]> git.saurik.com Git - apple/xnu.git/blobdiff - iokit/Kernel/IOUserClient.cpp
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-2782.1.97.tar.gz
[apple/xnu.git] / iokit / Kernel / IOUserClient.cpp
diff --git a/iokit/Kernel/IOUserClient.cpp b/iokit/Kernel/IOUserClient.cpp
index 7f2c78d1350a45dfbedfc11ebe50f8416c3326f7..9f3587844c70067f063d0b33023290b3287e823b 100644 (file)
--- a/iokit/Kernel/IOUserClient.cpp
+++ b/iokit/Kernel/IOUserClient.cpp
@@ -1,5 +1,5 @@
 /*
 /*
- * Copyright (c) 1998-2008 Apple Inc. All rights reserved.
+ * Copyright (c) 1998-2014 Apple Inc. All rights reserved.
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
  *
  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
  * 
@@ -37,8 +37,24 @@
 #include <IOKit/IOMemoryDescriptor.h>
 #include <IOKit/IOBufferMemoryDescriptor.h>
 #include <IOKit/IOLib.h>
 #include <IOKit/IOMemoryDescriptor.h>
 #include <IOKit/IOBufferMemoryDescriptor.h>
 #include <IOKit/IOLib.h>
+#include <IOKit/IOStatisticsPrivate.h>
+#include <IOKit/IOTimeStamp.h>
+#include <IOKit/system.h>
 #include <libkern/OSDebug.h>
 #include <sys/proc.h>
 #include <libkern/OSDebug.h>
 #include <sys/proc.h>
+#include <sys/kauth.h>
+#include <sys/codesign.h>
+
+#if CONFIG_MACF
+
+extern "C" {
+#include <security/mac_framework.h>
+};
+#include <sys/kauth.h>
+
+#define IOMACF_LOG 0
+
+#endif /* CONFIG_MACF */
 
 #include <IOKit/assert.h>
 
 
 #include <IOKit/assert.h>
 
@@ -47,7 +63,7 @@
 
 #define SCALAR64(x) ((io_user_scalar_t)((unsigned int)x))
 #define SCALAR32(x) ((uint32_t )x)
 
 #define SCALAR64(x) ((io_user_scalar_t)((unsigned int)x))
 #define SCALAR32(x) ((uint32_t )x)
-#define ARG32(x)    ((void *)SCALAR32(x))
+#define ARG32(x)    ((void *)(uintptr_t)SCALAR32(x))
 #define REF64(x)    ((io_user_reference_t)((UInt64)(x)))
 #define REF32(x)    ((int)(x))
 
 #define REF64(x)    ((io_user_reference_t)((UInt64)(x)))
 #define REF32(x)    ((int)(x))
 
@@ -57,6 +73,32 @@ enum
     kIOUCAsync64Flag = 1ULL
 };
 
     kIOUCAsync64Flag = 1ULL
 };
 
+#if IOKITSTATS
+
+#define IOStatisticsRegisterCounter() \
+do { \
+       reserved->counter = IOStatistics::registerUserClient(this); \
+} while (0)
+
+#define IOStatisticsUnregisterCounter() \
+do { \
+       if (reserved) \
+               IOStatistics::unregisterUserClient(reserved->counter); \
+} while (0)
+
+#define IOStatisticsClientCall() \
+do { \
+       IOStatistics::countUserClientCall(client); \
+} while (0)
+
+#else
+
+#define IOStatisticsRegisterCounter()
+#define IOStatisticsUnregisterCounter()
+#define IOStatisticsClientCall()
+
+#endif /* IOKITSTATS */
+
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 // definitions we should get from osfmk
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 
 // definitions we should get from osfmk
@@ -331,7 +373,6 @@ public:
 };
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
 };
 
 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
-
 extern "C" {
 
 // functions called from osfmk/device/iokit_rpc.c
 extern "C" {
 
 // functions called from osfmk/device/iokit_rpc.c
@@ -383,9 +424,11 @@ iokit_client_died( io_object_t obj, ipc_port_t /* port */,
 
     if( IKOT_IOKIT_CONNECT == type)
     {
 
     if( IKOT_IOKIT_CONNECT == type)
     {
-       if( (client = OSDynamicCast( IOUserClient, obj )))
+       if( (client = OSDynamicCast( IOUserClient, obj ))) {
+               IOStatisticsClientCall();
            client->clientDied();
     }
            client->clientDied();
     }
+    }
     else if( IKOT_IOKIT_OBJECT == type)
     {
        if( (map = OSDynamicCast( IOMemoryMap, obj )))
     else if( IKOT_IOKIT_OBJECT == type)
     {
        if( (map = OSDynamicCast( IOMemoryMap, obj )))
@@ -538,6 +581,9 @@ bool IOServiceUserNotification::init( mach_port_t port, natural_t type,
                                       void * reference, vm_size_t referenceSize,
                                       bool clientIs64 )
 {
                                       void * reference, vm_size_t referenceSize,
                                       bool clientIs64 )
 {
+    if( !super::init())
+        return( false );
+
     newSet = OSArray::withCapacity( 1 );
     if( !newSet)
         return( false );
     newSet = OSArray::withCapacity( 1 );
     if( !newSet)
         return( false );
@@ -563,7 +609,7 @@ bool IOServiceUserNotification::init( mach_port_t port, natural_t type,
     pingMsg->notifyHeader.type = type;
     bcopy( reference, pingMsg->notifyHeader.reference, referenceSize );
 
     pingMsg->notifyHeader.type = type;
     bcopy( reference, pingMsg->notifyHeader.reference, referenceSize );
 
-    return( super::init() );
+    return( true );
 }
 
 void IOServiceUserNotification::free( void )
 }
 
 void IOServiceUserNotification::free( void )
@@ -580,8 +626,12 @@ void IOServiceUserNotification::free( void )
 
     super::free();
 
 
     super::free();
 
-    if( _pingMsg && _msgSize)
-        IOFree( _pingMsg, _msgSize);
+    if( _pingMsg && _msgSize) {
+               if (_pingMsg->msgHdr.msgh_remote_port) {
+                       iokit_release_port_send(_pingMsg->msgHdr.msgh_remote_port);
+               }
+        IOFree(_pingMsg, _msgSize);
+       }
 
     if( _lastEntry)
         _lastEntry->release();
 
     if( _lastEntry)
         _lastEntry->release();
@@ -625,8 +675,10 @@ bool IOServiceUserNotification::handler( void * ref,
        else
             pingMsg->msgHdr.msgh_local_port = NULL;
 
        else
             pingMsg->msgHdr.msgh_local_port = NULL;
 
-        kr = mach_msg_send_from_kernel_proper( &pingMsg->msgHdr,
-                                        pingMsg->msgHdr.msgh_size);
+        kr = mach_msg_send_from_kernel_with_options( &pingMsg->msgHdr,
+                                                    pingMsg->msgHdr.msgh_size,
+                                                    (MACH_SEND_MSG | MACH_SEND_ALWAYS | MACH_SEND_IMPORTANCE),
+                                                    0);
        if( port)
            iokit_release_port( port );
 
        if( port)
            iokit_release_port( port );
 
@@ -673,6 +725,8 @@ bool IOServiceMessageUserNotification::init( mach_port_t port, natural_t type,
                                void * reference, vm_size_t referenceSize, vm_size_t extraSize,
                                bool client64 )
 {
                                void * reference, vm_size_t referenceSize, vm_size_t extraSize,
                                bool client64 )
 {
+    if( !super::init())
+        return( false );
 
     if (referenceSize > sizeof(OSAsyncReference64))
         return( false );
 
     if (referenceSize > sizeof(OSAsyncReference64))
         return( false );
@@ -707,7 +761,7 @@ bool IOServiceMessageUserNotification::init( mach_port_t port, natural_t type,
     pingMsg->notifyHeader.type                 = type;
     bcopy( reference, pingMsg->notifyHeader.reference, referenceSize );
 
     pingMsg->notifyHeader.type                 = type;
     bcopy( reference, pingMsg->notifyHeader.reference, referenceSize );
 
-    return( super::init() );
+    return( true );
 }
 
 void IOServiceMessageUserNotification::free( void )
 }
 
 void IOServiceMessageUserNotification::free( void )
@@ -720,8 +774,12 @@ void IOServiceMessageUserNotification::free( void )
 
     super::free();
 
 
     super::free();
 
-    if( _pingMsg && _msgSize)
+    if( _pingMsg && _msgSize) {
+               if (_pingMsg->msgHdr.msgh_remote_port) {
+                       iokit_release_port_send(_pingMsg->msgHdr.msgh_remote_port);
+               }
         IOFree( _pingMsg, _msgSize);
         IOFree( _pingMsg, _msgSize);
+       }
 }
 
 IOReturn IOServiceMessageUserNotification::_handler( void * target, void * ref,
 }
 
 IOReturn IOServiceMessageUserNotification::_handler( void * target, void * ref,
@@ -744,8 +802,8 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref,
 
     if (kIOMessageCopyClientID == messageType)
     {
 
     if (kIOMessageCopyClientID == messageType)
     {
-       *((void **) messageArgument) = IOCopyLogNameForPID(owningPID);
-       return (kIOReturnSuccess);
+        *((void **) messageArgument) = OSNumber::withNumber(owningPID, 32);
+        return (kIOReturnSuccess);
     }
 
     data->messageType = messageType;
     }
 
     data->messageType = messageType;
@@ -767,6 +825,15 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref,
             argSize = kIOUserNotifyMaxMessageSize;
         bcopy( messageArgument, data->messageArgument, argSize );
     }
             argSize = kIOUserNotifyMaxMessageSize;
         bcopy( messageArgument, data->messageArgument, argSize );
     }
+
+    // adjust message size for ipc restrictions
+    natural_t type;
+    type = pingMsg->notifyHeader.type;
+    type &= ~(kIOKitNoticationMsgSizeMask << kIOKitNoticationTypeSizeAdjShift);
+    type |= ((argSize & kIOKitNoticationMsgSizeMask) << kIOKitNoticationTypeSizeAdjShift);
+    pingMsg->notifyHeader.type = type;
+    argSize = (argSize + kIOKitNoticationMsgSizeMask) & ~kIOKitNoticationMsgSizeMask;
+
     pingMsg->msgHdr.msgh_size = msgSize - pingMsg->notifyHeader.size
         + sizeof( IOServiceInterestContent64 )
         - sizeof( data->messageArgument)
     pingMsg->msgHdr.msgh_size = msgSize - pingMsg->notifyHeader.size
         + sizeof( IOServiceInterestContent64 )
         - sizeof( data->messageArgument)
@@ -776,8 +843,10 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref,
     pingMsg->ports[0].name = providerPort;
     thisPort = iokit_port_for_object( this, IKOT_IOKIT_OBJECT );
     pingMsg->msgHdr.msgh_local_port = thisPort;
     pingMsg->ports[0].name = providerPort;
     thisPort = iokit_port_for_object( this, IKOT_IOKIT_OBJECT );
     pingMsg->msgHdr.msgh_local_port = thisPort;
-    kr = mach_msg_send_from_kernel_proper( &pingMsg->msgHdr,
-                                   pingMsg->msgHdr.msgh_size);
+    kr = mach_msg_send_from_kernel_with_options( &pingMsg->msgHdr,
+                                                pingMsg->msgHdr.msgh_size,
+                                                (MACH_SEND_MSG | MACH_SEND_ALWAYS | MACH_SEND_IMPORTANCE),
+                                                0);
     if( thisPort)
        iokit_release_port( thisPort );
     if( providerPort)
     if( thisPort)
        iokit_release_port( thisPort );
     if( providerPort)
@@ -827,6 +896,16 @@ void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef,
     asyncRef[kIOAsyncCalloutRefconIndex] = refcon;
 }
 
     asyncRef[kIOAsyncCalloutRefconIndex] = refcon;
 }
 
+void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef,
+                                       mach_port_t wakePort,
+                                       mach_vm_address_t callback, io_user_reference_t refcon, task_t task)
+{
+    setAsyncReference64(asyncRef, wakePort, callback, refcon);
+    if (vm_map_is_64bit(get_task_map(task))) {
+            asyncRef[kIOAsyncReservedIndex] |= kIOUCAsync64Flag;
+    }
+}
+
 static OSDictionary * CopyConsoleUser(UInt32 uid)
 {
        OSArray * array;
 static OSDictionary * CopyConsoleUser(UInt32 uid)
 {
        OSArray * array;
@@ -851,6 +930,52 @@ static OSDictionary * CopyConsoleUser(UInt32 uid)
     return user;
 }
 
     return user;
 }
 
+static OSDictionary * CopyUserOnConsole(void)
+{
+    OSArray * array;
+    OSDictionary * user = 0; 
+    
+    if ((array = OSDynamicCast(OSArray,
+       IORegistryEntry::getRegistryRoot()->copyProperty(gIOConsoleUsersKey))))
+    {
+       for (unsigned int idx = 0;
+               (user = OSDynamicCast(OSDictionary, array->getObject(idx)));
+               idx++)
+       {
+           if (kOSBooleanTrue == user->getObject(gIOConsoleSessionOnConsoleKey))
+           {
+               user->retain();
+               break;
+           }
+       }
+       array->release();
+    }
+    return (user);
+}
+
+IOReturn IOUserClient::clientHasAuthorization( task_t task,
+                                               IOService * service )
+{
+    proc_t p;
+    
+    p = (proc_t) get_bsdtask_info(task);
+    if (p)
+    {
+        uint64_t authorizationID;
+
+        authorizationID = proc_uniqueid(p);
+        if (authorizationID)
+        {
+            if (service->getAuthorizationID() == authorizationID)
+            {
+                return (kIOReturnSuccess);
+            }
+        }
+    }
+
+    return (kIOReturnNotPermitted);
+}
+
 IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
                                             const char * privilegeName )
 {
 IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
                                             const char * privilegeName )
 {
@@ -861,12 +986,52 @@ IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
     OSDictionary *          user;
     bool                    secureConsole;
 
     OSDictionary *          user;
     bool                    secureConsole;
 
+
+    if (!strncmp(privilegeName, kIOClientPrivilegeForeground, 
+                sizeof(kIOClientPrivilegeForeground)))
+    {
+       if (task_is_gpu_denied(current_task()))
+               return (kIOReturnNotPrivileged);
+       else
+               return (kIOReturnSuccess);
+    }
+
+    if (!strncmp(privilegeName, kIOClientPrivilegeConsoleSession,
+                                sizeof(kIOClientPrivilegeConsoleSession)))
+    {
+       kauth_cred_t cred;
+       proc_t       p;
+
+        task = (task_t) securityToken;
+       if (!task)
+           task = current_task();
+       p = (proc_t) get_bsdtask_info(task);
+       kr = kIOReturnNotPrivileged;
+
+       if (p && (cred = kauth_cred_proc_ref(p)))
+       {
+           user = CopyUserOnConsole();
+           if (user)
+           {
+               OSNumber * num;
+               if ((num = OSDynamicCast(OSNumber, user->getObject(gIOConsoleSessionAuditIDKey)))
+                 && (cred->cr_audit.as_aia_p->ai_asid == (au_asid_t) num->unsigned32BitValue()))
+               {
+                   kr = kIOReturnSuccess;
+               }
+               user->release();
+           }
+           kauth_cred_unref(&cred);
+       }
+       return (kr);
+    }
+
     if ((secureConsole = !strncmp(privilegeName, kIOClientPrivilegeSecureConsoleProcess,
             sizeof(kIOClientPrivilegeSecureConsoleProcess))))
         task = (task_t)((IOUCProcessToken *)securityToken)->token;
     else
         task = (task_t)securityToken;
     if ((secureConsole = !strncmp(privilegeName, kIOClientPrivilegeSecureConsoleProcess,
             sizeof(kIOClientPrivilegeSecureConsoleProcess))))
         task = (task_t)((IOUCProcessToken *)securityToken)->token;
     else
         task = (task_t)securityToken;
-    
+
     count = TASK_SECURITY_TOKEN_COUNT;
     kr = task_info( task, TASK_SECURITY_TOKEN, (task_info_t) &token, &count );
 
     count = TASK_SECURITY_TOKEN_COUNT;
     kr = task_info( task, TASK_SECURITY_TOKEN, (task_info_t) &token, &count );
 
@@ -904,30 +1069,106 @@ IOReturn IOUserClient::clientHasPrivilege( void * securityToken,
     return (kr);
 }
 
     return (kr);
 }
 
+OSObject * IOUserClient::copyClientEntitlement( task_t task,
+                                                const char * entitlement )
+{
+#define        MAX_ENTITLEMENTS_LEN    (128 * 1024)
+
+       proc_t p = NULL;
+       pid_t pid = 0;
+       char procname[MAXCOMLEN + 1] = "";
+       size_t len = 0;
+       void *entitlements_blob = NULL;
+       char *entitlements_data = NULL;
+       OSObject *entitlements_obj = NULL;
+       OSDictionary *entitlements = NULL;
+       OSString *errorString = NULL;
+       OSObject *value = NULL;
+
+       p = (proc_t)get_bsdtask_info(task);
+       if (p == NULL)
+               goto fail;
+       pid = proc_pid(p);
+       proc_name(pid, procname, (int)sizeof(procname));
+
+       if (cs_entitlements_blob_get(p, &entitlements_blob, &len) != 0)
+               goto fail;
+
+       if (len <= offsetof(CS_GenericBlob, data))
+               goto fail;
+
+       /*
+        * Per <rdar://problem/11593877>, enforce a limit on the amount of XML
+        * we'll try to parse in the kernel.
+        */
+       len -= offsetof(CS_GenericBlob, data);
+       if (len > MAX_ENTITLEMENTS_LEN) {
+               IOLog("failed to parse entitlements for %s[%u]: %lu bytes of entitlements exceeds maximum of %u\n", procname, pid, len, MAX_ENTITLEMENTS_LEN);
+               goto fail;
+       }
+
+       /*
+        * OSUnserializeXML() expects a nul-terminated string, but that isn't
+        * what is stored in the entitlements blob.  Copy the string and
+        * terminate it.
+        */
+       entitlements_data = (char *)IOMalloc(len + 1);
+       if (entitlements_data == NULL)
+               goto fail;
+       memcpy(entitlements_data, ((CS_GenericBlob *)entitlements_blob)->data, len);
+       entitlements_data[len] = '\0';
+
+       entitlements_obj = OSUnserializeXML(entitlements_data, len + 1, &errorString);
+       if (errorString != NULL) {
+               IOLog("failed to parse entitlements for %s[%u]: %s\n", procname, pid, errorString->getCStringNoCopy());
+               goto fail;
+       }
+       if (entitlements_obj == NULL)
+               goto fail;
+
+       entitlements = OSDynamicCast(OSDictionary, entitlements_obj);
+       if (entitlements == NULL)
+               goto fail;
+
+       /* Fetch the entitlement value from the dictionary. */
+       value = entitlements->getObject(entitlement);
+       if (value != NULL)
+               value->retain();
+
+fail:
+       if (entitlements_data != NULL)
+               IOFree(entitlements_data, len + 1);
+       if (entitlements_obj != NULL)
+               entitlements_obj->release();
+       if (errorString != NULL)
+               errorString->release();
+       return value;
+}
+
 bool IOUserClient::init()
 {
 bool IOUserClient::init()
 {
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init();
+       if (getPropertyTable() || super::init())
+               return reserve();
+       
+       return false;
 }
 
 bool IOUserClient::init(OSDictionary * dictionary)
 {
 }
 
 bool IOUserClient::init(OSDictionary * dictionary)
 {
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init(dictionary);
+       if (getPropertyTable() || super::init(dictionary))
+               return reserve();
+       
+       return false;
 }
 
 bool IOUserClient::initWithTask(task_t owningTask,
                                 void * securityID,
                                 UInt32 type )
 }
 
 bool IOUserClient::initWithTask(task_t owningTask,
                                 void * securityID,
                                 UInt32 type )
-{
-    if( getPropertyTable())
-        return true;
-    else
-        return super::init();
+{      
+       if (getPropertyTable() || super::init())
+               return reserve();
+       
+       return false;
 }
 
 bool IOUserClient::initWithTask(task_t owningTask,
 }
 
 bool IOUserClient::initWithTask(task_t owningTask,
@@ -943,11 +1184,30 @@ bool IOUserClient::initWithTask(task_t owningTask,
     return( ok );
 }
 
     return( ok );
 }
 
+bool IOUserClient::reserve()
+{              
+    if(!reserved) {
+       reserved = IONew(ExpansionData, 1);
+       if (!reserved) {
+           return false;
+       }
+    }
+    setTerminateDefer(NULL, true);
+    IOStatisticsRegisterCounter();
+    
+    return true;
+}
+
 void IOUserClient::free()
 {
     if( mappings)
         mappings->release();
 void IOUserClient::free()
 {
     if( mappings)
         mappings->release();
+               
+    IOStatisticsUnregisterCounter();
 
 
+    if (reserved)
+        IODelete(reserved, ExpansionData, 1);
+               
     super::free();
 }
 
     super::free();
 }
 
@@ -1041,7 +1301,6 @@ IOReturn IOUserClient::exportObjectToClient(task_t task,
     mach_port_name_t   name;
 
     name = IOMachPort::makeSendRightForTask( task, obj, IKOT_IOKIT_OBJECT );
     mach_port_name_t   name;
 
     name = IOMachPort::makeSendRightForTask( task, obj, IKOT_IOKIT_OBJECT );
-    assert( name );
 
     *(mach_port_name_t *)clientObj = name;
     return kIOReturnSuccess;
 
     *(mach_port_name_t *)clientObj = name;
     return kIOReturnSuccess;
@@ -1135,8 +1394,20 @@ IOReturn IOUserClient::sendAsyncResult(OSAsyncReference reference,
     return (sendAsyncResult64(reference64, result, args64, numArgs));
 }
 
     return (sendAsyncResult64(reference64, result, args64, numArgs));
 }
 
+IOReturn IOUserClient::sendAsyncResult64WithOptions(OSAsyncReference64 reference,
+                                        IOReturn result, io_user_reference_t args[], UInt32 numArgs, IOOptionBits options)
+{
+       return _sendAsyncResult64(reference, result, args, numArgs, options);
+}
+
 IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference,
                                         IOReturn result, io_user_reference_t args[], UInt32 numArgs)
 IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference,
                                         IOReturn result, io_user_reference_t args[], UInt32 numArgs)
+{
+        return _sendAsyncResult64(reference, result, args, numArgs, 0);
+}
+
+IOReturn IOUserClient::_sendAsyncResult64(OSAsyncReference64 reference,
+                                        IOReturn result, io_user_reference_t args[], UInt32 numArgs, IOOptionBits options)
 {
     struct ReplyMsg
     {
 {
     struct ReplyMsg
     {
@@ -1209,9 +1480,15 @@ IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference,
            replyMsg.m.msg32.args[idx] = REF32(args[idx]);
     }
 
            replyMsg.m.msg32.args[idx] = REF32(args[idx]);
     }
 
-     kr = mach_msg_send_from_kernel_proper( &replyMsg.msgHdr,
-            replyMsg.msgHdr.msgh_size);
-    if( KERN_SUCCESS != kr)
+       if ((options & kIOUserNotifyOptionCanDrop) != 0) { 
+               kr = mach_msg_send_from_kernel_with_options( &replyMsg.msgHdr,
+                                                                                replyMsg.msgHdr.msgh_size, MACH_SEND_TIMEOUT, MACH_MSG_TIMEOUT_NONE);
+       } else {
+               /* Fail on full queue. */
+               kr = mach_msg_send_from_kernel_proper( &replyMsg.msgHdr,
+                                                                                replyMsg.msgHdr.msgh_size);
+       }
+    if ((KERN_SUCCESS != kr) && (MACH_SEND_TIMED_OUT != kr))
         IOLog("%s: mach_msg_send_from_kernel_proper {%x}\n", __FILE__, kr );
     return kr;
 }
         IOLog("%s: mach_msg_send_from_kernel_proper {%x}\n", __FILE__, kr );
     return kr;
 }
@@ -1226,6 +1503,17 @@ extern "C" {
        if( !(out = OSDynamicCast( cls, obj)))  \
            return( kIOReturnBadArgument )
 
        if( !(out = OSDynamicCast( cls, obj)))  \
            return( kIOReturnBadArgument )
 
+/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
+
+/* Routine io_server_version */
+kern_return_t is_io_server_version(
+       mach_port_t master_port,
+       uint64_t *version)
+{
+    *version = IOKIT_SERVER_VERSION;
+    return (kIOReturnSuccess);
+}
+
 /* Routine io_object_get_class */
 kern_return_t is_io_object_get_class(
        io_object_t object,
 /* Routine io_object_get_class */
 kern_return_t is_io_object_get_class(
        io_object_t object,
@@ -1391,11 +1679,12 @@ kern_return_t is_io_iterator_is_valid(
     return( kIOReturnSuccess );
 }
 
     return( kIOReturnSuccess );
 }
 
-/* Routine io_service_match_property_table */
-kern_return_t is_io_service_match_property_table(
+
+static kern_return_t internal_io_service_match_property_table(
        io_service_t _service,
        io_service_t _service,
-       io_string_t matching,
-       boolean_t *matches )
+       const char * matching,
+       mach_msg_type_number_t matching_size,
+       boolean_t *matches)
 {
     CHECK( IOService, _service, service );
 
 {
     CHECK( IOService, _service, service );
 
@@ -1403,8 +1692,8 @@ kern_return_t is_io_service_match_property_table(
     OSObject *         obj;
     OSDictionary *     dict;
 
     OSObject *         obj;
     OSDictionary *     dict;
 
-    obj = OSUnserializeXML( matching );
-
+    obj = matching_size ? OSUnserializeXML(matching, matching_size)
+                       : OSUnserializeXML(matching);
     if( (dict = OSDynamicCast( OSDictionary, obj))) {
         *matches = service->passiveMatch( dict );
        kr = kIOReturnSuccess;
     if( (dict = OSDynamicCast( OSDictionary, obj))) {
         *matches = service->passiveMatch( dict );
        kr = kIOReturnSuccess;
@@ -1417,6 +1706,16 @@ kern_return_t is_io_service_match_property_table(
     return( kr );
 }
 
     return( kr );
 }
 
+/* Routine io_service_match_property_table */
+kern_return_t is_io_service_match_property_table(
+       io_service_t service,
+       io_string_t matching,
+       boolean_t *matches )
+{
+    return (internal_io_service_match_property_table(service, matching, 0, matches));
+}
+
+
 /* Routine io_service_match_property_table_ool */
 kern_return_t is_io_service_match_property_table_ool(
        io_object_t service,
 /* Routine io_service_match_property_table_ool */
 kern_return_t is_io_service_match_property_table_ool(
        io_object_t service,
@@ -1434,18 +1733,28 @@ kern_return_t is_io_service_match_property_table_ool(
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
-       *result = is_io_service_match_property_table( service,
-               (char *) data, matches );
+       *result = internal_io_service_match_property_table(service,
+               (const char *)data, matchingCnt, matches );
        vm_deallocate( kernel_map, data, matchingCnt );
     }
 
     return( kr );
 }
 
        vm_deallocate( kernel_map, data, matchingCnt );
     }
 
     return( kr );
 }
 
-/* Routine io_service_get_matching_services */
-kern_return_t is_io_service_get_matching_services(
+/* Routine io_service_match_property_table_bin */
+kern_return_t is_io_service_match_property_table_bin(
+       io_object_t service,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       boolean_t *matches)
+{
+    return (internal_io_service_match_property_table(service, matching, matchingCnt, matches));
+}
+
+static kern_return_t internal_io_service_get_matching_services(
        mach_port_t master_port,
        mach_port_t master_port,
-       io_string_t matching,
+       const char * matching,
+       mach_msg_type_number_t matching_size,
        io_iterator_t *existing )
 {
     kern_return_t      kr;
        io_iterator_t *existing )
 {
     kern_return_t      kr;
@@ -1455,8 +1764,8 @@ kern_return_t is_io_service_get_matching_services(
     if( master_port != master_device_port)
         return( kIOReturnNotPrivileged);
 
     if( master_port != master_device_port)
         return( kIOReturnNotPrivileged);
 
-    obj = OSUnserializeXML( matching );
-
+    obj = matching_size ? OSUnserializeXML(matching, matching_size)
+                       : OSUnserializeXML(matching);
     if( (dict = OSDynamicCast( OSDictionary, obj))) {
         *existing = IOService::getMatchingServices( dict );
        kr = kIOReturnSuccess;
     if( (dict = OSDynamicCast( OSDictionary, obj))) {
         *existing = IOService::getMatchingServices( dict );
        kr = kIOReturnSuccess;
@@ -1469,6 +1778,15 @@ kern_return_t is_io_service_get_matching_services(
     return( kr );
 }
 
     return( kr );
 }
 
+/* Routine io_service_get_matching_services */
+kern_return_t is_io_service_get_matching_services(
+       mach_port_t master_port,
+       io_string_t matching,
+       io_iterator_t *existing )
+{
+    return (internal_io_service_get_matching_services(master_port, matching, 0, existing));
+}
+
 /* Routine io_service_get_matching_services_ool */
 kern_return_t is_io_service_get_matching_services_ool(
        mach_port_t master_port,
 /* Routine io_service_get_matching_services_ool */
 kern_return_t is_io_service_get_matching_services_ool(
        mach_port_t master_port,
@@ -1486,18 +1804,101 @@ kern_return_t is_io_service_get_matching_services_ool(
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
 
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
-       *result = is_io_service_get_matching_services( master_port,
-                       (char *) data, existing );
+       *result = internal_io_service_get_matching_services(master_port,
+                       (const char *) data, matchingCnt, existing);
+       vm_deallocate( kernel_map, data, matchingCnt );
+    }
+
+    return( kr );
+}
+
+/* Routine io_service_get_matching_services_bin */
+kern_return_t is_io_service_get_matching_services_bin(
+       mach_port_t master_port,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       io_object_t *existing)
+{
+    return (internal_io_service_get_matching_services(master_port, matching, matchingCnt, existing));
+}
+
+
+static kern_return_t internal_io_service_get_matching_service(
+       mach_port_t master_port,
+       const char * matching,
+       mach_msg_type_number_t matching_size,
+       io_service_t *service )
+{
+    kern_return_t      kr;
+    OSObject *         obj;
+    OSDictionary *     dict;
+
+    if( master_port != master_device_port)
+        return( kIOReturnNotPrivileged);
+
+    obj = matching_size ? OSUnserializeXML(matching, matching_size)
+                       : OSUnserializeXML(matching);
+    if( (dict = OSDynamicCast( OSDictionary, obj))) {
+        *service = IOService::copyMatchingService( dict );
+       kr = *service ? kIOReturnSuccess : kIOReturnNotFound;
+    } else
+       kr = kIOReturnBadArgument;
+
+    if( obj)
+        obj->release();
+
+    return( kr );
+}
+
+/* Routine io_service_get_matching_service */
+kern_return_t is_io_service_get_matching_service(
+       mach_port_t master_port,
+       io_string_t matching,
+       io_service_t *service )
+{
+    return (internal_io_service_get_matching_service(master_port, matching, 0, service));
+}
+
+/* Routine io_service_get_matching_services_ool */
+kern_return_t is_io_service_get_matching_service_ool(
+       mach_port_t master_port,
+       io_buf_ptr_t matching,
+       mach_msg_type_number_t matchingCnt,
+       kern_return_t *result,
+       io_object_t *service )
+{
+    kern_return_t      kr;
+    vm_offset_t        data;
+    vm_map_offset_t    map_data;
+
+    kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
+    data = CAST_DOWN(vm_offset_t, map_data);
+
+    if( KERN_SUCCESS == kr) {
+        // must return success after vm_map_copyout() succeeds
+       *result = internal_io_service_get_matching_service(master_port,
+                       (const char *) data, matchingCnt, service );
        vm_deallocate( kernel_map, data, matchingCnt );
     }
 
     return( kr );
 }
 
        vm_deallocate( kernel_map, data, matchingCnt );
     }
 
     return( kr );
 }
 
+/* Routine io_service_get_matching_service_bin */
+kern_return_t is_io_service_get_matching_service_bin(
+       mach_port_t master_port,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       io_object_t *service)
+{
+    return (internal_io_service_get_matching_service(master_port, matching, matchingCnt, service));
+}
+
 static kern_return_t internal_io_service_add_notification(
        mach_port_t master_port,
        io_name_t notification_type,
 static kern_return_t internal_io_service_add_notification(
        mach_port_t master_port,
        io_name_t notification_type,
-       io_string_t matching,
+       const char * matching,
+       size_t matching_size,
        mach_port_t port,
        void * reference,
        vm_size_t referenceSize,
        mach_port_t port,
        void * reference,
        vm_size_t referenceSize,
@@ -1511,7 +1912,6 @@ static kern_return_t internal_io_service_add_notification(
     IOReturn                   err;
     unsigned long int          userMsgType;
 
     IOReturn                   err;
     unsigned long int          userMsgType;
 
-
     if( master_port != master_device_port)
         return( kIOReturnNotPrivileged);
 
     if( master_port != master_device_port)
         return( kIOReturnNotPrivileged);
 
@@ -1521,8 +1921,16 @@ static kern_return_t internal_io_service_add_notification(
         if( !(sym = OSSymbol::withCString( notification_type )))
            err = kIOReturnNoResources;
 
         if( !(sym = OSSymbol::withCString( notification_type )))
            err = kIOReturnNoResources;
 
-        if( !(dict = OSDynamicCast( OSDictionary,
-                    OSUnserializeXML( matching )))) {
+       if (matching_size)
+       {
+            dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching, matching_size));
+       }
+       else
+       {
+           dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching));
+       }
+
+        if (!dict) {
             err = kIOReturnBadArgument;
            continue;
        }
             err = kIOReturnBadArgument;
            continue;
        }
@@ -1542,6 +1950,7 @@ static kern_return_t internal_io_service_add_notification(
 
         if( userNotify && !userNotify->init( port, userMsgType,
                                              reference, referenceSize, client64)) {
 
         if( userNotify && !userNotify->init( port, userMsgType,
                                              reference, referenceSize, client64)) {
+                       iokit_release_port_send(port);
             userNotify->release();
             userNotify = 0;
         }
             userNotify->release();
             userNotify = 0;
         }
@@ -1579,7 +1988,7 @@ kern_return_t is_io_service_add_notification(
        io_object_t * notification )
 {
     return (internal_io_service_add_notification(master_port, notification_type, 
        io_object_t * notification )
 {
     return (internal_io_service_add_notification(master_port, notification_type, 
-               matching, port, &reference[0], sizeof(io_async_ref_t),
+               matching, 0, port, &reference[0], sizeof(io_async_ref_t),
                false, notification));
 }
 
                false, notification));
 }
 
@@ -1594,10 +2003,43 @@ kern_return_t is_io_service_add_notification_64(
        io_object_t *notification )
 {
     return (internal_io_service_add_notification(master_port, notification_type, 
        io_object_t *notification )
 {
     return (internal_io_service_add_notification(master_port, notification_type, 
-               matching, wake_port, &reference[0], sizeof(io_async_ref64_t),
+               matching, 0, wake_port, &reference[0], sizeof(io_async_ref64_t),
                true, notification));
 }
 
                true, notification));
 }
 
+/* Routine io_service_add_notification_bin */
+kern_return_t is_io_service_add_notification_bin
+(
+       mach_port_t master_port,
+       io_name_t notification_type,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       mach_port_t wake_port,
+       io_async_ref_t reference,
+       mach_msg_type_number_t referenceCnt,
+       io_object_t *notification)
+{
+    return (internal_io_service_add_notification(master_port, notification_type, 
+               matching, matchingCnt, wake_port, &reference[0], sizeof(io_async_ref_t),
+               false, notification));
+}
+
+/* Routine io_service_add_notification_bin_64 */
+kern_return_t is_io_service_add_notification_bin_64
+(
+       mach_port_t master_port,
+       io_name_t notification_type,
+       io_struct_inband_t matching,
+       mach_msg_type_number_t matchingCnt,
+       mach_port_t wake_port,
+       io_async_ref64_t reference,
+       mach_msg_type_number_t referenceCnt,
+       io_object_t *notification)
+{
+    return (internal_io_service_add_notification(master_port, notification_type, 
+               matching, matchingCnt, wake_port, &reference[0], sizeof(io_async_ref64_t),
+               true, notification));
+}
 
 static kern_return_t internal_io_service_add_notification_ool(
        mach_port_t master_port,
 
 static kern_return_t internal_io_service_add_notification_ool(
        mach_port_t master_port,
@@ -1621,7 +2063,7 @@ static kern_return_t internal_io_service_add_notification_ool(
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
        *result = internal_io_service_add_notification( master_port, notification_type,
     if( KERN_SUCCESS == kr) {
         // must return success after vm_map_copyout() succeeds
        *result = internal_io_service_add_notification( master_port, notification_type,
-                       (char *) data, wake_port, reference, referenceSize, client64, notification );
+                       (char *) data, matchingCnt, wake_port, reference, referenceSize, client64, notification );
        vm_deallocate( kernel_map, data, matchingCnt );
     }
 
        vm_deallocate( kernel_map, data, matchingCnt );
     }
 
@@ -1703,6 +2145,7 @@ static kern_return_t internal_io_service_add_interest_notification(
                                              reference, referenceSize,
                                             kIOUserNotifyMaxMessageSize,
                                             client64 )) {
                                              reference, referenceSize,
                                             kIOUserNotifyMaxMessageSize,
                                             client64 )) {
+                       iokit_release_port_send(port);
             userNotify->release();
             userNotify = 0;
         }
             userNotify->release();
             userNotify = 0;
         }
@@ -1760,7 +2203,7 @@ kern_return_t is_io_service_acknowledge_notification(
 {
     CHECK( IOService, _service, service );
 
 {
     CHECK( IOService, _service, service );
 
-    return( service->acknowledgeNotification( (IONotificationRef) notify_ref,
+    return( service->acknowledgeNotification( (IONotificationRef)(uintptr_t) notify_ref,
                                               (IOOptionBits) response ));
     
 }
                                               (IOOptionBits) response ));
     
 }
@@ -1773,6 +2216,7 @@ kern_return_t is_io_connect_get_notification_semaphore(
 {
     CHECK( IOUserClient, connection, client );
 
 {
     CHECK( IOUserClient, connection, client );
 
+    IOStatisticsClientCall();
     return( client->getNotificationSemaphore( (UInt32) notification_type,
                                               semaphore ));
 }
     return( client->getNotificationSemaphore( (UInt32) notification_type,
                                               semaphore ));
 }
@@ -1968,7 +2412,7 @@ kern_return_t is_io_registry_entry_get_registry_entry_id(
 // Create a vm_map_copy_t or kalloc'ed data for memory
 // to be copied out. ipc will free after the copyout.
 
 // Create a vm_map_copy_t or kalloc'ed data for memory
 // to be copied out. ipc will free after the copyout.
 
-static kern_return_t copyoutkdata( void * data, vm_size_t len,
+static kern_return_t copyoutkdata( const void * data, vm_size_t len,
                                     io_buf_ptr_t * buf )
 {
     kern_return_t      err;
                                     io_buf_ptr_t * buf )
 {
     kern_return_t      err;
@@ -2003,6 +2447,11 @@ kern_return_t is_io_registry_entry_get_property_bytes(
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
     obj = entry->copyProperty(property_name);
     if( !obj)
         return( kIOReturnNoResources );
     obj = entry->copyProperty(property_name);
     if( !obj)
         return( kIOReturnNoResources );
@@ -2060,6 +2509,11 @@ kern_return_t is_io_registry_entry_get_property(
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
     obj = entry->copyProperty(property_name);
     if( !obj)
         return( kIOReturnNotFound );
     obj = entry->copyProperty(property_name);
     if( !obj)
         return( kIOReturnNotFound );
@@ -2069,7 +2523,6 @@ kern_return_t is_io_registry_entry_get_property(
         obj->release();
        return( kIOReturnNoMemory );
     }
         obj->release();
        return( kIOReturnNoMemory );
     }
-    s->clearText();
 
     if( obj->serialize( s )) {
         len = s->getLength();
 
     if( obj->serialize( s )) {
         len = s->getLength();
@@ -2100,6 +2553,11 @@ kern_return_t is_io_registry_entry_get_property_recursively(
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
     obj = entry->copyProperty( property_name,
                                IORegistryEntry::getPlane( plane ), options);
     if( !obj)
     obj = entry->copyProperty( property_name,
                                IORegistryEntry::getPlane( plane ), options);
     if( !obj)
@@ -2111,8 +2569,6 @@ kern_return_t is_io_registry_entry_get_property_recursively(
        return( kIOReturnNoMemory );
     }
 
        return( kIOReturnNoMemory );
     }
 
-    s->clearText();
-
     if( obj->serialize( s )) {
         len = s->getLength();
         *propertiesCnt = len;
     if( obj->serialize( s )) {
         len = s->getLength();
         *propertiesCnt = len;
@@ -2127,32 +2583,218 @@ kern_return_t is_io_registry_entry_get_property_recursively(
     return( err );
 }
 
     return( err );
 }
 
-/* Routine io_registry_entry_get_properties */
-kern_return_t is_io_registry_entry_get_properties(
-       io_object_t registry_entry,
-       io_buf_ptr_t *properties,
-       mach_msg_type_number_t *propertiesCnt )
+#if CONFIG_MACF
+
+static kern_return_t
+filteredProperties(IORegistryEntry *entry, OSDictionary *properties, OSDictionary **filteredp)
 {
 {
-    kern_return_t      err;
-    vm_size_t          len;
+    kern_return_t      err = 0;
+    OSDictionary       *filtered = NULL;
+    OSCollectionIterator *iter = NULL;
+    OSSymbol           *key;
+    OSObject           *p;
+    kauth_cred_t       cred = kauth_cred_get();
 
 
-    CHECK( IORegistryEntry, registry_entry, entry );
+    if (properties == NULL)
+       return kIOReturnUnsupported;
 
 
-    OSSerialize * s = OSSerialize::withCapacity(4096);
-    if( !s)
-       return( kIOReturnNoMemory );
+    if ((iter = OSCollectionIterator::withCollection(properties)) == NULL ||
+        (filtered = OSDictionary::withCapacity(properties->getCapacity())) == NULL) {
+       err = kIOReturnNoMemory;
+       goto out;
+    }
+
+    while ((p = iter->getNextObject()) != NULL) {
+       if ((key = OSDynamicCast(OSSymbol, p)) == NULL ||
+           mac_iokit_check_get_property(cred, entry, key->getCStringNoCopy()) != 0)
+           continue;
+       filtered->setObject(key, properties->getObject(key));
+    }
+
+out:
+    if (iter != NULL)
+       iter->release();
+    *filteredp = filtered;
+    return err;
+}
+
+#endif
+
+/* Routine io_registry_entry_get_properties */
+kern_return_t is_io_registry_entry_get_properties(
+       io_object_t registry_entry,
+       io_buf_ptr_t *properties,
+       mach_msg_type_number_t *propertiesCnt )
+{
+    kern_return_t      err = 0;
+    vm_size_t          len;
+
+    CHECK( IORegistryEntry, registry_entry, entry );
+
+    OSSerialize * s = OSSerialize::withCapacity(4096);
+    if( !s)
+       return( kIOReturnNoMemory );
+
+    if (!entry->serializeProperties(s))
+       err = kIOReturnUnsupported;
+
+#if CONFIG_MACF
+    if (!err && mac_iokit_check_filter_properties(kauth_cred_get(), entry)) {
+       OSObject *propobj = OSUnserializeXML(s->text(), s->getLength());
+       OSDictionary *filteredprops = NULL;
+       err = filteredProperties(entry, OSDynamicCast(OSDictionary, propobj), &filteredprops);
+       if (propobj) propobj->release();
+
+       if (!err) {
+           s->clearText();
+           if (!filteredprops->serialize(s))
+               err = kIOReturnUnsupported;
+       }
+       if (filteredprops != NULL)
+           filteredprops->release();
+    }
+#endif /* CONFIG_MACF */
+
+    if (!err) {
+       len = s->getLength();
+       *propertiesCnt = len;
+       err = copyoutkdata( s->text(), len, properties );
+    }
+
+    s->release();
+    return( err );
+}
+
+#if CONFIG_MACF
+
+struct GetPropertiesEditorRef
+{
+    kauth_cred_t      cred;
+    IORegistryEntry * entry;
+    OSCollection    * root;
+};
+
+static const OSMetaClassBase *
+GetPropertiesEditor(void                  * reference,
+                                       OSSerialize           * s, 
+                                       OSCollection          * container, 
+                                       const OSSymbol        * name,
+                                       const OSMetaClassBase * value)
+{
+    GetPropertiesEditorRef * ref = (typeof(ref)) reference;
+
+    if (!ref->root) ref->root = container;
+    if (ref->root == container)
+       {
+               if (0 != mac_iokit_check_get_property(ref->cred, ref->entry, name->getCStringNoCopy())) 
+               {
+                       value = 0;
+               }
+       }
+       if (value) value->retain();
+    return (value);
+}
+
+#endif /* CONFIG_MACF */
+
+/* Routine io_registry_entry_get_properties */
+kern_return_t is_io_registry_entry_get_properties_bin(
+       io_object_t registry_entry,
+       io_buf_ptr_t *properties,
+       mach_msg_type_number_t *propertiesCnt)
+{
+    kern_return_t             err = kIOReturnSuccess;
+    vm_size_t                 len;
+    OSSerialize          * s;
+    OSSerialize::Editor    editor = 0;
+    void                 * editRef = 0;
+
+    CHECK(IORegistryEntry, registry_entry, entry);
+
+#if CONFIG_MACF
+    GetPropertiesEditorRef ref;
+    if (mac_iokit_check_filter_properties(kauth_cred_get(), entry))
+    {
+       editor    = &GetPropertiesEditor;
+       editRef   = &ref;
+       ref.cred  = kauth_cred_get();
+       ref.entry = entry;
+       ref.root  = 0;
+    }
+#endif
+
+    s = OSSerialize::binaryWithCapacity(4096, editor, editRef);
+    if (!s) return (kIOReturnNoMemory);
+
+    if (!entry->serializeProperties(s)) err = kIOReturnUnsupported;
+
+    if (kIOReturnSuccess == err)
+    {
+               len = s->getLength();
+               *propertiesCnt = len;
+               err = copyoutkdata(s->text(), len, properties);
+    }
+    s->release();
+
+    return (err);
+}
+
+/* Routine io_registry_entry_get_property_bin */
+kern_return_t is_io_registry_entry_get_property_bin(
+       io_object_t registry_entry,
+       io_name_t plane,
+       io_name_t property_name,
+       uint32_t options,
+       io_buf_ptr_t *properties,
+       mach_msg_type_number_t *propertiesCnt )
+{
+    kern_return_t      err;
+    vm_size_t          len;
+    OSObject *         obj;
+    const OSSymbol *    sym;
+
+    CHECK( IORegistryEntry, registry_entry, entry );
+
+#if CONFIG_MACF
+    if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name))
+        return kIOReturnNotPermitted;
+#endif
+
+    if ((kIORegistryIterateRecursively & options) && plane[0])
+    {
+       obj = entry->copyProperty(property_name,
+                                 IORegistryEntry::getPlane(plane), options);
+    }
+    else
+    {
+       obj = entry->copyProperty(property_name);
+    }
+
+    if( !obj)
+        return( kIOReturnNotFound );
 
 
-    s->clearText();
+    sym = OSSymbol::withCString(property_name);
+    if (sym)
+    {
+        if (gIORemoveOnReadProperties->containsObject(sym)) entry->removeProperty(sym);
+        sym->release();
+    }
 
 
-    if( entry->serializeProperties( s )) {
+    OSSerialize * s = OSSerialize::binaryWithCapacity(4096);
+    if( !s) {
+        obj->release();
+       return( kIOReturnNoMemory );
+    }
+
+    if( obj->serialize( s )) {
         len = s->getLength();
         *propertiesCnt = len;
         err = copyoutkdata( s->text(), len, properties );
 
         len = s->getLength();
         *propertiesCnt = len;
         err = copyoutkdata( s->text(), len, properties );
 
-    } else
-        err = kIOReturnUnsupported;
+    } else err = kIOReturnUnsupported; 
 
     s->release();
 
     s->release();
+    obj->release();
 
     return( err );
 }
 
     return( err );
 }
@@ -2173,20 +2815,34 @@ kern_return_t is_io_registry_entry_set_properties
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
 
     CHECK( IORegistryEntry, registry_entry, entry );
 
+    if( propertiesCnt > sizeof(io_struct_inband_t) * 1024)
+        return( kIOReturnMessageTooLarge);
+
     err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
     data = CAST_DOWN(vm_offset_t, map_data);
 
     if( KERN_SUCCESS == err) {
 
         // must return success after vm_map_copyout() succeeds
     err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
     data = CAST_DOWN(vm_offset_t, map_data);
 
     if( KERN_SUCCESS == err) {
 
         // must return success after vm_map_copyout() succeeds
-        obj = OSUnserializeXML( (const char *) data );
+        obj = OSUnserializeXML( (const char *) data, propertiesCnt );
        vm_deallocate( kernel_map, data, propertiesCnt );
 
        vm_deallocate( kernel_map, data, propertiesCnt );
 
-        if( obj) {
-            res = entry->setProperties( obj );
-            obj->release();
-        } else
-            res = kIOReturnBadArgument;
+       if (!obj)
+           res = kIOReturnBadArgument;
+#if CONFIG_MACF
+       else if (0 != mac_iokit_check_set_properties(kauth_cred_get(),
+           registry_entry, obj))
+       {
+           res = kIOReturnNotPermitted;
+       }
+#endif
+       else
+       {
+           res = entry->setProperties( obj );
+       }
+
+       if (obj)
+           obj->release();
     } else
         res = err;
 
     } else
         res = err;
 
@@ -2276,28 +2932,33 @@ kern_return_t is_io_service_request_probe(
     return( service->requestProbe( options ));
 }
 
     return( service->requestProbe( options ));
 }
 
-
-/* Routine io_service_open */
-kern_return_t is_io_service_open(
+/* Routine io_service_get_authorization_id */
+kern_return_t is_io_service_get_authorization_id(
        io_object_t _service,
        io_object_t _service,
-       task_t owningTask,
-       uint32_t connect_type,
-       io_object_t *connection )
+       uint64_t *authorization_id )
 {
 {
-    IOUserClient       *       client;
-    IOReturn                   err;
+    kern_return_t         kr;
 
     CHECK( IOService, _service, service );
 
 
     CHECK( IOService, _service, service );
 
-    err = service->newUserClient( owningTask, (void *) owningTask,
-               connect_type, 0, &client );
+    kr = IOUserClient::clientHasPrivilege( (void *) current_task(),
+                                            kIOClientPrivilegeAdministrator );
+    if( kIOReturnSuccess != kr)
+        return( kr );
 
 
-    if( err == kIOReturnSuccess) {
-       assert( OSDynamicCast(IOUserClient, client) );
-       *connection = client;
-    }
+    *authorization_id = service->getAuthorizationID();
 
 
-    return( err);
+    return( kr );
+}
+
+/* Routine io_service_set_authorization_id */
+kern_return_t is_io_service_set_authorization_id(
+       io_object_t _service,
+       uint64_t authorization_id )
+{
+    CHECK( IOService, _service, service );
+
+    return( service->setAuthorizationID( authorization_id ) );
 }
 
 /* Routine io_service_open_ndr */
 }
 
 /* Routine io_service_open_ndr */
@@ -2328,13 +2989,16 @@ kern_return_t is_io_service_open_extended(
            vm_offset_t     data;
            vm_map_offset_t map_data;
 
            vm_offset_t     data;
            vm_map_offset_t map_data;
 
+           if( propertiesCnt > sizeof(io_struct_inband_t))
+               return( kIOReturnMessageTooLarge);
+
            err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
            res = err;
            data = CAST_DOWN(vm_offset_t, map_data);
            if (KERN_SUCCESS == err)
            {
                // must return success after vm_map_copyout() succeeds
            err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties );
            res = err;
            data = CAST_DOWN(vm_offset_t, map_data);
            if (KERN_SUCCESS == err)
            {
                // must return success after vm_map_copyout() succeeds
-               obj = OSUnserializeXML( (const char *) data );
+               obj = OSUnserializeXML( (const char *) data, propertiesCnt );
                vm_deallocate( kernel_map, data, propertiesCnt );
                propertiesDict = OSDynamicCast(OSDictionary, obj);
                if (!propertiesDict)
                vm_deallocate( kernel_map, data, propertiesCnt );
                propertiesDict = OSDynamicCast(OSDictionary, obj);
                if (!propertiesDict)
@@ -2375,13 +3039,17 @@ kern_return_t is_io_service_open_extended(
            disallowAccess = (crossEndian
                && (kOSBooleanTrue != service->getProperty(kIOUserClientCrossEndianCompatibleKey))
                && (kOSBooleanTrue != client->getProperty(kIOUserClientCrossEndianCompatibleKey)));
            disallowAccess = (crossEndian
                && (kOSBooleanTrue != service->getProperty(kIOUserClientCrossEndianCompatibleKey))
                && (kOSBooleanTrue != client->getProperty(kIOUserClientCrossEndianCompatibleKey)));
-
-           if (disallowAccess)
+            if (disallowAccess) res = kIOReturnUnsupported;
+#if CONFIG_MACF
+           else if (0 != mac_iokit_check_open(kauth_cred_get(), client, connect_type))
+               res = kIOReturnNotPermitted;
+#endif
+           if (kIOReturnSuccess != res)
            {
            {
+               IOStatisticsClientCall();
                client->clientClose();
                client->release();
                client = 0;
                client->clientClose();
                client->release();
                client = 0;
-               res = kIOReturnUnsupported;
                break;
            }
            client->sharedInstance = (0 != client->getProperty(kIOUserClientSharedInstanceKey));
                break;
            }
            client->sharedInstance = (0 != client->getProperty(kIOUserClientSharedInstanceKey));
@@ -2391,6 +3059,7 @@ kern_return_t is_io_service_open_extended(
                client->setProperty(kIOUserClientCreatorKey, creatorName);
                creatorName->release();
            }
                client->setProperty(kIOUserClientCreatorKey, creatorName);
                creatorName->release();
            }
+           client->setTerminateDefer(service, false);
        }
     }
     while (false);
        }
     }
     while (false);
@@ -2411,6 +3080,7 @@ kern_return_t is_io_service_close(
 
     CHECK( IOUserClient, connection, client );
 
 
     CHECK( IOUserClient, connection, client );
 
+    IOStatisticsClientCall();
     client->clientClose();
 
     return( kIOReturnSuccess );
     client->clientClose();
 
     return( kIOReturnSuccess );
@@ -2443,6 +3113,7 @@ kern_return_t is_io_connect_set_notification_port(
 {
     CHECK( IOUserClient, connection, client );
 
 {
     CHECK( IOUserClient, connection, client );
 
+    IOStatisticsClientCall();
     return( client->registerNotificationPort( port, notification_type,
                                                (io_user_reference_t) reference ));
 }
     return( client->registerNotificationPort( port, notification_type,
                                                (io_user_reference_t) reference ));
 }
@@ -2456,6 +3127,7 @@ kern_return_t is_io_connect_set_notification_port_64(
 {
     CHECK( IOUserClient, connection, client );
 
 {
     CHECK( IOUserClient, connection, client );
 
+    IOStatisticsClientCall();
     return( client->registerNotificationPort( port, notification_type,
                                                reference ));
 }
     return( client->registerNotificationPort( port, notification_type,
                                                reference ));
 }
@@ -2476,6 +3148,7 @@ kern_return_t is_io_connect_map_memory_into_task
 
     CHECK( IOUserClient, connection, client );
 
 
     CHECK( IOUserClient, connection, client );
 
+    IOStatisticsClientCall();
     map = client->mapClientMemory64( memory_type, into_task, flags, *address );
 
     if( map) {
     map = client->mapClientMemory64( memory_type, into_task, flags, *address );
 
     if( map) {
@@ -2490,7 +3163,6 @@ kern_return_t is_io_connect_map_memory_into_task
            mach_port_name_t name __unused =
                IOMachPort::makeSendRightForTask(
                                     into_task, map, IKOT_IOKIT_OBJECT );
            mach_port_name_t name __unused =
                IOMachPort::makeSendRightForTask(
                                     into_task, map, IKOT_IOKIT_OBJECT );
-            assert( name );
 
         } else {
             // keep it with the user client
 
         } else {
             // keep it with the user client
@@ -2515,8 +3187,8 @@ kern_return_t is_io_connect_map_memory(
        io_object_t     connect,
        uint32_t        type,
        task_t          task,
        io_object_t     connect,
        uint32_t        type,
        task_t          task,
-       vm_address_t *  mapAddr,
-       vm_size_t    *  mapSize,
+       uint32_t  *     mapAddr,
+       uint32_t  *     mapSize,
        uint32_t        flags )
 {
     IOReturn         err;
        uint32_t        flags )
 {
     IOReturn         err;
@@ -2534,6 +3206,8 @@ kern_return_t is_io_connect_map_memory(
     return (err);
 }
 
     return (err);
 }
 
+} /* extern "C" */
+
 IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem)
 {
     OSIterator *  iter;
 IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem)
 {
     OSIterator *  iter;
@@ -2561,6 +3235,8 @@ IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem)
     return (map);
 }
 
     return (map);
 }
 
+extern "C" {
+
 /* Routine io_connect_unmap_memory_from_task */
 kern_return_t is_io_connect_unmap_memory_from_task
 (
 /* Routine io_connect_unmap_memory_from_task */
 kern_return_t is_io_connect_unmap_memory_from_task
 (
@@ -2576,6 +3252,7 @@ kern_return_t is_io_connect_unmap_memory_from_task
 
     CHECK( IOUserClient, connection, client );
 
 
     CHECK( IOUserClient, connection, client );
 
+    IOStatisticsClientCall();
     err = client->clientMemoryForType( (UInt32) memory_type, &options, &memory );
 
     if( memory && (kIOReturnSuccess == err)) {
     err = client->clientMemoryForType( (UInt32) memory_type, &options, &memory );
 
     if( memory && (kIOReturnSuccess == err)) {
@@ -2617,7 +3294,7 @@ kern_return_t is_io_connect_unmap_memory(
        io_object_t     connect,
        uint32_t        type,
        task_t          task,
        io_object_t     connect,
        uint32_t        type,
        task_t          task,
-       vm_address_t    mapAddr )
+       uint32_t        mapAddr )
 {
     IOReturn           err;
     mach_vm_address_t   address;
 {
     IOReturn           err;
     mach_vm_address_t   address;
@@ -2638,6 +3315,7 @@ kern_return_t is_io_connect_add_client(
     CHECK( IOUserClient, connection, client );
     CHECK( IOUserClient, connect_to, to );
 
     CHECK( IOUserClient, connection, client );
     CHECK( IOUserClient, connect_to, to );
 
+    IOStatisticsClientCall();
     return( client->connectClient( to ) );
 }
 
     return( client->connectClient( to ) );
 }
 
@@ -2652,9 +3330,8 @@ kern_return_t is_io_connect_set_properties(
     return( is_io_registry_entry_set_properties( connection, properties, propertiesCnt, result ));
 }
 
     return( is_io_registry_entry_set_properties( connection, properties, propertiesCnt, result ));
 }
 
-
 /* Routine io_user_client_method */
 /* Routine io_user_client_method */
-kern_return_t is_io_connect_method
+kern_return_t is_io_connect_method_var_output
 (
        io_connect_t connection,
        uint32_t selector,
 (
        io_connect_t connection,
        uint32_t selector,
@@ -2664,12 +3341,105 @@ kern_return_t is_io_connect_method
        mach_msg_type_number_t inband_inputCnt,
        mach_vm_address_t ool_input,
        mach_vm_size_t ool_input_size,
        mach_msg_type_number_t inband_inputCnt,
        mach_vm_address_t ool_input,
        mach_vm_size_t ool_input_size,
+       io_struct_inband_t inband_output,
+       mach_msg_type_number_t *inband_outputCnt,
        io_scalar_inband64_t scalar_output,
        mach_msg_type_number_t *scalar_outputCnt,
        io_scalar_inband64_t scalar_output,
        mach_msg_type_number_t *scalar_outputCnt,
+       io_buf_ptr_t *var_output,
+       mach_msg_type_number_t *var_outputCnt
+)
+{
+    CHECK( IOUserClient, connection, client );
+
+    IOExternalMethodArguments args;
+    IOReturn ret;
+    IOMemoryDescriptor * inputMD  = 0;
+    OSObject *           structureVariableOutputData = 0;
+
+    bzero(&args.__reserved[0], sizeof(args.__reserved));
+    args.version = kIOExternalMethodArgumentsCurrentVersion;
+
+    args.selector = selector;
+
+    args.asyncWakePort               = MACH_PORT_NULL;
+    args.asyncReference              = 0;
+    args.asyncReferenceCount         = 0;
+    args.structureVariableOutputData = &structureVariableOutputData;
+
+    args.scalarInput = scalar_input;
+    args.scalarInputCount = scalar_inputCnt;
+    args.structureInput = inband_input;
+    args.structureInputSize = inband_inputCnt;
+
+    if (ool_input)
+       inputMD = IOMemoryDescriptor::withAddressRange(ool_input, ool_input_size, 
+                                                   kIODirectionOut, current_task());
+
+    args.structureInputDescriptor = inputMD;
+
+    args.scalarOutput = scalar_output;
+    args.scalarOutputCount = *scalar_outputCnt;
+    bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0]));
+    args.structureOutput = inband_output;
+    args.structureOutputSize = *inband_outputCnt;
+    args.structureOutputDescriptor = NULL;
+    args.structureOutputDescriptorSize = 0;
+
+    IOStatisticsClientCall();
+    ret = client->externalMethod( selector, &args );
+
+    *scalar_outputCnt = args.scalarOutputCount;
+    *inband_outputCnt = args.structureOutputSize;
+
+    if (var_outputCnt && var_output && (kIOReturnSuccess == ret))
+    {
+       OSSerialize * serialize;
+       OSData      * data;
+       vm_size_t     len;
+
+       if ((serialize = OSDynamicCast(OSSerialize, structureVariableOutputData)))
+       {
+           len = serialize->getLength();
+           *var_outputCnt = len;
+           ret = copyoutkdata(serialize->text(), len, var_output);
+       }
+       else if ((data = OSDynamicCast(OSData, structureVariableOutputData)))
+       {
+           len = data->getLength();
+           *var_outputCnt = len;
+           ret = copyoutkdata(data->getBytesNoCopy(), len, var_output);
+       }
+       else
+       {
+           ret = kIOReturnUnderrun;
+       }
+    }
+
+    if (inputMD)
+       inputMD->release();
+    if (structureVariableOutputData)
+       structureVariableOutputData->release();
+
+    return (ret);
+}
+
+/* Routine io_user_client_method */
+kern_return_t is_io_connect_method
+(
+       io_connect_t connection,
+       uint32_t selector,
+       io_scalar_inband64_t scalar_input,
+       mach_msg_type_number_t scalar_inputCnt,
+       io_struct_inband_t inband_input,
+       mach_msg_type_number_t inband_inputCnt,
+       mach_vm_address_t ool_input,
+       mach_vm_size_t ool_input_size,
        io_struct_inband_t inband_output,
        mach_msg_type_number_t *inband_outputCnt,
        io_struct_inband_t inband_output,
        mach_msg_type_number_t *inband_outputCnt,
+       io_scalar_inband64_t scalar_output,
+       mach_msg_type_number_t *scalar_outputCnt,
        mach_vm_address_t ool_output,
        mach_vm_address_t ool_output,
-       mach_vm_size_t * ool_output_size
+       mach_vm_size_t *ool_output_size
 )
 {
     CHECK( IOUserClient, connection, client );
 )
 {
     CHECK( IOUserClient, connection, client );
@@ -2684,9 +3454,10 @@ kern_return_t is_io_connect_method
 
     args.selector = selector;
 
 
     args.selector = selector;
 
-    args.asyncWakePort       = MACH_PORT_NULL;
-    args.asyncReference      = 0;
-    args.asyncReferenceCount = 0;
+    args.asyncWakePort               = MACH_PORT_NULL;
+    args.asyncReference              = 0;
+    args.asyncReferenceCount         = 0;
+    args.structureVariableOutputData = 0;
 
     args.scalarInput = scalar_input;
     args.scalarInputCount = scalar_inputCnt;
 
     args.scalarInput = scalar_input;
     args.scalarInputCount = scalar_inputCnt;
@@ -2701,18 +3472,20 @@ kern_return_t is_io_connect_method
 
     args.scalarOutput = scalar_output;
     args.scalarOutputCount = *scalar_outputCnt;
 
     args.scalarOutput = scalar_output;
     args.scalarOutputCount = *scalar_outputCnt;
+    bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0]));
     args.structureOutput = inband_output;
     args.structureOutputSize = *inband_outputCnt;
 
     args.structureOutput = inband_output;
     args.structureOutputSize = *inband_outputCnt;
 
-    if (ool_output)
+    if (ool_output && ool_output_size)
     {
        outputMD = IOMemoryDescriptor::withAddressRange(ool_output, *ool_output_size, 
                                                    kIODirectionIn, current_task());
     }
 
     args.structureOutputDescriptor = outputMD;
     {
        outputMD = IOMemoryDescriptor::withAddressRange(ool_output, *ool_output_size, 
                                                    kIODirectionIn, current_task());
     }
 
     args.structureOutputDescriptor = outputMD;
-    args.structureOutputDescriptorSize = *ool_output_size;
+    args.structureOutputDescriptorSize = ool_output_size ? *ool_output_size : 0;
 
 
+    IOStatisticsClientCall();
     ret = client->externalMethod( selector, &args );
 
     *scalar_outputCnt = args.scalarOutputCount;
     ret = client->externalMethod( selector, &args );
 
     *scalar_outputCnt = args.scalarOutputCount;
@@ -2741,10 +3514,10 @@ kern_return_t is_io_connect_async_method
        mach_msg_type_number_t inband_inputCnt,
        mach_vm_address_t ool_input,
        mach_vm_size_t ool_input_size,
        mach_msg_type_number_t inband_inputCnt,
        mach_vm_address_t ool_input,
        mach_vm_size_t ool_input_size,
-       io_scalar_inband64_t scalar_output,
-       mach_msg_type_number_t *scalar_outputCnt,
        io_struct_inband_t inband_output,
        mach_msg_type_number_t *inband_outputCnt,
        io_struct_inband_t inband_output,
        mach_msg_type_number_t *inband_outputCnt,
+       io_scalar_inband64_t scalar_output,
+       mach_msg_type_number_t *scalar_outputCnt,
        mach_vm_address_t ool_output,
        mach_vm_size_t * ool_output_size
 )
        mach_vm_address_t ool_output,
        mach_vm_size_t * ool_output_size
 )
@@ -2782,6 +3555,7 @@ kern_return_t is_io_connect_async_method
 
     args.scalarOutput = scalar_output;
     args.scalarOutputCount = *scalar_outputCnt;
 
     args.scalarOutput = scalar_output;
     args.scalarOutputCount = *scalar_outputCnt;
+    bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0]));
     args.structureOutput = inband_output;
     args.structureOutputSize = *inband_outputCnt;
 
     args.structureOutput = inband_output;
     args.structureOutputSize = *inband_outputCnt;
 
@@ -2794,6 +3568,7 @@ kern_return_t is_io_connect_async_method
     args.structureOutputDescriptor = outputMD;
     args.structureOutputDescriptorSize = *ool_output_size;
 
     args.structureOutputDescriptor = outputMD;
     args.structureOutputDescriptorSize = *ool_output_size;
 
+    IOStatisticsClientCall();
     ret = client->externalMethod( selector, &args );
 
     *inband_outputCnt = args.structureOutputSize;
     ret = client->externalMethod( selector, &args );
 
     *inband_outputCnt = args.structureOutputSize;
@@ -2824,6 +3599,7 @@ kern_return_t is_io_connect_method_scalarI_scalarO(
     mach_msg_type_number_t struct_outputCnt = 0;
     mach_vm_size_t ool_output_size = 0;
 
     mach_msg_type_number_t struct_outputCnt = 0;
     mach_vm_size_t ool_output_size = 0;
 
+    bzero(&_output[0], sizeof(_output));
     for (i = 0; i < inputCount; i++)
        _input[i] = SCALAR64(input[i]);
        
     for (i = 0; i < inputCount; i++)
        _input[i] = SCALAR64(input[i]);
        
@@ -2831,8 +3607,8 @@ kern_return_t is_io_connect_method_scalarI_scalarO(
                    _input, inputCount, 
                    NULL, 0,
                    0, 0,
                    _input, inputCount, 
                    NULL, 0,
                    0, 0,
-                   _output, outputCount,
                    NULL, &struct_outputCnt,
                    NULL, &struct_outputCnt,
+                   _output, outputCount,
                    0, &ool_output_size);
 
     for (i = 0; i < *outputCount; i++)
                    0, &ool_output_size);
 
     for (i = 0; i < *outputCount; i++)
@@ -2854,6 +3630,7 @@ kern_return_t shim_io_connect_method_scalarI_scalarO(
     IOReturn           err;
     err = kIOReturnBadArgument;
 
     IOReturn           err;
     err = kIOReturnBadArgument;
 
+    bzero(&_output[0], sizeof(_output));
     do {
 
        if( inputCount != method->count0)
     do {
 
        if( inputCount != method->count0)
@@ -2935,6 +3712,7 @@ kern_return_t is_io_async_method_scalarI_scalarO(
     io_scalar_inband64_t _output;
     io_async_ref64_t _reference;
 
     io_scalar_inband64_t _output;
     io_async_ref64_t _reference;
 
+    bzero(&_output[0], sizeof(_output));
     for (i = 0; i < referenceCnt; i++)
        _reference[i] = REF64(reference[i]);
 
     for (i = 0; i < referenceCnt; i++)
        _reference[i] = REF64(reference[i]);
 
@@ -2950,8 +3728,8 @@ kern_return_t is_io_async_method_scalarI_scalarO(
                    _input, inputCount, 
                    NULL, 0,
                    0, 0,
                    _input, inputCount, 
                    NULL, 0,
                    0, 0,
-                   _output, outputCount,
                    NULL, &struct_outputCnt,
                    NULL, &struct_outputCnt,
+                   _output, outputCount,
                    0, &ool_output_size);
 
     for (i = 0; i < *outputCount; i++)
                    0, &ool_output_size);
 
     for (i = 0; i < *outputCount; i++)
@@ -2990,8 +3768,8 @@ kern_return_t is_io_async_method_scalarI_structureO(
                    _input, inputCount, 
                    NULL, 0,
                    0, 0,
                    _input, inputCount, 
                    NULL, 0,
                    0, 0,
-                   NULL, &scalar_outputCnt,
                    output, outputCount,
                    output, outputCount,
+                   NULL, &scalar_outputCnt,
                    0, &ool_output_size));
 }
 
                    0, &ool_output_size));
 }
 
@@ -3027,8 +3805,8 @@ kern_return_t is_io_async_method_scalarI_structureI(
                    _input, inputCount, 
                    inputStruct, inputStructCount,
                    0, 0,
                    _input, inputCount, 
                    inputStruct, inputStructCount,
                    0, 0,
-                   NULL, &scalar_outputCnt,
                    NULL, &inband_outputCnt,
                    NULL, &inband_outputCnt,
+                   NULL, &scalar_outputCnt,
                    0, &ool_output_size));
 }
 
                    0, &ool_output_size));
 }
 
@@ -3058,8 +3836,8 @@ kern_return_t is_io_async_method_structureI_structureO(
                    NULL, 0, 
                    input, inputCount,
                    0, 0,
                    NULL, 0, 
                    input, inputCount,
                    0, 0,
-                   NULL, &scalar_outputCnt,
                    output, outputCount,
                    output, outputCount,
+                   NULL, &scalar_outputCnt,
                    0, &ool_output_size));
 }
 
                    0, &ool_output_size));
 }
 
@@ -3081,6 +3859,7 @@ kern_return_t shim_io_async_method_scalarI_scalarO(
     IOReturn           err;
     io_async_ref_t     reference;
 
     IOReturn           err;
     io_async_ref_t     reference;
 
+    bzero(&_output[0], sizeof(_output));
     for (i = 0; i < asyncReferenceCount; i++)
        reference[i] = REF32(asyncReference[i]);
 
     for (i = 0; i < asyncReferenceCount; i++)
        reference[i] = REF32(asyncReference[i]);
 
@@ -3178,8 +3957,8 @@ kern_return_t is_io_connect_method_scalarI_structureO(
                    _input, inputCount, 
                    NULL, 0,
                    0, 0,
                    _input, inputCount, 
                    NULL, 0,
                    0, 0,
-                   NULL, &scalar_outputCnt,
                    output, outputCount,
                    output, outputCount,
+                   NULL, &scalar_outputCnt,
                    0, &ool_output_size));
 }
 
                    0, &ool_output_size));
 }
 
@@ -3351,8 +4130,8 @@ kern_return_t is_io_connect_method_scalarI_structureI(
                    _input, inputCount, 
                    inputStruct, inputStructCount,
                    0, 0,
                    _input, inputCount, 
                    inputStruct, inputStructCount,
                    0, 0,
-                   NULL, &scalar_outputCnt,
                    NULL, &inband_outputCnt,
                    NULL, &inband_outputCnt,
+                   NULL, &scalar_outputCnt,
                    0, &ool_output_size));
 }
 
                    0, &ool_output_size));
 }
 
@@ -3394,25 +4173,25 @@ kern_return_t shim_io_connect_method_scalarI_structureI(
            case 4:
                err = (object->*func)( ARG32(input[0]), ARG32(input[1]), (void *)  input[2],
                                        ARG32(input[3]),
            case 4:
                err = (object->*func)( ARG32(input[0]), ARG32(input[1]), (void *)  input[2],
                                        ARG32(input[3]),
-                                       inputStruct, (void *)inputStructCount );
+                                       inputStruct, (void *)(uintptr_t)inputStructCount );
                break;
            case 3:
                err = (object->*func)( ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
                break;
            case 3:
                err = (object->*func)( ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
-                                       inputStruct, (void *)inputStructCount,
+                                       inputStruct, (void *)(uintptr_t)inputStructCount,
                                        0 );
                break;
            case 2:
                err = (object->*func)( ARG32(input[0]), ARG32(input[1]),
                                        0 );
                break;
            case 2:
                err = (object->*func)( ARG32(input[0]), ARG32(input[1]),
-                                       inputStruct, (void *)inputStructCount,
+                                       inputStruct, (void *)(uintptr_t)inputStructCount,
                                        0, 0 );
                break;
            case 1:
                err = (object->*func)( ARG32(input[0]),
                                        0, 0 );
                break;
            case 1:
                err = (object->*func)( ARG32(input[0]),
-                                       inputStruct, (void *)inputStructCount,
+                                       inputStruct, (void *)(uintptr_t)inputStructCount,
                                        0, 0, 0 );
                break;
            case 0:
                                        0, 0, 0 );
                break;
            case 0:
-               err = (object->*func)( inputStruct, (void *)inputStructCount,
+               err = (object->*func)( inputStruct, (void *)(uintptr_t)inputStructCount,
                                        0, 0, 0, 0 );
                break;
 
                                        0, 0, 0, 0 );
                break;
 
@@ -3473,29 +4252,29 @@ kern_return_t shim_io_async_method_scalarI_structureI(
                 err = (object->*func)( reference,
                                         ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
                                         ARG32(input[3]),
                 err = (object->*func)( reference,
                                         ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
                                         ARG32(input[3]),
-                                        inputStruct, (void *)inputStructCount );
+                                        inputStruct, (void *)(uintptr_t)inputStructCount );
                 break;
             case 3:
                 err = (object->*func)( reference,
                                         ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
                 break;
             case 3:
                 err = (object->*func)( reference,
                                         ARG32(input[0]), ARG32(input[1]), ARG32(input[2]),
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0 );
                 break;
             case 2:
                 err = (object->*func)( reference,
                                         ARG32(input[0]), ARG32(input[1]),
                                         0 );
                 break;
             case 2:
                 err = (object->*func)( reference,
                                         ARG32(input[0]), ARG32(input[1]),
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0, 0 );
                 break;
             case 1:
                 err = (object->*func)( reference,
                                         ARG32(input[0]),
                                         0, 0 );
                 break;
             case 1:
                 err = (object->*func)( reference,
                                         ARG32(input[0]),
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0, 0, 0 );
                 break;
             case 0:
                 err = (object->*func)( reference,
                                         0, 0, 0 );
                 break;
             case 0:
                 err = (object->*func)( reference,
-                                        inputStruct, (void *)inputStructCount,
+                                        inputStruct, (void *)(uintptr_t)inputStructCount,
                                         0, 0, 0, 0 );
                 break;
 
                                         0, 0, 0, 0 );
                 break;
 
@@ -3524,8 +4303,8 @@ kern_return_t is_io_connect_method_structureI_structureO(
                    NULL, 0, 
                    input, inputCount,
                    0, 0,
                    NULL, 0, 
                    input, inputCount,
                    0, 0,
-                   NULL, &scalar_outputCnt,
                    output, outputCount,
                    output, outputCount,
+                   NULL, &scalar_outputCnt,
                    0, &ool_output_size));
 }
 
                    0, &ool_output_size));
 }
 
@@ -3560,12 +4339,12 @@ kern_return_t shim_io_connect_method_structureI_structureO(
        if( method->count1) {
            if( method->count0) {
                err = (object->*func)( input, output,
        if( method->count1) {
            if( method->count0) {
                err = (object->*func)( input, output,
-                                       (void *)inputCount, outputCount, 0, 0 );
+                                       (void *)(uintptr_t)inputCount, outputCount, 0, 0 );
            } else {
                err = (object->*func)( output, outputCount, 0, 0, 0, 0 );
            }
        } else {
            } else {
                err = (object->*func)( output, outputCount, 0, 0, 0, 0 );
            }
        } else {
-               err = (object->*func)( input, (void *)inputCount, 0, 0, 0, 0 );
+               err = (object->*func)( input, (void *)(uintptr_t)inputCount, 0, 0, 0, 0 );
        }
     }
     while( false);
        }
     }
     while( false);
@@ -3615,84 +4394,18 @@ kern_return_t shim_io_async_method_structureI_structureO(
             if( method->count0) {
                 err = (object->*func)( reference,
                                        input, output,
             if( method->count0) {
                 err = (object->*func)( reference,
                                        input, output,
-                                        (void *)inputCount, outputCount, 0, 0 );
+                                        (void *)(uintptr_t)inputCount, outputCount, 0, 0 );
             } else {
                 err = (object->*func)( reference,
                                        output, outputCount, 0, 0, 0, 0 );
             }
         } else {
                 err = (object->*func)( reference,
             } else {
                 err = (object->*func)( reference,
                                        output, outputCount, 0, 0, 0, 0 );
             }
         } else {
                 err = (object->*func)( reference,
-                                       input, (void *)inputCount, 0, 0, 0, 0 );
-        }
-    }
-    while( false);
-
-    return( err);
-}
-
-/* Routine io_make_matching */
-kern_return_t is_io_make_matching(
-       mach_port_t         master_port,
-       uint32_t            type,
-       uint32_t                options,
-        io_struct_inband_t     input,
-        mach_msg_type_number_t inputCount,
-       io_string_t     matching )
-{
-    OSSerialize *      s;
-    IOReturn           err = kIOReturnSuccess;
-    OSDictionary *     dict;
-
-    if( master_port != master_device_port)
-        return( kIOReturnNotPrivileged);
-
-    switch( type) {
-
-       case kIOServiceMatching:
-            dict = IOService::serviceMatching( gIOServiceKey );
-           break;
-
-       case kIOBSDNameMatching:
-           dict = IOBSDNameMatching( (const char *) input );
-           break;
-
-       case kIOOFPathMatching:
-           dict = IOOFPathMatching( (const char *) input,
-                                    matching, sizeof( io_string_t));
-           break;
-
-       default:
-           dict = 0;
-    }
-
-    if( !dict)
-       return( kIOReturnUnsupported);
-
-    do {
-        s = OSSerialize::withCapacity(4096);
-        if( !s) {
-            err = kIOReturnNoMemory;
-           continue;
-       }
-        s->clearText();
-        if( !dict->serialize( s )) {
-            err = kIOReturnUnsupported;
-           continue;
+                                       input, (void *)(uintptr_t)inputCount, 0, 0, 0, 0 );
         }
         }
-
-        if( s->getLength() > sizeof( io_string_t)) {
-            err = kIOReturnNoMemory;
-           continue;
-        } else
-            strlcpy(matching, s->text(), sizeof(io_string_t));
     }
     while( false);
 
     }
     while( false);
 
-    if( s)
-       s->release();
-    if( dict)
-       dict->release();
-
     return( err);
 }
 
     return( err);
 }
 
@@ -3724,6 +4437,9 @@ kern_return_t is_io_catalog_send_data(
     if (inData) {
         vm_map_offset_t map_data;
 
     if (inData) {
         vm_map_offset_t map_data;
 
+        if( inDataCount > sizeof(io_struct_inband_t) * 1024)
+            return( kIOReturnMessageTooLarge);
+
         kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t)inData);
                data = CAST_DOWN(vm_offset_t, map_data);
 
         kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t)inData);
                data = CAST_DOWN(vm_offset_t, map_data);
 
@@ -3733,7 +4449,7 @@ kern_return_t is_io_catalog_send_data(
         // must return success after vm_map_copyout() succeeds
 
         if( inDataCount ) {
         // must return success after vm_map_copyout() succeeds
 
         if( inDataCount ) {
-            obj = (OSObject *)OSUnserializeXML((const char *)data);
+            obj = (OSObject *)OSUnserializeXML((const char *)data, inDataCount);
             vm_deallocate( kernel_map, data, inDataCount );
             if( !obj) {
                 *result = kIOReturnNoMemory;
             vm_deallocate( kernel_map, data, inDataCount );
             if( !obj) {
                 *result = kIOReturnNoMemory;
@@ -3743,6 +4459,23 @@ kern_return_t is_io_catalog_send_data(
     }
 
     switch ( flag ) {
     }
 
     switch ( flag ) {
+        case kIOCatalogResetDrivers:
+        case kIOCatalogResetDriversNoMatch: {
+                OSArray * array;
+
+                array = OSDynamicCast(OSArray, obj);
+                if (array) {
+                   if ( !gIOCatalogue->resetAndAddDrivers(array,
+                        flag == kIOCatalogResetDrivers) ) {
+
+                        kr = kIOReturnError;
+                    }
+                } else {
+                    kr = kIOReturnBadArgument;
+                }
+            }
+            break;
+
         case kIOCatalogAddDrivers: 
         case kIOCatalogAddDriversNoMatch: {
                 OSArray * array;
         case kIOCatalogAddDrivers: 
         case kIOCatalogAddDriversNoMatch: {
                 OSArray * array;
@@ -3798,6 +4531,7 @@ kern_return_t is_io_catalog_send_data(
 
         case kIOCatalogKextdActive:
 #if !NO_KEXTD
 
         case kIOCatalogKextdActive:
 #if !NO_KEXTD
+            IOServiceTrace(IOSERVICE_KEXTD_ALIVE, 0, 0, 0, 0);
             OSKext::setKextdActive();
 
            /* Dump all nonloaded startup extensions; kextd will now send them
             OSKext::setKextdActive();
 
            /* Dump all nonloaded startup extensions; kextd will now send them
@@ -3815,6 +4549,7 @@ kern_return_t is_io_catalog_send_data(
                 if (!clearedBusy) {
                     IOService * serviceRoot = IOService::getServiceRoot();
                     if (serviceRoot) {
                 if (!clearedBusy) {
                     IOService * serviceRoot = IOService::getServiceRoot();
                     if (serviceRoot) {
+                        IOServiceTrace(IOSERVICE_KEXTD_READY, 0, 0, 0, 0);
                         serviceRoot->adjustBusy(-1);
                         clearedBusy = true;
                     }
                         serviceRoot->adjustBusy(-1);
                         clearedBusy = true;
                     }
@@ -3852,6 +4587,7 @@ kern_return_t is_io_catalog_terminate(
         return( kr );
 
     switch ( flag ) {
         return( kr );
 
     switch ( flag ) {
+#if !defined(SECURE_KERNEL)
         case kIOCatalogServiceTerminate:
             OSIterator *       iter;
             IOService *                service;
         case kIOCatalogServiceTerminate:
             OSIterator *       iter;
             IOService *                service;
@@ -3881,6 +4617,7 @@ kern_return_t is_io_catalog_terminate(
             kr = gIOCatalogue->terminateDriversForModule(name,
                                         flag == kIOCatalogModuleUnload);
             break;
             kr = gIOCatalogue->terminateDriversForModule(name,
                                         flag == kIOCatalogModuleUnload);
             break;
+#endif
 
         default:
             kr = kIOReturnBadArgument;
 
         default:
             kr = kIOReturnBadArgument;
@@ -3909,8 +4646,6 @@ kern_return_t is_io_catalog_get_data(
     if ( !s )
         return kIOReturnNoMemory;
 
     if ( !s )
         return kIOReturnNoMemory;
 
-    s->clearText();
-
     kr = gIOCatalogue->serializeData(flag, s);
 
     if ( kr == kIOReturnSuccess ) {
     kr = gIOCatalogue->serializeData(flag, s);
 
     if ( kr == kIOReturnSuccess ) {
@@ -4019,6 +4754,8 @@ kern_return_t iokit_user_client_trap(struct iokit_user_client_trap_args *args)
     return result;
 }
 
     return result;
 }
 
+} /* extern "C" */
+
 IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArguments * args,
                                        IOExternalMethodDispatch * dispatch, OSObject * target, void * reference )
 {
 IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArguments * args,
                                        IOExternalMethodDispatch * dispatch, OSObject * target, void * reference )
 {
@@ -4082,6 +4819,12 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
        if( !(method = getAsyncTargetAndMethodForIndex(&object, selector)) )
            return (kIOReturnUnsupported);
 
        if( !(method = getAsyncTargetAndMethodForIndex(&object, selector)) )
            return (kIOReturnUnsupported);
 
+    if (kIOUCForegroundOnly & method->flags)
+    {
+       if (task_is_gpu_denied(current_task()))
+            return (kIOReturnNotPermitted);
+    }
+
        switch (method->flags & kIOUCTypeMask)
        {
            case kIOUCScalarIStructI:
        switch (method->flags & kIOUCTypeMask)
        {
            case kIOUCScalarIStructI:
@@ -4125,6 +4868,12 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
        if( !(method = getTargetAndMethodForIndex(&object, selector)) )
            return (kIOReturnUnsupported);
 
        if( !(method = getTargetAndMethodForIndex(&object, selector)) )
            return (kIOReturnUnsupported);
 
+    if (kIOUCForegroundOnly & method->flags)
+    {
+       if (task_is_gpu_denied(current_task()))
+            return (kIOReturnNotPermitted);
+    }
+
        switch (method->flags & kIOUCTypeMask)
        {
            case kIOUCScalarIStructI:
        switch (method->flags & kIOUCTypeMask)
        {
            case kIOUCScalarIStructI:
@@ -4164,8 +4913,6 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume
 }
 
 
 }
 
 
-};     /* extern "C" */
-
 #if __LP64__
 OSMetaClassDefineReservedUnused(IOUserClient, 0);
 OSMetaClassDefineReservedUnused(IOUserClient, 1);
 #if __LP64__
 OSMetaClassDefineReservedUnused(IOUserClient, 0);
 OSMetaClassDefineReservedUnused(IOUserClient, 1);
mirror of XNU