| // Copyright 2019 The Fuchsia Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| library zx; |
| |
| @transport("Syscall") |
| closed protocol Job { |
| /// ## Summary |
| /// |
| /// Create a new job. |
| /// |
| /// ## Declaration |
| /// |
| /// ```c |
| /// #include <zircon/syscalls.h> |
| /// |
| /// zx_status_t zx_job_create(zx_handle_t parent_job, |
| /// uint32_t options, |
| /// zx_handle_t* out); |
| /// ``` |
| /// |
| /// ## Description |
| /// |
| /// `zx_job_create()` creates a new child [job object](/docs/reference/kernel_objects/job.md) given a |
| /// parent job. |
| /// |
| /// Upon success a handle for the new job is returned. |
| /// |
| /// The kernel keeps track of and restricts the "height" of a job, which is its |
| /// distance from the root job. It is illegal to create a job under a parent whose |
| /// height exceeds an internal "max height" value. (It is, however, legal to create |
| /// a process under such a job.) |
| /// |
| /// Job handles may be waited on (TODO(cpu): expand this) |
| /// |
| /// ## Rights |
| /// |
| /// *parent_job* must be of type `ZX_OBJ_TYPE_JOB` and have `ZX_RIGHT_MANAGE_JOB`. |
| /// |
| /// ## Return value |
| /// |
| /// `zx_job_create()` returns `ZX_OK` and a handle to the new job |
| /// (via *out*) on success. In the event of failure, a negative error value |
| /// is returned. |
| /// |
| /// ## Errors |
| /// |
| /// `ZX_ERR_BAD_HANDLE` *parent_job* is not a valid handle. |
| /// |
| /// `ZX_ERR_WRONG_TYPE` *parent_job* is not a job handle. |
| /// |
| /// `ZX_ERR_INVALID_ARGS` *options* is nonzero, or *out* is an invalid pointer. |
| /// |
| /// `ZX_ERR_ACCESS_DENIED` *parent_job* does not have the `ZX_RIGHT_WRITE` or |
| /// `ZX_RIGHT_MANAGE_JOB` right. |
| /// |
| /// `ZX_ERR_OUT_OF_RANGE` The height of *parent_job* is too large to create a child job. |
| /// |
| /// `ZX_ERR_NO_MEMORY` Failure due to lack of memory. |
| /// There is no good way for userspace to handle this (unlikely) error. |
| /// In a future build this error will no longer occur. |
| /// |
| /// `ZX_ERR_BAD_STATE` The parent job object is in the dead state. |
| /// |
| /// ## See also |
| /// |
| /// - [`zx_object_get_property()`] |
| /// - [`zx_process_create()`] |
| /// - [`zx_task_kill()`] |
| /// |
| /// [`zx_object_get_property()`]: object_get_property.md |
| /// [`zx_process_create()`]: process_create.md |
| /// [`zx_task_kill()`]: task_kill.md |
| strict Create(resource struct { |
| parent_job Handle:JOB; |
| options uint32; |
| }) -> (resource struct { |
| out Handle:JOB; |
| }) error Status; |
| |
| /// ## Summary |
| /// |
| /// Set job security and resource policies. |
| /// |
| /// ## Declaration |
| /// |
| /// ```c |
| /// #include <zircon/syscalls.h> |
| /// |
| /// zx_status_t zx_job_set_policy(zx_handle_t handle, |
| /// uint32_t options, |
| /// uint32_t topic, |
| /// const void* policy, |
| /// uint32_t policy_size); |
| /// ``` |
| /// |
| /// ## Description |
| /// |
| /// Sets one or more security and/or resource policies to an empty job. The job's |
| /// effective policies is the combination of the parent's effective policies and |
| /// the policies specified in *policy*. The effect in the case of conflict between |
| /// the existing policies and the new policies is controlled by *options* values: |
| /// |
| /// + `ZX_JOB_POL_RELATIVE` : policy is applied for the conditions not specifically |
| /// overridden by the parent policy. |
| /// + `ZX_JOB_POL_ABSOLUTE` : policy is applied for all conditions in *policy* or |
| /// the syscall fails. |
| /// |
| /// After this call succeeds any new child process or child job will have the new |
| /// effective policy applied to it. |
| /// |
| /// *topic* indicates the *policy* format. Supported values are `ZX_JOB_POL_BASIC_V1`, |
| /// `ZX_JOB_POL_BASIC_V2` and `ZX_JOB_POL_TIMER_SLACK`. |
| /// |
| /// ### `ZX_JOB_POL_BASIC_V2 and V1` |
| /// |
| /// A *topic* of `ZX_JOB_POL_BASIC_V2` indicates that *policy* is an array of *count* |
| /// entries of: |
| /// |
| /// ``` |
| /// typedef struct zx_policy_basic { |
| /// uint32_t condition; |
| /// uint32_t action; |
| /// uint32_t flags; |
| /// } zx_policy_basic_v2_t; |
| /// |
| /// ``` |
| /// |
| /// A *topic* of `ZX_JOB_POL_BASIC_V1` indicates that *policy* is an array of *count* |
| /// entries of: |
| /// |
| /// ``` |
| /// // Deprecated. Use zx_policy_basic_v2_t. |
| /// typedef struct zx_policy_basic { |
| /// uint32_t condition; |
| /// uint32_t policy; |
| /// } zx_policy_basic_v1_t; |
| /// |
| /// ``` |
| /// |
| /// Where *condition* is one of |
| /// |
| /// + `ZX_POL_BAD_HANDLE` a process under this job is attempting to |
| /// issue a syscall with an invalid handle. In this case, |
| /// `ZX_POL_ACTION_ALLOW` and `ZX_POL_ACTION_DENY` are equivalent: |
| /// if the syscall returns, it will always return the error |
| /// `ZX_ERR_BAD_HANDLE`. |
| /// + `ZX_POL_WRONG_OBJECT` a process under this job is attempting to |
| /// issue a syscall with a handle that does not support such operation. |
| /// + `ZX_POL_VMAR_WX` a process under this job is attempting to map an |
| /// address region with write-execute access. |
| /// + `ZX_POL_NEW_VMO` a process under this job is attempting to create |
| /// a new vm object. |
| /// + `ZX_POL_NEW_CHANNEL` a process under this job is attempting to create |
| /// a new channel. |
| /// + `ZX_POL_NEW_EVENT` a process under this job is attempting to create |
| /// a new event. |
| /// + `ZX_POL_NEW_EVENTPAIR` a process under this job is attempting to create |
| /// a new event pair. |
| /// + `ZX_POL_NEW_PORT` a process under this job is attempting to create |
| /// a new port. |
| /// + `ZX_POL_NEW_SOCKET` a process under this job is attempting to create |
| /// a new socket. |
| /// + `ZX_POL_NEW_FIFO` a process under this job is attempting to create |
| /// a new fifo. |
| /// + `ZX_POL_NEW_TIMER` a process under this job is attempting to create |
| /// a new timer. |
| /// + `ZX_POL_NEW_PROCESS` a process under this job is attempting to create |
| /// a new process. |
| /// + `ZX_POL_NEW_PROFILE` a process under this job is attempting to create |
| /// a new profile. |
| /// + `ZX_POL_NEW_PAGER` a process under this job is attempting to create |
| /// a new VMO pager. |
| /// + `ZX_POL_AMBIENT_MARK_VMO_EXEC` a process under this job is attempting |
| /// to use [`zx_vmo_replace_as_executable()`] with a `ZX_HANDLE_INVALID` |
| /// as the second argument rather than a valid `ZX_RSRC_KIND_SYSTEM` resource with base |
| /// `ZX_RSRC_SYSTEM_VMEX_BASE`. |
| /// + `ZX_POL_NEW_ANY` is a special *condition* that stands for all of |
| /// the above `ZX_NEW` conditions such as `ZX_POL_NEW_VMO`, |
| /// `ZX_POL_NEW_CHANNEL`, `ZX_POL_NEW_EVENT`, `ZX_POL_NEW_EVENTPAIR`, |
| /// `ZX_POL_NEW_PORT`, `ZX_POL_NEW_SOCKET`, `ZX_POL_NEW_FIFO`, |
| /// and any future `ZX_NEW` policy. This will include any new |
| /// kernel objects that do not require a parent object for creation. |
| /// + `ZX_POL_NEW_IOB` a process under this job is attempting to create |
| /// a new IOBuffer. |
| /// |
| /// Where *policy* for `ZX_JOB_POL_BASIC_V1` or *action* for `ZX_JOB_POL_BASIC_V2` |
| /// is one of |
| /// |
| /// + `ZX_POL_ACTION_ALLOW` allow *condition*. |
| /// + `ZX_POL_ACTION_DENY` prevent *condition*. |
| /// + `ZX_POL_ACTION_ALLOW_EXCEPTION` generate an exception via the debug port. |
| /// An exception generated this way acts as a breakpoint. The thread may be |
| /// resumed after the exception. Once resumed, the *condition* triggering the |
| /// exception will be allowed to complete as if no policy violation occurred. |
| /// + `ZX_POL_ACTION_DENY_EXCEPTION` just like `ZX_POL_ACTION_ALLOW_EXCEPTION`, |
| /// but after resuming, the *condition* will be denied, usually resulting in |
| /// `ZX_ERR_ACCESS_DENIED`. |
| /// + `ZX_POL_ACTION_KILL` terminate the process. |
| /// |
| /// Where *flags* is one of |
| /// |
| /// + `ZX_POL_OVERRIDE_ALLOW` Allow to change this policy on child Jobs. |
| /// + `ZX_POL_OVERRIDE_DENY` Don't allow to change this policy on child jobs. |
| /// |
| /// Regardless of the override mode, as long a Job has any children its policy cannot |
| /// be mutated. |
| /// |
| /// ### `ZX_JOB_POL_TIMER_SLACK` |
| /// |
| /// A *topic* of `ZX_JOB_POL_TIMER_SLACK` indicates that *policy* is: |
| /// |
| /// ``` |
| /// typedef struct zx_policy_timer_slack { |
| /// zx_duration_t min_slack; |
| /// uint32_t default_mode; |
| /// } zx_policy_timer_slack_t; |
| /// |
| /// ``` |
| /// |
| /// *min_slack* specifies the minimum amount of slack applied to timers and |
| /// deadline-based events created by the job. |
| /// |
| /// If the parent job's *min_slack* is greater than the specified *min_slack* then |
| /// the parent job's value is used instead. In other words, a job's *min_slack* is |
| /// the maximum of the specified value and its parent job's *min_slack*. |
| /// |
| /// *default_mode* specifies how slack will be applied when not otherwise indicated |
| /// by the syscall arguments. A job's *default_mode* may be set regardless of its |
| /// parent job's *default_mode*. The possible values for *default_mode* are: |
| /// |
| /// + `ZX_TIMER_SLACK_CENTER` |
| /// + `ZX_TIMER_SLACK_EARLY` |
| /// + `ZX_TIMER_SLACK_LATE` |
| /// |
| /// See [timer slack](/docs/concepts/kernel/timer_slack.md) for more information. |
| /// |
| /// When setting timer slack policy, *options* must be `ZX_JOB_POL_RELATIVE` and |
| /// `count` must be 1. |
| /// |
| /// ## Rights |
| /// |
| /// *handle* must be of type `ZX_OBJ_TYPE_JOB` and have `ZX_RIGHT_SET_POLICY`. |
| /// |
| /// ## Return value |
| /// |
| /// `zx_job_set_policy()` returns `ZX_OK` on success. In the event of failure, |
| /// a negative error value is returned. |
| /// |
| /// ## Notes |
| /// |
| /// The `ZX_POL_BAD_HANDLE` policy never applies when calling [`zx_object_get_info()`] |
| /// with the topic `ZX_INFO_HANDLE_VALID`. All other topics and all other syscalls that |
| /// take handles are subject to the policy if active. |
| /// |
| /// ## Errors |
| /// |
| /// `ZX_ERR_INVALID_ARGS` *policy* was not a valid pointer, or *count* was 0, |
| /// or *policy* was not `ZX_JOB_POL_RELATIVE` or `ZX_JOB_POL_ABSOLUTE`, or |
| /// *topic* was not `ZX_JOB_POL_BASIC`. |
| /// |
| /// `ZX_ERR_BAD_HANDLE` *handle* is not valid handle. |
| /// |
| /// `ZX_ERR_WRONG_TYPE` *handle* is not a job handle. |
| /// |
| /// `ZX_ERR_ACCESS_DENIED` *handle* does not have `ZX_POL_RIGHT_SET` right. |
| /// |
| /// `ZX_ERR_BAD_STATE` the job has existing jobs or processes alive. |
| /// |
| /// `ZX_ERR_OUT_OF_RANGE` *count* is bigger than `ZX_POL_MAX` or *condition* is |
| /// bigger than `ZX_POL_MAX`. |
| /// |
| /// `ZX_ERR_ALREADY_EXISTS` existing policy conflicts with the new policy. |
| /// |
| /// `ZX_ERR_NOT_SUPPORTED` an entry in *policy* has an invalid value. |
| /// |
| /// `ZX_ERR_NO_MEMORY` Failure due to lack of memory. |
| /// There is no good way for userspace to handle this (unlikely) error. |
| /// In a future build this error will no longer occur. |
| /// |
| /// ## See also |
| /// |
| /// - [`zx_job_create()`] |
| /// - [`zx_object_get_info()`] |
| /// - [`zx_process_create()`] |
| /// |
| /// [`zx_job_create()`]: job_create.md |
| /// [`zx_object_get_info()`]: object_get_info.md |
| /// [`zx_process_create()`]: process_create.md |
| /// [`zx_vmo_replace_as_executable()`]: vmo_replace_as_executable.md |
| strict SetPolicy(resource struct { |
| handle Handle:JOB; |
| options uint32; |
| topic uint32; |
| @voidptr |
| @size32 |
| policy vector<byte>:MAX; |
| }) -> () error Status; |
| |
| /// ## Summary |
| /// |
| /// Set a process as critical to a job. |
| /// |
| /// ## Declaration |
| /// |
| /// ```c |
| /// #include <zircon/syscalls.h> |
| /// |
| /// zx_status_t zx_job_set_critical(zx_handle_t job, |
| /// uint32_t options, |
| /// zx_handle_t process); |
| /// ``` |
| /// |
| /// ## Description |
| /// |
| /// Sets *process* as critical to *job*. When *process* terminates, *job* will be |
| /// terminated as if [`zx_task_kill()`] was called on it. The return code used will |
| /// be `ZX_TASK_RETCODE_CRITICAL_PROCESS_KILL`. |
| /// |
| /// The *job* specified must be the parent of *process*, or an ancestor. |
| /// |
| /// If *options* is `ZX_JOB_CRITICAL_PROCESS_RETCODE_NONZERO`, then *job* will |
| /// only be terminated if *process* has a non-zero return code. |
| /// |
| /// ## Rights |
| /// |
| /// *job* must have `ZX_RIGHT_DESTROY`. |
| /// |
| /// *process* must have `ZX_RIGHT_WAIT`. |
| /// |
| /// ## Return value |
| /// |
| /// `zx_job_set_critical()` returns `ZX_OK` on success. In the event of failure, a |
| /// negative error value is returned. |
| /// |
| /// ## Errors |
| /// |
| /// `ZX_ERR_BAD_HANDLE` *job* or *process* is not a valid handle. |
| /// |
| /// `ZX_ERR_WRONG_TYPE` *job* or *process* is not a job handle. |
| /// |
| /// `ZX_ERR_INVALID_ARGS` *options* is not 0 or |
| /// `ZX_JOB_CRITICAL_PROCESS_RETCODE_NONZERO`, or *job* is not the parent of |
| /// *process*, or an ancestor. |
| /// |
| /// `ZX_ERR_ALREADY_BOUND` *process* has already been set as critical to a job. |
| /// |
| /// `ZX_ERR_ACCESS_DENIED` *job* does not have `ZX_RIGHT_DESTROY` or *process* |
| /// does not have `ZX_RIGHT_WAIT`. |
| /// |
| /// ## See also |
| /// |
| /// - [`zx_job_create()`] |
| /// - [`zx_process_create()`] |
| /// - [`zx_task_kill()`] |
| /// |
| /// [`zx_job_create()`]: job_create.md |
| /// [`zx_process_create()`]: process_create.md |
| /// [`zx_task_kill()`]: task_kill.md |
| strict SetCritical(resource struct { |
| job Handle:JOB; |
| options uint32; |
| process Handle:PROCESS; |
| }) -> () error Status; |
| }; |