X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/b0d623f7f2ae71ed96e60569f61f9a9a27016e80..04b8595b18b1b41ac7a206e4b3d51a635f8413d7:/iokit/Kernel/IOUserClient.cpp diff --git a/iokit/Kernel/IOUserClient.cpp b/iokit/Kernel/IOUserClient.cpp index 7f2c78d13..9f3587844 100644 --- a/iokit/Kernel/IOUserClient.cpp +++ b/iokit/Kernel/IOUserClient.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998-2008 Apple Inc. All rights reserved. + * Copyright (c) 1998-2014 Apple Inc. All rights reserved. * * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ * @@ -37,8 +37,24 @@ #include #include #include +#include +#include +#include #include #include +#include +#include + +#if CONFIG_MACF + +extern "C" { +#include +}; +#include + +#define IOMACF_LOG 0 + +#endif /* CONFIG_MACF */ #include @@ -47,7 +63,7 @@ #define SCALAR64(x) ((io_user_scalar_t)((unsigned int)x)) #define SCALAR32(x) ((uint32_t )x) -#define ARG32(x) ((void *)SCALAR32(x)) +#define ARG32(x) ((void *)(uintptr_t)SCALAR32(x)) #define REF64(x) ((io_user_reference_t)((UInt64)(x))) #define REF32(x) ((int)(x)) @@ -57,6 +73,32 @@ enum kIOUCAsync64Flag = 1ULL }; +#if IOKITSTATS + +#define IOStatisticsRegisterCounter() \ +do { \ + reserved->counter = IOStatistics::registerUserClient(this); \ +} while (0) + +#define IOStatisticsUnregisterCounter() \ +do { \ + if (reserved) \ + IOStatistics::unregisterUserClient(reserved->counter); \ +} while (0) + +#define IOStatisticsClientCall() \ +do { \ + IOStatistics::countUserClientCall(client); \ +} while (0) + +#else + +#define IOStatisticsRegisterCounter() +#define IOStatisticsUnregisterCounter() +#define IOStatisticsClientCall() + +#endif /* IOKITSTATS */ + /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ // definitions we should get from osfmk @@ -331,7 +373,6 @@ public: }; /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ - extern "C" { // functions called from osfmk/device/iokit_rpc.c @@ -383,9 +424,11 @@ iokit_client_died( io_object_t obj, ipc_port_t /* port */, if( IKOT_IOKIT_CONNECT == type) { - if( (client = OSDynamicCast( IOUserClient, obj ))) + if( (client = OSDynamicCast( IOUserClient, obj ))) { + IOStatisticsClientCall(); client->clientDied(); } + } else if( IKOT_IOKIT_OBJECT == type) { if( (map = OSDynamicCast( IOMemoryMap, obj ))) @@ -538,6 +581,9 @@ bool IOServiceUserNotification::init( mach_port_t port, natural_t type, void * reference, vm_size_t referenceSize, bool clientIs64 ) { + if( !super::init()) + return( false ); + newSet = OSArray::withCapacity( 1 ); if( !newSet) return( false ); @@ -563,7 +609,7 @@ bool IOServiceUserNotification::init( mach_port_t port, natural_t type, pingMsg->notifyHeader.type = type; bcopy( reference, pingMsg->notifyHeader.reference, referenceSize ); - return( super::init() ); + return( true ); } void IOServiceUserNotification::free( void ) @@ -580,8 +626,12 @@ void IOServiceUserNotification::free( void ) super::free(); - if( _pingMsg && _msgSize) - IOFree( _pingMsg, _msgSize); + if( _pingMsg && _msgSize) { + if (_pingMsg->msgHdr.msgh_remote_port) { + iokit_release_port_send(_pingMsg->msgHdr.msgh_remote_port); + } + IOFree(_pingMsg, _msgSize); + } if( _lastEntry) _lastEntry->release(); @@ -625,8 +675,10 @@ bool IOServiceUserNotification::handler( void * ref, else pingMsg->msgHdr.msgh_local_port = NULL; - kr = mach_msg_send_from_kernel_proper( &pingMsg->msgHdr, - pingMsg->msgHdr.msgh_size); + kr = mach_msg_send_from_kernel_with_options( &pingMsg->msgHdr, + pingMsg->msgHdr.msgh_size, + (MACH_SEND_MSG | MACH_SEND_ALWAYS | MACH_SEND_IMPORTANCE), + 0); if( port) iokit_release_port( port ); @@ -673,6 +725,8 @@ bool IOServiceMessageUserNotification::init( mach_port_t port, natural_t type, void * reference, vm_size_t referenceSize, vm_size_t extraSize, bool client64 ) { + if( !super::init()) + return( false ); if (referenceSize > sizeof(OSAsyncReference64)) return( false ); @@ -707,7 +761,7 @@ bool IOServiceMessageUserNotification::init( mach_port_t port, natural_t type, pingMsg->notifyHeader.type = type; bcopy( reference, pingMsg->notifyHeader.reference, referenceSize ); - return( super::init() ); + return( true ); } void IOServiceMessageUserNotification::free( void ) @@ -720,8 +774,12 @@ void IOServiceMessageUserNotification::free( void ) super::free(); - if( _pingMsg && _msgSize) + if( _pingMsg && _msgSize) { + if (_pingMsg->msgHdr.msgh_remote_port) { + iokit_release_port_send(_pingMsg->msgHdr.msgh_remote_port); + } IOFree( _pingMsg, _msgSize); + } } IOReturn IOServiceMessageUserNotification::_handler( void * target, void * ref, @@ -744,8 +802,8 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref, if (kIOMessageCopyClientID == messageType) { - *((void **) messageArgument) = IOCopyLogNameForPID(owningPID); - return (kIOReturnSuccess); + *((void **) messageArgument) = OSNumber::withNumber(owningPID, 32); + return (kIOReturnSuccess); } data->messageType = messageType; @@ -767,6 +825,15 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref, argSize = kIOUserNotifyMaxMessageSize; bcopy( messageArgument, data->messageArgument, argSize ); } + + // adjust message size for ipc restrictions + natural_t type; + type = pingMsg->notifyHeader.type; + type &= ~(kIOKitNoticationMsgSizeMask << kIOKitNoticationTypeSizeAdjShift); + type |= ((argSize & kIOKitNoticationMsgSizeMask) << kIOKitNoticationTypeSizeAdjShift); + pingMsg->notifyHeader.type = type; + argSize = (argSize + kIOKitNoticationMsgSizeMask) & ~kIOKitNoticationMsgSizeMask; + pingMsg->msgHdr.msgh_size = msgSize - pingMsg->notifyHeader.size + sizeof( IOServiceInterestContent64 ) - sizeof( data->messageArgument) @@ -776,8 +843,10 @@ IOReturn IOServiceMessageUserNotification::handler( void * ref, pingMsg->ports[0].name = providerPort; thisPort = iokit_port_for_object( this, IKOT_IOKIT_OBJECT ); pingMsg->msgHdr.msgh_local_port = thisPort; - kr = mach_msg_send_from_kernel_proper( &pingMsg->msgHdr, - pingMsg->msgHdr.msgh_size); + kr = mach_msg_send_from_kernel_with_options( &pingMsg->msgHdr, + pingMsg->msgHdr.msgh_size, + (MACH_SEND_MSG | MACH_SEND_ALWAYS | MACH_SEND_IMPORTANCE), + 0); if( thisPort) iokit_release_port( thisPort ); if( providerPort) @@ -827,6 +896,16 @@ void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef, asyncRef[kIOAsyncCalloutRefconIndex] = refcon; } +void IOUserClient::setAsyncReference64(OSAsyncReference64 asyncRef, + mach_port_t wakePort, + mach_vm_address_t callback, io_user_reference_t refcon, task_t task) +{ + setAsyncReference64(asyncRef, wakePort, callback, refcon); + if (vm_map_is_64bit(get_task_map(task))) { + asyncRef[kIOAsyncReservedIndex] |= kIOUCAsync64Flag; + } +} + static OSDictionary * CopyConsoleUser(UInt32 uid) { OSArray * array; @@ -851,6 +930,52 @@ static OSDictionary * CopyConsoleUser(UInt32 uid) return user; } +static OSDictionary * CopyUserOnConsole(void) +{ + OSArray * array; + OSDictionary * user = 0; + + if ((array = OSDynamicCast(OSArray, + IORegistryEntry::getRegistryRoot()->copyProperty(gIOConsoleUsersKey)))) + { + for (unsigned int idx = 0; + (user = OSDynamicCast(OSDictionary, array->getObject(idx))); + idx++) + { + if (kOSBooleanTrue == user->getObject(gIOConsoleSessionOnConsoleKey)) + { + user->retain(); + break; + } + } + array->release(); + } + return (user); +} + +IOReturn IOUserClient::clientHasAuthorization( task_t task, + IOService * service ) +{ + proc_t p; + + p = (proc_t) get_bsdtask_info(task); + if (p) + { + uint64_t authorizationID; + + authorizationID = proc_uniqueid(p); + if (authorizationID) + { + if (service->getAuthorizationID() == authorizationID) + { + return (kIOReturnSuccess); + } + } + } + + return (kIOReturnNotPermitted); +} + IOReturn IOUserClient::clientHasPrivilege( void * securityToken, const char * privilegeName ) { @@ -861,12 +986,52 @@ IOReturn IOUserClient::clientHasPrivilege( void * securityToken, OSDictionary * user; bool secureConsole; + + if (!strncmp(privilegeName, kIOClientPrivilegeForeground, + sizeof(kIOClientPrivilegeForeground))) + { + if (task_is_gpu_denied(current_task())) + return (kIOReturnNotPrivileged); + else + return (kIOReturnSuccess); + } + + if (!strncmp(privilegeName, kIOClientPrivilegeConsoleSession, + sizeof(kIOClientPrivilegeConsoleSession))) + { + kauth_cred_t cred; + proc_t p; + + task = (task_t) securityToken; + if (!task) + task = current_task(); + p = (proc_t) get_bsdtask_info(task); + kr = kIOReturnNotPrivileged; + + if (p && (cred = kauth_cred_proc_ref(p))) + { + user = CopyUserOnConsole(); + if (user) + { + OSNumber * num; + if ((num = OSDynamicCast(OSNumber, user->getObject(gIOConsoleSessionAuditIDKey))) + && (cred->cr_audit.as_aia_p->ai_asid == (au_asid_t) num->unsigned32BitValue())) + { + kr = kIOReturnSuccess; + } + user->release(); + } + kauth_cred_unref(&cred); + } + return (kr); + } + if ((secureConsole = !strncmp(privilegeName, kIOClientPrivilegeSecureConsoleProcess, sizeof(kIOClientPrivilegeSecureConsoleProcess)))) task = (task_t)((IOUCProcessToken *)securityToken)->token; else task = (task_t)securityToken; - + count = TASK_SECURITY_TOKEN_COUNT; kr = task_info( task, TASK_SECURITY_TOKEN, (task_info_t) &token, &count ); @@ -904,30 +1069,106 @@ IOReturn IOUserClient::clientHasPrivilege( void * securityToken, return (kr); } +OSObject * IOUserClient::copyClientEntitlement( task_t task, + const char * entitlement ) +{ +#define MAX_ENTITLEMENTS_LEN (128 * 1024) + + proc_t p = NULL; + pid_t pid = 0; + char procname[MAXCOMLEN + 1] = ""; + size_t len = 0; + void *entitlements_blob = NULL; + char *entitlements_data = NULL; + OSObject *entitlements_obj = NULL; + OSDictionary *entitlements = NULL; + OSString *errorString = NULL; + OSObject *value = NULL; + + p = (proc_t)get_bsdtask_info(task); + if (p == NULL) + goto fail; + pid = proc_pid(p); + proc_name(pid, procname, (int)sizeof(procname)); + + if (cs_entitlements_blob_get(p, &entitlements_blob, &len) != 0) + goto fail; + + if (len <= offsetof(CS_GenericBlob, data)) + goto fail; + + /* + * Per , enforce a limit on the amount of XML + * we'll try to parse in the kernel. + */ + len -= offsetof(CS_GenericBlob, data); + if (len > MAX_ENTITLEMENTS_LEN) { + IOLog("failed to parse entitlements for %s[%u]: %lu bytes of entitlements exceeds maximum of %u\n", procname, pid, len, MAX_ENTITLEMENTS_LEN); + goto fail; + } + + /* + * OSUnserializeXML() expects a nul-terminated string, but that isn't + * what is stored in the entitlements blob. Copy the string and + * terminate it. + */ + entitlements_data = (char *)IOMalloc(len + 1); + if (entitlements_data == NULL) + goto fail; + memcpy(entitlements_data, ((CS_GenericBlob *)entitlements_blob)->data, len); + entitlements_data[len] = '\0'; + + entitlements_obj = OSUnserializeXML(entitlements_data, len + 1, &errorString); + if (errorString != NULL) { + IOLog("failed to parse entitlements for %s[%u]: %s\n", procname, pid, errorString->getCStringNoCopy()); + goto fail; + } + if (entitlements_obj == NULL) + goto fail; + + entitlements = OSDynamicCast(OSDictionary, entitlements_obj); + if (entitlements == NULL) + goto fail; + + /* Fetch the entitlement value from the dictionary. */ + value = entitlements->getObject(entitlement); + if (value != NULL) + value->retain(); + +fail: + if (entitlements_data != NULL) + IOFree(entitlements_data, len + 1); + if (entitlements_obj != NULL) + entitlements_obj->release(); + if (errorString != NULL) + errorString->release(); + return value; +} + bool IOUserClient::init() { - if( getPropertyTable()) - return true; - else - return super::init(); + if (getPropertyTable() || super::init()) + return reserve(); + + return false; } bool IOUserClient::init(OSDictionary * dictionary) { - if( getPropertyTable()) - return true; - else - return super::init(dictionary); + if (getPropertyTable() || super::init(dictionary)) + return reserve(); + + return false; } bool IOUserClient::initWithTask(task_t owningTask, void * securityID, UInt32 type ) -{ - if( getPropertyTable()) - return true; - else - return super::init(); +{ + if (getPropertyTable() || super::init()) + return reserve(); + + return false; } bool IOUserClient::initWithTask(task_t owningTask, @@ -943,11 +1184,30 @@ bool IOUserClient::initWithTask(task_t owningTask, return( ok ); } +bool IOUserClient::reserve() +{ + if(!reserved) { + reserved = IONew(ExpansionData, 1); + if (!reserved) { + return false; + } + } + setTerminateDefer(NULL, true); + IOStatisticsRegisterCounter(); + + return true; +} + void IOUserClient::free() { if( mappings) mappings->release(); + + IOStatisticsUnregisterCounter(); + if (reserved) + IODelete(reserved, ExpansionData, 1); + super::free(); } @@ -1041,7 +1301,6 @@ IOReturn IOUserClient::exportObjectToClient(task_t task, mach_port_name_t name; name = IOMachPort::makeSendRightForTask( task, obj, IKOT_IOKIT_OBJECT ); - assert( name ); *(mach_port_name_t *)clientObj = name; return kIOReturnSuccess; @@ -1135,8 +1394,20 @@ IOReturn IOUserClient::sendAsyncResult(OSAsyncReference reference, return (sendAsyncResult64(reference64, result, args64, numArgs)); } +IOReturn IOUserClient::sendAsyncResult64WithOptions(OSAsyncReference64 reference, + IOReturn result, io_user_reference_t args[], UInt32 numArgs, IOOptionBits options) +{ + return _sendAsyncResult64(reference, result, args, numArgs, options); +} + IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference, IOReturn result, io_user_reference_t args[], UInt32 numArgs) +{ + return _sendAsyncResult64(reference, result, args, numArgs, 0); +} + +IOReturn IOUserClient::_sendAsyncResult64(OSAsyncReference64 reference, + IOReturn result, io_user_reference_t args[], UInt32 numArgs, IOOptionBits options) { struct ReplyMsg { @@ -1209,9 +1480,15 @@ IOReturn IOUserClient::sendAsyncResult64(OSAsyncReference64 reference, replyMsg.m.msg32.args[idx] = REF32(args[idx]); } - kr = mach_msg_send_from_kernel_proper( &replyMsg.msgHdr, - replyMsg.msgHdr.msgh_size); - if( KERN_SUCCESS != kr) + if ((options & kIOUserNotifyOptionCanDrop) != 0) { + kr = mach_msg_send_from_kernel_with_options( &replyMsg.msgHdr, + replyMsg.msgHdr.msgh_size, MACH_SEND_TIMEOUT, MACH_MSG_TIMEOUT_NONE); + } else { + /* Fail on full queue. */ + kr = mach_msg_send_from_kernel_proper( &replyMsg.msgHdr, + replyMsg.msgHdr.msgh_size); + } + if ((KERN_SUCCESS != kr) && (MACH_SEND_TIMED_OUT != kr)) IOLog("%s: mach_msg_send_from_kernel_proper {%x}\n", __FILE__, kr ); return kr; } @@ -1226,6 +1503,17 @@ extern "C" { if( !(out = OSDynamicCast( cls, obj))) \ return( kIOReturnBadArgument ) +/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ + +/* Routine io_server_version */ +kern_return_t is_io_server_version( + mach_port_t master_port, + uint64_t *version) +{ + *version = IOKIT_SERVER_VERSION; + return (kIOReturnSuccess); +} + /* Routine io_object_get_class */ kern_return_t is_io_object_get_class( io_object_t object, @@ -1391,11 +1679,12 @@ kern_return_t is_io_iterator_is_valid( return( kIOReturnSuccess ); } -/* Routine io_service_match_property_table */ -kern_return_t is_io_service_match_property_table( + +static kern_return_t internal_io_service_match_property_table( io_service_t _service, - io_string_t matching, - boolean_t *matches ) + const char * matching, + mach_msg_type_number_t matching_size, + boolean_t *matches) { CHECK( IOService, _service, service ); @@ -1403,8 +1692,8 @@ kern_return_t is_io_service_match_property_table( OSObject * obj; OSDictionary * dict; - obj = OSUnserializeXML( matching ); - + obj = matching_size ? OSUnserializeXML(matching, matching_size) + : OSUnserializeXML(matching); if( (dict = OSDynamicCast( OSDictionary, obj))) { *matches = service->passiveMatch( dict ); kr = kIOReturnSuccess; @@ -1417,6 +1706,16 @@ kern_return_t is_io_service_match_property_table( return( kr ); } +/* Routine io_service_match_property_table */ +kern_return_t is_io_service_match_property_table( + io_service_t service, + io_string_t matching, + boolean_t *matches ) +{ + return (internal_io_service_match_property_table(service, matching, 0, matches)); +} + + /* Routine io_service_match_property_table_ool */ kern_return_t is_io_service_match_property_table_ool( io_object_t service, @@ -1434,18 +1733,28 @@ kern_return_t is_io_service_match_property_table_ool( if( KERN_SUCCESS == kr) { // must return success after vm_map_copyout() succeeds - *result = is_io_service_match_property_table( service, - (char *) data, matches ); + *result = internal_io_service_match_property_table(service, + (const char *)data, matchingCnt, matches ); vm_deallocate( kernel_map, data, matchingCnt ); } return( kr ); } -/* Routine io_service_get_matching_services */ -kern_return_t is_io_service_get_matching_services( +/* Routine io_service_match_property_table_bin */ +kern_return_t is_io_service_match_property_table_bin( + io_object_t service, + io_struct_inband_t matching, + mach_msg_type_number_t matchingCnt, + boolean_t *matches) +{ + return (internal_io_service_match_property_table(service, matching, matchingCnt, matches)); +} + +static kern_return_t internal_io_service_get_matching_services( mach_port_t master_port, - io_string_t matching, + const char * matching, + mach_msg_type_number_t matching_size, io_iterator_t *existing ) { kern_return_t kr; @@ -1455,8 +1764,8 @@ kern_return_t is_io_service_get_matching_services( if( master_port != master_device_port) return( kIOReturnNotPrivileged); - obj = OSUnserializeXML( matching ); - + obj = matching_size ? OSUnserializeXML(matching, matching_size) + : OSUnserializeXML(matching); if( (dict = OSDynamicCast( OSDictionary, obj))) { *existing = IOService::getMatchingServices( dict ); kr = kIOReturnSuccess; @@ -1469,6 +1778,15 @@ kern_return_t is_io_service_get_matching_services( return( kr ); } +/* Routine io_service_get_matching_services */ +kern_return_t is_io_service_get_matching_services( + mach_port_t master_port, + io_string_t matching, + io_iterator_t *existing ) +{ + return (internal_io_service_get_matching_services(master_port, matching, 0, existing)); +} + /* Routine io_service_get_matching_services_ool */ kern_return_t is_io_service_get_matching_services_ool( mach_port_t master_port, @@ -1486,18 +1804,101 @@ kern_return_t is_io_service_get_matching_services_ool( if( KERN_SUCCESS == kr) { // must return success after vm_map_copyout() succeeds - *result = is_io_service_get_matching_services( master_port, - (char *) data, existing ); + *result = internal_io_service_get_matching_services(master_port, + (const char *) data, matchingCnt, existing); + vm_deallocate( kernel_map, data, matchingCnt ); + } + + return( kr ); +} + +/* Routine io_service_get_matching_services_bin */ +kern_return_t is_io_service_get_matching_services_bin( + mach_port_t master_port, + io_struct_inband_t matching, + mach_msg_type_number_t matchingCnt, + io_object_t *existing) +{ + return (internal_io_service_get_matching_services(master_port, matching, matchingCnt, existing)); +} + + +static kern_return_t internal_io_service_get_matching_service( + mach_port_t master_port, + const char * matching, + mach_msg_type_number_t matching_size, + io_service_t *service ) +{ + kern_return_t kr; + OSObject * obj; + OSDictionary * dict; + + if( master_port != master_device_port) + return( kIOReturnNotPrivileged); + + obj = matching_size ? OSUnserializeXML(matching, matching_size) + : OSUnserializeXML(matching); + if( (dict = OSDynamicCast( OSDictionary, obj))) { + *service = IOService::copyMatchingService( dict ); + kr = *service ? kIOReturnSuccess : kIOReturnNotFound; + } else + kr = kIOReturnBadArgument; + + if( obj) + obj->release(); + + return( kr ); +} + +/* Routine io_service_get_matching_service */ +kern_return_t is_io_service_get_matching_service( + mach_port_t master_port, + io_string_t matching, + io_service_t *service ) +{ + return (internal_io_service_get_matching_service(master_port, matching, 0, service)); +} + +/* Routine io_service_get_matching_services_ool */ +kern_return_t is_io_service_get_matching_service_ool( + mach_port_t master_port, + io_buf_ptr_t matching, + mach_msg_type_number_t matchingCnt, + kern_return_t *result, + io_object_t *service ) +{ + kern_return_t kr; + vm_offset_t data; + vm_map_offset_t map_data; + + kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching ); + data = CAST_DOWN(vm_offset_t, map_data); + + if( KERN_SUCCESS == kr) { + // must return success after vm_map_copyout() succeeds + *result = internal_io_service_get_matching_service(master_port, + (const char *) data, matchingCnt, service ); vm_deallocate( kernel_map, data, matchingCnt ); } return( kr ); } +/* Routine io_service_get_matching_service_bin */ +kern_return_t is_io_service_get_matching_service_bin( + mach_port_t master_port, + io_struct_inband_t matching, + mach_msg_type_number_t matchingCnt, + io_object_t *service) +{ + return (internal_io_service_get_matching_service(master_port, matching, matchingCnt, service)); +} + static kern_return_t internal_io_service_add_notification( mach_port_t master_port, io_name_t notification_type, - io_string_t matching, + const char * matching, + size_t matching_size, mach_port_t port, void * reference, vm_size_t referenceSize, @@ -1511,7 +1912,6 @@ static kern_return_t internal_io_service_add_notification( IOReturn err; unsigned long int userMsgType; - if( master_port != master_device_port) return( kIOReturnNotPrivileged); @@ -1521,8 +1921,16 @@ static kern_return_t internal_io_service_add_notification( if( !(sym = OSSymbol::withCString( notification_type ))) err = kIOReturnNoResources; - if( !(dict = OSDynamicCast( OSDictionary, - OSUnserializeXML( matching )))) { + if (matching_size) + { + dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching, matching_size)); + } + else + { + dict = OSDynamicCast(OSDictionary, OSUnserializeXML(matching)); + } + + if (!dict) { err = kIOReturnBadArgument; continue; } @@ -1542,6 +1950,7 @@ static kern_return_t internal_io_service_add_notification( if( userNotify && !userNotify->init( port, userMsgType, reference, referenceSize, client64)) { + iokit_release_port_send(port); userNotify->release(); userNotify = 0; } @@ -1579,7 +1988,7 @@ kern_return_t is_io_service_add_notification( io_object_t * notification ) { return (internal_io_service_add_notification(master_port, notification_type, - matching, port, &reference[0], sizeof(io_async_ref_t), + matching, 0, port, &reference[0], sizeof(io_async_ref_t), false, notification)); } @@ -1594,10 +2003,43 @@ kern_return_t is_io_service_add_notification_64( io_object_t *notification ) { return (internal_io_service_add_notification(master_port, notification_type, - matching, wake_port, &reference[0], sizeof(io_async_ref64_t), + matching, 0, wake_port, &reference[0], sizeof(io_async_ref64_t), true, notification)); } +/* Routine io_service_add_notification_bin */ +kern_return_t is_io_service_add_notification_bin +( + mach_port_t master_port, + io_name_t notification_type, + io_struct_inband_t matching, + mach_msg_type_number_t matchingCnt, + mach_port_t wake_port, + io_async_ref_t reference, + mach_msg_type_number_t referenceCnt, + io_object_t *notification) +{ + return (internal_io_service_add_notification(master_port, notification_type, + matching, matchingCnt, wake_port, &reference[0], sizeof(io_async_ref_t), + false, notification)); +} + +/* Routine io_service_add_notification_bin_64 */ +kern_return_t is_io_service_add_notification_bin_64 +( + mach_port_t master_port, + io_name_t notification_type, + io_struct_inband_t matching, + mach_msg_type_number_t matchingCnt, + mach_port_t wake_port, + io_async_ref64_t reference, + mach_msg_type_number_t referenceCnt, + io_object_t *notification) +{ + return (internal_io_service_add_notification(master_port, notification_type, + matching, matchingCnt, wake_port, &reference[0], sizeof(io_async_ref64_t), + true, notification)); +} static kern_return_t internal_io_service_add_notification_ool( mach_port_t master_port, @@ -1621,7 +2063,7 @@ static kern_return_t internal_io_service_add_notification_ool( if( KERN_SUCCESS == kr) { // must return success after vm_map_copyout() succeeds *result = internal_io_service_add_notification( master_port, notification_type, - (char *) data, wake_port, reference, referenceSize, client64, notification ); + (char *) data, matchingCnt, wake_port, reference, referenceSize, client64, notification ); vm_deallocate( kernel_map, data, matchingCnt ); } @@ -1703,6 +2145,7 @@ static kern_return_t internal_io_service_add_interest_notification( reference, referenceSize, kIOUserNotifyMaxMessageSize, client64 )) { + iokit_release_port_send(port); userNotify->release(); userNotify = 0; } @@ -1760,7 +2203,7 @@ kern_return_t is_io_service_acknowledge_notification( { CHECK( IOService, _service, service ); - return( service->acknowledgeNotification( (IONotificationRef) notify_ref, + return( service->acknowledgeNotification( (IONotificationRef)(uintptr_t) notify_ref, (IOOptionBits) response )); } @@ -1773,6 +2216,7 @@ kern_return_t is_io_connect_get_notification_semaphore( { CHECK( IOUserClient, connection, client ); + IOStatisticsClientCall(); return( client->getNotificationSemaphore( (UInt32) notification_type, semaphore )); } @@ -1968,7 +2412,7 @@ kern_return_t is_io_registry_entry_get_registry_entry_id( // Create a vm_map_copy_t or kalloc'ed data for memory // to be copied out. ipc will free after the copyout. -static kern_return_t copyoutkdata( void * data, vm_size_t len, +static kern_return_t copyoutkdata( const void * data, vm_size_t len, io_buf_ptr_t * buf ) { kern_return_t err; @@ -2003,6 +2447,11 @@ kern_return_t is_io_registry_entry_get_property_bytes( CHECK( IORegistryEntry, registry_entry, entry ); +#if CONFIG_MACF + if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name)) + return kIOReturnNotPermitted; +#endif + obj = entry->copyProperty(property_name); if( !obj) return( kIOReturnNoResources ); @@ -2060,6 +2509,11 @@ kern_return_t is_io_registry_entry_get_property( CHECK( IORegistryEntry, registry_entry, entry ); +#if CONFIG_MACF + if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name)) + return kIOReturnNotPermitted; +#endif + obj = entry->copyProperty(property_name); if( !obj) return( kIOReturnNotFound ); @@ -2069,7 +2523,6 @@ kern_return_t is_io_registry_entry_get_property( obj->release(); return( kIOReturnNoMemory ); } - s->clearText(); if( obj->serialize( s )) { len = s->getLength(); @@ -2100,6 +2553,11 @@ kern_return_t is_io_registry_entry_get_property_recursively( CHECK( IORegistryEntry, registry_entry, entry ); +#if CONFIG_MACF + if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name)) + return kIOReturnNotPermitted; +#endif + obj = entry->copyProperty( property_name, IORegistryEntry::getPlane( plane ), options); if( !obj) @@ -2111,8 +2569,6 @@ kern_return_t is_io_registry_entry_get_property_recursively( return( kIOReturnNoMemory ); } - s->clearText(); - if( obj->serialize( s )) { len = s->getLength(); *propertiesCnt = len; @@ -2127,32 +2583,218 @@ kern_return_t is_io_registry_entry_get_property_recursively( return( err ); } -/* Routine io_registry_entry_get_properties */ -kern_return_t is_io_registry_entry_get_properties( - io_object_t registry_entry, - io_buf_ptr_t *properties, - mach_msg_type_number_t *propertiesCnt ) +#if CONFIG_MACF + +static kern_return_t +filteredProperties(IORegistryEntry *entry, OSDictionary *properties, OSDictionary **filteredp) { - kern_return_t err; - vm_size_t len; + kern_return_t err = 0; + OSDictionary *filtered = NULL; + OSCollectionIterator *iter = NULL; + OSSymbol *key; + OSObject *p; + kauth_cred_t cred = kauth_cred_get(); - CHECK( IORegistryEntry, registry_entry, entry ); + if (properties == NULL) + return kIOReturnUnsupported; - OSSerialize * s = OSSerialize::withCapacity(4096); - if( !s) - return( kIOReturnNoMemory ); + if ((iter = OSCollectionIterator::withCollection(properties)) == NULL || + (filtered = OSDictionary::withCapacity(properties->getCapacity())) == NULL) { + err = kIOReturnNoMemory; + goto out; + } + + while ((p = iter->getNextObject()) != NULL) { + if ((key = OSDynamicCast(OSSymbol, p)) == NULL || + mac_iokit_check_get_property(cred, entry, key->getCStringNoCopy()) != 0) + continue; + filtered->setObject(key, properties->getObject(key)); + } + +out: + if (iter != NULL) + iter->release(); + *filteredp = filtered; + return err; +} + +#endif + +/* Routine io_registry_entry_get_properties */ +kern_return_t is_io_registry_entry_get_properties( + io_object_t registry_entry, + io_buf_ptr_t *properties, + mach_msg_type_number_t *propertiesCnt ) +{ + kern_return_t err = 0; + vm_size_t len; + + CHECK( IORegistryEntry, registry_entry, entry ); + + OSSerialize * s = OSSerialize::withCapacity(4096); + if( !s) + return( kIOReturnNoMemory ); + + if (!entry->serializeProperties(s)) + err = kIOReturnUnsupported; + +#if CONFIG_MACF + if (!err && mac_iokit_check_filter_properties(kauth_cred_get(), entry)) { + OSObject *propobj = OSUnserializeXML(s->text(), s->getLength()); + OSDictionary *filteredprops = NULL; + err = filteredProperties(entry, OSDynamicCast(OSDictionary, propobj), &filteredprops); + if (propobj) propobj->release(); + + if (!err) { + s->clearText(); + if (!filteredprops->serialize(s)) + err = kIOReturnUnsupported; + } + if (filteredprops != NULL) + filteredprops->release(); + } +#endif /* CONFIG_MACF */ + + if (!err) { + len = s->getLength(); + *propertiesCnt = len; + err = copyoutkdata( s->text(), len, properties ); + } + + s->release(); + return( err ); +} + +#if CONFIG_MACF + +struct GetPropertiesEditorRef +{ + kauth_cred_t cred; + IORegistryEntry * entry; + OSCollection * root; +}; + +static const OSMetaClassBase * +GetPropertiesEditor(void * reference, + OSSerialize * s, + OSCollection * container, + const OSSymbol * name, + const OSMetaClassBase * value) +{ + GetPropertiesEditorRef * ref = (typeof(ref)) reference; + + if (!ref->root) ref->root = container; + if (ref->root == container) + { + if (0 != mac_iokit_check_get_property(ref->cred, ref->entry, name->getCStringNoCopy())) + { + value = 0; + } + } + if (value) value->retain(); + return (value); +} + +#endif /* CONFIG_MACF */ + +/* Routine io_registry_entry_get_properties */ +kern_return_t is_io_registry_entry_get_properties_bin( + io_object_t registry_entry, + io_buf_ptr_t *properties, + mach_msg_type_number_t *propertiesCnt) +{ + kern_return_t err = kIOReturnSuccess; + vm_size_t len; + OSSerialize * s; + OSSerialize::Editor editor = 0; + void * editRef = 0; + + CHECK(IORegistryEntry, registry_entry, entry); + +#if CONFIG_MACF + GetPropertiesEditorRef ref; + if (mac_iokit_check_filter_properties(kauth_cred_get(), entry)) + { + editor = &GetPropertiesEditor; + editRef = &ref; + ref.cred = kauth_cred_get(); + ref.entry = entry; + ref.root = 0; + } +#endif + + s = OSSerialize::binaryWithCapacity(4096, editor, editRef); + if (!s) return (kIOReturnNoMemory); + + if (!entry->serializeProperties(s)) err = kIOReturnUnsupported; + + if (kIOReturnSuccess == err) + { + len = s->getLength(); + *propertiesCnt = len; + err = copyoutkdata(s->text(), len, properties); + } + s->release(); + + return (err); +} + +/* Routine io_registry_entry_get_property_bin */ +kern_return_t is_io_registry_entry_get_property_bin( + io_object_t registry_entry, + io_name_t plane, + io_name_t property_name, + uint32_t options, + io_buf_ptr_t *properties, + mach_msg_type_number_t *propertiesCnt ) +{ + kern_return_t err; + vm_size_t len; + OSObject * obj; + const OSSymbol * sym; + + CHECK( IORegistryEntry, registry_entry, entry ); + +#if CONFIG_MACF + if (0 != mac_iokit_check_get_property(kauth_cred_get(), entry, property_name)) + return kIOReturnNotPermitted; +#endif + + if ((kIORegistryIterateRecursively & options) && plane[0]) + { + obj = entry->copyProperty(property_name, + IORegistryEntry::getPlane(plane), options); + } + else + { + obj = entry->copyProperty(property_name); + } + + if( !obj) + return( kIOReturnNotFound ); - s->clearText(); + sym = OSSymbol::withCString(property_name); + if (sym) + { + if (gIORemoveOnReadProperties->containsObject(sym)) entry->removeProperty(sym); + sym->release(); + } - if( entry->serializeProperties( s )) { + OSSerialize * s = OSSerialize::binaryWithCapacity(4096); + if( !s) { + obj->release(); + return( kIOReturnNoMemory ); + } + + if( obj->serialize( s )) { len = s->getLength(); *propertiesCnt = len; err = copyoutkdata( s->text(), len, properties ); - } else - err = kIOReturnUnsupported; + } else err = kIOReturnUnsupported; s->release(); + obj->release(); return( err ); } @@ -2173,20 +2815,34 @@ kern_return_t is_io_registry_entry_set_properties CHECK( IORegistryEntry, registry_entry, entry ); + if( propertiesCnt > sizeof(io_struct_inband_t) * 1024) + return( kIOReturnMessageTooLarge); + err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties ); data = CAST_DOWN(vm_offset_t, map_data); if( KERN_SUCCESS == err) { // must return success after vm_map_copyout() succeeds - obj = OSUnserializeXML( (const char *) data ); + obj = OSUnserializeXML( (const char *) data, propertiesCnt ); vm_deallocate( kernel_map, data, propertiesCnt ); - if( obj) { - res = entry->setProperties( obj ); - obj->release(); - } else - res = kIOReturnBadArgument; + if (!obj) + res = kIOReturnBadArgument; +#if CONFIG_MACF + else if (0 != mac_iokit_check_set_properties(kauth_cred_get(), + registry_entry, obj)) + { + res = kIOReturnNotPermitted; + } +#endif + else + { + res = entry->setProperties( obj ); + } + + if (obj) + obj->release(); } else res = err; @@ -2276,28 +2932,33 @@ kern_return_t is_io_service_request_probe( return( service->requestProbe( options )); } - -/* Routine io_service_open */ -kern_return_t is_io_service_open( +/* Routine io_service_get_authorization_id */ +kern_return_t is_io_service_get_authorization_id( io_object_t _service, - task_t owningTask, - uint32_t connect_type, - io_object_t *connection ) + uint64_t *authorization_id ) { - IOUserClient * client; - IOReturn err; + kern_return_t kr; CHECK( IOService, _service, service ); - err = service->newUserClient( owningTask, (void *) owningTask, - connect_type, 0, &client ); + kr = IOUserClient::clientHasPrivilege( (void *) current_task(), + kIOClientPrivilegeAdministrator ); + if( kIOReturnSuccess != kr) + return( kr ); - if( err == kIOReturnSuccess) { - assert( OSDynamicCast(IOUserClient, client) ); - *connection = client; - } + *authorization_id = service->getAuthorizationID(); - return( err); + return( kr ); +} + +/* Routine io_service_set_authorization_id */ +kern_return_t is_io_service_set_authorization_id( + io_object_t _service, + uint64_t authorization_id ) +{ + CHECK( IOService, _service, service ); + + return( service->setAuthorizationID( authorization_id ) ); } /* Routine io_service_open_ndr */ @@ -2328,13 +2989,16 @@ kern_return_t is_io_service_open_extended( vm_offset_t data; vm_map_offset_t map_data; + if( propertiesCnt > sizeof(io_struct_inband_t)) + return( kIOReturnMessageTooLarge); + err = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) properties ); res = err; data = CAST_DOWN(vm_offset_t, map_data); if (KERN_SUCCESS == err) { // must return success after vm_map_copyout() succeeds - obj = OSUnserializeXML( (const char *) data ); + obj = OSUnserializeXML( (const char *) data, propertiesCnt ); vm_deallocate( kernel_map, data, propertiesCnt ); propertiesDict = OSDynamicCast(OSDictionary, obj); if (!propertiesDict) @@ -2375,13 +3039,17 @@ kern_return_t is_io_service_open_extended( disallowAccess = (crossEndian && (kOSBooleanTrue != service->getProperty(kIOUserClientCrossEndianCompatibleKey)) && (kOSBooleanTrue != client->getProperty(kIOUserClientCrossEndianCompatibleKey))); - - if (disallowAccess) + if (disallowAccess) res = kIOReturnUnsupported; +#if CONFIG_MACF + else if (0 != mac_iokit_check_open(kauth_cred_get(), client, connect_type)) + res = kIOReturnNotPermitted; +#endif + if (kIOReturnSuccess != res) { + IOStatisticsClientCall(); client->clientClose(); client->release(); client = 0; - res = kIOReturnUnsupported; break; } client->sharedInstance = (0 != client->getProperty(kIOUserClientSharedInstanceKey)); @@ -2391,6 +3059,7 @@ kern_return_t is_io_service_open_extended( client->setProperty(kIOUserClientCreatorKey, creatorName); creatorName->release(); } + client->setTerminateDefer(service, false); } } while (false); @@ -2411,6 +3080,7 @@ kern_return_t is_io_service_close( CHECK( IOUserClient, connection, client ); + IOStatisticsClientCall(); client->clientClose(); return( kIOReturnSuccess ); @@ -2443,6 +3113,7 @@ kern_return_t is_io_connect_set_notification_port( { CHECK( IOUserClient, connection, client ); + IOStatisticsClientCall(); return( client->registerNotificationPort( port, notification_type, (io_user_reference_t) reference )); } @@ -2456,6 +3127,7 @@ kern_return_t is_io_connect_set_notification_port_64( { CHECK( IOUserClient, connection, client ); + IOStatisticsClientCall(); return( client->registerNotificationPort( port, notification_type, reference )); } @@ -2476,6 +3148,7 @@ kern_return_t is_io_connect_map_memory_into_task CHECK( IOUserClient, connection, client ); + IOStatisticsClientCall(); map = client->mapClientMemory64( memory_type, into_task, flags, *address ); if( map) { @@ -2490,7 +3163,6 @@ kern_return_t is_io_connect_map_memory_into_task mach_port_name_t name __unused = IOMachPort::makeSendRightForTask( into_task, map, IKOT_IOKIT_OBJECT ); - assert( name ); } else { // keep it with the user client @@ -2515,8 +3187,8 @@ kern_return_t is_io_connect_map_memory( io_object_t connect, uint32_t type, task_t task, - vm_address_t * mapAddr, - vm_size_t * mapSize, + uint32_t * mapAddr, + uint32_t * mapSize, uint32_t flags ) { IOReturn err; @@ -2534,6 +3206,8 @@ kern_return_t is_io_connect_map_memory( return (err); } +} /* extern "C" */ + IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem) { OSIterator * iter; @@ -2561,6 +3235,8 @@ IOMemoryMap * IOUserClient::removeMappingForDescriptor(IOMemoryDescriptor * mem) return (map); } +extern "C" { + /* Routine io_connect_unmap_memory_from_task */ kern_return_t is_io_connect_unmap_memory_from_task ( @@ -2576,6 +3252,7 @@ kern_return_t is_io_connect_unmap_memory_from_task CHECK( IOUserClient, connection, client ); + IOStatisticsClientCall(); err = client->clientMemoryForType( (UInt32) memory_type, &options, &memory ); if( memory && (kIOReturnSuccess == err)) { @@ -2617,7 +3294,7 @@ kern_return_t is_io_connect_unmap_memory( io_object_t connect, uint32_t type, task_t task, - vm_address_t mapAddr ) + uint32_t mapAddr ) { IOReturn err; mach_vm_address_t address; @@ -2638,6 +3315,7 @@ kern_return_t is_io_connect_add_client( CHECK( IOUserClient, connection, client ); CHECK( IOUserClient, connect_to, to ); + IOStatisticsClientCall(); return( client->connectClient( to ) ); } @@ -2652,9 +3330,8 @@ kern_return_t is_io_connect_set_properties( return( is_io_registry_entry_set_properties( connection, properties, propertiesCnt, result )); } - /* Routine io_user_client_method */ -kern_return_t is_io_connect_method +kern_return_t is_io_connect_method_var_output ( io_connect_t connection, uint32_t selector, @@ -2664,12 +3341,105 @@ kern_return_t is_io_connect_method mach_msg_type_number_t inband_inputCnt, mach_vm_address_t ool_input, mach_vm_size_t ool_input_size, + io_struct_inband_t inband_output, + mach_msg_type_number_t *inband_outputCnt, io_scalar_inband64_t scalar_output, mach_msg_type_number_t *scalar_outputCnt, + io_buf_ptr_t *var_output, + mach_msg_type_number_t *var_outputCnt +) +{ + CHECK( IOUserClient, connection, client ); + + IOExternalMethodArguments args; + IOReturn ret; + IOMemoryDescriptor * inputMD = 0; + OSObject * structureVariableOutputData = 0; + + bzero(&args.__reserved[0], sizeof(args.__reserved)); + args.version = kIOExternalMethodArgumentsCurrentVersion; + + args.selector = selector; + + args.asyncWakePort = MACH_PORT_NULL; + args.asyncReference = 0; + args.asyncReferenceCount = 0; + args.structureVariableOutputData = &structureVariableOutputData; + + args.scalarInput = scalar_input; + args.scalarInputCount = scalar_inputCnt; + args.structureInput = inband_input; + args.structureInputSize = inband_inputCnt; + + if (ool_input) + inputMD = IOMemoryDescriptor::withAddressRange(ool_input, ool_input_size, + kIODirectionOut, current_task()); + + args.structureInputDescriptor = inputMD; + + args.scalarOutput = scalar_output; + args.scalarOutputCount = *scalar_outputCnt; + bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0])); + args.structureOutput = inband_output; + args.structureOutputSize = *inband_outputCnt; + args.structureOutputDescriptor = NULL; + args.structureOutputDescriptorSize = 0; + + IOStatisticsClientCall(); + ret = client->externalMethod( selector, &args ); + + *scalar_outputCnt = args.scalarOutputCount; + *inband_outputCnt = args.structureOutputSize; + + if (var_outputCnt && var_output && (kIOReturnSuccess == ret)) + { + OSSerialize * serialize; + OSData * data; + vm_size_t len; + + if ((serialize = OSDynamicCast(OSSerialize, structureVariableOutputData))) + { + len = serialize->getLength(); + *var_outputCnt = len; + ret = copyoutkdata(serialize->text(), len, var_output); + } + else if ((data = OSDynamicCast(OSData, structureVariableOutputData))) + { + len = data->getLength(); + *var_outputCnt = len; + ret = copyoutkdata(data->getBytesNoCopy(), len, var_output); + } + else + { + ret = kIOReturnUnderrun; + } + } + + if (inputMD) + inputMD->release(); + if (structureVariableOutputData) + structureVariableOutputData->release(); + + return (ret); +} + +/* Routine io_user_client_method */ +kern_return_t is_io_connect_method +( + io_connect_t connection, + uint32_t selector, + io_scalar_inband64_t scalar_input, + mach_msg_type_number_t scalar_inputCnt, + io_struct_inband_t inband_input, + mach_msg_type_number_t inband_inputCnt, + mach_vm_address_t ool_input, + mach_vm_size_t ool_input_size, io_struct_inband_t inband_output, mach_msg_type_number_t *inband_outputCnt, + io_scalar_inband64_t scalar_output, + mach_msg_type_number_t *scalar_outputCnt, mach_vm_address_t ool_output, - mach_vm_size_t * ool_output_size + mach_vm_size_t *ool_output_size ) { CHECK( IOUserClient, connection, client ); @@ -2684,9 +3454,10 @@ kern_return_t is_io_connect_method args.selector = selector; - args.asyncWakePort = MACH_PORT_NULL; - args.asyncReference = 0; - args.asyncReferenceCount = 0; + args.asyncWakePort = MACH_PORT_NULL; + args.asyncReference = 0; + args.asyncReferenceCount = 0; + args.structureVariableOutputData = 0; args.scalarInput = scalar_input; args.scalarInputCount = scalar_inputCnt; @@ -2701,18 +3472,20 @@ kern_return_t is_io_connect_method args.scalarOutput = scalar_output; args.scalarOutputCount = *scalar_outputCnt; + bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0])); args.structureOutput = inband_output; args.structureOutputSize = *inband_outputCnt; - if (ool_output) + if (ool_output && ool_output_size) { outputMD = IOMemoryDescriptor::withAddressRange(ool_output, *ool_output_size, kIODirectionIn, current_task()); } args.structureOutputDescriptor = outputMD; - args.structureOutputDescriptorSize = *ool_output_size; + args.structureOutputDescriptorSize = ool_output_size ? *ool_output_size : 0; + IOStatisticsClientCall(); ret = client->externalMethod( selector, &args ); *scalar_outputCnt = args.scalarOutputCount; @@ -2741,10 +3514,10 @@ kern_return_t is_io_connect_async_method mach_msg_type_number_t inband_inputCnt, mach_vm_address_t ool_input, mach_vm_size_t ool_input_size, - io_scalar_inband64_t scalar_output, - mach_msg_type_number_t *scalar_outputCnt, io_struct_inband_t inband_output, mach_msg_type_number_t *inband_outputCnt, + io_scalar_inband64_t scalar_output, + mach_msg_type_number_t *scalar_outputCnt, mach_vm_address_t ool_output, mach_vm_size_t * ool_output_size ) @@ -2782,6 +3555,7 @@ kern_return_t is_io_connect_async_method args.scalarOutput = scalar_output; args.scalarOutputCount = *scalar_outputCnt; + bzero(&scalar_output[0], *scalar_outputCnt * sizeof(scalar_output[0])); args.structureOutput = inband_output; args.structureOutputSize = *inband_outputCnt; @@ -2794,6 +3568,7 @@ kern_return_t is_io_connect_async_method args.structureOutputDescriptor = outputMD; args.structureOutputDescriptorSize = *ool_output_size; + IOStatisticsClientCall(); ret = client->externalMethod( selector, &args ); *inband_outputCnt = args.structureOutputSize; @@ -2824,6 +3599,7 @@ kern_return_t is_io_connect_method_scalarI_scalarO( mach_msg_type_number_t struct_outputCnt = 0; mach_vm_size_t ool_output_size = 0; + bzero(&_output[0], sizeof(_output)); for (i = 0; i < inputCount; i++) _input[i] = SCALAR64(input[i]); @@ -2831,8 +3607,8 @@ kern_return_t is_io_connect_method_scalarI_scalarO( _input, inputCount, NULL, 0, 0, 0, - _output, outputCount, NULL, &struct_outputCnt, + _output, outputCount, 0, &ool_output_size); for (i = 0; i < *outputCount; i++) @@ -2854,6 +3630,7 @@ kern_return_t shim_io_connect_method_scalarI_scalarO( IOReturn err; err = kIOReturnBadArgument; + bzero(&_output[0], sizeof(_output)); do { if( inputCount != method->count0) @@ -2935,6 +3712,7 @@ kern_return_t is_io_async_method_scalarI_scalarO( io_scalar_inband64_t _output; io_async_ref64_t _reference; + bzero(&_output[0], sizeof(_output)); for (i = 0; i < referenceCnt; i++) _reference[i] = REF64(reference[i]); @@ -2950,8 +3728,8 @@ kern_return_t is_io_async_method_scalarI_scalarO( _input, inputCount, NULL, 0, 0, 0, - _output, outputCount, NULL, &struct_outputCnt, + _output, outputCount, 0, &ool_output_size); for (i = 0; i < *outputCount; i++) @@ -2990,8 +3768,8 @@ kern_return_t is_io_async_method_scalarI_structureO( _input, inputCount, NULL, 0, 0, 0, - NULL, &scalar_outputCnt, output, outputCount, + NULL, &scalar_outputCnt, 0, &ool_output_size)); } @@ -3027,8 +3805,8 @@ kern_return_t is_io_async_method_scalarI_structureI( _input, inputCount, inputStruct, inputStructCount, 0, 0, - NULL, &scalar_outputCnt, NULL, &inband_outputCnt, + NULL, &scalar_outputCnt, 0, &ool_output_size)); } @@ -3058,8 +3836,8 @@ kern_return_t is_io_async_method_structureI_structureO( NULL, 0, input, inputCount, 0, 0, - NULL, &scalar_outputCnt, output, outputCount, + NULL, &scalar_outputCnt, 0, &ool_output_size)); } @@ -3081,6 +3859,7 @@ kern_return_t shim_io_async_method_scalarI_scalarO( IOReturn err; io_async_ref_t reference; + bzero(&_output[0], sizeof(_output)); for (i = 0; i < asyncReferenceCount; i++) reference[i] = REF32(asyncReference[i]); @@ -3178,8 +3957,8 @@ kern_return_t is_io_connect_method_scalarI_structureO( _input, inputCount, NULL, 0, 0, 0, - NULL, &scalar_outputCnt, output, outputCount, + NULL, &scalar_outputCnt, 0, &ool_output_size)); } @@ -3351,8 +4130,8 @@ kern_return_t is_io_connect_method_scalarI_structureI( _input, inputCount, inputStruct, inputStructCount, 0, 0, - NULL, &scalar_outputCnt, NULL, &inband_outputCnt, + NULL, &scalar_outputCnt, 0, &ool_output_size)); } @@ -3394,25 +4173,25 @@ kern_return_t shim_io_connect_method_scalarI_structureI( case 4: err = (object->*func)( ARG32(input[0]), ARG32(input[1]), (void *) input[2], ARG32(input[3]), - inputStruct, (void *)inputStructCount ); + inputStruct, (void *)(uintptr_t)inputStructCount ); break; case 3: err = (object->*func)( ARG32(input[0]), ARG32(input[1]), ARG32(input[2]), - inputStruct, (void *)inputStructCount, + inputStruct, (void *)(uintptr_t)inputStructCount, 0 ); break; case 2: err = (object->*func)( ARG32(input[0]), ARG32(input[1]), - inputStruct, (void *)inputStructCount, + inputStruct, (void *)(uintptr_t)inputStructCount, 0, 0 ); break; case 1: err = (object->*func)( ARG32(input[0]), - inputStruct, (void *)inputStructCount, + inputStruct, (void *)(uintptr_t)inputStructCount, 0, 0, 0 ); break; case 0: - err = (object->*func)( inputStruct, (void *)inputStructCount, + err = (object->*func)( inputStruct, (void *)(uintptr_t)inputStructCount, 0, 0, 0, 0 ); break; @@ -3473,29 +4252,29 @@ kern_return_t shim_io_async_method_scalarI_structureI( err = (object->*func)( reference, ARG32(input[0]), ARG32(input[1]), ARG32(input[2]), ARG32(input[3]), - inputStruct, (void *)inputStructCount ); + inputStruct, (void *)(uintptr_t)inputStructCount ); break; case 3: err = (object->*func)( reference, ARG32(input[0]), ARG32(input[1]), ARG32(input[2]), - inputStruct, (void *)inputStructCount, + inputStruct, (void *)(uintptr_t)inputStructCount, 0 ); break; case 2: err = (object->*func)( reference, ARG32(input[0]), ARG32(input[1]), - inputStruct, (void *)inputStructCount, + inputStruct, (void *)(uintptr_t)inputStructCount, 0, 0 ); break; case 1: err = (object->*func)( reference, ARG32(input[0]), - inputStruct, (void *)inputStructCount, + inputStruct, (void *)(uintptr_t)inputStructCount, 0, 0, 0 ); break; case 0: err = (object->*func)( reference, - inputStruct, (void *)inputStructCount, + inputStruct, (void *)(uintptr_t)inputStructCount, 0, 0, 0, 0 ); break; @@ -3524,8 +4303,8 @@ kern_return_t is_io_connect_method_structureI_structureO( NULL, 0, input, inputCount, 0, 0, - NULL, &scalar_outputCnt, output, outputCount, + NULL, &scalar_outputCnt, 0, &ool_output_size)); } @@ -3560,12 +4339,12 @@ kern_return_t shim_io_connect_method_structureI_structureO( if( method->count1) { if( method->count0) { err = (object->*func)( input, output, - (void *)inputCount, outputCount, 0, 0 ); + (void *)(uintptr_t)inputCount, outputCount, 0, 0 ); } else { err = (object->*func)( output, outputCount, 0, 0, 0, 0 ); } } else { - err = (object->*func)( input, (void *)inputCount, 0, 0, 0, 0 ); + err = (object->*func)( input, (void *)(uintptr_t)inputCount, 0, 0, 0, 0 ); } } while( false); @@ -3615,84 +4394,18 @@ kern_return_t shim_io_async_method_structureI_structureO( if( method->count0) { err = (object->*func)( reference, input, output, - (void *)inputCount, outputCount, 0, 0 ); + (void *)(uintptr_t)inputCount, outputCount, 0, 0 ); } else { err = (object->*func)( reference, output, outputCount, 0, 0, 0, 0 ); } } else { err = (object->*func)( reference, - input, (void *)inputCount, 0, 0, 0, 0 ); - } - } - while( false); - - return( err); -} - -/* Routine io_make_matching */ -kern_return_t is_io_make_matching( - mach_port_t master_port, - uint32_t type, - uint32_t options, - io_struct_inband_t input, - mach_msg_type_number_t inputCount, - io_string_t matching ) -{ - OSSerialize * s; - IOReturn err = kIOReturnSuccess; - OSDictionary * dict; - - if( master_port != master_device_port) - return( kIOReturnNotPrivileged); - - switch( type) { - - case kIOServiceMatching: - dict = IOService::serviceMatching( gIOServiceKey ); - break; - - case kIOBSDNameMatching: - dict = IOBSDNameMatching( (const char *) input ); - break; - - case kIOOFPathMatching: - dict = IOOFPathMatching( (const char *) input, - matching, sizeof( io_string_t)); - break; - - default: - dict = 0; - } - - if( !dict) - return( kIOReturnUnsupported); - - do { - s = OSSerialize::withCapacity(4096); - if( !s) { - err = kIOReturnNoMemory; - continue; - } - s->clearText(); - if( !dict->serialize( s )) { - err = kIOReturnUnsupported; - continue; + input, (void *)(uintptr_t)inputCount, 0, 0, 0, 0 ); } - - if( s->getLength() > sizeof( io_string_t)) { - err = kIOReturnNoMemory; - continue; - } else - strlcpy(matching, s->text(), sizeof(io_string_t)); } while( false); - if( s) - s->release(); - if( dict) - dict->release(); - return( err); } @@ -3724,6 +4437,9 @@ kern_return_t is_io_catalog_send_data( if (inData) { vm_map_offset_t map_data; + if( inDataCount > sizeof(io_struct_inband_t) * 1024) + return( kIOReturnMessageTooLarge); + kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t)inData); data = CAST_DOWN(vm_offset_t, map_data); @@ -3733,7 +4449,7 @@ kern_return_t is_io_catalog_send_data( // must return success after vm_map_copyout() succeeds if( inDataCount ) { - obj = (OSObject *)OSUnserializeXML((const char *)data); + obj = (OSObject *)OSUnserializeXML((const char *)data, inDataCount); vm_deallocate( kernel_map, data, inDataCount ); if( !obj) { *result = kIOReturnNoMemory; @@ -3743,6 +4459,23 @@ kern_return_t is_io_catalog_send_data( } switch ( flag ) { + case kIOCatalogResetDrivers: + case kIOCatalogResetDriversNoMatch: { + OSArray * array; + + array = OSDynamicCast(OSArray, obj); + if (array) { + if ( !gIOCatalogue->resetAndAddDrivers(array, + flag == kIOCatalogResetDrivers) ) { + + kr = kIOReturnError; + } + } else { + kr = kIOReturnBadArgument; + } + } + break; + case kIOCatalogAddDrivers: case kIOCatalogAddDriversNoMatch: { OSArray * array; @@ -3798,6 +4531,7 @@ kern_return_t is_io_catalog_send_data( case kIOCatalogKextdActive: #if !NO_KEXTD + IOServiceTrace(IOSERVICE_KEXTD_ALIVE, 0, 0, 0, 0); OSKext::setKextdActive(); /* Dump all nonloaded startup extensions; kextd will now send them @@ -3815,6 +4549,7 @@ kern_return_t is_io_catalog_send_data( if (!clearedBusy) { IOService * serviceRoot = IOService::getServiceRoot(); if (serviceRoot) { + IOServiceTrace(IOSERVICE_KEXTD_READY, 0, 0, 0, 0); serviceRoot->adjustBusy(-1); clearedBusy = true; } @@ -3852,6 +4587,7 @@ kern_return_t is_io_catalog_terminate( return( kr ); switch ( flag ) { +#if !defined(SECURE_KERNEL) case kIOCatalogServiceTerminate: OSIterator * iter; IOService * service; @@ -3881,6 +4617,7 @@ kern_return_t is_io_catalog_terminate( kr = gIOCatalogue->terminateDriversForModule(name, flag == kIOCatalogModuleUnload); break; +#endif default: kr = kIOReturnBadArgument; @@ -3909,8 +4646,6 @@ kern_return_t is_io_catalog_get_data( if ( !s ) return kIOReturnNoMemory; - s->clearText(); - kr = gIOCatalogue->serializeData(flag, s); if ( kr == kIOReturnSuccess ) { @@ -4019,6 +4754,8 @@ kern_return_t iokit_user_client_trap(struct iokit_user_client_trap_args *args) return result; } +} /* extern "C" */ + IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArguments * args, IOExternalMethodDispatch * dispatch, OSObject * target, void * reference ) { @@ -4082,6 +4819,12 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume if( !(method = getAsyncTargetAndMethodForIndex(&object, selector)) ) return (kIOReturnUnsupported); + if (kIOUCForegroundOnly & method->flags) + { + if (task_is_gpu_denied(current_task())) + return (kIOReturnNotPermitted); + } + switch (method->flags & kIOUCTypeMask) { case kIOUCScalarIStructI: @@ -4125,6 +4868,12 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume if( !(method = getTargetAndMethodForIndex(&object, selector)) ) return (kIOReturnUnsupported); + if (kIOUCForegroundOnly & method->flags) + { + if (task_is_gpu_denied(current_task())) + return (kIOReturnNotPermitted); + } + switch (method->flags & kIOUCTypeMask) { case kIOUCScalarIStructI: @@ -4164,8 +4913,6 @@ IOReturn IOUserClient::externalMethod( uint32_t selector, IOExternalMethodArgume } -}; /* extern "C" */ - #if __LP64__ OSMetaClassDefineReservedUnused(IOUserClient, 0); OSMetaClassDefineReservedUnused(IOUserClient, 1);