monitor_api/

lib.rs

//! This crate exists to break a circular dependency between twz-rt and monitor. We use extern
//! symbols so that we can just call into the monitor without having to have it as an explicit
//! dependency.

#![feature(linkage)]
#![feature(thread_local)]
#![feature(pointer_is_aligned_to)]
#![feature(tuple_trait)]
#![allow(unexpected_cfgs)]
use std::{
    alloc::Layout,
    cell::UnsafeCell,
    marker::{PhantomData, Tuple},
    ptr::NonNull,
    sync::{
        atomic::{AtomicPtr, AtomicU32, AtomicU64, Ordering},
        OnceLock,
    },
};

pub use dynlink::{
    context::NewCompartmentFlags,
    tls::{Tcb, TlsRegion},
};
use secgate::{
    util::{Descriptor, Handle},
    Crossing, DynamicSecGate,
};
use twizzler_abi::{
    object::{ObjID, MAX_SIZE, NULLPAGE_SIZE},
    syscall::{sys_thread_sync, ThreadSync, ThreadSyncReference, ThreadSyncWake},
};
use twizzler_rt_abi::{
    bindings::{binding_info, ctor_set},
    debug::{DlPhdrInfo, LinkMap, LoadedImageId},
    error::{ArgumentError, TwzError},
    thread::ThreadSpawnArgs,
};

#[secgate::gatecall]
pub fn monitor_rt_get_library_info(desc: Descriptor) -> Result<LibraryInfoRaw, TwzError> {}

#[secgate::gatecall]
pub fn monitor_rt_spawn_thread(
    args: ThreadSpawnArgs,
    thread_pointer: usize,
    stack_pointer: usize,
) -> Result<ObjID, TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_get_comp_config() -> Result<usize, TwzError> {}
#[secgate::gatecall]
pub fn monitor_rt_get_library_handle(
    compartment: Option<Descriptor>,
    lib_n: usize,
) -> Result<Descriptor, TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_get_compartment_handle(compartment: ObjID) -> Result<Descriptor, TwzError> {}

#[secgate::gatecall]
pub fn monitor_rt_get_compartment_info(
    desc: Option<Descriptor>,
) -> Result<CompartmentInfoRaw, TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_compartment_dynamic_gate(
    desc: Option<Descriptor>,
    name_len: usize,
) -> Result<usize, TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_get_compartment_deps(
    desc: Option<Descriptor>,
    dep_n: usize,
) -> Result<Descriptor, TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_get_compartment_thread(
    desc: Option<Descriptor>,
    dep_n: usize,
) -> Result<ThreadInfo, TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_lookup_compartment(name_len: usize) -> Result<Descriptor, TwzError> {}

#[secgate::gatecall]
pub fn monitor_rt_load_compartment(
    root_object: ObjID,
    name_len: u64,
    args_len: u64,
    env_len: u64,
    flags: u32,
    config: u64,
) -> Result<Descriptor, TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_compartment_wait(desc: Option<Descriptor>, flags: u64) -> Result<u64, TwzError> {}

#[secgate::gatecall]
pub fn monitor_rt_drop_compartment_handle(desc: Descriptor) -> Result<(), TwzError> {}

#[secgate::gatecall]
pub fn monitor_rt_load_library(
    compartment: Option<Descriptor>,
    id: Option<ObjID>,
    name_len: usize,
) -> Result<(Descriptor, usize), TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_drop_library_handle(desc: Descriptor) -> Result<(), TwzError> {}

#[secgate::gatecall]
pub fn monitor_rt_object_map(
    id: ObjID,
    flags: twizzler_rt_abi::object::MapFlags,
) -> Result<crate::MappedObjectAddrs, TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_object_pair_map(
    id: ObjID,
    flags: twizzler_rt_abi::object::MapFlags,
    id2: ObjID,
    flags2: twizzler_rt_abi::object::MapFlags,
) -> Result<(crate::MappedObjectAddrs, crate::MappedObjectAddrs), TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_object_unmap(
    id: ObjID,
    flags: twizzler_rt_abi::object::MapFlags,
) -> Result<(), TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_get_thread_simple_buffer() -> Result<ObjID, TwzError> {}
#[secgate::gatecall]
pub fn monitor_rt_comp_ctrl(cmd: MonitorCompControlCmd) -> Result<Option<i32>, TwzError> {}
#[secgate::gatecall]
pub fn monitor_rt_stats() -> Result<MonitorStats, TwzError> {}
#[secgate::gatecall]
pub fn monitor_rt_set_nameroot(root: ObjID) -> Result<(), TwzError> {}
#[secgate::gatecall]
pub fn monitor_rt_post_signal(
    comp: Option<ObjID>,
    signal: u64,
    flags: PostSignalFlags,
) -> Result<(), TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_libname_map(namelen: usize, id: ObjID) -> Result<(), TwzError> {}

#[secgate::gatecall]
pub fn monitor_rt_libname_unmap(namelen: Option<usize>, id: Option<ObjID>) -> Result<(), TwzError> {
}

#[secgate::gatecall]
pub fn monitor_rt_set_controller(comp: ObjID, controller: ObjID) -> Result<(), TwzError> {}

#[secgate::gatecall]
pub fn monitor_rt_lookup_compartment_id(id: ObjID) -> Result<Descriptor, TwzError> {}

/// Look up a symbol by name, searching within the library identified by `lib_desc`
/// (or across all libraries in the caller's compartment if `lib_desc` is `None`).
/// The symbol name (as UTF-8 bytes) must be written to the per-thread simple buffer before
/// calling, and `name_len` must be the number of bytes written.
/// Returns the relocated symbol address (as a `usize`) on success.
#[secgate::gatecall]
pub fn monitor_rt_lookup_symbol(
    lib_desc: Option<Descriptor>,
    name_len: usize,
) -> Result<usize, TwzError> {
}
/// Shared data between the monitor and a compartment runtime. Written to by the monitor, and
/// read-only from the compartment.
#[repr(C)]
pub struct SharedCompConfig {
    /// The security context that this compartment derives from. Read-only, will not be
    /// overwritten.
    pub sctx: ObjID,
    // Pointer to the current TLS template. Read-only by compartment, writable by monitor.
    tls_template: AtomicPtr<TlsTemplateInfo>,
    /// The root library ID for this compartment. May be None if no libraries have been loaded.
    pub root_library_id: Option<LoadedImageId>,
    pub posted_signals: AtomicU64,
    pub loader_config: CompartmentLoaderConfig,
}

struct CompConfigFinder {
    config: *const SharedCompConfig,
}

// Safety: the compartment config address is stable over the life of the compartment and doesn't
// change after init.
unsafe impl Sync for CompConfigFinder {}
unsafe impl Send for CompConfigFinder {}

static COMP_CONFIG: OnceLock<CompConfigFinder> = OnceLock::new();

/// Get a reference to this compartment's [SharedCompConfig].
pub fn get_comp_config() -> &'static SharedCompConfig {
    unsafe {
        COMP_CONFIG
            .get_or_init(|| CompConfigFinder {
                config: monitor_rt_get_comp_config().unwrap() as *const _,
            })
            .config
            .as_ref()
            .unwrap()
    }
}

/// Tries to set the comp config pointer. May fail, as this can only be set once.
/// The comp config pointer is automatically determined if [get_comp_config] is called
/// without comp config being set, by cross-compartment call into monitor.
pub fn set_comp_config(cfg: &'static SharedCompConfig) -> Result<(), ()> {
    COMP_CONFIG
        .set(CompConfigFinder { config: cfg })
        .map_err(|_| ())
}

/// Information about a monitor-generated TLS template.
#[repr(C)]
#[derive(Clone, Copy, Debug)]
pub struct TlsTemplateInfo {
    pub gen: u64,
    pub layout: Layout,
    pub alloc_base: NonNull<u8>,
    pub tp_offset: usize,
    pub dtv_offset: usize,
    pub num_dtv_entries: usize,
    pub module_top_offset: usize,
}

// Safety: this type is designed to pass pointers to thread-local memory across boundaries, so we
// assert this is safe.
unsafe impl Send for TlsTemplateInfo {}
unsafe impl Sync for TlsTemplateInfo {}

impl From<TlsRegion> for TlsTemplateInfo {
    fn from(value: TlsRegion) -> Self {
        let offset = |ptr: NonNull<u8>| -> usize {
            unsafe {
                ptr.as_ptr()
                    .byte_offset_from(value.alloc_base.as_ptr())
                    .try_into()
                    .unwrap()
            }
        };
        Self {
            gen: value.gen,
            layout: value.layout,
            alloc_base: value.alloc_base,
            num_dtv_entries: value.num_dtv_entries,
            tp_offset: offset(value.thread_pointer),
            dtv_offset: offset(value.dtv.cast()),
            module_top_offset: offset(value.module_top),
        }
    }
}

impl TlsTemplateInfo {
    /// Initialize a newly allocated memory region with a TLS template and TCB data.
    ///
    /// # Safety
    /// The new pointer must point to a memory region that meets the requirements in self.layout.
    pub unsafe fn init_new_tls_region<T>(&self, new: *mut u8, tcb_data: T) -> *mut Tcb<T> {
        assert!(new.is_aligned_to(self.layout.align()));
        // Step 1: copy the template to the new memory.
        core::ptr::copy_nonoverlapping(self.alloc_base.as_ptr(), new, self.layout.size());

        let tcb = new.add(self.tp_offset) as *mut Tcb<T>;
        let dtv_ptr = new.add(self.dtv_offset) as *mut *mut u8;
        let dtv = core::slice::from_raw_parts_mut(dtv_ptr, self.num_dtv_entries);

        // Step 2a: "relocate" the pointers inside the DTV. First entry is the gen count, so skip
        // that.
        for entry in dtv.iter_mut().skip(1) {
            let offset = (*entry).byte_offset_from(self.alloc_base.as_ptr());
            *entry = new.byte_offset(offset);
        }

        // Step 2b: DTV[0] holds the TLS generation ID.
        let dtv_0 = dtv_ptr as *mut u64;
        *dtv_0 = self.gen;

        // Step 3: Update the TCB data, including pointer to DTV and self.
        {
            let tcb = tcb.as_mut().unwrap();
            tcb.dtv = dtv_ptr as *const usize;
            tcb.self_ptr = tcb;
            tcb.runtime_data = tcb_data;
        }

        tcb
    }
}

impl SharedCompConfig {
    pub fn new(
        sctx: ObjID,
        tls_template: *mut TlsTemplateInfo,
        loader_config: CompartmentLoaderConfig,
    ) -> Self {
        Self {
            sctx,
            tls_template: AtomicPtr::new(tls_template),
            root_library_id: None,
            posted_signals: AtomicU64::new(0),
            loader_config,
        }
    }

    /// Set the current TLS template for a compartment. Only the monitor can call this.
    pub fn set_tls_template(&self, ptr: *mut TlsTemplateInfo) {
        self.tls_template.store(ptr, Ordering::SeqCst);
    }

    /// Get the current TLS template for the compartment.
    pub fn get_tls_template(&self) -> *const TlsTemplateInfo {
        self.tls_template.load(Ordering::SeqCst)
    }

    pub fn read_posted_signals(&self) -> u64 {
        self.posted_signals.swap(0, Ordering::SeqCst)
    }

    pub fn peek_posted_signals(&self) -> u64 {
        self.posted_signals.load(Ordering::SeqCst)
    }

    pub fn post_signal(&self, signal: u64) {
        self.posted_signals.fetch_or(1 << signal, Ordering::SeqCst);
        let _ = sys_thread_sync(
            &mut [ThreadSync::new_wake(ThreadSyncWake::new(
                ThreadSyncReference::Virtual(&self.posted_signals),
                usize::MAX,
            ))],
            None,
        );
    }
}

/// Contains information about a library loaded into the address space.
#[derive(Debug)]
pub struct LibraryInfo<'a> {
    /// The library's name
    pub name: String,
    /// The compartment of the library
    pub compartment_id: ObjID,
    /// The object ID that the library was loaded from
    pub objid: ObjID,
    /// The start address of range the library was loaded to
    pub start: *const u8,
    /// Length of range library was loaded to
    pub len: usize,
    /// The DlPhdrInfo for this library
    pub dl_info: DlPhdrInfo,
    /// The link_map structure for this library
    pub link_map: LinkMap,
    /// The slot of the library text.
    pub slot: usize,
    _pd: PhantomData<&'a ()>,
    internal_name: Vec<u8>,
}

impl<'a> LibraryInfo<'a> {
    pub fn from_raw(raw: LibraryInfoRaw) -> Self {
        let name = lazy_sb::read_bytes_from_sb(raw.name_len);
        let mut this = Self {
            name: lazy_sb::read_string_from_sb(raw.name_len),
            compartment_id: raw.compartment_id,
            objid: raw.objid,
            start: raw.start,
            len: raw.len,
            dl_info: raw.dl_info,
            slot: raw.slot,
            _pd: PhantomData,
            internal_name: name,
            link_map: raw.link_map,
        };
        this.dl_info.name = this.internal_name.as_ptr().cast();
        this
    }
}

/// A handle to a loaded library. On drop, the library may unload.
#[derive(Debug)]
pub struct LibraryHandle {
    desc: Descriptor,
}

impl LibraryHandle {
    /// Get the library info.
    pub fn info(&self) -> LibraryInfo<'_> {
        LibraryInfo::from_raw(monitor_rt_get_library_info(self.desc).unwrap())
    }

    /// Get the descriptor for this handle.
    pub fn desc(&self) -> Descriptor {
        self.desc
    }

    pub fn into_raw(self) -> Descriptor {
        let desc = self.desc;
        core::mem::forget(self);
        desc
    }
}

/// A builder-type for loading libraries.
pub struct LibraryLoader<'a> {
    id: Option<ObjID>,
    name: String,
    comp: Option<&'a CompartmentHandle>,
}

impl<'a> LibraryLoader<'a> {
    /// Make a new LibraryLoader.
    pub fn new(name: impl ToString, id: Option<ObjID>) -> Self {
        Self {
            name: name.to_string(),
            id,
            comp: None,
        }
    }

    /// Load the library in the given compartment.
    pub fn in_compartment(&'a mut self, comp: &'a CompartmentHandle) -> &'a mut Self {
        self.comp = Some(comp);
        self
    }

    /// Load the library.
    pub fn load(&self) -> Result<LibraryHandle, TwzError> {
        let len = lazy_sb::write_bytes_to_sb(self.name.as_bytes());
        let (desc, ctor_len): (Descriptor, usize) =
            monitor_rt_load_library(self.comp.map(|comp| comp.desc).flatten(), self.id, len)?;

        // Call ctors.
        let ctors = lazy_sb::read_bytes_from_sb(ctor_len);
        let ctor_slice = unsafe {
            core::slice::from_raw_parts(
                ctors.as_ptr().cast::<ctor_set>(),
                ctor_len / core::mem::size_of::<ctor_set>(),
            )
        };
        for ctor in ctor_slice {
            unsafe {
                let init_array = core::slice::from_raw_parts(ctor.init_array, ctor.init_array_len);
                for func in init_array {
                    if let Some(f) = func {
                        f();
                    }
                }
                if let Some(f) = ctor.legacy_init {
                    f();
                }
            }
        }

        Ok(LibraryHandle { desc })
    }
}

/// A compartment handle. On drop, the compartment may be unloaded.
pub struct CompartmentHandle {
    desc: Option<Descriptor>,
}

impl CompartmentHandle {
    /// Get the compartment info.
    pub fn info(&self) -> CompartmentInfo<'_> {
        CompartmentInfo::from_raw(monitor_rt_get_compartment_info(self.desc).unwrap())
    }

    /// Get the descriptor for this handle, or None if the handle refers to the current compartment.
    pub fn desc(&self) -> Option<Descriptor> {
        self.desc
    }

    pub unsafe fn dynamic_gate<A: Tuple + Crossing + Copy, R: Crossing + Copy>(
        &self,
        name: &str,
    ) -> Result<DynamicSecGate<'_, A, R>, TwzError> {
        let name_len = lazy_sb::write_bytes_to_sb(name.as_bytes());
        let address = monitor_rt_compartment_dynamic_gate(self.desc, name_len)?;
        Ok(DynamicSecGate::new(address))
    }

    pub fn signal(&self, sig: u64) -> Result<(), TwzError> {
        let target = self.info().id;
        monitor_rt_post_signal(Some(target), sig, PostSignalFlags::empty())
    }
}

/// A builder-type for loading compartments.
pub struct CompartmentLoader {
    name: String,
    root_object: ObjID,
    args: Vec<String>,
    env: Option<Vec<String>>,
    flags: NewCompartmentFlags,
    config: CompartmentLoaderConfig,
    _fd_spec: Vec<binding_info>,
}

fn load_fd_specs_from_runtime() -> Vec<binding_info> {
    let mut v = vec![binding_info::default(); 8];
    loop {
        let len =
            unsafe { twizzler_rt_abi::bindings::twz_rt_fd_read_binds(v.as_mut_ptr(), v.len()) };
        if len == v.len() {
            v.extend_from_slice(&[binding_info::default(); 8]);
        } else {
            v.truncate(len);
            break;
        }
    }
    v
}

impl CompartmentLoader {
    /// Make a new compartment loader.
    pub fn new(
        compname: impl ToString,
        exename: impl ToString,
        root_object: ObjID,
        flags: NewCompartmentFlags,
    ) -> Self {
        let mut config = CompartmentLoaderConfig::default();
        let fd_spec = load_fd_specs_from_runtime();
        config.with_fd_spec(&fd_spec);
        Self {
            name: format!("{}::{}", compname.to_string(), exename.to_string()),
            flags,
            env: None,
            args: vec![],
            config,
            root_object,
            _fd_spec: fd_spec,
        }
    }

    pub fn with_controller(&mut self, con: ControllerOption) -> &mut Self {
        self.config.controller = con;
        self
    }

    pub fn with_fd_specs<'a>(&'a mut self, spec: &'a [binding_info]) -> &'a mut Self {
        self.config.with_fd_spec(spec);
        self
    }

    /// Append args to this compartment.
    pub fn args<S: ToString>(&mut self, args: impl IntoIterator<Item = S>) -> &mut Self {
        for arg in args.into_iter() {
            self.args.push(arg.to_string())
        }
        self
    }

    /// Set the environment for the compartment
    pub fn env<S: ToString>(&mut self, env: impl IntoIterator<Item = S>) -> &mut Self {
        self.env = Some(env.into_iter().map(|s| s.to_string()).collect());
        self
    }

    /// Load the compartment.
    pub fn load(&self) -> Result<CompartmentHandle, TwzError> {
        fn get_current_env() -> Vec<String> {
            std::env::vars()
                .map(|(var, val)| format!("{}={}", var, val))
                .collect()
        }
        let name_len = self.name.as_bytes().len();
        let args_len = self
            .args
            .iter()
            .fold(0, |acc, arg| acc + arg.as_bytes().len() + 1);
        let env = self.env.clone().unwrap_or_else(|| get_current_env());
        let envs_len = env
            .iter()
            .fold(0, |acc, arg| acc + arg.as_bytes().len() + 1);
        let mut bytes = self.name.as_bytes().to_vec();
        for arg in &self.args {
            bytes.extend_from_slice(arg.as_bytes());
            bytes.push(0);
        }
        for env in env {
            bytes.extend_from_slice(env.as_bytes());
            bytes.push(0);
        }
        let len = lazy_sb::write_bytes_to_sb(&bytes);
        if len < envs_len + args_len + name_len {
            return Err(ArgumentError::InvalidArgument.into());
        }
        let desc = monitor_rt_load_compartment(
            self.root_object,
            name_len as u64,
            args_len as u64,
            envs_len as u64,
            self.flags.bits(),
            (&self.config as *const _) as usize as u64,
        )?;
        Ok(CompartmentHandle { desc: Some(desc) })
    }
}

impl Handle for CompartmentHandle {
    type OpenError = TwzError;

    type OpenInfo = ObjID;

    fn open(info: Self::OpenInfo) -> Result<Self, Self::OpenError>
    where
        Self: Sized,
    {
        let desc = monitor_rt_get_compartment_handle(info)?;
        Ok(CompartmentHandle { desc: Some(desc) })
    }

    fn release(&mut self) {
        if let Some(desc) = self.desc {
            let _ = monitor_rt_drop_compartment_handle(desc);
        }
    }
}

impl Drop for CompartmentHandle {
    fn drop(&mut self) {
        self.release();
    }
}

impl Handle for LibraryHandle {
    type OpenError = TwzError;

    type OpenInfo = (Option<Descriptor>, usize);

    fn open(info: Self::OpenInfo) -> Result<Self, Self::OpenError>
    where
        Self: Sized,
    {
        let desc = monitor_rt_get_library_handle(info.0, info.1)?;
        Ok(LibraryHandle { desc })
    }

    fn release(&mut self) {
        let _ = monitor_rt_drop_library_handle(self.desc);
    }
}

impl Drop for LibraryHandle {
    fn drop(&mut self) {
        self.release()
    }
}

/// Information about a compartment.
#[derive(Clone, Debug)]
pub struct CompartmentInfo<'a> {
    /// The name of the compartment.
    pub name: String,
    /// The instance ID.
    pub id: ObjID,
    /// The security context.
    pub sctx: ObjID,
    /// The compartment flags and status.
    pub flags: CompartmentFlags,
    /// Number of libraries
    pub nr_libs: usize,
    /// Exit code of the main thread (valid when EXITED flag is set).
    pub exit_code: u64,
    _pd: PhantomData<&'a ()>,
}

impl<'a> CompartmentInfo<'a> {
    fn from_raw(raw: CompartmentInfoRaw) -> Self {
        Self {
            name: lazy_sb::read_string_from_sb(raw.name_len),
            id: raw.id,
            sctx: raw.sctx,
            flags: CompartmentFlags::from_bits_truncate(raw.flags),
            nr_libs: raw.nr_libs,
            exit_code: raw.exit_code,
            _pd: PhantomData,
        }
    }
}

impl CompartmentHandle {
    /// Get a handle to the current compartment.
    pub fn current() -> Self {
        Self { desc: None }
    }

    /// Lookup a compartment by name.
    pub fn lookup(name: impl AsRef<str>) -> Result<Self, TwzError> {
        let name_len = lazy_sb::write_bytes_to_sb(name.as_ref().as_bytes());
        Ok(Self {
            desc: Some(monitor_rt_lookup_compartment(name_len)?),
        })
    }

    /// Lookup a compartment by ID.
    pub fn lookup_id(name: ObjID) -> Result<Self, TwzError> {
        Ok(Self {
            desc: Some(monitor_rt_lookup_compartment_id(name)?),
        })
    }

    /// Get an iterator over this compartment's dependencies.
    pub fn deps(&self) -> CompartmentDepsIter<'_> {
        CompartmentDepsIter::new(self)
    }

    /// Get the root library for this compartment.
    pub fn root(&self) -> LibraryHandle {
        self.libs().next().unwrap()
    }

    /// Get an iterator over the libraries for this compartment.
    pub fn libs(&self) -> LibraryIter<'_> {
        LibraryIter::new(self)
    }

    /// Get an iterator over the libraries for this compartment.
    pub fn threads(&self) -> CompartmentThreadsIter<'_> {
        CompartmentThreadsIter::new(self)
    }

    pub fn wait(&self, flags: CompartmentFlags) -> CompartmentFlags {
        CompartmentFlags::from_bits_truncate(
            monitor_rt_compartment_wait(self.desc(), flags.bits()).unwrap(),
        )
    }
}

/// An iterator over libraries in a compartment.
pub struct LibraryIter<'a> {
    n: usize,
    comp: &'a CompartmentHandle,
}

impl<'a> LibraryIter<'a> {
    fn new(comp: &'a CompartmentHandle) -> Self {
        Self { n: 0, comp }
    }
}

impl<'a> Iterator for LibraryIter<'a> {
    type Item = LibraryHandle;

    fn next(&mut self) -> Option<Self::Item> {
        let handle = LibraryHandle::open((self.comp.desc, self.n)).ok();
        if handle.is_some() {
            self.n += 1;
        }
        handle
    }
}

/// An iterator over a compartment's dependencies.
pub struct CompartmentDepsIter<'a> {
    n: usize,
    comp: &'a CompartmentHandle,
}

impl<'a> CompartmentDepsIter<'a> {
    fn new(comp: &'a CompartmentHandle) -> Self {
        Self { n: 0, comp }
    }
}

impl<'a> Iterator for CompartmentDepsIter<'a> {
    type Item = CompartmentHandle;

    fn next(&mut self) -> Option<Self::Item> {
        let desc = monitor_rt_get_compartment_deps(self.comp.desc, self.n).ok()?;
        self.n += 1;
        Some(CompartmentHandle { desc: Some(desc) })
    }

    fn nth(&mut self, n: usize) -> Option<Self::Item> {
        self.n += n;
        self.next()
    }
}

/// An iterator over a compartment's threads.
pub struct CompartmentThreadsIter<'a> {
    n: usize,
    comp: &'a CompartmentHandle,
}

impl<'a> CompartmentThreadsIter<'a> {
    fn new(comp: &'a CompartmentHandle) -> Self {
        Self { n: 0, comp }
    }
}

impl<'a> Iterator for CompartmentThreadsIter<'a> {
    type Item = ThreadInfo;

    fn next(&mut self) -> Option<Self::Item> {
        let info = monitor_rt_get_compartment_thread(self.comp.desc, self.n).ok()?;
        self.n += 1;
        Some(info)
    }

    fn nth(&mut self, n: usize) -> Option<Self::Item> {
        self.n += n;
        self.next()
    }
}

bitflags::bitflags! {
    /// Compartment state flags.
    #[derive(Clone, Debug, Copy, PartialEq, PartialOrd, Ord, Eq, Hash)]
    pub struct CompartmentFlags : u64 {
        /// Compartment is ready (loaded, reloacated, runtime started and ctors run).
        const READY = 0x1;
        /// Compartment is a binary, not a library.
        const IS_BINARY = 0x2;
        /// Compartment runtime thread may exit.
        const THREAD_CAN_EXIT = 0x4;
        /// Compartment thread has been started once.
        const STARTED = 0x8;
        /// Compartment destructors have run.
        const DESTRUCTED = 0x10;
        /// Compartment thread has exited.
        const EXITED = 0x20;
    }
}

/// Contains raw mapping addresses, for use when translating to object handles for the runtime.
#[derive(Copy, Clone, PartialEq, PartialOrd, Ord, Eq, Debug)]
pub struct MappedObjectAddrs {
    pub slot: usize,
    pub start: usize,
    pub meta: usize,
}

impl MappedObjectAddrs {
    pub fn new(slot: usize) -> Self {
        Self {
            start: slot * MAX_SIZE,
            meta: (slot + 1) * MAX_SIZE - NULLPAGE_SIZE,
            slot,
        }
    }
}

/// Get stats from the monitor
pub fn stats() -> Option<MonitorStats> {
    monitor_rt_stats().ok()
}

mod lazy_sb {
    //! A per-thread per-compartment simple buffer used for transferring strings between
    //! compartments and the monitor. This is necessary because the monitor runs at too low of a
    //! level for us to use nice shared memory techniques. This is simpler and more secure.
    use std::cell::{OnceCell, RefCell};

    use secgate::util::SimpleBuffer;
    use twizzler_rt_abi::object::MapFlags;

    struct LazyThreadSimpleBuffer {
        sb: OnceCell<SimpleBuffer>,
    }

    impl LazyThreadSimpleBuffer {
        const fn new() -> Self {
            Self {
                sb: OnceCell::new(),
            }
        }

        fn init() -> SimpleBuffer {
            let id = super::monitor_rt_get_thread_simple_buffer()
                .expect("failed to get per-thread monitor simple buffer");
            let oh =
                twizzler_rt_abi::object::twz_rt_map_object(id, MapFlags::READ | MapFlags::WRITE)
                    .unwrap();
            SimpleBuffer::new(oh)
        }

        fn read(&mut self, buf: &mut [u8]) -> usize {
            let sb = self.sb.get_or_init(|| Self::init());
            sb.read(buf)
        }

        fn write(&mut self, buf: &[u8]) -> usize {
            if self.sb.get().is_none() {
                // Unwrap-Ok: we know it's empty.
                self.sb.set(Self::init()).unwrap();
            }
            let sb = self.sb.get_mut().unwrap();
            sb.write(buf)
        }
    }

    #[thread_local]
    static LAZY_SB: RefCell<LazyThreadSimpleBuffer> = RefCell::new(LazyThreadSimpleBuffer::new());

    pub(super) fn read_string_from_sb(len: usize) -> String {
        let mut buf = vec![0u8; len];
        let len = LAZY_SB.borrow_mut().read(&mut buf);
        String::from_utf8_lossy(&buf[0..len]).to_string()
    }

    pub(super) fn read_bytes_from_sb(len: usize) -> Vec<u8> {
        let mut buf = vec![0u8; len];
        let len = LAZY_SB.borrow_mut().read(&mut buf);
        buf.truncate(len);
        buf
    }

    pub(super) fn write_bytes_to_sb(buf: &[u8]) -> usize {
        LAZY_SB.borrow_mut().write(buf)
    }
}

pub const THREAD_STARTED: u32 = 1;
#[repr(C)]
pub struct RuntimeThreadControl {
    pub id: UnsafeCell<u32>,
    pub did_exit: UnsafeCell<u32>,
    // Need to keep a lock for the ID, though we don't expect to use it much.
    pub internal_lock: AtomicU32,
    pub flags: AtomicU32,
    pub stack_canary: u64,
    pub libc_data: [u64; 16],
}

impl Default for RuntimeThreadControl {
    fn default() -> Self {
        Self::new(0)
    }
}

impl RuntimeThreadControl {
    pub const fn new(id: u32) -> Self {
        Self {
            internal_lock: AtomicU32::new(0),
            flags: AtomicU32::new(0),
            id: UnsafeCell::new(id),
            did_exit: UnsafeCell::new(0),
            stack_canary: 0,
            libc_data: [0; 16],
        }
    }

    fn write_lock(&self) {
        loop {
            let old = self.internal_lock.fetch_or(1, Ordering::Acquire);
            if old == 0 {
                break;
            }
        }
    }

    fn write_unlock(&self) {
        self.internal_lock.fetch_and(!1, Ordering::Release);
    }

    fn read_lock(&self) {
        loop {
            let old = self.internal_lock.fetch_add(2, Ordering::Acquire);
            // If this happens, something has gone very wrong.
            if old > i32::MAX as u32 {
                twizzler_rt_abi::core::twz_rt_abort();
            }
            if old & 1 == 0 {
                break;
            }
        }
    }

    fn read_unlock(&self) {
        self.internal_lock.fetch_sub(2, Ordering::Release);
    }

    pub fn set_id(&self, id: u32) {
        self.write_lock();
        unsafe {
            *self.id.get().as_mut().unwrap() = id;
        }
        self.write_unlock();
    }

    pub fn id(&self) -> u32 {
        self.read_lock();
        let id = unsafe { *self.id.get().as_ref().unwrap() };
        self.read_unlock();
        id
    }
}

pub fn post_signal(
    target: Option<ObjID>,
    signal: u64,
    flags: PostSignalFlags,
) -> Result<(), TwzError> {
    monitor_rt_post_signal(target, signal, flags)
}

#[derive(Copy, Clone, Debug)]
#[repr(C)]
pub struct MonitorStats {
    pub space: SpaceStats,
    pub thread_mgr: ThreadMgrStats,
    pub comp_mgr: CompartmentMgrStats,
    pub handles: HandleStats,
    pub dynlink: DynlinkStats,
}

#[derive(Copy, Clone, Debug)]
#[repr(C)]
pub struct SpaceStats {
    pub mapped: usize,
}

#[derive(Copy, Clone, Debug)]
#[repr(C)]
pub struct ThreadMgrStats {
    pub nr_threads: usize,
}

#[derive(Copy, Clone, Debug)]
#[repr(C)]
pub struct CompartmentMgrStats {
    pub nr_compartments: usize,
}

#[derive(Copy, Clone, Debug)]
#[repr(C)]
pub struct HandleStats {
    pub nr_comp_handles: usize,
    pub nr_lib_handles: usize,
}

#[derive(Copy, Clone, Debug)]
#[repr(C)]
pub struct DynlinkStats {
    pub nr_libs: usize,
    pub nr_comps: usize,
}

#[derive(Debug, Copy, Clone)]
#[repr(C)]
#[allow(dead_code)]
pub enum MonitorCompControlCmd {
    RuntimeReady,
    RuntimePostMain,
}

#[repr(C)]
#[derive(Clone, Copy, Debug)]
pub struct LibraryInfoRaw {
    pub name_len: usize,
    pub compartment_id: ObjID,
    pub objid: ObjID,
    pub slot: usize,
    pub start: *const u8,
    pub len: usize,
    pub dl_info: DlPhdrInfo,
    pub link_map: LinkMap,
    pub desc: Descriptor,
}

unsafe impl Crossing for LibraryInfoRaw {}

#[repr(C)]
#[derive(Clone, Copy, Debug)]
pub struct CompartmentInfoRaw {
    pub name_len: usize,
    pub id: ObjID,
    pub sctx: ObjID,
    pub flags: u64,
    pub nr_libs: usize,
    /// Exit code of the compartment's main thread (valid when EXITED flag is set).
    pub exit_code: u64,
}

#[derive(Debug, Clone, PartialEq, PartialOrd, Ord, Eq, Hash, Copy)]
#[repr(C)]
pub struct ThreadInfo {
    pub repr_id: ObjID,
}

/// Reserved instance ID for the security monitor.
pub const MONITOR_INSTANCE_ID: ObjID = ObjID::new(0);

bitflags::bitflags! {
    #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
    pub struct PostSignalFlags : u32 {
        const GROUP = 1;
        const CONTROLLER = 2;
    }
}

#[repr(C)]
#[derive(Default, Copy, Clone, Debug)]
#[allow(dead_code)]
pub enum ControllerOption {
    #[default]
    Inherit,
    NoController,
    Object(ObjID),
}

#[repr(C)]
#[derive(Default, Copy, Clone, Debug)]
#[allow(dead_code)]
pub struct CompartmentLoaderConfig {
    pub controller: ControllerOption,
    pub fd_spec: *const binding_info,
    pub fd_spec_len: usize,
}

impl CompartmentLoaderConfig {
    #[allow(dead_code)]
    pub fn with_controller(&mut self, controller: ControllerOption) -> &mut Self {
        self.controller = controller;
        self
    }

    #[allow(dead_code)]
    pub fn with_fd_spec<'a>(&'a mut self, spec: &'a [binding_info]) -> &'a mut Self {
        self.fd_spec = spec.as_ptr();
        self.fd_spec_len = spec.len();
        self
    }

    #[allow(dead_code)]
    pub fn fd_spec(&self) -> &[binding_info] {
        unsafe { core::slice::from_raw_parts(self.fd_spec, self.fd_spec_len) }
    }
}

pub fn libname_map(name: &str, id: ObjID) -> Result<(), TwzError> {
    let namelen = lazy_sb::write_bytes_to_sb(name.as_bytes());
    monitor_rt_libname_map(namelen, id)
}

pub fn libname_unmap(name: Option<&str>, id: Option<ObjID>) -> Result<(), TwzError> {
    let namelen = name.map(|name| lazy_sb::write_bytes_to_sb(name.as_bytes()));
    monitor_rt_libname_unmap(namelen, id)
}

/// Look up a library by name in the caller's compartment. Returns a library handle descriptor.
pub fn lookup_library_by_name(name: &str) -> Result<secgate::util::Descriptor, TwzError> {
    LibraryHandle::open((None, lazy_sb::write_bytes_to_sb(name.as_bytes())))
        .map(|handle| handle.desc())
}

/// Look up a symbol by name. If `lib_desc` is `None`, searches across all libraries in the
/// caller's compartment (RTLD_DEFAULT semantics). Returns the relocated symbol address.
pub fn lookup_symbol_by_name(
    lib_desc: Option<secgate::util::Descriptor>,
    name: &str,
) -> Result<usize, TwzError> {
    let name_len = lazy_sb::write_bytes_to_sb(name.as_bytes());
    monitor_rt_lookup_symbol(lib_desc, name_len)
}