Map and eradicate uses of kernel addresses as IDs for userspace

[Jakub Jermář]

The kernel (still) intentionally leaks kernel addresses at various places in order to provide identifiers to userspace.

In the past it used to identify calls this way, but this behavior has been replaced by using capabilities. There are still some other uses in other contexts that this ticket aims to map and eventually eradicate.

Note that using kernel addresses as userspace IDs is bad for two reasons:

1. leaking addresses of kernel objects represents a security risk and
2. kernel addresses use a global namespace (unlike task-local capability handles), so this precludes some light forms of virtualisation on the namespace-level

The following list enumerates the individual cases:

• ipc_forward sets phone_t *newphone in call->data.phone
• ipc_forward sets TASK->taskid (another global ID) in call->data.task_id
• _ipc_call_actions_internal sets phone_t *phone in call->data.phone
• _ipc_call_actions_internal sets caller->task_id in call->data.task_id
• sys_ipc_wait_for_call sets call->priv in call->data.phone
• event_enqueue sets TASK->taskid in call->data.task_id
• _ipc_answer_free_call sets TASK->taskid in call->data.task_id

[Jakub Jermář]

I address the phone hash part of the problem in ​PR 48.

[Jakub Jermář]

Commit 676900501376128cbb87ed9ea866e1bfbb52a5db stopped using kernel addresses as IDs. The task IDs and thread IDs are still global, but are not as bad as IDs derived directly from a kernel address. Moreover, they should naturally disappear with the kernel switching over to using capabilities for tasks and threads in the future. I feel I made this ticket justice.