chromium/sandbox/win/src/service_resolver.h
deleted file mode 100644
index 7ac5a2490..000000000
--- a/security/sandbox/chromium/sandbox/win/src/service_resolver.h
+++ /dev/null
@@ -1,159 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SERVICE_RESOLVER_H__
-#define SANDBOX_SRC_SERVICE_RESOLVER_H__
-
-#include <stddef.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/resolver.h"
-
-namespace sandbox {
-
-// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll.
-class ServiceResolverThunk : public ResolverThunk {
- public:
- // The service resolver needs a child process to write to.
- ServiceResolverThunk(HANDLE process, bool relaxed)
- : ntdll_base_(NULL),
- process_(process),
- relaxed_(relaxed),
- relative_jump_(0) {}
- ~ServiceResolverThunk() override {}
-
- // Implementation of Resolver::Setup.
- NTSTATUS Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) override;
-
- // Implementation of Resolver::ResolveInterceptor.
- NTSTATUS ResolveInterceptor(const void* module,
- const char* function_name,
- const void** address) override;
-
- // Implementation of Resolver::ResolveTarget.
- NTSTATUS ResolveTarget(const void* module,
- const char* function_name,
- void** address) override;
-
- // Implementation of Resolver::GetThunkSize.
- size_t GetThunkSize() const override;
-
- // Call this to set up ntdll_base_ which will allow for local patches.
- virtual void AllowLocalPatches();
-
- // Verifies that the function specified by |target_name| in |target_module| is
- // a service and copies the data from that function into |thunk_storage|. If
- // |storage_bytes| is too small, then the method fails.
- virtual NTSTATUS CopyThunk(const void* target_module,
- const char* target_name,
- BYTE* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used);
-
- protected:
- // The unit test will use this member to allow local patch on a buffer.
- HMODULE ntdll_base_;
-
- // Handle of the child process.
- HANDLE process_;
-
- private:
- // Returns true if the code pointer by target_ corresponds to the expected
- // type of function. Saves that code on the first part of the thunk pointed
- // by local_thunk (should be directly accessible from the parent).
- virtual bool IsFunctionAService(void* local_thunk) const;
-
- // Performs the actual patch of target_.
- // local_thunk must be already fully initialized, and the first part must
- // contain the original code. The real type of this buffer is ServiceFullThunk
- // (yes, private). remote_thunk (real type ServiceFullThunk), must be
- // allocated on the child, and will contain the thunk data, after this call.
- // Returns the apropriate status code.
- virtual NTSTATUS PerformPatch(void* local_thunk, void* remote_thunk);
-
- // Provides basically the same functionality as IsFunctionAService but it
- // continues even if it does not recognize the function code. remote_thunk
- // is the address of our memory on the child.
- bool SaveOriginalFunction(void* local_thunk, void* remote_thunk);
-
- // true if we are allowed to patch already-patched functions.
- bool relaxed_;
- ULONG relative_jump_;
-
- DISALLOW_COPY_AND_ASSIGN(ServiceResolverThunk);
-};
-
-// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll on WOW64 (32 bit ntdll on 64 bit Vista).
-class Wow64ResolverThunk : public ServiceResolverThunk {
- public:
- // The service resolver needs a child process to write to.
- Wow64ResolverThunk(HANDLE process, bool relaxed)
- : ServiceResolverThunk(process, relaxed) {}
- ~Wow64ResolverThunk() override {}
-
- private:
- bool IsFunctionAService(void* local_thunk) const override;
-
- DISALLOW_COPY_AND_ASSIGN(Wow64ResolverThunk);
-};
-
-// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll on WOW64 for Windows 8.
-class Wow64W8ResolverThunk : public ServiceResolverThunk {
- public:
- // The service resolver needs a child process to write to.
- Wow64W8ResolverThunk(HANDLE process, bool relaxed)
- : ServiceResolverThunk(process, relaxed) {}
- ~Wow64W8ResolverThunk() override {}
-
- private:
- bool IsFunctionAService(void* local_thunk) const override;
-
- DISALLOW_COPY_AND_ASSIGN(Wow64W8ResolverThunk);
-};
-
-// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll on Windows 8.
-class Win8ResolverThunk : public ServiceResolverThunk {
- public:
- // The service resolver needs a child process to write to.
- Win8ResolverThunk(HANDLE process, bool relaxed)
- : ServiceResolverThunk(process, relaxed) {}
- ~Win8ResolverThunk() override {}
-
- private:
- bool IsFunctionAService(void* local_thunk) const override;
-
- DISALLOW_COPY_AND_ASSIGN(Win8ResolverThunk);
-};
-
-// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll on WOW64 for Windows 10.
-class Wow64W10ResolverThunk : public ServiceResolverThunk {
- public:
- // The service resolver needs a child process to write to.
- Wow64W10ResolverThunk(HANDLE process, bool relaxed)
- : ServiceResolverThunk(process, relaxed) {}
- ~Wow64W10ResolverThunk() override {}
-
- private:
- bool IsFunctionAService(void* local_thunk) const override;
-
- DISALLOW_COPY_AND_ASSIGN(Wow64W10ResolverThunk);
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_SRC_SERVICE_RESOLVER_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/service_resolver_32.cc b/security/sandbox/chromium/sandbox/win/src/service_resolver_32.cc
deleted file mode 100644
index f809227e9..000000000
--- a/security/sandbox/chromium/sandbox/win/src/service_resolver_32.cc
+++ /dev/null
@@ -1,478 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/service_resolver.h"
-
-#include <stddef.h>
-
-#include "base/bit_cast.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-#pragma pack(push, 1)
-
-const BYTE kMovEax = 0xB8;
-const BYTE kMovEdx = 0xBA;
-const USHORT kMovEdxEsp = 0xD48B;
-const USHORT kCallPtrEdx = 0x12FF;
-const USHORT kCallEdx = 0xD2FF;
-const BYTE kCallEip = 0xE8;
-const BYTE kRet = 0xC2;
-const BYTE kRet2 = 0xC3;
-const USHORT kJmpEdx = 0xE2FF;
-const USHORT kXorEcx = 0xC933;
-const ULONG kLeaEdx = 0x0424548D;
-const ULONG kCallFs1 = 0xC015FF64;
-const USHORT kCallFs2 = 0;
-const BYTE kCallFs3 = 0;
-const BYTE kAddEsp1 = 0x83;
-const USHORT kAddEsp2 = 0x4C4;
-const BYTE kJmp32 = 0xE9;
-const USHORT kSysenter = 0x340F;
-
-// Service code for 32 bit systems.
-// NOTE: on win2003 "call dword ptr [edx]" is "call edx".
-struct ServiceEntry {
- // This struct contains roughly the following code:
- // 00 mov eax,25h
- // 05 mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
- // 0a call dword ptr [edx]
- // 0c ret 2Ch
- // 0f nop
- BYTE mov_eax; // = B8
- ULONG service_id;
- BYTE mov_edx; // = BA
- ULONG stub;
- USHORT call_ptr_edx; // = FF 12
- BYTE ret; // = C2
- USHORT num_params;
- BYTE nop;
-};
-
-// Service code for 32 bit Windows 8.
-struct ServiceEntryW8 {
- // This struct contains the following code:
- // 00 b825000000 mov eax,25h
- // 05 e803000000 call eip+3
- // 0a c22c00 ret 2Ch
- // 0d 8bd4 mov edx,esp
- // 0f 0f34 sysenter
- // 11 c3 ret
- // 12 8bff mov edi,edi
- BYTE mov_eax; // = B8
- ULONG service_id;
- BYTE call_eip; // = E8
- ULONG call_offset;
- BYTE ret_p; // = C2
- USHORT num_params;
- USHORT mov_edx_esp; // = BD D4
- USHORT sysenter; // = 0F 34
- BYTE ret; // = C3
- USHORT nop;
-};
-
-// Service code for a 32 bit process running on a 64 bit os.
-struct Wow64Entry {
- // This struct may contain one of two versions of code:
- // 1. For XP, Vista and 2K3:
- // 00 b825000000 mov eax, 25h
- // 05 33c9 xor ecx, ecx
- // 07 8d542404 lea edx, [esp + 4]
- // 0b 64ff15c0000000 call dword ptr fs:[0C0h]
- // 12 c22c00 ret 2Ch
- //
- // 2. For Windows 7:
- // 00 b825000000 mov eax, 25h
- // 05 33c9 xor ecx, ecx
- // 07 8d542404 lea edx, [esp + 4]
- // 0b 64ff15c0000000 call dword ptr fs:[0C0h]
- // 12 83c404 add esp, 4
- // 15 c22c00 ret 2Ch
- //
- // So we base the structure on the bigger one:
- BYTE mov_eax; // = B8
- ULONG service_id;
- USHORT xor_ecx; // = 33 C9
- ULONG lea_edx; // = 8D 54 24 04
- ULONG call_fs1; // = 64 FF 15 C0
- USHORT call_fs2; // = 00 00
- BYTE call_fs3; // = 00
- BYTE add_esp1; // = 83 or ret
- USHORT add_esp2; // = C4 04 or num_params
- BYTE ret; // = C2
- USHORT num_params;
-};
-
-// Service code for a 32 bit process running on 64 bit Windows 8.
-struct Wow64EntryW8 {
- // 00 b825000000 mov eax, 25h
- // 05 64ff15c0000000 call dword ptr fs:[0C0h]
- // 0b c22c00 ret 2Ch
- // 0f 90 nop
- BYTE mov_eax; // = B8
- ULONG service_id;
- ULONG call_fs1; // = 64 FF 15 C0
- USHORT call_fs2; // = 00 00
- BYTE call_fs3; // = 00
- BYTE ret; // = C2
- USHORT num_params;
- BYTE nop;
-};
-
-// Service code for a 32 bit process running on 64 bit Windows 10.
-struct Wow64EntryW10 {
- // 00 b828000000 mov eax, 28h
- // 05 bab0d54877 mov edx, 7748D5B0h
- // 09 ffd2 call edx
- // 0b c22800 ret 28h
- BYTE mov_eax; // = B8
- ULONG service_id;
- BYTE mov_edx; // = BA
- ULONG mov_edx_param;
- USHORT call_edx; // = FF D2
- BYTE ret; // = C2
- USHORT num_params;
-};
-
-// Make sure that relaxed patching works as expected.
-const size_t kMinServiceSize = offsetof(ServiceEntry, ret);
-static_assert(sizeof(ServiceEntryW8) >= kMinServiceSize,
- "wrong service length");
-static_assert(sizeof(Wow64Entry) >= kMinServiceSize, "wrong service length");
-static_assert(sizeof(Wow64EntryW8) >= kMinServiceSize, "wrong service length");
-
-struct ServiceFullThunk {
- union {
- ServiceEntry original;
- ServiceEntryW8 original_w8;
- Wow64Entry wow_64;
- Wow64EntryW8 wow_64_w8;
- };
- int internal_thunk; // Dummy member to the beginning of the internal thunk.
-};
-
-#pragma pack(pop)
-
-}; // namespace
-
-namespace sandbox {
-
-NTSTATUS ServiceResolverThunk::Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) {
- NTSTATUS ret = Init(target_module, interceptor_module, target_name,
- interceptor_name, interceptor_entry_point,
- thunk_storage, storage_bytes);
- if (!NT_SUCCESS(ret))
- return ret;
-
- relative_jump_ = 0;
- size_t thunk_bytes = GetThunkSize();
- scoped_ptr<char[]> thunk_buffer(new char[thunk_bytes]);
- ServiceFullThunk* thunk = reinterpret_cast<ServiceFullThunk*>(
- thunk_buffer.get());
-
- if (!IsFunctionAService(&thunk->original) &&
- (!relaxed_ || !SaveOriginalFunction(&thunk->original, thunk_storage))) {
- return STATUS_UNSUCCESSFUL;
- }
-
- ret = PerformPatch(thunk, thunk_storage);
-
- if (NULL != storage_used)
- *storage_used = thunk_bytes;
-
- return ret;
-}
-
-size_t ServiceResolverThunk::GetThunkSize() const {
- return offsetof(ServiceFullThunk, internal_thunk) + GetInternalThunkSize();
-}
-
-NTSTATUS ServiceResolverThunk::CopyThunk(const void* target_module,
- const char* target_name,
- BYTE* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) {
- NTSTATUS ret = ResolveTarget(target_module, target_name, &target_);
- if (!NT_SUCCESS(ret))
- return ret;
-
- size_t thunk_bytes = GetThunkSize();
- if (storage_bytes < thunk_bytes)
- return STATUS_UNSUCCESSFUL;
-
- ServiceFullThunk* thunk = reinterpret_cast<ServiceFullThunk*>(thunk_storage);
-
- if (!IsFunctionAService(&thunk->original) &&
- (!relaxed_ || !SaveOriginalFunction(&thunk->original, thunk_storage))) {
- return STATUS_UNSUCCESSFUL;
- }
-
- if (NULL != storage_used)
- *storage_used = thunk_bytes;
-
- return ret;
-}
-
-bool ServiceResolverThunk::IsFunctionAService(void* local_thunk) const {
- ServiceEntry function_code;
- SIZE_T read;
- if (!::ReadProcessMemory(process_, target_, &function_code,
- sizeof(function_code), &read)) {
- return false;
- }
-
- if (sizeof(function_code) != read)
- return false;
-
- if (kMovEax != function_code.mov_eax ||
- kMovEdx != function_code.mov_edx ||
- (kCallPtrEdx != function_code.call_ptr_edx &&
- kCallEdx != function_code.call_ptr_edx) ||
- kRet != function_code.ret) {
- return false;
- }
-
- // Find the system call pointer if we don't already have it.
- if (kCallEdx != function_code.call_ptr_edx) {
- DWORD ki_system_call;
- if (!::ReadProcessMemory(process_,
- bit_cast<const void*>(function_code.stub),
- &ki_system_call, sizeof(ki_system_call), &read)) {
- return false;
- }
-
- if (sizeof(ki_system_call) != read)
- return false;
-
- HMODULE module_1, module_2;
- // last check, call_stub should point to a KiXXSystemCall function on ntdll
- if (!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
- GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
- bit_cast<const wchar_t*>(ki_system_call),
- &module_1)) {
- return false;
- }
-
- if (NULL != ntdll_base_) {
- // This path is only taken when running the unit tests. We want to be
- // able to patch a buffer in memory, so target_ is not inside ntdll.
- module_2 = ntdll_base_;
- } else {
- if (!GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS |
- GET_MODULE_HANDLE_EX_FLAG_UNCHANGED_REFCOUNT,
- reinterpret_cast<const wchar_t*>(target_),
- &module_2))
- return false;
- }
-
- if (module_1 != module_2)
- return false;
- }
-
- // Save the verified code
- memcpy(local_thunk, &function_code, sizeof(function_code));
-
- return true;
-}
-
-NTSTATUS ServiceResolverThunk::PerformPatch(void* local_thunk,
- void* remote_thunk) {
- ServiceEntry intercepted_code;
- size_t bytes_to_write = sizeof(intercepted_code);
- ServiceFullThunk *full_local_thunk = reinterpret_cast<ServiceFullThunk*>(
- local_thunk);
- ServiceFullThunk *full_remote_thunk = reinterpret_cast<ServiceFullThunk*>(
- remote_thunk);
-
- // patch the original code
- memcpy(&intercepted_code, &full_local_thunk->original,
- sizeof(intercepted_code));
- intercepted_code.mov_eax = kMovEax;
- intercepted_code.service_id = full_local_thunk->original.service_id;
- intercepted_code.mov_edx = kMovEdx;
- intercepted_code.stub = bit_cast<ULONG>(&full_remote_thunk->internal_thunk);
- intercepted_code.call_ptr_edx = kJmpEdx;
- bytes_to_write = kMinServiceSize;
-
- if (relative_jump_) {
- intercepted_code.mov_eax = kJmp32;
- intercepted_code.service_id = relative_jump_;
- bytes_to_write = offsetof(ServiceEntry, mov_edx);
- }
-
- // setup the thunk
- SetInternalThunk(&full_local_thunk->internal_thunk, GetInternalThunkSize(),
- remote_thunk, interceptor_);
-
- size_t thunk_size = GetThunkSize();
-
- // copy the local thunk buffer to the child
- SIZE_T written;
- if (!::WriteProcessMemory(process_, remote_thunk, local_thunk,
- thunk_size, &written)) {
- return STATUS_UNSUCCESSFUL;
- }
-
- if (thunk_size != written)
- return STATUS_UNSUCCESSFUL;
-
- // and now change the function to intercept, on the child
- if (NULL != ntdll_base_) {
- // running a unit test
- if (!::WriteProcessMemory(process_, target_, &intercepted_code,
- bytes_to_write, &written))
- return STATUS_UNSUCCESSFUL;
- } else {
- if (!WriteProtectedChildMemory(process_, target_, &intercepted_code,
- bytes_to_write))
- return STATUS_UNSUCCESSFUL;
- }
-
- return STATUS_SUCCESS;
-}
-
-bool ServiceResolverThunk::SaveOriginalFunction(void* local_thunk,
- void* remote_thunk) {
- ServiceEntry function_code;
- SIZE_T read;
- if (!::ReadProcessMemory(process_, target_, &function_code,
- sizeof(function_code), &read)) {
- return false;
- }
-
- if (sizeof(function_code) != read)
- return false;
-
- if (kJmp32 == function_code.mov_eax) {
- // Plain old entry point patch. The relative jump address follows it.
- ULONG relative = function_code.service_id;
-
- // First, fix our copy of their patch.
- relative += bit_cast<ULONG>(target_) - bit_cast<ULONG>(remote_thunk);
-
- function_code.service_id = relative;
-
- // And now, remember how to re-patch it.
- ServiceFullThunk *full_thunk =
- reinterpret_cast<ServiceFullThunk*>(remote_thunk);
-
- const ULONG kJmp32Size = 5;
-
- relative_jump_ = bit_cast<ULONG>(&full_thunk->internal_thunk) -
- bit_cast<ULONG>(target_) - kJmp32Size;
- }
-
- // Save the verified code
- memcpy(local_thunk, &function_code, sizeof(function_code));
-
- return true;
-}
-
-bool Wow64ResolverThunk::IsFunctionAService(void* local_thunk) const {
- Wow64Entry function_code;
- SIZE_T read;
- if (!::ReadProcessMemory(process_, target_, &function_code,
- sizeof(function_code), &read)) {
- return false;
- }
-
- if (sizeof(function_code) != read)
- return false;
-
- if (kMovEax != function_code.mov_eax || kXorEcx != function_code.xor_ecx ||
- kLeaEdx != function_code.lea_edx || kCallFs1 != function_code.call_fs1 ||
- kCallFs2 != function_code.call_fs2 ||
- kCallFs3 != function_code.call_fs3) {
- return false;
- }
-
- if ((kAddEsp1 == function_code.add_esp1 &&
- kAddEsp2 == function_code.add_esp2 &&
- kRet == function_code.ret) || kRet == function_code.add_esp1) {
- // Save the verified code
- memcpy(local_thunk, &function_code, sizeof(function_code));
- return true;
- }
-
- return false;
-}
-
-bool Wow64W8ResolverThunk::IsFunctionAService(void* local_thunk) const {
- Wow64EntryW8 function_code;
- SIZE_T read;
- if (!::ReadProcessMemory(process_, target_, &function_code,
- sizeof(function_code), &read)) {
- return false;
- }
-
- if (sizeof(function_code) != read)
- return false;
-
- if (kMovEax != function_code.mov_eax || kCallFs1 != function_code.call_fs1 ||
- kCallFs2 != function_code.call_fs2 ||
- kCallFs3 != function_code.call_fs3 || kRet != function_code.ret) {
- return false;
- }
-
- // Save the verified code
- memcpy(local_thunk, &function_code, sizeof(function_code));
- return true;
-}
-
-bool Win8ResolverThunk::IsFunctionAService(void* local_thunk) const {
- ServiceEntryW8 function_code;
- SIZE_T read;
- if (!::ReadProcessMemory(process_, target_, &function_code,
- sizeof(function_code), &read)) {
- return false;
- }
-
- if (sizeof(function_code) != read)
- return false;
-
- if (kMovEax != function_code.mov_eax || kCallEip != function_code.call_eip ||
- function_code.call_offset != 3 || kRet != function_code.ret_p ||
- kMovEdxEsp != function_code.mov_edx_esp ||
- kSysenter != function_code.sysenter || kRet2 != function_code.ret) {
- return false;
- }
-
- // Save the verified code
- memcpy(local_thunk, &function_code, sizeof(function_code));
-
- return true;
-}
-
-bool Wow64W10ResolverThunk::IsFunctionAService(void* local_thunk) const {
- Wow64EntryW10 function_code;
- SIZE_T read;
- if (!::ReadProcessMemory(process_, target_, &function_code,
- sizeof(function_code), &read)) {
- return false;
- }
-
- if (sizeof(function_code) != read)
- return false;
-
- if (kMovEax != function_code.mov_eax ||
- kMovEdx != function_code.mov_edx ||
- kCallEdx != function_code.call_edx ||
- kRet != function_code.ret) {
- return false;
- }
-
- // Save the verified code
- memcpy(local_thunk, &function_code, sizeof(function_code));
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/service_resolver_64.cc b/security/sandbox/chromium/sandbox/win/src/service_resolver_64.cc
deleted file mode 100644
index 25ee9db26..000000000
--- a/security/sandbox/chromium/sandbox/win/src/service_resolver_64.cc
+++ /dev/null
@@ -1,252 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/service_resolver.h"
-
-#include <stddef.h>
-
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-#pragma pack(push, 1)
-
-const ULONG kMmovR10EcxMovEax = 0xB8D18B4C;
-const USHORT kSyscall = 0x050F;
-const BYTE kRetNp = 0xC3;
-const ULONG64 kMov1 = 0x54894808244C8948;
-const ULONG64 kMov2 = 0x4C182444894C1024;
-const ULONG kMov3 = 0x20244C89;
-const USHORT kTestByte = 0x04F6;
-const BYTE kPtr = 0x25;
-const BYTE kRet = 0xC3;
-const USHORT kJne = 0x0375;
-
-// Service code for 64 bit systems.
-struct ServiceEntry {
- // This struct contains roughly the following code:
- // 00 mov r10,rcx
- // 03 mov eax,52h
- // 08 syscall
- // 0a ret
- // 0b xchg ax,ax
- // 0e xchg ax,ax
-
- ULONG mov_r10_rcx_mov_eax; // = 4C 8B D1 B8
- ULONG service_id;
- USHORT syscall; // = 0F 05
- BYTE ret; // = C3
- BYTE pad; // = 66
- USHORT xchg_ax_ax1; // = 66 90
- USHORT xchg_ax_ax2; // = 66 90
-};
-
-// Service code for 64 bit Windows 8.
-struct ServiceEntryW8 {
- // This struct contains the following code:
- // 00 48894c2408 mov [rsp+8], rcx
- // 05 4889542410 mov [rsp+10], rdx
- // 0a 4c89442418 mov [rsp+18], r8
- // 0f 4c894c2420 mov [rsp+20], r9
- // 14 4c8bd1 mov r10,rcx
- // 17 b825000000 mov eax,25h
- // 1c 0f05 syscall
- // 1e c3 ret
- // 1f 90 nop
-
- ULONG64 mov_1; // = 48 89 4C 24 08 48 89 54
- ULONG64 mov_2; // = 24 10 4C 89 44 24 18 4C
- ULONG mov_3; // = 89 4C 24 20
- ULONG mov_r10_rcx_mov_eax; // = 4C 8B D1 B8
- ULONG service_id;
- USHORT syscall; // = 0F 05
- BYTE ret; // = C3
- BYTE nop; // = 90
-};
-
-// Service code for 64 bit systems with int 2e fallback.
-struct ServiceEntryWithInt2E {
- // This struct contains roughly the following code:
- // 00 4c8bd1 mov r10,rcx
- // 03 b855000000 mov eax,52h
- // 08 f604250803fe7f01 test byte ptr SharedUserData!308, 1
- // 10 7503 jne [over syscall]
- // 12 0f05 syscall
- // 14 c3 ret
- // 15 cd2e int 2e
- // 17 c3 ret
-
- ULONG mov_r10_rcx_mov_eax; // = 4C 8B D1 B8
- ULONG service_id;
- USHORT test_byte; // = F6 04
- BYTE ptr; // = 25
- ULONG user_shared_data_ptr;
- BYTE one; // = 01
- USHORT jne_over_syscall; // = 75 03
- USHORT syscall; // = 0F 05
- BYTE ret; // = C3
- USHORT int2e; // = CD 2E
- BYTE ret2; // = C3
-};
-
-// We don't have an internal thunk for x64.
-struct ServiceFullThunk {
- union {
- ServiceEntry original;
- ServiceEntryW8 original_w8;
- ServiceEntryWithInt2E original_int2e_fallback;
- };
-};
-
-#pragma pack(pop)
-
-bool IsService(const void* source) {
- const ServiceEntry* service =
- reinterpret_cast<const ServiceEntry*>(source);
-
- return (kMmovR10EcxMovEax == service->mov_r10_rcx_mov_eax &&
- kSyscall == service->syscall && kRetNp == service->ret);
-}
-
-bool IsServiceW8(const void* source) {
- const ServiceEntryW8* service =
- reinterpret_cast<const ServiceEntryW8*>(source);
-
- return (kMmovR10EcxMovEax == service->mov_r10_rcx_mov_eax &&
- kMov1 == service->mov_1 && kMov2 == service->mov_2 &&
- kMov3 == service->mov_3);
-}
-
-bool IsServiceWithInt2E(const void* source) {
- const ServiceEntryWithInt2E* service =
- reinterpret_cast<const ServiceEntryWithInt2E*>(source);
-
- return (kMmovR10EcxMovEax == service->mov_r10_rcx_mov_eax &&
- kTestByte == service->test_byte && kPtr == service->ptr &&
- kJne == service->jne_over_syscall && kSyscall == service->syscall &&
- kRet == service->ret && kRet == service->ret2);
-}
-
-}; // namespace
-
-namespace sandbox {
-
-NTSTATUS ServiceResolverThunk::Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) {
- NTSTATUS ret =
- Init(target_module, interceptor_module, target_name, interceptor_name,
- interceptor_entry_point, thunk_storage, storage_bytes);
- if (!NT_SUCCESS(ret))
- return ret;
-
- size_t thunk_bytes = GetThunkSize();
- scoped_ptr<char[]> thunk_buffer(new char[thunk_bytes]);
- ServiceFullThunk* thunk = reinterpret_cast<ServiceFullThunk*>(
- thunk_buffer.get());
-
- if (!IsFunctionAService(&thunk->original))
- return STATUS_UNSUCCESSFUL;
-
- ret = PerformPatch(thunk, thunk_storage);
-
- if (NULL != storage_used)
- *storage_used = thunk_bytes;
-
- return ret;
-}
-
-size_t ServiceResolverThunk::GetThunkSize() const {
- return sizeof(ServiceFullThunk);
-}
-
-NTSTATUS ServiceResolverThunk::CopyThunk(const void* target_module,
- const char* target_name,
- BYTE* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) {
- NTSTATUS ret = ResolveTarget(target_module, target_name, &target_);
- if (!NT_SUCCESS(ret))
- return ret;
-
- size_t thunk_bytes = GetThunkSize();
- if (storage_bytes < thunk_bytes)
- return STATUS_UNSUCCESSFUL;
-
- ServiceFullThunk* thunk = reinterpret_cast<ServiceFullThunk*>(thunk_storage);
-
- if (!IsFunctionAService(&thunk->original))
- return STATUS_UNSUCCESSFUL;
-
- if (NULL != storage_used)
- *storage_used = thunk_bytes;
-
- return ret;
-}
-
-bool ServiceResolverThunk::IsFunctionAService(void* local_thunk) const {
- ServiceFullThunk function_code;
- SIZE_T read;
- if (!::ReadProcessMemory(process_, target_, &function_code,
- sizeof(function_code), &read))
- return false;
-
- if (sizeof(function_code) != read)
- return false;
-
- if (!IsService(&function_code) && !IsServiceW8(&function_code) &&
- !IsServiceWithInt2E(&function_code))
- return false;
-
- // Save the verified code.
- memcpy(local_thunk, &function_code, sizeof(function_code));
-
- return true;
-}
-
-NTSTATUS ServiceResolverThunk::PerformPatch(void* local_thunk,
- void* remote_thunk) {
- // Patch the original code.
- ServiceEntry local_service;
- DCHECK_NT(GetInternalThunkSize() <= sizeof(local_service));
- if (!SetInternalThunk(&local_service, sizeof(local_service), NULL,
- interceptor_))
- return STATUS_UNSUCCESSFUL;
-
- // Copy the local thunk buffer to the child.
- SIZE_T actual;
- if (!::WriteProcessMemory(process_, remote_thunk, local_thunk,
- sizeof(ServiceFullThunk), &actual))
- return STATUS_UNSUCCESSFUL;
-
- if (sizeof(ServiceFullThunk) != actual)
- return STATUS_UNSUCCESSFUL;
-
- // And now change the function to intercept, on the child.
- if (NULL != ntdll_base_) {
- // Running a unit test.
- if (!::WriteProcessMemory(process_, target_, &local_service,
- sizeof(local_service), &actual))
- return STATUS_UNSUCCESSFUL;
- } else {
- if (!WriteProtectedChildMemory(process_, target_, &local_service,
- sizeof(local_service)))
- return STATUS_UNSUCCESSFUL;
- }
-
- return STATUS_SUCCESS;
-}
-
-bool Wow64ResolverThunk::IsFunctionAService(void* local_thunk) const {
- NOTREACHED_NT();
- return false;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/service_resolver_unittest.cc b/security/sandbox/chromium/sandbox/win/src/service_resolver_unittest.cc
deleted file mode 100644
index 25d087573..000000000
--- a/security/sandbox/chromium/sandbox/win/src/service_resolver_unittest.cc
+++ /dev/null
@@ -1,268 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file contains unit tests for ServiceResolverThunk.
-
-#include <stddef.h>
-
-#include "base/bit_cast.h"
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/resolver.h"
-#include "sandbox/win/src/sandbox_utils.h"
-#include "sandbox/win/src/service_resolver.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace {
-
-// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll.
-template<typename T>
-class ResolverThunkTest : public T {
- public:
- // The service resolver needs a child process to write to.
- explicit ResolverThunkTest(bool relaxed)
- : T(::GetCurrentProcess(), relaxed) {}
-
- // Sets the interception target to the desired address.
- void set_target(void* target) {
- fake_target_ = target;
- }
-
- protected:
- // Overrides Resolver::Init
- virtual NTSTATUS Init(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes) {
- NTSTATUS ret = STATUS_SUCCESS;
- ret = T::Init(target_module, interceptor_module, target_name,
- interceptor_name, interceptor_entry_point, thunk_storage,
- storage_bytes);
- EXPECT_EQ(STATUS_SUCCESS, ret);
-
- this->target_ = fake_target_;
-
- return ret;
- };
-
- private:
- // Holds the address of the fake target.
- void* fake_target_;
-
- DISALLOW_COPY_AND_ASSIGN(ResolverThunkTest);
-};
-
-typedef ResolverThunkTest<sandbox::ServiceResolverThunk> WinXpResolverTest;
-
-#if !defined(_WIN64)
-typedef ResolverThunkTest<sandbox::Win8ResolverThunk> Win8ResolverTest;
-typedef ResolverThunkTest<sandbox::Wow64ResolverThunk> Wow64ResolverTest;
-typedef ResolverThunkTest<sandbox::Wow64W8ResolverThunk> Wow64W8ResolverTest;
-typedef ResolverThunkTest<sandbox::Wow64W10ResolverThunk> Wow64W10ResolverTest;
-#endif
-
-const BYTE kJump32 = 0xE9;
-
-void CheckJump(void* source, void* target) {
-#pragma pack(push)
-#pragma pack(1)
- struct Code {
- BYTE jump;
- ULONG delta;
- };
-#pragma pack(pop)
-
-#if defined(_WIN64)
- FAIL() << "Running 32-bit codepath";
-#else
- Code* patched = reinterpret_cast<Code*>(source);
- EXPECT_EQ(kJump32, patched->jump);
-
- ULONG source_addr = bit_cast<ULONG>(source);
- ULONG target_addr = bit_cast<ULONG>(target);
- EXPECT_EQ(target_addr + 19 - source_addr, patched->delta);
-#endif
-}
-
-NTSTATUS PatchNtdllWithResolver(const char* function, bool relaxed,
- sandbox::ServiceResolverThunk* resolver) {
- HMODULE ntdll_base = ::GetModuleHandle(L"ntdll.dll");
- EXPECT_TRUE(NULL != ntdll_base);
-
- void* target = ::GetProcAddress(ntdll_base, function);
- EXPECT_TRUE(NULL != target);
- if (NULL == target)
- return STATUS_UNSUCCESSFUL;
-
- BYTE service[50];
- memcpy(service, target, sizeof(service));
-
- static_cast<WinXpResolverTest*>(resolver)->set_target(service);
-
- // Any pointer will do as an interception_entry_point
- void* function_entry = resolver;
- size_t thunk_size = resolver->GetThunkSize();
- scoped_ptr<char[]> thunk(new char[thunk_size]);
- size_t used;
-
- resolver->AllowLocalPatches();
-
- NTSTATUS ret = resolver->Setup(ntdll_base, NULL, function, NULL,
- function_entry, thunk.get(), thunk_size,
- &used);
- if (NT_SUCCESS(ret)) {
- EXPECT_EQ(thunk_size, used);
- EXPECT_NE(0, memcmp(service, target, sizeof(service)));
- EXPECT_NE(kJump32, service[0]);
-
- if (relaxed) {
- // It's already patched, let's patch again, and simulate a direct patch.
- service[0] = kJump32;
- ret = resolver->Setup(ntdll_base, NULL, function, NULL, function_entry,
- thunk.get(), thunk_size, &used);
- CheckJump(service, thunk.get());
- }
- }
-
- return ret;
-}
-
-sandbox::ServiceResolverThunk* GetTestResolver(bool relaxed) {
-#if defined(_WIN64)
- return new WinXpResolverTest(relaxed);
-#else
- base::win::OSInfo* os_info = base::win::OSInfo::GetInstance();
- if (os_info->wow64_status() == base::win::OSInfo::WOW64_ENABLED) {
- if (os_info->version() >= base::win::VERSION_WIN10)
- return new Wow64W10ResolverTest(relaxed);
- if (os_info->version() >= base::win::VERSION_WIN8)
- return new Wow64W8ResolverTest(relaxed);
- return new Wow64ResolverTest(relaxed);
- }
-
- if (os_info->version() >= base::win::VERSION_WIN8)
- return new Win8ResolverTest(relaxed);
-
- return new WinXpResolverTest(relaxed);
-#endif
-}
-
-NTSTATUS PatchNtdll(const char* function, bool relaxed) {
- sandbox::ServiceResolverThunk* resolver = GetTestResolver(relaxed);
-
- NTSTATUS ret = PatchNtdllWithResolver(function, relaxed, resolver);
- delete resolver;
- return ret;
-}
-
-TEST(ServiceResolverTest, PatchesServices) {
- NTSTATUS ret = PatchNtdll("NtClose", false);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtClose, last error: " << ::GetLastError();
-
- ret = PatchNtdll("NtCreateFile", false);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtCreateFile, last error: " <<
- ::GetLastError();
-
- ret = PatchNtdll("NtCreateMutant", false);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtCreateMutant, last error: " <<
- ::GetLastError();
-
- ret = PatchNtdll("NtMapViewOfSection", false);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtMapViewOfSection, last error: " <<
- ::GetLastError();
-}
-
-TEST(ServiceResolverTest, FailsIfNotService) {
-#if !defined(_WIN64)
- EXPECT_NE(STATUS_SUCCESS, PatchNtdll("RtlUlongByteSwap", false));
-#endif
-
- EXPECT_NE(STATUS_SUCCESS, PatchNtdll("LdrLoadDll", false));
-}
-
-TEST(ServiceResolverTest, PatchesPatchedServices) {
-// We don't support "relaxed mode" for Win64 apps.
-#if !defined(_WIN64)
- NTSTATUS ret = PatchNtdll("NtClose", true);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtClose, last error: " << ::GetLastError();
-
- ret = PatchNtdll("NtCreateFile", true);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtCreateFile, last error: " <<
- ::GetLastError();
-
- ret = PatchNtdll("NtCreateMutant", true);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtCreateMutant, last error: " <<
- ::GetLastError();
-
- ret = PatchNtdll("NtMapViewOfSection", true);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtMapViewOfSection, last error: " <<
- ::GetLastError();
-#endif
-}
-
-TEST(ServiceResolverTest, MultiplePatchedServices) {
-// We don't support "relaxed mode" for Win64 apps.
-#if !defined(_WIN64)
- sandbox::ServiceResolverThunk* resolver = GetTestResolver(true);
- NTSTATUS ret = PatchNtdllWithResolver("NtClose", true, resolver);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtClose, last error: " << ::GetLastError();
-
- ret = PatchNtdllWithResolver("NtCreateFile", true, resolver);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtCreateFile, last error: " <<
- ::GetLastError();
-
- ret = PatchNtdllWithResolver("NtCreateMutant", true, resolver);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtCreateMutant, last error: " <<
- ::GetLastError();
-
- ret = PatchNtdllWithResolver("NtMapViewOfSection", true, resolver);
- EXPECT_EQ(STATUS_SUCCESS, ret) << "NtMapViewOfSection, last error: " <<
- ::GetLastError();
- delete resolver;
-#endif
-}
-
-TEST(ServiceResolverTest, LocalPatchesAllowed) {
- sandbox::ServiceResolverThunk* resolver = GetTestResolver(true);
-
- HMODULE ntdll_base = ::GetModuleHandle(L"ntdll.dll");
- ASSERT_TRUE(NULL != ntdll_base);
-
- const char kFunctionName[] = "NtClose";
-
- void* target = ::GetProcAddress(ntdll_base, kFunctionName);
- ASSERT_TRUE(NULL != target);
-
- BYTE service[50];
- memcpy(service, target, sizeof(service));
- static_cast<WinXpResolverTest*>(resolver)->set_target(service);
-
- // Any pointer will do as an interception_entry_point
- void* function_entry = resolver;
- size_t thunk_size = resolver->GetThunkSize();
- scoped_ptr<char[]> thunk(new char[thunk_size]);
- size_t used;
-
- NTSTATUS ret = STATUS_UNSUCCESSFUL;
-
- // First try patching without having allowed local patches.
- ret = resolver->Setup(ntdll_base, NULL, kFunctionName, NULL,
- function_entry, thunk.get(), thunk_size,
- &used);
- EXPECT_FALSE(NT_SUCCESS(ret));
-
- // Now allow local patches and check that things work.
- resolver->AllowLocalPatches();
- ret = resolver->Setup(ntdll_base, NULL, kFunctionName, NULL,
- function_entry, thunk.get(), thunk_size,
- &used);
- EXPECT_EQ(STATUS_SUCCESS, ret);
-}
-
-} // namespace
diff --git a/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.cc b/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.cc
deleted file mode 100644
index eac13937c..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.cc
+++ /dev/null
@@ -1,153 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-#include <string.h>
-
-#include "base/logging.h"
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/crosscall_params.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-
-namespace sandbox {
-
-// Get the base of the data buffer of the channel; this is where the input
-// parameters get serialized. Since they get serialized directly into the
-// channel we avoid one copy.
-void* SharedMemIPCClient::GetBuffer() {
- bool failure = false;
- size_t ix = LockFreeChannel(&failure);
- if (failure) {
- return NULL;
- }
- return reinterpret_cast<char*>(control_) +
- control_->channels[ix].channel_base;
-}
-
-// If we need to cancel an IPC before issuing DoCall
-// our client should call FreeBuffer with the same pointer
-// returned by GetBuffer.
-void SharedMemIPCClient::FreeBuffer(void* buffer) {
- size_t num = ChannelIndexFromBuffer(buffer);
- ChannelControl* channel = control_->channels;
- LONG result = ::InterlockedExchange(&channel[num].state, kFreeChannel);
- DCHECK_NE(kFreeChannel, static_cast<ChannelState>(result));
-}
-
-// The constructor simply casts the shared memory to the internal
-// structures. This is a cheap step that is why this IPC object can
-// and should be constructed per call.
-SharedMemIPCClient::SharedMemIPCClient(void* shared_mem)
- : control_(reinterpret_cast<IPCControl*>(shared_mem)) {
- first_base_ = reinterpret_cast<char*>(shared_mem) +
- control_->channels[0].channel_base;
- // There must be at least one channel.
- DCHECK(0 != control_->channels_count);
-}
-
-// Do the IPC. At this point the channel should have already been
-// filled with the serialized input parameters.
-// We follow the pattern explained in the header file.
-ResultCode SharedMemIPCClient::DoCall(CrossCallParams* params,
- CrossCallReturn* answer) {
- if (!control_->server_alive)
- return SBOX_ERROR_CHANNEL_ERROR;
-
- size_t num = ChannelIndexFromBuffer(params->GetBuffer());
- ChannelControl* channel = control_->channels;
- // Note that the IPC tag goes outside the buffer as well inside
- // the buffer. This should enable the server to prioritize based on
- // IPC tags without having to de-serialize the entire message.
- channel[num].ipc_tag = params->GetTag();
-
- // Wait for the server to service this IPC call. After kIPCWaitTimeOut1
- // we check if the server_alive mutex was abandoned which will indicate
- // that the server has died.
-
- // While the atomic signaling and waiting is not a requirement, it
- // is nice because we save a trip to kernel.
- DWORD wait = ::SignalObjectAndWait(channel[num].ping_event,
- channel[num].pong_event,
- kIPCWaitTimeOut1, FALSE);
- if (WAIT_TIMEOUT == wait) {
- // The server is taking too long. Enter a loop were we check if the
- // server_alive mutex has been abandoned which would signal a server crash
- // or else we keep waiting for a response.
- while (true) {
- wait = ::WaitForSingleObject(control_->server_alive, 0);
- if (WAIT_TIMEOUT == wait) {
- // Server seems still alive. We already signaled so here we just wait.
- wait = ::WaitForSingleObject(channel[num].pong_event, kIPCWaitTimeOut1);
- if (WAIT_OBJECT_0 == wait) {
- // The server took a long time but responded.
- break;
- } else if (WAIT_TIMEOUT == wait) {
- continue;
- } else {
- return SBOX_ERROR_CHANNEL_ERROR;
- }
- } else {
- // The server has crashed and windows has signaled the mutex as
- // abandoned.
- ::InterlockedExchange(&channel[num].state, kAbandonedChannel);
- control_->server_alive = 0;
- return SBOX_ERROR_CHANNEL_ERROR;
- }
- }
- } else if (WAIT_OBJECT_0 != wait) {
- // Probably the server crashed before the kIPCWaitTimeOut1 occurred.
- return SBOX_ERROR_CHANNEL_ERROR;
- }
-
- // The server has returned an answer, copy it and free the channel.
- memcpy(answer, params->GetCallReturn(), sizeof(CrossCallReturn));
-
- // Return the IPC state It can indicate that while the IPC has
- // completed some error in the Broker has caused to not return valid
- // results.
- return answer->call_outcome;
-}
-
-// Locking a channel is a simple as looping over all the channels
-// looking for one that is has state = kFreeChannel and atomically
-// swapping it to kBusyChannel.
-// If there is no free channel, then we must back off so some other
-// thread makes progress and frees a channel. To back off we sleep.
-size_t SharedMemIPCClient::LockFreeChannel(bool* severe_failure) {
- if (0 == control_->channels_count) {
- *severe_failure = true;
- return 0;
- }
- ChannelControl* channel = control_->channels;
- do {
- for (size_t ix = 0; ix != control_->channels_count; ++ix) {
- if (kFreeChannel == ::InterlockedCompareExchange(&channel[ix].state,
- kBusyChannel,
- kFreeChannel)) {
- *severe_failure = false;
- return ix;
- }
- }
- // We did not find any available channel, maybe the server is dead.
- DWORD wait = ::WaitForSingleObject(control_->server_alive,
- kIPCWaitTimeOut2);
- if (WAIT_TIMEOUT != wait) {
- // The server is dead and we outlive it enough to get in trouble.
- *severe_failure = true;
- return 0;
- }
- }
- while (true);
-}
-
-// Find out which channel we are from the pointer returned by GetBuffer.
-size_t SharedMemIPCClient::ChannelIndexFromBuffer(const void* buffer) {
- ptrdiff_t d = reinterpret_cast<const char*>(buffer) - first_base_;
- size_t num = d/kIPCChannelSize;
- DCHECK_LT(num, control_->channels_count);
- return (num);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.h b/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.h
deleted file mode 100644
index 67fd06359..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_client.h
+++ /dev/null
@@ -1,139 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SHAREDMEM_IPC_CLIENT_H__
-#define SANDBOX_SRC_SHAREDMEM_IPC_CLIENT_H__
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "sandbox/win/src/crosscall_params.h"
-#include "sandbox/win/src/sandbox.h"
-
-// IPC transport implementation that uses shared memory.
-// This is the client side
-//
-// The shared memory is divided on blocks called channels, and potentially
-// it can perform as many concurrent IPC calls as channels. The IPC over
-// each channel is strictly synchronous for the client.
-//
-// Each channel as a channel control section associated with. Each control
-// section has two kernel events (known as ping and pong) and a integer
-// variable that maintains a state
-//
-// this is the state diagram of a channel:
-//
-// locked in service
-// kFreeChannel---------->BusyChannel-------------->kAckChannel
-// ^ |
-// |_________________________________________________|
-// answer ready
-//
-// The protocol is as follows:
-// 1) client finds a free channel: state = kFreeChannel
-// 2) does an atomic compare-and-swap, now state = BusyChannel
-// 3) client writes the data into the channel buffer
-// 4) client signals the ping event and waits (blocks) on the pong event
-// 5) eventually the server signals the pong event
-// 6) the client awakes and reads the answer from the same channel
-// 7) the client updates its InOut parameters with the new data from the
-// shared memory section.
-// 8) the client atomically sets the state = kFreeChannel
-//
-// In the shared memory the layout is as follows:
-//
-// [ channel count ]
-// [ channel control 0]
-// [ channel control 1]
-// [ channel control N]
-// [ channel buffer 0 ] 1024 bytes
-// [ channel buffer 1 ] 1024 bytes
-// [ channel buffer N ] 1024 bytes
-//
-// By default each channel buffer is 1024 bytes
-namespace sandbox {
-
-// the possible channel states as described above
-enum ChannelState {
- // channel is free
- kFreeChannel = 1,
- // IPC in progress client side
- kBusyChannel,
- // IPC in progress server side
- kAckChannel,
- // not used right now
- kReadyChannel,
- // IPC abandoned by client side
- kAbandonedChannel
-};
-
-// The next two constants control the time outs for the IPC.
-const DWORD kIPCWaitTimeOut1 = 1000; // Milliseconds.
-const DWORD kIPCWaitTimeOut2 = 50; // Milliseconds.
-
-// the channel control structure
-struct ChannelControl {
- // points to be beginning of the channel buffer, where data goes
- size_t channel_base;
- // maintains the state from the ChannelState enumeration
- volatile LONG state;
- // the ping event is signaled by the client when the IPC data is ready on
- // the buffer
- HANDLE ping_event;
- // the client waits on the pong event for the IPC answer back
- HANDLE pong_event;
- // the IPC unique identifier
- uint32_t ipc_tag;
-};
-
-struct IPCControl {
- // total number of channels available, some might be busy at a given time
- size_t channels_count;
- // handle to a shared mutex to detect when the server is dead
- HANDLE server_alive;
- // array of channel control structures
- ChannelControl channels[1];
-};
-
-// the actual shared memory IPC implementation class. This object is designed
-// to be lightweight so it can be constructed on-site (at the calling place)
-// wherever an IPC call is needed.
-class SharedMemIPCClient {
- public:
- // Creates the IPC client.
- // as parameter it takes the base address of the shared memory
- explicit SharedMemIPCClient(void* shared_mem);
-
- // locks a free channel and returns the channel buffer memory base. This call
- // blocks until there is a free channel
- void* GetBuffer();
-
- // releases the lock on the channel, for other to use. call this if you have
- // called GetBuffer and you want to abort but have not called yet DoCall()
- void FreeBuffer(void* buffer);
-
- // Performs the actual IPC call.
- // params: The blob of packed input parameters.
- // answer: upon IPC completion, it contains the server answer to the IPC.
- // If the return value is not SBOX_ERROR_CHANNEL_ERROR, the caller has to free
- // the channel.
- // returns ALL_OK if the IPC mechanism successfully delivered. You still need
- // to check on the answer structure to see the actual IPC result.
- ResultCode DoCall(CrossCallParams* params, CrossCallReturn* answer);
-
- private:
- // Returns the index of the first free channel. It sets 'severe_failure'
- // to true if there is an unrecoverable error that does not allow to
- // find a channel.
- size_t LockFreeChannel(bool* severe_failure);
- // Return the channel index given the address of the buffer.
- size_t ChannelIndexFromBuffer(const void* buffer);
- IPCControl* control_;
- // point to the first channel base
- char* first_base_;
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SHAREDMEM_IPC_CLIENT_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.cc b/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.cc
deleted file mode 100644
index cf2d800e5..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.cc
+++ /dev/null
@@ -1,430 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/callback.h"
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/stl_util.h"
-#include "sandbox/win/src/crosscall_params.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/sharedmem_ipc_server.h"
-
-namespace {
-// This handle must not be closed.
-volatile HANDLE g_alive_mutex = NULL;
-}
-
-namespace sandbox {
-
-SharedMemIPCServer::ServerControl::ServerControl() {
-}
-
-SharedMemIPCServer::ServerControl::~ServerControl() {
-}
-
-SharedMemIPCServer::SharedMemIPCServer(HANDLE target_process,
- DWORD target_process_id,
- ThreadProvider* thread_provider,
- Dispatcher* dispatcher)
- : client_control_(NULL),
- thread_provider_(thread_provider),
- target_process_(target_process),
- target_process_id_(target_process_id),
- call_dispatcher_(dispatcher) {
- // We create a initially owned mutex. If the server dies unexpectedly,
- // the thread that owns it will fail to release the lock and windows will
- // report to the target (when it tries to acquire it) that the wait was
- // abandoned. Note: We purposely leak the local handle because we want it to
- // be closed by Windows itself so it is properly marked as abandoned if the
- // server dies.
- if (!g_alive_mutex) {
- HANDLE mutex = ::CreateMutexW(NULL, TRUE, NULL);
- if (::InterlockedCompareExchangePointer(&g_alive_mutex, mutex, NULL)) {
- // We lost the race to create the mutex.
- ::CloseHandle(mutex);
- }
- }
-}
-
-SharedMemIPCServer::~SharedMemIPCServer() {
- // Free the wait handles associated with the thread pool.
- if (!thread_provider_->UnRegisterWaits(this)) {
- // Better to leak than to crash.
- return;
- }
- STLDeleteElements(&server_contexts_);
-
- if (client_control_)
- ::UnmapViewOfFile(client_control_);
-}
-
-bool SharedMemIPCServer::Init(void* shared_mem,
- uint32_t shared_size,
- uint32_t channel_size) {
- // The shared memory needs to be at least as big as a channel.
- if (shared_size < channel_size) {
- return false;
- }
- // The channel size should be aligned.
- if (0 != (channel_size % 32)) {
- return false;
- }
-
- // Calculate how many channels we can fit in the shared memory.
- shared_size -= offsetof(IPCControl, channels);
- size_t channel_count = shared_size / (sizeof(ChannelControl) + channel_size);
-
- // If we cannot fit even one channel we bail out.
- if (0 == channel_count) {
- return false;
- }
- // Calculate the start of the first channel.
- size_t base_start = (sizeof(ChannelControl)* channel_count) +
- offsetof(IPCControl, channels);
-
- client_control_ = reinterpret_cast<IPCControl*>(shared_mem);
- client_control_->channels_count = 0;
-
- // This is the initialization that we do per-channel. Basically:
- // 1) make two events (ping & pong)
- // 2) create handles to the events for the client and the server.
- // 3) initialize the channel (client_context) with the state.
- // 4) initialize the server side of the channel (service_context).
- // 5) call the thread provider RegisterWait to register the ping events.
- for (size_t ix = 0; ix != channel_count; ++ix) {
- ChannelControl* client_context = &client_control_->channels[ix];
- ServerControl* service_context = new ServerControl;
- server_contexts_.push_back(service_context);
-
- if (!MakeEvents(&service_context->ping_event,
- &service_context->pong_event,
- &client_context->ping_event,
- &client_context->pong_event)) {
- return false;
- }
-
- client_context->channel_base = base_start;
- client_context->state = kFreeChannel;
-
- // Note that some of these values are available as members of this object
- // but we put them again into the service_context because we will be called
- // on a static method (ThreadPingEventReady). In particular, target_process_
- // is a raw handle that is not owned by this object (it's owned by the
- // owner of this object), and we are storing it in multiple places.
- service_context->shared_base = reinterpret_cast<char*>(shared_mem);
- service_context->channel_size = channel_size;
- service_context->channel = client_context;
- service_context->channel_buffer = service_context->shared_base +
- client_context->channel_base;
- service_context->dispatcher = call_dispatcher_;
- service_context->target_info.process = target_process_;
- service_context->target_info.process_id = target_process_id_;
- // Advance to the next channel.
- base_start += channel_size;
- // Register the ping event with the threadpool.
- thread_provider_->RegisterWait(this, service_context->ping_event.Get(),
- ThreadPingEventReady, service_context);
- }
- if (!::DuplicateHandle(::GetCurrentProcess(), g_alive_mutex,
- target_process_, &client_control_->server_alive,
- SYNCHRONIZE | EVENT_MODIFY_STATE, FALSE, 0)) {
- return false;
- }
- // This last setting indicates to the client all is setup.
- client_control_->channels_count = channel_count;
- return true;
-}
-
-// Releases memory allocated for IPC arguments, if needed.
-void ReleaseArgs(const IPCParams* ipc_params, void* args[kMaxIpcParams]) {
- for (size_t i = 0; i < kMaxIpcParams; i++) {
- switch (ipc_params->args[i]) {
- case WCHAR_TYPE: {
- delete reinterpret_cast<base::string16*>(args[i]);
- args[i] = NULL;
- break;
- }
- case INOUTPTR_TYPE: {
- delete reinterpret_cast<CountedBuffer*>(args[i]);
- args[i] = NULL;
- break;
- }
- default: break;
- }
- }
-}
-
-// Fills up the list of arguments (args and ipc_params) for an IPC call.
-bool GetArgs(CrossCallParamsEx* params, IPCParams* ipc_params,
- void* args[kMaxIpcParams]) {
- if (kMaxIpcParams < params->GetParamsCount())
- return false;
-
- for (uint32_t i = 0; i < params->GetParamsCount(); i++) {
- uint32_t size;
- ArgType type;
- args[i] = params->GetRawParameter(i, &size, &type);
- if (args[i]) {
- ipc_params->args[i] = type;
- switch (type) {
- case WCHAR_TYPE: {
- scoped_ptr<base::string16> data(new base::string16);
- if (!params->GetParameterStr(i, data.get())) {
- args[i] = 0;
- ReleaseArgs(ipc_params, args);
- return false;
- }
- args[i] = data.release();
- break;
- }
- case UINT32_TYPE: {
- uint32_t data;
- if (!params->GetParameter32(i, &data)) {
- ReleaseArgs(ipc_params, args);
- return false;
- }
- IPCInt ipc_int(data);
- args[i] = ipc_int.AsVoidPtr();
- break;
- }
- case VOIDPTR_TYPE : {
- void* data;
- if (!params->GetParameterVoidPtr(i, &data)) {
- ReleaseArgs(ipc_params, args);
- return false;
- }
- args[i] = data;
- break;
- }
- case INOUTPTR_TYPE: {
- if (!args[i]) {
- ReleaseArgs(ipc_params, args);
- return false;
- }
- CountedBuffer* buffer = new CountedBuffer(args[i] , size);
- args[i] = buffer;
- break;
- }
- default: break;
- }
- }
- }
- return true;
-}
-
-bool SharedMemIPCServer::InvokeCallback(const ServerControl* service_context,
- void* ipc_buffer,
- CrossCallReturn* call_result) {
- // Set the default error code;
- SetCallError(SBOX_ERROR_INVALID_IPC, call_result);
- uint32_t output_size = 0;
- // Parse, verify and copy the message. The handler operates on a copy
- // of the message so the client cannot play dirty tricks by changing the
- // data in the channel while the IPC is being processed.
- scoped_ptr<CrossCallParamsEx> params(
- CrossCallParamsEx::CreateFromBuffer(ipc_buffer,
- service_context->channel_size,
- &output_size));
- if (!params.get())
- return false;
-
- uint32_t tag = params->GetTag();
- static_assert(0 == INVALID_TYPE, "incorrect type enum");
- IPCParams ipc_params = {0};
- ipc_params.ipc_tag = tag;
-
- void* args[kMaxIpcParams];
- if (!GetArgs(params.get(), &ipc_params, args))
- return false;
-
- IPCInfo ipc_info = {0};
- ipc_info.ipc_tag = tag;
- ipc_info.client_info = &service_context->target_info;
- Dispatcher* dispatcher = service_context->dispatcher;
- DCHECK(dispatcher);
- bool error = true;
- Dispatcher* handler = NULL;
-
- Dispatcher::CallbackGeneric callback_generic;
- handler = dispatcher->OnMessageReady(&ipc_params, &callback_generic);
- if (handler) {
- switch (params->GetParamsCount()) {
- case 0: {
- // Ask the IPC dispatcher if she can service this IPC.
- Dispatcher::Callback0 callback =
- reinterpret_cast<Dispatcher::Callback0>(callback_generic);
- if (!(handler->*callback)(&ipc_info))
- break;
- error = false;
- break;
- }
- case 1: {
- Dispatcher::Callback1 callback =
- reinterpret_cast<Dispatcher::Callback1>(callback_generic);
- if (!(handler->*callback)(&ipc_info, args[0]))
- break;
- error = false;
- break;
- }
- case 2: {
- Dispatcher::Callback2 callback =
- reinterpret_cast<Dispatcher::Callback2>(callback_generic);
- if (!(handler->*callback)(&ipc_info, args[0], args[1]))
- break;
- error = false;
- break;
- }
- case 3: {
- Dispatcher::Callback3 callback =
- reinterpret_cast<Dispatcher::Callback3>(callback_generic);
- if (!(handler->*callback)(&ipc_info, args[0], args[1], args[2]))
- break;
- error = false;
- break;
- }
- case 4: {
- Dispatcher::Callback4 callback =
- reinterpret_cast<Dispatcher::Callback4>(callback_generic);
- if (!(handler->*callback)(&ipc_info, args[0], args[1], args[2],
- args[3]))
- break;
- error = false;
- break;
- }
- case 5: {
- Dispatcher::Callback5 callback =
- reinterpret_cast<Dispatcher::Callback5>(callback_generic);
- if (!(handler->*callback)(&ipc_info, args[0], args[1], args[2], args[3],
- args[4]))
- break;
- error = false;
- break;
- }
- case 6: {
- Dispatcher::Callback6 callback =
- reinterpret_cast<Dispatcher::Callback6>(callback_generic);
- if (!(handler->*callback)(&ipc_info, args[0], args[1], args[2], args[3],
- args[4], args[5]))
- break;
- error = false;
- break;
- }
- case 7: {
- Dispatcher::Callback7 callback =
- reinterpret_cast<Dispatcher::Callback7>(callback_generic);
- if (!(handler->*callback)(&ipc_info, args[0], args[1], args[2], args[3],
- args[4], args[5], args[6]))
- break;
- error = false;
- break;
- }
- case 8: {
- Dispatcher::Callback8 callback =
- reinterpret_cast<Dispatcher::Callback8>(callback_generic);
- if (!(handler->*callback)(&ipc_info, args[0], args[1], args[2], args[3],
- args[4], args[5], args[6], args[7]))
- break;
- error = false;
- break;
- }
- case 9: {
- Dispatcher::Callback9 callback =
- reinterpret_cast<Dispatcher::Callback9>(callback_generic);
- if (!(handler->*callback)(&ipc_info, args[0], args[1], args[2], args[3],
- args[4], args[5], args[6], args[7], args[8]))
- break;
- error = false;
- break;
- }
- default: {
- NOTREACHED();
- break;
- }
- }
- }
-
- if (error) {
- if (handler)
- SetCallError(SBOX_ERROR_FAILED_IPC, call_result);
- } else {
- memcpy(call_result, &ipc_info.return_info, sizeof(*call_result));
- SetCallSuccess(call_result);
- if (params->IsInOut()) {
- // Maybe the params got changed by the broker. We need to upadte the
- // memory section.
- memcpy(ipc_buffer, params.get(), output_size);
- }
- }
-
- ReleaseArgs(&ipc_params, args);
-
- return !error;
-}
-
-// This function gets called by a thread from the thread pool when a
-// ping event fires. The context is the same as passed in the RegisterWait()
-// call above.
-void __stdcall SharedMemIPCServer::ThreadPingEventReady(void* context,
- unsigned char) {
- if (NULL == context) {
- DCHECK(false);
- return;
- }
- ServerControl* service_context = reinterpret_cast<ServerControl*>(context);
- // Since the event fired, the channel *must* be busy. Change to kAckChannel
- // while we service it.
- LONG last_state =
- ::InterlockedCompareExchange(&service_context->channel->state,
- kAckChannel, kBusyChannel);
- if (kBusyChannel != last_state) {
- DCHECK(false);
- return;
- }
-
- // Prepare the result structure. At this point we will return some result
- // even if the IPC is invalid, malformed or has no handler.
- CrossCallReturn call_result = {0};
- void* buffer = service_context->channel_buffer;
-
- InvokeCallback(service_context, buffer, &call_result);
-
- // Copy the answer back into the channel and signal the pong event. This
- // should wake up the client so he can finish the the ipc cycle.
- CrossCallParams* call_params = reinterpret_cast<CrossCallParams*>(buffer);
- memcpy(call_params->GetCallReturn(), &call_result, sizeof(call_result));
- ::InterlockedExchange(&service_context->channel->state, kAckChannel);
- ::SetEvent(service_context->pong_event.Get());
-}
-
-bool SharedMemIPCServer::MakeEvents(base::win::ScopedHandle* server_ping,
- base::win::ScopedHandle* server_pong,
- HANDLE* client_ping, HANDLE* client_pong) {
- // Note that the IPC client has no right to delete the events. That would
- // cause problems. The server *owns* the events.
- const DWORD kDesiredAccess = SYNCHRONIZE | EVENT_MODIFY_STATE;
-
- // The events are auto reset, and start not signaled.
- server_ping->Set(::CreateEventW(NULL, FALSE, FALSE, NULL));
- if (!::DuplicateHandle(::GetCurrentProcess(), server_ping->Get(),
- target_process_, client_ping, kDesiredAccess, FALSE,
- 0)) {
- return false;
- }
-
- server_pong->Set(::CreateEventW(NULL, FALSE, FALSE, NULL));
- if (!::DuplicateHandle(::GetCurrentProcess(), server_pong->Get(),
- target_process_, client_pong, kDesiredAccess, FALSE,
- 0)) {
- return false;
- }
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.h b/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.h
deleted file mode 100644
index 5afca1d6c..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sharedmem_ipc_server.h
+++ /dev/null
@@ -1,134 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SHAREDMEM_IPC_SERVER_H_
-#define SANDBOX_SRC_SHAREDMEM_IPC_SERVER_H_
-
-#include <stdint.h>
-
-#include <list>
-
-#include "base/gtest_prod_util.h"
-#include "base/macros.h"
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/crosscall_params.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-
-// IPC transport implementation that uses shared memory.
-// This is the server side
-//
-// The server side has knowledge about the layout of the shared memory
-// and the state transitions. Both are explained in sharedmem_ipc_client.h
-//
-// As opposed to SharedMemIPClient, the Server object should be one for the
-// entire lifetime of the target process. The server is in charge of creating
-// the events (ping, pong) both for the client and for the target that are used
-// to signal the IPC and also in charge of setting the initial state of the
-// channels.
-//
-// When an IPC is ready, the server relies on being called by on the
-// ThreadPingEventReady callback. The IPC server then retrieves the buffer,
-// marshals it into a CrossCallParam object and calls the Dispatcher, who is in
-// charge of fulfilling the IPC request.
-namespace sandbox {
-
-// the shared memory implementation of the IPC server. There should be one
-// of these objects per target (IPC client) process
-class SharedMemIPCServer {
- public:
- // Creates the IPC server.
- // target_process: handle to the target process. It must be suspended. It is
- // unfortunate to receive a raw handle (and store it inside this object) as
- // that dilutes ownership of the process, but in practice a SharedMemIPCServer
- // is owned by TargetProcess, which calls this method, and owns the handle, so
- // everything is safe. If that changes, we should break this dependency and
- // duplicate the handle instead.
- // target_process_id: process id of the target process.
- // thread_provider: a thread provider object.
- // dispatcher: an object that can service IPC calls.
- SharedMemIPCServer(HANDLE target_process, DWORD target_process_id,
- ThreadProvider* thread_provider, Dispatcher* dispatcher);
-
- ~SharedMemIPCServer();
-
- // Initializes the server structures, shared memory structures and
- // creates the kernels events used to signal the IPC.
- bool Init(void* shared_mem, uint32_t shared_size, uint32_t channel_size);
-
- private:
- // Allow tests to be marked DISABLED_. Note that FLAKY_ and FAILS_ prefixes
- // do not work with sandbox tests.
- FRIEND_TEST_ALL_PREFIXES(IPCTest, SharedMemServerTests);
- // When an event fires (IPC request). A thread from the ThreadProvider
- // will call this function. The context parameter should be the same as
- // provided when ThreadProvider::RegisterWait was called.
- static void __stdcall ThreadPingEventReady(void* context,
- unsigned char);
-
- // Makes the client and server events. This function is called once
- // per channel.
- bool MakeEvents(base::win::ScopedHandle* server_ping,
- base::win::ScopedHandle* server_pong,
- HANDLE* client_ping, HANDLE* client_pong);
-
- // A copy this structure is maintained per channel.
- // Note that a lot of the fields are just the same of what we have in the IPC
- // object itself. It is better to have the copies since we can dispatch in the
- // static method without worrying about converting back to a member function
- // call or about threading issues.
- struct ServerControl {
- ServerControl();
- ~ServerControl();
-
- // This channel server ping event.
- base::win::ScopedHandle ping_event;
- // This channel server pong event.
- base::win::ScopedHandle pong_event;
- // The size of this channel.
- uint32_t channel_size;
- // The pointer to the actual channel data.
- char* channel_buffer;
- // The pointer to the base of the shared memory.
- char* shared_base;
- // A pointer to this channel's client-side control structure this structure
- // lives in the shared memory.
- ChannelControl* channel;
- // the IPC dispatcher associated with this channel.
- Dispatcher* dispatcher;
- // The target process information associated with this channel.
- ClientInfo target_info;
- };
-
- // Looks for the appropriate handler for this IPC and invokes it.
- static bool InvokeCallback(const ServerControl* service_context,
- void* ipc_buffer, CrossCallReturn* call_result);
-
- // Points to the shared memory channel control which lives at
- // the start of the shared section.
- IPCControl* client_control_;
-
- // Keeps track of the server side objects that are used to answer an IPC.
- typedef std::list<ServerControl*> ServerContexts;
- ServerContexts server_contexts_;
-
- // The thread provider provides the threads that call back into this object
- // when the IPC events fire.
- ThreadProvider* thread_provider_;
-
- // The IPC object is associated with a target process.
- HANDLE target_process_;
-
- // The target process id associated with the IPC object.
- DWORD target_process_id_;
-
- // The dispatcher handles 'ready' IPC calls.
- Dispatcher* call_dispatcher_;
-
- DISALLOW_COPY_AND_ASSIGN(SharedMemIPCServer);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SHAREDMEM_IPC_SERVER_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/sid.cc b/security/sandbox/chromium/sandbox/win/src/sid.cc
deleted file mode 100644
index 19c645bf6..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sid.cc
+++ /dev/null
@@ -1,26 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sid.h"
-
-#include "base/logging.h"
-
-namespace sandbox {
-
-Sid::Sid(const SID *sid) {
- ::CopySid(SECURITY_MAX_SID_SIZE, sid_, const_cast<SID*>(sid));
-};
-
-Sid::Sid(WELL_KNOWN_SID_TYPE type) {
- DWORD size_sid = SECURITY_MAX_SID_SIZE;
- BOOL result = ::CreateWellKnownSid(type, NULL, sid_, &size_sid);
- DCHECK(result);
- (void)result;
-}
-
-const SID *Sid::GetPSID() const {
- return reinterpret_cast<SID*>(const_cast<BYTE*>(sid_));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sid.h b/security/sandbox/chromium/sandbox/win/src/sid.h
deleted file mode 100644
index 4656859be..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sid.h
+++ /dev/null
@@ -1,29 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SID_H_
-#define SANDBOX_SRC_SID_H_
-
-#include <windows.h>
-
-namespace sandbox {
-
-// This class is used to hold and generate SIDS.
-class Sid {
- public:
- // Constructors initializing the object with the SID passed.
- // This is a converting constructor. It is not explicit.
- Sid(const SID *sid);
- Sid(WELL_KNOWN_SID_TYPE type);
-
- // Returns sid_.
- const SID *GetPSID() const;
-
- private:
- BYTE sid_[SECURITY_MAX_SID_SIZE];
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SID_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/sid_unittest.cc b/security/sandbox/chromium/sandbox/win/src/sid_unittest.cc
deleted file mode 100644
index 76d61e82f..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sid_unittest.cc
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// This file contains unit tests for the sid class.
-
-#define _ATL_NO_EXCEPTIONS
-#include <atlbase.h>
-#include <atlsecurity.h>
-
-#include "sandbox/win/src/sid.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-// Calls ::EqualSid. This function exists only to simplify the calls to
-// ::EqualSid by removing the need to cast the input params.
-BOOL EqualSid(const SID *sid1, const SID *sid2) {
- return ::EqualSid(const_cast<SID*>(sid1), const_cast<SID*>(sid2));
-}
-
-// Tests the creation if a Sid
-TEST(SidTest, Constructors) {
- ATL::CSid sid_world = ATL::Sids::World();
- SID *sid_world_pointer = const_cast<SID*>(sid_world.GetPSID());
-
- // Check the SID* constructor
- Sid sid_sid_star(sid_world_pointer);
- ASSERT_TRUE(EqualSid(sid_world_pointer, sid_sid_star.GetPSID()));
-
- // Check the copy constructor
- Sid sid_copy(sid_sid_star);
- ASSERT_TRUE(EqualSid(sid_world_pointer, sid_copy.GetPSID()));
-
- // Note that the WELL_KNOWN_SID_TYPE constructor is tested in the GetPSID
- // test.
-}
-
-// Tests the method GetPSID
-TEST(SidTest, GetPSID) {
- // Check for non-null result;
- ASSERT_NE(static_cast<SID*>(NULL), Sid(::WinLocalSid).GetPSID());
- ASSERT_NE(static_cast<SID*>(NULL), Sid(::WinCreatorOwnerSid).GetPSID());
- ASSERT_NE(static_cast<SID*>(NULL), Sid(::WinBatchSid).GetPSID());
-
- ASSERT_TRUE(EqualSid(Sid(::WinNullSid).GetPSID(),
- ATL::Sids::Null().GetPSID()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinWorldSid).GetPSID(),
- ATL::Sids::World().GetPSID()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinDialupSid).GetPSID(),
- ATL::Sids::Dialup().GetPSID()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinNetworkSid).GetPSID(),
- ATL::Sids::Network().GetPSID()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinBuiltinAdministratorsSid).GetPSID(),
- ATL::Sids::Admins().GetPSID()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinBuiltinUsersSid).GetPSID(),
- ATL::Sids::Users().GetPSID()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinBuiltinGuestsSid).GetPSID(),
- ATL::Sids::Guests().GetPSID()));
-
- ASSERT_TRUE(EqualSid(Sid(::WinProxySid).GetPSID(),
- ATL::Sids::Proxy().GetPSID()));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sidestep/ia32_modrm_map.cpp b/security/sandbox/chromium/sandbox/win/src/sidestep/ia32_modrm_map.cpp
deleted file mode 100644
index 89bc1895e..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sidestep/ia32_modrm_map.cpp
+++ /dev/null
@@ -1,92 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Table of relevant information about how to decode the ModR/M byte.
-// Based on information in the IA-32 Intel Architecture
-// Software Developer's Manual Volume 2: Instruction Set Reference.
-
-#include "sandbox/win/src/sidestep/mini_disassembler.h"
-#include "sandbox/win/src/sidestep/mini_disassembler_types.h"
-
-namespace sidestep {
-
-const ModrmEntry MiniDisassembler::s_ia16_modrm_map_[] = {
-// mod == 00
- /* r/m == 000 */ { false, false, OS_ZERO },
- /* r/m == 001 */ { false, false, OS_ZERO },
- /* r/m == 010 */ { false, false, OS_ZERO },
- /* r/m == 011 */ { false, false, OS_ZERO },
- /* r/m == 100 */ { false, false, OS_ZERO },
- /* r/m == 101 */ { false, false, OS_ZERO },
- /* r/m == 110 */ { true, false, OS_WORD },
- /* r/m == 111 */ { false, false, OS_ZERO },
-// mod == 01
- /* r/m == 000 */ { true, false, OS_BYTE },
- /* r/m == 001 */ { true, false, OS_BYTE },
- /* r/m == 010 */ { true, false, OS_BYTE },
- /* r/m == 011 */ { true, false, OS_BYTE },
- /* r/m == 100 */ { true, false, OS_BYTE },
- /* r/m == 101 */ { true, false, OS_BYTE },
- /* r/m == 110 */ { true, false, OS_BYTE },
- /* r/m == 111 */ { true, false, OS_BYTE },
-// mod == 10
- /* r/m == 000 */ { true, false, OS_WORD },
- /* r/m == 001 */ { true, false, OS_WORD },
- /* r/m == 010 */ { true, false, OS_WORD },
- /* r/m == 011 */ { true, false, OS_WORD },
- /* r/m == 100 */ { true, false, OS_WORD },
- /* r/m == 101 */ { true, false, OS_WORD },
- /* r/m == 110 */ { true, false, OS_WORD },
- /* r/m == 111 */ { true, false, OS_WORD },
-// mod == 11
- /* r/m == 000 */ { false, false, OS_ZERO },
- /* r/m == 001 */ { false, false, OS_ZERO },
- /* r/m == 010 */ { false, false, OS_ZERO },
- /* r/m == 011 */ { false, false, OS_ZERO },
- /* r/m == 100 */ { false, false, OS_ZERO },
- /* r/m == 101 */ { false, false, OS_ZERO },
- /* r/m == 110 */ { false, false, OS_ZERO },
- /* r/m == 111 */ { false, false, OS_ZERO }
-};
-
-const ModrmEntry MiniDisassembler::s_ia32_modrm_map_[] = {
-// mod == 00
- /* r/m == 000 */ { false, false, OS_ZERO },
- /* r/m == 001 */ { false, false, OS_ZERO },
- /* r/m == 010 */ { false, false, OS_ZERO },
- /* r/m == 011 */ { false, false, OS_ZERO },
- /* r/m == 100 */ { false, true, OS_ZERO },
- /* r/m == 101 */ { true, false, OS_DOUBLE_WORD },
- /* r/m == 110 */ { false, false, OS_ZERO },
- /* r/m == 111 */ { false, false, OS_ZERO },
-// mod == 01
- /* r/m == 000 */ { true, false, OS_BYTE },
- /* r/m == 001 */ { true, false, OS_BYTE },
- /* r/m == 010 */ { true, false, OS_BYTE },
- /* r/m == 011 */ { true, false, OS_BYTE },
- /* r/m == 100 */ { true, true, OS_BYTE },
- /* r/m == 101 */ { true, false, OS_BYTE },
- /* r/m == 110 */ { true, false, OS_BYTE },
- /* r/m == 111 */ { true, false, OS_BYTE },
-// mod == 10
- /* r/m == 000 */ { true, false, OS_DOUBLE_WORD },
- /* r/m == 001 */ { true, false, OS_DOUBLE_WORD },
- /* r/m == 010 */ { true, false, OS_DOUBLE_WORD },
- /* r/m == 011 */ { true, false, OS_DOUBLE_WORD },
- /* r/m == 100 */ { true, true, OS_DOUBLE_WORD },
- /* r/m == 101 */ { true, false, OS_DOUBLE_WORD },
- /* r/m == 110 */ { true, false, OS_DOUBLE_WORD },
- /* r/m == 111 */ { true, false, OS_DOUBLE_WORD },
-// mod == 11
- /* r/m == 000 */ { false, false, OS_ZERO },
- /* r/m == 001 */ { false, false, OS_ZERO },
- /* r/m == 010 */ { false, false, OS_ZERO },
- /* r/m == 011 */ { false, false, OS_ZERO },
- /* r/m == 100 */ { false, false, OS_ZERO },
- /* r/m == 101 */ { false, false, OS_ZERO },
- /* r/m == 110 */ { false, false, OS_ZERO },
- /* r/m == 111 */ { false, false, OS_ZERO },
-};
-
-}; // namespace sidestep
diff --git a/security/sandbox/chromium/sandbox/win/src/sidestep/ia32_opcode_map.cpp b/security/sandbox/chromium/sandbox/win/src/sidestep/ia32_opcode_map.cpp
deleted file mode 100644
index b7d8a60bc..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sidestep/ia32_opcode_map.cpp
+++ /dev/null
@@ -1,1159 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Opcode decoding maps. Based on the IA-32 Intel Architecture
-// Software Developer's Manual Volume 2: Instruction Set Reference. Idea
-// for how to lay out the tables in memory taken from the implementation
-// in the Bastard disassembly environment.
-
-#include "sandbox/win/src/sidestep/mini_disassembler.h"
-
-namespace sidestep {
-
-/*
-* This is the first table to be searched; the first field of each
-* Opcode in the table is either 0 to indicate you're in the
-* right table, or an index to the correct table, in the global
-* map g_pentiumOpcodeMap
-*/
-const Opcode s_first_opcode_byte[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_G | OT_B, AM_E | OT_B, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA */ { 0, IT_GENERIC, AM_G | OT_B, AM_E | OT_B, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF */ { 1, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x10 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x11 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x12 */ { 0, IT_GENERIC, AM_G | OT_B, AM_E | OT_B, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x13 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x14 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x15 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x16 */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x17 */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x18 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x19 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1A */ { 0, IT_GENERIC, AM_G | OT_B, AM_E | OT_B, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1B */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1C */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1D */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1E */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1F */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x20 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x21 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x22 */ { 0, IT_GENERIC, AM_G | OT_B, AM_E | OT_B, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x23 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x24 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x25 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x26 */ { 0, IT_PREFIX, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x27 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "daa", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x28 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x29 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2A */ { 0, IT_GENERIC, AM_G | OT_B, AM_E | OT_B, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2B */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2C */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2D */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2E */ { 0, IT_PREFIX, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2F */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "das", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x30 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x31 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x32 */ { 0, IT_GENERIC, AM_G | OT_B, AM_E | OT_B, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x33 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x34 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x35 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x36 */ { 0, IT_PREFIX, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x37 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "aaa", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x38 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x39 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3A */ { 0, IT_GENERIC, AM_G | OT_B, AM_E | OT_B, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3B */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3C */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3D */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3E */ { 0, IT_PREFIX, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3F */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "aas", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x40 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x41 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x42 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x43 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x44 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x45 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x46 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x47 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x48 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x49 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4A */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4B */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4C */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4D */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4E */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4F */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x50 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x51 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x52 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x53 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x54 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x55 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x56 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x57 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x58 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x59 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5A */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5B */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5C */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5D */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5E */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5F */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x60 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "pushad", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x61 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "popad", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x62 */ { 0, IT_GENERIC, AM_G | OT_V, AM_M | OT_A, AM_NOT_USED, "bound", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x63 */ { 0, IT_GENERIC, AM_E | OT_W, AM_G | OT_W, AM_NOT_USED, "arpl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x64 */ { 0, IT_PREFIX, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x65 */ { 0, IT_PREFIX, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x66 */ { 0, IT_PREFIX_OPERAND, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x67 */ { 0, IT_PREFIX_ADDRESS, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x68 */ { 0, IT_GENERIC, AM_I | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x69 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_I | OT_V, "imul", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6A */ { 0, IT_GENERIC, AM_I | OT_B, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6B */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_I | OT_B, "imul", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6C */ { 0, IT_GENERIC, AM_Y | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "insb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6D */ { 0, IT_GENERIC, AM_Y | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "insd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6E */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_X | OT_B, AM_NOT_USED, "outsb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6F */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_X | OT_V, AM_NOT_USED, "outsb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x70 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jo", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x71 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jno", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x72 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x73 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jnc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x74 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x75 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jnz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x76 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jbe", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x77 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "ja", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x78 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "js", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x79 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jns", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7A */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jpe", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7B */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jpo", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7C */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7D */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jge", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7E */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jle", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7F */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x80 */ { 2, IT_REFERENCE, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x81 */ { 3, IT_REFERENCE, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x82 */ { 4, IT_REFERENCE, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x83 */ { 5, IT_REFERENCE, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x84 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "test", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x85 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "test", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x86 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "xchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x87 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "xchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x88 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x89 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8A */ { 0, IT_GENERIC, AM_G | OT_B, AM_E | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8B */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8C */ { 0, IT_GENERIC, AM_E | OT_W, AM_S | OT_W, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8D */ { 0, IT_GENERIC, AM_G | OT_V, AM_M | OT_ADDRESS_MODE_M, AM_NOT_USED, "lea", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8E */ { 0, IT_GENERIC, AM_S | OT_W, AM_E | OT_W, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8F */ { 0, IT_GENERIC, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x90 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "nop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x91 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "xchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x92 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "xchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x93 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "xchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x94 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "xchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x95 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "xchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x96 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "xchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x97 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "xchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x98 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "cwde", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x99 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "cdq", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9A */ { 0, IT_JUMP, AM_A | OT_P, AM_NOT_USED, AM_NOT_USED, "callf", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9B */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "wait", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9C */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "pushfd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9D */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "popfd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9E */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "sahf", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9F */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "lahf", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA0 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_O | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA1 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_O | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA2 */ { 0, IT_GENERIC, AM_O | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA3 */ { 0, IT_GENERIC, AM_O | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA4 */ { 0, IT_GENERIC, AM_X | OT_B, AM_Y | OT_B, AM_NOT_USED, "movsb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA5 */ { 0, IT_GENERIC, AM_X | OT_V, AM_Y | OT_V, AM_NOT_USED, "movsd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA6 */ { 0, IT_GENERIC, AM_X | OT_B, AM_Y | OT_B, AM_NOT_USED, "cmpsb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA7 */ { 0, IT_GENERIC, AM_X | OT_V, AM_Y | OT_V, AM_NOT_USED, "cmpsd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA8 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "test", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA9 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "test", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAA */ { 0, IT_GENERIC, AM_Y | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "stosb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAB */ { 0, IT_GENERIC, AM_Y | OT_V, AM_REGISTER | OT_V, AM_NOT_USED, "stosd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAC */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_X| OT_B, AM_NOT_USED, "lodsb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAD */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_X| OT_V, AM_NOT_USED, "lodsd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAE */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_Y | OT_B, AM_NOT_USED, "scasb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAF */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_Y | OT_V, AM_NOT_USED, "scasd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB0 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB1 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB2 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB3 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB4 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB5 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB6 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB7 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB8 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB9 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBA */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBB */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBC */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBD */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBE */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBF */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_I | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC0 */ { 6, IT_REFERENCE, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC1 */ { 7, IT_REFERENCE, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC2 */ { 0, IT_RETURN, AM_I | OT_W, AM_NOT_USED, AM_NOT_USED, "ret", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC3 */ { 0, IT_RETURN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "ret", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC4 */ { 0, IT_GENERIC, AM_G | OT_V, AM_M | OT_P, AM_NOT_USED, "les", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC5 */ { 0, IT_GENERIC, AM_G | OT_V, AM_M | OT_P, AM_NOT_USED, "lds", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC6 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC7 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC8 */ { 0, IT_GENERIC, AM_I | OT_W, AM_I | OT_B, AM_NOT_USED, "enter", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC9 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "leave", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCA */ { 0, IT_RETURN, AM_I | OT_W, AM_NOT_USED, AM_NOT_USED, "retf", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCB */ { 0, IT_RETURN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "retf", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCC */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "int3", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCD */ { 0, IT_GENERIC, AM_I | OT_B, AM_NOT_USED, AM_NOT_USED, "int", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCE */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "into", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCF */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "iret", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD0 */ { 8, IT_REFERENCE, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD1 */ { 9, IT_REFERENCE, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD2 */ { 10, IT_REFERENCE, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD3 */ { 11, IT_REFERENCE, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD4 */ { 0, IT_GENERIC, AM_I | OT_B, AM_NOT_USED, AM_NOT_USED, "aam", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD5 */ { 0, IT_GENERIC, AM_I | OT_B, AM_NOT_USED, AM_NOT_USED, "aad", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD6 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD7 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "xlat", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
-
- // The following 8 lines would be references to the FPU tables, but we currently
- // do not support the FPU instructions in this disassembler.
-
- /* 0xD8 */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD9 */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xDA */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xDB */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xDC */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xDD */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xDE */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xDF */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
-
-
- /* 0xE0 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "loopnz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE1 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "loopz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE2 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "loop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE3 */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jcxz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE4 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "in", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE5 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_I | OT_B, AM_NOT_USED, "in", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE6 */ { 0, IT_GENERIC, AM_I | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "out", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE7 */ { 0, IT_GENERIC, AM_I | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "out", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE8 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "call", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE9 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xEA */ { 0, IT_JUMP, AM_A | OT_P, AM_NOT_USED, AM_NOT_USED, "jmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xEB */ { 0, IT_JUMP, AM_J | OT_B, AM_NOT_USED, AM_NOT_USED, "jmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xEC */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_REGISTER | OT_W, AM_NOT_USED, "in", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xED */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_REGISTER | OT_W, AM_NOT_USED, "in", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xEE */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_REGISTER | OT_B, AM_NOT_USED, "out", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xEF */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_REGISTER | OT_V, AM_NOT_USED, "out", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF0 */ { 0, IT_PREFIX, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "lock:", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF1 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF2 */ { 0, IT_PREFIX, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "repne:", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF3 */ { 0, IT_PREFIX, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "rep:", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF4 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "hlt", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF5 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "cmc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF6 */ { 12, IT_REFERENCE, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF7 */ { 13, IT_REFERENCE, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF8 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "clc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF9 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "stc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xFA */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "cli", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xFB */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "sti", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xFC */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "cld", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xFD */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "std", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xFE */ { 14, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xFF */ { 15, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_0f[] = {
- /* 0x0 */ { 16, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 17, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_W, AM_NOT_USED, "lar", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_W, AM_NOT_USED, "lsl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "clts", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "invd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "wbinvd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "ud2", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xE */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x10 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "movups", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "movsd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "movss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "movupd" } },
- /* 0x11 */ { 0, IT_GENERIC, AM_W | OT_PS, AM_V | OT_PS, AM_NOT_USED, "movups", true,
- /* F2h */ { 0, IT_GENERIC, AM_W | OT_SD, AM_V | OT_SD, AM_NOT_USED, "movsd" },
- /* F3h */ { 0, IT_GENERIC, AM_W | OT_SS, AM_V | OT_SS, AM_NOT_USED, "movss" },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_PD, AM_V | OT_PD, AM_NOT_USED, "movupd" } },
- /* 0x12 */ { 0, IT_GENERIC, AM_W | OT_Q, AM_V | OT_Q, AM_NOT_USED, "movlps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_Q, AM_V | OT_Q, AM_NOT_USED, "movhlps" }, // only one of ...
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_Q, AM_V | OT_Q, AM_NOT_USED, "movhlps" }, // ...these two is correct, Intel doesn't specify which
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_Q, AM_W | OT_S, AM_NOT_USED, "movlpd" } },
- /* 0x13 */ { 0, IT_GENERIC, AM_V | OT_Q, AM_W | OT_Q, AM_NOT_USED, "movlps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_Q, AM_W | OT_Q, AM_NOT_USED, "movlpd" } },
- /* 0x14 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_Q, AM_NOT_USED, "unpcklps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_Q, AM_NOT_USED, "unpcklpd" } },
- /* 0x15 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_Q, AM_NOT_USED, "unpckhps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_Q, AM_NOT_USED, "unpckhpd" } },
- /* 0x16 */ { 0, IT_GENERIC, AM_V | OT_Q, AM_W | OT_Q, AM_NOT_USED, "movhps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_Q, AM_V | OT_Q, AM_NOT_USED, "movlhps" }, // only one of...
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_Q, AM_V | OT_Q, AM_NOT_USED, "movlhps" }, // ...these two is correct, Intel doesn't specify which
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_Q, AM_W | OT_Q, AM_NOT_USED, "movhpd" } },
- /* 0x17 */ { 0, IT_GENERIC, AM_W | OT_Q, AM_V | OT_Q, AM_NOT_USED, "movhps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_Q, AM_V | OT_Q, AM_NOT_USED, "movhpd" } },
- /* 0x18 */ { 18, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x19 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1A */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1B */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1C */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1D */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1E */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1F */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x20 */ { 0, IT_GENERIC, AM_R | OT_D, AM_C | OT_D, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x21 */ { 0, IT_GENERIC, AM_R | OT_D, AM_D | OT_D, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x22 */ { 0, IT_GENERIC, AM_C | OT_D, AM_R | OT_D, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x23 */ { 0, IT_GENERIC, AM_D | OT_D, AM_R | OT_D, AM_NOT_USED, "mov", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x24 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x25 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x26 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x27 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x28 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "movaps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "movapd" } },
- /* 0x29 */ { 0, IT_GENERIC, AM_W | OT_PS, AM_V | OT_PS, AM_NOT_USED, "movaps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_PD, AM_V | OT_PD, AM_NOT_USED, "movapd" } },
- /* 0x2A */ { 0, IT_GENERIC, AM_V | OT_PS, AM_Q | OT_Q, AM_NOT_USED, "cvtpi2ps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_E | OT_D, AM_NOT_USED, "cvtsi2sd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_E | OT_D, AM_NOT_USED, "cvtsi2ss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_Q | OT_DQ, AM_NOT_USED, "cvtpi2pd" } },
- /* 0x2B */ { 0, IT_GENERIC, AM_W | OT_PS, AM_V | OT_PS, AM_NOT_USED, "movntps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_PD, AM_V | OT_PD, AM_NOT_USED, "movntpd" } },
- /* 0x2C */ { 0, IT_GENERIC, AM_Q | OT_Q, AM_W | OT_PS, AM_NOT_USED, "cvttps2pi", true,
- /* F2h */ { 0, IT_GENERIC, AM_G | OT_D, AM_W | OT_SD, AM_NOT_USED, "cvttsd2si" },
- /* F3h */ { 0, IT_GENERIC, AM_G | OT_D, AM_W | OT_SS, AM_NOT_USED, "cvttss2si" },
- /* 66h */ { 0, IT_GENERIC, AM_Q | OT_DQ, AM_W | OT_PD, AM_NOT_USED, "cvttpd2pi" } },
- /* 0x2D */ { 0, IT_GENERIC, AM_Q | OT_Q, AM_W | OT_PS, AM_NOT_USED, "cvtps2pi", true,
- /* F2h */ { 0, IT_GENERIC, AM_G | OT_D, AM_W | OT_SD, AM_NOT_USED, "cvtsd2si" },
- /* F3h */ { 0, IT_GENERIC, AM_G | OT_D, AM_W | OT_SS, AM_NOT_USED, "cvtss2si" },
- /* 66h */ { 0, IT_GENERIC, AM_Q | OT_DQ, AM_W | OT_PD, AM_NOT_USED, "cvtpd2pi" } },
- /* 0x2E */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "ucomiss", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "ucomisd" } },
- /* 0x2F */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_SS, AM_NOT_USED, "comiss", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "comisd" } },
- /* 0x30 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "wrmsr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x31 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "rdtsc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x32 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "rdmsr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x33 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "rdpmc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x34 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "sysenter", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x35 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "sysexit", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x36 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x37 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x38 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x39 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3A */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3B */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3C */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "movnti", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3D */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3E */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3F */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x40 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovo", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x41 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovno", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x42 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x43 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovnc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x44 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x45 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovnz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x46 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovbe", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x47 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmova", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x48 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovs", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x49 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovns", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4A */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovpe", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4B */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovpo", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4C */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4D */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovge", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4E */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovle", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4F */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "cmovg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x50 */ { 0, IT_GENERIC, AM_E | OT_D, AM_V | OT_PS, AM_NOT_USED, "movmskps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_E | OT_D, AM_V | OT_PD, AM_NOT_USED, "movmskpd" } },
- /* 0x51 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "sqrtps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "sqrtsd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "sqrtss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "sqrtpd" } },
- /* 0x52 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "rsqrtps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "rsqrtss" },
- /* 66h */ { 0 } },
- /* 0x53 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "rcpps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "rcpss" },
- /* 66h */ { 0 } },
- /* 0x54 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "andps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "andpd" } },
- /* 0x55 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "andnps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "andnpd" } },
- /* 0x56 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "orps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "orpd" } },
- /* 0x57 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "xorps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "xorpd" } },
- /* 0x58 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "addps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "addsd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "addss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "addpd" } },
- /* 0x59 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "mulps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "mulsd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "mulss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "mulpd" } },
- /* 0x5A */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PS, AM_NOT_USED, "cvtps2pd", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "cvtsd2ss" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "cvtss2sd" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PD, AM_NOT_USED, "cvtpd2ps" } },
- /* 0x5B */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_DQ, AM_NOT_USED, "cvtdq2ps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_PS, AM_NOT_USED, "cvttps2dq" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_PS, AM_NOT_USED, "cvtps2dq" } },
- /* 0x5C */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "subps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "subsd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "subss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "subpd" } },
- /* 0x5D */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "minps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "minsd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "minss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "minpd" } },
- /* 0x5E */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "divps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "divsd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "divss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "divpd" } },
- /* 0x5F */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_NOT_USED, "maxps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_NOT_USED, "maxsd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_NOT_USED, "maxss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_NOT_USED, "maxpd" } },
- /* 0x60 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "punpcklbw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "punpcklbw" } },
- /* 0x61 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "punpcklwd", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "punpcklwd" } },
- /* 0x62 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "punpckldq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "punpckldq" } },
- /* 0x63 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "packsswb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "packsswb" } },
- /* 0x64 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "pcmpgtb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pcmpgtb" } },
- /* 0x65 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "pcmpgtw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pcmpgtw" } },
- /* 0x66 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "pcmpgtd", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pcmpgtd" } },
- /* 0x67 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "packuswb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "packuswb" } },
- /* 0x68 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "punpckhbw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_P | OT_DQ, AM_Q | OT_DQ, AM_NOT_USED, "punpckhbw" } },
- /* 0x69 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "punpckhwd", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_P | OT_DQ, AM_Q | OT_DQ, AM_NOT_USED, "punpckhwd" } },
- /* 0x6A */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "punpckhdq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_P | OT_DQ, AM_Q | OT_DQ, AM_NOT_USED, "punpckhdq" } },
- /* 0x6B */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "packssdw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_P | OT_DQ, AM_Q | OT_DQ, AM_NOT_USED, "packssdw" } },
- /* 0x6C */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "not used without prefix", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "punpcklqdq" } },
- /* 0x6D */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "not used without prefix", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "punpcklqdq" } },
- /* 0x6E */ { 0, IT_GENERIC, AM_P | OT_D, AM_E | OT_D, AM_NOT_USED, "movd", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_E | OT_D, AM_NOT_USED, "movd" } },
- /* 0x6F */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_D, AM_NOT_USED, "movq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "movdqu" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "movdqa" } },
- /* 0x70 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_I | OT_B, "pshuf", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_I | OT_B, "pshuflw" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_I | OT_B, "pshufhw" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_I | OT_B, "pshufd" } },
- /* 0x71 */ { 19, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x72 */ { 20, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x73 */ { 21, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x74 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pcmpeqb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pcmpeqb" } },
- /* 0x75 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pcmpeqw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pcmpeqw" } },
- /* 0x76 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pcmpeqd", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pcmpeqd" } },
- /* 0x77 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "emms", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
-
- // The following six opcodes are escapes into the MMX stuff, which this disassembler does not support.
- /* 0x78 */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x79 */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7A */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7B */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7C */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7D */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
-
- /* 0x7E */ { 0, IT_GENERIC, AM_E | OT_D, AM_P | OT_D, AM_NOT_USED, "movd", true,
- /* F2h */ { 0 },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_Q, AM_W | OT_Q, AM_NOT_USED, "movq" },
- /* 66h */ { 0, IT_GENERIC, AM_E | OT_D, AM_V | OT_DQ, AM_NOT_USED, "movd" } },
- /* 0x7F */ { 0, IT_GENERIC, AM_Q | OT_Q, AM_P | OT_Q, AM_NOT_USED, "movq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_V | OT_DQ, AM_NOT_USED, "movdqu" },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_V | OT_DQ, AM_NOT_USED, "movdqa" } },
- /* 0x80 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jo", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x81 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jno", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x82 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x83 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jnc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x84 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x85 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jnz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x86 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jbe", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x87 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "ja", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x88 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "js", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x89 */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jns", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8A */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jpe", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8B */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jpo", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8C */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8D */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jge", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8E */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jle", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x8F */ { 0, IT_JUMP, AM_J | OT_V, AM_NOT_USED, AM_NOT_USED, "jg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x90 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "seto", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x91 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setno", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x92 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x93 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setnc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x94 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x95 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setnz", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x96 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setbe", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x97 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "seta", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x98 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "sets", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x99 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setns", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9A */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setpe", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9B */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setpo", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9C */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9D */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setge", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9E */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setle", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x9F */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "setg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA0 */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA1 */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA2 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "cpuid", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA3 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "bt", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA4 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_I | OT_B, "shld", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA5 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_I | OT_B | AM_REGISTER, "shld", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA6 */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA7 */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA8 */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xA9 */ { 0, IT_GENERIC, AM_REGISTER | OT_W, AM_NOT_USED, AM_NOT_USED, "pop", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAA */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "rsm", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAB */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "bts", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAC */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_I | OT_B, "shrd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAD */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_I | OT_B | AM_REGISTER, "shrd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAE */ { 22, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xAF */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "imul", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB0 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "cmpxchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "cmpxchg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB2 */ { 0, IT_GENERIC, AM_M | OT_P, AM_NOT_USED, AM_NOT_USED, "lss", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB3 */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "btr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB4 */ { 0, IT_GENERIC, AM_M | OT_P, AM_NOT_USED, AM_NOT_USED, "lfs", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB5 */ { 0, IT_GENERIC, AM_M | OT_P, AM_NOT_USED, AM_NOT_USED, "lgs", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB6 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_B, AM_NOT_USED, "movzx", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB7 */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_W, AM_NOT_USED, "movzx", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB8 */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xB9 */ { 0, IT_UNKNOWN, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "ud1", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBA */ { 23, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBB */ { 0, IT_GENERIC, AM_E | OT_V, AM_G | OT_V, AM_NOT_USED, "btc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBC */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "bsf", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBD */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_V, AM_NOT_USED, "bsr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBE */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_B, AM_NOT_USED, "movsx", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xBF */ { 0, IT_GENERIC, AM_G | OT_V, AM_E | OT_W, AM_NOT_USED, "movsx", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC0 */ { 0, IT_GENERIC, AM_E | OT_B, AM_G | OT_B, AM_NOT_USED, "xadd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, "xadd", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC2 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_I | OT_B, "cmpps", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_SD, AM_W | OT_SD, AM_I | OT_B, "cmpsd" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_SS, AM_W | OT_SS, AM_I | OT_B, "cmpss" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_I | OT_B, "cmppd" } },
- /* 0xC3 */ { 0, IT_GENERIC, AM_E | OT_D, AM_G | OT_D, AM_NOT_USED, "movnti", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC4 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_E | OT_D, AM_I | OT_B, "pinsrw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_E | OT_D, AM_I | OT_B, "pinsrw" } },
- /* 0xC5 */ { 0, IT_GENERIC, AM_G | OT_D, AM_P | OT_Q, AM_I | OT_B, "pextrw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_G | OT_D, AM_V | OT_DQ, AM_I | OT_B, "pextrw" } },
- /* 0xC6 */ { 0, IT_GENERIC, AM_V | OT_PS, AM_W | OT_PS, AM_I | OT_B, "shufps", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_PD, AM_I | OT_B, "shufpd" } },
- /* 0xC7 */ { 24, IT_REFERENCE, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC8 */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "bswap", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xC9 */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "bswap", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCA */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "bswap", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCB */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "bswap", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCC */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "bswap", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCD */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "bswap", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCE */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "bswap", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xCF */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "bswap", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD0 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xD1 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psrlw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psrlw" } },
- /* 0xD2 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psrld", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psrld" } },
- /* 0xD3 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psrlq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psrlq" } },
- /* 0xD4 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "paddq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "paddq" } },
- /* 0xD5 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pmullw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pmullw" } },
- /* 0xD6 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "unused without prefix", true,
- /* F2h */ { 0, IT_GENERIC, AM_P | OT_Q, AM_W | OT_Q, AM_NOT_USED, "movdq2q" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_Q | OT_Q, AM_NOT_USED, "movq2dq" },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_Q, AM_V | OT_Q, AM_NOT_USED, "movq" } },
- /* 0xD7 */ { 0, IT_GENERIC, AM_G | OT_D, AM_P | OT_Q, AM_NOT_USED, "pmovmskb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_G | OT_D, AM_V | OT_DQ, AM_NOT_USED, "pmovmskb" } },
- /* 0xD8 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psubusb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psubusb" } },
- /* 0xD9 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psubusw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psubusw" } },
- /* 0xDA */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pminub", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pminub" } },
- /* 0xDB */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pand", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pand" } },
- /* 0xDC */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "paddusb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "paddusb" } },
- /* 0xDD */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "paddusw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "paddusw" } },
- /* 0xDE */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pmaxub", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pmaxub" } },
- /* 0xDF */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pandn", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pandn" } },
- /* 0xE0 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pavgb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pavgb" } },
- /* 0xE1 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psraw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psrqw" } },
- /* 0xE2 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psrad", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psrad" } },
- /* 0xE3 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pavgw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pavgw" } },
- /* 0xE4 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pmulhuw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pmulhuw" } },
- /* 0xE5 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pmulhuw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pmulhw" } },
- /* 0xE6 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "not used without prefix", true,
- /* F2h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_PD, AM_NOT_USED, "cvtpd2dq" },
- /* F3h */ { 0, IT_GENERIC, AM_V | OT_PD, AM_W | OT_DQ, AM_NOT_USED, "cvtdq2pd" },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_PD, AM_NOT_USED, "cvttpd2dq" } },
- /* 0xE7 */ { 0, IT_GENERIC, AM_W | OT_Q, AM_V | OT_Q, AM_NOT_USED, "movntq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_V | OT_DQ, AM_NOT_USED, "movntdq" } },
- /* 0xE8 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psubsb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psubsb" } },
- /* 0xE9 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psubsw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psubsw" } },
- /* 0xEA */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pminsw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pminsw" } },
- /* 0xEB */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "por", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "por" } },
- /* 0xEC */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "paddsb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "paddsb" } },
- /* 0xED */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "paddsw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "paddsw" } },
- /* 0xEE */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pmaxsw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pmaxsw" } },
- /* 0xEF */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pxor", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pxor" } },
- /* 0xF0 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0xF1 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psllw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psllw" } },
- /* 0xF2 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pslld", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pslld" } },
- /* 0xF3 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psllq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psllq" } },
- /* 0xF4 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pmuludq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pmuludq" } },
- /* 0xF5 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "pmaddwd", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "pmaddwd" } },
- /* 0xF6 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psadbw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psadbw" } },
- /* 0xF7 */ { 0, IT_GENERIC, AM_P | OT_PI, AM_Q | OT_PI, AM_NOT_USED, "maskmovq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "maskmovdqu" } },
- /* 0xF8 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psubb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psubb" } },
- /* 0xF9 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psubw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psubw" } },
- /* 0xFA */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psubd", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psubd" } },
- /* 0xFB */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "psubq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "psubq" } },
- /* 0xFC */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "paddb", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "paddb" } },
- /* 0xFD */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "paddw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "paddw" } },
- /* 0xFE */ { 0, IT_GENERIC, AM_P | OT_Q, AM_Q | OT_Q, AM_NOT_USED, "paddd", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_V | OT_DQ, AM_W | OT_DQ, AM_NOT_USED, "paddd" } },
- /* 0xFF */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_0f00[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_W, AM_NOT_USED, AM_NOT_USED, "sldt", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_W, AM_NOT_USED, AM_NOT_USED, "str", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_W, AM_NOT_USED, AM_NOT_USED, "lldt", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_W, AM_NOT_USED, AM_NOT_USED, "ltr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_W, AM_NOT_USED, AM_NOT_USED, "verr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_W, AM_NOT_USED, AM_NOT_USED, "verw", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_0f01[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_M | OT_S, AM_NOT_USED, AM_NOT_USED, "sgdt", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_M | OT_S, AM_NOT_USED, AM_NOT_USED, "sidt", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_M | OT_S, AM_NOT_USED, AM_NOT_USED, "lgdt", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_M | OT_S, AM_NOT_USED, AM_NOT_USED, "lidt", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_W, AM_NOT_USED, AM_NOT_USED, "smsw", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_W, AM_NOT_USED, AM_NOT_USED, "lmsw", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_M | OT_B, AM_NOT_USED, AM_NOT_USED, "invlpg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_0f18[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_M | OT_ADDRESS_MODE_M, AM_NOT_USED, AM_NOT_USED, "prefetch", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "prefetch", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "prefetch", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_REGISTER | OT_D, AM_NOT_USED, AM_NOT_USED, "prefetch", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_0f71[] = {
- /* 0x0 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_I | OT_B, AM_NOT_USED, "psrlw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_P | OT_DQ, AM_I | OT_B, AM_NOT_USED, "psrlw" } },
- /* 0x3 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_I | OT_B, AM_NOT_USED, "psraw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_P | OT_DQ, AM_I | OT_B, AM_NOT_USED, "psraw" } },
- /* 0x5 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_I | OT_B, AM_NOT_USED, "psllw", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_P | OT_DQ, AM_I | OT_B, AM_NOT_USED, "psllw" } },
- /* 0x7 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_0f72[] = {
- /* 0x0 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_I | OT_B, AM_NOT_USED, "psrld", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_I | OT_B, AM_NOT_USED, "psrld" } },
- /* 0x3 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_I | OT_B, AM_NOT_USED, "psrad", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_I | OT_B, AM_NOT_USED, "psrad" } },
- /* 0x5 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_I | OT_B, AM_NOT_USED, "pslld", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_I | OT_B, AM_NOT_USED, "pslld" } },
- /* 0x7 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_0f73[] = {
- /* 0x0 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_I | OT_B, AM_NOT_USED, "psrlq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_I | OT_B, AM_NOT_USED, "psrlq" } },
- /* 0x3 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_P | OT_Q, AM_I | OT_B, AM_NOT_USED, "psllq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_I | OT_B, AM_NOT_USED, "psllq" } },
- /* 0x7 */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_I | OT_B, AM_NOT_USED, "pslldq", true,
- /* F2h */ { 0 },
- /* F3h */ { 0 },
- /* 66h */ { 0, IT_GENERIC, AM_W | OT_DQ, AM_I | OT_B, AM_NOT_USED, "pslldq" } },
-};
-
-const Opcode s_opcode_byte_after_0fae[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "fxsave", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "fxrstor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "ldmxcsr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "stmxcsr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "lfence", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "mfence", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, "clflush/sfence", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
-};
-
-const Opcode s_opcode_byte_after_0fba[] = {
- /* 0x0 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "bt", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "bts", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "btr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "btc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_0fc7[] = {
- /* 0x0 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_M | OT_Q, AM_NOT_USED, AM_NOT_USED, "cmpxch8b", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_80[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_81[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_82[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_83[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "add", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "or", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "adc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "sbb", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "and", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "sub", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "xor", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "cmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_c0[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "rol", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "ror", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "rcl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "rcr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "shl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "shr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "sal", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "sar", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_c1[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "rol", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "ror", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "rcl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "rcr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "shl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "shr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "sal", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_B, AM_NOT_USED, "sar", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_d0[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_B, AM_IMPLICIT, AM_NOT_USED, "rol", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_B, AM_IMPLICIT, AM_NOT_USED, "ror", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_B, AM_IMPLICIT, AM_NOT_USED, "rcl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_B, AM_IMPLICIT, AM_NOT_USED, "rcr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_B, AM_IMPLICIT, AM_NOT_USED, "shl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_B, AM_IMPLICIT, AM_NOT_USED, "shr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_B, AM_IMPLICIT, AM_NOT_USED, "sal", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_B, AM_IMPLICIT, AM_NOT_USED, "sar", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_d1[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_V, AM_IMPLICIT, AM_NOT_USED, "rol", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_IMPLICIT, AM_NOT_USED, "ror", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_V, AM_IMPLICIT, AM_NOT_USED, "rcl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_V, AM_IMPLICIT, AM_NOT_USED, "rcr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_V, AM_IMPLICIT, AM_NOT_USED, "shl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_V, AM_IMPLICIT, AM_NOT_USED, "shr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_V, AM_IMPLICIT, AM_NOT_USED, "sal", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_V, AM_IMPLICIT, AM_NOT_USED, "sar", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_d2[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "rol", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "ror", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "rcl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "rcr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "shl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "shr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "sal", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_B, AM_REGISTER | OT_B, AM_NOT_USED, "sar", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_d3[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_V, AM_REGISTER | OT_B, AM_NOT_USED, "rol", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_REGISTER | OT_B, AM_NOT_USED, "ror", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_V, AM_REGISTER | OT_B, AM_NOT_USED, "rcl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_V, AM_REGISTER | OT_B, AM_NOT_USED, "rcr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_E | OT_V, AM_REGISTER | OT_B, AM_NOT_USED, "shl", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_E | OT_V, AM_REGISTER | OT_B, AM_NOT_USED, "shr", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_V, AM_REGISTER | OT_B, AM_NOT_USED, "sal", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_E | OT_V, AM_REGISTER | OT_B, AM_NOT_USED, "sar", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_f6[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "test", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_B, AM_I | OT_B, AM_NOT_USED, "test", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "not", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "neg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, OT_B | AM_REGISTER, AM_E | OT_B, AM_NOT_USED, "mul", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, OT_B | AM_REGISTER, AM_E | OT_B, AM_NOT_USED, "imul", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_E | OT_B, AM_NOT_USED, "div", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_REGISTER | OT_B, AM_E | OT_B, AM_NOT_USED, "idiv", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_f7[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "test", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_I | OT_V, AM_NOT_USED, "test", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_GENERIC, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, "not", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_GENERIC, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, "neg", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_E | OT_V, AM_NOT_USED, "mul", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_E | OT_V, AM_NOT_USED, "imul", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_E | OT_V, AM_NOT_USED, "div", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_GENERIC, AM_REGISTER | OT_V, AM_E | OT_V, AM_NOT_USED, "idiv", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_fe[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_B, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-const Opcode s_opcode_byte_after_ff[] = {
- /* 0x0 */ { 0, IT_GENERIC, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, "inc", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x1 */ { 0, IT_GENERIC, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, "dec", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x2 */ { 0, IT_JUMP, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, "call", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x3 */ { 0, IT_JUMP, AM_E | OT_P, AM_NOT_USED, AM_NOT_USED, "call", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x4 */ { 0, IT_JUMP, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, "jmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x5 */ { 0, IT_JUMP, AM_E | OT_P, AM_NOT_USED, AM_NOT_USED, "jmp", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x6 */ { 0, IT_GENERIC, AM_E | OT_V, AM_NOT_USED, AM_NOT_USED, "push", false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } },
- /* 0x7 */ { 0, IT_UNUSED, AM_NOT_USED, AM_NOT_USED, AM_NOT_USED, 0, false, /* F2h */ { 0 }, /* F3h */ { 0 }, /* 66h */ { 0 } }
-};
-
-/*
-* A table of all the other tables, containing some extra information, e.g.
-* how to mask out the byte we're looking at.
-*/
-const OpcodeTable MiniDisassembler::s_ia32_opcode_map_[]={
- // One-byte opcodes and jumps to larger
- /* 0 */ {s_first_opcode_byte, 0, 0xff, 0, 0xff},
- // Two-byte opcodes (second byte)
- /* 1 */ {s_opcode_byte_after_0f, 0, 0xff, 0, 0xff},
- // Start of tables for opcodes using ModR/M bits as extension
- /* 2 */ {s_opcode_byte_after_80, 3, 0x07, 0, 0x07},
- /* 3 */ {s_opcode_byte_after_81, 3, 0x07, 0, 0x07},
- /* 4 */ {s_opcode_byte_after_82, 3, 0x07, 0, 0x07},
- /* 5 */ {s_opcode_byte_after_83, 3, 0x07, 0, 0x07},
- /* 6 */ {s_opcode_byte_after_c0, 3, 0x07, 0, 0x07},
- /* 7 */ {s_opcode_byte_after_c1, 3, 0x07, 0, 0x07},
- /* 8 */ {s_opcode_byte_after_d0, 3, 0x07, 0, 0x07},
- /* 9 */ {s_opcode_byte_after_d1, 3, 0x07, 0, 0x07},
- /* 10 */ {s_opcode_byte_after_d2, 3, 0x07, 0, 0x07},
- /* 11 */ {s_opcode_byte_after_d3, 3, 0x07, 0, 0x07},
- /* 12 */ {s_opcode_byte_after_f6, 3, 0x07, 0, 0x07},
- /* 13 */ {s_opcode_byte_after_f7, 3, 0x07, 0, 0x07},
- /* 14 */ {s_opcode_byte_after_fe, 3, 0x07, 0, 0x01},
- /* 15 */ {s_opcode_byte_after_ff, 3, 0x07, 0, 0x07},
- /* 16 */ {s_opcode_byte_after_0f00, 3, 0x07, 0, 0x07},
- /* 17 */ {s_opcode_byte_after_0f01, 3, 0x07, 0, 0x07},
- /* 18 */ {s_opcode_byte_after_0f18, 3, 0x07, 0, 0x07},
- /* 19 */ {s_opcode_byte_after_0f71, 3, 0x07, 0, 0x07},
- /* 20 */ {s_opcode_byte_after_0f72, 3, 0x07, 0, 0x07},
- /* 21 */ {s_opcode_byte_after_0f73, 3, 0x07, 0, 0x07},
- /* 22 */ {s_opcode_byte_after_0fae, 3, 0x07, 0, 0x07},
- /* 23 */ {s_opcode_byte_after_0fba, 3, 0x07, 0, 0x07},
- /* 24 */ {s_opcode_byte_after_0fc7, 3, 0x07, 0, 0x01}
-};
-
-}; // namespace sidestep
diff --git a/security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler.cpp b/security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler.cpp
deleted file mode 100644
index 1e8e0bd97..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler.cpp
+++ /dev/null
@@ -1,395 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Implementation of MiniDisassembler.
-
-#ifdef _WIN64
-#error The code in this file should not be used on 64-bit Windows.
-#endif
-
-#include "sandbox/win/src/sidestep/mini_disassembler.h"
-
-namespace sidestep {
-
-MiniDisassembler::MiniDisassembler(bool operand_default_is_32_bits,
- bool address_default_is_32_bits)
- : operand_default_is_32_bits_(operand_default_is_32_bits),
- address_default_is_32_bits_(address_default_is_32_bits) {
- Initialize();
-}
-
-MiniDisassembler::MiniDisassembler()
- : operand_default_is_32_bits_(true),
- address_default_is_32_bits_(true) {
- Initialize();
-}
-
-InstructionType MiniDisassembler::Disassemble(
- unsigned char* start_byte,
- unsigned int* instruction_bytes) {
- // Clean up any state from previous invocations.
- Initialize();
-
- // Start by processing any prefixes.
- unsigned char* current_byte = start_byte;
- unsigned int size = 0;
- InstructionType instruction_type = ProcessPrefixes(current_byte, &size);
-
- if (IT_UNKNOWN == instruction_type)
- return instruction_type;
-
- current_byte += size;
- size = 0;
-
- // Invariant: We have stripped all prefixes, and the operand_is_32_bits_
- // and address_is_32_bits_ flags are correctly set.
-
- instruction_type = ProcessOpcode(current_byte, 0, &size);
-
- // Check for error processing instruction
- if ((IT_UNKNOWN == instruction_type_) || (IT_UNUSED == instruction_type_)) {
- return IT_UNKNOWN;
- }
-
- current_byte += size;
-
- // Invariant: operand_bytes_ indicates the total size of operands
- // specified by the opcode and/or ModR/M byte and/or SIB byte.
- // pCurrentByte points to the first byte after the ModR/M byte, or after
- // the SIB byte if it is present (i.e. the first byte of any operands
- // encoded in the instruction).
-
- // We get the total length of any prefixes, the opcode, and the ModR/M and
- // SIB bytes if present, by taking the difference of the original starting
- // address and the current byte (which points to the first byte of the
- // operands if present, or to the first byte of the next instruction if
- // they are not). Adding the count of bytes in the operands encoded in
- // the instruction gives us the full length of the instruction in bytes.
- *instruction_bytes += operand_bytes_ + (current_byte - start_byte);
-
- // Return the instruction type, which was set by ProcessOpcode().
- return instruction_type_;
-}
-
-void MiniDisassembler::Initialize() {
- operand_is_32_bits_ = operand_default_is_32_bits_;
- address_is_32_bits_ = address_default_is_32_bits_;
- operand_bytes_ = 0;
- have_modrm_ = false;
- should_decode_modrm_ = false;
- instruction_type_ = IT_UNKNOWN;
- got_f2_prefix_ = false;
- got_f3_prefix_ = false;
- got_66_prefix_ = false;
-}
-
-InstructionType MiniDisassembler::ProcessPrefixes(unsigned char* start_byte,
- unsigned int* size) {
- InstructionType instruction_type = IT_GENERIC;
- const Opcode& opcode = s_ia32_opcode_map_[0].table_[*start_byte];
-
- switch (opcode.type_) {
- case IT_PREFIX_ADDRESS:
- address_is_32_bits_ = !address_default_is_32_bits_;
- goto nochangeoperand;
- case IT_PREFIX_OPERAND:
- operand_is_32_bits_ = !operand_default_is_32_bits_;
- nochangeoperand:
- case IT_PREFIX:
-
- if (0xF2 == (*start_byte))
- got_f2_prefix_ = true;
- else if (0xF3 == (*start_byte))
- got_f3_prefix_ = true;
- else if (0x66 == (*start_byte))
- got_66_prefix_ = true;
-
- instruction_type = opcode.type_;
- (*size)++;
- // we got a prefix, so add one and check next byte
- ProcessPrefixes(start_byte + 1, size);
- default:
- break; // not a prefix byte
- }
-
- return instruction_type;
-}
-
-InstructionType MiniDisassembler::ProcessOpcode(unsigned char* start_byte,
- unsigned int table_index,
- unsigned int* size) {
- const OpcodeTable& table = s_ia32_opcode_map_[table_index]; // Get our table
- unsigned char current_byte = (*start_byte) >> table.shift_;
- current_byte = current_byte & table.mask_; // Mask out the bits we will use
-
- // Check whether the byte we have is inside the table we have.
- if (current_byte < table.min_lim_ || current_byte > table.max_lim_) {
- instruction_type_ = IT_UNKNOWN;
- return instruction_type_;
- }
-
- const Opcode& opcode = table.table_[current_byte];
- if (IT_UNUSED == opcode.type_) {
- // This instruction is not used by the IA-32 ISA, so we indicate
- // this to the user. Probably means that we were pointed to
- // a byte in memory that was not the start of an instruction.
- instruction_type_ = IT_UNUSED;
- return instruction_type_;
- } else if (IT_REFERENCE == opcode.type_) {
- // We are looking at an opcode that has more bytes (or is continued
- // in the ModR/M byte). Recursively find the opcode definition in
- // the table for the opcode's next byte.
- (*size)++;
- ProcessOpcode(start_byte + 1, opcode.table_index_, size);
- return instruction_type_;
- }
-
- const SpecificOpcode* specific_opcode = reinterpret_cast<
- const SpecificOpcode*>(&opcode);
- if (opcode.is_prefix_dependent_) {
- if (got_f2_prefix_ && opcode.opcode_if_f2_prefix_.mnemonic_ != 0) {
- specific_opcode = &opcode.opcode_if_f2_prefix_;
- } else if (got_f3_prefix_ && opcode.opcode_if_f3_prefix_.mnemonic_ != 0) {
- specific_opcode = &opcode.opcode_if_f3_prefix_;
- } else if (got_66_prefix_ && opcode.opcode_if_66_prefix_.mnemonic_ != 0) {
- specific_opcode = &opcode.opcode_if_66_prefix_;
- }
- }
-
- // Inv: The opcode type is known.
- instruction_type_ = specific_opcode->type_;
-
- // Let's process the operand types to see if we have any immediate
- // operands, and/or a ModR/M byte.
-
- ProcessOperand(specific_opcode->flag_dest_);
- ProcessOperand(specific_opcode->flag_source_);
- ProcessOperand(specific_opcode->flag_aux_);
-
- // Inv: We have processed the opcode and incremented operand_bytes_
- // by the number of bytes of any operands specified by the opcode
- // that are stored in the instruction (not registers etc.). Now
- // we need to return the total number of bytes for the opcode and
- // for the ModR/M or SIB bytes if they are present.
-
- if (table.mask_ != 0xff) {
- if (have_modrm_) {
- // we're looking at a ModR/M byte so we're not going to
- // count that into the opcode size
- ProcessModrm(start_byte, size);
- return IT_GENERIC;
- } else {
- // need to count the ModR/M byte even if it's just being
- // used for opcode extension
- (*size)++;
- return IT_GENERIC;
- }
- } else {
- if (have_modrm_) {
- // The ModR/M byte is the next byte.
- (*size)++;
- ProcessModrm(start_byte + 1, size);
- return IT_GENERIC;
- } else {
- (*size)++;
- return IT_GENERIC;
- }
- }
-}
-
-bool MiniDisassembler::ProcessOperand(int flag_operand) {
- bool succeeded = true;
- if (AM_NOT_USED == flag_operand)
- return succeeded;
-
- // Decide what to do based on the addressing mode.
- switch (flag_operand & AM_MASK) {
- // No ModR/M byte indicated by these addressing modes, and no
- // additional (e.g. immediate) parameters.
- case AM_A: // Direct address
- case AM_F: // EFLAGS register
- case AM_X: // Memory addressed by the DS:SI register pair
- case AM_Y: // Memory addressed by the ES:DI register pair
- case AM_IMPLICIT: // Parameter is implicit, occupies no space in
- // instruction
- break;
-
- // There is a ModR/M byte but it does not necessarily need
- // to be decoded.
- case AM_C: // reg field of ModR/M selects a control register
- case AM_D: // reg field of ModR/M selects a debug register
- case AM_G: // reg field of ModR/M selects a general register
- case AM_P: // reg field of ModR/M selects an MMX register
- case AM_R: // mod field of ModR/M may refer only to a general register
- case AM_S: // reg field of ModR/M selects a segment register
- case AM_T: // reg field of ModR/M selects a test register
- case AM_V: // reg field of ModR/M selects a 128-bit XMM register
- have_modrm_ = true;
- break;
-
- // In these addressing modes, there is a ModR/M byte and it needs to be
- // decoded. No other (e.g. immediate) params than indicated in ModR/M.
- case AM_E: // Operand is either a general-purpose register or memory,
- // specified by ModR/M byte
- case AM_M: // ModR/M byte will refer only to memory
- case AM_Q: // Operand is either an MMX register or memory (complex
- // evaluation), specified by ModR/M byte
- case AM_W: // Operand is either a 128-bit XMM register or memory (complex
- // eval), specified by ModR/M byte
- have_modrm_ = true;
- should_decode_modrm_ = true;
- break;
-
- // These addressing modes specify an immediate or an offset value
- // directly, so we need to look at the operand type to see how many
- // bytes.
- case AM_I: // Immediate data.
- case AM_J: // Jump to offset.
- case AM_O: // Operand is at offset.
- switch (flag_operand & OT_MASK) {
- case OT_B: // Byte regardless of operand-size attribute.
- operand_bytes_ += OS_BYTE;
- break;
- case OT_C: // Byte or word, depending on operand-size attribute.
- if (operand_is_32_bits_)
- operand_bytes_ += OS_WORD;
- else
- operand_bytes_ += OS_BYTE;
- break;
- case OT_D: // Doubleword, regardless of operand-size attribute.
- operand_bytes_ += OS_DOUBLE_WORD;
- break;
- case OT_DQ: // Double-quadword, regardless of operand-size attribute.
- operand_bytes_ += OS_DOUBLE_QUAD_WORD;
- break;
- case OT_P: // 32-bit or 48-bit pointer, depending on operand-size
- // attribute.
- if (operand_is_32_bits_)
- operand_bytes_ += OS_48_BIT_POINTER;
- else
- operand_bytes_ += OS_32_BIT_POINTER;
- break;
- case OT_PS: // 128-bit packed single-precision floating-point data.
- operand_bytes_ += OS_128_BIT_PACKED_SINGLE_PRECISION_FLOATING;
- break;
- case OT_Q: // Quadword, regardless of operand-size attribute.
- operand_bytes_ += OS_QUAD_WORD;
- break;
- case OT_S: // 6-byte pseudo-descriptor.
- operand_bytes_ += OS_PSEUDO_DESCRIPTOR;
- break;
- case OT_SD: // Scalar Double-Precision Floating-Point Value
- case OT_PD: // Unaligned packed double-precision floating point value
- operand_bytes_ += OS_DOUBLE_PRECISION_FLOATING;
- break;
- case OT_SS:
- // Scalar element of a 128-bit packed single-precision
- // floating data.
- // We simply return enItUnknown since we don't have to support
- // floating point
- succeeded = false;
- break;
- case OT_V: // Word or doubleword, depending on operand-size attribute.
- if (operand_is_32_bits_)
- operand_bytes_ += OS_DOUBLE_WORD;
- else
- operand_bytes_ += OS_WORD;
- break;
- case OT_W: // Word, regardless of operand-size attribute.
- operand_bytes_ += OS_WORD;
- break;
-
- // Can safely ignore these.
- case OT_A: // Two one-word operands in memory or two double-word
- // operands in memory
- case OT_PI: // Quadword MMX technology register (e.g. mm0)
- case OT_SI: // Doubleword integer register (e.g., eax)
- break;
-
- default:
- break;
- }
- break;
-
- default:
- break;
- }
-
- return succeeded;
-}
-
-bool MiniDisassembler::ProcessModrm(unsigned char* start_byte,
- unsigned int* size) {
- // If we don't need to decode, we just return the size of the ModR/M
- // byte (there is never a SIB byte in this case).
- if (!should_decode_modrm_) {
- (*size)++;
- return true;
- }
-
- // We never care about the reg field, only the combination of the mod
- // and r/m fields, so let's start by packing those fields together into
- // 5 bits.
- unsigned char modrm = (*start_byte);
- unsigned char mod = modrm & 0xC0; // mask out top two bits to get mod field
- modrm = modrm & 0x07; // mask out bottom 3 bits to get r/m field
- mod = mod >> 3; // shift the mod field to the right place
- modrm = mod | modrm; // combine the r/m and mod fields as discussed
- mod = mod >> 3; // shift the mod field to bits 2..0
-
- // Invariant: modrm contains the mod field in bits 4..3 and the r/m field
- // in bits 2..0, and mod contains the mod field in bits 2..0
-
- const ModrmEntry* modrm_entry = 0;
- if (address_is_32_bits_)
- modrm_entry = &s_ia32_modrm_map_[modrm];
- else
- modrm_entry = &s_ia16_modrm_map_[modrm];
-
- // Invariant: modrm_entry points to information that we need to decode
- // the ModR/M byte.
-
- // Add to the count of operand bytes, if the ModR/M byte indicates
- // that some operands are encoded in the instruction.
- if (modrm_entry->is_encoded_in_instruction_)
- operand_bytes_ += modrm_entry->operand_size_;
-
- // Process the SIB byte if necessary, and return the count
- // of ModR/M and SIB bytes.
- if (modrm_entry->use_sib_byte_) {
- (*size)++;
- return ProcessSib(start_byte + 1, mod, size);
- } else {
- (*size)++;
- return true;
- }
-}
-
-bool MiniDisassembler::ProcessSib(unsigned char* start_byte,
- unsigned char mod,
- unsigned int* size) {
- // get the mod field from the 2..0 bits of the SIB byte
- unsigned char sib_base = (*start_byte) & 0x07;
- if (0x05 == sib_base) {
- switch (mod) {
- case 0x00: // mod == 00
- case 0x02: // mod == 10
- operand_bytes_ += OS_DOUBLE_WORD;
- break;
- case 0x01: // mod == 01
- operand_bytes_ += OS_BYTE;
- break;
- case 0x03: // mod == 11
- // According to the IA-32 docs, there does not seem to be a disp
- // value for this value of mod
- default:
- break;
- }
- }
-
- (*size)++;
- return true;
-}
-
-}; // namespace sidestep
diff --git a/security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler.h b/security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler.h
deleted file mode 100644
index 202c4ecc2..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler.h
+++ /dev/null
@@ -1,156 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Definition of MiniDisassembler.
-
-#ifndef SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_H__
-#define SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_H__
-
-#include "sandbox/win/src/sidestep/mini_disassembler_types.h"
-
-namespace sidestep {
-
-// This small disassembler is very limited
-// in its functionality, and in fact does only the bare minimum required by the
-// preamble patching utility. It may be useful for other purposes, however.
-//
-// The limitations include at least the following:
-// -# No support for coprocessor opcodes, MMX, etc.
-// -# No machine-readable identification of opcodes or decoding of
-// assembly parameters. The name of the opcode (as a string) is given,
-// however, to aid debugging.
-//
-// You may ask what this little disassembler actually does, then? The answer is
-// that it does the following, which is exactly what the patching utility needs:
-// -# Indicates if opcode is a jump (any kind) or a return (any kind)
-// because this is important for the patching utility to determine if
-// a function is too short or there are jumps too early in it for it
-// to be preamble patched.
-// -# The opcode length is always calculated, so that the patching utility
-// can figure out where the next instruction starts, and whether it
-// already has enough instructions to replace with the absolute jump
-// to the patching code.
-//
-// The usage is quite simple; just create a MiniDisassembler and use its
-// Disassemble() method.
-//
-// If you would like to extend this disassembler, please refer to the
-// IA-32 Intel Architecture Software Developer's Manual Volume 2:
-// Instruction Set Reference for information about operand decoding
-// etc.
-class MiniDisassembler {
- public:
-
- // Creates a new instance and sets defaults.
- //
- // operand_default_32_bits: If true, the default operand size is
- // set to 32 bits, which is the default under Win32. Otherwise it is 16 bits.
- // address_default_32_bits: If true, the default address size is
- // set to 32 bits, which is the default under Win32. Otherwise it is 16 bits.
- MiniDisassembler(bool operand_default_32_bits,
- bool address_default_32_bits);
-
- // Equivalent to MiniDisassembler(true, true);
- MiniDisassembler();
-
- // Attempts to disassemble a single instruction starting from the
- // address in memory it is pointed to.
- //
- // start: Address where disassembly should start.
- // instruction_bytes: Variable that will be incremented by
- // the length in bytes of the instruction.
- // Returns enItJump, enItReturn or enItGeneric on success. enItUnknown
- // if unable to disassemble, enItUnused if this seems to be an unused
- // opcode. In the last two (error) cases, cbInstruction will be set
- // to 0xffffffff.
- //
- // Postcondition: This instance of the disassembler is ready to be used again,
- // with unchanged defaults from creation time.
- InstructionType Disassemble(unsigned char* start,
- unsigned int* instruction_bytes);
-
- private:
-
- // Makes the disassembler ready for reuse.
- void Initialize();
-
- // Sets the flags for address and operand sizes.
- // Returns Number of prefix bytes.
- InstructionType ProcessPrefixes(unsigned char* start, unsigned int* size);
-
- // Sets the flag for whether we have ModR/M, and increments
- // operand_bytes_ if any are specifies by the opcode directly.
- // Returns Number of opcode bytes.
- InstructionType ProcessOpcode(unsigned char* start,
- unsigned int table,
- unsigned int* size);
-
- // Checks the type of the supplied operand. Increments
- // operand_bytes_ if it directly indicates an immediate etc.
- // operand. Asserts have_modrm_ if the operand specifies
- // a ModR/M byte.
- bool ProcessOperand(int flag_operand);
-
- // Increments operand_bytes_ by size specified by ModR/M and
- // by SIB if present.
- // Returns 0 in case of error, 1 if there is just a ModR/M byte,
- // 2 if there is a ModR/M byte and a SIB byte.
- bool ProcessModrm(unsigned char* start, unsigned int* size);
-
- // Processes the SIB byte that it is pointed to.
- // start: Pointer to the SIB byte.
- // mod: The mod field from the ModR/M byte.
- // Returns 1 to indicate success (indicates 1 SIB byte)
- bool ProcessSib(unsigned char* start, unsigned char mod, unsigned int* size);
-
- // The instruction type we have decoded from the opcode.
- InstructionType instruction_type_;
-
- // Counts the number of bytes that is occupied by operands in
- // the current instruction (note: we don't care about how large
- // operands stored in registers etc. are).
- unsigned int operand_bytes_;
-
- // True iff there is a ModR/M byte in this instruction.
- bool have_modrm_;
-
- // True iff we need to decode the ModR/M byte (sometimes it just
- // points to a register, we can tell by the addressing mode).
- bool should_decode_modrm_;
-
- // Current operand size is 32 bits if true, 16 bits if false.
- bool operand_is_32_bits_;
-
- // Default operand size is 32 bits if true, 16 bits if false.
- bool operand_default_is_32_bits_;
-
- // Current address size is 32 bits if true, 16 bits if false.
- bool address_is_32_bits_;
-
- // Default address size is 32 bits if true, 16 bits if false.
- bool address_default_is_32_bits_;
-
- // Huge big opcode table based on the IA-32 manual, defined
- // in Ia32OpcodeMap.cpp
- static const OpcodeTable s_ia32_opcode_map_[];
-
- // Somewhat smaller table to help with decoding ModR/M bytes
- // when 16-bit addressing mode is being used. Defined in
- // Ia32ModrmMap.cpp
- static const ModrmEntry s_ia16_modrm_map_[];
-
- // Somewhat smaller table to help with decoding ModR/M bytes
- // when 32-bit addressing mode is being used. Defined in
- // Ia32ModrmMap.cpp
- static const ModrmEntry s_ia32_modrm_map_[];
-
- // Indicators of whether we got certain prefixes that certain
- // silly Intel instructions depend on in nonstandard ways for
- // their behaviors.
- bool got_f2_prefix_, got_f3_prefix_, got_66_prefix_;
-};
-
-}; // namespace sidestep
-
-#endif // SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler_types.h b/security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler_types.h
deleted file mode 100644
index 1c1062631..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sidestep/mini_disassembler_types.h
+++ /dev/null
@@ -1,197 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-//
-// Several simple types used by the disassembler and some of the patching
-// mechanisms.
-
-#ifndef SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_TYPES_H__
-#define SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_TYPES_H__
-
-namespace sidestep {
-
-// Categories of instructions that we care about
-enum InstructionType {
- // This opcode is not used
- IT_UNUSED,
- // This disassembler does not recognize this opcode (error)
- IT_UNKNOWN,
- // This is not an instruction but a reference to another table
- IT_REFERENCE,
- // This byte is a prefix byte that we can ignore
- IT_PREFIX,
- // This is a prefix byte that switches to the nondefault address size
- IT_PREFIX_ADDRESS,
- // This is a prefix byte that switches to the nondefault operand size
- IT_PREFIX_OPERAND,
- // A jump or call instruction
- IT_JUMP,
- // A return instruction
- IT_RETURN,
- // Any other type of instruction (in this case we don't care what it is)
- IT_GENERIC,
-};
-
-// Lists IA-32 operand sizes in multiples of 8 bits
-enum OperandSize {
- OS_ZERO = 0,
- OS_BYTE = 1,
- OS_WORD = 2,
- OS_DOUBLE_WORD = 4,
- OS_QUAD_WORD = 8,
- OS_DOUBLE_QUAD_WORD = 16,
- OS_32_BIT_POINTER = 32/8,
- OS_48_BIT_POINTER = 48/8,
- OS_SINGLE_PRECISION_FLOATING = 32/8,
- OS_DOUBLE_PRECISION_FLOATING = 64/8,
- OS_DOUBLE_EXTENDED_PRECISION_FLOATING = 80/8,
- OS_128_BIT_PACKED_SINGLE_PRECISION_FLOATING = 128/8,
- OS_PSEUDO_DESCRIPTOR = 6
-};
-
-// Operand addressing methods from the IA-32 manual. The enAmMask value
-// is a mask for the rest. The other enumeration values are named for the
-// names given to the addressing methods in the manual, e.g. enAm_D is for
-// the D addressing method.
-//
-// The reason we use a full 4 bytes and a mask, is that we need to combine
-// these flags with the enOperandType to store the details
-// on the operand in a single integer.
-enum AddressingMethod {
- AM_NOT_USED = 0, // This operand is not used for this instruction
- AM_MASK = 0x00FF0000, // Mask for the rest of the values in this enumeration
- AM_A = 0x00010000, // A addressing type
- AM_C = 0x00020000, // C addressing type
- AM_D = 0x00030000, // D addressing type
- AM_E = 0x00040000, // E addressing type
- AM_F = 0x00050000, // F addressing type
- AM_G = 0x00060000, // G addressing type
- AM_I = 0x00070000, // I addressing type
- AM_J = 0x00080000, // J addressing type
- AM_M = 0x00090000, // M addressing type
- AM_O = 0x000A0000, // O addressing type
- AM_P = 0x000B0000, // P addressing type
- AM_Q = 0x000C0000, // Q addressing type
- AM_R = 0x000D0000, // R addressing type
- AM_S = 0x000E0000, // S addressing type
- AM_T = 0x000F0000, // T addressing type
- AM_V = 0x00100000, // V addressing type
- AM_W = 0x00110000, // W addressing type
- AM_X = 0x00120000, // X addressing type
- AM_Y = 0x00130000, // Y addressing type
- AM_REGISTER = 0x00140000, // Specific register is always used as this op
- AM_IMPLICIT = 0x00150000, // An implicit, fixed value is used
-};
-
-// Operand types from the IA-32 manual. The enOtMask value is
-// a mask for the rest. The rest of the values are named for the
-// names given to these operand types in the manual, e.g. enOt_ps
-// is for the ps operand type in the manual.
-//
-// The reason we use a full 4 bytes and a mask, is that we need
-// to combine these flags with the enAddressingMethod to store the details
-// on the operand in a single integer.
-enum OperandType {
- OT_MASK = 0xFF000000,
- OT_A = 0x01000000,
- OT_B = 0x02000000,
- OT_C = 0x03000000,
- OT_D = 0x04000000,
- OT_DQ = 0x05000000,
- OT_P = 0x06000000,
- OT_PI = 0x07000000,
- OT_PS = 0x08000000, // actually unsupported for (we don't know its size)
- OT_Q = 0x09000000,
- OT_S = 0x0A000000,
- OT_SS = 0x0B000000,
- OT_SI = 0x0C000000,
- OT_V = 0x0D000000,
- OT_W = 0x0E000000,
- OT_SD = 0x0F000000, // scalar double-precision floating-point value
- OT_PD = 0x10000000, // double-precision floating point
- // dummy "operand type" for address mode M - which doesn't specify
- // operand type
- OT_ADDRESS_MODE_M = 0x80000000
-};
-
-// Everything that's in an Opcode (see below) except the three
-// alternative opcode structs for different prefixes.
-struct SpecificOpcode {
- // Index to continuation table, or 0 if this is the last
- // byte in the opcode.
- int table_index_;
-
- // The opcode type
- InstructionType type_;
-
- // Description of the type of the dest, src and aux operands,
- // put together from an enOperandType flag and an enAddressingMethod
- // flag.
- int flag_dest_;
- int flag_source_;
- int flag_aux_;
-
- // We indicate the mnemonic for debugging purposes
- const char* mnemonic_;
-};
-
-// The information we keep in our tables about each of the different
-// valid instructions recognized by the IA-32 architecture.
-struct Opcode {
- // Index to continuation table, or 0 if this is the last
- // byte in the opcode.
- int table_index_;
-
- // The opcode type
- InstructionType type_;
-
- // Description of the type of the dest, src and aux operands,
- // put together from an enOperandType flag and an enAddressingMethod
- // flag.
- int flag_dest_;
- int flag_source_;
- int flag_aux_;
-
- // We indicate the mnemonic for debugging purposes
- const char* mnemonic_;
-
- // Alternative opcode info if certain prefixes are specified.
- // In most cases, all of these are zeroed-out. Only used if
- // bPrefixDependent is true.
- bool is_prefix_dependent_;
- SpecificOpcode opcode_if_f2_prefix_;
- SpecificOpcode opcode_if_f3_prefix_;
- SpecificOpcode opcode_if_66_prefix_;
-};
-
-// Information about each table entry.
-struct OpcodeTable {
- // Table of instruction entries
- const Opcode* table_;
- // How many bytes left to shift ModR/M byte <b>before</b> applying mask
- unsigned char shift_;
- // Mask to apply to byte being looked at before comparing to table
- unsigned char mask_;
- // Minimum/maximum indexes in table.
- unsigned char min_lim_;
- unsigned char max_lim_;
-};
-
-// Information about each entry in table used to decode ModR/M byte.
-struct ModrmEntry {
- // Is the operand encoded as bytes in the instruction (rather than
- // if it's e.g. a register in which case it's just encoded in the
- // ModR/M byte)
- bool is_encoded_in_instruction_;
-
- // Is there a SIB byte? In this case we always need to decode it.
- bool use_sib_byte_;
-
- // What is the size of the operand (only important if it's encoded
- // in the instruction)?
- OperandSize operand_size_;
-};
-
-}; // namespace sidestep
-
-#endif // SANDBOX_SRC_SIDESTEP_MINI_DISASSEMBLER_TYPES_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sidestep/preamble_patcher.h b/security/sandbox/chromium/sandbox/win/src/sidestep/preamble_patcher.h
deleted file mode 100644
index 3a0985ce9..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sidestep/preamble_patcher.h
+++ /dev/null
@@ -1,111 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Definition of PreamblePatcher
-
-#ifndef SANDBOX_SRC_SIDESTEP_PREAMBLE_PATCHER_H__
-#define SANDBOX_SRC_SIDESTEP_PREAMBLE_PATCHER_H__
-
-#include <stddef.h>
-
-namespace sidestep {
-
-// Maximum size of the preamble stub. We overwrite at least the first 5
-// bytes of the function. Considering the worst case scenario, we need 4
-// bytes + the max instruction size + 5 more bytes for our jump back to
-// the original code. With that in mind, 32 is a good number :)
-const size_t kMaxPreambleStubSize = 32;
-
-// Possible results of patching/unpatching
-enum SideStepError {
- SIDESTEP_SUCCESS = 0,
- SIDESTEP_INVALID_PARAMETER,
- SIDESTEP_INSUFFICIENT_BUFFER,
- SIDESTEP_JUMP_INSTRUCTION,
- SIDESTEP_FUNCTION_TOO_SMALL,
- SIDESTEP_UNSUPPORTED_INSTRUCTION,
- SIDESTEP_NO_SUCH_MODULE,
- SIDESTEP_NO_SUCH_FUNCTION,
- SIDESTEP_ACCESS_DENIED,
- SIDESTEP_UNEXPECTED,
-};
-
-// Implements a patching mechanism that overwrites the first few bytes of
-// a function preamble with a jump to our hook function, which is then
-// able to call the original function via a specially-made preamble-stub
-// that imitates the action of the original preamble.
-//
-// Note that there are a number of ways that this method of patching can
-// fail. The most common are:
-// - If there is a jump (jxx) instruction in the first 5 bytes of
-// the function being patched, we cannot patch it because in the
-// current implementation we do not know how to rewrite relative
-// jumps after relocating them to the preamble-stub. Note that
-// if you really really need to patch a function like this, it
-// would be possible to add this functionality (but at some cost).
-// - If there is a return (ret) instruction in the first 5 bytes
-// we cannot patch the function because it may not be long enough
-// for the jmp instruction we use to inject our patch.
-// - If there is another thread currently executing within the bytes
-// that are copied to the preamble stub, it will crash in an undefined
-// way.
-//
-// If you get any other error than the above, you're either pointing the
-// patcher at an invalid instruction (e.g. into the middle of a multi-
-// byte instruction, or not at memory containing executable instructions)
-// or, there may be a bug in the disassembler we use to find
-// instruction boundaries.
-class PreamblePatcher {
- public:
- // Patches target_function to point to replacement_function using a provided
- // preamble_stub of stub_size bytes.
- // Returns An error code indicating the result of patching.
- template <class T>
- static SideStepError Patch(T target_function, T replacement_function,
- void* preamble_stub, size_t stub_size) {
- return RawPatchWithStub(target_function, replacement_function,
- reinterpret_cast<unsigned char*>(preamble_stub),
- stub_size, NULL);
- }
-
- private:
-
- // Patches a function by overwriting its first few bytes with
- // a jump to a different function. This is similar to the RawPatch
- // function except that it uses the stub allocated by the caller
- // instead of allocating it.
- //
- // To use this function, you first have to call VirtualProtect to make the
- // target function writable at least for the duration of the call.
- //
- // target_function: A pointer to the function that should be
- // patched.
- //
- // replacement_function: A pointer to the function that should
- // replace the target function. The replacement function must have
- // exactly the same calling convention and parameters as the original
- // function.
- //
- // preamble_stub: A pointer to a buffer where the preamble stub
- // should be copied. The size of the buffer should be sufficient to
- // hold the preamble bytes.
- //
- // stub_size: Size in bytes of the buffer allocated for the
- // preamble_stub
- //
- // bytes_needed: Pointer to a variable that receives the minimum
- // number of bytes required for the stub. Can be set to NULL if you're
- // not interested.
- //
- // Returns An error code indicating the result of patching.
- static SideStepError RawPatchWithStub(void* target_function,
- void *replacement_function,
- unsigned char* preamble_stub,
- size_t stub_size,
- size_t* bytes_needed);
-};
-
-}; // namespace sidestep
-
-#endif // SANDBOX_SRC_SIDESTEP_PREAMBLE_PATCHER_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sidestep/preamble_patcher_with_stub.cpp b/security/sandbox/chromium/sandbox/win/src/sidestep/preamble_patcher_with_stub.cpp
deleted file mode 100644
index b5016009d..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sidestep/preamble_patcher_with_stub.cpp
+++ /dev/null
@@ -1,181 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Implementation of PreamblePatcher
-
-#include "sandbox/win/src/sidestep/preamble_patcher.h"
-
-#include <stddef.h>
-
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sidestep/mini_disassembler.h"
-
-// Definitions of assembly statements we need
-#define ASM_JMP32REL 0xE9
-#define ASM_INT3 0xCC
-
-namespace {
-
-// Very basic memcpy. We are copying 4 to 12 bytes most of the time, so there
-// is no attempt to optimize this code or have a general purpose function.
-// We don't want to call the crt from this code.
-inline void* RawMemcpy(void* destination, const void* source, size_t bytes) {
- const char* from = reinterpret_cast<const char*>(source);
- char* to = reinterpret_cast<char*>(destination);
-
- for (size_t i = 0; i < bytes ; i++)
- to[i] = from[i];
-
- return destination;
-}
-
-// Very basic memset. We are filling 1 to 7 bytes most of the time, so there
-// is no attempt to optimize this code or have a general purpose function.
-// We don't want to call the crt from this code.
-inline void* RawMemset(void* destination, int value, size_t bytes) {
- char* to = reinterpret_cast<char*>(destination);
-
- for (size_t i = 0; i < bytes ; i++)
- to[i] = static_cast<char>(value);
-
- return destination;
-}
-
-} // namespace
-
-#define ASSERT(a, b) DCHECK_NT(a)
-
-namespace sidestep {
-
-SideStepError PreamblePatcher::RawPatchWithStub(
- void* target_function,
- void* replacement_function,
- unsigned char* preamble_stub,
- size_t stub_size,
- size_t* bytes_needed) {
- if ((NULL == target_function) ||
- (NULL == replacement_function) ||
- (NULL == preamble_stub)) {
- ASSERT(false, (L"Invalid parameters - either pTargetFunction or "
- L"pReplacementFunction or pPreambleStub were NULL."));
- return SIDESTEP_INVALID_PARAMETER;
- }
-
- // TODO(V7:joi) Siggi and I just had a discussion and decided that both
- // patching and unpatching are actually unsafe. We also discussed a
- // method of making it safe, which is to freeze all other threads in the
- // process, check their thread context to see if their eip is currently
- // inside the block of instructions we need to copy to the stub, and if so
- // wait a bit and try again, then unfreeze all threads once we've patched.
- // Not implementing this for now since we're only using SideStep for unit
- // testing, but if we ever use it for production code this is what we
- // should do.
- //
- // NOTE: Stoyan suggests we can write 8 or even 10 bytes atomically using
- // FPU instructions, and on newer processors we could use cmpxchg8b or
- // cmpxchg16b. So it might be possible to do the patching/unpatching
- // atomically and avoid having to freeze other threads. Note though, that
- // doing it atomically does not help if one of the other threads happens
- // to have its eip in the middle of the bytes you change while you change
- // them.
- unsigned char* target = reinterpret_cast<unsigned char*>(target_function);
-
- // Let's disassemble the preamble of the target function to see if we can
- // patch, and to see how much of the preamble we need to take. We need 5
- // bytes for our jmp instruction, so let's find the minimum number of
- // instructions to get 5 bytes.
- MiniDisassembler disassembler;
- unsigned int preamble_bytes = 0;
- while (preamble_bytes < 5) {
- InstructionType instruction_type =
- disassembler.Disassemble(target + preamble_bytes, &preamble_bytes);
- if (IT_JUMP == instruction_type) {
- ASSERT(false, (L"Unable to patch because there is a jump instruction "
- L"in the first 5 bytes."));
- return SIDESTEP_JUMP_INSTRUCTION;
- } else if (IT_RETURN == instruction_type) {
- ASSERT(false, (L"Unable to patch because function is too short"));
- return SIDESTEP_FUNCTION_TOO_SMALL;
- } else if (IT_GENERIC != instruction_type) {
- ASSERT(false, (L"Disassembler encountered unsupported instruction "
- L"(either unused or unknown"));
- return SIDESTEP_UNSUPPORTED_INSTRUCTION;
- }
- }
-
- if (NULL != bytes_needed)
- *bytes_needed = preamble_bytes + 5;
-
- // Inv: preamble_bytes is the number of bytes (at least 5) that we need to
- // take from the preamble to have whole instructions that are 5 bytes or more
- // in size total. The size of the stub required is cbPreamble + size of
- // jmp (5)
- if (preamble_bytes + 5 > stub_size) {
- NOTREACHED_NT();
- return SIDESTEP_INSUFFICIENT_BUFFER;
- }
-
- // First, copy the preamble that we will overwrite.
- RawMemcpy(reinterpret_cast<void*>(preamble_stub),
- reinterpret_cast<void*>(target), preamble_bytes);
-
- // Now, make a jmp instruction to the rest of the target function (minus the
- // preamble bytes we moved into the stub) and copy it into our preamble-stub.
- // find address to jump to, relative to next address after jmp instruction
-#pragma warning(push)
-#pragma warning(disable:4244)
- // This assignment generates a warning because it is 32 bit specific.
- int relative_offset_to_target_rest
- = ((reinterpret_cast<unsigned char*>(target) + preamble_bytes) -
- (preamble_stub + preamble_bytes + 5));
-#pragma warning(pop)
- // jmp (Jump near, relative, displacement relative to next instruction)
- preamble_stub[preamble_bytes] = ASM_JMP32REL;
- // copy the address
- RawMemcpy(reinterpret_cast<void*>(preamble_stub + preamble_bytes + 1),
- reinterpret_cast<void*>(&relative_offset_to_target_rest), 4);
-
- // Inv: preamble_stub points to assembly code that will execute the
- // original function by first executing the first cbPreamble bytes of the
- // preamble, then jumping to the rest of the function.
-
- // Overwrite the first 5 bytes of the target function with a jump to our
- // replacement function.
- // (Jump near, relative, displacement relative to next instruction)
- target[0] = ASM_JMP32REL;
-
- // Find offset from instruction after jmp, to the replacement function.
-#pragma warning(push)
-#pragma warning(disable:4244)
- int offset_to_replacement_function =
- reinterpret_cast<unsigned char*>(replacement_function) -
- reinterpret_cast<unsigned char*>(target) - 5;
-#pragma warning(pop)
- // complete the jmp instruction
- RawMemcpy(reinterpret_cast<void*>(target + 1),
- reinterpret_cast<void*>(&offset_to_replacement_function), 4);
- // Set any remaining bytes that were moved to the preamble-stub to INT3 so
- // as not to cause confusion (otherwise you might see some strange
- // instructions if you look at the disassembly, or even invalid
- // instructions). Also, by doing this, we will break into the debugger if
- // some code calls into this portion of the code. If this happens, it
- // means that this function cannot be patched using this patcher without
- // further thought.
- if (preamble_bytes > 5) {
- RawMemset(reinterpret_cast<void*>(target + 5), ASM_INT3,
- preamble_bytes - 5);
- }
-
- // Inv: The memory pointed to by target_function now points to a relative
- // jump instruction that jumps over to the preamble_stub. The preamble
- // stub contains the first stub_size bytes of the original target
- // function's preamble code, followed by a relative jump back to the next
- // instruction after the first cbPreamble bytes.
-
- return SIDESTEP_SUCCESS;
-}
-
-}; // namespace sidestep
-
-#undef ASSERT
diff --git a/security/sandbox/chromium/sandbox/win/src/sidestep_resolver.cc b/security/sandbox/chromium/sandbox/win/src/sidestep_resolver.cc
deleted file mode 100644
index d5da2fbe9..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sidestep_resolver.cc
+++ /dev/null
@@ -1,204 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sidestep_resolver.h"
-
-#include <stddef.h>
-
-#include "base/win/pe_image.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sidestep/preamble_patcher.h"
-
-namespace {
-
-const size_t kSizeOfSidestepStub = sidestep::kMaxPreambleStubSize;
-
-struct SidestepThunk {
- char sidestep[kSizeOfSidestepStub]; // Storage for the sidestep stub.
- int internal_thunk; // Dummy member to the beginning of the internal thunk.
-};
-
-struct SmartThunk {
- const void* module_base; // Target module's base.
- const void* interceptor; // Real interceptor.
- SidestepThunk sidestep; // Standard sidestep thunk.
-};
-
-} // namespace
-
-namespace sandbox {
-
-NTSTATUS SidestepResolverThunk::Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) {
- NTSTATUS ret = Init(target_module, interceptor_module, target_name,
- interceptor_name, interceptor_entry_point,
- thunk_storage, storage_bytes);
- if (!NT_SUCCESS(ret))
- return ret;
-
- SidestepThunk* thunk = reinterpret_cast<SidestepThunk*>(thunk_storage);
-
- size_t internal_bytes = storage_bytes - kSizeOfSidestepStub;
- if (!SetInternalThunk(&thunk->internal_thunk, internal_bytes, thunk_storage,
- interceptor_))
- return STATUS_BUFFER_TOO_SMALL;
-
- AutoProtectMemory memory;
- ret = memory.ChangeProtection(target_, kSizeOfSidestepStub, PAGE_READWRITE);
- if (!NT_SUCCESS(ret))
- return ret;
-
- sidestep::SideStepError rv = sidestep::PreamblePatcher::Patch(
- target_, reinterpret_cast<void*>(&thunk->internal_thunk), thunk_storage,
- kSizeOfSidestepStub);
-
- if (sidestep::SIDESTEP_INSUFFICIENT_BUFFER == rv)
- return STATUS_BUFFER_TOO_SMALL;
-
- if (sidestep::SIDESTEP_SUCCESS != rv)
- return STATUS_UNSUCCESSFUL;
-
- if (storage_used)
- *storage_used = GetThunkSize();
-
- return ret;
-}
-
-size_t SidestepResolverThunk::GetThunkSize() const {
- return GetInternalThunkSize() + kSizeOfSidestepStub;
-}
-
-// This is basically a wrapper around the normal sidestep patch that extends
-// the thunk to use a chained interceptor. It uses the fact that
-// SetInternalThunk generates the code to pass as the first parameter whatever
-// it receives as original_function; we let SidestepResolverThunk set this value
-// to its saved code, and then we change it to our thunk data.
-NTSTATUS SmartSidestepResolverThunk::Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) {
- if (storage_bytes < GetThunkSize())
- return STATUS_BUFFER_TOO_SMALL;
-
- SmartThunk* thunk = reinterpret_cast<SmartThunk*>(thunk_storage);
- thunk->module_base = target_module;
-
- NTSTATUS ret;
- if (interceptor_entry_point) {
- thunk->interceptor = interceptor_entry_point;
- } else {
- ret = ResolveInterceptor(interceptor_module, interceptor_name,
- &thunk->interceptor);
- if (!NT_SUCCESS(ret))
- return ret;
- }
-
- // Perform a standard sidestep patch on the last part of the thunk, but point
- // to our internal smart interceptor.
- size_t standard_bytes = storage_bytes - offsetof(SmartThunk, sidestep);
- ret = SidestepResolverThunk::Setup(target_module, interceptor_module,
- target_name, NULL, &SmartStub,
- &thunk->sidestep, standard_bytes, NULL);
- if (!NT_SUCCESS(ret))
- return ret;
-
- // Fix the internal thunk to pass the whole buffer to the interceptor.
- SetInternalThunk(&thunk->sidestep.internal_thunk, GetInternalThunkSize(),
- thunk_storage, &SmartStub);
-
- if (storage_used)
- *storage_used = GetThunkSize();
-
- return ret;
-}
-
-size_t SmartSidestepResolverThunk::GetThunkSize() const {
- return GetInternalThunkSize() + kSizeOfSidestepStub +
- offsetof(SmartThunk, sidestep);
-}
-
-// This code must basically either call the intended interceptor or skip the
-// call and invoke instead the original function. In any case, we are saving
-// the registers that may be trashed by our c++ code.
-//
-// This function is called with a first parameter inserted by us, that points
-// to our SmartThunk. When we call the interceptor we have to replace this
-// parameter with the one expected by that function (stored inside our
-// structure); on the other hand, when we skip the interceptor we have to remove
-// that extra argument before calling the original function.
-//
-// When we skip the interceptor, the transformation of the stack looks like:
-// On Entry: On Use: On Exit:
-// [param 2] = first real argument [param 2] (esp+1c) [param 2]
-// [param 1] = our SmartThunk [param 1] (esp+18) [ret address]
-// [ret address] = real caller [ret address] (esp+14) [xxx]
-// [xxx] [addr to jump to] (esp+10) [xxx]
-// [xxx] [saved eax] [xxx]
-// [xxx] [saved ebx] [xxx]
-// [xxx] [saved ecx] [xxx]
-// [xxx] [saved edx] [xxx]
-__declspec(naked)
-void SmartSidestepResolverThunk::SmartStub() {
- __asm {
- push eax // Space for the jump.
- push eax // Save registers.
- push ebx
- push ecx
- push edx
- mov ebx, [esp + 0x18] // First parameter = SmartThunk.
- mov edx, [esp + 0x14] // Get the return address.
- mov eax, [ebx]SmartThunk.module_base
- push edx
- push eax
- call SmartSidestepResolverThunk::IsInternalCall
- add esp, 8
-
- test eax, eax
- lea edx, [ebx]SmartThunk.sidestep // The original function.
- jz call_interceptor
-
- // Skip this call
- mov ecx, [esp + 0x14] // Return address.
- mov [esp + 0x18], ecx // Remove first parameter.
- mov [esp + 0x10], edx
- pop edx // Restore registers.
- pop ecx
- pop ebx
- pop eax
- ret 4 // Jump to original function.
-
- call_interceptor:
- mov ecx, [ebx]SmartThunk.interceptor
- mov [esp + 0x18], edx // Replace first parameter.
- mov [esp + 0x10], ecx
- pop edx // Restore registers.
- pop ecx
- pop ebx
- pop eax
- ret // Jump to original function.
- }
-}
-
-bool SmartSidestepResolverThunk::IsInternalCall(const void* base,
- void* return_address) {
- DCHECK_NT(base);
- DCHECK_NT(return_address);
-
- base::win::PEImage pe(base);
- if (pe.GetImageSectionFromAddr(return_address))
- return true;
- return false;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sidestep_resolver.h b/security/sandbox/chromium/sandbox/win/src/sidestep_resolver.h
deleted file mode 100644
index 8088272ee..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sidestep_resolver.h
+++ /dev/null
@@ -1,75 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SIDESTEP_RESOLVER_H__
-#define SANDBOX_SRC_SIDESTEP_RESOLVER_H__
-
-#include <stddef.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/resolver.h"
-
-namespace sandbox {
-
-// This is the concrete resolver used to perform sidestep interceptions.
-class SidestepResolverThunk : public ResolverThunk {
- public:
- SidestepResolverThunk() {}
- ~SidestepResolverThunk() override {}
-
- // Implementation of Resolver::Setup.
- NTSTATUS Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) override;
-
- // Implementation of Resolver::GetThunkSize.
- size_t GetThunkSize() const override;
-
- private:
- DISALLOW_COPY_AND_ASSIGN(SidestepResolverThunk);
-};
-
-// This is the concrete resolver used to perform smart sidestep interceptions.
-// This means basically a sidestep interception that skips the interceptor when
-// the caller resides on the same dll being intercepted. It is intended as
-// a helper only, because that determination is not infallible.
-class SmartSidestepResolverThunk : public SidestepResolverThunk {
- public:
- SmartSidestepResolverThunk() {}
- ~SmartSidestepResolverThunk() override {}
-
- // Implementation of Resolver::Setup.
- NTSTATUS Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) override;
-
- // Implementation of Resolver::GetThunkSize.
- size_t GetThunkSize() const override;
-
- private:
- // Performs the actual call to the interceptor if the conditions are correct
- // (as determined by IsInternalCall).
- static void SmartStub();
-
- // Returns true if return_address is inside the module loaded at base.
- static bool IsInternalCall(const void* base, void* return_address);
-
- DISALLOW_COPY_AND_ASSIGN(SmartSidestepResolverThunk);
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_SRC_SIDESTEP_RESOLVER_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/sync_dispatcher.cc
deleted file mode 100644
index 2e5d1c50f..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sync_dispatcher.cc
+++ /dev/null
@@ -1,82 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sync_dispatcher.h"
-
-#include <stdint.h>
-
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/interceptors.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_broker.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sync_interception.h"
-#include "sandbox/win/src/sync_policy.h"
-
-namespace sandbox {
-
-SyncDispatcher::SyncDispatcher(PolicyBase* policy_base)
- : policy_base_(policy_base) {
- static const IPCCall create_params = {
- {IPC_CREATEEVENT_TAG, {WCHAR_TYPE, UINT32_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(&SyncDispatcher::CreateEvent)};
-
- static const IPCCall open_params = {
- {IPC_OPENEVENT_TAG, {WCHAR_TYPE, UINT32_TYPE}},
- reinterpret_cast<CallbackGeneric>(&SyncDispatcher::OpenEvent)};
-
- ipc_calls_.push_back(create_params);
- ipc_calls_.push_back(open_params);
-}
-
-bool SyncDispatcher::SetupService(InterceptionManager* manager,
- int service) {
- if (service == IPC_CREATEEVENT_TAG) {
- return INTERCEPT_NT(manager, NtCreateEvent, CREATE_EVENT_ID, 24);
- }
- return (service == IPC_OPENEVENT_TAG) &&
- INTERCEPT_NT(manager, NtOpenEvent, OPEN_EVENT_ID, 16);
-}
-
-bool SyncDispatcher::CreateEvent(IPCInfo* ipc,
- base::string16* name,
- uint32_t event_type,
- uint32_t initial_state) {
- const wchar_t* event_name = name->c_str();
- CountedParameterSet<NameBased> params;
- params[NameBased::NAME] = ParamPickerMake(event_name);
-
- EvalResult result = policy_base_->EvalPolicy(IPC_CREATEEVENT_TAG,
- params.GetBase());
- HANDLE handle = NULL;
- // Return operation status on the IPC.
- ipc->return_info.nt_status = SyncPolicy::CreateEventAction(
- result, *ipc->client_info, *name, event_type, initial_state, &handle);
- ipc->return_info.handle = handle;
- return true;
-}
-
-bool SyncDispatcher::OpenEvent(IPCInfo* ipc,
- base::string16* name,
- uint32_t desired_access) {
- const wchar_t* event_name = name->c_str();
-
- CountedParameterSet<OpenEventParams> params;
- params[OpenEventParams::NAME] = ParamPickerMake(event_name);
- params[OpenEventParams::ACCESS] = ParamPickerMake(desired_access);
-
- EvalResult result = policy_base_->EvalPolicy(IPC_OPENEVENT_TAG,
- params.GetBase());
- HANDLE handle = NULL;
- // Return operation status on the IPC.
- ipc->return_info.nt_status = SyncPolicy::OpenEventAction(
- result, *ipc->client_info, *name, desired_access, &handle);
- ipc->return_info.handle = handle;
- return true;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/sync_dispatcher.h
deleted file mode 100644
index 8a2a0e582..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sync_dispatcher.h
+++ /dev/null
@@ -1,42 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SYNC_DISPATCHER_H_
-#define SANDBOX_SRC_SYNC_DISPATCHER_H_
-
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-namespace sandbox {
-
-// This class handles sync-related IPC calls.
-class SyncDispatcher : public Dispatcher {
- public:
- explicit SyncDispatcher(PolicyBase* policy_base);
- ~SyncDispatcher() override {}
-
- // Dispatcher interface.
- bool SetupService(InterceptionManager* manager, int service) override;
-
-private:
- // Processes IPC requests coming from calls to CreateEvent in the target.
- bool CreateEvent(IPCInfo* ipc,
- base::string16* name,
- uint32_t event_type,
- uint32_t initial_state);
-
- // Processes IPC requests coming from calls to OpenEvent in the target.
- bool OpenEvent(IPCInfo* ipc, base::string16* name, uint32_t desired_access);
-
- PolicyBase* policy_base_;
- DISALLOW_COPY_AND_ASSIGN(SyncDispatcher);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SYNC_DISPATCHER_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc b/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
deleted file mode 100644
index 35d092492..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sync_interception.cc
+++ /dev/null
@@ -1,178 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sync_interception.h"
-
-#include <stdint.h>
-
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/policy_target.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-#include "sandbox/win/src/target_services.h"
-#include "mozilla/sandboxing/sandboxLogging.h"
-
-namespace sandbox {
-
-ResultCode ProxyCreateEvent(LPCWSTR name,
- uint32_t initial_state,
- EVENT_TYPE event_type,
- void* ipc_memory,
- CrossCallReturn* answer) {
- CountedParameterSet<NameBased> params;
- params[NameBased::NAME] = ParamPickerMake(name);
-
- if (!QueryBroker(IPC_CREATEEVENT_TAG, params.GetBase()))
- return SBOX_ERROR_GENERIC;
-
- SharedMemIPCClient ipc(ipc_memory);
- ResultCode code = CrossCall(ipc, IPC_CREATEEVENT_TAG, name, event_type,
- initial_state, answer);
- return code;
-}
-
-ResultCode ProxyOpenEvent(LPCWSTR name,
- uint32_t desired_access,
- void* ipc_memory,
- CrossCallReturn* answer) {
- CountedParameterSet<OpenEventParams> params;
- params[OpenEventParams::NAME] = ParamPickerMake(name);
- params[OpenEventParams::ACCESS] = ParamPickerMake(desired_access);
-
- if (!QueryBroker(IPC_OPENEVENT_TAG, params.GetBase()))
- return SBOX_ERROR_GENERIC;
-
- SharedMemIPCClient ipc(ipc_memory);
- ResultCode code = CrossCall(ipc, IPC_OPENEVENT_TAG, name, desired_access,
- answer);
-
- return code;
-}
-
-NTSTATUS WINAPI TargetNtCreateEvent(NtCreateEventFunction orig_CreateEvent,
- PHANDLE event_handle,
- ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes,
- EVENT_TYPE event_type,
- BOOLEAN initial_state) {
- NTSTATUS status = orig_CreateEvent(event_handle, desired_access,
- object_attributes, event_type,
- initial_state);
- if (status != STATUS_ACCESS_DENIED || !object_attributes)
- return status;
-
- mozilla::sandboxing::LogBlocked("NtCreatEvent",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
-
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return status;
-
- do {
- if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (memory == NULL)
- break;
-
- OBJECT_ATTRIBUTES object_attribs_copy = *object_attributes;
- // The RootDirectory points to BaseNamedObjects. We can ignore it.
- object_attribs_copy.RootDirectory = NULL;
-
- wchar_t* name = NULL;
- uint32_t attributes = 0;
- NTSTATUS ret = AllocAndCopyName(&object_attribs_copy, &name, &attributes,
- NULL);
- if (!NT_SUCCESS(ret) || name == NULL)
- break;
-
- CrossCallReturn answer = {0};
- answer.nt_status = status;
- ResultCode code = ProxyCreateEvent(name, initial_state, event_type, memory,
- &answer);
- operator delete(name, NT_ALLOC);
-
- if (code != SBOX_ALL_OK) {
- status = answer.nt_status;
- break;
- }
- __try {
- *event_handle = answer.handle;
- status = STATUS_SUCCESS;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
- mozilla::sandboxing::LogAllowed("NtCreateEvent",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- } while (false);
-
- return status;
-}
-
-NTSTATUS WINAPI TargetNtOpenEvent(NtOpenEventFunction orig_OpenEvent,
- PHANDLE event_handle,
- ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes) {
- NTSTATUS status = orig_OpenEvent(event_handle, desired_access,
- object_attributes);
- if (status != STATUS_ACCESS_DENIED || !object_attributes)
- return status;
-
- mozilla::sandboxing::LogBlocked("NtOpenEvent",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- //
- // We don't trust that the IPC can work this early.
- if (!SandboxFactory::GetTargetServices()->GetState()->InitCalled())
- return status;
-
- do {
- if (!ValidParameter(event_handle, sizeof(HANDLE), WRITE))
- break;
-
- void* memory = GetGlobalIPCMemory();
- if (memory == NULL)
- break;
-
- OBJECT_ATTRIBUTES object_attribs_copy = *object_attributes;
- // The RootDirectory points to BaseNamedObjects. We can ignore it.
- object_attribs_copy.RootDirectory = NULL;
-
- wchar_t* name = NULL;
- uint32_t attributes = 0;
- NTSTATUS ret = AllocAndCopyName(&object_attribs_copy, &name, &attributes,
- NULL);
- if (!NT_SUCCESS(ret) || name == NULL)
- break;
-
- CrossCallReturn answer = {0};
- answer.nt_status = status;
- ResultCode code = ProxyOpenEvent(name, desired_access, memory, &answer);
- operator delete(name, NT_ALLOC);
-
- if (code != SBOX_ALL_OK) {
- status = answer.nt_status;
- break;
- }
- __try {
- *event_handle = answer.handle;
- status = STATUS_SUCCESS;
- } __except(EXCEPTION_EXECUTE_HANDLER) {
- break;
- }
- mozilla::sandboxing::LogAllowed("NtOpenEvent",
- object_attributes->ObjectName->Buffer,
- object_attributes->ObjectName->Length);
- } while (false);
-
- return status;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_interception.h b/security/sandbox/chromium/sandbox/win/src/sync_interception.h
deleted file mode 100644
index 0f985a8ed..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sync_interception.h
+++ /dev/null
@@ -1,46 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_SYNC_INTERCEPTION_H__
-#define SANDBOX_SRC_SYNC_INTERCEPTION_H__
-
-namespace sandbox {
-
-extern "C" {
-
-typedef NTSTATUS (WINAPI* NtCreateEventFunction) (
- PHANDLE EventHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes,
- EVENT_TYPE EventType,
- BOOLEAN InitialState);
-
-typedef NTSTATUS (WINAPI *NtOpenEventFunction) (
- PHANDLE EventHandle,
- ACCESS_MASK DesiredAccess,
- POBJECT_ATTRIBUTES ObjectAttributes);
-
-// Interceptors for NtCreateEvent/NtOpenEvent
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtCreateEvent(
- NtCreateEventFunction orig_CreateEvent,
- PHANDLE event_handle,
- ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes,
- EVENT_TYPE event_type,
- BOOLEAN initial_state);
-
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtOpenEvent(
- NtOpenEventFunction orig_OpenEvent,
- PHANDLE event_handle,
- ACCESS_MASK desired_access,
- POBJECT_ATTRIBUTES object_attributes);
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SYNC_INTERCEPTION_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_policy.cc b/security/sandbox/chromium/sandbox/win/src/sync_policy.cc
deleted file mode 100644
index 7ef094ff7..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sync_policy.cc
+++ /dev/null
@@ -1,246 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stdint.h>
-
-#include <string>
-
-#include "sandbox/win/src/sync_policy.h"
-
-#include "base/logging.h"
-#include "base/strings/stringprintf.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/policy_engine_opcodes.h"
-#include "sandbox/win/src/policy_params.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sandbox_utils.h"
-#include "sandbox/win/src/sync_interception.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace sandbox {
-
-// Provides functionality to resolve a symbolic link within the object
-// directory passed in.
-NTSTATUS ResolveSymbolicLink(const base::string16& directory_name,
- const base::string16& name,
- base::string16* target) {
- NtOpenDirectoryObjectFunction NtOpenDirectoryObject = NULL;
- ResolveNTFunctionPtr("NtOpenDirectoryObject", &NtOpenDirectoryObject);
-
- NtQuerySymbolicLinkObjectFunction NtQuerySymbolicLinkObject = NULL;
- ResolveNTFunctionPtr("NtQuerySymbolicLinkObject",
- &NtQuerySymbolicLinkObject);
-
- NtOpenSymbolicLinkObjectFunction NtOpenSymbolicLinkObject = NULL;
- ResolveNTFunctionPtr("NtOpenSymbolicLinkObject", &NtOpenSymbolicLinkObject);
-
- NtCloseFunction NtClose = NULL;
- ResolveNTFunctionPtr("NtClose", &NtClose);
-
- OBJECT_ATTRIBUTES symbolic_link_directory_attributes = {};
- UNICODE_STRING symbolic_link_directory_string = {};
- InitObjectAttribs(directory_name, OBJ_CASE_INSENSITIVE, NULL,
- &symbolic_link_directory_attributes,
- &symbolic_link_directory_string, NULL);
-
- HANDLE symbolic_link_directory = NULL;
- NTSTATUS status = NtOpenDirectoryObject(&symbolic_link_directory,
- DIRECTORY_QUERY,
- &symbolic_link_directory_attributes);
- if (!NT_SUCCESS(status))
- return status;
-
- OBJECT_ATTRIBUTES symbolic_link_attributes = {};
- UNICODE_STRING name_string = {};
- InitObjectAttribs(name, OBJ_CASE_INSENSITIVE, symbolic_link_directory,
- &symbolic_link_attributes, &name_string, NULL);
-
- HANDLE symbolic_link = NULL;
- status = NtOpenSymbolicLinkObject(&symbolic_link, GENERIC_READ,
- &symbolic_link_attributes);
- CHECK(NT_SUCCESS(NtClose(symbolic_link_directory)));
- if (!NT_SUCCESS(status))
- return status;
-
- UNICODE_STRING target_path = {};
- unsigned long target_length = 0;
- status = NtQuerySymbolicLinkObject(symbolic_link, &target_path,
- &target_length);
- if (status != STATUS_BUFFER_TOO_SMALL) {
- CHECK(NT_SUCCESS(NtClose(symbolic_link)));
- return status;
- }
-
- target_path.Length = 0;
- target_path.MaximumLength = static_cast<USHORT>(target_length);
- target_path.Buffer = new wchar_t[target_path.MaximumLength + 1];
- status = NtQuerySymbolicLinkObject(symbolic_link, &target_path,
- &target_length);
- if (NT_SUCCESS(status))
- target->assign(target_path.Buffer, target_length);
-
- CHECK(NT_SUCCESS(NtClose(symbolic_link)));
- delete[] target_path.Buffer;
- return status;
-}
-
-NTSTATUS GetBaseNamedObjectsDirectory(HANDLE* directory) {
- static HANDLE base_named_objects_handle = NULL;
- if (base_named_objects_handle) {
- *directory = base_named_objects_handle;
- return STATUS_SUCCESS;
- }
-
- NtOpenDirectoryObjectFunction NtOpenDirectoryObject = NULL;
- ResolveNTFunctionPtr("NtOpenDirectoryObject", &NtOpenDirectoryObject);
-
- DWORD session_id = 0;
- ProcessIdToSessionId(::GetCurrentProcessId(), &session_id);
-
- base::string16 base_named_objects_path;
-
- NTSTATUS status = ResolveSymbolicLink(L"\\Sessions\\BNOLINKS",
- base::StringPrintf(L"%d", session_id),
- &base_named_objects_path);
- if (!NT_SUCCESS(status)) {
- DLOG(ERROR) << "Failed to resolve BaseNamedObjects path. Error: "
- << status;
- return status;
- }
-
- UNICODE_STRING directory_name = {};
- OBJECT_ATTRIBUTES object_attributes = {};
- InitObjectAttribs(base_named_objects_path, OBJ_CASE_INSENSITIVE, NULL,
- &object_attributes, &directory_name, NULL);
- status = NtOpenDirectoryObject(&base_named_objects_handle,
- DIRECTORY_ALL_ACCESS,
- &object_attributes);
- if (NT_SUCCESS(status))
- *directory = base_named_objects_handle;
- return status;
-}
-
-bool SyncPolicy::GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy) {
- base::string16 mod_name(name);
- if (mod_name.empty()) {
- return false;
- }
-
- if (TargetPolicy::EVENTS_ALLOW_ANY != semantics &&
- TargetPolicy::EVENTS_ALLOW_READONLY != semantics) {
- // Other flags are not valid for sync policy yet.
- NOTREACHED();
- return false;
- }
-
- // Add the open rule.
- EvalResult result = ASK_BROKER;
- PolicyRule open(result);
-
- if (!open.AddStringMatch(IF, OpenEventParams::NAME, name, CASE_INSENSITIVE))
- return false;
-
- if (TargetPolicy::EVENTS_ALLOW_READONLY == semantics) {
- // We consider all flags that are not known to be readonly as potentially
- // used for write.
- uint32_t allowed_flags = SYNCHRONIZE | GENERIC_READ | READ_CONTROL;
- uint32_t restricted_flags = ~allowed_flags;
- open.AddNumberMatch(IF_NOT, OpenEventParams::ACCESS, restricted_flags, AND);
- }
-
- if (!policy->AddRule(IPC_OPENEVENT_TAG, &open))
- return false;
-
- // If it's not a read only, add the create rule.
- if (TargetPolicy::EVENTS_ALLOW_READONLY != semantics) {
- PolicyRule create(result);
- if (!create.AddStringMatch(IF, NameBased::NAME, name, CASE_INSENSITIVE))
- return false;
-
- if (!policy->AddRule(IPC_CREATEEVENT_TAG, &create))
- return false;
- }
-
- return true;
-}
-
-NTSTATUS SyncPolicy::CreateEventAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& event_name,
- uint32_t event_type,
- uint32_t initial_state,
- HANDLE* handle) {
- NtCreateEventFunction NtCreateEvent = NULL;
- ResolveNTFunctionPtr("NtCreateEvent", &NtCreateEvent);
-
- // The only action supported is ASK_BROKER which means create the requested
- // file as specified.
- if (ASK_BROKER != eval_result)
- return false;
-
- HANDLE object_directory = NULL;
- NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory);
- if (status != STATUS_SUCCESS)
- return status;
-
- UNICODE_STRING unicode_event_name = {};
- OBJECT_ATTRIBUTES object_attributes = {};
- InitObjectAttribs(event_name, OBJ_CASE_INSENSITIVE, object_directory,
- &object_attributes, &unicode_event_name, NULL);
-
- HANDLE local_handle = NULL;
- status = NtCreateEvent(&local_handle, EVENT_ALL_ACCESS, &object_attributes,
- static_cast<EVENT_TYPE>(event_type),
- static_cast<BOOLEAN>(initial_state));
- if (NULL == local_handle)
- return status;
-
- if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
- client_info.process, handle, 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return STATUS_ACCESS_DENIED;
- }
- return status;
-}
-
-NTSTATUS SyncPolicy::OpenEventAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& event_name,
- uint32_t desired_access,
- HANDLE* handle) {
- NtOpenEventFunction NtOpenEvent = NULL;
- ResolveNTFunctionPtr("NtOpenEvent", &NtOpenEvent);
-
- // The only action supported is ASK_BROKER which means create the requested
- // event as specified.
- if (ASK_BROKER != eval_result)
- return false;
-
- HANDLE object_directory = NULL;
- NTSTATUS status = GetBaseNamedObjectsDirectory(&object_directory);
- if (status != STATUS_SUCCESS)
- return status;
-
- UNICODE_STRING unicode_event_name = {};
- OBJECT_ATTRIBUTES object_attributes = {};
- InitObjectAttribs(event_name, OBJ_CASE_INSENSITIVE, object_directory,
- &object_attributes, &unicode_event_name, NULL);
-
- HANDLE local_handle = NULL;
- status = NtOpenEvent(&local_handle, desired_access, &object_attributes);
- if (NULL == local_handle)
- return status;
-
- if (!::DuplicateHandle(::GetCurrentProcess(), local_handle,
- client_info.process, handle, 0, FALSE,
- DUPLICATE_CLOSE_SOURCE | DUPLICATE_SAME_ACCESS)) {
- return STATUS_ACCESS_DENIED;
- }
- return status;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_policy.h b/security/sandbox/chromium/sandbox/win/src/sync_policy.h
deleted file mode 100644
index 24e5c7d87..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sync_policy.h
+++ /dev/null
@@ -1,52 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_SYNC_POLICY_H__
-#define SANDBOX_SRC_SYNC_POLICY_H__
-
-#include <stdint.h>
-
-#include <string>
-
-#include "base/strings/string16.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/sandbox_policy.h"
-
-namespace sandbox {
-
-enum EvalResult;
-
-// This class centralizes most of the knowledge related to sync policy
-class SyncPolicy {
- public:
- // Creates the required low-level policy rules to evaluate a high-level
- // policy rule for sync calls, in particular open or create actions.
- // name is the sync object name, semantics is the desired semantics for the
- // open or create and policy is the policy generator to which the rules are
- // going to be added.
- static bool GenerateRules(const wchar_t* name,
- TargetPolicy::Semantics semantics,
- LowLevelPolicy* policy);
-
- // Performs the desired policy action on a request.
- // client_info is the target process that is making the request and
- // eval_result is the desired policy action to accomplish.
- static NTSTATUS CreateEventAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& event_name,
- uint32_t event_type,
- uint32_t initial_state,
- HANDLE* handle);
- static NTSTATUS OpenEventAction(EvalResult eval_result,
- const ClientInfo& client_info,
- const base::string16& event_name,
- uint32_t desired_access,
- HANDLE* handle);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_SYNC_POLICY_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_policy_test.cc b/security/sandbox/chromium/sandbox/win/src/sync_policy_test.cc
deleted file mode 100644
index 875bc4b2c..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sync_policy_test.cc
+++ /dev/null
@@ -1,149 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/sync_policy_test.h"
-
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_policy.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-SBOX_TESTS_COMMAND int Event_Open(int argc, wchar_t **argv) {
- if (argc != 2)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- DWORD desired_access = SYNCHRONIZE;
- if (L'f' == argv[0][0])
- desired_access = EVENT_ALL_ACCESS;
-
- base::win::ScopedHandle event_open(::OpenEvent(
- desired_access, FALSE, argv[1]));
- DWORD error_open = ::GetLastError();
-
- if (event_open.IsValid())
- return SBOX_TEST_SUCCEEDED;
-
- if (ERROR_ACCESS_DENIED == error_open ||
- ERROR_BAD_PATHNAME == error_open ||
- ERROR_FILE_NOT_FOUND == error_open)
- return SBOX_TEST_DENIED;
-
- return SBOX_TEST_FAILED;
-}
-
-SBOX_TESTS_COMMAND int Event_CreateOpen(int argc, wchar_t **argv) {
- if (argc < 2 || argc > 3)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- wchar_t *event_name = NULL;
- if (3 == argc)
- event_name = argv[2];
-
- BOOL manual_reset = FALSE;
- BOOL initial_state = FALSE;
- if (L't' == argv[0][0])
- manual_reset = TRUE;
- if (L't' == argv[1][0])
- initial_state = TRUE;
-
- base::win::ScopedHandle event_create(::CreateEvent(
- NULL, manual_reset, initial_state, event_name));
- DWORD error_create = ::GetLastError();
- base::win::ScopedHandle event_open;
- if (event_name)
- event_open.Set(::OpenEvent(EVENT_ALL_ACCESS, FALSE, event_name));
-
- if (event_create.IsValid()) {
- DWORD wait = ::WaitForSingleObject(event_create.Get(), 0);
- if (initial_state && WAIT_OBJECT_0 != wait)
- return SBOX_TEST_FAILED;
-
- if (!initial_state && WAIT_TIMEOUT != wait)
- return SBOX_TEST_FAILED;
- }
-
- if (event_name) {
- // Both event_open and event_create have to be valid.
- if (event_open.IsValid() && event_create.IsValid())
- return SBOX_TEST_SUCCEEDED;
-
- if ((event_open.IsValid() && !event_create.IsValid()) ||
- (!event_open.IsValid() && event_create.IsValid())) {
- return SBOX_TEST_FAILED;
- }
- } else {
- // Only event_create has to be valid.
- if (event_create.Get())
- return SBOX_TEST_SUCCEEDED;
- }
-
- if (ERROR_ACCESS_DENIED == error_create ||
- ERROR_BAD_PATHNAME == error_create)
- return SBOX_TEST_DENIED;
-
- return SBOX_TEST_FAILED;
-}
-
-// Tests the creation of events using all the possible combinations.
-TEST(SyncPolicyTest, TestEvent) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_SYNC,
- TargetPolicy::EVENTS_ALLOW_ANY,
- L"test1"));
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_SYNC,
- TargetPolicy::EVENTS_ALLOW_ANY,
- L"test2"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen f f"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen t f"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen f t"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen t t"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen f f test1"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen t f test2"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen f t test1"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen t t test2"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_CreateOpen f f test3"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_CreateOpen t f test4"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_CreateOpen f t test3"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_CreateOpen t t test4"));
-}
-
-// Tests opening events with read only access.
-TEST(SyncPolicyTest, TestEventReadOnly) {
- TestRunner runner;
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_SYNC,
- TargetPolicy::EVENTS_ALLOW_READONLY,
- L"test1"));
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_SYNC,
- TargetPolicy::EVENTS_ALLOW_READONLY,
- L"test2"));
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_SYNC,
- TargetPolicy::EVENTS_ALLOW_READONLY,
- L"test5"));
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_SYNC,
- TargetPolicy::EVENTS_ALLOW_READONLY,
- L"test6"));
-
- base::win::ScopedHandle handle1(::CreateEvent(NULL, FALSE, FALSE, L"test1"));
- base::win::ScopedHandle handle2(::CreateEvent(NULL, FALSE, FALSE, L"test2"));
- base::win::ScopedHandle handle3(::CreateEvent(NULL, FALSE, FALSE, L"test3"));
- base::win::ScopedHandle handle4(::CreateEvent(NULL, FALSE, FALSE, L"test4"));
-
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen f f"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_CreateOpen t f"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test1"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"Event_Open s test2"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open f test3"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_Open s test4"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_CreateOpen f f test5"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_CreateOpen t f test6"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_CreateOpen f t test5"));
- EXPECT_EQ(SBOX_TEST_DENIED, runner.RunTest(L"Event_CreateOpen t t test6"));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/sync_policy_test.h b/security/sandbox/chromium/sandbox/win/src/sync_policy_test.h
deleted file mode 100644
index 4f354b35b..000000000
--- a/security/sandbox/chromium/sandbox/win/src/sync_policy_test.h
+++ /dev/null
@@ -1,18 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_SYNC_POLICY_TEST_H_
-#define SANDBOX_WIN_SRC_SYNC_POLICY_TEST_H_
-
-#include "sandbox/win/tests/common/controller.h"
-
-namespace sandbox {
-
-// Opens the named event received on argv[1]. The requested access is
-// EVENT_ALL_ACCESS if argv[0] starts with 'f', or SYNCHRONIZE otherwise.
-SBOX_TESTS_COMMAND int Event_Open(int argc, wchar_t **argv);
-
-} // namespace sandbox
-
-#endif // SANDBOX_WIN_SRC_SYNC_POLICY_TEST_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/target_interceptions.cc b/security/sandbox/chromium/sandbox/win/src/target_interceptions.cc
deleted file mode 100644
index e6b0dcf78..000000000
--- a/security/sandbox/chromium/sandbox/win/src/target_interceptions.cc
+++ /dev/null
@@ -1,100 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/target_interceptions.h"
-
-#include "sandbox/win/src/interception_agent.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/target_services.h"
-
-namespace sandbox {
-
-SANDBOX_INTERCEPT NtExports g_nt;
-
-// Hooks NtMapViewOfSection to detect the load of DLLs. If hot patching is
-// required for this dll, this functions patches it.
-NTSTATUS WINAPI TargetNtMapViewOfSection(
- NtMapViewOfSectionFunction orig_MapViewOfSection, HANDLE section,
- HANDLE process, PVOID *base, ULONG_PTR zero_bits, SIZE_T commit_size,
- PLARGE_INTEGER offset, PSIZE_T view_size, SECTION_INHERIT inherit,
- ULONG allocation_type, ULONG protect) {
- NTSTATUS ret = orig_MapViewOfSection(section, process, base, zero_bits,
- commit_size, offset, view_size, inherit,
- allocation_type, protect);
-
- static int s_load_count = 0;
- if (1 == s_load_count) {
- SandboxFactory::GetTargetServices()->GetState()->SetKernel32Loaded();
- s_load_count = 2;
- }
-
- do {
- if (!NT_SUCCESS(ret))
- break;
-
- if (!InitHeap())
- break;
-
- if (!IsSameProcess(process))
- break;
-
- if (!IsValidImageSection(section, base, offset, view_size))
- break;
-
- UINT image_flags;
- UNICODE_STRING* module_name =
- GetImageInfoFromModule(reinterpret_cast<HMODULE>(*base), &image_flags);
- UNICODE_STRING* file_name = GetBackingFilePath(*base);
-
- if ((!module_name) && (image_flags & MODULE_HAS_CODE)) {
- // If the module has no exports we retrieve the module name from the
- // full path of the mapped section.
- module_name = ExtractModuleName(file_name);
- }
-
- InterceptionAgent* agent = InterceptionAgent::GetInterceptionAgent();
-
- if (agent) {
- if (!agent->OnDllLoad(file_name, module_name, *base)) {
- // Interception agent is demanding to un-map the module.
- g_nt.UnmapViewOfSection(process, *base);
- ret = STATUS_UNSUCCESSFUL;
- }
- }
-
- if (module_name)
- operator delete(module_name, NT_ALLOC);
-
- if (file_name)
- operator delete(file_name, NT_ALLOC);
-
- } while (false);
-
- if (!s_load_count)
- s_load_count = 1;
-
- return ret;
-}
-
-NTSTATUS WINAPI TargetNtUnmapViewOfSection(
- NtUnmapViewOfSectionFunction orig_UnmapViewOfSection, HANDLE process,
- PVOID base) {
- NTSTATUS ret = orig_UnmapViewOfSection(process, base);
-
- if (!NT_SUCCESS(ret))
- return ret;
-
- if (!IsSameProcess(process))
- return ret;
-
- InterceptionAgent* agent = InterceptionAgent::GetInterceptionAgent();
-
- if (agent)
- agent->OnDllUnload(base);
-
- return ret;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/target_interceptions.h b/security/sandbox/chromium/sandbox/win/src/target_interceptions.h
deleted file mode 100644
index f4805fec5..000000000
--- a/security/sandbox/chromium/sandbox/win/src/target_interceptions.h
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-#ifndef SANDBOX_SRC_TARGET_INTERCEPTIONS_H__
-#define SANDBOX_SRC_TARGET_INTERCEPTIONS_H__
-
-namespace sandbox {
-
-extern "C" {
-
-// Interception of NtMapViewOfSection on the child process.
-// It should never be called directly. This function provides the means to
-// detect dlls being loaded, so we can patch them if needed.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtMapViewOfSection(
- NtMapViewOfSectionFunction orig_MapViewOfSection, HANDLE section,
- HANDLE process, PVOID *base, ULONG_PTR zero_bits, SIZE_T commit_size,
- PLARGE_INTEGER offset, PSIZE_T view_size, SECTION_INHERIT inherit,
- ULONG allocation_type, ULONG protect);
-
-// Interception of NtUnmapViewOfSection on the child process.
-// It should never be called directly. This function provides the means to
-// detect dlls being unloaded, so we can clean up our interceptions.
-SANDBOX_INTERCEPT NTSTATUS WINAPI TargetNtUnmapViewOfSection(
- NtUnmapViewOfSectionFunction orig_UnmapViewOfSection, HANDLE process,
- PVOID base);
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_TARGET_INTERCEPTIONS_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.cc b/security/sandbox/chromium/sandbox/win/src/target_process.cc
deleted file mode 100644
index e27655e7e..000000000
--- a/security/sandbox/chromium/sandbox/win/src/target_process.cc
+++ /dev/null
@@ -1,368 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/target_process.h"
-
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/win/pe_image.h"
-#include "base/win/startup_information.h"
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/policy_low_level.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sharedmem_ipc_server.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace {
-
-void CopyPolicyToTarget(const void* source, size_t size, void* dest) {
- if (!source || !size)
- return;
- memcpy(dest, source, size);
- sandbox::PolicyGlobal* policy =
- reinterpret_cast<sandbox::PolicyGlobal*>(dest);
-
- size_t offset = reinterpret_cast<size_t>(source);
-
- for (size_t i = 0; i < sandbox::kMaxServiceCount; i++) {
- size_t buffer = reinterpret_cast<size_t>(policy->entry[i]);
- if (buffer) {
- buffer -= offset;
- policy->entry[i] = reinterpret_cast<sandbox::PolicyBuffer*>(buffer);
- }
- }
-}
-
-} // namespace
-
-namespace sandbox {
-
-SANDBOX_INTERCEPT HANDLE g_shared_section;
-SANDBOX_INTERCEPT size_t g_shared_IPC_size;
-SANDBOX_INTERCEPT size_t g_shared_policy_size;
-
-// Returns the address of the main exe module in memory taking in account
-// address space layout randomization.
-void* GetBaseAddress(const wchar_t* exe_name, void* entry_point) {
- HMODULE exe = ::LoadLibrary(exe_name);
- if (NULL == exe)
- return exe;
-
- base::win::PEImage pe(exe);
- if (!pe.VerifyMagic()) {
- ::FreeLibrary(exe);
- return exe;
- }
- PIMAGE_NT_HEADERS nt_header = pe.GetNTHeaders();
- char* base = reinterpret_cast<char*>(entry_point) -
- nt_header->OptionalHeader.AddressOfEntryPoint;
-
- ::FreeLibrary(exe);
- return base;
-}
-
-TargetProcess::TargetProcess(base::win::ScopedHandle initial_token,
- base::win::ScopedHandle lockdown_token,
- base::win::ScopedHandle lowbox_token,
- HANDLE job,
- ThreadProvider* thread_pool)
- // This object owns everything initialized here except thread_pool and
- // the job_ handle. The Job handle is closed by BrokerServices and results
- // eventually in a call to our dtor.
- : lockdown_token_(lockdown_token.Pass()),
- initial_token_(initial_token.Pass()),
- lowbox_token_(lowbox_token.Pass()),
- job_(job),
- thread_pool_(thread_pool),
- base_address_(NULL) {}
-
-TargetProcess::~TargetProcess() {
- DWORD exit_code = 0;
- // Give a chance to the process to die. In most cases the JOB_KILL_ON_CLOSE
- // will take effect only when the context changes. As far as the testing went,
- // this wait was enough to switch context and kill the processes in the job.
- // If this process is already dead, the function will return without waiting.
- // TODO(nsylvain): If the process is still alive at the end, we should kill
- // it. http://b/893891
- // For now, this wait is there only to do a best effort to prevent some leaks
- // from showing up in purify.
- if (sandbox_process_info_.IsValid()) {
- ::WaitForSingleObject(sandbox_process_info_.process_handle(), 50);
- // At this point, the target process should have been killed. Check.
- if (!::GetExitCodeProcess(sandbox_process_info_.process_handle(),
- &exit_code) || (STILL_ACTIVE == exit_code)) {
- // Something went wrong. We don't know if the target is in a state where
- // it can manage to do another IPC call. If it can, and we've destroyed
- // the |ipc_server_|, it will crash the broker. So we intentionally leak
- // that.
- if (shared_section_.IsValid())
- shared_section_.Take();
- ignore_result(ipc_server_.release());
- sandbox_process_info_.TakeProcessHandle();
- return;
- }
- }
-
- // ipc_server_ references our process handle, so make sure the former is shut
- // down before the latter is closed (by ScopedProcessInformation).
- ipc_server_.reset();
-}
-
-// Creates the target (child) process suspended and assigns it to the job
-// object.
-DWORD TargetProcess::Create(const wchar_t* exe_path,
- const wchar_t* command_line,
- bool inherit_handles,
- const base::win::StartupInformation& startup_info,
- base::win::ScopedProcessInformation* target_info) {
- if (lowbox_token_.IsValid() &&
- base::win::GetVersion() < base::win::VERSION_WIN8) {
- // We don't allow lowbox_token below Windows 8.
- return ERROR_INVALID_PARAMETER;
- }
-
- exe_name_.reset(_wcsdup(exe_path));
-
- // the command line needs to be writable by CreateProcess().
- scoped_ptr<wchar_t, base::FreeDeleter> cmd_line(_wcsdup(command_line));
-
- // Start the target process suspended.
- DWORD flags =
- CREATE_SUSPENDED | CREATE_UNICODE_ENVIRONMENT | DETACHED_PROCESS;
-
- if (startup_info.has_extended_startup_info())
- flags |= EXTENDED_STARTUPINFO_PRESENT;
-
- if (job_ && base::win::GetVersion() < base::win::VERSION_WIN8) {
- // Windows 8 implements nested jobs, but for older systems we need to
- // break out of any job we're in to enforce our restrictions.
- flags |= CREATE_BREAKAWAY_FROM_JOB;
- }
-
- PROCESS_INFORMATION temp_process_info = {};
- if (!::CreateProcessAsUserW(lockdown_token_.Get(), exe_path, cmd_line.get(),
- NULL, // No security attribute.
- NULL, // No thread attribute.
- inherit_handles, flags,
- NULL, // Use the environment of the caller.
- NULL, // Use current directory of the caller.
- startup_info.startup_info(),
- &temp_process_info)) {
- return ::GetLastError();
- }
- base::win::ScopedProcessInformation process_info(temp_process_info);
-
- DWORD win_result = ERROR_SUCCESS;
-
- if (job_) {
- // Assign the suspended target to the windows job object.
- if (!::AssignProcessToJobObject(job_, process_info.process_handle())) {
- win_result = ::GetLastError();
- ::TerminateProcess(process_info.process_handle(), 0);
- return win_result;
- }
- }
-
- if (initial_token_.IsValid()) {
- // Change the token of the main thread of the new process for the
- // impersonation token with more rights. This allows the target to start;
- // otherwise it will crash too early for us to help.
- HANDLE temp_thread = process_info.thread_handle();
- if (!::SetThreadToken(&temp_thread, initial_token_.Get())) {
- win_result = ::GetLastError();
- // It might be a security breach if we let the target run outside the job
- // so kill it before it causes damage.
- ::TerminateProcess(process_info.process_handle(), 0);
- return win_result;
- }
- initial_token_.Close();
- }
-
- CONTEXT context;
- context.ContextFlags = CONTEXT_ALL;
- if (!::GetThreadContext(process_info.thread_handle(), &context)) {
- win_result = ::GetLastError();
- ::TerminateProcess(process_info.process_handle(), 0);
- return win_result;
- }
-
-#if defined(_WIN64)
- void* entry_point = reinterpret_cast<void*>(context.Rcx);
-#else
-#pragma warning(push)
-#pragma warning(disable: 4312)
- // This cast generates a warning because it is 32 bit specific.
- void* entry_point = reinterpret_cast<void*>(context.Eax);
-#pragma warning(pop)
-#endif // _WIN64
-
- if (!target_info->DuplicateFrom(process_info)) {
- win_result = ::GetLastError(); // This may or may not be correct.
- ::TerminateProcess(process_info.process_handle(), 0);
- return win_result;
- }
-
- if (lowbox_token_.IsValid()) {
- PROCESS_ACCESS_TOKEN process_access_token;
- process_access_token.thread = process_info.thread_handle();
- process_access_token.token = lowbox_token_.Get();
-
- NtSetInformationProcess SetInformationProcess = NULL;
- ResolveNTFunctionPtr("NtSetInformationProcess", &SetInformationProcess);
-
- NTSTATUS status = SetInformationProcess(
- process_info.process_handle(),
- static_cast<PROCESS_INFORMATION_CLASS>(NtProcessInformationAccessToken),
- &process_access_token, sizeof(process_access_token));
- if (!NT_SUCCESS(status)) {
- win_result = ERROR_INVALID_TOKEN;
- ::TerminateProcess(process_info.process_handle(), 0); // exit code
- return win_result;
- }
- }
-
- base_address_ = GetBaseAddress(exe_path, entry_point);
- sandbox_process_info_.Set(process_info.Take());
- return win_result;
-}
-
-ResultCode TargetProcess::TransferVariable(const char* name, void* address,
- size_t size) {
- if (!sandbox_process_info_.IsValid())
- return SBOX_ERROR_UNEXPECTED_CALL;
-
- void* child_var = address;
-
-#if SANDBOX_EXPORTS
- HMODULE module = ::LoadLibrary(exe_name_.get());
- if (NULL == module)
- return SBOX_ERROR_GENERIC;
-
- child_var = ::GetProcAddress(module, name);
- ::FreeLibrary(module);
-
- if (NULL == child_var)
- return SBOX_ERROR_GENERIC;
-
- size_t offset = reinterpret_cast<char*>(child_var) -
- reinterpret_cast<char*>(module);
- child_var = reinterpret_cast<char*>(MainModule()) + offset;
-#endif
-
- SIZE_T written;
- if (!::WriteProcessMemory(sandbox_process_info_.process_handle(),
- child_var, address, size, &written))
- return SBOX_ERROR_GENERIC;
-
- if (written != size)
- return SBOX_ERROR_GENERIC;
-
- return SBOX_ALL_OK;
-}
-
-// Construct the IPC server and the IPC dispatcher. When the target does
-// an IPC it will eventually call the dispatcher.
-DWORD TargetProcess::Init(Dispatcher* ipc_dispatcher,
- void* policy,
- uint32_t shared_IPC_size,
- uint32_t shared_policy_size) {
- // We need to map the shared memory on the target. This is necessary for
- // any IPC that needs to take place, even if the target has not yet hit
- // the main( ) function or even has initialized the CRT. So here we set
- // the handle to the shared section. The target on the first IPC must do
- // the rest, which boils down to calling MapViewofFile()
-
- // We use this single memory pool for IPC and for policy.
- DWORD shared_mem_size = static_cast<DWORD>(shared_IPC_size +
- shared_policy_size);
- shared_section_.Set(::CreateFileMappingW(INVALID_HANDLE_VALUE, NULL,
- PAGE_READWRITE | SEC_COMMIT,
- 0, shared_mem_size, NULL));
- if (!shared_section_.IsValid()) {
- return ::GetLastError();
- }
-
- DWORD access = FILE_MAP_READ | FILE_MAP_WRITE | SECTION_QUERY;
- HANDLE target_shared_section;
- if (!::DuplicateHandle(::GetCurrentProcess(), shared_section_.Get(),
- sandbox_process_info_.process_handle(),
- &target_shared_section, access, FALSE, 0)) {
- return ::GetLastError();
- }
-
- void* shared_memory = ::MapViewOfFile(shared_section_.Get(),
- FILE_MAP_WRITE|FILE_MAP_READ,
- 0, 0, 0);
- if (NULL == shared_memory) {
- return ::GetLastError();
- }
-
- CopyPolicyToTarget(policy, shared_policy_size,
- reinterpret_cast<char*>(shared_memory) + shared_IPC_size);
-
- ResultCode ret;
- // Set the global variables in the target. These are not used on the broker.
- g_shared_section = target_shared_section;
- ret = TransferVariable("g_shared_section", &g_shared_section,
- sizeof(g_shared_section));
- g_shared_section = NULL;
- if (SBOX_ALL_OK != ret) {
- return (SBOX_ERROR_GENERIC == ret)?
- ::GetLastError() : ERROR_INVALID_FUNCTION;
- }
- g_shared_IPC_size = shared_IPC_size;
- ret = TransferVariable("g_shared_IPC_size", &g_shared_IPC_size,
- sizeof(g_shared_IPC_size));
- g_shared_IPC_size = 0;
- if (SBOX_ALL_OK != ret) {
- return (SBOX_ERROR_GENERIC == ret) ?
- ::GetLastError() : ERROR_INVALID_FUNCTION;
- }
- g_shared_policy_size = shared_policy_size;
- ret = TransferVariable("g_shared_policy_size", &g_shared_policy_size,
- sizeof(g_shared_policy_size));
- g_shared_policy_size = 0;
- if (SBOX_ALL_OK != ret) {
- return (SBOX_ERROR_GENERIC == ret) ?
- ::GetLastError() : ERROR_INVALID_FUNCTION;
- }
-
- ipc_server_.reset(
- new SharedMemIPCServer(sandbox_process_info_.process_handle(),
- sandbox_process_info_.process_id(),
- thread_pool_, ipc_dispatcher));
-
- if (!ipc_server_->Init(shared_memory, shared_IPC_size, kIPCChannelSize))
- return ERROR_NOT_ENOUGH_MEMORY;
-
- // After this point we cannot use this handle anymore.
- ::CloseHandle(sandbox_process_info_.TakeThreadHandle());
-
- return ERROR_SUCCESS;
-}
-
-void TargetProcess::Terminate() {
- if (!sandbox_process_info_.IsValid())
- return;
-
- ::TerminateProcess(sandbox_process_info_.process_handle(), 0);
-}
-
-TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address) {
- TargetProcess* target =
- new TargetProcess(base::win::ScopedHandle(), base::win::ScopedHandle(),
- base::win::ScopedHandle(), NULL, NULL);
- PROCESS_INFORMATION process_info = {};
- process_info.hProcess = process;
- target->sandbox_process_info_.Set(process_info);
- target->base_address_ = base_address;
- return target;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/target_process.h b/security/sandbox/chromium/sandbox/win/src/target_process.h
deleted file mode 100644
index c00f2cea8..000000000
--- a/security/sandbox/chromium/sandbox/win/src/target_process.h
+++ /dev/null
@@ -1,143 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WIN_SRC_TARGET_PROCESS_H_
-#define SANDBOX_WIN_SRC_TARGET_PROCESS_H_
-
-#include <windows.h>
-#include <stddef.h>
-#include <stdint.h>
-
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/win/scoped_handle.h"
-#include "base/win/scoped_process_information.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace base {
-namespace win {
-
-class StartupInformation;
-
-}; // namespace win
-}; // namespace base
-
-namespace sandbox {
-
-class AttributeList;
-class SharedMemIPCServer;
-class ThreadProvider;
-
-// TargetProcess models a target instance (child process). Objects of this
-// class are owned by the Policy used to create them.
-class TargetProcess {
- public:
- // The constructor takes ownership of |initial_token|, |lockdown_token|
- // and |lowbox_token|.
- TargetProcess(base::win::ScopedHandle initial_token,
- base::win::ScopedHandle lockdown_token,
- base::win::ScopedHandle lowbox_token,
- HANDLE job,
- ThreadProvider* thread_pool);
- ~TargetProcess();
-
- // TODO(cpu): Currently there does not seem to be a reason to implement
- // reference counting for this class since is internal, but kept the
- // the same interface so the interception framework does not need to be
- // touched at this point.
- void AddRef() {}
- void Release() {}
-
- // Creates the new target process. The process is created suspended.
- DWORD Create(const wchar_t* exe_path,
- const wchar_t* command_line,
- bool inherit_handles,
- const base::win::StartupInformation& startup_info,
- base::win::ScopedProcessInformation* target_info);
-
- // Destroys the target process.
- void Terminate();
-
- // Creates the IPC objects such as the BrokerDispatcher and the
- // IPC server. The IPC server uses the services of the thread_pool.
- DWORD Init(Dispatcher* ipc_dispatcher,
- void* policy,
- uint32_t shared_IPC_size,
- uint32_t shared_policy_size);
-
- // Returns the handle to the target process.
- HANDLE Process() const {
- return sandbox_process_info_.process_handle();
- }
-
- // Returns the handle to the job object that the target process belongs to.
- HANDLE Job() const {
- return job_;
- }
-
- // Returns the address of the target main exe. This is used by the
- // interceptions framework.
- HMODULE MainModule() const {
- return reinterpret_cast<HMODULE>(base_address_);
- }
-
- // Returns the name of the executable.
- const wchar_t* Name() const {
- return exe_name_.get();
- }
-
- // Returns the process id.
- DWORD ProcessId() const {
- return sandbox_process_info_.process_id();
- }
-
- // Returns the handle to the main thread.
- HANDLE MainThread() const {
- return sandbox_process_info_.thread_handle();
- }
-
- // Transfers a 32-bit variable between the broker and the target.
- ResultCode TransferVariable(const char* name, void* address, size_t size);
-
- private:
- // Details of the target process.
- base::win::ScopedProcessInformation sandbox_process_info_;
- // The token associated with the process. It provides the core of the
- // sbox security.
- base::win::ScopedHandle lockdown_token_;
- // The token given to the initial thread so that the target process can
- // start. It has more powers than the lockdown_token.
- base::win::ScopedHandle initial_token_;
- // The lowbox token associated with the process. This token is set after the
- // process creation.
- base::win::ScopedHandle lowbox_token_;
- // Kernel handle to the shared memory used by the IPC server.
- base::win::ScopedHandle shared_section_;
- // Job object containing the target process.
- HANDLE job_;
- // Reference to the IPC subsystem.
- scoped_ptr<SharedMemIPCServer> ipc_server_;
- // Provides the threads used by the IPC. This class does not own this pointer.
- ThreadProvider* thread_pool_;
- // Base address of the main executable
- void* base_address_;
- // Full name of the target executable.
- scoped_ptr<wchar_t, base::FreeDeleter> exe_name_;
-
- // Function used for testing.
- friend TargetProcess* MakeTestTargetProcess(HANDLE process,
- HMODULE base_address);
-
- DISALLOW_IMPLICIT_CONSTRUCTORS(TargetProcess);
-};
-
-// Creates a mock TargetProcess used for testing interceptions.
-// TODO(cpu): It seems that this method is not going to be used anymore.
-TargetProcess* MakeTestTargetProcess(HANDLE process, HMODULE base_address);
-
-
-} // namespace sandbox
-
-#endif // SANDBOX_WIN_SRC_TARGET_PROCESS_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.cc b/security/sandbox/chromium/sandbox/win/src/target_services.cc
deleted file mode 100644
index 7537245b6..000000000
--- a/security/sandbox/chromium/sandbox/win/src/target_services.cc
+++ /dev/null
@@ -1,261 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/target_services.h"
-
-#include <new>
-
-#include <process.h>
-#include <stdint.h>
-
-#include "base/win/windows_version.h"
-#include "sandbox/win/src/crosscall_client.h"
-#include "sandbox/win/src/handle_closer_agent.h"
-#include "sandbox/win/src/handle_interception.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/process_mitigations.h"
-#include "sandbox/win/src/restricted_token_utils.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-#include "sandbox/win/src/sandbox_types.h"
-#include "sandbox/win/src/sharedmem_ipc_client.h"
-
-namespace {
-
-// Flushing a cached key is triggered by just opening the key and closing the
-// resulting handle. RegDisablePredefinedCache() is the documented way to flush
-// HKCU so do not use it with this function.
-bool FlushRegKey(HKEY root) {
- HKEY key;
- if (ERROR_SUCCESS == ::RegOpenKeyExW(root, NULL, 0, MAXIMUM_ALLOWED, &key)) {
- if (ERROR_SUCCESS != ::RegCloseKey(key))
- return false;
- }
- return true;
-}
-
-// This function forces advapi32.dll to release some internally cached handles
-// that were made during calls to RegOpenkey and RegOpenKeyEx if it is called
-// with a more restrictive token. Returns true if the flushing is succesful
-// although this behavior is undocumented and there is no guarantee that in
-// fact this will happen in future versions of windows.
-bool FlushCachedRegHandles() {
- return (FlushRegKey(HKEY_LOCAL_MACHINE) &&
- FlushRegKey(HKEY_CLASSES_ROOT) &&
- FlushRegKey(HKEY_USERS));
-}
-
-// Checks if we have handle entries pending and runs the closer.
-// Updates is_csrss_connected based on which handle types are closed.
-bool CloseOpenHandles(bool* is_csrss_connected) {
- if (sandbox::HandleCloserAgent::NeedsHandlesClosed()) {
- sandbox::HandleCloserAgent handle_closer;
- handle_closer.InitializeHandlesToClose(is_csrss_connected);
- if (!handle_closer.CloseHandles())
- return false;
- }
-
- return true;
-}
-
-// GetUserDefaultLocaleName is not available on WIN XP. So we'll
-// load it on-the-fly.
-const wchar_t kKernel32DllName[] = L"kernel32.dll";
-typedef decltype(GetUserDefaultLocaleName)* GetUserDefaultLocaleNameFunction;
-
-// Warm up language subsystems before the sandbox is turned on.
-// Tested on Win8.1 x64:
-// This needs to happen after RevertToSelf() is called, because (at least) in
-// the case of GetUserDefaultLCID() it checks the TEB to see if the process is
-// impersonating (TEB!IsImpersonating). If it is, the cached locale information
-// is not used, nor is it set. Therefore, calls after RevertToSelf() will not
-// have warmed-up values to use.
-bool WarmupWindowsLocales() {
- // NOTE(liamjm): When last checked (Win 8.1 x64) it wasn't necessary to
- // warmup all of these functions, but let's not assume that.
- ::GetUserDefaultLangID();
- ::GetUserDefaultLCID();
- if (base::win::GetVersion() >= base::win::VERSION_VISTA) {
- static GetUserDefaultLocaleNameFunction GetUserDefaultLocaleName_func =
- NULL;
- if (!GetUserDefaultLocaleName_func) {
- HMODULE kernel32_dll = ::GetModuleHandle(kKernel32DllName);
- if (!kernel32_dll) {
- return false;
- }
- GetUserDefaultLocaleName_func =
- reinterpret_cast<GetUserDefaultLocaleNameFunction>(
- GetProcAddress(kernel32_dll, "GetUserDefaultLocaleName"));
- if (!GetUserDefaultLocaleName_func) {
- return false;
- }
- }
- wchar_t localeName[LOCALE_NAME_MAX_LENGTH] = {0};
- return (0 != GetUserDefaultLocaleName_func(
- localeName, LOCALE_NAME_MAX_LENGTH * sizeof(wchar_t)));
- }
- return true;
-}
-
-// Used as storage for g_target_services, because other allocation facilities
-// are not available early. We can't use a regular function static because on
-// VS2015, because the CRT tries to acquire a lock to guard initialization, but
-// this code runs before the CRT is initialized.
-char g_target_services_memory[sizeof(sandbox::TargetServicesBase)];
-sandbox::TargetServicesBase* g_target_services = nullptr;
-
-} // namespace
-
-namespace sandbox {
-
-SANDBOX_INTERCEPT IntegrityLevel g_shared_delayed_integrity_level =
- INTEGRITY_LEVEL_LAST;
-SANDBOX_INTERCEPT MitigationFlags g_shared_delayed_mitigations = 0;
-
-TargetServicesBase::TargetServicesBase() {
-}
-
-ResultCode TargetServicesBase::Init() {
- process_state_.SetInitCalled();
- return SBOX_ALL_OK;
-}
-
-// Failure here is a breach of security so the process is terminated.
-void TargetServicesBase::LowerToken() {
- if (ERROR_SUCCESS !=
- SetProcessIntegrityLevel(g_shared_delayed_integrity_level))
- ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_INTEGRITY);
- process_state_.SetRevertedToSelf();
- // If the client code as called RegOpenKey, advapi32.dll has cached some
- // handles. The following code gets rid of them.
- if (!::RevertToSelf())
- ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_DROPTOKEN);
- if (!FlushCachedRegHandles())
- ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_FLUSHANDLES);
- if (ERROR_SUCCESS != ::RegDisablePredefinedCache())
- ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CACHEDISABLE);
- if (!WarmupWindowsLocales())
- ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_WARMUP);
- bool is_csrss_connected = true;
- if (!CloseOpenHandles(&is_csrss_connected))
- ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_CLOSEHANDLES);
- process_state_.SetCsrssConnected(is_csrss_connected);
- // Enabling mitigations must happen last otherwise handle closing breaks
- if (g_shared_delayed_mitigations &&
- !ApplyProcessMitigationsToCurrentProcess(g_shared_delayed_mitigations))
- ::TerminateProcess(::GetCurrentProcess(), SBOX_FATAL_MITIGATION);
-}
-
-ProcessState* TargetServicesBase::GetState() {
- return &process_state_;
-}
-
-TargetServicesBase* TargetServicesBase::GetInstance() {
- // Leak on purpose TargetServicesBase.
- if (!g_target_services)
- g_target_services = new (g_target_services_memory) TargetServicesBase;
- return g_target_services;
-}
-
-// The broker services a 'test' IPC service with the IPC_PING_TAG tag.
-bool TargetServicesBase::TestIPCPing(int version) {
- void* memory = GetGlobalIPCMemory();
- if (NULL == memory) {
- return false;
- }
- SharedMemIPCClient ipc(memory);
- CrossCallReturn answer = {0};
-
- if (1 == version) {
- uint32_t tick1 = ::GetTickCount();
- uint32_t cookie = 717115;
- ResultCode code = CrossCall(ipc, IPC_PING1_TAG, cookie, &answer);
-
- if (SBOX_ALL_OK != code) {
- return false;
- }
- // We should get two extended returns values from the IPC, one is the
- // tick count on the broker and the other is the cookie times two.
- if ((answer.extended_count != 2)) {
- return false;
- }
- // We test the first extended answer to be within the bounds of the tick
- // count only if there was no tick count wraparound.
- uint32_t tick2 = ::GetTickCount();
- if (tick2 >= tick1) {
- if ((answer.extended[0].unsigned_int < tick1) ||
- (answer.extended[0].unsigned_int > tick2)) {
- return false;
- }
- }
-
- if (answer.extended[1].unsigned_int != cookie * 2) {
- return false;
- }
- } else if (2 == version) {
- uint32_t cookie = 717111;
- InOutCountedBuffer counted_buffer(&cookie, sizeof(cookie));
- ResultCode code = CrossCall(ipc, IPC_PING2_TAG, counted_buffer, &answer);
-
- if (SBOX_ALL_OK != code) {
- return false;
- }
- if (cookie != 717111 * 3) {
- return false;
- }
- } else {
- return false;
- }
- return true;
-}
-
-ProcessState::ProcessState() : process_state_(0), csrss_connected_(true) {
-}
-
-bool ProcessState::IsKernel32Loaded() const {
- return process_state_ != 0;
-}
-
-bool ProcessState::InitCalled() const {
- return process_state_ > 1;
-}
-
-bool ProcessState::RevertedToSelf() const {
- return process_state_ > 2;
-}
-
-bool ProcessState::IsCsrssConnected() const {
- return csrss_connected_;
-}
-
-void ProcessState::SetKernel32Loaded() {
- if (!process_state_)
- process_state_ = 1;
-}
-
-void ProcessState::SetInitCalled() {
- if (process_state_ < 2)
- process_state_ = 2;
-}
-
-void ProcessState::SetRevertedToSelf() {
- if (process_state_ < 3)
- process_state_ = 3;
-}
-
-void ProcessState::SetCsrssConnected(bool csrss_connected) {
- csrss_connected_ = csrss_connected;
-}
-
-
-ResultCode TargetServicesBase::DuplicateHandle(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) {
- return sandbox::DuplicateHandleProxy(source_handle, target_process_id,
- target_handle, desired_access, options);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/target_services.h b/security/sandbox/chromium/sandbox/win/src/target_services.h
deleted file mode 100644
index 37169485d..000000000
--- a/security/sandbox/chromium/sandbox/win/src/target_services.h
+++ /dev/null
@@ -1,71 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_TARGET_SERVICES_H__
-#define SANDBOX_SRC_TARGET_SERVICES_H__
-
-#include "base/macros.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/win_utils.h"
-
-namespace sandbox {
-
-class ProcessState {
- public:
- ProcessState();
- // Returns true if kernel32.dll has been loaded.
- bool IsKernel32Loaded() const;
- // Returns true if main has been called.
- bool InitCalled() const;
- // Returns true if LowerToken has been called.
- bool RevertedToSelf() const;
- // Returns true if Csrss is connected.
- bool IsCsrssConnected() const;
- // Set the current state.
- void SetKernel32Loaded();
- void SetInitCalled();
- void SetRevertedToSelf();
- void SetCsrssConnected(bool csrss_connected);
-
- private:
- int process_state_;
- bool csrss_connected_;
- DISALLOW_COPY_AND_ASSIGN(ProcessState);
-};
-
-// This class is an implementation of the TargetServices.
-// Look in the documentation of sandbox::TargetServices for more info.
-// Do NOT add a destructor to this class without changing the implementation of
-// the factory method.
-class TargetServicesBase : public TargetServices {
- public:
- TargetServicesBase();
-
- // Public interface of TargetServices.
- ResultCode Init() override;
- void LowerToken() override;
- ProcessState* GetState() override;
- ResultCode DuplicateHandle(HANDLE source_handle,
- DWORD target_process_id,
- HANDLE* target_handle,
- DWORD desired_access,
- DWORD options) override;
-
- // Factory method.
- static TargetServicesBase* GetInstance();
-
- // Sends a simple IPC Message that has a well-known answer. Returns true
- // if the IPC was successful and false otherwise. There are 2 versions of
- // this test: 1 and 2. The first one send a simple message while the
- // second one send a message with an in/out param.
- bool TestIPCPing(int version);
-
- private:
- ProcessState process_state_;
- DISALLOW_COPY_AND_ASSIGN(TargetServicesBase);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_TARGET_SERVICES_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/threadpool_unittest.cc b/security/sandbox/chromium/sandbox/win/src/threadpool_unittest.cc
deleted file mode 100644
index d32fdda5b..000000000
--- a/security/sandbox/chromium/sandbox/win/src/threadpool_unittest.cc
+++ /dev/null
@@ -1,97 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <stdint.h>
-
-#include "sandbox/win/src/win2k_threadpool.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-void __stdcall EmptyCallBack(void*, unsigned char) {
-}
-
-void __stdcall TestCallBack(void* context, unsigned char) {
- HANDLE event = reinterpret_cast<HANDLE>(context);
- ::SetEvent(event);
-}
-
-namespace sandbox {
-
-// Test that register and unregister work, part 1.
-TEST(IPCTest, ThreadPoolRegisterTest1) {
- Win2kThreadPool thread_pool;
-
- EXPECT_EQ(0u, thread_pool.OutstandingWaits());
-
- HANDLE event1 = ::CreateEventW(NULL, FALSE, FALSE, NULL);
- HANDLE event2 = ::CreateEventW(NULL, FALSE, FALSE, NULL);
-
- uint32_t context = 0;
- EXPECT_FALSE(thread_pool.RegisterWait(0, event1, EmptyCallBack, &context));
- EXPECT_EQ(0u, thread_pool.OutstandingWaits());
-
- EXPECT_TRUE(thread_pool.RegisterWait(this, event1, EmptyCallBack, &context));
- EXPECT_EQ(1u, thread_pool.OutstandingWaits());
- EXPECT_TRUE(thread_pool.RegisterWait(this, event2, EmptyCallBack, &context));
- EXPECT_EQ(2u, thread_pool.OutstandingWaits());
-
- EXPECT_TRUE(thread_pool.UnRegisterWaits(this));
- EXPECT_EQ(0u, thread_pool.OutstandingWaits());
-
- EXPECT_EQ(TRUE, ::CloseHandle(event1));
- EXPECT_EQ(TRUE, ::CloseHandle(event2));
-}
-
-// Test that register and unregister work, part 2.
-TEST(IPCTest, ThreadPoolRegisterTest2) {
- Win2kThreadPool thread_pool;
-
- HANDLE event1 = ::CreateEventW(NULL, FALSE, FALSE, NULL);
- HANDLE event2 = ::CreateEventW(NULL, FALSE, FALSE, NULL);
-
- uint32_t context = 0;
- uint32_t c1 = 0;
- uint32_t c2 = 0;
-
- EXPECT_TRUE(thread_pool.RegisterWait(&c1, event1, EmptyCallBack, &context));
- EXPECT_EQ(1u, thread_pool.OutstandingWaits());
- EXPECT_TRUE(thread_pool.RegisterWait(&c2, event2, EmptyCallBack, &context));
- EXPECT_EQ(2u, thread_pool.OutstandingWaits());
-
- EXPECT_TRUE(thread_pool.UnRegisterWaits(&c2));
- EXPECT_EQ(1u, thread_pool.OutstandingWaits());
- EXPECT_TRUE(thread_pool.UnRegisterWaits(&c2));
- EXPECT_EQ(1u, thread_pool.OutstandingWaits());
-
- EXPECT_TRUE(thread_pool.UnRegisterWaits(&c1));
- EXPECT_EQ(0u, thread_pool.OutstandingWaits());
-
- EXPECT_EQ(TRUE, ::CloseHandle(event1));
- EXPECT_EQ(TRUE, ::CloseHandle(event2));
-}
-
-// Test that the thread pool has at least a thread that services an event.
-// Test that when the event is un-registered is no longer serviced.
-TEST(IPCTest, ThreadPoolSignalAndWaitTest) {
- Win2kThreadPool thread_pool;
-
- // The events are auto reset and start not signaled.
- HANDLE event1 = ::CreateEventW(NULL, FALSE, FALSE, NULL);
- HANDLE event2 = ::CreateEventW(NULL, FALSE, FALSE, NULL);
-
- EXPECT_TRUE(thread_pool.RegisterWait(this, event1, TestCallBack, event2));
-
- EXPECT_EQ(WAIT_OBJECT_0, ::SignalObjectAndWait(event1, event2, 5000, FALSE));
- EXPECT_EQ(WAIT_OBJECT_0, ::SignalObjectAndWait(event1, event2, 5000, FALSE));
-
- EXPECT_TRUE(thread_pool.UnRegisterWaits(this));
- EXPECT_EQ(0u, thread_pool.OutstandingWaits());
-
- EXPECT_EQ(static_cast<DWORD>(WAIT_TIMEOUT),
- ::SignalObjectAndWait(event1, event2, 1000, FALSE));
-
- EXPECT_EQ(TRUE, ::CloseHandle(event1));
- EXPECT_EQ(TRUE, ::CloseHandle(event2));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc
deleted file mode 100644
index e6e224b4d..000000000
--- a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.cc
+++ /dev/null
@@ -1,146 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/top_level_dispatcher.h"
-
-#include <stdint.h>
-#include <string.h>
-
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/filesystem_dispatcher.h"
-#include "sandbox/win/src/handle_dispatcher.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/internal_types.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/named_pipe_dispatcher.h"
-#include "sandbox/win/src/process_mitigations_win32k_dispatcher.h"
-#include "sandbox/win/src/process_thread_dispatcher.h"
-#include "sandbox/win/src/registry_dispatcher.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-#include "sandbox/win/src/sync_dispatcher.h"
-
-namespace sandbox {
-
-TopLevelDispatcher::TopLevelDispatcher(PolicyBase* policy) : policy_(policy) {
- // Initialize the IPC dispatcher array.
- memset(ipc_targets_, 0, sizeof(ipc_targets_));
- Dispatcher* dispatcher;
-
- dispatcher = new FilesystemDispatcher(policy_);
- ipc_targets_[IPC_NTCREATEFILE_TAG] = dispatcher;
- ipc_targets_[IPC_NTOPENFILE_TAG] = dispatcher;
- ipc_targets_[IPC_NTSETINFO_RENAME_TAG] = dispatcher;
- ipc_targets_[IPC_NTQUERYATTRIBUTESFILE_TAG] = dispatcher;
- ipc_targets_[IPC_NTQUERYFULLATTRIBUTESFILE_TAG] = dispatcher;
- filesystem_dispatcher_.reset(dispatcher);
-
- dispatcher = new NamedPipeDispatcher(policy_);
- ipc_targets_[IPC_CREATENAMEDPIPEW_TAG] = dispatcher;
- named_pipe_dispatcher_.reset(dispatcher);
-
- dispatcher = new ThreadProcessDispatcher(policy_);
- ipc_targets_[IPC_NTOPENTHREAD_TAG] = dispatcher;
- ipc_targets_[IPC_NTOPENPROCESS_TAG] = dispatcher;
- ipc_targets_[IPC_CREATEPROCESSW_TAG] = dispatcher;
- ipc_targets_[IPC_NTOPENPROCESSTOKEN_TAG] = dispatcher;
- ipc_targets_[IPC_NTOPENPROCESSTOKENEX_TAG] = dispatcher;
- thread_process_dispatcher_.reset(dispatcher);
-
- dispatcher = new SyncDispatcher(policy_);
- ipc_targets_[IPC_CREATEEVENT_TAG] = dispatcher;
- ipc_targets_[IPC_OPENEVENT_TAG] = dispatcher;
- sync_dispatcher_.reset(dispatcher);
-
- dispatcher = new RegistryDispatcher(policy_);
- ipc_targets_[IPC_NTCREATEKEY_TAG] = dispatcher;
- ipc_targets_[IPC_NTOPENKEY_TAG] = dispatcher;
- registry_dispatcher_.reset(dispatcher);
-
- dispatcher = new HandleDispatcher(policy_);
- ipc_targets_[IPC_DUPLICATEHANDLEPROXY_TAG] = dispatcher;
- handle_dispatcher_.reset(dispatcher);
-
- dispatcher = new ProcessMitigationsWin32KDispatcher(policy_);
- ipc_targets_[IPC_GDI_GDIDLLINITIALIZE_TAG] = dispatcher;
- ipc_targets_[IPC_GDI_GETSTOCKOBJECT_TAG] = dispatcher;
- ipc_targets_[IPC_USER_REGISTERCLASSW_TAG] = dispatcher;
- process_mitigations_win32k_dispatcher_.reset(dispatcher);
-}
-
-TopLevelDispatcher::~TopLevelDispatcher() {}
-
-// When an IPC is ready in any of the targets we get called. We manage an array
-// of IPC dispatchers which are keyed on the IPC tag so we normally delegate
-// to the appropriate dispatcher unless we can handle the IPC call ourselves.
-Dispatcher* TopLevelDispatcher::OnMessageReady(IPCParams* ipc,
- CallbackGeneric* callback) {
- DCHECK(callback);
- static const IPCParams ping1 = {IPC_PING1_TAG, {UINT32_TYPE}};
- static const IPCParams ping2 = {IPC_PING2_TAG, {INOUTPTR_TYPE}};
-
- if (ping1.Matches(ipc) || ping2.Matches(ipc)) {
- *callback = reinterpret_cast<CallbackGeneric>(
- static_cast<Callback1>(&TopLevelDispatcher::Ping));
- return this;
- }
-
- Dispatcher* dispatcher = GetDispatcher(ipc->ipc_tag);
- if (!dispatcher) {
- NOTREACHED();
- return NULL;
- }
- return dispatcher->OnMessageReady(ipc, callback);
-}
-
-// Delegate to the appropriate dispatcher.
-bool TopLevelDispatcher::SetupService(InterceptionManager* manager,
- int service) {
- if (IPC_PING1_TAG == service || IPC_PING2_TAG == service)
- return true;
-
- Dispatcher* dispatcher = GetDispatcher(service);
- if (!dispatcher) {
- NOTREACHED();
- return false;
- }
- return dispatcher->SetupService(manager, service);
-}
-
-// We service IPC_PING_TAG message which is a way to test a round trip of the
-// IPC subsystem. We receive a integer cookie and we are expected to return the
-// cookie times two (or three) and the current tick count.
-bool TopLevelDispatcher::Ping(IPCInfo* ipc, void* arg1) {
- switch (ipc->ipc_tag) {
- case IPC_PING1_TAG: {
- IPCInt ipc_int(arg1);
- uint32_t cookie = ipc_int.As32Bit();
- ipc->return_info.extended_count = 2;
- ipc->return_info.extended[0].unsigned_int = ::GetTickCount();
- ipc->return_info.extended[1].unsigned_int = 2 * cookie;
- return true;
- }
- case IPC_PING2_TAG: {
- CountedBuffer* io_buffer = reinterpret_cast<CountedBuffer*>(arg1);
- if (sizeof(uint32_t) != io_buffer->Size())
- return false;
-
- uint32_t* cookie = reinterpret_cast<uint32_t*>(io_buffer->Buffer());
- *cookie = (*cookie) * 3;
- return true;
- }
- default:
- return false;
- }
-}
-
-Dispatcher* TopLevelDispatcher::GetDispatcher(int ipc_tag) {
- if (ipc_tag >= IPC_LAST_TAG || ipc_tag <= IPC_UNUSED_TAG)
- return NULL;
-
- return ipc_targets_[ipc_tag];
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.h b/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.h
deleted file mode 100644
index c9306de1c..000000000
--- a/security/sandbox/chromium/sandbox/win/src/top_level_dispatcher.h
+++ /dev/null
@@ -1,51 +0,0 @@
-// Copyright 2015 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_TOP_LEVEL_DISPATCHER_H__
-#define SANDBOX_SRC_TOP_LEVEL_DISPATCHER_H__
-
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/src/crosscall_server.h"
-#include "sandbox/win/src/interception.h"
-#include "sandbox/win/src/ipc_tags.h"
-#include "sandbox/win/src/sandbox_policy_base.h"
-
-namespace sandbox {
-
-// Top level dispatcher which hands requests to the appropriate service
-// dispatchers.
-class TopLevelDispatcher : public Dispatcher {
- public:
- // |policy| must outlive this class.
- explicit TopLevelDispatcher(PolicyBase* policy);
- ~TopLevelDispatcher() override;
-
- Dispatcher* OnMessageReady(IPCParams* ipc,
- CallbackGeneric* callback) override;
- bool SetupService(InterceptionManager* manager, int service) override;
-
- private:
- // Test IPC provider.
- bool Ping(IPCInfo* ipc, void* cookie);
-
- // Returns a dispatcher from ipc_targets_.
- Dispatcher* GetDispatcher(int ipc_tag);
-
- PolicyBase* policy_;
- scoped_ptr<Dispatcher> filesystem_dispatcher_;
- scoped_ptr<Dispatcher> named_pipe_dispatcher_;
- scoped_ptr<Dispatcher> thread_process_dispatcher_;
- scoped_ptr<Dispatcher> sync_dispatcher_;
- scoped_ptr<Dispatcher> registry_dispatcher_;
- scoped_ptr<Dispatcher> handle_dispatcher_;
- scoped_ptr<Dispatcher> process_mitigations_win32k_dispatcher_;
- Dispatcher* ipc_targets_[IPC_LAST_TAG];
-
- DISALLOW_COPY_AND_ASSIGN(TopLevelDispatcher);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_TOP_LEVEL_DISPATCHER_H__
diff --git a/security/sandbox/chromium/sandbox/win/src/unload_dll_test.cc b/security/sandbox/chromium/sandbox/win/src/unload_dll_test.cc
deleted file mode 100644
index 7e398f686..000000000
--- a/security/sandbox/chromium/sandbox/win/src/unload_dll_test.cc
+++ /dev/null
@@ -1,93 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/sandbox_factory.h"
-#include "sandbox/win/src/target_services.h"
-#include "sandbox/win/tests/common/controller.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace sandbox {
-
-// Loads and or unloads a DLL passed in the second parameter of argv.
-// The first parameter of argv is 'L' = load, 'U' = unload or 'B' for both.
-SBOX_TESTS_COMMAND int UseOneDLL(int argc, wchar_t **argv) {
- if (argc != 2)
- return SBOX_TEST_FAILED_TO_RUN_TEST;
- int rv = SBOX_TEST_FAILED_TO_RUN_TEST;
-
- wchar_t option = (argv[0])[0];
- if ((option == L'L') || (option == L'B')) {
- HMODULE module1 = ::LoadLibraryW(argv[1]);
- rv = (module1 == NULL) ? SBOX_TEST_FAILED : SBOX_TEST_SUCCEEDED;
- }
-
- if ((option == L'U') || (option == L'B')) {
- HMODULE module2 = ::GetModuleHandleW(argv[1]);
- rv = ::FreeLibrary(module2) ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FAILED;
- }
- return rv;
-}
-
-// Opens an event passed as the first parameter of argv.
-SBOX_TESTS_COMMAND int SimpleOpenEvent(int argc, wchar_t **argv) {
- if (argc != 1)
- return SBOX_TEST_FAILED_TO_EXECUTE_COMMAND;
-
- base::win::ScopedHandle event_open(::OpenEvent(SYNCHRONIZE, FALSE, argv[0]));
- return event_open.Get() ? SBOX_TEST_SUCCEEDED : SBOX_TEST_FAILED;
-}
-
-TEST(UnloadDllTest, BaselineAvicapDll) {
- TestRunner runner;
- runner.SetTestState(BEFORE_REVERT);
- runner.SetTimeout(2000);
- // Add a sync rule, because that ensures that the interception agent has
- // more than one item in its internal table.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_SYNC,
- TargetPolicy::EVENTS_ALLOW_ANY, L"t0001"));
-
- // Note for the puzzled: avicap32.dll is a 64-bit dll in 64-bit versions of
- // windows so this test and the others just work.
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"UseOneDLL L avicap32.dll"));
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"UseOneDLL B avicap32.dll"));
-}
-
-TEST(UnloadDllTest, UnloadAviCapDllNoPatching) {
- TestRunner runner;
- runner.SetTestState(BEFORE_REVERT);
- runner.SetTimeout(2000);
- sandbox::TargetPolicy* policy = runner.GetPolicy();
- policy->AddDllToUnload(L"avicap32.dll");
- EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(L"UseOneDLL L avicap32.dll"));
- EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(L"UseOneDLL B avicap32.dll"));
-}
-
-TEST(UnloadDllTest, UnloadAviCapDllWithPatching) {
- TestRunner runner;
- runner.SetTimeout(2000);
- runner.SetTestState(BEFORE_REVERT);
- sandbox::TargetPolicy* policy = runner.GetPolicy();
- policy->AddDllToUnload(L"avicap32.dll");
-
- base::win::ScopedHandle handle1(::CreateEvent(
- NULL, FALSE, FALSE, L"tst0001"));
-
- // Add a couple of rules that ensures that the interception agent add EAT
- // patching on the client which makes sure that the unload dll record does
- // not interact badly with them.
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_REGISTRY,
- TargetPolicy::REG_ALLOW_ANY,
- L"HKEY_LOCAL_MACHINE\\Software\\Microsoft"));
- EXPECT_TRUE(runner.AddRule(TargetPolicy::SUBSYS_SYNC,
- TargetPolicy::EVENTS_ALLOW_ANY, L"tst0001"));
-
- EXPECT_EQ(SBOX_TEST_FAILED, runner.RunTest(L"UseOneDLL L avicap32.dll"));
-
- runner.SetTestState(AFTER_REVERT);
- EXPECT_EQ(SBOX_TEST_SUCCEEDED, runner.RunTest(L"SimpleOpenEvent tst0001"));
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/win2k_threadpool.cc b/security/sandbox/chromium/sandbox/win/src/win2k_threadpool.cc
deleted file mode 100644
index 35de38a0f..000000000
--- a/security/sandbox/chromium/sandbox/win/src/win2k_threadpool.cc
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/win2k_threadpool.h"
-
-#include <stddef.h>
-
-#include "sandbox/win/src/win_utils.h"
-
-namespace sandbox {
-
-Win2kThreadPool::Win2kThreadPool() {
- ::InitializeCriticalSection(&lock_);
-}
-
-bool Win2kThreadPool::RegisterWait(const void* cookie, HANDLE waitable_object,
- CrossCallIPCCallback callback,
- void* context) {
- if (0 == cookie) {
- return false;
- }
- HANDLE pool_object = NULL;
- // create a wait for a kernel object, with no timeout
- if (!::RegisterWaitForSingleObject(&pool_object, waitable_object, callback,
- context, INFINITE, WT_EXECUTEDEFAULT)) {
- return false;
- }
- PoolObject pool_obj = {cookie, pool_object};
- AutoLock lock(&lock_);
- pool_objects_.push_back(pool_obj);
- return true;
-}
-
-bool Win2kThreadPool::UnRegisterWaits(void* cookie) {
- if (0 == cookie) {
- return false;
- }
- AutoLock lock(&lock_);
- bool success = true;
- PoolObjects::iterator it = pool_objects_.begin();
- while (it != pool_objects_.end()) {
- if (it->cookie == cookie) {
- HANDLE wait = it->wait;
- it = pool_objects_.erase(it);
- success &= (::UnregisterWaitEx(wait, INVALID_HANDLE_VALUE) != 0);
- } else {
- ++it;
- }
- }
- return success;
-}
-
-size_t Win2kThreadPool::OutstandingWaits() {
- AutoLock lock(&lock_);
- return pool_objects_.size();
-}
-
-Win2kThreadPool::~Win2kThreadPool() {
- // Here we used to unregister all the pool wait handles. Now, following the
- // rest of the code we avoid lengthy or blocking calls given that the process
- // is being torn down.
- ::DeleteCriticalSection(&lock_);
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/win2k_threadpool.h b/security/sandbox/chromium/sandbox/win/src/win2k_threadpool.h
deleted file mode 100644
index c4d539dd7..000000000
--- a/security/sandbox/chromium/sandbox/win/src/win2k_threadpool.h
+++ /dev/null
@@ -1,61 +0,0 @@
-// Copyright (c) 2012 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_WIN2K_THREADPOOL_H_
-#define SANDBOX_SRC_WIN2K_THREADPOOL_H_
-
-#include <stddef.h>
-
-#include <algorithm>
-#include <list>
-#include "base/macros.h"
-#include "sandbox/win/src/crosscall_server.h"
-
-namespace sandbox {
-
-// Win2kThreadPool a simple implementation of a thread provider as required
-// for the sandbox IPC subsystem. See sandbox\crosscall_server.h for the details
-// and requirements of this interface.
-//
-// Implementing the thread provider as a thread pool is desirable in the case
-// of shared memory IPC because it can generate a large number of waitable
-// events: as many as channels. A thread pool does not create a thread per
-// event, instead maintains a few idle threads but can create more if the need
-// arises.
-//
-// This implementation simply thunks to the nice thread pool API of win2k.
-class Win2kThreadPool : public ThreadProvider {
- public:
- Win2kThreadPool();
- ~Win2kThreadPool() override;
-
- bool RegisterWait(const void* cookie,
- HANDLE waitable_object,
- CrossCallIPCCallback callback,
- void* context) override;
-
- bool UnRegisterWaits(void* cookie) override;
-
- // Returns the total number of wait objects associated with
- // the thread pool.
- size_t OutstandingWaits();
-
- private:
- // record to keep track of a wait and its associated cookie.
- struct PoolObject {
- const void* cookie;
- HANDLE wait;
- };
- // The list of pool wait objects.
- typedef std::list<PoolObject> PoolObjects;
- PoolObjects pool_objects_;
- // This lock protects the list of pool wait objects.
- CRITICAL_SECTION lock_;
-
- DISALLOW_COPY_AND_ASSIGN(Win2kThreadPool);
-};
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_WIN2K_THREADPOOL_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.cc b/security/sandbox/chromium/sandbox/win/src/win_utils.cc
deleted file mode 100644
index 1e4675f8e..000000000
--- a/security/sandbox/chromium/sandbox/win/src/win_utils.cc
+++ /dev/null
@@ -1,437 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/win_utils.h"
-
-#include <stddef.h>
-
-#include <map>
-
-#include "base/macros.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/strings/string_util.h"
-#include "base/win/pe_image.h"
-#include "sandbox/win/src/internal_types.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/sandbox_nt_util.h"
-
-namespace {
-
-// Holds the information about a known registry key.
-struct KnownReservedKey {
- const wchar_t* name;
- HKEY key;
-};
-
-// Contains all the known registry key by name and by handle.
-const KnownReservedKey kKnownKey[] = {
- { L"HKEY_CLASSES_ROOT", HKEY_CLASSES_ROOT },
- { L"HKEY_CURRENT_USER", HKEY_CURRENT_USER },
- { L"HKEY_LOCAL_MACHINE", HKEY_LOCAL_MACHINE},
- { L"HKEY_USERS", HKEY_USERS},
- { L"HKEY_PERFORMANCE_DATA", HKEY_PERFORMANCE_DATA},
- { L"HKEY_PERFORMANCE_TEXT", HKEY_PERFORMANCE_TEXT},
- { L"HKEY_PERFORMANCE_NLSTEXT", HKEY_PERFORMANCE_NLSTEXT},
- { L"HKEY_CURRENT_CONFIG", HKEY_CURRENT_CONFIG},
- { L"HKEY_DYN_DATA", HKEY_DYN_DATA}
-};
-
-// These functions perform case independent path comparisons.
-bool EqualPath(const base::string16& first, const base::string16& second) {
- return _wcsicmp(first.c_str(), second.c_str()) == 0;
-}
-
-bool EqualPath(const base::string16& first, size_t first_offset,
- const base::string16& second, size_t second_offset) {
- return _wcsicmp(first.c_str() + first_offset,
- second.c_str() + second_offset) == 0;
-}
-
-bool EqualPath(const base::string16& first,
- const wchar_t* second, size_t second_len) {
- return _wcsnicmp(first.c_str(), second, second_len) == 0;
-}
-
-bool EqualPath(const base::string16& first, size_t first_offset,
- const wchar_t* second, size_t second_len) {
- return _wcsnicmp(first.c_str() + first_offset, second, second_len) == 0;
-}
-
-// Returns true if |path| starts with "\??\" and returns a path without that
-// component.
-bool IsNTPath(const base::string16& path, base::string16* trimmed_path ) {
- if ((path.size() < sandbox::kNTPrefixLen) ||
- (0 != path.compare(0, sandbox::kNTPrefixLen, sandbox::kNTPrefix))) {
- *trimmed_path = path;
- return false;
- }
-
- *trimmed_path = path.substr(sandbox::kNTPrefixLen);
- return true;
-}
-
-// Returns true if |path| starts with "\Device\" and returns a path without that
-// component.
-bool IsDevicePath(const base::string16& path, base::string16* trimmed_path ) {
- if ((path.size() < sandbox::kNTDevicePrefixLen) ||
- (!EqualPath(path, sandbox::kNTDevicePrefix,
- sandbox::kNTDevicePrefixLen))) {
- *trimmed_path = path;
- return false;
- }
-
- *trimmed_path = path.substr(sandbox::kNTDevicePrefixLen);
- return true;
-}
-
-bool StartsWithDriveLetter(const base::string16& path) {
- if (path.size() < 3)
- return false;
-
- if (path[1] != L':' || path[2] != L'\\')
- return false;
-
- return (path[0] >= 'a' && path[0] <= 'z') ||
- (path[0] >= 'A' && path[0] <= 'Z');
-}
-
-const wchar_t kNTDotPrefix[] = L"\\\\.\\";
-const size_t kNTDotPrefixLen = arraysize(kNTDotPrefix) - 1;
-
-// Removes "\\\\.\\" from the path.
-void RemoveImpliedDevice(base::string16* path) {
- if (0 == path->compare(0, kNTDotPrefixLen, kNTDotPrefix))
- *path = path->substr(kNTDotPrefixLen);
-}
-
-} // namespace
-
-namespace sandbox {
-
-// Returns true if the provided path points to a pipe.
-bool IsPipe(const base::string16& path) {
- size_t start = 0;
- if (0 == path.compare(0, sandbox::kNTPrefixLen, sandbox::kNTPrefix))
- start = sandbox::kNTPrefixLen;
-
- const wchar_t kPipe[] = L"pipe\\";
- if (path.size() < start + arraysize(kPipe) - 1)
- return false;
-
- return EqualPath(path, start, kPipe, arraysize(kPipe) - 1);
-}
-
-HKEY GetReservedKeyFromName(const base::string16& name) {
- for (size_t i = 0; i < arraysize(kKnownKey); ++i) {
- if (name == kKnownKey[i].name)
- return kKnownKey[i].key;
- }
-
- return NULL;
-}
-
-bool ResolveRegistryName(base::string16 name, base::string16* resolved_name) {
- for (size_t i = 0; i < arraysize(kKnownKey); ++i) {
- if (name.find(kKnownKey[i].name) == 0) {
- HKEY key;
- DWORD disposition;
- if (ERROR_SUCCESS != ::RegCreateKeyEx(kKnownKey[i].key, L"", 0, NULL, 0,
- MAXIMUM_ALLOWED, NULL, &key,
- &disposition))
- return false;
-
- bool result = GetPathFromHandle(key, resolved_name);
- ::RegCloseKey(key);
-
- if (!result)
- return false;
-
- *resolved_name += name.substr(wcslen(kKnownKey[i].name));
- return true;
- }
- }
-
- return false;
-}
-
-// |full_path| can have any of the following forms:
-// \??\c:\some\foo\bar
-// \Device\HarddiskVolume0\some\foo\bar
-// \??\HarddiskVolume0\some\foo\bar
-// \??\UNC\SERVER\Share\some\foo\bar
-DWORD IsReparsePoint(const base::string16& full_path) {
- // Check if it's a pipe. We can't query the attributes of a pipe.
- if (IsPipe(full_path))
- return ERROR_NOT_A_REPARSE_POINT;
-
- base::string16 path;
- bool nt_path = IsNTPath(full_path, &path);
- bool has_drive = StartsWithDriveLetter(path);
- bool is_device_path = IsDevicePath(path, &path);
-
- if (!has_drive && !is_device_path && !nt_path)
- return ERROR_INVALID_NAME;
-
- if (!has_drive) {
- // Add Win32 device namespace prefix, required for some Windows APIs.
- path.insert(0, kNTDotPrefix);
- }
-
- // Ensure that volume path matches start of path.
- wchar_t vol_path[MAX_PATH];
- if (!::GetVolumePathNameW(path.c_str(), vol_path, MAX_PATH)) {
- // This will fail if this is a device that isn't volume related, which can't
- // then be a reparse point.
- return is_device_path ? ERROR_NOT_A_REPARSE_POINT : ERROR_INVALID_NAME;
- }
-
- // vol_path includes a trailing slash, so reduce size for path and loop check.
- size_t vol_path_len = wcslen(vol_path) - 1;
- if (!EqualPath(path, vol_path, vol_path_len)) {
- return ERROR_INVALID_NAME;
- }
-
- do {
- DWORD attributes = ::GetFileAttributes(path.c_str());
- if (INVALID_FILE_ATTRIBUTES == attributes) {
- DWORD error = ::GetLastError();
- if (error != ERROR_FILE_NOT_FOUND &&
- error != ERROR_PATH_NOT_FOUND &&
- error != ERROR_INVALID_FUNCTION &&
- error != ERROR_INVALID_NAME) {
- // Unexpected error.
- NOTREACHED_NT();
- return error;
- }
- } else if (FILE_ATTRIBUTE_REPARSE_POINT & attributes) {
- // This is a reparse point.
- return ERROR_SUCCESS;
- }
-
- path.resize(path.rfind(L'\\'));
- } while (path.size() > vol_path_len); // Skip root dir.
-
- return ERROR_NOT_A_REPARSE_POINT;
-}
-
-// We get a |full_path| of the forms accepted by IsReparsePoint(), and the name
-// we'll get from |handle| will be \device\harddiskvolume1\some\foo\bar.
-bool SameObject(HANDLE handle, const wchar_t* full_path) {
- // Check if it's a pipe.
- if (IsPipe(full_path))
- return true;
-
- base::string16 actual_path;
- if (!GetPathFromHandle(handle, &actual_path))
- return false;
-
- base::string16 path(full_path);
- DCHECK_NT(!path.empty());
-
- // This may end with a backslash.
- if (path.back() == L'\\') {
- path.pop_back();
- }
-
- // Perfect match (case-insensitive check).
- if (EqualPath(actual_path, path))
- return true;
-
- bool nt_path = IsNTPath(path, &path);
- bool has_drive = StartsWithDriveLetter(path);
-
- if (!has_drive && nt_path) {
- base::string16 simple_actual_path;
- if (IsDevicePath(path, &path)) {
- if (IsDevicePath(actual_path, &simple_actual_path)) {
- // Perfect match (case-insensitive check).
- return (EqualPath(simple_actual_path, path));
- } else {
- return false;
- }
- } else {
- // Add Win32 device namespace for GetVolumePathName.
- path.insert(0, kNTDotPrefix);
- }
- }
-
- // Get the volume path in the same format as actual_path.
- wchar_t vol_path[MAX_PATH];
- if (!::GetVolumePathName(path.c_str(), vol_path, MAX_PATH)) {
- return false;
- }
- size_t vol_path_len = wcslen(vol_path);
- base::string16 nt_vol;
- if (!GetNtPathFromWin32Path(vol_path, &nt_vol)) {
- return false;
- }
-
- // The two paths should be the same length.
- if (nt_vol.size() + path.size() - vol_path_len != actual_path.size()) {
- return false;
- }
-
- // Check the volume matches.
- if (!EqualPath(actual_path, nt_vol.c_str(), nt_vol.size())) {
- return false;
- }
-
- // Check the path after the volume matches.
- if (!EqualPath(actual_path, nt_vol.size(), path, vol_path_len)) {
- return false;
- }
-
- return true;
-}
-
-// Paths like \Device\HarddiskVolume0\some\foo\bar are assumed to be already
-// expanded.
-bool ConvertToLongPath(base::string16* path) {
- if (IsPipe(*path))
- return true;
-
- base::string16 temp_path;
- if (IsDevicePath(*path, &temp_path))
- return false;
-
- bool is_nt_path = IsNTPath(temp_path, &temp_path);
- bool added_implied_device = false;
- if (!StartsWithDriveLetter(temp_path) && is_nt_path) {
- temp_path = base::string16(kNTDotPrefix) + temp_path;
- added_implied_device = true;
- }
-
- DWORD size = MAX_PATH;
- scoped_ptr<wchar_t[]> long_path_buf(new wchar_t[size]);
-
- DWORD return_value = ::GetLongPathName(temp_path.c_str(), long_path_buf.get(),
- size);
- while (return_value >= size) {
- size *= 2;
- long_path_buf.reset(new wchar_t[size]);
- return_value = ::GetLongPathName(temp_path.c_str(), long_path_buf.get(),
- size);
- }
-
- DWORD last_error = ::GetLastError();
- if (0 == return_value && (ERROR_FILE_NOT_FOUND == last_error ||
- ERROR_PATH_NOT_FOUND == last_error ||
- ERROR_INVALID_NAME == last_error)) {
- // The file does not exist, but maybe a sub path needs to be expanded.
- base::string16::size_type last_slash = temp_path.rfind(L'\\');
- if (base::string16::npos == last_slash)
- return false;
-
- base::string16 begin = temp_path.substr(0, last_slash);
- base::string16 end = temp_path.substr(last_slash);
- if (!ConvertToLongPath(&begin))
- return false;
-
- // Ok, it worked. Let's reset the return value.
- temp_path = begin + end;
- return_value = 1;
- } else if (0 != return_value) {
- temp_path = long_path_buf.get();
- }
-
- if (return_value != 0) {
- if (added_implied_device)
- RemoveImpliedDevice(&temp_path);
-
- if (is_nt_path) {
- *path = kNTPrefix;
- *path += temp_path;
- } else {
- *path = temp_path;
- }
-
- return true;
- }
-
- return false;
-}
-
-bool GetPathFromHandle(HANDLE handle, base::string16* path) {
- NtQueryObjectFunction NtQueryObject = NULL;
- ResolveNTFunctionPtr("NtQueryObject", &NtQueryObject);
-
- OBJECT_NAME_INFORMATION initial_buffer;
- OBJECT_NAME_INFORMATION* name = &initial_buffer;
- ULONG size = sizeof(initial_buffer);
- // Query the name information a first time to get the size of the name.
- // Windows XP requires that the size of the buffer passed in here be != 0.
- NTSTATUS status = NtQueryObject(handle, ObjectNameInformation, name, size,
- &size);
-
- scoped_ptr<BYTE[]> name_ptr;
- if (size) {
- name_ptr.reset(new BYTE[size]);
- name = reinterpret_cast<OBJECT_NAME_INFORMATION*>(name_ptr.get());
-
- // Query the name information a second time to get the name of the
- // object referenced by the handle.
- status = NtQueryObject(handle, ObjectNameInformation, name, size, &size);
- }
-
- if (STATUS_SUCCESS != status)
- return false;
-
- path->assign(name->ObjectName.Buffer, name->ObjectName.Length /
- sizeof(name->ObjectName.Buffer[0]));
- return true;
-}
-
-bool GetNtPathFromWin32Path(const base::string16& path,
- base::string16* nt_path) {
- HANDLE file = ::CreateFileW(path.c_str(), 0,
- FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL,
- OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
- if (file == INVALID_HANDLE_VALUE)
- return false;
- bool rv = GetPathFromHandle(file, nt_path);
- ::CloseHandle(file);
- return rv;
-}
-
-bool WriteProtectedChildMemory(HANDLE child_process, void* address,
- const void* buffer, size_t length) {
- // First, remove the protections.
- DWORD old_protection;
- if (!::VirtualProtectEx(child_process, address, length,
- PAGE_WRITECOPY, &old_protection))
- return false;
-
- SIZE_T written;
- bool ok = ::WriteProcessMemory(child_process, address, buffer, length,
- &written) && (length == written);
-
- // Always attempt to restore the original protection.
- if (!::VirtualProtectEx(child_process, address, length,
- old_protection, &old_protection))
- return false;
-
- return ok;
-}
-
-}; // namespace sandbox
-
-void ResolveNTFunctionPtr(const char* name, void* ptr) {
- static volatile HMODULE ntdll = NULL;
-
- if (!ntdll) {
- HMODULE ntdll_local = ::GetModuleHandle(sandbox::kNtdllName);
- // Use PEImage to sanity-check that we have a valid ntdll handle.
- base::win::PEImage ntdll_peimage(ntdll_local);
- CHECK_NT(ntdll_peimage.VerifyMagic());
- // Race-safe way to set static ntdll.
- ::InterlockedCompareExchangePointer(
- reinterpret_cast<PVOID volatile*>(&ntdll), ntdll_local, NULL);
-
- }
-
- CHECK_NT(ntdll);
- FARPROC* function_ptr = reinterpret_cast<FARPROC*>(ptr);
- *function_ptr = ::GetProcAddress(ntdll, name);
- CHECK_NT(*function_ptr);
-}
diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils.h b/security/sandbox/chromium/sandbox/win/src/win_utils.h
deleted file mode 100644
index f7895c1b8..000000000
--- a/security/sandbox/chromium/sandbox/win/src/win_utils.h
+++ /dev/null
@@ -1,117 +0,0 @@
-// Copyright (c) 2006-2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_WIN_UTILS_H_
-#define SANDBOX_SRC_WIN_UTILS_H_
-
-#include <windows.h>
-#include <stddef.h>
-#include <string>
-
-#include "base/macros.h"
-#include "base/strings/string16.h"
-
-namespace sandbox {
-
-// Prefix for path used by NT calls.
-const wchar_t kNTPrefix[] = L"\\??\\";
-const size_t kNTPrefixLen = arraysize(kNTPrefix) - 1;
-
-const wchar_t kNTDevicePrefix[] = L"\\Device\\";
-const size_t kNTDevicePrefixLen = arraysize(kNTDevicePrefix) - 1;
-
-// Automatically acquires and releases a lock when the object is
-// is destroyed.
-class AutoLock {
- public:
- // Acquires the lock.
- explicit AutoLock(CRITICAL_SECTION *lock) : lock_(lock) {
- ::EnterCriticalSection(lock);
- };
-
- // Releases the lock;
- ~AutoLock() {
- ::LeaveCriticalSection(lock_);
- };
-
- private:
- CRITICAL_SECTION *lock_;
- DISALLOW_IMPLICIT_CONSTRUCTORS(AutoLock);
-};
-
-// Basic implementation of a singleton which calls the destructor
-// when the exe is shutting down or the DLL is being unloaded.
-template <typename Derived>
-class SingletonBase {
- public:
- static Derived* GetInstance() {
- static Derived* instance = NULL;
- if (NULL == instance) {
- instance = new Derived();
- // Microsoft CRT extension. In an exe this this called after
- // winmain returns, in a dll is called in DLL_PROCESS_DETACH
- _onexit(OnExit);
- }
- return instance;
- }
-
- private:
- // this is the function that gets called by the CRT when the
- // process is shutting down.
- static int __cdecl OnExit() {
- delete GetInstance();
- return 0;
- }
-};
-
-// Convert a short path (C:\path~1 or \\??\\c:\path~1) to the long version of
-// the path. If the path is not a valid filesystem path, the function returns
-// false and argument is not modified.
-bool ConvertToLongPath(base::string16* path);
-
-// Returns ERROR_SUCCESS if the path contains a reparse point,
-// ERROR_NOT_A_REPARSE_POINT if there's no reparse point in this path, or an
-// error code when the function fails.
-// This function is not smart. It looks for each element in the path and
-// returns true if any of them is a reparse point.
-DWORD IsReparsePoint(const base::string16& full_path);
-
-// Returns true if the handle corresponds to the object pointed by this path.
-bool SameObject(HANDLE handle, const wchar_t* full_path);
-
-// Resolves a handle to an nt path. Returns true if the handle can be resolved.
-bool GetPathFromHandle(HANDLE handle, base::string16* path);
-
-// Resolves a win32 path to an nt path using GetPathFromHandle. The path must
-// exist. Returs true if the translation was succesful.
-bool GetNtPathFromWin32Path(const base::string16& path,
- base::string16* nt_path);
-
-// Translates a reserved key name to its handle.
-// For example "HKEY_LOCAL_MACHINE" returns HKEY_LOCAL_MACHINE.
-// Returns NULL if the name does not represent any reserved key name.
-HKEY GetReservedKeyFromName(const base::string16& name);
-
-// Resolves a user-readable registry path to a system-readable registry path.
-// For example, HKEY_LOCAL_MACHINE\\Software\\microsoft is translated to
-// \\registry\\machine\\software\\microsoft. Returns false if the path
-// cannot be resolved.
-bool ResolveRegistryName(base::string16 name, base::string16* resolved_name);
-
-// Writes |length| bytes from the provided |buffer| into the address space of
-// |child_process|, at the specified |address|, preserving the original write
-// protection attributes. Returns true on success.
-bool WriteProtectedChildMemory(HANDLE child_process, void* address,
- const void* buffer, size_t length);
-
-// Returns true if the provided path points to a pipe.
-bool IsPipe(const base::string16& path);
-
-} // namespace sandbox
-
-// Resolves a function name in NTDLL to a function pointer. The second parameter
-// is a pointer to the function pointer.
-void ResolveNTFunctionPtr(const char* name, void* ptr);
-
-#endif // SANDBOX_SRC_WIN_UTILS_H_
diff --git a/security/sandbox/chromium/sandbox/win/src/win_utils_unittest.cc b/security/sandbox/chromium/sandbox/win/src/win_utils_unittest.cc
deleted file mode 100644
index fb72eb338..000000000
--- a/security/sandbox/chromium/sandbox/win/src/win_utils_unittest.cc
+++ /dev/null
@@ -1,111 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include <windows.h>
-
-#include "base/win/scoped_handle.h"
-#include "sandbox/win/src/win_utils.h"
-#include "sandbox/win/tests/common/test_utils.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-TEST(WinUtils, IsReparsePoint) {
- using sandbox::IsReparsePoint;
-
- // Create a temp file because we need write access to it.
- wchar_t temp_directory[MAX_PATH];
- wchar_t my_folder[MAX_PATH];
- ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, my_folder), 0u);
-
- // Delete the file and create a directory instead.
- ASSERT_TRUE(::DeleteFile(my_folder));
- ASSERT_TRUE(::CreateDirectory(my_folder, NULL));
-
- EXPECT_EQ(static_cast<DWORD>(ERROR_NOT_A_REPARSE_POINT),
- IsReparsePoint(my_folder));
-
- base::string16 not_found = base::string16(my_folder) + L"\\foo\\bar";
- EXPECT_EQ(static_cast<DWORD>(ERROR_NOT_A_REPARSE_POINT),
- IsReparsePoint(not_found));
-
- base::string16 new_file = base::string16(my_folder) + L"\\foo";
- EXPECT_EQ(static_cast<DWORD>(ERROR_NOT_A_REPARSE_POINT),
- IsReparsePoint(new_file));
-
- // Replace the directory with a reparse point to %temp%.
- HANDLE dir = ::CreateFile(my_folder, FILE_ALL_ACCESS,
- FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
- OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
- EXPECT_NE(INVALID_HANDLE_VALUE, dir);
-
- base::string16 temp_dir_nt = base::string16(L"\\??\\") + temp_directory;
- EXPECT_TRUE(SetReparsePoint(dir, temp_dir_nt.c_str()));
-
- EXPECT_EQ(static_cast<DWORD>(ERROR_SUCCESS), IsReparsePoint(new_file));
-
- EXPECT_TRUE(DeleteReparsePoint(dir));
- EXPECT_TRUE(::CloseHandle(dir));
- EXPECT_TRUE(::RemoveDirectory(my_folder));
-}
-
-TEST(WinUtils, SameObject) {
- using sandbox::SameObject;
-
- // Create a temp file because we need write access to it.
- wchar_t temp_directory[MAX_PATH];
- wchar_t my_folder[MAX_PATH];
- ASSERT_NE(::GetTempPath(MAX_PATH, temp_directory), 0u);
- ASSERT_NE(::GetTempFileName(temp_directory, L"test", 0, my_folder), 0u);
-
- // Delete the file and create a directory instead.
- ASSERT_TRUE(::DeleteFile(my_folder));
- ASSERT_TRUE(::CreateDirectory(my_folder, NULL));
-
- base::string16 folder(my_folder);
- base::string16 file_name = folder + L"\\foo.txt";
- const ULONG kSharing = FILE_SHARE_WRITE | FILE_SHARE_READ | FILE_SHARE_DELETE;
- base::win::ScopedHandle file(CreateFile(
- file_name.c_str(), GENERIC_WRITE, kSharing, NULL, CREATE_ALWAYS,
- FILE_FLAG_DELETE_ON_CLOSE, NULL));
-
- EXPECT_TRUE(file.IsValid());
- base::string16 file_name_nt1 = base::string16(L"\\??\\") + file_name;
- base::string16 file_name_nt2 =
- base::string16(L"\\??\\") + folder + L"\\FOO.txT";
- EXPECT_TRUE(SameObject(file.Get(), file_name_nt1.c_str()));
- EXPECT_TRUE(SameObject(file.Get(), file_name_nt2.c_str()));
-
- file.Close();
- EXPECT_TRUE(::RemoveDirectory(my_folder));
-}
-
-TEST(WinUtils, IsPipe) {
- using sandbox::IsPipe;
-
- base::string16 pipe_name = L"\\??\\pipe\\mypipe";
- EXPECT_TRUE(IsPipe(pipe_name));
-
- pipe_name = L"\\??\\PiPe\\mypipe";
- EXPECT_TRUE(IsPipe(pipe_name));
-
- pipe_name = L"\\??\\pipe";
- EXPECT_FALSE(IsPipe(pipe_name));
-
- pipe_name = L"\\??\\_pipe_\\mypipe";
- EXPECT_FALSE(IsPipe(pipe_name));
-
- pipe_name = L"\\??\\ABCD\\mypipe";
- EXPECT_FALSE(IsPipe(pipe_name));
-
-
- // Written as two strings to prevent trigraph '?' '?' '/'.
- pipe_name = L"/?" L"?/pipe/mypipe";
- EXPECT_FALSE(IsPipe(pipe_name));
-
- pipe_name = L"\\XX\\pipe\\mypipe";
- EXPECT_FALSE(IsPipe(pipe_name));
-
- pipe_name = L"\\Device\\NamedPipe\\mypipe";
- EXPECT_FALSE(IsPipe(pipe_name));
-}
diff --git a/security/sandbox/chromium/sandbox/win/src/window.cc b/security/sandbox/chromium/sandbox/win/src/window.cc
deleted file mode 100644
index cfbf280d9..000000000
--- a/security/sandbox/chromium/sandbox/win/src/window.cc
+++ /dev/null
@@ -1,161 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/src/window.h"
-
-#include <aclapi.h>
-
-#include "base/logging.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/src/acl.h"
-#include "sandbox/win/src/sid.h"
-
-namespace {
-
-// Gets the security attributes of a window object referenced by |handle|. The
-// lpSecurityDescriptor member of the SECURITY_ATTRIBUTES parameter returned
-// must be freed using LocalFree by the caller.
-bool GetSecurityAttributes(HANDLE handle, SECURITY_ATTRIBUTES* attributes) {
- attributes->bInheritHandle = FALSE;
- attributes->nLength = sizeof(SECURITY_ATTRIBUTES);
-
- PACL dacl = NULL;
- DWORD result = ::GetSecurityInfo(handle, SE_WINDOW_OBJECT,
- DACL_SECURITY_INFORMATION, NULL, NULL, &dacl,
- NULL, &attributes->lpSecurityDescriptor);
- if (ERROR_SUCCESS == result)
- return true;
-
- return false;
-}
-
-}
-
-namespace sandbox {
-
-ResultCode CreateAltWindowStation(HWINSTA* winsta) {
- // Get the security attributes from the current window station; we will
- // use this as the base security attributes for the new window station.
- SECURITY_ATTRIBUTES attributes = {0};
- if (!GetSecurityAttributes(::GetProcessWindowStation(), &attributes)) {
- return SBOX_ERROR_CANNOT_CREATE_WINSTATION;
- }
-
- // Create the window station using NULL for the name to ask the os to
- // generate it.
- *winsta = ::CreateWindowStationW(
- NULL, 0, GENERIC_READ | WINSTA_CREATEDESKTOP, &attributes);
- LocalFree(attributes.lpSecurityDescriptor);
-
- if (*winsta)
- return SBOX_ALL_OK;
-
- return SBOX_ERROR_CANNOT_CREATE_WINSTATION;
-}
-
-ResultCode CreateAltDesktop(HWINSTA winsta, HDESK* desktop) {
- base::string16 desktop_name = L"sbox_alternate_desktop_";
-
- // Append the current PID to the desktop name.
- wchar_t buffer[16];
- _snwprintf_s(buffer, sizeof(buffer) / sizeof(wchar_t), L"0x%X",
- ::GetCurrentProcessId());
- desktop_name += buffer;
-
- // Get the security attributes from the current desktop, we will use this as
- // the base security attributes for the new desktop.
- SECURITY_ATTRIBUTES attributes = {0};
- if (!GetSecurityAttributes(GetThreadDesktop(GetCurrentThreadId()),
- &attributes)) {
- return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
- }
-
- // Back up the current window station, in case we need to switch it.
- HWINSTA current_winsta = ::GetProcessWindowStation();
-
- if (winsta) {
- // We need to switch to the alternate window station before creating the
- // desktop.
- if (!::SetProcessWindowStation(winsta)) {
- ::LocalFree(attributes.lpSecurityDescriptor);
- return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
- }
- }
-
- // Create the destkop.
- *desktop = ::CreateDesktop(desktop_name.c_str(),
- NULL,
- NULL,
- 0,
- DESKTOP_CREATEWINDOW | DESKTOP_READOBJECTS |
- READ_CONTROL | WRITE_DAC | WRITE_OWNER,
- &attributes);
- ::LocalFree(attributes.lpSecurityDescriptor);
-
- if (winsta) {
- // Revert to the right window station.
- if (!::SetProcessWindowStation(current_winsta)) {
- return SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION;
- }
- }
-
- if (*desktop) {
- // Replace the DACL on the new Desktop with a reduced privilege version.
- // We can soft fail on this for now, as it's just an extra mitigation.
- static const ACCESS_MASK kDesktopDenyMask = WRITE_DAC | WRITE_OWNER |
- DELETE |
- DESKTOP_CREATEMENU |
- DESKTOP_CREATEWINDOW |
- DESKTOP_HOOKCONTROL |
- DESKTOP_JOURNALPLAYBACK |
- DESKTOP_JOURNALRECORD |
- DESKTOP_SWITCHDESKTOP;
- AddKnownSidToObject(*desktop, SE_WINDOW_OBJECT, Sid(WinRestrictedCodeSid),
- DENY_ACCESS, kDesktopDenyMask);
- return SBOX_ALL_OK;
- }
-
- return SBOX_ERROR_CANNOT_CREATE_DESKTOP;
-}
-
-base::string16 GetWindowObjectName(HANDLE handle) {
- // Get the size of the name.
- DWORD size = 0;
- ::GetUserObjectInformation(handle, UOI_NAME, NULL, 0, &size);
-
- if (!size) {
- NOTREACHED();
- return base::string16();
- }
-
- // Create the buffer that will hold the name.
- scoped_ptr<wchar_t[]> name_buffer(new wchar_t[size]);
-
- // Query the name of the object.
- if (!::GetUserObjectInformation(handle, UOI_NAME, name_buffer.get(), size,
- &size)) {
- NOTREACHED();
- return base::string16();
- }
-
- return base::string16(name_buffer.get());
-}
-
-base::string16 GetFullDesktopName(HWINSTA winsta, HDESK desktop) {
- if (!desktop) {
- NOTREACHED();
- return base::string16();
- }
-
- base::string16 name;
- if (winsta) {
- name = GetWindowObjectName(winsta);
- name += L'\\';
- }
-
- name += GetWindowObjectName(desktop);
- return name;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/src/window.h b/security/sandbox/chromium/sandbox/win/src/window.h
deleted file mode 100644
index 62fe7c474..000000000
--- a/security/sandbox/chromium/sandbox/win/src/window.h
+++ /dev/null
@@ -1,40 +0,0 @@
-// Copyright (c) 2009 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_SRC_WINDOW_H_
-#define SANDBOX_SRC_WINDOW_H_
-
-#include <windows.h>
-#include <string>
-
-#include "base/strings/string16.h"
-#include "sandbox/win/src/sandbox_types.h"
-
-namespace sandbox {
-
- // Creates a window station. The name is generated by the OS. The security
- // descriptor is based on the security descriptor of the current window
- // station.
- ResultCode CreateAltWindowStation(HWINSTA* winsta);
-
- // Creates a desktop. The name is a static string followed by the pid of the
- // current process. The security descriptor on the new desktop is based on the
- // security descriptor of the desktop associated with the current thread.
- // If a winsta is specified, the function will switch to it before creating
- // the desktop. If the functions fails the switch back to the current winsta,
- // the function will return SBOX_ERROR_FAILED_TO_SWITCH_BACK_WINSTATION.
- ResultCode CreateAltDesktop(HWINSTA winsta, HDESK* desktop);
-
- // Returns the name of a desktop or a window station.
- base::string16 GetWindowObjectName(HANDLE handle);
-
- // Returns the name of the desktop referenced by |desktop|. If a window
- // station is specified, the name is prepended with the window station name,
- // followed by a backslash. This name can be used as the lpDesktop parameter
- // to CreateProcess.
- base::string16 GetFullDesktopName(HWINSTA winsta, HDESK desktop);
-
-} // namespace sandbox
-
-#endif // SANDBOX_SRC_WINDOW_H_
diff --git a/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.cc b/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.cc
deleted file mode 100644
index 0424d9fdd..000000000
--- a/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.cc
+++ /dev/null
@@ -1,346 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/wow_helper/service64_resolver.h"
-
-#include <limits.h>
-#include <stddef.h>
-
-#include "base/bit_cast.h"
-#include "base/memory/scoped_ptr.h"
-#include "sandbox/win/wow_helper/target_code.h"
-
-namespace {
-#pragma pack(push, 1)
-
-const BYTE kMovEax = 0xB8;
-const BYTE kMovEdx = 0xBA;
-const USHORT kCallPtrEdx = 0x12FF;
-const BYTE kRet = 0xC2;
-const BYTE kNop = 0x90;
-const USHORT kJmpEdx = 0xE2FF;
-const USHORT kXorEcx = 0xC933;
-const ULONG kLeaEdx = 0x0424548D;
-const ULONG kCallFs1 = 0xC015FF64;
-const ULONG kCallFs2Ret = 0xC2000000;
-const BYTE kPopEdx = 0x5A;
-const BYTE kPushEdx = 0x52;
-const BYTE kPush32 = 0x68;
-
-const ULONG kMmovR10EcxMovEax = 0xB8D18B4C;
-const USHORT kSyscall = 0x050F;
-const BYTE kRetNp = 0xC3;
-const BYTE kPad = 0x66;
-const USHORT kNop16 = 0x9066;
-const BYTE kRelJmp = 0xE9;
-
-const ULONG kXorRaxMovEax = 0xB8C03148;
-const ULONG kSaveRcx = 0x10488948;
-const ULONG kMovRcxRaxJmp = 0xE9C88B48;
-
-// Service code for 64 bit systems.
-struct ServiceEntry {
- // this struct contains roughly the following code:
- // mov r10,rcx
- // mov eax,52h
- // syscall
- // ret
- // xchg ax,ax
- // xchg ax,ax
-
- ULONG mov_r10_ecx_mov_eax; // = 4C 8B D1 B8
- ULONG service_id;
- USHORT syscall; // = 0F 05
- BYTE ret; // = C3
- BYTE pad; // = 66
- USHORT xchg_ax_ax1; // = 66 90
- USHORT xchg_ax_ax2; // = 66 90
-};
-
-struct Redirected {
- // this struct contains roughly the following code:
- // jmp relative_32
- // xchg ax,ax // 3 byte nop
-
- Redirected() {
- jmp = kRelJmp;
- relative = 0;
- pad = kPad;
- xchg_ax_ax = kNop16;
- };
- BYTE jmp; // = E9
- ULONG relative;
- BYTE pad; // = 66
- USHORT xchg_ax_ax; // = 66 90
-};
-
-struct InternalThunk {
- // this struct contains roughly the following code:
- // xor rax,rax
- // mov eax, 0x00080000 // Thunk storage.
- // mov [rax]PatchInfo.service, rcx // Save first argument.
- // mov rcx, rax
- // jmp relative_to_interceptor
-
- InternalThunk() {
- xor_rax_mov_eax = kXorRaxMovEax;
- patch_info = 0;
- save_rcx = kSaveRcx;
- mov_rcx_rax_jmp = kMovRcxRaxJmp;
- relative = 0;
- };
- ULONG xor_rax_mov_eax; // = 48 31 C0 B8
- ULONG patch_info;
- ULONG save_rcx; // = 48 89 48 10
- ULONG mov_rcx_rax_jmp; // = 48 8b c8 e9
- ULONG relative;
-};
-
-struct ServiceFullThunk {
- sandbox::PatchInfo patch_info;
- ServiceEntry original;
- InternalThunk internal_thunk;
-};
-
-#pragma pack(pop)
-
-// Simple utility function to write to a buffer on the child, if the memery has
-// write protection attributes.
-// Arguments:
-// child_process (in): process to write to.
-// address (out): memory position on the child to write to.
-// buffer (in): local buffer with the data to write .
-// length (in): number of bytes to write.
-// Returns true on success.
-bool WriteProtectedChildMemory(HANDLE child_process,
- void* address,
- const void* buffer,
- size_t length) {
- // first, remove the protections
- DWORD old_protection;
- if (!::VirtualProtectEx(child_process, address, length,
- PAGE_WRITECOPY, &old_protection))
- return false;
-
- SIZE_T written;
- bool ok = ::WriteProcessMemory(child_process, address, buffer, length,
- &written) && (length == written);
-
- // always attempt to restore the original protection
- if (!::VirtualProtectEx(child_process, address, length,
- old_protection, &old_protection))
- return false;
-
- return ok;
-}
-
-// Get pointers to the functions that we need from ntdll.dll.
-NTSTATUS ResolveNtdll(sandbox::PatchInfo* patch_info) {
- wchar_t* ntdll_name = L"ntdll.dll";
- HMODULE ntdll = ::GetModuleHandle(ntdll_name);
- if (!ntdll)
- return STATUS_PROCEDURE_NOT_FOUND;
-
- void* signal = ::GetProcAddress(ntdll, "NtSignalAndWaitForSingleObject");
- if (!signal)
- return STATUS_PROCEDURE_NOT_FOUND;
-
- patch_info->signal_and_wait =
- reinterpret_cast<NtSignalAndWaitForSingleObjectFunction>(signal);
-
- return STATUS_SUCCESS;
-}
-
-}; // namespace
-
-namespace sandbox {
-
-NTSTATUS ResolverThunk::Init(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes) {
- if (NULL == thunk_storage || 0 == storage_bytes ||
- NULL == target_module || NULL == target_name)
- return STATUS_INVALID_PARAMETER;
-
- if (storage_bytes < GetThunkSize())
- return STATUS_BUFFER_TOO_SMALL;
-
- NTSTATUS ret = STATUS_SUCCESS;
- if (NULL == interceptor_entry_point) {
- ret = ResolveInterceptor(interceptor_module, interceptor_name,
- &interceptor_entry_point);
- if (!NT_SUCCESS(ret))
- return ret;
- }
-
- ret = ResolveTarget(target_module, target_name, &target_);
- if (!NT_SUCCESS(ret))
- return ret;
-
- interceptor_ = interceptor_entry_point;
-
- return ret;
-}
-
-NTSTATUS ResolverThunk::ResolveInterceptor(const void* interceptor_module,
- const char* interceptor_name,
- const void** address) {
- return STATUS_NOT_IMPLEMENTED;
-}
-
-NTSTATUS ResolverThunk::ResolveTarget(const void* module,
- const char* function_name,
- void** address) {
- return STATUS_NOT_IMPLEMENTED;
-}
-
-NTSTATUS Service64ResolverThunk::Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used) {
- NTSTATUS ret = Init(target_module, interceptor_module, target_name,
- interceptor_name, interceptor_entry_point,
- thunk_storage, storage_bytes);
- if (!NT_SUCCESS(ret))
- return ret;
-
- size_t thunk_bytes = GetThunkSize();
- scoped_ptr<char[]> thunk_buffer(new char[thunk_bytes]);
- ServiceFullThunk* thunk = reinterpret_cast<ServiceFullThunk*>(
- thunk_buffer.get());
-
- if (!IsFunctionAService(&thunk->original))
- return STATUS_UNSUCCESSFUL;
-
- ret = PerformPatch(thunk, thunk_storage);
-
- if (NULL != storage_used)
- *storage_used = thunk_bytes;
-
- return ret;
-}
-
-NTSTATUS Service64ResolverThunk::ResolveInterceptor(
- const void* interceptor_module,
- const char* interceptor_name,
- const void** address) {
- // After all, we are using a locally mapped version of the exe, so the
- // action is the same as for a target function.
- return ResolveTarget(interceptor_module, interceptor_name,
- const_cast<void**>(address));
-}
-
-// In this case all the work is done from the parent, so resolve is
-// just a simple GetProcAddress.
-NTSTATUS Service64ResolverThunk::ResolveTarget(const void* module,
- const char* function_name,
- void** address) {
- if (NULL == module)
- return STATUS_UNSUCCESSFUL;
-
- *address = ::GetProcAddress(bit_cast<HMODULE>(module), function_name);
-
- if (NULL == *address)
- return STATUS_UNSUCCESSFUL;
-
- return STATUS_SUCCESS;
-}
-
-size_t Service64ResolverThunk::GetThunkSize() const {
- return sizeof(ServiceFullThunk);
-}
-
-bool Service64ResolverThunk::IsFunctionAService(void* local_thunk) const {
- ServiceEntry function_code;
- SIZE_T read;
- if (!::ReadProcessMemory(process_, target_, &function_code,
- sizeof(function_code), &read))
- return false;
-
- if (sizeof(function_code) != read)
- return false;
-
- if (kMmovR10EcxMovEax != function_code.mov_r10_ecx_mov_eax ||
- kSyscall != function_code.syscall || kRetNp != function_code.ret)
- return false;
-
- // Save the verified code
- memcpy(local_thunk, &function_code, sizeof(function_code));
-
- return true;
-}
-
-NTSTATUS Service64ResolverThunk::PerformPatch(void* local_thunk,
- void* remote_thunk) {
- ServiceFullThunk* full_local_thunk = reinterpret_cast<ServiceFullThunk*>(
- local_thunk);
- ServiceFullThunk* full_remote_thunk = reinterpret_cast<ServiceFullThunk*>(
- remote_thunk);
-
- // If the source or target are above 4GB we cannot do this relative jump.
- if (reinterpret_cast<ULONG_PTR>(full_remote_thunk) >
- static_cast<ULONG_PTR>(ULONG_MAX))
- return STATUS_CONFLICTING_ADDRESSES;
-
- if (reinterpret_cast<ULONG_PTR>(target_) > static_cast<ULONG_PTR>(ULONG_MAX))
- return STATUS_CONFLICTING_ADDRESSES;
-
- // Patch the original code.
- Redirected local_service;
- Redirected* remote_service = reinterpret_cast<Redirected*>(target_);
- ULONG_PTR diff = reinterpret_cast<BYTE*>(&full_remote_thunk->internal_thunk) -
- &remote_service->pad;
- local_service.relative = static_cast<ULONG>(diff);
-
- // Setup the PatchInfo structure.
- SIZE_T actual;
- if (!::ReadProcessMemory(process_, remote_thunk, local_thunk,
- sizeof(PatchInfo), &actual))
- return STATUS_UNSUCCESSFUL;
- if (sizeof(PatchInfo) != actual)
- return STATUS_UNSUCCESSFUL;
-
- full_local_thunk->patch_info.orig_MapViewOfSection = reinterpret_cast<
- NtMapViewOfSectionFunction>(&full_remote_thunk->original);
- full_local_thunk->patch_info.patch_location = target_;
- NTSTATUS ret = ResolveNtdll(&full_local_thunk->patch_info);
- if (!NT_SUCCESS(ret))
- return ret;
-
- // Setup the thunk. The jump out is performed from right after the end of the
- // thunk (full_remote_thunk + 1).
- InternalThunk my_thunk;
- ULONG_PTR patch_info = reinterpret_cast<ULONG_PTR>(remote_thunk);
- my_thunk.patch_info = static_cast<ULONG>(patch_info);
- diff = reinterpret_cast<const BYTE*>(interceptor_) -
- reinterpret_cast<BYTE*>(full_remote_thunk + 1);
- my_thunk.relative = static_cast<ULONG>(diff);
-
- memcpy(&full_local_thunk->internal_thunk, &my_thunk, sizeof(my_thunk));
-
- // copy the local thunk buffer to the child
- if (!::WriteProcessMemory(process_, remote_thunk, local_thunk,
- sizeof(ServiceFullThunk), &actual))
- return STATUS_UNSUCCESSFUL;
-
- if (sizeof(ServiceFullThunk) != actual)
- return STATUS_UNSUCCESSFUL;
-
- // and now change the function to intercept, on the child
- if (!::WriteProtectedChildMemory(process_, target_, &local_service,
- sizeof(local_service)))
- return STATUS_UNSUCCESSFUL;
-
- return STATUS_SUCCESS;
-}
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.h b/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.h
deleted file mode 100644
index 32ee46f8e..000000000
--- a/security/sandbox/chromium/sandbox/win/wow_helper/service64_resolver.h
+++ /dev/null
@@ -1,75 +0,0 @@
-// Copyright (c) 2010 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WOW_HELPER_SERVICE64_RESOLVER_H__
-#define SANDBOX_WOW_HELPER_SERVICE64_RESOLVER_H__
-
-#include <stddef.h>
-
-#include "base/macros.h"
-#include "sandbox/win/src/nt_internals.h"
-#include "sandbox/win/src/resolver.h"
-
-namespace sandbox {
-
-// This is the concrete resolver used to perform service-call type functions
-// inside ntdll.dll (64-bit).
-class Service64ResolverThunk : public ResolverThunk {
- public:
- // The service resolver needs a child process to write to.
- explicit Service64ResolverThunk(HANDLE process)
- : process_(process), ntdll_base_(NULL) {}
- virtual ~Service64ResolverThunk() {}
-
- // Implementation of Resolver::Setup.
- virtual NTSTATUS Setup(const void* target_module,
- const void* interceptor_module,
- const char* target_name,
- const char* interceptor_name,
- const void* interceptor_entry_point,
- void* thunk_storage,
- size_t storage_bytes,
- size_t* storage_used);
-
- // Implementation of Resolver::ResolveInterceptor.
- virtual NTSTATUS ResolveInterceptor(const void* module,
- const char* function_name,
- const void** address);
-
- // Implementation of Resolver::ResolveTarget.
- virtual NTSTATUS ResolveTarget(const void* module,
- const char* function_name,
- void** address);
-
- // Implementation of Resolver::GetThunkSize.
- virtual size_t GetThunkSize() const;
-
- protected:
- // The unit test will use this member to allow local patch on a buffer.
- HMODULE ntdll_base_;
-
- // Handle of the child process.
- HANDLE process_;
-
- private:
- // Returns true if the code pointer by target_ corresponds to the expected
- // type of function. Saves that code on the first part of the thunk pointed
- // by local_thunk (should be directly accessible from the parent).
- virtual bool IsFunctionAService(void* local_thunk) const;
-
- // Performs the actual patch of target_.
- // local_thunk must be already fully initialized, and the first part must
- // contain the original code. The real type of this buffer is ServiceFullThunk
- // (yes, private). remote_thunk (real type ServiceFullThunk), must be
- // allocated on the child, and will contain the thunk data, after this call.
- // Returns the apropriate status code.
- virtual NTSTATUS PerformPatch(void* local_thunk, void* remote_thunk);
-
- DISALLOW_COPY_AND_ASSIGN(Service64ResolverThunk);
-};
-
-} // namespace sandbox
-
-
-#endif // SANDBOX_WOW_HELPER_SERVICE64_RESOLVER_H__
diff --git a/security/sandbox/chromium/sandbox/win/wow_helper/target_code.cc b/security/sandbox/chromium/sandbox/win/wow_helper/target_code.cc
deleted file mode 100644
index ce44eeba2..000000000
--- a/security/sandbox/chromium/sandbox/win/wow_helper/target_code.cc
+++ /dev/null
@@ -1,38 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "sandbox/win/wow_helper/target_code.h"
-
-namespace sandbox {
-
-// Hooks NtMapViewOfSection to detect the load of dlls.
-#pragma code_seg(push, code, ".TargetCode$A")
-NTSTATUS WINAPI TargetNtMapViewOfSection(
- PatchInfo *patch_info, HANDLE process, PVOID *base, ULONG_PTR zero_bits,
- SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
- SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect) {
- NTSTATUS ret = patch_info->orig_MapViewOfSection(patch_info->section, process,
- base, zero_bits, commit_size,
- offset, view_size, inherit,
- allocation_type, protect);
-
- LARGE_INTEGER timeout;
- timeout.QuadPart = -(5 * 10000000); // 5 seconds.
-
- // The wait is alertable.
- patch_info->signal_and_wait(patch_info->dll_load, patch_info->continue_load,
- TRUE, &timeout);
-
- return ret;
-}
-#pragma code_seg(pop, code)
-
-// Marks the end of the code to copy to the target process.
-#pragma code_seg(push, code, ".TargetCode$B")
-NTSTATUS WINAPI TargetEnd() {
- return STATUS_SUCCESS;
-}
-#pragma code_seg(pop, code)
-
-} // namespace sandbox
diff --git a/security/sandbox/chromium/sandbox/win/wow_helper/target_code.h b/security/sandbox/chromium/sandbox/win/wow_helper/target_code.h
deleted file mode 100644
index c198a852e..000000000
--- a/security/sandbox/chromium/sandbox/win/wow_helper/target_code.h
+++ /dev/null
@@ -1,41 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#ifndef SANDBOX_WOW_HELPER_TARGET_CODE_H__
-#define SANDBOX_WOW_HELPER_TARGET_CODE_H__
-
-#include "sandbox/win/src/nt_internals.h"
-
-namespace sandbox {
-
-extern "C" {
-
-// Holds the information needed for the interception of NtMapViewOfSection.
-// Changes of this structure must be synchronized with changes of PatchInfo32
-// on sandbox/win/src/wow64.cc.
-struct PatchInfo {
- HANDLE dll_load; // Event to signal the broker.
- HANDLE continue_load; // Event to wait for the broker.
- HANDLE section; // First argument of the call.
- NtMapViewOfSectionFunction orig_MapViewOfSection;
- NtSignalAndWaitForSingleObjectFunction signal_and_wait;
- void* patch_location;
-};
-
-// Interception of NtMapViewOfSection on the child process.
-// It should never be called directly. This function provides the means to
-// detect dlls being loaded, so we can patch them if needed.
-NTSTATUS WINAPI TargetNtMapViewOfSection(
- PatchInfo* patch_info, HANDLE process, PVOID* base, ULONG_PTR zero_bits,
- SIZE_T commit_size, PLARGE_INTEGER offset, PSIZE_T view_size,
- SECTION_INHERIT inherit, ULONG allocation_type, ULONG protect);
-
-// Marker of the end of TargetNtMapViewOfSection.
-NTSTATUS WINAPI TargetEnd();
-
-} // extern "C"
-
-} // namespace sandbox
-
-#endif // SANDBOX_WOW_HELPER_TARGET_CODE_H__
diff --git a/security/sandbox/chromium/sandbox/win/wow_helper/wow_helper.cc b/security/sandbox/chromium/sandbox/win/wow_helper/wow_helper.cc
deleted file mode 100644
index af76cbc13..000000000
--- a/security/sandbox/chromium/sandbox/win/wow_helper/wow_helper.cc
+++ /dev/null
@@ -1,87 +0,0 @@
-// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Wow_helper.exe is a simple Win32 64-bit executable designed to help to
-// sandbox a 32 bit application running on a 64 bit OS. The basic idea is to
-// perform a 64 bit interception of the target process and notify the 32-bit
-// broker process whenever a DLL is being loaded. This allows the broker to
-// setup the interceptions (32-bit) properly on the target.
-
-#include <windows.h>
-#include <stddef.h>
-
-#include <string>
-
-#include "sandbox/win/wow_helper/service64_resolver.h"
-#include "sandbox/win/wow_helper/target_code.h"
-
-namespace sandbox {
-
-// Performs the interception of NtMapViewOfSection on the 64-bit version of
-// ntdll.dll. 'thunk' is the buffer on the address space of process 'child',
-// that will be used to store the information about the patch.
-int PatchNtdll(HANDLE child, void* thunk, size_t thunk_bytes) {
- wchar_t* ntdll_name = L"ntdll.dll";
- HMODULE ntdll_base = ::GetModuleHandle(ntdll_name);
- if (!ntdll_base)
- return 100;
-
- Service64ResolverThunk resolver(child);
- size_t used = resolver.GetThunkSize();
- char* code = reinterpret_cast<char*>(thunk) + used;
- NTSTATUS ret = resolver.Setup(ntdll_base, NULL, "NtMapViewOfSection", NULL,
- code, thunk, thunk_bytes, NULL);
- if (!NT_SUCCESS(ret))
- return 101;
-
- size_t size = reinterpret_cast<char*>(&TargetEnd) -
- reinterpret_cast<char*>(&TargetNtMapViewOfSection);
-
- if (size + used > thunk_bytes)
- return 102;
-
- SIZE_T written;
- if (!::WriteProcessMemory(child, code, &TargetNtMapViewOfSection, size,
- &written))
- return 103;
-
- if (size != written)
- return 104;
-
- return 0;
-}
-
-} // namespace sandbox
-
-// We must receive two arguments: the process id of the target to intercept and
-// the address of a page of memory on that process that will be used for the
-// interception. We receive the address because the broker will cleanup the
-// patch when the work is performed.
-//
-// It should be noted that we don't wait until the real work is done; this
-// program quits as soon as the 64-bit interception is performed.
-int wWinMain(HINSTANCE, HINSTANCE, wchar_t* command_line, int) {
- static_assert(sizeof(void*) > sizeof(DWORD), "unsupported 32 bits");
- if (!command_line)
- return 1;
-
- wchar_t* next;
- DWORD process_id = wcstoul(command_line, &next, 0);
- if (!process_id)
- return 2;
-
- DWORD access = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE;
- HANDLE child = ::OpenProcess(access, FALSE, process_id);
- if (!child)
- return 3;
-
- DWORD buffer = wcstoul(next, NULL, 0);
- if (!buffer)
- return 4;
-
- void* thunk = reinterpret_cast<void*>(static_cast<ULONG_PTR>(buffer));
-
- const size_t kPageSize = 4096;
- return sandbox::PatchNtdll(child, thunk, kPageSize);
-}
diff --git a/security/sandbox/linux/LinuxCapabilities.cpp b/security/sandbox/linux/LinuxCapabilities.cpp
deleted file mode 100644
index 87e24a009..000000000
--- a/security/sandbox/linux/LinuxCapabilities.cpp
+++ /dev/null
@@ -1,28 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "LinuxCapabilities.h"
-
-#include <unistd.h>
-#include <sys/syscall.h>
-
-namespace mozilla {
-
-bool
-LinuxCapabilities::GetCurrent() {
- __user_cap_header_struct header = { _LINUX_CAPABILITY_VERSION_3, 0 };
- return syscall(__NR_capget, &header, &mBits) == 0
- && header.version == _LINUX_CAPABILITY_VERSION_3;
-}
-
-bool
-LinuxCapabilities::SetCurrentRaw() const {
- __user_cap_header_struct header = { _LINUX_CAPABILITY_VERSION_3, 0 };
- return syscall(__NR_capset, &header, &mBits) == 0
- && header.version == _LINUX_CAPABILITY_VERSION_3;
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/LinuxCapabilities.h b/security/sandbox/linux/LinuxCapabilities.h
deleted file mode 100644
index 9d3220841..000000000
--- a/security/sandbox/linux/LinuxCapabilities.h
+++ /dev/null
@@ -1,128 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_LinuxCapabilities_h
-#define mozilla_LinuxCapabilities_h
-
-#include <linux/capability.h>
-#include <stdint.h>
-
-#include "mozilla/Assertions.h"
-#include "mozilla/Attributes.h"
-#include "mozilla/PodOperations.h"
-
-// This class is a relatively simple interface to manipulating the
-// capabilities of a Linux process/thread; see the capabilities(7) man
-// page for background information.
-
-// Unfortunately, Android's kernel headers omit some definitions
-// needed for the low-level capability interface. They're part of the
-// stable syscall ABI, so it's safe to include them here.
-#ifndef _LINUX_CAPABILITY_VERSION_3
-#define _LINUX_CAPABILITY_VERSION_3 0x20080522
-#define _LINUX_CAPABILITY_U32S_3 2
-#endif
-#ifndef CAP_TO_INDEX
-#define CAP_TO_INDEX(x) ((x) >> 5)
-#define CAP_TO_MASK(x) (1 << ((x) & 31))
-#endif
-
-namespace mozilla {
-
-class LinuxCapabilities final
-{
-public:
- // A class to represent a bit within the capability sets as an lvalue.
- class BitRef {
- __u32& mWord;
- __u32 mMask;
- friend class LinuxCapabilities;
- BitRef(__u32& aWord, uint32_t aMask) : mWord(aWord), mMask(aMask) { }
- BitRef(const BitRef& aBit) : mWord(aBit.mWord), mMask(aBit.mMask) { }
- public:
- MOZ_IMPLICIT operator bool() const {
- return mWord & mMask;
- }
- BitRef& operator=(bool aSetTo) {
- if (aSetTo) {
- mWord |= mMask;
- } else {
- mWord &= mMask;
- }
- return *this;
- }
- };
-
- // The default value is the empty set.
- LinuxCapabilities() { PodArrayZero(mBits); }
-
- // Get the current thread's capability sets and assign them to this
- // object. Returns whether it succeeded and sets errno on failure.
- // Shouldn't fail unless the kernel is very old.
- bool GetCurrent();
-
- // Try to set the current thread's capability sets to those
- // specified in this object. Returns whether it succeeded and sets
- // errno on failure.
- bool SetCurrentRaw() const;
-
- // The capability model requires that the permitted set always be a
- // superset of the effective and inheritable sets. This method
- // expands the permitted set as needed and then sets the current
- // thread's capabilities, as described above.
- bool SetCurrent() {
- Normalize();
- return SetCurrentRaw();
- }
-
- void Normalize() {
- for (size_t i = 0; i < _LINUX_CAPABILITY_U32S_3; ++i) {
- mBits[i].permitted |= mBits[i].effective | mBits[i].inheritable;
- }
- }
-
- bool AnyEffective() const {
- for (size_t i = 0; i < _LINUX_CAPABILITY_U32S_3; ++i) {
- if (mBits[i].effective != 0) {
- return true;
- }
- }
- return false;
- }
-
- // These three methods expose individual bits in the three
- // capability sets as objects that can be used as bool lvalues.
- // The argument is the capability number, as defined in
- // the <linux/capability.h> header.
- BitRef Effective(unsigned aCap)
- {
- return GenericBitRef(&__user_cap_data_struct::effective, aCap);
- }
-
- BitRef Permitted(unsigned aCap)
- {
- return GenericBitRef(&__user_cap_data_struct::permitted, aCap);
- }
-
- BitRef Inheritable(unsigned aCap)
- {
- return GenericBitRef(&__user_cap_data_struct::inheritable, aCap);
- }
-
-private:
- __user_cap_data_struct mBits[_LINUX_CAPABILITY_U32S_3];
-
- BitRef GenericBitRef(__u32 __user_cap_data_struct::* aField, unsigned aCap)
- {
- // Please don't pass untrusted data as the capability number.
- MOZ_ASSERT(CAP_TO_INDEX(aCap) < _LINUX_CAPABILITY_U32S_3);
- return BitRef(mBits[CAP_TO_INDEX(aCap)].*aField, CAP_TO_MASK(aCap));
- }
-};
-
-} // namespace mozilla
-
-#endif // mozilla_LinuxCapabilities_h
diff --git a/security/sandbox/linux/LinuxSched.h b/security/sandbox/linux/LinuxSched.h
deleted file mode 100644
index 148067d34..000000000
--- a/security/sandbox/linux/LinuxSched.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_LinuxSched_h
-#define mozilla_LinuxSched_h
-
-#include <linux/sched.h>
-
-// Some build environments, in particular the Android NDK, don't
-// define some of the newer clone/unshare flags ("newer" relatively
-// speaking; CLONE_NEWUTS is present since kernel 2.6.19 in 2006).
-
-#ifndef CLONE_NEWUTS
-#define CLONE_NEWUTS 0x04000000
-#endif
-#ifndef CLONE_NEWIPC
-#define CLONE_NEWIPC 0x08000000
-#endif
-#ifndef CLONE_NEWUSER
-#define CLONE_NEWUSER 0x10000000
-#endif
-#ifndef CLONE_NEWPID
-#define CLONE_NEWPID 0x20000000
-#endif
-#ifndef CLONE_NEWNET
-#define CLONE_NEWNET 0x40000000
-#endif
-#ifndef CLONE_IO
-#define CLONE_IO 0x80000000
-#endif
-
-#endif
diff --git a/security/sandbox/linux/Sandbox.cpp b/security/sandbox/linux/Sandbox.cpp
deleted file mode 100644
index 80a18f855..000000000
--- a/security/sandbox/linux/Sandbox.cpp
+++ /dev/null
@@ -1,609 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "Sandbox.h"
-
-#include "LinuxCapabilities.h"
-#include "LinuxSched.h"
-#include "SandboxBrokerClient.h"
-#include "SandboxChroot.h"
-#include "SandboxFilter.h"
-#include "SandboxInternal.h"
-#include "SandboxLogging.h"
-#include "SandboxUtil.h"
-
-#include <dirent.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <linux/futex.h>
-#include <pthread.h>
-#include <signal.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/prctl.h>
-#include <sys/ptrace.h>
-#include <sys/syscall.h>
-#include <sys/time.h>
-#include <unistd.h>
-
-#include "mozilla/Atomics.h"
-#include "mozilla/Maybe.h"
-#include "mozilla/SandboxInfo.h"
-#include "mozilla/UniquePtr.h"
-#include "mozilla/Unused.h"
-#include "sandbox/linux/bpf_dsl/codegen.h"
-#include "sandbox/linux/bpf_dsl/dump_bpf.h"
-#include "sandbox/linux/bpf_dsl/policy.h"
-#include "sandbox/linux/bpf_dsl/policy_compiler.h"
-#include "sandbox/linux/bpf_dsl/seccomp_macros.h"
-#include "sandbox/linux/seccomp-bpf/trap.h"
-#include "sandbox/linux/system_headers/linux_filter.h"
-#include "sandbox/linux/system_headers/linux_seccomp.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-#if defined(ANDROID)
-#include "sandbox/linux/system_headers/linux_ucontext.h"
-#endif
-
-#ifdef MOZ_ASAN
-// Copy libsanitizer declarations to avoid depending on ASAN headers.
-// See also bug 1081242 comment #4.
-extern "C" {
-namespace __sanitizer {
-// Win64 uses long long, but this is Linux.
-typedef signed long sptr;
-} // namespace __sanitizer
-
-typedef struct {
- int coverage_sandboxed;
- __sanitizer::sptr coverage_fd;
- unsigned int coverage_max_block_size;
-} __sanitizer_sandbox_arguments;
-
-MOZ_IMPORT_API void
-__sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args);
-} // extern "C"
-#endif // MOZ_ASAN
-
-// Signal number used to enable seccomp on each thread.
-int gSeccompTsyncBroadcastSignum = 0;
-
-namespace mozilla {
-
-// This is initialized by SandboxSetCrashFunc().
-SandboxCrashFunc gSandboxCrashFunc;
-
-static UniquePtr<SandboxChroot> gChrootHelper;
-static void (*gChromiumSigSysHandler)(int, siginfo_t*, void*);
-
-// Test whether a ucontext, interpreted as the state after a syscall,
-// indicates the given error. See also sandbox::Syscall::PutValueInUcontext.
-static bool
-ContextIsError(const ucontext_t *aContext, int aError)
-{
- // Avoid integer promotion warnings. (The unary addition makes
- // the decltype not evaluate to a reference type.)
- typedef decltype(+SECCOMP_RESULT(aContext)) reg_t;
-
-#ifdef __mips__
- return SECCOMP_PARM4(aContext) != 0
- && SECCOMP_RESULT(aContext) == static_cast<reg_t>(aError);
-#else
- return SECCOMP_RESULT(aContext) == static_cast<reg_t>(-aError);
-#endif
-}
-
-/**
- * This is the SIGSYS handler function. It delegates to the Chromium
- * TrapRegistry handler (see InstallSigSysHandler, below) and, if the
- * trap handler installed by the policy would fail with ENOSYS,
- * crashes the process. This allows unintentional policy failures to
- * be reported as crash dumps and fixed. It also logs information
- * about the failed system call.
- *
- * Note that this could be invoked in parallel on multiple threads and
- * that it could be in async signal context (e.g., intercepting an
- * open() called from an async signal handler).
- */
-static void
-SigSysHandler(int nr, siginfo_t *info, void *void_context)
-{
- ucontext_t *ctx = static_cast<ucontext_t*>(void_context);
- // This shouldn't ever be null, but the Chromium handler checks for
- // that and refrains from crashing, so let's not crash release builds:
- MOZ_DIAGNOSTIC_ASSERT(ctx);
- if (!ctx) {
- return;
- }
-
- // Save a copy of the context before invoking the trap handler,
- // which will overwrite one or more registers with the return value.
- ucontext_t savedCtx = *ctx;
-
- gChromiumSigSysHandler(nr, info, ctx);
- if (!ContextIsError(ctx, ENOSYS)) {
- return;
- }
-
- pid_t pid = getpid();
- unsigned long syscall_nr = SECCOMP_SYSCALL(&savedCtx);
- unsigned long args[6];
- args[0] = SECCOMP_PARM1(&savedCtx);
- args[1] = SECCOMP_PARM2(&savedCtx);
- args[2] = SECCOMP_PARM3(&savedCtx);
- args[3] = SECCOMP_PARM4(&savedCtx);
- args[4] = SECCOMP_PARM5(&savedCtx);
- args[5] = SECCOMP_PARM6(&savedCtx);
-
- // TODO, someday when this is enabled on MIPS: include the two extra
- // args in the error message.
- SANDBOX_LOG_ERROR("seccomp sandbox violation: pid %d, syscall %d,"
- " args %d %d %d %d %d %d. Killing process.",
- pid, syscall_nr,
- args[0], args[1], args[2], args[3], args[4], args[5]);
-
- // Bug 1017393: record syscall number somewhere useful.
- info->si_addr = reinterpret_cast<void*>(syscall_nr);
-
- gSandboxCrashFunc(nr, info, &savedCtx);
- _exit(127);
-}
-
-/**
- * This function installs the SIGSYS handler. This is slightly
- * complicated because we want to use Chromium's handler to dispatch
- * to specific trap handlers defined in the policy, but we also need
- * the full original signal context to give to Breakpad for crash
- * dumps. So we install Chromium's handler first, then retrieve its
- * address so our replacement can delegate to it.
- */
-static void
-InstallSigSysHandler(void)
-{
- struct sigaction act;
-
- // Ensure that the Chromium handler is installed.
- Unused << sandbox::Trap::Registry();
-
- // If the signal handling state isn't as expected, crash now instead
- // of crashing later (and more confusingly) when SIGSYS happens.
-
- if (sigaction(SIGSYS, nullptr, &act) != 0) {
- MOZ_CRASH("Couldn't read old SIGSYS disposition");
- }
- if ((act.sa_flags & SA_SIGINFO) != SA_SIGINFO) {
- MOZ_CRASH("SIGSYS not already set to a siginfo handler?");
- }
- MOZ_RELEASE_ASSERT(act.sa_sigaction);
- gChromiumSigSysHandler = act.sa_sigaction;
- act.sa_sigaction = SigSysHandler;
- // Currently, SA_NODEFER should already be set by the Chromium code,
- // but it's harmless to ensure that it's set:
- MOZ_ASSERT(act.sa_flags & SA_NODEFER);
- act.sa_flags |= SA_NODEFER;
- if (sigaction(SIGSYS, &act, nullptr) < 0) {
- MOZ_CRASH("Couldn't change SIGSYS disposition");
- }
-}
-
-/**
- * This function installs the syscall filter, a.k.a. seccomp. The
- * aUseTSync flag indicates whether this should apply to all threads
- * in the process -- which will fail if the kernel doesn't support
- * that -- or only the current thread.
- *
- * SECCOMP_MODE_FILTER is the "bpf" mode of seccomp which allows
- * to pass a bpf program (in our case, it contains a syscall
- * whitelist).
- *
- * PR_SET_NO_NEW_PRIVS ensures that it is impossible to grant more
- * syscalls to the process beyond this point (even after fork()), and
- * prevents gaining capabilities (e.g., by exec'ing a setuid root
- * program). The kernel won't allow seccomp-bpf without doing this,
- * because otherwise it could be used for privilege escalation attacks.
- *
- * Returns false if the filter was already installed (see the
- * PR_SET_NO_NEW_PRIVS rule in SandboxFilter.cpp). Crashes on any
- * other error condition.
- *
- * @see SandboxInfo
- * @see BroadcastSetThreadSandbox
- */
-static bool MOZ_MUST_USE
-InstallSyscallFilter(const sock_fprog *aProg, bool aUseTSync)
-{
- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) {
- if (!aUseTSync && errno == ETXTBSY) {
- return false;
- }
- SANDBOX_LOG_ERROR("prctl(PR_SET_NO_NEW_PRIVS) failed: %s", strerror(errno));
- MOZ_CRASH("prctl(PR_SET_NO_NEW_PRIVS)");
- }
-
- if (aUseTSync) {
- if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
- SECCOMP_FILTER_FLAG_TSYNC, aProg) != 0) {
- SANDBOX_LOG_ERROR("thread-synchronized seccomp failed: %s",
- strerror(errno));
- MOZ_CRASH("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)");
- }
- } else {
- if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, (unsigned long)aProg, 0, 0)) {
- SANDBOX_LOG_ERROR("prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) failed: %s",
- strerror(errno));
- MOZ_CRASH("seccomp+tsync failed, but kernel supports tsync");
- }
- }
- return true;
-}
-
-// Use signals for permissions that need to be set per-thread.
-// The communication channel from the signal handler back to the main thread.
-static mozilla::Atomic<int> gSetSandboxDone;
-// Pass the filter itself through a global.
-const sock_fprog* gSetSandboxFilter;
-
-// We have to dynamically allocate the signal number; see bug 1038900.
-// This function returns the first realtime signal currently set to
-// default handling (i.e., not in use), or 0 if none could be found.
-//
-// WARNING: if this function or anything similar to it (including in
-// external libraries) is used on multiple threads concurrently, there
-// will be a race condition.
-static int
-FindFreeSignalNumber()
-{
- for (int signum = SIGRTMAX; signum >= SIGRTMIN; --signum) {
- struct sigaction sa;
-
- if (sigaction(signum, nullptr, &sa) == 0 &&
- (sa.sa_flags & SA_SIGINFO) == 0 &&
- sa.sa_handler == SIG_DFL) {
- return signum;
- }
- }
- return 0;
-}
-
-// Returns true if sandboxing was enabled, or false if sandboxing
-// already was enabled. Crashes if sandboxing could not be enabled.
-static bool
-SetThreadSandbox()
-{
- return InstallSyscallFilter(gSetSandboxFilter, false);
-}
-
-static void
-SetThreadSandboxHandler(int signum)
-{
- // The non-zero number sent back to the main thread indicates
- // whether action was taken.
- if (SetThreadSandbox()) {
- gSetSandboxDone = 2;
- } else {
- gSetSandboxDone = 1;
- }
- // Wake up the main thread. See the FUTEX_WAIT call, below, for an
- // explanation.
- syscall(__NR_futex, reinterpret_cast<int*>(&gSetSandboxDone),
- FUTEX_WAKE, 1);
-}
-
-static void
-EnterChroot()
-{
- if (gChrootHelper) {
- gChrootHelper->Invoke();
- gChrootHelper = nullptr;
- }
-}
-
-static void
-BroadcastSetThreadSandbox(const sock_fprog* aFilter)
-{
- pid_t pid, tid, myTid;
- DIR *taskdp;
- struct dirent *de;
-
- // This function does not own *aFilter, so this global needs to
- // always be zeroed before returning.
- gSetSandboxFilter = aFilter;
-
- static_assert(sizeof(mozilla::Atomic<int>) == sizeof(int),
- "mozilla::Atomic<int> isn't represented by an int");
- pid = getpid();
- myTid = syscall(__NR_gettid);
- taskdp = opendir("/proc/self/task");
- if (taskdp == nullptr) {
- SANDBOX_LOG_ERROR("opendir /proc/self/task: %s\n", strerror(errno));
- MOZ_CRASH();
- }
-
- EnterChroot();
-
- // In case this races with a not-yet-deprivileged thread cloning
- // itself, repeat iterating over all threads until we find none
- // that are still privileged.
- bool sandboxProgress;
- do {
- sandboxProgress = false;
- // For each thread...
- while ((de = readdir(taskdp))) {
- char *endptr;
- tid = strtol(de->d_name, &endptr, 10);
- if (*endptr != '\0' || tid <= 0) {
- // Not a task ID.
- continue;
- }
- if (tid == myTid) {
- // Drop this thread's privileges last, below, so we can
- // continue to signal other threads.
- continue;
- }
-
- MOZ_RELEASE_ASSERT(gSeccompTsyncBroadcastSignum != 0);
-
- // Reset the futex cell and signal.
- gSetSandboxDone = 0;
- if (syscall(__NR_tgkill, pid, tid, gSeccompTsyncBroadcastSignum) != 0) {
- if (errno == ESRCH) {
- SANDBOX_LOG_ERROR("Thread %d unexpectedly exited.", tid);
- // Rescan threads, in case it forked before exiting.
- sandboxProgress = true;
- continue;
- }
- SANDBOX_LOG_ERROR("tgkill(%d,%d): %s\n", pid, tid, strerror(errno));
- MOZ_CRASH();
- }
- // It's unlikely, but if the thread somehow manages to exit
- // after receiving the signal but before entering the signal
- // handler, we need to avoid blocking forever.
- //
- // Using futex directly lets the signal handler send the wakeup
- // from an async signal handler (pthread mutex/condvar calls
- // aren't allowed), and to use a relative timeout that isn't
- // affected by changes to the system clock (not possible with
- // POSIX semaphores).
- //
- // If a thread doesn't respond within a reasonable amount of
- // time, but still exists, we crash -- the alternative is either
- // blocking forever or silently losing security, and it
- // shouldn't actually happen.
- static const int crashDelay = 10; // seconds
- struct timespec timeLimit;
- clock_gettime(CLOCK_MONOTONIC, &timeLimit);
- timeLimit.tv_sec += crashDelay;
- while (true) {
- static const struct timespec futexTimeout = { 0, 10*1000*1000 }; // 10ms
- // Atomically: if gSetSandboxDone == 0, then sleep.
- if (syscall(__NR_futex, reinterpret_cast<int*>(&gSetSandboxDone),
- FUTEX_WAIT, 0, &futexTimeout) != 0) {
- if (errno != EWOULDBLOCK && errno != ETIMEDOUT && errno != EINTR) {
- SANDBOX_LOG_ERROR("FUTEX_WAIT: %s\n", strerror(errno));
- MOZ_CRASH();
- }
- }
- // Did the handler finish?
- if (gSetSandboxDone > 0) {
- if (gSetSandboxDone == 2) {
- sandboxProgress = true;
- }
- break;
- }
- // Has the thread ceased to exist?
- if (syscall(__NR_tgkill, pid, tid, 0) != 0) {
- if (errno == ESRCH) {
- SANDBOX_LOG_ERROR("Thread %d unexpectedly exited.", tid);
- }
- // Rescan threads, in case it forked before exiting.
- // Also, if it somehow failed in a way that wasn't ESRCH,
- // and still exists, that will be handled on the next pass.
- sandboxProgress = true;
- break;
- }
- struct timespec now;
- clock_gettime(CLOCK_MONOTONIC, &now);
- if (now.tv_sec > timeLimit.tv_sec ||
- (now.tv_sec == timeLimit.tv_sec &&
- now.tv_nsec > timeLimit.tv_nsec)) {
- SANDBOX_LOG_ERROR("Thread %d unresponsive for %d seconds."
- " Killing process.",
- tid, crashDelay);
- MOZ_CRASH();
- }
- }
- }
- rewinddir(taskdp);
- } while (sandboxProgress);
-
- void (*oldHandler)(int);
- oldHandler = signal(gSeccompTsyncBroadcastSignum, SIG_DFL);
- gSeccompTsyncBroadcastSignum = 0;
- if (oldHandler != SetThreadSandboxHandler) {
- // See the comment on FindFreeSignalNumber about race conditions.
- SANDBOX_LOG_ERROR("handler for signal %d was changed to %p!",
- gSeccompTsyncBroadcastSignum, oldHandler);
- MOZ_CRASH();
- }
- Unused << closedir(taskdp);
- // And now, deprivilege the main thread:
- SetThreadSandbox();
- gSetSandboxFilter = nullptr;
-}
-
-static void
-ApplySandboxWithTSync(sock_fprog* aFilter)
-{
- EnterChroot();
- // At this point we're committed to using tsync, because the signal
- // broadcast workaround needs to access procfs. (Unless chroot
- // isn't used... but this failure shouldn't happen in the first
- // place, so let's not make extra special cases for it.)
- if (!InstallSyscallFilter(aFilter, true)) {
- MOZ_CRASH();
- }
-}
-
-// Common code for sandbox startup.
-static void
-SetCurrentProcessSandbox(UniquePtr<sandbox::bpf_dsl::Policy> aPolicy)
-{
- MOZ_ASSERT(gSandboxCrashFunc);
-
- // Note: PolicyCompiler borrows the policy and registry for its
- // lifetime, but does not take ownership of them.
- sandbox::bpf_dsl::PolicyCompiler compiler(aPolicy.get(),
- sandbox::Trap::Registry());
- sandbox::CodeGen::Program program = compiler.Compile();
- if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) {
- sandbox::bpf_dsl::DumpBPF::PrintProgram(program);
- }
-
- InstallSigSysHandler();
-
-#ifdef MOZ_ASAN
- __sanitizer_sandbox_arguments asanArgs;
- asanArgs.coverage_sandboxed = 1;
- asanArgs.coverage_fd = -1;
- asanArgs.coverage_max_block_size = 0;
- __sanitizer_sandbox_on_notify(&asanArgs);
-#endif
-
- // The syscall takes a C-style array, so copy the vector into one.
- size_t programLen = program.size();
- UniquePtr<sock_filter[]> flatProgram(new sock_filter[programLen]);
- for (auto i = program.begin(); i != program.end(); ++i) {
- flatProgram[i - program.begin()] = *i;
- }
-
- sock_fprog fprog;
- fprog.filter = flatProgram.get();
- fprog.len = static_cast<unsigned short>(programLen);
- MOZ_RELEASE_ASSERT(static_cast<size_t>(fprog.len) == programLen);
-
- const SandboxInfo info = SandboxInfo::Get();
- if (info.Test(SandboxInfo::kHasSeccompTSync)) {
- if (info.Test(SandboxInfo::kVerbose)) {
- SANDBOX_LOG_ERROR("using seccomp tsync");
- }
- ApplySandboxWithTSync(&fprog);
- } else {
- if (info.Test(SandboxInfo::kVerbose)) {
- SANDBOX_LOG_ERROR("no tsync support; using signal broadcast");
- }
- BroadcastSetThreadSandbox(&fprog);
- }
- MOZ_RELEASE_ASSERT(!gChrootHelper, "forgot to chroot");
-}
-
-void
-SandboxEarlyInit(GeckoProcessType aType)
-{
- const SandboxInfo info = SandboxInfo::Get();
- if (info.Test(SandboxInfo::kUnexpectedThreads)) {
- return;
- }
- MOZ_RELEASE_ASSERT(IsSingleThreaded());
-
- // Which kinds of resource isolation (of those that need to be set
- // up at this point) can be used by this process?
- bool canChroot = false;
- bool canUnshareNet = false;
- bool canUnshareIPC = false;
-
- switch (aType) {
- case GeckoProcessType_Default:
- MOZ_ASSERT(false, "SandboxEarlyInit in parent process");
- return;
- default:
- // Other cases intentionally left blank.
- break;
- }
-
- // If TSYNC is not supported, set up signal handler
- // used to enable seccomp on each thread.
- if (!info.Test(SandboxInfo::kHasSeccompTSync)) {
- gSeccompTsyncBroadcastSignum = FindFreeSignalNumber();
- if (gSeccompTsyncBroadcastSignum == 0) {
- SANDBOX_LOG_ERROR("No available signal numbers!");
- MOZ_CRASH();
- }
-
- void (*oldHandler)(int);
- oldHandler = signal(gSeccompTsyncBroadcastSignum, SetThreadSandboxHandler);
- if (oldHandler != SIG_DFL) {
- // See the comment on FindFreeSignalNumber about race conditions.
- SANDBOX_LOG_ERROR("signal %d in use by handler %p!\n",
- gSeccompTsyncBroadcastSignum, oldHandler);
- MOZ_CRASH();
- }
- }
-
- // If there's nothing to do, then we're done.
- if (!canChroot && !canUnshareNet && !canUnshareIPC) {
- return;
- }
-
- {
- LinuxCapabilities existingCaps;
- if (existingCaps.GetCurrent() && existingCaps.AnyEffective()) {
- SANDBOX_LOG_ERROR("PLEASE DO NOT RUN THIS AS ROOT. Strange things may"
- " happen when capabilities are dropped.");
- }
- }
-
- // If capabilities can't be gained, then nothing can be done.
- if (!info.Test(SandboxInfo::kHasUserNamespaces)) {
- // Drop any existing capabilities; unsharing the user namespace
- // would implicitly drop them, so if we're running in a broken
- // configuration where that would matter (e.g., running as root
- // from a non-root-owned mode-0700 directory) this means it will
- // break the same way on all kernels and be easier to troubleshoot.
- LinuxCapabilities().SetCurrent();
- return;
- }
-
- // The failure cases for the various unshares, and setting up the
- // chroot helper, don't strictly need to be fatal -- but they also
- // shouldn't fail on any reasonable system, so let's take the small
- // risk of breakage over the small risk of quietly providing less
- // security than we expect. (Unlike in SandboxInfo, this is in the
- // child process, so crashing here isn't as severe a response to the
- // unexpected.)
- if (!UnshareUserNamespace()) {
- SANDBOX_LOG_ERROR("unshare(CLONE_NEWUSER): %s", strerror(errno));
- // If CanCreateUserNamespace (SandboxInfo.cpp) returns true, then
- // the unshare shouldn't have failed.
- MOZ_CRASH("unshare(CLONE_NEWUSER)");
- }
- // No early returns after this point! We need to drop the
- // capabilities that were gained by unsharing the user namesapce.
-
- if (canUnshareIPC && syscall(__NR_unshare, CLONE_NEWIPC) != 0) {
- SANDBOX_LOG_ERROR("unshare(CLONE_NEWIPC): %s", strerror(errno));
- MOZ_CRASH("unshare(CLONE_NEWIPC)");
- }
-
- if (canUnshareNet && syscall(__NR_unshare, CLONE_NEWNET) != 0) {
- SANDBOX_LOG_ERROR("unshare(CLONE_NEWNET): %s", strerror(errno));
- MOZ_CRASH("unshare(CLONE_NEWNET)");
- }
-
- if (canChroot) {
- gChrootHelper = MakeUnique<SandboxChroot>();
- if (!gChrootHelper->Prepare()) {
- SANDBOX_LOG_ERROR("failed to set up chroot helper");
- MOZ_CRASH("SandboxChroot::Prepare");
- }
- }
-
- if (!LinuxCapabilities().SetCurrent()) {
- SANDBOX_LOG_ERROR("dropping capabilities: %s", strerror(errno));
- MOZ_CRASH("can't drop capabilities");
- }
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/Sandbox.h b/security/sandbox/linux/Sandbox.h
deleted file mode 100644
index 9d1c3d4b3..000000000
--- a/security/sandbox/linux/Sandbox.h
+++ /dev/null
@@ -1,24 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_Sandbox_h
-#define mozilla_Sandbox_h
-
-#include "mozilla/Types.h"
-#include "nsXULAppAPI.h"
-
-// This defines the entry points for a content process to start
-// sandboxing itself. See also SandboxInfo.h for what parts of
-// sandboxing are enabled/supported.
-
-namespace mozilla {
-
-// This must be called early, while the process is still single-threaded.
-MOZ_EXPORT void SandboxEarlyInit(GeckoProcessType aType);
-
-} // namespace mozilla
-
-#endif // mozilla_Sandbox_h
diff --git a/security/sandbox/linux/SandboxBrokerClient.cpp b/security/sandbox/linux/SandboxBrokerClient.cpp
deleted file mode 100644
index 68744ad02..000000000
--- a/security/sandbox/linux/SandboxBrokerClient.cpp
+++ /dev/null
@@ -1,247 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxBrokerClient.h"
-#include "SandboxInfo.h"
-#include "SandboxLogging.h"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include "mozilla/Assertions.h"
-#include "mozilla/NullPtr.h"
-#include "base/strings/safe_sprintf.h"
-
-namespace mozilla {
-
-SandboxBrokerClient::SandboxBrokerClient(int aFd)
-: mFileDesc(aFd)
-{
-}
-
-SandboxBrokerClient::~SandboxBrokerClient()
-{
- close(mFileDesc);
-}
-
-int
-SandboxBrokerClient::DoCall(const Request* aReq, const char* aPath,
- const char* aPath2, void* aResponseBuff,
- bool expectFd)
-{
- // Remap /proc/self to the actual pid, so that the broker can open
- // it. This happens here instead of in the broker to follow the
- // principle of least privilege and keep the broker as simple as
- // possible. (Note: when pid namespaces happen, this will also need
- // to remap the inner pid to the outer pid.)
- // We only remap the first path.
- static const char kProcSelf[] = "/proc/self/";
- static const size_t kProcSelfLen = sizeof(kProcSelf) - 1;
- const char* path = aPath;
- // This buffer just needs to be large enough for any such path that
- // the policy would actually allow. sizeof("/proc/2147483647/") == 18.
- char rewrittenPath[64];
- if (strncmp(aPath, kProcSelf, kProcSelfLen) == 0) {
- ssize_t len =
- base::strings::SafeSPrintf(rewrittenPath, "/proc/%d/%s",
- getpid(), aPath + kProcSelfLen);
- if (static_cast<size_t>(len) < sizeof(rewrittenPath)) {
- if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) {
- SANDBOX_LOG_ERROR("rewriting %s -> %s", aPath, rewrittenPath);
- }
- path = rewrittenPath;
- } else {
- SANDBOX_LOG_ERROR("not rewriting unexpectedly long path %s", aPath);
- }
- }
-
- struct iovec ios[3];
- int respFds[2];
-
- // Set up iovecs for request + path.
- ios[0].iov_base = const_cast<Request*>(aReq);
- ios[0].iov_len = sizeof(*aReq);
- ios[1].iov_base = const_cast<char*>(path);
- ios[1].iov_len = strlen(path) + 1;
- if (aPath2 != nullptr) {
- ios[2].iov_base = const_cast<char*>(aPath2);
- ios[2].iov_len = strlen(aPath2) + 1;
- } else {
- ios[2].iov_base = 0;
- ios[2].iov_len = 0;
- }
- if (ios[1].iov_len > kMaxPathLen) {
- return -ENAMETOOLONG;
- }
- if (ios[2].iov_len > kMaxPathLen) {
- return -ENAMETOOLONG;
- }
-
- // Create response socket and send request.
- if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, respFds) < 0) {
- return -errno;
- }
- const ssize_t sent = SendWithFd(mFileDesc, ios, 3, respFds[1]);
- const int sendErrno = errno;
- MOZ_ASSERT(sent < 0 ||
- static_cast<size_t>(sent) == ios[0].iov_len
- + ios[1].iov_len
- + ios[2].iov_len);
- close(respFds[1]);
- if (sent < 0) {
- close(respFds[0]);
- return -sendErrno;
- }
-
- // Set up iovecs for response.
- Response resp;
- ios[0].iov_base = &resp;
- ios[0].iov_len = sizeof(resp);
- if (aResponseBuff) {
- ios[1].iov_base = aResponseBuff;
- ios[1].iov_len = aReq->mBufSize;
- } else {
- ios[1].iov_base = nullptr;
- ios[1].iov_len = 0;
- }
-
- // Wait for response and return appropriately.
- int openedFd = -1;
- const ssize_t recvd = RecvWithFd(respFds[0], ios, aResponseBuff ? 2 : 1,
- expectFd ? &openedFd : nullptr);
- const int recvErrno = errno;
- close(respFds[0]);
- if (recvd < 0) {
- return -recvErrno;
- }
- if (recvd == 0) {
- SANDBOX_LOG_ERROR("Unexpected EOF, op %d flags 0%o path %s",
- aReq->mOp, aReq->mFlags, path);
- return -EIO;
- }
- MOZ_ASSERT(static_cast<size_t>(recvd) <= ios[0].iov_len + ios[1].iov_len);
- // Some calls such as readlink return a size if successful
- if (resp.mError >= 0) {
- // Success!
- if (expectFd) {
- MOZ_ASSERT(openedFd >= 0);
- return openedFd;
- }
- return resp.mError;
- }
- if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) {
- // Keep in mind that "rejected" files can include ones that don't
- // actually exist, if it's something that's optional or part of a
- // search path (e.g., shared libraries). In those cases, this
- // error message is expected.
- SANDBOX_LOG_ERROR("Rejected errno %d op %d flags 0%o path %s",
- resp.mError, aReq->mOp, aReq->mFlags, path);
- }
- if (openedFd >= 0) {
- close(openedFd);
- }
- return resp.mError;
-}
-
-int
-SandboxBrokerClient::Open(const char* aPath, int aFlags)
-{
- Request req = { SANDBOX_FILE_OPEN, aFlags, 0 };
- int maybeFd = DoCall(&req, aPath, nullptr, nullptr, true);
- if (maybeFd >= 0) {
- // NSPR has opinions about file flags. Fix O_CLOEXEC.
- if ((aFlags & O_CLOEXEC) == 0) {
- fcntl(maybeFd, F_SETFD, 0);
- }
- }
- return maybeFd;
-}
-
-int
-SandboxBrokerClient::Access(const char* aPath, int aMode)
-{
- Request req = { SANDBOX_FILE_ACCESS, aMode, 0 };
- return DoCall(&req, aPath, nullptr, nullptr, false);
-}
-
-int
-SandboxBrokerClient::Stat(const char* aPath, statstruct* aStat)
-{
- Request req = { SANDBOX_FILE_STAT, 0, sizeof(statstruct) };
- return DoCall(&req, aPath, nullptr, (void*)aStat, false);
-}
-
-int
-SandboxBrokerClient::LStat(const char* aPath, statstruct* aStat)
-{
- Request req = { SANDBOX_FILE_STAT, O_NOFOLLOW, sizeof(statstruct) };
- return DoCall(&req, aPath, nullptr, (void*)aStat, false);
-}
-
-int
-SandboxBrokerClient::Chmod(const char* aPath, int aMode)
-{
- Request req = {SANDBOX_FILE_CHMOD, aMode, 0};
- return DoCall(&req, aPath, nullptr, nullptr, false);
-}
-
-int
-SandboxBrokerClient::Link(const char* aOldPath, const char* aNewPath)
-{
- Request req = {SANDBOX_FILE_LINK, 0, 0};
- return DoCall(&req, aOldPath, aNewPath, nullptr, false);
-}
-
-int
-SandboxBrokerClient::Symlink(const char* aOldPath, const char* aNewPath)
-{
- Request req = {SANDBOX_FILE_SYMLINK, 0, 0};
- return DoCall(&req, aOldPath, aNewPath, nullptr, false);
-}
-
-int
-SandboxBrokerClient::Rename(const char* aOldPath, const char* aNewPath)
-{
- Request req = {SANDBOX_FILE_RENAME, 0, 0};
- return DoCall(&req, aOldPath, aNewPath, nullptr, false);
-}
-
-int
-SandboxBrokerClient::Mkdir(const char* aPath, int aMode)
-{
- Request req = {SANDBOX_FILE_MKDIR, aMode, 0};
- return DoCall(&req, aPath, nullptr, nullptr, false);
-}
-
-int
-SandboxBrokerClient::Unlink(const char* aPath)
-{
- Request req = {SANDBOX_FILE_UNLINK, 0, 0};
- return DoCall(&req, aPath, nullptr, nullptr, false);
-}
-
-int
-SandboxBrokerClient::Rmdir(const char* aPath)
-{
- Request req = {SANDBOX_FILE_RMDIR, 0, 0};
- return DoCall(&req, aPath, nullptr, nullptr, false);
-}
-
-int
-SandboxBrokerClient::Readlink(const char* aPath, void* aBuff, size_t aSize)
-{
- Request req = {SANDBOX_FILE_READLINK, 0, aSize};
- return DoCall(&req, aPath, nullptr, aBuff, false);
-}
-
-} // namespace mozilla
-
diff --git a/security/sandbox/linux/SandboxBrokerClient.h b/security/sandbox/linux/SandboxBrokerClient.h
deleted file mode 100644
index 06db2f183..000000000
--- a/security/sandbox/linux/SandboxBrokerClient.h
+++ /dev/null
@@ -1,58 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxBrokerClient_h
-#define mozilla_SandboxBrokerClient_h
-
-#include "broker/SandboxBrokerCommon.h"
-#include "broker/SandboxBrokerUtils.h"
-
-#include "mozilla/Attributes.h"
-
-// This is the client for the sandbox broker described in
-// broker/SandboxBroker.h; its constructor takes the file descriptor
-// returned by SandboxBroker::Create, passed to the child over IPC.
-//
-// The operations exposed here can be called from any thread and in
-// async signal handlers, like the corresponding system calls. The
-// intended use is from a seccomp-bpf SIGSYS handler, to transparently
-// replace those syscalls, but they could also be used directly.
-
-struct stat;
-
-namespace mozilla {
-
-class SandboxBrokerClient final : private SandboxBrokerCommon {
- public:
- explicit SandboxBrokerClient(int aFd);
- ~SandboxBrokerClient();
-
- int Open(const char* aPath, int aFlags);
- int Access(const char* aPath, int aMode);
- int Stat(const char* aPath, statstruct* aStat);
- int LStat(const char* aPath, statstruct* aStat);
- int Chmod(const char* aPath, int aMode);
- int Link(const char* aPath, const char* aPath2);
- int Mkdir(const char* aPath, int aMode);
- int Symlink(const char* aOldPath, const char* aNewPath);
- int Rename(const char* aOldPath, const char* aNewPath);
- int Unlink(const char* aPath);
- int Rmdir(const char* aPath);
- int Readlink(const char* aPath, void* aBuf, size_t aBufSize);
-
- private:
- int mFileDesc;
-
- int DoCall(const Request* aReq,
- const char* aPath,
- const char* aPath2,
- void *aReponseBuff,
- bool expectFd);
-};
-
-} // namespace mozilla
-
-#endif // mozilla_SandboxBrokerClient_h
diff --git a/security/sandbox/linux/SandboxChroot.cpp b/security/sandbox/linux/SandboxChroot.cpp
deleted file mode 100644
index 2091bfe05..000000000
--- a/security/sandbox/linux/SandboxChroot.cpp
+++ /dev/null
@@ -1,212 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxChroot.h"
-
-#include "SandboxLogging.h"
-#include "LinuxCapabilities.h"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "base/posix/eintr_wrapper.h"
-#include "mozilla/Assertions.h"
-#include "mozilla/DebugOnly.h"
-#include "mozilla/NullPtr.h"
-
-#define MOZ_ALWAYS_ZERO(e) MOZ_ALWAYS_TRUE((e) == 0)
-
-namespace mozilla {
-
-SandboxChroot::SandboxChroot()
-{
- pthread_mutexattr_t attr;
- MOZ_ALWAYS_ZERO(pthread_mutexattr_init(&attr));
- MOZ_ALWAYS_ZERO(pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK));
- MOZ_ALWAYS_ZERO(pthread_mutex_init(&mMutex, &attr));
- MOZ_ALWAYS_ZERO(pthread_cond_init(&mWakeup, nullptr));
- mCommand = NO_THREAD;
-}
-
-SandboxChroot::~SandboxChroot()
-{
- SendCommand(JUST_EXIT);
- MOZ_ALWAYS_ZERO(pthread_mutex_destroy(&mMutex));
- MOZ_ALWAYS_ZERO(pthread_cond_destroy(&mWakeup));
-}
-
-bool
-SandboxChroot::SendCommand(Command aComm)
-{
- MOZ_ALWAYS_ZERO(pthread_mutex_lock(&mMutex));
- if (mCommand == NO_THREAD) {
- MOZ_RELEASE_ASSERT(aComm == JUST_EXIT);
- MOZ_ALWAYS_ZERO(pthread_mutex_unlock(&mMutex));
- return false;
- } else {
- MOZ_ASSERT(mCommand == NO_COMMAND);
- mCommand = aComm;
- MOZ_ALWAYS_ZERO(pthread_mutex_unlock(&mMutex));
- MOZ_ALWAYS_ZERO(pthread_cond_signal(&mWakeup));
- void *retval;
- if (pthread_join(mThread, &retval) != 0 || retval != nullptr) {
- MOZ_CRASH("Failed to stop privileged chroot thread");
- }
- MOZ_ASSERT(mCommand == NO_THREAD);
- }
- return true;
-}
-
-static void
-AlwaysClose(int fd)
-{
- if (IGNORE_EINTR(close(fd)) != 0) {
- SANDBOX_LOG_ERROR("close: %s", strerror(errno));
- MOZ_CRASH("failed to close()");
- }
-}
-
-static int
-OpenDeletedDirectory()
-{
- // We don't need this directory to persist between invocations of
- // the program (nor need it to be cleaned up if something goes wrong
- // here, because mkdtemp will choose a fresh name), so /tmp as
- // specified by FHS is adequate.
- //
- // However, this needs a filesystem where a deleted directory can
- // still be used, and /tmp is sometimes not that; e.g., aufs(5),
- // often used for containers, will cause the chroot() to fail with
- // ESTALE (bug 1162965). So this uses /dev/shm if possible instead.
- char tmpPath[] = "/tmp/mozsandbox.XXXXXX";
- char shmPath[] = "/dev/shm/mozsandbox.XXXXXX";
- char* path;
- if (mkdtemp(shmPath)) {
- path = shmPath;
- } else if (mkdtemp(tmpPath)) {
- path = tmpPath;
- } else {
- SANDBOX_LOG_ERROR("mkdtemp: %s", strerror(errno));
- return -1;
- }
- int fd = HANDLE_EINTR(open(path, O_RDONLY | O_DIRECTORY));
- if (fd < 0) {
- SANDBOX_LOG_ERROR("open %s: %s", path, strerror(errno));
- // Try to clean up. Shouldn't fail, but livable if it does.
- DebugOnly<bool> ok = HANDLE_EINTR(rmdir(path)) == 0;
- MOZ_ASSERT(ok);
- return -1;
- }
- if (HANDLE_EINTR(rmdir(path)) != 0) {
- SANDBOX_LOG_ERROR("rmdir %s: %s", path, strerror(errno));
- AlwaysClose(fd);
- return -1;
- }
- return fd;
-}
-
-bool
-SandboxChroot::Prepare()
-{
- LinuxCapabilities caps;
- if (!caps.GetCurrent() || !caps.Effective(CAP_SYS_CHROOT)) {
- SANDBOX_LOG_ERROR("don't have permission to chroot");
- return false;
- }
- mFd = OpenDeletedDirectory();
- if (mFd < 0) {
- SANDBOX_LOG_ERROR("failed to create empty directory for chroot");
- return false;
- }
- MOZ_ALWAYS_ZERO(pthread_mutex_lock(&mMutex));
- MOZ_ASSERT(mCommand == NO_THREAD);
- if (pthread_create(&mThread, nullptr, StaticThreadMain, this) != 0) {
- MOZ_ALWAYS_ZERO(pthread_mutex_unlock(&mMutex));
- SANDBOX_LOG_ERROR("pthread_create: %s", strerror(errno));
- return false;
- }
- while (mCommand != NO_COMMAND) {
- MOZ_ASSERT(mCommand == NO_THREAD);
- MOZ_ALWAYS_ZERO(pthread_cond_wait(&mWakeup, &mMutex));
- }
- MOZ_ALWAYS_ZERO(pthread_mutex_unlock(&mMutex));
- return true;
-}
-
-void
-SandboxChroot::Invoke()
-{
- MOZ_ALWAYS_TRUE(SendCommand(DO_CHROOT));
-}
-
-static bool
-ChrootToFileDesc(int fd)
-{
- if (fchdir(fd) != 0) {
- SANDBOX_LOG_ERROR("fchdir: %s", strerror(errno));
- return false;
- }
- if (chroot(".") != 0) {
- SANDBOX_LOG_ERROR("chroot: %s", strerror(errno));
- return false;
- }
- return true;
-}
-
-/* static */ void*
-SandboxChroot::StaticThreadMain(void* aVoidPtr)
-{
- static_cast<SandboxChroot*>(aVoidPtr)->ThreadMain();
- return nullptr;
-}
-
-void
-SandboxChroot::ThreadMain()
-{
- // First, drop everything that isn't CAP_SYS_CHROOT. (This code
- // assumes that this thread already has effective CAP_SYS_CHROOT,
- // because Prepare() checked for it before creating this thread.)
- LinuxCapabilities caps;
- caps.Effective(CAP_SYS_CHROOT) = true;
- if (!caps.SetCurrent()) {
- SANDBOX_LOG_ERROR("capset: %s", strerror(errno));
- MOZ_CRASH("Can't limit chroot thread's capabilities");
- }
-
- MOZ_ALWAYS_ZERO(pthread_mutex_lock(&mMutex));
- MOZ_ASSERT(mCommand == NO_THREAD);
- mCommand = NO_COMMAND;
- MOZ_ALWAYS_ZERO(pthread_cond_signal(&mWakeup));
- while (mCommand == NO_COMMAND) {
- MOZ_ALWAYS_ZERO(pthread_cond_wait(&mWakeup, &mMutex));
- }
- if (mCommand == DO_CHROOT) {
- MOZ_ASSERT(mFd >= 0);
- if (!ChrootToFileDesc(mFd)) {
- MOZ_CRASH("Failed to chroot");
- }
- } else {
- MOZ_ASSERT(mCommand == JUST_EXIT);
- }
- if (mFd >= 0) {
- AlwaysClose(mFd);
- mFd = -1;
- }
- mCommand = NO_THREAD;
- MOZ_ALWAYS_ZERO(pthread_mutex_unlock(&mMutex));
- // Drop the remaining capabilities; see note in SandboxChroot.h
- // about the potential unreliability of pthread_join.
- if (!LinuxCapabilities().SetCurrent()) {
- MOZ_CRASH("can't drop capabilities");
- }
-}
-
-} // namespace mozilla
-
-#undef MOZ_ALWAYS_ZERO
diff --git a/security/sandbox/linux/SandboxChroot.h b/security/sandbox/linux/SandboxChroot.h
deleted file mode 100644
index 3ad89b732..000000000
--- a/security/sandbox/linux/SandboxChroot.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxChroot_h
-#define mozilla_SandboxChroot_h
-
-#include <pthread.h>
-
-#include "mozilla/Attributes.h"
-
-// This class uses the chroot(2) system call and Linux namespaces to
-// revoke the process's access to the filesystem. It requires that
-// the process be able to create user namespaces; this is the
-// kHasUserNamespaces in SandboxInfo.h.
-//
-// Usage: call Prepare() from a thread with CAP_SYS_CHROOT in its
-// effective capability set, then later call Invoke() when ready to
-// drop filesystem access. Prepare() creates a thread to do the
-// chrooting, so the caller can (and should!) drop its own
-// capabilities afterwards. When Invoke() returns, the thread will
-// have exited.
-//
-// (Exception: on Android/B2G <= KitKat, because of how pthread_join
-// is implemented, the thread may still exist, but it will not have
-// capabilities. Accordingly, on such systems, be careful about
-// namespaces or other resources the thread might have inherited.)
-//
-// Prepare() can fail (return false); for example, if it doesn't have
-// CAP_SYS_CHROOT or if it can't create a directory to chroot into.
-//
-// The root directory will be empty and deleted, so the process will
-// not be able to create new entries in it regardless of permissions.
-
-namespace mozilla {
-
-class SandboxChroot final {
-public:
- SandboxChroot();
- ~SandboxChroot();
- bool Prepare();
- void Invoke();
-private:
- enum Command {
- NO_THREAD,
- NO_COMMAND,
- DO_CHROOT,
- JUST_EXIT,
- };
-
- pthread_t mThread;
- pthread_mutex_t mMutex;
- pthread_cond_t mWakeup;
- Command mCommand;
- int mFd;
-
- void ThreadMain();
- static void* StaticThreadMain(void* aVoidPtr);
- bool SendCommand(Command aComm);
-};
-
-} // namespace mozilla
-
-#endif // mozilla_SandboxChroot_h
diff --git a/security/sandbox/linux/SandboxFilter.cpp b/security/sandbox/linux/SandboxFilter.cpp
deleted file mode 100644
index afaf53cec..000000000
--- a/security/sandbox/linux/SandboxFilter.cpp
+++ /dev/null
@@ -1,343 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxFilter.h"
-#include "SandboxFilterUtil.h"
-
-#include "SandboxBrokerClient.h"
-#include "SandboxInfo.h"
-#include "SandboxInternal.h"
-#include "SandboxLogging.h"
-
-#include "mozilla/UniquePtr.h"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <linux/ipc.h>
-#include <linux/net.h>
-#include <linux/prctl.h>
-#include <linux/sched.h>
-#include <string.h>
-#include <sys/mman.h>
-#include <sys/socket.h>
-#include <sys/syscall.h>
-#include <time.h>
-#include <unistd.h>
-
-#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
-#include "sandbox/linux/system_headers/linux_seccomp.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-
-using namespace sandbox::bpf_dsl;
-#define CASES SANDBOX_BPF_DSL_CASES
-
-// Fill in defines in case of old headers.
-// (Warning: these are wrong on PA-RISC.)
-#ifndef MADV_NOHUGEPAGE
-#define MADV_NOHUGEPAGE 15
-#endif
-#ifndef MADV_DONTDUMP
-#define MADV_DONTDUMP 16
-#endif
-
-// Added in Linux 4.5; see bug 1303813.
-#ifndef MADV_FREE
-#define MADV_FREE 8
-#endif
-
-#ifndef PR_SET_PTRACER
-#define PR_SET_PTRACER 0x59616d61
-#endif
-
-// To avoid visual confusion between "ifdef ANDROID" and "ifndef ANDROID":
-#ifndef ANDROID
-#define DESKTOP
-#endif
-
-// This file defines the seccomp-bpf system call filter policies.
-// See also SandboxFilterUtil.h, for the CASES_FOR_* macros and
-// SandboxFilterBase::Evaluate{Socket,Ipc}Call.
-//
-// One important difference from how Chromium bpf_dsl filters are
-// normally interpreted: returning -ENOSYS from a Trap() handler
-// indicates an unexpected system call; SigSysHandler() in Sandbox.cpp
-// will detect this, request a crash dump, and terminate the process.
-// This does not apply to using Error(ENOSYS) in the policy, so that
-// can be used if returning an actual ENOSYS is needed.
-
-namespace mozilla {
-
-// This class whitelists everything used by the sandbox itself, by the
-// core IPC code, by the crash reporter, or other core code.
-class SandboxPolicyCommon : public SandboxPolicyBase
-{
-protected:
- typedef const sandbox::arch_seccomp_data& ArgsRef;
-
- static intptr_t BlockedSyscallTrap(ArgsRef aArgs, void *aux) {
- MOZ_ASSERT(!aux);
- return -ENOSYS;
- }
-
-private:
-#if defined(ANDROID) && ANDROID_VERSION < 16
- // Bug 1093893: Translate tkill to tgkill for pthread_kill; fixed in
- // bionic commit 10c8ce59a (in JB and up; API level 16 = Android 4.1).
- static intptr_t TKillCompatTrap(const sandbox::arch_seccomp_data& aArgs,
- void *aux)
- {
- return syscall(__NR_tgkill, getpid(), aArgs.args[0], aArgs.args[1]);
- }
-#endif
-
- static intptr_t SetNoNewPrivsTrap(ArgsRef& aArgs, void* aux) {
- if (gSetSandboxFilter == nullptr) {
- // Called after BroadcastSetThreadSandbox finished, therefore
- // not our doing and not expected.
- return BlockedSyscallTrap(aArgs, nullptr);
- }
- // Signal that the filter is already in place.
- return -ETXTBSY;
- }
-
-public:
- virtual ResultExpr InvalidSyscall() const override {
- return Trap(BlockedSyscallTrap, nullptr);
- }
-
- virtual ResultExpr ClonePolicy(ResultExpr failPolicy) const {
- // Allow use for simple thread creation (pthread_create) only.
-
- // WARNING: s390 and cris pass the flags in the second arg -- see
- // CLONE_BACKWARDS2 in arch/Kconfig in the kernel source -- but we
- // don't support seccomp-bpf on those archs yet.
- Arg<int> flags(0);
-
- // The glibc source hasn't changed the thread creation clone flags
- // since 2004, so this *should* be safe to hard-code. Bionic's
- // value has changed a few times, and has converged on the same one
- // as glibc; allow any of them.
- static const int flags_common = CLONE_VM | CLONE_FS | CLONE_FILES |
- CLONE_SIGHAND | CLONE_THREAD | CLONE_SYSVSEM;
- static const int flags_modern = flags_common | CLONE_SETTLS |
- CLONE_PARENT_SETTID | CLONE_CHILD_CLEARTID;
-
- // Can't use CASES here because its decltype magic infers const
- // int instead of regular int and bizarre voluminous errors issue
- // forth from the depths of the standard library implementation.
- return Switch(flags)
-#ifdef ANDROID
- .Case(flags_common | CLONE_DETACHED, Allow()) // <= JB 4.2
- .Case(flags_common, Allow()) // JB 4.3 or KK 4.4
-#endif
- .Case(flags_modern, Allow()) // Android L or glibc
- .Default(failPolicy);
- }
-
- virtual ResultExpr PrctlPolicy() const {
- // Note: this will probably need PR_SET_VMA if/when it's used on
- // Android without being overridden by an allow-all policy, and
- // the constant will need to be defined locally.
- Arg<int> op(0);
- return Switch(op)
- .CASES((PR_GET_SECCOMP, // BroadcastSetThreadSandbox, etc.
- PR_SET_NAME, // Thread creation
- PR_SET_DUMPABLE, // Crash reporting
- PR_SET_PTRACER), // Debug-mode crash handling
- Allow())
- .Default(InvalidSyscall());
- }
-
- virtual Maybe<ResultExpr> EvaluateSocketCall(int aCall) const override {
- switch (aCall) {
- case SYS_RECVMSG:
- case SYS_SENDMSG:
- return Some(Allow());
- default:
- return Nothing();
- }
- }
-
- virtual ResultExpr EvaluateSyscall(int sysno) const override {
- switch (sysno) {
- // Timekeeping
- case __NR_clock_gettime: {
- Arg<clockid_t> clk_id(0);
- return If(clk_id == CLOCK_MONOTONIC, Allow())
-#ifdef CLOCK_MONOTONIC_COARSE
- .ElseIf(clk_id == CLOCK_MONOTONIC_COARSE, Allow())
-#endif
- .ElseIf(clk_id == CLOCK_PROCESS_CPUTIME_ID, Allow())
- .ElseIf(clk_id == CLOCK_REALTIME, Allow())
-#ifdef CLOCK_REALTIME_COARSE
- .ElseIf(clk_id == CLOCK_REALTIME_COARSE, Allow())
-#endif
- .ElseIf(clk_id == CLOCK_THREAD_CPUTIME_ID, Allow())
- .Else(InvalidSyscall());
- }
- case __NR_gettimeofday:
-#ifdef __NR_time
- case __NR_time:
-#endif
- case __NR_nanosleep:
- return Allow();
-
- // Thread synchronization
- case __NR_futex:
- // FIXME: This could be more restrictive....
- return Allow();
-
- // Asynchronous I/O
- case __NR_epoll_wait:
- case __NR_epoll_pwait:
- case __NR_epoll_ctl:
- case __NR_ppoll:
- case __NR_poll:
- return Allow();
-
- // Used when requesting a crash dump.
- case __NR_pipe:
- return Allow();
-
- // Metadata of opened files
- CASES_FOR_fstat:
- return Allow();
-
- // Simple I/O
- case __NR_write:
- case __NR_read:
- case __NR_readv:
- case __NR_writev: // see SandboxLogging.cpp
- CASES_FOR_lseek:
- return Allow();
-
- // Memory mapping
- CASES_FOR_mmap:
- case __NR_munmap:
- return Allow();
-
- // Signal handling
-#if defined(ANDROID) || defined(MOZ_ASAN)
- case __NR_sigaltstack:
-#endif
- CASES_FOR_sigreturn:
- CASES_FOR_sigprocmask:
- CASES_FOR_sigaction:
- return Allow();
-
- // Send signals within the process (raise(), profiling, etc.)
- case __NR_tgkill: {
- Arg<pid_t> tgid(0);
- return If(tgid == getpid(), Allow())
- .Else(InvalidSyscall());
- }
-
-#if defined(ANDROID) && ANDROID_VERSION < 16
- // Polyfill with tgkill; see above.
- case __NR_tkill:
- return Trap(TKillCompatTrap, nullptr);
-#endif
-
- // Yield
- case __NR_sched_yield:
- return Allow();
-
- // Thread creation.
- case __NR_clone:
- return ClonePolicy(InvalidSyscall());
-
- // More thread creation.
-#ifdef __NR_set_robust_list
- case __NR_set_robust_list:
- return Allow();
-#endif
-#ifdef ANDROID
- case __NR_set_tid_address:
- return Allow();
-#endif
-
- // prctl
- case __NR_prctl: {
- if (SandboxInfo::Get().Test(SandboxInfo::kHasSeccompTSync)) {
- return PrctlPolicy();
- }
-
- Arg<int> option(0);
- return If(option == PR_SET_NO_NEW_PRIVS,
- Trap(SetNoNewPrivsTrap, nullptr))
- .Else(PrctlPolicy());
- }
-
- // NSPR can call this when creating a thread, but it will accept a
- // polite "no".
- case __NR_getpriority:
- // But if thread creation races with sandbox startup, that call
- // could succeed, and then we get one of these:
- case __NR_setpriority:
- return Error(EACCES);
-
- // Stack bounds are obtained via pthread_getattr_np, which calls
- // this but doesn't actually need it:
- case __NR_sched_getaffinity:
- return Error(ENOSYS);
-
- // Read own pid/tid.
- case __NR_getpid:
- case __NR_gettid:
- return Allow();
-
- // Discard capabilities
- case __NR_close:
- return Allow();
-
- // Machine-dependent stuff
-#ifdef __arm__
- case __ARM_NR_breakpoint:
- case __ARM_NR_cacheflush:
- case __ARM_NR_usr26: // FIXME: do we actually need this?
- case __ARM_NR_usr32:
- case __ARM_NR_set_tls:
- return Allow();
-#endif
-
- // Needed when being debugged:
- case __NR_restart_syscall:
- return Allow();
-
- // Terminate threads or the process
- case __NR_exit:
- case __NR_exit_group:
- return Allow();
-
-#ifdef MOZ_ASAN
- // ASAN's error reporter wants to know if stderr is a tty.
- case __NR_ioctl: {
- Arg<int> fd(0);
- return If(fd == STDERR_FILENO, Allow())
- .Else(InvalidSyscall());
- }
-
- // ...and before compiler-rt r209773, it will call readlink on
- // /proc/self/exe and use the cached value only if that fails:
- case __NR_readlink:
- case __NR_readlinkat:
- return Error(ENOENT);
-
- // ...and if it found an external symbolizer, it will try to run it:
- // (See also bug 1081242 comment #7.)
- CASES_FOR_stat:
- return Error(ENOENT);
-#endif
-
- default:
- return SandboxPolicyBase::EvaluateSyscall(sysno);
- }
- }
-};
-
-// The process-type-specific syscall rules start here:
-
-}
diff --git a/security/sandbox/linux/SandboxFilter.h b/security/sandbox/linux/SandboxFilter.h
deleted file mode 100644
index b6031d30e..000000000
--- a/security/sandbox/linux/SandboxFilter.h
+++ /dev/null
@@ -1,23 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxFilter_h
-#define mozilla_SandboxFilter_h
-
-#include "mozilla/Atomics.h"
-#include "mozilla/UniquePtr.h"
-
-namespace sandbox {
-namespace bpf_dsl {
-class Policy;
-}
-}
-
-namespace mozilla {
-
-} // namespace mozilla
-
-#endif
diff --git a/security/sandbox/linux/SandboxFilterUtil.cpp b/security/sandbox/linux/SandboxFilterUtil.cpp
deleted file mode 100644
index 04fd6709c..000000000
--- a/security/sandbox/linux/SandboxFilterUtil.cpp
+++ /dev/null
@@ -1,121 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxFilterUtil.h"
-
-#ifndef ANDROID
-#include <linux/ipc.h>
-#endif
-#include <linux/net.h>
-
-#include "mozilla/UniquePtr.h"
-#include "sandbox/linux/bpf_dsl/bpf_dsl.h"
-
-// Older kernel headers (mostly Android, but also some older desktop
-// distributions) are missing some or all of these:
-#ifndef SYS_ACCEPT4
-#define SYS_ACCEPT4 18
-#endif
-#ifndef SYS_RECVMMSG
-#define SYS_RECVMMSG 19
-#endif
-#ifndef SYS_SENDMMSG
-#define SYS_SENDMMSG 20
-#endif
-
-using namespace sandbox::bpf_dsl;
-#define CASES SANDBOX_BPF_DSL_CASES
-
-namespace mozilla {
-
-sandbox::bpf_dsl::ResultExpr
-SandboxPolicyBase::EvaluateSyscall(int aSysno) const {
- switch (aSysno) {
-#ifdef __NR_socketcall
- case __NR_socketcall: {
- Arg<int> call(0);
- UniquePtr<Caser<int>> acc(new Caser<int>(Switch(call)));
- for (int i = SYS_SOCKET; i <= SYS_SENDMMSG; ++i) {
- auto thisCase = EvaluateSocketCall(i);
- // Optimize out cases that are equal to the default.
- if (thisCase) {
- acc.reset(new Caser<int>(acc->Case(i, *thisCase)));
- }
- }
- return acc->Default(InvalidSyscall());
- }
-#ifndef ANDROID
- case __NR_ipc: {
- Arg<int> callAndVersion(0);
- auto call = callAndVersion & 0xFFFF;
- UniquePtr<Caser<int>> acc(new Caser<int>(Switch(call)));
- for (int i = SEMOP; i <= DIPC; ++i) {
- auto thisCase = EvaluateIpcCall(i);
- // Optimize out cases that are equal to the default.
- if (thisCase) {
- acc.reset(new Caser<int>(acc->Case(i, *thisCase)));
- }
- }
- return acc->Default(InvalidSyscall());
- }
-#endif // ANDROID
-#endif // __NR_socketcall
-#define DISPATCH_SOCKETCALL(sysnum, socketnum) \
- case sysnum: \
- return EvaluateSocketCall(socketnum).valueOr(InvalidSyscall())
-#ifdef __NR_socket
- DISPATCH_SOCKETCALL(__NR_socket, SYS_SOCKET);
- DISPATCH_SOCKETCALL(__NR_bind, SYS_BIND);
- DISPATCH_SOCKETCALL(__NR_connect, SYS_CONNECT);
- DISPATCH_SOCKETCALL(__NR_listen, SYS_LISTEN);
-#ifdef __NR_accept
- DISPATCH_SOCKETCALL(__NR_accept, SYS_ACCEPT);
-#endif
- DISPATCH_SOCKETCALL(__NR_getsockname, SYS_GETSOCKNAME);
- DISPATCH_SOCKETCALL(__NR_getpeername, SYS_GETPEERNAME);
- DISPATCH_SOCKETCALL(__NR_socketpair, SYS_SOCKETPAIR);
-#ifdef __NR_send
- DISPATCH_SOCKETCALL(__NR_send, SYS_SEND);
- DISPATCH_SOCKETCALL(__NR_recv, SYS_RECV);
-#endif // __NR_send
- DISPATCH_SOCKETCALL(__NR_sendto, SYS_SENDTO);
- DISPATCH_SOCKETCALL(__NR_recvfrom, SYS_RECVFROM);
- DISPATCH_SOCKETCALL(__NR_shutdown, SYS_SHUTDOWN);
- DISPATCH_SOCKETCALL(__NR_setsockopt, SYS_SETSOCKOPT);
- DISPATCH_SOCKETCALL(__NR_getsockopt, SYS_GETSOCKOPT);
- DISPATCH_SOCKETCALL(__NR_sendmsg, SYS_SENDMSG);
- DISPATCH_SOCKETCALL(__NR_recvmsg, SYS_RECVMSG);
- DISPATCH_SOCKETCALL(__NR_accept4, SYS_ACCEPT4);
- DISPATCH_SOCKETCALL(__NR_recvmmsg, SYS_RECVMMSG);
- DISPATCH_SOCKETCALL(__NR_sendmmsg, SYS_SENDMMSG);
-#endif // __NR_socket
-#undef DISPATCH_SOCKETCALL
-#ifndef __NR_socketcall
-#ifndef ANDROID
-#define DISPATCH_SYSVCALL(sysnum, ipcnum) \
- case sysnum: \
- return EvaluateIpcCall(ipcnum).valueOr(InvalidSyscall())
- DISPATCH_SYSVCALL(__NR_semop, SEMOP);
- DISPATCH_SYSVCALL(__NR_semget, SEMGET);
- DISPATCH_SYSVCALL(__NR_semctl, SEMCTL);
- DISPATCH_SYSVCALL(__NR_semtimedop, SEMTIMEDOP);
- DISPATCH_SYSVCALL(__NR_msgsnd, MSGSND);
- DISPATCH_SYSVCALL(__NR_msgrcv, MSGRCV);
- DISPATCH_SYSVCALL(__NR_msgget, MSGGET);
- DISPATCH_SYSVCALL(__NR_msgctl, MSGCTL);
- DISPATCH_SYSVCALL(__NR_shmat, SHMAT);
- DISPATCH_SYSVCALL(__NR_shmdt, SHMDT);
- DISPATCH_SYSVCALL(__NR_shmget, SHMGET);
- DISPATCH_SYSVCALL(__NR_shmctl, SHMCTL);
-#undef DISPATCH_SYSVCALL
-#endif // ANDROID
-#endif // __NR_socketcall
- default:
- return InvalidSyscall();
- }
-}
-
-}
diff --git a/security/sandbox/linux/SandboxFilterUtil.h b/security/sandbox/linux/SandboxFilterUtil.h
deleted file mode 100644
index fb9afa79f..000000000
--- a/security/sandbox/linux/SandboxFilterUtil.h
+++ /dev/null
@@ -1,148 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxFilterUtil_h
-#define mozilla_SandboxFilterUtil_h
-
-// This header file exists to hold helper code for SandboxFilter.cpp,
-// to make that file easier to read for anyone trying to understand
-// the filter policy. It's mostly about smoothing out differences
-// between different Linux architectures.
-
-#include "mozilla/Maybe.h"
-#include "sandbox/linux/bpf_dsl/policy.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-
-namespace mozilla {
-
-// This class handles syscalls for BSD socket and SysV IPC operations.
-// On 32-bit x86 they're multiplexed via socketcall(2) and ipc(2),
-// respectively; on most other architectures they're individual system
-// calls. It translates the syscalls into socketcall/ipc selector
-// values, because those are defined (even if not used) for all
-// architectures.
-//
-// This EvaluateSyscall() routine always returns InvalidSyscall() for
-// everything else. It's assumed that subclasses will be implementing
-// a whitelist policy, so they can handle what they're whitelisting
-// and then defer to this class in the default case.
-class SandboxPolicyBase : public sandbox::bpf_dsl::Policy
-{
-public:
- using ResultExpr = sandbox::bpf_dsl::ResultExpr;
-
- virtual ResultExpr EvaluateSyscall(int aSysno) const override;
- virtual Maybe<ResultExpr> EvaluateSocketCall(int aCall) const {
- return Nothing();
- }
-#ifndef ANDROID
- // Android doesn't use SysV IPC (and doesn't define the selector
- // constants in its headers), so this isn't implemented there.
- virtual Maybe<ResultExpr> EvaluateIpcCall(int aCall) const {
- return Nothing();
- }
-#endif
-
-#ifdef __NR_socketcall
- // socketcall(2) takes the actual call's arguments via a pointer, so
- // seccomp-bpf can't inspect them; ipc(2) takes them at different indices.
- static const bool kSocketCallHasArgs = false;
- static const bool kIpcCallNormalArgs = false;
-#else
- // Otherwise, the bpf_dsl Arg<> class can be used normally.
- static const bool kSocketCallHasArgs = true;
- static const bool kIpcCallNormalArgs = true;
-#endif
-};
-
-} // namespace mozilla
-
-// "Machine independent" pseudo-syscall numbers, to deal with arch
-// dependencies. (Most 32-bit archs started with 32-bit off_t; older
-// archs started with 16-bit uid_t/gid_t; 32-bit registers can't hold
-// a 64-bit offset for mmap; and so on.)
-//
-// For some of these, the "old" syscalls are also in use in some
-// cases; see, e.g., the handling of RT vs. non-RT signal syscalls.
-
-#ifdef __NR_mmap2
-#define CASES_FOR_mmap case __NR_mmap2
-#else
-#define CASES_FOR_mmap case __NR_mmap
-#endif
-
-#ifdef __NR_fchown32
-#define CASES_FOR_fchown case __NR_fchown32: case __NR_fchown
-#else
-#define CASES_FOR_fchown case __NR_fchown
-#endif
-
-#ifdef __NR_getuid32
-#define CASES_FOR_getuid case __NR_getuid32
-#define CASES_FOR_getgid case __NR_getgid32
-#define CASES_FOR_geteuid case __NR_geteuid32
-#define CASES_FOR_getegid case __NR_getegid32
-#define CASES_FOR_getresuid case __NR_getresuid32: case __NR_getresuid
-#define CASES_FOR_getresgid case __NR_getresgid32: case __NR_getresgid
-// The set*id syscalls are omitted; we'll probably never need to allow them.
-#else
-#define CASES_FOR_getuid case __NR_getuid
-#define CASES_FOR_getgid case __NR_getgid
-#define CASES_FOR_geteuid case __NR_geteuid
-#define CASES_FOR_getegid case __NR_getegid
-#define CASES_FOR_getresuid case __NR_getresuid
-#define CASES_FOR_getresgid case __NR_getresgid
-#endif
-
-#ifdef __NR_stat64
-#define CASES_FOR_stat case __NR_stat64
-#define CASES_FOR_lstat case __NR_lstat64
-#define CASES_FOR_fstat case __NR_fstat64
-#define CASES_FOR_fstatat case __NR_fstatat64
-#define CASES_FOR_statfs case __NR_statfs64: case __NR_statfs
-#define CASES_FOR_fstatfs case __NR_fstatfs64: case __NR_fstatfs
-#define CASES_FOR_fcntl case __NR_fcntl64
-// We're using the 32-bit version on 32-bit desktop for some reason.
-#define CASES_FOR_getdents case __NR_getdents64: case __NR_getdents
-// FIXME: we might not need the compat cases for these on non-Android:
-#define CASES_FOR_lseek case __NR_lseek: case __NR__llseek
-#define CASES_FOR_ftruncate case __NR_ftruncate: case __NR_ftruncate64
-#else
-#define CASES_FOR_stat case __NR_stat
-#define CASES_FOR_lstat case __NR_lstat
-#define CASES_FOR_fstatat case __NR_newfstatat
-#define CASES_FOR_fstat case __NR_fstat
-#define CASES_FOR_fstatfs case __NR_fstatfs
-#define CASES_FOR_statfs case __NR_statfs
-#define CASES_FOR_fcntl case __NR_fcntl
-#define CASES_FOR_getdents case __NR_getdents
-#define CASES_FOR_lseek case __NR_lseek
-#define CASES_FOR_ftruncate case __NR_ftruncate
-#endif
-
-#ifdef __NR_sigprocmask
-#define CASES_FOR_sigprocmask case __NR_sigprocmask: case __NR_rt_sigprocmask
-#define CASES_FOR_sigaction case __NR_sigaction: case __NR_rt_sigaction
-#define CASES_FOR_sigreturn case __NR_sigreturn: case __NR_rt_sigreturn
-#else
-#define CASES_FOR_sigprocmask case __NR_rt_sigprocmask
-#define CASES_FOR_sigaction case __NR_rt_sigaction
-#define CASES_FOR_sigreturn case __NR_rt_sigreturn
-#endif
-
-#ifdef __NR__newselect
-#define CASES_FOR_select case __NR__newselect
-#else
-#define CASES_FOR_select case __NR_select
-#endif
-
-#ifdef __NR_ugetrlimit
-#define CASES_FOR_getrlimit case __NR_ugetrlimit
-#else
-#define CASES_FOR_getrlimit case __NR_getrlimit
-#endif
-
-#endif // mozilla_SandboxFilterUtil_h
diff --git a/security/sandbox/linux/SandboxHooks.cpp b/security/sandbox/linux/SandboxHooks.cpp
deleted file mode 100644
index eaaf56982..000000000
--- a/security/sandbox/linux/SandboxHooks.cpp
+++ /dev/null
@@ -1,72 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include <dlfcn.h>
-#include <signal.h>
-#include <errno.h>
-
-#include "mozilla/Types.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-
-// Signal number used to enable seccomp on each thread.
-extern int gSeccompTsyncBroadcastSignum;
-
-// This file defines a hook for sigprocmask() and pthread_sigmask().
-// Bug 1176099: some threads block SIGSYS signal which breaks our seccomp-bpf
-// sandbox. To avoid this, we intercept the call and remove SIGSYS.
-//
-// ENOSYS indicates an error within the hook function itself.
-static int HandleSigset(int (*aRealFunc)(int, const sigset_t*, sigset_t*),
- int aHow, const sigset_t* aSet,
- sigset_t* aOldSet, bool aUseErrno)
-{
- if (!aRealFunc) {
- if (aUseErrno) {
- errno = ENOSYS;
- return -1;
- }
-
- return ENOSYS;
- }
-
- // Avoid unnecessary work
- if (aSet == NULL || aHow == SIG_UNBLOCK) {
- return aRealFunc(aHow, aSet, aOldSet);
- }
-
- sigset_t newSet = *aSet;
- if (sigdelset(&newSet, SIGSYS) != 0 ||
- (gSeccompTsyncBroadcastSignum &&
- sigdelset(&newSet, gSeccompTsyncBroadcastSignum) != 0)) {
- if (aUseErrno) {
- errno = ENOSYS;
- return -1;
- }
-
- return ENOSYS;
- }
-
- return aRealFunc(aHow, &newSet, aOldSet);
-}
-
-extern "C" MOZ_EXPORT int
-sigprocmask(int how, const sigset_t* set, sigset_t* oldset)
-{
- static auto sRealFunc = (int (*)(int, const sigset_t*, sigset_t*))
- dlsym(RTLD_NEXT, "sigprocmask");
-
- return HandleSigset(sRealFunc, how, set, oldset, true);
-}
-
-extern "C" MOZ_EXPORT int
-pthread_sigmask(int how, const sigset_t* set, sigset_t* oldset)
-{
- static auto sRealFunc = (int (*)(int, const sigset_t*, sigset_t*))
- dlsym(RTLD_NEXT, "pthread_sigmask");
-
- return HandleSigset(sRealFunc, how, set, oldset, false);
-}
diff --git a/security/sandbox/linux/SandboxInfo.cpp b/security/sandbox/linux/SandboxInfo.cpp
deleted file mode 100644
index 2eb65e39c..000000000
--- a/security/sandbox/linux/SandboxInfo.cpp
+++ /dev/null
@@ -1,259 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxInfo.h"
-#include "SandboxLogging.h"
-#include "LinuxSched.h"
-
-#include <errno.h>
-#include <stdlib.h>
-#include <sys/prctl.h>
-#include <sys/stat.h>
-#include <sys/syscall.h>
-#include <sys/wait.h>
-#include <unistd.h>
-
-#include "base/posix/eintr_wrapper.h"
-#include "mozilla/Assertions.h"
-#include "mozilla/ArrayUtils.h"
-#include "sandbox/linux/system_headers/linux_seccomp.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-
-#ifdef MOZ_VALGRIND
-#include <valgrind/valgrind.h>
-#endif
-
-
-// A note about assertions: in general, the worst thing this module
-// should be able to do is disable sandboxing features, so release
-// asserts or MOZ_CRASH should be avoided, even for seeming
-// impossibilities like an unimplemented syscall returning success
-// (which has happened: https://crbug.com/439795 ).
-//
-// MOZ_DIAGNOSTIC_ASSERT (debug builds, plus Nightly/Aurora non-debug)
-// is probably the best choice for conditions that shouldn't be able
-// to fail without the help of bugs in the kernel or system libraries.
-//
-// Regardless of assertion type, whatever condition caused it to fail
-// should generally also disable the corresponding feature on builds
-// that omit the assertion.
-
-namespace mozilla {
-
-// Bug 1229136: this is copied from ../SandboxUtil.cpp to avoid
-// complicated build issues; renamespaced to avoid the possibility of
-// symbol conflict.
-namespace {
-
-static bool
-IsSingleThreaded()
-{
- // This detects the thread count indirectly. /proc/<pid>/task has a
- // subdirectory for each thread in <pid>'s thread group, and the
- // link count on the "task" directory follows Unix expectations: the
- // link from its parent, the "." link from itself, and the ".." link
- // from each subdirectory; thus, 2+N links for N threads.
- struct stat sb;
- if (stat("/proc/self/task", &sb) < 0) {
- MOZ_DIAGNOSTIC_ASSERT(false, "Couldn't access /proc/self/task!");
- return false;
- }
- MOZ_DIAGNOSTIC_ASSERT(sb.st_nlink >= 3);
- return sb.st_nlink == 3;
-}
-
-} // anonymous namespace
-
-static bool
-HasSeccompBPF()
-{
- // Allow simulating the absence of seccomp-bpf support, for testing.
- if (getenv("MOZ_FAKE_NO_SANDBOX")) {
- return false;
- }
-
- // Valgrind and the sandbox don't interact well, probably because Valgrind
- // does various system calls which aren't allowed, even if Firefox itself
- // is playing by the rules.
-# if defined(MOZ_VALGRIND)
- if (RUNNING_ON_VALGRIND) {
- return false;
- }
-# endif
-
- // Determine whether seccomp-bpf is supported by trying to
- // enable it with an invalid pointer for the filter. This will
- // fail with EFAULT if supported and EINVAL if not, without
- // changing the process's state.
-
- int rv = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, nullptr);
- MOZ_DIAGNOSTIC_ASSERT(rv == -1, "prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER,"
- " nullptr) didn't fail");
- MOZ_DIAGNOSTIC_ASSERT(errno == EFAULT || errno == EINVAL);
- return rv == -1 && errno == EFAULT;
-}
-
-static bool
-HasSeccompTSync()
-{
- // Similar to above, but for thread-sync mode. See also Chromium's
- // sandbox::SandboxBPF::SupportsSeccompThreadFilterSynchronization
- if (getenv("MOZ_FAKE_NO_SECCOMP_TSYNC")) {
- return false;
- }
- int rv = syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER,
- SECCOMP_FILTER_FLAG_TSYNC, nullptr);
- MOZ_DIAGNOSTIC_ASSERT(rv == -1, "seccomp(..., SECCOMP_FILTER_FLAG_TSYNC,"
- " nullptr) didn't fail");
- MOZ_DIAGNOSTIC_ASSERT(errno == EFAULT || errno == EINVAL || errno == ENOSYS);
- return rv == -1 && errno == EFAULT;
-}
-
-static bool
-HasUserNamespaceSupport()
-{
- // Note: the /proc/<pid>/ns/* files track setns(2) support, which in
- // some cases (e.g., pid) significantly postdates kernel support for
- // the namespace type, so in general this type of check could be a
- // false negative. However, for user namespaces, any kernel new
- // enough for the feature to be usable for us has setns support
- // (v3.8), so this is okay.
- //
- // The non-user namespaces all default to "y" in init/Kconfig, but
- // check them explicitly in case someone has a weird custom config.
- static const char* const paths[] = {
- "/proc/self/ns/user",
- "/proc/self/ns/pid",
- "/proc/self/ns/net",
- "/proc/self/ns/ipc",
- };
- for (size_t i = 0; i < ArrayLength(paths); ++i) {
- if (access(paths[i], F_OK) == -1) {
- MOZ_ASSERT(errno == ENOENT);
- return false;
- }
- }
- return true;
-}
-
-static bool
-CanCreateUserNamespace()
-{
- // Unfortunately, the only way to verify that this process can
- // create a new user namespace is to actually create one; because
- // this process's namespaces shouldn't be side-effected (yet), it's
- // necessary to clone (and collect) a child process. See also
- // Chromium's sandbox::Credentials::SupportsNewUserNS.
- //
- // This is somewhat more expensive than the other tests, so it's
- // cached in the environment to prevent child processes from having
- // to re-run the test.
- //
- // This is run at static initializer time, while single-threaded, so
- // locking isn't needed to access the environment.
- static const char kCacheEnvName[] = "MOZ_ASSUME_USER_NS";
- const char* cached = getenv(kCacheEnvName);
- if (cached) {
- return cached[0] > '0';
- }
-
- // Valgrind might allow the clone, but doesn't know what to do with
- // unshare. Check for that by unsharing nothing. (Valgrind will
- // probably need sandboxing disabled entirely, but no need to break
- // things worse than strictly necessary.)
- if (syscall(__NR_unshare, 0) != 0) {
-#ifdef MOZ_VALGRIND
- MOZ_ASSERT(errno == ENOSYS);
-#else
- // If something else can cause that call to fail, we's like to know
- // about it; the right way to handle it might not be the same.
- MOZ_ASSERT(false);
-#endif
- return false;
- }
-
- pid_t pid = syscall(__NR_clone, SIGCHLD | CLONE_NEWUSER,
- nullptr, nullptr, nullptr, nullptr);
- if (pid == 0) {
- // In the child. Do as little as possible.
- _exit(0);
- }
- if (pid == -1) {
- // Failure.
- MOZ_ASSERT(errno == EINVAL || // unsupported
- errno == EPERM || // root-only, or we're already chrooted
- errno == EUSERS); // already at user namespace nesting limit
- setenv(kCacheEnvName, "0", 1);
- return false;
- }
- // Otherwise, in the parent and successful.
- bool waitpid_ok = HANDLE_EINTR(waitpid(pid, nullptr, 0)) == pid;
- MOZ_ASSERT(waitpid_ok);
- if (!waitpid_ok) {
- return false;
- }
- setenv(kCacheEnvName, "1", 1);
- return true;
-}
-
-/* static */
-SandboxInfo SandboxInfo::sSingleton = SandboxInfo();
-
-SandboxInfo::SandboxInfo() {
- int flags = 0;
- static_assert(sizeof(flags) >= sizeof(Flags), "enum Flags fits in an int");
-
- if (HasSeccompBPF()) {
- flags |= kHasSeccompBPF;
- if (HasSeccompTSync()) {
- flags |= kHasSeccompTSync;
- }
- }
-
- // Detect the threading-problem signal from the parent process.
- if (getenv("MOZ_SANDBOX_UNEXPECTED_THREADS")) {
- flags |= kUnexpectedThreads;
- } else {
- if (HasUserNamespaceSupport()) {
- flags |= kHasPrivilegedUserNamespaces;
- if (CanCreateUserNamespace()) {
- flags |= kHasUserNamespaces;
- }
- }
- }
-
- if (getenv("MOZ_SANDBOX_VERBOSE")) {
- flags |= kVerbose;
- }
-
- mFlags = static_cast<Flags>(flags);
-}
-
-/* static */ void
-SandboxInfo::ThreadingCheck()
-{
- // Allow MOZ_SANDBOX_UNEXPECTED_THREADS to be set manually for testing.
- if (IsSingleThreaded() &&
- !getenv("MOZ_SANDBOX_UNEXPECTED_THREADS")) {
- return;
- }
- SANDBOX_LOG_ERROR("unexpected multithreading found; this prevents using"
- " namespace sandboxing.%s",
- // getenv isn't thread-safe, but see below.
- getenv("LD_PRELOAD") ? " (If you're LD_PRELOAD'ing"
- " nVidia GL: that's not necessary for Gecko.)" : "");
-
- // Propagate this information for use by child processes. (setenv
- // isn't thread-safe, but other threads are from non-Gecko code so
- // they wouldn't be using NSPR; we have to hope for the best.)
- setenv("MOZ_SANDBOX_UNEXPECTED_THREADS", "1", 0);
- int flags = sSingleton.mFlags;
- flags |= kUnexpectedThreads;
- flags &= ~(kHasUserNamespaces | kHasPrivilegedUserNamespaces);
- sSingleton.mFlags = static_cast<Flags>(flags);
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/SandboxInfo.h b/security/sandbox/linux/SandboxInfo.h
deleted file mode 100644
index 1999ac392..000000000
--- a/security/sandbox/linux/SandboxInfo.h
+++ /dev/null
@@ -1,81 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxInfo_h
-#define mozilla_SandboxInfo_h
-
-#include "mozilla/Types.h"
-
-// Information on what parts of sandboxing are enabled in this build
-// and/or supported by the system.
-
-namespace mozilla {
-
-class SandboxInfo {
-public:
- // No need to prevent copying; this is essentially just a const int.
- SandboxInfo(const SandboxInfo& aOther) : mFlags(aOther.mFlags) { }
-
- // Flags are checked at initializer time; this returns them.
- static const SandboxInfo& Get() { return sSingleton; }
-
- enum Flags {
- // System call filtering; kernel config option CONFIG_SECCOMP_FILTER.
- kHasSeccompBPF = 1 << 0,
- // Config flag MOZ_CONTENT_SANDBOX; env var MOZ_DISABLE_CONTENT_SANDBOX.
- kEnabledForContent = 1 << 1,
- // Config flag MOZ_GMP_SANDBOX; env var MOZ_DISABLE_GMP_SANDBOX.
- kEnabledForMedia = 1 << 2,
- // Env var MOZ_SANDBOX_VERBOSE.
- kVerbose = 1 << 3,
- // Kernel can atomically set system call filtering on entire thread group.
- kHasSeccompTSync = 1 << 4,
- // Can this process create user namespaces? (Man page user_namespaces(7).)
- kHasUserNamespaces = 1 << 5,
- // Could a more privileged process have user namespaces, even if we can't?
- kHasPrivilegedUserNamespaces = 1 << 6,
- // Env var MOZ_PERMISSIVE_CONTENT_SANDBOX
- kPermissive = 1 << 7,
- // Something is creating threads when we need to still be single-threaded.
- kUnexpectedThreads = 1 << 8,
- };
-
- bool Test(Flags aFlag) const { return (mFlags & aFlag) == aFlag; }
-
- // Returns true if SetContentProcessSandbox may be called.
- bool CanSandboxContent() const
- {
- return !Test(kEnabledForContent) || Test(kHasSeccompBPF);
- }
-
- // Returns true if SetMediaPluginSandbox may be called.
- bool CanSandboxMedia() const
- {
- return !Test(kEnabledForMedia) || Test(kHasSeccompBPF);
- }
-
- // For telemetry / crash annotation uses.
- uint32_t AsInteger() const {
- return mFlags;
- }
-
- // For bug 1222500 or anything else like it: On desktop, this is
- // called in the parent process at a point when it should still be
- // single-threaded, to check that the SandboxEarlyInit() call in a
- // child process is early enough to be single-threaded. If not,
- // kUnexpectedThreads is set and affected flags (user namespaces;
- // possibly others in the future) are cleared.
- static MOZ_EXPORT void ThreadingCheck();
-private:
- enum Flags mFlags;
- // This should be const, but has to allow for ThreadingCheck.
- static MOZ_EXPORT SandboxInfo sSingleton;
- SandboxInfo();
-};
-
-} // namespace mozilla
-
-#endif // mozilla_SandboxInfo_h
diff --git a/security/sandbox/linux/SandboxInternal.h b/security/sandbox/linux/SandboxInternal.h
deleted file mode 100644
index 90a688421..000000000
--- a/security/sandbox/linux/SandboxInternal.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxInternal_h
-#define mozilla_SandboxInternal_h
-
-#include <signal.h>
-
-#include "mozilla/Types.h"
-
-struct sock_fprog;
-
-namespace mozilla {
-
-// SandboxCrash() has to be in libxul to use internal interfaces, but
-// its caller in libmozsandbox.
-// See also bug 1101170.
-
-typedef void (*SandboxCrashFunc)(int, siginfo_t*, void*);
-extern MOZ_EXPORT SandboxCrashFunc gSandboxCrashFunc;
-extern const sock_fprog* gSetSandboxFilter;
-
-} // namespace mozilla
-
-#endif // mozilla_SandboxInternal_h
diff --git a/security/sandbox/linux/SandboxLogging.cpp b/security/sandbox/linux/SandboxLogging.cpp
deleted file mode 100644
index 19196a75a..000000000
--- a/security/sandbox/linux/SandboxLogging.cpp
+++ /dev/null
@@ -1,60 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxLogging.h"
-
-#ifdef ANDROID
-#include <android/log.h>
-#endif
-#include <algorithm>
-#include <stdio.h>
-#include <string.h>
-#include <sys/uio.h>
-#include <unistd.h>
-
-#include "base/posix/eintr_wrapper.h"
-
-namespace mozilla {
-
-// Alters an iovec array to remove the first `toDrop` bytes. This
-// complexity is necessary because writev can return a short write
-// (e.g., if stderr is a pipe and the buffer is almost full).
-static void
-IOVecDrop(struct iovec* iov, int iovcnt, size_t toDrop)
-{
- while (toDrop > 0 && iovcnt > 0) {
- size_t toDropHere = std::min(toDrop, iov->iov_len);
- iov->iov_base = static_cast<char*>(iov->iov_base) + toDropHere;
- iov->iov_len -= toDropHere;
- toDrop -= toDropHere;
- ++iov;
- --iovcnt;
- }
-}
-
-void
-SandboxLogError(const char* message)
-{
-#ifdef ANDROID
- // This uses writev internally and appears to be async signal safe.
- __android_log_write(ANDROID_LOG_ERROR, "Sandbox", message);
-#endif
- static const char logPrefix[] = "Sandbox: ", logSuffix[] = "\n";
- struct iovec iovs[3] = {
- { const_cast<char*>(logPrefix), sizeof(logPrefix) - 1 },
- { const_cast<char*>(message), strlen(message) },
- { const_cast<char*>(logSuffix), sizeof(logSuffix) - 1 },
- };
- while (iovs[2].iov_len > 0) {
- ssize_t written = HANDLE_EINTR(writev(STDERR_FILENO, iovs, 3));
- if (written <= 0) {
- break;
- }
- IOVecDrop(iovs, 3, static_cast<size_t>(written));
- }
-}
-
-}
diff --git a/security/sandbox/linux/SandboxLogging.h b/security/sandbox/linux/SandboxLogging.h
deleted file mode 100644
index 88891adfb..000000000
--- a/security/sandbox/linux/SandboxLogging.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxLogging_h
-#define mozilla_SandboxLogging_h
-
-// This header defines the SANDBOX_LOG_ERROR macro used in the Linux
-// sandboxing code. It uses Android logging on Android and writes to
-// stderr otherwise. Android logging has severity levels; currently
-// only "error" severity is exposed here, and this isn't marked when
-// writing to stderr.
-//
-// The format strings are processed by Chromium SafeSPrintf, which
-// doesn't accept size modifiers or %u because it uses C++11 variadic
-// templates to obtain the actual argument types; all decimal integer
-// formatting uses %d. See safe_sprintf.h for more details.
-
-// Build SafeSPrintf without assertions to avoid a dependency on
-// Chromium logging. This doesn't affect safety; it just means that
-// type mismatches (pointer vs. integer) always result in unexpanded
-// %-directives instead of crashing. See also the moz.build files,
-// which apply NDEBUG to the .cc file.
-#ifndef NDEBUG
-#define NDEBUG 1
-#include "base/strings/safe_sprintf.h"
-#undef NDEBUG
-#else
-#include "base/strings/safe_sprintf.h"
-#endif
-
-namespace mozilla {
-// Logs the formatted string (marked with "error" severity, if supported).
-void SandboxLogError(const char* aMessage);
-}
-
-#define SANDBOX_LOG_LEN 256
-
-// Formats a log message and logs it (with "error" severity, if supported).
-//
-// Note that SafeSPrintf doesn't accept size modifiers or %u; all
-// decimal integers are %d, because it uses C++11 variadic templates
-// to use the actual argument type.
-#define SANDBOX_LOG_ERROR(fmt, args...) do { \
- char _sandboxLogBuf[SANDBOX_LOG_LEN]; \
- ::base::strings::SafeSPrintf(_sandboxLogBuf, fmt, ## args); \
- ::mozilla::SandboxLogError(_sandboxLogBuf); \
-} while(0)
-
-#endif // mozilla_SandboxLogging_h
diff --git a/security/sandbox/linux/SandboxUtil.cpp b/security/sandbox/linux/SandboxUtil.cpp
deleted file mode 100644
index 999329882..000000000
--- a/security/sandbox/linux/SandboxUtil.cpp
+++ /dev/null
@@ -1,106 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxUtil.h"
-
-#include "LinuxCapabilities.h"
-#include "LinuxSched.h"
-#include "SandboxLogging.h"
-
-#include <fcntl.h>
-#include <sys/stat.h>
-#include <sys/syscall.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#include "mozilla/Assertions.h"
-#include "mozilla/Sprintf.h"
-#include "mozilla/Unused.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-
-namespace mozilla {
-
-bool
-IsSingleThreaded()
-{
- // This detects the thread count indirectly. /proc/<pid>/task has a
- // subdirectory for each thread in <pid>'s thread group, and the
- // link count on the "task" directory follows Unix expectations: the
- // link from its parent, the "." link from itself, and the ".." link
- // from each subdirectory; thus, 2+N links for N threads.
- struct stat sb;
- if (stat("/proc/self/task", &sb) < 0) {
- MOZ_DIAGNOSTIC_ASSERT(false, "Couldn't access /proc/self/task!");
- return false;
- }
- MOZ_DIAGNOSTIC_ASSERT(sb.st_nlink >= 3);
- return sb.st_nlink == 3;
-}
-
-static bool
-WriteStringToFile(const char* aPath, const char* aStr, const size_t aLen)
-{
- int fd = open(aPath, O_WRONLY);
- if (fd < 0) {
- return false;
- }
- ssize_t written = write(fd, aStr, aLen);
- if (close(fd) != 0 || written != ssize_t(aLen)) {
- return false;
- }
- return true;
-}
-
-bool
-UnshareUserNamespace()
-{
- // The uid and gid need to be retrieved before the unshare; see
- // below.
- uid_t uid = getuid();
- gid_t gid = getgid();
- char buf[80];
-
- if (syscall(__NR_unshare, CLONE_NEWUSER) != 0) {
- return false;
- }
-
- // As mentioned in the header, this function sets up uid/gid
- // mappings that preserve the process's previous ids. Mapping the
- // uid/gid to something is necessary in order to nest user
- // namespaces (not used yet, but we'll need this in the future for
- // pid namespace support), and leaving the ids unchanged is the
- // least confusing option.
- //
- // In recent kernels (3.19, 3.18.2, 3.17.8), for security reasons,
- // establishing gid mappings will fail unless the process first
- // revokes its ability to call setgroups() by using a /proc node
- // added in the same set of patches.
- //
- // Note that /proc/self points to the thread group leader, not the
- // current thread. However, CLONE_NEWUSER can be unshared only in a
- // single-threaded process, so those are equivalent if we reach this
- // point.
- int len = SprintfLiteral(buf, "%u %u 1\n", uid, uid);
- if (len >= int(sizeof(buf)) || len < 0) {
- return false;
- }
- if (!WriteStringToFile("/proc/self/uid_map", buf, size_t(len))) {
- MOZ_CRASH("Failed to write /proc/self/uid_map");
- }
-
- Unused << WriteStringToFile("/proc/self/setgroups", "deny", 4);
-
- len = SprintfLiteral(buf, "%u %u 1\n", gid, gid);
- if (len >= int(sizeof(buf)) || len < 0) {
- return false;
- }
- if (!WriteStringToFile("/proc/self/gid_map", buf, size_t(len))) {
- MOZ_CRASH("Failed to write /proc/self/gid_map");
- }
- return true;
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/SandboxUtil.h b/security/sandbox/linux/SandboxUtil.h
deleted file mode 100644
index 7bd84f798..000000000
--- a/security/sandbox/linux/SandboxUtil.h
+++ /dev/null
@@ -1,21 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxUtil_h
-#define mozilla_SandboxUtil_h
-
-namespace mozilla {
-
-bool IsSingleThreaded();
-
-// Unshare the user namespace, and set up id mappings so that the
-// process's subjective uid and gid are unchanged. This will always
-// fail if the process is multithreaded.
-bool UnshareUserNamespace();
-
-} // namespace mozilla
-
-#endif // mozilla_SandboxUtil_h
diff --git a/security/sandbox/linux/broker/SandboxBroker.cpp b/security/sandbox/linux/broker/SandboxBroker.cpp
deleted file mode 100644
index a31d1fc66..000000000
--- a/security/sandbox/linux/broker/SandboxBroker.cpp
+++ /dev/null
@@ -1,731 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxBroker.h"
-#include "SandboxInfo.h"
-#include "SandboxLogging.h"
-#include "SandboxBrokerUtils.h"
-
-#include <dirent.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#ifdef XP_LINUX
-#include <sys/prctl.h>
-#endif
-
-#ifdef MOZ_WIDGET_GONK
-#include <private/android_filesystem_config.h>
-#include <sys/syscall.h>
-#endif
-
-#include "mozilla/Assertions.h"
-#include "mozilla/DebugOnly.h"
-#include "mozilla/Move.h"
-#include "mozilla/NullPtr.h"
-#include "mozilla/Sprintf.h"
-#include "mozilla/ipc/FileDescriptor.h"
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-
-namespace mozilla {
-
-// This constructor signals failure by setting mFileDesc and aClientFd to -1.
-SandboxBroker::SandboxBroker(UniquePtr<const Policy> aPolicy, int aChildPid,
- int& aClientFd)
- : mChildPid(aChildPid), mPolicy(Move(aPolicy))
-{
- int fds[2];
- if (0 != socketpair(AF_UNIX, SOCK_SEQPACKET, 0, fds)) {
- SANDBOX_LOG_ERROR("SandboxBroker: socketpair failed: %s", strerror(errno));
- mFileDesc = -1;
- aClientFd = -1;
- return;
- }
- mFileDesc = fds[0];
- aClientFd = fds[1];
-
- if (!PlatformThread::Create(0, this, &mThread)) {
- SANDBOX_LOG_ERROR("SandboxBroker: thread creation failed: %s",
- strerror(errno));
- close(mFileDesc);
- close(aClientFd);
- mFileDesc = -1;
- aClientFd = -1;
- }
-}
-
-UniquePtr<SandboxBroker>
-SandboxBroker::Create(UniquePtr<const Policy> aPolicy, int aChildPid,
- ipc::FileDescriptor& aClientFdOut)
-{
- int clientFd;
- // Can't use MakeUnique here because the constructor is private.
- UniquePtr<SandboxBroker> rv(new SandboxBroker(Move(aPolicy), aChildPid,
- clientFd));
- if (clientFd < 0) {
- rv = nullptr;
- } else {
- aClientFdOut = ipc::FileDescriptor(clientFd);
- }
- return Move(rv);
-}
-
-SandboxBroker::~SandboxBroker() {
- // If the constructor failed, there's nothing to be done here.
- if (mFileDesc < 0) {
- return;
- }
-
- shutdown(mFileDesc, SHUT_RD);
- // The thread will now get EOF even if the client hasn't exited.
- PlatformThread::Join(mThread);
- // Now that the thread has exited, the fd will no longer be accessed.
- close(mFileDesc);
- // Having ensured that this object outlives the thread, this
- // destructor can now return.
-}
-
-SandboxBroker::Policy::Policy() { }
-SandboxBroker::Policy::~Policy() { }
-
-SandboxBroker::Policy::Policy(const Policy& aOther) {
- for (auto iter = aOther.mMap.ConstIter(); !iter.Done(); iter.Next()) {
- mMap.Put(iter.Key(), iter.Data());
- }
-}
-
-// Chromium
-// sandbox/linux/syscall_broker/broker_file_permission.cc
-// Async signal safe
-bool
-SandboxBroker::Policy::ValidatePath(const char* path) const {
- if (!path)
- return false;
-
- const size_t len = strlen(path);
- // No empty paths
- if (len == 0)
- return false;
- // Paths must be absolute and not relative
- if (path[0] != '/')
- return false;
- // No trailing / (but "/" is valid)
- if (len > 1 && path[len - 1] == '/')
- return false;
- // No trailing /.
- if (len >= 2 && path[len - 2] == '/' && path[len - 1] == '.')
- return false;
- // No trailing /..
- if (len >= 3 && path[len - 3] == '/' && path[len - 2] == '.' &&
- path[len - 1] == '.')
- return false;
- // No /../ anywhere
- for (size_t i = 0; i < len; i++) {
- if (path[i] == '/' && (len - i) > 3) {
- if (path[i + 1] == '.' && path[i + 2] == '.' && path[i + 3] == '/') {
- return false;
- }
- }
- }
- return true;
-}
-
-void
-SandboxBroker::Policy::AddPath(int aPerms, const char* aPath,
- AddCondition aCond)
-{
- nsDependentCString path(aPath);
- MOZ_ASSERT(path.Length() <= kMaxPathLen);
- int perms;
- if (aCond == AddIfExistsNow) {
- struct stat statBuf;
- if (lstat(aPath, &statBuf) != 0) {
- return;
- }
- }
- if (!mMap.Get(path, &perms)) {
- perms = MAY_ACCESS;
- } else {
- MOZ_ASSERT(perms & MAY_ACCESS);
- }
- if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) {
- SANDBOX_LOG_ERROR("policy for %s: %d -> %d", aPath, perms, perms | aPerms);
- }
- perms |= aPerms;
- mMap.Put(path, perms);
-}
-
-void
-SandboxBroker::Policy::AddTree(int aPerms, const char* aPath)
-{
- struct stat statBuf;
-
- if (stat(aPath, &statBuf) != 0) {
- return;
- }
- if (!S_ISDIR(statBuf.st_mode)) {
- AddPath(aPerms, aPath, AddAlways);
- } else {
- DIR* dirp = opendir(aPath);
- if (!dirp) {
- return;
- }
- while (struct dirent* de = readdir(dirp)) {
- if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0) {
- continue;
- }
- // Note: could optimize the string handling.
- nsAutoCString subPath;
- subPath.Assign(aPath);
- subPath.Append('/');
- subPath.Append(de->d_name);
- AddTree(aPerms, subPath.get());
- }
- closedir(dirp);
- }
-}
-
-void
-SandboxBroker::Policy::AddDir(int aPerms, const char* aPath)
-{
- struct stat statBuf;
-
- if (stat(aPath, &statBuf) != 0) {
- return;
- }
-
- if (!S_ISDIR(statBuf.st_mode)) {
- return;
- }
-
- nsDependentCString path(aPath);
- MOZ_ASSERT(path.Length() <= kMaxPathLen - 1);
- // Enforce trailing / on aPath
- if (path[path.Length() - 1] != '/') {
- path.Append('/');
- }
- int origPerms;
- if (!mMap.Get(path, &origPerms)) {
- origPerms = MAY_ACCESS;
- } else {
- MOZ_ASSERT(origPerms & MAY_ACCESS);
- }
- int newPerms = origPerms | aPerms | RECURSIVE;
- if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) {
- SANDBOX_LOG_ERROR("policy for %s: %d -> %d", aPath, origPerms, newPerms);
- }
- mMap.Put(path, newPerms);
-}
-
-void
-SandboxBroker::Policy::AddPrefix(int aPerms, const char* aDir,
- const char* aPrefix)
-{
- size_t prefixLen = strlen(aPrefix);
- DIR* dirp = opendir(aDir);
- struct dirent* de;
- if (!dirp) {
- return;
- }
- while ((de = readdir(dirp))) {
- if (strncmp(de->d_name, aPrefix, prefixLen) == 0) {
- nsAutoCString subPath;
- subPath.Assign(aDir);
- subPath.Append('/');
- subPath.Append(de->d_name);
- AddPath(aPerms, subPath.get(), AddAlways);
- }
- }
- closedir(dirp);
-}
-
-int
-SandboxBroker::Policy::Lookup(const nsACString& aPath) const
-{
- // Early exit for paths explicitly found in the
- // whitelist.
- // This means they will not gain extra permissions
- // from recursive paths.
- int perms = mMap.Get(aPath);
- if (perms) {
- return perms;
- }
-
- // Not a legally constructed path
- if (!ValidatePath(PromiseFlatCString(aPath).get()))
- return 0;
-
- // Now it's either an illegal access, or a recursive
- // directory permission. We'll have to check the entire
- // whitelist for the best match (slower).
- int allPerms = 0;
- for (auto iter = mMap.ConstIter(); !iter.Done(); iter.Next()) {
- const nsACString& whiteListPath = iter.Key();
- const int& perms = iter.Data();
-
- if (!(perms & RECURSIVE))
- continue;
-
- // passed part starts with something on the whitelist
- if (StringBeginsWith(aPath, whiteListPath)) {
- allPerms |= perms;
- }
- }
-
- // Strip away the RECURSIVE flag as it doesn't
- // necessarily apply to aPath.
- return allPerms & ~RECURSIVE;
-}
-
-static bool
-AllowOperation(int aReqFlags, int aPerms)
-{
- int needed = 0;
- if (aReqFlags & R_OK) {
- needed |= SandboxBroker::MAY_READ;
- }
- if (aReqFlags & W_OK) {
- needed |= SandboxBroker::MAY_WRITE;
- }
- // We don't really allow executing anything,
- // so in true unix tradition we hijack this
- // for directories.
- if (aReqFlags & X_OK) {
- needed |= SandboxBroker::MAY_CREATE;
- }
- return (aPerms & needed) == needed;
-}
-
-static bool
-AllowAccess(int aReqFlags, int aPerms)
-{
- if (aReqFlags & ~(R_OK|W_OK|F_OK)) {
- return false;
- }
- int needed = 0;
- if (aReqFlags & R_OK) {
- needed |= SandboxBroker::MAY_READ;
- }
- if (aReqFlags & W_OK) {
- needed |= SandboxBroker::MAY_WRITE;
- }
- return (aPerms & needed) == needed;
-}
-
-// These flags are added to all opens to prevent possible side-effects
-// on this process. These shouldn't be relevant to the child process
-// in any case due to the sandboxing restrictions on it. (See also
-// the use of MSG_CMSG_CLOEXEC in SandboxBrokerCommon.cpp).
-static const int kRequiredOpenFlags = O_CLOEXEC | O_NOCTTY;
-
-// Linux originally assigned a flag bit to O_SYNC but implemented the
-// semantics standardized as O_DSYNC; later, that bit was renamed and
-// a new bit was assigned to the full O_SYNC, and O_SYNC was redefined
-// to be both bits. As a result, this #define is needed to compensate
-// for outdated kernel headers like Android's.
-#define O_SYNC_NEW 04010000
-static const int kAllowedOpenFlags =
- O_APPEND | O_ASYNC | O_DIRECT | O_DIRECTORY | O_EXCL | O_LARGEFILE
- | O_NOATIME | O_NOCTTY | O_NOFOLLOW | O_NONBLOCK | O_NDELAY | O_SYNC_NEW
- | O_TRUNC | O_CLOEXEC | O_CREAT;
-#undef O_SYNC_NEW
-
-static bool
-AllowOpen(int aReqFlags, int aPerms)
-{
- if (aReqFlags & ~O_ACCMODE & ~kAllowedOpenFlags) {
- return false;
- }
- int needed;
- switch(aReqFlags & O_ACCMODE) {
- case O_RDONLY:
- needed = SandboxBroker::MAY_READ;
- break;
- case O_WRONLY:
- needed = SandboxBroker::MAY_WRITE;
- break;
- case O_RDWR:
- needed = SandboxBroker::MAY_READ | SandboxBroker::MAY_WRITE;
- break;
- default:
- return false;
- }
- if (aReqFlags & O_CREAT) {
- needed |= SandboxBroker::MAY_CREATE;
- }
- return (aPerms & needed) == needed;
-}
-
-static int
-DoStat(const char* aPath, void* aBuff, int aFlags)
-{
- if (aFlags & O_NOFOLLOW) {
- return lstatsyscall(aPath, (statstruct*)aBuff);
- }
- return statsyscall(aPath, (statstruct*)aBuff);
-}
-
-static int
-DoLink(const char* aPath, const char* aPath2,
- SandboxBrokerCommon::Operation aOper)
-{
- if (aOper == SandboxBrokerCommon::Operation::SANDBOX_FILE_LINK) {
- return link(aPath, aPath2);
- } else if (aOper == SandboxBrokerCommon::Operation::SANDBOX_FILE_SYMLINK) {
- return symlink(aPath, aPath2);
- }
- MOZ_CRASH("SandboxBroker: Unknown link operation");
-}
-
-size_t
-SandboxBroker::ConvertToRealPath(char* aPath, size_t aBufSize, size_t aPathLen)
-{
- if (strstr(aPath, "..") != NULL) {
- char* result = realpath(aPath, NULL);
- if (result != NULL) {
- strncpy(aPath, result, aBufSize);
- aPath[aBufSize - 1] = '\0';
- free(result);
- // Size changed, but guaranteed to be 0 terminated
- aPathLen = strlen(aPath);
- }
- // ValidatePath will handle failure to translate
- }
- return aPathLen;
-}
-
-void
-SandboxBroker::ThreadMain(void)
-{
- char threadName[16];
- SprintfLiteral(threadName, "FS Broker %d", mChildPid);
- PlatformThread::SetName(threadName);
-
- // Permissive mode can only be enabled through an environment variable,
- // therefore it is sufficient to fetch the value once
- // before the main thread loop starts
- bool permissive = SandboxInfo::Get().Test(SandboxInfo::kPermissive);
-
-#ifdef MOZ_WIDGET_GONK
-#ifdef __NR_setreuid32
- static const long nr_setreuid = __NR_setreuid32;
- static const long nr_setregid = __NR_setregid32;
-#else
- static const long nr_setreuid = __NR_setreuid;
- static const long nr_setregid = __NR_setregid;
-#endif
- if (syscall(nr_setregid, getgid(), AID_APP + mChildPid) != 0 ||
- syscall(nr_setreuid, getuid(), AID_APP + mChildPid) != 0) {
- MOZ_CRASH("SandboxBroker: failed to drop privileges");
- }
-#endif
-
- while (true) {
- struct iovec ios[2];
- // We will receive the path strings in 1 buffer and split them back up.
- char recvBuf[2 * (kMaxPathLen + 1)];
- char pathBuf[kMaxPathLen + 1];
- char pathBuf2[kMaxPathLen + 1];
- size_t pathLen;
- size_t pathLen2;
- char respBuf[kMaxPathLen + 1]; // Also serves as struct stat
- Request req;
- Response resp;
- int respfd;
-
- // Make sure stat responses fit in the response buffer
- MOZ_ASSERT((kMaxPathLen + 1) > sizeof(struct stat));
-
- // This makes our string handling below a bit less error prone.
- memset(recvBuf, 0, sizeof(recvBuf));
-
- ios[0].iov_base = &req;
- ios[0].iov_len = sizeof(req);
- ios[1].iov_base = recvBuf;
- ios[1].iov_len = sizeof(recvBuf);
-
- const ssize_t recvd = RecvWithFd(mFileDesc, ios, 2, &respfd);
- if (recvd == 0) {
- if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) {
- SANDBOX_LOG_ERROR("EOF from pid %d", mChildPid);
- }
- break;
- }
- // It could be possible to continue after errors and short reads,
- // at least in some cases, but protocol violation indicates a
- // hostile client, so terminate the broker instead.
- if (recvd < 0) {
- SANDBOX_LOG_ERROR("bad read from pid %d: %s",
- mChildPid, strerror(errno));
- shutdown(mFileDesc, SHUT_RD);
- break;
- }
- if (recvd < static_cast<ssize_t>(sizeof(req))) {
- SANDBOX_LOG_ERROR("bad read from pid %d (%d < %d)",
- mChildPid, recvd, sizeof(req));
- shutdown(mFileDesc, SHUT_RD);
- break;
- }
- if (respfd == -1) {
- SANDBOX_LOG_ERROR("no response fd from pid %d", mChildPid);
- shutdown(mFileDesc, SHUT_RD);
- break;
- }
-
- // Initialize the response with the default failure.
- memset(&resp, 0, sizeof(resp));
- memset(&respBuf, 0, sizeof(respBuf));
- resp.mError = -EACCES;
- ios[0].iov_base = &resp;
- ios[0].iov_len = sizeof(resp);
- ios[1].iov_base = nullptr;
- ios[1].iov_len = 0;
- int openedFd = -1;
-
- // Clear permissions
- int perms;
-
- // Find end of first string, make sure the buffer is still
- // 0 terminated.
- size_t recvBufLen = static_cast<size_t>(recvd) - sizeof(req);
- if (recvBufLen > 0 && recvBuf[recvBufLen - 1] != 0) {
- SANDBOX_LOG_ERROR("corrupted path buffer from pid %d", mChildPid);
- shutdown(mFileDesc, SHUT_RD);
- break;
- }
-
- // First path should fit in maximum path length buffer.
- size_t first_len = strlen(recvBuf);
- if (first_len <= kMaxPathLen) {
- strcpy(pathBuf, recvBuf);
- // Skip right over the terminating 0, and try to copy in the
- // second path, if any. If there's no path, this will hit a
- // 0 immediately (we nulled the buffer before receiving).
- // We do not assume the second path is 0-terminated, this is
- // enforced below.
- strncpy(pathBuf2, recvBuf + first_len + 1, kMaxPathLen + 1);
-
- // First string is guaranteed to be 0-terminated.
- pathLen = first_len;
-
- // Look up the first pathname but first translate relative paths.
- pathLen = ConvertToRealPath(pathBuf, sizeof(pathBuf), pathLen);
- perms = mPolicy->Lookup(nsDependentCString(pathBuf, pathLen));
-
- // Same for the second path.
- pathLen2 = strnlen(pathBuf2, kMaxPathLen);
- if (pathLen2 > 0) {
- // Force 0 termination.
- pathBuf2[pathLen2] = '\0';
- pathLen2 = ConvertToRealPath(pathBuf2, sizeof(pathBuf2), pathLen2);
- int perms2 = mPolicy->Lookup(nsDependentCString(pathBuf2, pathLen2));
-
- // Take the intersection of the permissions for both paths.
- perms &= perms2;
- }
- } else {
- // Failed to receive intelligible paths.
- perms = 0;
- }
-
- // And now perform the operation if allowed.
- if (perms & CRASH_INSTEAD) {
- // This is somewhat nonmodular, but it works.
- resp.mError = -ENOSYS;
- } else if (permissive || perms & MAY_ACCESS) {
- // If the operation was only allowed because of permissive mode, log it.
- if (permissive && !(perms & MAY_ACCESS)) {
- AuditPermissive(req.mOp, req.mFlags, perms, pathBuf);
- }
-
- switch(req.mOp) {
- case SANDBOX_FILE_OPEN:
- if (permissive || AllowOpen(req.mFlags, perms)) {
- // Permissions for O_CREAT hardwired to 0600; if that's
- // ever a problem we can change the protocol (but really we
- // should be trying to remove uses of MAY_CREATE, not add
- // new ones).
- openedFd = open(pathBuf, req.mFlags | kRequiredOpenFlags, 0600);
- if (openedFd >= 0) {
- resp.mError = 0;
- } else {
- resp.mError = -errno;
- }
- } else {
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
- break;
-
- case SANDBOX_FILE_ACCESS:
- if (permissive || AllowAccess(req.mFlags, perms)) {
- // This can't use access() itself because that uses the ruid
- // and not the euid. In theory faccessat() with AT_EACCESS
- // would work, but Linux doesn't actually implement the
- // flags != 0 case; glibc has a hack which doesn't even work
- // in this case so it'll ignore the flag, and Bionic just
- // passes through the syscall and always ignores the flags.
- //
- // Instead, because we've already checked the requested
- // r/w/x bits against the policy, just return success if the
- // file exists and hope that's close enough.
- if (stat(pathBuf, (struct stat*)&respBuf) == 0) {
- resp.mError = 0;
- } else {
- resp.mError = -errno;
- }
- } else {
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
- break;
-
- case SANDBOX_FILE_STAT:
- if (DoStat(pathBuf, (struct stat*)&respBuf, req.mFlags) == 0) {
- resp.mError = 0;
- ios[1].iov_base = &respBuf;
- ios[1].iov_len = req.mBufSize;
- } else {
- resp.mError = -errno;
- }
- break;
-
- case SANDBOX_FILE_CHMOD:
- if (permissive || AllowOperation(W_OK, perms)) {
- if (chmod(pathBuf, req.mFlags) == 0) {
- resp.mError = 0;
- } else {
- resp.mError = -errno;
- }
- } else {
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
- break;
-
- case SANDBOX_FILE_LINK:
- case SANDBOX_FILE_SYMLINK:
- if (permissive || AllowOperation(W_OK, perms)) {
- if (DoLink(pathBuf, pathBuf2, req.mOp) == 0) {
- resp.mError = 0;
- } else {
- resp.mError = -errno;
- }
- } else {
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
- break;
-
- case SANDBOX_FILE_RENAME:
- if (permissive || AllowOperation(W_OK, perms)) {
- if (rename(pathBuf, pathBuf2) == 0) {
- resp.mError = 0;
- } else {
- resp.mError = -errno;
- }
- } else {
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
- break;
-
- case SANDBOX_FILE_MKDIR:
- if (permissive || AllowOperation(W_OK | X_OK, perms)) {
- if (mkdir(pathBuf, req.mFlags) == 0) {
- resp.mError = 0;
- } else {
- resp.mError = -errno;
- }
- } else {
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
- break;
-
- case SANDBOX_FILE_UNLINK:
- if (permissive || AllowOperation(W_OK, perms)) {
- if (unlink(pathBuf) == 0) {
- resp.mError = 0;
- } else {
- resp.mError = -errno;
- }
- } else {
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
- break;
-
- case SANDBOX_FILE_RMDIR:
- if (permissive || AllowOperation(W_OK | X_OK, perms)) {
- if (rmdir(pathBuf) == 0) {
- resp.mError = 0;
- } else {
- resp.mError = -errno;
- }
- } else {
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
- break;
-
- case SANDBOX_FILE_READLINK:
- if (permissive || AllowOperation(R_OK, perms)) {
- ssize_t respSize = readlink(pathBuf, (char*)&respBuf, sizeof(respBuf));
- if (respSize >= 0) {
- resp.mError = respSize;
- ios[1].iov_base = &respBuf;
- ios[1].iov_len = respSize;
- } else {
- resp.mError = -errno;
- }
- } else {
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
- break;
- }
- } else {
- MOZ_ASSERT(perms == 0);
- AuditDenial(req.mOp, req.mFlags, perms, pathBuf);
- }
-
- const size_t numIO = ios[1].iov_len > 0 ? 2 : 1;
- DebugOnly<const ssize_t> sent = SendWithFd(respfd, ios, numIO, openedFd);
- close(respfd);
- MOZ_ASSERT(sent < 0 ||
- static_cast<size_t>(sent) == ios[0].iov_len + ios[1].iov_len);
-
- if (openedFd >= 0) {
- close(openedFd);
- }
- }
-}
-
-void
-SandboxBroker::AuditPermissive(int aOp, int aFlags, int aPerms, const char* aPath)
-{
- MOZ_RELEASE_ASSERT(SandboxInfo::Get().Test(SandboxInfo::kPermissive));
-
- struct stat statBuf;
-
- if (lstat(aPath, &statBuf) == 0) {
- // Path exists, set errno to 0 to indicate "success".
- errno = 0;
- }
-
- SANDBOX_LOG_ERROR("SandboxBroker: would have denied op=%d rflags=%o perms=%d path=%s for pid=%d" \
- " permissive=1 error=\"%s\"", aOp, aFlags, aPerms,
- aPath, mChildPid, strerror(errno));
-}
-
-void
-SandboxBroker::AuditDenial(int aOp, int aFlags, int aPerms, const char* aPath)
-{
- if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) {
- SANDBOX_LOG_ERROR("SandboxBroker: denied op=%d rflags=%o perms=%d path=%s for pid=%d" \
- " error=\"%s\"", aOp, aFlags, aPerms, aPath, mChildPid,
- strerror(errno));
- }
-}
-
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/broker/SandboxBroker.h b/security/sandbox/linux/broker/SandboxBroker.h
deleted file mode 100644
index bb4570a64..000000000
--- a/security/sandbox/linux/broker/SandboxBroker.h
+++ /dev/null
@@ -1,132 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxBroker_h
-#define mozilla_SandboxBroker_h
-
-#include "mozilla/SandboxBrokerCommon.h"
-
-#include "base/platform_thread.h"
-#include "mozilla/Attributes.h"
-#include "mozilla/UniquePtr.h"
-#include "nsDataHashtable.h"
-#include "nsHashKeys.h"
-#include "nsString.h"
-
-namespace mozilla {
-
-namespace ipc {
-class FileDescriptor;
-}
-
-// This class implements a broker for filesystem operations requested
-// by a sandboxed child process -- opening files and accessing their
-// metadata. (This is necessary in order to restrict access by path;
-// seccomp-bpf can filter only on argument register values, not
-// parameters passed in memory like pathnames.)
-//
-// The broker currently runs on a thread in the parent process (with
-// effective uid changed on B2G), which is for memory efficiency
-// (compared to forking a process) and simplicity (compared to having
-// a separate executable and serializing/deserializing the policy).
-//
-// See also ../SandboxBrokerClient.h for the corresponding client.
-
-class SandboxBroker final
- : private SandboxBrokerCommon
- , public PlatformThread::Delegate
-{
- public:
- enum Perms {
- MAY_ACCESS = 1 << 0,
- MAY_READ = 1 << 1,
- MAY_WRITE = 1 << 2,
- MAY_CREATE = 1 << 3,
- // This flag is for testing policy changes -- when the client is
- // used with the seccomp-bpf integration, an access to this file
- // will invoke a crash dump with the context of the syscall.
- // (This overrides all other flags.)
- CRASH_INSTEAD = 1 << 4,
- // Applies to everything below this path, including subdirs created
- // at runtime
- RECURSIVE = 1 << 5,
- };
- // Bitwise operations on enum values return ints, so just use int in
- // the hash table type (and below) to avoid cluttering code with casts.
- typedef nsDataHashtable<nsCStringHashKey, int> PathMap;
-
- class Policy {
- PathMap mMap;
- public:
- Policy();
- Policy(const Policy& aOther);
- ~Policy();
-
- enum AddCondition {
- AddIfExistsNow,
- AddAlways,
- };
- // Typically, files that don't exist at policy creation time don't
- // need to be whitelisted, but this allows adding entries for
- // them if they'll exist later. See also the overload below.
- void AddPath(int aPerms, const char* aPath, AddCondition aCond);
- // This adds all regular files (not directories) in the tree
- // rooted at the given path.
- void AddTree(int aPerms, const char* aPath);
- // A directory, and all files and directories under it, even those
- // added after creation (the dir itself must exist).
- void AddDir(int aPerms, const char* aPath);
- // All files in a directory with a given prefix; useful for devices.
- void AddPrefix(int aPerms, const char* aDir, const char* aPrefix);
- // Default: add file if it exists when creating policy or if we're
- // conferring permission to create it (log files, etc.).
- void AddPath(int aPerms, const char* aPath) {
- AddPath(aPerms, aPath,
- (aPerms & MAY_CREATE) ? AddAlways : AddIfExistsNow);
- }
- int Lookup(const nsACString& aPath) const;
- int Lookup(const char* aPath) const {
- return Lookup(nsDependentCString(aPath));
- }
- private:
- // ValidatePath checks |path| and returns true if these conditions are met
- // * Greater than 0 length
- // * Is an absolute path
- // * No trailing slash
- // * No /../ path traversal
- bool ValidatePath(const char* path) const;
- };
-
- // Constructing a broker involves creating a socketpair and a
- // background thread to handle requests, so it can fail. If this
- // returns nullptr, do not use the value of aClientFdOut.
- static UniquePtr<SandboxBroker>
- Create(UniquePtr<const Policy> aPolicy, int aChildPid,
- ipc::FileDescriptor& aClientFdOut);
- virtual ~SandboxBroker();
-
- private:
- PlatformThreadHandle mThread;
- int mFileDesc;
- const int mChildPid;
- const UniquePtr<const Policy> mPolicy;
-
- SandboxBroker(UniquePtr<const Policy> aPolicy, int aChildPid,
- int& aClientFd);
- void ThreadMain(void) override;
- void AuditPermissive(int aOp, int aFlags, int aPerms, const char* aPath);
- void AuditDenial(int aOp, int aFlags, int aPerms, const char* aPath);
- // Remap relative paths to absolute paths.
- size_t ConvertToRealPath(char* aPath, size_t aBufSize, size_t aPathLen);
-
- // Holding a UniquePtr should disallow copying, but to make that explicit:
- SandboxBroker(const SandboxBroker&) = delete;
- void operator=(const SandboxBroker&) = delete;
-};
-
-} // namespace mozilla
-
-#endif // mozilla_SandboxBroker_h
diff --git a/security/sandbox/linux/broker/SandboxBrokerCommon.cpp b/security/sandbox/linux/broker/SandboxBrokerCommon.cpp
deleted file mode 100644
index fe7bc8c45..000000000
--- a/security/sandbox/linux/broker/SandboxBrokerCommon.cpp
+++ /dev/null
@@ -1,120 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxBrokerCommon.h"
-
-#include "mozilla/Assertions.h"
-
-#include <errno.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#ifndef MSG_CMSG_CLOEXEC
-#ifdef XP_LINUX
-// As always, Android's kernel headers are somewhat old.
-#define MSG_CMSG_CLOEXEC 0x40000000
-#else
-// Most of this code can support other POSIX OSes, but being able to
-// receive fds and atomically make them close-on-exec is important,
-// because this is running in a multithreaded process that can fork.
-// In the future, if the broker becomes a dedicated executable, this
-// can change.
-#error "No MSG_CMSG_CLOEXEC?"
-#endif // XP_LINUX
-#endif // MSG_CMSG_CLOEXEC
-
-namespace mozilla {
-
-/* static */ ssize_t
-SandboxBrokerCommon::RecvWithFd(int aFd, const iovec* aIO, size_t aNumIO,
- int* aPassedFdPtr)
-{
- struct msghdr msg = {};
- msg.msg_iov = const_cast<iovec*>(aIO);
- msg.msg_iovlen = aNumIO;
-
- char cmsg_buf[CMSG_SPACE(sizeof(int))];
- if (aPassedFdPtr) {
- msg.msg_control = cmsg_buf;
- msg.msg_controllen = sizeof(cmsg_buf);
- *aPassedFdPtr = -1;
- }
-
- ssize_t rv;
- do {
- // MSG_CMSG_CLOEXEC is needed to prevent the parent process from
- // accidentally leaking a copy of the child's response socket to a
- // new child process. (The child won't be able to exec, so this
- // doesn't matter as much for that direction.)
- rv = recvmsg(aFd, &msg, MSG_CMSG_CLOEXEC);
- } while (rv < 0 && errno == EINTR);
-
- if (rv <= 0) {
- return rv;
- }
- if (msg.msg_controllen > 0) {
- MOZ_ASSERT(aPassedFdPtr);
- struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
- if (cmsg->cmsg_level == SOL_SOCKET &&
- cmsg->cmsg_type == SCM_RIGHTS) {
- int* fds = reinterpret_cast<int*>(CMSG_DATA(cmsg));
- if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) {
- // A client could, for example, send an extra 32-bit int if
- // CMSG_SPACE pads to 64-bit size_t alignment. If so, treat
- // it as an error, but also don't leak the fds.
- for (size_t i = 0; CMSG_LEN(sizeof(int) * i) < cmsg->cmsg_len; ++i) {
- close(fds[i]);
- }
- errno = EMSGSIZE;
- return -1;
- }
- *aPassedFdPtr = fds[0];
- } else {
- errno = EPROTO;
- return -1;
- }
- }
- if (msg.msg_flags & (MSG_TRUNC | MSG_CTRUNC)) {
- if (aPassedFdPtr && *aPassedFdPtr >= 0) {
- close(*aPassedFdPtr);
- *aPassedFdPtr = -1;
- }
- errno = EMSGSIZE;
- return -1;
- }
-
- return rv;
-}
-
-/* static */ ssize_t
-SandboxBrokerCommon::SendWithFd(int aFd, const iovec* aIO, size_t aNumIO,
- int aPassedFd)
-{
- struct msghdr msg = {};
- msg.msg_iov = const_cast<iovec*>(aIO);
- msg.msg_iovlen = aNumIO;
-
- char cmsg_buf[CMSG_SPACE(sizeof(int))];
- if (aPassedFd != -1) {
- msg.msg_control = cmsg_buf;
- msg.msg_controllen = sizeof(cmsg_buf);
- struct cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
- cmsg->cmsg_level = SOL_SOCKET;
- cmsg->cmsg_type = SCM_RIGHTS;
- cmsg->cmsg_len = CMSG_LEN(sizeof(int));
- *reinterpret_cast<int*>(CMSG_DATA(cmsg)) = aPassedFd;
- }
-
- ssize_t rv;
- do {
- rv = sendmsg(aFd, &msg, MSG_NOSIGNAL);
- } while (rv < 0 && errno == EINTR);
-
- return rv;
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/broker/SandboxBrokerCommon.h b/security/sandbox/linux/broker/SandboxBrokerCommon.h
deleted file mode 100644
index dbd17e0b9..000000000
--- a/security/sandbox/linux/broker/SandboxBrokerCommon.h
+++ /dev/null
@@ -1,72 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxBrokerCommon_h
-#define mozilla_SandboxBrokerCommon_h
-
-#include <sys/types.h>
-
-struct iovec;
-
-// This file defines the protocol between the filesystem broker,
-// described in SandboxBroker.h, and its client, described in
-// ../SandboxBrokerClient.h; and it defines some utility functions
-// used by both.
-//
-// In order to keep the client simple while allowing it to be thread
-// safe and async signal safe, the main broker socket is used only for
-// requests; responses arrive on a per-request socketpair sent with
-// the request. (This technique is also used by Chromium and Breakpad.)
-
-namespace mozilla {
-
-class SandboxBrokerCommon {
-public:
- enum Operation {
- SANDBOX_FILE_OPEN,
- SANDBOX_FILE_ACCESS,
- SANDBOX_FILE_STAT,
- SANDBOX_FILE_CHMOD,
- SANDBOX_FILE_LINK,
- SANDBOX_FILE_SYMLINK,
- SANDBOX_FILE_MKDIR,
- SANDBOX_FILE_RENAME,
- SANDBOX_FILE_RMDIR,
- SANDBOX_FILE_UNLINK,
- SANDBOX_FILE_READLINK,
- };
-
- struct Request {
- Operation mOp;
- // For open, flags; for access, "mode"; for stat, O_NOFOLLOW for lstat.
- int mFlags;
- // Size of return value buffer, if any
- size_t mBufSize;
- // The rest of the packet is the pathname.
- // SCM_RIGHTS for response socket attached.
- };
-
- struct Response {
- // Syscall result, -errno if failure, or 0 for no error
- int mError;
- // Followed by struct stat for stat/lstat.
- // SCM_RIGHTS attached for successful open.
- };
-
- // This doesn't need to be the system's maximum path length, just
- // the largest path that would be allowed by any policy. (It's used
- // to size a stack-allocated buffer.)
- static const size_t kMaxPathLen = 4096;
-
- static ssize_t RecvWithFd(int aFd, const iovec* aIO, size_t aNumIO,
- int* aPassedFdPtr);
- static ssize_t SendWithFd(int aFd, const iovec* aIO, size_t aNumIO,
- int aPassedFd);
-};
-
-} // namespace mozilla
-
-#endif // mozilla_SandboxBrokerCommon_h
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
deleted file mode 100644
index c3a15ea3d..000000000
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp
+++ /dev/null
@@ -1,50 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxBrokerPolicyFactory.h"
-#include "SandboxInfo.h"
-
-#include "mozilla/ClearOnShutdown.h"
-#include "mozilla/Preferences.h"
-#include "nsPrintfCString.h"
-#include "nsString.h"
-#include "nsThreadUtils.h"
-#include "nsXULAppAPI.h"
-#include "SpecialSystemDirectory.h"
-
-#ifdef ANDROID
-#include "cutils/properties.h"
-#endif
-
-namespace mozilla {
-
-/* static */ bool
-SandboxBrokerPolicyFactory::IsSystemSupported() {
-#ifdef ANDROID
- char hardware[PROPERTY_VALUE_MAX];
- int length = property_get("ro.hardware", hardware, nullptr);
- // "goldfish" -> emulator. Other devices can be added when we're
- // reasonably sure they work. Eventually this won't be needed....
- if (length > 0 && strcmp(hardware, "goldfish") == 0) {
- return true;
- }
-
- // When broker is running in permissive mode, we enable it
- // automatically regardless of the device.
- if (SandboxInfo::Get().Test(SandboxInfo::kPermissive)) {
- return true;
- }
-#endif
- return false;
-}
-
-SandboxBrokerPolicyFactory::SandboxBrokerPolicyFactory()
-{
- // Policy entries that are the same in every process go here, and
- // are cached over the lifetime of the factory.
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h b/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
deleted file mode 100644
index bf9be9856..000000000
--- a/security/sandbox/linux/broker/SandboxBrokerPolicyFactory.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_SandboxBrokerPolicyFactory_h
-#define mozilla_SandboxBrokerPolicyFactory_h
-
-#include "mozilla/SandboxBroker.h"
-
-namespace mozilla {
-
-class SandboxBrokerPolicyFactory {
-public:
- SandboxBrokerPolicyFactory();
-
-private:
- UniquePtr<const SandboxBroker::Policy> mCommonContentPolicy;
- // B2G devices tend to have hardware-specific paths used by device
- // drivers, so rollout of filesystem isolation will need per-device
- // testing. This predicate allows that to happen gradually.
- static bool IsSystemSupported();
-};
-
-} // namespace mozilla
-
-#endif // mozilla_SandboxBrokerPolicyFactory_h
diff --git a/security/sandbox/linux/broker/SandboxBrokerUtils.h b/security/sandbox/linux/broker/SandboxBrokerUtils.h
deleted file mode 100644
index 1db4f4411..000000000
--- a/security/sandbox/linux/broker/SandboxBrokerUtils.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-#ifndef mozilla_SandboxBrokerUtils_h
-#define mozilla_SandboxBrokerUtils_h
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include "sandbox/linux/system_headers/linux_syscalls.h"
-
-// On 32-bit Linux, stat calls are translated by libc into stat64
-// calls. We'll intercept those and handle them in the stat functions
-// but must be sure to use the right structure layout.
-
-#if defined(__NR_stat64)
-typedef struct stat64 statstruct;
-#define statsyscall stat64
-#define lstatsyscall lstat64
-#elif defined(__NR_stat)
-typedef struct stat statstruct;
-#define statsyscall stat
-#define lstatsyscall lstat
-#else
-#error Missing stat syscall include.
-#endif
-
-#endif // mozilla_SandboxBrokerUtils_h
diff --git a/security/sandbox/linux/broker/moz.build b/security/sandbox/linux/broker/moz.build
deleted file mode 100644
index 343a5cfad..000000000
--- a/security/sandbox/linux/broker/moz.build
+++ /dev/null
@@ -1,37 +0,0 @@
-# -*- Mode: python; python-indent: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-EXPORTS.mozilla += [
- 'SandboxBroker.h',
- 'SandboxBrokerCommon.h',
- 'SandboxBrokerPolicyFactory.h',
-]
-
-SOURCES += [
- 'SandboxBroker.cpp',
- 'SandboxBrokerCommon.cpp',
- 'SandboxBrokerPolicyFactory.cpp',
-]
-
-if CONFIG['OS_TARGET'] == 'Android':
- if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'gonk':
- DEFINES['HAVE_ANDROID_OS'] = True
-
-LOCAL_INCLUDES += [
- '/security/sandbox/linux', # SandboxLogging.h, SandboxInfo.h
-]
-
-# Need this for mozilla::ipc::FileDescriptor etc.
-include('/ipc/chromium/chromium-config.mozbuild')
-
-# Need this for safe_sprintf.h used by SandboxLogging.h,
-# but it has to be after ipc/chromium/src.
-LOCAL_INCLUDES += [
- '/security/sandbox/chromium',
-]
-
-
-FINAL_LIBRARY = 'xul'
diff --git a/security/sandbox/linux/glue/SandboxCrash.cpp b/security/sandbox/linux/glue/SandboxCrash.cpp
deleted file mode 100644
index 8ead16bdf..000000000
--- a/security/sandbox/linux/glue/SandboxCrash.cpp
+++ /dev/null
@@ -1,131 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// This file needs to be linked into libxul, so it can access the JS
-// stack and the crash reporter. Everything else in this directory
-// should be able to be linked into its own shared library, in order
-// to be able to isolate sandbox/chromium from ipc/chromium.
-
-#include "SandboxInternal.h"
-#include "SandboxLogging.h"
-
-#include <unistd.h>
-#include <sys/syscall.h>
-
-#include "mozilla/Unused.h"
-#include "mozilla/dom/Exceptions.h"
-#include "nsContentUtils.h"
-#include "mozilla/StackWalk.h"
-#include "nsString.h"
-#include "nsThreadUtils.h"
-
-namespace mozilla {
-
-// Log JS stack info in the same place as the sandbox violation
-// message. Useful in case the responsible code is JS and all we have
-// are logs and a minidump with the C++ stacks (e.g., on TBPL).
-static void
-SandboxLogJSStack(void)
-{
- if (!NS_IsMainThread()) {
- // This might be a worker thread... or it might be a non-JS
- // thread, or a non-NSPR thread. There's isn't a good API for
- // dealing with this, yet.
- return;
- }
- if (!nsContentUtils::XPConnect()) {
- // There is no content (e.g., the process is a media plugin), in
- // which case this will probably crash and definitely not work.
- return;
- }
- nsCOMPtr<nsIStackFrame> frame = dom::GetCurrentJSStack();
- // If we got a stack, we must have a current JSContext. This is icky. :(
- // Would be better if GetCurrentJSStack() handed out the JSContext it ended up
- // using or something.
- JSContext* cx = frame ? nsContentUtils::GetCurrentJSContext() : nullptr;
- for (int i = 0; frame != nullptr; ++i) {
- nsAutoString fileName, funName;
- int32_t lineNumber;
-
- // Don't stop unwinding if an attribute can't be read.
- fileName.SetIsVoid(true);
- Unused << frame->GetFilename(cx, fileName);
- lineNumber = 0;
- Unused << frame->GetLineNumber(cx, &lineNumber);
- funName.SetIsVoid(true);
- Unused << frame->GetName(cx, funName);
-
- if (!funName.IsVoid() || !fileName.IsVoid()) {
- SANDBOX_LOG_ERROR("JS frame %d: %s %s line %d", i,
- funName.IsVoid() ?
- "(anonymous)" : NS_ConvertUTF16toUTF8(funName).get(),
- fileName.IsVoid() ?
- "(no file)" : NS_ConvertUTF16toUTF8(fileName).get(),
- lineNumber);
- }
-
- nsCOMPtr<nsIStackFrame> nextFrame;
- nsresult rv = frame->GetCaller(cx, getter_AddRefs(nextFrame));
- NS_ENSURE_SUCCESS_VOID(rv);
- frame = nextFrame;
- }
-}
-
-static void SandboxPrintStackFrame(uint32_t aFrameNumber, void *aPC, void *aSP,
- void *aClosure)
-{
- char buf[1024];
- MozCodeAddressDetails details;
-
- MozDescribeCodeAddress(aPC, &details);
- MozFormatCodeAddressDetails(buf, sizeof(buf), aFrameNumber, aPC, &details);
- SANDBOX_LOG_ERROR("frame %s", buf);
-}
-
-static void
-SandboxLogCStack()
-{
- // Skip 3 frames: one for this module, one for the signal handler in
- // libmozsandbox, and one for the signal trampoline.
- //
- // Warning: this might not print any stack frames. MozStackWalk
- // can't walk past the signal trampoline on ARM (bug 968531), and
- // x86 frame pointer walking may or may not work (bug 1082276).
-
- MozStackWalk(SandboxPrintStackFrame, /* skip */ 3, /* max */ 0,
- nullptr, 0, nullptr);
- SANDBOX_LOG_ERROR("end of stack.");
-}
-
-static void
-SandboxCrash(int nr, siginfo_t *info, void *void_context)
-{
- pid_t pid = getpid(), tid = syscall(__NR_gettid);
- bool dumped = false;
-
- if (!dumped) {
- SANDBOX_LOG_ERROR("crash reporter is disabled (or failed);"
- " trying stack trace:");
- SandboxLogCStack();
- }
-
- // Do this last, in case it crashes or deadlocks.
- SandboxLogJSStack();
-
- // Try to reraise, so the parent sees that this process crashed.
- // (If tgkill is forbidden, then seccomp will raise SIGSYS, which
- // also accomplishes that goal.)
- signal(SIGSYS, SIG_DFL);
- syscall(__NR_tgkill, pid, tid, nr);
-}
-
-static void __attribute__((constructor))
-SandboxSetCrashFunc()
-{
- gSandboxCrashFunc = SandboxCrash;
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/glue/moz.build b/security/sandbox/linux/glue/moz.build
deleted file mode 100644
index 0d40dcd63..000000000
--- a/security/sandbox/linux/glue/moz.build
+++ /dev/null
@@ -1,29 +0,0 @@
-# -*- Mode: python; python-indent: 4; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOURCES += [
- '../../chromium/base/strings/safe_sprintf.cc',
- '../SandboxLogging.cpp',
- 'SandboxCrash.cpp',
-]
-
-# Avoid Chromium logging dependency, because this is going into
-# libxul. See also the comment in SandboxLogging.h.
-SOURCES['../../chromium/base/strings/safe_sprintf.cc'].flags += ['-DNDEBUG']
-
-LOCAL_INCLUDES += [
- '/security/sandbox/chromium',
- '/security/sandbox/linux',
-]
-
-USE_LIBS += [
- 'mozsandbox',
-]
-
-FINAL_LIBRARY = 'xul'
-
-if CONFIG['GNU_CXX']:
- CXXFLAGS += ['-Wno-error=shadow']
diff --git a/security/sandbox/linux/gtest/TestBroker.cpp b/security/sandbox/linux/gtest/TestBroker.cpp
deleted file mode 100644
index a311e181a..000000000
--- a/security/sandbox/linux/gtest/TestBroker.cpp
+++ /dev/null
@@ -1,626 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "gtest/gtest.h"
-
-#include "broker/SandboxBroker.h"
-#include "broker/SandboxBrokerUtils.h"
-#include "SandboxBrokerClient.h"
-
-#include <errno.h>
-#include <fcntl.h>
-#include <pthread.h>
-#include <stdlib.h>
-#include <sched.h>
-#include <semaphore.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <time.h>
-#include <unistd.h>
-
-#include "mozilla/Atomics.h"
-#include "mozilla/NullPtr.h"
-#include "mozilla/PodOperations.h"
-#include "mozilla/UniquePtr.h"
-#include "mozilla/ipc/FileDescriptor.h"
-
-namespace mozilla {
-
-static const int MAY_ACCESS = SandboxBroker::MAY_ACCESS;
-static const int MAY_READ = SandboxBroker::MAY_READ;
-static const int MAY_WRITE = SandboxBroker::MAY_WRITE;
-static const int MAY_CREATE = SandboxBroker::MAY_CREATE;
-static const auto AddAlways = SandboxBroker::Policy::AddAlways;
-
-class SandboxBrokerTest : public ::testing::Test
-{
- UniquePtr<SandboxBroker> mServer;
- UniquePtr<SandboxBrokerClient> mClient;
-
- UniquePtr<const SandboxBroker::Policy> GetPolicy() const;
-
- template<class C, void (C::* Main)()>
- static void* ThreadMain(void* arg) {
- (static_cast<C*>(arg)->*Main)();
- return nullptr;
- }
-
-protected:
- int Open(const char* aPath, int aFlags) {
- return mClient->Open(aPath, aFlags);
- }
- int Access(const char* aPath, int aMode) {
- return mClient->Access(aPath, aMode);
- }
- int Stat(const char* aPath, statstruct* aStat) {
- return mClient->Stat(aPath, aStat);
- }
- int LStat(const char* aPath, statstruct* aStat) {
- return mClient->LStat(aPath, aStat);
- }
- int Chmod(const char* aPath, int aMode) {
- return mClient->Chmod(aPath, aMode);
- }
- int Link(const char* aPath, const char* bPath) {
- return mClient->Link(aPath, bPath);
- }
- int Mkdir(const char* aPath, int aMode) {
- return mClient->Mkdir(aPath, aMode);
- }
- int Symlink(const char* aPath, const char* bPath) {
- return mClient->Symlink(aPath, bPath);
- }
- int Rename(const char* aPath, const char* bPath) {
- return mClient->Rename(aPath, bPath);
- }
- int Rmdir(const char* aPath) {
- return mClient->Rmdir(aPath);
- }
- int Unlink(const char* aPath) {
- return mClient->Unlink(aPath);
- }
- ssize_t Readlink(const char* aPath, char* aBuff, size_t aSize) {
- return mClient->Readlink(aPath, aBuff, aSize);
- }
-
- virtual void SetUp() {
- ipc::FileDescriptor fd;
-
- mServer = SandboxBroker::Create(GetPolicy(), getpid(), fd);
- ASSERT_NE(mServer, nullptr);
- ASSERT_TRUE(fd.IsValid());
- auto rawFD = fd.ClonePlatformHandle();
- mClient.reset(new SandboxBrokerClient(rawFD.release()));
- }
-
- template<class C, void (C::* Main)()>
- void StartThread(pthread_t *aThread) {
- ASSERT_EQ(0, pthread_create(aThread, nullptr, ThreadMain<C, Main>,
- static_cast<C*>(this)));
- }
-
- template<class C, void (C::* Main)()>
- void RunOnManyThreads() {
- static const int kNumThreads = 5;
- pthread_t threads[kNumThreads];
- for (int i = 0; i < kNumThreads; ++i) {
- StartThread<C, Main>(&threads[i]);
- }
- for (int i = 0; i < kNumThreads; ++i) {
- void* retval;
- ASSERT_EQ(pthread_join(threads[i], &retval), 0);
- ASSERT_EQ(retval, static_cast<void*>(nullptr));
- }
- }
-
-public:
- void MultiThreadOpenWorker();
- void MultiThreadStatWorker();
-};
-
-UniquePtr<const SandboxBroker::Policy>
-SandboxBrokerTest::GetPolicy() const
-{
- UniquePtr<SandboxBroker::Policy> policy(new SandboxBroker::Policy());
-
- policy->AddPath(MAY_READ | MAY_WRITE, "/dev/null", AddAlways);
- policy->AddPath(MAY_READ, "/dev/zero", AddAlways);
- policy->AddPath(MAY_READ, "/var/empty/qwertyuiop", AddAlways);
- policy->AddPath(MAY_ACCESS, "/proc/self", AddAlways); // Warning: Linux-specific.
- policy->AddPath(MAY_READ | MAY_WRITE, "/tmp", AddAlways);
- policy->AddPath(MAY_READ | MAY_WRITE | MAY_CREATE, "/tmp/blublu", AddAlways);
- policy->AddPath(MAY_READ | MAY_WRITE | MAY_CREATE, "/tmp/blublublu", AddAlways);
-
- return Move(policy);
-}
-
-TEST_F(SandboxBrokerTest, OpenForRead)
-{
- int fd;
-
- fd = Open("/dev/null", O_RDONLY);
- ASSERT_GE(fd, 0) << "Opening /dev/null failed.";
- close(fd);
- fd = Open("/dev/zero", O_RDONLY);
- ASSERT_GE(fd, 0) << "Opening /dev/zero failed.";
- close(fd);
- fd = Open("/var/empty/qwertyuiop", O_RDONLY);
- EXPECT_EQ(-ENOENT, fd) << "Opening allowed but nonexistent file succeeded.";
- fd = Open("/proc/self", O_RDONLY);
- EXPECT_EQ(-EACCES, fd) << "Opening stat-only file for read succeeded.";
- fd = Open("/proc/self/stat", O_RDONLY);
- EXPECT_EQ(-EACCES, fd) << "Opening disallowed file succeeded.";
-}
-
-TEST_F(SandboxBrokerTest, OpenForWrite)
-{
- int fd;
-
- fd = Open("/dev/null", O_WRONLY);
- ASSERT_GE(fd, 0) << "Opening /dev/null write-only failed.";
- close(fd);
- fd = Open("/dev/null", O_RDWR);
- ASSERT_GE(fd, 0) << "Opening /dev/null read/write failed.";
- close(fd);
- fd = Open("/dev/zero", O_WRONLY);
- ASSERT_EQ(-EACCES, fd) << "Opening read-only-by-policy file write-only succeeded.";
- fd = Open("/dev/zero", O_RDWR);
- ASSERT_EQ(-EACCES, fd) << "Opening read-only-by-policy file read/write succeeded.";
-}
-
-TEST_F(SandboxBrokerTest, SimpleRead)
-{
- int fd;
- char c;
-
- fd = Open("/dev/null", O_RDONLY);
- ASSERT_GE(fd, 0);
- EXPECT_EQ(0, read(fd, &c, 1));
- close(fd);
- fd = Open("/dev/zero", O_RDONLY);
- ASSERT_GE(fd, 0);
- ASSERT_EQ(1, read(fd, &c, 1));
- EXPECT_EQ(c, '\0');
-}
-
-TEST_F(SandboxBrokerTest, Access)
-{
- EXPECT_EQ(0, Access("/dev/null", F_OK));
- EXPECT_EQ(0, Access("/dev/null", R_OK));
- EXPECT_EQ(0, Access("/dev/null", W_OK));
- EXPECT_EQ(0, Access("/dev/null", R_OK|W_OK));
- EXPECT_EQ(-EACCES, Access("/dev/null", X_OK));
- EXPECT_EQ(-EACCES, Access("/dev/null", R_OK|X_OK));
-
- EXPECT_EQ(0, Access("/dev/zero", R_OK));
- EXPECT_EQ(-EACCES, Access("/dev/zero", W_OK));
- EXPECT_EQ(-EACCES, Access("/dev/zero", R_OK|W_OK));
-
- EXPECT_EQ(-ENOENT, Access("/var/empty/qwertyuiop", R_OK));
- EXPECT_EQ(-EACCES, Access("/var/empty/qwertyuiop", W_OK));
-
- EXPECT_EQ(0, Access("/proc/self", F_OK));
- EXPECT_EQ(-EACCES, Access("/proc/self", R_OK));
-
- EXPECT_EQ(-EACCES, Access("/proc/self/stat", F_OK));
-}
-
-TEST_F(SandboxBrokerTest, Stat)
-{
- statstruct realStat, brokeredStat;
- ASSERT_EQ(0, statsyscall("/dev/null", &realStat)) << "Shouldn't ever fail!";
- EXPECT_EQ(0, Stat("/dev/null", &brokeredStat));
- EXPECT_EQ(realStat.st_ino, brokeredStat.st_ino);
- EXPECT_EQ(realStat.st_rdev, brokeredStat.st_rdev);
-
- EXPECT_EQ(-ENOENT, Stat("/var/empty/qwertyuiop", &brokeredStat));
- EXPECT_EQ(-EACCES, Stat("/dev", &brokeredStat));
-
- EXPECT_EQ(0, Stat("/proc/self", &brokeredStat));
- EXPECT_TRUE(S_ISDIR(brokeredStat.st_mode));
-}
-
-TEST_F(SandboxBrokerTest, LStat)
-{
- statstruct realStat, brokeredStat;
- ASSERT_EQ(0, lstatsyscall("/dev/null", &realStat));
- EXPECT_EQ(0, LStat("/dev/null", &brokeredStat));
- EXPECT_EQ(realStat.st_ino, brokeredStat.st_ino);
- EXPECT_EQ(realStat.st_rdev, brokeredStat.st_rdev);
-
- EXPECT_EQ(-ENOENT, LStat("/var/empty/qwertyuiop", &brokeredStat));
- EXPECT_EQ(-EACCES, LStat("/dev", &brokeredStat));
-
- EXPECT_EQ(0, LStat("/proc/self", &brokeredStat));
- EXPECT_TRUE(S_ISLNK(brokeredStat.st_mode));
-}
-
-static void PrePostTestCleanup(void)
-{
- unlink("/tmp/blublu");
- rmdir("/tmp/blublu");
- unlink("/tmp/nope");
- rmdir("/tmp/nope");
- unlink("/tmp/blublublu");
- rmdir("/tmp/blublublu");
-}
-
-TEST_F(SandboxBrokerTest, Chmod)
-{
- PrePostTestCleanup();
-
- int fd = Open("/tmp/blublu", O_WRONLY | O_CREAT);
- ASSERT_GE(fd, 0) << "Opening /tmp/blublu for writing failed.";
- close(fd);
- // Set read only. SandboxBroker enforces 0600 mode flags.
- ASSERT_EQ(0, Chmod("/tmp/blublu", S_IRUSR));
- // SandboxBroker doesn't use real access(), it just checks against
- // the policy. So it can't see the change in permisions here.
- // This won't work:
- // EXPECT_EQ(-EACCES, Access("/tmp/blublu", W_OK));
- statstruct realStat;
- EXPECT_EQ(0, statsyscall("/tmp/blublu", &realStat));
- EXPECT_EQ((mode_t)S_IRUSR, realStat.st_mode & 0777);
-
- ASSERT_EQ(0, Chmod("/tmp/blublu", S_IRUSR | S_IWUSR));
- EXPECT_EQ(0, statsyscall("/tmp/blublu", &realStat));
- EXPECT_EQ((mode_t)(S_IRUSR | S_IWUSR), realStat.st_mode & 0777);
- EXPECT_EQ(0, unlink("/tmp/blublu"));
-
- PrePostTestCleanup();
-}
-
-TEST_F(SandboxBrokerTest, Link)
-{
- PrePostTestCleanup();
-
- int fd = Open("/tmp/blublu", O_WRONLY | O_CREAT);
- ASSERT_GE(fd, 0) << "Opening /tmp/blublu for writing failed.";
- close(fd);
- ASSERT_EQ(0, Link("/tmp/blublu", "/tmp/blublublu"));
- EXPECT_EQ(0, Access("/tmp/blublublu", F_OK));
- // Not whitelisted target path
- EXPECT_EQ(-EACCES, Link("/tmp/blublu", "/tmp/nope"));
- EXPECT_EQ(0, unlink("/tmp/blublublu"));
- EXPECT_EQ(0, unlink("/tmp/blublu"));
-
- PrePostTestCleanup();
-}
-
-TEST_F(SandboxBrokerTest, Symlink)
-{
- PrePostTestCleanup();
-
- int fd = Open("/tmp/blublu", O_WRONLY | O_CREAT);
- ASSERT_GE(fd, 0) << "Opening /tmp/blublu for writing failed.";
- close(fd);
- ASSERT_EQ(0, Symlink("/tmp/blublu", "/tmp/blublublu"));
- EXPECT_EQ(0, Access("/tmp/blublublu", F_OK));
- statstruct aStat;
- ASSERT_EQ(0, lstatsyscall("/tmp/blublublu", &aStat));
- EXPECT_EQ((mode_t)S_IFLNK, aStat.st_mode & S_IFMT);
- // Not whitelisted target path
- EXPECT_EQ(-EACCES, Symlink("/tmp/blublu", "/tmp/nope"));
- EXPECT_EQ(0, unlink("/tmp/blublublu"));
- EXPECT_EQ(0, unlink("/tmp/blublu"));
-
- PrePostTestCleanup();
-}
-
-TEST_F(SandboxBrokerTest, Mkdir)
-{
- PrePostTestCleanup();
-
- ASSERT_EQ(0, mkdir("/tmp/blublu", 0600))
- << "Creating dir /tmp/blublu failed.";
- EXPECT_EQ(0, Access("/tmp/blublu", F_OK));
- // Not whitelisted target path
- EXPECT_EQ(-EACCES, Mkdir("/tmp/nope", 0600))
- << "Creating dir without MAY_CREATE succeed.";
- EXPECT_EQ(0, rmdir("/tmp/blublu"));
-
- PrePostTestCleanup();
-}
-
-TEST_F(SandboxBrokerTest, Rename)
-{
- PrePostTestCleanup();
-
- ASSERT_EQ(0, mkdir("/tmp/blublu", 0600))
- << "Creating dir /tmp/blublu failed.";
- EXPECT_EQ(0, Access("/tmp/blublu", F_OK));
- ASSERT_EQ(0, Rename("/tmp/blublu", "/tmp/blublublu"));
- EXPECT_EQ(0, Access("/tmp/blublublu", F_OK));
- EXPECT_EQ(-ENOENT , Access("/tmp/blublu", F_OK));
- // Not whitelisted target path
- EXPECT_EQ(-EACCES, Rename("/tmp/blublublu", "/tmp/nope"))
- << "Renaming dir without write access succeed.";
- EXPECT_EQ(0, rmdir("/tmp/blublublu"));
-
- PrePostTestCleanup();
-}
-
-TEST_F(SandboxBrokerTest, Rmdir)
-{
- PrePostTestCleanup();
-
- ASSERT_EQ(0, mkdir("/tmp/blublu", 0600))
- << "Creating dir /tmp/blublu failed.";
- EXPECT_EQ(0, Access("/tmp/blublu", F_OK));
- ASSERT_EQ(0, Rmdir("/tmp/blublu"));
- EXPECT_EQ(-ENOENT, Access("/tmp/blublu", F_OK));
- // Bypass sandbox to create a non-deletable dir
- ASSERT_EQ(0, mkdir("/tmp/nope", 0600));
- EXPECT_EQ(-EACCES, Rmdir("/tmp/nope"));
-
- PrePostTestCleanup();
-}
-
-TEST_F(SandboxBrokerTest, Unlink)
-{
- PrePostTestCleanup();
-
- int fd = Open("/tmp/blublu", O_WRONLY | O_CREAT);
- ASSERT_GE(fd, 0) << "Opening /tmp/blublu for writing failed.";
- close(fd);
- EXPECT_EQ(0, Access("/tmp/blublu", F_OK));
- EXPECT_EQ(0, Unlink("/tmp/blublu"));
- EXPECT_EQ(-ENOENT , Access("/tmp/blublu", F_OK));
- // Bypass sandbox to write a non-deletable file
- fd = open("/tmp/nope", O_WRONLY | O_CREAT, 0600);
- ASSERT_GE(fd, 0) << "Opening /tmp/nope for writing failed.";
- close(fd);
- EXPECT_EQ(-EACCES, Unlink("/tmp/nope"));
-
- PrePostTestCleanup();
-}
-
-TEST_F(SandboxBrokerTest, Readlink)
-{
- PrePostTestCleanup();
-
- int fd = Open("/tmp/blublu", O_WRONLY | O_CREAT);
- ASSERT_GE(fd, 0) << "Opening /tmp/blublu for writing failed.";
- close(fd);
- ASSERT_EQ(0, Symlink("/tmp/blublu", "/tmp/blublublu"));
- EXPECT_EQ(0, Access("/tmp/blublublu", F_OK));
- char linkBuff[256];
- EXPECT_EQ(11, Readlink("/tmp/blublublu", linkBuff, sizeof(linkBuff)));
- linkBuff[11] = '\0';
- EXPECT_EQ(0, strcmp(linkBuff, "/tmp/blublu"));
-
- PrePostTestCleanup();
-}
-
-TEST_F(SandboxBrokerTest, MultiThreadOpen) {
- RunOnManyThreads<SandboxBrokerTest,
- &SandboxBrokerTest::MultiThreadOpenWorker>();
-}
-void SandboxBrokerTest::MultiThreadOpenWorker() {
- static const int kNumLoops = 10000;
-
- for (int i = 1; i <= kNumLoops; ++i) {
- int nullfd = Open("/dev/null", O_RDONLY);
- int zerofd = Open("/dev/zero", O_RDONLY);
- ASSERT_GE(nullfd, 0) << "Loop " << i << "/" << kNumLoops;
- ASSERT_GE(zerofd, 0) << "Loop " << i << "/" << kNumLoops;
- char c;
- ASSERT_EQ(0, read(nullfd, &c, 1)) << "Loop " << i << "/" << kNumLoops;
- ASSERT_EQ(1, read(zerofd, &c, 1)) << "Loop " << i << "/" << kNumLoops;
- ASSERT_EQ('\0', c) << "Loop " << i << "/" << kNumLoops;
- close(nullfd);
- close(zerofd);
- }
-}
-
-TEST_F(SandboxBrokerTest, MultiThreadStat) {
- RunOnManyThreads<SandboxBrokerTest,
- &SandboxBrokerTest::MultiThreadStatWorker>();
-}
-void SandboxBrokerTest::MultiThreadStatWorker() {
- static const int kNumLoops = 7500;
- statstruct nullStat, zeroStat, selfStat;
- dev_t realNullDev, realZeroDev;
- ino_t realSelfInode;
-
- ASSERT_EQ(0, statsyscall("/dev/null", &nullStat)) << "Shouldn't ever fail!";
- ASSERT_EQ(0, statsyscall("/dev/zero", &zeroStat)) << "Shouldn't ever fail!";
- ASSERT_EQ(0, lstatsyscall("/proc/self", &selfStat)) << "Shouldn't ever fail!";
- ASSERT_TRUE(S_ISLNK(selfStat.st_mode)) << "Shouldn't ever fail!";
- realNullDev = nullStat.st_rdev;
- realZeroDev = zeroStat.st_rdev;
- realSelfInode = selfStat.st_ino;
- for (int i = 1; i <= kNumLoops; ++i) {
- ASSERT_EQ(0, Stat("/dev/null", &nullStat))
- << "Loop " << i << "/" << kNumLoops;
- ASSERT_EQ(0, Stat("/dev/zero", &zeroStat))
- << "Loop " << i << "/" << kNumLoops;
- ASSERT_EQ(0, LStat("/proc/self", &selfStat))
- << "Loop " << i << "/" << kNumLoops;
-
- ASSERT_EQ(realNullDev, nullStat.st_rdev)
- << "Loop " << i << "/" << kNumLoops;
- ASSERT_EQ(realZeroDev, zeroStat.st_rdev)
- << "Loop " << i << "/" << kNumLoops;
- ASSERT_TRUE(S_ISLNK(selfStat.st_mode))
- << "Loop " << i << "/" << kNumLoops;
- ASSERT_EQ(realSelfInode, selfStat.st_ino)
- << "Loop " << i << "/" << kNumLoops;
- }
-}
-
-#if 0
-class SandboxBrokerSigStress : public SandboxBrokerTest
-{
- int mSigNum;
- struct sigaction mOldAction;
- Atomic<void*> mVoidPtr;
-
- static void SigHandler(int aSigNum, siginfo_t* aSigInfo, void *aCtx) {
- ASSERT_EQ(SI_QUEUE, aSigInfo->si_code);
- SandboxBrokerSigStress* that =
- static_cast<SandboxBrokerSigStress*>(aSigInfo->si_value.sival_ptr);
- ASSERT_EQ(that->mSigNum, aSigNum);
- that->DoSomething();
- }
-
-protected:
- Atomic<int> mTestIter;
- sem_t mSemaphore;
-
- void SignalThread(pthread_t aThread) {
- union sigval sv;
- sv.sival_ptr = this;
- ASSERT_NE(0, mSigNum);
- ASSERT_EQ(0, pthread_sigqueue(aThread, mSigNum, sv));
- }
-
- virtual void SetUp() {
- ASSERT_EQ(0, sem_init(&mSemaphore, 0, 0));
- mVoidPtr = nullptr;
- mSigNum = 0;
- for (int sigNum = SIGRTMIN; sigNum < SIGRTMAX; ++sigNum) {
- ASSERT_EQ(0, sigaction(sigNum, nullptr, &mOldAction));
- if ((mOldAction.sa_flags & SA_SIGINFO) == 0 &&
- mOldAction.sa_handler == SIG_DFL) {
- struct sigaction newAction;
- PodZero(&newAction);
- newAction.sa_flags = SA_SIGINFO;
- newAction.sa_sigaction = SigHandler;
- ASSERT_EQ(0, sigaction(sigNum, &newAction, nullptr));
- mSigNum = sigNum;
- break;
- }
- }
- ASSERT_NE(mSigNum, 0);
-
- SandboxBrokerTest::SetUp();
- }
-
- virtual void TearDown() {
- ASSERT_EQ(0, sem_destroy(&mSemaphore));
- if (mSigNum != 0) {
- ASSERT_EQ(0, sigaction(mSigNum, &mOldAction, nullptr));
- }
- if (mVoidPtr) {
- free(mVoidPtr);
- }
- }
-
- void DoSomething();
-
-public:
- void MallocWorker();
- void FreeWorker();
-};
-
-TEST_F(SandboxBrokerSigStress, StressTest)
-{
- static const int kIters = 6250;
- static const int kNsecPerIterPerIter = 4;
- struct timespec delay = { 0, 0 };
- pthread_t threads[2];
-
- mTestIter = kIters;
-
- StartThread<SandboxBrokerSigStress,
- &SandboxBrokerSigStress::MallocWorker>(&threads[0]);
- StartThread<SandboxBrokerSigStress,
- &SandboxBrokerSigStress::FreeWorker>(&threads[1]);
-
- for (int i = kIters; i > 0; --i) {
- SignalThread(threads[i % 2]);
- while (sem_wait(&mSemaphore) == -1 && errno == EINTR)
- /* retry */;
- ASSERT_EQ(i - 1, mTestIter);
- delay.tv_nsec += kNsecPerIterPerIter;
- struct timespec req = delay, rem;
- while (nanosleep(&req, &rem) == -1 && errno == EINTR) {
- req = rem;
- }
- }
- void *retval;
- ASSERT_EQ(0, pthread_join(threads[0], &retval));
- ASSERT_EQ(nullptr, retval);
- ASSERT_EQ(0, pthread_join(threads[1], &retval));
- ASSERT_EQ(nullptr, retval);
-}
-
-void
-SandboxBrokerSigStress::MallocWorker()
-{
- static const size_t kSize = 64;
-
- void* mem = malloc(kSize);
- while (mTestIter > 0) {
- ASSERT_NE(mem, mVoidPtr);
- mem = mVoidPtr.exchange(mem);
- if (mem) {
- sched_yield();
- } else {
- mem = malloc(kSize);
- }
- }
- if (mem) {
- free(mem);
- }
-}
-
-void
-SandboxBrokerSigStress::FreeWorker()
-{
- void *mem = nullptr;
- while (mTestIter > 0) {
- mem = mVoidPtr.exchange(mem);
- if (mem) {
- free(mem);
- mem = nullptr;
- } else {
- sched_yield();
- }
- }
-}
-
-void
-SandboxBrokerSigStress::DoSomething()
-{
- int fd;
- char c;
- struct stat st;
-
- //fprintf(stderr, "Don't try this at home: %d\n", static_cast<int>(mTestIter));
- switch (mTestIter % 5) {
- case 0:
- fd = Open("/dev/null", O_RDWR);
- ASSERT_GE(fd, 0);
- ASSERT_EQ(0, read(fd, &c, 1));
- close(fd);
- break;
- case 1:
- fd = Open("/dev/zero", O_RDONLY);
- ASSERT_GE(fd, 0);
- ASSERT_EQ(1, read(fd, &c, 1));
- ASSERT_EQ('\0', c);
- close(fd);
- break;
- case 2:
- ASSERT_EQ(0, Access("/dev/null", W_OK));
- break;
- case 3:
- ASSERT_EQ(0, Stat("/proc/self", &st));
- ASSERT_TRUE(S_ISDIR(st.st_mode));
- break;
- case 4:
- ASSERT_EQ(0, LStat("/proc/self", &st));
- ASSERT_TRUE(S_ISLNK(st.st_mode));
- break;
- }
- mTestIter--;
- sem_post(&mSemaphore);
-}
-#endif
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/gtest/TestBrokerPolicy.cpp b/security/sandbox/linux/gtest/TestBrokerPolicy.cpp
deleted file mode 100644
index 474458446..000000000
--- a/security/sandbox/linux/gtest/TestBrokerPolicy.cpp
+++ /dev/null
@@ -1,98 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "gtest/gtest.h"
-
-#include "broker/SandboxBroker.h"
-
-namespace mozilla {
-
-static const int MAY_ACCESS = SandboxBroker::MAY_ACCESS;
-static const int MAY_READ = SandboxBroker::MAY_READ;
-static const int MAY_WRITE = SandboxBroker::MAY_WRITE;
-//static const int MAY_CREATE = SandboxBroker::MAY_CREATE;
-//static const int RECURSIVE = SandboxBroker::RECURSIVE;
-static const auto AddAlways = SandboxBroker::Policy::AddAlways;
-
-TEST(SandboxBrokerPolicyLookup, Simple)
-{
- SandboxBroker::Policy p;
- p.AddPath(MAY_READ, "/dev/urandom", AddAlways);
-
- EXPECT_NE(0, p.Lookup("/dev/urandom")) << "Added path not found.";
- EXPECT_EQ(MAY_ACCESS | MAY_READ, p.Lookup("/dev/urandom"))
- << "Added path found with wrong perms.";
- EXPECT_EQ(0, p.Lookup("/etc/passwd")) << "Non-added path was found.";
-}
-
-TEST(SandboxBrokerPolicyLookup, CopyCtor)
-{
- SandboxBroker::Policy psrc;
- psrc.AddPath(MAY_READ | MAY_WRITE, "/dev/null", AddAlways);
- SandboxBroker::Policy pdst(psrc);
- psrc.AddPath(MAY_READ, "/dev/zero", AddAlways);
- pdst.AddPath(MAY_READ, "/dev/urandom", AddAlways);
-
- EXPECT_EQ(MAY_ACCESS | MAY_READ | MAY_WRITE, psrc.Lookup("/dev/null"))
- << "Common path absent in copy source.";
- EXPECT_EQ(MAY_ACCESS | MAY_READ | MAY_WRITE, pdst.Lookup("/dev/null"))
- << "Common path absent in copy destination.";
-
- EXPECT_EQ(MAY_ACCESS | MAY_READ, psrc.Lookup("/dev/zero"))
- << "Source-only path is absent.";
- EXPECT_EQ(0, pdst.Lookup("/dev/zero"))
- << "Source-only path is present in copy destination.";
-
- EXPECT_EQ(0, psrc.Lookup("/dev/urandom"))
- << "Destination-only path is present in copy source.";
- EXPECT_EQ(MAY_ACCESS | MAY_READ, pdst.Lookup("/dev/urandom"))
- << "Destination-only path is absent.";
-
- EXPECT_EQ(0, psrc.Lookup("/etc/passwd"))
- << "Non-added path is present in copy source.";
- EXPECT_EQ(0, pdst.Lookup("/etc/passwd"))
- << "Non-added path is present in copy source.";
-}
-
-TEST(SandboxBrokerPolicyLookup, Recursive)
-{
- SandboxBroker::Policy psrc;
- psrc.AddPath(MAY_READ | MAY_WRITE, "/dev/null", AddAlways);
- psrc.AddPath(MAY_READ, "/dev/zero", AddAlways);
- psrc.AddPath(MAY_READ, "/dev/urandom", AddAlways);
-
- EXPECT_EQ(MAY_ACCESS | MAY_READ | MAY_WRITE, psrc.Lookup("/dev/null"))
- << "Basic path is present.";
- EXPECT_EQ(MAY_ACCESS | MAY_READ, psrc.Lookup("/dev/zero"))
- << "Basic path has no extra flags";
-
- psrc.AddDir(MAY_READ | MAY_WRITE, "/dev/");
-
- EXPECT_EQ(MAY_ACCESS | MAY_READ | MAY_WRITE, psrc.Lookup("/dev/random"))
- << "Permission via recursive dir.";
- EXPECT_EQ(MAY_ACCESS | MAY_READ | MAY_WRITE, psrc.Lookup("/dev/sd/0"))
- << "Permission via recursive dir, nested deeper";
- EXPECT_EQ(0, psrc.Lookup("/dev/sd/0/"))
- << "Invalid path format.";
- EXPECT_EQ(0, psrc.Lookup("/usr/dev/sd"))
- << "Match must be a prefix.";
-
- psrc.AddDir(MAY_READ, "/dev/sd/");
- EXPECT_EQ(MAY_ACCESS | MAY_READ | MAY_WRITE, psrc.Lookup("/dev/sd/0"))
- << "Extra permissions from parent path granted.";
- EXPECT_EQ(0, psrc.Lookup("/dev/.."))
- << "Refuse attempted subdir escape.";
-
- psrc.AddDir(MAY_READ, "/tmp");
- EXPECT_EQ(MAY_ACCESS | MAY_READ, psrc.Lookup("/tmp/good/a"))
- << "Check whether dir add with no trailing / was sucessful.";
- EXPECT_EQ(0, psrc.Lookup("/tmp_good_but_bad"))
- << "Enforce terminator on directories.";
- EXPECT_EQ(0, psrc.Lookup("/tmp/."))
- << "Do not allow opening a directory handle.";
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/gtest/TestSandboxUtil.cpp b/security/sandbox/linux/gtest/TestSandboxUtil.cpp
deleted file mode 100644
index cd29813f9..000000000
--- a/security/sandbox/linux/gtest/TestSandboxUtil.cpp
+++ /dev/null
@@ -1,44 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this file,
- * You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "gtest/gtest.h"
-
-#include "SandboxUtil.h"
-#include "SandboxInfo.h"
-
-#include <pthread.h>
-
-namespace mozilla {
-
-// In order to test IsSingleThreaded when the test-running process is
-// single-threaded, before assorted XPCOM components have created many
-// additional threads, a static initializer is used.
-
-namespace {
-
-struct EarlyTest {
- bool mWasSingleThreaded;
-
- EarlyTest()
- : mWasSingleThreaded(IsSingleThreaded())
- { }
-};
-
-static const EarlyTest gEarlyTest;
-
-} // namespace
-
-TEST(SandboxUtil, IsSingleThreaded)
-{
- // If the test system if affected by kUnexpectedThreads, (1) there's
- // no point in doing this test, and (2) if that happens on Mozilla
- // CI then burning the tree is an appropriate response.
- ASSERT_FALSE(SandboxInfo::Get().Test(SandboxInfo::kUnexpectedThreads));
- EXPECT_TRUE(gEarlyTest.mWasSingleThreaded);
- EXPECT_FALSE(IsSingleThreaded());
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/linux/gtest/moz.build b/security/sandbox/linux/gtest/moz.build
deleted file mode 100644
index 7aecc7fe3..000000000
--- a/security/sandbox/linux/gtest/moz.build
+++ /dev/null
@@ -1,27 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-Library('sandboxtest')
-
-SOURCES = [
- '../SandboxBrokerClient.cpp',
- '../SandboxUtil.cpp',
- 'TestBroker.cpp',
- 'TestBrokerPolicy.cpp',
- 'TestSandboxUtil.cpp',
-]
-
-LOCAL_INCLUDES += [
- '/security/sandbox/linux',
-]
-
-include('/ipc/chromium/chromium-config.mozbuild')
-
-LOCAL_INCLUDES += [
- '/security/sandbox/chromium',
-]
-
-FINAL_LIBRARY = 'xul-gtest'
diff --git a/security/sandbox/linux/moz.build b/security/sandbox/linux/moz.build
deleted file mode 100644
index 4273da955..000000000
--- a/security/sandbox/linux/moz.build
+++ /dev/null
@@ -1,116 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SharedLibrary('mozsandbox')
-
-# Depend on mozglue if and only if it's a shared library;
-# this needs to match mozglue/build/moz.build:
-if CONFIG['OS_TARGET'] == 'Android':
- USE_LIBS += [
- 'mozglue',
- ]
-
-EXPORTS.mozilla += [
- 'Sandbox.h',
- 'SandboxInfo.h',
-]
-
-SOURCES += [
- '../chromium-shim/base/logging.cpp',
- '../chromium/base/at_exit.cc',
- '../chromium/base/callback_internal.cc',
- '../chromium/base/lazy_instance.cc',
- '../chromium/base/memory/ref_counted.cc',
- '../chromium/base/memory/singleton.cc',
- '../chromium/base/strings/safe_sprintf.cc',
- '../chromium/base/strings/string16.cc',
- '../chromium/base/strings/string_piece.cc',
- '../chromium/base/strings/string_util.cc',
- '../chromium/base/strings/string_util_constants.cc',
- '../chromium/base/strings/stringprintf.cc',
- '../chromium/base/strings/utf_string_conversion_utils.cc',
- '../chromium/base/strings/utf_string_conversions.cc',
- '../chromium/base/synchronization/condition_variable_posix.cc',
- '../chromium/base/synchronization/lock.cc',
- '../chromium/base/synchronization/lock_impl_posix.cc',
- '../chromium/base/synchronization/waitable_event_posix.cc',
- '../chromium/base/third_party/icu/icu_utf.cc',
- '../chromium/base/threading/platform_thread_internal_posix.cc',
- '../chromium/base/threading/platform_thread_linux.cc',
- '../chromium/base/threading/platform_thread_posix.cc',
- '../chromium/base/threading/thread_collision_warner.cc',
- '../chromium/base/threading/thread_id_name_manager.cc',
- '../chromium/base/threading/thread_local_posix.cc',
- '../chromium/base/threading/thread_restrictions.cc',
- '../chromium/base/time/time.cc',
- '../chromium/base/time/time_posix.cc',
- '../chromium/sandbox/linux/bpf_dsl/bpf_dsl.cc',
- '../chromium/sandbox/linux/bpf_dsl/codegen.cc',
- '../chromium/sandbox/linux/bpf_dsl/dump_bpf.cc',
- '../chromium/sandbox/linux/bpf_dsl/policy.cc',
- '../chromium/sandbox/linux/bpf_dsl/policy_compiler.cc',
- '../chromium/sandbox/linux/bpf_dsl/syscall_set.cc',
- '../chromium/sandbox/linux/seccomp-bpf/die.cc',
- '../chromium/sandbox/linux/seccomp-bpf/syscall.cc',
- '../chromium/sandbox/linux/seccomp-bpf/trap.cc',
- '../chromium/sandbox/linux/services/syscall_wrappers.cc',
- 'broker/SandboxBrokerCommon.cpp',
- 'LinuxCapabilities.cpp',
- 'Sandbox.cpp',
- 'SandboxBrokerClient.cpp',
- 'SandboxChroot.cpp',
- 'SandboxFilter.cpp',
- 'SandboxFilterUtil.cpp',
- 'SandboxHooks.cpp',
- 'SandboxInfo.cpp',
- 'SandboxLogging.cpp',
- 'SandboxUtil.cpp',
-]
-
-# This copy of SafeSPrintf doesn't need to avoid the Chromium logging
-# dependency like the one in libxul does, but this way the behavior is
-# consistent. See also the comment in SandboxLogging.h.
-SOURCES['../chromium/base/strings/safe_sprintf.cc'].flags += ['-DNDEBUG']
-
-# Keep clang and GCC from warning about intentional 'switch' fallthrough in icu_utf.cc:
-if CONFIG['CLANG_CXX'] or CONFIG['GNU_CXX']:
- SOURCES['../chromium/base/third_party/icu/icu_utf.cc'].flags += ['-Wno-implicit-fallthrough']
-
-if CONFIG['GNU_CXX']:
- CXXFLAGS += ['-Wno-shadow']
- SOURCES['../chromium/sandbox/linux/services/syscall_wrappers.cc'].flags += [
- '-Wno-empty-body',
- ]
-
-# gcc lto likes to put the top level asm in syscall.cc in a different partition
-# from the function using it which breaks the build. Work around that by
-# forcing there to be only one partition.
-if '-flto' in CONFIG['OS_CXXFLAGS'] and not CONFIG['CLANG_CXX']:
- LDFLAGS += ['--param lto-partitions=1']
-
-DEFINES['NS_NO_XPCOM'] = True
-DISABLE_STL_WRAPPING = True
-
-LOCAL_INCLUDES += ['/security/sandbox/linux']
-LOCAL_INCLUDES += ['/security/sandbox/chromium-shim']
-LOCAL_INCLUDES += ['/security/sandbox/chromium']
-LOCAL_INCLUDES += ['/nsprpub']
-
-
-if CONFIG['OS_TARGET'] != 'Android':
- # Needed for clock_gettime with glibc < 2.17:
- OS_LIBS += [
- 'rt',
- ]
-
-DIRS += [
- 'broker',
- 'glue',
-]
-
-TEST_DIRS += [
- 'gtest',
-]
diff --git a/security/sandbox/mac/Sandbox.h b/security/sandbox/mac/Sandbox.h
deleted file mode 100644
index b2e1a7ec5..000000000
--- a/security/sandbox/mac/Sandbox.h
+++ /dev/null
@@ -1,65 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_Sandbox_h
-#define mozilla_Sandbox_h
-
-#include <string>
-
-enum MacSandboxType {
- MacSandboxType_Default = 0,
- MacSandboxType_Plugin,
- MacSandboxType_Content,
- MacSandboxType_Invalid
-};
-
-enum MacSandboxPluginType {
- MacSandboxPluginType_Default = 0,
- MacSandboxPluginType_GMPlugin_Default, // Any Gecko Media Plugin
- MacSandboxPluginType_GMPlugin_OpenH264, // Gecko Media Plugin, OpenH264
- MacSandboxPluginType_GMPlugin_EME, // Gecko Media Plugin, EME
- MacSandboxPluginType_GMPlugin_EME_Widevine, // Gecko Media Plugin, Widevine
- MacSandboxPluginType_Invalid
-};
-
-typedef struct _MacSandboxPluginInfo {
- _MacSandboxPluginInfo()
- : type(MacSandboxPluginType_Default) {}
- _MacSandboxPluginInfo(const struct _MacSandboxPluginInfo& other)
- : type(other.type), pluginPath(other.pluginPath),
- pluginBinaryPath(other.pluginBinaryPath) {}
- MacSandboxPluginType type;
- std::string pluginPath;
- std::string pluginBinaryPath;
-} MacSandboxPluginInfo;
-
-typedef struct _MacSandboxInfo {
- _MacSandboxInfo()
- : type(MacSandboxType_Default), level(0) {}
- _MacSandboxInfo(const struct _MacSandboxInfo& other)
- : type(other.type), level(other.level),
- hasSandboxedProfile(other.hasSandboxedProfile),
- pluginInfo(other.pluginInfo),
- appPath(other.appPath), appBinaryPath(other.appBinaryPath),
- appDir(other.appDir), appTempDir(other.appTempDir),
- profileDir(other.profileDir) {}
- MacSandboxType type;
- int32_t level;
- bool hasSandboxedProfile;
- MacSandboxPluginInfo pluginInfo;
- std::string appPath;
- std::string appBinaryPath;
- std::string appDir;
- std::string appTempDir;
- std::string profileDir;
-} MacSandboxInfo;
-
-namespace mozilla {
-
-bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage);
-
-} // namespace mozilla
-
-#endif // mozilla_Sandbox_h
diff --git a/security/sandbox/mac/Sandbox.mm b/security/sandbox/mac/Sandbox.mm
deleted file mode 100644
index ae1612ffa..000000000
--- a/security/sandbox/mac/Sandbox.mm
+++ /dev/null
@@ -1,489 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-// The Mac sandbox module is a static library (a Library in moz.build terms)
-// that can be linked into any binary (for example plugin-container or XUL).
-// It must not have dependencies on any other Mozilla module. This is why,
-// for example, it has its own OS X version detection code, rather than
-// linking to nsCocoaFeatures.mm in XUL.
-
-#include "Sandbox.h"
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <CoreFoundation/CoreFoundation.h>
-
-#include "mozilla/Assertions.h"
-
-// XXX There are currently problems with the /usr/include/sandbox.h file on
-// some/all of the Macs in Mozilla's build system. For the time being (until
-// this problem is resolved), we refer directly to what we need from it,
-// rather than including it here.
-extern "C" int sandbox_init(const char *profile, uint64_t flags, char **errorbuf);
-extern "C" void sandbox_free_error(char *errorbuf);
-
-#define MAC_OS_X_VERSION_10_0_HEX 0x00001000
-#define MAC_OS_X_VERSION_10_6_HEX 0x00001060
-#define MAC_OS_X_VERSION_10_7_HEX 0x00001070
-#define MAC_OS_X_VERSION_10_8_HEX 0x00001080
-#define MAC_OS_X_VERSION_10_9_HEX 0x00001090
-#define MAC_OS_X_VERSION_10_10_HEX 0x000010A0
-
-// Note about "major", "minor" and "bugfix" in the following code:
-//
-// The code decomposes an OS X version number into these components, and in
-// doing so follows Apple's terminology in Gestalt.h. But this is very
-// misleading, because in other contexts Apple uses the "minor" component of
-// an OS X version number to indicate a "major" release (for example the "9"
-// in OS X 10.9.5), and the "bugfix" component to indicate a "minor" release
-// (for example the "5" in OS X 10.9.5).
-
-class OSXVersion {
-public:
- static int32_t OSXVersionMinor();
-
-private:
- static void GetSystemVersion(int32_t& aMajor, int32_t& aMinor, int32_t& aBugFix);
- static int32_t GetVersionNumber();
- static int32_t mOSXVersion;
-};
-
-int32_t OSXVersion::mOSXVersion = -1;
-
-int32_t OSXVersion::OSXVersionMinor()
-{
- return (GetVersionNumber() & 0xF0) >> 4;
-}
-
-void
-OSXVersion::GetSystemVersion(int32_t& aMajor, int32_t& aMinor, int32_t& aBugFix)
-{
- SInt32 major = 0, minor = 0, bugfix = 0;
-
- CFURLRef url =
- CFURLCreateWithString(kCFAllocatorDefault,
- CFSTR("file:///System/Library/CoreServices/SystemVersion.plist"),
- NULL);
- CFReadStreamRef stream =
- CFReadStreamCreateWithFile(kCFAllocatorDefault, url);
- CFReadStreamOpen(stream);
- CFDictionaryRef sysVersionPlist = (CFDictionaryRef)
- CFPropertyListCreateWithStream(kCFAllocatorDefault,
- stream, 0, kCFPropertyListImmutable,
- NULL, NULL);
- CFReadStreamClose(stream);
- CFRelease(stream);
- CFRelease(url);
-
- CFStringRef versionString = (CFStringRef)
- CFDictionaryGetValue(sysVersionPlist, CFSTR("ProductVersion"));
- CFArrayRef versions =
- CFStringCreateArrayBySeparatingStrings(kCFAllocatorDefault,
- versionString, CFSTR("."));
- CFIndex count = CFArrayGetCount(versions);
- if (count > 0) {
- CFStringRef component = (CFStringRef) CFArrayGetValueAtIndex(versions, 0);
- major = CFStringGetIntValue(component);
- if (count > 1) {
- component = (CFStringRef) CFArrayGetValueAtIndex(versions, 1);
- minor = CFStringGetIntValue(component);
- if (count > 2) {
- component = (CFStringRef) CFArrayGetValueAtIndex(versions, 2);
- bugfix = CFStringGetIntValue(component);
- }
- }
- }
- CFRelease(sysVersionPlist);
- CFRelease(versions);
-
- // If 'major' isn't what we expect, assume the oldest version of OS X we
- // currently support (OS X 10.6).
- if (major != 10) {
- aMajor = 10; aMinor = 6; aBugFix = 0;
- } else {
- aMajor = major; aMinor = minor; aBugFix = bugfix;
- }
-}
-
-int32_t
-OSXVersion::GetVersionNumber()
-{
- if (mOSXVersion == -1) {
- int32_t major, minor, bugfix;
- GetSystemVersion(major, minor, bugfix);
- mOSXVersion = MAC_OS_X_VERSION_10_0_HEX + (minor << 4) + bugfix;
- }
- return mOSXVersion;
-}
-
-namespace mozilla {
-
-static const char pluginSandboxRules[] =
- "(version 1)\n"
- "(deny default)\n"
- "(allow signal (target self))\n"
- "(allow sysctl-read)\n"
- "(allow iokit-open (iokit-user-client-class \"IOHIDParamUserClient\"))\n"
- "(allow mach-lookup\n"
- " (global-name \"com.apple.cfprefsd.agent\")\n"
- " (global-name \"com.apple.cfprefsd.daemon\")\n"
- " (global-name \"com.apple.system.opendirectoryd.libinfo\")\n"
- " (global-name \"com.apple.system.logger\")\n"
- " (global-name \"com.apple.ls.boxd\"))\n"
- "(allow file-read*\n"
- " (regex #\"^/etc$\")\n"
- " (regex #\"^/dev/u?random$\")\n"
- " (literal \"/usr/share/icu/icudt51l.dat\")\n"
- " (regex #\"^/System/Library/Displays/Overrides/*\")\n"
- " (regex #\"^/System/Library/CoreServices/CoreTypes.bundle/*\")\n"
- " (regex #\"^/System/Library/PrivateFrameworks/*\")\n"
- " (regex #\"^/usr/lib/libstdc\\+\\+\\..*dylib$\")\n"
- " (literal \"%s\")\n"
- " (literal \"%s\")\n"
- " (literal \"%s\"))\n";
-
-static const char widevinePluginSandboxRulesAddend[] =
- "(allow mach-lookup (global-name \"com.apple.windowserver.active\"))\n";
-
-static const char contentSandboxRules[] =
- "(version 1)\n"
- "\n"
- "(define sandbox-level %d)\n"
- "(define macosMinorVersion %d)\n"
- "(define appPath \"%s\")\n"
- "(define appBinaryPath \"%s\")\n"
- "(define appDir \"%s\")\n"
- "(define appTempDir \"%s\")\n"
- "(define hasProfileDir %d)\n"
- "(define profileDir \"%s\")\n"
- "(define home-path \"%s\")\n"
- "\n"
- "; Allow read access to standard system paths.\n"
- "(allow file-read*\n"
- " (require-all (file-mode #o0004)\n"
- " (require-any (subpath \"/Library/Filesystems/NetFSPlugins\")\n"
- " (subpath \"/System\")\n"
- " (subpath \"/private/var/db/dyld\")\n"
- " (subpath \"/usr/lib\")\n"
- " (subpath \"/usr/share\"))))\n"
- "\n"
- "(allow file-read-metadata\n"
- " (literal \"/etc\")\n"
- " (literal \"/tmp\")\n"
- " (literal \"/var\")\n"
- " (literal \"/private/etc/localtime\"))\n"
- "\n"
- "; Allow read access to standard special files.\n"
- "(allow file-read*\n"
- " (literal \"/dev/autofs_nowait\")\n"
- " (literal \"/dev/random\")\n"
- " (literal \"/dev/urandom\"))\n"
- "\n"
- "(allow file-read*\n"
- " file-write-data\n"
- " (literal \"/dev/null\")\n"
- " (literal \"/dev/zero\"))\n"
- "\n"
- "(allow file-read*\n"
- " file-write-data\n"
- " file-ioctl\n"
- " (literal \"/dev/dtracehelper\"))\n"
- "\n"
- "; Used to read hw.ncpu, hw.physicalcpu_max, kern.ostype, and others\n"
- "(allow sysctl-read)\n"
- "\n"
- "(begin\n"
- " (deny default)\n"
- " (debug deny)\n"
- "\n"
- " (define resolving-literal literal)\n"
- " (define resolving-subpath subpath)\n"
- " (define resolving-regex regex)\n"
- "\n"
- " (define container-path appPath)\n"
- " (define appdir-path appDir)\n"
- " (define var-folders-re \"^/private/var/folders/[^/][^/]\")\n"
- " (define var-folders2-re (string-append var-folders-re \"/[^/]+/[^/]\"))\n"
- "\n"
- " (define (home-regex home-relative-regex)\n"
- " (resolving-regex (string-append \"^\" (regex-quote home-path) home-relative-regex)))\n"
- " (define (home-subpath home-relative-subpath)\n"
- " (resolving-subpath (string-append home-path home-relative-subpath)))\n"
- " (define (home-literal home-relative-literal)\n"
- " (resolving-literal (string-append home-path home-relative-literal)))\n"
- "\n"
- " (define (profile-subpath profile-relative-subpath)\n"
- " (resolving-subpath (string-append profileDir profile-relative-subpath)))\n"
- "\n"
- " (define (var-folders-regex var-folders-relative-regex)\n"
- " (resolving-regex (string-append var-folders-re var-folders-relative-regex)))\n"
- " (define (var-folders2-regex var-folders2-relative-regex)\n"
- " (resolving-regex (string-append var-folders2-re var-folders2-relative-regex)))\n"
- "\n"
- " (define (allow-shared-preferences-read domain)\n"
- " (begin\n"
- " (if (defined? `user-preference-read)\n"
- " (allow user-preference-read (preference-domain domain)))\n"
- " (allow file-read*\n"
- " (home-literal (string-append \"/Library/Preferences/\" domain \".plist\"))\n"
- " (home-regex (string-append \"/Library/Preferences/ByHost/\" (regex-quote domain) \"\\..*\\.plist$\")))\n"
- " ))\n"
- "\n"
- " (define (allow-shared-list domain)\n"
- " (allow file-read*\n"
- " (home-regex (string-append \"/Library/Preferences/\" (regex-quote domain)))))\n"
- "\n"
- " (allow ipc-posix-shm\n"
- " (ipc-posix-name-regex \"^/tmp/com.apple.csseed:\")\n"
- " (ipc-posix-name-regex \"^CFPBS:\")\n"
- " (ipc-posix-name-regex \"^AudioIO\"))\n"
- "\n"
- " (allow file-read-metadata\n"
- " (literal \"/home\")\n"
- " (literal \"/net\")\n"
- " (regex \"^/private/tmp/KSInstallAction\\.\")\n"
- " (var-folders-regex \"/\")\n"
- " (home-subpath \"/Library\"))\n"
- "\n"
- " (allow signal (target self))\n"
- " (allow job-creation (literal \"/Library/CoreMediaIO/Plug-Ins/DAL\"))\n"
- " (allow iokit-set-properties (iokit-property \"IOAudioControlValue\"))\n"
- "\n"
- " (allow mach-lookup\n"
- " (global-name \"com.apple.coreservices.launchservicesd\")\n"
- " (global-name \"com.apple.coreservices.appleevents\")\n"
- " (global-name \"com.apple.pasteboard.1\")\n"
- " (global-name \"com.apple.window_proxies\")\n"
- " (global-name \"com.apple.windowserver.active\")\n"
- " (global-name \"com.apple.audio.coreaudiod\")\n"
- " (global-name \"com.apple.audio.audiohald\")\n"
- " (global-name \"com.apple.PowerManagement.control\")\n"
- " (global-name \"com.apple.cmio.VDCAssistant\")\n"
- " (global-name \"com.apple.SystemConfiguration.configd\")\n"
- " (global-name \"com.apple.iconservices\")\n"
- " (global-name \"com.apple.cookied\")\n"
- " (global-name \"com.apple.cache_delete\")\n"
- " (global-name \"com.apple.pluginkit.pkd\")\n"
- " (global-name \"com.apple.bird\")\n"
- " (global-name \"com.apple.ocspd\")\n"
- " (global-name \"com.apple.cmio.AppleCameraAssistant\")\n"
- " (global-name \"com.apple.DesktopServicesHelper\"))\n"
- "\n"
- "; bug 1312273\n"
- " (if (= macosMinorVersion 9)\n"
- " (allow mach-lookup (global-name \"com.apple.xpcd\")))\n"
- "\n"
- " (if (>= macosMinorVersion 13)\n"
- " (allow mach-lookup\n"
- " ; bug 1376163\n"
- " (global-name \"com.apple.audio.AudioComponentRegistrar\")\n"
- " ; bug 1392988\n"
- " (xpc-service-name \"com.apple.coremedia.videodecoder\")\n"
- " (xpc-service-name \"com.apple.coremedia.videoencoder\")))\n"
- "\n"
- " (allow iokit-open\n"
- " (iokit-user-client-class \"IOHIDParamUserClient\")\n"
- " (iokit-user-client-class \"IOAudioControlUserClient\")\n"
- " (iokit-user-client-class \"IOAudioEngineUserClient\")\n"
- " (iokit-user-client-class \"IGAccelDevice\")\n"
- " (iokit-user-client-class \"nvDevice\")\n"
- " (iokit-user-client-class \"nvSharedUserClient\")\n"
- " (iokit-user-client-class \"nvFermiGLContext\")\n"
- " (iokit-user-client-class \"IGAccelGLContext\")\n"
- " (iokit-user-client-class \"IGAccelSharedUserClient\")\n"
- " (iokit-user-client-class \"IGAccelVideoContextMain\")\n"
- " (iokit-user-client-class \"IGAccelVideoContextMedia\")\n"
- " (iokit-user-client-class \"IGAccelVideoContextVEBox\")\n"
- " (iokit-user-client-class \"RootDomainUserClient\")\n"
- " (iokit-user-client-class \"IOUSBDeviceUserClientV2\")\n"
- " (iokit-user-client-class \"IOUSBInterfaceUserClientV2\"))\n"
- "\n"
- "; depending on systems, the 1st, 2nd or both rules are necessary\n"
- " (allow-shared-preferences-read \"com.apple.HIToolbox\")\n"
- " (allow file-read-data (literal \"/Library/Preferences/com.apple.HIToolbox.plist\"))\n"
- "\n"
- " (allow-shared-preferences-read \"com.apple.ATS\")\n"
- " (allow file-read-data (literal \"/Library/Preferences/.GlobalPreferences.plist\"))\n"
- "\n"
- " (allow file-read*\n"
- " (subpath \"/Library/Fonts\")\n"
- " (subpath \"/Library/Audio/Plug-Ins\")\n"
- " (subpath \"/Library/CoreMediaIO/Plug-Ins/DAL\")\n"
- " (subpath \"/Library/Spelling\")\n"
- " (literal \"/\")\n"
- " (literal \"/private/tmp\")\n"
- " (literal \"/private/var/tmp\")\n"
- "\n"
- " (home-literal \"/.CFUserTextEncoding\")\n"
- " (home-literal \"/Library/Preferences/com.apple.DownloadAssessment.plist\")\n"
- " (home-subpath \"/Library/Colors\")\n"
- " (home-subpath \"/Library/Fonts\")\n"
- " (home-subpath \"/Library/FontCollections\")\n"
- " (home-subpath \"/Library/Keyboard Layouts\")\n"
- " (home-subpath \"/Library/Input Methods\")\n"
- " (home-subpath \"/Library/Spelling\")\n"
- "\n"
- " (subpath appdir-path)\n"
- "\n"
- " (literal appPath)\n"
- " (literal appBinaryPath))\n"
- "\n"
- " (allow-shared-list \"org.mozilla.plugincontainer\")\n"
- "\n"
- "; the following rule should be removed when microphone access\n"
- "; is brokered through the content process\n"
- " (allow device-microphone)\n"
- "\n"
- " (allow file* (var-folders2-regex \"/com\\.apple\\.IntlDataCache\\.le$\"))\n"
- " (allow file-read*\n"
- " (var-folders2-regex \"/com\\.apple\\.IconServices/\")\n"
- " (var-folders2-regex \"/[^/]+\\.mozrunner/extensions/[^/]+/chrome/[^/]+/content/[^/]+\\.j(s|ar)$\"))\n"
- "\n"
- " (allow file-write* (var-folders2-regex \"/org\\.chromium\\.[a-zA-Z0-9]*$\"))\n"
- "\n"
- "; Per-user and system-wide Extensions dir\n"
- " (allow file-read*\n"
- " (home-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\")\n"
- " (resolving-regex \"/Library/Application Support/[^/]+/Extensions/[^/]/\"))\n"
- "\n"
- "; The following rules impose file access restrictions which get\n"
- "; more restrictive in higher levels. When file-origin-specific\n"
- "; content processes are used for file:// origin browsing, the\n"
- "; global file-read* permission should be removed from each level.\n"
- "\n"
- "; level 1: global read access permitted, no global write access\n"
- " (if (= sandbox-level 1) (allow file-read*))\n"
- "\n"
- "; level 2: global read access permitted, no global write access,\n"
- "; no read/write access to ~/Library,\n"
- "; no read/write access to $PROFILE,\n"
- "; read access permitted to $PROFILE/{extensions,weave}\n"
- " (if (= sandbox-level 2)\n"
- " (if (not (zero? hasProfileDir))\n"
- " ; we have a profile dir\n"
- " (begin\n"
- " (allow file-read* (require-all\n"
- " (require-not (home-subpath \"/Library\"))\n"
- " (require-not (subpath profileDir))))\n"
- " (allow file-read*\n"
- " (profile-subpath \"/extensions\")\n"
- " (profile-subpath \"/weave\")))\n"
- " ; we don't have a profile dir\n"
- " (allow file-read* (require-not (home-subpath \"/Library\")))))\n"
- "\n"
- "; accelerated graphics\n"
- " (allow-shared-preferences-read \"com.apple.opengl\")\n"
- " (allow-shared-preferences-read \"com.nvidia.OpenGL\")\n"
- " (allow mach-lookup\n"
- " (global-name \"com.apple.cvmsServ\"))\n"
- " (allow iokit-open\n"
- " (iokit-connection \"IOAccelerator\")\n"
- " (iokit-user-client-class \"IOAccelerationUserClient\")\n"
- " (iokit-user-client-class \"IOSurfaceRootUserClient\")\n"
- " (iokit-user-client-class \"IOSurfaceSendRight\")\n"
- " (iokit-user-client-class \"IOFramebufferSharedUserClient\")\n"
- " (iokit-user-client-class \"AppleSNBFBUserClient\")\n"
- " (iokit-user-client-class \"AGPMClient\")\n"
- " (iokit-user-client-class \"AppleGraphicsControlClient\")\n"
- " (iokit-user-client-class \"AppleGraphicsPolicyClient\"))\n"
- "\n"
- "; bug 1153809\n"
- " (allow iokit-open\n"
- " (iokit-user-client-class \"NVDVDContextTesla\")\n"
- " (iokit-user-client-class \"Gen6DVDContext\"))\n"
- "\n"
- "; bug 1201935\n"
- " (allow file-read*\n"
- " (home-subpath \"/Library/Caches/TemporaryItems\"))\n"
- "\n"
- "; bug 1237847\n"
- " (allow file-read*\n"
- " (subpath appTempDir))\n"
- " (allow file-write*\n"
- " (subpath appTempDir))\n"
- "\n"
- "; bug 1324610\n"
- " (allow network-outbound (literal \"/private/var/run/cupsd\"))\n"
-#ifdef DEBUG
- "\n"
- "; bug 1303987\n"
- " (allow file-write* (var-folders-regex \"/\"))\n"
-#endif
- ")\n";
-
-bool StartMacSandbox(MacSandboxInfo aInfo, std::string &aErrorMessage)
-{
- char *profile = NULL;
- if (aInfo.type == MacSandboxType_Plugin) {
- asprintf(&profile, pluginSandboxRules,
- aInfo.pluginInfo.pluginBinaryPath.c_str(),
- aInfo.appPath.c_str(),
- aInfo.appBinaryPath.c_str());
-
- if (profile &&
- aInfo.pluginInfo.type == MacSandboxPluginType_GMPlugin_EME_Widevine) {
- char *widevineProfile = NULL;
- asprintf(&widevineProfile, "%s%s", profile,
- widevinePluginSandboxRulesAddend);
- free(profile);
- profile = widevineProfile;
- }
- }
- else if (aInfo.type == MacSandboxType_Content) {
- MOZ_ASSERT(aInfo.level >= 1);
- if (aInfo.level >= 1) {
- asprintf(&profile, contentSandboxRules, aInfo.level,
- OSXVersion::OSXVersionMinor(),
- aInfo.appPath.c_str(),
- aInfo.appBinaryPath.c_str(),
- aInfo.appDir.c_str(),
- aInfo.appTempDir.c_str(),
- aInfo.hasSandboxedProfile ? 1 : 0,
- aInfo.profileDir.c_str(),
- getenv("HOME"));
- } else {
- fprintf(stderr,
- "Content sandbox disabled due to sandbox level setting\n");
- return false;
- }
- }
- else {
- char *msg = NULL;
- asprintf(&msg, "Unexpected sandbox type %u", aInfo.type);
- if (msg) {
- aErrorMessage.assign(msg);
- free(msg);
- }
- return false;
- }
-
- if (!profile) {
- fprintf(stderr, "Out of memory in StartMacSandbox()!\n");
- return false;
- }
-
- char *errorbuf = NULL;
- int rv = sandbox_init(profile, 0, &errorbuf);
- if (rv) {
- if (errorbuf) {
- char *msg = NULL;
- asprintf(&msg, "sandbox_init() failed with error \"%s\"", errorbuf);
- if (msg) {
- aErrorMessage.assign(msg);
- free(msg);
- }
- fprintf(stderr, "profile: %s\n", profile);
- sandbox_free_error(errorbuf);
- }
- }
- free(profile);
- if (rv) {
- return false;
- }
-
- return true;
-}
-
-} // namespace mozilla
diff --git a/security/sandbox/mac/moz.build b/security/sandbox/mac/moz.build
deleted file mode 100644
index 28aa06bfa..000000000
--- a/security/sandbox/mac/moz.build
+++ /dev/null
@@ -1,15 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-EXPORTS.mozilla += [
- 'Sandbox.h',
-]
-
-SOURCES += [
- 'Sandbox.mm',
-]
-
-Library('mozsandbox');
diff --git a/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt b/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
deleted file mode 100644
index 62c2dac0b..000000000
--- a/security/sandbox/modifications-to-chromium-to-reapply-after-upstream-merge.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-Please add a link to the bugzilla bug and patch name that should be re-applied.
-Also, please update any existing links to their actual mozilla-central changeset.
-
-https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part4.patch
-https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part5.patch
-https://hg.mozilla.org/mozilla-central/rev/7df8d6639971
-https://bugzilla.mozilla.org/show_bug.cgi?id=1287426 bug1287426part7.patch
-https://bugzilla.mozilla.org/show_bug.cgi?id=1273372 bug1273372part2.patch
-https://bugzilla.mozilla.org/show_bug.cgi?id=1273372 bug1273372part3.patch
diff --git a/security/sandbox/moz-chromium-commit-status.txt b/security/sandbox/moz-chromium-commit-status.txt
deleted file mode 100644
index 501e18b4b..000000000
--- a/security/sandbox/moz-chromium-commit-status.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-Chromium Commit Directory / File (relative to security/sandbox/)
----------------------------------------- ------------------------------------------------
-4ec79b7f2379a60cdc15599e93255c0fa417f1ed chromium
-611754aea9d1c0ba5c7980fa267fd005dc249b85 chromium/sandbox/win/src/policy_target.cc
diff --git a/security/sandbox/moz.build b/security/sandbox/moz.build
deleted file mode 100644
index 1420d6498..000000000
--- a/security/sandbox/moz.build
+++ /dev/null
@@ -1,176 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-BROWSER_CHROME_MANIFESTS += ['test/browser.ini']
-
-with Files('**'):
- BUG_COMPONENT = ('Core', 'Security: Process Sandboxing')
-
-if CONFIG['OS_ARCH'] == 'Linux':
- DIRS += ['linux']
-elif CONFIG['OS_ARCH'] == 'Darwin':
- DIRS += ['mac']
-elif CONFIG['OS_ARCH'] == 'WINNT':
- Library('sandbox_s')
- FORCE_STATIC_LIB = True
-
- DIRS += [
- 'win/src/sandboxbroker',
- 'win/src/sandboxtarget',
- ]
-
- if (CONFIG['CPU_ARCH'] == 'x86' and CONFIG['_MSC_VER'] and not
- CONFIG['CLANG_CL']):
- DIRS += ['win/wow_helper']
-
- EXPORTS.mozilla.sandboxing += [
- 'chromium-shim/sandbox/win/loggingCallbacks.h',
- 'chromium-shim/sandbox/win/loggingTypes.h',
- 'chromium-shim/sandbox/win/sandboxLogging.h',
- 'win/SandboxInitialization.h',
- ]
-
- SOURCES += [
- 'chromium-shim/base/files/file_path.cpp',
- 'chromium-shim/base/logging.cpp',
- 'chromium-shim/sandbox/win/sandboxLogging.cpp',
- 'chromium/base/at_exit.cc',
- 'chromium/base/base_switches.cc',
- 'chromium/base/callback_internal.cc',
- 'chromium/base/cpu.cc',
- 'chromium/base/debug/alias.cc',
- 'chromium/base/debug/profiler.cc',
- 'chromium/base/hash.cc',
- 'chromium/base/lazy_instance.cc',
- 'chromium/base/location.cc',
- 'chromium/base/memory/ref_counted.cc',
- 'chromium/base/memory/singleton.cc',
- 'chromium/base/strings/nullable_string16.cc',
- 'chromium/base/strings/string_number_conversions.cc',
- 'chromium/base/strings/string_piece.cc',
- 'chromium/base/strings/string_split.cc',
- 'chromium/base/strings/string_util.cc',
- 'chromium/base/strings/string_util_constants.cc',
- 'chromium/base/strings/stringprintf.cc',
- 'chromium/base/strings/utf_string_conversion_utils.cc',
- 'chromium/base/strings/utf_string_conversions.cc',
- 'chromium/base/synchronization/lock.cc',
- 'chromium/base/synchronization/lock_impl_win.cc',
- 'chromium/base/third_party/dmg_fp/dtoa.cc',
- 'chromium/base/third_party/dmg_fp/g_fmt.cc',
- 'chromium/base/third_party/icu/icu_utf.cc',
- 'chromium/base/third_party/superfasthash/superfasthash.c',
- 'chromium/base/threading/platform_thread_win.cc',
- 'chromium/base/threading/thread_collision_warner.cc',
- 'chromium/base/threading/thread_id_name_manager.cc',
- 'chromium/base/threading/thread_local_win.cc',
- 'chromium/base/threading/thread_restrictions.cc',
- 'chromium/base/time/time.cc',
- 'chromium/base/time/time_win.cc',
- 'chromium/base/win/pe_image.cc',
- 'chromium/base/win/scoped_handle.cc',
- 'chromium/base/win/scoped_process_information.cc',
- 'chromium/base/win/startup_information.cc',
- 'chromium/base/win/windows_version.cc',
- 'chromium/sandbox/win/src/acl.cc',
- 'chromium/sandbox/win/src/app_container.cc',
- 'chromium/sandbox/win/src/broker_services.cc',
- 'chromium/sandbox/win/src/crosscall_server.cc',
- 'chromium/sandbox/win/src/eat_resolver.cc',
- 'chromium/sandbox/win/src/filesystem_dispatcher.cc',
- 'chromium/sandbox/win/src/filesystem_interception.cc',
- 'chromium/sandbox/win/src/filesystem_policy.cc',
- 'chromium/sandbox/win/src/handle_closer.cc',
- 'chromium/sandbox/win/src/handle_closer_agent.cc',
- 'chromium/sandbox/win/src/handle_dispatcher.cc',
- 'chromium/sandbox/win/src/handle_interception.cc',
- 'chromium/sandbox/win/src/handle_policy.cc',
- 'chromium/sandbox/win/src/interception.cc',
- 'chromium/sandbox/win/src/interception_agent.cc',
- 'chromium/sandbox/win/src/job.cc',
- 'chromium/sandbox/win/src/named_pipe_dispatcher.cc',
- 'chromium/sandbox/win/src/named_pipe_interception.cc',
- 'chromium/sandbox/win/src/named_pipe_policy.cc',
- 'chromium/sandbox/win/src/policy_broker.cc',
- 'chromium/sandbox/win/src/policy_engine_opcodes.cc',
- 'chromium/sandbox/win/src/policy_engine_processor.cc',
- 'chromium/sandbox/win/src/policy_low_level.cc',
- 'chromium/sandbox/win/src/policy_target.cc',
- 'chromium/sandbox/win/src/process_mitigations.cc',
- 'chromium/sandbox/win/src/process_mitigations_win32k_dispatcher.cc',
- 'chromium/sandbox/win/src/process_mitigations_win32k_interception.cc',
- 'chromium/sandbox/win/src/process_mitigations_win32k_policy.cc',
- 'chromium/sandbox/win/src/process_thread_dispatcher.cc',
- 'chromium/sandbox/win/src/process_thread_interception.cc',
- 'chromium/sandbox/win/src/process_thread_policy.cc',
- 'chromium/sandbox/win/src/registry_dispatcher.cc',
- 'chromium/sandbox/win/src/registry_interception.cc',
- 'chromium/sandbox/win/src/registry_policy.cc',
- 'chromium/sandbox/win/src/resolver.cc',
- 'chromium/sandbox/win/src/restricted_token.cc',
- 'chromium/sandbox/win/src/restricted_token_utils.cc',
- 'chromium/sandbox/win/src/sandbox.cc',
- 'chromium/sandbox/win/src/sandbox_globals.cc',
- 'chromium/sandbox/win/src/sandbox_nt_util.cc',
- 'chromium/sandbox/win/src/sandbox_policy_base.cc',
- 'chromium/sandbox/win/src/sandbox_rand.cc',
- 'chromium/sandbox/win/src/sandbox_utils.cc',
- 'chromium/sandbox/win/src/service_resolver.cc',
- 'chromium/sandbox/win/src/sharedmem_ipc_client.cc',
- 'chromium/sandbox/win/src/sharedmem_ipc_server.cc',
- 'chromium/sandbox/win/src/sid.cc',
- 'chromium/sandbox/win/src/sync_dispatcher.cc',
- 'chromium/sandbox/win/src/sync_interception.cc',
- 'chromium/sandbox/win/src/sync_policy.cc',
- 'chromium/sandbox/win/src/target_interceptions.cc',
- 'chromium/sandbox/win/src/target_process.cc',
- 'chromium/sandbox/win/src/target_services.cc',
- 'chromium/sandbox/win/src/top_level_dispatcher.cc',
- 'chromium/sandbox/win/src/win2k_threadpool.cc',
- 'chromium/sandbox/win/src/win_utils.cc',
- 'chromium/sandbox/win/src/window.cc',
- 'win/SandboxInitialization.cpp',
- ]
-
- if CONFIG['CPU_ARCH'] == 'x86_64':
- SOURCES += [
- 'chromium/sandbox/win/src/interceptors_64.cc',
- 'chromium/sandbox/win/src/resolver_64.cc',
- 'chromium/sandbox/win/src/service_resolver_64.cc',
- 'chromium/sandbox/win/src/Wow64_64.cc',
- ]
- else:
- SOURCES += [
- 'chromium/sandbox/win/src/resolver_32.cc',
- 'chromium/sandbox/win/src/service_resolver_32.cc',
- 'chromium/sandbox/win/src/sidestep/ia32_modrm_map.cpp',
- 'chromium/sandbox/win/src/sidestep/ia32_opcode_map.cpp',
- 'chromium/sandbox/win/src/sidestep/mini_disassembler.cpp',
- 'chromium/sandbox/win/src/sidestep/preamble_patcher_with_stub.cpp',
- 'chromium/sandbox/win/src/sidestep_resolver.cc',
- 'chromium/sandbox/win/src/Wow64.cc',
- ]
-
- for var in ('UNICODE', '_UNICODE', 'NS_NO_XPCOM', 'SANDBOX_EXPORTS',
- '_CRT_RAND_S', 'CHROMIUM_SANDBOX_BUILD'):
- DEFINES[var] = True
-
- LOCAL_INCLUDES += ['/security/sandbox/chromium-shim']
- LOCAL_INCLUDES += ['/security/sandbox/chromium']
- LOCAL_INCLUDES += ['/nsprpub']
-
- DISABLE_STL_WRAPPING = True
-
- # Suppress warnings in third-party code.
- if CONFIG['_MSC_VER']:
- CXXFLAGS += [
- '-wd4275', # non dll-interface class exception used as base for dll-interface class
- '-wd4717', # recursive on all control paths, function will cause runtime stack overflow
- '-wd4996', # 'GetVersionExW': was declared deprecated
- '-wd4302', # 'reinterpret_cast': truncation from 'LPCSTR' to 'WORD'
- '-wd4311', # 'reinterpret_cast': pointer truncation from 'LPOVERLAPPED' to 'DWORD'
- '-wd4312', # 'reinterpret_cast': conversion from 'DWORD' to 'LPOVERLAPPED' of greater size
- ]
diff --git a/security/sandbox/test/browser.ini b/security/sandbox/test/browser.ini
deleted file mode 100644
index 7e3e96ea4..000000000
--- a/security/sandbox/test/browser.ini
+++ /dev/null
@@ -1,11 +0,0 @@
-# Any copyright is dedicated to the Public Domain.
-# http://creativecommons.org/publicdomain/zero/1.0/
-[DEFAULT]
-tags = contentsandbox
-support-files =
- browser_content_sandbox_utils.js
-
-skip-if = !e10s
-[browser_content_sandbox_fs.js]
-skip-if = !e10s
-[browser_content_sandbox_syscalls.js]
diff --git a/security/sandbox/test/browser_content_sandbox_fs.js b/security/sandbox/test/browser_content_sandbox_fs.js
deleted file mode 100644
index 946f86bb9..000000000
--- a/security/sandbox/test/browser_content_sandbox_fs.js
+++ /dev/null
@@ -1,169 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-var prefs = Cc["@mozilla.org/preferences-service;1"]
- .getService(Ci.nsIPrefBranch);
-
-Services.scriptloader.loadSubScript("chrome://mochitests/content/browser/" +
- "security/sandbox/test/browser_content_sandbox_utils.js", this);
-
-/*
- * This test exercises file I/O from the content process using OS.File
- * methods to validate that calls that are meant to be blocked by content
- * sandboxing are blocked.
- */
-
-// Creates file at |path| and returns a promise that resolves with true
-// if the file was successfully created, otherwise false. Include imports
-// so this can be safely serialized and run remotely by ContentTask.spawn.
-function createFile(path) {
- Components.utils.import("resource://gre/modules/osfile.jsm");
- let encoder = new TextEncoder();
- let array = encoder.encode("WRITING FROM CONTENT PROCESS");
- return OS.File.writeAtomic(path, array).then(function(value) {
- return true;
- }, function(reason) {
- return false;
- });
-}
-
-// Deletes file at |path| and returns a promise that resolves with true
-// if the file was successfully deleted, otherwise false. Include imports
-// so this can be safely serialized and run remotely by ContentTask.spawn.
-function deleteFile(path) {
- Components.utils.import("resource://gre/modules/osfile.jsm");
- return OS.File.remove(path, {ignoreAbsent: false}).then(function(value) {
- return true;
- }).catch(function(err) {
- return false;
- });
-}
-
-// Returns true if the current content sandbox level, passed in
-// the |level| argument, supports filesystem sandboxing.
-function isContentFileIOSandboxed(level) {
- let fileIOSandboxMinLevel = 0;
-
- // Set fileIOSandboxMinLevel to the lowest level that has
- // content filesystem sandboxing enabled. For now, this
- // varies across Windows, Mac, Linux, other.
- switch (Services.appinfo.OS) {
- case "WINNT":
- fileIOSandboxMinLevel = 1;
- break;
- case "Darwin":
- fileIOSandboxMinLevel = 1;
- break;
- case "Linux":
- fileIOSandboxMinLevel = 2;
- break;
- default:
- Assert.ok(false, "Unknown OS");
- }
-
- return (level >= fileIOSandboxMinLevel);
-}
-
-//
-// Drive tests for a single content process.
-//
-// Tests attempting to write to a file in the home directory from the
-// content process--expected to fail.
-//
-// Tests attempting to write to a file in the content temp directory
-// from the content process--expected to succeed. On Mac and Windows,
-// use "ContentTmpD", but on Linux use "TmpD" until Linux uses the
-// content temp dir key.
-//
-add_task(function*() {
- // This test is only relevant in e10s
- if (!gMultiProcessBrowser) {
- ok(false, "e10s is enabled");
- info("e10s is not enabled, exiting");
- return;
- }
-
- let level = 0;
- let prefExists = true;
-
- // Read the security.sandbox.content.level pref.
- // If the pref isn't set and we're running on Linux on !isNightly(),
- // exit without failing. The Linux content sandbox is only enabled
- // on Nightly at this time.
- try {
- level = prefs.getIntPref("security.sandbox.content.level");
- } catch (e) {
- prefExists = false;
- }
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(prefExists, "pref security.sandbox.content.level exists");
- if (!prefExists) {
- return;
- }
- }
-
- ok(prefExists, "pref security.sandbox.content.level exists");
- if (!prefExists) {
- return;
- }
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(level > 0, "content sandbox enabled for !nightly.");
- return;
- }
-
- info(`security.sandbox.content.level=${level}`);
- ok(level > 0, "content sandbox is enabled.");
- if (level == 0) {
- info("content sandbox is not enabled, exiting");
- return;
- }
-
- let isFileIOSandboxed = isContentFileIOSandboxed(level);
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(isFileIOSandboxed, "content file I/O sandbox enabled for !nightly.");
- return;
- }
-
- // Content sandbox enabled, but level doesn't include file I/O sandboxing.
- ok(isFileIOSandboxed, "content file I/O sandboxing is enabled.");
- if (!isFileIOSandboxed) {
- info("content sandbox level too low for file I/O tests, exiting\n");
- return;
- }
-
- let browser = gBrowser.selectedBrowser;
-
- {
- // test if the content process can create in $HOME, this should fail
- let homeFile = fileInHomeDir();
- let path = homeFile.path;
- let fileCreated = yield ContentTask.spawn(browser, path, createFile);
- ok(fileCreated == false, "creating a file in home dir is not permitted");
- if (fileCreated == true) {
- // content process successfully created the file, now remove it
- homeFile.remove(false);
- }
- }
-
- {
- // test if the content process can create a temp file, should pass
- let path = fileInTempDir().path;
- let fileCreated = yield ContentTask.spawn(browser, path, createFile);
- if (!fileCreated && isWin()) {
- // TODO: fix 1329294 and enable this test for Windows.
- // Not using todo() because this only fails on automation.
- info("ignoring failure to write to content temp due to 1329294\n");
- return;
- }
- ok(fileCreated == true, "creating a file in content temp is permitted");
- // now delete the file
- let fileDeleted = yield ContentTask.spawn(browser, path, deleteFile);
- ok(fileDeleted == true, "deleting a file in content temp is permitted");
- }
-});
diff --git a/security/sandbox/test/browser_content_sandbox_syscalls.js b/security/sandbox/test/browser_content_sandbox_syscalls.js
deleted file mode 100644
index d56456966..000000000
--- a/security/sandbox/test/browser_content_sandbox_syscalls.js
+++ /dev/null
@@ -1,223 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-var prefs = Cc["@mozilla.org/preferences-service;1"]
- .getService(Ci.nsIPrefBranch);
-
-Services.scriptloader.loadSubScript("chrome://mochitests/content/browser/" +
- "security/sandbox/test/browser_content_sandbox_utils.js", this);
-
-/*
- * This test is for executing system calls in content processes to validate
- * that calls that are meant to be blocked by content sandboxing are blocked.
- * We use the term system calls loosely so that any OS API call such as
- * fopen could be included.
- */
-
-// Calls the native execv library function. Include imports so this can be
-// safely serialized and run remotely by ContentTask.spawn.
-function callExec(args) {
- Components.utils.import("resource://gre/modules/ctypes.jsm");
- let {lib, cmd} = args;
- let libc = ctypes.open(lib);
- let exec = libc.declare("execv", ctypes.default_abi,
- ctypes.int, ctypes.char.ptr);
- let rv = exec(cmd);
- libc.close();
- return (rv);
-}
-
-// Calls the native fork syscall.
-function callFork(args) {
- Components.utils.import("resource://gre/modules/ctypes.jsm");
- let {lib} = args;
- let libc = ctypes.open(lib);
- let fork = libc.declare("fork", ctypes.default_abi, ctypes.int);
- let rv = fork();
- libc.close();
- return (rv);
-}
-
-// Calls the native open/close syscalls.
-function callOpen(args) {
- Components.utils.import("resource://gre/modules/ctypes.jsm");
- let {lib, path, flags} = args;
- let libc = ctypes.open(lib);
- let open = libc.declare("open", ctypes.default_abi,
- ctypes.int, ctypes.char.ptr, ctypes.int);
- let close = libc.declare("close", ctypes.default_abi,
- ctypes.int, ctypes.int);
- let fd = open(path, flags);
- close(fd);
- libc.close();
- return (fd);
-}
-
-// open syscall flags
-function openWriteCreateFlags() {
- Assert.ok(isMac() || isLinux());
- if (isMac()) {
- let O_WRONLY = 0x001;
- let O_CREAT = 0x200;
- return (O_WRONLY | O_CREAT);
- } else {
- // Linux
- let O_WRONLY = 0x01;
- let O_CREAT = 0x40;
- return (O_WRONLY | O_CREAT);
- }
-}
-
-// Returns the name of the native library needed for native syscalls
-function getOSLib() {
- switch (Services.appinfo.OS) {
- case "WINNT":
- return "kernel32.dll";
- case "Darwin":
- return "libc.dylib";
- case "Linux":
- return "libc.so.6";
- default:
- Assert.ok(false, "Unknown OS");
- }
-}
-
-// Returns a harmless command to execute with execv
-function getOSExecCmd() {
- Assert.ok(!isWin());
- return ("/bin/cat");
-}
-
-// Returns true if the current content sandbox level, passed in
-// the |level| argument, supports syscall sandboxing.
-function areContentSyscallsSandboxed(level) {
- let syscallsSandboxMinLevel = 0;
-
- // Set syscallsSandboxMinLevel to the lowest level that has
- // syscall sandboxing enabled. For now, this varies across
- // Windows, Mac, Linux, other.
- switch (Services.appinfo.OS) {
- case "WINNT":
- syscallsSandboxMinLevel = 1;
- break;
- case "Darwin":
- syscallsSandboxMinLevel = 1;
- break;
- case "Linux":
- syscallsSandboxMinLevel = 2;
- break;
- default:
- Assert.ok(false, "Unknown OS");
- }
-
- return (level >= syscallsSandboxMinLevel);
-}
-
-//
-// Drive tests for a single content process.
-//
-// Tests executing OS API calls in the content process. Limited to Mac
-// and Linux calls for now.
-//
-add_task(function*() {
- // This test is only relevant in e10s
- if (!gMultiProcessBrowser) {
- ok(false, "e10s is enabled");
- info("e10s is not enabled, exiting");
- return;
- }
-
- let level = 0;
- let prefExists = true;
-
- // Read the security.sandbox.content.level pref.
- // If the pref isn't set and we're running on Linux on !isNightly(),
- // exit without failing. The Linux content sandbox is only enabled
- // on Nightly at this time.
- try {
- level = prefs.getIntPref("security.sandbox.content.level");
- } catch (e) {
- prefExists = false;
- }
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(prefExists, "pref security.sandbox.content.level exists");
- if (!prefExists) {
- return;
- }
- }
-
- ok(prefExists, "pref security.sandbox.content.level exists");
- if (!prefExists) {
- return;
- }
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(level > 0, "content sandbox enabled for !nightly.");
- return;
- }
-
- info(`security.sandbox.content.level=${level}`);
- ok(level > 0, "content sandbox is enabled.");
- if (level == 0) {
- info("content sandbox is not enabled, exiting");
- return;
- }
-
- let areSyscallsSandboxed = areContentSyscallsSandboxed(level);
-
- // Special case Linux on !isNightly
- if (isLinux() && !isNightly()) {
- todo(areSyscallsSandboxed, "content syscall sandbox enabled for !nightly.");
- return;
- }
-
- // Content sandbox enabled, but level doesn't include syscall sandboxing.
- ok(areSyscallsSandboxed, "content syscall sandboxing is enabled.");
- if (!areSyscallsSandboxed) {
- info("content sandbox level too low for syscall tests, exiting\n");
- return;
- }
-
- let browser = gBrowser.selectedBrowser;
- let lib = getOSLib();
-
- // use execv syscall
- // (causes content process to be killed on Linux)
- if (isMac()) {
- // exec something harmless, this should fail
- let cmd = getOSExecCmd();
- let rv = yield ContentTask.spawn(browser, {lib, cmd}, callExec);
- ok(rv == -1, `exec(${cmd}) is not permitted`);
- }
-
- // use open syscall
- if (isLinux() || isMac())
- {
- // open a file for writing in $HOME, this should fail
- let path = fileInHomeDir().path;
- let flags = openWriteCreateFlags();
- let fd = yield ContentTask.spawn(browser, {lib, path, flags}, callOpen);
- ok(fd < 0, "opening a file for writing in home is not permitted");
- }
-
- // use open syscall
- if (isLinux() || isMac())
- {
- // open a file for writing in the content temp dir, this should work
- // and the open handler in the content process closes the file for us
- let path = fileInTempDir().path;
- let flags = openWriteCreateFlags();
- let fd = yield ContentTask.spawn(browser, {lib, path, flags}, callOpen);
- ok(fd >= 0, "opening a file for writing in content temp is permitted");
- }
-
- // use fork syscall
- if (isLinux() || isMac())
- {
- let rv = yield ContentTask.spawn(browser, {lib}, callFork);
- ok(rv == -1, "calling fork is not permitted");
- }
-});
diff --git a/security/sandbox/test/browser_content_sandbox_utils.js b/security/sandbox/test/browser_content_sandbox_utils.js
deleted file mode 100644
index 0e9d01352..000000000
--- a/security/sandbox/test/browser_content_sandbox_utils.js
+++ /dev/null
@@ -1,57 +0,0 @@
-/* Any copyright is dedicated to the Public Domain.
- * http://creativecommons.org/publicdomain/zero/1.0/ */
-
-const uuidGenerator = Cc["@mozilla.org/uuid-generator;1"]
- .getService(Ci.nsIUUIDGenerator);
-
-/*
- * Utility functions for the browser content sandbox tests.
- */
-
-function isMac() { return Services.appinfo.OS == "Darwin" }
-function isWin() { return Services.appinfo.OS == "WINNT" }
-function isLinux() { return Services.appinfo.OS == "Linux" }
-
-function isNightly() {
- let version = SpecialPowers.Cc["@mozilla.org/xre/app-info;1"].
- getService(SpecialPowers.Ci.nsIXULAppInfo).version;
- return (version.endsWith("a1"));
-}
-
-function uuid() {
- return uuidGenerator.generateUUID().toString();
-}
-
-// Returns a file object for a new file in the home dir ($HOME/<UUID>).
-function fileInHomeDir() {
- // get home directory, make sure it exists
- let homeDir = Services.dirsvc.get("Home", Ci.nsILocalFile);
- Assert.ok(homeDir.exists(), "Home dir exists");
- Assert.ok(homeDir.isDirectory(), "Home dir is a directory");
-
- // build a file object for a new file named $HOME/<UUID>
- let homeFile = homeDir.clone();
- homeFile.appendRelativePath(uuid());
- Assert.ok(!homeFile.exists(), homeFile.path + " does not exist");
- return (homeFile);
-}
-
-// Returns a file object for a new file in the content temp dir (.../<UUID>).
-function fileInTempDir() {
- let contentTempKey = "ContentTmpD";
- if (Services.appinfo.OS == "Linux") {
- // Linux builds don't use the content-specific temp key
- contentTempKey = "TmpD";
- }
-
- // get the content temp dir, make sure it exists
- let ctmp = Services.dirsvc.get(contentTempKey, Ci.nsILocalFile);
- Assert.ok(ctmp.exists(), "Content temp dir exists");
- Assert.ok(ctmp.isDirectory(), "Content temp dir is a directory");
-
- // build a file object for a new file in content temp
- let tempFile = ctmp.clone();
- tempFile.appendRelativePath(uuid());
- Assert.ok(!tempFile.exists(), tempFile.path + " does not exist");
- return (tempFile);
-}
diff --git a/security/sandbox/win/SandboxInitialization.cpp b/security/sandbox/win/SandboxInitialization.cpp
deleted file mode 100644
index e587c2598..000000000
--- a/security/sandbox/win/SandboxInitialization.cpp
+++ /dev/null
@@ -1,81 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "SandboxInitialization.h"
-
-#include "sandbox/win/src/sandbox_factory.h"
-
-namespace mozilla {
-namespace sandboxing {
-
-static sandbox::TargetServices*
-InitializeTargetServices()
-{
- sandbox::TargetServices* targetServices =
- sandbox::SandboxFactory::GetTargetServices();
- if (!targetServices) {
- return nullptr;
- }
-
- if (targetServices->Init() != sandbox::SBOX_ALL_OK) {
- return nullptr;
- }
-
- return targetServices;
-}
-
-sandbox::TargetServices*
-GetInitializedTargetServices()
-{
- static sandbox::TargetServices* sInitializedTargetServices =
- InitializeTargetServices();
-
- return sInitializedTargetServices;
-}
-
-void
-LowerSandbox()
-{
- GetInitializedTargetServices()->LowerToken();
-}
-
-static sandbox::BrokerServices*
-InitializeBrokerServices()
-{
- sandbox::BrokerServices* brokerServices =
- sandbox::SandboxFactory::GetBrokerServices();
- if (!brokerServices) {
- return nullptr;
- }
-
- if (brokerServices->Init() != sandbox::SBOX_ALL_OK) {
- return nullptr;
- }
-
- // Comment below copied from Chromium code.
- // Precreate the desktop and window station used by the renderers.
- // IMPORTANT: This piece of code needs to run as early as possible in the
- // process because it will initialize the sandbox broker, which requires
- // the process to swap its window station. During this time all the UI
- // will be broken. This has to run before threads and windows are created.
- sandbox::TargetPolicy* policy = brokerServices->CreatePolicy();
- sandbox::ResultCode result = policy->CreateAlternateDesktop(true);
- policy->Release();
-
- return brokerServices;
-}
-
-sandbox::BrokerServices*
-GetInitializedBrokerServices()
-{
- static sandbox::BrokerServices* sInitializedBrokerServices =
- InitializeBrokerServices();
-
- return sInitializedBrokerServices;
-}
-
-} // sandboxing
-} // mozilla
diff --git a/security/sandbox/win/SandboxInitialization.h b/security/sandbox/win/SandboxInitialization.h
deleted file mode 100644
index e5be08904..000000000
--- a/security/sandbox/win/SandboxInitialization.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef mozilla_sandboxing_SandboxInitialization_h
-#define mozilla_sandboxing_SandboxInitialization_h
-
-namespace sandbox {
-class BrokerServices;
-class TargetServices;
-}
-
-// Things that use this file will probably want access to the IsSandboxedProcess
-// function defined in one of the Chromium sandbox cc files.
-extern "C" bool IsSandboxedProcess();
-
-namespace mozilla {
-// Note the Chromium code just uses a bare sandbox namespace, which makes using
-// sandbox for our namespace painful.
-namespace sandboxing {
-
-/**
- * Initializes (if required) and returns the Chromium sandbox TargetServices.
- *
- * @return the TargetServices or null if the creation or initialization failed.
- */
-sandbox::TargetServices* GetInitializedTargetServices();
-
-/**
- * Lowers the permissions on the process sandbox.
- * Provided because the GMP sandbox needs to be lowered from the executable.
- */
-void LowerSandbox();
-
-/**
- * Initializes (if required) and returns the Chromium sandbox BrokerServices.
- *
- * @return the BrokerServices or null if the creation or initialization failed.
- */
-sandbox::BrokerServices* GetInitializedBrokerServices();
-
-} // sandboxing
-} // mozilla
-
-#endif // mozilla_sandboxing_SandboxInitialization_h
diff --git a/security/sandbox/win/src/sandboxbroker/moz.build b/security/sandbox/win/src/sandboxbroker/moz.build
deleted file mode 100644
index 4a9d01cc5..000000000
--- a/security/sandbox/win/src/sandboxbroker/moz.build
+++ /dev/null
@@ -1,33 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-SOURCES += [
- 'sandboxBroker.cpp',
-]
-
-EXPORTS += [
- 'sandboxBroker.h',
-]
-
-for var in ('UNICODE', '_UNICODE', 'SANDBOX_EXPORTS'):
- DEFINES[var] = True
-
-LOCAL_INCLUDES += [
- '/security/sandbox/chromium',
-]
-
-DISABLE_STL_WRAPPING = True
-
-OS_LIBS += [
- 'dbghelp',
-]
-
-if CONFIG['_MSC_VER']:
- CXXFLAGS += [
- '-wd4275', # non dll-interface class exception used as base for dll-interface class
- ]
-
-FINAL_LIBRARY = 'xul'
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp b/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
deleted file mode 100644
index d3aab815f..000000000
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.cpp
+++ /dev/null
@@ -1,471 +0,0 @@
-/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#include "sandboxBroker.h"
-
-#include "base/win/windows_version.h"
-#include "mozilla/Assertions.h"
-#include "mozilla/Logging.h"
-#include "sandbox/win/src/sandbox.h"
-#include "sandbox/win/src/security_level.h"
-
-namespace mozilla
-{
-
-sandbox::BrokerServices *SandboxBroker::sBrokerService = nullptr;
-
-static LazyLogModule sSandboxBrokerLog("SandboxBroker");
-
-#define LOG_E(...) MOZ_LOG(sSandboxBrokerLog, LogLevel::Error, (__VA_ARGS__))
-
-/* static */
-void
-SandboxBroker::Initialize(sandbox::BrokerServices* aBrokerServices)
-{
- sBrokerService = aBrokerServices;
-}
-
-SandboxBroker::SandboxBroker()
-{
- if (sBrokerService) {
- mPolicy = sBrokerService->CreatePolicy();
- } else {
- mPolicy = nullptr;
- }
-}
-
-bool
-SandboxBroker::LaunchApp(const wchar_t *aPath,
- const wchar_t *aArguments,
- const bool aEnableLogging,
- void **aProcessHandle)
-{
- if (!sBrokerService || !mPolicy) {
- return false;
- }
-
- // Set stdout and stderr, to allow inheritance for logging.
- mPolicy->SetStdoutHandle(::GetStdHandle(STD_OUTPUT_HANDLE));
- mPolicy->SetStderrHandle(::GetStdHandle(STD_ERROR_HANDLE));
-
- // If logging enabled, set up the policy.
- if (aEnableLogging) {
- ApplyLoggingPolicy();
- }
-
-#if defined(DEBUG)
- // Allow write access to TEMP directory in debug builds for logging purposes.
- // The path from GetTempPathW can have a length up to MAX_PATH + 1, including
- // the null, so we need MAX_PATH + 2, so we can add an * to the end.
- wchar_t tempPath[MAX_PATH + 2];
- uint32_t pathLen = ::GetTempPathW(MAX_PATH + 1, tempPath);
- if (pathLen > 0) {
- // GetTempPath path ends with \ and returns the length without the null.
- tempPath[pathLen] = L'*';
- tempPath[pathLen + 1] = L'\0';
- mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY, tempPath);
- }
-#endif
-
- // Ceate the sandboxed process
- PROCESS_INFORMATION targetInfo = {0};
- sandbox::ResultCode result;
- result = sBrokerService->SpawnTarget(aPath, aArguments, mPolicy, &targetInfo);
- if (sandbox::SBOX_ALL_OK != result) {
- return false;
- }
-
- // The sandboxed process is started in a suspended state, resume it now that
- // we've set things up.
- ResumeThread(targetInfo.hThread);
- CloseHandle(targetInfo.hThread);
-
- // Return the process handle to the caller
- *aProcessHandle = targetInfo.hProcess;
-
- return true;
-}
-
-#define SANDBOX_ENSURE_SUCCESS(result, message) \
- do { \
- MOZ_ASSERT(sandbox::SBOX_ALL_OK == result, message); \
- if (sandbox::SBOX_ALL_OK != result) \
- return false; \
- } while (0)
-
-bool
-SandboxBroker::SetSecurityLevelForPluginProcess(int32_t aSandboxLevel)
-{
- if (!mPolicy) {
- return false;
- }
-
- sandbox::JobLevel jobLevel;
- sandbox::TokenLevel accessTokenLevel;
- sandbox::IntegrityLevel initialIntegrityLevel;
- sandbox::IntegrityLevel delayedIntegrityLevel;
-
- if (aSandboxLevel > 2) {
- jobLevel = sandbox::JOB_UNPROTECTED;
- accessTokenLevel = sandbox::USER_LIMITED;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- } else if (aSandboxLevel == 2) {
- jobLevel = sandbox::JOB_UNPROTECTED;
- accessTokenLevel = sandbox::USER_INTERACTIVE;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_LOW;
- } else {
- jobLevel = sandbox::JOB_NONE;
- accessTokenLevel = sandbox::USER_NON_ADMIN;
- initialIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
- delayedIntegrityLevel = sandbox::INTEGRITY_LEVEL_MEDIUM;
- }
-
- sandbox::ResultCode result = mPolicy->SetJobLevel(jobLevel,
- 0 /* ui_exceptions */);
- SANDBOX_ENSURE_SUCCESS(result,
- "Setting job level failed, have you set memory limit when jobLevel == JOB_NONE?");
-
- result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS,
- accessTokenLevel);
- SANDBOX_ENSURE_SUCCESS(result,
- "Lockdown level cannot be USER_UNPROTECTED or USER_LAST if initial level was USER_RESTRICTED_SAME_ACCESS");
-
- result = mPolicy->SetIntegrityLevel(initialIntegrityLevel);
- SANDBOX_ENSURE_SUCCESS(result,
- "SetIntegrityLevel should never fail, what happened?");
-
- result = mPolicy->SetDelayedIntegrityLevel(delayedIntegrityLevel);
- SANDBOX_ENSURE_SUCCESS(result,
- "SetDelayedIntegrityLevel should never fail, what happened?");
-
- sandbox::MitigationFlags mitigations =
- sandbox::MITIGATION_BOTTOM_UP_ASLR |
- sandbox::MITIGATION_HEAP_TERMINATE |
- sandbox::MITIGATION_SEHOP |
- sandbox::MITIGATION_DEP_NO_ATL_THUNK |
- sandbox::MITIGATION_DEP;
-
- result = mPolicy->SetProcessMitigations(mitigations);
- SANDBOX_ENSURE_SUCCESS(result,
- "Invalid flags for SetProcessMitigations.");
-
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- L"\\??\\pipe\\chrome.*");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // Add the policy for the client side of the crash server pipe.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- L"\\??\\pipe\\gecko-crash-server-pipe.*");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // The NPAPI process needs to be able to duplicate shared memory to the
- // content process and broker process, which are Section type handles.
- // Content and broker are for e10s and non-e10s cases.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
- sandbox::TargetPolicy::HANDLES_DUP_ANY,
- L"Section");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
- sandbox::TargetPolicy::HANDLES_DUP_BROKER,
- L"Section");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // The following is required for the Java plugin.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- L"\\??\\pipe\\jpi2_pid*_pipe*");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // These register keys are used by the file-browser dialog box. They
- // remember the most-recently-used folders.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_ANY,
- L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSavePidlMRU\\*");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_ANY,
- L"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRULegacy\\*");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- return true;
-}
-
-bool
-SandboxBroker::SetSecurityLevelForGMPlugin(SandboxLevel aLevel)
-{
- if (!mPolicy) {
- return false;
- }
-
- auto result = mPolicy->SetJobLevel(sandbox::JOB_LOCKDOWN, 0);
- SANDBOX_ENSURE_SUCCESS(result,
- "SetJobLevel should never fail with these arguments, what happened?");
- auto level = (aLevel == Restricted) ?
- sandbox::USER_RESTRICTED : sandbox::USER_LOCKDOWN;
- result = mPolicy->SetTokenLevel(sandbox::USER_RESTRICTED_SAME_ACCESS, level);
- SANDBOX_ENSURE_SUCCESS(result,
- "SetTokenLevel should never fail with these arguments, what happened?");
-
- result = mPolicy->SetAlternateDesktop(true);
- SANDBOX_ENSURE_SUCCESS(result,
- "Failed to create alternate desktop for sandbox.");
-
- result = mPolicy->SetIntegrityLevel(sandbox::INTEGRITY_LEVEL_LOW);
- MOZ_ASSERT(sandbox::SBOX_ALL_OK == result,
- "SetIntegrityLevel should never fail with these arguments, what happened?");
-
- result =
- mPolicy->SetDelayedIntegrityLevel(sandbox::INTEGRITY_LEVEL_UNTRUSTED);
- SANDBOX_ENSURE_SUCCESS(result,
- "SetIntegrityLevel should never fail with these arguments, what happened?");
-
- sandbox::MitigationFlags mitigations =
- sandbox::MITIGATION_BOTTOM_UP_ASLR |
- sandbox::MITIGATION_HEAP_TERMINATE |
- sandbox::MITIGATION_SEHOP |
- sandbox::MITIGATION_DEP_NO_ATL_THUNK |
- sandbox::MITIGATION_DEP;
-
- result = mPolicy->SetProcessMitigations(mitigations);
- SANDBOX_ENSURE_SUCCESS(result,
- "Invalid flags for SetProcessMitigations.");
-
- mitigations =
- sandbox::MITIGATION_STRICT_HANDLE_CHECKS |
- sandbox::MITIGATION_DLL_SEARCH_ORDER;
-
- result = mPolicy->SetDelayedProcessMitigations(mitigations);
- SANDBOX_ENSURE_SUCCESS(result,
- "Invalid flags for SetDelayedProcessMitigations.");
-
- // Add the policy for the client side of a pipe. It is just a file
- // in the \pipe\ namespace. We restrict it to pipes that start with
- // "chrome." so the sandboxed process cannot connect to system services.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- L"\\??\\pipe\\chrome.*");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // Add the policy for the client side of the crash server pipe.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- L"\\??\\pipe\\gecko-crash-server-pipe.*");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
-#ifdef DEBUG
- // The plugin process can't create named events, but we'll
- // make an exception for the events used in logging. Removing
- // this will break EME in debug builds.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_SYNC,
- sandbox::TargetPolicy::EVENTS_ALLOW_ANY,
- L"ChromeIPCLog.*");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-#endif
-
- // The following rules were added because, during analysis of an EME
- // plugin during development, these registry keys were accessed when
- // loading the plugin. Commenting out these policy exceptions caused
- // plugin loading to fail, so they are necessary for proper functioning
- // of at least one EME plugin.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_CURRENT_USER");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_CURRENT_USER\\Control Panel\\Desktop");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\LanguageConfiguration");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
-
- // The following rules were added because, during analysis of an EME
- // plugin during development, these registry keys were accessed when
- // loading the plugin. Commenting out these policy exceptions did not
- // cause anything to break during initial testing, but might cause
- // unforeseen issues down the road.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MUI\\Settings");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Control Panel\\Desktop");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SideBySide\\PreferExternalManifest");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
- // The following rules were added to allow a GMP to be loaded when any
- // AppLocker DLL rules are specified. If the rules specifically block the DLL
- // then it will not load.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_READONLY,
- L"\\Device\\SrpDevice");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\GP\\");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
- // On certain Windows versions there is a double slash before GP in the path.
- result = mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Srp\\\\GP\\");
- SANDBOX_ENSURE_SUCCESS(result,
- "With these static arguments AddRule should never fail, what happened?");
-
-
- return true;
-}
-#undef SANDBOX_ENSURE_SUCCESS
-
-bool
-SandboxBroker::AllowReadFile(wchar_t const *file)
-{
- if (!mPolicy) {
- return false;
- }
-
- auto result =
- mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_READONLY,
- file);
- if (sandbox::SBOX_ALL_OK != result) {
- LOG_E("Failed (ResultCode %d) to add read access to: %S", result, file);
- return false;
- }
-
- return true;
-}
-
-bool
-SandboxBroker::AllowReadWriteFile(wchar_t const *file)
-{
- if (!mPolicy) {
- return false;
- }
-
- auto result =
- mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_ANY,
- file);
- if (sandbox::SBOX_ALL_OK != result) {
- LOG_E("Failed (ResultCode %d) to add read/write access to: %S",
- result, file);
- return false;
- }
-
- return true;
-}
-
-bool
-SandboxBroker::AllowDirectory(wchar_t const *dir)
-{
- if (!mPolicy) {
- return false;
- }
-
- auto result =
- mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_FILES,
- sandbox::TargetPolicy::FILES_ALLOW_DIR_ANY,
- dir);
- if (sandbox::SBOX_ALL_OK != result) {
- LOG_E("Failed (ResultCode %d) to add directory access to: %S", result, dir);
- return false;
- }
-
- return true;
-}
-
-bool
-SandboxBroker::AddTargetPeer(HANDLE aPeerProcess)
-{
- if (!sBrokerService) {
- return false;
- }
-
- sandbox::ResultCode result = sBrokerService->AddTargetPeer(aPeerProcess);
- return (sandbox::SBOX_ALL_OK == result);
-}
-
-void
-SandboxBroker::ApplyLoggingPolicy()
-{
- MOZ_ASSERT(mPolicy);
-
- // Add dummy rules, so that we can log in the interception code.
- // We already have a file interception set up for the client side of pipes.
- // Also, passing just "dummy" for file system policy causes win_utils.cc
- // IsReparsePoint() to loop.
- mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_NAMED_PIPES,
- sandbox::TargetPolicy::NAMEDPIPES_ALLOW_ANY, L"dummy");
- mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_PROCESS,
- sandbox::TargetPolicy::PROCESS_MIN_EXEC, L"dummy");
- mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_REGISTRY,
- sandbox::TargetPolicy::REG_ALLOW_READONLY,
- L"HKEY_CURRENT_USER\\dummy");
- mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_SYNC,
- sandbox::TargetPolicy::EVENTS_ALLOW_READONLY, L"dummy");
- mPolicy->AddRule(sandbox::TargetPolicy::SUBSYS_HANDLES,
- sandbox::TargetPolicy::HANDLES_DUP_BROKER, L"dummy");
-}
-
-SandboxBroker::~SandboxBroker()
-{
- if (mPolicy) {
- mPolicy->Release();
- mPolicy = nullptr;
- }
-}
-
-}
diff --git a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h b/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
deleted file mode 100644
index 7f1f1597f..000000000
--- a/security/sandbox/win/src/sandboxbroker/sandboxBroker.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef __SECURITY_SANDBOX_SANDBOXBROKER_H__
-#define __SECURITY_SANDBOX_SANDBOXBROKER_H__
-
-#include <stdint.h>
-#include <windows.h>
-
-namespace sandbox {
- class BrokerServices;
- class TargetPolicy;
-}
-
-namespace mozilla {
-
-class SandboxBroker
-{
-public:
- SandboxBroker();
-
- static void Initialize(sandbox::BrokerServices* aBrokerServices);
-
- bool LaunchApp(const wchar_t *aPath,
- const wchar_t *aArguments,
- const bool aEnableLogging,
- void **aProcessHandle);
- virtual ~SandboxBroker();
-
- // Security levels for different types of processes
- bool SetSecurityLevelForPluginProcess(int32_t aSandboxLevel);
- enum SandboxLevel {
- LockDown,
- Restricted
- };
- bool SetSecurityLevelForGMPlugin(SandboxLevel aLevel);
-
- // File system permissions
- bool AllowReadFile(wchar_t const *file);
- bool AllowReadWriteFile(wchar_t const *file);
- bool AllowDirectory(wchar_t const *dir);
-
- // Exposes AddTargetPeer from broker services, so that none sandboxed
- // processes can be added as handle duplication targets.
- bool AddTargetPeer(HANDLE aPeerProcess);
-
- // Set up dummy interceptions via the broker, so we can log calls.
- void ApplyLoggingPolicy();
-
-private:
- static sandbox::BrokerServices *sBrokerService;
- sandbox::TargetPolicy *mPolicy;
-};
-
-} // mozilla
-
-#endif
diff --git a/security/sandbox/win/src/sandboxtarget/moz.build b/security/sandbox/win/src/sandboxtarget/moz.build
deleted file mode 100644
index 7315a34ed..000000000
--- a/security/sandbox/win/src/sandboxtarget/moz.build
+++ /dev/null
@@ -1,20 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-EXPORTS.mozilla += [
- 'sandboxTarget.h',
-]
-
-SOURCES += [
- 'sandboxTarget.cpp',
-]
-
-LOCAL_INCLUDES += [
- '/security/sandbox/chromium',
- '/security/sandbox/chromium-shim',
-]
-
-FINAL_LIBRARY = 'xul'
diff --git a/security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp b/security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp
deleted file mode 100644
index a989b3625..000000000
--- a/security/sandbox/win/src/sandboxtarget/sandboxTarget.cpp
+++ /dev/null
@@ -1,21 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#define TARGET_SANDBOX_EXPORTS
-#include "sandboxTarget.h"
-
-namespace mozilla {
-
-// We need to define this function out of line so that clang-cl doesn't inline
-// it.
-/* static */ SandboxTarget*
-SandboxTarget::Instance()
-{
- static SandboxTarget sb;
- return &sb;
-}
-
-}
diff --git a/security/sandbox/win/src/sandboxtarget/sandboxTarget.h b/security/sandbox/win/src/sandboxtarget/sandboxTarget.h
deleted file mode 100644
index f46a2ce70..000000000
--- a/security/sandbox/win/src/sandboxtarget/sandboxTarget.h
+++ /dev/null
@@ -1,83 +0,0 @@
-/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
-/* vim: set ts=8 sts=2 et sw=2 tw=80: */
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-
-#ifndef __SECURITY_SANDBOX_SANDBOXTARGET_H__
-#define __SECURITY_SANDBOX_SANDBOXTARGET_H__
-
-#include <windows.h>
-
-#include "mozilla/Assertions.h"
-#include "base/MissingBasicTypes.h"
-#include "sandbox/win/src/sandbox.h"
-
-namespace mozilla {
-
-class SandboxTarget
-{
-public:
- /**
- * Obtains a pointer to the singleton instance
- */
- static SandboxTarget* Instance();
-
- /**
- * Used by the application to pass in the target services that provide certain
- * functions to the sandboxed code.
- * The target services must already be initialized.
- *
- * @param aTargetServices The target services that will be used
- */
- void SetTargetServices(sandbox::TargetServices* aTargetServices)
- {
- MOZ_ASSERT(aTargetServices);
- MOZ_ASSERT(!mTargetServices,
- "Sandbox TargetServices must only be set once.");
-
- mTargetServices = aTargetServices;
- }
-
- /**
- * Called by the library that wants to "start" the sandbox, i.e. change to the
- * more secure delayed / lockdown policy.
- */
- void StartSandbox()
- {
- if (mTargetServices) {
- mTargetServices->LowerToken();
- }
- }
-
- /**
- * Used to duplicate handles via the broker process. The permission for the
- * handle type and target process has to have been set on the sandbox policy.
- */
- bool BrokerDuplicateHandle(HANDLE aSourceHandle, DWORD aTargetProcessId,
- HANDLE* aTargetHandle, DWORD aDesiredAccess,
- DWORD aOptions)
- {
- if (!mTargetServices) {
- return false;
- }
-
- sandbox::ResultCode result =
- mTargetServices->DuplicateHandle(aSourceHandle, aTargetProcessId,
- aTargetHandle, aDesiredAccess, aOptions);
- return (sandbox::SBOX_ALL_OK == result);
- }
-
-protected:
- SandboxTarget() :
- mTargetServices(nullptr)
- {
- }
-
- sandbox::TargetServices* mTargetServices;
-};
-
-
-} // mozilla
-
-#endif
diff --git a/security/sandbox/win/wow_helper/Makefile.in b/security/sandbox/win/wow_helper/Makefile.in
deleted file mode 100644
index aee81f3fe..000000000
--- a/security/sandbox/win/wow_helper/Makefile.in
+++ /dev/null
@@ -1,47 +0,0 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-# We need to build a 64-bits binary during a 32-bits build. This requires
-# a different compiler and different library paths. Until the build system
-# supports this natively.
-
-# Some Make magic to avoid CXX and LIB being evaluated when nothing
-# is built in this directory
-lazy = $(if $(___$(1)),,$(eval ___$(1) := $(2)))$(___$(1))
-
-# We could use the `which` python module, but it needs more code to handle
-# the situation where CXX points to an absolute path. But using the shell
-# which returns a msys path, while we need a windows path. So force msys
-# to do the conversion for us by calling python with an environment variable
-# with the result of the call to `which`. Then munge that path to add the
-# x64 cross-compiler path.
-ifdef MOZ_USING_COMPILER_WRAPPER
-ORIG_CXX := cl
-else
-ORIG_CXX := $(CXX)
-endif
-CXX = $(call lazy,CXX,"$$(subst amd64_x86/x86_amd64/,amd64/,$$(shell CL=`which "$(ORIG_CXX)"` $(PYTHON) -c 'import os; print os.path.dirname(os.environ["CL"])')/x86_amd64/cl.exe)")
-
-MOZ_WINCONSOLE = 0
-
-include $(topsrcdir)/config/config.mk
-
-# Munge the LIB variable to contain paths to the x64 CRT and system libraries.
-# Unconveniently, none of the paths have the same convention, including the
-# compiler path above.
-LIB = $(call lazy,LIB,$$(shell python -c 'import os; print ";".join(s.lower().replace(os.sep, "/").replace("/vc/lib", "/vc/lib/amd64").replace("/um/x86", "/um/x64").replace("/ucrt/x86", "/ucrt/x64") for s in os.environ["LIB"].split(";"))'))
-
-CXXFLAGS := $(filter-out -arch:%,$(CXXFLAGS))
-
-# OS_COMPILE_CXXFLAGS includes mozilla-config.h, which contains x86-specific
-# defines breaking the build.
-OS_COMPILE_CXXFLAGS :=
-
-# LNK1246: '/SAFESEH' not compatible with 'x64' target machine
-LDFLAGS := $(filter-out -SAFESEH,$(LDFLAGS))
-
-# When targetting x64, we need to specify a subsystem of at least 5.02, because
-# the 5.01 value we inherit from the x86 parts is silently ignored, making the
-# linker default to 6.00 (Vista) as of VS2013.
-WIN32_GUI_EXE_LDFLAGS=-SUBSYSTEM:WINDOWS,5.02
diff --git a/security/sandbox/win/wow_helper/moz.build b/security/sandbox/win/wow_helper/moz.build
deleted file mode 100644
index d9c307def..000000000
--- a/security/sandbox/win/wow_helper/moz.build
+++ /dev/null
@@ -1,30 +0,0 @@
-# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
-# vim: set filetype=python:
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-Program('wow_helper')
-
-SOURCES += [ '../../chromium/sandbox/win/wow_helper/' + f for f in (
- 'service64_resolver.cc',
- 'target_code.cc',
- 'wow_helper.cc',
-)]
-
-LOCAL_INCLUDES += [
- '../../',
- '../../../',
- '../../chromium/',
-]
-
-DISABLE_STL_WRAPPING = True
-
-DEFINES['UNICODE'] = True
-
-USE_STATIC_LIBS = True
-
-# The rules in Makefile.in only force the use of the 64-bits compiler, not
-# the 64-bits linker, and the 32-bits linker can't do 64-bits compilation for
-# PGO, so disable PGO, which is not interesting for this small binary anyways.
-NO_PGO = True