1 | /* |
2 | * Copyright (c) 2000-2016 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | /* |
29 | * @OSF_COPYRIGHT@ |
30 | */ |
31 | /* |
32 | * Mach Operating System |
33 | * Copyright (c) 1991,1990,1989 Carnegie Mellon University |
34 | * All Rights Reserved. |
35 | * |
36 | * Permission to use, copy, modify and distribute this software and its |
37 | * documentation is hereby granted, provided that both the copyright |
38 | * notice and this permission notice appear in all copies of the |
39 | * software, derivative works or modified versions, and any portions |
40 | * thereof, and that both notices appear in supporting documentation. |
41 | * |
42 | * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" |
43 | * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR |
44 | * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. |
45 | * |
46 | * Carnegie Mellon requests users of this software to return to |
47 | * |
48 | * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU |
49 | * School of Computer Science |
50 | * Carnegie Mellon University |
51 | * Pittsburgh PA 15213-3890 |
52 | * |
53 | * any improvements or extensions that they make and grant Carnegie Mellon |
54 | * the rights to redistribute these changes. |
55 | */ |
56 | /* |
57 | * NOTICE: This file was modified by McAfee Research in 2004 to introduce |
58 | * support for mandatory and extensible security protections. This notice |
59 | * is included in support of clause 2.2 (b) of the Apple Public License, |
60 | * Version 2.0. |
61 | * Copyright (c) 2005 SPARTA, Inc. |
62 | */ |
63 | /* |
64 | */ |
65 | /* |
66 | * File: kern/ipc_kobject.c |
67 | * Author: Rich Draves |
68 | * Date: 1989 |
69 | * |
70 | * Functions for letting a port represent a kernel object. |
71 | */ |
72 | |
73 | #include <mach_debug.h> |
74 | #include <mach_ipc_test.h> |
75 | #include <mach/mig.h> |
76 | #include <mach/port.h> |
77 | #include <mach/kern_return.h> |
78 | #include <mach/message.h> |
79 | #include <mach/mig_errors.h> |
80 | #include <mach/notify.h> |
81 | #include <mach/ndr.h> |
82 | #include <mach/vm_param.h> |
83 | |
84 | #include <mach/mach_vm_server.h> |
85 | #include <mach/mach_port_server.h> |
86 | #include <mach/mach_host_server.h> |
87 | #include <mach/host_priv_server.h> |
88 | #include <mach/host_security_server.h> |
89 | #include <mach/clock_server.h> |
90 | #include <mach/clock_priv_server.h> |
91 | #include <mach/lock_set_server.h> |
92 | #include <mach/memory_entry_server.h> |
93 | #include <mach/memory_object_control_server.h> |
94 | #include <mach/memory_object_default_server.h> |
95 | #include <mach/processor_server.h> |
96 | #include <mach/processor_set_server.h> |
97 | #include <mach/task_server.h> |
98 | #include <mach/mach_voucher_server.h> |
99 | #include <mach/mach_voucher_attr_control_server.h> |
100 | #ifdef VM32_SUPPORT |
101 | #include <mach/vm32_map_server.h> |
102 | #endif |
103 | #include <mach/thread_act_server.h> |
104 | |
105 | #include <mach/exc_server.h> |
106 | #include <mach/mach_exc_server.h> |
107 | |
108 | #include <device/device_types.h> |
109 | #include <device/device_server.h> |
110 | |
111 | #include <UserNotification/UNDReplyServer.h> |
112 | |
113 | #if CONFIG_AUDIT |
114 | #include <kern/audit_sessionport.h> |
115 | #endif |
116 | |
117 | #if MACH_MACHINE_ROUTINES |
118 | #include <machine/machine_routines.h> |
119 | #endif /* MACH_MACHINE_ROUTINES */ |
120 | #if XK_PROXY |
121 | #include <uk_xkern/xk_uproxy_server.h> |
122 | #endif /* XK_PROXY */ |
123 | |
124 | #include <kern/ipc_tt.h> |
125 | #include <kern/ipc_mig.h> |
126 | #include <kern/ipc_misc.h> |
127 | #include <kern/ipc_kobject.h> |
128 | #include <kern/host_notify.h> |
129 | #include <kern/mk_timer.h> |
130 | #include <kern/misc_protos.h> |
131 | #include <ipc/ipc_kmsg.h> |
132 | #include <ipc/ipc_port.h> |
133 | #include <ipc/ipc_voucher.h> |
134 | #include <kern/sync_sema.h> |
135 | #include <kern/counters.h> |
136 | #include <kern/work_interval.h> |
137 | |
138 | #include <vm/vm_protos.h> |
139 | |
140 | #include <security/mac_mach_internal.h> |
141 | |
/*
 * Accessors declared locally instead of through a header; both take an
 * untyped pointer.
 * NOTE(review): neither is referenced in the part of this file shown here --
 * confirm they are still needed before keeping the declarations.
 */
extern char *proc_name_address(void *p);
extern int proc_pid(void *p);
144 | |
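/*
 *	Routine:	ipc_kobject_notify
 *	Purpose:
 *		Deliver notifications to kobjects that care about them.
 *	Parameters:
 *		request_header	header of the incoming notification message
 *		reply_header	header of the reply buffer prepared by the caller
 *	Returns:
 *		TRUE if the notification was accepted and handled,
 *		FALSE if it was rejected or not recognized.
 */
boolean_t
ipc_kobject_notify(
	mach_msg_header_t	*request_header,
	mach_msg_header_t	*reply_header);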
154 | |
/*
 * One slot of the msgh_id -> server stub dispatch table.
 */
typedef struct {
	mach_msg_id_t num;		/* msgh_id stored in this slot; 0 marks an empty slot */
	mig_routine_t routine;		/* stub invoked for that msgh_id */
	int size;			/* reply size used to allocate the reply kmsg */
#if	MACH_COUNTERS
	mach_counter_t callcount;	/* per-routine counter, present only with MACH_COUNTERS */
#endif
} mig_hash_t;
163 | |
/* Number of slots in the dispatch table (mig_buckets). */
#define MAX_MIG_ENTRIES	1031
/* Identity hash; users reduce the result modulo MAX_MIG_ENTRIES themselves. */
#define MIG_HASH(x)	(x)

/* Note: evaluates each argument twice, so only pass side-effect-free expressions. */
#ifndef max
#define max(a,b)	(((a) > (b)) ? (a) : (b))
#endif /* max */

/* Dispatch table, filled once by mig_init() using linear probing. */
static mig_hash_t mig_buckets[MAX_MIG_ENTRIES];
/* Longest probe sequence seen while filling the table; bounds lookups in ipc_kobject_server(). */
static int mig_table_max_displ;
/* Reply size used when the request's msgh_id has no table entry. */
static mach_msg_size_t mig_reply_size = sizeof(mig_reply_error_t);
174 | |
175 | |
176 | |
/*
 * Subsystems whose routines mig_init() enters into the dispatch table.
 * Each entry is cast to the generic struct mig_subsystem view; mig_init()
 * reads start, end, routine[] and maxsize through that view.
 *
 * Every routine reachable from this list can be invoked by msgh_id through
 * ipc_kobject_server(), so adding a subsystem here widens the set of kernel
 * entry points that a message to a kernel object port can reach.
 */
const struct mig_subsystem *mig_e[] = {
	(const struct mig_subsystem *)&mach_vm_subsystem,
	(const struct mig_subsystem *)&mach_port_subsystem,
	(const struct mig_subsystem *)&mach_host_subsystem,
	(const struct mig_subsystem *)&host_priv_subsystem,
	(const struct mig_subsystem *)&host_security_subsystem,
	(const struct mig_subsystem *)&clock_subsystem,
	(const struct mig_subsystem *)&clock_priv_subsystem,
	(const struct mig_subsystem *)&processor_subsystem,
	(const struct mig_subsystem *)&processor_set_subsystem,
	(const struct mig_subsystem *)&is_iokit_subsystem,
	(const struct mig_subsystem *)&lock_set_subsystem,
	(const struct mig_subsystem *)&task_subsystem,
	(const struct mig_subsystem *)&thread_act_subsystem,
#ifdef VM32_SUPPORT
	(const struct mig_subsystem *)&vm32_map_subsystem,
#endif
	(const struct mig_subsystem *)&UNDReply_subsystem,
	(const struct mig_subsystem *)&mach_voucher_subsystem,
	(const struct mig_subsystem *)&mach_voucher_attr_control_subsystem,
	(const struct mig_subsystem *)&memory_entry_subsystem,

#if	XK_PROXY
	(const struct mig_subsystem *)&do_uproxy_xk_uproxy_subsystem,
#endif /* XK_PROXY */
#if	MACH_MACHINE_ROUTINES
	(const struct mig_subsystem *)&MACHINE_SUBSYSTEM,
#endif /* MACH_MACHINE_ROUTINES */
#if	MCMSG && iPSC860
	(const struct mig_subsystem *)&mcmsg_info_subsystem,
#endif /* MCMSG && iPSC860 */
	/* Exception-delivery subsystems */
	(const struct mig_subsystem *)&catch_exc_subsystem,
	(const struct mig_subsystem *)&catch_mach_exc_subsystem,

};
212 | |
/*
 *	Routine:	mig_init
 *	Purpose:
 *		Fill mig_buckets[] with one slot per implemented routine of
 *		every subsystem in mig_e[], keyed by msgh_id, using linear
 *		probing.  Records the longest probe sequence in
 *		mig_table_max_displ and prints it.
 *	Conditions:
 *		Panics on an invalid id range, on a duplicate msgh_id, or
 *		when the table has no free slot left.
 */
void
mig_init(void)
{
	const unsigned int subsystem_count = sizeof(mig_e) / sizeof(mig_e[0]);
	unsigned int s;

	for (s = 0; s < subsystem_count; s++) {
		const struct mig_subsystem *subsys = mig_e[s];
		mach_msg_id_t span = subsys->end - subsys->start;
		mach_msg_id_t r;

		/* A zero start id would collide with the "empty slot" marker. */
		if (span < 0 || !subsys->start)
			panic("the msgh_ids in mig_e[] aren't valid!");

		for (r = 0; r < span; r++) {
			mach_msg_id_t msg_id, slot;
			int probes;

			/* Only put real entries in the table */
			if (!subsys->routine[r].stub_routine)
				continue;

			msg_id = subsys->start + r;
			slot = MIG_HASH(msg_id) % MAX_MIG_ENTRIES;
			probes = 1;

			/* Walk forward (with wrap-around) to the first empty slot. */
			while (mig_buckets[slot].num) {
				if (mig_buckets[slot].num == msg_id) {
					printf("message id = %d\n", msg_id);
					panic("multiple entries with the same msgh_id");
				}
				if (probes == MAX_MIG_ENTRIES)
					panic("the mig dispatch table is too small");
				slot = (slot + 1) % MAX_MIG_ENTRIES;
				probes++;
			}

			mig_buckets[slot].num = msg_id;
			mig_buckets[slot].routine = subsys->routine[r].stub_routine;
			/* Per-routine reply size if declared, else the subsystem maximum. */
			mig_buckets[slot].size = subsys->routine[r].max_reply_msg
			    ? subsys->routine[r].max_reply_msg
			    : subsys->maxsize;

			/* Lookups later probe at most this many slots. */
			if (probes > mig_table_max_displ)
				mig_table_max_displ = probes;
		}
	}
	printf("mig_table_max_displ = %d\n", mig_table_max_displ);
}
253 | |
254 | |
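/*
 *	Routine:	ipc_kobject_server
 *	Purpose:
 *		Handle a message sent to the kernel.
 *		Generates a reply message.
 *		Version for Untyped IPC.
 *	Conditions:
 *		Nothing locked.
 *	Parameters:
 *		request		kmsg addressed to a kernel object port.  It is
 *				freed or destroyed on every path through this
 *				routine.
 *		option		only forwarded to ipc_kmsg_trace_send().
 *	Returns:
 *		The reply kmsg, with a kernel-stamped format-0 trailer, or
 *		IKM_NULL when no reply is to be queued (allocation failure,
 *		MIG_NO_REPLY, invalid reply port, or a reply port whose
 *		receiver is the kernel).
 */

ipc_kmsg_t
ipc_kobject_server(
	ipc_kmsg_t	request,
	mach_msg_option_t __unused option)
{
	mach_msg_size_t reply_size;
	ipc_kmsg_t reply;
	kern_return_t kr;
	ipc_port_t *destp;
	ipc_port_t replyp = IPC_PORT_NULL;
	mach_msg_format_0_trailer_t *trailer;
	mig_hash_t *ptr;
	task_t task = TASK_NULL;
	uint32_t exec_token;
	boolean_t exec_token_changed = FALSE;
	/* The id comes straight from the request header, i.e. it is chosen by the sender. */
	int request_msgh_id = request->ikm_header->msgh_id;

	/*
	 * Find out corresponding mig_hash entry if any
	 */
	{
		/*
		 * The unsigned cast keeps the table index in range for any
		 * id value, including negative ones; the probe count is
		 * bounded by the longest displacement mig_init() recorded.
		 */
		unsigned int i = (unsigned int)MIG_HASH(request_msgh_id);
		int max_iter = mig_table_max_displ;

		do {
			ptr = &mig_buckets[i++ % MAX_MIG_ENTRIES];
		} while (request_msgh_id != ptr->num && ptr->num && --max_iter);

		if (!ptr->routine || request_msgh_id != ptr->num) {
			/* Unknown id: fall back to the plain error-reply size. */
			ptr = (mig_hash_t *)0;
			reply_size = mig_reply_size;
		} else {
			reply_size = ptr->size;
			/*
			 * Guard spelled MACH_COUNTERS to match the guard on the
			 * callcount field in mig_hash_t; with the former
			 * MACH_COUNTER spelling the increment was never compiled
			 * in a MACH_COUNTERS build.
			 */
#if	MACH_COUNTERS
			ptr->callcount++;
#endif
		}
	}

	/* round up for trailer size */
	reply_size += MAX_TRAILER_SIZE;
	reply = ipc_kmsg_alloc(reply_size);

	if (reply == IKM_NULL) {
		printf("ipc_kobject_server: dropping request\n");
		ipc_kmsg_trace_send(request, option);
		ipc_kmsg_destroy(request);
		return IKM_NULL;
	}

	/*
	 * Initialize reply message.
	 */
	{
#define	InP	((mach_msg_header_t *) request->ikm_header)
#define	OutP	((mig_reply_error_t *) reply->ikm_header)

		/*
		 * MIG should really assure no data leakage -
		 * but until it does, pessimistically zero the
		 * whole reply buffer.
		 *
		 * Without this, bytes a stub leaves unwritten would carry
		 * stale kernel memory to the receiver of the reply.
		 */
		bzero((void *)OutP, reply_size);

		OutP->NDR = NDR_record;
		OutP->Head.msgh_size = sizeof(mig_reply_error_t);

		/* The request's local (reply) port becomes the reply's destination. */
		OutP->Head.msgh_bits =
		    MACH_MSGH_BITS_SET(MACH_MSGH_BITS_LOCAL(InP->msgh_bits), 0, 0, 0);
		OutP->Head.msgh_remote_port = InP->msgh_local_port;
		OutP->Head.msgh_local_port = MACH_PORT_NULL;
		OutP->Head.msgh_voucher_port = MACH_PORT_NULL;
		OutP->Head.msgh_id = InP->msgh_id + 100;

#undef	InP
#undef	OutP
	}

	/*
	 * Find the routine to call, and call it
	 * to perform the kernel function
	 */
	ipc_kmsg_trace_send(request, option);
	{
		if (ptr) {
			/*
			 * Check if the port is a task port, if it's a task port then
			 * snapshot the task exec token before the mig routine call.
			 * exec_token is only read below when task != TASK_NULL.
			 */
			ipc_port_t port = request->ikm_header->msgh_remote_port;
			if (IP_VALID(port) && ip_kotype(port) == IKOT_TASK) {
				task = convert_port_to_task_with_exec_token(port, &exec_token);
			}

			(*ptr->routine)(request->ikm_header, reply->ikm_header);

			/* Check if the exec token changed during the mig routine */
			if (task != TASK_NULL) {
				if (exec_token != task->exec_token) {
					exec_token_changed = TRUE;
				}
				/* Drop the reference taken by the conversion above. */
				task_deallocate(task);
			}

			kernel_task->messages_received++;
		}
		else {
			/* Not a MIG routine id: the only other accepted input is a kernel notification. */
			if (!ipc_kobject_notify(request->ikm_header, reply->ikm_header)){
#if DEVELOPMENT || DEBUG
				printf("ipc_kobject_server: bogus kernel message, id=%d\n",
					request->ikm_header->msgh_id);
#endif	/* DEVELOPMENT || DEBUG */
				_MIG_MSGID_INVALID(request->ikm_header->msgh_id);

				((mig_reply_error_t *) reply->ikm_header)->RetCode
					= MIG_BAD_ID;
			}
			else
				kernel_task->messages_received++;
		}
		kernel_task->messages_sent++;
	}

	/*
	 *	Destroy destination. The following code differs from
	 *	ipc_object_destroy in that we release the send-once
	 *	right instead of generating a send-once notification
	 *	(which would bring us here again, creating a loop).
	 *	It also differs in that we only expect send or
	 *	send-once rights, never receive rights.
	 *
	 *	We set msgh_remote_port to IP_NULL so that the kmsg
	 *	destroy routines don't try to destroy the port twice.
	 */
	destp = (ipc_port_t *) &request->ikm_header->msgh_remote_port;
	switch (MACH_MSGH_BITS_REMOTE(request->ikm_header->msgh_bits)) {
		case MACH_MSG_TYPE_PORT_SEND:
		    ipc_port_release_send(*destp);
		    break;

		case MACH_MSG_TYPE_PORT_SEND_ONCE:
		    ipc_port_release_sonce(*destp);
		    break;

		default:
		    panic("ipc_kobject_server: strange destination rights");
	}
	*destp = IP_NULL;

	/*
	 *	Destroy voucher.  The kernel MIG servers never take ownership
	 *	of vouchers sent in messages.  Swallow any such rights here.
	 */
	if (IP_VALID(request->ikm_voucher)) {
		assert(MACH_MSG_TYPE_PORT_SEND ==
		       MACH_MSGH_BITS_VOUCHER(request->ikm_header->msgh_bits));
		ipc_port_release_send(request->ikm_voucher);
		request->ikm_voucher = IP_NULL;
	}

	/* RetCode is only consulted for simple replies; a complex reply counts as success. */
	if (!(reply->ikm_header->msgh_bits & MACH_MSGH_BITS_COMPLEX) &&
	    ((mig_reply_error_t *) reply->ikm_header)->RetCode != KERN_SUCCESS)
		kr = ((mig_reply_error_t *) reply->ikm_header)->RetCode;
	else
		kr = KERN_SUCCESS;

	if ((kr == KERN_SUCCESS) || (kr == MIG_NO_REPLY)) {
		/*
		 *	The server function is responsible for the contents
		 *	of the message.  The reply port right is moved
		 *	to the reply message, and we have deallocated
		 *	the destination port right, so we just need
		 *	to free the kmsg.
		 */
		ipc_kmsg_free(request);

	} else {
		/*
		 *	The message contents of the request are intact.
		 *	Destroy everything except the reply port right,
		 *	which is needed in the reply message.
		 */
		request->ikm_header->msgh_local_port = MACH_PORT_NULL;
		ipc_kmsg_destroy(request);
	}

	/* request must not be touched past this point; only the saved id is used. */
	replyp = (ipc_port_t)reply->ikm_header->msgh_remote_port;

	if (kr == MIG_NO_REPLY) {
		/*
		 *	The server function will send a reply message
		 *	using the reply port right, which it has saved.
		 */

		ipc_kmsg_free(reply);

		return IKM_NULL;
	} else if (!IP_VALID(replyp)) {
		/*
		 *	Can't queue the reply message if the destination
		 *	(the reply port) isn't valid.
		 */

		ipc_kmsg_destroy(reply);

		return IKM_NULL;
	} else if (replyp->ip_receiver == ipc_space_kernel) {
		/*
		 * Don't send replies to kobject kernel ports
		 *
		 * A reply queued there would itself be handled as a
		 * message to the kernel.
		 */
#if DEVELOPMENT || DEBUG
		printf("%s: refusing to send reply to kobject %d port (id:%d)\n",
		       __func__, ip_kotype(replyp), request_msgh_id);
#endif	/* DEVELOPMENT || DEBUG */
		ipc_kmsg_destroy(reply);
		return IKM_NULL;
	}

	/* Fail the MIG call if the task exec token changed during the call */
	if (kr == KERN_SUCCESS && exec_token_changed) {
		/*
		 *	Create a new reply msg with error and destroy the old reply msg.
		 *	Whatever the routine placed in the original reply is
		 *	not delivered to the caller.
		 */
		ipc_kmsg_t new_reply = ipc_kmsg_alloc(reply_size);

		if (new_reply == IKM_NULL) {
			printf("ipc_kobject_server: dropping request\n");
			ipc_kmsg_destroy(reply);
			return IKM_NULL;
		}
		/*
		 *	Initialize the new reply message.
		 */
		{
#define	OutP_new	((mig_reply_error_t *) new_reply->ikm_header)
#define	OutP_old	((mig_reply_error_t *) reply->ikm_header)

			bzero((void *)OutP_new, reply_size);

			OutP_new->NDR = OutP_old->NDR;
			OutP_new->Head.msgh_size = sizeof(mig_reply_error_t);
			/* The replacement is a simple error reply, so clear the complex bit. */
			OutP_new->Head.msgh_bits = OutP_old->Head.msgh_bits & ~MACH_MSGH_BITS_COMPLEX;
			OutP_new->Head.msgh_remote_port = OutP_old->Head.msgh_remote_port;
			OutP_new->Head.msgh_local_port = MACH_PORT_NULL;
			OutP_new->Head.msgh_voucher_port = MACH_PORT_NULL;
			OutP_new->Head.msgh_id = OutP_old->Head.msgh_id;

			/* Set the error as KERN_INVALID_TASK */
			OutP_new->RetCode = KERN_INVALID_TASK;

#undef	OutP_new
#undef  OutP_old
		}

		/*
		 *	Destroy everything in reply except the reply port right,
		 *	which is needed in the new reply message.
		 */
		reply->ikm_header->msgh_remote_port = MACH_PORT_NULL;
		ipc_kmsg_destroy(reply);

		reply = new_reply;
	}

	/*
	 * Stamp the trailer right after the message body with the kernel's
	 * security token.
	 * NOTE(review): the write lands at header + msgh_size; it stays inside
	 * the allocation only while msgh_size does not exceed the reply size
	 * looked up above (MAX_TRAILER_SIZE was added on top) -- this relies
	 * on the stub honoring its declared maximum reply size.
	 */
 	trailer = (mach_msg_format_0_trailer_t *)
		((vm_offset_t)reply->ikm_header + (int)reply->ikm_header->msgh_size);

 	trailer->msgh_sender = KERNEL_SECURITY_TOKEN;
 	trailer->msgh_trailer_type = MACH_MSG_TRAILER_FORMAT_0;
 	trailer->msgh_trailer_size = MACH_MSG_TRAILER_MINIMUM_SIZE;

	return reply;
}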
538 | |
/*
 *	Routine:	ipc_kobject_set
 *	Purpose:
 *		Make a port represent a kernel object of the given type.
 *		The caller is responsible for handling refs for the
 *		kernel object, if necessary.
 *	Conditions:
 *		Nothing locked.  The port must be active if setting
 *		a kobject linkage.  Clearing a linkage is OK on an
 *		inactive port.
 *	Parameters:
 *		port	port whose kobject linkage is changed
 *		kobject	kernel object pointer to store in the port
 *		type	kobject type to store in the port's type bits
 */
void
ipc_kobject_set(
	ipc_port_t			port,
	ipc_kobject_t		kobject,
	ipc_kobject_type_t	type)
{
	/* Take the port lock so the type bits and the pointer change together. */
	ip_lock(port);
	ipc_kobject_set_atomically(port, kobject, type);
	ip_unlock(port);
}
560 | |
/*
 *	Routine:	ipc_kobject_set_atomically
 *	Purpose:
 *		Store the kobject type and kobject pointer in the port.
 *	Conditions:
 *		Takes no lock itself; ipc_kobject_set() calls it with the
 *		port locked.  The port must be active unless the type is
 *		IKOT_NONE (asserted).
 *
 *		Other routines in this file dispatch on ip_kotype(port), so
 *		the type bits and ip_kobject have to describe the same
 *		object; a caller that updates them without excluding
 *		concurrent readers risks a mismatched pair.
 *		NOTE(review): confirm every caller holds the port lock.
 */
void
ipc_kobject_set_atomically(
	ipc_port_t			port,
	ipc_kobject_t		kobject,
	ipc_kobject_type_t	type)
{
	assert(type == IKOT_NONE || ip_active(port));
#if	MACH_ASSERT
	/* Debug builds keep the previous kobject type bits in a spare field. */
	port->ip_spares[2] = (port->ip_bits & IO_BITS_KOTYPE);
#endif	/* MACH_ASSERT */
	/* Replace only the kotype bits, leaving the other ip_bits untouched. */
	port->ip_bits = (port->ip_bits &~ IO_BITS_KOTYPE) | type;
	port->ip_kobject = kobject;
}
574 | |
/*
 *	Routine:	ipc_kobject_destroy
 *	Purpose:
 *		Release any kernel object resources associated
 *		with the port, which is being destroyed.
 *
 *		This should only be needed when resources are
 *		associated with a user's port.  In the normal case,
 *		when the kernel is the receiver, the code calling
 *		ipc_port_dealloc_kernel should clean up the resources.
 *	Conditions:
 *		The port is not locked, but it is dead.
 */

void
ipc_kobject_destroy(
	ipc_port_t		port)
{
	const ipc_kobject_type_t kotype = ip_kotype(port);

	/* Only these three kobject types have per-port teardown here. */
	if (kotype == IKOT_TIMER) {
		mk_timer_port_destroy(port);
	} else if (kotype == IKOT_NAMED_ENTRY) {
		mach_destroy_memory_entry(port);
	} else if (kotype == IKOT_HOST_NOTIFY) {
		host_notify_port_destroy(port);
	}
	/* Any other type: nothing to release. */
}
611 | |
612 | |
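/*
 *	Routine:	ipc_kobject_notify
 *	Purpose:
 *		Deliver a port notification to the kobject behind the
 *		destination port, after checking that the message carries
 *		the kernel's audit and security tokens in its trailer.
 *	Parameters:
 *		request_header	header of the notification message
 *		reply_header	header of the reply buffer; its RetCode is
 *				preset to MIG_NO_REPLY
 *	Returns:
 *		TRUE when a handler accepted the notification, FALSE when
 *		the tokens do not match, the msgh_id is not a notification
 *		handled here, or the port's kobject type has no handler.
 */
boolean_t
ipc_kobject_notify(
	mach_msg_header_t	*request_header,
	mach_msg_header_t	*reply_header)
{
	mach_msg_max_trailer_t * trailer;
	ipc_port_t port = (ipc_port_t) request_header->msgh_remote_port;

	/* Notifications are one-way: tell the caller not to send a reply. */
	((mig_reply_error_t *) reply_header)->RetCode = MIG_NO_REPLY;

	/*
	 * NOTE(review): the trailer is located at header + msgh_size with no
	 * bound check visible here; this assumes the kmsg always carries a
	 * full-size trailer after the body -- confirm.
	 */
	trailer = (mach_msg_max_trailer_t *)
	          ((vm_offset_t)request_header + request_header->msgh_size);

	/*
	 * The kobject notification is privileged and can change the
	 * refcount on kernel-internal objects - make sure
	 * that the message wasn't faked!
	 *
	 * Both tokens must equal the kernel's; this check has to stay
	 * ahead of every handler below.
	 */
	if (0 != bcmp(&trailer->msgh_audit, &KERNEL_AUDIT_TOKEN,
		sizeof(trailer->msgh_audit))) {
		return FALSE;
	}
	if (0 != bcmp(&trailer->msgh_sender, &KERNEL_SECURITY_TOKEN,
		sizeof(trailer->msgh_sender))) {
		return FALSE;
	}

	switch (request_header->msgh_id) {
		case MACH_NOTIFY_NO_SENDERS:
			/* No-senders: dispatch on the kobject type of the port. */
			switch (ip_kotype(port)) {
			case IKOT_VOUCHER:
				ipc_voucher_notify(request_header);
				return TRUE;

			case IKOT_VOUCHER_ATTR_CONTROL:
				ipc_voucher_attr_control_notify(request_header);
				return TRUE;

			case IKOT_SEMAPHORE:
				semaphore_notify(request_header);
				return TRUE;

			case IKOT_TASK:
				task_port_notify(request_header);
				return TRUE;

			case IKOT_NAMED_ENTRY:
				ip_lock(port);

				/*
				 * Bring the sequence number and mscount in
				 * line with ipc_port_destroy assertion.
				 */
				port->ip_mscount = 0;
				port->ip_messages.imq_seqno = 0;
				ipc_port_destroy(port); /* releases lock */
				return TRUE;

			case IKOT_UPL:
				upl_no_senders(
					request_header->msgh_remote_port,
					(mach_port_mscount_t)
					((mach_no_senders_notification_t *)
					 request_header)->not_count);
				reply_header->msgh_remote_port = MACH_PORT_NULL;
				return TRUE;

#if	CONFIG_AUDIT
			case IKOT_AU_SESSIONPORT:
				audit_session_nosenders(request_header);
				return TRUE;
#endif
			case IKOT_FILEPORT:
				fileport_notify(request_header);
				return TRUE;

			case IKOT_WORK_INTERVAL:
				work_interval_port_notify(request_header);
				return TRUE;

			}
			/* Types not listed above fall through to the generic dispatch below. */
			break;

		case MACH_NOTIFY_PORT_DELETED:
		case MACH_NOTIFY_PORT_DESTROYED:
		case MACH_NOTIFY_SEND_ONCE:
		case MACH_NOTIFY_DEAD_NAME:
			break;

		default:
			/* Not a notification id handled here. */
			return FALSE;
	}
	switch (ip_kotype(port)) {

#ifdef IOKIT
		case IKOT_IOKIT_OBJECT:
		case IKOT_IOKIT_CONNECT:
		case IKOT_IOKIT_IDENT:
		{
			return iokit_notify(request_header);
		}
#endif
		case IKOT_TASK_RESUME:
		{
			return task_suspension_notify(request_header);
		}

		default:
			return FALSE;
	}
}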
724 | |