1 | /* |
2 | * Copyright (c) 2000-2020 Apple Inc. All rights reserved. |
3 | * |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ |
5 | * |
6 | * This file contains Original Code and/or Modifications of Original Code |
7 | * as defined in and that are subject to the Apple Public Source License |
8 | * Version 2.0 (the 'License'). You may not use this file except in |
9 | * compliance with the License. The rights granted to you under the License |
10 | * may not be used to create, or enable the creation or redistribution of, |
11 | * unlawful or unlicensed copies of an Apple operating system, or to |
12 | * circumvent, violate, or enable the circumvention or violation of, any |
13 | * terms of an Apple operating system software license agreement. |
14 | * |
15 | * Please obtain a copy of the License at |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. |
17 | * |
18 | * The Original Code and all software distributed under the License are |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. |
23 | * Please see the License for the specific language governing rights and |
24 | * limitations under the License. |
25 | * |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ |
27 | */ |
28 | /* |
29 | * @OSF_COPYRIGHT@ |
30 | */ |
31 | /* |
32 | * Mach Operating System |
33 | * Copyright (c) 1991,1990,1989 Carnegie Mellon University |
34 | * All Rights Reserved. |
35 | * |
36 | * Permission to use, copy, modify and distribute this software and its |
37 | * documentation is hereby granted, provided that both the copyright |
38 | * notice and this permission notice appear in all copies of the |
39 | * software, derivative works or modified versions, and any portions |
40 | * thereof, and that both notices appear in supporting documentation. |
41 | * |
42 | * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS" |
43 | * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR |
44 | * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE. |
45 | * |
46 | * Carnegie Mellon requests users of this software to return to |
47 | * |
48 | * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU |
49 | * School of Computer Science |
50 | * Carnegie Mellon University |
51 | * Pittsburgh PA 15213-3890 |
52 | * |
53 | * any improvements or extensions that they make and grant Carnegie Mellon |
54 | * the rights to redistribute these changes. |
55 | */ |
56 | /* |
57 | * NOTICE: This file was modified by McAfee Research in 2004 to introduce |
58 | * support for mandatory and extensible security protections. This notice |
59 | * is included in support of clause 2.2 (b) of the Apple Public License, |
60 | * Version 2.0. |
61 | * Copyright (c) 2005-2006 SPARTA, Inc. |
62 | */ |
63 | /* |
64 | */ |
65 | /* |
66 | * File: ipc/mach_port.c |
67 | * Author: Rich Draves |
68 | * Date: 1989 |
69 | * |
70 | * Exported kernel calls. See mach/mach_port.defs. |
71 | */ |
72 | |
73 | #include <mach/port.h> |
74 | #include <mach/kern_return.h> |
75 | #include <mach/notify.h> |
76 | #include <mach/mach_param.h> |
77 | #include <mach/vm_param.h> |
78 | #include <mach/vm_prot.h> |
79 | #include <mach/vm_map.h> |
80 | #include <kern/task.h> |
81 | #include <kern/thread.h> |
82 | #include <kern/exc_guard.h> |
83 | #include <mach/mach_port_server.h> |
84 | #include <vm/vm_map.h> |
85 | #include <vm/vm_kern.h> |
86 | #include <ipc/port.h> |
87 | #include <ipc/ipc_entry.h> |
88 | #include <ipc/ipc_space.h> |
89 | #include <ipc/ipc_object.h> |
90 | #include <ipc/ipc_notify.h> |
91 | #include <ipc/ipc_port.h> |
92 | #include <ipc/ipc_pset.h> |
93 | #include <ipc/ipc_right.h> |
94 | #include <ipc/ipc_kmsg.h> |
95 | #include <ipc/ipc_service_port.h> |
96 | #include <kern/misc_protos.h> |
97 | #include <security/mac_mach_internal.h> |
98 | #include <kern/work_interval.h> |
99 | #include <kern/policy_internal.h> |
100 | #include <kern/coalition.h> |
101 | #include <ipc/ipc_service_port.h> |
102 | #include <kern/mach_filter.h> |
103 | |
104 | |
105 | #if IMPORTANCE_INHERITANCE |
106 | #include <ipc/ipc_importance.h> |
107 | #endif |
108 | |
109 | static TUNABLE(bool, provisional_reply_port_enforced, "-provisional_reply_port_enforced" , false); |
110 | |
111 | extern void qsort(void *a, size_t n, size_t es, int (*cmp)(const void *, const void *)); |
112 | extern int proc_isinitproc(struct proc *p); |
113 | |
114 | static int |
115 | mach_port_name_cmp(const void *_n1, const void *_n2) |
116 | { |
117 | mach_port_name_t n1 = *(const mach_port_name_t *)_n1; |
118 | mach_port_name_t n2 = *(const mach_port_name_t *)_n2; |
119 | |
120 | if (n1 == n2) { |
121 | return 0; |
122 | } |
123 | |
124 | return n1 < n2 ? -1 : 1; |
125 | } |
126 | |
127 | kern_return_t mach_port_get_attributes(ipc_space_t space, mach_port_name_t name, |
128 | int flavor, mach_port_info_t info, mach_msg_type_number_t *count); |
129 | kern_return_t mach_port_get_context(ipc_space_t space, mach_port_name_t name, |
130 | mach_vm_address_t *context); |
131 | kern_return_t mach_port_get_set_status(ipc_space_t space, mach_port_name_t name, |
132 | mach_port_name_t **members, mach_msg_type_number_t *membersCnt); |
133 | extern int exit_with_guard_exception(void *p, mach_exception_data_type_t code, |
134 | mach_exception_data_type_t subcode); |
135 | |
136 | /* |
137 | * Routine: mach_port_names_helper |
138 | * Purpose: |
139 | * A helper function for mach_port_names. |
140 | * |
141 | * Conditions: |
142 | * Space containing entry is [at least] read-locked. |
143 | */ |
144 | static void |
145 | mach_port_names_helper( |
146 | ipc_port_timestamp_t timestamp, |
147 | ipc_entry_t entry, |
148 | mach_port_name_t name, |
149 | mach_port_name_t *names, |
150 | mach_port_type_t *types, |
151 | ipc_entry_num_t *actualp) |
152 | { |
153 | ipc_entry_bits_t bits; |
154 | ipc_port_request_index_t request; |
155 | mach_port_type_t type = 0; |
156 | ipc_entry_num_t actual; |
157 | ipc_port_t port; |
158 | |
159 | bits = entry->ie_bits; |
160 | request = entry->ie_request; |
161 | port = ip_object_to_port(entry->ie_object); |
162 | |
163 | if (bits & MACH_PORT_TYPE_RECEIVE) { |
164 | assert(IP_VALID(port)); |
165 | |
166 | if (request != IE_REQ_NONE) { |
167 | ip_mq_lock(port); |
168 | require_ip_active(port); |
169 | type |= ipc_port_request_type(port, name, index: request); |
170 | ip_mq_unlock(port); |
171 | } |
172 | } else if (bits & MACH_PORT_TYPE_SEND_RIGHTS) { |
173 | mach_port_type_t reqtype; |
174 | |
175 | assert(IP_VALID(port)); |
176 | ip_mq_lock(port); |
177 | |
178 | reqtype = (request != IE_REQ_NONE) ? |
179 | ipc_port_request_type(port, name, index: request) : 0; |
180 | |
181 | /* |
182 | * If the port is alive, or was alive when the mach_port_names |
183 | * started, then return that fact. Otherwise, pretend we found |
184 | * a dead name entry. |
185 | */ |
186 | if (ip_active(port) || IP_TIMESTAMP_ORDER(timestamp, ip_get_death_time(port))) { |
187 | type |= reqtype; |
188 | } else { |
189 | bits &= ~(IE_BITS_TYPE_MASK); |
190 | bits |= MACH_PORT_TYPE_DEAD_NAME; |
191 | /* account for additional reference for dead-name notification */ |
192 | if (reqtype != 0) { |
193 | bits++; |
194 | } |
195 | } |
196 | ip_mq_unlock(port); |
197 | } |
198 | |
199 | type |= IE_BITS_TYPE(bits); |
200 | |
201 | actual = *actualp; |
202 | names[actual] = name; |
203 | types[actual] = type; |
204 | *actualp = actual + 1; |
205 | } |
206 | |
207 | /* |
208 | * Routine: mach_port_names [kernel call] |
209 | * Purpose: |
210 | * Retrieves a list of the rights present in the space, |
211 | * along with type information. (Same as returned |
212 | * by mach_port_type.) The names are returned in |
213 | * no particular order, but they (and the type info) |
214 | * are an accurate snapshot of the space. |
215 | * Conditions: |
216 | * Nothing locked. |
217 | * Returns: |
218 | * KERN_SUCCESS Arrays of names and types returned. |
219 | * KERN_INVALID_TASK The space is null. |
220 | * KERN_INVALID_TASK The space is dead. |
221 | * KERN_RESOURCE_SHORTAGE Couldn't allocate memory. |
222 | */ |
223 | |
224 | kern_return_t |
225 | mach_port_names( |
226 | ipc_space_t space, |
227 | mach_port_name_t **namesp, |
228 | mach_msg_type_number_t *namesCnt, |
229 | mach_port_type_t **typesp, |
230 | mach_msg_type_number_t *typesCnt) |
231 | { |
232 | ipc_entry_table_t table; |
233 | ipc_entry_num_t tsize; |
234 | mach_port_index_t index; |
235 | ipc_entry_num_t actual; /* this many names */ |
236 | ipc_port_timestamp_t timestamp; /* logical time of this operation */ |
237 | mach_port_name_t *names; |
238 | mach_port_type_t *types; |
239 | kern_return_t kr; |
240 | |
241 | vm_size_t size; /* size of allocated memory */ |
242 | vm_offset_t addr1 = 0; /* allocated memory, for names */ |
243 | vm_offset_t addr2 = 0; /* allocated memory, for types */ |
244 | vm_map_copy_t memory1; /* copied-in memory, for names */ |
245 | vm_map_copy_t memory2; /* copied-in memory, for types */ |
246 | |
247 | /* safe simplifying assumption */ |
248 | static_assert(sizeof(mach_port_name_t) == sizeof(mach_port_type_t)); |
249 | |
250 | if (space == IS_NULL) { |
251 | return KERN_INVALID_TASK; |
252 | } |
253 | |
254 | size = 0; |
255 | |
256 | for (;;) { |
257 | ipc_entry_num_t bound; |
258 | vm_size_t size_needed; |
259 | |
260 | is_read_lock(space); |
261 | if (!is_active(space)) { |
262 | is_read_unlock(space); |
263 | if (size != 0) { |
264 | kmem_free(map: ipc_kernel_map, addr: addr1, size); |
265 | kmem_free(map: ipc_kernel_map, addr: addr2, size); |
266 | } |
267 | return KERN_INVALID_TASK; |
268 | } |
269 | |
270 | /* upper bound on number of names in the space */ |
271 | bound = ipc_entry_table_count(array: is_active_table(space)); |
272 | size_needed = vm_map_round_page( |
273 | (bound * sizeof(mach_port_name_t)), |
274 | VM_MAP_PAGE_MASK(ipc_kernel_map)); |
275 | |
276 | if (size_needed <= size) { |
277 | break; |
278 | } |
279 | |
280 | is_read_unlock(space); |
281 | |
282 | if (size != 0) { |
283 | kmem_free(map: ipc_kernel_map, addr: addr1, size); |
284 | kmem_free(map: ipc_kernel_map, addr: addr2, size); |
285 | } |
286 | size = size_needed; |
287 | |
288 | kr = kmem_alloc(map: ipc_kernel_map, addrp: &addr1, size, |
289 | flags: KMA_DATA, VM_KERN_MEMORY_IPC); |
290 | if (kr != KERN_SUCCESS) { |
291 | return KERN_RESOURCE_SHORTAGE; |
292 | } |
293 | |
294 | kr = kmem_alloc(map: ipc_kernel_map, addrp: &addr2, size, |
295 | flags: KMA_DATA, VM_KERN_MEMORY_IPC); |
296 | if (kr != KERN_SUCCESS) { |
297 | kmem_free(map: ipc_kernel_map, addr: addr1, size); |
298 | return KERN_RESOURCE_SHORTAGE; |
299 | } |
300 | } |
301 | /* space is read-locked and active */ |
302 | |
303 | names = (mach_port_name_t *) addr1; |
304 | types = (mach_port_type_t *) addr2; |
305 | actual = 0; |
306 | |
307 | timestamp = ipc_port_timestamp(); |
308 | |
309 | table = is_active_table(space); |
310 | tsize = ipc_entry_table_count(array: table); |
311 | |
312 | for (index = 1; index < tsize; index++) { |
313 | ipc_entry_t entry = ipc_entry_table_get_nocheck(array: table, i: index); |
314 | ipc_entry_bits_t bits = entry->ie_bits; |
315 | |
316 | if (IE_BITS_TYPE(bits) != MACH_PORT_TYPE_NONE) { |
317 | mach_port_name_t name; |
318 | |
319 | name = MACH_PORT_MAKE(index, IE_BITS_GEN(bits)); |
320 | mach_port_names_helper(timestamp, entry, name, names, |
321 | types, actualp: &actual); |
322 | } |
323 | } |
324 | |
325 | is_read_unlock(space); |
326 | |
327 | if (actual == 0) { |
328 | memory1 = VM_MAP_COPY_NULL; |
329 | memory2 = VM_MAP_COPY_NULL; |
330 | |
331 | if (size != 0) { |
332 | kmem_free(map: ipc_kernel_map, addr: addr1, size); |
333 | kmem_free(map: ipc_kernel_map, addr: addr2, size); |
334 | } |
335 | } else { |
336 | vm_size_t size_used; |
337 | vm_size_t vm_size_used; |
338 | |
339 | size_used = actual * sizeof(mach_port_name_t); |
340 | vm_size_used = |
341 | vm_map_round_page(size_used, |
342 | VM_MAP_PAGE_MASK(ipc_kernel_map)); |
343 | |
344 | /* |
345 | * Make used memory pageable and get it into |
346 | * copied-in form. Free any unused memory. |
347 | */ |
348 | |
349 | if (size_used < vm_size_used) { |
350 | bzero(s: (char *)addr1 + size_used, n: vm_size_used - size_used); |
351 | bzero(s: (char *)addr2 + size_used, n: vm_size_used - size_used); |
352 | } |
353 | |
354 | kr = vm_map_unwire(map: ipc_kernel_map, start: addr1, end: addr1 + vm_size_used, FALSE); |
355 | assert(kr == KERN_SUCCESS); |
356 | |
357 | kr = vm_map_unwire(map: ipc_kernel_map, start: addr2, end: addr2 + vm_size_used, FALSE); |
358 | assert(kr == KERN_SUCCESS); |
359 | |
360 | kr = vm_map_copyin(src_map: ipc_kernel_map, src_addr: (vm_map_address_t)addr1, |
361 | len: (vm_map_size_t)size_used, TRUE, copy_result: &memory1); |
362 | assert(kr == KERN_SUCCESS); |
363 | |
364 | kr = vm_map_copyin(src_map: ipc_kernel_map, src_addr: (vm_map_address_t)addr2, |
365 | len: (vm_map_size_t)size_used, TRUE, copy_result: &memory2); |
366 | assert(kr == KERN_SUCCESS); |
367 | |
368 | if (vm_size_used != size) { |
369 | kmem_free(map: ipc_kernel_map, |
370 | addr: addr1 + vm_size_used, size: size - vm_size_used); |
371 | kmem_free(map: ipc_kernel_map, |
372 | addr: addr2 + vm_size_used, size: size - vm_size_used); |
373 | } |
374 | } |
375 | |
376 | *namesp = (mach_port_name_t *) memory1; |
377 | *namesCnt = actual; |
378 | *typesp = (mach_port_type_t *) memory2; |
379 | *typesCnt = actual; |
380 | return KERN_SUCCESS; |
381 | } |
382 | |
383 | /* |
384 | * Routine: mach_port_type [kernel call] |
385 | * Purpose: |
386 | * Retrieves the type of a right in the space. |
387 | * The type is a bitwise combination of one or more |
388 | * of the following type bits: |
389 | * MACH_PORT_TYPE_SEND |
390 | * MACH_PORT_TYPE_RECEIVE |
391 | * MACH_PORT_TYPE_SEND_ONCE |
392 | * MACH_PORT_TYPE_PORT_SET |
393 | * MACH_PORT_TYPE_DEAD_NAME |
394 | * In addition, the following pseudo-type bits may be present: |
395 | * MACH_PORT_TYPE_DNREQUEST |
396 | * A dead-name notification is requested. |
397 | * Conditions: |
398 | * Nothing locked. |
399 | * Returns: |
400 | * KERN_SUCCESS Type is returned. |
401 | * KERN_INVALID_TASK The space is null. |
402 | * KERN_INVALID_TASK The space is dead. |
403 | * KERN_INVALID_NAME The name doesn't denote a right. |
404 | */ |
405 | |
406 | kern_return_t |
407 | mach_port_type( |
408 | ipc_space_t space, |
409 | mach_port_name_t name, |
410 | mach_port_type_t *typep) |
411 | { |
412 | mach_port_urefs_t urefs; |
413 | ipc_entry_t entry; |
414 | kern_return_t kr; |
415 | |
416 | if (space == IS_NULL) { |
417 | return KERN_INVALID_TASK; |
418 | } |
419 | |
420 | if (name == MACH_PORT_NULL) { |
421 | return KERN_INVALID_NAME; |
422 | } |
423 | |
424 | if (name == MACH_PORT_DEAD) { |
425 | *typep = MACH_PORT_TYPE_DEAD_NAME; |
426 | return KERN_SUCCESS; |
427 | } |
428 | |
429 | kr = ipc_right_lookup_write(space, name, entryp: &entry); |
430 | if (kr != KERN_SUCCESS) { |
431 | return kr; |
432 | } |
433 | |
434 | /* space is write-locked and active */ |
435 | kr = ipc_right_info(space, name, entry, typep, urefsp: &urefs); |
436 | /* space is unlocked */ |
437 | |
438 | #if 1 |
439 | /* JMM - workaround rdar://problem/9121297 (CF being too picky on these bits). */ |
440 | *typep &= ~(MACH_PORT_TYPE_SPREQUEST | MACH_PORT_TYPE_SPREQUEST_DELAYED); |
441 | #endif |
442 | |
443 | return kr; |
444 | } |
445 | |
446 | |
447 | /* |
448 | * Routine: mach_port_allocate_name [kernel call] |
449 | * Purpose: |
450 | * Allocates a right in a space, using a specific name |
451 | * for the new right. Possible rights: |
452 | * MACH_PORT_RIGHT_RECEIVE |
453 | * MACH_PORT_RIGHT_PORT_SET |
454 | * MACH_PORT_RIGHT_DEAD_NAME |
455 | * |
456 | * A new port (allocated with MACH_PORT_RIGHT_RECEIVE) |
457 | * has no extant send or send-once rights and no queued |
458 | * messages. Its queue limit is MACH_PORT_QLIMIT_DEFAULT |
459 | * and its make-send count is 0. It is not a member of |
460 | * a port set. It has no registered no-senders or |
461 | * port-destroyed notification requests. |
462 | * |
463 | * A new port set has no members. |
464 | * |
465 | * A new dead name has one user reference. |
466 | * Conditions: |
467 | * Nothing locked. |
468 | * Returns: |
469 | * KERN_SUCCESS The right is allocated. |
470 | * KERN_INVALID_TASK The space is null. |
471 | * KERN_INVALID_TASK The space is dead. |
472 | * KERN_INVALID_VALUE The name isn't a legal name. |
473 | * KERN_INVALID_VALUE "right" isn't a legal kind of right. |
474 | * KERN_NAME_EXISTS The name already denotes a right. |
475 | * KERN_RESOURCE_SHORTAGE Couldn't allocate memory. |
476 | * |
477 | * Restrictions on name allocation: NT bits are reserved by kernel, |
478 | * must be set on any chosen name. Can't do this at all in kernel |
479 | * loaded server. |
480 | */ |
481 | |
482 | kern_return_t |
483 | mach_port_allocate_name( |
484 | ipc_space_t space, |
485 | mach_port_right_t right, |
486 | mach_port_name_t name) |
487 | { |
488 | kern_return_t kr; |
489 | mach_port_qos_t qos = { .name = TRUE }; |
490 | |
491 | if (!MACH_PORT_VALID(name)) { |
492 | return KERN_INVALID_VALUE; |
493 | } |
494 | |
495 | kr = mach_port_allocate_full(task: space, right, MACH_PORT_NULL, |
496 | qos: &qos, name: &name); |
497 | return kr; |
498 | } |
499 | |
500 | /* |
501 | * Routine: mach_port_allocate [kernel call] |
502 | * Purpose: |
503 | * Allocates a right in a space. Like mach_port_allocate_name, |
504 | * except that the implementation picks a name for the right. |
505 | * The name may be any legal name in the space that doesn't |
506 | * currently denote a right. |
507 | * Conditions: |
508 | * Nothing locked. |
509 | * Returns: |
510 | * KERN_SUCCESS The right is allocated. |
511 | * KERN_INVALID_TASK The space is null. |
512 | * KERN_INVALID_TASK The space is dead. |
513 | * KERN_INVALID_VALUE "right" isn't a legal kind of right. |
514 | * KERN_RESOURCE_SHORTAGE Couldn't allocate memory. |
515 | * KERN_NO_SPACE No room in space for another right. |
516 | */ |
517 | |
518 | kern_return_t |
519 | mach_port_allocate( |
520 | ipc_space_t space, |
521 | mach_port_right_t right, |
522 | mach_port_name_t *namep) |
523 | { |
524 | kern_return_t kr; |
525 | mach_port_qos_t qos = { }; |
526 | |
527 | kr = mach_port_allocate_full(task: space, right, MACH_PORT_NULL, |
528 | qos: &qos, name: namep); |
529 | return kr; |
530 | } |
531 | |
532 | /* |
533 | * Routine: mach_port_allocate_qos [kernel call] |
534 | * Purpose: |
535 | * Allocates a right, with qos options, in a space. Like |
536 | * mach_port_allocate_name, except that the implementation |
537 | * picks a name for the right. The name may be any legal name |
538 | * in the space that doesn't currently denote a right. |
539 | * Conditions: |
540 | * Nothing locked. |
541 | * Returns: |
542 | * KERN_SUCCESS The right is allocated. |
543 | * KERN_INVALID_TASK The space is null. |
544 | * KERN_INVALID_TASK The space is dead. |
545 | * KERN_INVALID_VALUE "right" isn't a legal kind of right. |
546 | * KERN_INVALID_ARGUMENT The qos request was invalid. |
547 | * KERN_RESOURCE_SHORTAGE Couldn't allocate memory. |
548 | * KERN_NO_SPACE No room in space for another right. |
549 | */ |
550 | |
551 | kern_return_t |
552 | mach_port_allocate_qos( |
553 | ipc_space_t space, |
554 | mach_port_right_t right, |
555 | mach_port_qos_t *qosp, |
556 | mach_port_name_t *namep) |
557 | { |
558 | kern_return_t kr; |
559 | |
560 | if (qosp->name) { |
561 | return KERN_INVALID_ARGUMENT; |
562 | } |
563 | kr = mach_port_allocate_full(task: space, right, MACH_PORT_NULL, |
564 | qos: qosp, name: namep); |
565 | return kr; |
566 | } |
567 | |
568 | /* |
569 | * Routine: mach_port_allocate_full [kernel call] |
570 | * Purpose: |
571 | * Allocates a right in a space. Supports the |
572 | * special case of specifying a name. The name may |
573 | * be any legal name in the space that doesn't |
574 | * currently denote a right. |
575 | * |
576 | * While we no longer support users requesting |
577 | * preallocated message for the port, we still |
578 | * check for errors in such requests and then |
579 | * just clear the request. |
580 | * Conditions: |
581 | * Nothing locked. |
582 | * Returns: |
583 | * KERN_SUCCESS The right is allocated. |
584 | * KERN_INVALID_TASK The space is null. |
585 | * KERN_INVALID_TASK The space is dead. |
586 | * KERN_INVALID_VALUE "right" isn't a legal kind of right, or supplied port |
587 | * name is invalid. |
588 | * KERN_RESOURCE_SHORTAGE Couldn't allocate memory. |
589 | * KERN_NO_SPACE No room in space for another right. |
590 | */ |
591 | |
592 | kern_return_t |
593 | mach_port_allocate_full( |
594 | ipc_space_t space, |
595 | mach_port_right_t right, |
596 | mach_port_t proto, |
597 | mach_port_qos_t *qosp, |
598 | mach_port_name_t *namep) |
599 | { |
600 | kern_return_t kr; |
601 | |
602 | if (space == IS_NULL) { |
603 | return KERN_INVALID_TASK; |
604 | } |
605 | |
606 | if (proto != MACH_PORT_NULL) { |
607 | return KERN_INVALID_VALUE; |
608 | } |
609 | |
610 | if (qosp->name) { |
611 | if (!MACH_PORT_VALID(*namep)) { |
612 | return KERN_INVALID_VALUE; |
613 | } |
614 | } |
615 | |
616 | /* |
617 | * Don't actually honor prealloc requests anymore, |
618 | * (only mk_timer still uses IP_PREALLOC messages, by hand). |
619 | * |
620 | * (for security reasons, and because it isn't guaranteed anyway). |
621 | * Keep old errors for legacy reasons. |
622 | */ |
623 | if (qosp->prealloc) { |
624 | if (qosp->len > MACH_MSG_SIZE_MAX - MAX_TRAILER_SIZE) { |
625 | return KERN_RESOURCE_SHORTAGE; |
626 | } |
627 | if (right != MACH_PORT_RIGHT_RECEIVE) { |
628 | return KERN_INVALID_VALUE; |
629 | } |
630 | qosp->prealloc = 0; |
631 | } |
632 | |
633 | switch (right) { |
634 | case MACH_PORT_RIGHT_RECEIVE: |
635 | { |
636 | ipc_port_t port; |
637 | |
638 | if (qosp->name) { |
639 | kr = ipc_port_alloc_name(space, flags: IPC_PORT_INIT_MESSAGE_QUEUE, |
640 | name: *namep, portp: &port); |
641 | } else { |
642 | kr = ipc_port_alloc(space, flags: IPC_PORT_INIT_MESSAGE_QUEUE, |
643 | namep, portp: &port); |
644 | } |
645 | if (kr == KERN_SUCCESS) { |
646 | ip_mq_unlock(port); |
647 | } |
648 | break; |
649 | } |
650 | |
651 | case MACH_PORT_RIGHT_PORT_SET: |
652 | { |
653 | ipc_pset_t pset; |
654 | |
655 | if (qosp->name) { |
656 | kr = ipc_pset_alloc_name(space, name: *namep, psetp: &pset); |
657 | } else { |
658 | kr = ipc_pset_alloc(space, namep, psetp: &pset); |
659 | } |
660 | if (kr == KERN_SUCCESS) { |
661 | ips_mq_unlock(pset); |
662 | } |
663 | break; |
664 | } |
665 | |
666 | case MACH_PORT_RIGHT_DEAD_NAME: |
667 | kr = ipc_object_alloc_dead(space, namep); |
668 | break; |
669 | |
670 | default: |
671 | kr = KERN_INVALID_VALUE; |
672 | break; |
673 | } |
674 | |
675 | return kr; |
676 | } |
677 | |
678 | /* |
679 | * Routine: mach_port_destroy [kernel call] |
680 | * Purpose: |
681 | * Cleans up and destroys all rights denoted by a name |
682 | * in a space. The destruction of a receive right |
683 | * destroys the port, unless a port-destroyed request |
684 | * has been made for it; the destruction of a port-set right |
685 | * destroys the port set. |
686 | * Conditions: |
687 | * Nothing locked. |
688 | * Returns: |
689 | * KERN_SUCCESS The name is destroyed. |
690 | * KERN_INVALID_TASK The space is null. |
691 | * KERN_INVALID_TASK The space is dead. |
692 | * KERN_INVALID_NAME The name doesn't denote a right. |
693 | */ |
694 | |
695 | kern_return_t |
696 | mach_port_destroy( |
697 | ipc_space_t space, |
698 | mach_port_name_t name) |
699 | { |
700 | ipc_entry_t entry; |
701 | kern_return_t kr; |
702 | |
703 | if (space == IS_NULL) { |
704 | return KERN_INVALID_TASK; |
705 | } |
706 | |
707 | if (!MACH_PORT_VALID(name)) { |
708 | return KERN_SUCCESS; |
709 | } |
710 | |
711 | kr = ipc_right_lookup_write(space, name, entryp: &entry); |
712 | if (kr != KERN_SUCCESS) { |
713 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_INVALID_NAME); |
714 | return kr; |
715 | } |
716 | /* space is write-locked and active */ |
717 | |
718 | kr = ipc_right_destroy(space, name, entry, TRUE, guard: 0); /* unlocks space */ |
719 | return kr; |
720 | } |
721 | |
722 | /* |
723 | * Routine: mach_port_deallocate [kernel call] |
724 | * Purpose: |
725 | * Deallocates a user reference from a send right, |
726 | * send-once right, dead-name right or a port_set right. |
727 | * May deallocate the right, if this is the last uref, |
728 | * and destroy the name, if it doesn't denote |
729 | * other rights. |
730 | * Conditions: |
731 | * Nothing locked. |
732 | * Returns: |
733 | * KERN_SUCCESS The uref is deallocated. |
734 | * KERN_INVALID_TASK The space is null. |
735 | * KERN_INVALID_TASK The space is dead. |
736 | * KERN_INVALID_NAME The name doesn't denote a right. |
737 | * KERN_INVALID_RIGHT The right isn't correct. |
738 | */ |
739 | |
740 | kern_return_t |
741 | mach_port_deallocate( |
742 | ipc_space_t space, |
743 | mach_port_name_t name) |
744 | { |
745 | ipc_entry_t entry; |
746 | kern_return_t kr; |
747 | |
748 | if (space == IS_NULL) { |
749 | return KERN_INVALID_TASK; |
750 | } |
751 | |
752 | if (!MACH_PORT_VALID(name)) { |
753 | return KERN_SUCCESS; |
754 | } |
755 | |
756 | kr = ipc_right_lookup_write(space, name, entryp: &entry); |
757 | if (kr != KERN_SUCCESS) { |
758 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_INVALID_NAME); |
759 | return kr; |
760 | } |
761 | /* space is write-locked */ |
762 | |
763 | kr = ipc_right_dealloc(space, name, entry); /* unlocks space */ |
764 | return kr; |
765 | } |
766 | |
767 | /* |
768 | * Routine: mach_port_get_refs [kernel call] |
769 | * Purpose: |
770 | * Retrieves the number of user references held by a right. |
771 | * Receive rights, port-set rights, and send-once rights |
772 | * always have one user reference. Returns zero if the |
773 | * name denotes a right, but not the queried right. |
774 | * Conditions: |
775 | * Nothing locked. |
776 | * Returns: |
777 | * KERN_SUCCESS Number of urefs returned. |
778 | * KERN_INVALID_TASK The space is null. |
779 | * KERN_INVALID_TASK The space is dead. |
780 | * KERN_INVALID_VALUE "right" isn't a legal value. |
781 | * KERN_INVALID_NAME The name doesn't denote a right. |
782 | */ |
783 | |
784 | kern_return_t |
785 | mach_port_get_refs( |
786 | ipc_space_t space, |
787 | mach_port_name_t name, |
788 | mach_port_right_t right, |
789 | mach_port_urefs_t *urefsp) |
790 | { |
791 | mach_port_type_t type; |
792 | mach_port_urefs_t urefs; |
793 | ipc_entry_t entry; |
794 | kern_return_t kr; |
795 | |
796 | if (space == IS_NULL) { |
797 | return KERN_INVALID_TASK; |
798 | } |
799 | |
800 | if (right >= MACH_PORT_RIGHT_NUMBER) { |
801 | return KERN_INVALID_VALUE; |
802 | } |
803 | |
804 | if (!MACH_PORT_VALID(name)) { |
805 | if (right == MACH_PORT_RIGHT_SEND || |
806 | right == MACH_PORT_RIGHT_SEND_ONCE) { |
807 | *urefsp = 1; |
808 | return KERN_SUCCESS; |
809 | } |
810 | return KERN_INVALID_NAME; |
811 | } |
812 | |
813 | kr = ipc_right_lookup_write(space, name, entryp: &entry); |
814 | if (kr != KERN_SUCCESS) { |
815 | return kr; |
816 | } |
817 | |
818 | /* space is write-locked and active */ |
819 | kr = ipc_right_info(space, name, entry, typep: &type, urefsp: &urefs); |
820 | /* space is unlocked */ |
821 | |
822 | if (kr != KERN_SUCCESS) { |
823 | return kr; |
824 | } |
825 | |
826 | if (type & MACH_PORT_TYPE(right)) { |
827 | switch (right) { |
828 | case MACH_PORT_RIGHT_SEND_ONCE: |
829 | assert(urefs == 1); |
830 | OS_FALLTHROUGH; |
831 | |
832 | case MACH_PORT_RIGHT_PORT_SET: |
833 | case MACH_PORT_RIGHT_RECEIVE: |
834 | *urefsp = 1; |
835 | break; |
836 | |
837 | case MACH_PORT_RIGHT_DEAD_NAME: |
838 | case MACH_PORT_RIGHT_SEND: |
839 | assert(urefs > 0); |
840 | *urefsp = urefs; |
841 | break; |
842 | |
843 | default: |
844 | panic("mach_port_get_refs: strange rights" ); |
845 | } |
846 | } else { |
847 | *urefsp = 0; |
848 | } |
849 | |
850 | return kr; |
851 | } |
852 | |
853 | /* |
854 | * Routine: mach_port_mod_refs |
855 | * Purpose: |
856 | * Modifies the number of user references held by a right. |
857 | * The resulting number of user references must be non-negative. |
858 | * If it is zero, the right is deallocated. If the name |
859 | * doesn't denote other rights, it is destroyed. |
860 | * Conditions: |
861 | * Nothing locked. |
862 | * Returns: |
863 | * KERN_SUCCESS Modified number of urefs. |
864 | * KERN_INVALID_TASK The space is null. |
865 | * KERN_INVALID_TASK The space is dead. |
866 | * KERN_INVALID_VALUE "right" isn't a legal value. |
867 | * KERN_INVALID_NAME The name doesn't denote a right. |
868 | * KERN_INVALID_RIGHT Name doesn't denote specified right. |
869 | * KERN_INVALID_VALUE Impossible modification to urefs. |
870 | * KERN_UREFS_OVERFLOW Urefs would overflow. |
871 | */ |
872 | |
873 | kern_return_t |
874 | mach_port_mod_refs( |
875 | ipc_space_t space, |
876 | mach_port_name_t name, |
877 | mach_port_right_t right, |
878 | mach_port_delta_t delta) |
879 | { |
880 | ipc_entry_t entry; |
881 | kern_return_t kr; |
882 | |
883 | if (space == IS_NULL) { |
884 | return KERN_INVALID_TASK; |
885 | } |
886 | |
887 | if (right >= MACH_PORT_RIGHT_NUMBER) { |
888 | return KERN_INVALID_VALUE; |
889 | } |
890 | |
891 | if (!MACH_PORT_VALID(name)) { |
892 | if (right == MACH_PORT_RIGHT_SEND || |
893 | right == MACH_PORT_RIGHT_SEND_ONCE) { |
894 | return KERN_SUCCESS; |
895 | } |
896 | return KERN_INVALID_NAME; |
897 | } |
898 | |
899 | kr = ipc_right_lookup_write(space, name, entryp: &entry); |
900 | if (kr != KERN_SUCCESS) { |
901 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_INVALID_NAME); |
902 | return kr; |
903 | } |
904 | |
905 | /* space is write-locked and active */ |
906 | |
907 | kr = ipc_right_delta(space, name, entry, right, delta); /* unlocks */ |
908 | return kr; |
909 | } |
910 | |
911 | |
912 | /* |
913 | * Routine: mach_port_peek [kernel call] |
914 | * Purpose: |
915 | * Peek at the message queue for the specified receive |
916 | * right and return info about a message in the queue. |
917 | * |
918 | * On input, seqnop points to a sequence number value |
919 | * to match the message being peeked. If zero is specified |
920 | * as the seqno, the first message in the queue will be |
921 | * peeked. |
922 | * |
923 | * Only the following trailer types are currently supported: |
924 | * MACH_RCV_TRAILER_TYPE(MACH_MSG_TRAILER_FORMAT_0) |
925 | * |
926 | * or'ed with one of these element types: |
927 | * MACH_RCV_TRAILER_ELEMENTS(MACH_RCV_TRAILER_NULL) |
928 | * MACH_RCV_TRAILER_ELEMENTS(MACH_RCV_TRAILER_SEQNO) |
929 | * MACH_RCV_TRAILER_ELEMENTS(MACH_RCV_TRAILER_SENDER) |
930 | * MACH_RCV_TRAILER_ELEMENTS(MACH_RCV_TRAILER_AUDIT) |
931 | * |
932 | * On input, the value pointed to by trailer_sizep must be |
933 | * large enough to hold the requested trailer size. |
934 | * |
935 | * The message sequence number, id, size, requested trailer info |
936 | * and requested trailer size are returned in their respective |
937 | * output parameters upon success. |
938 | * |
939 | * Conditions: |
940 | * Nothing locked. |
941 | * Returns: |
942 | * KERN_SUCCESS Matching message found, out parameters set. |
943 | * KERN_INVALID_TASK The space is null or dead. |
944 | * KERN_INVALID_NAME The name doesn't denote a right. |
945 | * KERN_INVALID_RIGHT Name doesn't denote receive rights. |
946 | * KERN_INVALID_VALUE The input parameter values are out of bounds. |
947 | * KERN_FAILURE The requested message was not found. |
948 | */ |
949 | |
950 | kern_return_t |
951 | mach_port_peek( |
952 | ipc_space_t space, |
953 | mach_port_name_t name, |
954 | mach_msg_trailer_type_t trailer_type, |
955 | mach_port_seqno_t *seqnop, |
956 | mach_msg_size_t *msg_sizep, |
957 | mach_msg_id_t *msg_idp, |
958 | mach_msg_trailer_info_t trailer_infop, |
959 | mach_msg_type_number_t *trailer_sizep) |
960 | { |
961 | ipc_port_t port; |
962 | kern_return_t kr; |
963 | boolean_t found; |
964 | mach_msg_max_trailer_t max_trailer; |
965 | |
966 | if (space == IS_NULL) { |
967 | return KERN_INVALID_TASK; |
968 | } |
969 | |
970 | if (!MACH_PORT_VALID(name)) { |
971 | return KERN_INVALID_RIGHT; |
972 | } |
973 | |
974 | /* |
975 | * We don't allow anything greater than the audit trailer - to avoid |
976 | * leaking the context pointer and to avoid variable-sized context issues. |
977 | */ |
978 | if (GET_RCV_ELEMENTS(trailer_type) > MACH_RCV_TRAILER_AUDIT || |
979 | REQUESTED_TRAILER_SIZE(TRUE, trailer_type) > *trailer_sizep) { |
980 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_INVALID_VALUE); |
981 | return KERN_INVALID_VALUE; |
982 | } |
983 | |
984 | *trailer_sizep = REQUESTED_TRAILER_SIZE(TRUE, trailer_type); |
985 | |
986 | kr = ipc_port_translate_receive(space, name, portp: &port); |
987 | if (kr != KERN_SUCCESS) { |
988 | mach_port_guard_exception(name, inguard: 0, portguard: 0, |
989 | reason: ((KERN_INVALID_NAME == kr) ? |
990 | kGUARD_EXC_INVALID_NAME : |
991 | kGUARD_EXC_INVALID_RIGHT)); |
992 | return kr; |
993 | } |
994 | |
995 | /* Port locked and active */ |
996 | found = ipc_mqueue_peek_locked(mqueue: &port->ip_messages, msg_seqnop: seqnop, |
997 | msg_sizep, msg_idp, msg_trailerp: &max_trailer, NULL); |
998 | ip_mq_unlock(port); |
999 | |
1000 | if (found != TRUE) { |
1001 | return KERN_FAILURE; |
1002 | } |
1003 | |
1004 | max_trailer.msgh_seqno = *seqnop; |
1005 | memcpy(dst: trailer_infop, src: &max_trailer, n: *trailer_sizep); |
1006 | |
1007 | return KERN_SUCCESS; |
1008 | } |
1009 | |
1010 | /* |
1011 | * Routine: mach_port_set_mscount [kernel call] |
1012 | * Purpose: |
1013 | * Changes a receive right's make-send count. |
1014 | * Conditions: |
1015 | * Nothing locked. |
1016 | * Returns: |
1017 | * KERN_SUCCESS Set make-send count. |
1018 | * KERN_INVALID_TASK The space is null. |
1019 | * KERN_INVALID_TASK The space is dead. |
1020 | * KERN_INVALID_NAME The name doesn't denote a right. |
1021 | * KERN_INVALID_RIGHT Name doesn't denote receive rights. |
1022 | */ |
1023 | |
1024 | kern_return_t |
1025 | mach_port_set_mscount( |
1026 | ipc_space_t space, |
1027 | mach_port_name_t name, |
1028 | mach_port_mscount_t mscount) |
1029 | { |
1030 | ipc_port_t port; |
1031 | kern_return_t kr; |
1032 | |
1033 | if (space == IS_NULL) { |
1034 | return KERN_INVALID_TASK; |
1035 | } |
1036 | |
1037 | if (!MACH_PORT_VALID(name)) { |
1038 | return KERN_INVALID_RIGHT; |
1039 | } |
1040 | |
1041 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1042 | if (kr != KERN_SUCCESS) { |
1043 | return kr; |
1044 | } |
1045 | /* port is locked and active */ |
1046 | |
1047 | port->ip_mscount = mscount; |
1048 | ip_mq_unlock(port); |
1049 | return KERN_SUCCESS; |
1050 | } |
1051 | |
1052 | /* |
1053 | * Routine: mach_port_set_seqno [kernel call] |
1054 | * Purpose: |
1055 | * Changes a receive right's sequence number. |
1056 | * Conditions: |
1057 | * Nothing locked. |
1058 | * Returns: |
1059 | * KERN_SUCCESS Set sequence number. |
1060 | * KERN_INVALID_TASK The space is null. |
1061 | * KERN_INVALID_TASK The space is dead. |
1062 | * KERN_INVALID_NAME The name doesn't denote a right. |
1063 | * KERN_INVALID_RIGHT Name doesn't denote receive rights. |
1064 | */ |
1065 | |
1066 | kern_return_t |
1067 | mach_port_set_seqno( |
1068 | ipc_space_t space, |
1069 | mach_port_name_t name, |
1070 | mach_port_seqno_t seqno) |
1071 | { |
1072 | ipc_port_t port; |
1073 | kern_return_t kr; |
1074 | |
1075 | if (space == IS_NULL) { |
1076 | return KERN_INVALID_TASK; |
1077 | } |
1078 | |
1079 | if (!MACH_PORT_VALID(name)) { |
1080 | return KERN_INVALID_RIGHT; |
1081 | } |
1082 | |
1083 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1084 | if (kr != KERN_SUCCESS) { |
1085 | return kr; |
1086 | } |
1087 | /* port is locked and active */ |
1088 | |
1089 | ipc_mqueue_set_seqno_locked(mqueue: &port->ip_messages, seqno); |
1090 | |
1091 | ip_mq_unlock(port); |
1092 | return KERN_SUCCESS; |
1093 | } |
1094 | |
1095 | /* |
1096 | * Routine: mach_port_get_context [kernel call] |
1097 | * Purpose: |
1098 | * Returns a receive right's context pointer. |
1099 | * Conditions: |
1100 | * Nothing locked. |
1101 | * Returns: |
1102 | * KERN_SUCCESS Set context pointer. |
1103 | * KERN_INVALID_TASK The space is null. |
1104 | * KERN_INVALID_TASK The space is dead. |
1105 | * KERN_INVALID_NAME The name doesn't denote a right. |
1106 | * KERN_INVALID_RIGHT Name doesn't denote receive rights. |
1107 | */ |
1108 | |
1109 | kern_return_t |
1110 | mach_port_get_context( |
1111 | ipc_space_t space, |
1112 | mach_port_name_t name, |
1113 | mach_vm_address_t *context) |
1114 | { |
1115 | ipc_port_t port; |
1116 | kern_return_t kr; |
1117 | |
1118 | if (space == IS_NULL) { |
1119 | return KERN_INVALID_TASK; |
1120 | } |
1121 | |
1122 | if (!MACH_PORT_VALID(name)) { |
1123 | return KERN_INVALID_RIGHT; |
1124 | } |
1125 | |
1126 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1127 | if (kr != KERN_SUCCESS) { |
1128 | return kr; |
1129 | } |
1130 | |
1131 | /* Port locked and active */ |
1132 | |
1133 | /* For strictly guarded ports, return empty context (which acts as guard) */ |
1134 | if (port->ip_strict_guard) { |
1135 | *context = 0; |
1136 | } else { |
1137 | *context = port->ip_context; |
1138 | } |
1139 | |
1140 | ip_mq_unlock(port); |
1141 | return KERN_SUCCESS; |
1142 | } |
1143 | |
1144 | kern_return_t |
1145 | mach_port_get_context_from_user( |
1146 | mach_port_t port, |
1147 | mach_port_name_t name, |
1148 | mach_vm_address_t *context) |
1149 | { |
1150 | kern_return_t kr; |
1151 | |
1152 | ipc_space_t space = convert_port_to_space_read_no_eval(port); |
1153 | |
1154 | if (space == IPC_SPACE_NULL) { |
1155 | return KERN_INVALID_ARGUMENT; |
1156 | } |
1157 | |
1158 | kr = mach_port_get_context(space, name, context); |
1159 | |
1160 | ipc_space_release(space); |
1161 | return kr; |
1162 | } |
1163 | |
1164 | /* |
1165 | * Routine: mach_port_set_context [kernel call] |
1166 | * Purpose: |
1167 | * Changes a receive right's context pointer. |
1168 | * Conditions: |
1169 | * Nothing locked. |
1170 | * Returns: |
1171 | * KERN_SUCCESS Set context pointer. |
1172 | * KERN_INVALID_TASK The space is null. |
1173 | * KERN_INVALID_TASK The space is dead. |
1174 | * KERN_INVALID_NAME The name doesn't denote a right. |
1175 | * KERN_INVALID_RIGHT Name doesn't denote receive rights. |
1176 | */ |
1177 | |
1178 | kern_return_t |
1179 | mach_port_set_context( |
1180 | ipc_space_t space, |
1181 | mach_port_name_t name, |
1182 | mach_vm_address_t context) |
1183 | { |
1184 | ipc_port_t port; |
1185 | kern_return_t kr; |
1186 | |
1187 | if (space == IS_NULL) { |
1188 | return KERN_INVALID_TASK; |
1189 | } |
1190 | |
1191 | if (!MACH_PORT_VALID(name)) { |
1192 | return KERN_INVALID_RIGHT; |
1193 | } |
1194 | |
1195 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1196 | if (kr != KERN_SUCCESS) { |
1197 | return kr; |
1198 | } |
1199 | |
1200 | /* port is locked and active */ |
1201 | if (port->ip_strict_guard) { |
1202 | uint64_t portguard = port->ip_context; |
1203 | ip_mq_unlock(port); |
1204 | /* For strictly guarded ports, disallow overwriting context; Raise Exception */ |
1205 | mach_port_guard_exception(name, inguard: context, portguard, reason: kGUARD_EXC_SET_CONTEXT); |
1206 | return KERN_INVALID_ARGUMENT; |
1207 | } |
1208 | |
1209 | port->ip_context = context; |
1210 | |
1211 | ip_mq_unlock(port); |
1212 | return KERN_SUCCESS; |
1213 | } |
1214 | |
1215 | |
1216 | /* |
1217 | * Routine: mach_port_get_set_status [kernel call] |
1218 | * Purpose: |
1219 | * Retrieves a list of members in a port set. |
1220 | * Returns the space's name for each receive right member. |
1221 | * Conditions: |
1222 | * Nothing locked. |
1223 | * Returns: |
1224 | * KERN_SUCCESS Retrieved list of members. |
1225 | * KERN_INVALID_TASK The space is null. |
1226 | * KERN_INVALID_TASK The space is dead. |
1227 | * KERN_INVALID_NAME The name doesn't denote a right. |
1228 | * KERN_INVALID_RIGHT Name doesn't denote a port set. |
1229 | * KERN_RESOURCE_SHORTAGE Couldn't allocate memory. |
1230 | */ |
1231 | |
1232 | kern_return_t |
1233 | mach_port_get_set_status( |
1234 | ipc_space_t space, |
1235 | mach_port_name_t name, |
1236 | mach_port_name_t **members, |
1237 | mach_msg_type_number_t *membersCnt) |
1238 | { |
1239 | __block ipc_entry_num_t actual; /* this many members */ |
1240 | ipc_entry_num_t maxnames; /* space for this many members */ |
1241 | kern_return_t kr; |
1242 | |
1243 | vm_size_t size; /* size of allocated memory */ |
1244 | vm_offset_t addr; /* allocated memory */ |
1245 | vm_map_copy_t memory; /* copied-in memory */ |
1246 | |
1247 | if (space == IS_NULL) { |
1248 | return KERN_INVALID_TASK; |
1249 | } |
1250 | |
1251 | if (!MACH_PORT_VALID(name)) { |
1252 | return KERN_INVALID_RIGHT; |
1253 | } |
1254 | |
1255 | size = VM_MAP_PAGE_SIZE(ipc_kernel_map); /* initial guess */ |
1256 | |
1257 | for (;;) { |
1258 | mach_port_name_t *names; |
1259 | ipc_object_t psobj; |
1260 | ipc_pset_t pset; |
1261 | |
1262 | kr = kmem_alloc(map: ipc_kernel_map, addrp: &addr, size, |
1263 | flags: KMA_DATA, VM_KERN_MEMORY_IPC); |
1264 | if (kr != KERN_SUCCESS) { |
1265 | return KERN_RESOURCE_SHORTAGE; |
1266 | } |
1267 | |
1268 | kr = ipc_object_translate(space, name, MACH_PORT_RIGHT_PORT_SET, objectp: &psobj); |
1269 | if (kr != KERN_SUCCESS) { |
1270 | kmem_free(map: ipc_kernel_map, addr, size); |
1271 | return kr; |
1272 | } |
1273 | |
1274 | /* just use a portset reference from here on out */ |
1275 | pset = ips_object_to_pset(psobj); |
1276 | names = (mach_port_name_t *)addr; |
1277 | maxnames = (ipc_entry_num_t)(size / sizeof(mach_port_name_t)); |
1278 | |
1279 | waitq_set_foreach_member_locked(wqset: &pset->ips_wqset, cb: ^(struct waitq *wq){ |
1280 | if (actual < maxnames) { |
1281 | names[actual] = ip_get_receiver_name(ip_from_waitq(wq)); |
1282 | } |
1283 | actual++; |
1284 | }); |
1285 | |
1286 | /* release the portset reference */ |
1287 | ips_mq_unlock(pset); |
1288 | |
1289 | if (actual <= maxnames) { |
1290 | break; |
1291 | } |
1292 | |
1293 | /* didn't have enough memory; allocate more */ |
1294 | kmem_free(map: ipc_kernel_map, addr, size); |
1295 | size = vm_map_round_page(actual * sizeof(mach_port_name_t), |
1296 | VM_MAP_PAGE_MASK(ipc_kernel_map)) + |
1297 | VM_MAP_PAGE_SIZE(ipc_kernel_map); |
1298 | } |
1299 | |
1300 | if (actual == 0) { |
1301 | memory = VM_MAP_COPY_NULL; |
1302 | |
1303 | kmem_free(map: ipc_kernel_map, addr, size); |
1304 | } else { |
1305 | vm_size_t size_used; |
1306 | vm_size_t vm_size_used; |
1307 | |
1308 | qsort(a: (void *)addr, n: actual, es: sizeof(mach_port_name_t), |
1309 | cmp: mach_port_name_cmp); |
1310 | |
1311 | size_used = actual * sizeof(mach_port_name_t); |
1312 | vm_size_used = vm_map_round_page(size_used, |
1313 | VM_MAP_PAGE_MASK(ipc_kernel_map)); |
1314 | |
1315 | if (size_used < vm_size_used) { |
1316 | bzero(s: (char *)addr + size_used, n: vm_size_used - size_used); |
1317 | } |
1318 | |
1319 | /* |
1320 | * Make used memory pageable and get it into |
1321 | * copied-in form. Free any unused memory. |
1322 | */ |
1323 | |
1324 | kr = vm_map_unwire(map: ipc_kernel_map, start: addr, end: addr + vm_size_used, FALSE); |
1325 | assert(kr == KERN_SUCCESS); |
1326 | |
1327 | kr = vm_map_copyin(src_map: ipc_kernel_map, src_addr: (vm_map_address_t)addr, |
1328 | len: (vm_map_size_t)size_used, TRUE, copy_result: &memory); |
1329 | assert(kr == KERN_SUCCESS); |
1330 | |
1331 | if (vm_size_used != size) { |
1332 | kmem_free(map: ipc_kernel_map, |
1333 | addr: addr + vm_size_used, size: size - vm_size_used); |
1334 | } |
1335 | } |
1336 | |
1337 | *members = (mach_port_name_t *) memory; |
1338 | *membersCnt = actual; |
1339 | return KERN_SUCCESS; |
1340 | } |
1341 | |
1342 | kern_return_t |
1343 | mach_port_get_set_status_from_user( |
1344 | mach_port_t port, |
1345 | mach_port_name_t name, |
1346 | mach_port_name_t **members, |
1347 | mach_msg_type_number_t *membersCnt) |
1348 | { |
1349 | kern_return_t kr; |
1350 | |
1351 | ipc_space_t space = convert_port_to_space_read_no_eval(port); |
1352 | |
1353 | if (space == IPC_SPACE_NULL) { |
1354 | return KERN_INVALID_ARGUMENT; |
1355 | } |
1356 | |
1357 | kr = mach_port_get_set_status(space, name, members, membersCnt); |
1358 | |
1359 | ipc_space_release(space); |
1360 | return kr; |
1361 | } |
1362 | |
1363 | /* |
1364 | * Routine: mach_port_move_member [kernel call] |
1365 | * Purpose: |
1366 | * If after is MACH_PORT_NULL, removes member |
1367 | * from the port set it is in. Otherwise, adds |
1368 | * member to after, removing it from any set |
1369 | * it might already be in. |
1370 | * Conditions: |
1371 | * Nothing locked. |
1372 | * Returns: |
1373 | * KERN_SUCCESS Moved the port. |
1374 | * KERN_INVALID_TASK The space is null. |
1375 | * KERN_INVALID_TASK The space is dead. |
1376 | * KERN_INVALID_NAME Member didn't denote a right. |
1377 | * KERN_INVALID_RIGHT Member didn't denote a receive right. |
1378 | * KERN_INVALID_NAME After didn't denote a right. |
1379 | * KERN_INVALID_RIGHT After didn't denote a port set right. |
1380 | * KERN_NOT_IN_SET |
1381 | * After is MACH_PORT_NULL and Member isn't in a port set. |
1382 | */ |
1383 | |
1384 | kern_return_t |
1385 | mach_port_move_member( |
1386 | ipc_space_t space, |
1387 | mach_port_name_t member, |
1388 | mach_port_name_t after) |
1389 | { |
1390 | ipc_object_t port_obj, ps_obj; |
1391 | ipc_port_t port = IP_NULL; |
1392 | kern_return_t kr; |
1393 | waitq_link_list_t free_l = { }; |
1394 | waitq_link_t link = WQL_NULL; |
1395 | struct waitq_set *keep_waitq_set = NULL; |
1396 | |
1397 | if (space == IS_NULL) { |
1398 | return KERN_INVALID_TASK; |
1399 | } |
1400 | |
1401 | if (!MACH_PORT_VALID(member)) { |
1402 | return KERN_INVALID_RIGHT; |
1403 | } |
1404 | |
1405 | if (after == MACH_PORT_DEAD) { |
1406 | return KERN_INVALID_RIGHT; |
1407 | } |
1408 | |
1409 | if (after != MACH_PORT_NULL) { |
1410 | link = waitq_link_alloc(type: WQT_PORT_SET); |
1411 | kr = ipc_object_translate_two(space, |
1412 | name1: member, MACH_PORT_RIGHT_RECEIVE, objectp1: &port_obj, |
1413 | name2: after, MACH_PORT_RIGHT_PORT_SET, objectp2: &ps_obj); |
1414 | } else { |
1415 | kr = ipc_object_translate(space, |
1416 | name: member, MACH_PORT_RIGHT_RECEIVE, objectp: &port_obj); |
1417 | } |
1418 | if (kr != KERN_SUCCESS) { |
1419 | goto done; |
1420 | } |
1421 | |
1422 | port = ip_object_to_port(port_obj); |
1423 | |
1424 | if (after != MACH_PORT_NULL) { |
1425 | ipc_pset_t nset = ips_object_to_pset(ps_obj); |
1426 | |
1427 | ipc_mqueue_add_locked(mqueue: &port->ip_messages, pset: nset, linkp: &link); |
1428 | ips_mq_unlock(nset); |
1429 | |
1430 | keep_waitq_set = &nset->ips_wqset; |
1431 | } else if (!ip_in_pset(port)) { |
1432 | kr = KERN_NOT_IN_SET; |
1433 | } |
1434 | |
1435 | /* |
1436 | * waitq_unlink_all_locked() doesn't dereference `keep_waitq_set, |
1437 | * but we wouldn't want an ABA issue. Fortunately, while `port` |
1438 | * is locked and linked to `nset`, then `nset` can't be reused/freed. |
1439 | */ |
1440 | waitq_unlink_all_locked(waitq: &port->ip_waitq, except_wqset: keep_waitq_set, free_l: &free_l); |
1441 | |
1442 | ip_mq_unlock(port); |
1443 | |
1444 | waitq_link_free_list(type: WQT_PORT_SET, list: &free_l); |
1445 | done: |
1446 | if (link.wqlh) { |
1447 | waitq_link_free(type: WQT_PORT_SET, link); |
1448 | } |
1449 | |
1450 | return kr; |
1451 | } |
1452 | |
1453 | /* |
1454 | * Routine: mach_service_pd_request_notification_check |
1455 | * Purpose: |
1456 | * Check if requesting port destroyed notification on a service port is allowed. |
1457 | * Conditions: |
1458 | * Assumes service_port is locked and active. |
1459 | */ |
1460 | static bool |
1461 | mach_service_pd_request_notification_check( |
1462 | ipc_port_t service_port, |
1463 | ipc_port_t notify_port |
1464 | ) |
1465 | { |
1466 | #ifdef MACH_BSD |
1467 | |
1468 | uintptr_t task; |
1469 | |
1470 | /* Only launchd should be able to register for port destroyed notification on a service port. */ |
1471 | (void)ipc_port_get_receiver_task_locked(port: service_port, task: &task); |
1472 | if (task && !proc_isinitproc(p: get_bsdtask_info((task_t)task))) { |
1473 | return false; |
1474 | } |
1475 | |
1476 | /* Notify port should indicate immovable receive right owned by launchd. */ |
1477 | if (IP_VALID(notify_port)) { |
1478 | ip_mq_lock(notify_port); |
1479 | (void)ipc_port_get_receiver_task_locked(port: notify_port, task: &task); |
1480 | if (task && !proc_isinitproc(p: get_bsdtask_info((task_t)task))) { |
1481 | ip_mq_unlock(notify_port); |
1482 | return false; |
1483 | } |
1484 | if (!notify_port->ip_immovable_receive) { |
1485 | ip_mq_unlock(notify_port); |
1486 | return false; |
1487 | } |
1488 | ip_mq_unlock(notify_port); |
1489 | } |
1490 | #endif |
1491 | |
1492 | return true; |
1493 | } |
1494 | |
1495 | /* |
1496 | * Routine: mach_port_request_notification [kernel call] |
1497 | * Purpose: |
1498 | * Requests a notification. The caller supplies |
1499 | * a send-once right for the notification to use, |
1500 | * and the call returns the previously registered |
1501 | * send-once right, if any. Possible types: |
1502 | * |
1503 | * MACH_NOTIFY_PORT_DESTROYED |
1504 | * Requests a port-destroyed notification |
1505 | * for a receive right. Sync should be zero. |
1506 | * MACH_NOTIFY_SERVICE_PORT_DESTROYED |
1507 | * Special port destroyed notifications to be |
1508 | * used by launchd for service ports only. |
1509 | * MACH_NOTIFY_NO_SENDERS |
1510 | * Requests a no-senders notification for a |
1511 | * receive right. If there are currently no |
1512 | * senders, sync is less than or equal to the |
1513 | * current make-send count, and a send-once right |
1514 | * is supplied, then an immediate no-senders |
1515 | * notification is generated. |
1516 | * MACH_NOTIFY_DEAD_NAME |
1517 | * Requests a dead-name notification for a send |
1518 | * or receive right. If the name is already a |
1519 | * dead name, sync is non-zero, and a send-once |
1520 | * right is supplied, then an immediate dead-name |
1521 | * notification is generated. |
1522 | * Conditions: |
1523 | * Nothing locked. |
1524 | * Returns: |
1525 | * KERN_SUCCESS Requested a notification. |
1526 | * KERN_INVALID_TASK The space is null. |
1527 | * KERN_INVALID_TASK The space is dead. |
1528 | * KERN_INVALID_VALUE Bad id value. |
1529 | * KERN_INVALID_NAME Name doesn't denote a right. |
1530 | * KERN_INVALID_RIGHT Name doesn't denote appropriate right. |
1531 | * KERN_INVALID_CAPABILITY The notify port is dead. |
1532 | * MACH_NOTIFY_PORT_DESTROYED: |
1533 | * KERN_INVALID_VALUE Sync isn't zero. |
1534 | * KERN_FAILURE Re-registering for this notification or registering for a reply port. |
1535 | * If registering for this notification is not allowed on a service port. |
1536 | * MACH_NOTIFY_NO_SENDERS: |
1537 | * KERN_FAILURE Registering for a reply port. |
1538 | * MACH_NOTIFY_SERVICE_PORT_DESTROYED |
1539 | * KERN_INVALID_CAPABILITY Name is not a service port |
1540 | * KERN_DENIED Only launchd can set this notification or |
1541 | * Launchd tried to register the old port |
1542 | * destroyed notification |
1543 | * MACH_NOTIFY_DEAD_NAME: |
1544 | * KERN_RESOURCE_SHORTAGE Couldn't allocate memory. |
1545 | * KERN_INVALID_ARGUMENT Name denotes dead name, but |
1546 | * sync is zero or notify is IP_NULL. |
1547 | * KERN_UREFS_OVERFLOW Name denotes dead name, but |
1548 | * generating immediate notif. would overflow urefs. |
1549 | */ |
1550 | |
1551 | kern_return_t |
1552 | mach_port_request_notification( |
1553 | ipc_space_t space, |
1554 | mach_port_name_t name, |
1555 | mach_msg_id_t id, |
1556 | mach_port_mscount_t sync, |
1557 | ipc_port_t notify, |
1558 | ipc_port_t *previousp) |
1559 | { |
1560 | kern_return_t kr; |
1561 | |
1562 | if (space == IS_NULL) { |
1563 | return KERN_INVALID_TASK; |
1564 | } |
1565 | |
1566 | if (notify == IP_DEAD) { |
1567 | return KERN_INVALID_CAPABILITY; |
1568 | } |
1569 | |
1570 | switch (id) { |
1571 | case MACH_NOTIFY_PORT_DESTROYED: { |
1572 | ipc_port_t port; |
1573 | |
1574 | if (sync != 0) { |
1575 | return KERN_INVALID_VALUE; |
1576 | } |
1577 | |
1578 | if (!MACH_PORT_VALID(name)) { |
1579 | return KERN_INVALID_RIGHT; |
1580 | } |
1581 | |
1582 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1583 | if (kr != KERN_SUCCESS) { |
1584 | return kr; |
1585 | } |
1586 | /* port is locked and active */ |
1587 | |
1588 | /* |
1589 | * you cannot register for port death notifications on a kobject, |
1590 | * kolabel or special reply port. |
1591 | */ |
1592 | if (ip_is_kobject(port) || ip_is_kolabeled(port) || |
1593 | port->ip_specialreply || ip_is_reply_port(port)) { |
1594 | ip_mq_unlock(port); |
1595 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_INVALID_RIGHT); |
1596 | return KERN_INVALID_RIGHT; |
1597 | } |
1598 | |
1599 | if (service_port_defense_enabled && port->ip_service_port && |
1600 | !mach_service_pd_request_notification_check(service_port: port, notify_port: notify)) { |
1601 | ip_mq_unlock(port); |
1602 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_KERN_FAILURE); |
1603 | return KERN_FAILURE; |
1604 | } |
1605 | |
1606 | /* Allow only one registeration of this notification */ |
1607 | if (ipc_port_has_prdrequest(port)) { |
1608 | ip_mq_unlock(port); |
1609 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_KERN_FAILURE); |
1610 | return KERN_FAILURE; |
1611 | } |
1612 | |
1613 | if (port->ip_has_watchport) { |
1614 | port->ip_twe->twe_pdrequest = notify; |
1615 | } else { |
1616 | port->ip_pdrequest = notify; |
1617 | } |
1618 | ip_mq_unlock(port); |
1619 | *previousp = IP_NULL; |
1620 | break; |
1621 | } |
1622 | |
1623 | case MACH_NOTIFY_NO_SENDERS: { |
1624 | ipc_port_t port; |
1625 | |
1626 | if (!MACH_PORT_VALID(name)) { |
1627 | return KERN_INVALID_RIGHT; |
1628 | } |
1629 | |
1630 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1631 | if (kr != KERN_SUCCESS) { |
1632 | return kr; |
1633 | } |
1634 | /* port is locked and active */ |
1635 | |
1636 | if (ip_is_reply_port(port)) { |
1637 | ip_mq_unlock(port); |
1638 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_INVALID_RIGHT); |
1639 | return KERN_INVALID_RIGHT; |
1640 | } |
1641 | |
1642 | ipc_port_nsrequest(port, sync, notify, previousp); |
1643 | /* port is unlocked */ |
1644 | break; |
1645 | } |
1646 | |
1647 | case MACH_NOTIFY_SEND_POSSIBLE: |
1648 | case MACH_NOTIFY_DEAD_NAME: { |
1649 | ipc_port_request_opts_t opts = 0; |
1650 | |
1651 | if (!MACH_PORT_VALID(name)) { |
1652 | return KERN_INVALID_ARGUMENT; |
1653 | } |
1654 | |
1655 | if (id == MACH_NOTIFY_SEND_POSSIBLE) { |
1656 | opts |= IPR_SOR_SPREQ_MASK; |
1657 | if (sync) { |
1658 | opts |= IPR_SOR_SPARM_MASK; |
1659 | } |
1660 | } |
1661 | |
1662 | kr = ipc_right_request_alloc(space, name, options: opts, notify, previousp); |
1663 | if (kr != KERN_SUCCESS) { |
1664 | return kr; |
1665 | } |
1666 | break; |
1667 | } |
1668 | |
1669 | default: |
1670 | return KERN_INVALID_VALUE; |
1671 | } |
1672 | |
1673 | return KERN_SUCCESS; |
1674 | } |
1675 | |
1676 | /* |
1677 | * Routine: mach_port_insert_right [kernel call] |
1678 | * Purpose: |
1679 | * Inserts a right into a space, as if the space |
1680 | * voluntarily received the right in a message, |
1681 | * except that the right gets the specified name. |
1682 | * Conditions: |
1683 | * Nothing locked. |
1684 | * Returns: |
1685 | * KERN_SUCCESS Inserted the right. |
1686 | * KERN_INVALID_TASK The space is null. |
1687 | * KERN_INVALID_TASK The space is dead. |
1688 | * KERN_INVALID_VALUE The name isn't a legal name. |
1689 | * KERN_NAME_EXISTS The name already denotes a right. |
1690 | * KERN_INVALID_VALUE Message doesn't carry a port right. |
1691 | * KERN_INVALID_CAPABILITY Port is null or dead. |
1692 | * KERN_UREFS_OVERFLOW Urefs limit would be exceeded. |
1693 | * KERN_RIGHT_EXISTS Space has rights under another name. |
1694 | * KERN_RESOURCE_SHORTAGE Couldn't allocate memory. |
1695 | */ |
1696 | |
1697 | kern_return_t |
1698 | mach_port_insert_right( |
1699 | ipc_space_t space, |
1700 | mach_port_name_t name, |
1701 | ipc_port_t poly, |
1702 | mach_msg_type_name_t polyPoly) |
1703 | { |
1704 | if (space == IS_NULL) { |
1705 | return KERN_INVALID_TASK; |
1706 | } |
1707 | |
1708 | if (!MACH_PORT_VALID(name) || |
1709 | !MACH_MSG_TYPE_PORT_ANY_RIGHT(polyPoly)) { |
1710 | return KERN_INVALID_VALUE; |
1711 | } |
1712 | |
1713 | if (!IP_VALID(poly)) { |
1714 | return KERN_INVALID_CAPABILITY; |
1715 | } |
1716 | |
1717 | return ipc_object_copyout_name(space, ip_to_object(poly), |
1718 | msgt_name: polyPoly, name); |
1719 | } |
1720 | |
1721 | /* |
1722 | * Routine: mach_port_extract_right [kernel call] |
1723 | * Purpose: |
1724 | * Extracts a right from a space, as if the space |
1725 | * voluntarily sent the right to the caller. |
1726 | * Conditions: |
1727 | * Nothing locked. |
1728 | * Returns: |
1729 | * KERN_SUCCESS Extracted the right. |
1730 | * KERN_INVALID_TASK The space is null. |
1731 | * KERN_INVALID_TASK The space is dead. |
1732 | * KERN_INVALID_VALUE Requested type isn't a port right. |
1733 | * KERN_INVALID_NAME Name doesn't denote a right. |
1734 | * KERN_INVALID_RIGHT Name doesn't denote appropriate right. |
1735 | */ |
1736 | |
1737 | kern_return_t |
1738 | ( |
1739 | ipc_space_t space, |
1740 | mach_port_name_t name, |
1741 | mach_msg_type_name_t msgt_name, |
1742 | ipc_port_t *poly, |
1743 | mach_msg_type_name_t *polyPoly) |
1744 | { |
1745 | kern_return_t kr; |
1746 | |
1747 | if (space == IS_NULL) { |
1748 | return KERN_INVALID_TASK; |
1749 | } |
1750 | |
1751 | if (!MACH_MSG_TYPE_PORT_ANY(msgt_name)) { |
1752 | return KERN_INVALID_VALUE; |
1753 | } |
1754 | |
1755 | if (!MACH_PORT_VALID(name)) { |
1756 | /* |
1757 | * really should copy out a dead name, if it is a send or |
1758 | * send-once right being copied, but instead return an |
1759 | * error for now. |
1760 | */ |
1761 | return KERN_INVALID_RIGHT; |
1762 | } |
1763 | |
1764 | kr = ipc_object_copyin(space, name, msgt_name, objectp: (ipc_object_t *) poly, context: 0, NULL, |
1765 | copyin_flags: (space == current_space() && msgt_name == MACH_MSG_TYPE_COPY_SEND) ? |
1766 | IPC_OBJECT_COPYIN_FLAGS_ALLOW_IMMOVABLE_SEND : IPC_OBJECT_COPYIN_FLAGS_NONE); |
1767 | |
1768 | if (kr == KERN_SUCCESS) { |
1769 | *polyPoly = ipc_object_copyin_type(msgt_name); |
1770 | } |
1771 | return kr; |
1772 | } |
1773 | |
1774 | /* |
1775 | * Routine: mach_port_get_status_helper [helper] |
1776 | * Purpose: |
1777 | * Populates a mach_port_status_t structure with |
1778 | * port information. |
1779 | * Conditions: |
1780 | * Port needs to be locked |
1781 | * Returns: |
1782 | * None. |
1783 | */ |
1784 | static void |
1785 | mach_port_get_status_helper( |
1786 | ipc_port_t port, |
1787 | mach_port_status_t *statusp) |
1788 | { |
1789 | /* don't leak set IDs, just indicate that the port is in one or not */ |
1790 | statusp->mps_pset = ip_in_pset(port); |
1791 | statusp->mps_seqno = port->ip_messages.imq_seqno; |
1792 | statusp->mps_qlimit = port->ip_messages.imq_qlimit; |
1793 | statusp->mps_msgcount = port->ip_messages.imq_msgcount; |
1794 | |
1795 | statusp->mps_mscount = port->ip_mscount; |
1796 | statusp->mps_sorights = port->ip_sorights; |
1797 | statusp->mps_srights = port->ip_srights > 0; |
1798 | statusp->mps_pdrequest = ipc_port_has_prdrequest(port); |
1799 | statusp->mps_nsrequest = port->ip_nsrequest != IP_NULL; |
1800 | statusp->mps_flags = 0; |
1801 | if (port->ip_impdonation) { |
1802 | statusp->mps_flags |= MACH_PORT_STATUS_FLAG_IMP_DONATION; |
1803 | if (port->ip_tempowner) { |
1804 | statusp->mps_flags |= MACH_PORT_STATUS_FLAG_TEMPOWNER; |
1805 | if (IIT_NULL != ip_get_imp_task(port)) { |
1806 | statusp->mps_flags |= MACH_PORT_STATUS_FLAG_TASKPTR; |
1807 | } |
1808 | } |
1809 | } |
1810 | if (port->ip_guarded) { |
1811 | statusp->mps_flags |= MACH_PORT_STATUS_FLAG_GUARDED; |
1812 | if (port->ip_strict_guard) { |
1813 | statusp->mps_flags |= MACH_PORT_STATUS_FLAG_STRICT_GUARD; |
1814 | } |
1815 | if (port->ip_immovable_receive) { |
1816 | statusp->mps_flags |= MACH_PORT_STATUS_FLAG_GUARD_IMMOVABLE_RECEIVE; |
1817 | } |
1818 | } |
1819 | if (port->ip_no_grant) { |
1820 | statusp->mps_flags |= MACH_PORT_STATUS_FLAG_NO_GRANT; |
1821 | } |
1822 | return; |
1823 | } |
1824 | |
1825 | kern_return_t |
1826 | mach_port_get_attributes( |
1827 | ipc_space_t space, |
1828 | mach_port_name_t name, |
1829 | int flavor, |
1830 | mach_port_info_t info, |
1831 | mach_msg_type_number_t *count) |
1832 | { |
1833 | ipc_port_t port; |
1834 | kern_return_t kr; |
1835 | |
1836 | if (space == IS_NULL) { |
1837 | return KERN_INVALID_TASK; |
1838 | } |
1839 | |
1840 | switch (flavor) { |
1841 | case MACH_PORT_LIMITS_INFO: { |
1842 | mach_port_limits_t *lp = (mach_port_limits_t *)info; |
1843 | |
1844 | if (*count < MACH_PORT_LIMITS_INFO_COUNT) { |
1845 | return KERN_FAILURE; |
1846 | } |
1847 | |
1848 | if (!MACH_PORT_VALID(name)) { |
1849 | *count = 0; |
1850 | break; |
1851 | } |
1852 | |
1853 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1854 | if (kr != KERN_SUCCESS) { |
1855 | return kr; |
1856 | } |
1857 | /* port is locked and active */ |
1858 | |
1859 | lp->mpl_qlimit = port->ip_messages.imq_qlimit; |
1860 | *count = MACH_PORT_LIMITS_INFO_COUNT; |
1861 | ip_mq_unlock(port); |
1862 | break; |
1863 | } |
1864 | |
1865 | case MACH_PORT_RECEIVE_STATUS: { |
1866 | mach_port_status_t *statusp = (mach_port_status_t *)info; |
1867 | |
1868 | if (*count < MACH_PORT_RECEIVE_STATUS_COUNT) { |
1869 | return KERN_FAILURE; |
1870 | } |
1871 | |
1872 | if (!MACH_PORT_VALID(name)) { |
1873 | return KERN_INVALID_RIGHT; |
1874 | } |
1875 | |
1876 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1877 | if (kr != KERN_SUCCESS) { |
1878 | return kr; |
1879 | } |
1880 | /* port is locked and active */ |
1881 | mach_port_get_status_helper(port, statusp); |
1882 | *count = MACH_PORT_RECEIVE_STATUS_COUNT; |
1883 | ip_mq_unlock(port); |
1884 | break; |
1885 | } |
1886 | |
1887 | case MACH_PORT_DNREQUESTS_SIZE: { |
1888 | ipc_port_request_table_t table; |
1889 | |
1890 | if (*count < MACH_PORT_DNREQUESTS_SIZE_COUNT) { |
1891 | return KERN_FAILURE; |
1892 | } |
1893 | |
1894 | if (!MACH_PORT_VALID(name)) { |
1895 | *(int *)info = 0; |
1896 | break; |
1897 | } |
1898 | |
1899 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1900 | if (kr != KERN_SUCCESS) { |
1901 | return kr; |
1902 | } |
1903 | /* port is locked and active */ |
1904 | |
1905 | table = port->ip_requests; |
1906 | if (table == NULL) { |
1907 | *(int *)info = 0; |
1908 | } else { |
1909 | *(int *)info = (int)ipc_port_request_table_count(array: table); |
1910 | } |
1911 | *count = MACH_PORT_DNREQUESTS_SIZE_COUNT; |
1912 | ip_mq_unlock(port); |
1913 | break; |
1914 | } |
1915 | |
1916 | case MACH_PORT_INFO_EXT: { |
1917 | mach_port_info_ext_t *mp_info = (mach_port_info_ext_t *)info; |
1918 | if (*count < MACH_PORT_INFO_EXT_COUNT) { |
1919 | return KERN_FAILURE; |
1920 | } |
1921 | |
1922 | if (!MACH_PORT_VALID(name)) { |
1923 | return KERN_INVALID_RIGHT; |
1924 | } |
1925 | |
1926 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1927 | if (kr != KERN_SUCCESS) { |
1928 | return kr; |
1929 | } |
1930 | /* port is locked and active */ |
1931 | mach_port_get_status_helper(port, statusp: &mp_info->mpie_status); |
1932 | mp_info->mpie_boost_cnt = port->ip_impcount; |
1933 | *count = MACH_PORT_INFO_EXT_COUNT; |
1934 | ip_mq_unlock(port); |
1935 | break; |
1936 | } |
1937 | |
1938 | case MACH_PORT_SERVICE_THROTTLED: { |
1939 | boolean_t *is_throttled = info; |
1940 | |
1941 | if (!MACH_PORT_VALID(name)) { |
1942 | return KERN_INVALID_RIGHT; |
1943 | } |
1944 | |
1945 | kr = ipc_port_translate_receive(space, name, portp: &port); |
1946 | if (kr != KERN_SUCCESS) { |
1947 | return kr; |
1948 | } |
1949 | /* port is locked and active */ |
1950 | |
1951 | if (!port->ip_service_port) { |
1952 | ip_mq_unlock(port); |
1953 | return KERN_INVALID_CAPABILITY; |
1954 | } |
1955 | |
1956 | assert(port->ip_splabel != NULL); |
1957 | *is_throttled = ipc_service_port_label_is_throttled((ipc_service_port_label_t)port->ip_splabel); |
1958 | *count = MACH_PORT_SERVICE_THROTTLED_COUNT; |
1959 | ip_mq_unlock(port); |
1960 | break; |
1961 | } |
1962 | |
1963 | default: |
1964 | return KERN_INVALID_ARGUMENT; |
1965 | /*NOTREACHED*/ |
1966 | } |
1967 | |
1968 | return KERN_SUCCESS; |
1969 | } |
1970 | |
1971 | kern_return_t |
1972 | mach_port_get_attributes_from_user( |
1973 | mach_port_t port, |
1974 | mach_port_name_t name, |
1975 | int flavor, |
1976 | mach_port_info_t info, |
1977 | mach_msg_type_number_t *count) |
1978 | { |
1979 | kern_return_t kr; |
1980 | |
1981 | ipc_space_t space = convert_port_to_space_read_no_eval(port); |
1982 | |
1983 | if (space == IPC_SPACE_NULL) { |
1984 | return KERN_INVALID_ARGUMENT; |
1985 | } |
1986 | |
1987 | kr = mach_port_get_attributes(space, name, flavor, info, count); |
1988 | |
1989 | ipc_space_release(space); |
1990 | return kr; |
1991 | } |
1992 | |
1993 | kern_return_t |
1994 | mach_port_set_attributes( |
1995 | ipc_space_t space, |
1996 | mach_port_name_t name, |
1997 | int flavor, |
1998 | mach_port_info_t info, |
1999 | mach_msg_type_number_t count) |
2000 | { |
2001 | ipc_port_t port; |
2002 | kern_return_t kr; |
2003 | |
2004 | if (space == IS_NULL) { |
2005 | return KERN_INVALID_TASK; |
2006 | } |
2007 | |
2008 | switch (flavor) { |
2009 | case MACH_PORT_LIMITS_INFO: { |
2010 | mach_port_limits_t *mplp = (mach_port_limits_t *)info; |
2011 | |
2012 | if (count < MACH_PORT_LIMITS_INFO_COUNT) { |
2013 | return KERN_FAILURE; |
2014 | } |
2015 | |
2016 | if (mplp->mpl_qlimit > MACH_PORT_QLIMIT_MAX) { |
2017 | return KERN_INVALID_VALUE; |
2018 | } |
2019 | |
2020 | if (!MACH_PORT_VALID(name)) { |
2021 | return KERN_INVALID_RIGHT; |
2022 | } |
2023 | |
2024 | kr = ipc_port_translate_receive(space, name, portp: &port); |
2025 | if (kr != KERN_SUCCESS) { |
2026 | return kr; |
2027 | } |
2028 | /* port is locked and active */ |
2029 | |
2030 | ipc_mqueue_set_qlimit_locked(mqueue: &port->ip_messages, qlimit: mplp->mpl_qlimit); |
2031 | ip_mq_unlock(port); |
2032 | break; |
2033 | } |
2034 | case MACH_PORT_DNREQUESTS_SIZE: { |
2035 | if (count < MACH_PORT_DNREQUESTS_SIZE_COUNT) { |
2036 | return KERN_FAILURE; |
2037 | } |
2038 | |
2039 | if (!MACH_PORT_VALID(name)) { |
2040 | return KERN_INVALID_RIGHT; |
2041 | } |
2042 | |
2043 | kr = ipc_port_translate_receive(space, name, portp: &port); |
2044 | if (kr != KERN_SUCCESS) { |
2045 | return kr; |
2046 | } |
2047 | /* port is locked and active */ |
2048 | ip_mq_unlock(port); |
2049 | break; |
2050 | } |
2051 | case MACH_PORT_TEMPOWNER: { |
2052 | if (!MACH_PORT_VALID(name)) { |
2053 | return KERN_INVALID_RIGHT; |
2054 | } |
2055 | |
2056 | ipc_importance_task_t release_imp_task = IIT_NULL; |
2057 | natural_t assertcnt = 0; |
2058 | |
2059 | kr = ipc_port_translate_receive(space, name, portp: &port); |
2060 | if (kr != KERN_SUCCESS) { |
2061 | return kr; |
2062 | } |
2063 | /* port is locked and active */ |
2064 | |
2065 | /* |
2066 | * don't allow temp-owner importance donation if user |
2067 | * associated it with a kobject already (timer, host_notify target), |
2068 | * or is a special reply port. |
2069 | */ |
2070 | if (ip_is_kobject(port) || port->ip_specialreply) { |
2071 | ip_mq_unlock(port); |
2072 | return KERN_INVALID_ARGUMENT; |
2073 | } |
2074 | |
2075 | if (port->ip_tempowner != 0) { |
2076 | if (IIT_NULL != ip_get_imp_task(port)) { |
2077 | release_imp_task = ip_get_imp_task(port); |
2078 | port->ip_imp_task = IIT_NULL; |
2079 | assertcnt = port->ip_impcount; |
2080 | } |
2081 | } else { |
2082 | assertcnt = port->ip_impcount; |
2083 | } |
2084 | |
2085 | port->ip_impdonation = 1; |
2086 | port->ip_tempowner = 1; |
2087 | ip_mq_unlock(port); |
2088 | |
2089 | #if IMPORTANCE_INHERITANCE |
2090 | /* drop assertions from previous destination task */ |
2091 | if (release_imp_task != IIT_NULL) { |
2092 | assert(ipc_importance_task_is_any_receiver_type(release_imp_task)); |
2093 | if (assertcnt > 0) { |
2094 | ipc_importance_task_drop_internal_assertion(task_imp: release_imp_task, count: assertcnt); |
2095 | } |
2096 | ipc_importance_task_release(task_imp: release_imp_task); |
2097 | } else if (assertcnt > 0) { |
2098 | release_imp_task = current_task()->task_imp_base; |
2099 | if (release_imp_task != IIT_NULL && |
2100 | ipc_importance_task_is_any_receiver_type(task_imp: release_imp_task)) { |
2101 | ipc_importance_task_drop_internal_assertion(task_imp: release_imp_task, count: assertcnt); |
2102 | } |
2103 | } |
2104 | #else |
2105 | if (release_imp_task != IIT_NULL) { |
2106 | ipc_importance_task_release(release_imp_task); |
2107 | } |
2108 | #endif /* IMPORTANCE_INHERITANCE */ |
2109 | |
2110 | break; |
2111 | |
2112 | #if IMPORTANCE_INHERITANCE |
2113 | case MACH_PORT_DENAP_RECEIVER: |
2114 | case MACH_PORT_IMPORTANCE_RECEIVER: |
2115 | if (!MACH_PORT_VALID(name)) { |
2116 | return KERN_INVALID_RIGHT; |
2117 | } |
2118 | |
2119 | kr = ipc_port_translate_receive(space, name, portp: &port); |
2120 | if (kr != KERN_SUCCESS) { |
2121 | return kr; |
2122 | } |
2123 | |
2124 | /* |
2125 | * don't allow importance donation if user associated |
2126 | * it with a kobject already (timer, host_notify target), |
2127 | * or is a special reply port. |
2128 | */ |
2129 | if (ip_is_kobject(port) || port->ip_specialreply) { |
2130 | ip_mq_unlock(port); |
2131 | return KERN_INVALID_ARGUMENT; |
2132 | } |
2133 | |
2134 | /* port is locked and active */ |
2135 | port->ip_impdonation = 1; |
2136 | ip_mq_unlock(port); |
2137 | |
2138 | break; |
2139 | #endif /* IMPORTANCE_INHERITANCE */ |
2140 | } |
2141 | |
2142 | case MACH_PORT_SERVICE_THROTTLED: { |
2143 | boolean_t is_throttled = *info; |
2144 | |
2145 | if (!MACH_PORT_VALID(name)) { |
2146 | return KERN_INVALID_RIGHT; |
2147 | } |
2148 | |
2149 | kr = ipc_port_translate_receive(space, name, portp: &port); |
2150 | if (kr != KERN_SUCCESS) { |
2151 | return kr; |
2152 | } |
2153 | /* port is locked and active */ |
2154 | |
2155 | if (!port->ip_service_port) { |
2156 | ip_mq_unlock(port); |
2157 | return KERN_INVALID_CAPABILITY; |
2158 | } |
2159 | |
2160 | assert(port->ip_splabel != NULL); |
2161 | if (is_throttled) { |
2162 | ipc_service_port_label_set_flag(port_splabel: port->ip_splabel, flag: ISPL_FLAGS_THROTTLED); |
2163 | } else { |
2164 | ipc_service_port_label_clear_flag(port_splabel: port->ip_splabel, flag: ISPL_FLAGS_THROTTLED); |
2165 | } |
2166 | ip_mq_unlock(port); |
2167 | break; |
2168 | } |
2169 | |
2170 | default: |
2171 | return KERN_INVALID_ARGUMENT; |
2172 | /*NOTREACHED*/ |
2173 | } |
2174 | return KERN_SUCCESS; |
2175 | } |
2176 | |
2177 | /* |
2178 | * Routine: mach_port_insert_member [kernel call] |
2179 | * Purpose: |
2180 | * Add the receive right, specified by name, to |
2181 | * a portset. |
2182 | * The port cannot already be a member of the set. |
2183 | * Conditions: |
2184 | * Nothing locked. |
2185 | * Returns: |
2186 | * KERN_SUCCESS Moved the port. |
2187 | * KERN_INVALID_TASK The space is null. |
2188 | * KERN_INVALID_TASK The space is dead. |
2189 | * KERN_INVALID_NAME name didn't denote a right. |
2190 | * KERN_INVALID_RIGHT name didn't denote a receive right. |
2191 | * KERN_INVALID_NAME pset_name didn't denote a right. |
2192 | * KERN_INVALID_RIGHT pset_name didn't denote a portset right. |
2193 | * KERN_ALREADY_IN_SET name was already a member of pset. |
2194 | */ |
2195 | |
2196 | kern_return_t |
2197 | mach_port_insert_member( |
2198 | ipc_space_t space, |
2199 | mach_port_name_t name, |
2200 | mach_port_name_t psname) |
2201 | { |
2202 | ipc_object_t obj; |
2203 | ipc_object_t psobj; |
2204 | kern_return_t kr; |
2205 | ipc_port_t port = IP_NULL; |
2206 | ipc_pset_t pset = IPS_NULL; |
2207 | waitq_link_t link; |
2208 | |
2209 | if (space == IS_NULL) { |
2210 | return KERN_INVALID_TASK; |
2211 | } |
2212 | |
2213 | if (!MACH_PORT_VALID(name) || !MACH_PORT_VALID(psname)) { |
2214 | return KERN_INVALID_RIGHT; |
2215 | } |
2216 | |
2217 | link = waitq_link_alloc(type: WQT_PORT_SET); |
2218 | |
2219 | kr = ipc_object_translate_two(space, |
2220 | name1: name, MACH_PORT_RIGHT_RECEIVE, objectp1: &obj, |
2221 | name2: psname, MACH_PORT_RIGHT_PORT_SET, objectp2: &psobj); |
2222 | if (kr != KERN_SUCCESS) { |
2223 | goto done; |
2224 | } |
2225 | |
2226 | /* obj and psobj are locked (and were locked in that order) */ |
2227 | assert(psobj != IO_NULL); |
2228 | assert(obj != IO_NULL); |
2229 | |
2230 | port = ip_object_to_port(obj); |
2231 | pset = ips_object_to_pset(psobj); |
2232 | |
2233 | kr = ipc_mqueue_add_locked(mqueue: &port->ip_messages, pset, linkp: &link); |
2234 | |
2235 | ips_mq_unlock(pset); |
2236 | ip_mq_unlock(port); |
2237 | |
2238 | done: |
2239 | if (link.wqlh) { |
2240 | waitq_link_free(type: WQT_PORT_SET, link); |
2241 | } |
2242 | |
2243 | return kr; |
2244 | } |
2245 | |
2246 | /* |
2247 | * Routine: mach_port_extract_member [kernel call] |
2248 | * Purpose: |
2249 | * Remove a port from one portset that it is a member of. |
2250 | * Conditions: |
2251 | * Nothing locked. |
2252 | * Returns: |
2253 | * KERN_SUCCESS Moved the port. |
2254 | * KERN_INVALID_TASK The space is null. |
2255 | * KERN_INVALID_TASK The space is dead. |
2256 | * KERN_INVALID_NAME Member didn't denote a right. |
2257 | * KERN_INVALID_RIGHT Member didn't denote a receive right. |
2258 | * KERN_INVALID_NAME After didn't denote a right. |
2259 | * KERN_INVALID_RIGHT After didn't denote a port set right. |
2260 | * KERN_NOT_IN_SET |
2261 | * After is MACH_PORT_NULL and Member isn't in a port set. |
2262 | */ |
2263 | |
2264 | kern_return_t |
2265 | ( |
2266 | ipc_space_t space, |
2267 | mach_port_name_t name, |
2268 | mach_port_name_t psname) |
2269 | { |
2270 | ipc_object_t psobj; |
2271 | ipc_object_t obj; |
2272 | kern_return_t kr; |
2273 | ipc_port_t port = IP_NULL; |
2274 | ipc_pset_t pset = IPS_NULL; |
2275 | waitq_link_t link; |
2276 | |
2277 | if (space == IS_NULL) { |
2278 | return KERN_INVALID_TASK; |
2279 | } |
2280 | |
2281 | if (!MACH_PORT_VALID(name) || !MACH_PORT_VALID(psname)) { |
2282 | return KERN_INVALID_RIGHT; |
2283 | } |
2284 | |
2285 | kr = ipc_object_translate_two(space, |
2286 | name1: name, MACH_PORT_RIGHT_RECEIVE, objectp1: &obj, |
2287 | name2: psname, MACH_PORT_RIGHT_PORT_SET, objectp2: &psobj); |
2288 | if (kr != KERN_SUCCESS) { |
2289 | return kr; |
2290 | } |
2291 | |
2292 | /* obj and psobj are both locked (and were locked in that order) */ |
2293 | assert(psobj != IO_NULL); |
2294 | assert(obj != IO_NULL); |
2295 | |
2296 | port = ip_object_to_port(obj); |
2297 | pset = ips_object_to_pset(psobj); |
2298 | |
2299 | link = waitq_unlink_locked(waitq: &port->ip_waitq, wqset: &pset->ips_wqset); |
2300 | |
2301 | ips_mq_unlock(pset); |
2302 | ip_mq_unlock(port); |
2303 | |
2304 | if (link.wqlh) { |
2305 | waitq_link_free(type: WQT_PORT_SET, link); |
2306 | return KERN_SUCCESS; |
2307 | } |
2308 | |
2309 | return KERN_NOT_IN_SET; |
2310 | } |
2311 | |
2312 | /* |
2313 | * task_set_port_space: |
2314 | * |
2315 | * Obsolete. Set port name space of task to specified size. |
2316 | */ |
2317 | kern_return_t |
2318 | task_set_port_space( |
2319 | ipc_space_t space, |
2320 | __unused int table_entries) |
2321 | { |
2322 | if (space == IS_NULL) { |
2323 | return KERN_INVALID_TASK; |
2324 | } |
2325 | |
2326 | return KERN_SUCCESS; |
2327 | } |
2328 | |
2329 | /* |
2330 | * Routine: mach_port_guard_locked [helper routine] |
2331 | * Purpose: |
2332 | * Sets a new guard for a locked port. |
2333 | * Conditions: |
2334 | * Port Locked. |
2335 | * Returns: |
2336 | * KERN_SUCCESS Port Guarded. |
2337 | * KERN_INVALID_ARGUMENT Port already contains a context/guard. |
2338 | */ |
2339 | static kern_return_t |
2340 | mach_port_guard_locked( |
2341 | ipc_port_t port, |
2342 | uint64_t guard, |
2343 | uint64_t flags) |
2344 | { |
2345 | if (port->ip_context) { |
2346 | return KERN_INVALID_ARGUMENT; |
2347 | } |
2348 | |
2349 | int strict = (flags & MPG_STRICT)? 1 : 0; |
2350 | int immovable_receive = (flags & MPG_IMMOVABLE_RECEIVE)? 1 : 0; |
2351 | |
2352 | port->ip_context = guard; |
2353 | port->ip_guarded = 1; |
2354 | port->ip_strict_guard = strict; |
2355 | /* ip_immovable_receive bit is sticky and can't be un-guarded */ |
2356 | if (!port->ip_immovable_receive) { |
2357 | port->ip_immovable_receive = immovable_receive; |
2358 | } |
2359 | |
2360 | return KERN_SUCCESS; |
2361 | } |
2362 | |
2363 | /* |
2364 | * Routine: mach_port_unguard_locked [helper routine] |
2365 | * Purpose: |
2366 | * Removes guard for a locked port. |
2367 | * Conditions: |
2368 | * Port Locked. |
2369 | * Returns: |
2370 | * KERN_SUCCESS Port Unguarded. |
2371 | * KERN_INVALID_ARGUMENT Port is either unguarded already or guard mismatch. |
2372 | * This also raises a EXC_GUARD exception. |
2373 | */ |
2374 | static kern_return_t |
2375 | mach_port_unguard_locked( |
2376 | ipc_port_t port, |
2377 | mach_port_name_t name, |
2378 | uint64_t guard) |
2379 | { |
2380 | /* Port locked and active */ |
2381 | if (!port->ip_guarded) { |
2382 | /* Port already unguarded; Raise exception */ |
2383 | mach_port_guard_exception(name, inguard: guard, portguard: 0, reason: kGUARD_EXC_UNGUARDED); |
2384 | return KERN_INVALID_ARGUMENT; |
2385 | } |
2386 | |
2387 | if (port->ip_context != guard) { |
2388 | /* Incorrect guard; Raise exception */ |
2389 | mach_port_guard_exception(name, inguard: guard, portguard: port->ip_context, reason: kGUARD_EXC_INCORRECT_GUARD); |
2390 | return KERN_INVALID_ARGUMENT; |
2391 | } |
2392 | |
2393 | port->ip_context = 0; |
2394 | port->ip_guarded = port->ip_strict_guard = 0; |
2395 | /* Don't clear the ip_immovable_receive bit */ |
2396 | |
2397 | return KERN_SUCCESS; |
2398 | } |
2399 | |
2400 | |
2401 | /* |
2402 | * Routine: mach_port_guard_exception [helper routine] |
2403 | * Purpose: |
2404 | * Marks the thread with AST_GUARD for mach port guard violation. |
2405 | * Also saves exception info in thread structure. |
2406 | * Conditions: |
2407 | * None. |
2408 | * Returns: |
2409 | * KERN_FAILURE Thread marked with AST_GUARD. |
2410 | */ |
2411 | void |
2412 | mach_port_guard_exception( |
2413 | mach_port_name_t name, |
2414 | __unused uint64_t inguard, |
2415 | uint64_t portguard, |
2416 | unsigned reason) |
2417 | { |
2418 | mach_exception_code_t code = 0; |
2419 | EXC_GUARD_ENCODE_TYPE(code, GUARD_TYPE_MACH_PORT); |
2420 | EXC_GUARD_ENCODE_FLAVOR(code, reason); |
2421 | EXC_GUARD_ENCODE_TARGET(code, name); |
2422 | mach_exception_subcode_t subcode = (uint64_t)portguard; |
2423 | thread_t t = current_thread(); |
2424 | boolean_t fatal = FALSE; |
2425 | |
2426 | if (reason <= MAX_OPTIONAL_kGUARD_EXC_CODE && |
2427 | (get_threadtask(t)->task_exc_guard & TASK_EXC_GUARD_MP_FATAL)) { |
2428 | fatal = TRUE; |
2429 | } else if (reason <= MAX_FATAL_kGUARD_EXC_CODE) { |
2430 | fatal = TRUE; |
2431 | } |
2432 | thread_guard_violation(t, code, subcode, fatal); |
2433 | } |
2434 | |
2435 | /* |
2436 | * Deliver a soft or hard immovable guard exception. |
2437 | * |
2438 | * Conditions: port is marked as immovable. |
2439 | */ |
2440 | void |
2441 | mach_port_guard_exception_immovable( |
2442 | ipc_space_t space, |
2443 | mach_port_name_t name, |
2444 | mach_port_t port, |
2445 | uint64_t portguard) |
2446 | { |
2447 | if (space == current_space()) { |
2448 | assert(ip_is_immovable_send(port)); |
2449 | |
2450 | boolean_t hard = task_get_control_port_options(task: current_task()) & TASK_CONTROL_PORT_IMMOVABLE_HARD; |
2451 | |
2452 | if (ip_is_control(port)) { |
2453 | assert(task_is_immovable(current_task())); |
2454 | mach_port_guard_exception(name, inguard: 0, portguard, |
2455 | reason: hard ? kGUARD_EXC_IMMOVABLE : kGUARD_EXC_IMMOVABLE_NON_FATAL); |
2456 | } else { |
2457 | /* always fatal exception for non-control port violation */ |
2458 | mach_port_guard_exception(name, inguard: 0, portguard, reason: kGUARD_EXC_IMMOVABLE); |
2459 | } |
2460 | } |
2461 | } |
2462 | |
2463 | /* |
2464 | * Deliver a soft or hard immovable guard exception. |
2465 | * |
2466 | * Conditions: port is marked as immovable and pinned. |
2467 | */ |
2468 | void |
2469 | mach_port_guard_exception_pinned( |
2470 | ipc_space_t space, |
2471 | mach_port_name_t name, |
2472 | __assert_only mach_port_t port, |
2473 | uint64_t portguard) |
2474 | { |
2475 | if (space == current_space()) { |
2476 | assert(ip_is_immovable_send(port)); |
2477 | assert(ip_is_control(port)); /* only task/thread control ports can be pinned */ |
2478 | |
2479 | boolean_t hard = task_get_control_port_options(task: current_task()) & TASK_CONTROL_PORT_PINNED_HARD; |
2480 | |
2481 | assert(task_is_pinned(current_task())); |
2482 | |
2483 | mach_port_guard_exception(name, inguard: 0, portguard, |
2484 | reason: hard ? kGUARD_EXC_MOD_REFS : kGUARD_EXC_MOD_REFS_NON_FATAL); |
2485 | } |
2486 | } |
2487 | |
2488 | /* |
2489 | * Routine: mach_port_guard_ast |
2490 | * Purpose: |
2491 | * Raises an exception for mach port guard violation. |
2492 | * Conditions: |
2493 | * None. |
2494 | * Returns: |
2495 | * None. |
2496 | */ |
2497 | |
2498 | void |
2499 | mach_port_guard_ast(thread_t t, |
2500 | mach_exception_data_type_t code, mach_exception_data_type_t subcode) |
2501 | { |
2502 | unsigned int reason = EXC_GUARD_DECODE_GUARD_FLAVOR(code); |
2503 | task_t task = get_threadtask(t); |
2504 | unsigned int behavior = task->task_exc_guard; |
2505 | bool fatal = true; |
2506 | |
2507 | assert(task == current_task()); |
2508 | assert(task != kernel_task); |
2509 | |
2510 | if (reason <= MAX_FATAL_kGUARD_EXC_CODE) { |
2511 | /* |
2512 | * Fatal Mach port guards - always delivered synchronously if dev mode is on. |
2513 | * Check if anyone has registered for Synchronous EXC_GUARD, if yes then, |
2514 | * deliver it synchronously and then kill the process, else kill the process |
2515 | * and deliver the exception via EXC_CORPSE_NOTIFY. |
2516 | */ |
2517 | if (task_exception_notify(EXC_GUARD, code, subcode, fatal) == KERN_SUCCESS) { |
2518 | task_bsdtask_kill(task); |
2519 | } else { |
2520 | exit_with_guard_exception(p: get_bsdtask_info(task), code, subcode); |
2521 | } |
2522 | } else { |
2523 | /* |
2524 | * Mach port guards controlled by task settings. |
2525 | */ |
2526 | |
2527 | /* Is delivery enabled */ |
2528 | if ((behavior & TASK_EXC_GUARD_MP_DELIVER) == 0) { |
2529 | return; |
2530 | } |
2531 | |
2532 | /* If only once, make sure we're that once */ |
2533 | while (behavior & TASK_EXC_GUARD_MP_ONCE) { |
2534 | uint32_t new_behavior = behavior & ~TASK_EXC_GUARD_MP_DELIVER; |
2535 | |
2536 | if (OSCompareAndSwap(behavior, new_behavior, &task->task_exc_guard)) { |
2537 | break; |
2538 | } |
2539 | behavior = task->task_exc_guard; |
2540 | if ((behavior & TASK_EXC_GUARD_MP_DELIVER) == 0) { |
2541 | return; |
2542 | } |
2543 | } |
2544 | fatal = (task->task_exc_guard & TASK_EXC_GUARD_MP_FATAL) |
2545 | && (reason <= MAX_OPTIONAL_kGUARD_EXC_CODE); |
2546 | kern_return_t sync_exception_result; |
2547 | sync_exception_result = task_exception_notify(EXC_GUARD, code, subcode, fatal); |
2548 | |
2549 | if (task->task_exc_guard & TASK_EXC_GUARD_MP_FATAL) { |
2550 | if (reason > MAX_OPTIONAL_kGUARD_EXC_CODE) { |
2551 | /* generate a simulated crash if not handled synchronously */ |
2552 | if (sync_exception_result != KERN_SUCCESS) { |
2553 | task_violated_guard(code, subcode, NULL, TRUE); |
2554 | } |
2555 | } else { |
2556 | /* |
2557 | * Only generate crash report if synchronous EXC_GUARD wasn't handled, |
2558 | * but it has to die regardless. |
2559 | */ |
2560 | if (sync_exception_result == KERN_SUCCESS) { |
2561 | task_bsdtask_kill(task); |
2562 | } else { |
2563 | exit_with_guard_exception(p: get_bsdtask_info(task), code, subcode); |
2564 | } |
2565 | } |
2566 | } else if (task->task_exc_guard & TASK_EXC_GUARD_MP_CORPSE) { |
2567 | /* Raise exception via corpse fork if not handled synchronously */ |
2568 | if (sync_exception_result != KERN_SUCCESS) { |
2569 | task_violated_guard(code, subcode, NULL, TRUE); |
2570 | } |
2571 | } |
2572 | } |
2573 | } |
2574 | |
2575 | /* |
2576 | * Routine: mach_port_construct [kernel call] |
2577 | * Purpose: |
2578 | * Constructs a mach port with the provided set of options. |
2579 | * Conditions: |
2580 | * None. |
2581 | * Returns: |
2582 | * KERN_SUCCESS The right is allocated. |
2583 | * KERN_INVALID_TASK The space is null. |
2584 | * KERN_INVALID_TASK The space is dead. |
2585 | * KERN_RESOURCE_SHORTAGE Couldn't allocate memory. |
2586 | * KERN_INVALID_VALUE Invalid value passed in options |
2587 | * KERN_INVALID_ARGUMENT Invalid arguments passed in options |
2588 | * KERN_NO_SPACE No room in space for another right. |
2589 | * KERN_FAILURE Illegal option values requested. |
2590 | */ |
2591 | |
2592 | kern_return_t |
2593 | mach_port_construct( |
2594 | ipc_space_t space, |
2595 | mach_port_options_t *options, |
2596 | uint64_t context, |
2597 | mach_port_name_t *name) |
2598 | { |
2599 | kern_return_t kr; |
2600 | ipc_port_t port; |
2601 | ipc_port_init_flags_t init_flags = IPC_PORT_INIT_MESSAGE_QUEUE; |
2602 | void *port_splabel = NULL; |
2603 | bool filter_msgs = FALSE; |
2604 | struct mach_service_port_info sp_info = {}; |
2605 | size_t sp_name_length = 0; |
2606 | user_addr_t service_port_info = 0; |
2607 | |
2608 | uint32_t at_most_one_flags = options->flags & (MPO_SERVICE_PORT | MPO_CONNECTION_PORT | MPO_TG_BLOCK_TRACKING); |
2609 | if (at_most_one_flags & (at_most_one_flags - 1)) { |
2610 | /* at most one of the listed flags can be set */ |
2611 | return KERN_INVALID_ARGUMENT; |
2612 | } |
2613 | |
2614 | at_most_one_flags = options->flags & (MPO_REPLY_PORT | MPO_ENFORCE_REPLY_PORT_SEMANTICS | |
2615 | MPO_PROVISIONAL_ID_PROT_OPTOUT | MPO_PROVISIONAL_REPLY_PORT); |
2616 | if (at_most_one_flags & (at_most_one_flags - 1)) { |
2617 | /* at most one of the listed flags can be set */ |
2618 | return KERN_INVALID_ARGUMENT; |
2619 | } |
2620 | |
2621 | if (space == IS_NULL) { |
2622 | return KERN_INVALID_TASK; |
2623 | } |
2624 | |
2625 | if (options->flags & MPO_INSERT_SEND_RIGHT) { |
2626 | init_flags |= IPC_PORT_INIT_MAKE_SEND_RIGHT; |
2627 | } |
2628 | |
2629 | if (options->flags & MPO_FILTER_MSG) { |
2630 | init_flags |= IPC_PORT_INIT_FILTER_MESSAGE; |
2631 | } |
2632 | |
2633 | if (options->flags & MPO_REPLY_PORT) { |
2634 | init_flags |= IPC_PORT_INIT_REPLY; |
2635 | } |
2636 | |
2637 | if (options->flags & MPO_ENFORCE_REPLY_PORT_SEMANTICS) { |
2638 | init_flags |= IPC_PORT_ENFORCE_REPLY_PORT_SEMANTICS; |
2639 | } |
2640 | |
2641 | if (options->flags & MPO_PROVISIONAL_ID_PROT_OPTOUT) { |
2642 | init_flags |= IPC_PORT_INIT_PROVISIONAL_ID_PROT_OPTOUT; |
2643 | } |
2644 | |
2645 | if (options->flags & MPO_PROVISIONAL_REPLY_PORT) { |
2646 | if (provisional_reply_port_enforced) { |
2647 | init_flags |= IPC_PORT_INIT_REPLY; |
2648 | } else { |
2649 | init_flags |= IPC_PORT_INIT_PROVISIONAL_REPLY; |
2650 | } |
2651 | } |
2652 | |
2653 | if (options->flags & MPO_TG_BLOCK_TRACKING) { |
2654 | /* Check the task role to allow only TASK_GRAPHICS_SERVER to set this option */ |
2655 | if (proc_get_effective_task_policy(task: current_task(), |
2656 | TASK_POLICY_ROLE) != TASK_GRAPHICS_SERVER) { |
2657 | return KERN_DENIED; |
2658 | } |
2659 | |
2660 | /* |
2661 | * Check the work interval port passed in to make sure it is the render server type. |
2662 | * Since the creation of the render server work interval is privileged, this check |
2663 | * acts as a guard to make sure only the render server is setting the thread group |
2664 | * blocking behavior on the port. |
2665 | */ |
2666 | mach_port_name_t wi_port_name = options->work_interval_port; |
2667 | if (work_interval_port_type_render_server(port_name: wi_port_name) == false) { |
2668 | return KERN_INVALID_ARGUMENT; |
2669 | } |
2670 | init_flags |= IPC_PORT_INIT_TG_BLOCK_TRACKING; |
2671 | } |
2672 | |
2673 | if (options->flags & MPO_SERVICE_PORT) { |
2674 | #if !(DEVELOPMENT || DEBUG) |
2675 | #if CONFIG_COALITIONS |
2676 | /* |
2677 | * Allow only launchd to add the service port labels |
2678 | * Not enforcing on development/debug kernels to |
2679 | * support testing |
2680 | */ |
2681 | if (!task_is_in_privileged_coalition(task: current_task(), COALITION_TYPE_JETSAM)) { |
2682 | return KERN_DENIED; |
2683 | } |
2684 | #else /* CONFIG_COALITIONS */ |
2685 | /* |
2686 | * This flag is not used by launchd on simulators |
2687 | */ |
2688 | if (proc_isinitproc(get_bsdtask_info(current_task()))) { |
2689 | return KERN_DENIED; |
2690 | } |
2691 | #endif /* CONFIG_COALITIONS */ |
2692 | #endif /* !(DEVELOPMENT || DEBUG) */ |
2693 | |
2694 | if (task_has_64Bit_addr(current_task())) { |
2695 | service_port_info = CAST_USER_ADDR_T(options->service_port_info64); |
2696 | } else { |
2697 | service_port_info = CAST_USER_ADDR_T(options->service_port_info32); |
2698 | } |
2699 | |
2700 | if (!service_port_info) { |
2701 | return KERN_INVALID_ARGUMENT; |
2702 | } |
2703 | |
2704 | if (copyin(service_port_info, (void *)&sp_info, sizeof(sp_info))) { |
2705 | return KERN_MEMORY_ERROR; |
2706 | } |
2707 | |
2708 | sp_name_length = strnlen(s: sp_info.mspi_string_name, MACH_SERVICE_PORT_INFO_STRING_NAME_MAX_BUF_LEN); |
2709 | if (sp_name_length >= (MACH_SERVICE_PORT_INFO_STRING_NAME_MAX_BUF_LEN)) { |
2710 | return KERN_INVALID_ARGUMENT; |
2711 | } |
2712 | |
2713 | kr = ipc_service_port_label_alloc(sp_info: &sp_info, port_label_ptr: &port_splabel); |
2714 | if (kr != KERN_SUCCESS) { |
2715 | return kr; |
2716 | } |
2717 | /* Always filter messages on service ports */ |
2718 | init_flags |= IPC_PORT_INIT_FILTER_MESSAGE; |
2719 | } |
2720 | |
2721 | if (options->flags & MPO_CONNECTION_PORT) { |
2722 | if (!options->service_port_name) { |
2723 | return KERN_INVALID_ARGUMENT; |
2724 | } |
2725 | |
2726 | kr = ipc_service_port_derive_sblabel(service_port_name: options->service_port_name, sblabel_ptr: &port_splabel, filter_msgs: &filter_msgs); |
2727 | if (kr != KERN_SUCCESS) { |
2728 | return kr; |
2729 | } |
2730 | if (filter_msgs) { |
2731 | init_flags |= IPC_PORT_INIT_FILTER_MESSAGE; |
2732 | } |
2733 | } |
2734 | |
2735 | |
2736 | if (options->flags & MPO_QLIMIT) { |
2737 | const mach_msg_type_number_t count = sizeof(options->mpl) / sizeof(int); |
2738 | static_assert(count >= MACH_PORT_LIMITS_INFO_COUNT); |
2739 | |
2740 | if (options->mpl.mpl_qlimit > MACH_PORT_QLIMIT_MAX) { |
2741 | return KERN_INVALID_VALUE; |
2742 | } |
2743 | } |
2744 | |
2745 | /* Allocate a new port in the IPC space */ |
2746 | kr = ipc_port_alloc(space, flags: init_flags, namep: name, portp: &port); |
2747 | if (kr != KERN_SUCCESS) { |
2748 | if (port_splabel != NULL) { |
2749 | ipc_service_port_label_dealloc(ip_splabel: port_splabel, |
2750 | service_port: (options->flags & MPO_SERVICE_PORT)); |
2751 | } |
2752 | return kr; |
2753 | } |
2754 | /* Port locked and active */ |
2755 | |
2756 | /* Mutate the new port based on flags - see above for error checks */ |
2757 | if (options->flags & MPO_QLIMIT) { |
2758 | ipc_mqueue_set_qlimit_locked(mqueue: &port->ip_messages, qlimit: options->mpl.mpl_qlimit); |
2759 | } |
2760 | |
2761 | if (options->flags & (MPO_IMPORTANCE_RECEIVER | MPO_DENAP_RECEIVER | MPO_TEMPOWNER)) { |
2762 | assert(!port->ip_specialreply); |
2763 | |
2764 | port->ip_impdonation = 1; |
2765 | if (options->flags & MPO_TEMPOWNER) { |
2766 | port->ip_tempowner = 1; |
2767 | } |
2768 | } |
2769 | |
2770 | if (port_splabel != NULL) { |
2771 | port->ip_service_port = (bool)(options->flags & MPO_SERVICE_PORT); |
2772 | port->ip_splabel = port_splabel; |
2773 | |
2774 | /* Check if this is a service port */ |
2775 | if (service_port_defense_enabled && port->ip_service_port) { |
2776 | port->ip_immovable_receive = true; |
2777 | } |
2778 | |
2779 | /* Check if this is a libxpc connection port */ |
2780 | if (!port->ip_service_port) { |
2781 | assert(options->flags & MPO_CONNECTION_PORT); |
2782 | port->ip_immovable_send = true; |
2783 | port->ip_immovable_receive = true; |
2784 | } |
2785 | } |
2786 | |
2787 | if (options->flags & MPO_CONTEXT_AS_GUARD) { |
2788 | uint64_t flags = 0; |
2789 | if (options->flags & MPO_STRICT) { |
2790 | flags |= MPG_STRICT; |
2791 | } |
2792 | if (options->flags & MPO_IMMOVABLE_RECEIVE) { |
2793 | flags |= MPG_IMMOVABLE_RECEIVE; |
2794 | } |
2795 | kr = mach_port_guard_locked(port, guard: context, flags); |
2796 | /* A newly allocated and locked port should always be guarded successfully */ |
2797 | assert(kr == KERN_SUCCESS); |
2798 | if (options->flags & MPO_SERVICE_PORT) { |
2799 | /* |
2800 | * Setting the guard on a service port triggers a special port destroyed notification |
2801 | * that restores the guard when the receive right moves back to launchd. This |
2802 | * must be a strict guard. |
2803 | */ |
2804 | assert((options->flags & MPO_STRICT) == MPO_STRICT); |
2805 | ipc_service_port_label_set_attr(port_splabel, name: *name, context: (mach_port_context_t)context); |
2806 | } |
2807 | } else { |
2808 | port->ip_context = context; |
2809 | if (options->flags & MPO_SERVICE_PORT) { |
2810 | ipc_service_port_label_set_attr(port_splabel, name: *name, context: 0); |
2811 | } |
2812 | } |
2813 | |
2814 | /* Unlock port */ |
2815 | ip_mq_unlock(port); |
2816 | |
2817 | return KERN_SUCCESS; |
2818 | } |
2819 | |
2820 | /* |
2821 | * Routine: mach_port_destruct [kernel call] |
2822 | * Purpose: |
2823 | * Destroys a mach port with appropriate guard |
2824 | * Conditions: |
2825 | * None. |
2826 | * Returns: |
2827 | * KERN_SUCCESS The name is destroyed. |
2828 | * KERN_INVALID_TASK The space is null. |
2829 | * KERN_INVALID_TASK The space is dead. |
2830 | * KERN_INVALID_NAME The name doesn't denote a right. |
2831 | * KERN_INVALID_RIGHT The right isn't correct. |
2832 | * KERN_INVALID_VALUE The delta for send right is incorrect. |
2833 | * KERN_INVALID_ARGUMENT Port is either unguarded already or guard mismatch. |
2834 | * This also raises a EXC_GUARD exception. |
2835 | */ |
2836 | |
2837 | kern_return_t |
2838 | mach_port_destruct( |
2839 | ipc_space_t space, |
2840 | mach_port_name_t name, |
2841 | mach_port_delta_t srdelta, |
2842 | uint64_t guard) |
2843 | { |
2844 | kern_return_t kr; |
2845 | ipc_entry_t entry; |
2846 | |
2847 | if (space == IS_NULL) { |
2848 | return KERN_INVALID_TASK; |
2849 | } |
2850 | |
2851 | if (!MACH_PORT_VALID(name)) { |
2852 | return KERN_INVALID_NAME; |
2853 | } |
2854 | |
2855 | /* Remove reference for receive right */ |
2856 | kr = ipc_right_lookup_write(space, name, entryp: &entry); |
2857 | if (kr != KERN_SUCCESS) { |
2858 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_INVALID_NAME); |
2859 | return kr; |
2860 | } |
2861 | /* space is write-locked and active */ |
2862 | kr = ipc_right_destruct(space, name, entry, srdelta, guard); /* unlocks */ |
2863 | |
2864 | return kr; |
2865 | } |
2866 | |
2867 | /* |
2868 | * Routine: mach_port_guard [kernel call] |
2869 | * Purpose: |
2870 | * Guard a mach port with specified guard value. |
2871 | * The context field of the port is used as the guard. |
2872 | * Conditions: |
2873 | * None. |
2874 | * Returns: |
2875 | * KERN_SUCCESS The name is destroyed. |
2876 | * KERN_INVALID_TASK The space is null. |
2877 | * KERN_INVALID_TASK The space is dead. |
2878 | * KERN_INVALID_NAME The name doesn't denote a right. |
2879 | * KERN_INVALID_RIGHT The right isn't correct. |
2880 | * KERN_INVALID_ARGUMENT Port already contains a context/guard. |
2881 | */ |
2882 | kern_return_t |
2883 | mach_port_guard( |
2884 | ipc_space_t space, |
2885 | mach_port_name_t name, |
2886 | uint64_t guard, |
2887 | boolean_t strict) |
2888 | { |
2889 | kern_return_t kr; |
2890 | ipc_port_t port; |
2891 | uint64_t flags = 0; |
2892 | |
2893 | if (space == IS_NULL) { |
2894 | return KERN_INVALID_TASK; |
2895 | } |
2896 | |
2897 | if (!MACH_PORT_VALID(name)) { |
2898 | return KERN_INVALID_NAME; |
2899 | } |
2900 | |
2901 | /* Guard can be applied only to receive rights */ |
2902 | kr = ipc_port_translate_receive(space, name, portp: &port); |
2903 | if (kr != KERN_SUCCESS) { |
2904 | mach_port_guard_exception(name, inguard: 0, portguard: 0, |
2905 | reason: ((KERN_INVALID_NAME == kr) ? |
2906 | kGUARD_EXC_INVALID_NAME : |
2907 | kGUARD_EXC_INVALID_RIGHT)); |
2908 | return kr; |
2909 | } |
2910 | |
2911 | /* Port locked and active */ |
2912 | if (strict) { |
2913 | flags = MPG_STRICT; |
2914 | } |
2915 | |
2916 | kr = mach_port_guard_locked(port, guard, flags); |
2917 | ip_mq_unlock(port); |
2918 | |
2919 | if (KERN_INVALID_ARGUMENT == kr) { |
2920 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_INVALID_ARGUMENT); |
2921 | } |
2922 | |
2923 | return kr; |
2924 | } |
2925 | |
2926 | /* |
2927 | * Routine: mach_port_unguard [kernel call] |
2928 | * Purpose: |
2929 | * Unguard a mach port with specified guard value. |
2930 | * Conditions: |
2931 | * None. |
2932 | * Returns: |
2933 | * KERN_SUCCESS The name is destroyed. |
2934 | * KERN_INVALID_TASK The space is null. |
2935 | * KERN_INVALID_TASK The space is dead. |
2936 | * KERN_INVALID_NAME The name doesn't denote a right. |
2937 | * KERN_INVALID_RIGHT The right isn't correct. |
2938 | * KERN_INVALID_ARGUMENT Port is either unguarded already or guard mismatch. |
2939 | * This also raises a EXC_GUARD exception. |
2940 | */ |
2941 | kern_return_t |
2942 | mach_port_unguard( |
2943 | ipc_space_t space, |
2944 | mach_port_name_t name, |
2945 | uint64_t guard) |
2946 | { |
2947 | kern_return_t kr; |
2948 | ipc_port_t port; |
2949 | |
2950 | if (space == IS_NULL) { |
2951 | return KERN_INVALID_TASK; |
2952 | } |
2953 | |
2954 | if (!MACH_PORT_VALID(name)) { |
2955 | return KERN_INVALID_NAME; |
2956 | } |
2957 | |
2958 | kr = ipc_port_translate_receive(space, name, portp: &port); |
2959 | if (kr != KERN_SUCCESS) { |
2960 | mach_port_guard_exception(name, inguard: 0, portguard: 0, |
2961 | reason: ((KERN_INVALID_NAME == kr) ? |
2962 | kGUARD_EXC_INVALID_NAME : |
2963 | kGUARD_EXC_INVALID_RIGHT)); |
2964 | return kr; |
2965 | } |
2966 | |
2967 | /* Port locked and active */ |
2968 | kr = mach_port_unguard_locked(port, name, guard); |
2969 | ip_mq_unlock(port); |
2970 | |
2971 | return kr; |
2972 | } |
2973 | |
2974 | /* |
2975 | * Routine: mach_port_guard_with_flags [kernel call] |
2976 | * Purpose: |
2977 | * Guard a mach port with specified guard value and guard flags. |
2978 | * The context field of the port is used as the guard. |
2979 | * Conditions: |
2980 | * Should hold receive right for that port |
2981 | * Returns: |
2982 | * KERN_SUCCESS The name is destroyed. |
2983 | * KERN_INVALID_TASK The space is null. |
2984 | * KERN_INVALID_TASK The space is dead. |
2985 | * KERN_INVALID_NAME The name doesn't denote a right. |
2986 | * KERN_INVALID_RIGHT The right isn't correct. |
2987 | * KERN_INVALID_ARGUMENT Port already contains a context/guard. |
2988 | * KERN_INVALID_CAPABILITY Cannot set MPG_IMMOVABLE_RECEIVE flag for a port with |
2989 | * a movable port-destroyed notification port |
2990 | */ |
2991 | kern_return_t |
2992 | mach_port_guard_with_flags( |
2993 | ipc_space_t space, |
2994 | mach_port_name_t name, |
2995 | uint64_t guard, |
2996 | uint64_t flags) |
2997 | { |
2998 | kern_return_t kr; |
2999 | ipc_port_t port; |
3000 | |
3001 | if (space == IS_NULL) { |
3002 | return KERN_INVALID_TASK; |
3003 | } |
3004 | |
3005 | if (!MACH_PORT_VALID(name)) { |
3006 | return KERN_INVALID_NAME; |
3007 | } |
3008 | |
3009 | kr = ipc_port_translate_receive(space, name, portp: &port); |
3010 | if (kr != KERN_SUCCESS) { |
3011 | mach_port_guard_exception(name, inguard: 0, portguard: 0, |
3012 | reason: ((KERN_INVALID_NAME == kr) ? |
3013 | kGUARD_EXC_INVALID_NAME : |
3014 | kGUARD_EXC_INVALID_RIGHT)); |
3015 | return kr; |
3016 | } |
3017 | |
3018 | /* Port locked and active */ |
3019 | kr = mach_port_guard_locked(port, guard, flags); |
3020 | ip_mq_unlock(port); |
3021 | |
3022 | if (KERN_INVALID_ARGUMENT == kr) { |
3023 | mach_port_guard_exception(name, inguard: 0, portguard: 0, reason: kGUARD_EXC_INVALID_ARGUMENT); |
3024 | } |
3025 | |
3026 | return kr; |
3027 | } |
3028 | |
3029 | /* |
3030 | * Routine: mach_port_swap_guard [kernel call] |
3031 | * Purpose: |
3032 | * Swap guard value. |
3033 | * Conditions: |
3034 | * Port should already be guarded. |
3035 | * Returns: |
3036 | * KERN_SUCCESS The name is destroyed. |
3037 | * KERN_INVALID_TASK The space is null. |
3038 | * KERN_INVALID_TASK The space is dead. |
3039 | * KERN_INVALID_NAME The name doesn't denote a right. |
3040 | * KERN_INVALID_RIGHT The right isn't correct. |
3041 | * KERN_INVALID_ARGUMENT Port doesn't contain a guard; is strictly guarded |
3042 | * or the old_guard doesnt match the context |
3043 | */ |
3044 | kern_return_t |
3045 | mach_port_swap_guard( |
3046 | ipc_space_t space, |
3047 | mach_port_name_t name, |
3048 | uint64_t old_guard, |
3049 | uint64_t new_guard) |
3050 | { |
3051 | kern_return_t kr; |
3052 | ipc_port_t port; |
3053 | |
3054 | if (space == IS_NULL) { |
3055 | return KERN_INVALID_TASK; |
3056 | } |
3057 | |
3058 | if (!MACH_PORT_VALID(name)) { |
3059 | return KERN_INVALID_NAME; |
3060 | } |
3061 | |
3062 | kr = ipc_port_translate_receive(space, name, portp: &port); |
3063 | if (kr != KERN_SUCCESS) { |
3064 | mach_port_guard_exception(name, inguard: 0, portguard: 0, |
3065 | reason: ((KERN_INVALID_NAME == kr) ? |
3066 | kGUARD_EXC_INVALID_NAME : |
3067 | kGUARD_EXC_INVALID_RIGHT)); |
3068 | return kr; |
3069 | } |
3070 | |
3071 | /* Port locked and active */ |
3072 | if (!port->ip_guarded) { |
3073 | ip_mq_unlock(port); |
3074 | mach_port_guard_exception(name, inguard: old_guard, portguard: 0, reason: kGUARD_EXC_UNGUARDED); |
3075 | return KERN_INVALID_ARGUMENT; |
3076 | } |
3077 | |
3078 | if (port->ip_strict_guard) { |
3079 | uint64_t portguard = port->ip_context; |
3080 | ip_mq_unlock(port); |
3081 | /* For strictly guarded ports, disallow overwriting context; Raise Exception */ |
3082 | mach_port_guard_exception(name, inguard: old_guard, portguard, reason: kGUARD_EXC_SET_CONTEXT); |
3083 | return KERN_INVALID_ARGUMENT; |
3084 | } |
3085 | |
3086 | if (port->ip_context != old_guard) { |
3087 | uint64_t portguard = port->ip_context; |
3088 | ip_mq_unlock(port); |
3089 | mach_port_guard_exception(name, inguard: old_guard, portguard, reason: kGUARD_EXC_INCORRECT_GUARD); |
3090 | return KERN_INVALID_ARGUMENT; |
3091 | } |
3092 | |
3093 | port->ip_context = new_guard; |
3094 | |
3095 | ip_mq_unlock(port); |
3096 | |
3097 | return KERN_SUCCESS; |
3098 | } |
3099 | |
3100 | kern_return_t |
3101 | mach_port_is_connection_for_service( |
3102 | ipc_space_t space, |
3103 | mach_port_name_t connection_port_name, |
3104 | mach_port_name_t service_port_name, |
3105 | uint64_t *filter_policy_id) |
3106 | { |
3107 | mach_port_t service_port; |
3108 | mach_port_t connection_port; |
3109 | void *service_port_sblabel = NULL; |
3110 | void *conn_port_sblabel = NULL; |
3111 | |
3112 | kern_return_t ret; |
3113 | |
3114 | if (space == IS_NULL) { |
3115 | return KERN_INVALID_TASK; |
3116 | } |
3117 | |
3118 | if (!MACH_PORT_VALID(connection_port_name) || !MACH_PORT_VALID(service_port_name)) { |
3119 | return KERN_INVALID_NAME; |
3120 | } |
3121 | |
3122 | if (!filter_policy_id) { |
3123 | return KERN_INVALID_ARGUMENT; |
3124 | } |
3125 | |
3126 | if (!mach_msg_filter_at_least(MACH_MSG_FILTER_CALLBACKS_VERSION_1)) { |
3127 | return KERN_NOT_SUPPORTED; |
3128 | } |
3129 | |
3130 | ret = ipc_port_translate_receive(space, name: service_port_name, portp: &service_port); |
3131 | if (ret) { |
3132 | return ret; |
3133 | } |
3134 | |
3135 | if (!service_port->ip_service_port) { |
3136 | ip_mq_unlock(service_port); |
3137 | return KERN_INVALID_CAPABILITY; |
3138 | } |
3139 | |
3140 | /* Port is locked and active */ |
3141 | service_port_sblabel = ipc_service_port_get_sblabel(port: service_port); |
3142 | if (service_port_sblabel) { |
3143 | mach_msg_filter_retain_sblabel_callback(service_port_sblabel); |
3144 | } |
3145 | ip_mq_unlock(service_port); |
3146 | |
3147 | if (!service_port_sblabel) { |
3148 | /* Nothing to check */ |
3149 | *filter_policy_id = 0; |
3150 | return KERN_SUCCESS; |
3151 | } |
3152 | |
3153 | ret = ipc_port_translate_receive(space, name: connection_port_name, portp: &connection_port); |
3154 | if (ret) { |
3155 | mach_msg_filter_dealloc_service_port_sblabel_callback(service_port_sblabel); |
3156 | return ret; |
3157 | } |
3158 | /* Port is locked and active */ |
3159 | conn_port_sblabel = ipc_service_port_get_sblabel(port: connection_port); |
3160 | if (conn_port_sblabel) { |
3161 | mach_msg_filter_retain_sblabel_callback(conn_port_sblabel); |
3162 | } |
3163 | ip_mq_unlock(connection_port); |
3164 | |
3165 | /* This callback will release the sblabel references */ |
3166 | ret = mach_msg_filter_get_connection_port_filter_policy_callback(service_port_sblabel, |
3167 | conn_port_sblabel, filter_policy_id); |
3168 | |
3169 | return ret; |
3170 | } |
3171 | |
3172 | #if CONFIG_SERVICE_PORT_INFO |
3173 | kern_return_t |
3174 | mach_port_get_service_port_info( |
3175 | ipc_space_read_t space, |
3176 | mach_port_name_t name, |
3177 | mach_service_port_info_t sp_info) |
3178 | { |
3179 | ipc_port_t port; |
3180 | kern_return_t kr; |
3181 | |
3182 | if (space == IS_NULL) { |
3183 | return KERN_INVALID_TASK; |
3184 | } |
3185 | |
3186 | if (sp_info == NULL) { |
3187 | return KERN_INVALID_ARGUMENT; |
3188 | } |
3189 | |
3190 | if (!MACH_PORT_VALID(name)) { |
3191 | return KERN_INVALID_RIGHT; |
3192 | } |
3193 | |
3194 | kr = ipc_port_translate_receive(space, name, portp: &port); |
3195 | if (kr != KERN_SUCCESS) { |
3196 | return kr; |
3197 | } |
3198 | /* port is locked and active */ |
3199 | |
3200 | if (!port->ip_service_port) { |
3201 | ip_mq_unlock(port); |
3202 | return KERN_INVALID_CAPABILITY; |
3203 | } |
3204 | |
3205 | assert(port->ip_splabel != NULL); |
3206 | ipc_service_port_label_get_info(port_splabel: (ipc_service_port_label_t)port->ip_splabel, info: sp_info); |
3207 | ip_mq_unlock(port); |
3208 | |
3209 | return KERN_SUCCESS; |
3210 | } |
3211 | |
3212 | #else /* CONFIG_SERVICE_PORT_INFO */ |
3213 | |
3214 | kern_return_t |
3215 | mach_port_get_service_port_info( |
3216 | __unused ipc_space_read_t space, |
3217 | __unused mach_port_name_t name, |
3218 | __unused mach_service_port_info_t sp_info) |
3219 | { |
3220 | return KERN_NOT_SUPPORTED; |
3221 | } |
3222 | #endif /* CONFIG_SERVICE_PORT_INFO */ |
3223 | |
3224 | kern_return_t |
3225 | mach_port_assert_attributes( |
3226 | ipc_space_t space, |
3227 | mach_port_name_t name, |
3228 | int flavor, |
3229 | mach_port_info_t info, |
3230 | mach_msg_type_number_t count) |
3231 | { |
3232 | ipc_port_t port; |
3233 | kern_return_t kr; |
3234 | |
3235 | if (space == IS_NULL) { |
3236 | return KERN_INVALID_TASK; |
3237 | } |
3238 | |
3239 | switch (flavor) { |
3240 | case MACH_PORT_GUARD_INFO: { |
3241 | mach_port_guard_info_t *mpgi = (mach_port_guard_info_t *)(void *)info; |
3242 | |
3243 | if (count < MACH_PORT_GUARD_INFO_COUNT) { |
3244 | return KERN_FAILURE; |
3245 | } |
3246 | |
3247 | if (!MACH_PORT_VALID(name)) { |
3248 | return KERN_INVALID_RIGHT; |
3249 | } |
3250 | |
3251 | kr = ipc_port_translate_receive(space, name, portp: &port); |
3252 | if (kr != KERN_SUCCESS) { |
3253 | return kr; |
3254 | } |
3255 | /* port is locked and active */ |
3256 | |
3257 | /* Check if guard value matches else kill the process using fatal guard exception */ |
3258 | if (!port->ip_guarded) { |
3259 | ip_mq_unlock(port); |
3260 | /* Port already unguarded; Raise exception */ |
3261 | mach_port_guard_exception(name, inguard: mpgi->mpgi_guard, portguard: 0, reason: kGUARD_EXC_UNGUARDED); |
3262 | return KERN_INVALID_ARGUMENT; |
3263 | } |
3264 | |
3265 | if (!port->ip_strict_guard || (port->ip_context != mpgi->mpgi_guard)) { |
3266 | ip_mq_unlock(port); |
3267 | /* Incorrect guard; Raise exception */ |
3268 | mach_port_guard_exception(name, inguard: mpgi->mpgi_guard, portguard: port->ip_context, reason: kGUARD_EXC_INCORRECT_GUARD); |
3269 | return KERN_INVALID_ARGUMENT; |
3270 | } |
3271 | |
3272 | ip_mq_unlock(port); |
3273 | break; |
3274 | } |
3275 | default: |
3276 | return KERN_INVALID_ARGUMENT; |
3277 | } |
3278 | return KERN_SUCCESS; |
3279 | } |
3280 | |