// Copyright 2018 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #ifndef MOJO_CORE_PLATFORM_HANDLE_IN_TRANSIT_H_ #define MOJO_CORE_PLATFORM_HANDLE_IN_TRANSIT_H_ #include "base/macros.h" #include "build/build_config.h" #include "mojo/core/scoped_process_handle.h" #include "mojo/public/cpp/platform/platform_handle.h" #if defined(OS_MACOSX) && !defined(OS_IOS) #include #endif #if defined(OS_WIN) #include #endif namespace mojo { namespace core { // Owns a PlatformHandle which may actually belong to another process. On // Windows and (sometimes) Mac, handles in a message object may take on values // which only have meaning in the context of a remote process. // // This class provides a safe way of scoping the lifetime of such handles so // that they don't leak when transmission can't be completed. class PlatformHandleInTransit { public: PlatformHandleInTransit(); explicit PlatformHandleInTransit(PlatformHandle handle); PlatformHandleInTransit(PlatformHandleInTransit&&); ~PlatformHandleInTransit(); PlatformHandleInTransit& operator=(PlatformHandleInTransit&&); // Accessor for the owned handle. Must be owned by the calling process. const PlatformHandle& handle() const { DCHECK(!owning_process_.is_valid()); return handle_; } // Returns the process which owns this handle. If this is invalid, the handle // is owned by the current process. const ScopedProcessHandle& owning_process() const { return owning_process_; } // Takes ownership of the held handle as-is. The handle must belong to the // current process. PlatformHandle TakeHandle(); // Discards the handle owned by this object. The implication is that its // value has been successfully communicated to the owning process and the // calling process is no longer responsible for managing the handle's // lifetime. void CompleteTransit(); // Transfers ownership of this (local) handle to |target_process|. bool TransferToProcess(ScopedProcessHandle target_process); #if defined(OS_WIN) HANDLE remote_handle() const { return remote_handle_; } // Returns a new local handle, with ownership of |handle| being transferred // from |owning_process| to the caller. static PlatformHandle TakeIncomingRemoteHandle( HANDLE handle, base::ProcessHandle owning_process); #endif #if defined(OS_MACOSX) && !defined(OS_IOS) // Creates a special wrapper holding an unowned Mach port name. This may refer // to a send or receive right in a remote task (process), and is used for // cases where message must retain such an object as one of its attached // handles. We're OK for now with leaking in any scenario where a lack of // strict ownership could cause leakage. See https://crbug.com/855930 for more // details. static PlatformHandleInTransit CreateForMachPortName(mach_port_t name); bool is_mach_port_name() const { return mach_port_name_ != MACH_PORT_NULL; } mach_port_t mach_port_name() const { return mach_port_name_; } #endif private: #if defined(OS_WIN) // We don't use a ScopedHandle (or, by extension, PlatformHandle) here because // the handle verifier expects all handle values to be owned by this process. // On Windows we use |handle_| for locally owned handles and |remote_handle_| // otherwise. On all other platforms we use |handle_| regardless of ownership. HANDLE remote_handle_ = INVALID_HANDLE_VALUE; #endif PlatformHandle handle_; ScopedProcessHandle owning_process_; #if defined(OS_MACOSX) && !defined(OS_IOS) mach_port_t mach_port_name_ = MACH_PORT_NULL; #endif DISALLOW_COPY_AND_ASSIGN(PlatformHandleInTransit); }; } // namespace core } // namespace mojo #endif // MOJO_CORE_PLATFORM_HANDLE_IN_TRANSIT_H_