/*
 * SPDX-License-Identifier: BSD-3-Clause
 *
 * Copyright (c) 1982, 1986, 1989, 1991, 1993
 *      The Regents of the University of California.  All rights reserved.
 * (c) UNIX System Laboratories, Inc.
 * All or some portions of this file are derived from material licensed
 * to the University of California by American Telephone and Telegraph
 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
 * the permission of UNIX System Laboratories, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/param.h>
#include <sys/acct.h>
#include <sys/compressor.h>
#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/proc.h>
#include <sys/signalvar.h>
#include <sys/racct.h>
#include <sys/resourcevar.h>
#include <sys/rmlock.h>
#include <sys/sysctl.h>
#include <sys/syslog.h>
#include <sys/ucoredump.h>
#include <sys/wait.h>

static int coredump(struct thread *td, const char **);

int compress_user_cores = 0;

static SLIST_HEAD(, coredumper) coredumpers =
    SLIST_HEAD_INITIALIZER(coredumpers);
static struct rmlock    coredump_rmlock;
RM_SYSINIT(coredump_lock, &coredump_rmlock, "coredump_lock");

static int kern_logsigexit = 1;
SYSCTL_INT(_kern, KERN_LOGSIGEXIT, logsigexit, CTLFLAG_RW,
    &kern_logsigexit, 0,
    "Log processes quitting on abnormal signals to syslog(3)");

static int sugid_coredump;
SYSCTL_INT(_kern, OID_AUTO, sugid_coredump, CTLFLAG_RWTUN,
    &sugid_coredump, 0, "Allow setuid and setgid processes to dump core");

static int do_coredump = 1;
SYSCTL_INT(_kern, OID_AUTO, coredump, CTLFLAG_RW,
        &do_coredump, 0, "Enable/Disable coredumps");

static int
sysctl_compress_user_cores(SYSCTL_HANDLER_ARGS)
{
        int error, val;

        val = compress_user_cores;
        error = sysctl_handle_int(oidp, &val, 0, req);
        if (error != 0 || req->newptr == NULL)
                return (error);
        if (val != 0 && !compressor_avail(val))
                return (EINVAL);
        compress_user_cores = val;
        return (error);
}
SYSCTL_PROC(_kern, OID_AUTO, compress_user_cores,
    CTLTYPE_INT | CTLFLAG_RWTUN | CTLFLAG_NEEDGIANT, 0, sizeof(int),
    sysctl_compress_user_cores, "I",
    "Enable compression of user corefiles ("
    __XSTRING(COMPRESS_GZIP) " = gzip, "
    __XSTRING(COMPRESS_ZSTD) " = zstd)");

int compress_user_cores_level = 6;
SYSCTL_INT(_kern, OID_AUTO, compress_user_cores_level, CTLFLAG_RWTUN,
    &compress_user_cores_level, 0,
    "Corefile compression level");

void
coredumper_register(struct coredumper *cd)
{

        blockcount_init(&cd->cd_refcount);
        rm_wlock(&coredump_rmlock);
        SLIST_INSERT_HEAD(&coredumpers, cd, cd_entry);
        rm_wunlock(&coredump_rmlock);
}

void
coredumper_unregister(struct coredumper *cd)
{

        rm_wlock(&coredump_rmlock);
        SLIST_REMOVE(&coredumpers, cd, coredumper, cd_entry);
        rm_wunlock(&coredump_rmlock);

        /*
         * Wait for any in-process coredumps to finish before returning.
         */
        blockcount_wait(&cd->cd_refcount, NULL, "dumpwait", 0);
}

/*
 * Force the current process to exit with the specified signal, dumping core
 * if appropriate.  We bypass the normal tests for masked and caught signals,
 * allowing unrecoverable failures to terminate the process without changing
 * signal state.  Mark the accounting record with the signal termination.
 * If dumping core, save the signal number for the debugger.  Calls exit and
 * does not return.
 */
void
sigexit(struct thread *td, int sig)
{
        struct proc *p = td->td_proc;
        int rv;
        bool logexit;

        PROC_LOCK_ASSERT(p, MA_OWNED);
        proc_set_p2_wexit(p);

        p->p_acflag |= AXSIG;
        if ((p->p_flag2 & P2_LOGSIGEXIT_CTL) == 0)
                logexit = kern_logsigexit != 0;
        else
                logexit = (p->p_flag2 & P2_LOGSIGEXIT_ENABLE) != 0;

        /*
         * We must be single-threading to generate a core dump.  This
         * ensures that the registers in the core file are up-to-date.
         * Also, the ELF dump handler assumes that the thread list doesn't
         * change out from under it.
         *
         * XXX If another thread attempts to single-thread before us
         *     (e.g. via fork()), we won't get a dump at all.
         */
        if (sig_do_core(sig) && thread_single(p, SINGLE_NO_EXIT) == 0) {
                const char *err = NULL;

                p->p_sig = sig;
                /*
                 * Log signals which would cause core dumps
                 * (Log as LOG_INFO to appease those who don't want
                 * these messages.)
                 * XXX : Todo, as well as euid, write out ruid too
                 * Note that coredump() drops proc lock.
                 */
                rv = coredump(td, &err);
                if (rv == 0) {
                        MPASS(err == NULL);
                        sig |= WCOREFLAG;
                } else if (err == NULL) {
                        switch (rv) {
                        case EFAULT:
                                err = "bad address";
                                break;
                        case EINVAL:
                                err = "invalild argument";
                                break;
                        case EFBIG:
                                err = "too large";
                                break;
                        default:
                                err = "other error";
                                break;
                        }
                }
                if (logexit)
                        log(LOG_INFO,
                            "pid %d (%s), jid %d, uid %d: exited on "
                            "signal %d (%s%s)\n", p->p_pid, p->p_comm,
                            p->p_ucred->cr_prison->pr_id,
                            td->td_ucred->cr_uid, sig &~ WCOREFLAG,
                            err != NULL ? "no core dump - " : "core dumped",
                            err != NULL ? err : "");
        } else
                PROC_UNLOCK(p);
        exit1(td, 0, sig);
        /* NOTREACHED */
}


/*
 * Dump a process' core.  The main routine does some
 * policy checking, and creates the name of the coredump;
 * then it passes on a vnode and a size limit to the process-specific
 * coredump routine if there is one; if there _is not_ one, it returns
 * ENOSYS; otherwise it returns the error from the process-specific routine.
 */
static int
coredump(struct thread *td, const char **errmsg)
{
        struct coredumper *iter, *chosen;
        struct proc *p = td->td_proc;
        struct rm_priotracker tracker;
        off_t limit;
        int error, priority;

        PROC_LOCK_ASSERT(p, MA_OWNED);
        MPASS((p->p_flag & P_HADTHREADS) == 0 || p->p_singlethread == td);

        if (!do_coredump || (!sugid_coredump && (p->p_flag & P_SUGID) != 0) ||
            (p->p_flag2 & P2_NOTRACE) != 0) {
                PROC_UNLOCK(p);

                if (!do_coredump)
                        *errmsg = "denied by kern.coredump";
                else if ((p->p_flag2 & P2_NOTRACE) != 0)
                        *errmsg = "process has trace disabled";
                else
                        *errmsg = "sugid process denied by kern.sugid_coredump";
                return (EFAULT);
        }

        /*
         * Note that the bulk of limit checking is done after
         * the corefile is created.  The exception is if the limit
         * for corefiles is 0, in which case we don't bother
         * creating the corefile at all.  This layout means that
         * a corefile is truncated instead of not being created,
         * if it is larger than the limit.
         */
        limit = (off_t)lim_cur(td, RLIMIT_CORE);
        if (limit == 0 || racct_get_available(p, RACCT_CORE) == 0) {
                PROC_UNLOCK(p);
                *errmsg = "coredumpsize limit is 0";
                return (EFBIG);
        }

        rm_rlock(&coredump_rmlock, &tracker);
        priority = -1;
        chosen = NULL;
        SLIST_FOREACH(iter, &coredumpers, cd_entry) {
                if (iter->cd_probe == NULL) {
                        /*
                         * If we haven't found anything of a higher priority
                         * yet, we'll call this a GENERIC.  Ideally, we want
                         * coredumper modules to include a probe function.
                         */
                        if (priority < 0) {
                                priority = COREDUMPER_GENERIC;
                                chosen = iter;
                        }

                        continue;
                }

                error = (*iter->cd_probe)(td);
                if (error < 0)
                        continue;

                /*
                 * Higher priority than previous options.
                 */
                if (error > priority) {
                        priority = error;
                        chosen = iter;
                }
        }

        /*
         * Acquire our refcount before we drop the lock so that
         * coredumper_unregister() can safely assume that the refcount will only
         * go down once it's dropped the rmlock.
         */
        blockcount_acquire(&chosen->cd_refcount, 1);
        rm_runlock(&coredump_rmlock, &tracker);

        /* Currently, we always have the vnode dumper built in. */
        MPASS(chosen != NULL);
        error = ((*chosen->cd_handle)(td, limit));
        PROC_LOCK_ASSERT(p, MA_NOTOWNED);

        blockcount_release(&chosen->cd_refcount, 1);

        return (error);
}