Map and eradicate uses of kernel addresses as IDs for userspace

[Jakub Jermář]

The kernel (still) intentionally leaks kernel addresses at various places in order to provide identifiers to userspace.

In the past it used to identify calls this way, but this behavior has been replaced by using capabilities. There are still some other uses in other contexts that this ticket aims to map and eventually eradicate.

Note that using kernel addresses as userspace IDs is bad for two reasons:

1. leaking addresses of kernel objects represents a security risk and
2. kernel addresses use a global namespace (unlike task-local capability handles), so this precludes some light forms of virtualisation on the namespace-level

The following list enumerates the individual cases:

• ipc_forward sets phone_t *newphone in call→data.phone
• ipc_forward sets TASK→taskid (another global ID) in call→data.task_id
• _ipc_call_actions_internal sets phone_t *phone in call→data.phone
• _ipc_call_actions_internal sets caller→task_id in call→data.task_id
• sys_ipc_wait_for_call sets call→priv in call→data.phone
• event_enqueue sets TASK→taskid in call→data.task_id
• _ipc_answer_free_call sets TASK→taskid in call→data.task_id