Commit Graph

446 Commits

Author SHA1 Message Date
Jia Tan eea78216d2 xz: Fix Capsicum sandbox compile error.
user_abort_pipe[] was still being used instead of the parameters.
2024-02-23 20:27:15 +08:00
Lasse Collin de4337fd89 xz: Landlock: Fix error message if input file is a directory.
If xz is given a directory, it should look like this:

    $ xz /usr/bin
    xz: /usr/bin: Is a directory, skipping

The Landlock rules didn't allow opening directories for reading:

    $ xz /usr/bin
    xz: /usr/bin: Permission denied

The simplest fix was to allow opening directories for reading.
While it's a bit silly to allow it solely for the error message,
it shouldn't make the sandbox significantly weaker.

The single-file use case (like when called from GNU tar) is
still as strict as possible: all Landlock restrictions are
enabled before (de)compression starts.
2024-02-22 15:18:25 +02:00
Lasse Collin 4ce300ce08 xz: Delete old commented-out code. 2024-02-17 23:07:35 +02:00
Lasse Collin cae9a5e0bf xz: Use stricter pledge(2) and Landlock sandbox.
This makes these sandboxing methods stricter when no files are
created or deleted. That is, it's a middle ground between the
initial sandbox and the strictest single-file-to-stdout sandbox:
this allows opening files for reading but output has to go to stdout.
2024-02-17 23:07:35 +02:00
Lasse Collin 02e3505991 xz: Support Landlock ABI version 4.
Linux 6.7 added support for ABI version 4 which restricts
TCP connections which xz won't need and thus those can be
forbidden now. Since the ABI version is handled at runtime,
supporting version 4 won't cause any compatibility issues.

Note that new enough kernel headers are required to get
version 4 support enabled at build time.
2024-02-17 23:07:35 +02:00
Lasse Collin 374868d81d xz: Move sandboxing code to sandbox.c and improve Landlock sandbox.
Landlock is now always used just like pledge(2) is: first in more
permissive mode and later (under certain common conditions) in
a strict mode that doesn't allow opening more files.

I put pledge(2) first in sandbox.c because it's the simplest API
to use and still somewhat fine-grained for basic applications.
So it's the simplest thing to understand for anyone reading sandbox.c.
2024-02-17 23:07:35 +02:00
Lasse Collin 7312dfbb02 xz: Tweak comments. 2024-02-17 23:07:35 +02:00
Lasse Collin c701a5909a xz: Fix message_init() description.
Also explicitly initialize progress_automatic to make it clear
that it can be read before message_init() sets it. Static variable
was initialized to false by default already so this is only for
clarity.
2024-02-17 23:07:35 +02:00
Lasse Collin 8af7db854f xz: Mention lzmainfo if trying to use 'lzma --list'.
This kind of fixes the problem reported here:
https://bugs.launchpad.net/ubuntu/+source/xz-utils/+bug/1291020
2024-02-14 18:31:16 +02:00
Lasse Collin 0709c2b2d7 xz: Fix outdated threading related info on the man page. 2024-02-14 18:31:16 +02:00
Lasse Collin 22af94128b Add SPDX license identifier into 0BSD source code files. 2024-02-14 18:31:16 +02:00
Lasse Collin 689e0228ba Change most public domain parts to 0BSD.
Translations and doc/xz-file-format.txt and doc/lzma-file-format.txt
were not touched.

COPYING.0BSD was added.
2024-02-14 18:31:12 +02:00
Lasse Collin 6daa4d0ea4 xz: Use threaded mode by defaut (as if --threads=0 was used).
This hopefully does more good than bad:

  + It's faster by default.

  + Only the threaded compressor creates files that
    can be decompressed in threaded mode.

  - Compression ratio is worse, usually not too much though.
    When it matters, -T1 must be used.

  - Memory usage increases.

  - Scripts that assume single-threaded mode but don't use -T1 will
    possibly use too much resources, for example, if they run
    multiple xz processes in parallel to compress multiple files.

  - Output from single-threaded and multi-threaded compressors
    differ but such changes could happen for other reasons too
    (they just haven't happened since 5.0.0).
2024-01-23 18:29:28 +02:00
Lasse Collin 6133a3f300 xz: Man page: Add more examples of LZMA2 options with BCJ filters. 2024-01-23 23:05:47 +08:00
Jia Tan db5eb5f563 xz: Update xz -lvv for RISC-V filter.
Version 5.6.0 will be shown, even though upcoming alphas and betas
will be able to support this filter. 5.6.0 looks nicer in the output and
people shouldn't be encouraged to use an unstable version in production
in any way.
2024-01-23 23:05:47 +08:00
Jia Tan b26a898693 xz: Update message in --long-help for RISC-V Filter. 2024-01-23 23:05:47 +08:00
Jia Tan 283f778908 xz: Update the man page for the RISC-V Filter.
A special note was added to suggest using four-byte alignment when the
compressed instruction extension is not present in a RISC-V binary.
2024-01-23 23:05:47 +08:00
Jia Tan 440a2eccb0 liblzma: Add RISC-V BCJ filter.
The new Filter ID is 0x0B.

Thanks to Chien Wong <m@xv97.com> for the initial version of the Filter,
the xz CLI updates, and the Autotools build system modifications.

Thanks to Igor Pavlov for his many contributions to the design of
the filter.
2024-01-23 23:05:41 +08:00
Jia Tan 22d86192f8 xz: Update website URLs in the man pages. 2024-01-19 23:08:14 +08:00
Jia Tan 710cbc186c xz: Add a comment to Capsicum sandbox setup.
This comment is repeated in xzdec.c to help remind us why all the
capabilities are removed from stdin in certain situations.
2023-12-21 20:53:27 +08:00
Kian-Meng Ang 424d46ead8 xz: Fix typo 2023-11-30 23:08:05 +08:00
Lasse Collin 12b89bcc99 xz: Tweak a comment. 2023-11-23 17:39:10 +02:00
Jia Tan 2ab2e4b5a5 xz: Use is_tty() in message.c. 2023-11-23 22:40:27 +08:00
Jia Tan 584e3a258f xz: Create separate is_tty() function.
The new is_tty() will report if a file descriptor is a terminal or not.
On POSIX systems, it is a wrapper around isatty(). However, the native
Windows implementation of isatty() will return true for all character
devices, not just terminals. So is_tty() has a special case for Windows
so it can use alternative Windows API functions to determine if a file
descriptor is a terminal.

This fixes a bug with MSVC and MinGW-w64 builds that refused to read from
or write to non-terminal character devices because xz thought it was a
terminal. For instance:

    xz foo -c > /dev/null

would fail because /dev/null was assumed to be a terminal.
2023-11-23 22:40:20 +08:00
Lasse Collin 659aca0d69 xz: Move the check for --suffix with --format=raw a few lines earlier.
Now it reads from argv[] instead of args->arg_names.
2023-11-18 01:56:09 +08:00
Jia Tan 2a732aba22 xz: Fix a bug with --files and --files0 in raw mode without a suffix.
The following command caused a segmentation fault:

    xz -Fraw --lzma1 --files=foo

when foo was a valid file. The usage of --files or --files0 was not
being checked when compressing or decompressing in raw mode without a
suffix. The suffix checking code was meant to validate that all files
to be processed are "-" (if not writing to standard out), meaning the
data is only coming from standard in. In this case, there were no file
names to check since --files and --files0 store their file name in a
different place.

Later code assumed the suffix was set and caused a segmentation fault.
Now, the above command results in an error.
2023-11-17 23:16:55 +08:00
Jia Tan f481523baa xz: Refactor suffix test with raw format.
The previous version set opt_stdout, but this caused an issue with
copying an input file to standard out when decompressing an unknown file
type. The following needs to result in an error:

    echo foo | xz -df

since -c, --stdout is not used. This fixes the previous error by not
setting opt_stdout.
2023-11-15 23:40:13 +08:00
Jia Tan 837ea40b1c xz: Move suffix check after stdout mode is detected.
This fixes a bug introduced in cc5aa9ab13
when the suffix check was initially moved. This caused a situation that
previously worked:

    echo foo | xz -Fraw --lzma1 | wc -c

to fail because the old code knew that this would write to standard out
so a suffix was not needed.
2023-11-14 20:27:46 +08:00
Jia Tan d4f4a4d040 xz: Detect when all data will be written to standard out earlier.
If the -c, --stdout argument is not used, then we can still detect when
the data will be written to standard out if all of the provided
filenames are "-" (denoting standard in) or if no filenames are
provided.
2023-11-14 20:27:04 +08:00
Lasse Collin 8276c7f41c xz: Support basic sandboxing with Linux Landlock (ABI versions 1-3).
It is enabled only when decompressing one file to stdout,
similar to how Capsicum is used.

Landlock was added in Linux 5.13.
2023-10-22 19:03:52 +03:00
Lasse Collin 2e2cd11535 Simplify detection of Capsicum support.
This removes support for FreeBSD 10.0 and 10.1 which used
<sys/capability.h> instead of <sys/capsicum.h>. Support for
FreeBSD 10.1 ended on 2016-12-31. So now FreeBSD >= 10.2 is
required to enable Capsicum support.

This also removes support for Capsicum on Linux (libcaprights)
which seems to have been unmaintained since 2017 and Linux 4.11:
https://github.com/google/capsicum-linux
2023-10-22 19:03:52 +03:00
Lasse Collin c57858b60e xz/Windows: Allow clock_gettime with POSIX threads.
If winpthreads are used for threading, it's OK to use clock_gettime()
from winpthreads too.
2023-10-22 18:59:45 +03:00
Lasse Collin 46fd991cd2 xz/Windows: Ensure that clock_gettime() isn't used with MinGW-w64.
This commit alone doesn't change anything in the real-world:

  - configure.ac currently checks for clock_gettime() only
    when using pthreads.

  - CMakeLists.txt doesn't check for clock_gettime() on Windows.

So clock_gettime() wasn't used with MinGW-w64 before either.

clock_gettime() provides monotonic time and it's better than
gettimeofday() in this sense. But clock_gettime() is defined
in winpthreads, and liblzma or xz needs nothing else from
winpthreads. By avoiding clock_gettime(), we avoid the dependency on
libwinpthread-1.dll or the need to link against the static version.

As a bonus, GetTickCount64() and MinGW-w64's gettimeofday() can be
faster than clock_gettime(CLOCK_MONOTONIC, &tv). The resolution
is more than good enough for the progress indicator in xz.
2023-10-22 18:59:45 +03:00
Lasse Collin cdb4d91f24 xz/Windows: Use GetTickCount64() with MinGW-w64 if using Vista threads. 2023-10-22 18:59:45 +03:00
Jia Tan eaebdef4d4 xz: Change quoting style from `...' to '...'. 2023-09-24 22:10:18 +08:00
Lasse Collin 2a9929af0a xz: Windows: Don't (de)compress to special files like "con" or "nul".
Before this commit, the following writes "foo" to the
console and deletes the input file:

    echo foo | xz > con_xz
    xz --suffix=_xz --decompress con_xz

It cannot happen without --suffix because names like con.xz
are also special and so attempting to decompress con.xz
(or compress con to con.xz) will already fail when opening
the input file.

Similar thing is possible when compressing. The following
writes to "nul" and the input file "n" is deleted.

    echo foo | xz > n
    xz --suffix=ul n

Now xz checks if the destination is a special file before
continuing. DOS/DJGPP version had a check for this but
Windows (and OS/2) didn't.
2023-09-22 20:16:40 +03:00
Lasse Collin 217958d887 xz, xzdec, lzmainfo: Use tuklib_attr_noreturn.
For compatibility with C23's [[noreturn]], tuklib_attr_noreturn
must be at the beginning of declaration (before "extern" or
"static", and even before any GNU C's __attribute__).

This commit also moves all other function attributes to
the beginning of function declarations. "extern" is kept
at the beginning of a line so the attributes are listed on
separate lines before "extern" or "static".
2023-09-22 20:06:27 +03:00
Lasse Collin 18a66fbac0 Remove incorrect uses of __attribute__((__malloc__)).
xrealloc() is obviously incorrect, modern GCC docs even
mention realloc() as an example where this attribute
cannot be used.

liblzma's lzma_alloc() and lzma_alloc_zero() would be
correct uses most of the time but custom allocators
may use a memory pool or otherwise hold the pointer
so aliasing issues could happen in theory.

The xstrdup() case likely was correct but I removed it anyway.
Now there are no __malloc__ attributes left in the code.
The allocations aren't in hot paths so this should make
no practical difference.
2023-09-22 20:06:27 +03:00
Lasse Collin 79334e7f20 MSVC: xz: Make file_io.c and file_io.h compatible with MSVC.
Thanks to Kelvin Lee for the original patches
and testing the modifications I made.
2023-09-22 20:00:38 +03:00
Lasse Collin c660b8d78b MSVC: xz: Use GetTickCount64() to implement mytime_now().
It's available since Windows Vista.
2023-09-22 20:00:38 +03:00
Kelvin Lee 5c6f892d41 MSVC: xz: Use _stricmp() instead of strcasecmp() in suffix.c. 2023-09-22 20:00:38 +03:00
Kelvin Lee e241051f50 MSVC: xz: Use _isatty() from <io.h> to implement isatty(). 2023-09-22 20:00:38 +03:00
Kelvin Lee d14bba8fc2 MSVC: xz: Use _fileno() instead of fileno(). 2023-09-22 20:00:38 +03:00
Kelvin Lee cfd1054b9b MSVC: Don't #include <unistd.h>. 2023-09-22 20:00:37 +03:00
Lasse Collin eccf128665 xz: Refactor thousand separator detection and disable it on MSVC.
Now the two variations of the format strings are created with
a macro, and the whole detection code can be easily disabled
on platforms where thousand separator formatting is known to
not work (MSVC has no support, and on DJGPP 2.05 it can have
problems in some cases).
2023-08-31 19:50:05 +03:00
Lasse Collin f7093cd9d1 xz: Fix a too relaxed assertion and remove uses of SSIZE_MAX.
SSIZE_MAX isn't readily available on MSVC. Removing it means
that there is one thing less to worry when porting to MSVC.
2023-08-31 18:14:43 +03:00
Lasse Collin 16068f6c30 xz: Omit an empty paragraph on the man page. 2023-08-02 17:15:12 +03:00
Dimitri Papadopoulos Orfanos 42df7c7aa1
Docs: Fix typos found by codespell 2023-07-31 20:02:21 +08:00
Lasse Collin b6b7d06585 xz: Translate the second "%s: " in message.c since French needs "%s : ".
This string is used to print a filename when using "xz -v" and
stderr isn't a terminal.
2023-07-18 17:37:33 +03:00
Lasse Collin be644042c3 xz: Make "%s: %s" translatable because French needs "%s : %s". 2023-07-18 17:34:18 +03:00