1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef MOJO_CORE_CHANNEL_H_
6 #define MOJO_CORE_CHANNEL_H_
7 
8 #include <vector>
9 
10 #include "base/macros.h"
11 #include "base/memory/ref_counted.h"
12 #include "base/process/process_handle.h"
13 #include "base/task_runner.h"
14 #include "build/build_config.h"
15 #include "mojo/core/connection_params.h"
16 #include "mojo/core/platform_handle_in_transit.h"
17 #include "mojo/core/scoped_process_handle.h"
18 #include "mojo/public/cpp/platform/platform_handle.h"
19 
20 namespace mojo {
21 namespace core {
22 
23 const size_t kChannelMessageAlignment = 8;
24 
IsAlignedForChannelMessage(size_t n)25 constexpr bool IsAlignedForChannelMessage(size_t n) {
26   return n % kChannelMessageAlignment == 0;
27 }
28 
29 // Channel provides a thread-safe interface to read and write arbitrary
30 // delimited messages over an underlying I/O channel, optionally transferring
31 // one or more platform handles in the process.
32 class MOJO_SYSTEM_IMPL_EXPORT Channel
33     : public base::RefCountedThreadSafe<Channel> {
34  public:
35   struct Message;
36 
37   using MessagePtr = std::unique_ptr<Message>;
38 
39   // A message to be written to a channel.
40   struct MOJO_SYSTEM_IMPL_EXPORT Message {
41     enum class MessageType : uint16_t {
42       // An old format normal message, that uses the LegacyHeader.
43       // Only used on Android and ChromeOS.
44       // TODO(https://crbug.com/695645): remove legacy support when Arc++ has
45       // updated to Mojo with normal versioned messages.
46       NORMAL_LEGACY = 0,
47 #if defined(OS_MACOSX)
48       // A control message containing handles to echo back.
49       HANDLES_SENT,
50       // A control message containing handles that can now be closed.
51       HANDLES_SENT_ACK,
52 #endif
53       // A normal message that uses Header and can contain extra header values.
54       NORMAL,
55     };
56 
57 #pragma pack(push, 1)
58     // Old message wire format for ChromeOS and Android, used by NORMAL_LEGACY
59     // messages.
60     struct LegacyHeader {
61       // Message size in bytes, including the header.
62       uint32_t num_bytes;
63 
64       // Number of attached handles.
65       uint16_t num_handles;
66 
67       MessageType message_type;
68     };
69 
70     // Header used by NORMAL messages.
71     // To preserve backward compatibility with LegacyHeader, the num_bytes and
72     // message_type field must be at the same offset as in LegacyHeader.
73     struct Header {
74       // Message size in bytes, including the header.
75       uint32_t num_bytes;
76 
77       // Total size of header, including extra header data (i.e. HANDLEs on
78       // windows).
79       uint16_t num_header_bytes;
80 
81       MessageType message_type;
82 
83       // Number of attached handles. May be less than the reserved handle
84       // storage size in this message on platforms that serialise handles as
85       // data (i.e. HANDLEs on Windows, Mach ports on OSX).
86       uint16_t num_handles;
87 
88       char padding[6];
89     };
90 
91 #if defined(OS_MACOSX) && !defined(OS_IOS)
92     struct MachPortsEntry {
93       // Index of Mach port in the original vector of PlatformHandleInTransits.
94       uint16_t index;
95 
96       // Mach port name.
97       uint32_t mach_port;
98       static_assert(sizeof(mach_port_t) <= sizeof(uint32_t),
99                     "mach_port_t must be no larger than uint32_t");
100     };
101     static_assert(sizeof(MachPortsEntry) == 6,
102                   "sizeof(MachPortsEntry) must be 6 bytes");
103 
104     // Structure of the extra header field when present on OSX.
105     struct MachPortsExtraHeader {
106       // Actual number of Mach ports encoded in the extra header.
107       uint16_t num_ports;
108 
109       // Array of encoded Mach ports. If |num_ports| > 0, |entries[0]| through
110       // to |entries[num_ports-1]| inclusive are valid.
111       MachPortsEntry entries[0];
112     };
113     static_assert(sizeof(MachPortsExtraHeader) == 2,
114                   "sizeof(MachPortsExtraHeader) must be 2 bytes");
115 #elif defined(OS_FUCHSIA)
116     struct HandleInfoEntry {
117       // The FDIO type associated with one or more handles, or zero for handles
118       // that do not belong to FDIO.
119       uint8_t type;
120       // Zero for non-FDIO handles, otherwise the number of handles to consume
121       // to generate an FDIO file-descriptor wrapper.
122       uint8_t count;
123     };
124 #elif defined(OS_WIN)
125     struct HandleEntry {
126       // The windows HANDLE. HANDLEs are guaranteed to fit inside 32-bits.
127       // See: https://msdn.microsoft.com/en-us/library/aa384203(VS.85).aspx
128       uint32_t handle;
129     };
130     static_assert(sizeof(HandleEntry) == 4,
131                   "sizeof(HandleEntry) must be 4 bytes");
132 #endif
133 #pragma pack(pop)
134 
135     // Allocates and owns a buffer for message data with enough capacity for
136     // |payload_size| bytes plus a header, plus |max_handles| platform handles.
137     Message(size_t payload_size, size_t max_handles);
138     Message(size_t payload_size, size_t max_handles, MessageType message_type);
139     Message(size_t capacity, size_t payload_size, size_t max_handles);
140     Message(size_t capacity,
141             size_t max_handles,
142             size_t payload_size,
143             MessageType message_type);
144     ~Message();
145 
146     // Constructs a Message from serialized message data, optionally coming from
147     // a known remote process.
148     static MessagePtr Deserialize(
149         const void* data,
150         size_t data_num_bytes,
151         base::ProcessHandle from_process = base::kNullProcessHandle);
152 
dataMessage153     const void* data() const { return data_; }
data_num_bytesMessage154     size_t data_num_bytes() const { return size_; }
155 
156     // The current capacity of the message buffer, not counting internal header
157     // data.
158     size_t capacity() const;
159 
160     // Extends the portion of the total message capacity which contains
161     // meaningful payload data. Storage capacity which falls outside of this
162     // range is not transmitted when the message is sent.
163     //
164     // If the message's current capacity is not large enough to accommodate the
165     // new payload size, it will be reallocated accordingly.
166     void ExtendPayload(size_t new_payload_size);
167 
168     const void* extra_header() const;
169     void* mutable_extra_header();
170     size_t extra_header_size() const;
171 
172     void* mutable_payload();
173     const void* payload() const;
174     size_t payload_size() const;
175 
176     size_t num_handles() const;
177     bool has_handles() const;
178 #if defined(OS_MACOSX) && !defined(OS_IOS)
179     bool has_mach_ports() const;
180 #endif
181 
182     bool is_legacy_message() const;
183     LegacyHeader* legacy_header() const;
184     Header* header() const;
185 
186     // Note: SetHandles() and TakeHandles() invalidate any previous value of
187     // handles().
188     void SetHandles(std::vector<PlatformHandle> new_handles);
189     void SetHandles(std::vector<PlatformHandleInTransit> new_handles);
190     std::vector<PlatformHandleInTransit> TakeHandles();
191     // Version of TakeHandles that returns a vector of platform handles suitable
192     // for transfer over an underlying OS mechanism. i.e. file descriptors over
193     // a unix domain socket. Any handle that cannot be transferred this way,
194     // such as Mach ports, will be removed.
195     std::vector<PlatformHandleInTransit> TakeHandlesForTransport();
196 
197     void SetVersionForTest(uint16_t version_number);
198 
199    private:
200     // The message data buffer.
201     char* data_ = nullptr;
202 
203     // The capacity of the buffer at |data_|.
204     size_t capacity_ = 0;
205 
206     // The size of the message. This is the portion of |data_| that should
207     // be transmitted if the message is written to a channel. Includes all
208     // headers and user payload.
209     size_t size_ = 0;
210 
211     // Maximum number of handles which may be attached to this message.
212     size_t max_handles_ = 0;
213 
214     std::vector<PlatformHandleInTransit> handle_vector_;
215 
216 #if defined(OS_WIN)
217     // On Windows, handles are serialised into the extra header section.
218     HandleEntry* handles_ = nullptr;
219 #elif defined(OS_MACOSX) && !defined(OS_IOS)
220     // On OSX, handles are serialised into the extra header section.
221     MachPortsExtraHeader* mach_ports_header_ = nullptr;
222 #endif
223 
224     DISALLOW_COPY_AND_ASSIGN(Message);
225   };
226 
227   // Error types which may be reported by a Channel instance to its delegate.
228   enum class Error {
229     // The remote end of the channel has been closed, either explicitly or
230     // because the process which hosted it is gone.
231     kDisconnected,
232 
233     // For connection-oriented channels (e.g. named pipes), an unexpected error
234     // occurred during channel connection.
235     kConnectionFailed,
236 
237     // Some incoming data failed validation, implying either a buggy or
238     // compromised sender.
239     kReceivedMalformedData,
240   };
241 
242   // Delegate methods are called from the I/O task runner with which the Channel
243   // was created (see Channel::Create).
244   class Delegate {
245    public:
~Delegate()246     virtual ~Delegate() {}
247 
248     // Notify of a received message. |payload| is not owned and must not be
249     // retained; it will be null if |payload_size| is 0. |handles| are
250     // transferred to the callee.
251     virtual void OnChannelMessage(const void* payload,
252                                   size_t payload_size,
253                                   std::vector<PlatformHandle> handles) = 0;
254 
255     // Notify that an error has occured and the Channel will cease operation.
256     virtual void OnChannelError(Error error) = 0;
257   };
258 
259   // Creates a new Channel around a |platform_handle|, taking ownership of the
260   // handle. All I/O on the handle will be performed on |io_task_runner|.
261   // Note that ShutDown() MUST be called on the Channel some time before
262   // |delegate| is destroyed.
263   static scoped_refptr<Channel> Create(
264       Delegate* delegate,
265       ConnectionParams connection_params,
266       scoped_refptr<base::TaskRunner> io_task_runner);
267 
268   // Request that the channel be shut down. This should always be called before
269   // releasing the last reference to a Channel to ensure that it's cleaned up
270   // on its I/O task runner's thread.
271   //
272   // Delegate methods will no longer be invoked after this call.
273   void ShutDown();
274 
275   // Sets the process handle of the remote endpoint to which this Channel is
276   // connected. If called at all, must be called only once, and before Start().
set_remote_process(ScopedProcessHandle remote_process)277   void set_remote_process(ScopedProcessHandle remote_process) {
278     DCHECK(!remote_process_.is_valid());
279     remote_process_ = std::move(remote_process);
280   }
remote_process()281   const ScopedProcessHandle& remote_process() const { return remote_process_; }
282 
283   // Begin processing I/O events. Delegate methods must only be invoked after
284   // this call.
285   virtual void Start() = 0;
286 
287   // Stop processing I/O events.
288   virtual void ShutDownImpl() = 0;
289 
290   // Queues an outgoing message on the Channel. This message will either
291   // eventually be written or will fail to write and trigger
292   // Delegate::OnChannelError.
293   virtual void Write(MessagePtr message) = 0;
294 
295   // Causes the platform handle to leak when this channel is shut down instead
296   // of closing it.
297   virtual void LeakHandle() = 0;
298 
299  protected:
300   explicit Channel(Delegate* delegate);
301   virtual ~Channel();
302 
delegate()303   Delegate* delegate() const { return delegate_; }
304 
305   // Called by the implementation when it wants somewhere to stick data.
306   // |*buffer_capacity| may be set by the caller to indicate the desired buffer
307   // size. If 0, a sane default size will be used instead.
308   //
309   // Returns the address of a buffer which can be written to, and indicates its
310   // actual capacity in |*buffer_capacity|.
311   char* GetReadBuffer(size_t* buffer_capacity);
312 
313   // Called by the implementation when new data is available in the read
314   // buffer. Returns false to indicate an error. Upon success,
315   // |*next_read_size_hint| will be set to a recommended size for the next
316   // read done by the implementation.
317   bool OnReadComplete(size_t bytes_read, size_t* next_read_size_hint);
318 
319   // Called by the implementation when something goes horribly wrong. It is NOT
320   // OK to call this synchronously from any public interface methods.
321   void OnError(Error error);
322 
323   // Retrieves the set of platform handles read for a given message.
324   // |extra_header| and |extra_header_size| correspond to the extra header data.
325   // Depending on the Channel implementation, this body may encode platform
326   // handles, or handles may be stored and managed elsewhere by the
327   // implementation.
328   //
329   // Returns |false| on unrecoverable error (i.e. the Channel should be closed).
330   // Returns |true| otherwise. Note that it is possible on some platforms for an
331   // insufficient number of handles to be available when this call is made, but
332   // this is not necessarily an error condition. In such cases this returns
333   // |true| but |*handles| will also be reset to null.
334   //
335   // If the implementation sets |*deferred| to |true|, it assumes responsibility
336   // for dispatching the message eventually. It must copy |payload| to retain
337   // it for later transmission.
338   virtual bool GetReadPlatformHandles(const void* payload,
339                                       size_t payload_size,
340                                       size_t num_handles,
341                                       const void* extra_header,
342                                       size_t extra_header_size,
343                                       std::vector<PlatformHandle>* handles,
344                                       bool* deferred) = 0;
345 
346   // Handles a received control message. Returns |true| if the message is
347   // accepted, or |false| otherwise.
348   virtual bool OnControlMessage(Message::MessageType message_type,
349                                 const void* payload,
350                                 size_t payload_size,
351                                 std::vector<PlatformHandle> handles);
352 
353  private:
354   friend class base::RefCountedThreadSafe<Channel>;
355 
356   class ReadBuffer;
357 
358   Delegate* delegate_;
359   const std::unique_ptr<ReadBuffer> read_buffer_;
360 
361   // Handle to the process on the other end of this Channel, iff known.
362   ScopedProcessHandle remote_process_;
363 
364   DISALLOW_COPY_AND_ASSIGN(Channel);
365 };
366 
367 }  // namespace core
368 }  // namespace mojo
369 
370 #endif  // MOJO_CORE_CHANNEL_H_
371