add sandboxing hints

fmt.h

@@ -2,6 +2,8 @@
 #ifndef FMT_H
 #define FMT_H
 
+/* sandboxing note: None of these functions call any syscalls */
+
 /* for size_t: */
 #include <stddef.h>
 /* for uint32_t */

io.h

@@ -18,72 +18,87 @@ extern "C" {
 
 /* like open(s,O_RDONLY) */
 /* return 1 if ok, 0 on error */
+/* sandboxing: open(2) (glibc: openat(2)) */
 att_read(2)
 att_write(1)
 int io_readfile(int64* d,const char* filename);
 
 /* like open(s,O_WRONLY|O_CREAT|O_TRUNC,0600) */
 /* return 1 if ok, 0 on error */
+/* sandboxing: open(2) (glibc: openat(2)) */
 att_read(2)
 att_write(1)
 int io_createfile(int64* d,const char* filename);
 
 /* like open(s,O_RDWR) */
 /* return 1 if ok, 0 on error */
+/* sandboxing: open(2) (glibc: openat(2)) */
 att_read(2)
 att_write(1)
 int io_readwritefile(int64* d,const char* filename);
 
 /* like open(s,O_WRONLY|O_APPEND|O_CREAT,0600) */
 /* return 1 if ok, 0 on error */
+/* sandboxing: open(2) (glibc: openat(2)) */
 att_read(2)
 att_write(1)
 int io_appendfile(int64* d,const char* filename);
 
 /* like pipe(d) */
 /* return 1 if ok, 0 on error */
+/* sandboxing: pipe(2), close(2), mmap(2), munmap(2), linux: epoll_create(2), bsd: kqueue(2), solaris: open(2) on /dev/poll, oldlinux: sigprocmask(2), fcntl(2) */
 att_write(1)
 int io_pipe(int64* d);
 
 /* like socketpair() */
 /* return 1 if ok, 0 on error */
+/* sandboxing: socketpair(2), close(2), mmap(2), munmap(2), linux: epoll_create(2), bsd: kqueue(2), solaris: open(2) /dev/poll, oldlinux: sigprocmask(2), fcntl(2) */
 att_write(1)
 int io_socketpair(int64* d);
 
 /* non-blocking read(), -1 for EAGAIN and -3+errno for other errors */
+/* sandboxing: poll(2), setitimer(2), read(2) */
 att_writen(2, 3)
 int64 io_tryread(int64 d,char* buf,int64 len);
 
 /* blocking read(), with -3 instead of -1 for errors */
+/* sandboxing: poll(2), read(2) */
 att_writen(2, 3)
 int64 io_waitread(int64 d,char* buf,int64 len);
 
 /* non-blocking write(), -1 for EAGAIN and -3+errno for other errors */
+/* sandboxing: poll(2), setitimer(2), write(2) */
 att_readn(2, 3)
 int64 io_trywrite(int64 d,const char* buf,int64 len);
 
 /* blocking write(), with -3 instead of -1 for errors */
+/* sandboxing: poll(2), write(2) */
 att_readn(2, 3)
 int64 io_waitwrite(int64 d,const char* buf,int64 len);
 
 /* modify timeout attribute of file descriptor */
+/* sandboxing: calls no syscalls */
 void io_timeout(int64 d,tai6464 t);
 
 /* like io_tryread but will return -2,errno=ETIMEDOUT if d has a timeout
  * associated and it is passed without input being there */
+/* sandboxing: poll(2), setitimer(2), gettimeofday(2), read(2) */
 att_writen(2, 3)
 int64 io_tryreadtimeout(int64 d,char* buf,int64 len);
 
 /* like io_trywrite but will return -2,errno=ETIMEDOUT if d has a timeout
  * associated and it is passed without being able to write */
+/* sandboxing: poll(2), setitimer(2), gettimeofday(2), write(2) */
 att_readn(2, 3)
 int64 io_trywritetimeout(int64 d,const char* buf,int64 len);
 
+/* sandboxing: linux: epoll_ctl(2), bsd: kevent(2), solaris: write(2), oldlinux: poll(2) */
 void io_wantread(int64 d);
 void io_wantwrite(int64 d);
 void io_dontwantread(int64 d);
 void io_dontwantwrite(int64 d);
 
+/* sandboxing: close(2), linux: epoll_wait(2), linux: epoll_ctl(2), bsd: kevent(2), solaris: ioctl(2), oldlinux: sigwaitinfo(2), oldlinux: sigtimedwait(2), oldlinux: signal(2), realloc(3): mmap/mremap/munmap/brk/brk2, poll(2) */
 void io_wait();
 void io_waituntil(tai6464 t);
 int64 io_waituntil2(int64 milliseconds);
@@ -91,20 +106,25 @@ void io_check();
 
 /* signal that read/accept/whatever returned EAGAIN */
 /* needed for SIGIO and epoll */
+/* sandboxing: linux: epoll_ctl(2), bsd: kevent(2), solaris: write(2), oldlinux: poll(2) */
 void io_eagain(int64 d);  /* do not use, API was a bad idea */
 #define HAVE_EAGAIN_READWRITE
 void io_eagain_read(int64 d);	/* use these ones */
 void io_eagain_write(int64 d);
 
 /* return next descriptor from io_wait that can be read from */
+/* sandboxing: linux: epoll_ctl(2), bsd: kevent(2), solaris: write(2), oldlinux: poll(2) */
 int64 io_canread();
 /* return next descriptor from io_wait that can be written to */
+/* sandboxing: linux: epoll_ctl(2), bsd: kevent(2), solaris: write(2), oldlinux: poll(2) */
 int64 io_canwrite();
 
 /* return next descriptor with expired timeout */
+/* sandboxing: calls no syscalls */
 int64 io_timeouted();
 
 /* is this fd over its timeout? */
+/* sandboxing: calls no syscalls */
 int io_timedout(int64 d);
 
 /* 1 means: have IO_FD_CANWRITE, IO_FD_BLOCK and IO_FD_NONBLOCK,
@@ -117,40 +137,51 @@ enum io_fd_flags {
 };
 
 /* put d on internal data structure, return 1 on success, 0 on error */
+/* sandboxing: fcntl(2), mmap(2), munmap(2), linux: epoll_create(2), bsd: kqueue(2), solaris: open(2) on /dev/poll, oldlinux: sigprocmask(2), fcntl(2) */
 int io_fd(int64 d);		/* use this for sockets before you called connect() or accept() */
 int io_fd_canwrite(int64 d);	/* use this for connected sockets (assumes socket is writable) */
 int io_fd_flags(int64 d,int flags);	/* can be used to tell io_fd to skip one syscall */
 
+/* sandboxing: calls no syscalls */
 att_write(2)
 void io_setcookie(int64 d,void* cookie);
 
+/* sandboxing: calls no syscalls */
 void* io_getcookie(int64 d);
 
 /* put descriptor in non-blocking mode */
+/* sandboxing: fcntl(2) */
 void io_nonblock(int64 d);
 /* put descriptor in blocking mode */
+/* sandboxing: fcntl(2) */
 void io_block(int64 d);
 /* put descriptor in close-on-exec mode */
+/* sandboxing: fcntl(2) */
 void io_closeonexec(int64 d);
 
+/* sandboxing: munmap(2), close(2) */
 void io_close(int64 d);
 
 /* Free the internal data structures from libio.
  * This only makes sense if you run your program in a malloc checker and
  * these produce false alarms.  Your OS will free these automatically on
  * process termination. */
+/* sandboxing: free(3): munmap(2) */
 void io_finishandshutdown(void);
 
 /* send n bytes from file fd starting at offset off to socket s */
 /* return number of bytes written */
+/* sandboxing: sendfile(2), fallback: write(2), fallback: mmap(2), fallback: munmap(2), fallback: lseek(2), fallback: pread(2), fallback: read(2), linux: epoll_ctl(2), bsd: kevent(2), solaris: write(2), oldlinux: poll(2) */
 int64 io_sendfile(int64 s,int64 fd,uint64 off,uint64 n);
 
 /* Pass fd over sock (must be a unix domain socket) to other process.
  * Return 0 if ok, -1 on error, setting errno. */
+/* sandboxing: sendmsg(2) */
 int io_passfd(int64 sock,int64 fd);
 
 /* Receive fd over sock (must be a unix domain socket) from other
  * process.  Return sock if ok, -1 on error, setting errno. */
+/* sandboxing: recvmsg(2) */
 int64 io_receivefd(int64 sock);
 
 int io_starteventloopthread(unsigned int threads);
@@ -168,10 +199,12 @@ int io_queueforwrite(int64 d);
 typedef int64 (*io_write_callback)(int64 s,const void* buf,uint64 n);
 
 /* used internally, but hey, who knows */
+/* sandboxing: write(2), mmap(2), munmap(2), lseek(2), pread(2), read(2), linux: epoll_ctl(2), bsd: kevent(2), solaris: write(2), oldlinux: poll(2) */
 int64 io_mmapwritefile(int64 out,int64 in,uint64 off,uint64 bytes,io_write_callback writecb);
 
 /* only needed for debugging, will print some stats into the buffer to
  * aid in debugging the state machine if a descriptor loops or so */
+/* sandboxing: calls no syscalls */
 unsigned int io_debugstring(int64 s,char* buf,unsigned int bufsize);
 
 #ifdef __MINGW32__

scan.h

@@ -2,6 +2,8 @@
 #ifndef SCAN_H
 #define SCAN_H
 
+/* sandboxing note: None of these functions call any syscalls */
+
 /* for size_t: */
 #include <stddef.h>
 /* for uint32_t: */