libsandbox: unify wrapper funcs

Unify a lot of duplicated code in the wrapper-funcs handling.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>

39 files changed, 246 insertions, 655 deletions

diff --git a/libsandbox/wrapper-funcs/__wrapper_simple.c b/libsandbox/wrapper-funcs/__wrapper_simple.c
new file mode 100644
index 0000000..8bdc22b
--- /dev/null
+++ b/libsandbox/wrapper-funcs/__wrapper_simple.c
@@ -0,0 +1,36 @@
+/*
+ * generic wrapper.
+ *
+ * Copyright 1999-2008 Gentoo Foundation
+ * Licensed under the GPL-2
+ */
+
+#ifndef WRAPPER_ARGS_PROTO
+# error WRAPPER_ARGS_PROTO needs to be defined
+#endif
+#ifndef WRAPPER_RET_TYPE
+# define WRAPPER_RET_TYPE int
+#endif
+#ifndef WRAPPER_RET_DEFAULT
+# define WRAPPER_RET_DEFAULT -1
+#endif
+#ifndef WRAPPER_PRE_CHECKS
+# define WRAPPER_PRE_CHECKS()
+#endif
+
+extern WRAPPER_RET_TYPE EXTERN_NAME(WRAPPER_ARGS_PROTO);
+static WRAPPER_RET_TYPE (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS_PROTO) = NULL;
+
+WRAPPER_RET_TYPE WRAPPER_NAME(WRAPPER_ARGS_PROTO)
+{
+	WRAPPER_RET_TYPE result = WRAPPER_RET_DEFAULT;
+
+	WRAPPER_PRE_CHECKS();
+
+	if (WRAPPER_SAFE()) {
+		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME, WRAPPER_SYMVER);
+		result = WRAPPER_TRUE_NAME(WRAPPER_ARGS);
+	}
+
+	return result;
+}
diff --git a/libsandbox/wrapper-funcs/__xmknod.c b/libsandbox/wrapper-funcs/__xmknod.c
index 563ddab..2f4cf33 100644
--- a/libsandbox/wrapper-funcs/__xmknod.c
+++ b/libsandbox/wrapper-funcs/__xmknod.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS int ver, const char *pathname, __mode_t mode, __dev_t *dev
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(ver, pathname, mode, dev);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int ver, const char *pathname, __mode_t mode, __dev_t *dev
+#define WRAPPER_ARGS ver, pathname, mode, dev
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(pathname)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/access.c b/libsandbox/wrapper-funcs/access.c
index 9823e1d..895566f 100644
--- a/libsandbox/wrapper-funcs/access.c
+++ b/libsandbox/wrapper-funcs/access.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *pathname, int mode
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_ACCESS(pathname, mode)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(pathname, mode);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *pathname, int mode
+#define WRAPPER_ARGS pathname, mode
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_ACCESS(pathname, mode)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/chmod.c b/libsandbox/wrapper-funcs/chmod.c
index a57c1d0..2a0b513 100644
--- a/libsandbox/wrapper-funcs/chmod.c
+++ b/libsandbox/wrapper-funcs/chmod.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *path, mode_t mode
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(path)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(path, mode);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *path, mode_t mode
+#define WRAPPER_ARGS path, mode
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(path)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/chown.c b/libsandbox/wrapper-funcs/chown.c
index c692f9e..bbf5fd6 100644
--- a/libsandbox/wrapper-funcs/chown.c
+++ b/libsandbox/wrapper-funcs/chown.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *path, uid_t owner, gid_t group
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(path)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(path, owner, group);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *path, uid_t owner, gid_t group
+#define WRAPPER_ARGS path, owner, group
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(path)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/creat.c b/libsandbox/wrapper-funcs/creat.c
index b38e956..2d73c27 100644
--- a/libsandbox/wrapper-funcs/creat.c
+++ b/libsandbox/wrapper-funcs/creat.c
@@ -8,12 +8,13 @@
  *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *pathname, mode_t mode
-extern int EXTERN_NAME(WRAPPER_ARGS);
+#define WRAPPER_ARGS_PROTO const char *pathname, mode_t mode
+#define WRAPPER_ARGS pathname, mode
+extern int EXTERN_NAME(WRAPPER_ARGS_PROTO);
 /* XXX: We use the open() call to simulate creat() */
-/* static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL; */
+/* static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS_PROTO) = NULL; */
 
-int WRAPPER_NAME(WRAPPER_ARGS)
+int WRAPPER_NAME(WRAPPER_ARGS_PROTO)
 {
 	int result = -1;
 
diff --git a/libsandbox/wrapper-funcs/creat64.c b/libsandbox/wrapper-funcs/creat64.c
index 7c30d44..b892808 100644
--- a/libsandbox/wrapper-funcs/creat64.c
+++ b/libsandbox/wrapper-funcs/creat64.c
@@ -8,12 +8,13 @@
  *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *pathname, mode_t mode
-extern int EXTERN_NAME(WRAPPER_ARGS);
+#define WRAPPER_ARGS_PROTO const char *pathname, mode_t mode
+#define WRAPPER_ARGS pathname, mode
+extern int EXTERN_NAME(WRAPPER_ARGS_PROTO);
 /* XXX: We use the open64() call to simulate creat64() */
-/* static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL; */
+/* static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS_PROTO) = NULL; */
 
-int WRAPPER_NAME(WRAPPER_ARGS)
+int WRAPPER_NAME(WRAPPER_ARGS_PROTO)
 {
 	int result = -1;
 
diff --git a/libsandbox/wrapper-funcs/execve.c b/libsandbox/wrapper-funcs/execve.c
index d239eb1..cc8f7a8 100644
--- a/libsandbox/wrapper-funcs/execve.c
+++ b/libsandbox/wrapper-funcs/execve.c
@@ -8,9 +8,10 @@
  *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *filename, char *const argv[], char *const envp[]
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
+#define WRAPPER_ARGS_PROTO const char *filename, char *const argv[], char *const envp[]
+#define WRAPPER_ARGS filename, argv, envp
+extern int EXTERN_NAME(WRAPPER_ARGS_PROTO);
+static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS_PROTO) = NULL;
 
 /* See to see if this an ELF and if so, is it static which we can't wrap */
 void check_exec(const char *filename)
@@ -64,7 +65,7 @@ void check_exec(const char *filename)
 	close(fd);
 }
 
-int WRAPPER_NAME(WRAPPER_ARGS)
+int WRAPPER_NAME(WRAPPER_ARGS_PROTO)
 {
 	char **my_env = NULL;
 	char *entry;
diff --git a/libsandbox/wrapper-funcs/faccessat.c b/libsandbox/wrapper-funcs/faccessat.c
index 8a55d77..c053f19 100644
--- a/libsandbox/wrapper-funcs/faccessat.c
+++ b/libsandbox/wrapper-funcs/faccessat.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS int dirfd, const char *pathname, int mode, int flags
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_ACCESS_AT(dirfd, pathname, mode)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(dirfd, pathname, mode, flags);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int dirfd, const char *pathname, int mode, int flags
+#define WRAPPER_ARGS dirfd, pathname, mode, flags
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_ACCESS_AT(dirfd, pathname, mode)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/fchmodat.c b/libsandbox/wrapper-funcs/fchmodat.c
index 6a1490a..a548cbc 100644
--- a/libsandbox/wrapper-funcs/fchmodat.c
+++ b/libsandbox/wrapper-funcs/fchmodat.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS int dirfd, const char *path, mode_t mode, int flags
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_AT(dirfd, path)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(dirfd, path, mode, flags);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int dirfd, const char *path, mode_t mode, int flags
+#define WRAPPER_ARGS dirfd, path, mode, flags
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(dirfd, path)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/fchownat.c b/libsandbox/wrapper-funcs/fchownat.c
index c2e99c0..a4f15f1 100644
--- a/libsandbox/wrapper-funcs/fchownat.c
+++ b/libsandbox/wrapper-funcs/fchownat.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS int dirfd, const char *path, uid_t owner, gid_t group, int flags
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_AT(dirfd, path)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(dirfd, path, owner, group, flags);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int dirfd, const char *path, uid_t owner, gid_t group, int flags
+#define WRAPPER_ARGS dirfd, path, owner, group, flags
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(dirfd, path)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/fopen.c b/libsandbox/wrapper-funcs/fopen.c
index 0316723..18c5a7f 100644
--- a/libsandbox/wrapper-funcs/fopen.c
+++ b/libsandbox/wrapper-funcs/fopen.c
@@ -3,34 +3,29 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *pathname, const char *mode
-extern FILE *WRAPPER_NAME(WRAPPER_ARGS);
-static FILE *(*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
+#define WRAPPER_ARGS_PROTO const char *pathname, const char *mode
+#define WRAPPER_ARGS pathname, mode
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_OPEN_CHAR(pathname, mode)
+#define WRAPPER_RET_TYPE FILE *
+#define WRAPPER_RET_DEFAULT NULL
 
-FILE *WRAPPER_NAME(WRAPPER_ARGS)
+#ifndef SB_FOPEN_PRE_CHECK
+#define SB_FOPEN_PRE_CHECK
+static inline bool sb_fopen_pre_check(WRAPPER_ARGS_PROTO)
 {
-	FILE *result = NULL;
-	int old_errno = errno;
-	struct stat st;
-
+	save_errno();
 	if ((NULL != mode) && (mode[0] == 'r')) {
-		/* XXX: If we're trying to read, fail normally if file does
-		 *      not stat */
+		/* If we're trying to read, fail normally if file does not stat */
+		struct stat st;
 		if (-1 == stat(pathname, &st))
-			return NULL;
-	}
-	errno = old_errno;
-
-	if (FUNCTION_SANDBOX_SAFE_OPEN_CHAR(pathname, mode)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(pathname, mode);
+			return false;
 	}
-
-	return result;
+	restore_errno();
+	return true;
 }
+#endif
+#define WRAPPER_PRE_CHECKS() if (!sb_fopen_pre_check(WRAPPER_ARGS)) return result;
+
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/futimesat.c b/libsandbox/wrapper-funcs/futimesat.c
index efa9653..c66d442 100644
--- a/libsandbox/wrapper-funcs/futimesat.c
+++ b/libsandbox/wrapper-funcs/futimesat.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS int dirfd, const char *filename, const struct timeval times[]
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_AT(dirfd, filename)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(dirfd, filename, times);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int dirfd, const char *filename, const struct timeval times[]
+#define WRAPPER_ARGS dirfd, filename, times
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(dirfd, filename)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/getcwd.c b/libsandbox/wrapper-funcs/getcwd.c
index 23626ca..5814f3d 100644
--- a/libsandbox/wrapper-funcs/getcwd.c
+++ b/libsandbox/wrapper-funcs/getcwd.c
@@ -8,11 +8,12 @@
  *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS char *buf, size_t size
-extern char *WRAPPER_NAME(WRAPPER_ARGS);
-static char *(*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
+#define WRAPPER_ARGS_PROTO char *buf, size_t size
+#define WRAPPER_ARGS dirfd, filename, times
+extern char *WRAPPER_NAME(WRAPPER_ARGS_PROTO);
+static char *(*WRAPPER_TRUE_NAME)(WRAPPER_ARGS_PROTO) = NULL;
 
-char *WRAPPER_NAME(WRAPPER_ARGS)
+char *WRAPPER_NAME(WRAPPER_ARGS_PROTO)
 {
 	char *result = NULL;
 
diff --git a/libsandbox/wrapper-funcs/lchown.c b/libsandbox/wrapper-funcs/lchown.c
index bb86b25..e78031f 100644
--- a/libsandbox/wrapper-funcs/lchown.c
+++ b/libsandbox/wrapper-funcs/lchown.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *path, uid_t owner, gid_t group
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(path)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(path, owner, group);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *path, uid_t owner, gid_t group
+#define WRAPPER_ARGS path, owner, group
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(path)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/link.c b/libsandbox/wrapper-funcs/link.c
index caa330d..d9aaa1e 100644
--- a/libsandbox/wrapper-funcs/link.c
+++ b/libsandbox/wrapper-funcs/link.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *oldpath, const char *newpath
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(newpath)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(oldpath, newpath);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *oldpath, const char *newpath
+#define WRAPPER_ARGS oldpath, newpath
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(newpath)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/linkat.c b/libsandbox/wrapper-funcs/linkat.c
index 2db52b0..819adb6 100644
--- a/libsandbox/wrapper-funcs/linkat.c
+++ b/libsandbox/wrapper-funcs/linkat.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS int olddirfd, const char *oldpath, int newdirfd, const char *newpath, int flags
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_AT(newdirfd, newpath)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(olddirfd, oldpath, newdirfd, newpath, flags);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int olddirfd, const char *oldpath, int newdirfd, const char *newpath, int flags
+#define WRAPPER_ARGS olddirfd, oldpath, newdirfd, newpath, flags
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(newdirfd, newpath)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/lutimes.c b/libsandbox/wrapper-funcs/lutimes.c
index fabb1ab..d91a211 100644
--- a/libsandbox/wrapper-funcs/lutimes.c
+++ b/libsandbox/wrapper-funcs/lutimes.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *filename, const struct timeval times[]
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(filename)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(filename, times);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *filename, const struct timeval times[]
+#define WRAPPER_ARGS filename, times
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(filename)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/mkdir.c b/libsandbox/wrapper-funcs/mkdir.c
index 342a94c..430233f 100644
--- a/libsandbox/wrapper-funcs/mkdir.c
+++ b/libsandbox/wrapper-funcs/mkdir.c
@@ -5,36 +5,9 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *pathname, mode_t mode
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	struct stat st;
-	int result = -1, old_errno = errno;
-	char canonic[SB_PATH_MAX];
-
-	if (-1 == canonicalize(pathname, canonic))
-		/* Path is too long to canonicalize, do not fail, but just let
-		 * the real function handle it (see bug #94630 and #21766). */
-		if (ENAMETOOLONG != errno)
-			return -1;
-
-	/* XXX: Hack to prevent errors if the directory exist,
-	 * and are not writable - we rather return EEXIST rather
-	 * than failing */
-	if (0 == lstat(canonic, &st)) {
-		errno = EEXIST;
-		return -1;
-	}
-	errno = old_errno;
-
-	if (FUNCTION_SANDBOX_SAFE(pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(pathname, mode);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *pathname, mode_t mode
+#define WRAPPER_ARGS pathname, mode
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(pathname)
+#define sb_mkdirat_pre_check sb_mkdir_pre_check
+#include "mkdirat.c"
+#undef sb_mkdirat_pre_check
diff --git a/libsandbox/wrapper-funcs/mkdirat.c b/libsandbox/wrapper-funcs/mkdirat.c
index 2d559b1..1788df7 100644
--- a/libsandbox/wrapper-funcs/mkdirat.c
+++ b/libsandbox/wrapper-funcs/mkdirat.c
@@ -5,36 +5,35 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS int dirfd, const char *pathname, mode_t mode
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
+#ifndef WRAPPER_ARGS_PROTO /* let mkdir() use us */
+# define WRAPPER_ARGS_PROTO int dirfd, const char *pathname, mode_t mode
+# define WRAPPER_ARGS dirfd, pathname, mode
+# define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(dirfd, pathname)
+#endif
 
-int WRAPPER_NAME(WRAPPER_ARGS)
+static inline bool sb_mkdirat_pre_check(WRAPPER_ARGS_PROTO)
 {
-	struct stat st;
-	int result = -1, old_errno = errno;
 	char canonic[SB_PATH_MAX];
+	save_errno();
 
 	if (-1 == canonicalize(pathname, canonic))
 		/* Path is too long to canonicalize, do not fail, but just let
 		 * the real function handle it (see bug #94630 and #21766). */
 		if (ENAMETOOLONG != errno)
-			return -1;
+			return false;
 
 	/* XXX: Hack to prevent errors if the directory exist,
 	 * and are not writable - we rather return EEXIST rather
 	 * than failing */
+	struct stat st;
 	if (0 == lstat(canonic, &st)) {
 		errno = EEXIST;
-		return -1;
+		return false;
 	}
-	errno = old_errno;
 
-	if (FUNCTION_SANDBOX_SAFE_AT(dirfd, pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(dirfd, pathname, mode);
-	}
-
-	return result;
+	restore_errno();
+	return true;
 }
+#define WRAPPER_PRE_CHECKS() if (!sb_mkdirat_pre_check(WRAPPER_ARGS)) return result;
+
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/mkfifo.c b/libsandbox/wrapper-funcs/mkfifo.c
index 7000222..246643a 100644
--- a/libsandbox/wrapper-funcs/mkfifo.c
+++ b/libsandbox/wrapper-funcs/mkfifo.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *pathname, mode_t mode
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(pathname, mode);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *pathname, mode_t mode
+#define WRAPPER_ARGS pathname, mode
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(pathname)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/mkfifoat.c b/libsandbox/wrapper-funcs/mkfifoat.c
index b0a9e33..fe1b8e9 100644
--- a/libsandbox/wrapper-funcs/mkfifoat.c
+++ b/libsandbox/wrapper-funcs/mkfifoat.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS int dirfd, const char *pathname, mode_t mode
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_AT(dirfd, pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(dirfd, pathname, mode);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int dirfd, const char *pathname, mode_t mode
+#define WRAPPER_ARGS dirfd, pathname, mode
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(dirfd, pathname)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/mknod.c b/libsandbox/wrapper-funcs/mknod.c
index 0e0cff9..d0b52cc 100644
--- a/libsandbox/wrapper-funcs/mknod.c
+++ b/libsandbox/wrapper-funcs/mknod.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *pathname, mode_t mode, dev_t dev
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(pathname, mode, dev);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *pathname, mode_t mode, dev_t dev
+#define WRAPPER_ARGS pathname, mode, dev
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(pathname)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/mknodat.c b/libsandbox/wrapper-funcs/mknodat.c
index 8bc6b45..50a235e 100644
--- a/libsandbox/wrapper-funcs/mknodat.c
+++ b/libsandbox/wrapper-funcs/mknodat.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS int dirfd, const char *pathname, mode_t mode, dev_t dev
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_AT(dirfd, pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(dirfd, pathname, mode, dev);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int dirfd, const char *pathname, mode_t mode, dev_t dev
+#define WRAPPER_ARGS dirfd, pathname, mode, dev
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(dirfd, pathname)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/open.c b/libsandbox/wrapper-funcs/open.c
index dda8c98..ef649ca 100644
--- a/libsandbox/wrapper-funcs/open.c
+++ b/libsandbox/wrapper-funcs/open.c
@@ -3,44 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *pathname, int flags, ...
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-/* Eventually, there is a third parameter: it's mode_t mode */
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	va_list ap;
-	int mode = 0;
-	int result = -1;
-	int old_errno = errno;
-	struct stat st;
-
-	if (flags & O_CREAT) {
-		va_start(ap, flags);
-		mode = va_arg(ap, int);
-		va_end(ap);
-	} else {
-		/* XXX: If we're not trying to create, fail normally if
-		 *      file does not stat */
-		if (-1 == stat(pathname, &st))
-			return -1;
-	}
-	errno = old_errno;
-
-	if (FUNCTION_SANDBOX_SAFE_OPEN_INT(pathname, flags)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		if (flags & O_CREAT)
-			result = WRAPPER_TRUE_NAME(pathname, flags, mode);
-		else
-			result = WRAPPER_TRUE_NAME(pathname, flags);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *pathname, int flags, ...
+#define WRAPPER_ARGS pathname, flags
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_OPEN_INT(pathname, flags)
+#include "openat.c"
diff --git a/libsandbox/wrapper-funcs/openat.c b/libsandbox/wrapper-funcs/openat.c
index 02e9b07..3df904f 100644
--- a/libsandbox/wrapper-funcs/openat.c
+++ b/libsandbox/wrapper-funcs/openat.c
@@ -3,24 +3,28 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS int dirfd, const char *pathname, int flags, ...
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
+#ifndef WRAPPER_ARGS_PROTO /* let open() use us */
+# define WRAPPER_ARGS_PROTO int dirfd, const char *pathname, int flags, ...
+# define WRAPPER_ARGS dirfd, pathname, flags
+# define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_OPEN_INT_AT(dirfd, pathname, flags)
+# define USE_AT 1
+#else
+# define USE_AT 0
+#endif
+
+extern int EXTERN_NAME(WRAPPER_ARGS_PROTO);
+static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS_PROTO) = NULL;
 
 /* Eventually, there is a third parameter: it's mode_t mode */
-int WRAPPER_NAME(WRAPPER_ARGS)
+int WRAPPER_NAME(WRAPPER_ARGS_PROTO)
 {
 	va_list ap;
 	int mode = 0;
 	int result = -1;
-	int old_errno = errno;
-	struct stat st;
 
+	save_errno();
 	if (flags & O_CREAT) {
 		va_start(ap, flags);
 		mode = va_arg(ap, int);
@@ -28,19 +32,23 @@ int WRAPPER_NAME(WRAPPER_ARGS)
 	} else {
 		/* XXX: If we're not trying to create, fail normally if
 		 *      file does not stat */
+		struct stat st;
+#if USE_AT
 		if (dirfd == AT_FDCWD || pathname[0] == '/')
+#endif
+#undef USE_AT
 			if (-1 == stat(pathname, &st))
 				return -1;
 	}
-	errno = old_errno;
+	restore_errno();
 
-	if (FUNCTION_SANDBOX_SAFE_OPEN_INT_AT(dirfd, pathname, flags)) {
+	if (WRAPPER_SAFE()) {
 		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
 			    WRAPPER_SYMVER);
 		if (flags & O_CREAT)
-			result = WRAPPER_TRUE_NAME(dirfd, pathname, flags, mode);
+			result = WRAPPER_TRUE_NAME(WRAPPER_ARGS, mode);
 		else
-			result = WRAPPER_TRUE_NAME(dirfd, pathname, flags);
+			result = WRAPPER_TRUE_NAME(WRAPPER_ARGS);
 	}
 
 	return result;
diff --git a/libsandbox/wrapper-funcs/openat64.c b/libsandbox/wrapper-funcs/openat64.c
index d88b30b..b410af2 100644
--- a/libsandbox/wrapper-funcs/openat64.c
+++ b/libsandbox/wrapper-funcs/openat64.c
@@ -3,9 +3,6 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
 #include "__64_pre.h"
diff --git a/libsandbox/wrapper-funcs/opendir.c b/libsandbox/wrapper-funcs/opendir.c
index 46d9e30..2db2582 100644
--- a/libsandbox/wrapper-funcs/opendir.c
+++ b/libsandbox/wrapper-funcs/opendir.c
@@ -5,19 +5,9 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *name
-extern DIR *WRAPPER_NAME(WRAPPER_ARGS);
-static DIR *(*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-DIR *WRAPPER_NAME(WRAPPER_ARGS)
-{
-	DIR *result = NULL;
-
-	if (FUNCTION_SANDBOX_SAFE(name)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(name);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *name
+#define WRAPPER_ARGS name
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(name)
+#define WRAPPER_RET_TYPE DIR *
+#define WRAPPER_RET_DEFAULT NULL
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/rename.c b/libsandbox/wrapper-funcs/rename.c
index 4ca2c39..1a194c9 100644
--- a/libsandbox/wrapper-funcs/rename.c
+++ b/libsandbox/wrapper-funcs/rename.c
@@ -3,26 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *oldpath, const char *newpath
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(oldpath) &&
-	    FUNCTION_SANDBOX_SAFE(newpath))
-	{
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(oldpath, newpath);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *oldpath, const char *newpath
+#define WRAPPER_ARGS oldpath, newpath
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(oldpath) && FUNCTION_SANDBOX_SAFE(newpath)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/renameat.c b/libsandbox/wrapper-funcs/renameat.c
index 4e6b6e6..951fea1 100644
--- a/libsandbox/wrapper-funcs/renameat.c
+++ b/libsandbox/wrapper-funcs/renameat.c
@@ -3,26 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS int olddirfd, const char *oldpath, int newdirfd, const char *newpath
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_AT(olddirfd, oldpath) &&
-	    FUNCTION_SANDBOX_SAFE_AT(newdirfd, newpath))
-	{
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(olddirfd, oldpath, newdirfd, newpath);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int olddirfd, const char *oldpath, int newdirfd, const char *newpath
+#define WRAPPER_ARGS olddirfd, oldpath, newdirfd, newpath
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(olddirfd, oldpath) && FUNCTION_SANDBOX_SAFE_AT(newdirfd, newpath)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/rmdir.c b/libsandbox/wrapper-funcs/rmdir.c
index c3fce12..5348b2e 100644
--- a/libsandbox/wrapper-funcs/rmdir.c
+++ b/libsandbox/wrapper-funcs/rmdir.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *pathname
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(pathname);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *pathname
+#define WRAPPER_ARGS pathname
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(pathname)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/symlink.c b/libsandbox/wrapper-funcs/symlink.c
index 85d9922..9fbb597 100644
--- a/libsandbox/wrapper-funcs/symlink.c
+++ b/libsandbox/wrapper-funcs/symlink.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *oldpath, const char *newpath
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(newpath)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(oldpath, newpath);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *oldpath, const char *newpath
+#define WRAPPER_ARGS oldpath, newpath
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(newpath)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/symlinkat.c b/libsandbox/wrapper-funcs/symlinkat.c
index 4bf390f..30c8db9 100644
--- a/libsandbox/wrapper-funcs/symlinkat.c
+++ b/libsandbox/wrapper-funcs/symlinkat.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *oldpath, int newdirfd, const char *newpath
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_AT(newdirfd, newpath)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(oldpath, newdirfd, newpath);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *oldpath, int newdirfd, const char *newpath
+#define WRAPPER_ARGS oldpath, newdirfd, newpath
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(newdirfd, newpath)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/truncate.c b/libsandbox/wrapper-funcs/truncate.c
index 2297daf..0b90467 100644
--- a/libsandbox/wrapper-funcs/truncate.c
+++ b/libsandbox/wrapper-funcs/truncate.c
@@ -3,24 +3,9 @@
  *
  * Copyright 1999-2008 Gentoo Foundation
  * Licensed under the GPL-2
- *
- *  Partly Copyright (C) 1998-9 Pancrazio `Ezio' de Mauro <p@demauro.net>,
- *  as some of the InstallWatch code was used.
  */
 
-#define WRAPPER_ARGS const char *path, off_t length
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(path)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(path, length);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *path, off_t length
+#define WRAPPER_ARGS path, length
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(path)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/unlink.c b/libsandbox/wrapper-funcs/unlink.c
index a5db943..2d7f560 100644
--- a/libsandbox/wrapper-funcs/unlink.c
+++ b/libsandbox/wrapper-funcs/unlink.c
@@ -5,35 +5,9 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *pathname
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1, old_errno = errno;
-	char canonic[SB_PATH_MAX];
-
-	if (-1 == canonicalize(pathname, canonic))
-		/* Path is too long to canonicalize, do not fail, but just let
-		 * the real function handle it (see bug #94630 and #21766). */
-		if (ENAMETOOLONG != errno)
-			return -1;
-
-	/* XXX: Hack to make sure sandboxed process cannot remove
-	 * a device node, bug #79836. */
-	if ((0 == strncmp(canonic, "/dev/null", 9)) ||
-	    (0 == strncmp(canonic, "/dev/zero", 9))) {
-		errno = EACCES;
-		return result;
-	}
-	errno = old_errno;
-
-	if (FUNCTION_SANDBOX_SAFE(pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(pathname);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *pathname
+#define WRAPPER_ARGS pathname
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(pathname)
+#define sb_unlinkat_pre_check sb_unlink_pre_check
+#include "unlinkat.c"
+#undef sb_unlinkat_pre_check
diff --git a/libsandbox/wrapper-funcs/unlinkat.c b/libsandbox/wrapper-funcs/unlinkat.c
index f2980fa..02a3e20 100644
--- a/libsandbox/wrapper-funcs/unlinkat.c
+++ b/libsandbox/wrapper-funcs/unlinkat.c
@@ -5,35 +5,34 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS int dirfd, const char *pathname, int flags
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
+#ifndef WRAPPER_ARGS_PROTO /* let unlink() use us */
+# define WRAPPER_ARGS_PROTO int dirfd, const char *pathname, int flags
+# define WRAPPER_ARGS dirfd, pathname, flags
+# define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(dirfd, pathname)
+#endif
 
-int WRAPPER_NAME(WRAPPER_ARGS)
+static inline bool sb_unlinkat_pre_check(WRAPPER_ARGS_PROTO)
 {
-	int result = -1, old_errno = errno;
 	char canonic[SB_PATH_MAX];
+	save_errno();
 
 	if (-1 == canonicalize(pathname, canonic))
 		/* Path is too long to canonicalize, do not fail, but just let
 		 * the real function handle it (see bug #94630 and #21766). */
 		if (ENAMETOOLONG != errno)
-			return -1;
+			return false;
 
 	/* XXX: Hack to make sure sandboxed process cannot remove
 	 * a device node, bug #79836. */
 	if ((0 == strncmp(canonic, "/dev/null", 9)) ||
 	    (0 == strncmp(canonic, "/dev/zero", 9))) {
 		errno = EACCES;
-		return result;
+		return false;
 	}
-	errno = old_errno;
 
-	if (FUNCTION_SANDBOX_SAFE_AT(dirfd, pathname)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(dirfd, pathname, flags);
-	}
-
-	return result;
+	restore_errno();
+	return true;
 }
+#define WRAPPER_PRE_CHECKS() if (!sb_unlinkat_pre_check(WRAPPER_ARGS)) return result;
+
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/utime.c b/libsandbox/wrapper-funcs/utime.c
index e708f9f..cf3e505 100644
--- a/libsandbox/wrapper-funcs/utime.c
+++ b/libsandbox/wrapper-funcs/utime.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *filename, const struct utimbuf *times
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(filename)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(filename, times);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *filename, const struct utimbuf *times
+#define WRAPPER_ARGS filename, times
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(filename)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/utimensat.c b/libsandbox/wrapper-funcs/utimensat.c
index 7afad79..54346f7 100644
--- a/libsandbox/wrapper-funcs/utimensat.c
+++ b/libsandbox/wrapper-funcs/utimensat.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS int dirfd, const char *filename, const struct timespec times[], int flags
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE_AT(dirfd, filename)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(dirfd, filename, times, flags);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO int dirfd, const char *filename, const struct timespec times[], int flags
+#define WRAPPER_ARGS dirfd, filename, times, flags
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE_AT(dirfd, filename)
+#include "__wrapper_simple.c"
diff --git a/libsandbox/wrapper-funcs/utimes.c b/libsandbox/wrapper-funcs/utimes.c
index e31b96e..7869366 100644
--- a/libsandbox/wrapper-funcs/utimes.c
+++ b/libsandbox/wrapper-funcs/utimes.c
@@ -5,19 +5,7 @@
  * Licensed under the GPL-2
  */
 
-#define WRAPPER_ARGS const char *filename, const struct timeval times[]
-extern int EXTERN_NAME(WRAPPER_ARGS);
-static int (*WRAPPER_TRUE_NAME)(WRAPPER_ARGS) = NULL;
-
-int WRAPPER_NAME(WRAPPER_ARGS)
-{
-	int result = -1;
-
-	if (FUNCTION_SANDBOX_SAFE(filename)) {
-		check_dlsym(WRAPPER_TRUE_NAME, WRAPPER_SYMNAME,
-			    WRAPPER_SYMVER);
-		result = WRAPPER_TRUE_NAME(filename, times);
-	}
-
-	return result;
-}
+#define WRAPPER_ARGS_PROTO const char *filename, const struct timeval times[]
+#define WRAPPER_ARGS filename, times
+#define WRAPPER_SAFE() FUNCTION_SANDBOX_SAFE(filename)
+#include "__wrapper_simple.c"