diff --git a/lib/mammoth/src/endpoint_server.cpp b/lib/mammoth/src/endpoint_server.cpp
index 9e67cb6..6059f8d 100644
--- a/lib/mammoth/src/endpoint_server.cpp
+++ b/lib/mammoth/src/endpoint_server.cpp
@@ -9,8 +9,7 @@ void EndpointServerThreadBootstrap(void* endpoint_server) {
 glcr::ErrorOr> EndpointServer::CreateClient() {
 uint64_t client_cap;
- // FIXME: Restrict permissions to send-only here.
- RET_ERR(ZCapDuplicate(endpoint_cap_, &client_cap));
+ RET_ERR(ZCapDuplicate(endpoint_cap_, ~(kZionPerm_Read), &client_cap));
 return EndpointClient::AdoptEndpoint(client_cap);
 }
diff --git a/lib/mammoth/src/port_server.cpp b/lib/mammoth/src/port_server.cpp
index c684104..3cc99e9 100644
--- a/lib/mammoth/src/port_server.cpp
+++ b/lib/mammoth/src/port_server.cpp
@@ -13,9 +13,8 @@ PortServer PortServer::AdoptCap(z_cap_t cap) { return PortServer(cap); }
 PortServer::PortServer(z_cap_t port_cap) : port_cap_(port_cap) {}
 glcr::ErrorOr PortServer::CreateClient() {
- // FIXME: Restrict permissions.
 z_cap_t new_port;
- RET_ERR(ZCapDuplicate(port_cap_, &new_port));
+ RET_ERR(ZCapDuplicate(port_cap_, ~(kZionPerm_Read), &new_port));
 return PortClient::AdoptPort(new_port);
 }
diff --git a/sys/denali/lib/denali/denali.yunq.server.cpp b/sys/denali/lib/denali/denali.yunq.server.cpp
index 3e523da..7411bac 100644
--- a/sys/denali/lib/denali/denali.yunq.server.cpp
+++ b/sys/denali/lib/denali/denali.yunq.server.cpp
@@ -31,8 +31,7 @@ void DenaliServerBaseThreadBootstrap(void* server_base) {
 glcr::ErrorOr DenaliServerBase::CreateClient() {
 uint64_t client_cap;
- // FIXME: Restrict permissions to send-only here.
- RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+ RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
 return DenaliClient(client_cap);
 }
diff --git a/sys/victoriafalls/lib/victoriafalls/victoriafalls.yunq.server.cpp b/sys/victoriafalls/lib/victoriafalls/victoriafalls.yunq.server.cpp
index eea064d..65d36fd 100644
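Review bot: `~(kZionPerm_Read)` is a deny-list rather than the send-only mask the removed FIXME asked for: the kernel side of this commit ANDs the mask with the source permissions, so the client capability keeps every bit the server holds except Read, including `kZionPerm_Duplicate` and any endpoint permission bit added to ztypes.h later. A positive mask naming only the bit a client needs to send on the endpoint (placeholder: `RET_ERR(ZCapDuplicate(endpoint_cap_, kZionPerm_<SEND_BIT>, &client_cap));`) would pin the intent and fail closed when new bits appear. The same pattern is repeated in port_server.cpp, denali.yunq.server.cpp, victoriafalls.yunq.server.cpp, yellowstone.yunq.server.cpp and yunq/server.cpp.jinja; the three .yunq.server.cpp hunks look generated from that template, so the change belongs in the template followed by a regeneration. If no single send bit exists, a short comment on the mask explaining which rights a client is meant to retain would at least document the decision.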
--- a/sys/victoriafalls/lib/victoriafalls/victoriafalls.yunq.server.cpp
+++ b/sys/victoriafalls/lib/victoriafalls/victoriafalls.yunq.server.cpp
@@ -31,8 +31,7 @@ void VFSServerBaseThreadBootstrap(void* server_base) {
 glcr::ErrorOr VFSServerBase::CreateClient() {
 uint64_t client_cap;
- // FIXME: Restrict permissions to send-only here.
- RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+ RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
 return VFSClient(client_cap);
 }
diff --git a/sys/yellowstone/lib/yellowstone/yellowstone.yunq.server.cpp b/sys/yellowstone/lib/yellowstone/yellowstone.yunq.server.cpp
index ffa25aa..f2e695b 100644
--- a/sys/yellowstone/lib/yellowstone/yellowstone.yunq.server.cpp
+++ b/sys/yellowstone/lib/yellowstone/yellowstone.yunq.server.cpp
@@ -31,8 +31,7 @@ void YellowstoneServerBaseThreadBootstrap(void* server_base) {
 glcr::ErrorOr YellowstoneServerBase::CreateClient() {
 uint64_t client_cap;
- // FIXME: Restrict permissions to send-only here.
- RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+ RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
 return YellowstoneClient(client_cap);
 }
diff --git a/sys/yellowstone/yellowstone_server.cpp b/sys/yellowstone/yellowstone_server.cpp
index 4cb5ea3..39b767b 100644
--- a/sys/yellowstone/yellowstone_server.cpp
+++ b/sys/yellowstone/yellowstone_server.cpp
@@ -60,7 +60,7 @@ glcr::ErrorCode YellowstoneServer::HandleGetAhciInfo(const Empty&,
 glcr::ErrorCode YellowstoneServer::HandleGetDenali(const Empty&,
 DenaliInfo& info) {
 z_cap_t new_denali;
- check(ZCapDuplicate(denali_cap_, &new_denali));
+ check(ZCapDuplicate(denali_cap_, kZionPerm_All, &new_denali));
 info.set_denali_endpoint(new_denali);
 info.set_device_id(device_id_);
 info.set_lba_offset(lba_offset_);
diff --git a/yunq/server.cpp.jinja b/yunq/server.cpp.jinja
index 590027d..00ba26b 100644
--- a/yunq/server.cpp.jinja
+++ b/yunq/server.cpp.jinja
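Review bot: `kZionPerm_All` in HandleGetDenali hands the GetDenali caller a duplicate carrying every permission `denali_cap_` holds, Read and Duplicate included, and it is the only call site in this commit that preserves full rights. If the recipient only needs to issue requests to denali, the mask should match what the CreateClient paths grant; if full rights are intentional, a one-line comment such as `// Full rights on purpose: the caller takes over the denali endpoint.` would stop a later reviewer from narrowing it. `check(...)` is also a different failure path from the `RET_ERR` used at the other duplicate sites; whether a failed duplicate should take the handler down rather than return an error is worth stating in a comment. HandleGetDenali continues past the hunk.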
@@ -31,8 +31,7 @@ void {{interface.name}}ServerBaseThreadBootstrap(void* server_base) {
 glcr::ErrorOr<{{interface.name}}Client> {{interface.name}}ServerBase::CreateClient() {
 uint64_t client_cap;
- // FIXME: Restrict permissions to send-only here.
- RET_ERR(ZCapDuplicate(endpoint_, &client_cap));
+ RET_ERR(ZCapDuplicate(endpoint_, ~(kZionPerm_Read), &client_cap));
 return {{interface.name}}Client(client_cap);
 }
diff --git a/zion/include/zcall.h b/zion/include/zcall.h
index ff8b797..643a2e3 100644
--- a/zion/include/zcall.h
+++ b/zion/include/zcall.h
@@ -55,7 +55,7 @@ SYS5(ReplyPortSend, z_cap_t, reply_port_cap, uint64_t, num_bytes, const void*,
 SYS5(ReplyPortRecv, z_cap_t, reply_port_cap, uint64_t*, num_bytes, void*, data,
 uint64_t*, num_caps, z_cap_t*, caps);
-SYS2(CapDuplicate, z_cap_t, cap_in, z_cap_t*, cap_out);
+SYS3(CapDuplicate, z_cap_t, cap_in, z_perm_t, perm_mask, z_cap_t*, cap_out);
 SYS1(MutexCreate, z_cap_t*, mutex_cap);
 SYS1(MutexLock, z_cap_t, mutex_cap);
diff --git a/zion/include/ztypes.h b/zion/include/ztypes.h
index 3870e4e..a6eda52 100644
--- a/zion/include/ztypes.h
+++ b/zion/include/ztypes.h
@@ -67,6 +67,7 @@ const uint64_t kZionDebug = 0x1'0000;
 * ------------------------------*/
 typedef uint64_t z_cap_t;
+typedef uint64_t z_perm_t;
 const uint64_t kZionInvalidCapability = 0x0;
@@ -87,6 +88,9 @@ const uint64_t kZionPerm_SpawnThread = 0x200;
 const uint64_t kZionPerm_Lock = 0x100;
 const uint64_t kZionPerm_Release = 0x200;
+const z_perm_t kZionPerm_None = 0;
+const z_perm_t kZionPerm_All = -1;
+
 /* ------------------------------
 * Process Init Types
 *
diff --git a/zion/syscall/capability.cpp b/zion/syscall/capability.cpp
index b386fcb..c30f6a9 100644
--- a/zion/syscall/capability.cpp
+++ b/zion/syscall/capability.cpp
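Review bot: The new `perm_mask` parameter of `SYS3(CapDuplicate, ...)` in zcall.h carries no comment describing its contract, and this header is the only place user code learns it. The kernel side of the commit ANDs it with the source capability's permissions, so a caller can only drop rights and `kZionPerm_All` is the identity value; a comment above the macro such as `// perm_mask is ANDed with cap_in's permissions: the duplicate never gains a right the source lacks.` captures that in one line. Callers that want a restricted duplicate should be pointed at an allow-list of the bits they need rather than a `~` deny-list, since the latter silently grants bits added later.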
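Review bot: `const z_perm_t kZionPerm_All = -1;` in ztypes.h relies on the implicit conversion of a negative literal into `uint64_t`; that conversion is well-defined and yields all bits set, but it reads like a mistake and likely warns under `-Wsign-conversion`. `const z_perm_t kZionPerm_All = ~static_cast<z_perm_t>(0);` states the intent without the signedness detour. The hunk context also shows `kZionPerm_SpawnThread` and `kZionPerm_Release` sharing the value 0x200, which suggests permission bits are interpreted per object type; a one-line comment near the new `z_perm_t` typedef saying so would help readers choosing a mask for CapDuplicate.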
@@ -13,6 +13,8 @@ z_err_t CapDuplicate(ZCapDuplicateReq* req) {
 if (!(cap->permissions() & kZionPerm_Duplicate)) {
 return glcr::CAP_PERMISSION_DENIED;
 }
- *req->cap_out = proc.AddExistingCapability(cap);
+
+ *req->cap_out = proc.AddNewCapability(cap->raw_obj(),
+ cap->permissions() & req->perm_mask);
 return glcr::OK;
 }
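Review bot: The new `AddNewCapability(cap->raw_obj(), cap->permissions() & req->perm_mask)` call should state the property that justifies not validating `req->perm_mask`, since nothing else in the function does: `// The mask can only clear bits; the duplicate never holds a permission the source lacks.` The Duplicate check above still inspects only the source, so a duplicate made with a mask that keeps `kZionPerm_Duplicate` stays re-duplicable, which is the expected capability behaviour but belongs in the same comment. Whether `cap->raw_obj()` yields a counted reference the way passing `cap` itself to `AddExistingCapability` did is not visible here and is worth confirming against `AddNewCapability`. CapDuplicate's signature and the lookup of `cap` lie before the hunk.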