sandbox-ipc 0.4.0

An IPC implementation with an eye toward enabling privilege separation.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175

use ::shm::{Access as SharedMemAccess, RangeArgument};
use platform::SendableWinHandle;

use std::{io, mem, ptr};
use std::collections::Bound;

use serde::{Serialize, Deserialize, Serializer, Deserializer};
use winapi::shared::minwindef::{DWORD, FALSE};
use winapi::shared::basetsd::{SIZE_T};
use winapi::um::winnt::{PAGE_READWRITE};
use winapi::um::handleapi::{DuplicateHandle};
use winapi::um::processthreadsapi::{GetCurrentProcess};
use winapi::um::memoryapi::{FILE_MAP_READ, FILE_MAP_WRITE, FILE_MAP_ALL_ACCESS, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW};
use winapi::um::sysinfoapi::{SYSTEM_INFO, GetSystemInfo};
use winhandle::*;

#[derive(Debug)]
pub(crate) struct SharedMem {
    handle: WinHandle,
    size: usize,
}

#[derive(Debug)]
pub(crate) struct SharedMemMap {
    mapping_pointer: *mut u8,
    mapping_len: usize,
    user_pointer: *mut u8,
    user_len: usize,
    access: SharedMemAccess,
    user_offset: usize,
}

unsafe impl Send for SharedMemMap {}
unsafe impl Sync for SharedMemMap {}

impl Drop for SharedMemMap {
    fn drop(&mut self) {
        unsafe {
            if UnmapViewOfFile(self.mapping_pointer as _) == FALSE {
                error!("UnmapViewOfFile failed: {}", io::Error::last_os_error());
            }
        }
    }
}

impl SharedMem {
    pub fn new(size: usize) -> io::Result<SharedMem> {
        unsafe {
            let handle = winapi_handle_call! { log: CreateFileMappingW(
                ptr::null_mut(),
                ptr::null_mut(),
                PAGE_READWRITE,
                high_bits(size),
                (size & 0xFFFFFFFF) as DWORD,
                ptr::null()
            )}?;

            Ok(SharedMem { handle, size })
        }
    }

    pub fn size(&self) -> usize { self.size }

    pub fn clone(&self, access: SharedMemAccess) -> io::Result<SharedMem> {
        let access = match access {
            SharedMemAccess::Read => FILE_MAP_READ,
            SharedMemAccess::ReadWrite => FILE_MAP_ALL_ACCESS,
        };

        unsafe {
            let mut handle = WinHandleTarget::new();
            winapi_bool_call!(DuplicateHandle(
                GetCurrentProcess(), self.handle.get(),
                GetCurrentProcess(), &mut *handle,
                access, FALSE, 0
            ))?;

            Ok(SharedMem { handle: handle.unwrap(), size: self.size })
        }
    }

    pub fn map<R: RangeArgument<usize>>(&self, range: R, access: SharedMemAccess) -> io::Result<SharedMemMap> {
        let raw_access = match access {
            SharedMemAccess::Read => FILE_MAP_READ,
            SharedMemAccess::ReadWrite => FILE_MAP_WRITE,
        };

        let offset = match range.start() {
            Bound::Included(i) => Some(*i),
            Bound::Excluded(i) => i.checked_add(1),
            Bound::Unbounded => Some(0),
        };
        let len = offset.and_then(|offset| match range.end() {
            Bound::Included(i) => i.checked_add(1).and_then(|x| x.checked_sub(offset)),
            Bound::Excluded(i) => i.checked_sub(offset),
            Bound::Unbounded => self.size().checked_sub(offset),
        });

        let (offset, len) = match (offset, len) {
            (Some(offset), Some(len)) if offset + len <= self.size => (offset, len),
            _ => return Err(io::Error::new(io::ErrorKind::InvalidInput, "requested memory map range is out of bounds")),
        };

        // The offset must be a multiple of the page size
        let mapping_offset = match offset % *PAGE_SIZE {
            0 => offset,
            m => offset - m,
        };
        let mapping_len = len + offset - mapping_offset;

        unsafe {
            let addr = MapViewOfFile(
                self.handle.get(),
                raw_access,
                high_bits(mapping_offset),
                (mapping_offset & 0xFFFFFFFF) as DWORD,
                mapping_len as SIZE_T
            );
            if addr.is_null() {
                return Err(io::Error::last_os_error());
            }

            Ok(SharedMemMap {
                mapping_pointer: addr as _,
                mapping_len,
                user_pointer: (addr as *mut u8).offset((offset - mapping_offset) as isize),
                user_len: len,
                access,
                user_offset: offset,
            })
        }
    }
}

impl SharedMemMap {
    pub unsafe fn pointer(&self) -> *mut u8 { self.user_pointer }
    pub fn len(&self) -> usize { self.user_len }
    pub fn access(&self) -> SharedMemAccess { self.access }
    pub fn offset(&self) -> usize { self.user_offset }
}

impl Serialize for SharedMem {
    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
        where S: Serializer
    {
        (SendableWinHandle(&self.handle), self.size).serialize(serializer)
    }
}

impl<'de> Deserialize<'de> for SharedMem {
    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
        where D: Deserializer<'de>
    {
        let (handle, size): (SendableWinHandle, usize) = Deserialize::deserialize(deserializer)?;
        Ok(SharedMem { handle: handle.0, size })
    }
}

lazy_static! {
    static ref PAGE_SIZE: usize = unsafe {
        let mut system_info: SYSTEM_INFO = mem::zeroed();
        GetSystemInfo(&mut system_info);
        system_info.dwPageSize as usize
    };
}

// Rust complains about exceeding bitshifts
#[cfg(target_pointer_width = "32")]
fn high_bits(_x: usize) -> DWORD {
    0
}
#[cfg(not(target_pointer_width = "32"))]
fn high_bits(x: usize) -> DWORD {
    (x >> 32) as DWORD
}