master
1/*
2 * Copyright (c) 2000-2006 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*
29 * @OSF_COPYRIGHT@
30 */
31/*
32 * Mach Operating System
33 * Copyright (c) 1991,1990,1989,1988,1987 Carnegie Mellon University
34 * All Rights Reserved.
35 *
36 * Permission to use, copy, modify and distribute this software and its
37 * documentation is hereby granted, provided that both the copyright
38 * notice and this permission notice appear in all copies of the
39 * software, derivative works or modified versions, and any portions
40 * thereof, and that both notices appear in supporting documentation.
41 *
42 * CARNEGIE MELLON ALLOWS FREE USE OF THIS SOFTWARE IN ITS "AS IS"
43 * CONDITION. CARNEGIE MELLON DISCLAIMS ANY LIABILITY OF ANY KIND FOR
44 * ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.
45 *
46 * Carnegie Mellon requests users of this software to return to
47 *
48 * Software Distribution Coordinator or Software.Distribution@CS.CMU.EDU
49 * School of Computer Science
50 * Carnegie Mellon University
51 * Pittsburgh PA 15213-3890
52 *
53 * any improvements or extensions that they make and grant Carnegie Mellon
54 * the rights to redistribute these changes.
55 */
56/*
57 * NOTICE: This file was modified by McAfee Research in 2004 to introduce
58 * support for mandatory and extensible security protections. This notice
59 * is included in support of clause 2.2 (b) of the Apple Public License,
60 * Version 2.0.
61 */
62/*
63 */
64/*
65 * File: mach/port.h
66 *
67 * Definition of a Mach port
68 *
69 * Mach ports are the endpoints to Mach-implemented communications
70 * channels (usually uni-directional message queues, but other types
71 * also exist).
72 *
73 * Unique collections of these endpoints are maintained for each
74 * Mach task. Each Mach port in the task's collection is given a
75 * [task-local] name to identify it - and the the various "rights"
76 * held by the task for that specific endpoint.
77 *
78 * This header defines the types used to identify these Mach ports
79 * and the various rights associated with them. For more info see:
80 *
81 * <mach/mach_port.h> - manipulation of port rights in a given space
82 * <mach/message.h> - message queue [and port right passing] mechanism
83 *
84 */
85
86#ifndef _MACH_PORT_H_
87#define _MACH_PORT_H_
88
89#include <sys/cdefs.h>
90#include <stdint.h>
91#include <mach/boolean.h>
92#include <mach/machine/vm_types.h>
93
94/*
95 * mach_port_name_t - the local identity for a Mach port
96 *
97 * The name is Mach port namespace specific. It is used to
98 * identify the rights held for that port by the task whose
99 * namespace is implied [or specifically provided].
100 *
101 * Use of this type usually implies just a name - no rights.
102 * See mach_port_t for a type that implies a "named right."
103 *
104 */
105
106typedef natural_t mach_port_name_t;
107typedef mach_port_name_t *mach_port_name_array_t;
108
109
110/*
111 * mach_port_t - a named port right
112 *
113 * In user-space, "rights" are represented by the name of the
114 * right in the Mach port namespace. Even so, this type is
115 * presented as a unique one to more clearly denote the presence
116 * of a right coming along with the name.
117 *
118 * Often, various rights for a port held in a single name space
119 * will coalesce and are, therefore, be identified by a single name
120 * [this is the case for send and receive rights]. But not
121 * always [send-once rights currently get a unique name for
122 * each right].
123 *
124 */
125
126#include <sys/_types.h>
127#include <sys/_types/_mach_port_t.h>
128
129
130typedef mach_port_t *mach_port_array_t;
131
132/*
133 * MACH_PORT_NULL is a legal value that can be carried in messages.
134 * It indicates the absence of any port or port rights. (A port
135 * argument keeps the message from being "simple", even if the
136 * value is MACH_PORT_NULL.) The value MACH_PORT_DEAD is also a legal
137 * value that can be carried in messages. It indicates
138 * that a port right was present, but it died.
139 */
140
141#define MACH_PORT_NULL 0 /* intentional loose typing */
142#define MACH_PORT_DEAD ((mach_port_name_t) ~0)
143#define MACH_PORT_VALID(name) \
144 (((name) != MACH_PORT_NULL) && \
145 ((name) != MACH_PORT_DEAD))
146
147
148/*
149 * For kernel-selected [assigned] port names, the name is
150 * comprised of two parts: a generation number and an index.
151 * This approach keeps the exact same name from being generated
152 * and reused too quickly [to catch right/reference counting bugs].
153 * The dividing line between the constituent parts is exposed so
154 * that efficient "mach_port_name_t to data structure pointer"
155 * conversion implementation can be made.
156 */
157
158#define MACH_PORT_INDEX(name) ((name) >> 8)
159#define MACH_PORT_GEN(name) (((name) & 0xff) << 24)
160#define MACH_PORT_MAKE(index, gen) (((index) << 8) | ((gen) >> 24))
161
162/*
163 * These are the different rights a task may have for a port.
164 * The MACH_PORT_RIGHT_* definitions are used as arguments
165 * to mach_port_allocate, mach_port_get_refs, etc, to specify
166 * a particular right to act upon. The mach_port_names and
167 * mach_port_type calls return bitmasks using the MACH_PORT_TYPE_*
168 * definitions. This is because a single name may denote
169 * multiple rights.
170 */
171
172typedef natural_t mach_port_right_t;
173
174#define MACH_PORT_RIGHT_SEND ((mach_port_right_t) 0)
175#define MACH_PORT_RIGHT_RECEIVE ((mach_port_right_t) 1)
176#define MACH_PORT_RIGHT_SEND_ONCE ((mach_port_right_t) 2)
177#define MACH_PORT_RIGHT_PORT_SET ((mach_port_right_t) 3)
178#define MACH_PORT_RIGHT_DEAD_NAME ((mach_port_right_t) 4)
179#define MACH_PORT_RIGHT_LABELH ((mach_port_right_t) 5) /* obsolete right */
180#define MACH_PORT_RIGHT_NUMBER ((mach_port_right_t) 6) /* right not implemented */
181
182#define MACH_PORT_TYPE(right) \
183 ((mach_port_type_t)(((mach_port_type_t) 1) \
184 << ((right) + ((mach_port_right_t) 16))))
185
186typedef natural_t mach_port_type_t;
187typedef mach_port_type_t *mach_port_type_array_t;
188
189#define MACH_PORT_TYPE_NONE ((mach_port_type_t) 0L)
190#define MACH_PORT_TYPE_SEND MACH_PORT_TYPE(MACH_PORT_RIGHT_SEND)
191#define MACH_PORT_TYPE_RECEIVE MACH_PORT_TYPE(MACH_PORT_RIGHT_RECEIVE)
192#define MACH_PORT_TYPE_SEND_ONCE MACH_PORT_TYPE(MACH_PORT_RIGHT_SEND_ONCE)
193#define MACH_PORT_TYPE_PORT_SET MACH_PORT_TYPE(MACH_PORT_RIGHT_PORT_SET)
194#define MACH_PORT_TYPE_DEAD_NAME MACH_PORT_TYPE(MACH_PORT_RIGHT_DEAD_NAME)
195#define MACH_PORT_TYPE_LABELH MACH_PORT_TYPE(MACH_PORT_RIGHT_LABELH) /* obsolete */
196/* Dummy type bits that mach_port_type/mach_port_names can return. */
197#define MACH_PORT_TYPE_DNREQUEST 0x80000000
198#define MACH_PORT_TYPE_SPREQUEST 0x40000000
199#define MACH_PORT_TYPE_SPREQUEST_DELAYED 0x20000000
200
201/* Convenient combinations. */
202
203#define MACH_PORT_TYPE_SEND_RECEIVE \
204 (MACH_PORT_TYPE_SEND|MACH_PORT_TYPE_RECEIVE)
205#define MACH_PORT_TYPE_SEND_RIGHTS \
206 (MACH_PORT_TYPE_SEND|MACH_PORT_TYPE_SEND_ONCE)
207#define MACH_PORT_TYPE_PORT_RIGHTS \
208 (MACH_PORT_TYPE_SEND_RIGHTS|MACH_PORT_TYPE_RECEIVE)
209#define MACH_PORT_TYPE_PORT_OR_DEAD \
210 (MACH_PORT_TYPE_PORT_RIGHTS|MACH_PORT_TYPE_DEAD_NAME)
211#define MACH_PORT_TYPE_ALL_RIGHTS \
212 (MACH_PORT_TYPE_PORT_OR_DEAD|MACH_PORT_TYPE_PORT_SET)
213
214/* User-references for capabilities. */
215
216typedef natural_t mach_port_urefs_t;
217typedef integer_t mach_port_delta_t; /* change in urefs */
218
219/* Attributes of ports. (See mach_port_get_receive_status.) */
220
221typedef natural_t mach_port_seqno_t; /* sequence number */
222typedef natural_t mach_port_mscount_t; /* make-send count */
223typedef natural_t mach_port_msgcount_t; /* number of msgs */
224typedef natural_t mach_port_rights_t; /* number of rights */
225
226/*
227 * Are there outstanding send rights for a given port?
228 */
229#define MACH_PORT_SRIGHTS_NONE 0 /* no srights */
230#define MACH_PORT_SRIGHTS_PRESENT 1 /* srights */
231typedef unsigned int mach_port_srights_t; /* status of send rights */
232
233typedef struct mach_port_status {
234 mach_port_rights_t mps_pset; /* count of containing port sets */
235 mach_port_seqno_t mps_seqno; /* sequence number */
236 mach_port_mscount_t mps_mscount; /* make-send count */
237 mach_port_msgcount_t mps_qlimit; /* queue limit */
238 mach_port_msgcount_t mps_msgcount; /* number in the queue */
239 mach_port_rights_t mps_sorights; /* how many send-once rights */
240 boolean_t mps_srights; /* do send rights exist? */
241 boolean_t mps_pdrequest; /* port-deleted requested? */
242 boolean_t mps_nsrequest; /* no-senders requested? */
243 natural_t mps_flags; /* port flags */
244} mach_port_status_t;
245
246/* System-wide values for setting queue limits on a port */
247#define MACH_PORT_QLIMIT_ZERO (0)
248#define MACH_PORT_QLIMIT_BASIC (5)
249#define MACH_PORT_QLIMIT_SMALL (16)
250#define MACH_PORT_QLIMIT_LARGE (1024)
251#define MACH_PORT_QLIMIT_KERNEL (65534)
252#define MACH_PORT_QLIMIT_MIN MACH_PORT_QLIMIT_ZERO
253#define MACH_PORT_QLIMIT_DEFAULT MACH_PORT_QLIMIT_BASIC
254#define MACH_PORT_QLIMIT_MAX MACH_PORT_QLIMIT_LARGE
255
256typedef struct mach_port_limits {
257 mach_port_msgcount_t mpl_qlimit; /* number of msgs */
258} mach_port_limits_t;
259
260/* Possible values for mps_flags (part of mach_port_status_t) */
261#define MACH_PORT_STATUS_FLAG_TEMPOWNER 0x01
262#define MACH_PORT_STATUS_FLAG_GUARDED 0x02
263#define MACH_PORT_STATUS_FLAG_STRICT_GUARD 0x04
264#define MACH_PORT_STATUS_FLAG_IMP_DONATION 0x08
265#define MACH_PORT_STATUS_FLAG_REVIVE 0x10
266#define MACH_PORT_STATUS_FLAG_TASKPTR 0x20
267#define MACH_PORT_STATUS_FLAG_GUARD_IMMOVABLE_RECEIVE 0x40
268#define MACH_PORT_STATUS_FLAG_NO_GRANT 0x80 /* Obsolete */
269
270typedef struct mach_port_info_ext {
271 mach_port_status_t mpie_status;
272 mach_port_msgcount_t mpie_boost_cnt;
273 uint32_t reserved[6];
274} mach_port_info_ext_t;
275
276typedef struct mach_port_guard_info {
277 uint64_t mpgi_guard; /* guard value */
278} mach_port_guard_info_t;
279
280typedef integer_t *mach_port_info_t; /* varying array of natural_t */
281
282/* Flavors for mach_port_get/set/assert_attributes() */
283typedef int mach_port_flavor_t;
284#define MACH_PORT_LIMITS_INFO 1 /* uses mach_port_limits_t */
285#define MACH_PORT_RECEIVE_STATUS 2 /* uses mach_port_status_t */
286#define MACH_PORT_DNREQUESTS_SIZE 3 /* info is int */
287#define MACH_PORT_TEMPOWNER 4 /* indicates receive right will be reassigned to another task */
288#define MACH_PORT_IMPORTANCE_RECEIVER 5 /* indicates recieve right accepts priority donation */
289#define MACH_PORT_DENAP_RECEIVER 6 /* indicates receive right accepts de-nap donation */
290#define MACH_PORT_INFO_EXT 7 /* uses mach_port_info_ext_t */
291#define MACH_PORT_GUARD_INFO 8 /* asserts if the strict guard value is correct */
292#define MACH_PORT_SERVICE_THROTTLED 9 /* info is an integer that indicates if service port is throttled or not */
293
294#define MACH_PORT_LIMITS_INFO_COUNT ((natural_t) \
295 (sizeof(mach_port_limits_t)/sizeof(natural_t)))
296#define MACH_PORT_RECEIVE_STATUS_COUNT ((natural_t) \
297 (sizeof(mach_port_status_t)/sizeof(natural_t)))
298#define MACH_PORT_DNREQUESTS_SIZE_COUNT 1
299#define MACH_PORT_INFO_EXT_COUNT ((natural_t) \
300 (sizeof(mach_port_info_ext_t)/sizeof(natural_t)))
301#define MACH_PORT_GUARD_INFO_COUNT ((natural_t) \
302 (sizeof(mach_port_guard_info_t)/sizeof(natural_t)))
303#define MACH_PORT_SERVICE_THROTTLED_COUNT 1
304
305/*
306 * Structure used to pass information about port allocation requests.
307 * Must be padded to 64-bits total length.
308 */
309typedef struct mach_port_qos {
310 unsigned int name:1; /* name given */
311 unsigned int prealloc:1; /* prealloced message */
312 boolean_t pad1:30;
313 natural_t len;
314} mach_port_qos_t;
315
316/*
317 * Structure used to pass information about the service port
318 */
319#define MACH_SERVICE_PORT_INFO_STRING_NAME_MAX_BUF_LEN 255 /* Maximum length of the port string name buffer */
320
321typedef struct mach_service_port_info {
322 char mspi_string_name[MACH_SERVICE_PORT_INFO_STRING_NAME_MAX_BUF_LEN]; /* Service port's string name */
323 uint8_t mspi_domain_type; /* Service port domain */
324} mach_service_port_info_data_t;
325
326#define MACH_SERVICE_PORT_INFO_COUNT ((char) \
327 (sizeof(mach_service_port_info_data_t)/sizeof(char)))
328
329typedef struct mach_service_port_info * mach_service_port_info_t;
330
331/*
332 * Platform binaries are not allowed to send OOL port array to any port.
333 *
334 * MACH_MSG_OOL_PORTS_DESCRIPTOR are allowed to be sent ONLY to receive
335 * rights that are explicitly allow to receive that descriptor.
336 *
337 * Such ports have a dedicated port type, and are created using the
338 * MPO_CONNECTION_PORT_WITH_PORT_ARRAY flag.
339 *
340 * Creation of such ports requires the binary to have the following entitlement.
341 */
342#define MACH_PORT_CONNECTION_PORT_WITH_PORT_ARRAY "com.apple.developer.allow-connection-port-with-port-array"
343
344/* Allows 1p process to create provisional reply port (to be rename to weak reply port) */
345#define MACH_PORT_PROVISIONAL_REPLY_ENTITLEMENT "com.apple.private.allow-weak-reply-port"
346
347/*
348 * Flags for mach_port_options (used for
349 * invocation of mach_port_construct).
350 * Indicates attributes to be set for the newly
351 * allocated port.
352 */
353
354/* MPO options flags */
355#define MPO_CONTEXT_AS_GUARD 0x01 /* Add guard to the port */
356#define MPO_QLIMIT 0x02 /* Set qlimit for the port msg queue */
357#define MPO_TEMPOWNER 0x04 /* Set the tempowner bit of the port */
358#define MPO_IMPORTANCE_RECEIVER 0x08 /* Mark the port as importance receiver */
359#define MPO_INSERT_SEND_RIGHT 0x10 /* Insert a send right for the port */
360#define MPO_STRICT 0x20 /* Apply strict guarding for port */
361#define MPO_DENAP_RECEIVER 0x40 /* Mark the port as App de-nap receiver */
362#define MPO_IMMOVABLE_RECEIVE 0x80 /* Mark the port as immovable; protected by the guard context */
363#define MPO_FILTER_MSG 0x100 /* Allow message filtering */
364#define MPO_TG_BLOCK_TRACKING 0x200 /* Track blocking relationship for thread group during sync IPC */
365#define MPO_ENFORCE_REPLY_PORT_SEMANTICS 0x2000 /* When talking to this port, local port of mach msg needs to follow reply port semantics.*/
366/* This service port has requested security hardening */
367#define MPO_STRICT_SERVICE_PORT (MPO_SERVICE_PORT | MPO_ENFORCE_REPLY_PORT_SEMANTICS)
368
369#define MPO_OPTIONS_MASK \
370 (MPO_CONTEXT_AS_GUARD | \
371 MPO_QLIMIT | \
372 MPO_TEMPOWNER | \
373 MPO_IMPORTANCE_RECEIVER | \
374 MPO_INSERT_SEND_RIGHT | \
375 MPO_STRICT | \
376 MPO_DENAP_RECEIVER | \
377 MPO_IMMOVABLE_RECEIVE | \
378 MPO_FILTER_MSG | \
379 MPO_TG_BLOCK_TRACKING | \
380 MPO_ENFORCE_REPLY_PORT_SEMANTICS)
381
382/* MPO port type flags */
383#define MPO_MAKE_PORT_TYPE(a, b) (((a & 0x7) << 14) | ((b & 0x7) << 10))
384#define MPO_PORT_TYPE_MASK MPO_MAKE_PORT_TYPE(0x7, 0x7) /* 0x1dc00 */
385/* These need to be defined for libxpc and other clients who `#ifdef` */
386 #define MPO_PORT MPO_PORT
387 #define MPO_SERVICE_PORT MPO_SERVICE_PORT
388 #define MPO_CONNECTION_PORT MPO_CONNECTION_PORT
389 #define MPO_REPLY_PORT MPO_REPLY_PORT
390 #define MPO_PROVISIONAL_REPLY_PORT MPO_PROVISIONAL_REPLY_PORT
391 #define MPO_EXCEPTION_PORT MPO_EXCEPTION_PORT
392 #define MPO_CONNECTION_PORT_WITH_PORT_ARRAY MPO_CONNECTION_PORT_WITH_PORT_ARRAY
393__options_decl(mpo_flags_t, uint32_t, {
394 /* Your classic IOT_PORT, an uninteresting message queue */
395 MPO_PORT = MPO_MAKE_PORT_TYPE(0, 0), /* 0x0 */
396 /* Create a service port with the given name; should be used only by launchd */
397 MPO_SERVICE_PORT = MPO_MAKE_PORT_TYPE(0, 1), /* 0x400 */
398 /* Derive new peer connection port from a given service port */
399 MPO_CONNECTION_PORT = MPO_MAKE_PORT_TYPE(0, 2), /* 0x800 */
400 /* Designate port as a reply port */
401 MPO_REPLY_PORT = MPO_MAKE_PORT_TYPE(0, 4), /* 0x1000 */
402 /* Designate port as a provisional (fake) reply port */
403 MPO_PROVISIONAL_REPLY_PORT = MPO_MAKE_PORT_TYPE(1, 0), /* 0x4000 */
404 /* Used for hardened exceptions - immovable */
405 MPO_EXCEPTION_PORT = MPO_MAKE_PORT_TYPE(2, 0), /* 0x8000 */
406 /* Can receive OOL port array descriptors */
407 MPO_CONNECTION_PORT_WITH_PORT_ARRAY = MPO_MAKE_PORT_TYPE(4, 0), /* 0x10000 */
408});
409#define MPO_UNUSED_BITS ~(MPO_OPTIONS_MASK | MPO_PORT_TYPE_MASK)
410
411/* Denotes an anonymous service */
412#define MPO_ANONYMOUS_SERVICE (MACH_PORT_DEAD - 1)
413
414/*
415 * Structure to define optional attributes for a newly
416 * constructed port.
417 */
418typedef struct mach_port_options {
419 uint32_t flags;
420 mach_port_limits_t mpl; /* Message queue limit for port */
421 union {
422 uint64_t reserved[2]; /* Reserved */
423 mach_port_name_t work_interval_port; /* Work interval port */
424 mach_service_port_info_t service_port_info; /* Service port (MPO_SERVICE_PORT) */
425 mach_port_name_t service_port_name; /* Service port (MPO_CONNECTION_PORT) */
426 };
427}mach_port_options_t;
428
429typedef mach_port_options_t *mach_port_options_ptr_t;
430
431/* Mach Port Guarding definitions */
432
433/*
434 * EXC_GUARD represents a guard violation for both
435 * mach ports and file descriptors. GUARD_TYPE_ is used
436 * to differentiate among them.
437 */
438#define GUARD_TYPE_MACH_PORT 0x1
439
440/*
441 * Reasons for exception for a guarded mach port
442 *
443 * Arguments are documented in doc/mach_ipc/guard_exceptions.md,
444 * please update when adding a new type.
445 *
446 * Note: these had been designed as bitfields,
447 * hence the weird spaced values,
448 * but are truly an enum, please add new values in the "holes".
449 */
450enum mach_port_guard_exception_codes {
451 kGUARD_EXC_NONE = 0, /* never sent */
452 kGUARD_EXC_DESTROY = 1,
453 kGUARD_EXC_MOD_REFS = 2,
454 kGUARD_EXC_INVALID_OPTIONS = 3,
455 kGUARD_EXC_SET_CONTEXT = 4,
456 kGUARD_EXC_THREAD_SET_STATE = 5,
457 kGUARD_EXC_EXCEPTION_BEHAVIOR_ENFORCE = 6,
458 kGUARD_EXC_SERVICE_PORT_VIOLATION_FATAL = 7, /* unused, for future sp defense enablement */
459 kGUARD_EXC_UNGUARDED = 8,
460 kGUARD_EXC_KOBJECT_REPLY_PORT_SEMANTICS = 9,
461 kGUARD_EXC_REQUIRE_REPLY_PORT_SEMANTICS = 10,
462 kGUARD_EXC_INCORRECT_GUARD = 16,
463 kGUARD_EXC_IMMOVABLE = 32,
464 kGUARD_EXC_STRICT_REPLY = 64,
465 kGUARD_EXC_INVALID_NOTIFICATION_REQ = 65,
466 kGUARD_EXC_INVALID_MPO_ENTITLEMENT = 66,
467 kGUARD_EXC_DESCRIPTOR_VIOLATION = 67,
468 kGUARD_EXC_MSG_FILTERED = 128,
469 /* start of [optionally] non-fatal guards */
470 kGUARD_EXC_INVALID_RIGHT = 256,
471 kGUARD_EXC_INVALID_NAME = 512,
472 kGUARD_EXC_INVALID_VALUE = 1u << 10,
473 kGUARD_EXC_INVALID_ARGUMENT = 1u << 11, /* really kGUARD_EXC_ALREADY_GUARDED */
474 kGUARD_EXC_RIGHT_EXISTS = 1u << 12, /* unused */
475 kGUARD_EXC_KERN_NO_SPACE = 1u << 13, /* unused */
476 kGUARD_EXC_KERN_FAILURE = 1u << 14, /* really kGUARD_EXC_INVALID_PDREQUEST */
477 kGUARD_EXC_KERN_RESOURCE = 1u << 15, /* unused */
478 kGUARD_EXC_SEND_INVALID_REPLY = 1u << 16,
479 kGUARD_EXC_SEND_INVALID_VOUCHER = 1u << 17,
480 kGUARD_EXC_SEND_INVALID_RIGHT = 1u << 18,
481 kGUARD_EXC_RCV_INVALID_NAME = 1u << 19,
482 /* start of always non-fatal guards */
483 kGUARD_EXC_RCV_GUARDED_DESC = 0x00100000, /* for development only */
484 kGUARD_EXC_SERVICE_PORT_VIOLATION_NON_FATAL = 0x00100001, /* unused, for future sp defense enablement */
485 kGUARD_EXC_PROVISIONAL_REPLY_PORT = 0x00100002,
486 kGUARD_EXC_OOL_PORT_ARRAY_CREATION = 0x00100003, /* unused */
487 kGUARD_EXC_MOVE_PROVISIONAL_REPLY_PORT = 0x00100004,
488 kGUARD_EXC_REPLY_PORT_SINGLE_SO_RIGHT = 0x00100005,
489 kGUARD_EXC_MOD_REFS_NON_FATAL = 1u << 21,
490 kGUARD_EXC_IMMOVABLE_NON_FATAL = 1u << 22, /* unused*/
491};
492
493#define MAX_FATAL_kGUARD_EXC_CODE kGUARD_EXC_MSG_FILTERED
494#define MAX_OPTIONAL_kGUARD_EXC_CODE kGUARD_EXC_RCV_INVALID_NAME
495
496
497/*
498 * Mach port guard flags.
499 */
500#define MPG_FLAGS_NONE 0x00
501
502/*
503 * These flags are used as bits in the subcode of kGUARD_EXC_STRICT_REPLY exceptions.
504 */
505#define MPG_FLAGS_STRICT_REPLY_INVALID_VOUCHER 0x04
506#define MPG_FLAGS_STRICT_REPLY_MISMATCHED_PERSONA 0x10
507
508/*
509 * These flags are used as bits in the subcode of kGUARD_EXC_MOD_REFS exceptions.
510 */
511#define MPG_FLAGS_MOD_REFS_PINNED_DEALLOC 0x01
512#define MPG_FLAGS_MOD_REFS_PINNED_DESTROY 0x02
513#define MPG_FLAGS_MOD_REFS_PINNED_COPYIN 0x03
514
515/*
516 * These flags are used as bits in the subcode of kGUARD_EXC_INVALID_RIGHT exceptions.
517 */
518#define MPG_FLAGS_INVALID_RIGHT_RECV 0x01 /* does not have receive right */
519#define MPG_FLAGS_INVALID_RIGHT_DELTA 0x02 /* ipc_right_delta() */
520#define MPG_FLAGS_INVALID_RIGHT_DESTRUCT 0x03 /* ipc_right_destruct() */
521#define MPG_FLAGS_INVALID_RIGHT_COPYIN 0x04 /* ipc_right_copyin() */
522#define MPG_FLAGS_INVALID_RIGHT_DEALLOC 0x05 /* ipc_right_dealloc() */
523#define MPG_FLAGS_INVALID_RIGHT_DEALLOC_KERNEL 0x06 /* mach_port_deallocate_kernel() */
524#define MPG_FLAGS_INVALID_RIGHT_TRANSLATE_PORT 0x07 /* port in ipc_object_translate_port_pset() */
525#define MPG_FLAGS_INVALID_RIGHT_TRANSLATE_PSET 0x08 /* pset in ipc_object_translate_port_pset() */
526
527/*
528 * These flags are used as bits in the subcode of kGUARD_EXC_INVALID_VALUE exceptions.
529 */
530#define MPG_FLAGS_INVALID_VALUE_PEEK 0x01 /* mach_port_peek() */
531#define MPG_FLAGS_INVALID_VALUE_DELTA 0x02 /* ipc_right_delta() */
532#define MPG_FLAGS_INVALID_VALUE_DESTRUCT 0x03 /* ipc_right_destruct() */
533
534/*
535 * These flags are used as bits in the subcode of kGUARD_EXC_KERN_FAILURE exceptions.
536 */
537#define MPG_FLAGS_KERN_FAILURE_TASK 0x01 /* task other than launchd arm pd on service ports */
538#define MPG_FLAGS_KERN_FAILURE_NOTIFY_TYPE 0x02 /* not using IOT_NOTIFICATION_PORT for pd notification */
539#define MPG_FLAGS_KERN_FAILURE_NOTIFY_RECV 0x03 /* notification port not owned by launchd */
540#define MPG_FLAGS_KERN_FAILURE_MULTI_NOTI 0x04 /* register multiple pd notification */
541
542/*
543 * These flags are used as bits in the subcode of kGUARD_EXC_SEND_INVALID_RIGHT exceptions.
544 */
545#define MPG_FLAGS_SEND_INVALID_RIGHT_PORT 0x01 /* ipc_kmsg_copyin_port_descriptor() */
546#define MPG_FLAGS_SEND_INVALID_RIGHT_OOL_PORT 0x02 /* ipc_kmsg_copyin_ool_ports_descriptor() */
547#define MPG_FLAGS_SEND_INVALID_RIGHT_GUARDED 0x03 /* ipc_kmsg_copyin_guarded_port_descriptor */
548
549/*
550 * These flags are used as bits in the subcode of kGUARD_EXC_INVALID_OPTIONS exceptions.
551 */
552#define MPG_FLAGS_INVALID_OPTIONS_OOL_DISP 0x01 /* ipc_kmsg_copyin_ool_ports_descriptor() */
553#define MPG_FLAGS_INVALID_OPTIONS_OOL_ARRAYS 0x02 /* ipc_validate_kmsg_header_from_user() */
554#define MPG_FLAGS_INVALID_OPTIONS_OOL_RIGHT 0x03 /* ipc_validate_kmsg_header_from_user() */
555
556/*
557 * Flags for mach_port_guard_with_flags. These flags extend
558 * the attributes associated with a guarded port.
559 */
560#define MPG_STRICT 0x01 /* Apply strict guarding for a port */
561#define MPG_IMMOVABLE_RECEIVE 0x02 /* Receive right cannot be moved out of the space */
562
563#if !__DARWIN_UNIX03 && !defined(_NO_PORT_T_FROM_MACH)
564/*
565 * Mach 3.0 renamed everything to have mach_ in front of it.
566 * These types and macros are provided for backward compatibility
567 * but are deprecated.
568 */
569typedef mach_port_t port_t;
570typedef mach_port_name_t port_name_t;
571typedef mach_port_name_t *port_name_array_t;
572
573#define PORT_NULL ((port_t) 0)
574#define PORT_DEAD ((port_t) ~0)
575#define PORT_VALID(name) \
576 ((port_t)(name) != PORT_NULL && (port_t)(name) != PORT_DEAD)
577
578#endif /* !__DARWIN_UNIX03 && !_NO_PORT_T_FROM_MACH */
579
580#endif /* _MACH_PORT_H_ */