c51cd5fe91
Before safecopies, the IO_ENDPT and DL_ENDPT message fields were needed to know which actual process to copy data from/to, as that process may not always be the caller. Now that we have full safecopy support, these fields have become useless for that purpose: the owner of the grant is *always* the caller. Allowing the caller to supply another endpoint is in fact dangerous, because the callee may then end up using a grant from a third party. One could call this a variant of the confused deputy problem. From now on, safecopy calls should always use the caller's endpoint as grant owner. This fully obsoletes the DL_ENDPT field in the inet/ethernet protocol. IO_ENDPT has other uses besides identifying the grant owner though. This patch renames IO_ENDPT to USER_ENDPT, not only because that is a more fitting name (it should never be used for I/O after all), but also in order to intentionally break any old system source code outside the base system. If this patch breaks your code, fixing it is fairly simple: - DL_ENDPT should be replaced with m_source; - IO_ENDPT should be replaced with m_source when used for safecopies; - IO_ENDPT should be replaced with USER_ENDPT for any other use, e.g. when setting REP_ENDPT, matching requests in CANCEL calls, getting DEV_SELECT flags, and retrieving of the real user process's endpoint in DEV_OPEN. The changes in this patch are binary backward compatible. |
||
---|---|---|
.. | ||
arch/i386 | ||
system | ||
clock.c | ||
clock.h | ||
config.h | ||
const.h | ||
cpulocals.c | ||
cpulocals.h | ||
debug.c | ||
debug.h | ||
extract-errno.sh | ||
extract-mfield.sh | ||
extract-mtype.sh | ||
glo.h | ||
interrupt.c | ||
interrupt.h | ||
ipc.h | ||
kernel.h | ||
main.c | ||
Makefile | ||
perf.h | ||
priv.h | ||
proc.c | ||
proc.h | ||
profile.c | ||
profile.h | ||
proto.h | ||
smp.c | ||
smp.h | ||
spinlock.h | ||
start.c | ||
system.c | ||
system.h | ||
table.c | ||
type.h | ||
utility.c | ||
vm.h | ||
watchdog.c | ||
watchdog.h |