1/* 2 * Copyright (c) 2000-2007 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28/* $NetBSD: sysv_shm.c,v 1.23 1994/07/04 23:25:12 glass Exp $ */ 29 30/* 31 * Copyright (c) 1994 Adam Glass and Charles Hannum. All rights reserved. 32 * 33 * Redistribution and use in source and binary forms, with or without 34 * modification, are permitted provided that the following conditions 35 * are met: 36 * 1. Redistributions of source code must retain the above copyright 37 * notice, this list of conditions and the following disclaimer. 38 * 2. Redistributions in binary form must reproduce the above copyright 39 * notice, this list of conditions and the following disclaimer in the 40 * documentation and/or other materials provided with the distribution. 41 * 3. All advertising materials mentioning features or use of this software 42 * must display the following acknowledgement: 43 * This product includes software developed by Adam Glass and Charles 44 * Hannum. 45 * 4. The names of the authors may not be used to endorse or promote products 46 * derived from this software without specific prior written permission. 47 * 48 * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR 49 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 50 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 51 * IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, 52 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 53 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 54 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 55 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 56 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 57 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 58 */ 59/* 60 * NOTICE: This file was modified by McAfee Research in 2004 to introduce 61 * support for mandatory and extensible security protections. This notice 62 * is included in support of clause 2.2 (b) of the Apple Public License, 63 * Version 2.0. 64 * Copyright (c) 2005-2006 SPARTA, Inc. 65*/ 66 67 68#include <sys/appleapiopts.h> 69#include <sys/param.h> 70#include <sys/systm.h> 71#include <sys/kernel.h> 72#include <sys/shm_internal.h> 73#include <sys/proc_internal.h> 74#include <sys/kauth.h> 75#include <sys/malloc.h> 76#include <sys/mman.h> 77#include <sys/stat.h> 78#include <sys/sysctl.h> 79#include <sys/ipcs.h> 80#include <sys/sysent.h> 81#include <sys/sysproto.h> 82#if CONFIG_MACF 83#include <security/mac_framework.h> 84#endif 85 86#include <bsm/audit_kernel.h> 87 88#include <mach/mach_types.h> 89#include <mach/vm_inherit.h> 90#include <mach/vm_map.h> 91 92#include <mach/mach_vm.h> 93 94#include <vm/vm_map.h> 95#include <vm/vm_protos.h> 96 97#include <kern/locks.h> 98 99/* Uncomment this line to see MAC debugging output. */ 100/* #define MAC_DEBUG */ 101#if CONFIG_MACF_DEBUG 102#define MPRINTF(a) printf a 103#else 104#define MPRINTF(a) 105#endif 106 107#if SYSV_SHM 108static void shminit(void *); 109#if 0 110SYSINIT(sysv_shm, SI_SUB_SYSV_SHM, SI_ORDER_FIRST, shminit, NULL) 111#endif 0 112 113static lck_grp_t *sysv_shm_subsys_lck_grp; 114static lck_grp_attr_t *sysv_shm_subsys_lck_grp_attr; 115static lck_attr_t *sysv_shm_subsys_lck_attr; 116static lck_mtx_t sysv_shm_subsys_mutex; 117 118#define SYSV_SHM_SUBSYS_LOCK() lck_mtx_lock(&sysv_shm_subsys_mutex) 119#define SYSV_SHM_SUBSYS_UNLOCK() lck_mtx_unlock(&sysv_shm_subsys_mutex) 120 121static int oshmctl(void *p, void *uap, void *retval); 122static int shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode, int * retval); 123static int shmget_existing(struct shmget_args *uap, int mode, int segnum, int * retval); 124static void shmid_ds_64to32(struct user_shmid_ds *in, struct shmid_ds *out); 125static void shmid_ds_32to64(struct shmid_ds *in, struct user_shmid_ds *out); 126 127/* XXX casting to (sy_call_t *) is bogus, as usual. */ 128static sy_call_t *shmcalls[] = { 129 (sy_call_t *)shmat, (sy_call_t *)oshmctl, 130 (sy_call_t *)shmdt, (sy_call_t *)shmget, 131 (sy_call_t *)shmctl 132}; 133 134#define SHMSEG_FREE 0x0200 135#define SHMSEG_REMOVED 0x0400 136#define SHMSEG_ALLOCATED 0x0800 137#define SHMSEG_WANTED 0x1000 138 139static int shm_last_free, shm_nused, shm_committed; 140struct shmid_kernel *shmsegs; /* 64 bit version */ 141static int shm_inited = 0; 142 143struct shm_handle { 144 void * shm_object; /* vm_offset_t kva; */ 145}; 146 147struct shmmap_state { 148 mach_vm_address_t va; /* user address */ 149 int shmid; /* segment id */ 150}; 151 152static void shm_deallocate_segment(struct shmid_kernel *); 153static int shm_find_segment_by_key(key_t); 154static struct shmid_kernel *shm_find_segment_by_shmid(int); 155static int shm_delete_mapping(struct proc *, struct shmmap_state *, int); 156 157#ifdef __APPLE_API_PRIVATE 158#define DEFAULT_SHMMAX (4 * 1024 * 1024) 159#define DEFAULT_SHMMIN 1 160#define DEFAULT_SHMMNI 32 161#define DEFAULT_SHMSEG 8 162#define DEFAULT_SHMALL 1024 163struct shminfo shminfo = { 164 DEFAULT_SHMMAX, 165 DEFAULT_SHMMIN, 166 DEFAULT_SHMMNI, 167 DEFAULT_SHMSEG, 168 DEFAULT_SHMALL 169}; 170#endif /* __APPLE_API_PRIVATE */ 171 172void sysv_shm_lock_init(void); 173 174static __inline__ time_t 175sysv_shmtime(void) 176{ 177 struct timeval tv; 178 microtime(&tv); 179 return (tv.tv_sec); 180} 181 182/* 183 * This conversion is safe, since if we are converting for a 32 bit process, 184 * then it's value of (struct shmid_ds)->shm_segsz will never exceed 4G. 185 * 186 * NOTE: Source and target may *NOT* overlap! (target is smaller) 187 */ 188static void 189shmid_ds_64to32(struct user_shmid_ds *in, struct shmid_ds *out) 190{ 191 out->shm_perm = in->shm_perm; 192 out->shm_segsz = (size_t)in->shm_segsz; 193 out->shm_lpid = in->shm_lpid; 194 out->shm_cpid = in->shm_cpid; 195 out->shm_nattch = in->shm_nattch; 196 out->shm_atime = in->shm_atime; 197 out->shm_dtime = in->shm_dtime; 198 out->shm_ctime = in->shm_ctime; 199 out->shm_internal = CAST_DOWN(void *,in->shm_internal); 200} 201 202/* 203 * NOTE: Source and target may are permitted to overlap! (source is smaller); 204 * this works because we copy fields in order from the end of the struct to 205 * the beginning. 206 */ 207static void 208shmid_ds_32to64(struct shmid_ds *in, struct user_shmid_ds *out) 209{ 210 out->shm_internal = CAST_USER_ADDR_T(in->shm_internal); 211 out->shm_ctime = in->shm_ctime; 212 out->shm_dtime = in->shm_dtime; 213 out->shm_atime = in->shm_atime; 214 out->shm_nattch = in->shm_nattch; 215 out->shm_cpid = in->shm_cpid; 216 out->shm_lpid = in->shm_lpid; 217 out->shm_segsz = (user_size_t)in->shm_segsz; 218 out->shm_perm = in->shm_perm; 219} 220 221 222static int 223shm_find_segment_by_key(key_t key) 224{ 225 int i; 226 227 for (i = 0; i < shminfo.shmmni; i++) 228 if ((shmsegs[i].u.shm_perm.mode & SHMSEG_ALLOCATED) && 229 shmsegs[i].u.shm_perm._key == key) 230 return i; 231 return -1; 232} 233 234static struct shmid_kernel * 235shm_find_segment_by_shmid(int shmid) 236{ 237 int segnum; 238 struct shmid_kernel *shmseg; 239 240 segnum = IPCID_TO_IX(shmid); 241 if (segnum < 0 || segnum >= shminfo.shmmni) 242 return NULL; 243 shmseg = &shmsegs[segnum]; 244 if ((shmseg->u.shm_perm.mode & (SHMSEG_ALLOCATED | SHMSEG_REMOVED)) 245 != SHMSEG_ALLOCATED || 246 shmseg->u.shm_perm._seq != IPCID_TO_SEQ(shmid)) 247 return NULL; 248 return shmseg; 249} 250 251static void 252shm_deallocate_segment(struct shmid_kernel *shmseg) 253{ 254 struct shm_handle *shm_handle; 255 mach_vm_size_t size; 256 257 shm_handle = CAST_DOWN(void *,shmseg->u.shm_internal); /* tunnel */ 258 size = mach_vm_round_page(shmseg->u.shm_segsz); 259 mach_memory_entry_port_release(shm_handle->shm_object); 260 shm_handle->shm_object = NULL; 261 FREE((caddr_t)shm_handle, M_SHM); 262 shmseg->u.shm_internal = USER_ADDR_NULL; /* tunnel */ 263 shm_committed -= btoc(size); 264 shm_nused--; 265 shmseg->u.shm_perm.mode = SHMSEG_FREE; 266#if CONFIG_MACF 267 /* Reset the MAC label */ 268 mac_sysvshm_label_recycle(shmseg); 269#endif 270} 271 272static int 273shm_delete_mapping(__unused struct proc *p, struct shmmap_state *shmmap_s, 274 int deallocate) 275{ 276 struct shmid_kernel *shmseg; 277 int segnum, result; 278 mach_vm_size_t size; 279 280 segnum = IPCID_TO_IX(shmmap_s->shmid); 281 shmseg = &shmsegs[segnum]; 282 size = mach_vm_round_page(shmseg->u.shm_segsz); /* XXX done for us? */ 283 if (deallocate) { 284 result = mach_vm_deallocate(current_map(), shmmap_s->va, size); 285 if (result != KERN_SUCCESS) 286 return EINVAL; 287 } 288 shmmap_s->shmid = -1; 289 shmseg->u.shm_dtime = sysv_shmtime(); 290 if ((--shmseg->u.shm_nattch <= 0) && 291 (shmseg->u.shm_perm.mode & SHMSEG_REMOVED)) { 292 shm_deallocate_segment(shmseg); 293 shm_last_free = segnum; 294 } 295 return 0; 296} 297 298int 299shmdt(struct proc *p, struct shmdt_args *uap, register_t *retval) 300{ 301#if CONFIG_MACF 302 struct shmid_kernel *shmsegptr; 303#endif 304 struct shmmap_state *shmmap_s; 305 int i; 306 int shmdtret = 0; 307 308 AUDIT_ARG(svipc_addr, uap->shmaddr); 309 310 SYSV_SHM_SUBSYS_LOCK(); 311 312 if (!shm_inited) { 313 shminit(NULL); 314 } 315 shmmap_s = (struct shmmap_state *)p->vm_shm; 316 if (shmmap_s == NULL) { 317 shmdtret = EINVAL; 318 goto shmdt_out; 319 } 320 321 for (i = 0; i < shminfo.shmseg; i++, shmmap_s++) 322 if (shmmap_s->shmid != -1 && 323 shmmap_s->va == (mach_vm_offset_t)uap->shmaddr) 324 break; 325 if (i == shminfo.shmseg) { 326 shmdtret = EINVAL; 327 goto shmdt_out; 328 } 329#if CONFIG_MACF 330 /* 331 * XXX: It might be useful to move this into the shm_delete_mapping 332 * function 333 */ 334 shmsegptr = &shmsegs[IPCID_TO_IX(shmmap_s->shmid)]; 335 shmdtret = mac_sysvshm_check_shmdt(kauth_cred_get(), shmsegptr); 336 if (shmdtret) 337 goto shmdt_out; 338#endif 339 i = shm_delete_mapping(p, shmmap_s, 1); 340 341 if (i == 0) 342 *retval = 0; 343 shmdtret = i; 344shmdt_out: 345 SYSV_SHM_SUBSYS_UNLOCK(); 346 return shmdtret; 347} 348 349int 350shmat(struct proc *p, struct shmat_args *uap, user_addr_t *retval) 351{ 352 int error, i, flags; 353 struct shmid_kernel *shmseg; 354 struct shmmap_state *shmmap_s = NULL; 355 struct shm_handle *shm_handle; 356 mach_vm_address_t attach_va; /* attach address in/out */ 357 mach_vm_size_t map_size; /* size of map entry */ 358 vm_prot_t prot; 359 size_t size; 360 kern_return_t rv; 361 int shmat_ret = 0; 362 363 AUDIT_ARG(svipc_id, uap->shmid); 364 AUDIT_ARG(svipc_addr, uap->shmaddr); 365 366 SYSV_SHM_SUBSYS_LOCK(); 367 368 if (!shm_inited) { 369 shminit(NULL); 370 } 371 372 shmmap_s = (struct shmmap_state *)p->vm_shm; 373 374 if (shmmap_s == NULL) { 375 size = shminfo.shmseg * sizeof(struct shmmap_state); 376 MALLOC(shmmap_s, struct shmmap_state *, size, M_SHM, M_WAITOK); 377 if (shmmap_s == NULL) { 378 shmat_ret = ENOMEM; 379 goto shmat_out; 380 } 381 for (i = 0; i < shminfo.shmseg; i++) 382 shmmap_s[i].shmid = -1; 383 p->vm_shm = (caddr_t)shmmap_s; 384 } 385 shmseg = shm_find_segment_by_shmid(uap->shmid); 386 if (shmseg == NULL) { 387 shmat_ret = EINVAL; 388 goto shmat_out; 389 } 390 391 AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm); 392 error = ipcperm(kauth_cred_get(), &shmseg->u.shm_perm, 393 (uap->shmflg & SHM_RDONLY) ? IPC_R : IPC_R|IPC_W); 394 if (error) { 395 shmat_ret = error; 396 goto shmat_out; 397 } 398 399#if CONFIG_MACF 400 error = mac_sysvshm_check_shmat(kauth_cred_get(), shmseg, uap->shmflg); 401 if (error) { 402 shmat_ret = error; 403 goto shmat_out; 404 } 405#endif 406 for (i = 0; i < shminfo.shmseg; i++) { 407 if (shmmap_s->shmid == -1) 408 break; 409 shmmap_s++; 410 } 411 if (i >= shminfo.shmseg) { 412 shmat_ret = EMFILE; 413 goto shmat_out; 414 } 415 416 map_size = mach_vm_round_page(shmseg->u.shm_segsz); 417 prot = VM_PROT_READ; 418 if ((uap->shmflg & SHM_RDONLY) == 0) 419 prot |= VM_PROT_WRITE; 420 flags = MAP_ANON | MAP_SHARED; 421 if (uap->shmaddr) 422 flags |= MAP_FIXED; 423 424 attach_va = (mach_vm_address_t)uap->shmaddr; 425 if (uap->shmflg & SHM_RND) 426 attach_va &= ~(SHMLBA-1); 427 else if ((attach_va & (SHMLBA-1)) != 0) { 428 shmat_ret = EINVAL; 429 goto shmat_out; 430 } 431 432 shm_handle = CAST_DOWN(void *, shmseg->u.shm_internal); /* tunnel */ 433 434 rv = mach_vm_map(current_map(), /* process map */ 435 &attach_va, /* attach address */ 436 map_size, /* segment size */ 437 (mach_vm_offset_t)0, /* alignment mask */ 438 (flags & MAP_FIXED)? VM_FLAGS_FIXED: VM_FLAGS_ANYWHERE, 439 shm_handle->shm_object, 440 (mach_vm_offset_t)0, 441 FALSE, 442 prot, 443 prot, 444 VM_INHERIT_DEFAULT); 445 if (rv != KERN_SUCCESS) 446 goto out; 447 448 rv = mach_vm_inherit(current_map(), attach_va, map_size, VM_INHERIT_SHARE); 449 if (rv != KERN_SUCCESS) { 450 (void)mach_vm_deallocate(current_map(), attach_va, map_size); 451 goto out; 452 } 453 454 shmmap_s->va = attach_va; 455 shmmap_s->shmid = uap->shmid; 456 shmseg->u.shm_lpid = p->p_pid; 457 shmseg->u.shm_atime = sysv_shmtime(); 458 shmseg->u.shm_nattch++; 459 *retval = attach_va; /* XXX return -1 on error */ 460 shmat_ret = 0; 461 goto shmat_out; 462out: 463 switch (rv) { 464 case KERN_INVALID_ADDRESS: 465 case KERN_NO_SPACE: 466 shmat_ret = ENOMEM; 467 case KERN_PROTECTION_FAILURE: 468 shmat_ret = EACCES; 469 default: 470 shmat_ret = EINVAL; 471 } 472shmat_out: 473 SYSV_SHM_SUBSYS_UNLOCK(); 474 return shmat_ret; 475} 476 477static int 478oshmctl(__unused void *p, __unused void *uap, __unused void *retval) 479{ 480 return EINVAL; 481} 482 483/* 484 * Returns: 0 Success 485 * EINVAL 486 * copyout:EFAULT 487 * copyin:EFAULT 488 * ipcperm:EPERM 489 * ipcperm:EACCES 490 */ 491int 492shmctl(__unused struct proc *p, struct shmctl_args *uap, register_t *retval) 493{ 494 int error; 495 kauth_cred_t cred = kauth_cred_get(); 496 struct user_shmid_ds inbuf; 497 struct shmid_kernel *shmseg; 498 size_t shmid_ds_sz = sizeof(struct user_shmid_ds); 499 500 int shmctl_ret = 0; 501 502 AUDIT_ARG(svipc_cmd, uap->cmd); 503 AUDIT_ARG(svipc_id, uap->shmid); 504 505 SYSV_SHM_SUBSYS_LOCK(); 506 507 if (!shm_inited) { 508 shminit(NULL); 509 } 510 511 if (!IS_64BIT_PROCESS(p)) 512 shmid_ds_sz = sizeof(struct shmid_ds); 513 514 shmseg = shm_find_segment_by_shmid(uap->shmid); 515 if (shmseg == NULL) { 516 shmctl_ret = EINVAL; 517 goto shmctl_out; 518 } 519 520 /* XXAUDIT: This is the perms BEFORE any change by this call. This 521 * may not be what is desired. 522 */ 523 AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm); 524 525#if CONFIG_MACF 526 error = mac_sysvshm_check_shmctl(cred, shmseg, uap->cmd); 527 if (error) { 528 shmctl_ret = error; 529 goto shmctl_out; 530 } 531#endif 532 switch (uap->cmd) { 533 case IPC_STAT: 534 error = ipcperm(cred, &shmseg->u.shm_perm, IPC_R); 535 if (error) { 536 shmctl_ret = error; 537 goto shmctl_out; 538 } 539 540 if (IS_64BIT_PROCESS(p)) { 541 error = copyout((caddr_t)&shmseg->u, uap->buf, sizeof(struct user_shmid_ds)); 542 } else { 543 struct shmid_ds shmid_ds32; 544 shmid_ds_64to32(&shmseg->u, &shmid_ds32); 545 error = copyout(&shmid_ds32, uap->buf, sizeof(struct shmid_ds)); 546 } 547 if (error) { 548 shmctl_ret = error; 549 goto shmctl_out; 550 } 551 break; 552 case IPC_SET: 553 error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M); 554 if (error) { 555 shmctl_ret = error; 556 goto shmctl_out; 557 } 558 if (IS_64BIT_PROCESS(p)) { 559 error = copyin(uap->buf, &inbuf, sizeof(struct user_shmid_ds)); 560 } else { 561 error = copyin(uap->buf, &inbuf, sizeof(struct shmid_ds)); 562 /* convert in place; ugly, but safe */ 563 shmid_ds_32to64((struct shmid_ds *)&inbuf, &inbuf); 564 } 565 if (error) { 566 shmctl_ret = error; 567 goto shmctl_out; 568 } 569 shmseg->u.shm_perm.uid = inbuf.shm_perm.uid; 570 shmseg->u.shm_perm.gid = inbuf.shm_perm.gid; 571 shmseg->u.shm_perm.mode = 572 (shmseg->u.shm_perm.mode & ~ACCESSPERMS) | 573 (inbuf.shm_perm.mode & ACCESSPERMS); 574 shmseg->u.shm_ctime = sysv_shmtime(); 575 break; 576 case IPC_RMID: 577 error = ipcperm(cred, &shmseg->u.shm_perm, IPC_M); 578 if (error) { 579 shmctl_ret = error; 580 goto shmctl_out; 581 } 582 shmseg->u.shm_perm._key = IPC_PRIVATE; 583 shmseg->u.shm_perm.mode |= SHMSEG_REMOVED; 584 if (shmseg->u.shm_nattch <= 0) { 585 shm_deallocate_segment(shmseg); 586 shm_last_free = IPCID_TO_IX(uap->shmid); 587 } 588 break; 589#if 0 590 case SHM_LOCK: 591 case SHM_UNLOCK: 592#endif 593 default: 594 shmctl_ret = EINVAL; 595 goto shmctl_out; 596 } 597 *retval = 0; 598 shmctl_ret = 0; 599shmctl_out: 600 SYSV_SHM_SUBSYS_UNLOCK(); 601 return shmctl_ret; 602} 603 604static int 605shmget_existing(struct shmget_args *uap, int mode, int segnum, int *retval) 606{ 607 struct shmid_kernel *shmseg; 608 int error = 0; 609 610 shmseg = &shmsegs[segnum]; 611 if (shmseg->u.shm_perm.mode & SHMSEG_REMOVED) { 612 /* 613 * This segment is in the process of being allocated. Wait 614 * until it's done, and look the key up again (in case the 615 * allocation failed or it was freed). 616 */ 617 shmseg->u.shm_perm.mode |= SHMSEG_WANTED; 618 error = tsleep((caddr_t)shmseg, PLOCK | PCATCH, "shmget", 0); 619 if (error) 620 return error; 621 return EAGAIN; 622 } 623 624 /* 625 * The low 9 bits of shmflag are the mode bits being requested, which 626 * are the actual mode bits desired on the segment, and not in IPC_R 627 * form; therefore it would be incorrect to call ipcperm() to validate 628 * them; instead, we AND the existing mode with the requested mode, and 629 * verify that it matches the requested mode; otherwise, we fail with 630 * EACCES (access denied). 631 */ 632 if ((shmseg->u.shm_perm.mode & mode) != mode) 633 return EACCES; 634 635#if CONFIG_MACF 636 error = mac_sysvshm_check_shmget(kauth_cred_get(), shmseg, uap->shmflg); 637 if (error) 638 return (error); 639#endif 640 641 if (uap->size && uap->size > shmseg->u.shm_segsz) 642 return EINVAL; 643 644 if ((uap->shmflg & (IPC_CREAT | IPC_EXCL)) == (IPC_CREAT | IPC_EXCL)) 645 return EEXIST; 646 647 *retval = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm); 648 return 0; 649} 650 651static int 652shmget_allocate_segment(struct proc *p, struct shmget_args *uap, int mode, 653 int *retval) 654{ 655 int i, segnum, shmid; 656 kauth_cred_t cred = kauth_cred_get(); 657 struct shmid_kernel *shmseg; 658 struct shm_handle *shm_handle; 659 kern_return_t kret; 660 mach_vm_offset_t user_addr; 661 mach_vm_size_t size; 662 void * mem_object; 663 664 if (uap->size < (user_size_t)shminfo.shmmin || 665 uap->size > (user_size_t)shminfo.shmmax) 666 return EINVAL; 667 if (shm_nused >= shminfo.shmmni) /* any shmids left? */ 668 return ENOSPC; 669 size = mach_vm_round_page(uap->size); 670 if ((user_ssize_t)(shm_committed + btoc(size)) > shminfo.shmall) 671 return ENOMEM; 672 if (shm_last_free < 0) { 673 for (i = 0; i < shminfo.shmmni; i++) 674 if (shmsegs[i].u.shm_perm.mode & SHMSEG_FREE) 675 break; 676 if (i == shminfo.shmmni) 677 panic("shmseg free count inconsistent"); 678 segnum = i; 679 } else { 680 segnum = shm_last_free; 681 shm_last_free = -1; 682 } 683 shmseg = &shmsegs[segnum]; 684 /* 685 * In case we sleep in malloc(), mark the segment present but deleted 686 * so that noone else tries to create the same key. 687 */ 688 kret = mach_vm_allocate(current_map(), &user_addr, size, VM_FLAGS_ANYWHERE); 689 if (kret != KERN_SUCCESS) 690 goto out; 691 692 kret = mach_make_memory_entry_64(current_map(), 693 (memory_object_size_t *)&size, 694 (memory_object_offset_t)user_addr, 695 VM_PROT_DEFAULT, 696 (ipc_port_t *)&mem_object, 0); 697 698 if (kret != KERN_SUCCESS) 699 goto out; 700 701 mach_vm_deallocate(current_map(), user_addr, size); 702 703 shmseg->u.shm_perm.mode = SHMSEG_ALLOCATED | SHMSEG_REMOVED; 704 shmseg->u.shm_perm._key = uap->key; 705 shmseg->u.shm_perm._seq = (shmseg->u.shm_perm._seq + 1) & 0x7fff; 706 MALLOC(shm_handle, struct shm_handle *, sizeof(struct shm_handle), M_SHM, M_WAITOK); 707 if (shm_handle == NULL) { 708 kret = KERN_NO_SPACE; 709 mach_memory_entry_port_release(mem_object); 710 mem_object = NULL; 711 goto out; 712 } 713 shm_handle->shm_object = mem_object; 714 shmid = IXSEQ_TO_IPCID(segnum, shmseg->u.shm_perm); 715 716 shmseg->u.shm_internal = CAST_USER_ADDR_T(shm_handle); /* tunnel */ 717 shmseg->u.shm_perm.cuid = shmseg->u.shm_perm.uid = kauth_cred_getuid(cred); 718 shmseg->u.shm_perm.cgid = shmseg->u.shm_perm.gid = cred->cr_gid; 719 shmseg->u.shm_perm.mode = (shmseg->u.shm_perm.mode & SHMSEG_WANTED) | 720 (mode & ACCESSPERMS) | SHMSEG_ALLOCATED; 721 shmseg->u.shm_segsz = uap->size; 722 shmseg->u.shm_cpid = p->p_pid; 723 shmseg->u.shm_lpid = shmseg->u.shm_nattch = 0; 724 shmseg->u.shm_atime = shmseg->u.shm_dtime = 0; 725#if CONFIG_MACF 726 mac_sysvshm_label_associate(cred, shmseg); 727#endif 728 shmseg->u.shm_ctime = sysv_shmtime(); 729 shm_committed += btoc(size); 730 shm_nused++; 731 AUDIT_ARG(svipc_perm, &shmseg->u.shm_perm); 732 if (shmseg->u.shm_perm.mode & SHMSEG_WANTED) { 733 /* 734 * Somebody else wanted this key while we were asleep. Wake 735 * them up now. 736 */ 737 shmseg->u.shm_perm.mode &= ~SHMSEG_WANTED; 738 wakeup((caddr_t)shmseg); 739 } 740 *retval = shmid; 741 AUDIT_ARG(svipc_id, shmid); 742 return 0; 743out: 744 switch (kret) { 745 case KERN_INVALID_ADDRESS: 746 case KERN_NO_SPACE: 747 return (ENOMEM); 748 case KERN_PROTECTION_FAILURE: 749 return (EACCES); 750 default: 751 return (EINVAL); 752 } 753 754} 755 756int 757shmget(struct proc *p, struct shmget_args *uap, register_t *retval) 758{ 759 int segnum, mode, error; 760 int shmget_ret = 0; 761 762 /* Auditing is actually done in shmget_allocate_segment() */ 763 764 SYSV_SHM_SUBSYS_LOCK(); 765 766 if (!shm_inited) { 767 shminit(NULL); 768 } 769 770 mode = uap->shmflg & ACCESSPERMS; 771 if (uap->key != IPC_PRIVATE) { 772 again: 773 segnum = shm_find_segment_by_key(uap->key); 774 if (segnum >= 0) { 775 error = shmget_existing(uap, mode, segnum, retval); 776 if (error == EAGAIN) 777 goto again; 778 shmget_ret = error; 779 goto shmget_out; 780 } 781 if ((uap->shmflg & IPC_CREAT) == 0) { 782 shmget_ret = ENOENT; 783 goto shmget_out; 784 } 785 } 786 shmget_ret = shmget_allocate_segment(p, uap, mode, retval); 787shmget_out: 788 SYSV_SHM_SUBSYS_UNLOCK(); 789 return shmget_ret; 790 /*NOTREACHED*/ 791 792} 793 794/* XXX actually varargs. */ 795int 796shmsys(struct proc *p, struct shmsys_args *uap, register_t *retval) 797{ 798 799 /* The routine that we are dispatching already does this */ 800 801 if (uap->which >= sizeof(shmcalls)/sizeof(shmcalls[0])) 802 return EINVAL; 803 return ((*shmcalls[uap->which])(p, &uap->a2, retval)); 804} 805 806/* 807 * Return 0 on success, 1 on failure. 808 */ 809int 810shmfork(struct proc *p1, struct proc *p2) 811{ 812 struct shmmap_state *shmmap_s; 813 size_t size; 814 int i; 815 int shmfork_ret = 0; 816 817 SYSV_SHM_SUBSYS_LOCK(); 818 819 if (!shm_inited) { 820 shminit(NULL); 821 } 822 823 size = shminfo.shmseg * sizeof(struct shmmap_state); 824 MALLOC(shmmap_s, struct shmmap_state *, size, M_SHM, M_WAITOK); 825 if (shmmap_s != NULL) { 826 bcopy((caddr_t)p1->vm_shm, (caddr_t)shmmap_s, size); 827 p2->vm_shm = (caddr_t)shmmap_s; 828 for (i = 0; i < shminfo.shmseg; i++, shmmap_s++) 829 if (shmmap_s->shmid != -1) 830 shmsegs[IPCID_TO_IX(shmmap_s->shmid)].u.shm_nattch++; 831 shmfork_ret = 0; 832 goto shmfork_out; 833 } 834 835 shmfork_ret = 1; /* failed to copy to child - ENOMEM */ 836shmfork_out: 837 SYSV_SHM_SUBSYS_UNLOCK(); 838 return shmfork_ret; 839} 840 841void 842shmexit(struct proc *p) 843{ 844 struct shmmap_state *shmmap_s; 845 int i; 846 847 shmmap_s = (struct shmmap_state *)p->vm_shm; 848 849 SYSV_SHM_SUBSYS_LOCK(); 850 for (i = 0; i < shminfo.shmseg; i++, shmmap_s++) 851 if (shmmap_s->shmid != -1) 852 /* 853 * XXX: Should the MAC framework enforce 854 * check here as well. 855 */ 856 shm_delete_mapping(p, shmmap_s, 1); 857 FREE((caddr_t)p->vm_shm, M_SHM); 858 p->vm_shm = NULL; 859 SYSV_SHM_SUBSYS_UNLOCK(); 860} 861 862/* 863 * shmexec() is like shmexit(), only it doesn't delete the mappings, 864 * since the old address space has already been destroyed and the new 865 * one instantiated. Instead, it just does the housekeeping work we 866 * need to do to keep the System V shared memory subsystem sane. 867 */ 868__private_extern__ void 869shmexec(struct proc *p) 870{ 871 struct shmmap_state *shmmap_s; 872 int i; 873 874 shmmap_s = (struct shmmap_state *)p->vm_shm; 875 SYSV_SHM_SUBSYS_LOCK(); 876 for (i = 0; i < shminfo.shmseg; i++, shmmap_s++) 877 if (shmmap_s->shmid != -1) 878 shm_delete_mapping(p, shmmap_s, 0); 879 FREE((caddr_t)p->vm_shm, M_SHM); 880 p->vm_shm = NULL; 881 SYSV_SHM_SUBSYS_UNLOCK(); 882} 883 884void 885shminit(__unused void *dummy) 886{ 887 int i; 888 int s; 889 890 if (!shm_inited) { 891 /* 892 * we store internally 64 bit, since if we didn't, we would 893 * be unable to represent a segment size in excess of 32 bits 894 * with the (struct shmid_ds)->shm_segsz field; also, POSIX 895 * dictates this filed be a size_t, which is 64 bits when 896 * running 64 bit binaries. 897 */ 898 s = sizeof(struct shmid_kernel) * shminfo.shmmni; 899 900 MALLOC(shmsegs, struct shmid_kernel *, s, M_SHM, M_WAITOK); 901 if (shmsegs == NULL) { 902 /* XXX fail safely: leave shared memory uninited */ 903 return; 904 } 905 for (i = 0; i < shminfo.shmmni; i++) { 906 shmsegs[i].u.shm_perm.mode = SHMSEG_FREE; 907 shmsegs[i].u.shm_perm._seq = 0; 908#if CONFIG_MACF 909 mac_sysvshm_label_init(&shmsegs[i]); 910#endif 911 } 912 shm_last_free = 0; 913 shm_nused = 0; 914 shm_committed = 0; 915 shm_inited = 1; 916 } 917} 918/* Initialize the mutex governing access to the SysV shm subsystem */ 919__private_extern__ void 920sysv_shm_lock_init( void ) 921{ 922 923 sysv_shm_subsys_lck_grp_attr = lck_grp_attr_alloc_init(); 924 925 sysv_shm_subsys_lck_grp = lck_grp_alloc_init("sysv_shm_subsys_lock", sysv_shm_subsys_lck_grp_attr); 926 927 sysv_shm_subsys_lck_attr = lck_attr_alloc_init(); 928 lck_mtx_init(&sysv_shm_subsys_mutex, sysv_shm_subsys_lck_grp, sysv_shm_subsys_lck_attr); 929} 930 931/* (struct sysctl_oid *oidp, void *arg1, int arg2, \ 932 struct sysctl_req *req) */ 933static int 934sysctl_shminfo(__unused struct sysctl_oid *oidp, void *arg1, 935 __unused int arg2, struct sysctl_req *req) 936{ 937 int error = 0; 938 int sysctl_shminfo_ret = 0; 939 uint64_t saved_shmmax; 940 941 error = SYSCTL_OUT(req, arg1, sizeof(int64_t)); 942 if (error || req->newptr == USER_ADDR_NULL) 943 return(error); 944 945 SYSV_SHM_SUBSYS_LOCK(); 946 947 /* shmmni can not be changed after SysV SHM has been initialized */ 948 if (shm_inited && arg1 == &shminfo.shmmni) { 949 sysctl_shminfo_ret = EPERM; 950 goto sysctl_shminfo_out; 951 } 952 saved_shmmax = shminfo.shmmax; 953 954 if ((error = SYSCTL_IN(req, arg1, sizeof(int64_t))) != 0) { 955 sysctl_shminfo_ret = error; 956 goto sysctl_shminfo_out; 957 } 958 959 if (arg1 == &shminfo.shmmax) { 960 /* shmmax needs to be page-aligned */ 961 if (shminfo.shmmax & PAGE_MASK_64) { 962 shminfo.shmmax = saved_shmmax; 963 sysctl_shminfo_ret = EINVAL; 964 goto sysctl_shminfo_out; 965 } 966 } 967 sysctl_shminfo_ret = 0; 968sysctl_shminfo_out: 969 SYSV_SHM_SUBSYS_UNLOCK(); 970 return sysctl_shminfo_ret; 971} 972 973static int 974IPCS_shm_sysctl(__unused struct sysctl_oid *oidp, __unused void *arg1, 975 __unused int arg2, struct sysctl_req *req) 976{ 977 int error; 978 int cursor; 979 union { 980 struct IPCS_command u32; 981 struct user_IPCS_command u64; 982 } ipcs; 983 struct shmid_ds shmid_ds32; /* post conversion, 32 bit version */ 984 void *shmid_dsp; 985 size_t ipcs_sz = sizeof(struct user_IPCS_command); 986 size_t shmid_ds_sz = sizeof(struct user_shmid_ds); 987 struct proc *p = current_proc(); 988 989 SYSV_SHM_SUBSYS_LOCK(); 990 991 if (!shm_inited) { 992 shminit(NULL); 993 } 994 995 if (!IS_64BIT_PROCESS(p)) { 996 ipcs_sz = sizeof(struct IPCS_command); 997 shmid_ds_sz = sizeof(struct shmid_ds); 998 } 999 1000 /* Copy in the command structure */ 1001 if ((error = SYSCTL_IN(req, &ipcs, ipcs_sz)) != 0) { 1002 goto ipcs_shm_sysctl_out; 1003 } 1004 1005 if (!IS_64BIT_PROCESS(p)) /* convert in place */ 1006 ipcs.u64.ipcs_data = CAST_USER_ADDR_T(ipcs.u32.ipcs_data); 1007 1008 /* Let us version this interface... */ 1009 if (ipcs.u64.ipcs_magic != IPCS_MAGIC) { 1010 error = EINVAL; 1011 goto ipcs_shm_sysctl_out; 1012 } 1013 1014 switch(ipcs.u64.ipcs_op) { 1015 case IPCS_SHM_CONF: /* Obtain global configuration data */ 1016 if (ipcs.u64.ipcs_datalen != sizeof(struct shminfo)) { 1017 if (ipcs.u64.ipcs_cursor != 0) { /* fwd. compat. */ 1018 error = ENOMEM; 1019 break; 1020 } 1021 error = ERANGE; 1022 break; 1023 } 1024 error = copyout(&shminfo, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen); 1025 break; 1026 1027 case IPCS_SHM_ITER: /* Iterate over existing segments */ 1028 cursor = ipcs.u64.ipcs_cursor; 1029 if (cursor < 0 || cursor >= shminfo.shmmni) { 1030 error = ERANGE; 1031 break; 1032 } 1033 if (ipcs.u64.ipcs_datalen != (int)shmid_ds_sz) { 1034 error = EINVAL; 1035 break; 1036 } 1037 for( ; cursor < shminfo.shmmni; cursor++) { 1038 if (shmsegs[cursor].u.shm_perm.mode & SHMSEG_ALLOCATED) 1039 break; 1040 continue; 1041 } 1042 if (cursor == shminfo.shmmni) { 1043 error = ENOENT; 1044 break; 1045 } 1046 1047 shmid_dsp = &shmsegs[cursor]; /* default: 64 bit */ 1048 1049 /* 1050 * If necessary, convert the 64 bit kernel segment 1051 * descriptor to a 32 bit user one. 1052 */ 1053 if (!IS_64BIT_PROCESS(p)) { 1054 shmid_ds_64to32(shmid_dsp, &shmid_ds32); 1055 shmid_dsp = &shmid_ds32; 1056 } 1057 error = copyout(shmid_dsp, ipcs.u64.ipcs_data, ipcs.u64.ipcs_datalen); 1058 if (!error) { 1059 /* update cursor */ 1060 ipcs.u64.ipcs_cursor = cursor + 1; 1061 1062 if (!IS_64BIT_PROCESS(p)) /* convert in place */ 1063 ipcs.u32.ipcs_data = CAST_DOWN(void *,ipcs.u64.ipcs_data); 1064 error = SYSCTL_OUT(req, &ipcs, ipcs_sz); 1065 } 1066 break; 1067 1068 default: 1069 error = EINVAL; 1070 break; 1071 } 1072ipcs_shm_sysctl_out: 1073 SYSV_SHM_SUBSYS_UNLOCK(); 1074 return(error); 1075} 1076 1077SYSCTL_NODE(_kern, KERN_SYSV, sysv, CTLFLAG_RW|CTLFLAG_LOCKED, 0, "SYSV"); 1078 1079SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmax, CTLTYPE_QUAD | CTLFLAG_RW, 1080 &shminfo.shmmax, 0, &sysctl_shminfo ,"Q","shmmax"); 1081 1082SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmin, CTLTYPE_QUAD | CTLFLAG_RW, 1083 &shminfo.shmmin, 0, &sysctl_shminfo ,"Q","shmmin"); 1084 1085SYSCTL_PROC(_kern_sysv, OID_AUTO, shmmni, CTLTYPE_QUAD | CTLFLAG_RW, 1086 &shminfo.shmmni, 0, &sysctl_shminfo ,"Q","shmmni"); 1087 1088SYSCTL_PROC(_kern_sysv, OID_AUTO, shmseg, CTLTYPE_QUAD | CTLFLAG_RW, 1089 &shminfo.shmseg, 0, &sysctl_shminfo ,"Q","shmseg"); 1090 1091SYSCTL_PROC(_kern_sysv, OID_AUTO, shmall, CTLTYPE_QUAD | CTLFLAG_RW, 1092 &shminfo.shmall, 0, &sysctl_shminfo ,"Q","shmall"); 1093 1094SYSCTL_NODE(_kern_sysv, OID_AUTO, ipcs, CTLFLAG_RW|CTLFLAG_LOCKED, 0, "SYSVIPCS"); 1095 1096SYSCTL_PROC(_kern_sysv_ipcs, OID_AUTO, shm, CTLFLAG_RW|CTLFLAG_ANYBODY, 1097 0, 0, IPCS_shm_sysctl, 1098 "S,IPCS_shm_command", 1099 "ipcs shm command interface"); 1100#endif /* SYSV_SHM */ 1101 1102/* DSEP Review Done pl-20051108-v02 @2743,@2908,@2913,@3009 */ 1103