Add rights for get/set options. Update message pipe and data pipe APIs. Rationale for having separate get/set options rights: Otherwise, you can control the abilities to read from a data pipe consumer and set its options independently, but the abilities to write to a data pipe producer and set its options are tied to a single right. Still to do separately: I still have to update docs for other APIs. Also, I can't really test these in a reasonable way until I've implemented MojoGetRights() and MojoReduceRights(). R=azani@chromium.org Review URL: https://codereview.chromium.org/1963053003 .
diff --git a/mojo/edk/system/core.cc b/mojo/edk/system/core.cc
index 1f2ba7e..a8c2007 100644
--- a/mojo/edk/system/core.cc
+++ b/mojo/edk/system/core.cc
@@ -441,7 +441,7 @@ UserPointer<const MojoDataPipeProducerOptions> options) { RefPtr<Dispatcher> dispatcher; MojoResult result = GetDispatcherAndCheckRights( - data_pipe_producer_handle, MOJO_HANDLE_RIGHT_WRITE, + data_pipe_producer_handle, MOJO_HANDLE_RIGHT_SET_OPTIONS, EntrypointClass::DATA_PIPE_PRODUCER, &dispatcher); if (result != MOJO_RESULT_OK) return result; @@ -455,7 +455,7 @@ uint32_t options_num_bytes) { RefPtr<Dispatcher> dispatcher; MojoResult result = GetDispatcherAndCheckRights( - data_pipe_producer_handle, MOJO_HANDLE_RIGHT_READ, + data_pipe_producer_handle, MOJO_HANDLE_RIGHT_GET_OPTIONS, EntrypointClass::DATA_PIPE_PRODUCER, &dispatcher); if (result != MOJO_RESULT_OK) return result; @@ -508,7 +508,7 @@ UserPointer<const MojoDataPipeConsumerOptions> options) { RefPtr<Dispatcher> dispatcher; MojoResult result = GetDispatcherAndCheckRights( - data_pipe_consumer_handle, MOJO_HANDLE_RIGHT_WRITE, + data_pipe_consumer_handle, MOJO_HANDLE_RIGHT_SET_OPTIONS, EntrypointClass::DATA_PIPE_CONSUMER, &dispatcher); if (result != MOJO_RESULT_OK) return result; @@ -522,7 +522,7 @@ uint32_t options_num_bytes) { RefPtr<Dispatcher> dispatcher; MojoResult result = GetDispatcherAndCheckRights( - data_pipe_consumer_handle, MOJO_HANDLE_RIGHT_READ, + data_pipe_consumer_handle, MOJO_HANDLE_RIGHT_GET_OPTIONS, EntrypointClass::DATA_PIPE_CONSUMER, &dispatcher); if (result != MOJO_RESULT_OK) return result;
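Review bot: Nothing in this commit exercises the failure path of these four entry points, so moving the check from `MOJO_HANDLE_RIGHT_WRITE`/`MOJO_HANDLE_RIGHT_READ` to the two options rights is an access-control change that lands untested; the description defers the tests until MojoGetRights() and MojoReduceRights() exist. A marker at the first call site would keep that gap visible in the code, for example `// TODO(vtl): Test the rights failure here once handle rights can be reduced.`. The same applies to the hunks at -455, -508 and -522. Each enclosing function begins and ends outside its hunk, so what happens after the `result` check is not visible here.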
diff --git a/mojo/edk/system/core_test_base.cc b/mojo/edk/system/core_test_base.cc
index d44c60c..ed98702 100644
--- a/mojo/edk/system/core_test_base.cc
+++ b/mojo/edk/system/core_test_base.cc
@@ -226,11 +226,11 @@ MojoHandle CoreTestBase::CreateMockHandle(CoreTestBase::MockHandleInfo* info) { CHECK(core_); auto dispatcher = MockDispatcher::Create(info); - MojoHandle rv = core_->AddHandle( - Handle(std::move(dispatcher), - MOJO_HANDLE_RIGHT_DUPLICATE | MOJO_HANDLE_RIGHT_TRANSFER | - MOJO_HANDLE_RIGHT_READ | MOJO_HANDLE_RIGHT_WRITE | - MOJO_HANDLE_RIGHT_EXECUTE)); + MojoHandle rv = core_->AddHandle(Handle( + std::move(dispatcher), + MOJO_HANDLE_RIGHT_DUPLICATE | MOJO_HANDLE_RIGHT_TRANSFER | + MOJO_HANDLE_RIGHT_READ | MOJO_HANDLE_RIGHT_WRITE | + MOJO_HANDLE_RIGHT_GET_OPTIONS | MOJO_HANDLE_RIGHT_SET_OPTIONS)); CHECK_NE(rv, MOJO_HANDLE_INVALID); return rv; }
diff --git a/mojo/edk/system/data_pipe_consumer_dispatcher.h b/mojo/edk/system/data_pipe_consumer_dispatcher.h
index a9c99c3..cee289b 100644
--- a/mojo/edk/system/data_pipe_consumer_dispatcher.h
+++ b/mojo/edk/system/data_pipe_consumer_dispatcher.h
@@ -23,7 +23,7 @@ // The default/standard rights for a data pipe consumer handle. static constexpr MojoHandleRights kDefaultHandleRights = MOJO_HANDLE_RIGHT_TRANSFER | MOJO_HANDLE_RIGHT_READ | - MOJO_HANDLE_RIGHT_WRITE; + MOJO_HANDLE_RIGHT_GET_OPTIONS | MOJO_HANDLE_RIGHT_SET_OPTIONS; static util::RefPtr<DataPipeConsumerDispatcher> Create() { return AdoptRef(new DataPipeConsumerDispatcher());
diff --git a/mojo/edk/system/data_pipe_producer_dispatcher.h b/mojo/edk/system/data_pipe_producer_dispatcher.h
index 415b756..a821ac6 100644
--- a/mojo/edk/system/data_pipe_producer_dispatcher.h
+++ b/mojo/edk/system/data_pipe_producer_dispatcher.h
@@ -22,8 +22,8 @@ public: // The default/standard rights for a data pipe consumer handle. static constexpr MojoHandleRights kDefaultHandleRights = - MOJO_HANDLE_RIGHT_TRANSFER | MOJO_HANDLE_RIGHT_READ | - MOJO_HANDLE_RIGHT_WRITE; + MOJO_HANDLE_RIGHT_TRANSFER | MOJO_HANDLE_RIGHT_WRITE | + MOJO_HANDLE_RIGHT_GET_OPTIONS | MOJO_HANDLE_RIGHT_SET_OPTIONS; static util::RefPtr<DataPipeProducerDispatcher> Create() { return AdoptRef(new DataPipeProducerDispatcher());
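Review bot: The comment above `kDefaultHandleRights` still says "data pipe consumer handle" although this is the producer dispatcher's header, and with this hunk the two defaults really do differ (the producer gets `MOJO_HANDLE_RIGHT_WRITE`, the consumer `MOJO_HANDLE_RIGHT_READ`). Because this constant decides what a freshly created handle is allowed to do, the comment should name the correct endpoint: `// The default/standard rights for a data pipe producer handle.`. The class body continues outside the hunk.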
diff --git a/mojo/edk/system/handle_unittest.cc b/mojo/edk/system/handle_unittest.cc
index e1022f5..8c630ed 100644
--- a/mojo/edk/system/handle_unittest.cc
+++ b/mojo/edk/system/handle_unittest.cc
@@ -123,6 +123,8 @@ EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_TRANSFER)); EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_READ)); EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_WRITE)); + EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_GET_OPTIONS)); + EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_SET_OPTIONS)); } { @@ -134,6 +136,8 @@ EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_TRANSFER)); EXPECT_TRUE(h.has_all_rights(MOJO_HANDLE_RIGHT_READ)); EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_WRITE)); + EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_GET_OPTIONS)); + EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_SET_OPTIONS)); EXPECT_TRUE( h.has_all_rights(MOJO_HANDLE_RIGHT_DUPLICATE | MOJO_HANDLE_RIGHT_READ)); @@ -142,6 +146,8 @@ MOJO_HANDLE_RIGHT_WRITE)); EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_DUPLICATE | MOJO_HANDLE_RIGHT_WRITE)); + EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_GET_OPTIONS | + MOJO_HANDLE_RIGHT_SET_OPTIONS)); EXPECT_EQ(MOJO_RESULT_OK, h.dispatcher->Close()); }
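Review bot: Every assertion added for the new rights is an `EXPECT_FALSE`, so these hunks only show that the bits are absent from handles that never had them; no visible case holds one of the new rights. A block that builds a handle with only `MOJO_HANDLE_RIGHT_GET_OPTIONS` would pin down that the two bits are independent: `EXPECT_TRUE(h.has_all_rights(MOJO_HANDLE_RIGHT_GET_OPTIONS));` and `EXPECT_FALSE(h.has_all_rights(MOJO_HANDLE_RIGHT_GET_OPTIONS | MOJO_HANDLE_RIGHT_SET_OPTIONS));`. The test function starts and ends outside the hunks, so such a case may already exist elsewhere in the file.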
diff --git a/mojo/edk/system/message_pipe_dispatcher.h b/mojo/edk/system/message_pipe_dispatcher.h
index 968e318..9921644 100644
--- a/mojo/edk/system/message_pipe_dispatcher.h
+++ b/mojo/edk/system/message_pipe_dispatcher.h
@@ -24,7 +24,8 @@ // The default/standard rights for a message pipe handle. static constexpr MojoHandleRights kDefaultHandleRights = MOJO_HANDLE_RIGHT_TRANSFER | MOJO_HANDLE_RIGHT_READ | - MOJO_HANDLE_RIGHT_WRITE; + MOJO_HANDLE_RIGHT_WRITE | MOJO_HANDLE_RIGHT_GET_OPTIONS | + MOJO_HANDLE_RIGHT_SET_OPTIONS; // The default options to use for |MojoCreateMessagePipe()|. (Real uses // should obtain this via |ValidateCreateOptions()| with a null |in_options|;
diff --git a/mojo/edk/system/shared_buffer_dispatcher.h b/mojo/edk/system/shared_buffer_dispatcher.h
index 0dd2fc0..70e2158 100644
--- a/mojo/edk/system/shared_buffer_dispatcher.h
+++ b/mojo/edk/system/shared_buffer_dispatcher.h
@@ -36,8 +36,7 @@ // duplicable by default. static constexpr MojoHandleRights kDefaultHandleRights = MOJO_HANDLE_RIGHT_DUPLICATE | MOJO_HANDLE_RIGHT_TRANSFER | - MOJO_HANDLE_RIGHT_READ | MOJO_HANDLE_RIGHT_WRITE | - MOJO_HANDLE_RIGHT_EXECUTE; + MOJO_HANDLE_RIGHT_READ | MOJO_HANDLE_RIGHT_WRITE; // The default options to use for |MojoCreateSharedBuffer()|. (Real uses // should obtain this via |ValidateCreateOptions()| with a null |in_options|;
diff --git a/mojo/public/c/system/data_pipe.h b/mojo/public/c/system/data_pipe.h
index 3cef5d4..994a12b 100644
--- a/mojo/public/c/system/data_pipe.h
+++ b/mojo/public/c/system/data_pipe.h
@@ -135,7 +135,12 @@ // // On success, |*data_pipe_producer_handle| will be set to the handle for the // producer and |*data_pipe_consumer_handle| will be set to the handle for the -// consumer. (On failure, they are not modified.) +// consumer. (On failure, they are not modified.) The producer handle will have +// (at least) the following rights: |MOJO_HANDLE_RIGHT_TRANSFER|, +// |MOJO_HANDLE_RIGHT_WRITE|, |MOJO_HANDLE_RIGHT_GET_OPTIONS|, and +// |MOJO_HANDLE_RIGHT_SET_OPTIONS|. The consumer handle will have (at least) the +// following rights: |MOJO_HANDLE_RIGHT_TRANSFER|, |MOJO_HANDLE_RIGHT_READ|, +// |MOJO_HANDLE_RIGHT_GET_OPTIONS|, and |MOJO_HANDLE_RIGHT_SET_OPTIONS| // // Returns: // |MOJO_RESULT_OK| on success. @@ -156,7 +161,8 @@ // from either handle as well. // |MojoSetDataPipeProducerOptions()|: Sets options for the data pipe producer -// handle |data_pipe_producer_handle|. +// handle |data_pipe_producer_handle| (which must have the +// |MOJO_HANDLE_RIGHT_SET_OPTIONS| right). // // |options| may be set to null to reset back to the default options. // @@ -169,6 +175,8 @@ // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., // |data_pipe_producer_handle| is not a valid data pipe producer handle or // |*options| is invalid). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not +// have the |MOJO_HANDLE_RIGHT_SET_OPTIONS| right. // |MOJO_RESULT_BUSY| if |data_pipe_producer_handle| is currently in use in // some transaction (that, e.g., may result in it being invalidated, such // as being sent in a message). 
@@ -177,9 +185,10 @@ const struct MojoDataPipeProducerOptions* options); // Optional in. // |MojoGetDataPipeProducerOptions()|: Gets options for the data pipe producer -// handle |data_pipe_producer_handle|. |options| should be non-null and point to -// a buffer of size |options_num_bytes|; |options_num_bytes| should be at least -// 8 (the size of the first, and currently only, version of +// handle |data_pipe_producer_handle| (which must have the +// |MOJO_HANDLE_RIGHT_GET_OPTIONS| right). |options| should be non-null and +// point to a buffer of size |options_num_bytes|; |options_num_bytes| should be +// at least 8 (the size of the first, and currently only, version of // |MojoDataPipeProducerOptions|). // // On success, |*options| will be filled with information about the given @@ -194,6 +203,8 @@ // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., // |data_pipe_producer_handle| is not a valid data pipe producer handle, // |*options| is null, or |options_num_bytes| is too small). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not +// have the |MOJO_HANDLE_RIGHT_GET_OPTIONS| right. // |MOJO_RESULT_BUSY| if |data_pipe_producer_handle| is currently in use in // some transaction (that, e.g., may result in it being invalidated, such // as being sent in a message). @@ -203,8 +214,9 @@ uint32_t options_num_bytes); // In. // |MojoWriteData()|: Writes the given data to the data pipe producer given by -// |data_pipe_producer_handle|. |elements| points to data of size |*num_bytes|; -// |*num_bytes| should be a multiple of the data pipe's element size. If +// |data_pipe_producer_handle| (which must have the |MOJO_HANDLE_RIGHT_WRITE| +// right). |elements| points to data of size |*num_bytes|; |*num_bytes| should +// be a multiple of the data pipe's element size. If // |MOJO_WRITE_DATA_FLAG_ALL_OR_NONE| is set in |flags|, either all the data // will be written or none is. // 
@@ -214,9 +226,10 @@ // Returns: // |MOJO_RESULT_OK| on success. // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., -// |data_pipe_producer_dispatcher| is not a handle to a data pipe -// producer or |*num_bytes| is not a multiple of the data pipe's element -// size). +// |data_pipe_producer_handle| is not a handle to a data pipe producer or +// |*num_bytes| is not a multiple of the data pipe's element size). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not +// have the |MOJO_HANDLE_RIGHT_WRITE| right. // |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe consumer handle has been // closed. // |MOJO_RESULT_OUT_OF_RANGE| if |flags| has @@ -238,8 +251,9 @@ MojoWriteDataFlags flags); // In. // |MojoBeginWriteData()|: Begins a two-phase write to the data pipe producer -// given by |data_pipe_producer_handle|. On success, |*buffer| will be a pointer -// to which the caller can write |*buffer_num_bytes| bytes of data. There are +// given by |data_pipe_producer_handle| (which must have the +// |MOJO_HANDLE_RIGHT_WRITE| right). On success, |*buffer| will be a pointer to +// which the caller can write |*buffer_num_bytes| bytes of data. There are // currently no flags allowed, so |flags| should be |MOJO_WRITE_DATA_FLAG_NONE|. // // During a two-phase write, |data_pipe_producer_handle| is *not* writable. @@ -257,6 +271,8 @@ // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., // |data_pipe_producer_handle| is not a handle to a data pipe producer or // flags has |MOJO_WRITE_DATA_FLAG_ALL_OR_NONE| set). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not +// have the |MOJO_HANDLE_RIGHT_WRITE| right. // |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe consumer handle has been // closed. // |MOJO_RESULT_BUSY| if |data_pipe_producer_handle| is currently in use in 
@@ -272,13 +288,13 @@ MojoWriteDataFlags flags); // In. // |MojoEndWriteData()|: Ends a two-phase write to the data pipe producer given -// by |data_pipe_producer_handle| that was begun by a call to -// |MojoBeginWriteData()| on the same handle. |num_bytes_written| should -// indicate the amount of data actually written; it must be less than or equal -// to the value of |*buffer_num_bytes| output by |MojoBeginWriteData()| and must -// be a multiple of the element size. The buffer given by |*buffer| from -// |MojoBeginWriteData()| must have been filled with exactly |num_bytes_written| -// bytes of data. +// by |data_pipe_producer_handle| (which must have the |MOJO_HANDLE_RIGHT_WRITE| +// right) that was begun by a call to |MojoBeginWriteData()| on the same handle. +// |num_bytes_written| should indicate the amount of data actually written; it +// must be less than or equal to the value of |*buffer_num_bytes| output by +// |MojoBeginWriteData()| and must be a multiple of the element size. The buffer +// given by |*buffer| from |MojoBeginWriteData()| must have been filled with +// exactly |num_bytes_written| bytes of data. // // On failure, the two-phase write (if any) is ended (so the handle may become // writable again, if there's space available) but no data written to |*buffer| @@ -290,6 +306,8 @@ // |data_pipe_producer_handle| is not a handle to a data pipe producer or // |num_bytes_written| is invalid (greater than the maximum value provided // by |MojoBeginWriteData()| or not a multiple of the element size). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_producer_handle| does not +// have the |MOJO_HANDLE_RIGHT_WRITE| right. // |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe producer is not in a // two-phase write (e.g., |MojoBeginWriteData()| was not called or // |MojoEndWriteData()| has already been called). 
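Review bot: The new `MOJO_RESULT_PERMISSION_DENIED` entry for |MojoEndWriteData()| sits under the unchanged statement "On failure, the two-phase write (if any) is ended", and the two probably disagree. If the rights check rejects the call before the dispatcher is reached, as the options entry points in core.cc do, the two-phase write would stay open and the handle would remain non-writable. The comment should say which failures end the two-phase write, for example by adding `(except for |MOJO_RESULT_INVALID_ARGUMENT| for a bad handle, |MOJO_RESULT_PERMISSION_DENIED| and |MOJO_RESULT_BUSY|)` after "On failure", once the implementation's behaviour is confirmed. The |MojoEndReadData()| comment further down has the same wording and the same new return value.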
@@ -300,7 +318,8 @@ uint32_t num_bytes_written); // In. // |MojoSetDataPipeConsumerOptions()|: Sets options for the data pipe consumer -// handle |data_pipe_consumer_handle|. +// handle |data_pipe_consumer_handle| (which must have the +// |MOJO_HANDLE_RIGHT_SET_OPTIONS| right). // // |options| may be set to null to reset back to the default options. // @@ -313,6 +332,8 @@ // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., // |data_pipe_consumer_handle| is not a valid data pipe consumer handle or // |*options| is invalid). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not +// have the |MOJO_HANDLE_RIGHT_SET_OPTIONS| right. // |MOJO_RESULT_BUSY| if |data_pipe_consumer_handle| is currently in use in // some transaction (that, e.g., may result in it being invalidated, such // as being sent in a message). @@ -321,9 +342,10 @@ const struct MojoDataPipeConsumerOptions* options); // Optional in. // |MojoGetDataPipeConsumerOptions()|: Gets options for the data pipe consumer -// handle |data_pipe_consumer_handle|. |options| should be non-null and point to -// a buffer of size |options_num_bytes|; |options_num_bytes| should be at least -// 8 (the size of the first, and currently only, version of +// handle |data_pipe_consumer_handle| (which must have the +// |MOJO_HANDLE_RIGHT_GET_OPTIONS| right). |options| should be non-null and +// point to a buffer of size |options_num_bytes|; |options_num_bytes| should be +// at least 8 (the size of the first, and currently only, version of // |MojoDataPipeConsumerOptions|). // // On success, |*options| will be filled with information about the given 
@@ -338,6 +360,8 @@ // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., // |data_pipe_consumer_handle| is not a valid data pipe consumer handle, // |*options| is null, or |options_num_bytes| is too small). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not +// have the |MOJO_HANDLE_RIGHT_GET_OPTIONS| right. // |MOJO_RESULT_BUSY| if |data_pipe_consumer_handle| is currently in use in // some transaction (that, e.g., may result in it being invalidated, such // as being sent in a message). @@ -347,8 +371,9 @@ uint32_t options_num_bytes); // In. // |MojoReadData()|: Reads data from the data pipe consumer given by -// |data_pipe_consumer_handle|. May also be used to discard data or query the -// amount of data available. +// |data_pipe_consumer_handle| (which must have the |MOJO_HANDLE_RIGHT_READ| +// right). May also be used to discard data or query the amount of data +// available. // // If |flags| has neither |MOJO_READ_DATA_FLAG_DISCARD| nor // |MOJO_READ_DATA_FLAG_QUERY| set, this tries to read up to |*num_bytes| (which @@ -379,6 +404,8 @@ // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., // |data_pipe_consumer_handle| is invalid, the combination of flags in // |flags| is invalid, etc.). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not +// have the |MOJO_HANDLE_RIGHT_READ| right. // |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe producer handle has been // closed and data (or the required amount of data) was not available to // be read or discarded. 
@@ -399,8 +426,9 @@ MojoReadDataFlags flags); // In. // |MojoBeginReadData()|: Begins a two-phase read from the data pipe consumer -// given by |data_pipe_consumer_handle|. On success, |*buffer| will be a pointer -// from which the caller can read |*buffer_num_bytes| bytes of data. There are +// given by |data_pipe_consumer_handle| (which must have the +// |MOJO_HANDLE_RIGHT_READ| right). On success, |*buffer| will be a pointer from +// which the caller can read |*buffer_num_bytes| bytes of data. There are // currently no valid flags, so |flags| must be |MOJO_READ_DATA_FLAG_NONE|. // // During a two-phase read, |data_pipe_consumer_handle| is *not* readable. @@ -417,6 +445,8 @@ // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., // |data_pipe_consumer_handle| is not a handle to a data pipe consumer, // or |flags| has invalid flags set). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not +// have the |MOJO_HANDLE_RIGHT_READ| right. // |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe producer handle has been // closed. // |MOJO_RESULT_BUSY| if |data_pipe_consumer_handle| is currently in use in 
@@ -432,11 +462,11 @@ MojoReadDataFlags flags); // In. // |MojoEndReadData()|: Ends a two-phase read from the data pipe consumer given -// by |data_pipe_consumer_handle| that was begun by a call to -// |MojoBeginReadData()| on the same handle. |num_bytes_read| should indicate -// the amount of data actually read; it must be less than or equal to the value -// of |*buffer_num_bytes| output by |MojoBeginReadData()| and must be a multiple -// of the element size. +// by |data_pipe_consumer_handle| (which must have the |MOJO_HANDLE_RIGHT_READ| +// right) that was begun by a call to |MojoBeginReadData()| on the same handle. +// |num_bytes_read| should indicate the amount of data actually read; it must be +// less than or equal to the value of |*buffer_num_bytes| output by +// |MojoBeginReadData()| and must be a multiple of the element size. // // On failure, the two-phase read (if any) is ended (so the handle may become // readable again) but no data is "removed" from the data pipe. @@ -447,6 +477,8 @@ // |data_pipe_consumer_handle| is not a handle to a data pipe consumer or // |num_bytes_written| is greater than the maximum value provided by // |MojoBeginReadData()| or not a multiple of the element size). +// |MOJO_RESULT_PERMISSION_DENIED| if |data_pipe_consumer_handle| does not +// have the |MOJO_HANDLE_RIGHT_READ| right. // |MOJO_RESULT_FAILED_PRECONDITION| if the data pipe consumer is not in a // two-phase read (e.g., |MojoBeginReadData()| was not called or // |MojoEndReadData()| has already been called).
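Review bot: The `MOJO_RESULT_INVALID_ARGUMENT` description for |MojoEndReadData()| in the second hunk still refers to `|num_bytes_written|`, while the first hunk's own text calls the parameter `|num_bytes_read|`. This commit already corrects a similar stale name in the |MojoWriteData()| comment, so it would be consistent to fix this one here as well: `// |num_bytes_read| is greater than the maximum value provided by`. The declaration itself lies outside the hunk.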
diff --git a/mojo/public/c/system/handle.h b/mojo/public/c/system/handle.h
index dbedd4a..096a248 100644
--- a/mojo/public/c/system/handle.h
+++ b/mojo/public/c/system/handle.h
@@ -33,8 +33,8 @@ // message). // |MOJO_HANDLE_RIGHT_WRITE| - Right to "write" to the handle (e.g., write a // message). -// |MOJO_HANDLE_RIGHT_EXECUTE| - Right to "execute" using the handle (e.g., -// map a buffer as executable code). +// |MOJO_HANDLE_RIGHT_GET_OPTIONS| - Right to get a handle's options. +// |MOJO_HANDLE_RIGHT_SET_OPTIONS| - Right to set a handle's options. // // TODO(vtl): Add rights support/checking to existing handle types. @@ -45,7 +45,8 @@ #define MOJO_HANDLE_RIGHT_TRANSFER ((MojoHandleRights)1 << 1) #define MOJO_HANDLE_RIGHT_READ ((MojoHandleRights)1 << 2) #define MOJO_HANDLE_RIGHT_WRITE ((MojoHandleRights)1 << 3) -#define MOJO_HANDLE_RIGHT_EXECUTE ((MojoHandleRights)1 << 4) +#define MOJO_HANDLE_RIGHT_GET_OPTIONS ((MojoHandleRights)1 << 4) +#define MOJO_HANDLE_RIGHT_SET_OPTIONS ((MojoHandleRights)1 << 5) // |MojoHandleSignals|: Used to specify signals that can be waited on for a // handle (and which can be triggered), e.g., the ability to read or write to
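Review bot: `MOJO_HANDLE_RIGHT_GET_OPTIONS` takes over the value `1 << 4` that `MOJO_HANDLE_RIGHT_EXECUTE` had, so a rights mask built against the old header with the execute bit set would now be read as granting get-options. Whether such masks can survive across a rebuild or a process boundary is not visible from this diff, but in a public C header it is safer to retire a bit than to recycle it: `#define MOJO_HANDLE_RIGHT_GET_OPTIONS ((MojoHandleRights)1 << 5)` and `#define MOJO_HANDLE_RIGHT_SET_OPTIONS ((MojoHandleRights)1 << 6)`, with a one-line comment that bit 4 is reserved. The removal of the execute right is also not mentioned in the commit description, which only speaks of adding rights, although shared_buffer_dispatcher.h drops it from the default rights as well; a sentence explaining why it is no longer needed would help whoever audits the rights model later.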
diff --git a/mojo/public/c/system/message_pipe.h b/mojo/public/c/system/message_pipe.h
index cc57d8c..ea3dcc3 100644
--- a/mojo/public/c/system/message_pipe.h
+++ b/mojo/public/c/system/message_pipe.h
@@ -63,7 +63,10 @@ // |options| may be set to null for a message pipe with the default options. // // On success, |*message_pipe_handle0| and |*message_pipe_handle1| are set to -// handles for the two endpoints (ports) for the message pipe. +// handles for the two endpoints (ports) for the message pipe. Both handles have +// (at least) the following rights: |MOJO_HANDLE_RIGHT_TRANSFER|, +// |MOJO_HANDLE_RIGHT_READ|, |MOJO_HANDLE_RIGHT_WRITE|, +// |MOJO_HANDLE_RIGHT_GET_OPTIONS|, and |MOJO_HANDLE_RIGHT_SET_OPTIONS|. // // Returns: // |MOJO_RESULT_OK| on success. 
@@ -78,22 +81,25 @@ MojoHandle* MOJO_RESTRICT message_pipe_handle1); // Out. // |MojoWriteMessage()|: Writes a message to the message pipe endpoint given by -// |message_pipe_handle|, with message data specified by |bytes| of size -// |num_bytes| and attached handles specified by |handles| of count -// |num_handles|, and options specified by |flags|. If there is no message data, -// |bytes| may be null, in which case |num_bytes| must be zero. If there are no -// attached handles, |handles| may be null, in which case |num_handles| must be -// zero. +// |message_pipe_handle| (which must have the |MOJO_HANDLE_RIGHT_WRITE| right), +// with message data specified by |bytes| of size |num_bytes| and attached +// handles specified by |handles| of count |num_handles|, and options specified +// by |flags|. If there is no message data, |bytes| may be null, in which case +// |num_bytes| must be zero. If there are no attached handles, |handles| may be +// null, in which case |num_handles| must be zero. // // If handles are attached, on success the handles will no longer be valid (the // receiver will receive equivalent, but logically different, handles). Handles -// to be sent should not be in simultaneous use (e.g., on another thread). +// to be sent should not be in simultaneous use (e.g., on another thread). On +// failure, any handles to be attached will remain valid. // // Returns: // |MOJO_RESULT_OK| on success (i.e., the message was enqueued). // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g., if // |message_pipe_handle| is not a valid handle, or some of the // requirements above are not satisfied). +// |MOJO_RESULT_PERMISSION_DENIED| if |message_pipe_handle| does not have the +// |MOJO_HANDLE_RIGHT_WRITE| right. // |MOJO_RESULT_RESOURCE_EXHAUSTED| if some system limit has been reached, or // the number of handles to send is too large (TODO(vtl): reconsider the // latter case). 
@@ -116,12 +122,13 @@ uint32_t num_handles, // In. MojoWriteMessageFlags flags); // In. -// |MojoReadMessage()|: Reads the next message from a message pipe, or indicates -// the size of the message if it cannot fit in the provided buffers. The message -// will be read in its entirety or not at all; if it is not, it will remain -// enqueued unless the |MOJO_READ_MESSAGE_FLAG_MAY_DISCARD| flag was passed. At -// most one message will be consumed from the queue, and the return value will -// indicate whether a message was successfully read. +// |MojoReadMessage()|: Reads the next message from the message pipe endpoint +// given by |message_pipe_handle| (which must have the |MOJO_HANDLE_RIGHT_READ| +// right) or indicates the size of the message if it cannot fit in the provided +// buffers. The message will be read in its entirety or not at all; if it is +// not, it will remain enqueued unless the |MOJO_READ_MESSAGE_FLAG_MAY_DISCARD| +// flag was passed. At most one message will be consumed from the queue, and the +// return value will indicate whether a message was successfully read. // // |num_bytes| and |num_handles| are optional in/out parameters that on input // must be set to the sizes of the |bytes| and |handles| arrays, and on output @@ -140,6 +147,8 @@ // |MOJO_RESULT_OK| on success (i.e., a message was actually read). // |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid. // |MOJO_RESULT_FAILED_PRECONDITION| if the other endpoint has been closed. +// |MOJO_RESULT_PERMISSION_DENIED| if |message_pipe_handle| does not have the +// |MOJO_HANDLE_RIGHT_READ| right. // |MOJO_RESULT_RESOURCE_EXHAUSTED| if the message was too large to fit in the // provided buffer(s). The message will have been left in the queue or // discarded, depending on flags.