syd 3.52.0

//
// Syd: rock-solid application kernel
// src/cookie.rs: Syscall argument cookies
//
// Copyright (c) 2025, 2026 Ali Polatel <alip@chesswob.org>
//
// SPDX-License-Identifier: GPL-3.0

use std::{
    ffi::CStr,
    io::IoSlice,
    mem::MaybeUninit,
    num::NonZeroUsize,
    os::fd::{AsFd, AsRawFd, FromRawFd, RawFd},
    ptr,
    ptr::NonNull,
    sync::LazyLock,
};

use libc::{
    accept4, c_char, c_int, c_long, c_uint, c_void, dev_t, gid_t, mode_t, off64_t, off_t, shutdown,
    sockaddr, socket, socketpair, socklen_t, syscall, uid_t, SYS_close, SYS_close_range,
    SYS_execveat, SYS_faccessat2, SYS_fchdir, SYS_fchmod, SYS_fchmodat, SYS_fchown, SYS_fchownat,
    SYS_fgetxattr, SYS_flistxattr, SYS_fremovexattr, SYS_fsetxattr, SYS_getdents64, SYS_linkat,
    SYS_lremovexattr, SYS_lsetxattr, SYS_memfd_create, SYS_mkdirat, SYS_mknodat, SYS_openat2,
    SYS_pidfd_getfd, SYS_pidfd_open, SYS_pidfd_send_signal, SYS_pipe2, SYS_ptrace, SYS_renameat2,
    SYS_symlinkat, SYS_umask, SYS_uname, SYS_unlinkat, SHUT_RD, SHUT_RDWR, SHUT_WR,
};
use nix::{
    errno::Errno,
    fcntl::{AtFlags, OFlag},
    sys::{
        mman::{mmap_anonymous, MapFlags, ProtFlags},
        socket::{bind, connect, Shutdown, SockFlag, SockaddrLike, SockaddrStorage},
        stat::{Mode, SFlag},
    },
    unistd::{AccessFlags, Gid, Pid, Uid, UnlinkatFlags},
    NixPath,
};

use crate::{
    compat::{
        pack_cmsg_buf, set_vma_anon_name, AddressFamily, Cmsg, FallocateFlags, MFdFlags, MmsgHdr,
        MsgFlags, MsgHdr, OpenHow, RecvMsg, RenameFlags, SecretMemFlags, SockType, TimeSpec64,
    },
    config::HAVE_PIDFD_THREAD,
    confine::resolve_syscall,
    fd::{SafeOwnedFd, AT_EXECVE_CHECK, PIDFD_THREAD},
    path::{empty_argv, empty_envp, empty_path},
    proc::proc_tgid,
    ptrace::PtraceRequest,
    rng::fillrandom,
    sealbox::{getpagesize, mprotect_none, mprotect_readonly, mseal},
    uts::UtsName,
};

/// A platform-sized secure cookie
///
/// 32 bits on 32-bit, 64 bits on 64-bit targets.
#[cfg(target_pointer_width = "32")]
pub(crate) type Cookie = u32;
#[cfg(target_pointer_width = "64")]
pub(crate) type Cookie = u64;

/// Cookie index enumeration for accessing sealed pool.
#[repr(usize)]
#[derive(Debug, Clone, Copy)]
#[expect(missing_docs)]
pub enum CookieIdx {
    Accept4Arg4 = 0,
    Accept4Arg5,
    BindArg3,
    BindArg4,
    BindArg5,
    CloseArg1,
    CloseArg2,
    CloseArg3,
    CloseArg4,
    CloseArg5,
    CloseRangeArg3,
    CloseRangeArg4,
    CloseRangeArg5,
    ConnectArg3,
    ConnectArg4,
    ConnectArg5,
    ExecveatArg5,
    Faccessat2Arg4,
    Faccessat2Arg5,
    FallocateArg4,
    FallocateArg5,
    FchdirArg1,
    FchdirArg2,
    FchdirArg3,
    FchdirArg4,
    FchdirArg5,
    FchmodArg2,
    FchmodArg3,
    FchmodArg4,
    FchmodArg5,
    Fchmodat2Arg4,
    Fchmodat2Arg5,
    FchmodatArg3,
    FchmodatArg4,
    FchmodatArg5,
    FchownArg3,
    FchownArg4,
    FchownArg5,
    FchownatArg5,
    FgetxattrArg4,
    FgetxattrArg5,
    FlistxattrArg3,
    FlistxattrArg4,
    FlistxattrArg5,
    FremovexattrArg2,
    FremovexattrArg3,
    FremovexattrArg4,
    FremovexattrArg5,
    FsetxattrArg5,
    Ftruncate64Arg3,
    Ftruncate64Arg4,
    Ftruncate64Arg5,
    FtruncateArg2,
    FtruncateArg3,
    FtruncateArg4,
    FtruncateArg5,
    Getdents64Arg3,
    Getdents64Arg4,
    Getdents64Arg5,
    LinkatArg5_1, // without AT_EMPTY_PATH
    LinkatArg5_2, // with AT_EMPTY_PATH
    LremovexattrArg2,
    LremovexattrArg3,
    LremovexattrArg4,
    LremovexattrArg5,
    LsetxattrArg5,
    MemfdCreateArg2,
    MemfdCreateArg3,
    MemfdCreateArg4,
    MemfdCreateArg5,
    MemfdSecretArg1,
    MemfdSecretArg2,
    MemfdSecretArg3,
    MemfdSecretArg4,
    MemfdSecretArg5,
    MkdiratArg3,
    MkdiratArg4,
    MkdiratArg5,
    MknodatArg4,
    MknodatArg5,
    Openat2Arg4,
    Openat2Arg5,
    PidfdGetInfoArg3,
    PidfdGetInfoArg4,
    PidfdGetInfoArg5,
    PidfdGetfdArg3,
    PidfdGetfdArg4,
    PidfdGetfdArg5,
    PidfdOpenArg2,
    PidfdOpenArg3,
    PidfdOpenArg4,
    PidfdOpenArg5,
    PidfdSendSignalArg4,
    PidfdSendSignalArg5,
    Pipe2Arg2,
    Pipe2Arg3,
    Pipe2Arg4,
    Pipe2Arg5,
    ProcmapQueryArg3,
    ProcmapQueryArg4,
    ProcmapQueryArg5,
    PtraceArg4,
    PtraceArg5,
    RecvMmsgArg4,
    RecvMmsgArg5,
    RecvMsgArg2,
    RecvMsgArg3,
    RecvMsgArg4,
    RecvMsgArg5,
    Renameat2Arg5,
    SeccompIoctlNotifAddfdArg3,
    SeccompIoctlNotifAddfdArg4,
    SeccompIoctlNotifAddfdArg5,
    SeccompIoctlNotifSendArg3,
    SeccompIoctlNotifSendArg4,
    SeccompIoctlNotifSendArg5,
    SendMmsgArg3,
    SendMmsgArg4,
    SendMmsgArg5,
    SendMsgArg3,
    SendMsgArg4,
    SendMsgArg5,
    Sendfile64Arg4,
    Sendfile64Arg5,
    SendfileArg4,
    SendfileArg5,
    ShutdownArg2,
    ShutdownArg3,
    ShutdownArg4,
    ShutdownArg5,
    SocketArg3,
    SocketArg4,
    SocketArg5,
    SocketpairArg4,
    SocketpairArg5,
    SymlinkatArg3,
    SymlinkatArg4,
    SymlinkatArg5,
    Truncate64Arg3,
    Truncate64Arg4,
    Truncate64Arg5,
    TruncateArg2,
    TruncateArg3,
    TruncateArg4,
    TruncateArg5,
    UmaskArg1,
    UmaskArg2,
    UmaskArg3,
    UmaskArg4,
    UmaskArg5,
    UnameArg1,
    UnameArg2,
    UnameArg3,
    UnameArg4,
    UnameArg5,
    UnlinkatArg3,
    UnlinkatArg4,
    UnlinkatArg5,
    UtimensatArg4,
    UtimensatArg5,
}

impl CookieIdx {
    /// Number of cookie indices.
    pub const COUNT: usize = Self::UtimensatArg5 as usize + 1;
}

/// Sealed syscall cookie pool containing all syscall argument cookies in a
/// single, hardened memory region. This region is:
/// 1. Allocated with mmap as a single contiguous anonymous mapping
/// 2. Guarded by PROT_NONE pages from below and above
/// 3. Populated with a single fillrandom(2) call
/// 4. Made read-only with mprotect(PROT_READ)
/// 5. Named "syd" via prctl(PR_SET_VMA)
/// 6. Sealed with mseal(2) to prevent remapping
///
/// # Invariants
///
/// ptr points into a PROT_READ mapping containing CookieIdx::COUNT
/// contiguous Cookie values. Mapping layout is [PROT_NONE guard]
/// [PROT_READ data][PROT_NONE guard] and is never munmap'd after
/// initialization.
pub struct SyscookiePool {
    /// Raw pointer into data region (after lower guard page).
    ptr: *const Cookie,
    /// Full mapping pointer (including guards) for bookkeeping.
    #[expect(dead_code)]
    map_ptr: NonNull<c_void>,
    /// Total mapping length (guards + data region).
    #[expect(dead_code)]
    map_len: NonZeroUsize,
}

// SAFETY: SyscookiePool is read-only after initialization and sealed with mseal(2).
unsafe impl Sync for SyscookiePool {}
// SAFETY: SyscookiePool is read-only after initialization and sealed with mseal(2).
unsafe impl Send for SyscookiePool {}

/// VMA name for cookie pool.
const VMA_NAME: &CStr = c" Syd: cookie/pool";

impl SyscookiePool {
    // Allocate and initialize cookie pool.
    fn new() -> Result<Self, Errno> {
        let page = getpagesize()?;
        let cookie_size = size_of::<Cookie>();
        let data_size = cookie_size
            .checked_mul(CookieIdx::COUNT)
            .ok_or(Errno::EINVAL)?;
        let data_pages = data_size
            .checked_next_multiple_of(page)
            .ok_or(Errno::EINVAL)?;

        // Total layout: [guard page]+[data pages]+[guard page]
        let total_size = page
            .checked_add(data_pages)
            .and_then(|s| s.checked_add(page))
            .ok_or(Errno::EINVAL)?;
        let map_len = NonZeroUsize::new(total_size).ok_or(Errno::EINVAL)?;

        // Allocate entire region as PROT_READ | PROT_WRITE initially.
        //
        // SAFETY: Valid length and flags guaranteed.
        let map_ptr = unsafe {
            mmap_anonymous(
                None,
                map_len,
                ProtFlags::PROT_READ | ProtFlags::PROT_WRITE,
                MapFlags::MAP_PRIVATE,
            )?
        };

        // Calculate data region pointer (after lower guard).
        //
        // SAFETY: We allocated at least page + data_pages + page bytes.
        let data_ptr = unsafe { map_ptr.as_ptr().add(page) };

        // Fill data region with random bytes using a single getrandom(2) call.
        //
        // SAFETY: data_ptr is valid for data_pages bytes.
        let data_slice =
            unsafe { std::slice::from_raw_parts_mut(data_ptr.cast::<u8>(), data_pages) };
        fillrandom(data_slice)?;

        // Make lower guard page PROT_NONE.
        let guard_len = NonZeroUsize::new(page).ok_or(Errno::EINVAL)?;
        mprotect_none(map_ptr, guard_len)?;

        // Make upper guard page PROT_NONE.
        //
        // SAFETY: map_ptr + page + data_pages is within allocated region.
        let upper_guard_ptr = unsafe {
            NonNull::new_unchecked(map_ptr.as_ptr().add(page).add(data_pages).cast::<c_void>())
        };
        mprotect_none(upper_guard_ptr, guard_len)?;

        // Make data region read-only.
        let data_region = NonZeroUsize::new(data_pages).ok_or(Errno::EINVAL)?;
        // SAFETY: map_ptr + page is start of data region.
        let data_region_ptr =
            unsafe { NonNull::new_unchecked(map_ptr.as_ptr().add(page).cast::<c_void>()) };
        mprotect_readonly(data_region_ptr, data_region)?;

        // Set VMA name to "syd::cookie::pool" in debug mode.
        let _ = set_vma_anon_name(data_region_ptr, data_region, Some(VMA_NAME));

        // Seal entire mapping to prevent remapping.
        //
        // ENOSYS: mseal(2) not implemented (Linux >= 6.10)
        // EPERM: Sealing only supported on 64-bit CPUs.
        match mseal(map_ptr, map_len) {
            Ok(_) | Err(Errno::EPERM | Errno::ENOSYS) => {}
            Err(errno) => return Err(errno),
        }

        // INVARIANT: ptr points to first Cookie in data region.
        Ok(SyscookiePool {
            ptr: data_ptr.cast::<Cookie>(),
            map_ptr,
            map_len,
        })
    }

    /// Get a cookie by index.
    #[inline(always)]
    pub fn get(&self, idx: CookieIdx) -> Cookie {
        // SAFETY: Index is bounds-checked by enum, data is read-only.
        unsafe { *self.ptr.add(idx as usize) }
    }
}

/// Global sealed syscall cookie pool.
#[expect(clippy::disallowed_methods)]
pub static SYSCOOKIE_POOL: LazyLock<SyscookiePool> =
    LazyLock::new(|| SyscookiePool::new().expect("failed to initialize syscall cookie pool"));

/// Safe close(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_close(fd: RawFd) -> Result<(), Errno> {
    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. All remaining arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            SYS_close,
            fd,
            SYSCOOKIE_POOL.get(CookieIdx::CloseArg1),
            SYSCOOKIE_POOL.get(CookieIdx::CloseArg2),
            SYSCOOKIE_POOL.get(CookieIdx::CloseArg3),
            SYSCOOKIE_POOL.get(CookieIdx::CloseArg4),
            SYSCOOKIE_POOL.get(CookieIdx::CloseArg5),
        )
    })
    .map(drop)
}

/// Safe close_range(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_close_range(first: c_uint, last: c_uint, flags: c_uint) -> Result<(), Errno> {
    // SAFETY:
    // 1. first and last are valid fd range bounds.
    // 2. flags is caller-provided.
    // 3. Trailing arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            SYS_close_range,
            first,
            last,
            flags,
            SYSCOOKIE_POOL.get(CookieIdx::CloseRangeArg3),
            SYSCOOKIE_POOL.get(CookieIdx::CloseRangeArg4),
            SYSCOOKIE_POOL.get(CookieIdx::CloseRangeArg5),
        )
    })
    .map(drop)
}

/// Safe openat2(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_openat2<Fd: AsFd, P: NixPath + ?Sized>(
    dirfd: Fd,
    path: &P,
    mut how: OpenHow,
) -> Result<SafeOwnedFd, Errno> {
    let res = path.with_nix_path(|cstr| {
        // SAFETY:
        // 1. dirfd is valid file descriptor.
        // 2. cstr is a NUL-terminated CStr from NixPath.
        // 3. how is a valid OpenHow struct
        // 4. Trailing arguments are sealed cookies.
        unsafe {
            syscall(
                SYS_openat2,
                dirfd.as_fd().as_raw_fd(),
                cstr.as_ptr(),
                ptr::addr_of_mut!(how),
                size_of::<OpenHow>(),
                SYSCOOKIE_POOL.get(CookieIdx::Openat2Arg4),
                SYSCOOKIE_POOL.get(CookieIdx::Openat2Arg5),
            )
        }
    })?;

    // SAFETY:
    //
    // openat2(2) returns a valid fd on success.
    #[expect(clippy::cast_possible_truncation)]
    Errno::result(res).map(|r| unsafe { SafeOwnedFd::from_raw_fd(r as RawFd) })
}

/// socket(2) may be multiplexed by socketcall(2).
pub static SYS_SOCKET: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("socket"));

/// Safe socket(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_socket(
    domain: AddressFamily,
    stype: SockType,
    flags: SockFlag,
    proto: c_int,
) -> Result<SafeOwnedFd, Errno> {
    let domain = domain.as_raw();
    let stype = stype.as_raw() | flags.bits();

    if let Some(sys_socket) = *SYS_SOCKET {
        // SAFETY:
        // 1. domain, stype, and proto are caller-provided integers.
        // 2. Trailing arguments are sealed cookies.
        #[expect(clippy::cast_possible_truncation)]
        Errno::result(unsafe {
            syscall(
                sys_socket,
                domain,
                stype,
                proto,
                SYSCOOKIE_POOL.get(CookieIdx::SocketArg3),
                SYSCOOKIE_POOL.get(CookieIdx::SocketArg4),
                SYSCOOKIE_POOL.get(CookieIdx::SocketArg5),
            )
        })
        .map(|fd| fd as RawFd)
    } else {
        // SAFETY:
        // socketcall(2) on multiplexed architecture.
        // Use libc version for convenience.
        Errno::result(unsafe { socket(domain, stype, proto) })
    }
    .map(|fd| {
        // SAFETY: socket returns a valid FD on success.
        unsafe { SafeOwnedFd::from_raw_fd(fd) }
    })
}

/// socketpair(2) may be multiplexed by socketcall(2).
pub static SYS_SOCKETPAIR: LazyLock<Option<c_long>> =
    LazyLock::new(|| resolve_syscall("socketpair"));

/// Safe socketpair(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_socketpair(
    domain: AddressFamily,
    stype: SockType,
    proto: c_int,
    flags: SockFlag,
) -> Result<(SafeOwnedFd, SafeOwnedFd), Errno> {
    let mut fds = [-1, -1];
    let domain = domain.as_raw();
    let stype = stype.as_raw() | flags.bits();

    if let Some(sys_socketpair) = *SYS_SOCKETPAIR {
        // SAFETY:
        // 1. domain, stype, and proto are caller-provided integers.
        // 2. fds is a writable 2-element array.
        // 3. Trailing arguments are sealed cookies.
        Errno::result(unsafe {
            syscall(
                sys_socketpair,
                domain,
                stype,
                proto,
                fds.as_mut_ptr(),
                SYSCOOKIE_POOL.get(CookieIdx::SocketpairArg4),
                SYSCOOKIE_POOL.get(CookieIdx::SocketpairArg5),
            )
        })?;
    } else {
        // SAFETY:
        // socketcall(2) on multiplexed architecture.
        // Use libc version for convenience.
        Errno::result(unsafe { socketpair(domain, stype, proto, fds.as_mut_ptr()) })?;
    }

    // SAFETY: socketpair returns valid FDs on success.
    unsafe {
        Ok((
            SafeOwnedFd::from_raw_fd(fds[0]),
            SafeOwnedFd::from_raw_fd(fds[1]),
        ))
    }
}

/// accept4(2) may be multiplexed by socketcall(2).
pub static SYS_ACCEPT4: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("accept4"));

/// SockaddrStorage with added size information.
#[derive(Debug)]
pub struct SizedSockaddrStorage {
    /// Address buffer
    pub addr: SockaddrStorage,
    /// Address size
    pub size: socklen_t,
}

/// Safe accept4(2) confined by syscall cookies.
///
/// When want_src_addr is true, returns peer's source address and its length.
#[inline(always)]
pub(crate) fn safe_accept4<Fd: AsFd>(
    fd: Fd,
    flags: SockFlag,
    want_src_addr: bool,
) -> Result<(SafeOwnedFd, Option<SizedSockaddrStorage>), Errno> {
    if want_src_addr {
        let mut storage = MaybeUninit::<libc::sockaddr_storage>::zeroed();
        #[expect(clippy::cast_possible_truncation)]
        let mut size = size_of::<libc::sockaddr_storage>() as socklen_t;

        let fd = do_accept4(fd, storage.as_mut_ptr().cast(), &raw mut size, flags)?;

        // SAFETY: accept4 returned success, storage is initialised up to size bytes.
        let addr = unsafe { SockaddrStorage::from_raw(storage.as_ptr().cast(), Some(size)) }
            .ok_or(Errno::EINVAL)?;
        let addr = SizedSockaddrStorage { addr, size };

        Ok((fd, Some(addr)))
    } else {
        let fd = do_accept4(fd, ptr::null_mut(), ptr::null_mut(), flags)?;
        Ok((fd, None))
    }
}

/// accept4(2) syscall with cookie confinement.
#[inline(always)]
fn do_accept4<Fd: AsFd>(
    fd: Fd,
    addr: *mut sockaddr,
    len: *mut socklen_t,
    flags: SockFlag,
) -> Result<SafeOwnedFd, Errno> {
    if let Some(sys_accept4) = *SYS_ACCEPT4 {
        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. addr and len are valid or NULL.
        // 3. Trailing arguments are sealed cookies.
        #[expect(clippy::cast_possible_truncation)]
        Errno::result(unsafe {
            syscall(
                sys_accept4,
                fd.as_fd().as_raw_fd(),
                addr,
                len,
                flags.bits(),
                SYSCOOKIE_POOL.get(CookieIdx::Accept4Arg4),
                SYSCOOKIE_POOL.get(CookieIdx::Accept4Arg5),
            )
        })
        .map(|fd| {
            // SAFETY: accept4(2) returns a valid fd on success.
            unsafe { SafeOwnedFd::from_raw_fd(fd as RawFd) }
        })
    } else {
        // SAFETY: socketcall(2) on multiplexed architecture.
        // Use libc version for convenience.
        Errno::result(unsafe { accept4(fd.as_fd().as_raw_fd(), addr, len, flags.bits()) }).map(
            |fd| {
                // SAFETY: accept4(2) returns a valid fd on success.
                unsafe { SafeOwnedFd::from_raw_fd(fd) }
            },
        )
    }
}

/// bind(2) may be multiplexed by socketcall(2).
pub(crate) static SYS_BIND: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("bind"));

/// Safe bind(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_bind<Fd: AsFd>(fd: Fd, addr: &dyn SockaddrLike) -> Result<(), Errno> {
    if let Some(sys_bind) = *SYS_BIND {
        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. addr.as_ptr() and addr.len() from SockaddrLike.
        // 3. Trailing arguments are sealed cookies.
        Errno::result(unsafe {
            syscall(
                sys_bind,
                fd.as_fd().as_raw_fd(),
                addr.as_ptr(),
                addr.len(),
                SYSCOOKIE_POOL.get(CookieIdx::BindArg3),
                SYSCOOKIE_POOL.get(CookieIdx::BindArg4),
                SYSCOOKIE_POOL.get(CookieIdx::BindArg5),
            )
        })
        .map(drop)
    } else {
        // socketcall(2) on multiplexed architecture.
        // Use libc version for convenience.
        bind(fd.as_fd().as_raw_fd(), addr)
    }
}

/// connect(2) may be multiplexed by socketcall(2).
pub static SYS_CONNECT: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("connect"));

/// Safe connect(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_connect<Fd: AsFd>(fd: Fd, addr: &dyn SockaddrLike) -> Result<(), Errno> {
    if let Some(sys_connect) = *SYS_CONNECT {
        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. addr.as_ptr() and addr.len() from SockaddrLike.
        // 3. Trailing arguments are sealed cookies.
        Errno::result(unsafe {
            syscall(
                sys_connect,
                fd.as_fd().as_raw_fd(),
                addr.as_ptr(),
                addr.len(),
                SYSCOOKIE_POOL.get(CookieIdx::ConnectArg3),
                SYSCOOKIE_POOL.get(CookieIdx::ConnectArg4),
                SYSCOOKIE_POOL.get(CookieIdx::ConnectArg5),
            )
        })
        .map(drop)
    } else {
        // socketcall(2) on multiplexed architecture.
        // Use libc version for convenience.
        connect(fd.as_fd().as_raw_fd(), addr)
    }
}

/// shutdown(2) may be multiplexed by socketcall(2).
///
/// This is used by syd-tor(1) only, syd(1) does not hook into shutdown(2).
pub static SYS_SHUTDOWN: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("shutdown"));

/// Safe shutdown(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_shutdown<Fd: AsFd>(fd: Fd, how: Shutdown) -> Result<(), Errno> {
    let how = match how {
        Shutdown::Read => SHUT_RD,
        Shutdown::Write => SHUT_WR,
        Shutdown::Both => SHUT_RDWR,
    };

    if let Some(sys_shutdown) = *SYS_SHUTDOWN {
        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. how is derived from Shutdown enum.
        // 3. Trailing arguments are sealed cookies.
        Errno::result(unsafe {
            syscall(
                sys_shutdown,
                fd.as_fd().as_raw_fd(),
                how,
                SYSCOOKIE_POOL.get(CookieIdx::ShutdownArg2),
                SYSCOOKIE_POOL.get(CookieIdx::ShutdownArg3),
                SYSCOOKIE_POOL.get(CookieIdx::ShutdownArg4),
                SYSCOOKIE_POOL.get(CookieIdx::ShutdownArg5),
            )
        })
        .map(drop)
    } else {
        // SAFETY: socketcall(2) on multiplexed architecture.
        // Use libc version for convenience.
        Errno::result(unsafe { shutdown(fd.as_fd().as_raw_fd(), how) }).map(drop)
    }
}

/// sendmsg(2) may be multiplexed by socketcall(2).
pub static SYS_SENDMSG: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("sendmsg"));

/// Safe sendmsg(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_sendmsg<Fd: AsFd, S: SockaddrLike>(
    fd: Fd,
    iov: &[IoSlice<'_>],
    cmsgs: &[Cmsg<'_>],
    flags: MsgFlags,
    addr: Option<&S>,
) -> Result<usize, Errno> {
    let fd = fd.as_fd().as_raw_fd();
    let flags = flags.bits();

    let mut msg_buf = pack_cmsg_buf(cmsgs)?;
    let mut msg_hdr = MsgHdr::default();
    if let Some(addr) = addr {
        msg_hdr.set_addr(addr);
    }
    msg_hdr.set_iov(iov);
    msg_hdr.set_control(&mut msg_buf);
    let msg_hdr = msg_hdr.as_mut_ptr().cast();

    if let Some(sys_sendmsg) = *SYS_SENDMSG {
        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. msg_hdr is a valid msghdr pointer.
        // 3. flags are from caller.
        // 4. Trailing arguments are sealed cookies.
        #[expect(clippy::cast_sign_loss)]
        #[expect(clippy::cast_possible_truncation)]
        Errno::result(unsafe {
            syscall(
                sys_sendmsg,
                fd,
                msg_hdr,
                flags,
                SYSCOOKIE_POOL.get(CookieIdx::SendMsgArg3),
                SYSCOOKIE_POOL.get(CookieIdx::SendMsgArg4),
                SYSCOOKIE_POOL.get(CookieIdx::SendMsgArg5),
            )
        })
        .map(|r| r as usize)
    } else {
        // SAFETY: socketcall(2) on multiplexed architecture.
        // Use libc version for convenience.
        #[expect(clippy::cast_sign_loss)]
        Errno::result(unsafe { libc::sendmsg(fd, msg_hdr, flags) }).map(|r| r as usize)
    }
}

/// sendmmsg(2) may be multiplexed by socketcall(2).
pub static SYS_SENDMMSG: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("sendmmsg"));

/// Safe sendmmsg(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_sendmmsg<Fd: AsFd>(
    fd: Fd,
    msgvec: &mut [MmsgHdr],
    flags: MsgFlags,
) -> Result<usize, Errno> {
    let fd = fd.as_fd().as_raw_fd();
    let flags = flags.bits();

    // MmsgHdr is repr(transparent) over libc::mmsghdr.
    let msglen: c_uint = msgvec.len().try_into().or(Err(Errno::EOVERFLOW))?;
    let msgvec = msgvec.as_mut_ptr().cast();

    if let Some(sys_sendmmsg) = *SYS_SENDMMSG {
        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. msgvec is a valid mmsghdr array.
        // 3. msglen is array length.
        // 4. flags are from caller.
        // 5. Trailing arguments are sealed cookies.
        #[expect(clippy::cast_sign_loss)]
        #[expect(clippy::cast_possible_truncation)]
        Errno::result(unsafe {
            syscall(
                sys_sendmmsg,
                fd,
                msgvec,
                msglen,
                flags,
                SYSCOOKIE_POOL.get(CookieIdx::SendMmsgArg4),
                SYSCOOKIE_POOL.get(CookieIdx::SendMmsgArg5),
            )
        })
        .map(|r| r as usize)
    } else {
        // SAFETY: socketcall(2) on multiplexed architecture.
        #[expect(clippy::cast_sign_loss)]
        #[expect(clippy::as_underscore)]
        Errno::result(unsafe { libc::sendmmsg(fd, msgvec, msglen, flags as _) }).map(|r| r as usize)
    }
}

/// recvmsg(2) may be multiplexed by socketcall(2).
pub static SYS_RECVMSG: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("recvmsg"));

/// Safe recvmsg(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_recvmsg<'a, Fd: AsFd>(
    fd: Fd,
    msghdr: &'a mut MsgHdr,
    flags: MsgFlags,
) -> Result<RecvMsg<'a>, Errno> {
    let fd = fd.as_fd().as_raw_fd();
    let flags = flags.bits();

    // MsgHdr is repr(transparent) over libc::msghdr.
    let msgptr = msghdr.as_mut_ptr().cast();

    #[expect(clippy::cast_sign_loss)]
    let bytes = if let Some(sys_recvmsg) = *SYS_RECVMSG {
        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. msghdr is a valid msghdr pointer.
        // 3. flags are from caller.
        // 4. Trailing arguments are sealed cookies.
        #[expect(clippy::cast_possible_truncation)]
        Errno::result(unsafe {
            syscall(
                sys_recvmsg,
                fd,
                msgptr,
                flags,
                SYSCOOKIE_POOL.get(CookieIdx::RecvMsgArg3),
                SYSCOOKIE_POOL.get(CookieIdx::RecvMsgArg4),
                SYSCOOKIE_POOL.get(CookieIdx::RecvMsgArg5),
            )
        })
        .map(|r| r as usize)
    } else {
        // SAFETY: socketcall(2) on multiplexed architecture.
        // Use libc version for convenience.
        Errno::result(unsafe { libc::recvmsg(fd, msgptr, flags) }).map(|r| r as usize)
    }?;

    Ok(RecvMsg {
        bytes,
        msghdr,
        flags: msghdr.msg_flags(),
    })
}

/// recvmmsg(2) may be multiplexed by socketcall(2).
pub static SYS_RECVMMSG: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("recvmmsg"));

/// recvmmsg_time64(2) may not be available on all architectures.
pub static SYS_RECVMMSG_TIME64: LazyLock<Option<c_long>> =
    LazyLock::new(|| resolve_syscall("recvmmsg_time64"));

/// Safe recvmmsg(2) confined by syscall cookies.
///
/// Tries recvmmsg_time64(2) first, then recvmmsg(2), then socketcall(2) fallback.
// On 32-bit, recvmmsg(2) is time32 variant which takes old_timespec32* for timeout.
// On 64-bit, recvmmsg(2) takes native timespec (same as time64) for timeout.
#[inline(always)]
pub(crate) fn safe_recvmmsg<Fd: AsFd>(
    fd: Fd,
    msgvec: &mut [MmsgHdr],
    flags: MsgFlags,
    timeout: Option<&mut TimeSpec64>,
) -> Result<usize, Errno> {
    let fd = fd.as_fd().as_raw_fd();
    let flags = flags.bits();

    // MmsgHdr is repr(transparent) over libc::mmsghdr.
    let msglen: c_uint = msgvec.len().try_into().or(Err(Errno::EOVERFLOW))?;
    let msgvec = msgvec.as_mut_ptr().cast();

    if let Some(sys) = *SYS_RECVMMSG_TIME64 {
        // TimeSpec64 matches Linux kernel layout.
        let timeout = match timeout {
            Some(timeout) => std::ptr::from_mut(timeout).cast::<c_void>(),
            None => std::ptr::null_mut(),
        };

        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. msgvec is a valid mmsghdr array.
        // 3. msglen is array length.
        // 4. flags are from caller.
        // 5. timeout is valid or NULL.
        // 6. Trailing argument is a sealed cookie.
        #[expect(clippy::cast_sign_loss)]
        #[expect(clippy::cast_possible_truncation)]
        Errno::result(unsafe {
            syscall(
                sys,
                fd,
                msgvec,
                msglen,
                flags,
                timeout,
                SYSCOOKIE_POOL.get(CookieIdx::RecvMmsgArg5),
            )
        })
        .map(|r| r as usize)
    } else if let Some(sys) = *SYS_RECVMMSG {
        #[cfg(target_pointer_width = "32")]
        {
            use crate::compat::TimeSpec32;

            // Convert Timespec64 to 32-bit with overflow check.
            let mut timeout32;
            let timeout32 = if let Some(timeout) = timeout.as_deref() {
                timeout32 = TimeSpec32::try_from(*timeout)?;
                &raw mut timeout32 as *mut c_void
            } else {
                std::ptr::null_mut()
            };

            // SAFETY:
            // 1. fd is a valid file descriptor.
            // 2. msgvec is a valid mmsghdr array.
            // 3. msglen is array length.
            // 4. flags are from caller.
            // 5. timeout32 is valid or NULL.
            // 6. Trailing argument is a sealed cookie.
            #[expect(clippy::cast_sign_loss)]
            #[expect(clippy::cast_possible_truncation)]
            Errno::result(unsafe {
                syscall(
                    sys,
                    fd,
                    msgvec,
                    msglen,
                    flags,
                    timeout32,
                    SYSCOOKIE_POOL.get(CookieIdx::RecvMmsgArg5),
                )
            })
            .map(|r| r as usize)
        }
        #[cfg(not(target_pointer_width = "32"))]
        {
            // TimeSpec64 matches Linux kernel layout.
            let timeout = match timeout {
                Some(timeout) => std::ptr::from_mut(timeout).cast::<c_void>(),
                None => std::ptr::null_mut(),
            };

            // SAFETY:
            // 1. fd is a valid file descriptor.
            // 2. msgvec is a valid mmsghdr array.
            // 3. msglen is array length.
            // 4. flags are from caller.
            // 5. timeout is valid or NULL.
            // 6. Trailing argument is a sealed cookie.
            #[expect(clippy::cast_sign_loss)]
            #[expect(clippy::cast_possible_truncation)]
            Errno::result(unsafe {
                syscall(
                    sys,
                    fd,
                    msgvec,
                    msglen,
                    flags,
                    timeout,
                    SYSCOOKIE_POOL.get(CookieIdx::RecvMmsgArg5),
                )
            })
            .map(|r| r as usize)
        }
    } else {
        // TimeSpec64 matches Linux kernel layout.
        let timeout = match timeout {
            Some(timeout) => std::ptr::from_mut(timeout).cast::<c_void>(),
            None => std::ptr::null_mut(),
        };

        // SAFETY: socketcall(2) on multiplexed architecture.
        #[expect(clippy::cast_sign_loss)]
        #[expect(clippy::as_underscore)]
        Errno::result(unsafe { libc::recvmmsg(fd, msgvec, msglen, flags as _, timeout.cast()) })
            .map(|r| r as usize)
    }
}

/// Safe memfd_create(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_memfd_create<P: NixPath + ?Sized>(
    name: &P,
    flags: MFdFlags,
) -> Result<SafeOwnedFd, Errno> {
    // Name limit is 249 bytes,
    // excluding terminating null byte.
    if name.len() > 249 {
        return Err(Errno::EINVAL);
    }

    let res = name.with_nix_path(|cstr| {
        // SAFETY:
        // 1. cstr is a NUL-terminated Cstr.
        // 2. length validated to be <= 249.
        // 3. flags are from MfdFlags.
        // 4. Trailing arguments are sealed cookies.
        unsafe {
            syscall(
                SYS_memfd_create,
                cstr.as_ptr(),
                flags.bits(),
                SYSCOOKIE_POOL.get(CookieIdx::MemfdCreateArg2),
                SYSCOOKIE_POOL.get(CookieIdx::MemfdCreateArg3),
                SYSCOOKIE_POOL.get(CookieIdx::MemfdCreateArg4),
                SYSCOOKIE_POOL.get(CookieIdx::MemfdCreateArg5),
            )
        }
    })?;

    // SAFETY:
    //
    // memfd_create(2) returns a valid fd on success.
    #[expect(clippy::cast_possible_truncation)]
    Errno::result(res).map(|r| unsafe { SafeOwnedFd::from_raw_fd(r as RawFd) })
}

// memfd_secret(2) may not be available (e.g. on loongarch64), and libc::SYS_memfd_secret may not be defined.
// Therefore we query number using libseccomp.
static SYS_MEMFD_SECRET: LazyLock<Option<c_long>> =
    LazyLock::new(|| resolve_syscall("memfd_secret"));

/// Safe memfd_secret(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_memfd_secret(flags: SecretMemFlags) -> Result<SafeOwnedFd, Errno> {
    let sys_memfd_secret = SYS_MEMFD_SECRET.ok_or(Errno::ENOSYS)?;

    // SAFETY:
    // 1. flags is from SecretMemFlags.
    // 2. All remaining arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            sys_memfd_secret,
            flags.bits(),
            SYSCOOKIE_POOL.get(CookieIdx::MemfdSecretArg1),
            SYSCOOKIE_POOL.get(CookieIdx::MemfdSecretArg2),
            SYSCOOKIE_POOL.get(CookieIdx::MemfdSecretArg3),
            SYSCOOKIE_POOL.get(CookieIdx::MemfdSecretArg4),
            SYSCOOKIE_POOL.get(CookieIdx::MemfdSecretArg5),
        )
    })
    .map(|r| {
        // SAFETY: memfd_create(2) returns a valid fd on success.
        #[expect(clippy::cast_possible_truncation)]
        unsafe {
            SafeOwnedFd::from_raw_fd(r as RawFd)
        }
    })
}

/// Safe renameat2(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_renameat2<Fd1: AsFd, Fd2: AsFd, P1: NixPath + ?Sized, P2: NixPath + ?Sized>(
    old_dirfd: Fd1,
    old_path: &P1,
    new_dirfd: Fd2,
    new_path: &P2,
    flags: RenameFlags,
) -> Result<(), Errno> {
    let res = old_path.with_nix_path(|old_cstr| {
        new_path.with_nix_path(|new_cstr| {
            // SAFETY:
            // 1. Both dirfds are valid file descriptors.
            // 2. Both paths are NUL-terminated CStr from NixPath.
            // 3. flags are from RenameFlags.
            // 4. Trailing argument is a sealed cookie.
            unsafe {
                syscall(
                    SYS_renameat2,
                    old_dirfd.as_fd().as_raw_fd(),
                    old_cstr.as_ptr(),
                    new_dirfd.as_fd().as_raw_fd(),
                    new_cstr.as_ptr(),
                    flags.bits(),
                    SYSCOOKIE_POOL.get(CookieIdx::Renameat2Arg5),
                )
            }
        })
    })??;
    Errno::result(res).map(drop)
}

// fchmodat2(2) may not be available, and libc::SYS_fchmodat2 may not be defined.
// Therefore we query number using libseccomp.
static SYS_FCHMODAT2: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("fchmodat2"));

/// truncate(2) may be aliased to truncate64(2) by libc.
static SYS_TRUNCATE: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("truncate"));

/// truncate64(2) may not always be available via libc.
// This is not present on some architectures.
#[allow(dead_code)]
static SYS_TRUNCATE64: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("truncate64"));

/// ftruncate(2) may be aliased to ftruncate64(2) by libc.
static SYS_FTRUNCATE: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("ftruncate"));

/// ftruncate64(2) may not always be available via libc.
// This is not present on some architectures.
#[allow(dead_code)]
static SYS_FTRUNCATE64: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("ftruncate64"));

/// sendfile(2) may be aliased to sendfile64(2) by libc.
static SYS_SENDFILE: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("sendfile"));

/// sendfile64(2) may not always be available (absent on 64-bit native).
pub static SYS_SENDFILE64: LazyLock<Option<c_long>> =
    LazyLock::new(|| resolve_syscall("sendfile64"));

/// Safe truncate(2) confined by syscall cookies.
pub(crate) fn safe_truncate<P: NixPath + ?Sized>(path: &P, len: off_t) -> Result<(), Errno> {
    // On ILP32 where off_t is 64-bit, dispatch to truncate64 ABI.
    if size_of::<off_t>() > size_of::<c_long>() {
        return safe_truncate64(path, off64_t::from(len));
    }

    let sys_truncate = SYS_TRUNCATE.ok_or(Errno::ENOSYS)?;
    let res = path.with_nix_path(|cstr| {
        // SAFETY:
        // 1. cstr is a NUL-terminated CStr from NixPath.
        // 2. len is a valid off_t.
        // 3. Trailing arguments are sealed cookies.
        unsafe {
            syscall(
                sys_truncate,
                cstr.as_ptr(),
                len,
                SYSCOOKIE_POOL.get(CookieIdx::TruncateArg2),
                SYSCOOKIE_POOL.get(CookieIdx::TruncateArg3),
                SYSCOOKIE_POOL.get(CookieIdx::TruncateArg4),
                SYSCOOKIE_POOL.get(CookieIdx::TruncateArg5),
            )
        }
    })?;
    Errno::result(res).map(drop)
}

/// Safe truncate64(2) confined by syscall cookies.
pub(crate) fn safe_truncate64<P: NixPath + ?Sized>(path: &P, len: off64_t) -> Result<(), Errno> {
    #[cfg(not(any(
        target_pointer_width = "64",
        all(target_arch = "x86_64", target_pointer_width = "32"),
        target_arch = "x86",
        target_arch = "arm",
        target_arch = "powerpc",
        target_arch = "m68k",
        target_arch = "mips",
        target_arch = "mips32r6",
    )))]
    {
        compile_error!("BUG: safe_truncate64 is not implemented for this architecture!");
    }

    #[cfg(any(
        target_pointer_width = "64",
        all(target_arch = "x86_64", target_pointer_width = "32"),
    ))]
    {
        safe_truncate(path, len)
    }

    #[cfg(any(target_arch = "m68k", target_arch = "x86",))]
    {
        let sys_truncate64 = SYS_TRUNCATE64.ok_or(Errno::ENOSYS)?;

        let val = len as u64;
        let low = (val & 0xFFFF_FFFF) as c_long;
        let high = (val >> 32) as c_long;
        let (a, b) = if cfg!(target_endian = "little") {
            (low, high)
        } else {
            (high, low)
        };

        let res = path.with_nix_path(|cstr| {
            // SAFETY:
            // 1. cstr is a NUL-terminated CStr from NixPath.
            // 2. a and b are split high/low halves of 64-bit offset.
            // 3. Trailing arguments are sealed cookies.
            unsafe {
                syscall(
                    sys_truncate64,
                    cstr.as_ptr(),
                    a,
                    b,
                    SYSCOOKIE_POOL.get(CookieIdx::Truncate64Arg3),
                    SYSCOOKIE_POOL.get(CookieIdx::Truncate64Arg4),
                    SYSCOOKIE_POOL.get(CookieIdx::Truncate64Arg5),
                )
            }
        })?;
        Errno::result(res).map(drop)
    }

    #[cfg(any(
        target_arch = "arm",
        target_arch = "powerpc",
        target_arch = "mips",
        target_arch = "mips32r6"
    ))]
    {
        let sys_truncate64 = SYS_TRUNCATE64.ok_or(Errno::ENOSYS)?;

        let val = len as u64;
        let low = (val & 0xFFFF_FFFF) as c_long;
        let high = (val >> 32) as c_long;
        let (a, b) = if cfg!(target_endian = "little") {
            (low, high)
        } else {
            (high, low)
        };

        let res = path.with_nix_path(|cstr| {
            // SAFETY:
            // 1. cstr is a NUL-terminated CStr from NixPath.
            // 2. a and b are split high/low halves of 64-bit offset.
            // 3. Trailing arguments are sealed cookies.
            unsafe {
                syscall(
                    sys_truncate64,
                    cstr.as_ptr(),
                    0 as c_long,
                    a,
                    b,
                    SYSCOOKIE_POOL.get(CookieIdx::Truncate64Arg4),
                    SYSCOOKIE_POOL.get(CookieIdx::Truncate64Arg5),
                )
            }
        })?;
        Errno::result(res).map(drop)
    }
}

/// Safe ftruncate(2) confined by syscall cookies.
pub(crate) fn safe_ftruncate<Fd: AsFd>(fd: Fd, len: off_t) -> Result<(), Errno> {
    // On ILP32 where off_t is 64-bit, dispatch to ftruncate64 ABI.
    if size_of::<off_t>() > size_of::<c_long>() {
        return safe_ftruncate64(fd, off64_t::from(len));
    }

    let sys_ftruncate = SYS_FTRUNCATE.ok_or(Errno::ENOSYS)?;

    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. len is a valid off_t.
    // 3. Trailing arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            sys_ftruncate,
            fd.as_fd().as_raw_fd(),
            len,
            SYSCOOKIE_POOL.get(CookieIdx::FtruncateArg2),
            SYSCOOKIE_POOL.get(CookieIdx::FtruncateArg3),
            SYSCOOKIE_POOL.get(CookieIdx::FtruncateArg4),
            SYSCOOKIE_POOL.get(CookieIdx::FtruncateArg5),
        )
    })
    .map(drop)
}

/// Safe ftruncate64(2) confined by syscall cookies.
pub(crate) fn safe_ftruncate64<Fd: AsFd>(fd: Fd, len: off64_t) -> Result<(), Errno> {
    #[cfg(not(any(
        target_pointer_width = "64",
        all(target_arch = "x86_64", target_pointer_width = "32"),
        target_arch = "x86",
        target_arch = "arm",
        target_arch = "powerpc",
        target_arch = "m68k",
        target_arch = "mips",
        target_arch = "mips32r6",
    )))]
    {
        compile_error!("BUG: safe_ftruncate64 is not implemented for this architecture!");
    }

    #[cfg(any(
        target_pointer_width = "64",
        all(target_arch = "x86_64", target_pointer_width = "32"),
    ))]
    {
        safe_ftruncate(fd, len)
    }

    #[cfg(any(target_arch = "m68k", target_arch = "x86",))]
    {
        let sys_ftruncate64 = SYS_FTRUNCATE64.ok_or(Errno::ENOSYS)?;

        let val = len as u64;
        let low = (val & 0xFFFF_FFFF) as c_long;
        let high = (val >> 32) as c_long;
        let (a, b) = if cfg!(target_endian = "little") {
            (low, high)
        } else {
            (high, low)
        };

        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. a and b are split 64-bit offset.
        // 3. Trailing arguments are sealed cookies.
        Errno::result(unsafe {
            syscall(
                sys_ftruncate64,
                fd.as_fd().as_raw_fd(),
                a,
                b,
                SYSCOOKIE_POOL.get(CookieIdx::Ftruncate64Arg3),
                SYSCOOKIE_POOL.get(CookieIdx::Ftruncate64Arg4),
                SYSCOOKIE_POOL.get(CookieIdx::Ftruncate64Arg5),
            )
        })
        .map(drop)
    }

    #[cfg(any(
        target_arch = "arm",
        target_arch = "powerpc",
        target_arch = "mips",
        target_arch = "mips32r6"
    ))]
    {
        let sys_ftruncate64 = SYS_FTRUNCATE64.ok_or(Errno::ENOSYS)?;

        let val = len as u64;
        let low = (val & 0xFFFF_FFFF) as c_long;
        let high = (val >> 32) as c_long;
        let (a, b) = if cfg!(target_endian = "little") {
            (low, high)
        } else {
            (high, low)
        };

        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. a and b are split 64-bit offset.
        // 3. Trailing arguments are sealed cookies.
        Errno::result(unsafe {
            syscall(
                sys_ftruncate64,
                fd.as_fd().as_raw_fd(),
                0 as c_long,
                a,
                b,
                SYSCOOKIE_POOL.get(CookieIdx::Ftruncate64Arg4),
                SYSCOOKIE_POOL.get(CookieIdx::Ftruncate64Arg5),
            )
        })
        .map(drop)
    }
}

/// Safe fallocate(2) confined by syscall cookies.
pub(crate) fn safe_fallocate<Fd: AsFd>(
    fd: Fd,
    mode: FallocateFlags,
    offset: off64_t,
    len: off64_t,
) -> Result<(), Errno> {
    // On 64-bit architectures, fallocate(2) uses 4 register slots:
    //   (fd, mode, offset, len)
    // leaving arg4 and arg5 available for cookies.
    //
    // On 32-bit architectures, fallocate(2) uses all 6 slots:
    //   (fd, mode, off_hi, off_lo, len_hi, len_lo)
    // so we fall back to libc::fallocate64 without cookies.
    #[cfg(target_pointer_width = "64")]
    {
        // SAFETY:
        // 1. fd is a valid file descriptor.
        // 2. mode is from FallocateFlags.
        // 3. offset and len are valid off64_t.
        // 4. Trailing arguments are sealed cookied.
        Errno::result(unsafe {
            syscall(
                libc::SYS_fallocate,
                fd.as_fd().as_raw_fd(),
                mode.bits(),
                offset,
                len,
                SYSCOOKIE_POOL.get(CookieIdx::FallocateArg4),
                SYSCOOKIE_POOL.get(CookieIdx::FallocateArg5),
            )
        })
        .map(drop)
    }

    #[cfg(target_pointer_width = "32")]
    {
        crate::fs::fallocate64(fd, mode, offset, len)
    }
}

/// Safe unlinkat(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_unlinkat<Fd: AsFd, P: NixPath + ?Sized>(
    dirfd: Fd,
    path: &P,
    flag: UnlinkatFlags,
) -> Result<(), Errno> {
    let atflag = match flag {
        UnlinkatFlags::RemoveDir => AtFlags::AT_REMOVEDIR,
        UnlinkatFlags::NoRemoveDir => AtFlags::empty(),
    };

    let res = path.with_nix_path(|cstr| {
        // SAFETY:
        // 1. dirfd is a valid file descriptor.
        // 2. cstr is a NUL-terminated CStr from NixPath.
        // 3. atflag is from AtFlags.
        // 4. Trailing arguments are sealed cookies.
        unsafe {
            syscall(
                SYS_unlinkat,
                dirfd.as_fd().as_raw_fd(),
                cstr.as_ptr(),
                atflag.bits(),
                SYSCOOKIE_POOL.get(CookieIdx::UnlinkatArg3),
                SYSCOOKIE_POOL.get(CookieIdx::UnlinkatArg4),
                SYSCOOKIE_POOL.get(CookieIdx::UnlinkatArg5),
            )
        }
    })?;
    Errno::result(res).map(drop)
}

/// Safe linkat(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_linkat<Fd1: AsFd, Fd2: AsFd, P1: NixPath + ?Sized, P2: NixPath + ?Sized>(
    olddirfd: Fd1,
    oldpath: &P1,
    newdirfd: Fd2,
    newpath: &P2,
    flag: AtFlags,
) -> Result<(), Errno> {
    let res = oldpath.with_nix_path(|oldcstr| {
        newpath.with_nix_path(|newcstr| {
            // SAFETY:
            // 1. Both dirfds are valid file descriptors.
            // 2. Both paths are NUL-terminated CStr from NixPath.
            // 3. flag is from AtFlags.
            // 4. Trailing arguments are sealed cookies.
            unsafe {
                syscall(
                    SYS_linkat,
                    olddirfd.as_fd().as_raw_fd(),
                    oldcstr.as_ptr(),
                    newdirfd.as_fd().as_raw_fd(),
                    newcstr.as_ptr(),
                    flag.bits(),
                    SYSCOOKIE_POOL.get(CookieIdx::LinkatArg5_1),
                )
            }
        })
    })??;
    Errno::result(res).map(drop)
}

/// Safe linkat(2) with AT_EMPTY_PATH confined by syscall cookies.
///
/// Requires CAP_DAC_READ_SEARCH capability.
#[inline(always)]
pub(crate) fn safe_fdlink<Fd1: AsFd, Fd2: AsFd, P1: NixPath + ?Sized>(
    olddirfd: Fd1,
    newdirfd: Fd2,
    newpath: &P1,
) -> Result<(), Errno> {
    let res = newpath.with_nix_path(|newcstr| {
        // SAFETY:
        // 1. Both dirfds are valid file descriptors.
        // 2. Both paths are NUL-terminated CStr from NixPath.
        // 3. flag is from AtFlags.
        // 4. Trailing arguments are sealed cookies.
        unsafe {
            syscall(
                SYS_linkat,
                olddirfd.as_fd().as_raw_fd(),
                empty_path() as *const c_char,
                newdirfd.as_fd().as_raw_fd(),
                newcstr.as_ptr(),
                AtFlags::AT_EMPTY_PATH.bits(),
                SYSCOOKIE_POOL.get(CookieIdx::LinkatArg5_2),
            )
        }
    })?;
    Errno::result(res).map(drop)
}

/// Safe symlinkat(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_symlinkat<Fd: AsFd, P1: NixPath + ?Sized, P2: NixPath + ?Sized>(
    path1: &P1,
    dirfd: Fd,
    path2: &P2,
) -> Result<(), Errno> {
    let res = path1.with_nix_path(|path1| {
        path2.with_nix_path(|path2| {
            // SAFETY:
            // 1. dirfd is a valid file descriptor.
            // 2. paths are NUL-terminated CStr from NixPath.
            // 3. Trailing arguments are sealed cookies.
            unsafe {
                syscall(
                    SYS_symlinkat,
                    path1.as_ptr(),
                    dirfd.as_fd().as_raw_fd(),
                    path2.as_ptr(),
                    SYSCOOKIE_POOL.get(CookieIdx::SymlinkatArg3),
                    SYSCOOKIE_POOL.get(CookieIdx::SymlinkatArg4),
                    SYSCOOKIE_POOL.get(CookieIdx::SymlinkatArg5),
                )
            }
        })
    })??;
    Errno::result(res).map(drop)
}

/// Safe mkdirat(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_mkdirat<Fd: AsFd, P: NixPath + ?Sized>(
    dirfd: Fd,
    path: &P,
    mode: Mode,
) -> Result<(), Errno> {
    let res = path.with_nix_path(|cstr| {
        // SAFETY:
        // 1. dirfd is a valid file descriptor.
        // 2. cstr is a valid NUL-terminated CStr via NixPath.
        // 3. mode is from Mode.
        // 4. Trailing arguments are sealed cookies.
        unsafe {
            syscall(
                SYS_mkdirat,
                dirfd.as_fd().as_raw_fd(),
                cstr.as_ptr(),
                mode.bits(),
                SYSCOOKIE_POOL.get(CookieIdx::MkdiratArg3),
                SYSCOOKIE_POOL.get(CookieIdx::MkdiratArg4),
                SYSCOOKIE_POOL.get(CookieIdx::MkdiratArg5),
            )
        }
    })?;
    Errno::result(res).map(drop)
}

/// Safe mknodat(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_mknodat<Fd: AsFd, P: NixPath + ?Sized>(
    dirfd: Fd,
    path: &P,
    kind: SFlag,
    perm: Mode,
    dev: dev_t,
) -> Result<(), Errno> {
    let mode = kind.bits() | perm.bits();

    let res = path.with_nix_path(|cstr| {
        // SAFETY:
        // 1. dirfd is a valid file descriptor.
        // 2. cstr is a valid NUL-terminated CStr via NixPath.
        // 3. mode is from SFlag and Mode.
        // 4. dev is explicitly truncated to unsigned 32-bit.
        // 5. Trailing arguments are sealed cookies.
        unsafe {
            syscall(
                SYS_mknodat,
                dirfd.as_fd().as_raw_fd(),
                cstr.as_ptr(),
                mode,
                (dev & 0xFFFF_FFFF) as libc::c_ulong,
                SYSCOOKIE_POOL.get(CookieIdx::MknodatArg4),
                SYSCOOKIE_POOL.get(CookieIdx::MknodatArg5),
            )
        }
    })?;
    Errno::result(res).map(drop)
}

/// Safe getdents64(2) confined by syscall cookies.
#[expect(clippy::cast_possible_truncation)]
#[expect(clippy::cast_sign_loss)]
pub fn safe_getdents64<Fd: AsFd>(fd: Fd, buf: &mut [u8]) -> Result<usize, Errno> {
    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. buf is a valid mutable slice.
    // 3. Trailing arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            SYS_getdents64,
            fd.as_fd().as_raw_fd(),
            buf.as_mut_ptr().cast::<c_void>(),
            buf.len(),
            SYSCOOKIE_POOL.get(CookieIdx::Getdents64Arg3),
            SYSCOOKIE_POOL.get(CookieIdx::Getdents64Arg4),
            SYSCOOKIE_POOL.get(CookieIdx::Getdents64Arg5),
        )
    })
    .map(|size| size as usize)
}

/// Safe fchdir(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_fchdir<Fd: AsFd>(dirfd: Fd) -> Result<(), Errno> {
    // SAFETY:
    // 1. dirfd is a valid file descriptor.
    // 2. All remaining arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            SYS_fchdir,
            dirfd.as_fd().as_raw_fd(),
            SYSCOOKIE_POOL.get(CookieIdx::FchdirArg1),
            SYSCOOKIE_POOL.get(CookieIdx::FchdirArg2),
            SYSCOOKIE_POOL.get(CookieIdx::FchdirArg3),
            SYSCOOKIE_POOL.get(CookieIdx::FchdirArg4),
            SYSCOOKIE_POOL.get(CookieIdx::FchdirArg5),
        )
    })
    .map(drop)
}

/// Safe faccessat2(2) confined by syscall cookies.
///
/// This calls faccessat2(2) with AT_EMPTY_PATH under the hood.
pub fn safe_faccess<Fd: AsFd>(fd: Fd, mode: AccessFlags, mut flags: AtFlags) -> Result<(), Errno> {
    // Remove AT_SYMLINK_NOFOLLOW and add AT_EMPTY_PATH to flags.
    flags.remove(AtFlags::AT_SYMLINK_NOFOLLOW);
    flags.insert(AtFlags::AT_EMPTY_PATH);

    // SAFETY: No libc wrapper for faccessat2 yet.
    Errno::result(unsafe {
        syscall(
            SYS_faccessat2,
            fd.as_fd().as_raw_fd(),
            empty_path() as *const c_char,
            mode.bits(),
            flags.bits(),
            SYSCOOKIE_POOL.get(CookieIdx::Faccessat2Arg4),
            SYSCOOKIE_POOL.get(CookieIdx::Faccessat2Arg5),
        )
    })
    .map(drop)
}

/// Safe execveat(2) for executability check confined by syscall cookie.
///
/// This uses AT_EXECVE_CHECK | AT_EMPTY_PATH to check if file
/// referenced by fd is executable, without actually executing it.
/// Requires Linux >= 6.14.
// No HAVE_AT_EXECVE_CHECK check happens here, see syd::fd::check_executable.
#[inline(always)]
pub fn safe_execve_check<Fd: AsFd>(fd: Fd) -> Result<(), Errno> {
    let flags = (AT_EXECVE_CHECK | AtFlags::AT_EMPTY_PATH).bits();

    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. path, argv, and envp are static empty sentinels.
    // 3. Trailing argument is a sealed cookie.
    Errno::result(unsafe {
        syscall(
            SYS_execveat,
            fd.as_fd().as_raw_fd(),
            empty_path() as *const c_char,
            empty_argv() as *const *const c_char,
            empty_envp() as *const *const c_char,
            flags,
            SYSCOOKIE_POOL.get(CookieIdx::ExecveatArg5),
        )
    })
    .map(drop)
}

/// Safe fchmodat(2) confined by syscall cookies.
///
/// Note: fchmodat(2) does not have a flags argument and always follows symlinks.
#[inline(always)]
pub(crate) fn safe_fchmodat<Fd: AsFd, P: NixPath + ?Sized>(
    dirfd: Fd,
    path: &P,
    mode: Mode,
) -> Result<(), Errno> {
    let res = path.with_nix_path(|cstr| {
        // SAFETY:
        // 1. dirfd is a valid file descriptor.
        // 2. cstr is a NUL-terminated CStr via NixPath.
        // 3. mode is from Mode.
        // 4. Trailing arguments are sealed cookies.
        unsafe {
            syscall(
                SYS_fchmodat,
                dirfd.as_fd().as_raw_fd(),
                cstr.as_ptr(),
                mode.bits(),
                SYSCOOKIE_POOL.get(CookieIdx::FchmodatArg3),
                SYSCOOKIE_POOL.get(CookieIdx::FchmodatArg4),
                SYSCOOKIE_POOL.get(CookieIdx::FchmodatArg5),
            )
        }
    })?;
    Errno::result(res).map(drop)
}

/// Safe fchmod(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_fchmod<Fd: AsFd>(fd: Fd, mode: Mode) -> Result<(), Errno> {
    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. mode is from Mode.
    // 3. Trailing arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            SYS_fchmod,
            fd.as_fd().as_raw_fd(),
            mode.bits(),
            SYSCOOKIE_POOL.get(CookieIdx::FchmodArg2),
            SYSCOOKIE_POOL.get(CookieIdx::FchmodArg3),
            SYSCOOKIE_POOL.get(CookieIdx::FchmodArg4),
            SYSCOOKIE_POOL.get(CookieIdx::FchmodArg5),
        )
    })
    .map(drop)
}

/// Safe fchmodat2(2) confined by syscall cookies.
///
/// This variant uses AT_EMPTY_PATH with fchmodat2(2) for fd-based chmod.
#[inline(always)]
pub(crate) fn safe_fchmodat2<Fd: AsFd>(dirfd: Fd, mode: Mode) -> Result<(), Errno> {
    let sys_fchmodat2 = SYS_FCHMODAT2.ok_or(Errno::ENOSYS)?;

    // SAFETY:
    // 1. dirfd is a valid file descriptor.
    // 2. path is static empty sentinel.
    // 3. mode is from Mode.
    // 4. Trailing arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            sys_fchmodat2,
            dirfd.as_fd().as_raw_fd(),
            empty_path() as *const c_char,
            mode.bits(),
            AtFlags::AT_EMPTY_PATH.bits(),
            SYSCOOKIE_POOL.get(CookieIdx::Fchmodat2Arg4),
            SYSCOOKIE_POOL.get(CookieIdx::Fchmodat2Arg5),
        )
    })
    .map(drop)
}

/// Safe fchown(2) confined by syscall cookies.
#[inline(always)]
pub(crate) fn safe_fchown<Fd: AsFd>(
    fd: Fd,
    owner: Option<Uid>,
    group: Option<Gid>,
) -> Result<(), Errno> {
    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. uid and gid are from chown_raw_ids.
    // 3. Trailing arguments are sealed cookies.
    Errno::result(unsafe {
        let (uid, gid) = chown_raw_ids(owner, group);
        syscall(
            SYS_fchown,
            fd.as_fd().as_raw_fd(),
            uid,
            gid,
            SYSCOOKIE_POOL.get(CookieIdx::FchownArg3),
            SYSCOOKIE_POOL.get(CookieIdx::FchownArg4),
            SYSCOOKIE_POOL.get(CookieIdx::FchownArg5),
        )
    })
    .map(drop)
}

/// Safe fchownat(2) confined by syscall cookies.
///
/// This calls fchownat(2) with AT_EMPTY_PATH under the hood.
#[inline(always)]
pub(crate) fn safe_fchownat<Fd: AsFd>(
    dirfd: Fd,
    owner: Option<Uid>,
    group: Option<Gid>,
) -> Result<(), Errno> {
    // SAFETY:
    // 1. dirfd is a valid file descriptor.
    // 2. path is static empty sentinel.
    // 3. uid and gid are from chown_raw_ids.
    // 4. Trailing argument is a sealed cookie.
    Errno::result(unsafe {
        let (uid, gid) = chown_raw_ids(owner, group);
        syscall(
            SYS_fchownat,
            dirfd.as_fd().as_raw_fd(),
            empty_path() as *const c_char,
            uid,
            gid,
            AtFlags::AT_EMPTY_PATH.bits(),
            SYSCOOKIE_POOL.get(CookieIdx::FchownatArg5),
        )
    })
    .map(drop)
}

// Computes raw UID and GID values to pass to a *chown call.
// Borrowed from nix-0.31.0.
// Cast is not unnecessary on all platforms.
#[allow(clippy::unnecessary_cast)]
fn chown_raw_ids(owner: Option<Uid>, group: Option<Gid>) -> (uid_t, gid_t) {
    // According to POSIX specification, -1 is used to indicate that
    // owner and group are not to be changed. Since uid_t and gid_t are
    // unsigned types, we have to wrap around to get -1.
    let uid = owner
        .map(Into::into)
        .unwrap_or_else(|| (0 as uid_t).wrapping_sub(1));

    let gid = group
        .map(Into::into)
        .unwrap_or_else(|| (0 as gid_t).wrapping_sub(1));
    (uid, gid)
}

/// Safe uname(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_uname() -> Result<UtsName, Errno> {
    let mut name = UtsName::default();

    // SAFETY:
    // 1. name is a valid, writable stack-allocated UtsName.
    // 2. All remaining arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            SYS_uname,
            &raw mut name,
            SYSCOOKIE_POOL.get(CookieIdx::UnameArg1),
            SYSCOOKIE_POOL.get(CookieIdx::UnameArg2),
            SYSCOOKIE_POOL.get(CookieIdx::UnameArg3),
            SYSCOOKIE_POOL.get(CookieIdx::UnameArg4),
            SYSCOOKIE_POOL.get(CookieIdx::UnameArg5),
        )
    })?;

    Ok(name)
}

/// Safe (2) confined by syscall cookies.
#[inline(always)]
pub fn safe_umask(mode: Mode) -> Mode {
    // SAFETY:
    // 1. mode is from Mode.
    // 2. All remaining arguments are sealed cookies.
    // 3. umask(2) always succeeds.
    #[expect(clippy::cast_possible_truncation)]
    #[expect(clippy::cast_sign_loss)]
    let prev = unsafe {
        syscall(
            SYS_umask,
            mode.bits(),
            SYSCOOKIE_POOL.get(CookieIdx::UmaskArg1),
            SYSCOOKIE_POOL.get(CookieIdx::UmaskArg2),
            SYSCOOKIE_POOL.get(CookieIdx::UmaskArg3),
            SYSCOOKIE_POOL.get(CookieIdx::UmaskArg4),
            SYSCOOKIE_POOL.get(CookieIdx::UmaskArg5),
        )
    } as mode_t;
    #[expect(clippy::disallowed_methods)]
    Mode::from_bits(prev).expect("[BUG] umask returned invalid Mode")
}

/// utimensat(2) may be multiplexed by socketcall-like mechanism on some arches.
pub static SYS_UTIMENSAT: LazyLock<Option<c_long>> = LazyLock::new(|| resolve_syscall("utimensat"));

/// utimensat_time64(2) may not be available on all architectures.
pub static SYS_UTIMENSAT_TIME64: LazyLock<Option<c_long>> =
    LazyLock::new(|| resolve_syscall("utimensat_time64"));

/// Safe utimensat(2) confined by syscall cookies.
///
/// Uses AT_EMPTY_PATH for fd-based timestamp updates.
/// Tries utimensat_time64(2) first, then utimensat(2).
// On 32-bit, utimensat(2) takes old_timespec32 which is {i32, i32} per entry.
// On 64-bit, utimensat(2) takes native timespec (same as time64).
#[inline(always)]
pub(crate) fn safe_utimensat<Fd: AsFd>(
    dirfd: Fd,
    atime: &TimeSpec64,
    mtime: &TimeSpec64,
) -> Result<(), Errno> {
    let fd = dirfd.as_fd().as_raw_fd();
    let path = empty_path() as *const c_char;
    let flags = AtFlags::AT_EMPTY_PATH.bits() as c_int;
    let cookie4 = SYSCOOKIE_POOL.get(CookieIdx::UtimensatArg4);
    let cookie5 = SYSCOOKIE_POOL.get(CookieIdx::UtimensatArg5);

    if let Some(sys) = *SYS_UTIMENSAT_TIME64 {
        let times: [TimeSpec64; 2] = [*atime, *mtime];

        // SAFETY:
        // 1. dirfd is a valid file descriptor.
        // 2. path is static empty sentinel.
        // 3. times is a valid TimeSpec64 array.
        // 4. flags is AT_EMPTY_PATH.
        // 5. Trailing arguments are sealed cookies.
        Errno::result(unsafe {
            syscall(sys, fd, path, &raw const times[0], flags, cookie4, cookie5)
        })
        .map(drop)
    } else if let Some(sys) = *SYS_UTIMENSAT {
        #[cfg(target_pointer_width = "32")]
        {
            use crate::compat::TimeSpec32;

            // Convert Timespec64 to 32-bit with overflow check.
            let times32: [TimeSpec32; 2] =
                [TimeSpec32::try_from(*atime)?, TimeSpec32::try_from(*mtime)?];

            // SAFETY:
            // 1. dirfd is a valid file descriptor.
            // 2. path is static empty sentinel.
            // 3. times32 is a valid Timespec32 array.
            // 4. flags is AT_EMPTY_PATH.
            // 5. Trailing arguments are sealed cookies.
            Errno::result(unsafe {
                syscall(
                    sys,
                    fd,
                    path,
                    &raw const times32[0],
                    flags,
                    cookie4,
                    cookie5,
                )
            })
            .map(drop)
        }
        #[cfg(not(target_pointer_width = "32"))]
        {
            let times: [TimeSpec64; 2] = [*atime, *mtime];

            // SAFETY:
            // 1. dirfd is a valid file descriptor.
            // 2. path is static empty sentinel.
            // 3. times is a valid TimeSpec64 array.
            // 4. flags is AT_EMPTY_PATH.
            // 5. Trailing arguments are sealed cookies.
            Errno::result(unsafe {
                syscall(sys, fd, path, &raw const times[0], flags, cookie4, cookie5)
            })
            .map(drop)
        }
    } else {
        Err(Errno::ENOSYS)
    }
}

/// Safe fgetxattr(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_fgetxattr<Fd: AsFd>(
    fd: Fd,
    name: &CStr,
    mut value: Option<&mut Vec<u8>>,
) -> Result<usize, Errno> {
    let (val, len) = match value.as_mut() {
        Some(v) => (v.as_mut_ptr() as *mut c_void, v.capacity()),
        None => (ptr::null_mut(), 0),
    };

    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. name is a NUL-terminated CStr.
    // 3. val and len are from caller's Vec capacity or NULL/0.
    // 4. Trailing arguments are sealed cookies.
    let res = unsafe {
        syscall(
            SYS_fgetxattr,
            fd.as_fd().as_raw_fd(),
            name.as_ptr(),
            val,
            len,
            SYSCOOKIE_POOL.get(CookieIdx::FgetxattrArg4),
            SYSCOOKIE_POOL.get(CookieIdx::FgetxattrArg5),
        )
    };

    #[expect(clippy::cast_possible_truncation)]
    #[expect(clippy::cast_sign_loss)]
    let n = Errno::result(res).map(|r| r as usize)?;

    if let Some(value) = value {
        // SAFETY: fgetxattr(2) wrote n bytes into reserved capacity.
        unsafe { value.set_len(n) };
    }

    Ok(n)
}

/// Safe flistxattr(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_flistxattr<Fd: AsFd>(fd: Fd, mut list: Option<&mut Vec<u8>>) -> Result<usize, Errno> {
    let (ptr, cap) = match list.as_mut() {
        Some(b) => (b.as_mut_ptr().cast::<c_char>(), b.capacity()),
        None => (ptr::null_mut(), 0),
    };

    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. ptr/cap come from caller's Vec capacity or NULL/0.
    // 3. Trailing arguments are sealed cookies.
    let res = unsafe {
        syscall(
            SYS_flistxattr,
            fd.as_fd().as_raw_fd(),
            ptr,
            cap,
            SYSCOOKIE_POOL.get(CookieIdx::FlistxattrArg3),
            SYSCOOKIE_POOL.get(CookieIdx::FlistxattrArg4),
            SYSCOOKIE_POOL.get(CookieIdx::FlistxattrArg5),
        )
    };

    #[expect(clippy::cast_possible_truncation)]
    #[expect(clippy::cast_sign_loss)]
    let n = Errno::result(res).map(|r| r as usize)?;

    if let Some(list) = list {
        // SAFETY: flistxattr(2) wrote n bytes into reserved capacity.
        unsafe { list.set_len(n) };
    }

    Ok(n)
}

/// Safe fremovexattr(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_fremovexattr<Fd: AsFd>(fd: Fd, name: &CStr) -> Result<(), Errno> {
    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. name is a NUL-terminated CStr.
    // 3. Trailing arguments are sealed cookied.
    Errno::result(unsafe {
        syscall(
            SYS_fremovexattr,
            fd.as_fd().as_raw_fd(),
            name.as_ptr(),
            SYSCOOKIE_POOL.get(CookieIdx::FremovexattrArg2),
            SYSCOOKIE_POOL.get(CookieIdx::FremovexattrArg3),
            SYSCOOKIE_POOL.get(CookieIdx::FremovexattrArg4),
            SYSCOOKIE_POOL.get(CookieIdx::FremovexattrArg5),
        )
    })
    .map(drop)
}

/// Safe lremovexattr(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_lremovexattr<P: NixPath + ?Sized>(path: &P, name: &CStr) -> Result<(), Errno> {
    let res = path.with_nix_path(|cstr| {
        // SAFETY:
        // 1. cstr is a NUL-terminated CStr via NixPath.
        // 2. name is a NUL-terminated CStr.
        // 3. Trailing arguments are sealed cookied.
        unsafe {
            syscall(
                SYS_lremovexattr,
                cstr.as_ptr(),
                name.as_ptr(),
                SYSCOOKIE_POOL.get(CookieIdx::LremovexattrArg2),
                SYSCOOKIE_POOL.get(CookieIdx::LremovexattrArg3),
                SYSCOOKIE_POOL.get(CookieIdx::LremovexattrArg4),
                SYSCOOKIE_POOL.get(CookieIdx::LremovexattrArg5),
            )
        }
    })?;
    Errno::result(res).map(drop)
}

/// Safe fsetxattr(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_fsetxattr<Fd: AsFd>(
    fd: Fd,
    name: &CStr,
    value: Option<&[u8]>,
    flags: c_int,
) -> Result<(), Errno> {
    let (val, len) = if let Some(value) = value.as_ref() {
        let val = value.as_ptr() as *const c_void;
        let len = value.len();
        (val, len)
    } else {
        (ptr::null(), 0)
    };

    // SAFETY:
    // 1. fd is a valid file descriptor.
    // 2. name is a NUL-terminated CStr.
    // 3. val and len are from caller's byte slice or NULL/0.
    // 4. Trailing argument is a sealed cookie.
    Errno::result(unsafe {
        syscall(
            SYS_fsetxattr,
            fd.as_fd().as_raw_fd(),
            name.as_ptr(),
            val,
            len,
            flags,
            SYSCOOKIE_POOL.get(CookieIdx::FsetxattrArg5),
        )
    })
    .map(drop)
}

/// Safe lsetxattr(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_lsetxattr<P: NixPath + ?Sized>(
    path: &P,
    name: &CStr,
    value: Option<&[u8]>,
    flags: c_int,
) -> Result<(), Errno> {
    let (val, len) = if let Some(value) = value.as_ref() {
        let val = value.as_ptr() as *const c_void;
        let len = value.len();
        (val, len)
    } else {
        (ptr::null(), 0)
    };

    let res = path.with_nix_path(|c_path| {
        // SAFETY:
        // 1. c_path is a NUL-terminated CStr via NixPath.
        // 2. name is a NUL-terminated CStr.
        // 3. val and len are from caller's byte slice or NULL/0.
        // 4. flags are from caller.
        // 5. Trailing argument is a sealed cookie.
        unsafe {
            syscall(
                SYS_lsetxattr,
                c_path.as_ptr(),
                name.as_ptr(),
                val,
                len,
                flags,
                SYSCOOKIE_POOL.get(CookieIdx::LsetxattrArg5),
            )
        }
    })?;
    Errno::result(res).map(drop)
}

/// Safe pipe2(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_pipe2(flags: OFlag) -> Result<(SafeOwnedFd, SafeOwnedFd), Errno> {
    let mut fds = MaybeUninit::<[SafeOwnedFd; 2]>::uninit();

    // SAFETY:
    // 1. fds is a valid, writable MaybeUninit array.
    // 2. flags are from OFlag.
    // 3. Trailing arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            SYS_pipe2,
            fds.as_mut_ptr(),
            flags.bits(),
            SYSCOOKIE_POOL.get(CookieIdx::Pipe2Arg2),
            SYSCOOKIE_POOL.get(CookieIdx::Pipe2Arg3),
            SYSCOOKIE_POOL.get(CookieIdx::Pipe2Arg4),
            SYSCOOKIE_POOL.get(CookieIdx::Pipe2Arg5),
        )
    })?;

    // SAFETY: pipe2 returns valid FDs on success.
    let [read, write] = unsafe { fds.assume_init() };
    Ok((read, write))
}

/// Safe sendfile(2)/sendfile64(2) confined by syscall cookies.
///
/// Tries sendfile64(2) first, and falls back to sendfile(2).
#[inline(always)]
pub fn safe_sendfile<Fd1: AsFd, Fd2: AsFd>(
    out_fd: Fd1,
    in_fd: Fd2,
    count: usize,
) -> Result<usize, Errno> {
    if let Some(sys_sendfile64) = *SYS_SENDFILE64 {
        // SAFETY:
        // 1. Both fds are valid file descriptors.
        // 2. Offset is NULL to copy from current position.
        // 3. Count is from caller.
        // 4. Trailing arguments are sealed cookies.
        #[expect(clippy::cast_possible_truncation)]
        #[expect(clippy::cast_sign_loss)]
        return Errno::result(unsafe {
            syscall(
                sys_sendfile64,
                out_fd.as_fd().as_raw_fd(),
                in_fd.as_fd().as_raw_fd(),
                ptr::null_mut::<i64>(),
                count,
                SYSCOOKIE_POOL.get(CookieIdx::Sendfile64Arg4),
                SYSCOOKIE_POOL.get(CookieIdx::Sendfile64Arg5),
            )
        })
        .map(|n| n as usize);
    }

    let sys_sendfile = SYS_SENDFILE.ok_or(Errno::ENOSYS)?;

    // SAFETY:
    // 1. Both fds are valid file descriptors.
    // 2. Offset is NULL to copy from current position.
    // 3. Count is from caller.
    // 4. Trailing arguments are sealed cookies.
    #[expect(clippy::cast_possible_truncation)]
    #[expect(clippy::cast_sign_loss)]
    Errno::result(unsafe {
        syscall(
            sys_sendfile,
            out_fd.as_fd().as_raw_fd(),
            in_fd.as_fd().as_raw_fd(),
            ptr::null_mut::<i64>(),
            count,
            SYSCOOKIE_POOL.get(CookieIdx::SendfileArg4),
            SYSCOOKIE_POOL.get(CookieIdx::SendfileArg5),
        )
    })
    .map(|n| n as usize)
}

/// Safe pidfd_open(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_pidfd_open(pid: Pid, mut flags: u32) -> Result<SafeOwnedFd, Errno> {
    // Use PIDFD_THREAD if available, pass-through PIDFD_NONBLOCK.
    let pid = if *HAVE_PIDFD_THREAD || flags & PIDFD_THREAD == 0 {
        pid
    } else {
        flags &= !PIDFD_THREAD;
        proc_tgid(pid)?
    };

    // SAFETY:
    // 1. pid_fd is a valid file descriptor.
    // 2. flags were validated above.
    // 3. Trailing arguments are sealed cookies.
    #[expect(clippy::cast_possible_truncation)]
    Errno::result(unsafe {
        syscall(
            SYS_pidfd_open,
            pid.as_raw(),
            flags,
            SYSCOOKIE_POOL.get(CookieIdx::PidfdOpenArg2),
            SYSCOOKIE_POOL.get(CookieIdx::PidfdOpenArg3),
            SYSCOOKIE_POOL.get(CookieIdx::PidfdOpenArg4),
            SYSCOOKIE_POOL.get(CookieIdx::PidfdOpenArg5),
        )
    })
    .map(|fd| {
        // SAFETY: pidfd_open(2) returned success, fd is valid.
        unsafe { SafeOwnedFd::from_raw_fd(fd as RawFd) }
    })
}

/// Safe pidfd_getfd(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_pidfd_getfd<Fd: AsFd>(pid_fd: Fd, remote_fd: RawFd) -> Result<SafeOwnedFd, Errno> {
    // SAFETY:
    // 1. pid_fd is a valid file descriptor.
    // 2. remote_fd is target file descriptor number.
    // 3. flags argument is zero.
    // 4. Trailing arguments are sealed cookies.
    #[expect(clippy::cast_possible_truncation)]
    Errno::result(unsafe {
        syscall(
            SYS_pidfd_getfd,
            pid_fd.as_fd().as_raw_fd(),
            remote_fd,
            0,
            SYSCOOKIE_POOL.get(CookieIdx::PidfdGetfdArg3),
            SYSCOOKIE_POOL.get(CookieIdx::PidfdGetfdArg4),
            SYSCOOKIE_POOL.get(CookieIdx::PidfdGetfdArg5),
        )
    })
    .map(|fd| {
        // SAFETY: pidfd_getfd(2) returned success, fd is valid.
        unsafe { SafeOwnedFd::from_raw_fd(fd as RawFd) }
    })
}

/// Safe pidfd_send_signal(2) confined by syscall cookies.
#[inline(always)]
pub fn safe_pidfd_send_signal<Fd: AsFd>(pid_fd: Fd, sig: i32) -> Result<(), Errno> {
    // SAFETY:
    // 1. pid_fd is a valid file descriptor.
    // 2. sig is a valid signal number (or 0 for liveness check).
    // 3. siginfo is NULL.
    // 4. flags is zero.
    // 5. Trailing arguments are sealed cookies.
    Errno::result(unsafe {
        syscall(
            SYS_pidfd_send_signal,
            pid_fd.as_fd().as_raw_fd(),
            sig,
            0,
            0,
            SYSCOOKIE_POOL.get(CookieIdx::PidfdSendSignalArg4),
            SYSCOOKIE_POOL.get(CookieIdx::PidfdSendSignalArg5),
        )
    })
    .map(drop)
}

/// Safe wrapper for pidfd_send_signal(2) with signal 0 confined by syscall cookies.
#[inline(always)]
pub fn safe_pidfd_is_alive<Fd: AsFd>(pid_fd: Fd) -> Result<(), Errno> {
    safe_pidfd_send_signal(pid_fd, 0)
}

/// Safe ptrace(2) confined by syscall cookies.
///
/// # Safety
///
/// Same safety requirements as libc::ptrace.
/// The addr and data pointers must be valid for given request.
#[inline(always)]
pub unsafe fn safe_ptrace(
    request: PtraceRequest,
    pid: c_int,
    addr: *mut c_void,
    data: *mut c_void,
) -> c_long {
    // SAFETY:
    // 1. request is a valid PtraceRequest.
    // 2. pid is a valid tracee pid.
    // 3. Validity of addr and data is up to caller.
    // 4. Trailing arguments are sealed cookies.
    unsafe {
        syscall(
            SYS_ptrace,
            request,
            pid,
            addr,
            data,
            SYSCOOKIE_POOL.get(CookieIdx::PtraceArg4),
            SYSCOOKIE_POOL.get(CookieIdx::PtraceArg5),
        )
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_cookie_idx_1() {
        assert_eq!(CookieIdx::Accept4Arg4 as usize, 0);
    }

    #[test]
    fn test_cookie_idx_2() {
        assert_eq!(CookieIdx::UtimensatArg5 as usize, CookieIdx::COUNT - 1);
    }

    #[test]
    fn test_cookie_idx_3() {
        assert!(CookieIdx::COUNT > 0);
    }

    #[test]
    fn test_cookie_idx_4() {
        assert!(CookieIdx::COUNT > 100);
    }

    #[test]
    fn test_cookie_idx_5() {
        assert_eq!(
            CookieIdx::Accept4Arg5 as usize,
            CookieIdx::Accept4Arg4 as usize + 1
        );
    }

    #[test]
    fn test_cookie_idx_6() {
        assert_eq!(
            CookieIdx::BindArg3 as usize,
            CookieIdx::Accept4Arg5 as usize + 1
        );
    }

    #[test]
    fn test_cookie_idx_7() {
        let idx = CookieIdx::CloseArg1;
        let cloned = idx;
        assert_eq!(idx as usize, cloned as usize);
    }

    #[test]
    fn test_cookie_idx_8() {
        let s = format!("{:?}", CookieIdx::Accept4Arg4);
        assert_eq!(s, "Accept4Arg4");
    }

    #[test]
    fn test_syscookie_pool_1() {
        let a = SYSCOOKIE_POOL.get(CookieIdx::Accept4Arg4);
        let b = SYSCOOKIE_POOL.get(CookieIdx::Accept4Arg4);
        assert_eq!(a, b);
    }

    #[test]
    fn test_syscookie_pool_2() {
        let a = SYSCOOKIE_POOL.get(CookieIdx::Accept4Arg4);
        let b = SYSCOOKIE_POOL.get(CookieIdx::Accept4Arg5);
        assert_ne!(a, b);
    }

    #[test]
    fn test_syscookie_pool_3() {
        let first = SYSCOOKIE_POOL.get(CookieIdx::Accept4Arg4);
        let last = SYSCOOKIE_POOL.get(CookieIdx::UnlinkatArg5);
        assert_ne!(first, last);
    }

    #[test]
    fn test_syscookie_pool_4() {
        let v1 = SYSCOOKIE_POOL.get(CookieIdx::CloseArg1);
        let v2 = SYSCOOKIE_POOL.get(CookieIdx::CloseArg1);
        let v3 = SYSCOOKIE_POOL.get(CookieIdx::CloseArg1);
        assert_eq!(v1, v2);
        assert_eq!(v2, v3);
    }

    #[test]
    fn test_syscookie_pool_5() {
        let mut all_zero = true;
        for i in 0..CookieIdx::COUNT {
            let idx: CookieIdx = unsafe { std::mem::transmute(i) };
            if SYSCOOKIE_POOL.get(idx) != 0 {
                all_zero = false;
                break;
            }
        }
        assert!(!all_zero);
    }
}