Merge remote-tracking branch 'savannah/master' into native-comp

author: Andrea Corallo 2021-04-13 12:06:23 +0200
committer: Andrea Corallo 2021-04-13 12:06:23 +0200
commit: b064ddd3f600ed28e62b09d556ecced5f80d9883 (patch)
tree: 2ddf4889f385beb34cd064f245a7e59265377c37 /src
parent: 2d23f19e7d5ff8a1ec1a188dcd530c185029d1f8 (diff)
parent: 6de79542e43ece9a12ebc032c275a6c3fee0b73b (diff)
download: emacs-b064ddd3f600ed28e62b09d556ecced5f80d9883.tar.gz
emacs-b064ddd3f600ed28e62b09d556ecced5f80d9883.zip
2 files changed, 217 insertions, 138 deletions
diff --git a/src/emacs.c b/src/emacs.c
index d353679b0f0..e5940ce1de6 100644
--- a/src/emacs.c
+++ b/src/emacs.c
@@ -62,6 +62,21 @@ along with GNU Emacs.  If not, see <https://www.gnu.org/licenses/>.  */
 # include <sys/socket.h>
 #endif
+#if defined HAVE_LINUX_SECCOMP_H && defined HAVE_LINUX_FILTER_H \
+  && HAVE_DECL_SECCOMP_SET_MODE_FILTER                          \
+  && HAVE_DECL_SECCOMP_FILTER_FLAG_TSYNC
+# define SECCOMP_USABLE 1
+#else
+# define SECCOMP_USABLE 0
+#endif
+#if SECCOMP_USABLE
+# include <linux/seccomp.h>
+# include <linux/filter.h>
+# include <sys/prctl.h>
+# include <sys/syscall.h>
+#endif
 #ifdef HAVE_WINDOW_SYSTEM
 #include TERM_HEADER
 #endif /* HAVE_WINDOW_SYSTEM */
@@ -242,6 +257,11 @@ Initialization options:\n\
 --dump-file FILE            read dumped state from FILE\n\
 ",
 #endif
+#if SECCOMP_USABLE
+    "\
+--sandbox=FILE              read Seccomp BPF filter from FILE\n\
+"
+#endif
    "\
 --no-build-details          do not add build details such as time stamps\n\
 --no-desktop                do not load a saved desktop\n\
@@ -977,12 +997,195 @@ load_pdump (int argc, char **argv, char const *original_pwd)
 }
 #endif /* HAVE_PDUMPER */
+#if SECCOMP_USABLE
+/* Wrapper function for the `seccomp' system call on GNU/Linux.  This
+   system call usually doesn't have a wrapper function.  See the
+   manual page of `seccomp' for the signature.  */
+static int
+emacs_seccomp (unsigned int operation, unsigned int flags, void *args)
+{
+#ifdef SYS_seccomp
+  return syscall (SYS_seccomp, operation, flags, args);
+#else
+  errno = ENOSYS;
+  return -1;
+#endif
+}
+/* Read SIZE bytes into BUFFER.  Return the number of bytes read, or
+   -1 if reading failed altogether.  */
+static ptrdiff_t
+read_full (int fd, void *buffer, ptrdiff_t size)
+{
+  eassert (0 <= fd);
+  eassert (buffer != NULL);
+  eassert (0 <= size);
+  enum
+  {
+  /* See MAX_RW_COUNT in sysdep.c.  */
+#ifdef MAX_RW_COUNT
+    max_size = MAX_RW_COUNT
+#else
+    max_size = INT_MAX >> 18 << 18
+#endif
+  };
+  if (PTRDIFF_MAX < size || max_size < size)
+    {
+      errno = EFBIG;
+      return -1;
+    }
+  char *ptr = buffer;
+  ptrdiff_t read = 0;
+  while (size != 0)
+    {
+      ptrdiff_t n = emacs_read (fd, ptr, size);
+      if (n < 0)
+        return -1;
+      if (n == 0)
+        break;  /* Avoid infinite loop on encountering EOF.  */
+      eassert (n <= size);
+      size -= n;
+      ptr += n;
+      read += n;
+    }
+  return read;
+}
+/* Attempt to load Secure Computing filters from FILE.  Return false
+   if that doesn't work for some reason.  */
+static bool
+load_seccomp (const char *file)
+{
+  bool success = false;
+  void *buffer = NULL;
+  int fd
+    = emacs_open_noquit (file, O_RDONLY | O_CLOEXEC | O_BINARY, 0);
+  if (fd < 0)
+    {
+      emacs_perror ("open");
+      goto out;
+    }
+  struct stat stat;
+  if (fstat (fd, &stat) != 0)
+    {
+      emacs_perror ("fstat");
+      goto out;
+    }
+  if (! S_ISREG (stat.st_mode))
+    {
+      fprintf (stderr, "seccomp file %s is not regular\n", file);
+      goto out;
+    }
+  struct sock_fprog program;
+  if (stat.st_size <= 0 || SIZE_MAX <= stat.st_size
+      || PTRDIFF_MAX <= stat.st_size
+      || stat.st_size % sizeof *program.filter != 0)
+    {
+      fprintf (stderr, "seccomp filter %s has invalid size %ld\n",
+               file, (long) stat.st_size);
+      goto out;
+    }
+  size_t size = stat.st_size;
+  size_t count = size / sizeof *program.filter;
+  eassert (0 < count && count < SIZE_MAX);
+  if (USHRT_MAX < count)
+    {
+      fprintf (stderr, "seccomp filter %s is too big\n", file);
+      goto out;
+    }
+  /* Try reading one more byte to detect file size changes.  */
+  buffer = malloc (size + 1);
+  if (buffer == NULL)
+    {
+      emacs_perror ("malloc");
+      goto out;
+    }
+  ptrdiff_t read = read_full (fd, buffer, size + 1);
+  if (read < 0)
+    {
+      emacs_perror ("read");
+      goto out;
+    }
+  eassert (read <= SIZE_MAX);
+  if (read != size)
+    {
+      fprintf (stderr,
+               "seccomp filter %s changed size while reading\n",
+               file);
+      goto out;
+    }
+  if (emacs_close (fd) != 0)
+    emacs_perror ("close");  /* not a fatal error */
+  fd = -1;
+  program.len = count;
+  program.filter = buffer;
+  /* See man page of `seccomp' why this is necessary.  Note that we
+     intentionally don't check the return value: a parent process
+     might have made this call before, in which case it would fail;
+     or, if enabling privilege-restricting mode fails, the `seccomp'
+     syscall will fail anyway.  */
+  prctl (PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
+  /* Install the filter.  Make sure that potential other threads can't
+     escape it.  */
+  if (emacs_seccomp (SECCOMP_SET_MODE_FILTER,
+                     SECCOMP_FILTER_FLAG_TSYNC, &program)
+      != 0)
+    {
+      emacs_perror ("seccomp");
+      goto out;
+    }
+  success = true;
+ out:
+  if (0 <= fd)
+    emacs_close (fd);
+  free (buffer);
+  return success;
+}
+/* Load Secure Computing filter from file specified with the --seccomp
+   option.  Exit if that fails.  */
+static void
+maybe_load_seccomp (int argc, char **argv)
+{
+  int skip_args = 0;
+  char *file = NULL;
+  while (skip_args < argc - 1)
+    {
+      if (argmatch (argv, argc, "-seccomp", "--seccomp", 9, &file,
+                    &skip_args)
+          || argmatch (argv, argc, "--", NULL, 2, NULL, &skip_args))
+        break;
+      ++skip_args;
+    }
+  if (file == NULL)
+    return;
+  if (! load_seccomp (file))
+    fatal ("cannot enable seccomp filter from %s", file);
+}
+#endif  /* SECCOMP_USABLE */
 int
 main (int argc, char **argv)
 {
  /* Variable near the bottom of the stack, and aligned appropriately
     for pointers.  */
  void *stack_bottom_variable;
+  /* First, check whether we should apply a seccomp filter.  This
+     should come at the very beginning to allow the filter to protect
+     the initialization phase.  */
+#if SECCOMP_USABLE
+  maybe_load_seccomp (argc, argv);
+#endif
  bool no_loadup = false;
  char *junk = 0;
  char *dname_arg = 0;
@@ -2179,12 +2382,15 @@ static const struct standard_args standard_args[] =
  { "-color", "--color", 5, 0},
  { "-no-splash", "--no-splash", 3, 0 },
  { "-no-desktop", "--no-desktop", 3, 0 },
-  /* The following two must be just above the file-name args, to get
+  /* The following three must be just above the file-name args, to get
     them out of our way, but without mixing them with file names.  */
  { "-temacs", "--temacs", 1, 1 },
 #ifdef HAVE_PDUMPER
  { "-dump-file", "--dump-file", 1, 1 },
 #endif
+#if SECCOMP_USABLE
+  { "-seccomp", "--seccomp", 1, 1 },
+#endif
 #ifdef HAVE_NS
  { "-NSAutoLaunch", 0, 5, 1 },
  { "-NXAutoLaunch", 0, 5, 1 },
diff --git a/src/xdisp.c b/src/xdisp.c
index a405d51f803..50d9040057a 100644
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -13607,8 +13607,9 @@ redisplay_tab_bar (struct frame *f)
 /* Get information about the tab-bar item which is displayed in GLYPH
   on frame F.  Return in *PROP_IDX the index where tab-bar item
-   properties start in F->tab_bar_items.  Value is false if
+   properties start in F->tab_bar_items.  Return in CLOSE_P an
-   GLYPH doesn't display a tab-bar item.  */
+   indication whether the click was on the close-tab icon of the tab.
+   Value is false if GLYPH doesn't display a tab-bar item.  */
 static bool
 tab_bar_item_info (struct frame *f, struct glyph *glyph,
@@ -13654,7 +13655,6 @@ static int
 get_tab_bar_item (struct frame *f, int x, int y, struct glyph **glyph,
                   int *hpos, int *vpos, int *prop_idx, bool *close_p)
 {
-  Mouse_HLInfo *hlinfo = MOUSE_HL_INFO (f);
  struct window *w = XWINDOW (f->tab_bar_window);
  int area;
@@ -13668,18 +13668,7 @@ get_tab_bar_item (struct frame *f, int x, int y, struct glyph **glyph,
  if (!tab_bar_item_info (f, *glyph, prop_idx, close_p))
    return -1;
-  /* Is mouse on the highlighted item?  */
+  return *prop_idx == f->last_tab_bar_item ? 0 : 1;
-  if (EQ (f->tab_bar_window, hlinfo->mouse_face_window)
-      && *vpos >= hlinfo->mouse_face_beg_row
-      && *vpos <= hlinfo->mouse_face_end_row
-      && (*vpos > hlinfo->mouse_face_beg_row
-          || *hpos >= hlinfo->mouse_face_beg_col)
-      && (*vpos < hlinfo->mouse_face_end_row
-          || *hpos < hlinfo->mouse_face_end_col
-          || hlinfo->mouse_face_past_end))
-    return 0;
-  return 1;
 }
@@ -13693,7 +13682,6 @@ void
 handle_tab_bar_click (struct frame *f, int x, int y, bool down_p,
                      int modifiers)
 {
-  Mouse_HLInfo *hlinfo = MOUSE_HL_INFO (f);
  struct window *w = XWINDOW (f->tab_bar_window);
  int hpos, vpos, prop_idx;
  bool close_p;
@@ -13701,47 +13689,27 @@ handle_tab_bar_click (struct frame *f, int x, int y, bool down_p,
  Lisp_Object enabled_p;
  int ts;
-  /* If not on the highlighted tab-bar item, and mouse-highlight is
-     non-nil, return.  This is so we generate the tab-bar button
-     click only when the mouse button is released on the same item as
-     where it was pressed.  However, when mouse-highlight is disabled,
-     generate the click when the button is released regardless of the
-     highlight, since tab-bar items are not highlighted in that
-     case.  */
  frame_to_window_pixel_xy (w, &x, &y);
  ts = get_tab_bar_item (f, x, y, &glyph, &hpos, &vpos, &prop_idx, &close_p);
  if (ts == -1
-      || (ts != 0 && !NILP (Vmouse_highlight)))
+      /* If the button is released on a tab other than the one where
+         it was pressed, don't generate the tab-bar button click event.  */
+      || (ts != 0 && !down_p))
    return;
-  /* When mouse-highlight is off, generate the click for the item
-     where the button was pressed, disregarding where it was
-     released.  */
-  if (NILP (Vmouse_highlight) && !down_p)
-    prop_idx = f->last_tab_bar_item;
  /* If item is disabled, do nothing.  */
  enabled_p = AREF (f->tab_bar_items, prop_idx + TAB_BAR_ITEM_ENABLED_P);
  if (NILP (enabled_p))
    return;
  if (down_p)
-    {
+    f->last_tab_bar_item = prop_idx; /* record the pressed tab */
-      /* Show item in pressed state.  */
-      if (!NILP (Vmouse_highlight))
-        show_mouse_face (hlinfo, DRAW_IMAGE_SUNKEN);
-      f->last_tab_bar_item = prop_idx;
-    }
  else
    {
      Lisp_Object key, frame;
      struct input_event event;
      EVENT_INIT (event);
-      /* Show item in released state.  */
-      if (!NILP (Vmouse_highlight))
-        show_mouse_face (hlinfo, DRAW_IMAGE_RAISED);
      key = AREF (f->tab_bar_items, prop_idx + TAB_BAR_ITEM_KEY);
      XSETFRAME (frame, f);
@@ -13754,97 +13722,6 @@ handle_tab_bar_click (struct frame *f, int x, int y, bool down_p,
    }
 }
-/* Possibly highlight a tab-bar item on frame F when mouse moves to
-   tab-bar window-relative coordinates X/Y.  Called from
-   note_mouse_highlight.  */
-static void
-note_tab_bar_highlight (struct frame *f, int x, int y)
-{
-  Lisp_Object window = f->tab_bar_window;
-  struct window *w = XWINDOW (window);
-  Mouse_HLInfo *hlinfo = MOUSE_HL_INFO (f);
-  int hpos, vpos;
-  struct glyph *glyph;
-  struct glyph_row *row;
-  int i;
-  Lisp_Object enabled_p;
-  int prop_idx;
-  bool close_p;
-  enum draw_glyphs_face draw = DRAW_IMAGE_RAISED;
-  int rc;
-  /* Function note_mouse_highlight is called with negative X/Y
-     values when mouse moves outside of the frame.  */
-  if (x <= 0 || y <= 0)
-    {
-      clear_mouse_face (hlinfo);
-      return;
-    }
-  rc = get_tab_bar_item (f, x, y, &glyph, &hpos, &vpos, &prop_idx, &close_p);
-  if (rc < 0)
-    {
-      /* Not on tab-bar item.  */
-      clear_mouse_face (hlinfo);
-      return;
-    }
-  else if (rc == 0)
-    /* On same tab-bar item as before.  */
-    goto set_help_echo;
-  clear_mouse_face (hlinfo);
-  bool mouse_down_p = false;
-#ifndef HAVE_NS
-  /* Mouse is down, but on different tab-bar item?  */
-  Display_Info *dpyinfo = FRAME_DISPLAY_INFO (f);
-  mouse_down_p = (gui_mouse_grabbed (dpyinfo)
-                  && f == dpyinfo->last_mouse_frame);
-  if (mouse_down_p && f->last_tab_bar_item != prop_idx)
-    return;
-#endif
-  draw = mouse_down_p ? DRAW_IMAGE_SUNKEN : DRAW_IMAGE_RAISED;
-  /* If tab-bar item is not enabled, don't highlight it.  */
-  enabled_p = AREF (f->tab_bar_items, prop_idx + TAB_BAR_ITEM_ENABLED_P);
-  if (!NILP (enabled_p) && !NILP (Vmouse_highlight))
-    {
-      /* Compute the x-position of the glyph.  In front and past the
-         image is a space.  We include this in the highlighted area.  */
-      row = MATRIX_ROW (w->current_matrix, vpos);
-      for (i = x = 0; i < hpos; ++i)
-        x += row->glyphs[TEXT_AREA][i].pixel_width;
-      /* Record this as the current active region.  */
-      hlinfo->mouse_face_beg_col = hpos;
-      hlinfo->mouse_face_beg_row = vpos;
-      hlinfo->mouse_face_beg_x = x;
-      hlinfo->mouse_face_past_end = false;
-      hlinfo->mouse_face_end_col = hpos + 1;
-      hlinfo->mouse_face_end_row = vpos;
-      hlinfo->mouse_face_end_x = x + glyph->pixel_width;
-      hlinfo->mouse_face_window = window;
-      hlinfo->mouse_face_face_id = TAB_BAR_FACE_ID;
-      /* Display it as active.  */
-      show_mouse_face (hlinfo, draw);
-    }
- set_help_echo:
-  /* Set help_echo_string to a help string to display for this tab-bar item.
-     XTread_socket does the rest.  */
-  help_echo_object = help_echo_window = Qnil;
-  help_echo_pos = -1;
-  help_echo_string = AREF (f->tab_bar_items, prop_idx + TAB_BAR_ITEM_HELP);
-  if (NILP (help_echo_string))
-    help_echo_string = AREF (f->tab_bar_items, prop_idx + TAB_BAR_ITEM_CAPTION);
-}
 #endif /* HAVE_WINDOW_SYSTEM */
 /* Find the tab-bar item at X coordinate and return its information.  */
@@ -33537,13 +33414,9 @@ note_mouse_highlight (struct frame *f, int x, int y)
  frame_to_window_pixel_xy (w, &x, &y);
 #if defined (HAVE_WINDOW_SYSTEM)
-  /* Handle tab-bar window differently since it doesn't display a
+  /* We don't highlight tab-bar buttons.  */
-     buffer.  */
  if (EQ (window, f->tab_bar_window))
-    {
+    return;
-      note_tab_bar_highlight (f, x, y);
-      return;
-    }
 #endif
 #if defined (HAVE_WINDOW_SYSTEM) && ! defined (HAVE_EXT_TOOL_BAR)
author	Andrea Corallo	2021-04-13 12:06:23 +0200
committer	Andrea Corallo	2021-04-13 12:06:23 +0200
commit	b064ddd3f600ed28e62b09d556ecced5f80d9883 (patch)
tree	2ddf4889f385beb34cd064f245a7e59265377c37 /src
parent	2d23f19e7d5ff8a1ec1a188dcd530c185029d1f8 (diff)
parent	6de79542e43ece9a12ebc032c275a6c3fee0b73b (diff)
download	emacs-b064ddd3f600ed28e62b09d556ecced5f80d9883.tar.gz emacs-b064ddd3f600ed28e62b09d556ecced5f80d9883.zip