1 /*
2                                     __
3                                    / _|
4   __ _ _   _ _ __ ___  _ __ __ _  | |_ ___  ___ ___
5  / _` | | | | '__/ _ \| '__/ _` | |  _/ _ \/ __/ __|
6 | (_| | |_| | | | (_) | | | (_| | | || (_) \__ \__ \
7  \__,_|\__,_|_|  \___/|_|  \__,_| |_| \___/|___/___/
8 
9 Copyright (C) 2018 The Android Open Source Project.
10 Copyright (C) 2018-2019 Aurora Free Open Source Software.
11 
12 This file is part of the Aurora Free Open Source Software. This
13 organization promote free and open source software that you can
14 redistribute and/or modify under the terms of the GNU Lesser General
15 Public License Version 3 as published by the Free Software Foundation or
16 (at your option) any later version approved by the Aurora Free Open Source
17 Software Organization. The license is available in the package root path
18 as 'LICENSE' file. Please review the following information to ensure the
19 GNU Lesser General Public License version 3 requirements will be met:
20 https://www.gnu.org/licenses/lgpl.html .
21 
22 Alternatively, this file may be used under the terms of the GNU General
23 Public License version 3 or later as published by the Free Software
24 Foundation. Please review the following information to ensure the GNU
25 General Public License requirements will be met:
26 https://www.gnu.org/licenses/gpl-3.0.html.
27 
28 NOTE: All products, services or anything associated to trademarks and
29 service marks used or referenced on this file are the property of their
30 respective companies/owners or its subsidiaries. Other names and brands
31 may be claimed as the property of others.
32 
33 For more info about intellectual property visit: aurorafoss.org or
34 directly send an email to: contact (at) aurorafoss.org .
35 
36 This file has bindings for an existing code, part of The Android Open Source
37 Project implementation. Check it out at android.googlesource.com .
38 */
39 
40 module aurorafw.android.platform.fdsan;
41 
42 version (Android):
43 extern (C):
44 @system:
45 nothrow:
46 @nogc:
47 
48 /*
49  * Error checking for close(2).
50  *
51  * Mishandling of file descriptor ownership is a common source of errors that
52  * can be extremely difficult to diagnose. Mistakes like the following can
53  * result in seemingly 'impossible' failures showing up on other threads that
54  * happened to try to open a file descriptor between the buggy code's close and
55  * fclose:
56  *
57  *     int print(int fd) {
58  *         int rc;
59  *         char buf[128];
60  *         while ((rc = read(fd, buf, sizeof(buf))) > 0) {
61  *             printf("%.*s", rc);
62  *         }
63  *         close(fd);
64  *     }
65  *
66  *     int bug() {
67  *         FILE* f = fopen("foo", "r");
68  *         print(fileno(f));
69  *         fclose(f);
70  *     }
71  *
72  * To make it easier to find this class of bugs, bionic provides a method to
73  * require that file descriptors are closed by their owners. File descriptors
74  * can be associated with tags with which they must be closed. This allows
75  * objects that conceptually own an fd (FILE*, unique_fd, etc.) to use their
76  * own address at the tag, to enforce that closure of the fd must come as a
77  * result of their own destruction (fclose, ~unique_fd, etc.)
78  *
79  * By default, a file descriptor's tag is 0, and close(fd) is equivalent to
80  * closing fd with the tag 0.
81  */
82 
83 /*
84  * For improved diagnostics, the type of a file descriptors owner can be
85  * encoded in the most significant byte of the owner tag. Values of 0 and 0xff
86  * are ignored, which allows for raw pointers to be used as owner tags without
87  * modification.
88  */
89 enum android_fdsan_owner_type
90 {
91     /*
92      * Generic Java or native owners.
93      *
94      * Generic Java objects always use 255 as their type, using identityHashCode
95      * as the value of the tag, leaving bits 33-56 unset. Native pointers are sign
96      * extended from 48-bits of virtual address space, and so can have the MSB
97      * set to 255 as well. Use the value of bits 49-56 to distinguish between
98      * these cases.
99      */
100     ANDROID_FDSAN_OWNER_TYPE_GENERIC_00 = 0,
101     ANDROID_FDSAN_OWNER_TYPE_GENERIC_FF = 255,
102 
103     /* FILE* */
104     ANDROID_FDSAN_OWNER_TYPE_FILE = 1,
105 
106     /* DIR* */
107     ANDROID_FDSAN_OWNER_TYPE_DIR = 2,
108 
109     /* android::base::unique_fd */
110     ANDROID_FDSAN_OWNER_TYPE_UNIQUE_FD = 3,
111 
112     /* java.io.FileInputStream */
113     ANDROID_FDSAN_OWNER_TYPE_FILEINPUTSTREAM = 251,
114 
115     /* java.io.FileOutputStream */
116     ANDROID_FDSAN_OWNER_TYPE_FILEOUTPUTSTREAM = 252,
117 
118     /* java.io.RandomAccessFile */
119     ANDROID_FDSAN_OWNER_TYPE_RANDOMACCESSFILE = 253,
120 
121     /* android.os.ParcelFileDescriptor */
122     ANDROID_FDSAN_OWNER_TYPE_PARCELFILEDESCRIPTOR = 254
123 }
124 
125 /*
126  * Create an owner tag with the specified type and least significant 56 bits of tag.
127  */
128 
129 ulong android_fdsan_create_owner_tag (android_fdsan_owner_type type, ulong tag);
130 
131 /*
132  * Exchange a file descriptor's tag.
133  *
134  * Logs and aborts if the fd's tag does not match expected_tag.
135  */
136 void android_fdsan_exchange_owner_tag (int fd, ulong expected_tag, ulong new_tag);
137 
138 /*
139  * Close a file descriptor with a tag, and resets the tag to 0.
140  *
141  * Logs and aborts if the tag is incorrect.
142  */
143 int android_fdsan_close_with_tag (int fd, ulong tag);
144 /* __ANDROID_API__ >= __ANDROID_API_FUTURE__ */
145 
146 enum android_fdsan_error_level
147 {
148     // No errors.
149     ANDROID_FDSAN_ERROR_LEVEL_DISABLED = 0,
150 
151     // Warn once(ish) on error, and then downgrade to ANDROID_FDSAN_ERROR_LEVEL_DISABLED.
152     ANDROID_FDSAN_ERROR_LEVEL_WARN_ONCE = 1,
153 
154     // Warn always on error.
155     ANDROID_FDSAN_ERROR_LEVEL_WARN_ALWAYS = 2,
156 
157     // Abort on error.
158     ANDROID_FDSAN_ERROR_LEVEL_FATAL = 3
159 }
160 
161 /*
162  * Get the error level.
163  */
164 
165 android_fdsan_error_level android_fdsan_get_error_level ();
166 
167 /*
168  * Set the error level and return the previous state.
169  *
170  * Error checking is automatically disabled in the child of a fork, to maintain
171  * compatibility with code that forks, blindly closes FDs, and then execs.
172  *
173  * In cases such as the zygote, where the child has no intention of calling
174  * exec, call this function to reenable fdsan checks.
175  *
176  * This function is not thread-safe and does not synchronize with checks of the
177  * value, and so should probably only be called in single-threaded contexts
178  * (e.g. postfork).
179  */
180 android_fdsan_error_level android_fdsan_set_error_level (android_fdsan_error_level new_level);
181 /* __ANDROID_API__ >= __ANDROID_API_FUTURE__ */
182