1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "base/mac/mach_port_util.h"
6 
7 #include "base/logging.h"
8 
9 namespace base {
10 
11 namespace {
12 
13 // Struct for sending a complex Mach message.
14 struct MachSendComplexMessage {
15   mach_msg_header_t header;
16   mach_msg_body_t body;
17   mach_msg_port_descriptor_t data;
18 };
19 
20 // Struct for receiving a complex message.
21 struct MachReceiveComplexMessage {
22   mach_msg_header_t header;
23   mach_msg_body_t body;
24   mach_msg_port_descriptor_t data;
25   mach_msg_trailer_t trailer;
26 };
27 
28 }  // namespace
29 
SendMachPort(mach_port_t endpoint,mach_port_t port_to_send,int disposition)30 kern_return_t SendMachPort(mach_port_t endpoint,
31                            mach_port_t port_to_send,
32                            int disposition) {
33   MachSendComplexMessage send_msg;
34   send_msg.header.msgh_bits =
35       MACH_MSGH_BITS(MACH_MSG_TYPE_MOVE_SEND_ONCE, 0) | MACH_MSGH_BITS_COMPLEX;
36   send_msg.header.msgh_size = sizeof(send_msg);
37   send_msg.header.msgh_remote_port = endpoint;
38   send_msg.header.msgh_local_port = MACH_PORT_NULL;
39   send_msg.header.msgh_reserved = 0;
40   send_msg.header.msgh_id = 0;
41   send_msg.body.msgh_descriptor_count = 1;
42   send_msg.data.name = port_to_send;
43   send_msg.data.disposition = disposition;
44   send_msg.data.type = MACH_MSG_PORT_DESCRIPTOR;
45 
46   kern_return_t kr =
47       mach_msg(&send_msg.header, MACH_SEND_MSG | MACH_SEND_TIMEOUT,
48                send_msg.header.msgh_size,
49                0,                // receive limit
50                MACH_PORT_NULL,   // receive name
51                0,                // timeout
52                MACH_PORT_NULL);  // notification port
53 
54   if (kr != KERN_SUCCESS)
55     mach_port_deallocate(mach_task_self(), endpoint);
56 
57   return kr;
58 }
59 
ReceiveMachPort(mach_port_t port_to_listen_on)60 base::mac::ScopedMachSendRight ReceiveMachPort(mach_port_t port_to_listen_on) {
61   MachReceiveComplexMessage recv_msg;
62   mach_msg_header_t* recv_hdr = &recv_msg.header;
63   recv_hdr->msgh_local_port = port_to_listen_on;
64   recv_hdr->msgh_size = sizeof(recv_msg);
65 
66   kern_return_t kr =
67       mach_msg(recv_hdr, MACH_RCV_MSG | MACH_RCV_TIMEOUT, 0,
68                recv_hdr->msgh_size, port_to_listen_on, 0, MACH_PORT_NULL);
69   if (kr != KERN_SUCCESS)
70     return base::mac::ScopedMachSendRight(MACH_PORT_NULL);
71   if (recv_msg.header.msgh_id != 0)
72     return base::mac::ScopedMachSendRight(MACH_PORT_NULL);
73   return base::mac::ScopedMachSendRight(recv_msg.data.name);
74 }
75 
CreateIntermediateMachPort(mach_port_t task_port,base::mac::ScopedMachSendRight port_to_insert,MachCreateError * error_code)76 mach_port_name_t CreateIntermediateMachPort(
77     mach_port_t task_port,
78     base::mac::ScopedMachSendRight port_to_insert,
79     MachCreateError* error_code) {
80   DCHECK_NE(mach_task_self(), task_port);
81   DCHECK_NE(static_cast<mach_port_name_t>(MACH_PORT_NULL), task_port);
82 
83   // Make a port with receive rights in the destination task.
84   mach_port_name_t endpoint;
85   kern_return_t kr =
86       mach_port_allocate(task_port, MACH_PORT_RIGHT_RECEIVE, &endpoint);
87   if (kr != KERN_SUCCESS) {
88     if (error_code)
89       *error_code = MachCreateError::ERROR_MAKE_RECEIVE_PORT;
90     return MACH_PORT_NULL;
91   }
92 
93   // Change its message queue limit so that it accepts one message.
94   mach_port_limits limits = {};
95   limits.mpl_qlimit = 1;
96   kr = mach_port_set_attributes(task_port, endpoint, MACH_PORT_LIMITS_INFO,
97                                 reinterpret_cast<mach_port_info_t>(&limits),
98                                 MACH_PORT_LIMITS_INFO_COUNT);
99   if (kr != KERN_SUCCESS) {
100     if (error_code)
101       *error_code = MachCreateError::ERROR_SET_ATTRIBUTES;
102     mach_port_deallocate(task_port, endpoint);
103     return MACH_PORT_NULL;
104   }
105 
106   // Get a send right.
107   mach_port_t send_once_right;
108   mach_msg_type_name_t send_right_type;
109   kr =
110       mach_port_extract_right(task_port, endpoint, MACH_MSG_TYPE_MAKE_SEND_ONCE,
111                               &send_once_right, &send_right_type);
112   if (kr != KERN_SUCCESS) {
113     if (error_code)
114       *error_code = MachCreateError::ERROR_EXTRACT_DEST_RIGHT;
115     mach_port_deallocate(task_port, endpoint);
116     return MACH_PORT_NULL;
117   }
118   DCHECK_EQ(static_cast<mach_msg_type_name_t>(MACH_MSG_TYPE_PORT_SEND_ONCE),
119             send_right_type);
120 
121   // This call takes ownership of |send_once_right|.
122   kr = base::SendMachPort(
123       send_once_right, port_to_insert.get(), MACH_MSG_TYPE_COPY_SEND);
124   if (kr != KERN_SUCCESS) {
125     if (error_code)
126       *error_code = MachCreateError::ERROR_SEND_MACH_PORT;
127     mach_port_deallocate(task_port, endpoint);
128     return MACH_PORT_NULL;
129   }
130 
131   // Endpoint is intentionally leaked into the destination task. An IPC must be
132   // sent to the destination task so that it can clean up this port.
133   return endpoint;
134 }
135 
136 }  // namespace base
137