Signed-off-by: Simon McVittie <smcv@collabora.com>

This makes the API surface area a lot smaller.

We still need _int_dlopen() because we need a function per shim, with
the API of dlopen(), but with an implementation that knows the capsule
handle for the shim.

Signed-off-by: Simon McVittie <smcv@collabora.com>

We only need to store these once per namespace, not once per capsule
that shares a namespace.

Signed-off-by: Simon McVittie <smcv@collabora.com>

To preallocate data structures during metadata gathering, we need to
know ahead of time which capsules will be sharing a namespace. If we
need more flexibility later, we'll have to change from one
capsule_namespace per prefix to one capsule_namespace per
(prefix, discriminator) tuple, where the discriminator is something
from the metadata that identifies the desired equivalence classes of
libraries.

(In practice it's going to be easier to bind-mount the same prefix
into multiple places.)

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

This enforces the following invariants:

* Capsules and capsule_metadata are related 1:1
* All valid capsules are present in the list
* Only valid capsules are present in the list

Signed-off-by: Simon McVittie <smcv@collabora.com>

It isn't API, so it gets an underscore prefix; and it is the (only)
global list of capsule_metadata structures, so name it to indicate that.

Signed-off-by: Simon McVittie <smcv@collabora.com>

Define a capsule mete-data struct which can be declared globally
per-proxy to allow libcapsule to manage a set of capsules and
merge them into one namespace if they share a /host prefix.

This allows us to have one capsule per proxied library, each
with the correct soname instead of one monolithic blob capsule
which can only have one soname.

Conflicts:
	capsule/capsule-dlmopen.c
	capsule/capsule-init.c
	capsule/capsule-wrappers.c

The base address is a perfectly valid address, which we could
dereference if we wanted to, so it should be a pointer. The start of
the PT_DYNAMIC program header isn't an address (it's relative to base)
so make it a mere integer.

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

This means less code needs to be parachuted into the library using
libcapsule, and less state needs to be held there - which opens the
way for more than one capsule to co-exist in the same link chain.

Conflicts:
	capsule/capsule-dlmopen.c
	capsule/capsule-init.c

Conflicts:
	tests/libtest.sh

This has the advantage that out-of-tree code and in-tree code can
both include the header the same way.

Signed-off-by: Simon McVittie <smcv@collabora.com>

Nobody is ever going to use this library via gobject-introspection
(we hope), but its annotations are as good a pattern as any other
and gtk-doc presents them nicely, so we might as well use them for
documentation.

Signed-off-by: Simon McVittie <smcv@collabora.com>

This is a char *-based version of the usual GError pattern.

Signed-off-by: Simon McVittie <smcv@collabora.com>

*error is to be freed by the caller, but the result of dlerror() is in
static or thread-local storage, so we need to copy it.

Signed-off-by: Simon McVittie <smcv@collabora.com>

The dlsym wrapper needs to cache the implementation of dlsym that's
in the GOT at the point when it (the wrapper) is installed.

Moving the implementation of the wrapper helper to capsule_init's
file so that capsule_init can set some static state to do this for
us.

This is enough to make openarena work.

Signed-off-by: Simon McVittie <smcv@collabora.com>

Signed-off-by: Simon McVittie <smcv@collabora.com>

In addition to wrapping dlopen() inside the capsule we need to
wrap dlsym() outside the capsule in order to allow libraries
that use a dlopen()/dlsym() pattern to work transparently.

capsule_shim_dlsym() bundles most of the standard logic we
expect such wrappers to use.

Not encountered this bug in practice but it is potentially there
and waiting for us.

When munging the ELF data structures from the capsule-export code path
via dl_iterate_phdr, we get the dynamic section size as a callback arg
so we can double-check we haven't ended up outside the memory region
we expect to be working on.

Unfortunately when using link_map traversal to do the same sort of thing
to install wrapper functions inside the capsule we don't have this
information. We were using SIZE_MAX on ELFCLASS64 to pass a "big enough"
size parameter but this calculation does not work on ELFCLASS32.

Rather than go out of our way to produce a bogus-but-big-enough value
we now pass 0 for the size and have the called functions know that they
can't do the double-check if passed a size of 0.

The last entry in the dyn section should have a D_TAG of DT_NULL
anyway so we'll only crash off the end of the dynamic section if
the linker is broken or malicious (which is probably not worth
defending against, all things considered).

The code path that installs wrappers inside the capsule is the same
as the one that scribbles capsule functions out into the rest of the
application - however if we don't want to turn on noisy debug in the
ELF handling paths all the time - so we cheat and turn it on around
the ELF munging call from the wrap function only if DEBUG_WRAPPERS
is already in the flags.