Following commit 2e3685f217,
make sure all backends check this flag and return correct error codes.
Normally this is not mandatory, since the kernel looks up
the directory entry to be removed, and fails if the system call
is inappropriate (e.g., calling rmdir() on a regular file).
This happens before FUSE_UNLINK or FUSE_RMDIR is sent to the server.
However, when not in exclusive mode, there is a short window in which
a TOCTOU problem may occur, which may lead to undesired behavior
(e.g., deletion of a non-empty directory) or even the corruption of
bookmark storage if not properly checked.
Also explain this flag in the user manual.
In readonly mode, we're not using the current time as timestamp,
thus a bad system time won't hurt.
Also, in the Chromium backend, use a zero timestamp for the bookmark root
dir, to accommodate this change (no one cares about it anyway).
When updating timestamps, make sure that the corresponding
microsecond value fits in a single signed 64-bit integer,
so that it won't result in an integer overflow, which is UB.
Also forbid timestamps before the Unix epoch, since working with
negative time_t is problematic.
This check does not apply to the current timestamp; however,
add a check on backend startup to ensure sane system time.
There's no need to validate `tv_nsec`, since the kernel already
does that for us.
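
The range check described in the commit message above, as an added example that is not code from the project. The helper name `timespec_to_usec`, the error codes it returns, and the sample inputs in `main()` are assumptions made for illustration; it assumes a 64-bit `time_t`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define USEC_PER_SEC  INT64_C(1000000)
#define NSEC_PER_USEC 1000

/*
 * Hypothetical helper: convert a caller-supplied timespec to microseconds
 * since the Unix epoch. Returns 0 on success or a negated errno.
 * tv_nsec is assumed to be in [0, 999999999]; per the commit message,
 * the kernel has already validated it.
 */
int timespec_to_usec(const struct timespec *ts, int64_t *usec_out)
{
    int64_t sec  = (int64_t)ts->tv_sec;
    int64_t frac = (int64_t)(ts->tv_nsec / NSEC_PER_USEC);

    /* Timestamps before the Unix epoch are rejected outright. */
    if (sec < 0)
        return -EINVAL;

    /*
     * Check before multiplying: signed overflow is undefined behaviour,
     * so the product must never be computed for an out-of-range value.
     * sec * 1000000 + frac <= INT64_MAX
     *   <=>  sec <= (INT64_MAX - frac) / 1000000   (integer division)
     */
    if (sec > (INT64_MAX - frac) / USEC_PER_SEC)
        return -EOVERFLOW;

    *usec_out = sec * USEC_PER_SEC + frac;
    return 0;
}

int main(void)
{
    /* Constructed inputs: ordinary, pre-epoch, and just past the limit. */
    struct timespec in[] = {
        { 1, 500000000 }, { -1, 0 }, { (time_t)INT64_C(9223372036855), 0 },
    };
    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        int64_t usec = 0;
        int rc = timespec_to_usec(&in[i], &usec);
        printf("rc=%d usec=%lld\n", rc, (long long)usec);
    }
    return 0;
}
```
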
Do not expose UTIME_OMIT to backends, but instead specify
which timestamps to update with flags.
This allows us to further refactor backend code, especially
the Chromium backend.
- `hashmap_insert()` no longer takes key as argument, and
takes the pointer to be associated with the entry as argument.
- Rename `hashmap_entry_delete` -> `hashmap_delete`.
- Make `user_data` the first argument for `hashmap_walk_func`.
- Other misc renames.
- Use negated errno as return value.
- Do not consider deletion of the watched file as a fatal error,
and use a separate error code to distinguish between them.
- Lazy-init worker: Starts watching upon the first call to
watcher_poll().
- Always lazy-init watcher when possible.
- Add a check in `backend_create()` that fails when the bookmark
storage does not exist, so that function behavior is more
consistent on different platforms with and without sandboxing.
- Only check Landlock flags on Linux.
Fix a regression in commit d1dac54b72 where sys/stat.h is no longer
included in backend_firefox.c and backend_chromium.c.
It has to be explicitly included for the UTIME_xxx macros.
There were bad code changes that cause the compiler to complain or
panic, but went unnoticed since they are only built if toggled with
`--enable-xxx` or `--disable-xxx` during build configuration.
Fix them altogether.
Do not check if the bookmark title is a valid filename,
as we said in the user manual.
However, we should ensure that the string does not contain
NUL characters, since we assume that a valid bookmark storage
should not contain bookmarks with such names.