Server/driver protocols: no longer allow third-party copies.

Before safecopies, the IO_ENDPT and DL_ENDPT message fields were needed
to know which actual process to copy data from/to, as that process may
not always be the caller. Now that we have full safecopy support, these
fields have become useless for that purpose: the owner of the grant is
*always* the caller. Allowing the caller to supply another endpoint is
in fact dangerous, because the callee may then end up using a grant
from a third party. One could call this a variant of the confused
deputy problem.

From now on, safecopy calls should always use the caller's endpoint as
grant owner. This fully obsoletes the DL_ENDPT field in the
inet/ethernet protocol. IO_ENDPT has other uses besides identifying the
grant owner though. This patch renames IO_ENDPT to USER_ENDPT, not only
because that is a more fitting name (it should never be used for I/O
after all), but also in order to intentionally break any old system
source code outside the base system. If this patch breaks your code,
fixing it is fairly simple:

- DL_ENDPT should be replaced with m_source;
- IO_ENDPT should be replaced with m_source when used for safecopies;
- IO_ENDPT should be replaced with USER_ENDPT for any other use, e.g.
  when setting REP_ENDPT, matching requests in CANCEL calls, getting
  DEV_SELECT flags, and retrieving the real user process's endpoint
  in DEV_OPEN.

The changes in this patch are binary backward compatible.
David van Moolenbroek
2011-04-11 17:35:05 +00:00
parent 4e86b0d53f
commit c51cd5fe91
52 changed files with 351 additions and 343 deletions
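To show the confused-deputy variant the commit message describes, here is an added illustration that is not code from this commit or from MINIX: a constructed grant table, a stand-in `safecopy_check` for the kernel's grant-owner lookup, and a driver's copy routine before (`do_copy_old`, trusting the sender-supplied IO_ENDPT) and after (`do_copy_new`, using m_source). Endpoints 10 and 20, the grant ids and all function names are assumptions.

```c
/* Constructed stand-ins for MINIX types; not the real kernel definitions. */
typedef int endpoint_t;
typedef int cp_grant_id_t;

#define NR_GRANTS     4
#define GRANT_OK      0
#define GRANT_REFUSED (-1)

/* Constructed grant table: each grant was created by one owning endpoint. */
static struct { endpoint_t owner; int valid; } grant_table[NR_GRANTS] = {
    { 10, 1 },   /* grant 0 belongs to endpoint 10 (the caller in the tests) */
    { 20, 1 },   /* grant 1 belongs to endpoint 20 (an unrelated third party) */
};

/* Minimal message: the kernel fills m_source; the sender fills m2_i2. */
typedef struct { endpoint_t m_source; int m2_i2; } message;
#define IO_ENDPT m2_i2   /* pre-patch name of the sender-supplied endpoint */

/* Stand-in (an assumption) for the kernel's safecopy grant lookup: the grant
 * is accepted only if it exists in the table of the endpoint named as owner. */
static int safecopy_check(endpoint_t grant_owner, cp_grant_id_t g)
{
    if (g < 0 || g >= NR_GRANTS || !grant_table[g].valid)
        return GRANT_REFUSED;
    return grant_table[g].owner == grant_owner ? GRANT_OK : GRANT_REFUSED;
}

/* Pre-patch driver: trusts the endpoint the sender put in IO_ENDPT as the
 * grant owner, so a sender can name a third party's grant (confused deputy). */
int do_copy_old(const message *m, cp_grant_id_t g)
{
    return safecopy_check(m->IO_ENDPT, g);
}

/* Post-patch driver: the grant owner is always m_source, which the kernel
 * sets and the sender cannot forge; only the caller's own grants pass. */
int do_copy_new(const message *m, cp_grant_id_t g)
{
    return safecopy_check(m->m_source, g);
}
```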

@@ -55,11 +55,11 @@ typedef struct {
int BufLength;
int RevivePending; /* process waiting for this dev? */
int ReviveStatus; /* return val when proc unblocked */
int ReviveProcNr; /* the process to unblock */
endpoint_t ReviveProcNr; /* the process to unblock */
cp_grant_id_t ReviveGrant; /* grant id associated with io */
void *UserBuf; /* address of user's data buffer */
int ReadyToRevive; /* are we ready to revive process?*/
int NotifyProcNr; /* process to send notify to (FS) */
endpoint_t SourceProcNr; /* process to send notify to (FS) */
u32_t FragSize; /* dma fragment size */
char *DmaBuf; /* the dma buffer; extra space for
page alignment */
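Review bot: the comment on the renamed SourceProcNr field still reads "process to send notify to (FS)", which described the old NotifyProcNr; after the rename it should say what the field now holds (the endpoint the request came from, i.e. the m_source to reply to), otherwise the rename hides the change of meaning. Also, now that ReviveProcNr is endpoint_t rather than int, any driver code that compares it against a process number or a sentinel value should be checked to use the endpoint form.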

@@ -222,7 +222,7 @@
/* Field names for messages to block and character device drivers. */
#define DEVICE m2_i1 /* major-minor device */
#define IO_ENDPT m2_i2 /* which (proc/endpoint) wants I/O? */
#define USER_ENDPT m2_i2 /* which endpoint initiated this call? */
#define COUNT m2_i3 /* how many bytes to transfer */
#define REQUEST m2_i3 /* ioctl request code */
#define POSITION m2_l1 /* file offset (low 4 bytes) */
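Review bot: the USER_ENDPT comment says which endpoint initiated the call but omits the rule the commit message makes central, that this field must never be used as the grant owner in safecopy calls (m_source is). Since the slot stays m2_i2, a driver ported by search-and-replace would keep working at the binary level while reintroducing the third-party grant problem; suggest extending the comment, e.g. `/* which endpoint initiated this call? (not the grant owner) */`.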
@@ -286,7 +286,7 @@
#define DL_TASK_REPLY (DL_RS_BASE + 2)
/* Field names for data link layer messages. */
#define DL_ENDPT m2_i2
#define DL_ENDPT_LEGACY m2_i2 /* obsolete; will be removed */
#define DL_COUNT m2_i3
#define DL_MODE m2_l1
#define DL_FLAGS m2_l1
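Review bot: the DL_ENDPT_LEGACY comment "obsolete; will be removed" should name the replacement (m_source, per the commit message) so that anyone porting an inet/ethernet driver knows what to use instead; and because the field keeps slot m2_i2, it is worth confirming that no remaining in-tree network code still passes it as the grant owner.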
@@ -454,6 +454,9 @@
#define ABRT_MON_LEN m1_i3 /* length of monitor params */
#define ABRT_MON_ADDR m1_p1 /* virtual address of monitor params */
/* Field names for SYS_IOPENABLE. */
#define IOP_ENDPT m2_l1 /* target endpoint */
/* Field names for _UMAP, _VIRCOPY, _PHYSCOPY. */
#define CP_SRC_SPACE m5_s1 /* T or D space (stack is also D) */
#define CP_SRC_ENDPT m5_i1 /* process to copy from */
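Review bot: IOP_ENDPT is placed in the long field m2_l1, while the endpoint fields earlier in this file (USER_ENDPT, DL_ENDPT_LEGACY) use the int slot m2_i2; the SYS_IOPENABLE kernel handler and its callers must agree on the endpoint_t-to-long conversion, so that should be checked. The commit message also does not mention this new SYS_IOPENABLE field at all; a sentence there, or a comment here saying who sets it, would help.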