xnu-1699.24.23.tar.gz

[apple/xnu.git] / iokit / Kernel / IOUserClient.cpp
diff --git a/iokit/Kernel/IOUserClient.cpp b/iokit/Kernel/IOUserClient.cpp

index bb451f8c44ea54780394ce60aa3413f9f2d6a184..32ce10c0f80bfbc9e4ad4340283ce2d131f469a1 100644 (file)
--- a/iokit/Kernel/IOUserClient.cpp
+++ b/iokit/Kernel/IOUserClient.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1998-2006 Apple Computer, Inc. All rights reserved.
+ * Copyright (c) 1998-2008 Apple Inc. All rights reserved.
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   * 
@@ -27,6 +27,7 @@
   */
  
  
+#include <libkern/c++/OSKext.h>
  #include <IOKit/IOKitServer.h>
  #include <IOKit/IOKitKeysPrivate.h>
  #include <IOKit/IOUserClient.h>
@@ -34,8 +35,24 @@
  #include <IOKit/IORegistryEntry.h>
  #include <IOKit/IOCatalogue.h>
  #include <IOKit/IOMemoryDescriptor.h>
+#include <IOKit/IOBufferMemoryDescriptor.h>
  #include <IOKit/IOLib.h>
+#include <IOKit/IOStatisticsPrivate.h>
+#include <IOKit/IOTimeStamp.h>
+#include <libkern/OSDebug.h>
  #include <sys/proc.h>
+#include <sys/kauth.h>
+
+#if CONFIG_MACF
+
+extern "C" {
+#include <security/mac_framework.h>
+};
+#include <sys/kauth.h>
+
+#define IOMACF_LOG 0
+
+#endif /* CONFIG_MACF */
  
  #include <IOKit/assert.h>
  
@@ -45,7 +62,7 @@
  #define SCALAR64(x) ((io_user_scalar_t)((unsigned int)x))
  #define SCALAR32(x) ((uint32_t )x)
  #define ARG32(x)    ((void *)SCALAR32(x))
-#define REF64(x)    ((io_user_reference_t)((natural_t)(x)))
+#define REF64(x)    ((io_user_reference_t)((UInt64)(x)))
  #define REF32(x)    ((int)(x))
  
  enum
@@ -54,6 +71,32 @@ enum
      kIOUCAsync64Flag = 1ULL
  };
  
+#if IOKITSTATS
+
+#define IOStatisticsRegisterCounter() \
+do { \
+       reserved->counter = IOStatistics::registerUserClient(this); \
+} while (0)
+
+#define IOStatisticsUnregisterCounter() \
+do { \
+       if (reserved) \
+               IOStatistics::unregisterUserClient(reserved->counter); \
+} while (0)
+
+#define IOStatisticsClientCall() \
+do { \
+       IOStatistics::countUserClientCall(client); \
+} while (0)
+
+#else
+
+#define IOStatisticsRegisterCounter()
+#define IOStatisticsUnregisterCounter()
+#define IOStatisticsClientCall()
+
+#endif /* IOKITSTATS */
+
  /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
  
  // definitions we should get from osfmk
@@ -85,6 +128,7 @@ extern ipc_port_t master_device_port;
  
  extern void iokit_retain_port( ipc_port_t port );
  extern void iokit_release_port( ipc_port_t port );
+extern void iokit_release_port_send( ipc_port_t port );
  
  extern kern_return_t iokit_switch_object_port( ipc_port_t port, io_object_t obj, ipc_kobject_type_t type );
  
@@ -210,7 +254,7 @@ bool IOMachPort::noMoreSendersForObject( OSObject * obj,
  
         machPort = (IOMachPort *) dict->getObject( (const OSSymbol *) obj );
         if( machPort) {
-           destroyed = (machPort->mscount == *mscount);
+           destroyed = (machPort->mscount <= *mscount);
             if( destroyed)
                 dict->removeObject( (const OSSymbol *) obj );
             else
@@ -379,9 +423,11 @@ iokit_client_died( io_object_t obj, ipc_port_t /* port */,
  
      if( IKOT_IOKIT_CONNECT == type)
      {
-       if( (client = OSDynamicCast( IOUserClient, obj )))
+       if( (client = OSDynamicCast( IOUserClient, obj ))) {
+               IOStatisticsClientCall();
             client->clientDied();
      }
+    }
      else if( IKOT_IOKIT_OBJECT == type)
      {
         if( (map = OSDynamicCast( IOMemoryMap, obj )))
@@ -422,7 +468,7 @@ public:
      virtual void free();
  
      static bool _handler( void * target,
-                          void * ref, IOService * newService );
+                          void * ref, IOService * newService, IONotifier * notifier );
      virtual bool handler( void * ref, IOService * newService );
  
      virtual OSObject * getNextObject();
@@ -436,7 +482,7 @@ class IOServiceMessageUserNotification : public IOUserNotification
          mach_msg_header_t              msgHdr;
         mach_msg_body_t                 msgBody;
         mach_msg_port_descriptor_t      ports[1];
-        OSNotificationHeader64         notifyHeader;
+        OSNotificationHeader64         notifyHeader __attribute__ ((packed));
      };
  
      PingMsg *          pingMsg;
@@ -587,7 +633,7 @@ void IOServiceUserNotification::free( void )
  }
  
  bool IOServiceUserNotification::_handler( void * target,
-                                    void * ref, IOService * newService )
+                                    void * ref, IOService * newService, IONotifier * notifier )
  {
      return( ((IOServiceUserNotification *) target)->handler( ref, newService ));
  }
@@ -621,13 +667,13 @@ bool IOServiceUserNotification::handler( void * ref,
         else
              pingMsg->msgHdr.msgh_local_port = NULL;
  
-        kr = mach_msg_send_from_kernel( &pingMsg->msgHdr,
+        kr = mach_msg_send_from_kernel_proper( &pingMsg->msgHdr,
                                          pingMsg->msgHdr.msgh_size);
         if( port)
             iokit_release_port( port );
  
          if( KERN_SUCCESS != kr)
-            IOLog("%s: mach_msg_send_from_kernel {%x}\n", __FILE__, kr );
+            IOLog("%s: mach_msg_send_from_kernel_proper {%x}\n", __FILE__, kr );
      }
  
      return( true );
@@ -754,7 +800,7 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref,
         else
         {
             data->messageArgument[0] |= (data->messageArgument[0] << 32);
-           argSize = sizeof(messageArgument);
+           argSize = sizeof(uint32_t);
         }
      }
      else
@@ -772,7 +818,7 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref,
      pingMsg->ports[0].name = providerPort;
      thisPort = iokit_port_for_object( this, IKOT_IOKIT_OBJECT );
      pingMsg->msgHdr.msgh_local_port = thisPort;
-    kr = mach_msg_send_from_kernel( &pingMsg->msgHdr,
+    kr = mach_msg_send_from_kernel_proper( &pingMsg->msgHdr,
                                     pingMsg->msgHdr.msgh_size);
      if( thisPort)
         iokit_release_port( thisPort );
@@ -780,7 +826,7 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref,
         iokit_release_port( providerPort );
  
      if( KERN_SUCCESS != kr)
-        IOLog("%s: mach_msg_send_from_kernel {%x}\n", __FILE__, kr );
+        IOLog("%s: mach_msg_send_from_kernel_proper {%x}\n", __FILE__, kr );
  
      return( kIOReturnSuccess );
  }
@@ -807,10 +853,10 @@ void IOUserClient::setAsyncReference(OSAsyncReference asyncRef,
                                       mach_port_t wakePort,
                                       void *callback, void *refcon)
  {
-    asyncRef[kIOAsyncReservedIndex]      = ((natural_t) wakePort) 
+    asyncRef[kIOAsyncReservedIndex]      = ((uintptr_t) wakePort) 
                                          | (kIOUCAsync0Flags & asyncRef[kIOAsyncReservedIndex]);
-    asyncRef[kIOAsyncCalloutFuncIndex]   = (natural_t) callback;
-    asyncRef[kIOAsyncCalloutRefconIndex] = (natural_t) refcon;
+    asyncRef[kIOAsyncCalloutFuncIndex]   = (uintptr_t) callback;
+    asyncRef[kIOAsyncCalloutRefconIndex] = (uintptr_t) refcon;
  }
  
  void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef,
@@ -823,7 +869,7 @@ void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef,
      asyncRef[kIOAsyncCalloutRefconIndex] = refcon;
  }
  
-inline OSDictionary * CopyConsoleUser(UInt32 uid)
+static OSDictionary * CopyConsoleUser(UInt32 uid)
  {
         OSArray * array;
         OSDictionary * user = 0; 
@@ -847,6 +893,29 @@ inline OSDictionary * CopyConsoleUser(UInt32 uid)
      return user;
  }
  
+static OSDictionary * CopyUserOnConsole(void)
+{
+    OSArray * array;
+    OSDictionary * user = 0; 
+    
+    if ((array = OSDynamicCast(OSArray,
+       IORegistryEntry::getRegistryRoot()->copyProperty(gIOConsoleUsersKey))))
+    {
+       for (unsigned int idx = 0;
+               (user = OSDynamicCast(OSDictionary, array->getObject(idx)));
+               idx++)
+       {
+           if (kOSBooleanTrue == user->getObject(gIOConsoleSessionOnConsoleKey))
+           {
+               user->retain();
+               break;
+           }
+       }
+       array->release();
+    }
+    return (user);
+}
+
  IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
                                              const char * privilegeName )
  {
@@ -857,26 +926,71 @@ IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
      OSDictionary *          user;
      bool                    secureConsole;
  
-    if ((secureConsole = !strcmp(privilegeName, kIOClientPrivilegeSecureConsoleProcess)))
+
+    if (!strncmp(privilegeName, kIOClientPrivilegeForeground, 
+                sizeof(kIOClientPrivilegeForeground)))
+    {
+       /* is graphics access denied for current task? */
+       if (proc_get_task_selfgpuacc_deny() != 0) 
+               return (kIOReturnNotPrivileged);
+       else 
+               return (kIOReturnSuccess);
+    }
+
+    if (!strncmp(privilegeName, kIOClientPrivilegeConsoleSession,
+                                sizeof(kIOClientPrivilegeConsoleSession)))
+    {
+       kauth_cred_t cred;
+       proc_t       p;
+
+        task = (task_t) securityToken;
+       if (!task)
+           task = current_task();
+       p = (proc_t) get_bsdtask_info(task);
+       kr = kIOReturnNotPrivileged;
+
+       if (p && (cred = kauth_cred_proc_ref(p)))
+       {
+           user = CopyUserOnConsole();
+           if (user)
+           {
+               OSNumber * num;
+               if ((num = OSDynamicCast(OSNumber, user->getObject(gIOConsoleSessionAuditIDKey)))
+                 && (cred->cr_audit.as_aia_p->ai_asid == (au_asid_t) num->unsigned32BitValue()))
+               {
+                   kr = kIOReturnSuccess;
+               }
+               user->release();
+           }
+           kauth_cred_unref(&cred);
+       }
+       return (kr);
+    }
+
+    if ((secureConsole = !strncmp(privilegeName, kIOClientPrivilegeSecureConsoleProcess,
+            sizeof(kIOClientPrivilegeSecureConsoleProcess))))
          task = (task_t)((IOUCProcessToken *)securityToken)->token;
      else
          task = (task_t)securityToken;
-    
+
      count = TASK_SECURITY_TOKEN_COUNT;
      kr = task_info( task, TASK_SECURITY_TOKEN, (task_info_t) &token, &count );
  
      if (KERN_SUCCESS != kr)
      {}
-    else if (!strcmp(privilegeName, kIOClientPrivilegeAdministrator)) {
+    else if (!strncmp(privilegeName, kIOClientPrivilegeAdministrator, 
+                sizeof(kIOClientPrivilegeAdministrator))) {
          if (0 != token.val[0])
              kr = kIOReturnNotPrivileged;
-    } else if (!strcmp(privilegeName, kIOClientPrivilegeLocalUser)) {
+    } else if (!strncmp(privilegeName, kIOClientPrivilegeLocalUser,
+                sizeof(kIOClientPrivilegeLocalUser))) {
          user = CopyConsoleUser(token.val[0]);
          if ( user )
              user->release();
          else
              kr = kIOReturnNotPrivileged;            
-    } else if (secureConsole || !strcmp(privilegeName, kIOClientPrivilegeConsoleUser)) {
+    } else if (secureConsole || !strncmp(privilegeName, kIOClientPrivilegeConsoleUser,
+                                    sizeof(kIOClientPrivilegeConsoleUser))) {
          user = CopyConsoleUser(token.val[0]);
          if ( user ) {
              if (user->getObject(gIOConsoleSessionOnConsoleKey) != kOSBooleanTrue)
@@ -898,28 +1012,28 @@ IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
  
  bool IOUserClient::init()
  {
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init();
+       if (getPropertyTable() || super::init())
+               return reserve();
+       
+       return false;
  }
  
  bool IOUserClient::init(OSDictionary * dictionary)
  {
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init(dictionary);
+       if (getPropertyTable() || super::init(dictionary))
+               return reserve();
+       
+       return false;
  }
  
  bool IOUserClient::initWithTask(task_t owningTask,
                                  void * securityID,
                                  UInt32 type )
-{
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init();
+{      
+       if (getPropertyTable() || super::init())
+               return reserve();
+       
+       return false;
  }
  
  bool IOUserClient::initWithTask(task_t owningTask,
@@ -935,11 +1049,30 @@ bool IOUserClient::initWithTask(task_t owningTask,
      return( ok );
  }
  
+bool IOUserClient::reserve()
+{              
+       if(!reserved) {
+               reserved = IONew(ExpansionData, 1);
+               if (!reserved) {
+                       return false;
+               }
+       }
+
+       IOStatisticsRegisterCounter();
+       
+       return true;
+}
+
  void IOUserClient::free()
  {
      if( mappings)
          mappings->release();
+               
+    IOStatisticsUnregisterCounter();
  
+    if (reserved)
+        IODelete(reserved, ExpansionData, 1);
+               
      super::free();
  }
  
@@ -966,6 +1099,14 @@ IOReturn IOUserClient::registerNotificationPort(
      return( kIOReturnUnsupported);
  }
  
+IOReturn IOUserClient::registerNotificationPort(
+               mach_port_t port,
+               UInt32          type,
+               io_user_reference_t refCon)
+{
+    return (registerNotificationPort(port, type, (UInt32) refCon));
+}
+
  IOReturn IOUserClient::getNotificationSemaphore( UInt32 notification_type,
                                      semaphore_t * semaphore )
  {
@@ -984,29 +1125,16 @@ IOReturn IOUserClient::clientMemoryForType( UInt32 type,
      return( kIOReturnUnsupported);
  }
  
+#if !__LP64__
  IOMemoryMap * IOUserClient::mapClientMemory( 
         IOOptionBits            type,
         task_t                  task,
         IOOptionBits            mapFlags,
         IOVirtualAddress        atAddress )
  {
-    IOReturn           err;
-    IOOptionBits       options = 0;
-    IOMemoryDescriptor * memory;
-    IOMemoryMap *      map = 0;
-
-    err = clientMemoryForType( (UInt32) type, &options, &memory );
-
-    if( memory && (kIOReturnSuccess == err)) {
-
-        options = (options & ~kIOMapUserOptionsMask)
-               | (mapFlags & kIOMapUserOptionsMask);
-       map = memory->map( task, atAddress, options );
-       memory->release();
-    }
-
-    return( map );
+    return (NULL);
  }
+#endif
  
  IOMemoryMap * IOUserClient::mapClientMemory64( 
         IOOptionBits            type,
@@ -1094,6 +1222,25 @@ getTargetAndTrapForIndex(IOService ** targetP, UInt32 index)
        return trap;
  }
  
+IOReturn IOUserClient::releaseAsyncReference64(OSAsyncReference64 reference)
+{
+    mach_port_t port;
+    port = (mach_port_t) (reference[0] & ~kIOUCAsync0Flags);
+
+    if (MACH_PORT_NULL != port)
+       iokit_release_port_send(port);
+
+    return (kIOReturnSuccess);
+}
+
+IOReturn IOUserClient::releaseNotificationPort(mach_port_t port)
+{
+    if (MACH_PORT_NULL != port)
+       iokit_release_port_send(port);
+
+    return (kIOReturnSuccess);
+}
+
  IOReturn IOUserClient::sendAsyncResult(OSAsyncReference reference,
                                         IOReturn result, void *args[], UInt32 numArgs)
  {
@@ -1131,8 +1278,7 @@ IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference,
             {
                 OSNotificationHeader64   notifyHdr;
                 IOAsyncCompletionContent asyncContent;
-               uint32_t                 pad;
-               io_user_reference_t      args[kMaxAsyncArgs];
+               io_user_reference_t      args[kMaxAsyncArgs] __attribute__ ((packed));
             } msg64;
         } m;
      };
@@ -1159,7 +1305,6 @@ IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference,
             sizeof(replyMsg.msgHdr) + sizeof(replyMsg.m.msg64) 
             - (kMaxAsyncArgs - numArgs) * sizeof(io_user_reference_t);
         replyMsg.m.msg64.notifyHdr.size = sizeof(IOAsyncCompletionContent)
-                                       + sizeof(uint32_t)
                                         + numArgs * sizeof(io_user_reference_t);
         replyMsg.m.msg64.notifyHdr.type = kIOAsyncCompletionNotificationType;
         bcopy(reference, replyMsg.m.msg64.notifyHdr.reference, sizeof(OSAsyncReference64));
@@ -1189,10 +1334,10 @@ IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference,
             replyMsg.m.msg32.args[idx] = REF32(args[idx]);
      }
  
-     kr = mach_msg_send_from_kernel( &replyMsg.msgHdr,
+     kr = mach_msg_send_from_kernel_proper( &replyMsg.msgHdr,
              replyMsg.msgHdr.msgh_size);
      if( KERN_SUCCESS != kr)
-        IOLog("%s: mach_msg_send_from_kernel {%x}\n", __FILE__, kr );
+        IOLog("%s: mach_msg_send_from_kernel_proper {%x}\n", __FILE__, kr );
      return kr;
  }
  
@@ -1212,16 +1357,16 @@ kern_return_t is_io_object_get_class(
         io_name_t className )
  {
         const OSMetaClass* my_obj = NULL;
-
-    if( !object)
-        return( kIOReturnBadArgument );
+       
+       if( !object)
+               return( kIOReturnBadArgument );
                 
         my_obj = object->getMetaClass();
         if (!my_obj) {
                 return (kIOReturnNotFound);
         }
         
-    strcpy( className, my_obj->getClassName());
+    strlcpy( className, my_obj->getClassName(), sizeof(io_name_t));
      return( kIOReturnSuccess );
  }
  
@@ -1405,9 +1550,9 @@ kern_return_t is_io_service_match_property_table_ool(
         kern_return_t *result,
         boolean_t *matches )
  {
-    kern_return_t      kr;
-    vm_offset_t        data;
-    vm_map_offset_t    map_data;
+    kern_return_t        kr;
+    vm_offset_t          data;
+    vm_map_offset_t      map_data;
  
      kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
      data = CAST_DOWN(vm_offset_t, map_data);
@@ -1528,10 +1673,9 @@ static kern_return_t internal_io_service_add_notification(
          if( !userNotify)
             continue;
  
-        notify = IOService::addNotification( sym, dict,
+        notify = IOService::addMatchingNotification( sym, dict,
                                               &userNotify->_handler, userNotify );
         if( notify) {
-            dict = 0;
              *notification = userNotify;
             userNotify->setNotification( notify );
             err = kIOReturnSuccess;
@@ -1649,6 +1793,7 @@ kern_return_t is_io_service_add_notification_old(
         io_name_t notification_type,
         io_string_t matching,
         mach_port_t port,
+       // for binary compatibility reasons, this must be natural_t for ILP32
         natural_t ref,
         io_object_t * notification )
  {
@@ -1753,6 +1898,7 @@ kern_return_t is_io_connect_get_notification_semaphore(
  {
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      return( client->getNotificationSemaphore( (UInt32) notification_type,
                                                semaphore ));
  }
@@ -1933,10 +2079,22 @@ kern_return_t is_io_registry_entry_get_location_in_plane(
          return( kIOReturnNotFound );
  }
  
+/* Routine io_registry_entry_get_registry_entry_id */
+kern_return_t is_io_registry_entry_get_registry_entry_id(
+       io_object_t registry_entry,
+       uint64_t *entry_id )
+{
+    CHECK( IORegistryEntry, registry_entry, entry );
+
+    *entry_id = entry->getRegistryEntryID();
+
+    return (kIOReturnSuccess);
+}
+
  // Create a vm_map_copy_t or kalloc'ed data for memory
  // to be copied out. ipc will free after the copyout.
  
-static kern_return_t copyoutkdata( void * data, vm_size_t len,
+static kern_return_t copyoutkdata( const void * data, vm_size_t len,
                                      io_buf_ptr_t * buf )
  {
      kern_return_t      err;
@@ -2150,11 +2308,17 @@ kern_return_t is_io_registry_entry_set_properties
          obj = OSUnserializeXML( (const char *) data );
         vm_deallocate( kernel_map, data, propertiesCnt );
  
-        if( obj) {
+       if (!obj)
+           res = kIOReturnBadArgument;
+#if CONFIG_MACF
+       else if (0 != mac_iokit_check_set_properties(kauth_cred_get(),
+           registry_entry, obj))
+           res = kIOReturnNotPermitted;
+#endif
+       else
              res = entry->setProperties( obj );
-            obj->release();
-        } else
-            res = kIOReturnBadArgument;
+       if (obj)
+           obj->release();
      } else
          res = err;
  
@@ -2205,11 +2369,15 @@ kern_return_t is_io_service_get_busy_state(
  /* Routine io_service_get_state */
  kern_return_t is_io_service_get_state(
         io_object_t _service,
-       uint64_t *state )
+       uint64_t *state,
+       uint32_t *busy_state,
+       uint64_t *accumulated_busy_time )
  {
      CHECK( IOService, _service, service );
  
-    *state = service->getState();
+    *state                 = service->getState();
+    *busy_state            = service->getBusyState();
+    *accumulated_busy_time = service->getAccumulatedBusyTime();
  
      return( kIOReturnSuccess );
  }
@@ -2219,9 +2387,15 @@ kern_return_t is_io_service_wait_quiet(
         io_object_t _service,
         mach_timespec_t wait_time )
  {
+    uint64_t    timeoutNS;
+    
      CHECK( IOService, _service, service );
  
-    return( service->waitQuiet( &wait_time ));
+    timeoutNS = wait_time.tv_sec;
+    timeoutNS *= kSecondScale;
+    timeoutNS += wait_time.tv_nsec;
+    
+    return( service->waitQuiet(timeoutNS) );
  }
  
  /* Routine io_service_request_probe */
@@ -2234,30 +2408,6 @@ kern_return_t is_io_service_request_probe(
      return( service->requestProbe( options ));
  }
  
-
-/* Routine io_service_open */
-kern_return_t is_io_service_open(
-       io_object_t _service,
-       task_t owningTask,
-       uint32_t connect_type,
-       io_object_t *connection )
-{
-    IOUserClient       *       client;
-    IOReturn                   err;
-
-    CHECK( IOService, _service, service );
-
-    err = service->newUserClient( owningTask, (void *) owningTask,
-               connect_type, 0, &client );
-
-    if( err == kIOReturnSuccess) {
-       assert( OSDynamicCast(IOUserClient, client) );
-       *connection = client;
-    }
-
-    return( err);
-}
-
  /* Routine io_service_open_ndr */
  kern_return_t is_io_service_open_extended(
         io_object_t _service,
@@ -2333,16 +2483,26 @@ kern_return_t is_io_service_open_extended(
             disallowAccess = (crossEndian
                 && (kOSBooleanTrue != service->getProperty(kIOUserClientCrossEndianCompatibleKey))
                 && (kOSBooleanTrue != client->getProperty(kIOUserClientCrossEndianCompatibleKey)));
-
-           if (disallowAccess)
+            if (disallowAccess) res = kIOReturnUnsupported;
+#if CONFIG_MACF
+           else if (0 != mac_iokit_check_open(kauth_cred_get(), client, connect_type))
+               res = kIOReturnNotPermitted;
+#endif
+           if (kIOReturnSuccess != res)
             {
+               IOStatisticsClientCall();
                 client->clientClose();
                 client->release();
                 client = 0;
-               res = kIOReturnUnsupported;
                 break;
             }
             client->sharedInstance = (0 != client->getProperty(kIOUserClientSharedInstanceKey));
+           OSString * creatorName = IOCopyLogNameForPID(proc_selfpid());
+           if (creatorName)
+           {
+               client->setProperty(kIOUserClientCreatorKey, creatorName);
+               creatorName->release();
+           }
         }
      }
      while (false);
@@ -2363,6 +2523,7 @@ kern_return_t is_io_service_close(
  
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      client->clientClose();
  
      return( kIOReturnSuccess );
@@ -2395,8 +2556,9 @@ kern_return_t is_io_connect_set_notification_port(
  {
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      return( client->registerNotificationPort( port, notification_type,
-                                               reference ));
+                                               (io_user_reference_t) reference ));
  }
  
  /* Routine io_connect_set_notification_port */
@@ -2408,6 +2570,7 @@ kern_return_t is_io_connect_set_notification_port_64(
  {
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      return( client->registerNotificationPort( port, notification_type,
                                                 reference ));
  }
@@ -2428,6 +2591,7 @@ kern_return_t is_io_connect_map_memory_into_task
  
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      map = client->mapClientMemory64( memory_type, into_task, flags, *address );
  
      if( map) {
@@ -2486,6 +2650,8 @@ kern_return_t is_io_connect_map_memory(
      return (err);
  }
  
+} /* extern "C" */
+
  IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem)
  {
      OSIterator *  iter;
@@ -2513,6 +2679,8 @@ IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem)
      return (map);
  }
  
+extern "C" {
+
  /* Routine io_connect_unmap_memory_from_task */
  kern_return_t is_io_connect_unmap_memory_from_task
  (
@@ -2528,6 +2696,7 @@ kern_return_t is_io_connect_unmap_memory_from_task
  
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      err = client->clientMemoryForType( (UInt32) memory_type, &options, &memory );
  
      if( memory && (kIOReturnSuccess == err)) {
@@ -2549,7 +2718,7 @@ kern_return_t is_io_connect_unmap_memory_from_task
                 name = IOMachPort::makeSendRightForTask( from_task, map, IKOT_IOKIT_OBJECT );
             if (name)
             {
-               map->unmap();
+               map->userClientUnmap();
                 err = iokit_mod_send_right( from_task, name, -2 );
                 err = kIOReturnSuccess;
             }
@@ -2590,6 +2759,7 @@ kern_return_t is_io_connect_add_client(
      CHECK( IOUserClient, connection, client );
      CHECK( IOUserClient, connect_to, to );
  
+    IOStatisticsClientCall();
      return( client->connectClient( to ) );
  }
  
@@ -2604,9 +2774,8 @@ kern_return_t is_io_connect_set_properties(
      return( is_io_registry_entry_set_properties( connection, properties, propertiesCnt, result ));
  }
  
-
  /* Routine io_user_client_method */
-kern_return_t is_io_connect_method
+kern_return_t is_io_connect_method_var_output
  (
         io_connect_t connection,
         uint32_t selector,
@@ -2616,12 +2785,104 @@ kern_return_t is_io_connect_method
         mach_msg_type_number_t inband_inputCnt,
         mach_vm_address_t ool_input,
         mach_vm_size_t ool_input_size,
+       io_struct_inband_t inband_output,
+       mach_msg_type_number_t *inband_outputCnt,
         io_scalar_inband64_t scalar_output,
         mach_msg_type_number_t *scalar_outputCnt,
+       io_buf_ptr_t *var_output,
+       mach_msg_type_number_t *var_outputCnt
+)
+{
+    CHECK( IOUserClient, connection, client );
+
+    IOExternalMethodArguments args;
+    IOReturn ret;
+    IOMemoryDescriptor * inputMD  = 0;
+    OSObject *           structureVariableOutputData = 0;
+
+    bzero(&args.__reserved[0], sizeof(args.__reserved));
+    args.version = kIOExternalMethodArgumentsCurrentVersion;
+
+    args.selector = selector;
+
+    args.asyncWakePort               = MACH_PORT_NULL;
+    args.asyncReference              = 0;
+    args.asyncReferenceCount         = 0;
+    args.structureVariableOutputData = &structureVariableOutputData;
+
+    args.scalarInput = scalar_input;
+    args.scalarInputCount = scalar_inputCnt;
+    args.structureInput = inband_input;
+    args.structureInputSize = inband_inputCnt;
+
+    if (ool_input)
+       inputMD = IOMemoryDescriptor::withAddressRange(ool_input, ool_input_size, 
+                                                   kIODirectionOut, current_task());
+
+    args.structureInputDescriptor = inputMD;
+
+    args.scalarOutput = scalar_output;
+    args.scalarOutputCount = *scalar_outputCnt;
+    args.structureOutput = inband_output;
+    args.structureOutputSize = *inband_outputCnt;
+    args.structureOutputDescriptor = NULL;
+    args.structureOutputDescriptorSize = 0;
+
+    IOStatisticsClientCall();
+    ret = client->externalMethod( selector, &args );
+
+    *scalar_outputCnt = args.scalarOutputCount;
+    *inband_outputCnt = args.structureOutputSize;
+
+    if (var_outputCnt && var_output && (kIOReturnSuccess == ret))
+    {
+       OSSerialize * serialize;
+       OSData      * data;
+       vm_size_t     len;
+
+       if ((serialize = OSDynamicCast(OSSerialize, structureVariableOutputData)))
+       {
+           len = serialize->getLength();
+           *var_outputCnt = len;
+           ret = copyoutkdata(serialize->text(), len, var_output);
+       }
+       else if ((data = OSDynamicCast(OSData, structureVariableOutputData)))
+       {
+           len = data->getLength();
+           *var_outputCnt = len;
+           ret = copyoutkdata(data->getBytesNoCopy(), len, var_output);
+       }
+       else
+       {
+           ret = kIOReturnUnderrun;
+       }
+    }
+
+    if (inputMD)
+       inputMD->release();
+    if (structureVariableOutputData)
+       structureVariableOutputData->release();
+
+    return (ret);
+}
+
+/* Routine io_user_client_method */
+kern_return_t is_io_connect_method
+(
+       io_connect_t connection,
+       uint32_t selector,
+       io_scalar_inband64_t scalar_input,
+       mach_msg_type_number_t scalar_inputCnt,
+       io_struct_inband_t inband_input,
+       mach_msg_type_number_t inband_inputCnt,
+       mach_vm_address_t ool_input,
+       mach_vm_size_t ool_input_size,
         io_struct_inband_t inband_output,
         mach_msg_type_number_t *inband_outputCnt,
+       io_scalar_inband64_t scalar_output,
+       mach_msg_type_number_t *scalar_outputCnt,
         mach_vm_address_t ool_output,
-       mach_vm_size_t * ool_output_size
+       mach_vm_size_t *ool_output_size
  )
  {
      CHECK( IOUserClient, connection, client );
@@ -2636,9 +2897,10 @@ kern_return_t is_io_connect_method
  
      args.selector = selector;
  
-    args.asyncWakePort       = MACH_PORT_NULL;
-    args.asyncReference      = 0;
-    args.asyncReferenceCount = 0;
+    args.asyncWakePort               = MACH_PORT_NULL;
+    args.asyncReference              = 0;
+    args.asyncReferenceCount         = 0;
+    args.structureVariableOutputData = 0;
  
      args.scalarInput = scalar_input;
      args.scalarInputCount = scalar_inputCnt;
@@ -2656,15 +2918,16 @@ kern_return_t is_io_connect_method
      args.structureOutput = inband_output;
      args.structureOutputSize = *inband_outputCnt;
  
-    if (ool_output)
+    if (ool_output && ool_output_size)
      {
         outputMD = IOMemoryDescriptor::withAddressRange(ool_output, *ool_output_size, 
                                                     kIODirectionIn, current_task());
      }
  
      args.structureOutputDescriptor = outputMD;
-    args.structureOutputDescriptorSize = *ool_output_size;
+    args.structureOutputDescriptorSize = ool_output_size ? *ool_output_size : 0;
  
+    IOStatisticsClientCall();
      ret = client->externalMethod( selector, &args );
  
      *scalar_outputCnt = args.scalarOutputCount;
@@ -2693,10 +2956,10 @@ kern_return_t is_io_connect_async_method
         mach_msg_type_number_t inband_inputCnt,
         mach_vm_address_t ool_input,
         mach_vm_size_t ool_input_size,
-       io_scalar_inband64_t scalar_output,
-       mach_msg_type_number_t *scalar_outputCnt,
         io_struct_inband_t inband_output,
         mach_msg_type_number_t *inband_outputCnt,
+       io_scalar_inband64_t scalar_output,
+       mach_msg_type_number_t *scalar_outputCnt,
         mach_vm_address_t ool_output,
         mach_vm_size_t * ool_output_size
  )
@@ -2746,6 +3009,7 @@ kern_return_t is_io_connect_async_method
      args.structureOutputDescriptor = outputMD;
      args.structureOutputDescriptorSize = *ool_output_size;
  
+    IOStatisticsClientCall();
      ret = client->externalMethod( selector, &args );
  
      *inband_outputCnt = args.structureOutputSize;
@@ -2783,8 +3047,8 @@ kern_return_t is_io_connect_method_scalarI_scalarO(
                     _input, inputCount, 
                     NULL, 0,
                     0, 0,
-                   _output, outputCount,
                     NULL, &struct_outputCnt,
+                   _output, outputCount,
                     0, &ool_output_size);
  
      for (i = 0; i < *outputCount; i++)
@@ -2902,8 +3166,8 @@ kern_return_t is_io_async_method_scalarI_scalarO(
                     _input, inputCount, 
                     NULL, 0,
                     0, 0,
-                   _output, outputCount,
                     NULL, &struct_outputCnt,
+                   _output, outputCount,
                     0, &ool_output_size);
  
      for (i = 0; i < *outputCount; i++)
@@ -2942,8 +3206,8 @@ kern_return_t is_io_async_method_scalarI_structureO(
                     _input, inputCount, 
                     NULL, 0,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     output, outputCount,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -2979,8 +3243,8 @@ kern_return_t is_io_async_method_scalarI_structureI(
                     _input, inputCount, 
                     inputStruct, inputStructCount,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     NULL, &inband_outputCnt,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3010,8 +3274,8 @@ kern_return_t is_io_async_method_structureI_structureO(
                     NULL, 0, 
                     input, inputCount,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     output, outputCount,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3130,8 +3394,8 @@ kern_return_t is_io_connect_method_scalarI_structureO(
                     _input, inputCount, 
                     NULL, 0,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     output, outputCount,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3142,7 +3406,7 @@ kern_return_t shim_io_connect_method_scalarI_structureO(
          const io_user_scalar_t * input,
          mach_msg_type_number_t inputCount,
          io_struct_inband_t             output,
-        mach_msg_type_number_t *       outputCount )
+        IOByteCount *  outputCount )
  {
      IOMethod           func;
      IOReturn           err;
@@ -3303,8 +3567,8 @@ kern_return_t is_io_connect_method_scalarI_structureI(
                     _input, inputCount, 
                     inputStruct, inputStructCount,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     NULL, &inband_outputCnt,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3476,8 +3740,8 @@ kern_return_t is_io_connect_method_structureI_structureO(
                     NULL, 0, 
                     input, inputCount,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     output, outputCount,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3487,7 +3751,7 @@ kern_return_t shim_io_connect_method_structureI_structureO(
          io_struct_inband_t             input,
          mach_msg_type_number_t inputCount,
          io_struct_inband_t             output,
-        mach_msg_type_number_t *       outputCount )
+        IOByteCount *  outputCount )
  {
      IOMethod           func;
      IOReturn           err = kIOReturnBadArgument;
@@ -3636,7 +3900,7 @@ kern_return_t is_io_make_matching(
              err = kIOReturnNoMemory;
             continue;
          } else
-            strcpy( matching, s->text());
+            strlcpy(matching, s->text(), sizeof(io_string_t));
      }
      while( false);
  
@@ -3665,15 +3929,19 @@ kern_return_t is_io_catalog_send_data(
      if( master_port != master_device_port)
          return kIOReturnNotPrivileged;
  
-    // FIXME: This is a hack. Should have own function for removeKernelLinker()
-    if( (flag != kIOCatalogRemoveKernelLinker && flag != kIOCatalogKextdFinishedLaunching) && ( !inData || !inDataCount) )
+    if( (flag != kIOCatalogRemoveKernelLinker && 
+            flag != kIOCatalogKextdActive &&
+            flag != kIOCatalogKextdFinishedLaunching) && 
+        ( !inData || !inDataCount) ) 
+    {
          return kIOReturnBadArgument;
+    }
  
      if (inData) {
          vm_map_offset_t map_data;
  
          kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t)inData);
-       data = CAST_DOWN(vm_offset_t, map_data);
+               data = CAST_DOWN(vm_offset_t, map_data);
  
          if( kr != KERN_SUCCESS)
              return kr;
@@ -3691,6 +3959,23 @@ kern_return_t is_io_catalog_send_data(
      }
  
      switch ( flag ) {
+        case kIOCatalogResetDrivers:
+        case kIOCatalogResetDriversNoMatch: {
+                OSArray * array;
+
+                array = OSDynamicCast(OSArray, obj);
+                if (array) {
+                    if ( !gIOCatalogue->resetAndAddDrivers(array, 
+                        flag == kIOCatalogResetDrivers) ) {
+
+                        kr = kIOReturnError;
+                    }
+                } else {
+                    kr = kIOReturnBadArgument;
+                }
+            }
+            break;
+
          case kIOCatalogAddDrivers: 
          case kIOCatalogAddDriversNoMatch: {
                  OSArray * array;
@@ -3740,21 +4025,31 @@ kern_return_t is_io_catalog_send_data(
              }
              break;
  
-        case kIOCatalogRemoveKernelLinker: {
-                if (gIOCatalogue->removeKernelLinker() != KERN_SUCCESS) {
-                    kr = kIOReturnError;
-                } else {
-                    kr = kIOReturnSuccess;
-                }
-            }
+        case kIOCatalogRemoveKernelLinker:
+            kr = KERN_NOT_SUPPORTED;
+            break;
+
+        case kIOCatalogKextdActive:
+#if !NO_KEXTD
+            IOServiceTrace(IOSERVICE_KEXTD_ALIVE, 0, 0, 0, 0);
+            OSKext::setKextdActive();
+
+           /* Dump all nonloaded startup extensions; kextd will now send them
+            * down on request.
+            */
+            OSKext::flushNonloadedKexts( /* flushPrelinkedKexts */ false);
+#endif
+            kr = kIOReturnSuccess;
              break;
  
          case kIOCatalogKextdFinishedLaunching: {
  #if !NO_KEXTD
                  static bool clearedBusy = false;
+
                  if (!clearedBusy) {
                      IOService * serviceRoot = IOService::getServiceRoot();
                      if (serviceRoot) {
+                        IOServiceTrace(IOSERVICE_KEXTD_READY, 0, 0, 0, 0);
                          serviceRoot->adjustBusy(-1);
                          clearedBusy = true;
                      }
@@ -3792,6 +4087,7 @@ kern_return_t is_io_catalog_terminate(
          return( kr );
  
      switch ( flag ) {
+#if !defined(SECURE_KERNEL)
          case kIOCatalogServiceTerminate:
              OSIterator *       iter;
              IOService *                service;
@@ -3821,6 +4117,7 @@ kern_return_t is_io_catalog_terminate(
              kr = gIOCatalogue->terminateDriversForModule(name,
                                          flag == kIOCatalogModuleUnload);
              break;
+#endif
  
          default:
              kr = kIOReturnBadArgument;
@@ -3892,7 +4189,9 @@ kern_return_t is_io_catalog_get_gen_count(
      return kIOReturnSuccess;
  }
  
-/* Routine io_catalog_module_loaded */
+/* Routine io_catalog_module_loaded.
+ * Is invoked from IOKitLib's IOCatalogueModuleLoaded(). Doesn't seem to be used.
+ */
  kern_return_t is_io_catalog_module_loaded(
          mach_port_t            master_port,
          io_name_t               name)
@@ -3957,11 +4256,14 @@ kern_return_t iokit_user_client_trap(struct iokit_user_client_trap_args *args)
      return result;
  }
  
+} /* extern "C" */
+
  IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArguments * args,
                                         IOExternalMethodDispatch * dispatch, OSObject * target, void * reference )
  {
      IOReturn    err;
      IOService * object;
+    IOByteCount structureOutputSize;
  
      if (dispatch)
      {
@@ -4002,6 +4304,7 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
         return (err);
      }
  
+
      // pre-Leopard API's don't do ool structs
      if (args->structureInputDescriptor || args->structureOutputDescriptor)
      {
@@ -4009,6 +4312,8 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
         return (err);
      }
  
+    structureOutputSize = args->structureOutputSize;
+
      if (args->asyncWakePort)
      {
         IOExternalAsyncMethod * method;
@@ -4016,6 +4321,13 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
         if( !(method = getAsyncTargetAndMethodForIndex(&object, selector)) )
             return (kIOReturnUnsupported);
  
+    if (kIOUCForegroundOnly & method->flags)
+    {
+       /* is graphics access denied for current task? */
+       if (proc_get_task_selfgpuacc_deny() != 0) 
+            return (kIOReturnNotPermitted);
+    }
+
         switch (method->flags & kIOUCTypeMask)
         {
             case kIOUCScalarIStructI:
@@ -4059,12 +4371,20 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
         if( !(method = getTargetAndMethodForIndex(&object, selector)) )
             return (kIOReturnUnsupported);
  
+    if (kIOUCForegroundOnly & method->flags)
+    {
+       /* is graphics access denied for current task? */
+       if (proc_get_task_selfgpuacc_deny() != 0) 
+            return (kIOReturnNotPermitted);
+    
+    }
+
         switch (method->flags & kIOUCTypeMask)
         {
             case kIOUCScalarIStructI:
                 err = shim_io_connect_method_scalarI_structureI( method, object,
                                         args->scalarInput, args->scalarInputCount,
-                                       (char *)args->structureInput, args->structureInputSize );
+                                       (char *) args->structureInput, args->structureInputSize );
                 break;
  
             case kIOUCScalarIScalarO:
@@ -4076,14 +4396,14 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
             case kIOUCScalarIStructO:
                 err = shim_io_connect_method_scalarI_structureO( method, object,
                                         args->scalarInput, args->scalarInputCount,
-                                       (char *) args->structureOutput, &args->structureOutputSize );
+                                       (char *) args->structureOutput, &structureOutputSize );
                 break;
  
  
             case kIOUCStructIStructO:
                 err = shim_io_connect_method_structureI_structureO( method, object,
-                                       (char *)args->structureInput, args->structureInputSize,
-                                       (char *) args->structureOutput, &args->structureOutputSize );
+                                       (char *) args->structureInput, args->structureInputSize,
+                                       (char *) args->structureOutput, &structureOutputSize );
                 break;
  
             default:
@@ -4091,14 +4411,20 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
                 break;
         }
      }
+
+    args->structureOutputSize = structureOutputSize;
+
      return (err);
  }
  
  
-};     /* extern "C" */
-
-OSMetaClassDefineReservedUsed(IOUserClient, 0);
+#if __LP64__
+OSMetaClassDefineReservedUnused(IOUserClient, 0);
  OSMetaClassDefineReservedUnused(IOUserClient, 1);
+#else
+OSMetaClassDefineReservedUsed(IOUserClient, 0);
+OSMetaClassDefineReservedUsed(IOUserClient, 1);
+#endif
  OSMetaClassDefineReservedUnused(IOUserClient, 2);
  OSMetaClassDefineReservedUnused(IOUserClient, 3);
  OSMetaClassDefineReservedUnused(IOUserClient, 4);