IPC privileges fixes
Kernel:
o Remove s_ipc_sendrec, instead using s_ipc_to for all send primitives
o Centralize s_ipc_to bit manipulation,
  - disallowing assignment of bits pointing to unused priv structs;
  - preventing send-to-self by not setting bit for own priv struct;
  - preserving send mask matrix symmetry in all cases
o Add IPC send mask checks to SENDA, which were missing entirely somehow
o Slightly improve IPC stats accounting for SENDA
o Remove SYSTEM from user processes' send mask
o Half-fix the dependency between boot image order and process numbers,
  - correcting the table order of the boot processes;
  - documenting the order requirement needed for proper send masks;
  - warning at boot time if the order is violated

RS:
o Add support in /etc/drivers.conf for servers that talk to user processes,
  - disallowing IPC to user processes if no "ipc" field is present
  - adding a special "USER" label to explicitly allow IPC to user processes
o Always apply IPC masks when specified; remove -i flag from service(8)
o Use kernel send mask symmetry to delay adding IPC permissions for labels that do not exist yet, adding them to that label's process upon creation
o Add VM to ipc permissions list for rtl8139 and fxp in drivers.conf

Left to future fixes:
o Removal of the table order vs process numbers dependency altogether, possibly using per-process send list structures as used for SYSTEM calls
o Proper assignment of send masks to boot processes; some of the assigned (~0) masks are much wider than necessary
o Proper assignment of IPC send masks for many more servers in drivers.conf
o Removal of the debugging warning about the now legitimate case where RS's add_forward_ipc cannot find the IPC destination's label yet
@@ -12,6 +12,8 @@
|
||||
* In addition to the main sys_task() entry point, which starts the main loop,
|
||||
* there are several other minor entry points:
|
||||
* get_priv: assign privilege structure to user or system process
|
||||
* set_sendto_bit: allow a process to send messages to a new target
|
||||
* unset_sendto_bit: disallow a process from sending messages to a target
|
||||
* send_sig: send a signal directly to a system process
|
||||
* cause_sig: take action to cause a signal to occur via PM
|
||||
* umap_bios: map virtual address in BIOS_SEG to physical
|
||||
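Review bot: the entry-point summary for set_sendto_bit ("allow a process to send messages to a new target") omits the side effect that matters most when auditing privileges: the call also gives the target the right to send back to the caller. Suggest extending the line to say so, for example "allow a process to send messages to a new target, and the target to reply", and noting on the unset_sendto_bit line that it revokes both directions.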
@@ -290,6 +292,46 @@ int proc_type; /* system or user process flag */
|
||||
return(OK);
|
||||
}
|
||||
|
||||
/*===========================================================================*
|
||||
* set_sendto_bit *
|
||||
*===========================================================================*/
|
||||
PUBLIC void set_sendto_bit(struct proc *rp, int id)
|
||||
{
|
||||
/* Allow a process to send messages to the process(es) associated with the
|
||||
* system privilege structure with the given ID.
|
||||
*/
|
||||
struct proc *rrp; /* receiver process */
|
||||
|
||||
/* Disallow the process from sending to a system privilege structure with no
|
||||
* associated process, and disallow the process from sending to itself.
|
||||
*/
|
||||
if (id_to_nr(id) == NONE || priv_id(rp) == id)
|
||||
return;
|
||||
|
||||
set_sys_bit(priv(rp)->s_ipc_to, id);
|
||||
|
||||
/* The process that this process can now send to, must be able to reply.
|
||||
* Therefore, its send mask should be updated as well.
|
||||
*/
|
||||
rrp = proc_addr(id_to_nr(id));
|
||||
if (!iskernelp(rrp))
|
||||
set_sys_bit(priv(rrp)->s_ipc_to, priv_id(rp));
|
||||
}
|
||||
|
||||
/*===========================================================================*
|
||||
* unset_sendto_bit *
|
||||
*===========================================================================*/
|
||||
PUBLIC void unset_sendto_bit(struct proc *rp, int id)
|
||||
{
|
||||
/* Prevent a process from sending to another process. Retain the send mask
|
||||
* symmetry by also unsetting the bit for the other direction.
|
||||
*/
|
||||
|
||||
unset_sys_bit(priv(rp)->s_ipc_to, id);
|
||||
|
||||
unset_sys_bit(priv_addr(id)->s_ipc_to, priv_id(rp));
|
||||
}
|
||||
|
||||
/*===========================================================================*
|
||||
* send_sig *
|
||||
*===========================================================================*/
|
||||
|
||||
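Review bot: unset_sendto_bit lacks the guards that set_sendto_bit applies. It runs "unset_sys_bit(priv_addr(id)->s_ipc_to, priv_id(rp));" for any id, while the set path returns early on "id_to_nr(id) == NONE" and only touches the receiver's mask when "!iskernelp(rrp)". As written, the unset path can modify the send mask of a kernel task or of an unused privilege structure, and neither function checks that id is within range before it is used as an index. Suggest mirroring the set-side checks in unset_sendto_bit, or stating in the function comment that callers must pass a validated id. Two smaller points: clearing the reverse bit also revokes a permission the target may have been granted in its own right, which deserves a sentence in the comment since it is a consequence of the symmetry rule; and set_sendto_bit returns void, so a caller cannot tell the early-return no-op from a successful grant. A status return would let callers, RS in particular, detect the case where the destination does not exist yet.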