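package container

/*
#include <linux/landlock.h>
// NOTE(review): both header names were stripped from this listing.
// <linux/landlock.h> is restored because it declares the identifiers used
// below; the second header is unknown here and must be restored from the
// upstream file.
*/
import "C"

import (
	"syscall"
	"unsafe"

	"hakurei.app/container/seccomp"
)

const (
	// LANDLOCK_CREATE_RULESET_VERSION is the landlock_create_ruleset flag that
	// makes the call report the supported Landlock ABI version instead of
	// creating a ruleset.
	LANDLOCK_CREATE_RULESET_VERSION = C.LANDLOCK_CREATE_RULESET_VERSION

	// LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET and LANDLOCK_SCOPE_SIGNAL are bits for
	// the scoped field of RulesetAttr. Scoping was added in Landlock ABI 6, so
	// callers should compare LandlockGetABI against that before relying on
	// them; an older kernel is expected to reject the ruleset rather than
	// silently ignore the bits.
	LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET = C.LANDLOCK_SCOPE_ABSTRACT_UNIX_SOCKET
	LANDLOCK_SCOPE_SIGNAL               = C.LANDLOCK_SCOPE_SIGNAL
)

// RulesetAttr aliases the kernel's struct landlock_ruleset_attr as seen by cgo.
type RulesetAttr = C.struct_landlock_ruleset_attr

// NewRulesetAttr returns a RulesetAttr with only the scoped field set; every
// other field is left at its zero value.
func NewRulesetAttr(scoped int) RulesetAttr {
	return RulesetAttr{scoped: C.__u64(scoped)}
}

/* TODO: remove everything above this */

// LandlockCreateRuleset invokes landlock_create_ruleset(2).
//
// With a non-nil rulesetAttr the result is a ruleset file descriptor, which
// the caller owns and should close once it is no longer needed. With a nil
// rulesetAttr (used together with LANDLOCK_CREATE_RULESET_VERSION) the result
// is a plain integer, not a descriptor, and must not be closed.
//
// On failure the returned fd is negative and err carries the errno.
func LandlockCreateRuleset(rulesetAttr *RulesetAttr, flags uintptr) (fd int, err error) {
	var (
		r     uintptr
		errno syscall.Errno
	)

	// The unsafe.Pointer to uintptr conversion must sit inside the Syscall
	// argument list: the unsafe rules only guarantee the referenced object
	// stays valid for the call when the conversion appears there. Holding the
	// uintptr in a local first leaves the kernel reading an address the
	// runtime no longer tracks.
	if rulesetAttr == nil {
		// NULL attr and zero size are required for the ABI version query.
		r, _, errno = syscall.Syscall(seccomp.SYS_LANDLOCK_CREATE_RULESET, 0, 0, flags)
	} else {
		r, _, errno = syscall.Syscall(seccomp.SYS_LANDLOCK_CREATE_RULESET,
			uintptr(unsafe.Pointer(rulesetAttr)), unsafe.Sizeof(*rulesetAttr), flags)
	}

	fd = int(r)
	if fd < 0 {
		return fd, errno
	}

	if rulesetAttr != nil {
		// Only a real descriptor gets the flag; the version query returns a
		// number. NOTE(review): the kernel is documented to create the ruleset
		// fd close-on-exec already, so this looks like defence in depth;
		// confirm before removing.
		syscall.CloseOnExec(fd)
	}
	return fd, nil
}

// LandlockGetABI reports the Landlock ABI version supported by the running
// kernel. An error here (for example when Landlock is unavailable) means no
// Landlock restriction can be applied, and callers that depend on the sandbox
// should treat that as a failure rather than continue unconfined.
func LandlockGetABI() (int, error) {
	return LandlockCreateRuleset(nil, LANDLOCK_CREATE_RULESET_VERSION)
}

// LandlockRestrictSelf invokes landlock_restrict_self(2) with the given
// ruleset descriptor and flags, returning the errno on failure.
//
// The kernel refuses the call unless the caller has set no_new_privs or holds
// CAP_SYS_ADMIN in its user namespace. The restriction is enforced on the
// calling thread, so in a Go program the caller must make sure this runs on
// the thread that goes on to do the confined work (for example by locking the
// goroutine to its OS thread); this function does not do that itself.
func LandlockRestrictSelf(rulesetFd int, flags uintptr) error {
	r, _, errno := syscall.Syscall(seccomp.SYS_LANDLOCK_RESTRICT_SELF, uintptr(rulesetFd), flags, 0)
	if r != 0 {
		return errno
	}
	return nil
}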