#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

#include <assert.h>
#include <sys/prctl.h>
#ifdef HAVE_VALGRIND
#include <valgrind.h>
#endif

#include "pseccomp.h"
#include "log.h"
#include "utils.h"

static int pseccomp_using_valgrind(void);

static const int default_allowed_syscalls[] = {
    SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
    SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
    SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
    SCMP_SYS(clock_gettime), SCMP_SYS(set_tid_address),
    SCMP_SYS(exit), SCMP_SYS(exit_group),
    SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fcntl), SCMP_SYS(writev),
    SCMP_SYS(close), SCMP_SYS(wait4),
    SCMP_SYS(sigprocmask), SCMP_SYS(tgkill),
    SCMP_SYS(clone), SCMP_SYS(execve),
    SCMP_SYS(socket), SCMP_SYS(bind), SCMP_SYS(setsockopt),
    SCMP_SYS(listen), SCMP_SYS(connect), SCMP_SYS(getsockname),
    SCMP_SYS(accept), SCMP_SYS(sendto), SCMP_SYS(recvmsg), SCMP_SYS(recvfrom),
    SCMP_SYS(epoll_create1), SCMP_SYS(epoll_ctl), SCMP_SYS(epoll_pwait),
    SCMP_SYS(poll),
    SCMP_SYS(set_robust_list), SCMP_SYS(getrlimit),
    SCMP_SYS(seccomp), SCMP_SYS(getrusage),
    SCMP_SYS(prctl), SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise),
    SCMP_SYS(mlock), SCMP_SYS(getrandom),
    SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex),
    SCMP_SYS(open), SCMP_SYS(openat),
    SCMP_SYS(unlink), SCMP_SYS(fstat), SCMP_SYS(access),
    SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd),
    SCMP_SYS(lstat), SCMP_SYS(sysinfo),
    SCMP_SYS(setuid), SCMP_SYS(setgid),
    SCMP_SYS(setreuid), SCMP_SYS(setregid),
    SCMP_SYS(getuid), SCMP_SYS(geteuid), SCMP_SYS(getgid), SCMP_SYS(getegid),
    SCMP_SYS(getgroups), SCMP_SYS(getdents),
    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
    SCMP_SYS(unshare), SCMP_SYS(chroot), SCMP_SYS(chdir), SCMP_SYS(mount),
    SCMP_SYS(umount2),
    SCMP_SYS(mknod), SCMP_SYS(mkdir), SCMP_SYS(rmdir),
    SCMP_SYS(statfs), SCMP_SYS(ioctl),
    SCMP_SYS(chown), SCMP_SYS(chmod), SCMP_SYS(setsid), SCMP_SYS(dup2),
    SCMP_SYS(sethostname), SCMP_SYS(uname), SCMP_SYS(arch_prctl)
};

static const int protocol_disabled_syscalls[] = {
    SCMP_SYS(execve), SCMP_SYS(execveat)
};

static const int jail_allowed_syscalls[] = {
    SCMP_SYS(signalfd), SCMP_SYS(signalfd4),
    SCMP_SYS(rt_sigreturn), SCMP_SYS(rt_sigprocmask),
    SCMP_SYS(rt_sigaction), SCMP_SYS(time), SCMP_SYS(nanosleep),
    SCMP_SYS(exit), SCMP_SYS(exit_group),
    SCMP_SYS(read), SCMP_SYS(write), SCMP_SYS(fcntl), SCMP_SYS(writev),
    SCMP_SYS(close), SCMP_SYS(wait4),
    SCMP_SYS(sigprocmask), SCMP_SYS(tgkill),
    SCMP_SYS(clone), SCMP_SYS(execve),
    SCMP_SYS(mmap), SCMP_SYS(brk), SCMP_SYS(madvise),
    SCMP_SYS(mprotect), SCMP_SYS(munmap), SCMP_SYS(futex),
    SCMP_SYS(open), SCMP_SYS(openat), SCMP_SYS(fstat), SCMP_SYS(access),
    SCMP_SYS(poll),
    SCMP_SYS(lseek), SCMP_SYS(stat), SCMP_SYS(readlink), SCMP_SYS(getcwd),
    SCMP_SYS(lstat), SCMP_SYS(sysinfo),
    SCMP_SYS(setuid), SCMP_SYS(setgid),
    SCMP_SYS(setreuid), SCMP_SYS(setregid),
    SCMP_SYS(getuid), SCMP_SYS(geteuid), SCMP_SYS(getgid), SCMP_SYS(getegid),
    SCMP_SYS(getgroups), SCMP_SYS(getdents),
    SCMP_SYS(getpgrp), SCMP_SYS(setpgid), SCMP_SYS(getpid), SCMP_SYS(kill),
    SCMP_SYS(chdir), SCMP_SYS(mount),
    SCMP_SYS(umount2),
    SCMP_SYS(ioctl),
    SCMP_SYS(sethostname), SCMP_SYS(uname), SCMP_SYS(arch_prctl)
};


static int pseccomp_using_valgrind(void)
{
#ifdef HAVE_VALGRIND
    if (RUNNING_ON_VALGRIND) {
        W("%s", "SECCOMP: running on valgrind, disabled");
        return 1;
    }
#endif
    return 0;
}

int pseccomp_init(pseccomp_ctx **ctx, unsigned int defact_allow)
{
    assert(ctx);

    if (!*ctx)
        *ctx = (pseccomp_ctx *) malloc(sizeof(**ctx));
    assert(*ctx);

    memset(*ctx, 0, sizeof(**ctx));
    (*ctx)->sfilter = seccomp_init(
        (defact_allow ? SCMP_ACT_ALLOW : SCMP_ACT_ERRNO(EINVAL))
    );

    return 0;
}

void pseccomp_free(pseccomp_ctx **ctx)
{
    assert(ctx && *ctx);

    seccomp_release((*ctx)->sfilter);
    free(*ctx);
    (*ctx) = NULL;
}

int pseccomp_set_immutable(void)
{
    if (prctl(PR_SET_DUMPABLE, 0) &&
        prctl(PR_SET_NO_NEW_PRIVS, 1))
    {
        FATAL("%s", "PR_SET_NO_NEW_PRIVS, PR_SET_DUMPABLE");
    }

    return 0;
}

int pseccomp_default_rules(pseccomp_ctx *ctx)
{
    size_t i;

    if (pseccomp_using_valgrind())
        return 0;

    for (i = 0; i < SIZEOF(default_allowed_syscalls); ++i)
        seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
            default_allowed_syscalls[i], 0);

    return seccomp_load(ctx->sfilter);
}

int pseccomp_protocol_rules(pseccomp_ctx *ctx)
{
    size_t i;

    if (pseccomp_using_valgrind())
        return 0;

    for (i = 0; i < SIZEOF(protocol_disabled_syscalls); ++i)
        seccomp_rule_add(ctx->sfilter, SCMP_ACT_ERRNO(EINVAL),
            protocol_disabled_syscalls[i], 0);

    return seccomp_load(ctx->sfilter);
}

int pseccomp_jail_rules(pseccomp_ctx *ctx)
{
    size_t i;

    if (pseccomp_using_valgrind())
        return 0;

    for (i = 0; i < SIZEOF(jail_allowed_syscalls); ++i)
        seccomp_rule_add(ctx->sfilter, SCMP_ACT_ALLOW,
            jail_allowed_syscalls[i], 0);

    return seccomp_load(ctx->sfilter);
}