xnu-2782.1.97.tar.gz

[apple/xnu.git] / iokit / Kernel / IOUserClient.cpp
diff --git a/iokit/Kernel/IOUserClient.cpp b/iokit/Kernel/IOUserClient.cpp

index 7f2c78d1350a45dfbedfc11ebe50f8416c3326f7..9f3587844c70067f063d0b33023290b3287e823b 100644 (file)
--- a/iokit/Kernel/IOUserClient.cpp
+++ b/iokit/Kernel/IOUserClient.cpp
@@ -1,5 +1,5 @@
  /*
- * Copyright (c) 1998-2008 Apple Inc. All rights reserved.
+ * Copyright (c) 1998-2014 Apple Inc. All rights reserved.
   *
   * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   * 
@@ -37,8 +37,24 @@
  #include <IOKit/IOMemoryDescriptor.h>
  #include <IOKit/IOBufferMemoryDescriptor.h>
  #include <IOKit/IOLib.h>
+#include <IOKit/IOStatisticsPrivate.h>
+#include <IOKit/IOTimeStamp.h>
+#include <IOKit/system.h>
  #include <libkern/OSDebug.h>
  #include <sys/proc.h>
+#include <sys/kauth.h>
+#include <sys/codesign.h>
+
+#if CONFIG_MACF
+
+extern "C" {
+#include <security/mac_framework.h>
+};
+#include <sys/kauth.h>
+
+#define IOMACF_LOG 0
+
+#endif /* CONFIG_MACF */
  
  #include <IOKit/assert.h>
  
@@ -47,7 +63,7 @@
  
  #define SCALAR64(x) ((io_user_scalar_t)((unsigned int)x))
  #define SCALAR32(x) ((uint32_t )x)
-#define ARG32(x)    ((void *)SCALAR32(x))
+#define ARG32(x)    ((void *)(uintptr_t)SCALAR32(x))
  #define REF64(x)    ((io_user_reference_t)((UInt64)(x)))
  #define REF32(x)    ((int)(x))
  
@@ -57,6 +73,32 @@ enum
      kIOUCAsync64Flag = 1ULL
  };
  
+#if IOKITSTATS
+
+#define IOStatisticsRegisterCounter() \
+do { \
+       reserved->counter = IOStatistics::registerUserClient(this); \
+} while (0)
+
+#define IOStatisticsUnregisterCounter() \
+do { \
+       if (reserved) \
+               IOStatistics::unregisterUserClient(reserved->counter); \
+} while (0)
+
+#define IOStatisticsClientCall() \
+do { \
+       IOStatistics::countUserClientCall(client); \
+} while (0)
+
+#else
+
+#define IOStatisticsRegisterCounter()
+#define IOStatisticsUnregisterCounter()
+#define IOStatisticsClientCall()
+
+#endif /* IOKITSTATS */
+
  /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
  
  // definitions we should get from osfmk
@@ -331,7 +373,6 @@ public:
  };
  
  /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
-
  extern "C" {
  
  // functions called from osfmk/device/iokit_rpc.c
@@ -383,9 +424,11 @@ iokit_client_died( io_object_t obj, ipc_port_t /* port */,
  
      if( IKOT_IOKIT_CONNECT == type)
      {
-       if( (client = OSDynamicCast( IOUserClient, obj )))
+       if( (client = OSDynamicCast( IOUserClient, obj ))) {
+               IOStatisticsClientCall();
             client->clientDied();
      }
+    }
      else if( IKOT_IOKIT_OBJECT == type)
      {
         if( (map = OSDynamicCast( IOMemoryMap, obj )))
@@ -538,6 +581,9 @@ bool IOServiceUserNotification::init( mach_port_t port, natural_t type,
                                        void * reference, vm_size_t referenceSize,
                                        bool clientIs64 )
  {
+    if( !super::init())
+        return( false );
+
      newSet = OSArray::withCapacity( 1 );
      if( !newSet)
          return( false );
@@ -563,7 +609,7 @@ bool IOServiceUserNotification::init( mach_port_t port, natural_t type,
      pingMsg->notifyHeader.type = type;
      bcopy( reference, pingMsg->notifyHeader.reference, referenceSize );
  
-    return( super::init() );
+    return( true );
  }
  
  void IOServiceUserNotification::free( void )
@@ -580,8 +626,12 @@ void IOServiceUserNotification::free( void )
  
      super::free();
  
-    if( _pingMsg && _msgSize)
-        IOFree( _pingMsg, _msgSize);
+    if( _pingMsg && _msgSize) {
+               if (_pingMsg->msgHdr.msgh_remote_port) {
+                       iokit_release_port_send(_pingMsg->msgHdr.msgh_remote_port);
+               }
+        IOFree(_pingMsg, _msgSize);
+       }
  
      if( _lastEntry)
          _lastEntry->release();
@@ -625,8 +675,10 @@ bool IOServiceUserNotification::handler( void * ref,
         else
              pingMsg->msgHdr.msgh_local_port = NULL;
  
-        kr = mach_msg_send_from_kernel_proper( &pingMsg->msgHdr,
-                                        pingMsg->msgHdr.msgh_size);
+        kr = mach_msg_send_from_kernel_with_options( &pingMsg->msgHdr,
+                                                    pingMsg->msgHdr.msgh_size,
+                                                    (MACH_SEND_MSG | MACH_SEND_ALWAYS | MACH_SEND_IMPORTANCE),
+                                                    0);
         if( port)
             iokit_release_port( port );
  
@@ -673,6 +725,8 @@ bool IOServiceMessageUserNotification::init( mach_port_t port, natural_t type,
                                 void * reference, vm_size_t referenceSize, vm_size_t extraSize,
                                 bool client64 )
  {
+    if( !super::init())
+        return( false );
  
      if (referenceSize > sizeof(OSAsyncReference64))
          return( false );
@@ -707,7 +761,7 @@ bool IOServiceMessageUserNotification::init( mach_port_t port, natural_t type,
      pingMsg->notifyHeader.type                 = type;
      bcopy( reference, pingMsg->notifyHeader.reference, referenceSize );
  
-    return( super::init() );
+    return( true );
  }
  
  void IOServiceMessageUserNotification::free( void )
@@ -720,8 +774,12 @@ void IOServiceMessageUserNotification::free( void )
  
      super::free();
  
-    if( _pingMsg && _msgSize)
+    if( _pingMsg && _msgSize) {
+               if (_pingMsg->msgHdr.msgh_remote_port) {
+                       iokit_release_port_send(_pingMsg->msgHdr.msgh_remote_port);
+               }
          IOFree( _pingMsg, _msgSize);
+       }
  }
  
  IOReturn IOServiceMessageUserNotification::_handler( void * target, void * ref,
@@ -744,8 +802,8 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref,
  
      if (kIOMessageCopyClientID == messageType)
      {
-       *((void **) messageArgument) = IOCopyLogNameForPID(owningPID);
-       return (kIOReturnSuccess);
+        *((void **) messageArgument) = OSNumber::withNumber(owningPID, 32);
+        return (kIOReturnSuccess);
      }
  
      data->messageType = messageType;
@@ -767,6 +825,15 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref,
              argSize = kIOUserNotifyMaxMessageSize;
          bcopy( messageArgument, data->messageArgument, argSize );
      }
+
+    // adjust message size for ipc restrictions
+    natural_t type;
+    type = pingMsg->notifyHeader.type;
+    type &= ~(kIOKitNoticationMsgSizeMask << kIOKitNoticationTypeSizeAdjShift);
+    type |= ((argSize & kIOKitNoticationMsgSizeMask) << kIOKitNoticationTypeSizeAdjShift);
+    pingMsg->notifyHeader.type = type;
+    argSize = (argSize + kIOKitNoticationMsgSizeMask) & ~kIOKitNoticationMsgSizeMask;
+
      pingMsg->msgHdr.msgh_size = msgSize - pingMsg->notifyHeader.size
          + sizeof( IOServiceInterestContent64 )
          - sizeof( data->messageArgument)
@@ -776,8 +843,10 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref,
      pingMsg->ports[0].name = providerPort;
      thisPort = iokit_port_for_object( this, IKOT_IOKIT_OBJECT );
      pingMsg->msgHdr.msgh_local_port = thisPort;
-    kr = mach_msg_send_from_kernel_proper( &pingMsg->msgHdr,
-                                   pingMsg->msgHdr.msgh_size);
+    kr = mach_msg_send_from_kernel_with_options( &pingMsg->msgHdr,
+                                                pingMsg->msgHdr.msgh_size,
+                                                (MACH_SEND_MSG | MACH_SEND_ALWAYS | MACH_SEND_IMPORTANCE),
+                                                0);
      if( thisPort)
         iokit_release_port( thisPort );
      if( providerPort)
@@ -827,6 +896,16 @@ void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef,
      asyncRef[kIOAsyncCalloutRefconIndex] = refcon;
  }
  
+void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef,
+                                       mach_port_t wakePort,
+                                       mach_vm_address_t callback, io_user_reference_t refcon, task_t task)
+{
+    setAsyncReference64(asyncRef, wakePort, callback, refcon);
+    if (vm_map_is_64bit(get_task_map(task))) {
+            asyncRef[kIOAsyncReservedIndex] |= kIOUCAsync64Flag;
+    }
+}
+
  static OSDictionary * CopyConsoleUser(UInt32 uid)
  {
         OSArray * array;
@@ -851,6 +930,52 @@ static OSDictionary * CopyConsoleUser(UInt32 uid)
      return user;
  }
  
+static OSDictionary * CopyUserOnConsole(void)
+{
+    OSArray * array;
+    OSDictionary * user = 0; 
+    
+    if ((array = OSDynamicCast(OSArray,
+       IORegistryEntry::getRegistryRoot()->copyProperty(gIOConsoleUsersKey))))
+    {
+       for (unsigned int idx = 0;
+               (user = OSDynamicCast(OSDictionary, array->getObject(idx)));
+               idx++)
+       {
+           if (kOSBooleanTrue == user->getObject(gIOConsoleSessionOnConsoleKey))
+           {
+               user->retain();
+               break;
+           }
+       }
+       array->release();
+    }
+    return (user);
+}
+
+IOReturn IOUserClient::clientHasAuthorization( task_t task,
+                                               IOService * service )
+{
+    proc_t p;
+    
+    p = (proc_t) get_bsdtask_info(task);
+    if (p)
+    {
+        uint64_t authorizationID;
+
+        authorizationID = proc_uniqueid(p);
+        if (authorizationID)
+        {
+            if (service->getAuthorizationID() == authorizationID)
+            {
+                return (kIOReturnSuccess);
+            }
+        }
+    }
+
+    return (kIOReturnNotPermitted);
+}
+
  IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
                                              const char * privilegeName )
  {
@@ -861,12 +986,52 @@ IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
      OSDictionary *          user;
      bool                    secureConsole;
  
+
+    if (!strncmp(privilegeName, kIOClientPrivilegeForeground, 
+                sizeof(kIOClientPrivilegeForeground)))
+    {
+       if (task_is_gpu_denied(current_task()))
+               return (kIOReturnNotPrivileged);
+       else
+               return (kIOReturnSuccess);
+    }
+
+    if (!strncmp(privilegeName, kIOClientPrivilegeConsoleSession,
+                                sizeof(kIOClientPrivilegeConsoleSession)))
+    {
+       kauth_cred_t cred;
+       proc_t       p;
+
+        task = (task_t) securityToken;
+       if (!task)
+           task = current_task();
+       p = (proc_t) get_bsdtask_info(task);
+       kr = kIOReturnNotPrivileged;
+
+       if (p && (cred = kauth_cred_proc_ref(p)))
+       {
+           user = CopyUserOnConsole();
+           if (user)
+           {
+               OSNumber * num;
+               if ((num = OSDynamicCast(OSNumber, user->getObject(gIOConsoleSessionAuditIDKey)))
+                 && (cred->cr_audit.as_aia_p->ai_asid == (au_asid_t) num->unsigned32BitValue()))
+               {
+                   kr = kIOReturnSuccess;
+               }
+               user->release();
+           }
+           kauth_cred_unref(&cred);
+       }
+       return (kr);
+    }
+
      if ((secureConsole = !strncmp(privilegeName, kIOClientPrivilegeSecureConsoleProcess,
              sizeof(kIOClientPrivilegeSecureConsoleProcess))))
          task = (task_t)((IOUCProcessToken *)securityToken)->token;
      else
          task = (task_t)securityToken;
-    
+
      count = TASK_SECURITY_TOKEN_COUNT;
      kr = task_info( task, TASK_SECURITY_TOKEN, (task_info_t) &token, &count );
  
@@ -904,30 +1069,106 @@ IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
      return (kr);
  }
  
+OSObject * IOUserClient::copyClientEntitlement( task_t task,
+                                                const char * entitlement )
+{
+#define        MAX_ENTITLEMENTS_LEN    (128 * 1024)
+
+       proc_t p = NULL;
+       pid_t pid = 0;
+       char procname[MAXCOMLEN + 1] = "";
+       size_t len = 0;
+       void *entitlements_blob = NULL;
+       char *entitlements_data = NULL;
+       OSObject *entitlements_obj = NULL;
+       OSDictionary *entitlements = NULL;
+       OSString *errorString = NULL;
+       OSObject *value = NULL;
+
+       p = (proc_t)get_bsdtask_info(task);
+       if (p == NULL)
+               goto fail;
+       pid = proc_pid(p);
+       proc_name(pid, procname, (int)sizeof(procname));
+
+       if (cs_entitlements_blob_get(p, &entitlements_blob, &len) != 0)
+               goto fail;
+
+       if (len <= offsetof(CS_GenericBlob, data))
+               goto fail;
+
+       /*
+        * Per <rdar://problem/11593877>, enforce a limit on the amount of XML
+        * we'll try to parse in the kernel.
+        */
+       len -= offsetof(CS_GenericBlob, data);
+       if (len > MAX_ENTITLEMENTS_LEN) {
+               IOLog("failed to parse entitlements for %s[%u]: %lu bytes of entitlements exceeds maximum of %u\n", procname, pid, len, MAX_ENTITLEMENTS_LEN);
+               goto fail;
+       }
+
+       /*
+        * OSUnserializeXML() expects a nul-terminated string, but that isn't
+        * what is stored in the entitlements blob.  Copy the string and
+        * terminate it.
+        */
+       entitlements_data = (char *)IOMalloc(len + 1);
+       if (entitlements_data == NULL)
+               goto fail;
+       memcpy(entitlements_data, ((CS_GenericBlob *)entitlements_blob)->data, len);
+       entitlements_data[len] = '\0';
+
+       entitlements_obj = OSUnserializeXML(entitlements_data, len + 1, &errorString);
+       if (errorString != NULL) {
+               IOLog("failed to parse entitlements for %s[%u]: %s\n", procname, pid, errorString->getCStringNoCopy());
+               goto fail;
+       }
+       if (entitlements_obj == NULL)
+               goto fail;
+
+       entitlements = OSDynamicCast(OSDictionary, entitlements_obj);
+       if (entitlements == NULL)
+               goto fail;
+
+       /* Fetch the entitlement value from the dictionary. */
+       value = entitlements->getObject(entitlement);
+       if (value != NULL)
+               value->retain();
+
+fail:
+       if (entitlements_data != NULL)
+               IOFree(entitlements_data, len + 1);
+       if (entitlements_obj != NULL)
+               entitlements_obj->release();
+       if (errorString != NULL)
+               errorString->release();
+       return value;
+}
+
  bool IOUserClient::init()
  {
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init();
+       if (getPropertyTable() || super::init())
+               return reserve();
+       
+       return false;
  }
  
  bool IOUserClient::init(OSDictionary * dictionary)
  {
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init(dictionary);
+       if (getPropertyTable() || super::init(dictionary))
+               return reserve();
+       
+       return false;
  }
  
  bool IOUserClient::initWithTask(task_t owningTask,
                                  void * securityID,
                                  UInt32 type )
-{
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init();
+{      
+       if (getPropertyTable() || super::init())
+               return reserve();
+       
+       return false;
  }
  
  bool IOUserClient::initWithTask(task_t owningTask,
@@ -943,11 +1184,30 @@ bool IOUserClient::initWithTask(task_t owningTask,
      return( ok );
  }
  
+bool IOUserClient::reserve()
+{              
+    if(!reserved) {
+       reserved = IONew(ExpansionData, 1);
+       if (!reserved) {
+           return false;
+       }
+    }
+    setTerminateDefer(NULL, true);
+    IOStatisticsRegisterCounter();
+    
+    return true;
+}
+
  void IOUserClient::free()
  {
      if( mappings)
          mappings->release();
+               
+    IOStatisticsUnregisterCounter();
  
+    if (reserved)
+        IODelete(reserved, ExpansionData, 1);
+               
      super::free();
  }
  
@@ -1041,7 +1301,6 @@ IOReturn IOUserClient::exportObjectToClient(task_t task,
      mach_port_name_t   name;
  
      name = IOMachPort::makeSendRightForTask( task, obj, IKOT_IOKIT_OBJECT );
-    assert( name );
  
      *(mach_port_name_t *)clientObj = name;
      return kIOReturnSuccess;
@@ -1135,8 +1394,20 @@ IOReturn IOUserClient::sendAsyncResult(OSAsyncReference reference,
      return (sendAsyncResult64(reference64, result, args64, numArgs));
  }
  
+IOReturn IOUserClient::sendAsyncResult64WithOptions(OSAsyncReference64 reference,
+                                        IOReturn result, io_user_reference_t args[], UInt32 numArgs, IOOptionBits options)
+{
+       return _sendAsyncResult64(reference, result, args, numArgs, options);
+}
+
  IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference,
                                          IOReturn result, io_user_reference_t args[], UInt32 numArgs)
+{
+        return _sendAsyncResult64(reference, result, args, numArgs, 0);
+}
+
+IOReturn IOUserClient::_sendAsyncResult64(OSAsyncReference64 reference,
+                                        IOReturn result, io_user_reference_t args[], UInt32 numArgs, IOOptionBits options)
  {
      struct ReplyMsg
      {
@@ -1209,9 +1480,15 @@ IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference,
             replyMsg.m.msg32.args[idx] = REF32(args[idx]);
      }
  
-     kr = mach_msg_send_from_kernel_proper( &replyMsg.msgHdr,
-            replyMsg.msgHdr.msgh_size);
-    if( KERN_SUCCESS != kr)
+       if ((options & kIOUserNotifyOptionCanDrop) != 0) { 
+               kr = mach_msg_send_from_kernel_with_options( &replyMsg.msgHdr,
+                                                                                replyMsg.msgHdr.msgh_size, MACH_SEND_TIMEOUT, MACH_MSG_TIMEOUT_NONE);
+       } else {
+               /* Fail on full queue. */
+               kr = mach_msg_send_from_kernel_proper( &replyMsg.msgHdr,
+                                                                                replyMsg.msgHdr.msgh_size);
+       }
+    if ((KERN_SUCCESS != kr) && (MACH_SEND_TIMED_OUT != kr))
          IOLog("%s: mach_msg_send_from_kernel_proper {%x}\n", __FILE__, kr );
      return kr;
  }
@@ -1226,6 +1503,17 @@ extern "C" {
         if( !(out = OSDynamicCast( cls, obj)))  \
             return( kIOReturnBadArgument )
  
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+/* Routine io_server_version */
+kern_return_t is_io_server_version(
+       mach_port_t master_port,
+       uint64_t *version)
+{
+    *version = IOKIT_SERVER_VERSION;
+    return (kIOReturnSuccess);
+}
+
  /* Routine io_object_get_class */
  kern_return_t is_io_object_get_class(
         io_object_t object,
@@ -1391,11 +1679,12 @@ kern_return_t is_io_iterator_is_valid(
      return( kIOReturnSuccess );
  }
  
-/* Routine io_service_match_property_table */
-kern_return_t is_io_service_match_property_table(
+
+static kern_return_t internal_io_service_match_property_table(
         io_service_t _service,
-       io_string_t matching,
-       boolean_t *matches )
+       const char * matching,
+       mach_msg_type_number_t matching_size,
+       boolean_t *matches)
  {
      CHECK( IOService, _service, service );
  
@@ -1403,8 +1692,8 @@ kern_return_t is_io_service_match_property_table(
      OSObject *         obj;
      OSDictionary *     dict;
  
-    obj = OSUnserializeXML( matching );
-
+    obj = matching_size ? OSUnserializeXML(matching, matching_size)
+                       : OSUnserializeXML(matching);
      if( (dict = OSDynamicCast( OSDictionary, obj))) {
          *matches = service->passiveMatch( dict );
         kr = kIOReturnSuccess;
@@ -1417,6 +1706,16 @@ kern_return_t is_io_service_match_property_table(
      return( kr );
  }
  
+/* Routine io_service_match_property_table */
+kern_return_t is_io_service_match_property_table(
+       io_service_t service,
+       io_string_t matching,
+       boolean_t *matches )
+{
+    return (internal_io_service_match_property_table(service, matching, 0, matches));
+}
+
+
  /* Routine io_service_match_property_table_ool */
  kern_return_t is_io_service_match_property_table_ool(
         io_object_t service,
@@ -1434,18 +1733,28 @@ kern_return_t is_io_service_match_property_table_ool(
  
      if( KERN_SUCCESS == kr) {
          // must return success after vm_map_copyout() succeeds
-       *result = is_io_service_match_property_table( service,
-               (char *) data, matches );
+       *result = internal_io_service_match_property_table(service,
+               (const char *)data, matchingCnt, matches );
         vm_deallocate( kernel_map, data, matchingCnt );
      }
  
      return( kr );
  }
  
-/* Routine io_service_get_matching_services */
-kern_return_t is_io_service_get_matching_services(
+/* Routine io_service_match_property_table_bin */
+kern_return_t is_io_service_match_property_table_bin(
+       io_object_t service,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       boolean_t *matches)
+{
+    return (internal_io_service_match_property_table(service, matching, matchingCnt, matches));
+}
+
+static kern_return_t internal_io_service_get_matching_services(
         mach_port_t master_port,
-       io_string_t matching,
+       const char * matching,
+       mach_msg_type_number_t matching_size,
         io_iterator_t *existing )
  {
      kern_return_t      kr;
@@ -1455,8 +1764,8 @@ kern_return_t is_io_service_get_matching_services(
      if( master_port != master_device_port)
          return( kIOReturnNotPrivileged);
  
-    obj = OSUnserializeXML( matching );
-
+    obj = matching_size ? OSUnserializeXML(matching, matching_size)
+                       : OSUnserializeXML(matching);
      if( (dict = OSDynamicCast( OSDictionary, obj))) {
          *existing = IOService::getMatchingServices( dict );
         kr = kIOReturnSuccess;
@@ -1469,6 +1778,15 @@ kern_return_t is_io_service_get_matching_services(
      return( kr );
  }
  
+/* Routine io_service_get_matching_services */
+kern_return_t is_io_service_get_matching_services(
+       mach_port_t master_port,
+       io_string_t matching,
+       io_iterator_t *existing )
+{
+    return (internal_io_service_get_matching_services(master_port, matching, 0, existing));
+}
+
  /* Routine io_service_get_matching_services_ool */
  kern_return_t is_io_service_get_matching_services_ool(
         mach_port_t master_port,
@@ -1486,18 +1804,101 @@ kern_return_t is_io_service_get_matching_services_ool(
  
      if( KERN_SUCCESS == kr) {
          // must return success after vm_map_copyout() succeeds
-       *result = is_io_service_get_matching_services( master_port,
-                       (char *) data, existing );
+       *result = internal_io_service_get_matching_services(master_port,
+                       (const char *) data, matchingCnt, existing);
+       vm_deallocate( kernel_map, data, matchingCnt );
+    }
+
+    return( kr );
+}
+
+/* Routine io_service_get_matching_services_bin */
+kern_return_t is_io_service_get_matching_services_bin(
+       mach_port_t master_port,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       io_object_t *existing)
+{
+    return (internal_io_service_get_matching_services(master_port, matching, matchingCnt, existing));
+}
+
+
+static kern_return_t internal_io_service_get_matching_service(
+       mach_port_t master_port,
+       const char * matching,
+       mach_msg_type_number_t matching_size,
+       io_service_t *service )
+{
+    kern_return_t      kr;
+    OSObject *         obj;
+    OSDictionary *     dict;
+
+    if( master_port != master_device_port)
+        return( kIOReturnNotPrivileged);
+
+    obj = matching_size ? OSUnserializeXML(matching, matching_size)
+                       : OSUnserializeXML(matching);
+    if( (dict = OSDynamicCast( OSDictionary, obj))) {
+        *service = IOService::copyMatchingService( dict );
+       kr = *service ? kIOReturnSuccess : kIOReturnNotFound;
+    } else
+       kr = kIOReturnBadArgument;
+
+    if( obj)
+        obj->release();
+
+    return( kr );
+}
+
+/* Routine io_service_get_matching_service */
+kern_return_t is_io_service_get_matching_service(
+       mach_port_t master_port,
+       io_string_t matching,
+       io_service_t *service )
+{
+    return (internal_io_service_get_matching_service(master_port, matching, 0, service));
+}
+
+/* Routine io_service_get_matching_services_ool */
+kern_return_t is_io_service_get_matching_service_ool(
+       mach_port_t master_port,
+       io_buf_ptr_t matching,
+       mach_msg_type_number_t matchingCnt,
+       kern_return_t *result,
+       io_object_t *service )
+{
+    kern_return_t      kr;
+    vm_offset_t        data;
+    vm_map_offset_t    map_data;
+
+    kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
+    data = CAST_DOWN(vm_offset_t, map_data);
+
+    if( KERN_SUCCESS == kr) {
+        // must return success after vm_map_copyout() succeeds
+       *result = internal_io_service_get_matching_service(master_port,
+                       (const char *) data, matchingCnt, service );
         vm_deallocate( kernel_map, data, matchingCnt );
      }
  
      return( kr );
  }
  
+/* Routine io_service_get_matching_service_bin */
+kern_return_t is_io_service_get_matching_service_bin(
+       mach_port_t master_port,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       io_object_t *service)
+{
+    return (internal_io_service_get_matching_service(master_port, matching, matchingCnt, service));
+}
+
  static kern_return_t internal_io_service_add_notification(
         mach_port_t master_port,
         io_name_t notification_type,
-       io_string_t matching,
+       const char * matching,
+       size_t matching_size,
         mach_port_t port,
         void * reference,
         vm_size_t referenceSize,
@@ -1511,7 +1912,6 @@ static kern_return_t internal_io_service_add_notification(
      IOReturn                   err;
      unsigned long int          userMsgType;
  
-
      if( master_port != master_device_port)
          return( kIOReturnNotPrivileged);
  
@@ -1521,8 +1921,16 @@ static kern_return_t internal_io_service_add_notification(
          if( !(sym = OSSymbol::withCString( notification_type )))
             err = kIOReturnNoResources;
  
-        if( !(dict = OSDynamicCast( OSDictionary,
-                    OSUnserializeXML( matching )))) {
+       if (matching_size)
+       {
+            dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching, matching_size));
+       }
+       else
+       {
+           dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching));
+       }
+
+        if (!dict) {
              err = kIOReturnBadArgument;
             continue;
         }
@@ -1542,6 +1950,7 @@ static kern_return_t internal_io_service_add_notification(
  
          if( userNotify && !userNotify->init( port, userMsgType,
                                               reference, referenceSize, client64)) {
+                       iokit_release_port_send(port);
              userNotify->release();
              userNotify = 0;
          }
@@ -1579,7 +1988,7 @@ kern_return_t is_io_service_add_notification(
         io_object_t * notification )
  {
      return (internal_io_service_add_notification(master_port, notification_type, 
-               matching, port, &reference[0], sizeof(io_async_ref_t),
+               matching, 0, port, &reference[0], sizeof(io_async_ref_t),
                 false, notification));
  }
  
@@ -1594,10 +2003,43 @@ kern_return_t is_io_service_add_notification_64(
         io_object_t *notification )
  {
      return (internal_io_service_add_notification(master_port, notification_type, 
-               matching, wake_port, &reference[0], sizeof(io_async_ref64_t),
+               matching, 0, wake_port, &reference[0], sizeof(io_async_ref64_t),
                 true, notification));
  }
  
+/* Routine io_service_add_notification_bin */
+kern_return_t is_io_service_add_notification_bin
+(
+       mach_port_t master_port,
+       io_name_t notification_type,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       mach_port_t wake_port,
+       io_async_ref_t reference,
+       mach_msg_type_number_t referenceCnt,
+       io_object_t *notification)
+{
+    return (internal_io_service_add_notification(master_port, notification_type, 
+               matching, matchingCnt, wake_port, &reference[0], sizeof(io_async_ref_t),
+               false, notification));
+}
+
+/* Routine io_service_add_notification_bin_64 */
+kern_return_t is_io_service_add_notification_bin_64
+(
+       mach_port_t master_port,
+       io_name_t notification_type,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       mach_port_t wake_port,
+       io_async_ref64_t reference,
+       mach_msg_type_number_t referenceCnt,
+       io_object_t *notification)
+{
+    return (internal_io_service_add_notification(master_port, notification_type, 
+               matching, matchingCnt, wake_port, &reference[0], sizeof(io_async_ref64_t),
+               true, notification));
+}
  
  static kern_return_t internal_io_service_add_notification_ool(
         mach_port_t master_port,
@@ -1621,7 +2063,7 @@ static kern_return_t internal_io_service_add_notification_ool(
      if( KERN_SUCCESS == kr) {
          // must return success after vm_map_copyout() succeeds
         *result = internal_io_service_add_notification( master_port, notification_type,
-                       (char *) data, wake_port, reference, referenceSize, client64, notification );
+                       (char *) data, matchingCnt, wake_port, reference, referenceSize, client64, notification );
         vm_deallocate( kernel_map, data, matchingCnt );
      }
  
@@ -1703,6 +2145,7 @@ static kern_return_t internal_io_service_add_interest_notification(
                                               reference, referenceSize,
                                              kIOUserNotifyMaxMessageSize,
                                              client64 )) {
+                       iokit_release_port_send(port);
              userNotify->release();
              userNotify = 0;
          }
@@ -1760,7 +2203,7 @@ kern_return_t is_io_service_acknowledge_notification(
  {
      CHECK( IOService, _service, service );
  
-    return( service->acknowledgeNotification( (IONotificationRef) notify_ref,
+    return( service->acknowledgeNotification( (IONotificationRef)(uintptr_t) notify_ref,
                                                (IOOptionBits) response ));
      
  }
@@ -1773,6 +2216,7 @@ kern_return_t is_io_connect_get_notification_semaphore(
  {
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      return( client->getNotificationSemaphore( (UInt32) notification_type,
                                                semaphore ));
  }
@@ -1968,7 +2412,7 @@ kern_return_t is_io_registry_entry_get_registry_entry_id(
  // Create a vm_map_copy_t or kalloc'ed data for memory
  // to be copied out. ipc will free after the copyout.
  
-static kern_return_t copyoutkdata( void * data, vm_size_t len,
+static kern_return_t copyoutkdata( const void * data, vm_size_t len,
                                      io_buf_ptr_t * buf )
  {
      kern_return_t      err;
@@ -2003,6 +2447,11 @@ kern_return_t is_io_registry_entry_get_property_bytes(
  
      CHECK( IORegistryEntry, registry_entry, entry );
  
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
      obj = entry->copyProperty(property_name);
      if( !obj)
          return( kIOReturnNoResources );
@@ -2060,6 +2509,11 @@ kern_return_t is_io_registry_entry_get_property(
  
      CHECK( IORegistryEntry, registry_entry, entry );
  
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
      obj = entry->copyProperty(property_name);
      if( !obj)
          return( kIOReturnNotFound );
@@ -2069,7 +2523,6 @@ kern_return_t is_io_registry_entry_get_property(
          obj->release();
         return( kIOReturnNoMemory );
      }
-    s->clearText();
  
      if( obj->serialize( s )) {
          len = s->getLength();
@@ -2100,6 +2553,11 @@ kern_return_t is_io_registry_entry_get_property_recursively(
  
      CHECK( IORegistryEntry, registry_entry, entry );
  
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
      obj = entry->copyProperty( property_name,
                                 IORegistryEntry::getPlane( plane ), options);
      if( !obj)
@@ -2111,8 +2569,6 @@ kern_return_t is_io_registry_entry_get_property_recursively(
         return( kIOReturnNoMemory );
      }
  
-    s->clearText();
-
      if( obj->serialize( s )) {
          len = s->getLength();
          *propertiesCnt = len;
@@ -2127,32 +2583,218 @@ kern_return_t is_io_registry_entry_get_property_recursively(
      return( err );
  }
  
-/* Routine io_registry_entry_get_properties */
-kern_return_t is_io_registry_entry_get_properties(
-       io_object_t registry_entry,
-       io_buf_ptr_t *properties,
-       mach_msg_type_number_t *propertiesCnt )
+#if CONFIG_MACF
+
+static kern_return_t
+filteredProperties(IORegistryEntry *entry, OSDictionary *properties, OSDictionary **filteredp)
  {
-    kern_return_t      err;
-    vm_size_t          len;
+    kern_return_t      err = 0;
+    OSDictionary       *filtered = NULL;
+    OSCollectionIterator *iter = NULL;
+    OSSymbol           *key;
+    OSObject           *p;
+    kauth_cred_t       cred = kauth_cred_get();
  
-    CHECK( IORegistryEntry, registry_entry, entry );
+    if (properties == NULL)
+       return kIOReturnUnsupported;
  
-    OSSerialize * s = OSSerialize::withCapacity(4096);
-    if( !s)
-       return( kIOReturnNoMemory );
+    if ((iter = OSCollectionIterator::withCollection(properties)) == NULL ||
+        (filtered = OSDictionary::withCapacity(properties->getCapacity())) == NULL) {
+       err = kIOReturnNoMemory;
+       goto out;
+    }
+
+    while ((p = iter->getNextObject()) != NULL) {
+       if ((key = OSDynamicCast(OSSymbol, p)) == NULL ||
+           mac_iokit_check_get_property(cred, entry, key->getCStringNoCopy()) != 0)
+           continue;
+       filtered->setObject(key, properties->getObject(key));
+    }
+
+out:
+    if (iter != NULL)
+       iter->release();
+    *filteredp = filtered;
+    return err;
+}
+
+#endif
+
+/* Routine io_registry_entry_get_properties */
+kern_return_t is_io_registry_entry_get_properties(
+       io_object_t registry_entry,
+       io_buf_ptr_t *properties,
+       mach_msg_type_number_t *propertiesCnt )
+{
+    kern_return_t      err = 0;
+    vm_size_t          len;
+
+    CHECK( IORegistryEntry, registry_entry, entry );
+
+    OSSerialize * s = OSSerialize::withCapacity(4096);
+    if( !s)
+       return( kIOReturnNoMemory );
+
+    if (!entry->serializeProperties(s))
+       err = kIOReturnUnsupported;
+
+#if CONFIG_MACF
+    if (!err && mac_iokit_check_filter_properties(kauth_cred_get(), entry)) {
+       OSObject *propobj = OSUnserializeXML(s->text(), s->getLength());
+       OSDictionary *filteredprops = NULL;
+       err = filteredProperties(entry, OSDynamicCast(OSDictionary, propobj), &filteredprops);
+       if (propobj) propobj->release();
+
+       if (!err) {
+           s->clearText();
+           if (!filteredprops->serialize(s))
+               err = kIOReturnUnsupported;
+       }
+       if (filteredprops != NULL)
+           filteredprops->release();
+    }
+#endif /* CONFIG_MACF */
+
+    if (!err) {
+       len = s->getLength();
+       *propertiesCnt = len;
+       err = copyoutkdata( s->text(), len, properties );
+    }
+
+    s->release();
+    return( err );
+}
+
+#if CONFIG_MACF
+
+struct GetPropertiesEditorRef
+{
+    kauth_cred_t      cred;
+    IORegistryEntry * entry;
+    OSCollection    * root;
+};
+
+static const OSMetaClassBase *
+GetPropertiesEditor(void                  * reference,
+                                       OSSerialize           * s, 
+                                       OSCollection          * container, 
+                                       const OSSymbol        * name,
+                                       const OSMetaClassBase * value)
+{
+    GetPropertiesEditorRef * ref = (typeof(ref)) reference;
+
+    if (!ref->root) ref->root = container;
+    if (ref->root == container)
+       {
+               if (0 != mac_iokit_check_get_property(ref->cred, ref->entry, name->getCStringNoCopy())) 
+               {
+                       value = 0;
+               }
+       }
+       if (value) value->retain();
+    return (value);
+}
+
+#endif /* CONFIG_MACF */
+
+/* Routine io_registry_entry_get_properties */
+kern_return_t is_io_registry_entry_get_properties_bin(
+       io_object_t registry_entry,
+       io_buf_ptr_t *properties,
+       mach_msg_type_number_t *propertiesCnt)
+{
+    kern_return_t             err = kIOReturnSuccess;
+    vm_size_t                 len;
+    OSSerialize          * s;
+    OSSerialize::Editor    editor = 0;
+    void                 * editRef = 0;
+
+    CHECK(IORegistryEntry, registry_entry, entry);
+
+#if CONFIG_MACF
+    GetPropertiesEditorRef ref;
+    if (mac_iokit_check_filter_properties(kauth_cred_get(), entry))
+    {
+       editor    = &GetPropertiesEditor;
+       editRef   = &ref;
+       ref.cred  = kauth_cred_get();
+       ref.entry = entry;
+       ref.root  = 0;
+    }
+#endif
+
+    s = OSSerialize::binaryWithCapacity(4096, editor, editRef);
+    if (!s) return (kIOReturnNoMemory);
+
+    if (!entry->serializeProperties(s)) err = kIOReturnUnsupported;
+
+    if (kIOReturnSuccess == err)
+    {
+               len = s->getLength();
+               *propertiesCnt = len;
+               err = copyoutkdata(s->text(), len, properties);
+    }
+    s->release();
+
+    return (err);
+}
+
+/* Routine io_registry_entry_get_property_bin */
+kern_return_t is_io_registry_entry_get_property_bin(
+       io_object_t registry_entry,
+       io_name_t plane,
+       io_name_t property_name,
+       uint32_t options,
+       io_buf_ptr_t *properties,
+       mach_msg_type_number_t *propertiesCnt )
+{
+    kern_return_t      err;
+    vm_size_t          len;
+    OSObject *         obj;
+    const OSSymbol *    sym;
+
+    CHECK( IORegistryEntry, registry_entry, entry );
+
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
+    if ((kIORegistryIterateRecursively & options) && plane[0])
+    {
+       obj = entry->copyProperty(property_name,
+                                 IORegistryEntry::getPlane(plane), options);
+    }
+    else
+    {
+       obj = entry->copyProperty(property_name);
+    }
+
+    if( !obj)
+        return( kIOReturnNotFound );
  
-    s->clearText();
+    sym = OSSymbol::withCString(property_name);
+    if (sym)
+    {
+        if (gIORemoveOnReadProperties->containsObject(sym)) entry->removeProperty(sym);
+        sym->release();
+    }
  
-    if( entry->serializeProperties( s )) {
+    OSSerialize * s = OSSerialize::binaryWithCapacity(4096);
+    if( !s) {
+        obj->release();
+       return( kIOReturnNoMemory );
+    }
+
+    if( obj->serialize( s )) {
          len = s->getLength();
          *propertiesCnt = len;
          err = copyoutkdata( s->text(), len, properties );
  
-    } else
-        err = kIOReturnUnsupported;
+    } else err = kIOReturnUnsupported; 
  
      s->release();
+    obj->release();
  
      return( err );
  }
@@ -2173,20 +2815,34 @@ kern_return_t is_io_registry_entry_set_properties
  
      CHECK( IORegistryEntry, registry_entry, entry );
  
+    if( propertiesCnt > sizeof(io_struct_inband_t) * 1024)
+        return( kIOReturnMessageTooLarge);
+
      err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
      data = CAST_DOWN(vm_offset_t, map_data);
  
      if( KERN_SUCCESS == err) {
  
          // must return success after vm_map_copyout() succeeds
-        obj = OSUnserializeXML( (const char *) data );
+        obj = OSUnserializeXML( (const char *) data, propertiesCnt );
         vm_deallocate( kernel_map, data, propertiesCnt );
  
-        if( obj) {
-            res = entry->setProperties( obj );
-            obj->release();
-        } else
-            res = kIOReturnBadArgument;
+       if (!obj)
+           res = kIOReturnBadArgument;
+#if CONFIG_MACF
+       else if (0 != mac_iokit_check_set_properties(kauth_cred_get(),
+           registry_entry, obj))
+       {
+           res = kIOReturnNotPermitted;
+       }
+#endif
+       else
+       {
+           res = entry->setProperties( obj );
+       }
+
+       if (obj)
+           obj->release();
      } else
          res = err;
  
@@ -2276,28 +2932,33 @@ kern_return_t is_io_service_request_probe(
      return( service->requestProbe( options ));
  }
  
-
-/* Routine io_service_open */
-kern_return_t is_io_service_open(
+/* Routine io_service_get_authorization_id */
+kern_return_t is_io_service_get_authorization_id(
         io_object_t _service,
-       task_t owningTask,
-       uint32_t connect_type,
-       io_object_t *connection )
+       uint64_t *authorization_id )
  {
-    IOUserClient       *       client;
-    IOReturn                   err;
+    kern_return_t         kr;
  
      CHECK( IOService, _service, service );
  
-    err = service->newUserClient( owningTask, (void *) owningTask,
-               connect_type, 0, &client );
+    kr = IOUserClient::clientHasPrivilege( (void *) current_task(),
+                                            kIOClientPrivilegeAdministrator );
+    if( kIOReturnSuccess != kr)
+        return( kr );
  
-    if( err == kIOReturnSuccess) {
-       assert( OSDynamicCast(IOUserClient, client) );
-       *connection = client;
-    }
+    *authorization_id = service->getAuthorizationID();
  
-    return( err);
+    return( kr );
+}
+
+/* Routine io_service_set_authorization_id */
+kern_return_t is_io_service_set_authorization_id(
+       io_object_t _service,
+       uint64_t authorization_id )
+{
+    CHECK( IOService, _service, service );
+
+    return( service->setAuthorizationID( authorization_id ) );
  }
  
  /* Routine io_service_open_ndr */
@@ -2328,13 +2989,16 @@ kern_return_t is_io_service_open_extended(
             vm_offset_t     data;
             vm_map_offset_t map_data;
  
+           if( propertiesCnt > sizeof(io_struct_inband_t))
+               return( kIOReturnMessageTooLarge);
+
             err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
             res = err;
             data = CAST_DOWN(vm_offset_t, map_data);
             if (KERN_SUCCESS == err)
             {
                 // must return success after vm_map_copyout() succeeds
-               obj = OSUnserializeXML( (const char *) data );
+               obj = OSUnserializeXML( (const char *) data, propertiesCnt );
                 vm_deallocate( kernel_map, data, propertiesCnt );
                 propertiesDict = OSDynamicCast(OSDictionary, obj);
                 if (!propertiesDict)
@@ -2375,13 +3039,17 @@ kern_return_t is_io_service_open_extended(
             disallowAccess = (crossEndian
                 && (kOSBooleanTrue != service->getProperty(kIOUserClientCrossEndianCompatibleKey))
                 && (kOSBooleanTrue != client->getProperty(kIOUserClientCrossEndianCompatibleKey)));
-
-           if (disallowAccess)
+            if (disallowAccess) res = kIOReturnUnsupported;
+#if CONFIG_MACF
+           else if (0 != mac_iokit_check_open(kauth_cred_get(), client, connect_type))
+               res = kIOReturnNotPermitted;
+#endif
+           if (kIOReturnSuccess != res)
             {
+               IOStatisticsClientCall();
                 client->clientClose();
                 client->release();
                 client = 0;
-               res = kIOReturnUnsupported;
                 break;
             }
             client->sharedInstance = (0 != client->getProperty(kIOUserClientSharedInstanceKey));
@@ -2391,6 +3059,7 @@ kern_return_t is_io_service_open_extended(
                 client->setProperty(kIOUserClientCreatorKey, creatorName);
                 creatorName->release();
             }
+           client->setTerminateDefer(service, false);
         }
      }
      while (false);
@@ -2411,6 +3080,7 @@ kern_return_t is_io_service_close(
  
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      client->clientClose();
  
      return( kIOReturnSuccess );
@@ -2443,6 +3113,7 @@ kern_return_t is_io_connect_set_notification_port(
  {
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      return( client->registerNotificationPort( port, notification_type,
                                                 (io_user_reference_t) reference ));
  }
@@ -2456,6 +3127,7 @@ kern_return_t is_io_connect_set_notification_port_64(
  {
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      return( client->registerNotificationPort( port, notification_type,
                                                 reference ));
  }
@@ -2476,6 +3148,7 @@ kern_return_t is_io_connect_map_memory_into_task
  
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      map = client->mapClientMemory64( memory_type, into_task, flags, *address );
  
      if( map) {
@@ -2490,7 +3163,6 @@ kern_return_t is_io_connect_map_memory_into_task
             mach_port_name_t name __unused =
                 IOMachPort::makeSendRightForTask(
                                      into_task, map, IKOT_IOKIT_OBJECT );
-            assert( name );
  
          } else {
              // keep it with the user client
@@ -2515,8 +3187,8 @@ kern_return_t is_io_connect_map_memory(
         io_object_t     connect,
         uint32_t        type,
         task_t          task,
-       vm_address_t *  mapAddr,
-       vm_size_t    *  mapSize,
+       uint32_t  *     mapAddr,
+       uint32_t  *     mapSize,
         uint32_t        flags )
  {
      IOReturn         err;
@@ -2534,6 +3206,8 @@ kern_return_t is_io_connect_map_memory(
      return (err);
  }
  
+} /* extern "C" */
+
  IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem)
  {
      OSIterator *  iter;
@@ -2561,6 +3235,8 @@ IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem)
      return (map);
  }
  
+extern "C" {
+
  /* Routine io_connect_unmap_memory_from_task */
  kern_return_t is_io_connect_unmap_memory_from_task
  (
@@ -2576,6 +3252,7 @@ kern_return_t is_io_connect_unmap_memory_from_task
  
      CHECK( IOUserClient, connection, client );
  
+    IOStatisticsClientCall();
      err = client->clientMemoryForType( (UInt32) memory_type, &options, &memory );
  
      if( memory && (kIOReturnSuccess == err)) {
@@ -2617,7 +3294,7 @@ kern_return_t is_io_connect_unmap_memory(
         io_object_t     connect,
         uint32_t        type,
         task_t          task,
-       vm_address_t    mapAddr )
+       uint32_t        mapAddr )
  {
      IOReturn           err;
      mach_vm_address_t   address;
@@ -2638,6 +3315,7 @@ kern_return_t is_io_connect_add_client(
      CHECK( IOUserClient, connection, client );
      CHECK( IOUserClient, connect_to, to );
  
+    IOStatisticsClientCall();
      return( client->connectClient( to ) );
  }
  
@@ -2652,9 +3330,8 @@ kern_return_t is_io_connect_set_properties(
      return( is_io_registry_entry_set_properties( connection, properties, propertiesCnt, result ));
  }
  
-
  /* Routine io_user_client_method */
-kern_return_t is_io_connect_method
+kern_return_t is_io_connect_method_var_output
  (
         io_connect_t connection,
         uint32_t selector,
@@ -2664,12 +3341,105 @@ kern_return_t is_io_connect_method
         mach_msg_type_number_t inband_inputCnt,
         mach_vm_address_t ool_input,
         mach_vm_size_t ool_input_size,
+       io_struct_inband_t inband_output,
+       mach_msg_type_number_t *inband_outputCnt,
         io_scalar_inband64_t scalar_output,
         mach_msg_type_number_t *scalar_outputCnt,
+       io_buf_ptr_t *var_output,
+       mach_msg_type_number_t *var_outputCnt
+)
+{
+    CHECK( IOUserClient, connection, client );
+
+    IOExternalMethodArguments args;
+    IOReturn ret;
+    IOMemoryDescriptor * inputMD  = 0;
+    OSObject *           structureVariableOutputData = 0;
+
+    bzero(&args.__reserved[0], sizeof(args.__reserved));
+    args.version = kIOExternalMethodArgumentsCurrentVersion;
+
+    args.selector = selector;
+
+    args.asyncWakePort               = MACH_PORT_NULL;
+    args.asyncReference              = 0;
+    args.asyncReferenceCount         = 0;
+    args.structureVariableOutputData = &structureVariableOutputData;
+
+    args.scalarInput = scalar_input;
+    args.scalarInputCount = scalar_inputCnt;
+    args.structureInput = inband_input;
+    args.structureInputSize = inband_inputCnt;
+
+    if (ool_input)
+       inputMD = IOMemoryDescriptor::withAddressRange(ool_input, ool_input_size, 
+                                                   kIODirectionOut, current_task());
+
+    args.structureInputDescriptor = inputMD;
+
+    args.scalarOutput = scalar_output;
+    args.scalarOutputCount = *scalar_outputCnt;
+    bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0]));
+    args.structureOutput = inband_output;
+    args.structureOutputSize = *inband_outputCnt;
+    args.structureOutputDescriptor = NULL;
+    args.structureOutputDescriptorSize = 0;
+
+    IOStatisticsClientCall();
+    ret = client->externalMethod( selector, &args );
+
+    *scalar_outputCnt = args.scalarOutputCount;
+    *inband_outputCnt = args.structureOutputSize;
+
+    if (var_outputCnt && var_output && (kIOReturnSuccess == ret))
+    {
+       OSSerialize * serialize;
+       OSData      * data;
+       vm_size_t     len;
+
+       if ((serialize = OSDynamicCast(OSSerialize, structureVariableOutputData)))
+       {
+           len = serialize->getLength();
+           *var_outputCnt = len;
+           ret = copyoutkdata(serialize->text(), len, var_output);
+       }
+       else if ((data = OSDynamicCast(OSData, structureVariableOutputData)))
+       {
+           len = data->getLength();
+           *var_outputCnt = len;
+           ret = copyoutkdata(data->getBytesNoCopy(), len, var_output);
+       }
+       else
+       {
+           ret = kIOReturnUnderrun;
+       }
+    }
+
+    if (inputMD)
+       inputMD->release();
+    if (structureVariableOutputData)
+       structureVariableOutputData->release();
+
+    return (ret);
+}
+
+/* Routine io_user_client_method */
+kern_return_t is_io_connect_method
+(
+       io_connect_t connection,
+       uint32_t selector,
+       io_scalar_inband64_t scalar_input,
+       mach_msg_type_number_t scalar_inputCnt,
+       io_struct_inband_t inband_input,
+       mach_msg_type_number_t inband_inputCnt,
+       mach_vm_address_t ool_input,
+       mach_vm_size_t ool_input_size,
         io_struct_inband_t inband_output,
         mach_msg_type_number_t *inband_outputCnt,
+       io_scalar_inband64_t scalar_output,
+       mach_msg_type_number_t *scalar_outputCnt,
         mach_vm_address_t ool_output,
-       mach_vm_size_t * ool_output_size
+       mach_vm_size_t *ool_output_size
  )
  {
      CHECK( IOUserClient, connection, client );
@@ -2684,9 +3454,10 @@ kern_return_t is_io_connect_method
  
      args.selector = selector;
  
-    args.asyncWakePort       = MACH_PORT_NULL;
-    args.asyncReference      = 0;
-    args.asyncReferenceCount = 0;
+    args.asyncWakePort               = MACH_PORT_NULL;
+    args.asyncReference              = 0;
+    args.asyncReferenceCount         = 0;
+    args.structureVariableOutputData = 0;
  
      args.scalarInput = scalar_input;
      args.scalarInputCount = scalar_inputCnt;
@@ -2701,18 +3472,20 @@ kern_return_t is_io_connect_method
  
      args.scalarOutput = scalar_output;
      args.scalarOutputCount = *scalar_outputCnt;
+    bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0]));
      args.structureOutput = inband_output;
      args.structureOutputSize = *inband_outputCnt;
  
-    if (ool_output)
+    if (ool_output && ool_output_size)
      {
         outputMD = IOMemoryDescriptor::withAddressRange(ool_output, *ool_output_size, 
                                                     kIODirectionIn, current_task());
      }
  
      args.structureOutputDescriptor = outputMD;
-    args.structureOutputDescriptorSize = *ool_output_size;
+    args.structureOutputDescriptorSize = ool_output_size ? *ool_output_size : 0;
  
+    IOStatisticsClientCall();
      ret = client->externalMethod( selector, &args );
  
      *scalar_outputCnt = args.scalarOutputCount;
@@ -2741,10 +3514,10 @@ kern_return_t is_io_connect_async_method
         mach_msg_type_number_t inband_inputCnt,
         mach_vm_address_t ool_input,
         mach_vm_size_t ool_input_size,
-       io_scalar_inband64_t scalar_output,
-       mach_msg_type_number_t *scalar_outputCnt,
         io_struct_inband_t inband_output,
         mach_msg_type_number_t *inband_outputCnt,
+       io_scalar_inband64_t scalar_output,
+       mach_msg_type_number_t *scalar_outputCnt,
         mach_vm_address_t ool_output,
         mach_vm_size_t * ool_output_size
  )
@@ -2782,6 +3555,7 @@ kern_return_t is_io_connect_async_method
  
      args.scalarOutput = scalar_output;
      args.scalarOutputCount = *scalar_outputCnt;
+    bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0]));
      args.structureOutput = inband_output;
      args.structureOutputSize = *inband_outputCnt;
  
@@ -2794,6 +3568,7 @@ kern_return_t is_io_connect_async_method
      args.structureOutputDescriptor = outputMD;
      args.structureOutputDescriptorSize = *ool_output_size;
  
+    IOStatisticsClientCall();
      ret = client->externalMethod( selector, &args );
  
      *inband_outputCnt = args.structureOutputSize;
@@ -2824,6 +3599,7 @@ kern_return_t is_io_connect_method_scalarI_scalarO(
      mach_msg_type_number_t struct_outputCnt = 0;
      mach_vm_size_t ool_output_size = 0;
  
+    bzero(&_output[0], sizeof(_output));
      for (i = 0; i < inputCount; i++)
         _input[i] = SCALAR64(input[i]);
         
@@ -2831,8 +3607,8 @@ kern_return_t is_io_connect_method_scalarI_scalarO(
                     _input, inputCount, 
                     NULL, 0,
                     0, 0,
-                   _output, outputCount,
                     NULL, &struct_outputCnt,
+                   _output, outputCount,
                     0, &ool_output_size);
  
      for (i = 0; i < *outputCount; i++)
@@ -2854,6 +3630,7 @@ kern_return_t shim_io_connect_method_scalarI_scalarO(
      IOReturn           err;
      err = kIOReturnBadArgument;
  
+    bzero(&_output[0], sizeof(_output));
      do {
  
         if( inputCount != method->count0)
@@ -2935,6 +3712,7 @@ kern_return_t is_io_async_method_scalarI_scalarO(
      io_scalar_inband64_t _output;
      io_async_ref64_t _reference;
  
+    bzero(&_output[0], sizeof(_output));
      for (i = 0; i < referenceCnt; i++)
         _reference[i] = REF64(reference[i]);
  
@@ -2950,8 +3728,8 @@ kern_return_t is_io_async_method_scalarI_scalarO(
                     _input, inputCount, 
                     NULL, 0,
                     0, 0,
-                   _output, outputCount,
                     NULL, &struct_outputCnt,
+                   _output, outputCount,
                     0, &ool_output_size);
  
      for (i = 0; i < *outputCount; i++)
@@ -2990,8 +3768,8 @@ kern_return_t is_io_async_method_scalarI_structureO(
                     _input, inputCount, 
                     NULL, 0,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     output, outputCount,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3027,8 +3805,8 @@ kern_return_t is_io_async_method_scalarI_structureI(
                     _input, inputCount, 
                     inputStruct, inputStructCount,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     NULL, &inband_outputCnt,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3058,8 +3836,8 @@ kern_return_t is_io_async_method_structureI_structureO(
                     NULL, 0, 
                     input, inputCount,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     output, outputCount,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3081,6 +3859,7 @@ kern_return_t shim_io_async_method_scalarI_scalarO(
      IOReturn           err;
      io_async_ref_t     reference;
  
+    bzero(&_output[0], sizeof(_output));
      for (i = 0; i < asyncReferenceCount; i++)
         reference[i] = REF32(asyncReference[i]);
  
@@ -3178,8 +3957,8 @@ kern_return_t is_io_connect_method_scalarI_structureO(
                     _input, inputCount, 
                     NULL, 0,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     output, outputCount,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3351,8 +4130,8 @@ kern_return_t is_io_connect_method_scalarI_structureI(
                     _input, inputCount, 
                     inputStruct, inputStructCount,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     NULL, &inband_outputCnt,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3394,25 +4173,25 @@ kern_return_t shim_io_connect_method_scalarI_structureI(
             case 4:
                 err = (object->*func)( ARG32(input[0]), ARG32(input[1]), (void *)  input[2],
                                         ARG32(input[3]),
-                                       inputStruct, (void *)inputStructCount );
+                                       inputStruct, (void *)(uintptr_t)inputStructCount );
                 break;
             case 3:
                 err = (object->*func)( ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
-                                       inputStruct, (void *)inputStructCount,
+                                       inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0 );
                 break;
             case 2:
                 err = (object->*func)( ARG32(input[0]), ARG32(input[1]),
-                                       inputStruct, (void *)inputStructCount,
+                                       inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0, 0 );
                 break;
             case 1:
                 err = (object->*func)( ARG32(input[0]),
-                                       inputStruct, (void *)inputStructCount,
+                                       inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0, 0, 0 );
                 break;
             case 0:
-               err = (object->*func)( inputStruct, (void *)inputStructCount,
+               err = (object->*func)( inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0, 0, 0, 0 );
                 break;
  
@@ -3473,29 +4252,29 @@ kern_return_t shim_io_async_method_scalarI_structureI(
                  err = (object->*func)( reference,
                                          ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
                                          ARG32(input[3]),
-                                        inputStruct, (void *)inputStructCount );
+                                        inputStruct, (void *)(uintptr_t)inputStructCount );
                  break;
              case 3:
                  err = (object->*func)( reference,
                                          ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                          0 );
                  break;
              case 2:
                  err = (object->*func)( reference,
                                          ARG32(input[0]), ARG32(input[1]),
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                          0, 0 );
                  break;
              case 1:
                  err = (object->*func)( reference,
                                          ARG32(input[0]),
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                          0, 0, 0 );
                  break;
              case 0:
                  err = (object->*func)( reference,
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                          0, 0, 0, 0 );
                  break;
  
@@ -3524,8 +4303,8 @@ kern_return_t is_io_connect_method_structureI_structureO(
                     NULL, 0, 
                     input, inputCount,
                     0, 0,
-                   NULL, &scalar_outputCnt,
                     output, outputCount,
+                   NULL, &scalar_outputCnt,
                     0, &ool_output_size));
  }
  
@@ -3560,12 +4339,12 @@ kern_return_t shim_io_connect_method_structureI_structureO(
         if( method->count1) {
             if( method->count0) {
                 err = (object->*func)( input, output,
-                                       (void *)inputCount, outputCount, 0, 0 );
+                                       (void *)(uintptr_t)inputCount, outputCount, 0, 0 );
             } else {
                 err = (object->*func)( output, outputCount, 0, 0, 0, 0 );
             }
         } else {
-               err = (object->*func)( input, (void *)inputCount, 0, 0, 0, 0 );
+               err = (object->*func)( input, (void *)(uintptr_t)inputCount, 0, 0, 0, 0 );
         }
      }
      while( false);
@@ -3615,84 +4394,18 @@ kern_return_t shim_io_async_method_structureI_structureO(
              if( method->count0) {
                  err = (object->*func)( reference,
                                         input, output,
-                                        (void *)inputCount, outputCount, 0, 0 );
+                                        (void *)(uintptr_t)inputCount, outputCount, 0, 0 );
              } else {
                  err = (object->*func)( reference,
                                         output, outputCount, 0, 0, 0, 0 );
              }
          } else {
                  err = (object->*func)( reference,
-                                       input, (void *)inputCount, 0, 0, 0, 0 );
-        }
-    }
-    while( false);
-
-    return( err);
-}
-
-/* Routine io_make_matching */
-kern_return_t is_io_make_matching(
-       mach_port_t         master_port,
-       uint32_t            type,
-       uint32_t                options,
-        io_struct_inband_t     input,
-        mach_msg_type_number_t inputCount,
-       io_string_t     matching )
-{
-    OSSerialize *      s;
-    IOReturn           err = kIOReturnSuccess;
-    OSDictionary *     dict;
-
-    if( master_port != master_device_port)
-        return( kIOReturnNotPrivileged);
-
-    switch( type) {
-
-       case kIOServiceMatching:
-            dict = IOService::serviceMatching( gIOServiceKey );
-           break;
-
-       case kIOBSDNameMatching:
-           dict = IOBSDNameMatching( (const char *) input );
-           break;
-
-       case kIOOFPathMatching:
-           dict = IOOFPathMatching( (const char *) input,
-                                    matching, sizeof( io_string_t));
-           break;
-
-       default:
-           dict = 0;
-    }
-
-    if( !dict)
-       return( kIOReturnUnsupported);
-
-    do {
-        s = OSSerialize::withCapacity(4096);
-        if( !s) {
-            err = kIOReturnNoMemory;
-           continue;
-       }
-        s->clearText();
-        if( !dict->serialize( s )) {
-            err = kIOReturnUnsupported;
-           continue;
+                                       input, (void *)(uintptr_t)inputCount, 0, 0, 0, 0 );
          }
-
-        if( s->getLength() > sizeof( io_string_t)) {
-            err = kIOReturnNoMemory;
-           continue;
-        } else
-            strlcpy(matching, s->text(), sizeof(io_string_t));
      }
      while( false);
  
-    if( s)
-       s->release();
-    if( dict)
-       dict->release();
-
      return( err);
  }
  
@@ -3724,6 +4437,9 @@ kern_return_t is_io_catalog_send_data(
      if (inData) {
          vm_map_offset_t map_data;
  
+        if( inDataCount > sizeof(io_struct_inband_t) * 1024)
+            return( kIOReturnMessageTooLarge);
+
          kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t)inData);
                 data = CAST_DOWN(vm_offset_t, map_data);
  
@@ -3733,7 +4449,7 @@ kern_return_t is_io_catalog_send_data(
          // must return success after vm_map_copyout() succeeds
  
          if( inDataCount ) {
-            obj = (OSObject *)OSUnserializeXML((const char *)data);
+            obj = (OSObject *)OSUnserializeXML((const char *)data, inDataCount);
              vm_deallocate( kernel_map, data, inDataCount );
              if( !obj) {
                  *result = kIOReturnNoMemory;
@@ -3743,6 +4459,23 @@ kern_return_t is_io_catalog_send_data(
      }
  
      switch ( flag ) {
+        case kIOCatalogResetDrivers:
+        case kIOCatalogResetDriversNoMatch: {
+                OSArray * array;
+
+                array = OSDynamicCast(OSArray, obj);
+                if (array) {
+                   if ( !gIOCatalogue->resetAndAddDrivers(array,
+                        flag == kIOCatalogResetDrivers) ) {
+
+                        kr = kIOReturnError;
+                    }
+                } else {
+                    kr = kIOReturnBadArgument;
+                }
+            }
+            break;
+
          case kIOCatalogAddDrivers: 
          case kIOCatalogAddDriversNoMatch: {
                  OSArray * array;
@@ -3798,6 +4531,7 @@ kern_return_t is_io_catalog_send_data(
  
          case kIOCatalogKextdActive:
  #if !NO_KEXTD
+            IOServiceTrace(IOSERVICE_KEXTD_ALIVE, 0, 0, 0, 0);
              OSKext::setKextdActive();
  
             /* Dump all nonloaded startup extensions; kextd will now send them
@@ -3815,6 +4549,7 @@ kern_return_t is_io_catalog_send_data(
                  if (!clearedBusy) {
                      IOService * serviceRoot = IOService::getServiceRoot();
                      if (serviceRoot) {
+                        IOServiceTrace(IOSERVICE_KEXTD_READY, 0, 0, 0, 0);
                          serviceRoot->adjustBusy(-1);
                          clearedBusy = true;
                      }
@@ -3852,6 +4587,7 @@ kern_return_t is_io_catalog_terminate(
          return( kr );
  
      switch ( flag ) {
+#if !defined(SECURE_KERNEL)
          case kIOCatalogServiceTerminate:
              OSIterator *       iter;
              IOService *                service;
@@ -3881,6 +4617,7 @@ kern_return_t is_io_catalog_terminate(
              kr = gIOCatalogue->terminateDriversForModule(name,
                                          flag == kIOCatalogModuleUnload);
              break;
+#endif
  
          default:
              kr = kIOReturnBadArgument;
@@ -3909,8 +4646,6 @@ kern_return_t is_io_catalog_get_data(
      if ( !s )
          return kIOReturnNoMemory;
  
-    s->clearText();
-
      kr = gIOCatalogue->serializeData(flag, s);
  
      if ( kr == kIOReturnSuccess ) {
@@ -4019,6 +4754,8 @@ kern_return_t iokit_user_client_trap(struct iokit_user_client_trap_args *args)
      return result;
  }
  
+} /* extern "C" */
+
  IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArguments * args,
                                         IOExternalMethodDispatch * dispatch, OSObject * target, void * reference )
  {
@@ -4082,6 +4819,12 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
         if( !(method = getAsyncTargetAndMethodForIndex(&object, selector)) )
             return (kIOReturnUnsupported);
  
+    if (kIOUCForegroundOnly & method->flags)
+    {
+       if (task_is_gpu_denied(current_task()))
+            return (kIOReturnNotPermitted);
+    }
+
         switch (method->flags & kIOUCTypeMask)
         {
             case kIOUCScalarIStructI:
@@ -4125,6 +4868,12 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
         if( !(method = getTargetAndMethodForIndex(&object, selector)) )
             return (kIOReturnUnsupported);
  
+    if (kIOUCForegroundOnly & method->flags)
+    {
+       if (task_is_gpu_denied(current_task()))
+            return (kIOReturnNotPermitted);
+    }
+
         switch (method->flags & kIOUCTypeMask)
         {
             case kIOUCScalarIStructI:
@@ -4164,8 +4913,6 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
  }
  
  
-};     /* extern "C" */
-
  #if __LP64__
  OSMetaClassDefineReservedUnused(IOUserClient, 0);
  OSMetaClassDefineReservedUnused(IOUserClient, 1);