In the unlikely event of a failure in creating processes, signal
masks will fall from the panels above you. Secure your mask before
telling your child what to do, since it won't exist, and you will
instead cause the server itself to be replaced by a shell running
the target program.
Found by Coverity #53397: Missing break in switch
Execution falls through to the next case statement or default;
this might indicate a common typo.
In System: Missing break statement between cases in switch statement (CWE-484)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Signed-off-by: Keith Packard <keithp@keithp.com>
This disables the tcp listen socket by default. Then, it
uses a new xtrans interface, TRANS(Listen), to provide a command line
option to re-enable those if desired.
v2: Leave unix socket enabled by default. Add configure options.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
This should have been part of d0da0e9c3b
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Keith Packard <keithp@keithp.com>
Almost every situation of someone running indirect GLX is a mistake
that results in X Server crashes. Indirect GLX is the cause of
regular security vulnerabilities, and rarely provides any capability
to the user. Just disable it unless someone wants to enable it for
their special use case (using +iglx on the command line).
Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Add -displayfd into -help text. It was mentioned in the man page but seem to have been missed from the -help text.
Signed-off-by: Keith Packard <keithp@keithp.com>
The attack surface for indirect GLX is huge, and it's of no use to
most people (if you get an indirect GL context, you're better served
by a immediate X error than actually trying to use an indirect GL
context and finding out that it doesn't support doing anything you
want, slowly). This flag gives you a chance to disable indirect GLX
in environments where you just don't need it.
I put in both the '+' and '-' arguments right now, so that it's easy
to patch the value to change the default policy.
Signed-off-by: Eric Anholt <eric@anholt.net>
Acked-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
There's no sense verifying that we can create the lock file and then
ignoring the return value from write.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Handle -displayfd and an explicit display number sensibly, e.g. use the
explicitly specified display number, and write it to the displayfd
v2: displayfd might be 0, so use -1 as invalid value
v3: Rebase for addition of NoListenAll flag
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Kristian Høgsberg <krh@bitplanet.net>
A socket-activated server will receive its listening sockets from the
parent process and should not create its own sockets. This patch
introduces a NoListen flag that can be set by a DDX to prevent
the server from creating the sockets. When NoListen is enabled, we
also disable the server lock checking, since the parent process is
responsible for checking the lock before picking the display name and
creating the sockets.
Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
This reverts commit d0339a5c66.
seriously, what the fuck? Are we making xstrdup() return a const char now too?
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
We call atoi() on the server's display to get the socket but otherwise use the
unmodified display for log file name, xkb paths, etc. This results in
Xorg :banana being the equivalent of Xorg :0, except for the log files being
in /var/log/Xorg.banana.log. I'm not sure there's a good use-case for this
behaviour.
Check the display for something that looks reasonable, i.e. digits only, but
do allow for :0.0 (i.e. digits, followed by a period, followed by one or two
digits).
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Applications may end up allocating a bunch of shmfence objects, each
of which uses a file descriptor, which must be kept open lest some
other client ask for a copy of it later on.
Lacking an API that can turn a memory mapping back into a file
descriptor, about the best we can do is push the file descriptors out
of the way of other X clients so that we don't run out of the ability
to accept new connections.
This uses fcntl F_GETFD to push the FD up above MAXCLIENTS.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
The selection of which clock to use for this function was not actually
getting used when fetching the final clock value.
Reported-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Keith Packard <keithp@keithp.com>
It's already not optional at configure time, this just makes it so at
build time too.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Truncating the fraction part leads to a test failure where -1203.30 is
printed as -1203.29. Round this to the nearest value instead by adding
0.5 before converting to an integer
Signed-off-by: Keith Packard <keithp@keithp.com>
This is the lazy man's %f support. Print the decimal part of the number,
then append a decimal point, then print the first two digits of the
fractional part. So %f in sigsafe printing is really %.2f.
No boundary checks in place here.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
The formatter confused address operators preceded by casts with
bitwise-and expressions, placing spaces on either side of both.
That syntax isn't used by ordinary address operators, however,
so fix them for consistency.
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
setitimer() and SIGALRM aren't available on WIN32, so smart scheduler
code cannot be built. Provide only stubs for smart scheduler timer
code, and disable smart scheduler by default.
Signed-off-by: Ryan Pavlik <rpavlik@iastate.edu>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Tested-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Fix compilation of OsBlockSIGIO with -Werror=return-type when SIGIO isn't
defined.
/jhbuild/checkout/xorg/xserver/os/utils.c: In function 'OsBlockSIGIO':
/jhbuild/checkout/xorg/xserver/os/utils.c:1248:1: error: control reaches end of non-void function [-Wreturn-type]
v2: Shuffle around to avoid writing unreachable code
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Tested-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
MinGW doesn't have sigaction, so this patch is needed for building.
No attempt is made to actually install the fatal error signal handler, as MinGW
will simply terminate the process rather than deliver a fatal signal.
Also avoid using strsignal
Signed-off-by: Ryan Pavlik <rpavlik@iastate.edu>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Tested-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
MinGW and MSVC lack the POSIX functions to compile the lock file code.
Signed-off-by: Ryan Pavlik <rpavlik@iastate.edu>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Calling OsReleaseSignal() inside the signal handler releases SIGIO, causing
the signal handler to be called again from within the handler.
Practical use-case: when synaptics calls TimerSet in the signal handler,
this causes the signals to be released, eventually hanging the server.
Regression introduced in 08962951de.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Fix Win32TempDir() in the case where we fell back to checking the TMP
environment variable. It looks like this has been wrong since forever.
Signed-off-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Popen and Pclose are never used on Windows, so don't bother to even
try to define them.
System(s) was defined as system(s), but the two users of that
function are in xkb, which carefully redefines that as
Win32System. Move Win32System and Win32TempDir to os/utils.c, renaming
Win32System to be just System, which simplifies the xkb code
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
No-one ever did anything with this variable except assign its default
value to it.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
If failing to disable a protocol specified by -nolisten failed, we'd
throw a FatalError and bomb startup entirely. From poking at xtrans, it
looks like the only way we can get a failure here is because we've
specified a protocol name which doesn't exist, which probably doesn't
constitute a security risk.
And it makes it possible to start gdm even though you've built with
--disable-tcp-transport.
Signed-off-by: Daniel Stone <daniel@fooishbar.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Each DDX currently calls OsReleaseSIGIO in case it was suspended when
the server regen started. This causes a BUG to occur if SIGIO was
*not* blocked at that time. Instead of relying on each DDX, make the
OS layer reliably reset all signal state at server init time, ensuring
that signals are suitably unblocked and that the various signal state
counting variables are set back to zero.
Signed-off-by: Keith Packard <keithp@keithp.com>
Let the dix be in charge of changing the sigprocmask so we only have one
entity that changes it.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This will be used for checking for proper logging when in signal
context.
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This option specifies a file descriptor in the launching process. X
will scan for an available display number and write that number back to
the launching process, at the same time as SIGUSR1 generation. This
means display managers don't need to guess at available display numbers.
As a consequence, if X fails to start when using -displayfd, it's not
because the display was in use, so there's no point in retrying the X
launch on a higher display number.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Tested-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:
-bap
-psl
-T PrivatePtr
-T pmWait
-T _XFUNCPROTOBEGIN
-T _XFUNCPROTOEND
-T _X_EXPORT
The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.
The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.
The comparison was done with this script:
dir1=$1
dir2=$2
for dir in $dir1 $dir2; do
(cd $dir && find . -name '*.o' | while read file; do
dir=`dirname $file`
base=`basename $file .o`
dump=$dir/$base.dump
objdump -d $file > $dump
done)
done
find $dir1 -name '*.dump' | while read dump; do
otherdump=`echo $dump | sed "s;$dir1;$dir2;"`
diff -u $dump $otherdump
done
Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
And instead of initializing to NULL, then resetting to LOCKDIR almost
immediately (before ever using the NULL value), skip directly to setting
it to LOCKDIR.
tmppath variable is only used as input for generating the path name
via calls to strlen, sprintf, etc.
Fixes gcc warning of:
utils.c: In function 'LockServer':
utils.c:259:11: warning: assignment discards qualifiers from pointer target type
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Silencing more gcc -Wwrite-strings warnings
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
This batch is the straightforward set - others are more complex and
need more analysis to determine right size to pass.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Use fchmod() to change permissions of the lock file instead
of chmod(), thus avoid the race that can be exploited to set
a symbolic link to any file or directory in the system.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
use O_NOFOLLOW to open the existing lock file, so symbolic links
aren't followed, thus avoid revealing if it point to an existing
file.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Add support for multi-seat-aware input device hotplugging. This
implements the multi-seat scheme explained here:
http://www.freedesktop.org/wiki/Software/systemd/multiseat
This introduces a new X server switch "-seat" which allows configuration
of the seat to enumerate hotplugging devices on. If specified the value
of this parameter will also be exported as root window property
Xorg_Seat.
To properly support input hotplugging devices need to be tagged in udev
according to the seat they are on. Untagged devices are assumed to be on
the default seat "seat0". If no "-seat" parameter is passed only devices
on "seat0" are used. This means that the new scheme is perfectly
compatible with existing setups which have no tagged input devices.
Note that the -seat switch takes a completely generic identifier, and
that it has no effect on non-Linux systems. In fact, on other OSes a
completely different identifier scheme for seats could be used but still
be exposed with the Xorg_Seat and -seat.
I tried to follow the coding style of the surrounding code blocks if
there was any one could follow.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
