| 1 | /* |
|---|---|
| 2 | * Copyright (c) 2000-2016 Apple Inc. All rights reserved. |
| 3 | * |
| 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
| 5 | * |
| 6 | * This file contains Original Code and/or Modifications of Original Code |
| 7 | * as defined in and that are subject to the Apple Public Source License |
| 8 | * Version 2.0 (the 'License'). You may not use this file except in |
| 9 | * compliance with the License. The rights granted to you under the License |
| 10 | * may not be used to create, or enable the creation or redistribution of, |
| 11 | * unlawful or unlicensed copies of an Apple operating system, or to |
| 12 | * circumvent, violate, or enable the circumvention or violation of, any |
| 13 | * terms of an Apple operating system software license agreement. |
| 14 | * |
| 15 | * Please obtain a copy of the License at |
| 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
| 17 | * |
| 18 | * The Original Code and all software distributed under the License are |
| 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
| 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
| 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
| 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
| 23 | * Please see the License for the specific language governing rights and |
| 24 | * limitations under the License. |
| 25 | * |
| 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
| 27 | */ |
| 28 | /* |
| 29 | * @OSF_COPYRIGHT@ |
| 30 | */ |
| 31 | /* |
| 32 | * Mach Operating System |
| 33 | * Copyright (c) 1991,1990,1989 Carnegie Mellon University |
| 34 | * All Rights Reserved. |
| 35 | * |
| 36 | * Permission to use, copy, modify and distribute this software and its |
| 37 | * documentation is hereby granted, provided that both the copyright |
| 38 | * notice and this permission notice appear in all copies of the |
| 39 | * software, derivative works or modified versions, and any portions |
| 40 | * thereof, and that both notices appear in supporting documentation. |
| 41 | * |
| 42 | * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" |
| 43 | * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR |
| 44 | * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. |
| 45 | * |
| 46 | * Carnegie Mellon requests users of this software to return to |
| 47 | * |
| 48 | * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU |
| 49 | * School of Computer Science |
| 50 | * Carnegie Mellon University |
| 51 | * Pittsburgh PA 15213-3890 |
| 52 | * |
| 53 | * any improvements or extensions that they make and grant Carnegie Mellon |
| 54 | * the rights to redistribute these changes. |
| 55 | */ |
| 56 | /* |
| 57 | * NOTICE: This file was modified by McAfee Research in 2004 to introduce |
| 58 | * support for mandatory and extensible security protections. This notice |
| 59 | * is included in support of clause 2.2 (b) of the Apple Public License, |
| 60 | * Version 2.0. |
| 61 | * Copyright (c) 2005 SPARTA, Inc. |
| 62 | */ |
| 63 | /* |
| 64 | */ |
| 65 | /* |
| 66 | * File: kern/ipc_kobject.c |
| 67 | * Author: Rich Draves |
| 68 | * Date: 1989 |
| 69 | * |
| 70 | * Functions for letting a port represent a kernel object. |
| 71 | */ |
| 72 | |
| 73 | #include <mach_debug.h> |
| 74 | #include <mach_ipc_test.h> |
| 75 | #include <mach/mig.h> |
| 76 | #include <mach/port.h> |
| 77 | #include <mach/kern_return.h> |
| 78 | #include <mach/message.h> |
| 79 | #include <mach/mig_errors.h> |
| 80 | #include <mach/notify.h> |
| 81 | #include <mach/ndr.h> |
| 82 | #include <mach/vm_param.h> |
| 83 | |
| 84 | #include <mach/mach_vm_server.h> |
| 85 | #include <mach/mach_port_server.h> |
| 86 | #include <mach/mach_host_server.h> |
| 87 | #include <mach/host_priv_server.h> |
| 88 | #include <mach/host_security_server.h> |
| 89 | #include <mach/clock_server.h> |
| 90 | #include <mach/clock_priv_server.h> |
| 91 | #include <mach/lock_set_server.h> |
| 92 | #include <mach/memory_entry_server.h> |
| 93 | #include <mach/memory_object_control_server.h> |
| 94 | #include <mach/memory_object_default_server.h> |
| 95 | #include <mach/processor_server.h> |
| 96 | #include <mach/processor_set_server.h> |
| 97 | #include <mach/task_server.h> |
| 98 | #include <mach/mach_voucher_server.h> |
| 99 | #include <mach/mach_voucher_attr_control_server.h> |
| 100 | #ifdef VM32_SUPPORT |
| 101 | #include <mach/vm32_map_server.h> |
| 102 | #endif |
| 103 | #include <mach/thread_act_server.h> |
| 104 | |
| 105 | #include <mach/exc_server.h> |
| 106 | #include <mach/mach_exc_server.h> |
| 107 | |
| 108 | #include <device/device_types.h> |
| 109 | #include <device/device_server.h> |
| 110 | |
| 111 | #include <UserNotification/UNDReplyServer.h> |
| 112 | |
| 113 | #if CONFIG_AUDIT |
| 114 | #include <kern/audit_sessionport.h> |
| 115 | #endif |
| 116 | |
| 117 | #if MACH_MACHINE_ROUTINES |
| 118 | #include <machine/machine_routines.h> |
| 119 | #endif /* MACH_MACHINE_ROUTINES */ |
| 120 | #if XK_PROXY |
| 121 | #include <uk_xkern/xk_uproxy_server.h> |
| 122 | #endif /* XK_PROXY */ |
| 123 | |
| 124 | #include <kern/ipc_tt.h> |
| 125 | #include <kern/ipc_mig.h> |
| 126 | #include <kern/ipc_misc.h> |
| 127 | #include <kern/ipc_kobject.h> |
| 128 | #include <kern/host_notify.h> |
| 129 | #include <kern/mk_timer.h> |
| 130 | #include <kern/misc_protos.h> |
| 131 | #include <ipc/ipc_kmsg.h> |
| 132 | #include <ipc/ipc_port.h> |
| 133 | #include <ipc/ipc_voucher.h> |
| 134 | #include <kern/sync_sema.h> |
| 135 | #include <kern/counters.h> |
| 136 | #include <kern/work_interval.h> |
| 137 | |
| 138 | #include <vm/vm_protos.h> |
| 139 | |
| 140 | #include <security/mac_mach_internal.h> |
| 141 | |
| 142 | extern char *proc_name_address(void *p); |
| 143 | extern int proc_pid(void *p); |
| 144 | |
| 145 | /* |
| 146 | * Routine: ipc_kobject_notify |
| 147 | * Purpose: |
| 148 | * Deliver notifications to kobjects that care about them. |
| 149 | */ |
| 150 | boolean_t |
| 151 | ipc_kobject_notify( |
| 152 | mach_msg_header_t *request_header, |
| 153 | mach_msg_header_t *reply_header); |
| 154 | |
| 155 | typedef struct { |
| 156 | mach_msg_id_t num; |
| 157 | mig_routine_t routine; |
| 158 | int size; |
| 159 | #if MACH_COUNTERS |
| 160 | mach_counter_t callcount; |
| 161 | #endif |
| 162 | } mig_hash_t; |
| 163 | |
| 164 | #define MAX_MIG_ENTRIES 1031 |
| 165 | #define MIG_HASH(x) (x) |
| 166 | |
| 167 | #ifndef max |
| 168 | #define max(a,b) (((a) > (b)) ? (a) : (b)) |
| 169 | #endif /* max */ |
| 170 | |
| 171 | static mig_hash_t mig_buckets[MAX_MIG_ENTRIES]; |
| 172 | static int mig_table_max_displ; |
| 173 | static mach_msg_size_t mig_reply_size = sizeof(mig_reply_error_t); |
| 174 | |
| 175 | |
| 176 | |
| 177 | const struct mig_subsystem *mig_e[] = { |
| 178 | (const struct mig_subsystem *)&mach_vm_subsystem, |
| 179 | (const struct mig_subsystem *)&mach_port_subsystem, |
| 180 | (const struct mig_subsystem *)&mach_host_subsystem, |
| 181 | (const struct mig_subsystem *)&host_priv_subsystem, |
| 182 | (const struct mig_subsystem *)&host_security_subsystem, |
| 183 | (const struct mig_subsystem *)&clock_subsystem, |
| 184 | (const struct mig_subsystem *)&clock_priv_subsystem, |
| 185 | (const struct mig_subsystem *)&processor_subsystem, |
| 186 | (const struct mig_subsystem *)&processor_set_subsystem, |
| 187 | (const struct mig_subsystem *)&is_iokit_subsystem, |
| 188 | (const struct mig_subsystem *)&lock_set_subsystem, |
| 189 | (const struct mig_subsystem *)&task_subsystem, |
| 190 | (const struct mig_subsystem *)&thread_act_subsystem, |
| 191 | #ifdef VM32_SUPPORT |
| 192 | (const struct mig_subsystem *)&vm32_map_subsystem, |
| 193 | #endif |
| 194 | (const struct mig_subsystem *)&UNDReply_subsystem, |
| 195 | (const struct mig_subsystem *)&mach_voucher_subsystem, |
| 196 | (const struct mig_subsystem *)&mach_voucher_attr_control_subsystem, |
| 197 | (const struct mig_subsystem *)&memory_entry_subsystem, |
| 198 | |
| 199 | #if XK_PROXY |
| 200 | (const struct mig_subsystem *)&do_uproxy_xk_uproxy_subsystem, |
| 201 | #endif /* XK_PROXY */ |
| 202 | #if MACH_MACHINE_ROUTINES |
| 203 | (const struct mig_subsystem *)&MACHINE_SUBSYSTEM, |
| 204 | #endif /* MACH_MACHINE_ROUTINES */ |
| 205 | #if MCMSG && iPSC860 |
| 206 | (const struct mig_subsystem *)&mcmsg_info_subsystem, |
| 207 | #endif /* MCMSG && iPSC860 */ |
| 208 | (const struct mig_subsystem *)&catch_exc_subsystem, |
| 209 | (const struct mig_subsystem *)&catch_mach_exc_subsystem, |
| 210 | |
| 211 | }; |
| 212 | |
| 213 | void |
| 214 | mig_init(void) |
| 215 | { |
| 216 | unsigned int i, n = sizeof(mig_e)/sizeof(const struct mig_subsystem *); |
| 217 | int howmany; |
| 218 | mach_msg_id_t j, pos, nentry, range; |
| 219 | |
| 220 | for (i = 0; i < n; i++) { |
| 221 | range = mig_e[i]->end - mig_e[i]->start; |
| 222 | if (!mig_e[i]->start || range < 0) |
| 223 | panic("the msgh_ids in mig_e[] aren't valid!"); |
| 224 | |
| 225 | for (j = 0; j < range; j++) { |
| 226 | if (mig_e[i]->routine[j].stub_routine) { |
| 227 | /* Only put real entries in the table */ |
| 228 | nentry = j + mig_e[i]->start; |
| 229 | for (pos = MIG_HASH(nentry) % MAX_MIG_ENTRIES, howmany = 1; |
| 230 | mig_buckets[pos].num; |
| 231 | pos++, pos = pos % MAX_MIG_ENTRIES, howmany++) { |
| 232 | if (mig_buckets[pos].num == nentry) { |
| 233 | printf("message id = %d\n", nentry); |
| 234 | panic("multiple entries with the same msgh_id"); |
| 235 | } |
| 236 | if (howmany == MAX_MIG_ENTRIES) |
| 237 | panic("the mig dispatch table is too small"); |
| 238 | } |
| 239 | |
| 240 | mig_buckets[pos].num = nentry; |
| 241 | mig_buckets[pos].routine = mig_e[i]->routine[j].stub_routine; |
| 242 | if (mig_e[i]->routine[j].max_reply_msg) |
| 243 | mig_buckets[pos].size = mig_e[i]->routine[j].max_reply_msg; |
| 244 | else |
| 245 | mig_buckets[pos].size = mig_e[i]->maxsize; |
| 246 | |
| 247 | mig_table_max_displ = max(howmany, mig_table_max_displ); |
| 248 | } |
| 249 | } |
| 250 | } |
| 251 | printf("mig_table_max_displ = %d\n", mig_table_max_displ); |
| 252 | } |
| 253 | |
| 254 | |
| 255 | /* |
| 256 | * Routine: ipc_kobject_server |
| 257 | * Purpose: |
| 258 | * Handle a message sent to the kernel. |
| 259 | * Generates a reply message. |
| 260 | * Version for Untyped IPC. |
| 261 | * Conditions: |
| 262 | * Nothing locked. |
| 263 | */ |
| 264 | |
| 265 | ipc_kmsg_t |
| 266 | ipc_kobject_server( |
| 267 | ipc_kmsg_t request, |
| 268 | mach_msg_option_t __unused option) |
| 269 | { |
| 270 | mach_msg_size_t reply_size; |
| 271 | ipc_kmsg_t reply; |
| 272 | kern_return_t kr; |
| 273 | ipc_port_t *destp; |
| 274 | ipc_port_t replyp = IPC_PORT_NULL; |
| 275 | mach_msg_format_0_trailer_t *trailer; |
| 276 | mig_hash_t *ptr; |
| 277 | task_t task = TASK_NULL; |
| 278 | uint32_t exec_token; |
| 279 | boolean_t exec_token_changed = FALSE; |
| 280 | int request_msgh_id = request->ikm_header->msgh_id; |
| 281 | |
| 282 | /* |
| 283 | * Find out corresponding mig_hash entry if any |
| 284 | */ |
| 285 | { |
| 286 | unsigned int i = (unsigned int)MIG_HASH(request_msgh_id); |
| 287 | int max_iter = mig_table_max_displ; |
| 288 | |
| 289 | do { |
| 290 | ptr = &mig_buckets[i++ % MAX_MIG_ENTRIES]; |
| 291 | } while (request_msgh_id != ptr->num && ptr->num && --max_iter); |
| 292 | |
| 293 | if (!ptr->routine || request_msgh_id != ptr->num) { |
| 294 | ptr = (mig_hash_t *)0; |
| 295 | reply_size = mig_reply_size; |
| 296 | } else { |
| 297 | reply_size = ptr->size; |
| 298 | #if MACH_COUNTER |
| 299 | ptr->callcount++; |
| 300 | #endif |
| 301 | } |
| 302 | } |
| 303 | |
| 304 | /* round up for trailer size */ |
| 305 | reply_size += MAX_TRAILER_SIZE; |
| 306 | reply = ipc_kmsg_alloc(reply_size); |
| 307 | |
| 308 | if (reply == IKM_NULL) { |
| 309 | printf("ipc_kobject_server: dropping request\n"); |
| 310 | ipc_kmsg_trace_send(request, option); |
| 311 | ipc_kmsg_destroy(request); |
| 312 | return IKM_NULL; |
| 313 | } |
| 314 | |
| 315 | /* |
| 316 | * Initialize reply message. |
| 317 | */ |
| 318 | { |
| 319 | #define InP ((mach_msg_header_t *) request->ikm_header) |
| 320 | #define OutP ((mig_reply_error_t *) reply->ikm_header) |
| 321 | |
| 322 | /* |
| 323 | * MIG should really assure no data leakage - |
| 324 | * but until it does, pessimistically zero the |
| 325 | * whole reply buffer. |
| 326 | */ |
| 327 | bzero((void *)OutP, reply_size); |
| 328 | |
| 329 | OutP->NDR = NDR_record; |
| 330 | OutP->Head.msgh_size = sizeof(mig_reply_error_t); |
| 331 | |
| 332 | OutP->Head.msgh_bits = |
| 333 | MACH_MSGH_BITS_SET(MACH_MSGH_BITS_LOCAL(InP->msgh_bits), 0, 0, 0); |
| 334 | OutP->Head.msgh_remote_port = InP->msgh_local_port; |
| 335 | OutP->Head.msgh_local_port = MACH_PORT_NULL; |
| 336 | OutP->Head.msgh_voucher_port = MACH_PORT_NULL; |
| 337 | OutP->Head.msgh_id = InP->msgh_id + 100; |
| 338 | |
| 339 | #undef InP |
| 340 | #undef OutP |
| 341 | } |
| 342 | |
| 343 | /* |
| 344 | * Find the routine to call, and call it |
| 345 | * to perform the kernel function |
| 346 | */ |
| 347 | ipc_kmsg_trace_send(request, option); |
| 348 | { |
| 349 | if (ptr) { |
| 350 | /* |
| 351 | * Check if the port is a task port, if its a task port then |
| 352 | * snapshot the task exec token before the mig routine call. |
| 353 | */ |
| 354 | ipc_port_t port = request->ikm_header->msgh_remote_port; |
| 355 | if (IP_VALID(port) && ip_kotype(port) == IKOT_TASK) { |
| 356 | task = convert_port_to_task_with_exec_token(port, &exec_token); |
| 357 | } |
| 358 | |
| 359 | (*ptr->routine)(request->ikm_header, reply->ikm_header); |
| 360 | |
| 361 | /* Check if the exec token changed during the mig routine */ |
| 362 | if (task != TASK_NULL) { |
| 363 | if (exec_token != task->exec_token) { |
| 364 | exec_token_changed = TRUE; |
| 365 | } |
| 366 | task_deallocate(task); |
| 367 | } |
| 368 | |
| 369 | kernel_task->messages_received++; |
| 370 | } |
| 371 | else { |
| 372 | if (!ipc_kobject_notify(request->ikm_header, reply->ikm_header)){ |
| 373 | #if DEVELOPMENT || DEBUG |
| 374 | printf("ipc_kobject_server: bogus kernel message, id=%d\n", |
| 375 | request->ikm_header->msgh_id); |
| 376 | #endif /* DEVELOPMENT || DEBUG */ |
| 377 | _MIG_MSGID_INVALID(request->ikm_header->msgh_id); |
| 378 | |
| 379 | ((mig_reply_error_t *) reply->ikm_header)->RetCode |
| 380 | = MIG_BAD_ID; |
| 381 | } |
| 382 | else |
| 383 | kernel_task->messages_received++; |
| 384 | } |
| 385 | kernel_task->messages_sent++; |
| 386 | } |
| 387 | |
| 388 | /* |
| 389 | * Destroy destination. The following code differs from |
| 390 | * ipc_object_destroy in that we release the send-once |
| 391 | * right instead of generating a send-once notification |
| 392 | * (which would bring us here again, creating a loop). |
| 393 | * It also differs in that we only expect send or |
| 394 | * send-once rights, never receive rights. |
| 395 | * |
| 396 | * We set msgh_remote_port to IP_NULL so that the kmsg |
| 397 | * destroy routines don't try to destroy the port twice. |
| 398 | */ |
| 399 | destp = (ipc_port_t *) &request->ikm_header->msgh_remote_port; |
| 400 | switch (MACH_MSGH_BITS_REMOTE(request->ikm_header->msgh_bits)) { |
| 401 | case MACH_MSG_TYPE_PORT_SEND: |
| 402 | ipc_port_release_send(*destp); |
| 403 | break; |
| 404 | |
| 405 | case MACH_MSG_TYPE_PORT_SEND_ONCE: |
| 406 | ipc_port_release_sonce(*destp); |
| 407 | break; |
| 408 | |
| 409 | default: |
| 410 | panic("ipc_kobject_server: strange destination rights"); |
| 411 | } |
| 412 | *destp = IP_NULL; |
| 413 | |
| 414 | /* |
| 415 | * Destroy voucher. The kernel MIG servers never take ownership |
| 416 | * of vouchers sent in messages. Swallow any such rights here. |
| 417 | */ |
| 418 | if (IP_VALID(request->ikm_voucher)) { |
| 419 | assert(MACH_MSG_TYPE_PORT_SEND == |
| 420 | MACH_MSGH_BITS_VOUCHER(request->ikm_header->msgh_bits)); |
| 421 | ipc_port_release_send(request->ikm_voucher); |
| 422 | request->ikm_voucher = IP_NULL; |
| 423 | } |
| 424 | |
| 425 | if (!(reply->ikm_header->msgh_bits & MACH_MSGH_BITS_COMPLEX) && |
| 426 | ((mig_reply_error_t *) reply->ikm_header)->RetCode != KERN_SUCCESS) |
| 427 | kr = ((mig_reply_error_t *) reply->ikm_header)->RetCode; |
| 428 | else |
| 429 | kr = KERN_SUCCESS; |
| 430 | |
| 431 | if ((kr == KERN_SUCCESS) || (kr == MIG_NO_REPLY)) { |
| 432 | /* |
| 433 | * The server function is responsible for the contents |
| 434 | * of the message. The reply port right is moved |
| 435 | * to the reply message, and we have deallocated |
| 436 | * the destination port right, so we just need |
| 437 | * to free the kmsg. |
| 438 | */ |
| 439 | ipc_kmsg_free(request); |
| 440 | |
| 441 | } else { |
| 442 | /* |
| 443 | * The message contents of the request are intact. |
| 444 | * Destroy everthing except the reply port right, |
| 445 | * which is needed in the reply message. |
| 446 | */ |
| 447 | request->ikm_header->msgh_local_port = MACH_PORT_NULL; |
| 448 | ipc_kmsg_destroy(request); |
| 449 | } |
| 450 | |
| 451 | replyp = (ipc_port_t)reply->ikm_header->msgh_remote_port; |
| 452 | |
| 453 | if (kr == MIG_NO_REPLY) { |
| 454 | /* |
| 455 | * The server function will send a reply message |
| 456 | * using the reply port right, which it has saved. |
| 457 | */ |
| 458 | |
| 459 | ipc_kmsg_free(reply); |
| 460 | |
| 461 | return IKM_NULL; |
| 462 | } else if (!IP_VALID(replyp)) { |
| 463 | /* |
| 464 | * Can't queue the reply message if the destination |
| 465 | * (the reply port) isn't valid. |
| 466 | */ |
| 467 | |
| 468 | ipc_kmsg_destroy(reply); |
| 469 | |
| 470 | return IKM_NULL; |
| 471 | } else if (replyp->ip_receiver == ipc_space_kernel) { |
| 472 | /* |
| 473 | * Don't send replies to kobject kernel ports |
| 474 | */ |
| 475 | #if DEVELOPMENT || DEBUG |
| 476 | printf("%s: refusing to send reply to kobject %d port (id:%d)\n", |
| 477 | __func__, ip_kotype(replyp), request_msgh_id); |
| 478 | #endif /* DEVELOPMENT || DEBUG */ |
| 479 | ipc_kmsg_destroy(reply); |
| 480 | return IKM_NULL; |
| 481 | } |
| 482 | |
| 483 | /* Fail the MIG call if the task exec token changed during the call */ |
| 484 | if (kr == KERN_SUCCESS && exec_token_changed) { |
| 485 | /* |
| 486 | * Create a new reply msg with error and destroy the old reply msg. |
| 487 | */ |
| 488 | ipc_kmsg_t new_reply = ipc_kmsg_alloc(reply_size); |
| 489 | |
| 490 | if (new_reply == IKM_NULL) { |
| 491 | printf("ipc_kobject_server: dropping request\n"); |
| 492 | ipc_kmsg_destroy(reply); |
| 493 | return IKM_NULL; |
| 494 | } |
| 495 | /* |
| 496 | * Initialize the new reply message. |
| 497 | */ |
| 498 | { |
| 499 | #define OutP_new ((mig_reply_error_t *) new_reply->ikm_header) |
| 500 | #define OutP_old ((mig_reply_error_t *) reply->ikm_header) |
| 501 | |
| 502 | bzero((void *)OutP_new, reply_size); |
| 503 | |
| 504 | OutP_new->NDR = OutP_old->NDR; |
| 505 | OutP_new->Head.msgh_size = sizeof(mig_reply_error_t); |
| 506 | OutP_new->Head.msgh_bits = OutP_old->Head.msgh_bits & ~MACH_MSGH_BITS_COMPLEX; |
| 507 | OutP_new->Head.msgh_remote_port = OutP_old->Head.msgh_remote_port; |
| 508 | OutP_new->Head.msgh_local_port = MACH_PORT_NULL; |
| 509 | OutP_new->Head.msgh_voucher_port = MACH_PORT_NULL; |
| 510 | OutP_new->Head.msgh_id = OutP_old->Head.msgh_id; |
| 511 | |
| 512 | /* Set the error as KERN_INVALID_TASK */ |
| 513 | OutP_new->RetCode = KERN_INVALID_TASK; |
| 514 | |
| 515 | #undef OutP_new |
| 516 | #undef OutP_old |
| 517 | } |
| 518 | |
| 519 | /* |
| 520 | * Destroy everything in reply except the reply port right, |
| 521 | * which is needed in the new reply message. |
| 522 | */ |
| 523 | reply->ikm_header->msgh_remote_port = MACH_PORT_NULL; |
| 524 | ipc_kmsg_destroy(reply); |
| 525 | |
| 526 | reply = new_reply; |
| 527 | } |
| 528 | |
| 529 | trailer = (mach_msg_format_0_trailer_t *) |
| 530 | ((vm_offset_t)reply->ikm_header + (int)reply->ikm_header->msgh_size); |
| 531 | |
| 532 | trailer->msgh_sender = KERNEL_SECURITY_TOKEN; |
| 533 | trailer->msgh_trailer_type = MACH_MSG_TRAILER_FORMAT_0; |
| 534 | trailer->msgh_trailer_size = MACH_MSG_TRAILER_MINIMUM_SIZE; |
| 535 | |
| 536 | return reply; |
| 537 | } |
| 538 | |
| 539 | /* |
| 540 | * Routine: ipc_kobject_set |
| 541 | * Purpose: |
| 542 | * Make a port represent a kernel object of the given type. |
| 543 | * The caller is responsible for handling refs for the |
| 544 | * kernel object, if necessary. |
| 545 | * Conditions: |
| 546 | * Nothing locked. The port must be active if setting |
| 547 | * a kobject linkage. Clearing a linkage is OK on an |
| 548 | * inactive port. |
| 549 | */ |
| 550 | void |
| 551 | ipc_kobject_set( |
| 552 | ipc_port_t port, |
| 553 | ipc_kobject_t kobject, |
| 554 | ipc_kobject_type_t type) |
| 555 | { |
| 556 | ip_lock(port); |
| 557 | ipc_kobject_set_atomically(port, kobject, type); |
| 558 | ip_unlock(port); |
| 559 | } |
| 560 | |
| 561 | void |
| 562 | ipc_kobject_set_atomically( |
| 563 | ipc_port_t port, |
| 564 | ipc_kobject_t kobject, |
| 565 | ipc_kobject_type_t type) |
| 566 | { |
| 567 | assert(type == IKOT_NONE || ip_active(port)); |
| 568 | #if MACH_ASSERT |
| 569 | port->ip_spares[2] = (port->ip_bits & IO_BITS_KOTYPE); |
| 570 | #endif /* MACH_ASSERT */ |
| 571 | port->ip_bits = (port->ip_bits &~ IO_BITS_KOTYPE) | type; |
| 572 | port->ip_kobject = kobject; |
| 573 | } |
| 574 | |
| 575 | /* |
| 576 | * Routine: ipc_kobject_destroy |
| 577 | * Purpose: |
| 578 | * Release any kernel object resources associated |
| 579 | * with the port, which is being destroyed. |
| 580 | * |
| 581 | * This should only be needed when resources are |
| 582 | * associated with a user's port. In the normal case, |
| 583 | * when the kernel is the receiver, the code calling |
| 584 | * ipc_port_dealloc_kernel should clean up the resources. |
| 585 | * Conditions: |
| 586 | * The port is not locked, but it is dead. |
| 587 | */ |
| 588 | |
| 589 | void |
| 590 | ipc_kobject_destroy( |
| 591 | ipc_port_t port) |
| 592 | { |
| 593 | switch (ip_kotype(port)) { |
| 594 | |
| 595 | case IKOT_TIMER: |
| 596 | mk_timer_port_destroy(port); |
| 597 | break; |
| 598 | |
| 599 | case IKOT_NAMED_ENTRY: |
| 600 | mach_destroy_memory_entry(port); |
| 601 | break; |
| 602 | |
| 603 | case IKOT_HOST_NOTIFY: |
| 604 | host_notify_port_destroy(port); |
| 605 | break; |
| 606 | |
| 607 | default: |
| 608 | break; |
| 609 | } |
| 610 | } |
| 611 | |
| 612 | |
| 613 | boolean_t |
| 614 | ipc_kobject_notify( |
| 615 | mach_msg_header_t *request_header, |
| 616 | mach_msg_header_t *reply_header) |
| 617 | { |
| 618 | mach_msg_max_trailer_t * trailer; |
| 619 | ipc_port_t port = (ipc_port_t) request_header->msgh_remote_port; |
| 620 | |
| 621 | ((mig_reply_error_t *) reply_header)->RetCode = MIG_NO_REPLY; |
| 622 | |
| 623 | trailer = (mach_msg_max_trailer_t *) |
| 624 | ((vm_offset_t)request_header + request_header->msgh_size); |
| 625 | |
| 626 | /* |
| 627 | * The kobject notification is privileged and can change the |
| 628 | * refcount on kernel-internal objects - make sure |
| 629 | * that the message wasn't faked! |
| 630 | */ |
| 631 | if (0 != bcmp(&trailer->msgh_audit, &KERNEL_AUDIT_TOKEN, |
| 632 | sizeof(trailer->msgh_audit))) { |
| 633 | return FALSE; |
| 634 | } |
| 635 | if (0 != bcmp(&trailer->msgh_sender, &KERNEL_SECURITY_TOKEN, |
| 636 | sizeof(trailer->msgh_sender))) { |
| 637 | return FALSE; |
| 638 | } |
| 639 | |
| 640 | switch (request_header->msgh_id) { |
| 641 | case MACH_NOTIFY_NO_SENDERS: |
| 642 | switch (ip_kotype(port)) { |
| 643 | case IKOT_VOUCHER: |
| 644 | ipc_voucher_notify(request_header); |
| 645 | return TRUE; |
| 646 | |
| 647 | case IKOT_VOUCHER_ATTR_CONTROL: |
| 648 | ipc_voucher_attr_control_notify(request_header); |
| 649 | return TRUE; |
| 650 | |
| 651 | case IKOT_SEMAPHORE: |
| 652 | semaphore_notify(request_header); |
| 653 | return TRUE; |
| 654 | |
| 655 | case IKOT_TASK: |
| 656 | task_port_notify(request_header); |
| 657 | return TRUE; |
| 658 | |
| 659 | case IKOT_NAMED_ENTRY: |
| 660 | ip_lock(port); |
| 661 | |
| 662 | /* |
| 663 | * Bring the sequence number and mscount in |
| 664 | * line with ipc_port_destroy assertion. |
| 665 | */ |
| 666 | port->ip_mscount = 0; |
| 667 | port->ip_messages.imq_seqno = 0; |
| 668 | ipc_port_destroy(port); /* releases lock */ |
| 669 | return TRUE; |
| 670 | |
| 671 | case IKOT_UPL: |
| 672 | upl_no_senders( |
| 673 | request_header->msgh_remote_port, |
| 674 | (mach_port_mscount_t) |
| 675 | ((mach_no_senders_notification_t *) |
| 676 | request_header)->not_count); |
| 677 | reply_header->msgh_remote_port = MACH_PORT_NULL; |
| 678 | return TRUE; |
| 679 | |
| 680 | #if CONFIG_AUDIT |
| 681 | case IKOT_AU_SESSIONPORT: |
| 682 | audit_session_nosenders(request_header); |
| 683 | return TRUE; |
| 684 | #endif |
| 685 | case IKOT_FILEPORT: |
| 686 | fileport_notify(request_header); |
| 687 | return TRUE; |
| 688 | |
| 689 | case IKOT_WORK_INTERVAL: |
| 690 | work_interval_port_notify(request_header); |
| 691 | return TRUE; |
| 692 | |
| 693 | } |
| 694 | break; |
| 695 | |
| 696 | case MACH_NOTIFY_PORT_DELETED: |
| 697 | case MACH_NOTIFY_PORT_DESTROYED: |
| 698 | case MACH_NOTIFY_SEND_ONCE: |
| 699 | case MACH_NOTIFY_DEAD_NAME: |
| 700 | break; |
| 701 | |
| 702 | default: |
| 703 | return FALSE; |
| 704 | } |
| 705 | switch (ip_kotype(port)) { |
| 706 | |
| 707 | #ifdef IOKIT |
| 708 | case IKOT_IOKIT_OBJECT: |
| 709 | case IKOT_IOKIT_CONNECT: |
| 710 | case IKOT_IOKIT_IDENT: |
| 711 | { |
| 712 | return iokit_notify(request_header); |
| 713 | } |
| 714 | #endif |
| 715 | case IKOT_TASK_RESUME: |
| 716 | { |
| 717 | return task_suspension_notify(request_header); |
| 718 | } |
| 719 | |
| 720 | default: |
| 721 | return FALSE; |
| 722 | } |
| 723 | } |
| 724 |
Generated on 2018-Dec-24 from project xnu revision 4903.221.2
Powered by 
Code Browser 2.1
Generator usage only permitted with license.