feat: classify libc FFI calls into FS/NET/ENV/PROC via POSIX syscall table, add progress reporting and timing to --deep analysis

Author: bordumb

crates/capsec-deep/libc_calls

@@ -0,0 +1,194 @@
+//! POSIX syscall classification table for `libc` foreign function calls.
+//!
+//! Maps common `libc` function names to ambient authority categories.
+//! `libc` is on the driver's skip list, so the syntactic scanner never sees it —
+//! this table is the only way these calls get classified beyond generic FFI.
+
+use std::collections::HashMap;
+use std::sync::LazyLock;
+
+pub struct LibcClassification {
+    pub category: &'static str,
+    pub subcategory: &'static str,
+    pub risk: &'static str,
+}
+
+static LIBC_TABLE: LazyLock<HashMap<&'static str, LibcClassification>> =
+    LazyLock::new(build_table);
+
+pub fn classify_libc_fn(fn_name: &str) -> Option<&'static LibcClassification> {
+    LIBC_TABLE.get(fn_name)
+}
+
+fn build_table() -> HashMap<&'static str, LibcClassification> {
+    let mut m = HashMap::with_capacity(80);
+
+    // ── Filesystem read ──
+    for name in [
+        "open", "open64", "openat", "openat64", "creat", "creat64",
+        "read", "pread", "pread64", "readv",
+        "readlink", "readlinkat",
+        "stat", "stat64", "fstat", "fstat64", "lstat", "lstat64",
+        "fstatat", "fstatat64",
+        "access", "faccessat",
+        "readdir", "readdir_r", "fdopendir", "opendir",
+        "getdents", "getdents64",
+        "realpath",
+    ] {
+        m.insert(name, LibcClassification {
+            category: "Fs",
+            subcategory: "read",
+            risk: "Medium",
+        });
+    }
+
+    // ── Filesystem write ──
+    for name in [
+        "write", "pwrite", "pwrite64", "writev",
+        "unlink", "unlinkat", "remove",
+        "rename", "renameat", "renameat2",
+        "mkdir", "mkdirat", "rmdir",
+        "truncate", "ftruncate", "ftruncate64",
+        "chmod", "fchmod", "fchmodat",
+        "chown", "fchown", "lchown", "fchownat",
+        "link", "linkat", "symlink", "symlinkat",
+        "close", "fsync", "fdatasync",
+    ] {
+        m.insert(name, LibcClassification {
+            category: "Fs",
+            subcategory: "write",
+            risk: "High",
+        });
+    }
+
+    // ── Filesystem memory-mapped I/O ──
+    for name in ["mmap", "mmap64", "munmap", "mprotect", "msync"] {
+        m.insert(name, LibcClassification {
+            category: "Fs",
+            subcategory: "mmap",
+            risk: "High",
+        });
+    }
+
+    // ── Network ──
+    for name in [
+        "socket", "connect", "bind", "listen",
+        "accept", "accept4",
+        "recv", "recvfrom", "recvmsg",
+        "send", "sendto", "sendmsg",
+        "shutdown",
+        "getaddrinfo", "freeaddrinfo", "getnameinfo",
+        "getsockname", "getpeername",
+        "setsockopt", "getsockopt",
+        "poll", "ppoll",
+        "select", "pselect",
+        "epoll_create", "epoll_create1", "epoll_ctl", "epoll_wait", "epoll_pwait",
+        "kqueue", "kevent",
+    ] {
+        m.insert(name, LibcClassification {
+            category: "Net",
+            subcategory: "socket",
+            risk: "High",
+        });
+    }
+
+    // ── Environment read ──
+    for name in ["getenv", "getcwd", "getuid", "geteuid", "getgid", "getegid", "getpid", "getppid"] {
+        m.insert(name, LibcClassification {
+            category: "Env",
+            subcategory: "read",
+            risk: "Medium",
+        });
+    }
+
+    // ── Environment write ──
+    for name in ["setenv", "unsetenv", "putenv", "chdir", "fchdir"] {
+        m.insert(name, LibcClassification {
+            category: "Env",
+            subcategory: "write",
+            risk: "High",
+        });
+    }
+
+    // ── Process ──
+    for name in [
+        "fork", "vfork",
+        "execve", "execvp", "execvpe", "fexecve", "execl", "execlp",
+        "system",
+        "posix_spawn", "posix_spawnp",
+        "kill", "raise",
+        "waitpid", "wait4", "wait",
+        "ptrace",
+        "exit", "_exit",
+    ] {
+        m.insert(name, LibcClassification {
+            category: "Process",
+            subcategory: "spawn",
+            risk: "Critical",
+        });
+    }
+
+    // ── Signal handling (process control) ──
+    for name in ["signal", "sigaction", "sigprocmask", "sigsuspend"] {
+        m.insert(name, LibcClassification {
+            category: "Process",
+            subcategory: "signal",
+            risk: "High",
+        });
+    }
+
+    m
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn filesystem_calls_classified() {
+        for name in ["open", "read", "stat", "readlink", "access"] {
+            let c = classify_libc_fn(name)
+                .unwrap_or_else(|| panic!("{name} should be classified"));
+            assert_eq!(c.category, "Fs", "{name} should be Fs");
+        }
+    }
+
+    #[test]
+    fn network_calls_classified() {
+        for name in ["socket", "connect", "bind", "accept", "send"] {
+            let c = classify_libc_fn(name)
+                .unwrap_or_else(|| panic!("{name} should be classified"));
+            assert_eq!(c.category, "Net", "{name} should be Net");
+        }
+    }
+
+    #[test]
+    fn env_calls_classified() {
+        for name in ["getenv", "getcwd", "setenv", "chdir"] {
+            let c = classify_libc_fn(name)
+                .unwrap_or_else(|| panic!("{name} should be classified"));
+            assert_eq!(c.category, "Env", "{name} should be Env");
+        }
+    }
+
+    #[test]
+    fn process_calls_classified() {
+        for name in ["fork", "execve", "kill", "waitpid", "system"] {
+            let c = classify_libc_fn(name)
+                .unwrap_or_else(|| panic!("{name} should be classified"));
+            assert_eq!(c.category, "Process", "{name} should be Process");
+        }
+    }
+
+    #[test]
+    fn unknown_fn_returns_none() {
+        assert!(classify_libc_fn("some_random_fn").is_none());
+    }
+
+    #[test]
+    fn table_size_sanity() {
+        let table = build_table();
+        assert!(table.len() >= 60, "Table too small: {}", table.len());
+        assert!(table.len() <= 120, "Table too large: {}", table.len());
+    }
+}

crates/capsec-deep/src/libc_table.rs

@@ -12,6 +12,8 @@
 
 #![feature(rustc_private)]
 
+mod libc_table;
+
 extern crate rustc_driver;
 extern crate rustc_hir;
 extern crate rustc_interface;
@@ -204,9 +206,10 @@ impl rustc_driver::Callbacks for CapsecCallbacks {
         let crate_name = tcx.crate_name(LOCAL_CRATE).to_string();
         let crate_version = std::env::var("CAPSEC_CRATE_VERSION").unwrap_or_else(|_| "0.0.0".to_string());
         let debug = std::env::var("CAPSEC_DEEP_DEBUG").is_ok();
+        let progress = std::env::var("CAPSEC_DEEP_PROGRESS").is_ok();
 
-        if debug {
-            eprintln!("[capsec-deep] Analyzing crate: {crate_name}");
+        if debug || progress {
+            eprintln!("  [capsec-deep] analyzing: {crate_name}");
         }
 
         // Skip std/core/alloc — not useful for authority analysis
@@ -320,17 +323,58 @@ impl rustc_driver::Callbacks for CapsecCallbacks {
 
                     // Check 2: FFI — calls to foreign functions
                     if tcx.is_foreign_item(callee_def_id) {
+                        // Classify libc calls into FS/NET/ENV/PROC via POSIX table
+                        let callee_crate_name =
+                            tcx.crate_name(callee_def_id.krate).to_string();
+                        let callee_fn_name = callee_path
+                            .rsplit("::")
+                            .next()
+                            .unwrap_or(&callee_path);
+
+                        let (cat, subcat, risk, desc) =
+                            if callee_crate_name == "libc" {
+                                if let Some(lc) =
+                                    libc_table::classify_libc_fn(callee_fn_name)
+                                {
+                                    (
+                                        lc.category.to_string(),
+                                        lc.subcategory.to_string(),
+                                        lc.risk.to_string(),
+                                        format!(
+                                            "libc::{callee_fn_name}() — {}",
+                                            lc.subcategory
+                                        ),
+                                    )
+                                } else {
+                                    (
+                                        "Ffi".to_string(),
+                                        "ffi_call".to_string(),
+                                        "High".to_string(),
+                                        format!(
+                                            "Calls FFI function {callee_path}()"
+                                        ),
+                                    )
+                                }
+                            } else {
+                                (
+                                    "Ffi".to_string(),
+                                    "ffi_call".to_string(),
+                                    "High".to_string(),
+                                    format!("Calls FFI function {callee_path}()"),
+                                )
+                            };
+
                         findings.push(DeepFinding {
                             file: fn_file.clone(),
                             function: fn_name.clone(),
                             function_line: fn_line,
                             call_line,
                             call_col,
                             call_text: callee_path.clone(),
-                            category: "Ffi".to_string(),
-                            subcategory: "ffi_call".to_string(),
-                            risk: "High".to_string(),
-                            description: format!("Calls FFI function {callee_path}()"),
+                            category: cat,
+                            subcategory: subcat,
+                            risk,
+                            description: desc,
                             is_build_script,
                             crate_name: crate_name.clone(),
                             crate_version: crate_version.clone(),

crates/capsec-deep/src/main.rs

@@ -0,0 +1,29 @@
+unsafe extern "C" {
+    fn open(path: *const u8, flags: i32) -> i32;
+    fn socket(domain: i32, ty: i32, proto: i32) -> i32;
+    fn getenv(name: *const u8) -> *const u8;
+    fn fork() -> i32;
+}
+
+fn read_config() -> i32 {
+    unsafe { open(b"/etc/config\0".as_ptr(), 0) }
+}
+
+fn open_socket() -> i32 {
+    unsafe { socket(2, 1, 0) }
+}
+
+fn check_env() -> *const u8 {
+    unsafe { getenv(b"HOME\0".as_ptr()) }
+}
+
+fn spawn_child() -> i32 {
+    unsafe { fork() }
+}
+
+fn main() {
+    let _ = read_config();
+    let _ = open_socket();
+    let _ = check_env();
+    let _ = spawn_child();
+}

crates/capsec-deep/tests/fixtures/libc_calls.rs

@@ -8,6 +8,7 @@ use crate::discovery::{self, CrateInfo};
 use crate::export_map::{self, CrateExportMap};
 use std::collections::HashMap;
 use std::path::Path;
+use std::time::Instant;
 
 /// Pinned nightly date for capsec-driver. Must match `crates/capsec-deep/rust-toolchain.toml`.
 const PINNED_NIGHTLY: &str = "nightly-2026-02-17";
@@ -37,6 +38,7 @@ pub fn run_deep_analysis(
     fs_read: &impl capsec_core::cap_provider::CapProvider<capsec_core::permission::FsRead>,
     spawn_cap: &impl capsec_core::cap_provider::CapProvider<capsec_core::permission::Spawn>,
 ) -> DeepResult {
+    let start = Instant::now();
     let mut warnings: Vec<String> = Vec::new();
     let output_path =
         std::env::temp_dir().join(format!("capsec-deep-{}.jsonl", std::process::id()));
@@ -75,6 +77,14 @@ pub fn run_deep_analysis(
                 .env("CAPSEC_CRATE_VERSION", "0.0.0")
                 .env("CARGO_TARGET_DIR", &deep_target_dir)
                 .env("RUSTUP_TOOLCHAIN", toolchain)
+                .env(
+                    "CAPSEC_DEEP_PROGRESS",
+                    if std::io::IsTerminal::is_terminal(&std::io::stderr()) {
+                        "1"
+                    } else {
+                        ""
+                    },
+                )
                 .output()
                 .ok()
         });
@@ -123,6 +133,9 @@ pub fn run_deep_analysis(
     // Build export maps from MIR findings
     let export_maps = build_mir_export_maps(&mir_findings, workspace_crates, dep_crates);
 
+    let elapsed = start.elapsed();
+    eprintln!("  Deep analysis took {:.1}s", elapsed.as_secs_f64());
+
     DeepResult {
         findings: mir_findings,
         export_maps,

crates/cargo-capsec/src/deep.rs

@@ -361,13 +361,22 @@ pub fn discover_crates(
             .unwrap_or(Path::new("."))
             .to_path_buf();
 
+        // Check for source in src/ (standard) or at crate root (common for -sys crates
+        // like libgit2-sys which have lib.rs at the root, not in src/)
         let src_dir = manifest_dir.join("src");
+        let source_dir = if src_dir.exists() {
+            Some(src_dir)
+        } else if manifest_dir.join("lib.rs").exists() || manifest_dir.join("main.rs").exists() {
+            Some(manifest_dir.clone())
+        } else {
+            None
+        };
 
-        if src_dir.exists() {
+        if let Some(source_dir) = source_dir {
             crates.push(CrateInfo {
                 name: package.name.clone(),
                 version: package.version.clone(),
-                source_dir: src_dir,
+                source_dir,
                 is_dependency: package.source.is_some(),
                 classification: extract_classification(&package.metadata),
                 package_id: if include_deps {