use confstr(_CS_DARWIN_USER_TEMP_DIR, ...) as a TMPDIR fallback on Darwin

[madsmtm]

Rebased version of #100824, FCP has completed there. Motivation from #100824 (comment):

This is a behavioral change in an edge case on Darwin platforms (macOS, iOS, ...).

Specifically, this changes it so that iff TMPDIR is unset in the environment, then we use confstr(_CS_DARWIN_USER_TEMP_DIR, ...) to query the user temporary directory (previously we just returned "/tmp"). If this fails (probably possible in a sandboxed program), only then do we fallback to "/tmp" (as before).

The motivations here are two-fold:

1. This is better for security, and is in line with the platform security recommendations, as it is unavailable to other users (although it is the same value as seen by all other processes run by the same user).
2. This is a more consistent fallback for when getenv("TMPDIR") is unavailable, as $TMPDIR is usually initialized to the DARWIN_USER_TEMP_DIR.

It seems quite unlikely that anybody will break because of this, and I think it falls under the carve-out we have for platform specific behavior: https://doc.rust-lang.org/nightly/std/io/index.html#platform-specific-behavior.

Closes #99608.
Closes #100824.

@rustbot label O-apple T-libs-api

r? Dylan-DPC

[rustbot]

r? @Mark-Simulacrum

rustbot has assigned @Mark-Simulacrum.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[thomcc]

Rebased version of #100824

You own for doing this, it had totally fallen off my radar.

[madsmtm]

Ah, seems like we'll have to implement this in miri too. I'll try to whip up a PR there.
@rustbot blocked

Unless you know that such functions are generally not wanted in Miri, and that we should instead ignore the test?

[madsmtm]

... never mind, that's a larger endeavour, and I'm not sure it's really desired for Miri to implement confstr, so I've opted to not use it when running under Miri for now.

@rustbot ready