Commit Graph

20 Commits

Author SHA1 Message Date
Sami Uddin bedd171d5d shared: memfd_create: try MFD_NOEXEC_SEAL
Effective from Linux 6.3 onward, this creates the memfd without execute
permissions and prevents that setting from ever being changed. A
run-time fallback is made to not using MFD_NOEXEC_SEAL when
weston compiled on Linux >= 6.3 is run on Linux < 6.3.

Signed-off-by: Sami Uddin <sami.uddin@astc-design.com>
2024-05-15 16:27:17 +09:30
Pekka Paalanen 99b2b958f9 shared: introduce os_fd_clear_cloexec()
This function will be used between fork() and exec() to remove the
close-on-exec flag. The first user will be compositor/xwayland.c.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Pekka Paalanen 0260b8a0b5 shared: fcntl uses int, not long
fcntl(2) manual says the return type is int, and that F_SETFD takes an
int. So use int.

Noticed by code inspection.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.com>
2022-07-12 08:30:22 +00:00
Maxime Roussin-Bélanger 5d10fe0264 shared: fix typos
Signed-off-by: Maxime Roussin-Bélanger <maxime.roussinbelanger@gmail.com>
2021-02-24 10:00:32 -05:00
Frank Binns 77d06f7b8b shared: fix unused variable warning
Fix the following build warning by moving the 'seals' declaration inside the
HAVE_MEMFD_CREATE guard:

  ../shared/os-compatibility.c: In function ‘os_ro_anonymous_file_get_fd’:
  ../shared/os-compatibility.c:341:6: warning: unused variable ‘seals’ [-Wunused-variable]
    int seals, fd;
        ^

Signed-off-by: Frank Binns <frank.binns@imgtec.com>
2020-06-24 11:11:31 +01:00
Sebastian Wick f0d3a61491 shared: guard all the seal logic behind HAVE_MEMFD_CREATE
The initial version of os_ro_anonymous_file missed two guards around the
seal logic which leads to a compilation error on older systems.

Also make the check for a read-only file symmetric in
os_ro_anonymous_file_get_fd and os_ro_anonymous_file_put_fd.

Signed-off-by: Sebastian Wick <sebastian@sebastianwick.net>
2020-02-05 10:40:25 +01:00
James Hilliard 7b36f171d0 unconditionally include sys/mman.h in os-compatibility.c
Fixes:
../shared/os-compatibility.c:273:25: error: ‘PROT_READ’ undeclared (first use in this function); did you mean ‘LOCK_READ’?
  map = mmap(NULL, size, PROT_READ | PROT_WRITE, MAP_SHARED, file->fd, 0);
                         ^~~~~~~~~
                         LOCK_READ

Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
2020-02-02 16:07:41 -07:00
Sebastian Wick 178f17e25d shared: add read-only anonymous file abstraction
The ro_anonymous_file is an abstraction around anonymous read-only files.
os_ro_anonymous_file_create creates such a file with the contents passed
in data. Subsequent calls to os_ro_anonymous_file_get_fd return a fd
that's ready to be send over the socket.
When mapmode is RO_ANONYMOUS_FILE_MAPMODE_PRIVATE the fd is only
guaranteed to be mmap-able readonly with MAP_PRIVATE but does not
require duplicating the file for each resource when memfd_create is
available. RO_ANONYMOUS_FILE_MAPMODE_SHARED may be used when the client
must be able to map the file with MAP_SHARED but it also means that the
file has to be duplicated even when memfd_create is available.

See also:
weston commit 76829fc4ea
wayland commit 905c0a341ddf0a885811d19e2b79c65a3f1d210c

Signed-off-by: Sebastian Wick <sebastian@sebastianwick.net>
2019-11-01 02:44:58 +01:00
Emmanuel Gil Peyrot deae98ef45 shared: Use memfd_create() when available
This (so-far) Linux-only API lets users create file descriptors purely
in memory, without any backing file on the filesystem and the race
condition which could ensue when unlink()ing it.

It also allows seals to be placed on the file, ensuring to every other
process that we won’t be allowed to shrink the contents, potentially
causing a SIGBUS when they try reading it.

This patch is best viewed with the -w option of git log -p.

It is an almost exact copy of Wayland commit
6908c8c85a2e33e5654f64a55cd4f847bf385cae, see
https://gitlab.freedesktop.org/wayland/wayland/merge_requests/4

Signed-off-by: Emmanuel Gil Peyrot <linkmauve@linkmauve.fr>
2019-10-24 07:32:17 +00:00
Derek Foreman 5ef6bd7eee
os: Check for EINTR on ftruncate()
The man page indicates that ftruncate() can set errno to EINTR, so test
for this.

I have not actually been able to provoke an EINTR error from ftruncate()
in testing though.

Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
Reviewed-by: Quentin Glidic <sardemff7+git@sardemff7.net>
2017-03-24 21:02:30 +01:00
Derek Foreman 91d4bce7c3
os: Check for EINTR on posix_fallocate()
posix_fallocate() can return EINTR and need to be restarted - I've hit
this when running weston-terminal under gdb.

Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
Reviewed-by: Eric Engestrom <eric.engestrom@imgtec.com>
Reviewed-by: Quentin Glidic <sardemff7+git@sardemff7.net>
2017-03-24 21:00:54 +01:00
Abdur Rehman b5f838d90f shared: fix a typo in a comment
Signed-off-by: Abdur Rehman <arehmanq199@gmail.com>
Reviewed-by: Yong Bakos <ybakos@humanoriented.com>
2017-01-03 11:59:09 +00:00
Derek Foreman 6bc33d63cf log: Open log file CLOEXEC so child processes don't get the fd
Reviewed-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
Reviewed-by: Bryce Harrington <bryce@osg.samsung.com>
Signed-off-by: Derek Foreman <derekf@osg.samsung.com>
2015-07-16 19:28:36 -07:00
Bryce Harrington 6c6164c5ba shared: Update boilerplate from MIT X11 license to MIT Expat license 2015-06-15 13:04:18 -07:00
Pekka Paalanen 5b4ddbc11e os: use posix_fallocate in creating sharable buffers
If posix_fallocate is available, use it instead of ftruncate. Unlike
ftruncate, when posix_fallocate succeeds, it guarantees that you cannot
run out of disk space, when later writing to the mmap()'ed file.

With posix_fallocate, if os_create_anonymous_file() succeeds, the
program cannot get a SIGBUS later from accessing this file via mmap. If
there is insufficient disk space, the function fails and errno is set to
ENOSPC.

This is useful on systems, that limit the available buffer space by
having XDG_RUNTIME_DIR on a small tmpfs.

Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
2013-12-02 16:20:27 -08:00
Daniel Stone c228e23b05 configure.ac: Enable AC_USE_SYSTEM_EXTENSIONS
AC_USE_SYSTEM_EXTENSIONS enables _XOPEN_SOURCE, _GNU_SOURCE and similar
macros to expose the largest extent of functionality supported by the
underlying system.  This is required since these macros are often
limiting rather than merely additive, e.g. _XOPEN_SOURCE will actually
on some systems hide declarations which are not part of the X/Open spec.

Since this goes into config.h rather than the command line, ensure all
source is consistently including config.h before anything else,
including system libraries.  This doesn't need to be guarded by a
HAVE_CONFIG_H ifdef, which was only ever a hangover from the X.Org
modular transition.

Signed-off-by: Daniel Stone <daniel@fooishbar.org>

[pq: rebased and converted more files]
2013-06-05 01:16:34 -04:00
Pekka Paalanen b7a9498a8e compositor: add fallback strchrnul()
Android does not have this function.

Signed-off-by: Pekka Paalanen <ppaalanen@gmail.com>
2012-06-12 12:29:13 -04:00
Pekka Paalanen 1da1b8f3f1 Rewrite shm buffer file allocation v2
We had duplicated code in many places, using hardcoded paths for
temporary files into more than one path. Some cases did not bother with
O_CLOEXEC, and all hardcoded paths that might not exist.

Add an OS helper function for creating a unique anonymous file with
close-on-exec semantics. The helper uses $XDG_RUNTIME_DIR as the
directory for a file.

This patch unifies the buffer file creation in both Weston and the
clients.

As simple clients are better not linking to libshared, as it would
require e.g. Cairo, they pull the OS compatibility code directly.

Android does not have mkostemp(), so a configure test is added for it,
and a fallback used if it is not available.

Changes in v2:
	remove all the alternate possible directory definitions and use
	XDG_RUNTIME_DIR only, and fail is it is not set.

Signed-off-by: Pekka Paalanen <ppaalanen@gmail.com>
2012-06-06 13:26:30 -04:00
Pekka Paalanen 647f2bfd2a window: add wrapper for EPOLL_CLOEXEC
Android does not have EPOLL_CLOEXEC, so add a fallback.

Signed-off-by: Pekka Paalanen <ppaalanen@gmail.com>
2012-05-31 13:53:51 -04:00
Pekka Paalanen 51aaf646db compositor: work around missing SOCK_CLOEXEC
Android does not have SOCK_CLOEXEC, so implement a wrapper that falls
back.

Signed-off-by: Pekka Paalanen <ppaalanen@gmail.com>
2012-05-31 13:52:20 -04:00