Add rights for get/set options. Update message pipe and data pipe APIs.
Rationale for having separate get/set options rights: Otherwise, you can
control the abilities to read from a data pipe consumer and set its
options independently, but the abilities to write to a data pipe
producer and set its options are tied to a single right.
Still to do separately: I still have to update docs for other APIs.
Also, I can't really test these in a reasonable way until I've
implemented MojoGetRights() and MojoReduceRights().
R=azani@chromium.org
Review URL: https://codereview.chromium.org/1963053003 .
diff --git a/mojo/edk/system/core.cc b/mojo/edk/system/core.cc
index 1f2ba7e..a8c2007 100644
--- a/mojo/edk/system/core.cc
+++ b/mojo/edk/system/core.cc
@@ -441,7 +441,7 @@
UserPointer<const MojoDataPipeProducerOptions> options) {
RefPtr<Dispatcher> dispatcher;
MojoResult result = GetDispatcherAndCheckRights(
- data_pipe_producer_handle, MOJO_HANDLE_RIGHT_WRITE,
+ data_pipe_producer_handle, MOJO_HANDLE_RIGHT_SET_OPTIONS,
EntrypointClass::DATA_PIPE_PRODUCER, &dispatcher);
if (result != MOJO_RESULT_OK)
return result;
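Review bot: The switch to `MOJO_HANDLE_RIGHT_SET_OPTIONS` here, and the matching changes in the hunks at -455, -508 and -522, land with no test of the denied path, which the commit message itself acknowledges. `CoreTestBase::CreateMockHandle()` in this same commit grants every right, so the existing Core tests can only exercise the success path. Since that helper already builds a `Handle(dispatcher, rights)` directly, a test could probably add a handle with the options right left out and expect `MOJO_RESULT_PERMISSION_DENIED` without waiting for `MojoReduceRights()`; whether a mock dispatcher passes the `EntrypointClass` check is not visible here. The enclosing function starts and ends outside the hunk.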
@@ -455,7 +455,7 @@
uint32_t options_num_bytes) {
RefPtr<Dispatcher> dispatcher;
MojoResult result = GetDispatcherAndCheckRights(
- data_pipe_producer_handle, MOJO_HANDLE_RIGHT_READ,
+ data_pipe_producer_handle, MOJO_HANDLE_RIGHT_GET_OPTIONS,
EntrypointClass::DATA_PIPE_PRODUCER, &dispatcher);
if (result != MOJO_RESULT_OK)
return result;
@@ -508,7 +508,7 @@
UserPointer<const MojoDataPipeConsumerOptions> options) {
RefPtr<Dispatcher> dispatcher;
MojoResult result = GetDispatcherAndCheckRights(
- data_pipe_consumer_handle, MOJO_HANDLE_RIGHT_WRITE,
+ data_pipe_consumer_handle, MOJO_HANDLE_RIGHT_SET_OPTIONS,
EntrypointClass::DATA_PIPE_CONSUMER, &dispatcher);
if (result != MOJO_RESULT_OK)
return result;
@@ -522,7 +522,7 @@
uint32_t options_num_bytes) {
RefPtr<Dispatcher> dispatcher;
MojoResult result = GetDispatcherAndCheckRights(
- data_pipe_consumer_handle, MOJO_HANDLE_RIGHT_READ,
+ data_pipe_consumer_handle, MOJO_HANDLE_RIGHT_GET_OPTIONS,
EntrypointClass::DATA_PIPE_CONSUMER, &dispatcher);
if (result != MOJO_RESULT_OK)
return result;
diff --git a/mojo/edk/system/core_test_base.cc b/mojo/edk/system/core_test_base.cc
index d44c60c..ed98702 100644
--- a/mojo/edk/system/core_test_base.cc
+++ b/mojo/edk/system/core_test_base.cc
@@ -226,11 +226,11 @@
MojoHandle CoreTestBase::CreateMockHandle(CoreTestBase::MockHandleInfo* info) {
CHECK(core_);
auto dispatcher = MockDispatcher::Create(info);
- MojoHandle rv = core_->AddHandle(
- Handle(std::move(dispatcher),
- MOJO_HANDLE_RIGHT_DUPLICATE | MOJO_HANDLE_RIGHT_TRANSFER |
- MOJO_HANDLE_RIGHT_READ | MOJO_HANDLE_RIGHT_WRITE |
- MOJO_HANDLE_RIGHT_EXECUTE));
+ MojoHandle rv = core_->AddHandle(Handle(
+ std::move(dispatcher),
+ MOJO_HANDLE_RIGHT_DUPLICATE | MOJO_HANDLE_RIGHT_TRANSFER |
+ MOJO_HANDLE_RIGHT_READ | MOJO_HANDLE_RIGHT_WRITE |
+ MOJO_HANDLE_RIGHT_GET_OPTIONS | MOJO_HANDLE_RIGHT_SET_OPTIONS));
CHECK_NE(rv, MOJO_HANDLE_INVALID);
return rv;
}
diff --git a/mojo/edk/system/data_pipe_consumer_dispatcher.h b/mojo/edk/system/data_pipe_consumer_dispatcher.h
index a9c99c3..cee289b 100644
--- a/mojo/edk/system/data_pipe_consumer_dispatcher.h
+++ b/mojo/edk/system/data_pipe_consumer_dispatcher.h
@@ -23,7 +23,7 @@
// The default/standard rights for a data pipe consumer handle.
static constexpr MojoHandleRights kDefaultHandleRights =
MOJO_HANDLE_RIGHT_TRANSFER | MOJO_HANDLE_RIGHT_READ |
- MOJO_HANDLE_RIGHT_WRITE;
+ MOJO_HANDLE_RIGHT_GET_OPTIONS | MOJO_HANDLE_RIGHT_SET_OPTIONS;
static util::RefPtr<DataPipeConsumerDispatcher> Create() {
return AdoptRef(new DataPipeConsumerDispatcher());
diff --git a/mojo/edk/system/data_pipe_producer_dispatcher.h b/mojo/edk/system/data_pipe_producer_dispatcher.h
index 415b756..a821ac6 100644
--- a/mojo/edk/system/data_pipe_producer_dispatcher.h
+++ b/mojo/edk/system/data_pipe_producer_dispatcher.h
@@ -22,8 +22,8 @@
public:
// The default/standard rights for a data pipe consumer handle.
static constexpr MojoHandleRights kDefaultHandleRights =
- MOJO_HANDLE_RIGHT_TRANSFER | MOJO_HANDLE_RIGHT_READ |
- MOJO_HANDLE_RIGHT_WRITE;
+ MOJO_HANDLE_RIGHT_TRANSFER | MOJO_HANDLE_RIGHT_WRITE |
+ MOJO_HANDLE_RIGHT_GET_OPTIONS | MOJO_HANDLE_RIGHT_SET_OPTIONS;
static util::RefPtr<DataPipeProducerDispatcher> Create() {
return AdoptRef(new DataPipeProducerDispatcher());
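Review bot: The context comment above `kDefaultHandleRights` in this producer header still reads "data pipe consumer handle", which looks copied from the consumer dispatcher. The two defaults now differ (`MOJO_HANDLE_RIGHT_WRITE` here, `MOJO_HANDLE_RIGHT_READ` there), so the wrong label is easy to misread when auditing which endpoint holds which right. Change it to `// The default/standard rights for a data pipe producer handle.` The `Create()` body continues past the end of the hunk.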
diff --git a/mojo/edk/system/handle_unittest.cc b/mojo/edk/system/handle_unittest.cc
index e1022f5..8c630ed 100644
--- a/mojo/edk/system/handle_unittest.cc
+++ b/mojo/edk/system/handle_unittest.cc
@@ -123,6 +123,8 @@
EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_TRANSFER));
EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_READ));
EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_WRITE));
+ EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_GET_OPTIONS));
+ EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_SET_OPTIONS));
}
{
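Review bot: The assertions added here and in the hunks at -134 and -142 only check that `MOJO_HANDLE_RIGHT_GET_OPTIONS` and `MOJO_HANDLE_RIGHT_SET_OPTIONS` are absent; no visible case builds a handle that holds them and expects `has_all_rights()` to return true. A positive case would show that the new bits are actually stored and matched, for example `EXPECT_TRUE(h.has_all_rights(MOJO_HANDLE_RIGHT_GET_OPTIONS));` on a handle created with that right. The rest of the test body is outside the hunks, so such a case may already exist there.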
@@ -134,6 +136,8 @@
EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_TRANSFER));
EXPECT_TRUE(h.has_all_rights(MOJO_HANDLE_RIGHT_READ));
EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_WRITE));
+ EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_GET_OPTIONS));
+ EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_SET_OPTIONS));
EXPECT_TRUE(
h.has_all_rights(MOJO_HANDLE_RIGHT_DUPLICATE | MOJO_HANDLE_RIGHT_READ));
@@ -142,6 +146,8 @@
MOJO_HANDLE_RIGHT_WRITE));
EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_DUPLICATE |
MOJO_HANDLE_RIGHT_WRITE));
+ EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_GET_OPTIONS |
+ MOJO_HANDLE_RIGHT_SET_OPTIONS));
EXPECT_EQ(MOJO_RESULT_OK, h.dispatcher->Close());
}
diff --git a/mojo/edk/system/message_pipe_dispatcher.h b/mojo/edk/system/message_pipe_dispatcher.h
index 968e318..9921644 100644
--- a/mojo/edk/system/message_pipe_dispatcher.h
+++ b/mojo/edk/system/message_pipe_dispatcher.h
@@ -24,7 +24,8 @@
// The default/standard rights for a message pipe handle.
static constexpr MojoHandleRights kDefaultHandleRights =
MOJO_HANDLE_RIGHT_TRANSFER | MOJO_HANDLE_RIGHT_READ |
- MOJO_HANDLE_RIGHT_WRITE;
+ MOJO_HANDLE_RIGHT_WRITE | MOJO_HANDLE_RIGHT_GET_OPTIONS |
+ MOJO_HANDLE_RIGHT_SET_OPTIONS;
// The default options to use for |MojoCreateMessagePipe()|. (Real uses
// should obtain this via |ValidateCreateOptions()| with a null |in_options|;
diff --git a/mojo/edk/system/shared_buffer_dispatcher.h b/mojo/edk/system/shared_buffer_dispatcher.h
index 0dd2fc0..70e2158 100644
--- a/mojo/edk/system/shared_buffer_dispatcher.h
+++ b/mojo/edk/system/shared_buffer_dispatcher.h
@@ -36,8 +36,7 @@
// duplicable by default.
static constexpr MojoHandleRights kDefaultHandleRights =
MOJO_HANDLE_RIGHT_DUPLICATE | MOJO_HANDLE_RIGHT_TRANSFER |
- MOJO_HANDLE_RIGHT_READ | MOJO_HANDLE_RIGHT_WRITE |
- MOJO_HANDLE_RIGHT_EXECUTE;
+ MOJO_HANDLE_RIGHT_READ | MOJO_HANDLE_RIGHT_WRITE;
// The default options to use for |MojoCreateSharedBuffer()|. (Real uses
// should obtain this via |ValidateCreateOptions()| with a null |in_options|;
diff --git a/mojo/public/c/system/data_pipe.h b/mojo/public/c/system/data_pipe.h
index 3cef5d4..994a12b 100644
--- a/mojo/public/c/system/data_pipe.h
+++ b/mojo/public/c/system/data_pipe.h
@@ -135,7 +135,12 @@
//
// On success, |*data_pipe_producer_handle| will be set to the handle for the
// producer and |*data_pipe_consumer_handle| will be set to the handle for the
-// consumer. (On failure, they are not modified.)
+// consumer. (On failure, they are not modified.) The producer handle will have
+// (at least) the following rights: |MOJO_HANDLE_RIGHT_TRANSFER|,
+// |MOJO_HANDLE_RIGHT_WRITE|, |MOJO_HANDLE_RIGHT_GET_OPTIONS|, and
+// |MOJO_HANDLE_RIGHT_SET_OPTIONS|. The consumer handle will have (at least) the
+// following rights: |MOJO_HANDLE_RIGHT_TRANSFER|, |MOJO_HANDLE_RIGHT_READ|,
+// |MOJO_HANDLE_RIGHT_GET_OPTIONS|, and |MOJO_HANDLE_RIGHT_SET_OPTIONS|
//
// Returns:
// |MOJO_RESULT_OK| on success.
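Review bot: The added sentence listing the consumer handle's rights ends at `|MOJO_HANDLE_RIGHT_SET_OPTIONS|` without a full stop, unlike the matching sentence added to message_pipe.h. Close it as `// |MOJO_HANDLE_RIGHT_GET_OPTIONS|, and |MOJO_HANDLE_RIGHT_SET_OPTIONS|.`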
@@ -156,7 +161,8 @@
// from either handle as well.
// |MojoSetDataPipeProducerOptions()|: Sets options for the data pipe producer
-// handle |data_pipe_producer_handle|.
+// handle |data_pipe_producer_handle| (which must have the
+// |MOJO_HANDLE_RIGHT_SET_OPTIONS| right).
//
// |options| may be set to null to reset back to the default options.
//
@@ -169,6 +175,8 @@
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
// |data_pipe_producer_handle| is not a valid data pipe producer handle or
// |*options| is invalid).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_SET_OPTIONS| right.
// |MOJO_RESULT_BUSY| if |data_pipe_producer_handle| is currently in use in
// some transaction (that, e.g., may result in it being invalidated, such
// as being sent in a message).
@@ -177,9 +185,10 @@
const struct MojoDataPipeProducerOptions* options); // Optional in.
// |MojoGetDataPipeProducerOptions()|: Gets options for the data pipe producer
-// handle |data_pipe_producer_handle|. |options| should be non-null and point to
-// a buffer of size |options_num_bytes|; |options_num_bytes| should be at least
-// 8 (the size of the first, and currently only, version of
+// handle |data_pipe_producer_handle| (which must have the
+// |MOJO_HANDLE_RIGHT_GET_OPTIONS| right). |options| should be non-null and
+// point to a buffer of size |options_num_bytes|; |options_num_bytes| should be
+// at least 8 (the size of the first, and currently only, version of
// |MojoDataPipeProducerOptions|).
//
// On success, |*options| will be filled with information about the given
@@ -194,6 +203,8 @@
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
// |data_pipe_producer_handle| is not a valid data pipe producer handle,
// |*options| is null, or |options_num_bytes| is too small).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_GET_OPTIONS| right.
// |MOJO_RESULT_BUSY| if |data_pipe_producer_handle| is currently in use in
// some transaction (that, e.g., may result in it being invalidated, such
// as being sent in a message).
@@ -203,8 +214,9 @@
uint32_t options_num_bytes); // In.
// |MojoWriteData()|: Writes the given data to the data pipe producer given by
-// |data_pipe_producer_handle|. |elements| points to data of size |*num_bytes|;
-// |*num_bytes| should be a multiple of the data pipe's element size. If
+// |data_pipe_producer_handle| (which must have the |MOJO_HANDLE_RIGHT_WRITE|
+// right). |elements| points to data of size |*num_bytes|; |*num_bytes| should
+// be a multiple of the data pipe's element size. If
// |MOJO_WRITE_DATA_FLAG_ALL_OR_NONE| is set in |flags|, either all the data
// will be written or none is.
//
@@ -214,9 +226,10 @@
// Returns:
// |MOJO_RESULT_OK| on success.
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
-// |data_pipe_producer_dispatcher| is not a handle to a data pipe
-// producer or |*num_bytes| is not a multiple of the data pipe's element
-// size).
+// |data_pipe_producer_handle| is not a handle to a data pipe producer or
+// |*num_bytes| is not a multiple of the data pipe's element size).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_WRITE| right.
// |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe consumer handle has been
// closed.
// |MOJO_RESULT_OUT_OF_RANGE| if |flags| has
@@ -238,8 +251,9 @@
MojoWriteDataFlags flags); // In.
// |MojoBeginWriteData()|: Begins a two-phase write to the data pipe producer
-// given by |data_pipe_producer_handle|. On success, |*buffer| will be a pointer
-// to which the caller can write |*buffer_num_bytes| bytes of data. There are
+// given by |data_pipe_producer_handle| (which must have the
+// |MOJO_HANDLE_RIGHT_WRITE| right). On success, |*buffer| will be a pointer to
+// which the caller can write |*buffer_num_bytes| bytes of data. There are
// currently no flags allowed, so |flags| should be |MOJO_WRITE_DATA_FLAG_NONE|.
//
// During a two-phase write, |data_pipe_producer_handle| is *not* writable.
@@ -257,6 +271,8 @@
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
// |data_pipe_producer_handle| is not a handle to a data pipe producer or
// flags has |MOJO_WRITE_DATA_FLAG_ALL_OR_NONE| set).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_WRITE| right.
// |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe consumer handle has been
// closed.
// |MOJO_RESULT_BUSY| if |data_pipe_producer_handle| is currently in use in
@@ -272,13 +288,13 @@
MojoWriteDataFlags flags); // In.
// |MojoEndWriteData()|: Ends a two-phase write to the data pipe producer given
-// by |data_pipe_producer_handle| that was begun by a call to
-// |MojoBeginWriteData()| on the same handle. |num_bytes_written| should
-// indicate the amount of data actually written; it must be less than or equal
-// to the value of |*buffer_num_bytes| output by |MojoBeginWriteData()| and must
-// be a multiple of the element size. The buffer given by |*buffer| from
-// |MojoBeginWriteData()| must have been filled with exactly |num_bytes_written|
-// bytes of data.
+// by |data_pipe_producer_handle| (which must have the |MOJO_HANDLE_RIGHT_WRITE|
+// right) that was begun by a call to |MojoBeginWriteData()| on the same handle.
+// |num_bytes_written| should indicate the amount of data actually written; it
+// must be less than or equal to the value of |*buffer_num_bytes| output by
+// |MojoBeginWriteData()| and must be a multiple of the element size. The buffer
+// given by |*buffer| from |MojoBeginWriteData()| must have been filled with
+// exactly |num_bytes_written| bytes of data.
//
// On failure, the two-phase write (if any) is ended (so the handle may become
// writable again, if there's space available) but no data written to |*buffer|
@@ -290,6 +306,8 @@
// |data_pipe_producer_handle| is not a handle to a data pipe producer or
// |num_bytes_written| is invalid (greater than the maximum value provided
// by |MojoBeginWriteData()| or not a multiple of the element size).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_WRITE| right.
// |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe producer is not in a
// two-phase write (e.g., |MojoBeginWriteData()| was not called or
// |MojoEndWriteData()| has already been called).
@@ -300,7 +318,8 @@
uint32_t num_bytes_written); // In.
// |MojoSetDataPipeConsumerOptions()|: Sets options for the data pipe consumer
-// handle |data_pipe_consumer_handle|.
+// handle |data_pipe_consumer_handle| (which must have the
+// |MOJO_HANDLE_RIGHT_SET_OPTIONS| right).
//
// |options| may be set to null to reset back to the default options.
//
@@ -313,6 +332,8 @@
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
// |data_pipe_consumer_handle| is not a valid data pipe consumer handle or
// |*options| is invalid).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_SET_OPTIONS| right.
// |MOJO_RESULT_BUSY| if |data_pipe_consumer_handle| is currently in use in
// some transaction (that, e.g., may result in it being invalidated, such
// as being sent in a message).
@@ -321,9 +342,10 @@
const struct MojoDataPipeConsumerOptions* options); // Optional in.
// |MojoGetDataPipeConsumerOptions()|: Gets options for the data pipe consumer
-// handle |data_pipe_consumer_handle|. |options| should be non-null and point to
-// a buffer of size |options_num_bytes|; |options_num_bytes| should be at least
-// 8 (the size of the first, and currently only, version of
+// handle |data_pipe_consumer_handle| (which must have the
+// |MOJO_HANDLE_RIGHT_GET_OPTIONS| right). |options| should be non-null and
+// point to a buffer of size |options_num_bytes|; |options_num_bytes| should be
+// at least 8 (the size of the first, and currently only, version of
// |MojoDataPipeConsumerOptions|).
//
// On success, |*options| will be filled with information about the given
@@ -338,6 +360,8 @@
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
// |data_pipe_consumer_handle| is not a valid data pipe consumer handle,
// |*options| is null, or |options_num_bytes| is too small).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_GET_OPTIONS| right.
// |MOJO_RESULT_BUSY| if |data_pipe_consumer_handle| is currently in use in
// some transaction (that, e.g., may result in it being invalidated, such
// as being sent in a message).
@@ -347,8 +371,9 @@
uint32_t options_num_bytes); // In.
// |MojoReadData()|: Reads data from the data pipe consumer given by
-// |data_pipe_consumer_handle|. May also be used to discard data or query the
-// amount of data available.
+// |data_pipe_consumer_handle| (which must have the |MOJO_HANDLE_RIGHT_READ|
+// right). May also be used to discard data or query the amount of data
+// available.
//
// If |flags| has neither |MOJO_READ_DATA_FLAG_DISCARD| nor
// |MOJO_READ_DATA_FLAG_QUERY| set, this tries to read up to |*num_bytes| (which
@@ -379,6 +404,8 @@
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
// |data_pipe_consumer_handle| is invalid, the combination of flags in
// |flags| is invalid, etc.).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_READ| right.
// |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe producer handle has been
// closed and data (or the required amount of data) was not available to
// be read or discarded.
@@ -399,8 +426,9 @@
MojoReadDataFlags flags); // In.
// |MojoBeginReadData()|: Begins a two-phase read from the data pipe consumer
-// given by |data_pipe_consumer_handle|. On success, |*buffer| will be a pointer
-// from which the caller can read |*buffer_num_bytes| bytes of data. There are
+// given by |data_pipe_consumer_handle| (which must have the
+// |MOJO_HANDLE_RIGHT_READ| right). On success, |*buffer| will be a pointer from
+// which the caller can read |*buffer_num_bytes| bytes of data. There are
// currently no valid flags, so |flags| must be |MOJO_READ_DATA_FLAG_NONE|.
//
// During a two-phase read, |data_pipe_consumer_handle| is *not* readable.
@@ -417,6 +445,8 @@
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
// |data_pipe_consumer_handle| is not a handle to a data pipe consumer,
// or |flags| has invalid flags set).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_READ| right.
// |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe producer handle has been
// closed.
// |MOJO_RESULT_BUSY| if |data_pipe_consumer_handle| is currently in use in
@@ -432,11 +462,11 @@
MojoReadDataFlags flags); // In.
// |MojoEndReadData()|: Ends a two-phase read from the data pipe consumer given
-// by |data_pipe_consumer_handle| that was begun by a call to
-// |MojoBeginReadData()| on the same handle. |num_bytes_read| should indicate
-// the amount of data actually read; it must be less than or equal to the value
-// of |*buffer_num_bytes| output by |MojoBeginReadData()| and must be a multiple
-// of the element size.
+// by |data_pipe_consumer_handle| (which must have the |MOJO_HANDLE_RIGHT_READ|
+// right) that was begun by a call to |MojoBeginReadData()| on the same handle.
+// |num_bytes_read| should indicate the amount of data actually read; it must be
+// less than or equal to the value of |*buffer_num_bytes| output by
+// |MojoBeginReadData()| and must be a multiple of the element size.
//
// On failure, the two-phase read (if any) is ended (so the handle may become
// readable again) but no data is "removed" from the data pipe.
@@ -447,6 +477,8 @@
// |data_pipe_consumer_handle| is not a handle to a data pipe consumer or
// |num_bytes_written| is greater than the maximum value provided by
// |MojoBeginReadData()| or not a multiple of the element size).
+// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not
+// have the |MOJO_HANDLE_RIGHT_READ| right.
// |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe consumer is not in a
// two-phase read (e.g., |MojoBeginReadData()| was not called or
// |MojoEndReadData()| has already been called).
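Review bot: The `MOJO_RESULT_INVALID_ARGUMENT` entry just above the added lines names `|num_bytes_written|`, but this is the `MojoEndReadData()` comment and the hunk at -432 calls the parameter `|num_bytes_read|`. The commit already fixes the same kind of slip in the `MojoWriteData()` list (`data_pipe_producer_dispatcher` to `data_pipe_producer_handle`), so this one is worth correcting too: `// |num_bytes_read| is greater than the maximum value provided by`. The comment block starts before the hunk.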
diff --git a/mojo/public/c/system/handle.h b/mojo/public/c/system/handle.h
index dbedd4a..096a248 100644
--- a/mojo/public/c/system/handle.h
+++ b/mojo/public/c/system/handle.h
@@ -33,8 +33,8 @@
// message).
// |MOJO_HANDLE_RIGHT_WRITE| - Right to "write" to the handle (e.g., write a
// message).
-// |MOJO_HANDLE_RIGHT_EXECUTE| - Right to "execute" using the handle (e.g.,
-// map a buffer as executable code).
+// |MOJO_HANDLE_RIGHT_GET_OPTIONS| - Right to get a handle's options.
+// |MOJO_HANDLE_RIGHT_SET_OPTIONS| - Right to set a handle's options.
//
// TODO(vtl): Add rights support/checking to existing handle types.
@@ -45,7 +45,8 @@
#define MOJO_HANDLE_RIGHT_TRANSFER ((MojoHandleRights)1 << 1)
#define MOJO_HANDLE_RIGHT_READ ((MojoHandleRights)1 << 2)
#define MOJO_HANDLE_RIGHT_WRITE ((MojoHandleRights)1 << 3)
-#define MOJO_HANDLE_RIGHT_EXECUTE ((MojoHandleRights)1 << 4)
+#define MOJO_HANDLE_RIGHT_GET_OPTIONS ((MojoHandleRights)1 << 4)
+#define MOJO_HANDLE_RIGHT_SET_OPTIONS ((MojoHandleRights)1 << 5)
// |MojoHandleSignals|: Used to specify signals that can be waited on for a
// handle (and which can be triggered), e.g., the ability to read or write to
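Review bot: `MOJO_HANDLE_RIGHT_GET_OPTIONS` takes over `((MojoHandleRights)1 << 4)`, the value `MOJO_HANDLE_RIGHT_EXECUTE` held until this commit, so a rights mask built against the old public header would be read as granting get-options instead of being rejected. Whether any rights value crosses a process or binary boundary is not visible in this diff. If one can, retiring the bit is safer: `#define MOJO_HANDLE_RIGHT_GET_OPTIONS ((MojoHandleRights)1 << 5)` and `#define MOJO_HANDLE_RIGHT_SET_OPTIONS ((MojoHandleRights)1 << 6)`. If the reuse is intended, a comment such as `// Bit 4 was MOJO_HANDLE_RIGHT_EXECUTE before it was removed.` next to the defines would record it.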
diff --git a/mojo/public/c/system/message_pipe.h b/mojo/public/c/system/message_pipe.h
index cc57d8c..ea3dcc3 100644
--- a/mojo/public/c/system/message_pipe.h
+++ b/mojo/public/c/system/message_pipe.h
@@ -63,7 +63,10 @@
// |options| may be set to null for a message pipe with the default options.
//
// On success, |*message_pipe_handle0| and |*message_pipe_handle1| are set to
-// handles for the two endpoints (ports) for the message pipe.
+// handles for the two endpoints (ports) for the message pipe. Both handles have
+// (at least) the following rights: |MOJO_HANDLE_RIGHT_TRANSFER|,
+// |MOJO_HANDLE_RIGHT_READ|, |MOJO_HANDLE_RIGHT_WRITE|,
+// |MOJO_HANDLE_RIGHT_GET_OPTIONS|, and |MOJO_HANDLE_RIGHT_SET_OPTIONS|.
//
// Returns:
// |MOJO_RESULT_OK| on success.
@@ -78,22 +81,25 @@
MojoHandle* MOJO_RESTRICT message_pipe_handle1); // Out.
// |MojoWriteMessage()|: Writes a message to the message pipe endpoint given by
-// |message_pipe_handle|, with message data specified by |bytes| of size
-// |num_bytes| and attached handles specified by |handles| of count
-// |num_handles|, and options specified by |flags|. If there is no message data,
-// |bytes| may be null, in which case |num_bytes| must be zero. If there are no
-// attached handles, |handles| may be null, in which case |num_handles| must be
-// zero.
+// |message_pipe_handle| (which must have the |MOJO_HANDLE_RIGHT_WRITE| right),
+// with message data specified by |bytes| of size |num_bytes| and attached
+// handles specified by |handles| of count |num_handles|, and options specified
+// by |flags|. If there is no message data, |bytes| may be null, in which case
+// |num_bytes| must be zero. If there are no attached handles, |handles| may be
+// null, in which case |num_handles| must be zero.
//
// If handles are attached, on success the handles will no longer be valid (the
// receiver will receive equivalent, but logically different, handles). Handles
-// to be sent should not be in simultaneous use (e.g., on another thread).
+// to be sent should not be in simultaneous use (e.g., on another thread). On
+// failure, any handles to be attached will remain valid.
//
// Returns:
// |MOJO_RESULT_OK| on success (i.e., the message was enqueued).
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., if
// |message_pipe_handle| is not a valid handle, or some of the
// requirements above are not satisfied).
+// |MOJO_RESULT_PERMISSION_DENIED| if |message_pipe_handle| does not have the
+// |MOJO_HANDLE_RIGHT_WRITE| right.
// |MOJO_RESULT_RESOURCE_EXHAUSTED| if some system limit has been reached, or
// the number of handles to send is too large (TODO(vtl): reconsider the
// latter case).
@@ -116,12 +122,13 @@
uint32_t num_handles, // In.
MojoWriteMessageFlags flags); // In.
-// |MojoReadMessage()|: Reads the next message from a message pipe, or indicates
-// the size of the message if it cannot fit in the provided buffers. The message
-// will be read in its entirety or not at all; if it is not, it will remain
-// enqueued unless the |MOJO_READ_MESSAGE_FLAG_MAY_DISCARD| flag was passed. At
-// most one message will be consumed from the queue, and the return value will
-// indicate whether a message was successfully read.
+// |MojoReadMessage()|: Reads the next message from the message pipe endpoint
+// given by |message_pipe_handle| (which must have the |MOJO_HANDLE_RIGHT_READ|
+// right) or indicates the size of the message if it cannot fit in the provided
+// buffers. The message will be read in its entirety or not at all; if it is
+// not, it will remain enqueued unless the |MOJO_READ_MESSAGE_FLAG_MAY_DISCARD|
+// flag was passed. At most one message will be consumed from the queue, and the
+// return value will indicate whether a message was successfully read.
//
// |num_bytes| and |num_handles| are optional in/out parameters that on input
// must be set to the sizes of the |bytes| and |handles| arrays, and on output
@@ -140,6 +147,8 @@
// |MOJO_RESULT_OK| on success (i.e., a message was actually read).
// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid.
// |MOJO_RESULT_FAILED_PRECONDITION| if the other endpoint has been closed.
+// |MOJO_RESULT_PERMISSION_DENIED| if |message_pipe_handle| does not have the
+// |MOJO_HANDLE_RIGHT_READ| right.
// |MOJO_RESULT_RESOURCE_EXHAUSTED| if the message was too large to fit in the
// provided buffer(s). The message will have been left in the queue or
// discarded, depending on flags.
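Review bot: In the `MojoReadMessage()` return list the new `MOJO_RESULT_PERMISSION_DENIED` entry sits after `MOJO_RESULT_FAILED_PRECONDITION`, while every other list touched by this commit puts it directly after `MOJO_RESULT_INVALID_ARGUMENT`. Moving it up keeps the lists uniform. If the rights check runs before the endpoint state is examined, as it does for the options calls in core.cc, that also matches the order in which the errors would be reported; the ordering for `MojoReadMessage()` itself is not visible in this diff. The comment block starts before the hunk.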