1 /*
2 * Copyright (c) 2000-2016 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*
29 * @OSF_COPYRIGHT@
30 */
31 /*
32 * Mach Operating System
33 * Copyright (c) 1991,1990,1989 Carnegie Mellon University
34 * All Rights Reserved.
35 *
36 * Permission to use, copy, modify and distribute this software and its
37 * documentation is hereby granted, provided that both the copyright
38 * notice and this permission notice appear in all copies of the
39 * software, derivative works or modified versions, and any portions
40 * thereof, and that both notices appear in supporting documentation.
41 *
42 * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
43 * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
44 * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
45 *
46 * Carnegie Mellon requests users of this software to return to
47 *
48 * Software Distribution Coordinator or [email protected]
49 * School of Computer Science
50 * Carnegie Mellon University
51 * Pittsburgh PA 15213-3890
52 *
53 * any improvements or extensions that they make and grant Carnegie Mellon
54 * the rights to redistribute these changes.
55 */
56 /*
57 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
58 * support for mandatory and extensible security protections. This notice
59 * is included in support of clause 2.2 (b) of the Apple Public License,
60 * Version 2.0.
61 */
62 /*
63 */
64 /*
65 * File: ipc/ipc_space.h
66 * Author: Rich Draves
67 * Date: 1989
68 *
69 * Definitions for IPC spaces of capabilities.
70 */
71
72 #ifndef _IPC_IPC_SPACE_H_
73 #define _IPC_IPC_SPACE_H_
74
75 #include <mach/mach_types.h>
76 #include <mach/boolean.h>
77 #include <mach/kern_return.h>
78 #include <mach/vm_types.h>
79
80 #include <sys/appleapiopts.h>
81
82 #ifdef MACH_KERNEL_PRIVATE
83 #include <ptrauth.h>
84 #include <kern/smr.h>
85 #include <ipc/ipc_entry.h>
86 #include <ipc/ipc_types.h>
87
88 #include <os/refcnt.h>
89 #endif
90
91 __BEGIN_DECLS
92
93 #ifdef MACH_KERNEL_PRIVATE
94
95 /*
96 * Every task has a space of IPC capabilities.
97 * IPC operations like send and receive use this space.
98 * IPC kernel calls manipulate the space of the target task.
99 *
* Every active space has a non-NULL is_table with is_table[0].ie_size entries
* (see is_active below: a NULL is_table marks a terminated space).
101 *
102 * Only one thread can be growing the space at a time. Others
103 * that need it grown wait for the first. We do almost all the
104 * work with the space unlocked, so lookups proceed pretty much
105 * unaffected while the grow operation is underway.
106 */
107
typedef natural_t ipc_space_refs_t;
#define IS_ENTROPY_CNT 1 /* per-space entropy pool size */

/*
 * Number of low-order bits of is_bits set aside for the IS_* flag values
 * below; presumably the remaining bits carry the space reference count
 * (see os/refcnt.h) -- confirm there.  Every flag value (0x01..0x20) must
 * fit in IS_FLAGS_BITS bits, and the flags must only be touched through
 * is_bits_set / is_bits_clear / is_bits_test so the count is never clobbered.
 */
#define IS_FLAGS_BITS 6
#if CONFIG_PROC_RESOURCE_LIMITS
#define IS_ABOVE_SOFT_LIMIT_NOTIFY 0x01 /* space has hit the soft limit */
#define IS_ABOVE_HARD_LIMIT_NOTIFY 0x02 /* space has hit the hard limit */
#define IS_SOFT_LIMIT_NOTIFIED 0x04 /* Sent soft limit notification */
#define IS_HARD_LIMIT_NOTIFIED 0x08 /* Sent hard limit notification */
#endif /* CONFIG_PROC_RESOURCE_LIMITS */
#define IS_AT_MAX_LIMIT_NOTIFY 0x10 /* space has hit the max limit */
#define IS_AT_MAX_LIMIT_NOTIFIED 0x20 /* sent max limit notification */
120
121 /* is_telemetry flags */
/*
 * is_telemetry flags.  Each bit records that one kind of telemetry event has
 * already been emitted for this space, so each kind fires at most once per
 * space (the field is _Atomic; see struct ipc_space).
 */
__options_decl(is_telemetry_t, uint8_t, {
	IS_HAS_BOOTSTRAP_PORT_TELEMETRY = 0x01, /* space has emitted a bootstrap port telemetry */
	IS_HAS_CREATE_PRP_TELEMETRY = 0x02, /* space has emitted a create provisional reply port telemetry */
	IS_HAS_SERVICE_PORT_TELEMETRY = 0x04, /* space has emitted a service port telemetry */
	IS_HAS_MOVE_PRP_TELEMETRY = 0x08, /* space has emitted a move provisional reply port telemetry */
});
128
/*
 * Per-task IPC capability space.
 *
 * Fields that need integrity protection are PAC-signed: is_table via
 * XNU_PTRAUTH_SIGNED_PTR, and is_policy by hand through
 * ipc_space_set_policy()/ipc_space_policy() with a discriminator blended
 * with the field's own address, so a signed word lifted from one space
 * does not authenticate in another.  is_bits is shared between the
 * reference count and the IS_* flag bits and must be updated atomically.
 */
struct ipc_space {
	lck_ticket_t is_lock;           /* single ticket lock; is_read_lock and is_write_lock both take it */
	os_ref_atomic_t is_bits;        /* holds refs plus IS_* flag bits; is_active/is_growing are derived from is_table/is_grower below, not from here */
	ipc_entry_num_t is_table_hashed;/* count of hashed elements */
	ipc_entry_num_t is_table_free;  /* count of free elements */
	unsigned int is_entropy[IS_ENTROPY_CNT]; /* pool of entropy taken from RNG */
	struct bool_gen is_prng;        /* per-space PRNG state (presumably behind ipc_space_rand_freelist -- confirm) */
	SMR_POINTER(ipc_entry_table_t XNU_PTRAUTH_SIGNED_PTR("ipc_space.is_table")) is_table; /* an array of entries; NULL once the space is no longer active */
	task_t XNU_PTRAUTH_SIGNED_PTR("ipc_space.is_task") is_task; /* associated task */
	unsigned long is_policy;        /* manually dPACed ipc_space_policy_t: only read/written via ipc_space_policy()/ipc_space_set_policy(), never copied raw */
	thread_t is_grower;             /* thread growing the space; THREAD_NULL when no grow is in progress */
	ipc_label_t is_label;           /* [private] mandatory access label */
	ipc_entry_num_t is_low_mod;     /* lowest modified entry during growth */
	ipc_entry_num_t is_high_mod;    /* highest modified entry during growth */
#if CONFIG_PROC_RESOURCE_LIMITS
	ipc_entry_num_t is_table_size_soft_limit; /* resource_notify is sent when the table size hits this limit */
	ipc_entry_num_t is_table_size_hard_limit; /* same as soft limit except the task is killed soon after data collection */
#endif /* CONFIG_PROC_RESOURCE_LIMITS */
	_Atomic is_telemetry_t is_telemetry; /* rate limit each type of telemetry to once per space */
};
149
/* Null values for the full and the inspect-only space handles. */
#define IS_NULL ((ipc_space_t) 0)
#define IS_INSPECT_NULL ((ipc_space_inspect_t) 0)
152
/*
 * Discriminator used to sign/authenticate is_policy.
 *
 * A constant string hash is blended with the address of the is_policy
 * field itself, so the resulting signature is valid only for that slot of
 * that space: a signed word copied from another ipc_space (or from a stale
 * allocation at a different address) fails authentication.
 */
static inline uintptr_t
ipc_space_policy_discriminator(ipc_space_t is)
{
	uint16_t salt = ptrauth_string_discriminator("ipc_space.is_policy");

	return ptrauth_blend_discriminator(&is->is_policy, salt);
}
160
/*
 * Read the space's policy, authenticating the PAC-signed word stored in
 * is_policy.
 *
 * The word is snapshotted once and the authenticate runs on the copy.  On
 * pointer-authentication targets a word that was not signed for this exact
 * field by ipc_space_set_policy() fails the check (trap or poisoned value,
 * per the ptrauth configuration); on other targets the ptrauth_* calls
 * presumably reduce to plain casts and the raw value is returned.
 */
static inline ipc_space_policy_t
ipc_space_policy(ipc_space_t is)
{
	unsigned long sealed = is->is_policy;
	void *raw = __unsafe_forge_single(void *, sealed);

	raw = ptrauth_auth_data(raw,
	    ptrauth_key_process_independent_data,
	    ipc_space_policy_discriminator(is));

	return (ipc_space_policy_t)(unsigned long)raw;
}
171
/*
 * Store the space's policy as a PAC-signed word in is_policy.
 *
 * ptrauth_sign_unauthenticated is appropriate here because the input is a
 * plain integer (an ipc_space_policy_t), not a previously signed pointer,
 * so there is nothing to authenticate first.  Readers must go through
 * ipc_space_policy(); the raw word is meaningless outside this field.
 */
static inline void
ipc_space_set_policy(ipc_space_t is, ipc_space_policy_t policy)
{
	void *raw = (void *)(unsigned long)policy;
	void *sealed = ptrauth_sign_unauthenticated(raw,
	    ptrauth_key_process_independent_data,
	    ipc_space_policy_discriminator(is));

	is->is_policy = (unsigned long)sealed;
}
180
/*
 * Atomically set `bit` in is_bits.
 *
 * Returns true only when this call made the transition (the bit was clear
 * before), so callers can use it as a one-shot latch.  Relaxed ordering:
 * the flag carries no payload that other memory depends on.
 */
static inline bool
is_bits_set(ipc_space_t is, uint32_t bit)
{
	bool already_set = (os_atomic_or_orig(&is->is_bits, bit, relaxed) & bit) != 0;

	return !already_set;
}
186
/*
 * Atomically clear `bit` in is_bits.
 *
 * Returns true only when this call made the transition (the bit was set
 * before).  Relaxed ordering, same as is_bits_set.
 */
static inline bool
is_bits_clear(ipc_space_t is, uint32_t bit)
{
	if (os_atomic_andnot_orig(&is->is_bits, bit, relaxed) & bit) {
		return true;
	}
	return false;
}
192
/*
 * Non-modifying test of `bit` in is_bits.
 *
 * Reads the raw mask bits only; the reference-count part of the word is
 * not exposed here.  This is a plain snapshot with no ordering guarantee.
 */
static inline bool
is_bits_test(ipc_space_t is, uint32_t bit)
{
	return (os_ref_get_raw_mask(&is->is_bits) & bit) != 0;
}
198
/*
 * A space is active while it still owns an entry table.  This is an
 * unsynchronized SMR load, so NOTE(review): treat the result as a hint
 * unless the space lock is held -- it can go stale immediately otherwise.
 */
#define is_active(is) (smr_unsafe_load(&(is)->is_table) != 0UL)
/* A grow is in progress while some thread has claimed is_grower. */
#define is_growing(is) ((is)->is_grower != THREAD_NULL)
201
/*
 * Return the space's entry table, which must exist.
 *
 * Uses the serialized SMR load, so the caller is presumably required to
 * hold the space lock (confirm against smr.h).  The non-NULL check is an
 * assert() only: in builds where assert compiles out, calling this on a
 * terminated space returns NULL, so callers must have established
 * is_active() under the lock first.
 */
static inline ipc_entry_table_t
is_active_table(ipc_space_t space)
{
	ipc_entry_table_t tbl = smr_serialized_load(&space->is_table);

	assert(tbl != NULL);
	return tbl;
}
211
#if CONFIG_PROC_RESOURCE_LIMITS
/* Has the space crossed its soft / hard table-size limit? (flag test only) */
#define is_above_soft_limit_notify(is) is_bits_test(is, IS_ABOVE_SOFT_LIMIT_NOTIFY)
#define is_above_hard_limit_notify(is) is_bits_test(is, IS_ABOVE_HARD_LIMIT_NOTIFY)
215
/* Latch the "soft limit crossed" flag; the transition result is discarded. */
static inline void
is_above_soft_limit_send_notification(ipc_space_t is)
{
	(void)is_bits_set(is, IS_ABOVE_SOFT_LIMIT_NOTIFY);
}
221
/* Latch the "hard limit crossed" flag; the transition result is discarded. */
static inline void
is_above_hard_limit_send_notification(ipc_space_t is)
{
	(void)is_bits_set(is, IS_ABOVE_HARD_LIMIT_NOTIFY);
}
227
/* Has a soft / hard limit notification already been sent for this space? */
#define is_soft_limit_already_notified(is) is_bits_test(is, IS_SOFT_LIMIT_NOTIFIED)
#define is_hard_limit_already_notified(is) is_bits_test(is, IS_HARD_LIMIT_NOTIFIED)
230
/* Record that the soft limit notification has been sent (sticky flag). */
static inline void
is_soft_limit_notified(ipc_space_t is)
{
	(void)is_bits_set(is, IS_SOFT_LIMIT_NOTIFIED);
}
236
/* Record that the hard limit notification has been sent (sticky flag). */
static inline void
is_hard_limit_notified(ipc_space_t is)
{
	(void)is_bits_set(is, IS_HARD_LIMIT_NOTIFIED);
}
242
243 #endif /* CONFIG_PROC_RESOURCE_LIMITS */
244
/* Max-limit flags are unconditional (not behind CONFIG_PROC_RESOURCE_LIMITS). */
#define is_at_max_limit_notify(is) is_bits_test(is, IS_AT_MAX_LIMIT_NOTIFY)
#define is_at_max_limit_already_notified(is) is_bits_test(is, IS_AT_MAX_LIMIT_NOTIFIED)
247
/* Latch the "max limit reached" flag; the transition result is discarded. */
static inline void
is_at_max_limit_send_notification(ipc_space_t is)
{
	(void)is_bits_set(is, IS_AT_MAX_LIMIT_NOTIFY);
}
253
/* Record that the max limit notification has been sent (sticky flag). */
static inline void
is_at_max_limit_notified(ipc_space_t is)
{
	(void)is_bits_set(is, IS_AT_MAX_LIMIT_NOTIFIED);
}
259
/* The kernel's own space and the special reply-port space. */
extern ipc_space_t ipc_space_kernel;
extern ipc_space_t ipc_space_reply;
extern lck_grp_t ipc_lck_grp;
extern lck_attr_t ipc_lck_attr;

/*
 * Read and write locking are the same operation: both resolve to
 * ipc_space_lock() on the single ticket lock in is_lock.  There is no
 * shared-reader mode, so a "read" lock still excludes every other holder.
 */
#define is_read_lock(is) ipc_space_lock(is)
#define is_read_unlock(is) ipc_space_unlock(is)

#define is_write_lock(is) ipc_space_lock(is)
#define is_write_unlock(is) ipc_space_unlock(is)
#define is_write_sleep(is) ipc_space_lock_sleep(is)

#define is_reference(is) ipc_space_reference(is)
#define is_release(is) ipc_space_release(is)
274
/* Acquire / release the space's ticket lock. */
extern void ipc_space_lock(
	ipc_space_t space);

extern void ipc_space_unlock(
	ipc_space_t space);

/* Sleep on the space lock (used via is_write_sleep while a grow is pending). */
extern void ipc_space_lock_sleep(
	ipc_space_t space);

/* Retire an entry table that is no longer reachable from any space. */
extern void ipc_space_retire_table(
	ipc_entry_table_t table);

/* Create a special IPC space */
extern ipc_space_t ipc_space_create_special(void);

/* Create a new IPC space carrying the given mandatory access label */
extern kern_return_t ipc_space_create(
	ipc_label_t label,
	ipc_space_t *spacep);

/* Change the label on an existing space */
extern kern_return_t ipc_space_label(
	ipc_space_t space,
	ipc_label_t label);

/* Add a label to an existing space */
extern kern_return_t ipc_space_add_label(
	ipc_space_t space,
	ipc_label_t label);

/* Mark a space as dead and clean up its entries */
extern void ipc_space_terminate(
	ipc_space_t space);

/*
 * Permute the order of a range within an IPC space's free list
 * (presumably driven by is_prng/is_entropy -- confirm in ipc_space.c).
 */
extern void ipc_space_rand_freelist(
	ipc_space_t space,
	ipc_entry_t table,
	mach_port_index_t bottom,
	mach_port_index_t top);
315
#if CONFIG_PROC_RESOURCE_LIMITS
/* Set soft / hard limits on a space's table size */
extern kern_return_t ipc_space_set_table_size_limits(
	ipc_space_t space,
	ipc_entry_num_t soft_limit,
	ipc_entry_num_t hard_limit);

/* Evaluate the space against its configured limits */
extern void ipc_space_check_limit_exceeded(
	ipc_space_t space);
#endif /* CONFIG_PROC_RESOURCE_LIMITS */

/*
 * Check the space's table size against its limits, reporting the current
 * and configured values through the out-parameters.
 */
extern bool ipc_space_check_table_size_limit(
	ipc_space_t space,
	ipc_entry_num_t *current_limit,
	ipc_entry_num_t *soft_limit,
	ipc_entry_num_t *hard_limit);

/* Mark the space as having reached its maximum size */
extern void ipc_space_set_at_max_limit(
	ipc_space_t space);
335
336 #endif /* MACH_KERNEL_PRIVATE */
337
/* Take a reference on a space */
extern void ipc_space_reference(
	ipc_space_t space);

/* Release a reference on a space */
extern void ipc_space_release(
	ipc_space_t space);
345
346 __END_DECLS
347
348 #endif /* _IPC_IPC_SPACE_H_ */
349