util.h

/* util.h
 * Copyright 2012 The ChromiumOS Authors
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
 * Logging and other utility functions.
 */

#ifndef _UTIL_H_
#define _UTIL_H_

#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>

#include "libsyscalls.h"

#ifdef __cplusplus
extern "C" {
#endif

/*
 * Silence compiler warnings for unused variables/functions.
 *
 * If the definition is actually used, the attribute should be removed, but if
 * it's forgotten or left in place, it doesn't cause a problem.
 *
 * If the definition is actually unused, the compiler is free to remove it from
 * the output so as to save size.  If you want to make sure the definition is
 * kept (e.g. for ABI compatibility), look at the "used" attribute instead.
 */
#define attribute_unused __attribute__((__unused__))

/*
 * Mark the symbol as "weak" in the ELF output.  This provides a fallback symbol
 * that may be overriden at link time.  See this page for more details:
 * https://en.wikipedia.org/wiki/Weak_symbol
 */
#define attribute_weak __attribute__((__weak__))

/*
 * Mark the function as a printf-style function.
 * @format_idx The index in the function argument list where the format string
 *             is passed (where the first argument is "1").
 * @check_idx The index in the function argument list where the first argument
 *            used in the format string is passed.
 * Some examples:
 *   foo([1] const char *format, [2] ...): format=1 check=2
 *   foo([1] int, [2] const char *format, [3] ...): format=2 check=3
 *   foo([1] const char *format, [2] const char *, [3] ...): format=1 check=3
 */
#define attribute_printf(format_idx, check_idx) \
	__attribute__((__format__(__printf__, format_idx, check_idx)))

#ifndef __cplusplus
/* If writing C++, use std::unique_ptr with a destructor instead. */

/*
 * Mark a local variable for automatic cleanup when exiting its scope.
 * See attribute_cleanup_fp as an example below.
 * Make sure any variable using this is always initialized to something.
 * @func The function to call on (a pointer to) the variable.
 */
#define attribute_cleanup(func) \
	__attribute__((__cleanup__(func)))

/*
 * Automatically close a FILE* when exiting its scope.
 * Make sure the pointer is always initialized.
 * Some examples:
 *   attribute_cleanup_fp FILE *fp = fopen(...);
 *   attribute_cleanup_fp FILE *fp = NULL;
 *   ...
 *   fp = fopen(...);
 *
 * NB: This will automatically close the underlying fd, so do not use this
 * with fdopen calls if the fd should be left open.
 */
#define attribute_cleanup_fp attribute_cleanup(_cleanup_fp)
static inline void _cleanup_fp(FILE **fp)
{
	if (*fp)
		fclose(*fp);
}

/*
 * Automatically close a fd when exiting its scope.
 * Make sure the fd is always initialized.
 * Some examples:
 *   attribute_cleanup_fd int fd = open(...);
 *   attribute_cleanup_fd int fd = -1;
 *   ...
 *   fd = open(...);
 *
 * NB: Be careful when using this with attribute_cleanup_fp and fdopen.
 */
#define attribute_cleanup_fd attribute_cleanup(_cleanup_fd)
static inline void _cleanup_fd(int *fd)
{
	if (*fd >= 0)
		close(*fd);
}

/*
 * Automatically free a heap allocation when exiting its scope.
 * Make sure the pointer is always initialized.
 * Some examples:
 *   attribute_cleanup_str char *s = strdup(...);
 *   attribute_cleanup_str char *s = NULL;
 *   ...
 *   s = strdup(...);
 */
#define attribute_cleanup_str attribute_cleanup(_cleanup_str)
static inline void _cleanup_str(char **ptr)
{
	free(*ptr);
}

#endif /* __cplusplus */

/* clang-format off */
#define die(_msg, ...) \
	do_fatal_log(LOG_ERR, "libminijail[%d]: " _msg, getpid(), ## __VA_ARGS__)

#define pdie(_msg, ...) \
	die(_msg ": %m", ## __VA_ARGS__)

#define warn(_msg, ...) \
	do_log(LOG_WARNING, "libminijail[%d]: " _msg, getpid(), ## __VA_ARGS__)

#define pwarn(_msg, ...) \
	warn(_msg ": %m", ## __VA_ARGS__)

#define info(_msg, ...) \
	do_log(LOG_INFO, "libminijail[%d]: " _msg, getpid(), ## __VA_ARGS__)

#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
/* clang-format on */

extern const char *const log_syscalls[];
extern const size_t log_syscalls_len;

enum logging_system_t {
	/* Log to syslog. This is the default. */
	LOG_TO_SYSLOG = 0,

	/* Log to a file descriptor. */
	LOG_TO_FD,
};

/*
 * Even though this function internally calls abort(2)/exit(2), it is
 * intentionally not marked with the noreturn attribute. When marked as
 * noreturn, clang coalesces several of the do_fatal_log() calls in methods that
 * have a large number of such calls (like minijail_enter()), making it
 * impossible for breakpad to correctly identify the line where it was called,
 * making the backtrace somewhat useless.
 */
extern void do_fatal_log(int priority, const char *format, ...)
    attribute_printf(2, 3);

extern void do_log(int priority, const char *format, ...)
    attribute_printf(2, 3);

static inline int is_android(void)
{
#if defined(__ANDROID__)
	return 1;
#else
	return 0;
#endif
}

static inline bool compiled_with_asan(void)
{
#if defined(__SANITIZE_ADDRESS__)
	/* For gcc. */
	return true;
#elif defined(__has_feature)
	/* For clang. */
	return __has_feature(address_sanitizer) ||
	       __has_feature(hwaddress_sanitizer);
#else
	return false;
#endif
}

void __asan_init(void) attribute_weak;
void __hwasan_init(void) attribute_weak;

static inline bool running_with_asan(void)
{
	/*
	 * There are some configurations under which ASan needs a dynamic (as
	 * opposed to compile-time) test. Some Android processes that start
	 * before /data is mounted run with non-instrumented libminijail.so, so
	 * the symbol-sniffing code must be present to make the right decision.
	 */
	return compiled_with_asan() || &__asan_init != 0 || &__hwasan_init != 0;
}

static inline bool debug_logging_allowed(void)
{
#if defined(ALLOW_DEBUG_LOGGING)
	return true;
#else
	return false;
#endif
}

static inline bool seccomp_default_ret_log(void)
{
#if defined(SECCOMP_DEFAULT_RET_LOG)
	return true;
#else
	return false;
#endif
}

static inline bool block_symlinks_in_bindmount_paths(void)
{
#if defined(BLOCK_SYMLINKS_IN_BINDMOUNT_PATHS)
	return true;
#else
	return false;
#endif
}

static inline bool block_symlinks_in_noninit_mountns_tmp(void)
{
#if defined(BLOCK_SYMLINKS_IN_NONINIT_MOUNTNS_TMP)
	return true;
#else
	return false;
#endif
}

static inline size_t get_num_syscalls(void)
{
	return syscall_table_size;
}

int lookup_syscall(const char *name, size_t *ind);
const char *lookup_syscall_name(int nr);

long int parse_single_constant(char *constant_str, char **endptr);
long int parse_constant(char *constant_str, char **endptr);
int parse_size(size_t *size, const char *sizespec);

char *strip(char *s);

/*
 * streq: determine whether two strings are equal.
 */
static inline bool streq(const char *s1, const char *s2)
{
	return strcmp(s1, s2) == 0;
}

/*
 * tokenize: locate the next token in @stringp using the @delim
 * @stringp A pointer to the string to scan for tokens
 * @delim   The delimiter to split by
 *
 * Note that, unlike strtok, @delim is not a set of characters, but the full
 * delimiter.  e.g. "a,;b,;c" with a delim of ",;" will yield ["a","b","c"].
 *
 * Note that, unlike strtok, this may return an empty token.  e.g. "a,,b" with
 * strtok will yield ["a","b"], but this will yield ["a","","b"].
 */
char *tokenize(char **stringp, const char *delim);

char *path_join(const char *external_path, const char *internal_path);

/*
 * path_is_parent: checks whether @parent is a parent of @child.
 * Note: this function does not evaluate '.' or '..' nor does it resolve
 * symlinks.
 */
bool path_is_parent(const char *parent, const char *child);

/*
 * consumebytes: consumes @length bytes from a buffer @buf of length @buflength
 * @length    Number of bytes to consume
 * @buf       Buffer to consume from
 * @buflength Size of @buf
 *
 * Returns a pointer to the base of the bytes, or NULL for errors.
 */
void *consumebytes(size_t length, char **buf, size_t *buflength);

/*
 * consumestr: consumes a C string from a buffer @buf of length @length
 * @buf    Buffer to consume
 * @length Length of buffer
 *
 * Returns a pointer to the base of the string, or NULL for errors.
 */
char *consumestr(char **buf, size_t *buflength);

/*
 * init_logging: initializes the module-wide logging.
 * @logger       The logging system to use.
 * @fd           The file descriptor to log into. Ignored unless
 *               @logger = LOG_TO_FD.
 * @min_priority The minimum priority to display. Corresponds to syslog's
 *               priority parameter. Ignored unless @logger = LOG_TO_FD.
 */
void init_logging(enum logging_system_t logger, int fd, int min_priority);

/*
 * minjail_free_env: Frees an environment array plus the environment strings it
 * points to. The environment and its constituent strings must have been
 * allocated (as opposed to pointing to static data), e.g. by using
 * minijail_copy_env() and minijail_setenv().
 *
 * @env The environment to free.
 */
void minijail_free_env(char **env);

/*
 * minjail_copy_env: Copy an environment array (such as passed to execve),
 * duplicating the environment strings and the array pointing at them.
 *
 * @env The environment to copy.
 *
 * Returns a pointer to the copied environment or NULL on memory allocation
 * failure.
 */
char **minijail_copy_env(char *const *env);

/*
 * minjail_setenv: Set an environment variable in @env. Semantics match the
 * standard setenv() function, but this operates on @env, not the global
 * environment. @env must be dynamically allocated (as opposed to pointing to
 * static data), e.g. via minijail_copy_env(). @name and @value get copied into
 * newly-allocated memory.
 *
 * @env       Address of the environment to modify. Might be re-allocated to
 *            make room for the new entry.
 * @name      Name of the key to set.
 * @value     The value to set.
 * @overwrite Whether to replace the existing value for @name. If non-zero and
 *            the entry is already present, no changes will be made.
 *
 * Returns 0 and modifies *@env on success, returns an error code otherwise.
 */
int minijail_setenv(char ***env, const char *name, const char *value,
		    int overwrite);

/*
 * getmultiline: This is like getline() but supports line wrapping with \.
 *
 * @lineptr    Address of a buffer that a mutli-line is stored.
 * @n          Number of bytes stored in *lineptr.
 * @stream     Input stream to read from.
 *
 * Returns number of bytes read or -1 on failure to read (including EOF).
 */
ssize_t getmultiline(char **lineptr, size_t *n, FILE *stream);

/*
 * minjail_getenv: Get an environment variable from @envp. Semantics match the
 * standard getenv() function, but this operates on @envp, not the global
 * environment (usually referred to as `extern char **environ`).
 *
 * @env       Address of the environment to read from.
 * @name      Name of the key to get.
 *
 * Returns a pointer to the corresponding environment value. The caller must
 * take care not to modify the pointed value, as this points directly to memory
 * pointed to by @envp.
 * If the environment variable name is not found, returns NULL.
 */
char *minijail_getenv(char **env, const char *name);

/*
 * minjail_unsetenv: Clear the environment variable @name from the @envp array
 * of pointers to strings that have the KEY=VALUE format. If the operation is
 * successful, the array will contain one item less than before the call.
 * Only the first occurence is removed.
 *
 * @envp      Address of the environment to clear the variable from.
 * @name      Name of the variable to clear.
 *
 * Returns false and modifies *@envp on success, returns true otherwise.
 */
bool minijail_unsetenv(char **envp, const char *name);

#ifdef __cplusplus
}; /* extern "C" */
#endif

#endif /* _UTIL_H_ */