* admin/merge-gnulib (GNULIB_MODULES): Add file-has-acl.
* lib/file-has-acl.c: New file, copied from Gnulib.
* lib/gnulib.mk.in, m4/gnulib-comp.m4: Regenerate.
* lib-src/emacsclient.c: Include acl.h, for file_has_acl.
(O_PATH): Default to O_SEARCH, which is good enough here.
(union local_sockaddr): New type.
(socket_status): Remove, replacing with ...
(connect_socket): New function. All callers changed.
This function checks for ownership and permissions issues with the
parent directory of the socket file, instead of checking the
owner of the socket (which does not help security).
(socknamesize): Move to file scope.
(local_sockname): New arg S. No need to pass socknamesize.
UID arg is now uid_t. All callers changed. Get file descriptor
of parent directory of socket, to foil some symlink attacks.
Do not follow symlinks to that directory.
(set_local_socket): Create the socket here instead of on
each attempt to connect it. Fall back from XDG_RUNTIME_DIR
to /tmp only if the former fails due to ENOENT. Adjust
permission-failure diagnostic to match changed behavior.
This addresses Bug#33847, which complained about emacsclient in a
safer XDG environment not connecting to an Emacs server running in
a less-safe enviroment outside XDG. The patch fixes a
longstanding issue with emacsclient permission checking.
It’s ineffective to look at the permission of the socket file
itself; on some platforms, these permissions are ignored anyway.
What matters are the permissions on the parent directory of the
socket file, as these are what make symlink attacks possible.
Change the permissions check accordingly, and also refuse to
follow symlinks to that parent directory. These changes make it
OK for emacsclient to fall back from XDG_RUNTIME_DIR to the
traditionally less-safe /tmp/emacsNNNN directories, since /tmp is
universally sticky nowadays.
* lib-src/etags.c (regexp): Omit member force_explicit_name,
since it’s always true. All uses removed. This lets us
remove calls to strlen (name) where GCC isn’t smart enough
to deduce that name must be nonnull.
* lib-src/movemail.c (main): Fix bug that could cause
link (tempname, NULL) to be called.
* src/emacs.c (argmatch): Break check into two ‘if’s,
since GCC doesn’t seem to be smart enough to check the single ‘if’.
* src/gtkutil.c (xg_update_menu_item): Fix bug where strcmp
could be given a NULL arg.
* src/xfont.c (xfont_list_family): Use nonnull value for dummy
initial value.
Correct the previous fix (did not correctly handle qualified types).
Also fix the following issues:
- remove module name (+ dot) from tags, as prefixing module name is
often inconsistent in code and may cause tags to be too specific.
- now tag 0-arity predicates and functions (':- func foo_14.')
- now tag one-word declarations (':- interface.')
* lib-src/etags.c (mercury_pr): Pass the correct NAME and NAMELEN
arguments to 'make_tag'.
(mercury_decl): Return more information about the declaration or
definition it finds. This allows mercury_pr to be smarter.
(Bug#47408)
The previous lack of support was due to incorrect calls to 'make_tag'
in 'mercury_pr', which caused 'pfnote' to refrain from adding Mercury
tags to the list of recorded tags.
* lib-src/etags.c (mercury_pr): Pass the correct NAME and NAMELEN
arguments to 'make_tag'.
* test/manual/etags/CTAGS.good: Adjust to the above change.
Tag declarations starting lines with ':-'.
By default, all declarations are tagged. Optionally, first
predicate or functions in clauses can be tagged as in Prolog
support using '--declarations'. (Bug#47408).
* lib-src/etags.c (test_objc_is_mercury, Mercury_functions)
(mercury_skip_comment, mercury_decl, mercury_pr):
Implement Mercury support. As Mercury and Objective-C have
the same file extension .m, a heuristic test tries to detect
the language.
* doc/man/etags.1: Document the change. Add Mercury-specific
behavior for '--declarations'. This option tags first
predicates or functions in clauses in addition to declarations.
* lib-src/etags.c (Rust_functions): New function to make tags for rust
files.
(Rust_help, Rust_suffixes): New constant.
* doc/emacs/maintaining.texi (Tag Syntax): Add Rust item.
* doc/man/etags.1: Add Rust (bug#46055).
Casting NULL is not a constant expression (Bug#47951).
* lib-src/seccomp-filter.c (main): Turn check for null pointer
representation into a runtime assertion.
If we're missing SECCOMP_SET_MODE_FILTER, the seccomp-filter build
fails. Reuse the existing HAVE_SECCOMP configuration variable, which
checks for these macros.
* configure.ac (HAVE_SECCOMP): Substitute in Makefile.in.
* lib-src/Makefile.in (HAVE_SECCOMP): New variable.
(SECCOMP_FILTER): Define only if HAVE_SECCOMP.
This is useful when starting Emacs with a Seccomp filter enabled,
e.g. using 'bwrap'.
* lib-src/seccomp-filter.c (main): Generate new Seccomp files.
* lib-src/Makefile.in (all)
(seccomp-filter.bpf seccomp-filter.pfc seccomp-filter-exec.bpf
seccomp-filter-exec.pfc): Generate new Seccomp files.
* .gitignore: Ignore new Seccomp files.
* test/src/emacs-tests.el (emacs-tests/bwrap/allows-stdout): New unit
test.
Only Linux 4.14 and later contain the required support for
SECCOMP_RET_KILL_PROCESS.
* lib-src/Makefile.in (SECCOMP_FILTER): Define only if we run at least
Linux 4.14.
We need at list version 2.4.0 of libseccomp for seccomp-filter.c to
build cleanly.
* configure.ac: Use pkg-config to check for libseccomp.
* lib-src/Makefile.in (HAVE_LIBSECCOMP, LIBSECCOMP_LIBS)
(LIBSECCOMP_CFLAGS): New variables.
(SECCOMP_FILTER, seccomp-filter$(EXEEXT)): Use them.
The seccomp filters are always architecture-specific, and
seccomp-filter.c right now only supports x86-64.
* lib-src/Makefile.in (SECCOMP_FILTER): New variable.
(DONT_INSTALL, all, seccomp-filter$(EXEEXT)): Use it.
The binary uses the 'seccomp' helper library. The library isn't
needed to load the generated Secure Computing filter.
* configure.ac: Check for 'seccomp' header and library.
* lib-src/seccomp-filter.c: New helper binary to generate a generic
Secure Computing filter for GNU/Linux.
* lib-src/Makefile.in (DONT_INSTALL): Add 'seccomp-filter' helper
binary if possible.
(all): Add Secure Computing filter file if possible.
(seccomp-filter$(EXEEXT)): Compile helper binary.
(seccomp-filter.bpf seccomp-filter.pfc): Generate filter files.
* test/src/emacs-tests.el (emacs-tests/seccomp/allows-stdout)
(emacs-tests/seccomp/forbids-subprocess): New unit tests.
* test/Makefile.in (src/emacs-tests.log): Add dependency on the helper
binary.
* configure.ac: Instead of AC_CHECK_HEADER, use AC_COMPILE_IFELSE
with X11/Intrinsic.h when checking for X11/extensions/Xrender.h.
This suppresses a bogus "report a bug to bug-gnu-emacs" diagnostic
from 'configure' in Solaris 10.
(SETUP_SLAVE_PTY): Adjust to recent renaming of forkin to
std_in in callproc.c. Needed on Solaris and Unixware.
* lib-src/Makefile.in (LIB_GETRANDOM, LIBS_ETAGS): New vars,
needed because on Solaris 10 the Gnulib tempname module now needs
the -lrt library for clock_gettime. Throw in the LIB_GETRANDOM
stuff too while we’re at it; from getrandom.m4 it seems to be
needed for MingW.
(LIBS_MOVE, etags_libs): Use them.
* src/callproc.c [SETUP_SLAVE_PTY]: Include sys/stream.h
and sys/stropts.h, for SETUP_SLAVE_PTY’s definiens.
* src/process.c [NEED_BSDTTY]: Don’t include bsdtty.h; hasn’t been
needed in years.
[USG5_4]: Don’t include sys/stream.h or sys/stropts.h; these
directives havbe been moved to callproc.c because the only use of
SETUP_SLAVE_PTY is there now.
The latest Gnulib merge brought in free-posix, which causes 'free'
to preserve errno. This lets us simplify some Emacs code that
calls 'free'.
* admin/merge-gnulib (GNULIB_MODULES): Add free-posix.
This module is pulled in by canonicalize-lgpl anyway,
so we might as well rely on it.
* lib-src/emacsclient.c (get_current_dir_name):
Sync better with src/sysdep.c.
* lib-src/etags.c (process_file_name, etags_mktmp):
* lib-src/update-game-score.c (unlock_file):
* src/fileio.c (file_accessible_directory_p):
* src/sysdep.c (get_current_dir_name_or_unreachable):
Simplify by assuming that 'free' preserves errno.
* src/alloc.c (malloc_unblock_input):
Preserve errno, so that xfree preserves errno.
* src/sysdep.c (get_current_dir_name_or_unreachable):
Simplify by using strdup instead of malloc+memcpy.
No need for realloc (and the old code leaked memory anyway on
failure); just use free+malloc.
* lib-src/etags.c: Set allocated and lastlen to zero, after
freeing last ptr in Erlang_functions to prevent dereferencing NULL
pointer (bug#45122).
Copyright-paperwork-exempt: yes
(cherry picked from commit 2d8f0364fc)
* lib-src/etags.c: Set allocated and lastlen to zero, after
freeing last ptr in Erlang_functions to prevent dereferencing NULL
pointer (bug#45122).
Copyright-paperwork-exempt: yes
* src/emacs.c (main): Mark the return from strerror as a constant,
since it shouldn't be changed (bug#43982).
* lib-src/movemail.c (pfatal_and_delete): Ditto.
Copyright-paperwork-exempt: yes
* lib-src/emacsclient.c (set_local_socket): Don't output the
warning if both -a and --quiet are specified (bug#16117).
Inspired by a patch from Scott Turner <srt19170@gmail.com>.
* lib-src/etags.c (pfnote): Instead of raising an assertion when
we get an empty tag name, return immediately. (Bug#41465)
* test/manual/etags/ETAGS.good_1:
* test/manual/etags/ETAGS.good_2:
* test/manual/etags/ETAGS.good_3:
* test/manual/etags/ETAGS.good_4:
* test/manual/etags/ETAGS.good_5:
* test/manual/etags/ETAGS.good_6: Adapt to latest changes in
etags.
Code is supposed to use the filename module now.
* admin/merge-gnulib (GNULIB_MODULES): Replace dosname with filename.
* lib/dosname.h: Remove this forwarding stub.
* lib/gnulib.mk.in, m4/gnulib-comp.m4: Regenerate.
* lib-src/emacsclient.c, src/fileio.c:
Include filename.h instead of dosname.h.
Original problem report by N. Jackson in:
https://lists.gnu.org/r/emacs-devel/2020-03/msg00047.html
I found some other warnings when I used gcc, and fixed them
with this patch.
* lib-src/etags.c: Include verify.h.
(xnmalloc, xnrealloc): Tell the compiler that NITEMS is
nononnegative and ITEM_SIZE is positive.
* src/conf_post.h (__has_attribute_returns_nonnull)
(ATTRIBUTE_RETURNS_NONNULL): New macros.
* src/editfns.c (Fuser_full_name): Don’t assume Fuser_login_name
returns non-nil.
* src/intervals.c (rotate_right, rotate_left, update_interval):
* src/intervals.h (LENGTH, LEFT_TOTAL_LENGTH, RIGHT_TOTAL_LENGTH):
Use TOTAL_LENGTH0 or equivalent on intervals that might be null.
* src/intervals.h (TOTAL_LENGTH): Assume arg is nonnull.
(TOTAL_LENGTH0): New macro, with the old TOTAL_LENGTH meaning.
(make_interval, split_interval_right): Add ATTRIBUTE_RETURNS_NONNULL.
* src/pdumper.c (dump_check_dump_off): Now returns void, since
no caller uses the return value. Redo assert to pacify GCC.
(decode_emacs_reloc): Add a seemingly-random eassume to pacify GCC.
Ugly, and I suspect due to a bug in GCC.
* doc/emacs/custom.texi (Find Init): Update description of how Emacs
finds its init file directory and the interaction with
$XDG_CONFIG_HOME
(Early Init File): Correct XDG location of early-init.el
* etc/NEWS: Update description to make it clear the ~/.emacs.d is
preferred, even if the XDG location exists.
* lisp/startup.el: Prefer ~/.emacs.d even if the XDG location exists.
* lib-src/emacsclient.c (open_config): Prefer home directory the XDG
location.