// Copyright (c) 2018, Sylabs Inc. All rights reserved.
// This software is licensed under a 3-clause BSD license. Please consult the
// LICENSE.md file distributed with the sources of this project regarding your
// rights to use or distribute this software.

package capabilities

import (
	"sort"
	"strings"
)

const (
	// Permitted capability string constant.
	Permitted string = "permitted"
	// Effective capability string constant.
	Effective = "effective"
	// Inheritable capability string constant.
	Inheritable = "inheritable"
	// Ambient capability string constant.
	Ambient = "ambient"
	// Bounding capability string constant.
	Bounding = "bounding"
)

type capability struct {
	Name        string
	Value       uint
	Description string
}

var (
	capChown = &capability{
		Name:  "CAP_CHOWN",
		Value: 0,
		Description: `CAP_CHOWN
	Make arbitrary changes to file UIDs and GIDs (see chown(2)).`,
	}

	capDacOverride = &capability{
		Name:  "CAP_DAC_OVERRIDE",
		Value: 1,
		Description: `CAP_DAC_OVERRIDE
	Bypass file read, write, and execute permission checks. (DAC is an abbreviation of "discretionary access control".)`,
	}

	capDacReadSearch = &capability{
		Name:  "CAP_DAC_READ_SEARCH",
		Value: 2,
		Description: `CAP_DAC_READ_SEARCH
	* Bypass file read permission checks and directory read and execute permission checks.
	* Invoke open_by_handle_at(2).`,
	}

	capFowner = &capability{
		Name:  "CAP_FOWNER",
		Value: 3,
		Description: `CAP_FOWNER
	* Bypass permission checks on operations that normally require the filesystem UID of the process to match the UID of
	  the file (e.g., chmod(2), utime(2)), excluding those operations covered by CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH.
	* set extended file attributes (see chattr(1)) on arbitrary files.
	* set Access Control Lists (ACLs) on arbitrary files.
	* ignore directory sticky bit on file deletion.
	* specify O_NOATIME for arbitrary files in open(2) and fcntl(2).`,
	}

	capFsetid = &capability{
		Name:  "CAP_FSETID",
		Value: 4,
		Description: `CAP_FSETID
	Don't  clear set-user-ID and set-group-ID mode bits when a file is modified; set the set-group-ID bit for a file whose
	GID does not match the filesystem or any of the supplementary GIDs of the calling process.`,
	}

	capKill = &capability{
		Name:  "CAP_KILL",
		Value: 5,
		Description: `CAP_KILL
	Bypass permission checks for sending signals (see kill(2)). This includes use of the ioctl(2) KDSIGACCEPT operation.`,
	}

	capSetgid = &capability{
		Name:  "CAP_SETGID",
		Value: 6,
		Description: `CAP_SETGID
	Make arbitrary manipulations of process GIDs and supplementary GID list; forge GID when passing socket credentials via
	UNIX domain sockets; write a group ID mapping in a user namespace (see user_namespaces(7)).`,
	}

	capSetuid = &capability{
		Name:  "CAP_SETUID",
		Value: 7,
		Description: `CAP_SETUID
	Make arbitrary manipulations of process UIDs (setuid(2), setreuid(2), setresuid(2), setfsuid(2)); forge UID when pass‐
	ing socket credentials via UNIX domain sockets; write a user ID mapping in a user namespace (see user_namespaces(7)).`,
	}

	capSetpcap = &capability{
		Name:  "CAP_SETPCAP",
		Value: 8,
		Description: `CAP_SETPCAP
	If file capabilities are not supported: grant or remove any capability in the caller's permitted capability set to or
	from any other process. (This property of CAP_SETPCAP is not available when the kernel is configured to support file
	capabilities, since CAP_SETPCAP has entirely different semantics for such kernels.)

	If file capabilities are supported: add any capability from the calling thread's bounding set to its inheritable set;
	drop capabilities from the bounding set (via prctl(2) PR_CAPBSET_DROP); make changes to the securebits flags.`,
	}

	capLinuxImmutable = &capability{
		Name:  "CAP_LINUX_IMMUTABLE",
		Value: 9,
		Description: `CAP_LINUX_IMMUTABLE
	Set the FS_APPEND_FL and FS_IMMUTABLE_FL inode flags (see chattr(1)).`,
	}

	capNetBindService = &capability{
		Name:  "CAP_NET_BIND_SERVICE",
		Value: 10,
		Description: `CAP_NET_BIND_SERVICE
	Bind a socket to Internet domain privileged ports (port numbers less than 1024).`,
	}

	capNetBroadcast = &capability{
		Name:  "CAP_NET_BROADCAST",
		Value: 11,
		Description: `CAP_NET_BROADCAST
	(Unused)  Make socket broadcasts, and listen to multicasts.`,
	}

	capNetAdmin = &capability{
		Name:  "CAP_NET_ADMIN",
		Value: 12,
		Description: `CAP_NET_ADMIN
	Perform various network-related operations:
	* interface configuration.
	* administration of IP firewall, masquerading, and accounting.
	* modify routing tables.
	* bind to any address for transparent proxying.
	* set type-of-service (TOS)
	* clear driver statistics.
	* set promiscuous mode.
	* enabling multicasting.
	* use setsockopt(2) to set the following socket options: SO_DEBUG, SO_MARK, SO_PRIORITY (for a priority outside the
	  range 0 to 6), SO_RCVBUFFORCE, and SO_SNDBUFFORCE.`,
	}

	capNetRaw = &capability{
		Name:  "CAP_NET_RAW",
		Value: 13,
		Description: `CAP_NET_RAW
	* use RAW and PACKET sockets.
	* bind to any address for transparent proxying.`,
	}

	capIpcLock = &capability{
		Name:  "CAP_IPC_LOCK",
		Value: 14,
		Description: `CAP_IPC_LOCK
	Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).`,
	}

	capIpcOwner = &capability{
		Name:  "CAP_IPC_OWNER",
		Value: 15,
		Description: `CAP_IPC_OWNER
	Bypass permission checks for operations on System V IPC objects.`,
	}

	capSysModule = &capability{
		Name:  "CAP_SYS_MODULE",
		Value: 16,
		Description: `CAP_SYS_MODULE
	Load and unload kernel modules (see init_module(2) and delete_module(2)); in kernels before 2.6.25: drop capabilities
	from the system-wide capability bounding set.`,
	}

	capSysRawio = &capability{
		Name:  "CAP_SYS_RAWIO",
		Value: 17,
		Description: `CAP_SYS_RAWIO
	* Perform I/O port operations (iopl(2) and ioperm(2)).
	* access /proc/kcore.
	* employ the FIBMAP ioctl(2) operation.
	* open devices for accessing x86 model-specific registers (MSRs, see msr(4)).
	* update /proc/sys/vm/mmap_min_addr.
	* create memory mappings at addresses below the value specified by /proc/sys/vm/mmap_min_addr.
	* map files in /proc/bus/pci.
	* open /dev/mem and /dev/kmem.
	* perform various SCSI device commands.
	* perform certain operations on hpsa(4) and cciss(4) devices.
	* perform a range of device-specific operations on other devices.`,
	}

	capSysChroot = &capability{
		Name:  "CAP_SYS_CHROOT",
		Value: 18,
		Description: `CAP_SYS_CHROOT
	Use chroot(2).`,
	}

	capSysPtrace = &capability{
		Name:  "CAP_SYS_PTRACE",
		Value: 19,
		Description: `CAP_SYS_PTRACE
	*  Trace arbitrary processes using ptrace(2).
	*  apply get_robust_list(2) to arbitrary processes.
	*  transfer data to or from the memory of arbitrary processes using process_vm_readv(2) and process_vm_writev(2).
	*  inspect processes using kcmp(2).`,
	}

	capSysPacct = &capability{
		Name:  "CAP_SYS_PACCT",
		Value: 20,
		Description: `CAP_SYS_PACCT
	Use acct(2).`,
	}

	capSysAdmin = &capability{
		Name:  "CAP_SYS_ADMIN",
		Value: 21,
		Description: `CAP_SYS_ADMIN
	* Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2),
	  swapoff(2), sethostname(2), and setdomainname(2).
	* perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations).
	* perform VM86_REQUEST_IRQ vm86(2) command.
	* perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects.
	* override RLIMIT_NPROC resource limit.
	* perform operations on trusted and security Extended Attributes (see xattr(7)).
	* use lookup_dcookie(2).
	* use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes.
	* forge PID when passing socket credentials via UNIX domain sockets.
	* exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files
	  (e.g., accept(2), execve(2), open(2), pipe(2)).
	* employ CLONE_* flags that create new namespaces with clone(2) and unshare(2) (but, since Linux 3.8, creating user
	  namespaces does not require any capability).
	* call perf_event_open(2).
	* access privileged perf event information.
	* call setns(2) (requires CAP_SYS_ADMIN in the target namespace).
	* call fanotify_init(2).
	* call bpf(2).
	* perform KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations.
	* perform madvise(2) MADV_HWPOISON operation.
	* employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller's control‐
	  ling terminal.
	* employ the obsolete nfsservctl(2) system call.
	* employ the obsolete bdflush(2) system call.
	* perform various privileged block-device ioctl(2) operations.
	* perform various privileged filesystem ioctl(2) operations.
	* perform administrative operations on many device drivers.`,
	}

	capSysBoot = &capability{
		Name:  "CAP_SYS_BOOT",
		Value: 22,
		Description: `CAP_SYS_BOOT
	Use reboot(2) and kexec_load(2).`,
	}

	capSysNice = &capability{
		Name:  "CAP_SYS_NICE",
		Value: 23,
		Description: `CAP_SYS_NICE
	* Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
	* set real-time scheduling policies for calling process, and set scheduling policies and priorities for arbitrary
	  processes (sched_setscheduler(2), sched_setparam(2), shed_setattr(2)).
	* set CPU affinity for arbitrary processes (sched_setaffinity(2)).
	* set I/O scheduling class and priority for arbitrary processes (ioprio_set(2)).
	* apply migrate_pages(2) to arbitrary processes and allow processes to be migrated to arbitrary nodes.
	* apply move_pages(2) to arbitrary processes.
	* use the MPOL_MF_MOVE_ALL flag with mbind(2) and move_pages(2).`,
	}

	capSysResource = &capability{
		Name:  "CAP_SYS_RESOURCE",
		Value: 24,
		Description: `CAP_SYS_RESOURCE
	* Use reserved space on ext2 filesystems.
	* make ioctl(2) calls controlling ext3 journaling.
	* override disk quota limits.
	* increase resource limits (see setrlimit(2)).
	* override RLIMIT_NPROC resource limit.
	* override maximum number of consoles on console allocation.
	* override maximum number of keymaps.
	* allow more than 64hz interrupts from the real-time clock.
	* raise msg_qbytes limit for a System V message queue above the limit in /proc/sys/kernel/msgmnb (see msgop(2) and
	  msgctl(2)).
	* override the /proc/sys/fs/pipe-size-max limit when setting the capacity of a pipe using the F_SETPIPE_SZ fcntl(2)
	  command.
	* use F_SETPIPE_SZ to increase the capacity of a pipe above the limit specified by /proc/sys/fs/pipe-max-size.
	* override /proc/sys/fs/mqueue/queues_max limit when creating POSIX message queues (see mq_overview(7)).
	* employ prctl(2) PR_SET_MM operation.
	* set /proc/PID/oom_score_adj to a value lower than the value last set by a process with CAP_SYS_RESOURCE.`,
	}

	capSysTime = &capability{
		Name:  "CAP_SYS_TIME",
		Value: 25,
		Description: `CAP_SYS_TIME
	Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.`,
	}

	capSysTtyConfig = &capability{
		Name:  "CAP_SYS_TTY_CONFIG",
		Value: 26,
		Description: `CAP_SYS_TTY_CONFIG
	Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.`,
	}

	capMknod = &capability{
		Name:  "CAP_MKNOD",
		Value: 27,
		Description: `CAP_SYS_MKNOD (since Linux 2.4)
	Create special files using mknod(2).`,
	}

	capLease = &capability{
		Name:  "CAP_LEASE",
		Value: 28,
		Description: `CAP_LEASE (since Linux 2.4)
	Establish leases on arbitrary files (see fcntl(2)).`,
	}

	capAuditWrite = &capability{
		Name:  "CAP_AUDIT_WRITE",
		Value: 29,
		Description: `CAP_AUDIT_WRITE (since Linux 2.6.11)
	Write records to kernel auditing log.`,
	}

	capAuditControl = &capability{
		Name:  "CAP_AUDIT_CONTROL",
		Value: 30,
		Description: `CAP_AUDIT_CONTROL (since Linux 2.6.11)
	Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.`,
	}

	capSetfcap = &capability{
		Name:  "CAP_SETFCAP",
		Value: 31,
		Description: `CAP_SETFCAP (since Linux 2.6.24)
	Set file capabilities.`,
	}

	capMacOverride = &capability{
		Name:  "CAP_MAC_OVERRIDE",
		Value: 32,
		Description: `CAP_MAC_OVERRIDE (since Linux 2.6.25)
	Allow MAC configuration or state changes. Implemented for the Smack LSM.`,
	}

	capMacAdmin = &capability{
		Name:  "CAP_MAC_ADMIN",
		Value: 33,
		Description: `CAP_MAC_ADMIN (since Linux 2.6.25)
	Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).`,
	}

	capSyslog = &capability{
		Name:  "CAP_SYSLOG",
		Value: 34,
		Description: `CAP_SYSLOG (since Linux 2.6.37)
	* Perform privileged syslog(2) operations. See syslog(2) for information on which operations require privilege.
	* View kernel addresses exposed via /proc and other interfaces when /proc/sys/kernel/kptr_restrict has the value 1.
	  (See the discussion of the kptr_restrict in proc(5).)`,
	}

	capWakeAlarm = &capability{
		Name:  "CAP_WAKE_ALARM",
		Value: 35,
		Description: `CAP_WAKE_ALARM (since Linux 3.0)
	Trigger something that will wake up the system (set CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers).`,
	}

	capBlockSuspend = &capability{
		Name:  "CAP_BLOCK_SUSPEND",
		Value: 36,
		Description: `CAP_BLOCK_SUSPEND (since Linux 3.5)
	Employ features that can block system suspend (epoll(7) EPOLLWAKEUP, /proc/sys/wake_lock).`,
	}

	capAuditRead = &capability{
		Name:  "CAP_AUDIT_READ",
		Value: 37,
		Description: `CAP_AUDIT_READ (since Linux 3.16)
	Allow reading the audit log via a multicast netlink socket.`,
	}

	capPerfmon = &capability{
		Name:  "CAP_PERFMON",
		Value: 38,
		Description: `CAP_PERFMON (since Linux 5.8)
	Employ various performance-monitoring mechanisms, including:
	* call perf_event_open(2);
	* employ various BPF operations that have performance implications.`,
	}

	capBPF = &capability{
		Name:  "CAP_BPF",
		Value: 39,
		Description: `CAP_BPF (since Linux 5.8)
	Employ privileged BPF operations; see bpf(2) and bpf-helpers(7).`,
	}

	capCheckpointRestore = &capability{
		Name:  "CAP_CHECKPOINT_RESTORE",
		Value: 40,
		Description: `CAP_CHECKPOINT_RESTORE (since Linux 5.9)
	* Update /proc/sys/kernel/ns_last_pid (see pid_namespaces(7));
	* employ the set_tid feature of clone3(2);
	* read the contents of the symbolic links in /proc/[pid]/map_files for other processes.`,
	}
)

// Map maps each capability name to a struct with details about the capability.
var Map = map[string]*capability{
	"CAP_CHOWN":              capChown,
	"CAP_DAC_OVERRIDE":       capDacOverride,
	"CAP_DAC_READ_SEARCH":    capDacReadSearch,
	"CAP_FOWNER":             capFowner,
	"CAP_FSETID":             capFsetid,
	"CAP_KILL":               capKill,
	"CAP_SETGID":             capSetgid,
	"CAP_SETUID":             capSetuid,
	"CAP_SETPCAP":            capSetpcap,
	"CAP_LINUX_IMMUTABLE":    capLinuxImmutable,
	"CAP_NET_BIND_SERVICE":   capNetBindService,
	"CAP_NET_BROADCAST":      capNetBroadcast,
	"CAP_NET_ADMIN":          capNetAdmin,
	"CAP_NET_RAW":            capNetRaw,
	"CAP_IPC_LOCK":           capIpcLock,
	"CAP_IPC_OWNER":          capIpcOwner,
	"CAP_SYS_MODULE":         capSysModule,
	"CAP_SYS_RAWIO":          capSysRawio,
	"CAP_SYS_CHROOT":         capSysChroot,
	"CAP_SYS_PTRACE":         capSysPtrace,
	"CAP_SYS_PACCT":          capSysPacct,
	"CAP_SYS_ADMIN":          capSysAdmin,
	"CAP_SYS_BOOT":           capSysBoot,
	"CAP_SYS_NICE":           capSysNice,
	"CAP_SYS_RESOURCE":       capSysResource,
	"CAP_SYS_TIME":           capSysTime,
	"CAP_SYS_TTY_CONFIG":     capSysTtyConfig,
	"CAP_MKNOD":              capMknod,
	"CAP_LEASE":              capLease,
	"CAP_AUDIT_WRITE":        capAuditWrite,
	"CAP_AUDIT_CONTROL":      capAuditControl,
	"CAP_SETFCAP":            capSetfcap,
	"CAP_MAC_OVERRIDE":       capMacOverride,
	"CAP_MAC_ADMIN":          capMacAdmin,
	"CAP_SYSLOG":             capSyslog,
	"CAP_WAKE_ALARM":         capWakeAlarm,
	"CAP_BLOCK_SUSPEND":      capBlockSuspend,
	"CAP_AUDIT_READ":         capAuditRead,
	"CAP_PERFMON":            capPerfmon,
	"CAP_BPF":                capBPF,
	"CAP_CHECKPOINT_RESTORE": capCheckpointRestore,
}

// Normalize takes a slice of capabilities, normalizes and unwraps CAP_ALL.
// The return values are a two slices: normalized capabilities slice that
// are valid and a slice with unrecognized capabilities.
func Normalize(capabilities []string) ([]string, []string) {
	const capAll = "CAP_ALL"

	capabilities = normalize(capabilities)

	//nolint:prealloc
	var included []string
	var excluded []string
	for _, capb := range capabilities {
		if capb == capAll {
			// do not reallocate memory if already did
			// this will NOT panic in case of nil slice
			excluded = excluded[:0]
			included = included[:0]
			for capb := range Map {
				included = append(included, capb)
			}
			break
		}
		if _, ok := Map[capb]; !ok {
			excluded = append(excluded, capb)
			continue
		}
		included = append(included, capb)
	}

	return RemoveDuplicated(included), RemoveDuplicated(excluded)
}

// Split takes a list of capabilities separated by commas and
// returns a string list with normalized capability name and a
// second list with unrecognized capabilities.
func Split(caps string) ([]string, []string) {
	if caps == "" {
		return []string{}, []string{}
	}
	return Normalize(strings.Split(caps, ","))
}

// RemoveDuplicated removes duplicated capabilities from provided list.
// It does not make copy of a passed list.
func RemoveDuplicated(caps []string) []string {
	for i := 0; i < len(caps); i++ {
		for j := i + 1; j < len(caps); j++ {
			if caps[i] == caps[j] {
				caps[j] = caps[len(caps)-1]
				caps = caps[:len(caps)-1]
				j--
			}
		}
	}
	return caps
}

func normalize(capabilities []string) []string {
	const capPrefix = "CAP_"
	for i, capb := range capabilities {
		capb = strings.TrimSpace(capb)
		capb = strings.ToUpper(capb)
		if !strings.HasPrefix(capb, capPrefix) {
			capb = capPrefix + capb
		}
		capabilities[i] = capb
	}
	return capabilities
}

// ToStrings returns a list of string CAP_ values from a uint64 capability set.
// If a capability bit is set that is not in Map, it is ignored.
func ToStrings(c uint64) []string {
	s := []string{}
	for _, cap := range Map {
		if c&uint64(1<<cap.Value) != 0 {
			s = append(s, cap.Name)
		}
	}
	sort.Strings(s)
	return s
}