package org.elasticsearch.bootstrap;

import com.sun.jna.Library;
import com.sun.jna.Memory;
import com.sun.jna.Native;
import com.sun.jna.NativeLong;
import com.sun.jna.Pointer;
import com.sun.jna.Structure;
import com.sun.jna.ptr.PointerByReference;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.lucene.util.Constants;
import org.apache.lucene.util.IOUtils;
import org.elasticsearch.bootstrap.JNACLibrary;
import org.elasticsearch.bootstrap.JNAKernel32Library;
import org.elasticsearch.common.logging.ESLogger;
import org.elasticsearch.common.logging.Loggers;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-303.zip:modules/system/layers/fuse/org/elasticsearch/main/elasticsearch-2.2.0.jar:org/elasticsearch/bootstrap/Seccomp.class */
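/**
 * Installs an operating-system level restriction that stops this JVM from starting child
 * processes, so that code running inside it cannot fork or exec another program.
 *
 * <p>The mechanism depends on the platform (see {@link #init(Path)}):
 * <ul>
 *   <li>Linux: a seccomp BPF filter that fails {@code fork}, {@code vfork}, {@code execve} and
 *       {@code execveat} with {@code EACCES}.</li>
 *   <li>OS X: {@code RLIMIT_NPROC} set to zero plus a seatbelt profile denying
 *       {@code process-fork} and {@code process-exec}.</li>
 *   <li>Solaris: {@code priv_set} turning off {@code proc_fork} and {@code proc_exec}.</li>
 *   <li>FreeBSD / OpenBSD: {@code RLIMIT_NPROC} set to zero.</li>
 *   <li>Windows: a job object with an active-process limit of one.</li>
 * </ul>
 *
 * <p>Every failure to install the restriction is reported as an
 * {@link UnsupportedOperationException}; nothing in this class decides whether the process may
 * continue without the restriction, that is left to the caller.
 *
 * <p>This listing is decompiler output: the decompiler notes that several members were
 * package-private in the original class and are shown here with widened modifiers.
 */
public final class Seccomp {
    private static final ESLogger logger = Loggers.getLogger(Seccomp.class);

    /** libc binding for Linux; {@code null} when not running on Linux or when linking failed. */
    private static final LinuxLibrary linux_libc;

    // seccomp(2) operation and flag.
    static final int SECCOMP_SET_MODE_FILTER = 1;
    /** Asks the kernel to apply the filter to every thread of the process, not only the caller. */
    static final int SECCOMP_FILTER_FLAG_TSYNC = 1;

    // prctl(2) options used for probing and for the fallback installation path.
    static final int PR_GET_NO_NEW_PRIVS = 39;
    static final int PR_SET_NO_NEW_PRIVS = 38;
    static final int PR_GET_SECCOMP = 21;
    static final int PR_SET_SECCOMP = 22;
    static final long SECCOMP_MODE_FILTER = 2;

    // Classic BPF opcode components; an instruction code is the sum of the parts it needs.
    static final int BPF_LD = 0;
    static final int BPF_W = 0;
    static final int BPF_ABS = 32;
    static final int BPF_JMP = 5;
    static final int BPF_JEQ = 16;
    static final int BPF_JGE = 48;
    static final int BPF_JGT = 32;
    static final int BPF_RET = 6;
    static final int BPF_K = 0;

    // seccomp filter return values: the action lives in the high bits, the data in the low 16.
    static final int SECCOMP_RET_ERRNO = 0x00050000;
    static final int SECCOMP_RET_DATA = 0x0000FFFF;
    static final int SECCOMP_RET_ALLOW = 0x7FFF0000;

    // errno values inspected while probing the kernel.
    static final int EACCES = 13;
    static final int EFAULT = 14;
    static final int EINVAL = 22;
    static final int ENOSYS = 38;

    // Byte offsets of the syscall number and the architecture inside the data a filter reads.
    static final int SECCOMP_DATA_NR_OFFSET = 0;
    static final int SECCOMP_DATA_ARCH_OFFSET = 4;

    /** Per-architecture syscall numbers, keyed by the value of {@code Constants.OS_ARCH}. */
    private static final Map<String, Arch> ARCHITECTURES;

    /** libc binding for OS X; {@code null} when not running on OS X or when linking failed. */
    private static final MacLibrary libc_mac;
    static final int SANDBOX_NAMED = 1;
    /** Seatbelt profile: allow everything except creating or executing processes. */
    static final String SANDBOX_RULES = "(version 1) (allow default) (deny process-fork) (deny process-exec)";

    /** libc binding for Solaris; {@code null} when not running on Solaris or when linking failed. */
    private static final SolarisLibrary libc_solaris;
    static final int PRIV_OFF = 1;
    /** Passed to {@code priv_set} as the set argument; assigned {@code null} in the initializer. */
    static final String PRIV_ALLSETS;
    static final String PRIV_PROC_FORK = "proc_fork";
    static final String PRIV_PROC_EXEC = "proc_exec";

    /** True when the OS name starts with "OpenBSD". */
    static final boolean OPENBSD;
    static final int RLIMIT_NPROC = 7;

    /**
     * Architecture-specific values needed to build the Linux filter. The filter is only valid
     * for the architecture whose numbers it was built from, which is why it checks the
     * architecture before it looks at the syscall number.
     */
    public static class Arch {
        /** Audit architecture identifier the filter compares against the running architecture. */
        final int audit;
        /** Highest syscall number the filter accepts; anything above it is denied. */
        final int limit;
        /** Syscall number of fork. */
        final int fork;
        /** Syscall number of vfork. */
        final int vfork;
        /** Syscall number of execve. */
        final int execve;
        /** Syscall number of execveat. */
        final int execveat;
        /** Syscall number of seccomp itself, used to invoke it through syscall(). */
        final int seccomp;

        Arch(int audit, int limit, int fork, int vfork, int execve, int execveat, int seccomp) {
            this.audit = audit;
            this.limit = limit;
            this.fork = fork;
            this.vfork = vfork;
            this.execve = execve;
            this.execveat = execveat;
            this.seccomp = seccomp;
        }
    }

    /** JNA mapping of the two libc functions used on Linux. */
    public interface LinuxLibrary extends Library {
        int prctl(int option, NativeLong arg2, NativeLong arg3, NativeLong arg4, NativeLong arg5);

        NativeLong syscall(NativeLong number, Object... args);
    }

    /** JNA mapping of the seatbelt functions used on OS X. */
    public interface MacLibrary extends Library {
        int sandbox_init(String profile, long flags, PointerByReference errorbuf);

        void sandbox_free_error(Pointer errorbuf);
    }

    /**
     * Native representation of a filter program: an instruction count plus a pointer to the
     * packed instructions. The fields are public because JNA reads them reflectively in the
     * order given by {@link #getFieldOrder()}.
     */
    public static final class SockFProg extends Structure implements Structure.ByReference {
        public short len;
        public Pointer filter;

        /**
         * Packs the instructions into native memory in the platform's byte order.
         *
         * @param filters the program, in execution order
         */
        public SockFProg(SockFilter[] filters) {
            this.len = (short) filters.length;
            // Each instruction is written as 2 + 1 + 1 + 4 = 8 bytes (code, jt, jf, k).
            Memory memory = new Memory(this.len * 8);
            ByteBuffer packed = memory.getByteBuffer(0L, this.len * 8);
            packed.order(ByteOrder.nativeOrder());
            for (SockFilter insn : filters) {
                packed.putShort(insn.code);
                packed.put(insn.jt);
                packed.put(insn.jf);
                packed.putInt(insn.k);
            }
            this.filter = memory;
        }

        protected List<String> getFieldOrder() {
            return Arrays.asList("len", "filter");
        }
    }

    /** One BPF instruction: opcode, jump-if-true offset, jump-if-false offset, operand. */
    public static final class SockFilter {
        short code;
        byte jt;
        byte jf;
        int k;

        SockFilter(short code, byte jt, byte jf, int k) {
            this.code = code;
            this.jt = jt;
            this.jf = jf;
            this.k = k;
        }
    }

    /** JNA mapping of the privilege function used on Solaris. */
    public interface SolarisLibrary extends Library {
        int priv_set(int op, String which, String... privs);
    }

    Seccomp() {
    }

    /** Builds a non-branching instruction (both jump offsets are zero). */
    static SockFilter BPF_STMT(int code, int k) {
        return new SockFilter((short) code, (byte) 0, (byte) 0, k);
    }

    /**
     * Builds a conditional jump. The offsets are relative to the instruction that follows:
     * {@code jt} is taken when the comparison with {@code k} holds, {@code jf} otherwise.
     */
    static SockFilter BPF_JUMP(int code, int k, int jt, int jf) {
        return new SockFilter((short) code, (byte) jt, (byte) jf, k);
    }

    /** Calls prctl through the Linux binding, wrapping the long arguments for JNA. */
    private static int linux_prctl(int option, long arg2, long arg3, long arg4, long arg5) {
        return linux_libc.prctl(option, new NativeLong(arg2), new NativeLong(arg3), new NativeLong(arg4), new NativeLong(arg5));
    }

    /** Calls syscall through the Linux binding and unwraps the native result. */
    private static long linux_syscall(long number, Object... args) {
        return linux_libc.syscall(new NativeLong(number), args).longValue();
    }

    /**
     * Probes the kernel, sets no_new_privs and installs the seccomp filter on Linux.
     *
     * <p>The probes come first on purpose: each one calls the kernel with a deliberately invalid
     * argument and requires the call to fail with {@code EINVAL} or {@code ENOSYS}. If a bogus
     * call appears to succeed, the return values cannot be trusted and installation is refused
     * rather than reported as successful.
     *
     * <p>Installation is attempted with the seccomp syscall and the TSYNC flag. If that fails the
     * filter is installed with {@code prctl(PR_SET_SECCOMP)} instead; without TSYNC the filter
     * applies to the calling thread and threads it creates afterwards, so threads that already
     * exist keep running unfiltered. The return value tells the caller which of the two happened.
     *
     * @return 1 when the filter was installed through the seccomp syscall (logged as threads
     *     "all"), 0 when the prctl fallback was used (logged as threads "app")
     * @throws UnsupportedOperationException if the platform is unsupported, a probe gives an
     *     unexpected answer, or installation fails or cannot be verified
     */
    private static int linuxImpl() {
        final Arch arch = ARCHITECTURES.get(Constants.OS_ARCH);
        if (!Constants.LINUX || arch == null) {
            throw new UnsupportedOperationException("seccomp unavailable: '" + Constants.OS_ARCH + "' architecture unsupported");
        }
        if (linux_libc == null) {
            throw new UnsupportedOperationException("seccomp unavailable: could not link methods. requires kernel 3.5+ with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled in");
        }

        // Probe 1: a syscall number that should not exist must fail with ENOSYS.
        if (linux_syscall(999) >= 0 || Native.getLastError() != ENOSYS) {
            throw new UnsupportedOperationException("seccomp unavailable: your kernel is buggy and you should upgrade");
        }

        // Deliberately meaningless value (0xF7A46A5C) used as operation, flag and option below.
        final int bogusArg = -140219812;

        // Probe 2: seccomp with a bogus operation must be rejected.
        long ret = linux_syscall(arch.seccomp, bogusArg);
        if (ret != -1) {
            throw new UnsupportedOperationException("seccomp unavailable: seccomp(BOGUS_OPERATION) returned " + ret);
        }
        int errno = Native.getLastError();
        if (errno != EINVAL && errno != ENOSYS) {
            throw new UnsupportedOperationException("seccomp(BOGUS_OPERATION): " + JNACLibrary.strerror(errno));
        }

        // Probe 3: seccomp with a valid operation but a bogus flag must be rejected.
        ret = linux_syscall(arch.seccomp, SECCOMP_SET_MODE_FILTER, bogusArg);
        if (ret != -1) {
            throw new UnsupportedOperationException("seccomp unavailable: seccomp(SECCOMP_SET_MODE_FILTER, BOGUS_FLAG) returned " + ret);
        }
        errno = Native.getLastError();
        if (errno != EINVAL && errno != ENOSYS) {
            throw new UnsupportedOperationException("seccomp(SECCOMP_SET_MODE_FILTER, BOGUS_FLAG): " + JNACLibrary.strerror(errno));
        }

        // Probe 4: prctl with a bogus option must be rejected.
        ret = linux_prctl(bogusArg, 0, 0, 0, 0);
        if (ret != -1) {
            throw new UnsupportedOperationException("seccomp unavailable: prctl(BOGUS_OPTION) returned " + ret);
        }
        errno = Native.getLastError();
        if (errno != EINVAL && errno != ENOSYS) {
            throw new UnsupportedOperationException("prctl(BOGUS_OPTION): " + JNACLibrary.strerror(errno));
        }

        // The kernel must know no_new_privs; the only valid answers are 0 (unset) and 1 (set).
        int noNewPrivs = linux_prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
        if (noNewPrivs != 0 && noNewPrivs != 1) {
            errno = Native.getLastError();
            if (errno == EINVAL) {
                throw new UnsupportedOperationException("seccomp unavailable: requires kernel 3.5+ with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled in");
            }
            throw new UnsupportedOperationException("prctl(PR_GET_NO_NEW_PRIVS): " + JNACLibrary.strerror(errno));
        }

        // The kernel must know seccomp; valid answers are 0 (off) and 2 (filter mode already on).
        int mode = linux_prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
        if (mode != 0 && mode != SECCOMP_MODE_FILTER) {
            errno = Native.getLastError();
            if (errno == EINVAL) {
                throw new UnsupportedOperationException("seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed");
            }
            throw new UnsupportedOperationException("prctl(PR_GET_SECCOMP): " + JNACLibrary.strerror(errno));
        }

        // Filter mode itself must be supported. The call passes no filter (address 0), so
        // EFAULT is the answer that shows the mode is understood; EINVAL means it is not.
        if (linux_prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 0, 0, 0) != 0) {
            errno = Native.getLastError();
            switch (errno) {
                case EFAULT:
                    break;
                case EINVAL:
                    throw new UnsupportedOperationException("seccomp unavailable: CONFIG_SECCOMP_FILTER not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed");
                default:
                    throw new UnsupportedOperationException("prctl(PR_SET_SECCOMP): " + JNACLibrary.strerror(errno));
            }
        }

        // Set no_new_privs and read it back instead of trusting the return value alone.
        if (linux_prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) {
            throw new UnsupportedOperationException("prctl(PR_SET_NO_NEW_PRIVS): " + JNACLibrary.strerror(Native.getLastError()));
        }
        if (linux_prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) != 1) {
            throw new UnsupportedOperationException("seccomp filter did not really succeed: prctl(PR_GET_NO_NEW_PRIVS): " + JNACLibrary.strerror(Native.getLastError()));
        }

        // The filter. Instruction 9 is the single deny exit; every jump offset below lands on it.
        // Only the four listed syscall numbers are compared; every other number at or below
        // arch.limit falls through to ALLOW.
        final int load = BPF_LD + BPF_W + BPF_ABS;
        final int jumpIfEqual = BPF_JMP + BPF_JEQ + BPF_K;
        final int jumpIfGreater = BPF_JMP + BPF_JGT + BPF_K;
        final int ret0 = BPF_RET + BPF_K;
        SockFilter[] insns = {
            /* 0 */ BPF_STMT(load, SECCOMP_DATA_ARCH_OFFSET),
            /* 1 */ BPF_JUMP(jumpIfEqual, arch.audit, 0, 7),     // wrong architecture -> deny
            /* 2 */ BPF_STMT(load, SECCOMP_DATA_NR_OFFSET),
            /* 3 */ BPF_JUMP(jumpIfGreater, arch.limit, 5, 0),   // number above limit -> deny
            /* 4 */ BPF_JUMP(jumpIfEqual, arch.fork, 4, 0),      // fork -> deny
            /* 5 */ BPF_JUMP(jumpIfEqual, arch.vfork, 3, 0),     // vfork -> deny
            /* 6 */ BPF_JUMP(jumpIfEqual, arch.execve, 2, 0),    // execve -> deny
            /* 7 */ BPF_JUMP(jumpIfEqual, arch.execveat, 1, 0),  // execveat -> deny
            /* 8 */ BPF_STMT(ret0, SECCOMP_RET_ALLOW),
            /* 9 */ BPF_STMT(ret0, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
        };
        SockFProg prog = new SockFProg(insns);
        prog.write();
        long pointer = Pointer.nativeValue(prog.getPointer());

        // Preferred path: seccomp syscall with TSYNC. Fallback: prctl, which has no TSYNC.
        int method = 1;
        if (linux_syscall(arch.seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_TSYNC, new NativeLong(pointer)) != 0) {
            method = 0;
            int seccompErrno = Native.getLastError();
            if (logger.isDebugEnabled()) {
                logger.debug("seccomp(SECCOMP_SET_MODE_FILTER): " + JNACLibrary.strerror(seccompErrno) + ", falling back to prctl(PR_SET_SECCOMP)...");
            }
            if (linux_prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, pointer, 0, 0) != 0) {
                throw new UnsupportedOperationException("seccomp(SECCOMP_SET_MODE_FILTER): " + JNACLibrary.strerror(seccompErrno) + ", prctl(PR_SET_SECCOMP): " + JNACLibrary.strerror(Native.getLastError()));
            }
        }

        // Read the mode back: a zero return from the install call is not accepted as proof.
        if (linux_prctl(PR_GET_SECCOMP, 0, 0, 0, 0) != SECCOMP_MODE_FILTER) {
            throw new UnsupportedOperationException("seccomp filter installation did not really succeed. seccomp(PR_GET_SECCOMP): " + JNACLibrary.strerror(Native.getLastError()));
        }

        // The decompiled listing referenced an unrelated OSGi constant here whose value is "app";
        // the plain literal avoids a dependency this class does not otherwise have.
        logger.debug("Linux seccomp filter installation successful, threads: [{}]", method == 1 ? "all" : "app");
        return method;
    }

    /**
     * Initializes the OS X seatbelt sandbox from {@link #SANDBOX_RULES}.
     *
     * <p>The profile is written to a temporary file because {@code sandbox_init} is given a path.
     * The file is removed on every exit path; after a failure the removal is best-effort so that
     * it cannot mask the original error.
     *
     * @param path directory in which the temporary profile file is created
     * @throws IOException if the profile file cannot be created, written or deleted
     * @throws UnsupportedOperationException if seatbelt could not be linked or
     *     {@code sandbox_init} reports an error
     */
    private static void macImpl(Path path) throws IOException {
        if (!Constants.MAC_OS_X) {
            throw new IllegalStateException("bug: should not be trying to initialize seatbelt for an unsupported OS");
        }
        if (libc_mac == null) {
            throw new UnsupportedOperationException("seatbelt unavailable: could not link methods. requires Leopard or above.");
        }
        Path rules = Files.createTempFile(path, "es", "sb");
        boolean success = false;
        try {
            // Written inside the try so that a failed write does not leave the file behind.
            Files.write(rules, Collections.singleton(SANDBOX_RULES), StandardCharsets.UTF_8);
            PointerByReference errorRef = new PointerByReference();
            if (libc_mac.sandbox_init(rules.toAbsolutePath().toString(), SANDBOX_NAMED, errorRef) != 0) {
                Pointer errorBuf = errorRef.getValue();
                // Copy the message before releasing the native buffer that holds it.
                RuntimeException failure = new UnsupportedOperationException("sandbox_init(): " + errorBuf.getString(0));
                libc_mac.sandbox_free_error(errorBuf);
                throw failure;
            }
            logger.debug("OS X seatbelt initialization successful");
            success = true;
        } finally {
            if (success) {
                Files.delete(rules);
            } else {
                IOUtils.deleteFilesIgnoringExceptions(rules);
            }
        }
    }

    /**
     * Turns off the {@code proc_fork} and {@code proc_exec} privileges on Solaris.
     *
     * @throws UnsupportedOperationException if {@code priv_set} could not be linked or fails
     */
    static void solarisImpl() {
        if (!Constants.SUN_OS) {
            throw new IllegalStateException("bug: should not be trying to initialize priv_set for an unsupported OS");
        }
        if (libc_solaris == null) {
            throw new UnsupportedOperationException("priv_set unavailable: could not link methods. requires Solaris 10+");
        }
        // The trailing null is passed through to the native variadic call as its last argument.
        if (libc_solaris.priv_set(PRIV_OFF, PRIV_ALLSETS, PRIV_PROC_FORK, PRIV_PROC_EXEC, null) != 0) {
            throw new UnsupportedOperationException("priv_set unavailable: priv_set(): " + JNACLibrary.strerror(Native.getLastError()));
        }
        logger.debug("Solaris priv_set initialization successful");
    }

    /**
     * Sets both the soft and the hard {@code RLIMIT_NPROC} limit to zero on FreeBSD, OpenBSD and
     * OS X. Lowering the hard limit as well is what keeps the soft limit from being raised again.
     *
     * @throws UnsupportedOperationException if {@code setrlimit} fails
     */
    static void bsdImpl() {
        if (!(Constants.FREE_BSD || OPENBSD || Constants.MAC_OS_X)) {
            throw new IllegalStateException("bug: should not be trying to initialize RLIMIT_NPROC for an unsupported OS");
        }
        JNACLibrary.Rlimit limit = new JNACLibrary.Rlimit();
        limit.rlim_cur.setValue(0L);
        limit.rlim_max.setValue(0L);
        if (JNACLibrary.setrlimit(RLIMIT_NPROC, limit) != 0) {
            throw new UnsupportedOperationException("RLIMIT_NPROC unavailable: " + JNACLibrary.strerror(Native.getLastError()));
        }
        logger.debug("BSD RLIMIT_NPROC initialization successful");
    }

    /**
     * Places the current process in a new Windows job object whose active-process limit is one.
     *
     * <p>The job handle is closed in the {@code finally} block on every path, including after a
     * successful assignment.
     *
     * @throws UnsupportedOperationException if any of the job-object calls fails
     */
    static void windowsImpl() {
        if (!Constants.WINDOWS) {
            throw new IllegalStateException("bug: should not be trying to initialize ActiveProcessLimit for an unsupported OS");
        }
        final int basicLimitInformationClass = 2; // JobObjectBasicLimitInformation
        final int limitActiveProcess = 8;         // JOB_OBJECT_LIMIT_ACTIVE_PROCESS

        JNAKernel32Library kernel32 = JNAKernel32Library.getInstance();
        Pointer job = kernel32.CreateJobObjectW(null, null);
        if (job == null) {
            throw new UnsupportedOperationException("CreateJobObject: " + Native.getLastError());
        }
        try {
            // Read the current limits first so that only the two fields below are changed.
            JNAKernel32Library.JOBOBJECT_BASIC_LIMIT_INFORMATION limits = new JNAKernel32Library.JOBOBJECT_BASIC_LIMIT_INFORMATION();
            limits.write();
            if (!kernel32.QueryInformationJobObject(job, basicLimitInformationClass, limits.getPointer(), limits.size(), null)) {
                throw new UnsupportedOperationException("QueryInformationJobObject: " + Native.getLastError());
            }
            limits.read();
            limits.ActiveProcessLimit = 1;
            limits.LimitFlags = limitActiveProcess;
            limits.write();
            if (!kernel32.SetInformationJobObject(job, basicLimitInformationClass, limits.getPointer(), limits.size())) {
                throw new UnsupportedOperationException("SetInformationJobObject: " + Native.getLastError());
            }
            if (!kernel32.AssignProcessToJobObject(job, kernel32.GetCurrentProcess())) {
                throw new UnsupportedOperationException("AssignProcessToJobObject: " + Native.getLastError());
            }
            logger.debug("Windows ActiveProcessLimit initialization successful");
        } finally {
            kernel32.CloseHandle(job);
        }
    }

    /**
     * Installs the process-creation restriction for the current operating system.
     *
     * <p>Marked by the decompiler as package-private in the original class.
     *
     * @param path directory for temporary files; only used on OS X
     * @return on Linux the result of the filter installation (1 when it covers all threads, 0 when
     *     the fallback was used); 1 on every other supported platform
     * @throws UnsupportedOperationException if the OS is unsupported or the restriction could not
     *     be installed
     * @throws Throwable as declared in the decompiled signature; the visible body raises
     *     {@code IOException} (OS X temporary file) and unchecked exceptions
     */
    public static int init(Path path) throws Throwable {
        if (Constants.LINUX) {
            return linuxImpl();
        }
        if (Constants.MAC_OS_X) {
            // Two independent layers on OS X: the process limit first, then the seatbelt profile.
            bsdImpl();
            macImpl(path);
            return 1;
        }
        if (Constants.SUN_OS) {
            solarisImpl();
            return 1;
        }
        if (Constants.FREE_BSD || OPENBSD) {
            bsdImpl();
            return 1;
        }
        if (!Constants.WINDOWS) {
            throw new UnsupportedOperationException("syscall filtering not supported for OS: '" + Constants.OS_NAME + "'");
        }
        windowsImpl();
        return 1;
    }

    static {
        // Each native binding is linked only on its own OS. A link failure is logged and leaves
        // the binding null, which the matching *Impl method turns into an
        // UnsupportedOperationException.
        LinuxLibrary linux = null;
        if (Constants.LINUX) {
            try {
                linux = (LinuxLibrary) Native.loadLibrary("c", LinuxLibrary.class);
            } catch (UnsatisfiedLinkError e) {
                logger.warn("unable to link C library. native methods (seccomp) will be disabled.", e);
            }
        }
        linux_libc = linux;

        // Arch(audit, limit, fork, vfork, execve, execveat, seccomp).
        // amd64: the limit 0x3FFFFFFF keeps syscall numbers with bit 30 set (the x32 range) out.
        // i386: the limit 0xFFFFFFFF means the "above limit" test never fires.
        Map<String, Arch> archs = new HashMap<>();
        archs.put("amd64", new Arch(0xC000003E, 0x3FFFFFFF, 57, 58, 59, 322, 317));
        archs.put("i386", new Arch(0x40000003, 0xFFFFFFFF, 2, 190, 11, 358, 354));
        ARCHITECTURES = Collections.unmodifiableMap(archs);

        MacLibrary mac = null;
        if (Constants.MAC_OS_X) {
            try {
                mac = (MacLibrary) Native.loadLibrary("c", MacLibrary.class);
            } catch (UnsatisfiedLinkError e) {
                logger.warn("unable to link C library. native methods (seatbelt) will be disabled.", e);
            }
        }
        libc_mac = mac;

        SolarisLibrary solaris = null;
        if (Constants.SUN_OS) {
            try {
                solaris = (SolarisLibrary) Native.loadLibrary("c", SolarisLibrary.class);
            } catch (UnsatisfiedLinkError e) {
                logger.warn("unable to link C library. native methods (priv_set) will be disabled.", e);
            }
        }
        libc_solaris = solaris;

        PRIV_ALLSETS = null;
        OPENBSD = Constants.OS_NAME.startsWith("OpenBSD");
    }
}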
