armybox 0.3.0

A memory-safe #[no_std] BusyBox/Toybox clone in Rust - 299 Unix utilities in ~500KB
//! Low-level I/O primitives using libc
//!
//! This module provides basic I/O operations without std dependency.
//!
//! # Safety Architecture
//!
//! This module wraps unsafe libc functions to provide a safer Rust interface.
//! The general safety principles followed are:
//!
//! 1. **Path handling**: All path arguments are `&[u8]` and are copied into
//!    a null-terminated buffer before being passed to libc. Paths that leave
//!    no room for the terminator (`PATH_MAX` = 4096 bytes or longer) are
//!    rejected with an error return.
//!
//! 2. **Buffer management**: Functions that fill buffers (like `read`, `getcwd`)
//!    take mutable slices and respect their bounds.
//!
//! 3. **Pointer validity**: Functions returning pointers (`getenv`, `ttyname`)
//!    return `Option` types and document lifetime constraints.
//!
//! 4. **Error handling**: System call errors are propagated as negative return
//!    values or `None`, matching POSIX conventions.
//!
//! # Thread Safety
//!
//! Most functions in this module are thread-safe as they wrap thread-safe
//! POSIX functions. Exceptions are documented on the individual functions.
//! Notable non-thread-safe operations include:
//! - `getenv()` - returned data can be invalidated by concurrent `setenv()`
//! - Functions using `readdir()` on the same `DIR*` from multiple threads

#[cfg(feature = "alloc")]
use alloc::vec::Vec;

use core::ptr;

/// Portable ioctl request type.
///
/// musl libc declares `ioctl(fd, request: c_int, ...)` while glibc declares
/// `ioctl(fd, request: c_ulong, ...)`. Typing ioctl request constants as
/// `IoctlReq` lets them compile on both targets.
///
/// This is the musl definition (`c_int`).
#[cfg(target_env = "musl")]
pub type IoctlReq = libc::c_int;
/// Portable ioctl request type: `c_ulong` on every non-musl target (glibc
/// among them); the musl build uses `c_int` instead.
#[cfg(not(target_env = "musl"))]
pub type IoctlReq = libc::c_ulong;

/// Largest path, terminator included, that the helpers in this module accept
/// (the value of PATH_MAX on Linux).
pub const PATH_MAX: usize = 4096;

/// Copy `path` into `buf` and append a NUL terminator.
///
/// Returns `true` when the path and its terminator fit, `false` (leaving
/// `buf` untouched) when `path` is `PATH_MAX` bytes or longer.
///
/// Bytes of `buf` after the terminator are not cleared. An interior NUL in
/// `path` is copied as-is, so C code reading the buffer sees only the part
/// before it; callers that validate the whole slice should reject NUL bytes
/// first.
#[inline]
pub fn path_to_cstr(path: &[u8], buf: &mut [u8; PATH_MAX]) -> bool {
    let n = path.len();
    // One byte must stay free for the terminator.
    if n < PATH_MAX {
        let (head, tail) = buf.split_at_mut(n);
        head.copy_from_slice(path);
        tail[0] = 0;
        true
    } else {
        false
    }
}

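/// Write the whole of `buf` to `fd`, retrying after short writes.
///
/// # Returns
/// The number of bytes written (`buf.len()` on full success), or the negative
/// value returned by `write(2)` as soon as a call fails; bytes written before
/// the failure are not reported in that case. If `write(2)` reports zero
/// bytes written, the loop stops and the short count is returned instead of
/// retrying forever.
///
/// Every negative return is treated as final, so an interrupted call (EINTR)
/// is reported as an error rather than retried.
pub fn write_all(fd: i32, buf: &[u8]) -> isize {
    let mut written = 0;
    while written < buf.len() {
        let rest = &buf[written..];
        // SAFETY: `rest` is a live slice, so its pointer is valid for reads
        // of `rest.len()` bytes for the duration of the call.
        let ret = unsafe { libc::write(fd, rest.as_ptr().cast::<libc::c_void>(), rest.len()) };
        if ret < 0 {
            return ret;
        }
        if ret == 0 {
            // No progress was made; looping again would spin without bound.
            break;
        }
        written += ret as usize;
    }
    written as isize
}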

/// Alias of [`write_all`]: writes every byte of `buf` to `fd`.
///
/// Returns whatever `write_all` returns (byte count, or a negative value on
/// failure).
pub fn write_all_fd(fd: i32, buf: &[u8]) -> isize {
    let outcome = write_all(fd, buf);
    outcome
}

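/// Write as much of `buf` to `fd` as possible and report the byte count.
///
/// Unlike [`write_all`], a failing `write(2)` does not produce a negative
/// return: the loop stops and the number of bytes written so far is returned.
/// A result smaller than `buf.len()` therefore means the write was cut short.
/// A `write(2)` call that reports zero bytes also stops the loop, so the
/// function cannot spin forever on a descriptor that makes no progress.
pub fn write_all_count(fd: i32, buf: &[u8]) -> usize {
    let mut written = 0;
    while written < buf.len() {
        let rest = &buf[written..];
        // SAFETY: `rest` is a live slice, so its pointer is valid for reads
        // of `rest.len()` bytes for the duration of the call.
        let ret = unsafe { libc::write(fd, rest.as_ptr().cast::<libc::c_void>(), rest.len()) };
        // Error (< 0) or no progress (== 0): give up and report what we have.
        if ret <= 0 {
            break;
        }
        written += ret as usize;
    }
    written
}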

/// Write the byte string `s` to `fd`.
///
/// Thin wrapper over [`write_all`]; the return value is passed through
/// unchanged.
pub fn write_str(fd: i32, s: &[u8]) -> isize {
    let outcome = write_all(fd, s);
    outcome
}

/// Write `n` to `fd` as decimal ASCII digits, without sign or padding.
///
/// Returns the result of the underlying [`write_all`] call.
pub fn write_num(fd: i32, mut n: u64) -> isize {
    // u64::MAX has 20 decimal digits, so this buffer always suffices.
    let mut digits = [0u8; 20];
    let mut start = digits.len();

    // Fill from the right; the loop body runs at least once so that zero
    // still yields the single digit "0".
    loop {
        start -= 1;
        digits[start] = b'0' + (n % 10) as u8;
        n /= 10;
        if n == 0 {
            break;
        }
    }

    write_all(fd, &digits[start..])
}

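/// Write `n` to `fd` as decimal ASCII, with a leading `-` for negatives.
///
/// # Returns
/// The result of writing the digits (the `-` byte is not counted), or the
/// negative value from writing the sign if that write fails.
pub fn write_signed(fd: i32, n: i64) -> isize {
    if n < 0 {
        let sign = write_str(fd, b"-");
        if sign < 0 {
            // Do not emit digits after a failed sign write.
            return sign;
        }
        // `-n` overflows for i64::MIN (a panic when overflow checks are on);
        // unsigned_abs yields the magnitude for every input.
        write_num(fd, n.unsigned_abs())
    } else {
        write_num(fd, n as u64)
    }
}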

/// Perform one `read(2)` from `fd` into `buf`.
///
/// At most `buf.len()` bytes are requested. Returns the value from libc: the
/// number of bytes read, 0 at end of file, or a negative value on error.
pub fn read(fd: i32, buf: &mut [u8]) -> isize {
    let capacity = buf.len();
    let dst = buf.as_mut_ptr().cast::<libc::c_void>();
    // SAFETY: `dst` points at `capacity` writable bytes owned by `buf`.
    unsafe { libc::read(fd, dst, capacity) }
}

/// Read from `fd` until end of file and return everything read.
///
/// A read error ends the loop exactly like end of file does, so the caller
/// cannot tell a truncated result from a complete one. The result grows
/// without limit; when `fd` may deliver unbounded data, bound the read at the
/// call site instead.
#[cfg(feature = "alloc")]
pub fn read_all(fd: i32) -> Vec<u8> {
    let mut chunk = [0u8; 4096];
    let mut collected = Vec::new();

    loop {
        let got = read(fd, &mut chunk);
        if got > 0 {
            collected.extend_from_slice(&chunk[..got as usize]);
        } else {
            // 0 is end of file, negative is an error; both stop the read.
            return collected;
        }
    }
}

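/// Open `path` with `open(2)`.
///
/// `flags` and `mode` are passed to libc unchanged; no flag such as
/// `O_CLOEXEC` or `O_NOFOLLOW` is added here.
///
/// # Returns
/// The new file descriptor, or -1 on error. A `path` of 4096 bytes or more is
/// rejected with -1 before libc is called.
///
/// An interior NUL byte in `path` ends the name that libc sees, so callers
/// that validate the full slice should reject NUL bytes first.
pub fn open(path: &[u8], flags: i32, mode: u32) -> i32 {
    // Copy into a NUL-terminated buffer, keeping one byte for the terminator.
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // c_char is unsigned on some targets (e.g. aarch64 Linux), so cast to the
    // libc alias rather than to a fixed i8.
    // SAFETY: `path_buf` is NUL-terminated and outlives the call.
    unsafe { libc::open(path_buf.as_ptr().cast::<libc::c_char>(), flags, mode) }
}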

/// Close `fd` with `close(2)`.
///
/// Returns the libc result: 0 on success, -1 on error.
pub fn close(fd: i32) -> i32 {
    // SAFETY: close takes a plain integer and touches no caller memory.
    unsafe { libc::close(fd) }
}

/// Return a `libc::stat` with every byte set to zero.
///
/// Intended as the initial value for the `buf` argument of the stat-family
/// wrappers, so that the zero-initialisation lives in one place.
#[inline]
pub fn stat_zeroed() -> libc::stat {
    let blank = core::mem::MaybeUninit::<libc::stat>::zeroed();
    // SAFETY: libc::stat is a plain C struct of numeric fields, for which the
    // all-zero bit pattern is a valid value.
    unsafe { blank.assume_init() }
}

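/// Fill `buf` with the status of `path` using `stat(2)` (symlinks followed).
///
/// # Returns
/// 0 on success, -1 on error. A `path` of 4096 bytes or more is rejected with
/// -1 before libc is called. An interior NUL byte in `path` ends the name
/// that libc sees.
pub fn stat(path: &[u8], buf: &mut libc::stat) -> i32 {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and `buf` is a valid stat struct.
    unsafe { libc::stat(path_buf.as_ptr().cast::<libc::c_char>(), buf) }
}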

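/// Fill `buf` with the status of `path` using `lstat(2)`: when `path` names a
/// symlink, the link itself is examined rather than its target.
///
/// # Returns
/// 0 on success, -1 on error. A `path` of 4096 bytes or more is rejected with
/// -1 before libc is called. An interior NUL byte in `path` ends the name
/// that libc sees.
pub fn lstat(path: &[u8], buf: &mut libc::stat) -> i32 {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and `buf` is a valid stat struct.
    unsafe { libc::lstat(path_buf.as_ptr().cast::<libc::c_char>(), buf) }
}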

/// Fill `buf` with the status of the open descriptor `fd` using `fstat(2)`.
///
/// Returns the libc result: 0 on success, -1 on error.
pub fn fstat(fd: i32, buf: &mut libc::stat) -> i32 {
    // SAFETY: `buf` is an exclusive reference to a valid stat struct.
    unsafe { libc::fstat(fd, buf) }
}

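/// Create the directory `path` with permission bits `mode` using `mkdir(2)`.
///
/// # Returns
/// 0 on success, -1 on error. A `path` of 4096 bytes or more is rejected with
/// -1 before libc is called. An interior NUL byte in `path` ends the name
/// that libc sees.
pub fn mkdir(path: &[u8], mode: u32) -> i32 {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and outlives the call.
    unsafe { libc::mkdir(path_buf.as_ptr().cast::<libc::c_char>(), mode as libc::mode_t) }
}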

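/// Remove the directory `path` using `rmdir(2)`.
///
/// # Returns
/// 0 on success, -1 on error. A `path` of 4096 bytes or more is rejected with
/// -1 before libc is called. An interior NUL byte in `path` ends the name
/// that libc sees.
pub fn rmdir(path: &[u8]) -> i32 {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and outlives the call.
    unsafe { libc::rmdir(path_buf.as_ptr().cast::<libc::c_char>()) }
}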

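/// Remove the directory entry `path` using `unlink(2)`.
///
/// # Returns
/// 0 on success, -1 on error. A `path` of 4096 bytes or more is rejected with
/// -1 before libc is called.
///
/// An interior NUL byte in `path` ends the name that libc sees, so the entry
/// removed can differ from the slice a caller validated; reject NUL bytes
/// before calling when the path comes from untrusted data.
pub fn unlink(path: &[u8]) -> i32 {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and outlives the call.
    unsafe { libc::unlink(path_buf.as_ptr().cast::<libc::c_char>()) }
}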

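/// Rename `old` to `new` using `rename(2)`.
///
/// # Returns
/// 0 on success, -1 on error. If either path is 4096 bytes or longer, -1 is
/// returned before libc is called. An interior NUL byte in either path ends
/// the name that libc sees.
pub fn rename(old: &[u8], new: &[u8]) -> i32 {
    let mut old_buf = [0u8; 4096];
    let mut new_buf = [0u8; 4096];

    if old.len() >= old_buf.len() || new.len() >= new_buf.len() {
        return -1;
    }

    old_buf[..old.len()].copy_from_slice(old);
    old_buf[old.len()] = 0;
    new_buf[..new.len()].copy_from_slice(new);
    new_buf[new.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: both buffers are NUL-terminated and outlive the call.
    unsafe {
        libc::rename(
            old_buf.as_ptr().cast::<libc::c_char>(),
            new_buf.as_ptr().cast::<libc::c_char>(),
        )
    }
}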

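/// Create a symbolic link at `linkpath` whose content is `target`, using
/// `symlink(2)`.
///
/// # Returns
/// 0 on success, -1 on error. If either argument is 4096 bytes or longer, -1
/// is returned before libc is called. An interior NUL byte in either argument
/// ends the string that libc sees.
pub fn symlink(target: &[u8], linkpath: &[u8]) -> i32 {
    let mut target_buf = [0u8; 4096];
    let mut link_buf = [0u8; 4096];

    if target.len() >= target_buf.len() || linkpath.len() >= link_buf.len() {
        return -1;
    }

    target_buf[..target.len()].copy_from_slice(target);
    target_buf[target.len()] = 0;
    link_buf[..linkpath.len()].copy_from_slice(linkpath);
    link_buf[linkpath.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: both buffers are NUL-terminated and outlive the call.
    unsafe {
        libc::symlink(
            target_buf.as_ptr().cast::<libc::c_char>(),
            link_buf.as_ptr().cast::<libc::c_char>(),
        )
    }
}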

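/// Create a hard link `new` that refers to the same file as `old`, using
/// `link(2)`.
///
/// # Returns
/// 0 on success, -1 on error. If either path is 4096 bytes or longer, -1 is
/// returned before libc is called. An interior NUL byte in either path ends
/// the name that libc sees.
pub fn link(old: &[u8], new: &[u8]) -> i32 {
    let mut old_buf = [0u8; 4096];
    let mut new_buf = [0u8; 4096];

    if old.len() >= old_buf.len() || new.len() >= new_buf.len() {
        return -1;
    }

    old_buf[..old.len()].copy_from_slice(old);
    old_buf[old.len()] = 0;
    new_buf[..new.len()].copy_from_slice(new);
    new_buf[new.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: both buffers are NUL-terminated and outlive the call.
    unsafe {
        libc::link(
            old_buf.as_ptr().cast::<libc::c_char>(),
            new_buf.as_ptr().cast::<libc::c_char>(),
        )
    }
}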

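/// Set the permission bits of `path` to `mode` using `chmod(2)`.
///
/// # Returns
/// 0 on success, -1 on error. A `path` of 4096 bytes or more is rejected with
/// -1 before libc is called. An interior NUL byte in `path` ends the name
/// that libc sees.
///
/// The file is looked up by name at call time, so a check made on the same
/// path beforehand (for example with `lstat`) does not guarantee the same
/// file is changed.
pub fn chmod(path: &[u8], mode: u32) -> i32 {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and outlives the call.
    unsafe { libc::chmod(path_buf.as_ptr().cast::<libc::c_char>(), mode as libc::mode_t) }
}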

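/// Change the process working directory to `path` using `chdir(2)`.
///
/// # Returns
/// 0 on success, -1 on error. A `path` of 4096 bytes or more is rejected with
/// -1 before libc is called. An interior NUL byte in `path` ends the name
/// that libc sees.
pub fn chdir(path: &[u8]) -> i32 {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and outlives the call.
    unsafe { libc::chdir(path_buf.as_ptr().cast::<libc::c_char>()) }
}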

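/// Return the current working directory as bytes, without a NUL terminator.
///
/// # Returns
/// `None` when `getcwd(3)` fails, which includes the case where the path does
/// not fit the internal 4096-byte buffer.
#[cfg(feature = "alloc")]
pub fn getcwd() -> Option<Vec<u8>> {
    let mut buf = [0u8; 4096];
    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: the pointer is valid for `buf.len()` writable bytes.
    let ret = unsafe { libc::getcwd(buf.as_mut_ptr().cast::<libc::c_char>(), buf.len()) };

    if ret.is_null() {
        return None;
    }
    // Keep only the bytes before the terminator written by libc.
    let len = buf.iter().position(|&c| c == 0).unwrap_or(buf.len());
    Some(buf[..len].to_vec())
}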

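/// Write the current working directory into `buf` (build without `alloc`).
///
/// # Returns
/// `true` when `getcwd(3)` succeeded, in which case `buf` holds the
/// NUL-terminated path; `false` on failure, including a `buf` that is too
/// small for the path.
#[cfg(not(feature = "alloc"))]
pub fn getcwd(buf: &mut [u8]) -> bool {
    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: the pointer is valid for `buf.len()` writable bytes.
    let ret = unsafe { libc::getcwd(buf.as_mut_ptr().cast::<libc::c_char>(), buf.len()) };
    !ret.is_null()
}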

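/// Read the target of the symbolic link `path` into `buf` using
/// `readlink(2)`.
///
/// # Returns
/// The number of bytes placed in `buf`, or -1 on error. A `path` of 4096
/// bytes or more is rejected with -1 before libc is called.
///
/// `readlink(2)` does not append a NUL terminator and truncates silently when
/// the target is longer than `buf`; a return value equal to `buf.len()` may
/// therefore indicate a truncated result.
pub fn readlink(path: &[u8], buf: &mut [u8]) -> isize {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and the output pointer is valid
    // for `buf.len()` writable bytes.
    unsafe {
        libc::readlink(
            path_buf.as_ptr().cast::<libc::c_char>(),
            buf.as_mut_ptr().cast::<libc::c_char>(),
            buf.len(),
        )
    }
}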

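/// Resolve `path` to its canonical absolute form with `realpath(3)` and store
/// the NUL-terminated result in `buf`.
///
/// # Returns
/// The length of the resolved path (terminator excluded), or -1 when
/// resolution fails, when `path` is 4096 bytes or longer, or when `buf` is
/// too small to hold the result plus its terminator.
///
/// `realpath(3)` is not told the size of its output buffer, so handing it
/// `buf` directly would let libc write past the end of a short slice. The
/// path is resolved into a full-size scratch buffer and copied out only when
/// it fits.
pub fn realpath(path: &[u8], buf: &mut [u8]) -> isize {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Scratch output sized like this module's PATH_MAX; assumes the
    // platform's own PATH_MAX is no larger than 4096 (true on Linux).
    let mut resolved = [0u8; 4096];
    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and `resolved` is a writable
    // buffer of the size realpath may fill.
    let ret = unsafe {
        libc::realpath(
            path_buf.as_ptr().cast::<libc::c_char>(),
            resolved.as_mut_ptr().cast::<libc::c_char>(),
        )
    };
    if ret.is_null() {
        return -1;
    }

    let len = resolved.iter().position(|&c| c == 0).unwrap_or(resolved.len());
    // The caller's buffer must hold the path and its terminator.
    if len >= buf.len() {
        return -1;
    }
    buf[..len].copy_from_slice(&resolved[..len]);
    buf[len] = 0;
    len as isize
}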

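/// Open the directory `path` for reading with `opendir(3)`.
///
/// # Returns
/// The directory stream, or a null pointer on error. A `path` of 4096 bytes
/// or more yields a null pointer before libc is called. A non-null result
/// must eventually be released with `closedir`.
pub fn opendir(path: &[u8]) -> *mut libc::DIR {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return ptr::null_mut();
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and outlives the call.
    unsafe { libc::opendir(path_buf.as_ptr().cast::<libc::c_char>()) }
}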

/// Fetch the next entry of the directory stream `dir` with `readdir(3)`.
///
/// Returns the pointer libc returns; it is null at the end of the directory
/// and on error.
///
/// NOTE(review): this is a safe `fn` that passes a raw pointer straight to
/// libc. `dir` must be a live stream obtained from `opendir`; nothing here
/// checks that.
#[allow(clippy::not_unsafe_ptr_arg_deref)]
pub fn readdir(dir: *mut libc::DIR) -> *mut libc::dirent {
    // SAFETY: soundness depends on the caller passing a valid, open DIR*.
    unsafe { libc::readdir(dir) }
}

/// Close the directory stream `dir` with `closedir(3)`.
///
/// Returns the libc result: 0 on success, -1 on error.
///
/// NOTE(review): this is a safe `fn` that passes a raw pointer straight to
/// libc. `dir` must be a live stream obtained from `opendir` and must not be
/// used again afterwards; nothing here checks that.
#[allow(clippy::not_unsafe_ptr_arg_deref)]
pub fn closedir(dir: *mut libc::DIR) -> i32 {
    // SAFETY: soundness depends on the caller passing a valid, open DIR*.
    unsafe { libc::closedir(dir) }
}

/// Return the real user ID of the calling process (`getuid(2)`).
pub fn getuid() -> u32 {
    // SAFETY: takes no arguments and touches no caller memory.
    unsafe { libc::getuid() }
}

/// Return the effective user ID of the calling process (`geteuid(2)`).
pub fn geteuid() -> u32 {
    // SAFETY: takes no arguments and touches no caller memory.
    unsafe { libc::geteuid() }
}

/// Return the real group ID of the calling process (`getgid(2)`).
pub fn getgid() -> u32 {
    // SAFETY: takes no arguments and touches no caller memory.
    unsafe { libc::getgid() }
}

/// Return the effective group ID of the calling process (`getegid(2)`).
pub fn getegid() -> u32 {
    // SAFETY: takes no arguments and touches no caller memory.
    unsafe { libc::getegid() }
}

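/// Check whether the calling process may access `path` in the way described
/// by `mode`, using POSIX `access()`.
///
/// # Returns
/// 0 when access is permitted, -1 otherwise. A `path` of 4096 bytes or more
/// is rejected with -1 before libc is called. An interior NUL byte in `path`
/// ends the name that libc sees.
///
/// `access()` evaluates permissions with the real user and group IDs, and its
/// answer can be out of date by the time the file is opened. Treat the result
/// as advisory; for an actual permission decision, attempt the operation and
/// handle its failure.
pub fn access(path: &[u8], mode: i32) -> i32 {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `path_buf` is NUL-terminated and outlives the call.
    unsafe { libc::access(path_buf.as_ptr().cast::<libc::c_char>(), mode) }
}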

/// Return the process ID of the calling process (`getpid(2)`).
pub fn getpid() -> i32 {
    // SAFETY: takes no arguments and touches no caller memory.
    unsafe { libc::getpid() }
}

/// Return the process ID of the caller's parent (`getppid(2)`).
pub fn getppid() -> i32 {
    // SAFETY: takes no arguments and touches no caller memory.
    unsafe { libc::getppid() }
}

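/// Return the host name as bytes, without a NUL terminator.
///
/// # Returns
/// `None` when `gethostname(2)` fails. The name is read into a 256-byte
/// buffer; if libc leaves it without a terminator, all 256 bytes are
/// returned.
#[cfg(feature = "alloc")]
pub fn gethostname() -> Option<Vec<u8>> {
    let mut buf = [0u8; 256];
    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: the pointer is valid for `buf.len()` writable bytes.
    let ret = unsafe { libc::gethostname(buf.as_mut_ptr().cast::<libc::c_char>(), buf.len()) };

    if ret != 0 {
        return None;
    }
    // Bound the scan by the buffer in case the name came back unterminated.
    let len = buf.iter().position(|&c| c == 0).unwrap_or(buf.len());
    Some(buf[..len].to_vec())
}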

/// Suspend the calling thread for `secs` seconds using `sleep(3)`.
///
/// The value returned by libc is discarded, so an early wake-up is not
/// reported to the caller.
pub fn sleep(secs: u32) {
    // SAFETY: takes a plain integer and touches no caller memory.
    let _ = unsafe { libc::sleep(secs) };
}

/// Suspend the calling thread for `usecs` microseconds using `usleep(3)`.
///
/// The value returned by libc is discarded, so a failure is not reported to
/// the caller.
pub fn usleep(usecs: u32) {
    // SAFETY: takes a plain integer and touches no caller memory.
    let _ = unsafe { libc::usleep(usecs) };
}

/// Duplicate `fd` with `dup(2)`.
///
/// Returns the new descriptor, or -1 on error.
pub fn dup(fd: i32) -> i32 {
    // SAFETY: takes a plain integer and touches no caller memory.
    unsafe { libc::dup(fd) }
}

/// Make descriptor `new` refer to the same open file as `old`, using
/// `dup2(2)`.
///
/// Returns the libc result: `new` on success, -1 on error.
pub fn dup2(old: i32, new: i32) -> i32 {
    // SAFETY: takes plain integers and touches no caller memory.
    unsafe { libc::dup2(old, new) }
}

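/// Reposition the file offset of `fd` using `lseek(2)`.
///
/// # Returns
/// The resulting offset from the start of the file, or -1 on error. When
/// `offset` does not fit the platform's `off_t` (possible where `off_t` is
/// narrower than 64 bits), -1 is returned without calling libc.
pub fn lseek(fd: i32, offset: i64, whence: i32) -> i64 {
    // An `as` cast would silently wrap an out-of-range offset and seek to an
    // unrelated position; refuse such offsets instead.
    let off = match <libc::off_t as core::convert::TryFrom<i64>>::try_from(offset) {
        Ok(value) => value,
        Err(_) => return -1,
    };
    // SAFETY: takes plain integers and touches no caller memory.
    unsafe { libc::lseek(fd, off, whence) as i64 }
}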

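/// Set the size of the file behind `fd` to `length` bytes using
/// `ftruncate(2)`.
///
/// # Returns
/// 0 on success, -1 on error. When `length` does not fit the platform's
/// `off_t` (possible where `off_t` is narrower than 64 bits), -1 is returned
/// without calling libc.
pub fn ftruncate(fd: i32, length: i64) -> i32 {
    // An `as` cast would silently wrap an out-of-range length and resize the
    // file to an unintended size; refuse such lengths instead.
    let len = match <libc::off_t as core::convert::TryFrom<i64>>::try_from(length) {
        Ok(value) => value,
        Err(_) => return -1,
    };
    // SAFETY: takes plain integers and touches no caller memory.
    unsafe { libc::ftruncate(fd, len) }
}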

/// Ask the kernel to flush filesystem buffers with `sync(2)`.
pub fn sync() {
    // SAFETY: takes no arguments and touches no caller memory.
    unsafe {
        libc::sync();
    }
}

/// Report whether `fd` refers to a terminal, according to `isatty(3)`.
///
/// Any non-zero libc result counts as `true`; an invalid descriptor yields
/// `false` like any other non-terminal.
pub fn isatty(fd: i32) -> bool {
    // SAFETY: takes a plain integer and touches no caller memory.
    let answer = unsafe { libc::isatty(fd) };
    answer != 0
}

/// Return the path of the terminal attached to `fd`, copied into a `Vec`.
///
/// Returns `None` when `ttyname(3)` returns a null pointer.
///
/// NOTE(review): the string is read from libc-owned storage before being
/// copied; `ttyname(3)` is documented as possibly reusing that storage on
/// later calls, so concurrent callers should be serialised. Confirm against
/// the target libc.
#[cfg(feature = "alloc")]
pub fn ttyname(fd: i32) -> Option<Vec<u8>> {
    let name = unsafe { libc::ttyname(fd) };
    if name.is_null() {
        return None;
    }

    // Count bytes up to the terminator; the scan trusts libc to supply one.
    let mut n = 0;
    loop {
        if unsafe { *name.add(n) } == 0 {
            break;
        }
        n += 1;
    }
    // SAFETY: the `n` bytes before the terminator were just read through the
    // same pointer.
    let bytes = unsafe { core::slice::from_raw_parts(name as *const u8, n) };
    Some(bytes.to_vec())
}

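/// Look up the environment variable `name`.
///
/// Returns `None` when the variable is unset or when `name` is 256 bytes or
/// longer. The value is cut at 1MB by the bounded `strlen` helper.
///
/// # Safety Warning
/// The returned slice points into libc-managed memory. That memory can be
/// invalidated by any call to `setenv`, `unsetenv`, or `putenv`, from this or
/// any other thread. Copy the data if it must outlive such a call.
///
/// The `'static` lifetime is a lie - the data is only valid until the
/// environment is modified. This is an inherent limitation of the POSIX API.
///
/// # Example
/// ```ignore
/// // SAFE: immediate use
/// if let Some(val) = getenv(b"PATH") {
///     io::write_all(1, val);
/// }
///
/// // DANGEROUS: holding the reference across setenv
/// let path = getenv(b"PATH");
/// setenv(b"FOO", b"bar", true); // path may now be invalid!
/// ```
pub fn getenv(name: &[u8]) -> Option<&'static [u8]> {
    let mut name_buf = [0u8; 256];
    if name.len() >= name_buf.len() {
        return None;
    }
    name_buf[..name.len()].copy_from_slice(name);
    name_buf[name.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `name_buf` is NUL-terminated and outlives the call. The result
    // points into environment memory owned by libc.
    let ptr = unsafe { libc::getenv(name_buf.as_ptr().cast::<libc::c_char>()) };
    if ptr.is_null() {
        return None;
    }

    // The length scan is capped by the strlen helper.
    let len = strlen(ptr as *const u8);
    // SAFETY: the slice is valid only while the environment is unchanged;
    // the 'static lifetime overstates that and callers must not rely on it.
    Some(unsafe { core::slice::from_raw_parts(ptr as *const u8, len) })
}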

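/// Set the environment variable `name` to `value`.
///
/// If `overwrite` is true an existing variable is replaced; otherwise it is
/// left unchanged.
///
/// # Returns
/// 0 on success, -1 on error. -1 is returned before libc is called when
/// `name` is empty, contains `=`, or is 256 bytes or longer, and when `value`
/// is 4096 bytes or longer. An interior NUL byte in `name` or `value` ends
/// the string that libc sees.
///
/// # Safety Note
/// This function invalidates any pointers previously returned by `getenv()`
/// for any environment variable, not just the one being set.
pub fn setenv(name: &[u8], value: &[u8], overwrite: bool) -> i32 {
    // An empty name or one containing '=' is not a valid variable name.
    if name.is_empty() || name.contains(&b'=') {
        return -1;
    }

    let mut name_buf = [0u8; 256];
    let mut value_buf = [0u8; 4096];

    if name.len() >= name_buf.len() || value.len() >= value_buf.len() {
        return -1;
    }

    name_buf[..name.len()].copy_from_slice(name);
    name_buf[name.len()] = 0;
    value_buf[..value.len()].copy_from_slice(value);
    value_buf[value.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: both buffers are NUL-terminated and within bounds. libc copies
    // the strings, so the stack buffers may go out of scope afterwards.
    unsafe {
        libc::setenv(
            name_buf.as_ptr().cast::<libc::c_char>(),
            value_buf.as_ptr().cast::<libc::c_char>(),
            libc::c_int::from(overwrite),
        )
    }
}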

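/// Remove the environment variable `name`.
///
/// # Returns
/// 0 on success, -1 on error. -1 is returned before libc is called when
/// `name` is empty, contains `=`, or is 256 bytes or longer.
///
/// # Safety Note
/// This function may invalidate pointers previously returned by `getenv()`.
pub fn unsetenv(name: &[u8]) -> i32 {
    if name.is_empty() || name.contains(&b'=') {
        return -1;
    }

    let mut name_buf = [0u8; 256];
    if name.len() >= name_buf.len() {
        return -1;
    }

    name_buf[..name.len()].copy_from_slice(name);
    name_buf[name.len()] = 0;

    // Cast to libc::c_char, which is unsigned on some targets, not to i8.
    // SAFETY: `name_buf` is NUL-terminated and outlives the call.
    unsafe { libc::unsetenv(name_buf.as_ptr().cast::<libc::c_char>()) }
}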

/// Send signal `sig` to `pid` using `kill(2)`.
///
/// Returns the libc result: 0 on success, -1 on error.
///
/// `pid` is passed through unchanged. Under `kill(2)` semantics, zero and
/// negative values address process groups or every signalable process rather
/// than one process, so callers parsing a PID from input should range-check
/// it first.
pub fn kill(pid: i32, sig: i32) -> i32 {
    // SAFETY: takes plain integers and touches no caller memory.
    unsafe { libc::kill(pid, sig) }
}

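/// Replace the current process image with the program at `path` using
/// `execve(2)`.
///
/// # Returns
/// Only returns on failure, with -1. A `path` of 4096 bytes or more is
/// rejected with -1 before libc is called. An interior NUL byte in `path`
/// ends the name that libc sees, so the program executed can differ from the
/// slice a caller validated.
///
/// NOTE(review): this is a safe `fn` that forwards raw pointers to libc.
/// `argv` and `envp` must each point to a null-terminated array of pointers
/// to NUL-terminated strings; nothing here checks that.
#[allow(clippy::not_unsafe_ptr_arg_deref)]
pub fn execve(path: &[u8], argv: *const *const i8, envp: *const *const i8) -> i32 {
    let mut path_buf = [0u8; 4096];
    if path.len() >= path_buf.len() {
        return -1;
    }
    path_buf[..path.len()].copy_from_slice(path);
    path_buf[path.len()] = 0;

    // Cast every pointer to libc::c_char, which is unsigned on some targets,
    // so the call type-checks wherever libc is available.
    // SAFETY: `path_buf` is NUL-terminated; validity of `argv` and `envp` is
    // the caller's responsibility.
    unsafe {
        libc::execve(
            path_buf.as_ptr().cast::<libc::c_char>(),
            argv as *const *const libc::c_char,
            envp as *const *const libc::c_char,
        )
    }
}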

/// Create a child process with `fork(2)`.
///
/// Returns the libc result: 0 in the child, the child's PID in the parent,
/// -1 on error.
pub fn fork() -> i32 {
    // SAFETY: takes no arguments and touches no caller memory.
    unsafe { libc::fork() }
}

/// Wait for any child process to change state using `wait(2)`.
///
/// Returns the libc result: the child's PID, or -1 on error.
///
/// NOTE(review): this is a safe `fn` that forwards a raw pointer. `status`
/// must be null or point to a writable `i32`; nothing here checks that.
#[allow(clippy::not_unsafe_ptr_arg_deref)]
pub fn wait(status: *mut i32) -> i32 {
    // SAFETY: soundness depends on the caller passing null or a valid pointer.
    unsafe { libc::wait(status) }
}

/// Wait for the child selected by `pid` to change state using `waitpid(2)`.
///
/// `options` is passed to libc unchanged. Returns the libc result.
///
/// NOTE(review): this is a safe `fn` that forwards a raw pointer. `status`
/// must be null or point to a writable `i32`; nothing here checks that.
#[allow(clippy::not_unsafe_ptr_arg_deref)]
pub fn waitpid(pid: i32, status: *mut i32, options: i32) -> i32 {
    // SAFETY: soundness depends on the caller passing null or a valid pointer.
    unsafe { libc::waitpid(pid, status, options) }
}

/// Fill `buf` with system identification data using `uname(2)`.
///
/// Returns the libc result: 0 on success, -1 on error.
pub fn uname(buf: &mut libc::utsname) -> i32 {
    // SAFETY: `buf` is an exclusive reference to a valid utsname struct.
    unsafe { libc::uname(buf) }
}

/// Terminate the process immediately with status `code`.
///
/// This calls `_exit`, not `exit`, so the process ends without running
/// `atexit` handlers.
pub fn exit(code: i32) -> ! {
    // SAFETY: _exit takes a plain integer and never returns.
    unsafe { libc::_exit(code) }
}

// ============================================================================
// Helper functions for argument parsing
// ============================================================================

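/// Length of the C string at `s`, excluding the terminator, with a 1MB cap.
///
/// Scanning stops after 1MB so that a string lacking a terminator cannot
/// cause an unbounded read. A null `s` yields 0 instead of being
/// dereferenced.
///
/// A return value of exactly 1MB means no terminator was found within the
/// cap; the string is then truncated, not complete.
///
/// NOTE(review): this is a safe `fn` that dereferences a raw pointer. A
/// non-null `s` must point to memory readable up to the terminator or the
/// cap, whichever comes first; nothing here checks that.
#[allow(clippy::not_unsafe_ptr_arg_deref)]
pub fn strlen(s: *const u8) -> usize {
    const MAX_STRLEN: usize = 1024 * 1024; // 1MB safety limit

    if s.is_null() {
        return 0;
    }

    let mut len = 0;
    // SAFETY: soundness depends on the caller passing a readable C string;
    // the cap bounds the damage of a missing terminator.
    while len < MAX_STRLEN && unsafe { *s.add(len) } != 0 {
        len += 1;
    }
    len
}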

/// Length of the C string stored in `s`: the index of the first zero byte,
/// or `s.len()` when the slice contains none.
pub fn strlen_arr(s: &[u8]) -> usize {
    for (idx, &byte) in s.iter().enumerate() {
        if byte == 0 {
            return idx;
        }
    }
    s.len()
}

/// View the C string at `s` as a byte slice, terminator excluded.
///
/// The length comes from the bounded `strlen` helper, so a string with no
/// terminator inside that helper's limit is returned truncated.
///
/// # Safety
/// The caller must ensure that:
/// - `s` is non-null and points to a NUL-terminated C string (null is caught
///   only by a `debug_assert!`)
/// - the terminator lies inside the allocation `s` points into
/// - the slice is not used after the underlying memory is freed or modified
///
/// The `'static` lifetime is usually too generous; callers should narrow it
/// to the real lifetime of whatever `s` came from.
pub unsafe fn cstr_to_slice(s: *const u8) -> &'static [u8] {
    debug_assert!(!s.is_null(), "cstr_to_slice called with null pointer");
    let byte_count = strlen(s);
    // SAFETY: the caller vouches for the pointer and its terminator, and is
    // responsible for not outliving the memory despite the 'static lifetime.
    unsafe { core::slice::from_raw_parts(s, byte_count) }
}

/// Return `true` when `a` and `b` have the same length and contents.
///
/// The comparison may stop at the first differing byte, so it is not
/// constant-time; do not use it to compare secrets such as password hashes
/// or MACs.
pub fn bytes_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a == b
}

/// Return `true` when `s` begins with the bytes of `prefix`.
///
/// An empty `prefix` matches every slice.
pub fn starts_with(s: &[u8], prefix: &[u8]) -> bool {
    // `get` yields None when `s` is shorter than `prefix`.
    match s.get(..prefix.len()) {
        Some(head) => head == prefix,
        None => false,
    }
}

/// Return the name stored in a directory entry as a `u8` slice.
///
/// `d_name` is an array of C chars; the bytes are reinterpreted as `u8`. The
/// scan stops at the first NUL or after 255 bytes, whichever comes first.
///
/// # Safety
/// The caller must ensure that:
/// - `entry` is non-null and points to a valid `libc::dirent` (null is caught
///   only by a `debug_assert!`)
/// - the entry came from a successful `readdir()` call
/// - the entry has not been invalidated by `closedir()` or by a later
///   `readdir()` on the same stream
///
/// Despite the `'static` lifetime, the slice is valid only until the next
/// `readdir()` on the same directory stream or until `closedir()`.
///
/// # Returns
/// `(name, length)`; the slice does NOT include the NUL terminator.
pub unsafe fn dirent_name(entry: *const libc::dirent) -> (&'static [u8], usize) {
    debug_assert!(!entry.is_null(), "dirent_name called with null pointer");
    // SAFETY: the caller vouches for `entry`; the scan stays within the first
    // 256 bytes of the `d_name` array embedded in the struct.
    unsafe {
        let first = (*entry).d_name.as_ptr();
        let mut count = 0;
        loop {
            // 255 name bytes plus the terminator fill a 256-byte d_name.
            if count >= 255 || *first.add(count) == 0 {
                break;
            }
            count += 1;
        }
        (core::slice::from_raw_parts(first as *const u8, count), count)
    }
}