We don't and probably never will have any pa_atod() callers that would
require "NaN" to be accepted, so let's filter those out in pa_atod(),
instead of requiring the callers to handle not-a-numbers appropriately
(which they generally forget to do).
pa_atou(), pa_atol() and pa_atod() are stricter than the libc
counterparts (the PA functions reject strings that have trailing extra
stuff in them). I have been under the impression that the PA functions
only accept "obviously valid numbers", that is, I have assumed that
these would be rejected: " 42" (leading whitespace), "" (empty
string) and "-18446744073709551615" in case of pa_atou().
I noticed that empty strings are accepted, however, and on closer
inspection I found that leading whitespace is accepted too, and even
that pa_atou() thinks that "-18446744073709551615" is the same thing
as "1"! This patch makes the parsing functions more strict, so that
they indeed only accept "obviously valid numbers". I decided to also
disallow leading plus signs, just because I don't like them.
In src/pulsecore/core-util.c:set_nice() we currently use a temporary
dbus-connection to set the nice-level via rtkit. However, we never
close that connection. This is fine, as the connection is shared and
dbus-core will manage it. But no other part of pulseaudio (except
set_scheduler()) uses the libdbus1 managed connections. Therefore,
we effectively end up with an unused dbus-connection that is not
integrated into any main-loop. dbus-daemon will send bus-notifications
to the connection (as libdbus1 installs matches for those by default
(it has to!)) until the outgoing queue is full. Thus, we waste several
KBs (or MBs? I didn't look it up) of memory for a message queue that
is never dispatched.
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
FSF addresses used in PA sources are no longer valid and rpmlint
generates numerous warnings during packaging because of this.
This patch changes all FSF addresses to FSF web page according to
the GPL how-to: https://www.gnu.org/licenses/gpl-howto.en.html
Done automatically by sed-ing through sources.
mingw32 does not have "getuid", so ifdef it properly.
Reported-by: Michael DePaulo <mikedep333@gmail.com>
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Usually, PA will use the PULSE_SERVER X11 property instead of using XDG_RUNTIME_DIR,
so this environment variable does not matter.
If this property is not available, or if one is using the pacmd cli protocol,
the client will go ahead and call pa_make_secure_dir on XDG_RUNTIME_DIR/pulse.
This will either fail (if you're another regular user), or succeed (if you're root).
Both scenarios are bad - failing will cause the connection to fail, and succeeding
is even worse, as it can cause *other* connections to fail (as the directory
ownership has changed).
Instead fail and complain loudly.
BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=83007
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
on systems lacking #defines HAVE_ACCEPT4, HAVE_PIPE2, SOCK_CLOEXEC
pulsecore/core-util.c: In function 'pa_open_cloexec':
pulsecore/core-util.c:3348:1: warning: label 'finish' defined but not used [-Wunused-label]
pulsecore/core-util.c: In function 'pa_socket_cloexec':
pulsecore/core-util.c:3370:1: warning: label 'finish' defined but not used [-Wunused-label]
pulsecore/core-util.c: In function 'pa_pipe_cloexec':
pulsecore/core-util.c:3393:1: warning: label 'finish' defined but not used [-Wunused-label]
pulsecore/core-util.c: In function 'pa_accept_cloexec':
pulsecore/core-util.c:3415:1: warning: label 'finish' defined but not used [-Wunused-label]
Signed-off-by: Peter Meerwald <pmeerw@pmeerw.net>
Initially (in commit ef422fa4ae),
pa_make_secure_dir followed a simple principle: "make a directory, or,
if it exists, check that it is suitable". Later this evolved into "make
a directory, or, if it exists, ensure that it is suitable". But the
check remained.
The check is now neither sufficient nor necessary. On POSIX-compliant
systems, the fstat results being checked are actually post-conditions of
fchmod and fchown. And on systems implementing POSIX ACLs, fstat only
reflects a part of the information relevant to the security of the
directory permissions, so PulseAudio could accept an existing insecure
directory anyway.
Also, the check still fires on non-POSIX-compliant filesystems like CIFS.
As a user cannot do anything to fix it, just accept insecure permissions
in this case.
set_scheduler() assumes that if sys/resource.h was found then we will
find RLIMIT_RTTIME there, but this is a non-POSIX extension on Linux.
Change the check to ensure that RLIMIT_RTTIME is actually defined.
Linux indeed defines this as a macro, and POSIX specifies that the other
RLIMIT_ constants must be macros, so having this as an #ifdef seems
correct.
This reverts commit c327850d9e as
the workaround in that commit is no longer needed after the real
bug has been fixed.
Conflicts:
src/pulsecore/core-util.c
Commit 7e344b5 hade the side effect of forcing every socket to
be non-blocking on Windows. This is because of a (documented)
side effect of WSAEventSelect(). So we need to make sure to restore
blocking behaviour afterwards for relevant sockets.
This code is from heftig, but the mistake that I'm fixing here is my
own. Before applying heftig's patch, I downgraded the level of one of
the log messages. I managed to downgrade a different message than what
I intended, so now I'm undoing that mistake.
In the default configuration, PulseAudio's rlimit-rttime is set to
1000000 (100%), which is higher than what RealtimeKit requires from
its clients (200000, 20%).
Make an attempt to still get realtime scheduling by clamping the
current RLIMIT_RTTIME to what RealtimeKit accepts. Warn about doing
this.
The old code accepted any word that started with "y", "Y",
"n", "N", "t", "T", "f" or "F". Fix this by having
a whitelist of full strings instead of checking just the
first letter.
When compiling without HAVE_SYMLINK the runtime dir is a real directory,
which is attempted to be created. In the case it already exists we shouldn't
error out. The HAVE_SYMLINK-enabled code already does this.
On Windows, fdsem.c:flush() fails because sockets are set to non-blocking
mode, since pa_read() returns -1 (and errno == EWOULDBLOCK). I guess pa_read()
is expected to block in this case so make it actually block by calling poll().
This makes updating of permissions on existing directories optional with
pa_make_secure_dir() and pa_make_secure_parent_dir(). This makes sure
that the recursive directory creation doesn't end up modifying existing
directories, and also fixes a problem where creating an auth cookie
(specifically ~/.esd_auth) would end up modifying permissions on ~.
Thanks to Frédéric Danis for reporting this.
realpath() on OS X behaves GNUish and accepts NULL for resolved_name
only on 10.6 and higher. Older versions will crash, if resolved_name is
NULL.
All versions define PATH_MAX, though. Better play it safe and use the
generic PATH_MAX version of pa_realpath on Mac OS X systems.
Signed-off-by: Mihai Moldovan <ionic@ionic.de>
This makes pa_make_secure_dir() create any missing parent directories in
the given path as well. This is useful, for example, on a pristine
system with a clean $HOME that needs ~/.config/pulse/ to be created when
~/.config does not exist.
If ~/.pulse/ already exists we stick to it in order not to lose
configuration and so that pulse configuration may still be shared across
the network with different PA versions.
XDG_SESSION_COOKIE was supposed to be used for access control to the
session and should not be exposed to other users.
Replace usage of XDG_SESSION_COOKIE by XDG_SESSION_ID which is the right
choice here since it is actually a proper session ID that may be
published.
When the runtime path gets long (which can happen on some NFS
mounts where $HOME is not just /home/$USER), it can grow
longer the 108 char limit imposed by sockaddr_un.sun_path.
This just calls realpath which should ultimately point into
/tmp in most cases and result in a much smaller path.
Only do this when we are adding on a name component to the
runtime path so creating the actual symlink will still get
the original, long name, but this shouldn't be a problem
as it never goes into the sockaddr_un.sun_path.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=44680
This adds a pa_str_in_list() to check for a given string in a
space-separated list of strings. For now, this is merely present to
avoid duplication of role matching code (intended roles can be a
space-separate list) across modules.
