Right now the project doesn't work on Darwin and since I already have a
hard time even supporting various GNU/Linux distributions, it doesn't
make sense to have the constant "OMG, OS X builds are failing!" noise
around if the fixup is not going to happen anytime soon.

Signed-off-by: aszlig <aszlig@nix.build>

Since all the Nix expressions are only for building and testing, we
don't need them to be part of the source store path.

So what we do now is explicitly whitelisting all we need to build the
source and run the tests and blacklisting tests/vm, so that whenever we
change any of the Nix expressions that are not directly tied to the
source build, we shouldn't get a rebuild.

Signed-off-by: aszlig <aszlig@nix.build>

So far the GitHub Action workflow only used the basic unit tests but
didn't run the full integration test suite. The reason for that is that
the Meson build file disables integration tests if pytest could not be
found.

Signed-off-by: aszlig <aszlig@nix.build>

The gensyms script returns a linker script like this one for the now
__ip2unix__ symbol introduced in 8e10ef2:

  $ python3 scripts/gensyms.py src/preload.cc
  {
    global: "__ip2unix__)(void"; "socket"; ...
    local: *;
  };

Adding the ")(void" clearly is not what we intended and so we need to
decrease greediness of the regex matching the symbols.

Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @etam
Fixes: #10

Regression introduced by 8e10ef2.

On NixOS we build with -fPIC by default and link all executables with
the -pie option (one of the reasons is that it is needed to make ASLR
work). We also built ip2unix with -fPIC until the commit mentioned
above, which accidentally removed it.

I didn't test this on any other distribution, so I didn't notice this
when releasing version 2.1.2.

Unfortunately, I don't even have another distribution at my disposal,
but to make sure we don't accidentally run into this, I added another
test case which builds and runs tests with all hardening flags disabled.

Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @etam
Fixes: #11

Some services, particularily the rsession command from RStudio and
possibly a few others use epoll_ctl() for adding the file descriptor of
the socket before actually binding the socket.

Since we need sockaddr information from the bind syscall to be able to
decide whether we need to transform the socket into a Unix domain socket
or not, we have to handle epoll_ctl alongside other socket operations
since once we replace the socket the file descriptor added via epoll_ctl
is no longer valid.

Right now the way we replay epoll_ctl() calls is somewhat dumb, so for
example if the program is doing EPOLL_CTL_ADD, followed by
EPOLL_CTL_MOD, we essentially repeat the same chain even though we could
just shrink it down to one EPOLL_CTL_ADD.

Nevertheless, since epoll_ctl usually is only used once per socket, this
shouldn't be an issue.

Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @riedel
Fixes: #6

This one was a leftover from 8e10ef2,
where I introduced it as a development artifact I forgot to clean up.

Signed-off-by: aszlig <aszlig@nix.build>

When introducing replay of epoll_ctl calls, I only implemented a very
minimal test case. However since the problem seemed to persist according
to the bug reporter, I decided to implement a small test case that is
closer to the reporter's actual use case.

Unfortunately (or fortunately?), the test case succeeds on our part, so
we need to debug a bit more and/or improve the test case on our side.

Signed-off-by: aszlig <aszlig@nix.build>

Regression introduced by 0789c18.

The commit in question moved the systemd handling into its dedicated
file and the Meson restructuring accidentally moved the --version-script
argument from ldflags to cflags.

This unfortunately means that since this commit (and thus version 1.1.0)
we're exporting too many symbols.

To make sure this doesn't happen again in the future, I added a small
check to the installCheckPhase of the main derivation, which checks the
expected exported symbols against the ones actually being exported.

Signed-off-by: aszlig <aszlig@nix.build>

Right now, some dependencies needed for the i686-linux build are broken,
so while we could just pin nixpkgs to a working version, it's not really
worth the effort since those program tests are just more heavyweight
tests of tests we already have in our pytest-based suite.

Signed-off-by: aszlig <aszlig@nix.build>

While normal AsciiDoc (and even Asciidoctor) correctly renders the
anchors for the corresponding section when just using <<Section>>, the
GitHub renderer for some reason does not.

Giving an additional reference however fixes this for both AsciiDoc and
GitHub.

Signed-off-by: aszlig <aszlig@nix.build>

We only allow to match slashes outside of character classes, because we
want to adhere to POSIX glob(7) as much as possible.

From the glob(7) manpage:

  Globbing is applied on each of the components of a pathname
  separately. A '/' in a pathname cannot be matched by a '?' or '*'
  wildcard, or by a range like "[.-0]". A range containing an explicit
  '/' character is syntactically incorrect. (POSIX requires that
  syntactically incorrect patterns are left unchanged.)

So essentially when we're scanning the pattern for slashes we no longer
need to take special care about character classes, since they're matched
verbatim.

Additionally, whenever we hit a slash in a character class, we now
immediately mark it as invalid and use literal matching.

Signed-off-by: aszlig <aszlig@nix.build>

When compiling with address sanitiser enabled, we get the following
error during tests:

  ERROR: AddressSanitizer: stack-buffer-overflow on address
                           0x7fffffff61a0 at pc 0x00000041dd5d bp
                           0x7fffffff43f0 sp 0x7fffffff43e8
  READ of size 1 at 0x7fffffff61a0 thread T0
    #0 0x41dd5c in GlobPath::match_cclass(unsigned long*, char const&) ../src/globpath.cc:73
    #1 0x41f0d4 in GlobPath::match() ../src/globpath.cc:237
    #2 0x41f562 in globpath(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&,
                            std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ../src/globpath.cc:298
    #3 0x40e20c in main ../tests/unit/globpath.cc:24
    #4 0x7ffff720ad8a in __libc_start_main (/nix/store/bwzra330vib0ik4d3l8rq6gp6y2ah1fr-glibc-2.30/lib/libc.so.6+0x23d8a)
    #5 0x41ce79 in _start (/build/source/build/tests/unit/test_globpath+0x41ce79)

The reported issue (#15) has a similar output via Valgrind, but both
boil down to the same problem:

If the end square bracket ("]") is missing for a character class
pattern, the loop doesn't check whether we're overflowing the
std::string_view.

I've fixed this by adding a check which immediately discards the
character class as invalid whenever we hit the end of the pattern.

Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @etam
Fixes: #15

While not all of these tests are run with full integration tests, we at
least run as much as possible to catch errors such as the one we have
fixed earlier in globpath.

Unfortunately, -fsanitize=address and -fsanitize=thread need to have a
shared library loaded first, but since the meat of our project is a
library to be put in LD_PRELOAD, we're competing with lib[at]san.

Ideally, we'd have some code in our main executable which is able to
detect lib[at]san and then makes sure that the runtime loading behaviour
of the dynamic linker is done properly.

For now however, this is better than having nothing at all.

Signed-off-by: aszlig <aszlig@nix.build>

Version 2.1.2 has introduced a few issues which particularly
surface on non-NixOS systems:

  * The linker script generator has produced bogus output and the linker
    script didn't actually get passed to the linker.
  * Building with -fPIC was accidentally dropped in version 2.1.2.

Both issues were submitted by @etam, who also tested the fixes and
confirmed that they're working on non-NixOS systems. Thanks!

According to the upstream wiki[1], thread sanitizer is not supported on
i686-linux:

> TSan is supported on:
>
>   Linux: x86_64, mips64 (40-bit VMA), aarch64 (39/42-bit VMA),
>          powerpc64 (44/46/47-bit VMA)
>   Mac: x86_64, aarch64 (39-bit VMA)
>   FreeBSD: x86_64
>   NetBSD: x86_64

[1]: https://github.com/google/sanitizers/wiki/ThreadSanitizerCppManual#supported-platforms

Signed-off-by: aszlig <aszlig@nix.build>

I already stumbled on this a while ago[1] but instead of fixing it, I
just disabled epoll for the time being, in the hopes that I would fix it
eventually[TM].

Fortunately, @riedel had the same issue (#6) and while epoll_ctl is only
solving @riedel's issue partially, it's a requisite so I decided to
implement handling for epoll_ctl.

The program in question that uses epoll_ctl is rsession and the reason
why ip2unix could not cope with it so far was because epoll_ctl was
called *between* creating the initial socket and our replacement of said
socket.

This adds support for replaying epoll_ctl calls in the same way as we do
for socket options and ioctls.

In addition to adding a test case which specifically tests rsession, I
also went through the strace output from @riedel and it confirms that
replaying of epoll_ctl calls is working:

  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6
  epoll_ctl(4, EPOLL_CTL_ADD, 6, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP|EPOLLET, {u32=3395039680, u64=94153373135296}}) = 0
  ...
  socket(AF_UNIX, SOCK_STREAM, 0)         = 7
  epoll_ctl(4, EPOLL_CTL_ADD, 7, {EPOLLIN|EPOLLPRI|EPOLLERR|EPOLLHUP|EPOLLET, {u32=3395039680, u64=94153373135296}}) = 0
  dup2(7, 6)                              = 6

[1]: https://github.com/aszlig/avonc/blob/4cf4c89e6305c3339cfb0655792572c56ff561fe/osrm/default.nix#L7-L10

We had references to std::string and std::overflow_error without
including the respective header files. These headers are no longer
implicit since GCC 10, so the build fails.

From https://gcc.gnu.org/gcc-10/porting_to.html#header-dep-changes:

> Some C++ Standard Library headers have been changed to no longer
> include the <stdexcept> header. As such, C++ programs that used
> components defined in <stdexcept> or <string> without explicitly
> including the right headers will no longer compile.
>
> Previously components such as std::runtime_error, std::string and
> std::allocator were implicitly defined after including unrelated
> headers such as <array> and <optional>. Correct code should include
> the appropriate headers for the classes being used.

Signed-off-by: aszlig <aszlig@nix.build>

For some reason, we had one occasion, where GCC (even thouh we use the
-Wzero-as-null-pointer-constant flag) didn't warn about the use of NULL
instead of nullptr, while Clang did emit a warning.

All of the other changes are to prevent -Wparentheses warnings and this
is more like a safety/convention warning rather than a real issue:

  warning: using the result of an assignment as a condition without parentheses
  note: place parentheses around the assignment to silence this warning

So let's say you have a condition like this:

  if (foo = somefun()) {
    ...
  }

If one really wanted to mean "foo == somefun()" instead but forgot to
add another equals sign, this could result in the program not behaving
as intended.

What -Wparentheses does is that it forces one to add extra parentheses
around the condition to explicitly state that it's an assignment, like
this:

  if ((foo = somefun())) {
    ...
  }

Despite fixing the Clang errors, ip2unix currently doesn't fully support
building with Clang yet, but that's something landing a future change
near you. :-)

Signed-off-by: aszlig <aszlig@nix.build>

While most of the changes are fixes, there is one controversial change
that might possibly warrant to move to a version 2.2, which is that we
now also wrap epoll_ctl.

However, since semver states that the minor version should be
incremented whenever there is a change in the _public_ API, I still
think that this belongs to a bugfix version, because the user-facing
part is still 100% the same as 2.1.2 and handling the epoll_ctl syscall
internally is something I'd consider a bugfix, since it unbreaks using
ip2unix for software using epoll.

Additionally in comparison to the last version bump in 678c01c,
we're now *actually* incrementing the version, which I forgot and I just
updated the changelog.

Signed-off-by: aszlig <aszlig@nix.build>