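// SPDX-License-Identifier: GPL-2.0-or-later

/* PASST - Plug A Simple Socket Transport
 *  for qemu/UNIX domain socket mode
 *
 * PASTA - Pack A Subtle Tap Abstraction
 *  for network namespace/tap device mode
 *
 * passt-repair.c - Privileged helper to set/clear TCP_REPAIR on sockets
 *
 * Copyright (c) 2025 Red Hat GmbH
 * Author: Stefano Brivio
 *
 * Connect to passt via UNIX domain socket, receive sockets via SCM_RIGHTS along
 * with byte commands mapping to TCP_REPAIR values, and switch repair mode on or
 * off. Reply with the number of sockets handled, as a single byte. Exit on EOF.
 */

/* NOTE(review): the header names after each #include were lost when this
 * listing was extracted. The list below is reconstructed from the symbols the
 * file uses; confirm it against the original source before relying on it.
 */
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/un.h>
#include <assert.h>
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#include <netinet/tcp.h>

#include <linux/filter.h>
#include <linux/seccomp.h>

#include "seccomp_repair.h"

#define SCM_MAX_FD 253 /* From Linux kernel (include/net/scm.h), not in UAPI */

/* The reply is one byte holding the count of sockets handled in a batch */
static_assert(SCM_MAX_FD < UCHAR_MAX, "Batch sizes must fit in 8 bits");

/* Print a formatted message and a newline to stderr, then _exit(status) */
#define die(status, ...)						\
	do {								\
		fprintf(stderr, __VA_ARGS__);				\
		fprintf(stderr, "\n");					\
		_exit(status);						\
	} while (0)

/* Like die(), but append the numeric errno and always _exit(1). errno is
 * saved first because the fprintf() calls may overwrite it.
 */
#define die_errno(...)							\
	do {								\
		int err_ = errno;					\
		fprintf(stderr, __VA_ARGS__);				\
		fprintf(stderr, ": %d\n", err_);			\
		_exit(1);						\
	} while (0)

/**
 * main() - Entry point and whole program with loop
 * @argc:	Argument count, must be 2
 * @argv:	Argument: path of UNIX domain socket to connect to
 *
 * Return: 0 on success (EOF), 1 on error, 2 on usage error
 *
 * Everything received from the peer is validated before use: the ancillary
 * data must be a complete (not truncated) SOL_SOCKET/SCM_RIGHTS message whose
 * payload is a whole number of descriptors fitting in the local array, and the
 * command byte must be one of the three TCP_REPAIR values.
 *
 * #syscalls:repair connect setsockopt write close exit_group
 * #syscalls:repair socket s390x:socketcall i686:socketcall
 * #syscalls:repair recvfrom recvmsg arm:recv ppc64le:recv
 * #syscalls:repair sendto sendmsg arm:send ppc64le:send
 */
int main(int argc, char **argv)
{
	char buf[CMSG_SPACE(sizeof(int) * SCM_MAX_FD)]
	     __attribute__ ((aligned(__alignof__(struct cmsghdr))));
	struct sockaddr_un a = { AF_UNIX, "" };
	int fds[SCM_MAX_FD], s, ret, i, n = 0;
	struct sock_fprog prog;
	int8_t cmd = INT8_MAX;
	struct cmsghdr *cmsg;
	struct msghdr msg;
	struct iovec iov;
	uint8_t reply;
	size_t fdlen;
	int op;

	/* Best effort, return value deliberately not checked: keep this
	 * process from dumping core.
	 */
	prctl(PR_SET_DUMPABLE, 0);

	/* Divide first, then narrow: the cast used to bind to sizeof() alone,
	 * truncating the byte size instead of the instruction count.
	 */
	prog.len = (unsigned short)(sizeof(filter_repair) /
				    sizeof(filter_repair[0]));
	prog.filter = filter_repair;

	/* Lock down syscalls before touching any input, including argv */
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
	    prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
		die_errno("Failed to apply seccomp filter");

	/* One command byte per message, descriptors come as ancillary data */
	iov = (struct iovec){ &cmd, sizeof(cmd) };
	msg = (struct msghdr){ .msg_name = NULL, .msg_namelen = 0,
			       .msg_iov = &iov, .msg_iovlen = 1,
			       .msg_control = buf,
			       .msg_controllen = sizeof(buf),
			       .msg_flags = 0 };

	if (argc != 2)
		die(2, "Usage: %s PATH", argv[0]);

	/* Reject empty paths and paths that don't fit in sun_path */
	ret = snprintf(a.sun_path, sizeof(a.sun_path), "%s", argv[1]);
	if (ret <= 0 || ret >= (int)sizeof(a.sun_path))
		die(2, "Invalid socket path: %s", argv[1]);

	if ((s = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
		die_errno("Failed to create AF_UNIX socket");

	if (connect(s, (struct sockaddr *)&a, sizeof(a)))
		die_errno("Failed to connect to %s", argv[1]);

	for (;;) {
		/* recvmsg() overwrites msg_controllen with the length actually
		 * received and sets msg_flags: re-arm both on every pass, or a
		 * small batch would shrink the buffer for all following ones.
		 */
		msg.msg_control = buf;
		msg.msg_controllen = sizeof(buf);
		msg.msg_flags = 0;

		ret = recvmsg(s, &msg, 0);
		if (ret < 0) {
			if (errno == ECONNRESET)
				ret = 0;
			else
				die_errno("Failed to read message");
		}

		if (!ret)	/* Done */
			_exit(0);

		/* Descriptors that didn't fit were dropped: don't report a
		 * partial batch as if it were the whole one.
		 */
		if (msg.msg_flags & MSG_CTRUNC)
			die(1, "Truncated ancillary data from peer");

		/* Look up the header only now, against the length the kernel
		 * just reported: computed before the call, it always pointed
		 * into buf, so a message carrying no ancillary data would have
		 * been parsed from stale or uninitialised bytes.
		 */
		cmsg = CMSG_FIRSTHDR(&msg);
		if (!cmsg ||
		    cmsg->cmsg_level != SOL_SOCKET ||
		    cmsg->cmsg_type != SCM_RIGHTS ||
		    cmsg->cmsg_len < CMSG_LEN(0))
			die(1, "No/bad ancillary data from peer");

		/* Payload size in bytes. The lower bound on cmsg_len above
		 * keeps this subtraction from wrapping, the checks below keep
		 * memcpy() within fds.
		 */
		fdlen = ((char *)cmsg + cmsg->cmsg_len) -
			(char *)CMSG_DATA(cmsg);
		if (fdlen % sizeof(int) != 0 || fdlen > sizeof(fds))
			die(1,
			    "Invalid SCM_RIGHTS payload length %zu from peer",
			    fdlen);

		n = fdlen / sizeof(int);
		memcpy(fds, CMSG_DATA(cmsg), fdlen);

		/* Only pass known values on to the kernel */
		if (cmd != TCP_REPAIR_ON && cmd != TCP_REPAIR_OFF &&
		    cmd != TCP_REPAIR_OFF_NO_WP)
			die(1, "Unsupported command 0x%04x", cmd);

		/* setsockopt() takes an int, the wire format is one byte */
		op = cmd;

		/* Stop at the first failure: i is the count of successes */
		for (i = 0; i < n; i++) {
			if (setsockopt(fds[i], SOL_TCP, TCP_REPAIR,
				       &op, sizeof(op))) {
				fprintf(stderr,
					"Setting TCP_REPAIR to %i on socket %i: %d\n",
					op, fds[i], errno);
				break;
			}
		}
		if (i < n)
			fprintf(stderr, "Failed to handle %d/%d sockets\n",
				n - i, n);

		/* Fits in a byte: n <= SCM_MAX_FD < UCHAR_MAX */
		reply = (uint8_t)i;

		/* Close all of _our_ copies, even if we failed to setsockopt()
		 * on some of them.
		 */
		for (i = 0; i < n; i++) {
			if (close(fds[i]))
				/* This is unlikely, but would be painful to
				 * debug if it ever did happen and we didn't
				 * report it.
				 */
				die_errno("Couldn't close socket %i", fds[i]);
		}

		/* Confirm by sending back the number of fds successfully
		 * handled.
		 */
		if (send(s, &reply, sizeof(reply), 0) < 0)
			die_errno("Reply to %i", op);
	}
}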