If the X server is started without a '-auth' argument, then
it gets started wide open to all local users on the system.
This isn't a great default access model, but changing it in
Xorg at this point would break backward compatibility.
Xwayland, on the other hand is new, and much more targeted
in scope. It could, in theory, be changed to allow the much
more secure default of a "user who started X server can connect
clients to that server."
This commit paves the way for that change, by adding a mechanism
for DDXs to opt-in to that behavior. They merely need to call
LocalAccessScopeUser()
in their init functions.
A subsequent commit will add that call for Xwayland.
Signed-off-by: Ray Strode <rstrode@redhat.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Uses reallocarray to perform integer overflow detection when allocating
an array, using NULL as the previous pointer to force a new allocation.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
Wrapper for realloc() that checks for overflow when multiplying
arguments together, so we don't have to add overflow checks to
every single call. For documentation on usage, see:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/calloc.3
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Acked-by: Matt Turner <mattst88@gmail.com>
The xnfcalloc() macro took two arguments but simply multiplied them
together without checking for overflow and defeating any overflow
checking that calloc() might have done. Let's not do that.
The original XNFcalloc() function is left for now to preserve driver
ABI, but is marked as deprecated so it can be removed in a future round
of ABI break/cleanup.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matt Turner <mattst88@gmail.com>
The comment lies, shm hasn't used this code since:
commit fdef7be5c8
Author: Alan Coopersmith <alan.coopersmith@sun.com>
Date: Tue Oct 9 18:44:04 2007 -0700
Sun bug 6589829: include zoneid of shm segment in access [...]
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Even though -Wcomment doesn't mind it (in gcc or clang), the appearance
of */* confuses the syntax highlighter of some editors (eg. vim), and
causes warnings in MSVC.
Signed-off-by: Peter Harris <pharris@opentext.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
When the Xwayland server is socket-activated, we need to connect and
initialize the window manager before the activating client gets to
proceed with connecting. We do this by passing a socket file
descriptor for the window manager connection to the Xwayland server,
which then uses this new function to set it up as an X client.
Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This function was written to allow the X server to inherit the listen
socket from launchd on OS X. The code is not specific to OS X though
and will be useful for on-demand launched Xwayland servers.
Signed-off-by: Kristian Høgsberg <krh@bitplanet.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
This lets us stop using the 'pointer' typedef in Xdefs.h as 'pointer'
is used throughout the X server for other things, and having duplicate
names generates compiler warnings.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Applications may end up allocating a bunch of shmfence objects, each
of which uses a file descriptor, which must be kept open lest some
other client ask for a copy of it later on.
Lacking an API that can turn a memory mapping back into a file
descriptor, about the best we can do is push the file descriptors out
of the way of other X clients so that we don't run out of the ability
to accept new connections.
This uses fcntl F_GETFD to push the FD up above MAXCLIENTS.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
req_fds and SetReqFds in include/dixstruct.h
ReadFdFromClient, WriteFdToClient and the FD flushing in os/io.c
Signed-off-by: Keith Packard <keithp@keithp.com>
This passes a file descriptor from the client to the server, which is
then mmap'd
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
This adds two interfaces:
void SetReqFds(ClientPtr client, int req_fds)
Marks the number of file descriptors expected for this
request. Call this before any request processing so that
any un-retrieved file descriptors will be closed
automatically.
int ReadFdFromClient(ClientPtr client)
Reads the next queued file descriptor from the connection. If
this request is not expecting any more file descriptors, or
if there are no more file descriptors available from the
connection, then this will return -1.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
InitOutput.c: In function ‘OsVendorInit’:
InitOutput.c:630:29: warning: assignment left-hand side might be a candidate for a format attribute [-Wmissing-format-attribute]
winprocarg.c: In function ‘ddxProcessArgument’:
winprocarg.c:231:29: warning: assignment left-hand side might be a candidate for a format attribute [-Wmissing-format-attribute]
Signed-off-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
Popen and Pclose are never used on Windows, so don't bother to even
try to define them.
System(s) was defined as system(s), but the two users of that
function are in xkb, which carefully redefines that as
Win32System. Move Win32System and Win32TempDir to os/utils.c, renaming
Win32System to be just System, which simplifies the xkb code
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Each DDX currently calls OsReleaseSIGIO in case it was suspended when
the server regen started. This causes a BUG to occur if SIGIO was
*not* blocked at that time. Instead of relying on each DDX, make the
OS layer reliably reset all signal state at server init time, ensuring
that signals are suitably unblocked and that the various signal state
counting variables are set back to zero.
Signed-off-by: Keith Packard <keithp@keithp.com>
Let the dix be in charge of changing the sigprocmask so we only have one
entity that changes it.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Keith Packard <keithp@keithp.com>
ErrorF() is not signal safe. Use ErrorSigSafe() whenever an error
message may be logged in signal context.
[whot: edited to "ErrorFSigSafe"]
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
[whot: edited to use varargs, squashed commit below]
Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
os: fix vararg length calculation
Make %u and %x sizeof(unsigned int), %p sizeof(void*). This is printf
behaviour and we can't guarantee that void* is uint64_t anyway.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Chase Douglas <chase.douglas@canonical.com>
This is strictly the application of the script 'x-indent-all.sh'
from util/modular. Compared to the patch that Daniel posted in
January, I've added a few indent flags:
-bap
-psl
-T PrivatePtr
-T pmWait
-T _XFUNCPROTOBEGIN
-T _XFUNCPROTOEND
-T _X_EXPORT
The typedefs were needed to make the output of sdksyms.sh match the
previous output, otherwise, the code is formatted badly enough that
sdksyms.sh generates incorrect output.
The generated code was compared with the previous version and found to
be essentially identical -- "assert" line numbers and BUILD_TIME were
the only differences found.
The comparison was done with this script:
dir1=$1
dir2=$2
for dir in $dir1 $dir2; do
(cd $dir && find . -name '*.o' | while read file; do
dir=`dirname $file`
base=`basename $file .o`
dump=$dir/$base.dump
objdump -d $file > $dump
done)
done
find $dir1 -name '*.dump' | while read dump; do
otherdump=`echo $dump | sed "s;$dir1;$dir2;"`
diff -u $dump $otherdump
done
Signed-off-by: Keith Packard <keithp@keithp.com>
Acked-by: Daniel Stone <daniel@fooishbar.org>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Almost all of the places the string is assigned point to a literal
string constant, so use const char * for those, and const char **
for function calls that return it via an argument. Fortunately
the top level function, ClientAuthorized, which returns the string
as its return value is called from only one place, ProcEstablishConnection.
ProcEstablishConnection stores either that return value or a string literal
in char *reason. It only uses reason as an argument to SendConnSetup.
SendConnSetup passes the reason argument to strlen & WriteToClient,
both of which already have const qualifiers on their args.
Thus added const to the reason variable in ProcEstablishConnection
and the reason argument to SendConnSetup.
Fixes gcc warnings:
dispatch.c: In function 'ProcEstablishConnection':
dispatch.c:3711:9: warning: assignment discards qualifiers from pointer target type
auth.c: In function 'CheckAuthorization':
auth.c:218:14: warning: assignment discards qualifiers from pointer target type
auth.c:220:20: warning: assignment discards qualifiers from pointer target type
connection.c: In function 'ClientAuthorized':
connection.c:683:3: warning: return discards qualifiers from pointer target type
mitauth.c: In function 'MitCheckCookie':
mitauth.c:88:13: warning: assignment discards qualifiers from pointer target type
xdmauth.c:259:14: warning: assignment discards qualifiers from pointer target type
xdmauth.c:270:14: warning: assignment discards qualifiers from pointer target type
xdmauth.c:277:11: warning: assignment discards qualifiers from pointer target type
xdmauth.c:293:15: warning: assignment discards qualifiers from pointer target type
xdmauth.c:313:14: warning: assignment discards qualifiers from pointer target type
xdmauth.c:322:11: warning: assignment discards qualifiers from pointer target type
rpcauth.c: In function 'SecureRPCCheck':
rpcauth.c:136:10: warning: assignment discards qualifiers from pointer target type
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
gcc was warning from storing string constants in a char *name field:
auth.c:64:1: warning: initialization discards qualifiers from pointer target type
auth.c:72:1: warning: initialization discards qualifiers from pointer target type
auth.c:81:1: warning: initialization discards qualifiers from pointer target type
Making the field const requires changing AuthorizationFromID to take
a const char ** pointer for the name argument which it sets to point
to the matching name entry.
Changing that argument requires changing its sole caller in the security
extension to pass the address of a const char * variable to it, which it
can do, since the only thing it does with the returned name is to pass
it back to the RemoveAuthorization function that already expects a const
char *name.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jamey Sharp <jamey@minilop.net>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Replace multiple methods of checking for functions with AC_CHECK_FUNCS
Replace multiple methods of selecting fallback funcs with AC_REPLACE_FUNCS
Replace HAS_* and NEED_* #defines with autogenerated HAVE_*
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
Silencing more gcc -Wwrite-strings warnings
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Linux test code fixed by: Keith Packard <keithp@keithp.com>
Any pad bytes in replies are written to the client from a zeroed
array. However, record extension tries to incorrectly access the pad
bytes from the end of reply data.
Signed-off-by: Rami Ylimäki <rami.ylimaki@vincit.fi>
Reviewed-by: Erkki Seppälä <erkki.seppala@vincit.fi>
LogVHdrMessageVerb allows a custom header to be inserted in a log message,
between the Log system's MessageType string, and a formatted variable
message body. The custom header can itself be a formatted variable string.
These functions can be used, for example, by driver abstraction layers to
format specific driver messages in a standard format, but do it in a way
that is efficient, obeys the log-layers verbosity settings, and is safe
to use in signal handlers (because they don't call malloc), even for
types besides X_NONE.
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Instead of just closing the log when everything is done, put one more
message in stating that we're actually terminating. Users or scripts that
look at the Xorg.log will then know that a) the server has terminated
properly and b) why the server terminated (to some degree, given that most
real-world errors will be caused by AbortServer()).
Acked-by: Gaetan Nadon <memsize@videotron.ca>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
Tested-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Tested-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Provides a portable implementation of this common allocating sprintf()
API found in many, but not yet all, of the platforms we support.
If the platform provides vasprintf() we simply wrap it, otherwise we
implement it - either way callers can use it regardless of platform.
Since not all platforms guarantee to NULL out the return pointer on
failure, we don't either, and require callers to check the return
value for -1.
The old Xprintf() API is deprecated, but left for compatibility for now.
The new API is added in a new header so that it can be used in parts of
the server such as hw/xfree86/parser that don't include all the server
headers.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Mikhail Gusarov <dottedmag@dottedmag.net>
The following happens otherwise (with -Wall -Werror):
| In file included from /usr/include/X11/Xfuncs.h:47,
| from ../../include/misc.h:112,
| from ../../include/screenint.h:52,
| from ../../include/scrnintstr.h:52,
| from ../../dix/cursor.c:58:
| /usr/include/string.h:534: error: conflicting types for ‘xstrcasecmp’
| ../../include/os.h:488: note: previous declaration of ‘xstrcasecmp’ was here
| /usr/include/string.h:538: error: conflicting types for ‘xstrncasecmp’
| ../../include/os.h:493: note: previous declaration of ‘xstrncasecmp’ was here
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Cyril Brulebois <kibi@debian.org>
Doesn't seem to be any reason to just not pass the error string
as another argument directly to LogVWrite()
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Mikhail Gusarov <dottedmag@dottedmag.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
According to Xserver-spec, they were part of the now-deleted DBE "Idioms"
code. The last callers of them were removed in commits fe616f9230 &
3d64290547.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>
Use the values from xproto rather than duplicating the effort
Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Keith Packard <keithp@keithp.com>