package org.elasticsearch.nativeaccess;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.Map;
import org.elasticsearch.logging.Logger;
import org.elasticsearch.nativeaccess.NativeAccess;
import org.elasticsearch.nativeaccess.lib.LinuxCLibrary;
import org.elasticsearch.nativeaccess.lib.NativeLibraryProvider;
import org.elasticsearch.nativeaccess.lib.PosixCLibrary;

/* loaded from: input_file:org/elasticsearch/nativeaccess/LinuxNativeAccess.class */
/**
 * Linux implementation of the native-access layer: file preallocation via
 * {@code fallocate}, the thread-limit lookup, optional systemd notify-socket
 * setup, and installation of a seccomp-BPF filter that denies process creation
 * and exec ({@link #tryInstallExecSandbox()}).
 *
 * <p>NOTE(review): this listing is decompiler output (see the JADX markers). Named
 * constants have been folded to literals, and in a few places the decompiler printed
 * an unrelated constant that merely shares the numeric value (for example
 * {@code PR_GET_SECCOMP} where a BPF opcode of 21 is meant). Treat the names inside
 * expressions with suspicion and read the numeric values; the comments below decode them.
 * The class is not compilable as printed ({@code extends Record}, {@code Logger logger = logger}).
 *
 * <p>{@code logger}, {@code libc}, {@code execSandboxState}, {@code newBuffer} and
 * {@code getRLimit} are not declared here; presumably they are inherited from
 * {@code PosixNativeAccess} or one of its supertypes.
 */
class LinuxNativeAccess extends PosixNativeAccess {
    // 1024 == 0x400. Not referenced anywhere in this listing.
    private static final int STATX_BLOCKS = 1024;

    // seccomp(2) operation and flag. TSYNC asks the kernel to apply the filter to every
    // thread of the process rather than only the calling one.
    static final int SECCOMP_SET_MODE_FILTER = 1;
    static final int SECCOMP_FILTER_FLAG_TSYNC = 1;

    // prctl(2) option numbers.
    static final int PR_GET_NO_NEW_PRIVS = 39;
    static final int PR_SET_NO_NEW_PRIVS = 38;
    static final int PR_GET_SECCOMP = 21;
    static final int PR_SET_SECCOMP = 22;
    // Value reported by PR_GET_SECCOMP / passed to PR_SET_SECCOMP for filter mode.
    static final long SECCOMP_MODE_FILTER = 2;

    // Classic BPF opcode components. They are OR-ed/added together to form an instruction
    // code: BPF_LD + BPF_W + BPF_ABS == 32, BPF_JMP + BPF_JEQ + BPF_K == 21,
    // BPF_JMP + BPF_JGT + BPF_K == 37, BPF_RET + BPF_K == 6. Those sums are what appear
    // as literals (or as mislabelled names) in tryInstallExecSandbox().
    static final int BPF_LD = 0;
    static final int BPF_W = 0;
    static final int BPF_ABS = 32;
    static final int BPF_JMP = 5;
    static final int BPF_JEQ = 16;
    static final int BPF_JGE = 48;
    static final int BPF_JGT = 32;
    static final int BPF_RET = 6;
    static final int BPF_K = 0;

    // seccomp filter return values: 327680 == 0x00050000 (fail the syscall with the errno
    // carried in the low 16 bits), 65535 == 0xFFFF (mask for those bits),
    // 2147418112 == 0x7FFF0000 (allow the syscall).
    static final int SECCOMP_RET_ERRNO = 327680;
    static final int SECCOMP_RET_DATA = 65535;
    static final int SECCOMP_RET_ALLOW = 2147418112;

    // errno values. tryInstallExecSandbox() compares against the folded literals
    // 22 (EINVAL) and 38 (ENOSYS) rather than these names.
    static final int EACCES = 13;
    static final int EFAULT = 14;
    static final int EINVAL = 22;
    static final int ENOSYS = 38;

    // Byte offsets of the syscall number and the audit architecture inside struct seccomp_data.
    static final int SECCOMP_DATA_NR_OFFSET = 0;
    static final int SECCOMP_DATA_ARCH_OFFSET = 4;

    // Per-architecture table keyed by the "os.arch" system property. Argument order is
    // (audit, limit, fork, vfork, execve, execveat, seccomp), see the Arch constructor.
    //   amd64:   audit -1073741762 == 0xC000003E, limit 1073741823 == 0x3FFFFFFF
    //   aarch64: audit -1073741641 == 0xC00000B7, limit -1 == 0xFFFFFFFF
    // Any architecture not listed here makes tryInstallExecSandbox() throw, so no filter
    // is installed there.
    private static final Map<String, Arch> ARCHITECTURES = Map.of("amd64", new Arch(-1073741762, 1073741823, 57, 58, 59, 322, 317), "aarch64", new Arch(-1073741641, -1, 1079, 1071, 221, 281, 277));
    private final LinuxCLibrary linuxLibc;
    // null when NOTIFY_SOCKET is not set in the environment (see constructor).
    private final Systemd systemd;

    /**
     * Architecture-specific numbers used to build the seccomp filter: the audit
     * architecture id, the highest syscall number accepted, the syscall numbers to deny
     * (fork, vfork, execve, execveat) and the number of the seccomp syscall itself.
     *
     * <p>NOTE(review): this is the decompiled shape of a Java record. The explicit
     * {@code extends Record} and the {@code ObjectMethods.bootstrap(...)} calls are how the
     * decompiler renders the compiler-generated members; they are not valid hand-written source.
     */
    /* loaded from: input_file:org/elasticsearch/nativeaccess/LinuxNativeAccess$Arch.class */
    static final class Arch extends Record {
        private final int audit;
        private final int limit;
        private final int fork;
        private final int vfork;
        private final int execve;
        private final int execveat;
        private final int seccomp;

        // Canonical constructor: plain field assignment, no validation.
        Arch(int i, int i2, int i3, int i4, int i5, int i6, int i7) {
            this.audit = i;
            this.limit = i2;
            this.fork = i3;
            this.vfork = i4;
            this.execve = i5;
            this.execveat = i6;
            this.seccomp = i7;
        }

        // Record-generated toString over all seven components.
        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, Arch.class), Arch.class, "audit;limit;fork;vfork;execve;execveat;seccomp", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->audit:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->limit:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->fork:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->vfork:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->execve:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->execveat:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->seccomp:I").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Record-generated hashCode over all seven components.
        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, Arch.class), Arch.class, "audit;limit;fork;vfork;execve;execveat;seccomp", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->audit:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->limit:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->fork:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->vfork:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->execve:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->execveat:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->seccomp:I").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        // Record-generated equals over all seven components.
        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, Arch.class, Object.class), Arch.class, "audit;limit;fork;vfork;execve;execveat;seccomp", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->audit:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->limit:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->fork:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->vfork:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->execve:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->execveat:I", "FIELD:Lorg/elasticsearch/nativeaccess/LinuxNativeAccess$Arch;->seccomp:I").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        /** Audit architecture id the filter requires in seccomp_data.arch. */
        public int audit() {
            return this.audit;
        }

        /** Upper bound on the syscall number; larger numbers are denied by the filter. */
        public int limit() {
            return this.limit;
        }

        /** Syscall number of fork on this architecture. */
        public int fork() {
            return this.fork;
        }

        /** Syscall number of vfork on this architecture. */
        public int vfork() {
            return this.vfork;
        }

        /** Syscall number of execve on this architecture. */
        public int execve() {
            return this.execve;
        }

        /** Syscall number of execveat on this architecture. */
        public int execveat() {
            return this.execveat;
        }

        /** Syscall number of seccomp on this architecture. */
        public int seccomp() {
            return this.seccomp;
        }
    }

    /**
     * Builds a non-branching BPF instruction.
     *
     * @param i  instruction code, narrowed to {@code short}
     * @param i2 the instruction's operand, passed as the last constructor argument
     * @return a SockFilter with both jump offsets set to 0
     */
    // assumes SockFilter's argument order is (code, jt, jf, k) as in struct sock_filter -- TODO confirm
    static LinuxCLibrary.SockFilter BPF_STMT(int i, int i2) {
        return new LinuxCLibrary.SockFilter((short) i, (byte) 0, (byte) 0, i2);
    }

    /**
     * Builds a conditional-jump BPF instruction.
     *
     * @param i  instruction code, narrowed to {@code short}
     * @param i2 value compared against the accumulator
     * @param i3 instructions to skip when the comparison is true, narrowed to {@code byte}
     * @param i4 instructions to skip when the comparison is false, narrowed to {@code byte}
     * @return the assembled SockFilter
     */
    // Note the reordering: the operand (i2) goes last, after the two jump offsets.
    static LinuxCLibrary.SockFilter BPF_JUMP(int i, int i2, int i3, int i4) {
        return new LinuxCLibrary.SockFilter((short) i, (byte) i3, (byte) i4, i2);
    }

    /**
     * Resolves the Linux C library binding and, when the {@code NOTIFY_SOCKET} environment
     * variable is set, prepares a {@code Systemd} helper for that socket path.
     *
     * @param nativeLibraryProvider source of the native library bindings
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public LinuxNativeAccess(NativeLibraryProvider nativeLibraryProvider) {
        // NOTE(review): BPF_JGE below is a decompiler mislabel for the literal 48; the
        // meaning of each PosixConstants position is defined elsewhere and has nothing
        // to do with BPF. Confirm against PosixConstants before relying on any of them.
        super("Linux", nativeLibraryProvider, new PosixConstants(-1L, 9, 1, 8, 64, 144, BPF_JGE, 64));
        this.linuxLibc = (LinuxCLibrary) nativeLibraryProvider.getLibrary(LinuxCLibrary.class);
        // NOTIFY_SOCKET comes from the process environment and is used as given; it is
        // also written to the debug log.
        String str = System.getenv("NOTIFY_SOCKET");
        if (str == null) {
            this.systemd = null;
        } else {
            logger.debug("Systemd socket path: {}", new Object[]{str});
            this.systemd = new Systemd((PosixCLibrary) nativeLibraryProvider.getLibrary(PosixCLibrary.class), str, newBuffer(64));
        }
    }

    /**
     * Returns the thread limit for this process.
     *
     * @return the value of {@code getRLimit} for resource 6, which is RLIMIT_NPROC on Linux
     */
    @Override // org.elasticsearch.nativeaccess.PosixNativeAccess
    protected long getMaxThreads() {
        return getRLimit(6, "max number of threads");
    }

    /**
     * Returns the systemd helper.
     *
     * @return the helper created in the constructor, or {@code null} when
     *     {@code NOTIFY_SOCKET} was not set
     */
    @Override // org.elasticsearch.nativeaccess.AbstractNativeAccess, org.elasticsearch.nativeaccess.NativeAccess
    public Systemd systemd() {
        return this.systemd;
    }

    /**
     * Logs, at WARN, example {@code /etc/security/limits.conf} entries for the current
     * {@code user.name} and a reminder that a re-login is needed for them to apply.
     */
    @Override // org.elasticsearch.nativeaccess.PosixNativeAccess
    protected void logMemoryLimitInstructions() {
        String property = System.getProperty("user.name");
        logger.warn("These can be adjusted by modifying /etc/security/limits.conf, for example:\n\t# allow user '{}' mlockall\n\t{} soft memlock unlimited\n\t{} hard memlock unlimited", new Object[]{property, property, property});
        logger.warn("If you are logged in interactively, you will have to re-login for the new limits to take effect.");
    }

    /**
     * Preallocates file space with {@code fallocate}.
     *
     * @param i  file descriptor
     * @param j  start offset passed to fallocate
     * @param j2 end offset; the length passed is {@code j2 - j}
     * @return {@code true} when fallocate returned 0; {@code false} after logging the
     *     errno text at WARN
     */
    // assumes LinuxCLibrary.fallocate mirrors fallocate(2): (fd, mode, offset, len) -- TODO confirm.
    // No check that j2 >= j is made here; a negative length is left for the callee to reject.
    @Override // org.elasticsearch.nativeaccess.PosixNativeAccess
    protected boolean nativePreallocate(int i, long j, long j2) {
        if (this.linuxLibc.fallocate(i, 0, j, j2 - j) == 0) {
            return true;
        }
        logger.warn("fallocate failed: " + this.libc.strerror(this.libc.errno()));
        return false;
    }

    /**
     * Installs a seccomp-BPF filter that makes fork, vfork, execve and execveat fail with
     * EACCES, and records in {@code execSandboxState} how widely it was applied.
     *
     * <p>Sequence, as visible below:
     * <ol>
     *   <li>Look up the {@code os.arch} entry in {@code ARCHITECTURES}.</li>
     *   <li>Probe the kernel with three deliberately invalid calls (bogus seccomp operation,
     *       bogus seccomp flag, bogus prctl option). Each must return -1 with errno
     *       EINVAL (22) or ENOSYS (38); any other outcome aborts.</li>
     *   <li>Query PR_GET_NO_NEW_PRIVS (must be 0 or 1) and PR_GET_SECCOMP (must be 0 or 2).</li>
     *   <li>Call PR_SET_SECCOMP in filter mode with a null filter; EFAULT means filter mode
     *       is supported, EINVAL means it is not compiled in.</li>
     *   <li>Set and re-read no_new_privs.</li>
     *   <li>Install the filter with seccomp(SECCOMP_SET_MODE_FILTER, TSYNC); if that fails,
     *       fall back to prctl(PR_SET_SECCOMP).</li>
     *   <li>Re-read PR_GET_SECCOMP and require filter mode (2).</li>
     * </ol>
     *
     * <p>The filter denies any syscall whose audit architecture differs from the expected one
     * and any syscall number above {@code arch.limit}, in addition to the four named
     * syscalls. Everything else is allowed. The order of the calls and of the
     * {@code errno} reads matters; do not reorder.
     *
     * @throws UnsupportedOperationException if the architecture is not in the table, a probe
     *     behaves unexpectedly, or any installation or verification step fails
     */
    @Override // org.elasticsearch.nativeaccess.NativeAccess
    public void tryInstallExecSandbox() {
        String property = System.getProperty("os.arch");
        Arch arch = ARCHITECTURES.get(property);
        if (arch == null) {
            throw new UnsupportedOperationException("seccomp unavailable: '" + property + "' architecture unsupported");
        }
        // -140219812 == 0xF7A46A5C, an arbitrary invalid value used for all three probes.
        // Probe 1: seccomp(BOGUS_OPERATION). Success here would mean the syscall number
        // does not map to seccomp as expected, so it is treated as "unavailable".
        long syscall = this.linuxLibc.syscall(arch.seccomp, -140219812, 0, 0L);
        if (syscall != -1) {
            throw new UnsupportedOperationException("seccomp unavailable: seccomp(BOGUS_OPERATION) returned " + syscall);
        }
        int errno = this.libc.errno();
        switch (errno) {
            case 22: // EINVAL
            case 38: // ENOSYS
                // Probe 2: seccomp(SECCOMP_SET_MODE_FILTER, BOGUS_FLAG).
                long syscall2 = this.linuxLibc.syscall(arch.seccomp, 1, -140219812, 0L);
                if (syscall2 != -1) {
                    throw new UnsupportedOperationException("seccomp unavailable: seccomp(SECCOMP_SET_MODE_FILTER, BOGUS_FLAG) returned " + syscall2);
                }
                int errno2 = this.libc.errno();
                switch (errno2) {
                    case 22: // EINVAL
                    case 38: // ENOSYS
                        // Probe 3: prctl(BOGUS_OPTION).
                        long prctl = this.linuxLibc.prctl(-140219812, 0L, 0L, 0L, 0L);
                        if (prctl != -1) {
                            throw new UnsupportedOperationException("seccomp unavailable: prctl(BOGUS_OPTION) returned " + prctl);
                        }
                        int errno3 = this.libc.errno();
                        switch (errno3) {
                            case 22: // EINVAL
                            case 38: // ENOSYS
                                // no_new_privs must be readable: 0 (unset) or 1 (set).
                                switch (this.linuxLibc.prctl(PR_GET_NO_NEW_PRIVS, 0L, 0L, 0L, 0L)) {
                                    case 0:
                                    case 1:
                                        // Current seccomp mode: 0 (disabled) or 2 (filter) are acceptable.
                                        switch (this.linuxLibc.prctl(PR_GET_SECCOMP, 0L, 0L, 0L, 0L)) {
                                            case 0:
                                            case 2:
                                                // 22 == PR_SET_SECCOMP. The filter pointer is null on purpose:
                                                // a kernel with filter support is expected to reject it with EFAULT.
                                                if (this.linuxLibc.prctl(22, SECCOMP_MODE_FILTER, 0L, 0L, 0L) != 0) {
                                                    int errno4 = this.libc.errno();
                                                    switch (errno4) {
                                                        case EFAULT /* 14 */:
                                                            break;
                                                        case 22: // EINVAL
                                                            throw new UnsupportedOperationException("seccomp unavailable: CONFIG_SECCOMP_FILTER not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed");
                                                        default:
                                                            throw new UnsupportedOperationException("prctl(PR_SET_SECCOMP): " + this.libc.strerror(errno4));
                                                    }
                                                }
                                                // 38 == PR_SET_NO_NEW_PRIVS. Set before installing the filter.
                                                if (this.linuxLibc.prctl(38, 1L, 0L, 0L, 0L) != 0) {
                                                    throw new UnsupportedOperationException("prctl(PR_SET_NO_NEW_PRIVS): " + this.libc.strerror(this.libc.errno()));
                                                }
                                                // Read back rather than trusting the return code of the set call.
                                                // NOTE(review): if this returns a value other than 1 without failing,
                                                // errno may be stale and the strerror text unrelated -- confirm.
                                                if (this.linuxLibc.prctl(PR_GET_NO_NEW_PRIVS, 0L, 0L, 0L, 0L) != 1) {
                                                    throw new UnsupportedOperationException("seccomp filter did not really succeed: prctl(PR_GET_NO_NEW_PRIVS): " + this.libc.strerror(this.libc.errno()));
                                                }
                                                // The filter program, ten instructions (index: meaning). PR_GET_SECCOMP in
                                                // the BPF_JUMP calls is a decompiler mislabel for 21 == BPF_JMP+BPF_JEQ+BPF_K;
                                                // 32 == BPF_LD+BPF_W+BPF_ABS, 37 == BPF_JMP+BPF_JGT+BPF_K, 6 == BPF_RET+BPF_K.
                                                //   0: load seccomp_data.arch (offset 4)
                                                //   1: if arch != arch.audit      -> skip 7 -> 9 (deny)
                                                //   2: load seccomp_data.nr (offset 0)
                                                //   3: if nr > arch.limit         -> skip 5 -> 9 (deny)
                                                //   4: if nr == arch.fork         -> skip 4 -> 9 (deny)
                                                //   5: if nr == arch.vfork        -> skip 3 -> 9 (deny)
                                                //   6: if nr == arch.execve       -> skip 2 -> 9 (deny)
                                                //   7: if nr == arch.execveat     -> skip 1 -> 9 (deny)
                                                //   8: return SECCOMP_RET_ALLOW
                                                //   9: return 327693 == SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)
                                                // Classic BPF comparisons are unsigned, so the aarch64 limit of -1
                                                // (0xFFFFFFFF) means instruction 3 never denies on that architecture.
                                                // The jump offsets depend on the instruction count; adding or removing
                                                // an instruction requires recomputing all of them.
                                                LinuxCLibrary.SockFProg newSockFProg = this.linuxLibc.newSockFProg(new LinuxCLibrary.SockFilter[]{BPF_STMT(32, 4), BPF_JUMP(PR_GET_SECCOMP, arch.audit, 0, 7), BPF_STMT(32, 0), BPF_JUMP(37, arch.limit, 5, 0), BPF_JUMP(PR_GET_SECCOMP, arch.fork, 4, 0), BPF_JUMP(PR_GET_SECCOMP, arch.vfork, 3, 0), BPF_JUMP(PR_GET_SECCOMP, arch.execve, 2, 0), BPF_JUMP(PR_GET_SECCOMP, arch.execveat, 1, 0), BPF_STMT(6, SECCOMP_RET_ALLOW), BPF_STMT(6, 327693)});
                                                // z tracks whether the TSYNC install (all threads) succeeded.
                                                boolean z = true;
                                                // seccomp(SECCOMP_SET_MODE_FILTER == 1, SECCOMP_FILTER_FLAG_TSYNC == 1, prog).
                                                if (this.linuxLibc.syscall(arch.seccomp, 1, 1, newSockFProg.address()) != 0) {
                                                    z = false;
                                                    // Capture errno now; the fallback prctl below overwrites it.
                                                    int errno5 = this.libc.errno();
                                                    if (logger.isDebugEnabled()) {
                                                        logger.debug("seccomp(SECCOMP_SET_MODE_FILTER): {}, falling back to prctl(PR_SET_SECCOMP)...", new Object[]{this.libc.strerror(errno5)});
                                                    }
                                                    // Fallback: prctl(PR_SET_SECCOMP == 22) has no TSYNC flag, so the
                                                    // filter is attached from the calling thread only. Threads that
                                                    // already exist are presumably not covered -- confirm against the
                                                    // ExecSandboxState documentation.
                                                    if (this.linuxLibc.prctl(22, SECCOMP_MODE_FILTER, newSockFProg.address(), 0L, 0L) != 0) {
                                                        throw new UnsupportedOperationException("seccomp(SECCOMP_SET_MODE_FILTER): " + this.libc.strerror(errno5) + ", prctl(PR_SET_SECCOMP): " + this.libc.strerror(this.libc.errno()));
                                                    }
                                                }
                                                // Final verification: the thread must now report filter mode (2).
                                                // NOTE(review): as above, errno may be stale when the call itself succeeds.
                                                if (this.linuxLibc.prctl(PR_GET_SECCOMP, 0L, 0L, 0L, 0L) != 2) {
                                                    throw new UnsupportedOperationException("seccomp filter installation did not really succeed. seccomp(PR_GET_SECCOMP): " + this.libc.strerror(this.libc.errno()));
                                                }
                                                // NOTE(review): decompiler artifact. This local shadows the logger used
                                                // everywhere else in the class and initialises itself from itself, which
                                                // javac rejects; presumably the original called the shared logger directly.
                                                Logger logger = logger;
                                                Object[] objArr = new Object[1];
                                                objArr[0] = z ? "all" : "app";
                                                logger.debug("Linux seccomp filter installation successful, threads: [{}]", objArr);
                                                // Callers can use this state to tell a process-wide install from the
                                                // narrower fallback.
                                                this.execSandboxState = z ? NativeAccess.ExecSandboxState.ALL_THREADS : NativeAccess.ExecSandboxState.EXISTING_THREADS;
                                                return;
                                            default:
                                                // PR_GET_SECCOMP returned something other than 0 or 2.
                                                int errno6 = this.libc.errno();
                                                if (errno6 != 22) {
                                                    throw new UnsupportedOperationException("prctl(PR_GET_SECCOMP): " + this.libc.strerror(errno6));
                                                }
                                                throw new UnsupportedOperationException("seccomp unavailable: CONFIG_SECCOMP not compiled into kernel, CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER are needed");
                                        }
                                    default:
                                        // PR_GET_NO_NEW_PRIVS returned something other than 0 or 1.
                                        int errno7 = this.libc.errno();
                                        if (errno7 != 22) {
                                            throw new UnsupportedOperationException("prctl(PR_GET_NO_NEW_PRIVS): " + this.libc.strerror(errno7));
                                        }
                                        throw new UnsupportedOperationException("seccomp unavailable: requires kernel 3.5+ with CONFIG_SECCOMP and CONFIG_SECCOMP_FILTER compiled in");
                                }
                            default:
                                throw new UnsupportedOperationException("prctl(BOGUS_OPTION): " + this.libc.strerror(errno3));
                        }
                    default:
                        throw new UnsupportedOperationException("seccomp(SECCOMP_SET_MODE_FILTER, BOGUS_FLAG): " + this.libc.strerror(errno2));
                }
            default:
                throw new UnsupportedOperationException("seccomp(BOGUS_OPERATION): " + this.libc.strerror(errno));
        }
    }
}
