]> git.saurik.com Git - apple/xnu.git/blob - bsd/kern/kern_exec.c
projects / apple / xnu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
xnu-1228.3.13.tar.gz
[apple/xnu.git] / bsd / kern / kern_exec.c
1 /*
2 * Copyright (c) 2000-2007 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /* Copyright (c) 1995 NeXT Computer, Inc. All Rights Reserved */
29 /*
30 * Mach Operating System
31 * Copyright (c) 1987 Carnegie-Mellon University
32 * All rights reserved. The CMU software License Agreement specifies
33 * the terms and conditions for use and redistribution.
34 */
35
36 #include <cputypes.h>
37
38 /*-
39 * Copyright (c) 1982, 1986, 1991, 1993
40 * The Regents of the University of California. All rights reserved.
41 * (c) UNIX System Laboratories, Inc.
42 * All or some portions of this file are derived from material licensed
43 * to the University of California by American Telephone and Telegraph
44 * Co. or Unix System Laboratories, Inc. and are reproduced herein with
45 * the permission of UNIX System Laboratories, Inc.
46 *
47 * Redistribution and use in source and binary forms, with or without
48 * modification, are permitted provided that the following conditions
49 * are met:
50 * 1. Redistributions of source code must retain the above copyright
51 * notice, this list of conditions and the following disclaimer.
52 * 2. Redistributions in binary form must reproduce the above copyright
53 * notice, this list of conditions and the following disclaimer in the
54 * documentation and/or other materials provided with the distribution.
55 * 3. All advertising materials mentioning features or use of this software
56 * must display the following acknowledgement:
57 * This product includes software developed by the University of
58 * California, Berkeley and its contributors.
59 * 4. Neither the name of the University nor the names of its contributors
60 * may be used to endorse or promote products derived from this software
61 * without specific prior written permission.
62 *
63 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
64 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
65 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
66 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
67 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
68 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
69 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
70 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
71 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
72 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
73 * SUCH DAMAGE.
74 *
75 * from: @(#)kern_exec.c 8.1 (Berkeley) 6/10/93
76 */
77 /*
78 * NOTICE: This file was modified by SPARTA, Inc. in 2005 to introduce
79 * support for mandatory and extensible security protections. This notice
80 * is included in support of clause 2.2 (b) of the Apple Public License,
81 * Version 2.0.
82 */
83 #include <machine/reg.h>
84
85 #include <sys/param.h>
86 #include <sys/systm.h>
87 #include <sys/filedesc.h>
88 #include <sys/kernel.h>
89 #include <sys/proc_internal.h>
90 #include <sys/kauth.h>
91 #include <sys/user.h>
92 #include <sys/socketvar.h>
93 #include <sys/malloc.h>
94 #include <sys/namei.h>
95 #include <sys/mount_internal.h>
96 #include <sys/vnode_internal.h>
97 #include <sys/file_internal.h>
98 #include <sys/stat.h>
99 #include <sys/uio_internal.h>
100 #include <sys/acct.h>
101 #include <sys/exec.h>
102 #include <sys/kdebug.h>
103 #include <sys/signal.h>
104 #include <sys/aio_kern.h>
105 #include <sys/sysproto.h>
106 #if SYSV_SHM
107 #include <sys/shm_internal.h> /* shmexec() */
108 #endif
109 #include <sys/ubc_internal.h> /* ubc_map() */
110 #include <sys/spawn.h>
111 #include <sys/spawn_internal.h>
112 #include <sys/codesign.h>
113
114 #include <bsm/audit_kernel.h>
115
116 #include <ipc/ipc_types.h>
117
118 #include <mach/mach_types.h>
119 #include <mach/task.h>
120 #include <mach/thread_act.h>
121 #include <mach/vm_map.h>
122 #include <mach/mach_vm.h>
123 #include <mach/vm_param.h>
124
125 #if CONFIG_MACF
126 #include <security/mac.h>
127 #include <security/mac_mach_internal.h>
128 #endif
129
130 #include <vm/vm_map.h>
131 #include <vm/vm_kern.h>
132 #include <vm/vm_protos.h>
133 #include <vm/vm_kern.h>
134
135 #if CONFIG_DTRACE
136 /* Do not include dtrace.h, it redefines kmem_[alloc/free] */
137 extern void (*dtrace_fasttrap_exec_ptr)(proc_t);
138 extern void (*dtrace_helpers_cleanup)(proc_t);
139 extern void dtrace_lazy_dofs_destroy(proc_t);
140
141 #include <sys/dtrace_ptss.h>
142 #endif
143
144 /* support for child creation in exec after vfork */
145 thread_t fork_create_child(task_t parent_task, proc_t child_proc, int inherit_memory, int is64bit);
146 void vfork_exit(proc_t p, int rv);
147 int setsigvec(proc_t, int, struct __user_sigaction *);
148
149 /*
150 * Mach things for which prototypes are unavailable from Mach headers
151 */
152 void ipc_task_reset(
153 task_t task);
154 void ipc_thread_reset(
155 thread_t thread);
156 kern_return_t ipc_object_copyin(
157 ipc_space_t space,
158 mach_port_name_t name,
159 mach_msg_type_name_t msgt_name,
160 ipc_object_t *objectp);
161 void ipc_port_release_send(ipc_port_t);
162
163 extern struct savearea *get_user_regs(thread_t);
164
165
166 #include <kern/thread.h>
167 #include <kern/task.h>
168 #include <kern/ast.h>
169 #include <kern/mach_loader.h>
170 #include <mach-o/fat.h>
171 #include <mach-o/loader.h>
172 #include <machine/vmparam.h>
173 #include <sys/imgact.h>
174
175 #include <sys/sdt.h>
176
177
178 /*
179 * SIZE_MAXPTR The maximum size of a user space pointer, in bytes
180 * SIZE_IMG_STRSPACE The available string space, minus two pointers; we
181 * define it interms of the maximum, since we don't
182 * know the pointer size going in, until after we've
183 * parsed the executable image.
184 */
185 #define SIZE_MAXPTR 8 /* 64 bits */
186 #define SIZE_IMG_STRSPACE (NCARGS - 2 * SIZE_MAXPTR)
187
188 /*
189 * EAI_ITERLIMIT The maximum number of times to iterate an image
190 * activator in exec_activate_image() before treating
191 * it as malformed/corrupt.
192 */
193 #define EAI_ITERLIMIT 10
194
195 extern vm_map_t bsd_pageable_map;
196 extern struct fileops vnops;
197
198 #define ROUND_PTR(type, addr) \
199 (type *)( ( (unsigned)(addr) + 16 - 1) \
200 & ~(16 - 1) )
201
202 struct image_params; /* Forward */
203 static int exec_activate_image(struct image_params *imgp);
204 static int exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp);
205 static int load_return_to_errno(load_return_t lrtn);
206 static int execargs_alloc(struct image_params *imgp);
207 static int execargs_free(struct image_params *imgp);
208 static int exec_check_permissions(struct image_params *imgp);
209 static int exec_extract_strings(struct image_params *imgp);
210 static int exec_handle_sugid(struct image_params *imgp);
211 static int sugid_scripts = 0;
212 SYSCTL_INT (_kern, OID_AUTO, sugid_scripts, CTLFLAG_RW, &sugid_scripts, 0, "");
213 static kern_return_t create_unix_stack(vm_map_t map, user_addr_t user_stack,
214 int customstack, proc_t p);
215 static int copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size);
216 static void exec_resettextvp(proc_t, struct image_params *);
217
218 /* We don't want this one exported */
219 __private_extern__
220 int open1(vfs_context_t, struct nameidata *, int, struct vnode_attr *, register_t *);
221
222 /*
223 * exec_add_string
224 *
225 * Add the requested string to the string space area.
226 *
227 * Parameters; struct image_params * image parameter block
228 * user_addr_t string to add to strings area
229 *
230 * Returns: 0 Success
231 * !0 Failure errno from copyinstr()
232 *
233 * Implicit returns:
234 * (imgp->ip_strendp) updated location of next add, if any
235 * (imgp->ip_strspace) updated byte count of space remaining
236 */
237 static int
238 exec_add_string(struct image_params *imgp, user_addr_t str)
239 {
240 int error = 0;
241
242 do {
243 size_t len = 0;
244 if (imgp->ip_strspace <= 0) {
245 error = E2BIG;
246 break;
247 }
248 if (IS_UIO_SYS_SPACE(imgp->ip_seg)) {
249 char *kstr = CAST_DOWN(char *,str); /* SAFE */
250 error = copystr(kstr, imgp->ip_strendp, imgp->ip_strspace, &len);
251 } else {
252 error = copyinstr(str, imgp->ip_strendp, imgp->ip_strspace,
253 &len);
254 }
255 imgp->ip_strendp += len;
256 imgp->ip_strspace -= len;
257 } while (error == ENAMETOOLONG);
258
259 return error;
260 }
261
262 /*
263 * exec_save_path
264 *
265 * To support new app package launching for Mac OS X, the dyld needs the
266 * first argument to execve() stored on the user stack.
267 *
268 * Save the executable path name at the top of the strings area and set
269 * the argument vector pointer to the location following that to indicate
270 * the start of the argument and environment tuples, setting the remaining
271 * string space count to the size of the string area minus the path length
272 * and a reserve for two pointers.
273 *
274 * Parameters; struct image_params * image parameter block
275 * char * path used to invoke program
276 * int segment from which path comes
277 *
278 * Returns: int 0 Success
279 * EFAULT Bad address
280 * copy[in]str:EFAULT Bad address
281 * copy[in]str:ENAMETOOLONG Filename too long
282 *
283 * Implicit returns:
284 * (imgp->ip_strings) saved path
285 * (imgp->ip_strspace) space remaining in ip_strings
286 * (imgp->ip_argv) beginning of argument list
287 * (imgp->ip_strendp) start of remaining copy area
288 *
289 * Note: We have to do this before the initial namei() since in the
290 * path contains symbolic links, namei() will overwrite the
291 * original path buffer contents. If the last symbolic link
292 * resolved was a relative pathname, we would lose the original
293 * "path", which could be an absolute pathname. This might be
294 * unacceptable for dyld.
295 */
296 static int
297 exec_save_path(struct image_params *imgp, user_addr_t path, int seg)
298 {
299 int error;
300 size_t len;
301 char *kpath = CAST_DOWN(char *,path); /* SAFE */
302
303 imgp->ip_strendp = imgp->ip_strings;
304 imgp->ip_strspace = SIZE_IMG_STRSPACE;
305
306 len = MIN(MAXPATHLEN, imgp->ip_strspace);
307
308 switch(seg) {
309 case UIO_USERSPACE32:
310 case UIO_USERSPACE64: /* Same for copyin()... */
311 error = copyinstr(path, imgp->ip_strings, len, &len);
312 break;
313 case UIO_SYSSPACE32:
314 error = copystr(kpath, imgp->ip_strings, len, &len);
315 break;
316 default:
317 error = EFAULT;
318 break;
319 }
320
321 if (!error) {
322 imgp->ip_strendp += len;
323 imgp->ip_strspace -= len;
324 imgp->ip_argv = imgp->ip_strendp;
325 }
326
327 return(error);
328 }
329
330 #ifdef IMGPF_POWERPC
331 /*
332 * exec_powerpc32_imgact
333 *
334 * Implicitly invoke the PowerPC handler for a byte-swapped image magic
335 * number. This may happen either as a result of an attempt to invoke a
336 * PowerPC image directly, or indirectly as the interpreter used in an
337 * interpreter script.
338 *
339 * Parameters; struct image_params * image parameter block
340 *
341 * Returns: -1 not an PowerPC image (keep looking)
342 * -3 Success: exec_archhandler_ppc: relookup
343 * >0 Failure: exec_archhandler_ppc: error number
344 *
345 * Note: This image activator does not handle the case of a direct
346 * invocation of the exec_archhandler_ppc, since in that case, the
347 * exec_archhandler_ppc itself is not a PowerPC binary; instead,
348 * binary image activators must recognize the exec_archhandler_ppc;
349 * This is managed in exec_check_permissions().
350 *
351 * Note: This image activator is limited to 32 bit powerpc images;
352 * if support for 64 bit powerpc images is desired, it would
353 * be more in line with this design to write a separate 64 bit
354 * image activator.
355 */
356 static int
357 exec_powerpc32_imgact(struct image_params *imgp)
358 {
359 struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
360 int error;
361 size_t len = 0;
362
363 /*
364 * Make sure it's a PowerPC binary. If we've already redirected
365 * from an interpreted file once, don't do it again.
366 */
367 if (mach_header->magic != MH_CIGAM) {
368 /*
369 * If it's a cross-architecture 64 bit binary, then claim
370 * it, but refuse to run it.
371 */
372 if (mach_header->magic == MH_CIGAM_64)
373 return (EBADARCH);
374 return (-1);
375 }
376
377 /* If there is no exec_archhandler_ppc, we can't run it */
378 if (exec_archhandler_ppc.path[0] == 0)
379 return (EBADARCH);
380
381 /* Remember the type of the original file for later grading */
382 if (!imgp->ip_origcputype) {
383 imgp->ip_origcputype =
384 OSSwapBigToHostInt32(mach_header->cputype);
385 imgp->ip_origcpusubtype =
386 OSSwapBigToHostInt32(mach_header->cpusubtype);
387 }
388
389 /*
390 * The PowerPC flag will be set by the exec_check_permissions()
391 * call anyway; however, we set this flag here so that the relookup
392 * in execve() does not follow symbolic links, as a side effect.
393 */
394 imgp->ip_flags |= IMGPF_POWERPC;
395
396 /* impute an interpreter */
397 error = copystr(exec_archhandler_ppc.path, imgp->ip_interp_name,
398 IMG_SHSIZE, &len);
399 if (error)
400 return (error);
401
402 /*
403 * provide a replacement string for p->p_comm; we have to use an
404 * an alternate buffer for this, rather than replacing it directly,
405 * since the exec may fail and return to the parent. In that case,
406 * we would have erroneously changed the parent p->p_comm instead.
407 */
408 strlcpy(imgp->ip_p_comm, imgp->ip_ndp->ni_cnd.cn_nameptr, MAXCOMLEN);
409
410 return (-3);
411 }
412 #endif /* IMGPF_POWERPC */
413
414
415 /*
416 * exec_shell_imgact
417 *
418 * Image activator for interpreter scripts. If the image begins with the
419 * characters "#!", then it is an interpreter script. Verify that we are
420 * not already executing in PowerPC mode, and that the length of the script
421 * line indicating the interpreter is not in excess of the maximum allowed
422 * size. If this is the case, then break out the arguments, if any, which
423 * are separated by white space, and copy them into the argument save area
424 * as if they were provided on the command line before all other arguments.
425 * The line ends when we encounter a comment character ('#') or newline.
426 *
427 * Parameters; struct image_params * image parameter block
428 *
429 * Returns: -1 not an interpreter (keep looking)
430 * -3 Success: interpreter: relookup
431 * >0 Failure: interpreter: error number
432 *
433 * A return value other than -1 indicates subsequent image activators should
434 * not be given the opportunity to attempt to activate the image.
435 */
436 static int
437 exec_shell_imgact(struct image_params *imgp)
438 {
439 char *vdata = imgp->ip_vdata;
440 char *ihp;
441 char *line_endp;
442 char *interp;
443 char temp[16];
444 proc_t p;
445 struct fileproc *fp;
446 int fd;
447 int error;
448 size_t len;
449
450 /*
451 * Make sure it's a shell script. If we've already redirected
452 * from an interpreted file once, don't do it again.
453 *
454 * Note: We disallow PowerPC, since the expectation is that we
455 * may run a PowerPC interpreter, but not an interpret a PowerPC
456 * image. This is consistent with historical behaviour.
457 */
458 if (vdata[0] != '#' ||
459 vdata[1] != '!' ||
460 (imgp->ip_flags & IMGPF_INTERPRET) != 0) {
461 return (-1);
462 }
463
464 #ifdef IMGPF_POWERPC
465 if ((imgp->ip_flags & IMGPF_POWERPC) != 0)
466 return (EBADARCH);
467 #endif /* IMGPF_POWERPC */
468
469 imgp->ip_flags |= IMGPF_INTERPRET;
470
471 /* Check to see if SUGID scripts are permitted. If they aren't then
472 * clear the SUGID bits.
473 * imgp->ip_vattr is known to be valid.
474 */
475 if (sugid_scripts == 0) {
476 imgp->ip_origvattr->va_mode &= ~(VSUID | VSGID);
477 }
478
479 /* Find the nominal end of the interpreter line */
480 for( ihp = &vdata[2]; *ihp != '\n' && *ihp != '#'; ihp++) {
481 if (ihp >= &vdata[IMG_SHSIZE])
482 return (ENOEXEC);
483 }
484
485 line_endp = ihp;
486 ihp = &vdata[2];
487 /* Skip over leading spaces - until the interpreter name */
488 while ( ihp < line_endp && ((*ihp == ' ') || (*ihp == '\t')))
489 ihp++;
490
491 /*
492 * Find the last non-whitespace character before the end of line or
493 * the beginning of a comment; this is our new end of line.
494 */
495 for (;line_endp > ihp && ((*line_endp == ' ') || (*line_endp == '\t')); line_endp--)
496 continue;
497
498 /* Empty? */
499 if (line_endp == ihp)
500 return (ENOEXEC);
501
502 /* copy the interpreter name */
503 interp = imgp->ip_interp_name;
504 while ((ihp < line_endp) && (*ihp != ' ') && (*ihp != '\t'))
505 *interp++ = *ihp++;
506 *interp = '\0';
507
508 exec_save_path(imgp, CAST_USER_ADDR_T(imgp->ip_interp_name),
509 UIO_SYSSPACE32);
510
511 ihp = &vdata[2];
512 while (ihp < line_endp) {
513 /* Skip leading whitespace before each argument */
514 while ((*ihp == ' ') || (*ihp == '\t'))
515 ihp++;
516
517 if (ihp >= line_endp)
518 break;
519
520 /* We have an argument; copy it */
521 while ((ihp < line_endp) && (*ihp != ' ') && (*ihp != '\t')) {
522 *imgp->ip_strendp++ = *ihp++;
523 imgp->ip_strspace--;
524 }
525 *imgp->ip_strendp++ = 0;
526 imgp->ip_strspace--;
527 imgp->ip_argc++;
528 }
529
530 /*
531 * If we have a SUID oder SGID script, create a file descriptor
532 * from the vnode and pass /dev/fd/%d instead of the actual
533 * path name so that the script does not get opened twice
534 */
535 if (imgp->ip_origvattr->va_mode & (VSUID | VSGID)) {
536 p = vfs_context_proc(imgp->ip_vfs_context);
537 error = falloc(p, &fp, &fd, imgp->ip_vfs_context);
538 if (error)
539 return(error);
540
541 fp->f_fglob->fg_flag = FREAD;
542 fp->f_fglob->fg_type = DTYPE_VNODE;
543 fp->f_fglob->fg_ops = &vnops;
544 fp->f_fglob->fg_data = (caddr_t)imgp->ip_vp;
545
546 proc_fdlock(p);
547 procfdtbl_releasefd(p, fd, NULL);
548 fp_drop(p, fd, fp, 1);
549 proc_fdunlock(p);
550 vnode_ref(imgp->ip_vp);
551
552 snprintf(temp, sizeof(temp), "/dev/fd/%d", fd);
553 error = copyoutstr(temp, imgp->ip_user_fname, sizeof(temp), &len);
554 if (error)
555 return(error);
556 }
557
558 return (-3);
559 }
560
561
562
563 /*
564 * exec_fat_imgact
565 *
566 * Image activator for fat 1.0 binaries. If the binary is fat, then we
567 * need to select an image from it internally, and make that the image
568 * we are going to attempt to execute. At present, this consists of
569 * reloading the first page for the image with a first page from the
570 * offset location indicated by the fat header.
571 *
572 * Parameters; struct image_params * image parameter block
573 *
574 * Returns: -1 not a fat binary (keep looking)
575 * -2 Success: encapsulated binary: reread
576 * >0 Failure: error number
577 *
578 * Important: This image activator is byte order neutral.
579 *
580 * Note: A return value other than -1 indicates subsequent image
581 * activators should not be given the opportunity to attempt
582 * to activate the image.
583 *
584 * If we find an encapsulated binary, we make no assertions
585 * about its validity; instead, we leave that up to a rescan
586 * for an activator to claim it, and, if it is claimed by one,
587 * that activator is responsible for determining validity.
588 */
589 static int
590 exec_fat_imgact(struct image_params *imgp)
591 {
592 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
593 kauth_cred_t cred = kauth_cred_proc_ref(p);
594 struct fat_header *fat_header = (struct fat_header *)imgp->ip_vdata;
595 struct _posix_spawnattr *psa = NULL;
596 struct fat_arch fat_arch;
597 int resid, error;
598 load_return_t lret;
599
600 /* Make sure it's a fat binary */
601 if ((fat_header->magic != FAT_MAGIC) &&
602 (fat_header->magic != FAT_CIGAM)) {
603 error = -1;
604 goto bad;
605 }
606
607 /* If posix_spawn binprefs exist, respect those prefs. */
608 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
609 if (psa != NULL && psa->psa_binprefs[0] != 0) {
610 struct fat_arch *arches = (struct fat_arch *) (fat_header + 1);
611 int nfat_arch = 0, pr = 0, f = 0;
612
613 nfat_arch = OSSwapBigToHostInt32(fat_header->nfat_arch);
614 /* Check each preference listed against all arches in header */
615 for (pr = 0; pr < NBINPREFS; pr++) {
616 cpu_type_t pref = psa->psa_binprefs[pr];
617 if (pref == 0) {
618 /* No suitable arch in the pref list */
619 error = EBADARCH;
620 goto bad;
621 }
622
623 if (pref == CPU_TYPE_ANY) {
624 /* Fall through to regular grading */
625 break;
626 }
627
628 for (f = 0; f < nfat_arch; f++) {
629 cpu_type_t archtype = OSSwapBigToHostInt32(
630 arches[f].cputype);
631 cpu_type_t archsubtype = OSSwapBigToHostInt32(
632 arches[f].cpusubtype) & ~CPU_SUBTYPE_MASK;
633 if (pref == archtype &&
634 grade_binary(archtype, archsubtype)) {
635 /* We have a winner! */
636 fat_arch.cputype = archtype;
637 fat_arch.cpusubtype = archsubtype;
638 fat_arch.offset = OSSwapBigToHostInt32(
639 arches[f].offset);
640 fat_arch.size = OSSwapBigToHostInt32(
641 arches[f].size);
642 fat_arch.align = OSSwapBigToHostInt32(
643 arches[f].align);
644 goto use_arch;
645 }
646 }
647 }
648 }
649
650 /* Look up our preferred architecture in the fat file. */
651 lret = fatfile_getarch_affinity(imgp->ip_vp,
652 (vm_offset_t)fat_header,
653 &fat_arch,
654 (p->p_flag & P_AFFINITY));
655 if (lret != LOAD_SUCCESS) {
656 error = load_return_to_errno(lret);
657 goto bad;
658 }
659
660 use_arch:
661 /* Read the Mach-O header out of fat_arch */
662 error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata,
663 PAGE_SIZE, fat_arch.offset,
664 UIO_SYSSPACE32, (IO_UNIT|IO_NODELOCKED),
665 cred, &resid, p);
666 if (error) {
667 goto bad;
668 }
669
670 /* Did we read a complete header? */
671 if (resid) {
672 error = EBADEXEC;
673 goto bad;
674 }
675
676 /* Success. Indicate we have identified an encapsulated binary */
677 error = -2;
678 imgp->ip_arch_offset = (user_size_t)fat_arch.offset;
679 imgp->ip_arch_size = (user_size_t)fat_arch.size;
680
681 bad:
682 kauth_cred_unref(&cred);
683 return (error);
684 }
685
686 /*
687 * exec_mach_imgact
688 *
689 * Image activator for mach-o 1.0 binaries.
690 *
691 * Parameters; struct image_params * image parameter block
692 *
693 * Returns: -1 not a fat binary (keep looking)
694 * -2 Success: encapsulated binary: reread
695 * >0 Failure: error number
696 * EBADARCH Mach-o binary, but with an unrecognized
697 * architecture
698 * ENOMEM No memory for child process after -
699 * can only happen after vfork()
700 *
701 * Important: This image activator is NOT byte order neutral.
702 *
703 * Note: A return value other than -1 indicates subsequent image
704 * activators should not be given the opportunity to attempt
705 * to activate the image.
706 *
707 * TODO: More gracefully handle failures after vfork
708 */
709 static int
710 exec_mach_imgact(struct image_params *imgp)
711 {
712 struct mach_header *mach_header = (struct mach_header *)imgp->ip_vdata;
713 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
714 int error = 0;
715 int vfexec = 0;
716 task_t task;
717 task_t new_task = NULL; /* protected by vfexec */
718 thread_t thread;
719 struct uthread *uthread;
720 vm_map_t old_map = VM_MAP_NULL;
721 vm_map_t map;
722 load_return_t lret;
723 load_result_t load_result;
724 struct _posix_spawnattr *psa = NULL;
725
726 /*
727 * make sure it's a Mach-O 1.0 or Mach-O 2.0 binary; the difference
728 * is a reserved field on the end, so for the most part, we can
729 * treat them as if they were identical.
730 */
731 if ((mach_header->magic != MH_MAGIC) &&
732 (mach_header->magic != MH_MAGIC_64)) {
733 error = -1;
734 goto bad;
735 }
736
737 switch (mach_header->filetype) {
738 case MH_DYLIB:
739 case MH_BUNDLE:
740 error = -1;
741 goto bad;
742 }
743
744 if (!imgp->ip_origcputype) {
745 imgp->ip_origcputype = mach_header->cputype;
746 imgp->ip_origcpusubtype = mach_header->cpusubtype;
747 }
748
749 task = current_task();
750 thread = current_thread();
751 uthread = get_bsdthread_info(thread);
752
753 if (uthread->uu_flag & UT_VFORK)
754 vfexec = 1; /* Mark in exec */
755
756 if ((mach_header->cputype & CPU_ARCH_ABI64) == CPU_ARCH_ABI64)
757 imgp->ip_flags |= IMGPF_IS_64BIT;
758
759 /* If posix_spawn binprefs exist, respect those prefs. */
760 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
761 if (psa != NULL && psa->psa_binprefs[0] != 0) {
762 int pr = 0;
763 for (pr = 0; pr < NBINPREFS; pr++) {
764 cpu_type_t pref = psa->psa_binprefs[pr];
765 if (pref == 0) {
766 /* No suitable arch in the pref list */
767 error = EBADARCH;
768 goto bad;
769 }
770
771 if (pref == CPU_TYPE_ANY) {
772 /* Jump to regular grading */
773 goto grade;
774 }
775
776 if (pref == imgp->ip_origcputype) {
777 /* We have a match! */
778 goto grade;
779 }
780 }
781 error = EBADARCH;
782 goto bad;
783 }
784 grade:
785 if (!grade_binary(imgp->ip_origcputype & ~CPU_SUBTYPE_LIB64,
786 imgp->ip_origcpusubtype & ~CPU_SUBTYPE_MASK)) {
787 error = EBADARCH;
788 goto bad;
789 }
790
791 /* Copy in arguments/environment from the old process */
792 error = exec_extract_strings(imgp);
793 if (error)
794 goto bad;
795
796 /*
797 * Hack for binary compatability; put three NULs on the end of the
798 * string area, and round it up to the next word boundary. This
799 * ensures padding with NULs to the boundary.
800 */
801 imgp->ip_strendp[0] = 0;
802 imgp->ip_strendp[1] = 0;
803 imgp->ip_strendp[2] = 0;
804 imgp->ip_strendp += (((imgp->ip_strendp - imgp->ip_strings) + NBPW-1) & ~(NBPW-1));
805
806 #ifdef IMGPF_POWERPC
807 /*
808 * XXX
809 *
810 * Should be factored out; this is here because we might be getting
811 * invoked this way as the result of a shell script, and the check
812 * in exec_check_permissions() is not interior to the jump back up
813 * to the "encapsulated_binary:" label in exec_activate_image().
814 */
815 if (imgp->ip_vattr->va_fsid == exec_archhandler_ppc.fsid &&
816 imgp->ip_vattr->va_fileid == (uint64_t)((u_long)exec_archhandler_ppc.fileid)) {
817 imgp->ip_flags |= IMGPF_POWERPC;
818 }
819 #endif /* IMGPF_POWERPC */
820
821 if (vfexec) {
822 imgp->ip_vfork_thread = fork_create_child(task, p, FALSE, (imgp->ip_flags & IMGPF_IS_64BIT));
823 if (imgp->ip_vfork_thread == NULL) {
824 error = ENOMEM;
825 goto bad;
826 }
827 /* reset local idea of thread, uthread, task */
828 thread = imgp->ip_vfork_thread;
829 uthread = get_bsdthread_info(thread);
830 task = new_task = get_threadtask(thread);
831 map = get_task_map(task);
832 } else {
833 map = VM_MAP_NULL;
834 }
835
836 /*
837 * We set these flags here; this is OK, since if we fail after
838 * this point, we have already destroyed the parent process anyway.
839 */
840 if (imgp->ip_flags & IMGPF_IS_64BIT) {
841 task_set_64bit(task, TRUE);
842 OSBitOrAtomic(P_LP64, (UInt32 *)&p->p_flag);
843 } else {
844 task_set_64bit(task, FALSE);
845 OSBitAndAtomic(~((uint32_t)P_LP64), (UInt32 *)&p->p_flag);
846 }
847
848 /*
849 * Load the Mach-O file.
850 */
851
852 /*
853 * NOTE: An error after this point indicates we have potentially
854 * destroyed or overwrote some process state while attempting an
855 * execve() following a vfork(), which is an unrecoverable condition.
856 */
857
858 /*
859 * We reset the task to 64-bit (or not) here. It may have picked up
860 * a new map, and we need that to reflect its true 64-bit nature.
861 */
862
863 task_set_64bit(task,
864 ((imgp->ip_flags & IMGPF_IS_64BIT) == IMGPF_IS_64BIT));
865
866 /*
867 * Actually load the image file we previously decided to load.
868 */
869 lret = load_machfile(imgp, mach_header, thread, map, &load_result);
870
871 if (lret != LOAD_SUCCESS) {
872 error = load_return_to_errno(lret);
873 goto badtoolate;
874 }
875
876 vm_map_set_user_wire_limit(get_task_map(task), p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur);
877
878 /*
879 * Set code-signing flags if this binary is signed, or if parent has
880 * requested them on exec.
881 */
882 if (load_result.csflags & CS_VALID) {
883 imgp->ip_csflags |= load_result.csflags &
884 (CS_VALID|
885 CS_HARD|CS_KILL|CS_EXEC_SET_HARD|CS_EXEC_SET_KILL);
886 } else {
887 imgp->ip_csflags &= ~CS_VALID;
888 }
889
890 if (p->p_csflags & CS_EXEC_SET_HARD)
891 imgp->ip_csflags |= CS_HARD;
892 if (p->p_csflags & CS_EXEC_SET_KILL)
893 imgp->ip_csflags |= CS_KILL;
894
895
896 /* load_machfile() maps the vnode */
897 (void)ubc_map(imgp->ip_vp, PROT_READ | PROT_EXEC);
898
899 /*
900 * Set up the system reserved areas in the new address space.
901 */
902 vm_map_exec(get_task_map(task),
903 task,
904 (void *) p->p_fd->fd_rdir,
905 #ifdef IMGPF_POWERPC
906 imgp->ip_flags & IMGPF_POWERPC ?
907 CPU_TYPE_POWERPC :
908 #endif
909 cpu_type());
910
911 /*
912 * Close file descriptors
913 * which specify close-on-exec.
914 */
915 fdexec(p);
916
917 /*
918 * deal with set[ug]id.
919 */
920 error = exec_handle_sugid(imgp);
921
922 proc_knote(p, NOTE_EXEC);
923
924 if (!vfexec && (p->p_lflag & P_LTRACED))
925 psignal(p, SIGTRAP);
926
927 if (error) {
928 goto badtoolate;
929 }
930
931 if (load_result.unixproc &&
932 create_unix_stack(get_task_map(task),
933 load_result.user_stack,
934 load_result.customstack,
935 p) != KERN_SUCCESS) {
936 error = load_return_to_errno(LOAD_NOSPACE);
937 goto badtoolate;
938 }
939
940 if (vfexec) {
941 old_map = vm_map_switch(get_task_map(task));
942 }
943
944 if (load_result.unixproc) {
945 user_addr_t ap;
946
947 /*
948 * Copy the strings area out into the new process address
949 * space.
950 */
951 ap = p->user_stack;
952 error = exec_copyout_strings(imgp, &ap);
953 if (error) {
954 if (vfexec)
955 vm_map_switch(old_map);
956 goto badtoolate;
957 }
958 /* Set the stack */
959 thread_setuserstack(thread, ap);
960 }
961
962 if (load_result.dynlinker) {
963 uint64_t ap;
964
965 /* Adjust the stack */
966 if (imgp->ip_flags & IMGPF_IS_64BIT) {
967 ap = thread_adjuserstack(thread, -8);
968 error = copyoutptr(load_result.mach_header, ap, 8);
969 } else {
970 ap = thread_adjuserstack(thread, -4);
971 error = suword(ap, load_result.mach_header);
972 }
973 if (error) {
974 if (vfexec)
975 vm_map_switch(old_map);
976 goto badtoolate;
977 }
978 }
979
980 if (vfexec) {
981 vm_map_switch(old_map);
982 }
983 /* Set the entry point */
984 thread_setentrypoint(thread, load_result.entry_point);
985
986 /* Stop profiling */
987 stopprofclock(p);
988
989 /*
990 * Reset signal state.
991 */
992 execsigs(p, thread);
993
994 /*
995 * need to cancel async IO requests that can be cancelled and wait for those
996 * already active. MAY BLOCK!
997 */
998 _aio_exec( p );
999
1000 #if SYSV_SHM
1001 /* FIXME: Till vmspace inherit is fixed: */
1002 if (!vfexec && p->vm_shm)
1003 shmexec(p);
1004 #endif
1005 #if SYSV_SEM
1006 /* Clean up the semaphores */
1007 semexit(p);
1008 #endif
1009
1010 /*
1011 * Remember file name for accounting.
1012 */
1013 p->p_acflag &= ~AFORK;
1014 /* If the translated name isn't NULL, then we want to use
1015 * that translated name as the name we show as the "real" name.
1016 * Otherwise, use the name passed into exec.
1017 */
1018 if (0 != imgp->ip_p_comm[0]) {
1019 bcopy((caddr_t)imgp->ip_p_comm, (caddr_t)p->p_comm,
1020 sizeof(p->p_comm));
1021 } else {
1022 if (imgp->ip_ndp->ni_cnd.cn_namelen > MAXCOMLEN)
1023 imgp->ip_ndp->ni_cnd.cn_namelen = MAXCOMLEN;
1024 bcopy((caddr_t)imgp->ip_ndp->ni_cnd.cn_nameptr, (caddr_t)p->p_comm,
1025 (unsigned)imgp->ip_ndp->ni_cnd.cn_namelen);
1026 p->p_comm[imgp->ip_ndp->ni_cnd.cn_namelen] = '\0';
1027 }
1028
1029 #if CONFIG_DTRACE
1030 /*
1031 * Invalidate any predicate evaluation already cached for this thread by DTrace.
1032 * That's because we've just stored to p_comm and DTrace refers to that when it
1033 * evaluates the "execname" special variable. uid and gid may have changed as well.
1034 */
1035 dtrace_set_thread_predcache(current_thread(), 0);
1036
1037 /*
1038 * Free any outstanding lazy dof entries. It is imperative we
1039 * always call dtrace_lazy_dofs_destroy, rather than null check
1040 * and call if !NULL. If we NULL test, during lazy dof faulting
1041 * we can race with the faulting code and proceed from here to
1042 * beyond the helpers cleanup. The lazy dof faulting will then
1043 * install new helpers which no longer belong to this process!
1044 */
1045 dtrace_lazy_dofs_destroy(p);
1046
1047
1048 /*
1049 * Clean up any DTrace helpers for the process.
1050 */
1051 if (p->p_dtrace_helpers != NULL && dtrace_helpers_cleanup) {
1052 (*dtrace_helpers_cleanup)(p);
1053 }
1054
1055 /*
1056 * Cleanup the DTrace provider associated with this process.
1057 */
1058 proc_lock(p);
1059 if (p->p_dtrace_probes && dtrace_fasttrap_exec_ptr) {
1060 (*dtrace_fasttrap_exec_ptr)(p);
1061 }
1062 proc_unlock(p);
1063 #endif
1064
1065 if (kdebug_enable) {
1066 long dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4;
1067
1068 /*
1069 * Collect the pathname for tracing
1070 */
1071 kdbg_trace_string(p, &dbg_arg1, &dbg_arg2, &dbg_arg3, &dbg_arg4);
1072
1073 if (vfexec) {
1074 KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE,
1075 p->p_pid ,0,0,0, (unsigned int)thread);
1076 KERNEL_DEBUG_CONSTANT1((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE,
1077 dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, (unsigned int)thread);
1078 } else {
1079 KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_DATA, 2)) | DBG_FUNC_NONE,
1080 p->p_pid ,0,0,0,0);
1081 KERNEL_DEBUG_CONSTANT((TRACEDBG_CODE(DBG_TRACE_STRING, 2)) | DBG_FUNC_NONE,
1082 dbg_arg1, dbg_arg2, dbg_arg3, dbg_arg4, 0);
1083 }
1084 }
1085
1086 #ifdef IMGPF_POWERPC
1087 /*
1088 * Mark the process as powerpc or not. If powerpc, set the affinity
1089 * flag, which will be used for grading binaries in future exec's
1090 * from the process.
1091 */
1092 if (((imgp->ip_flags & IMGPF_POWERPC) != 0))
1093 OSBitOrAtomic(P_TRANSLATED, (UInt32 *)&p->p_flag);
1094 else
1095 #endif /* IMGPF_POWERPC */
1096 OSBitAndAtomic(~((uint32_t)P_TRANSLATED), (UInt32 *)&p->p_flag);
1097 OSBitAndAtomic(~((uint32_t)P_AFFINITY), (UInt32 *)&p->p_flag);
1098
1099 /*
1100 * If posix_spawned with the START_SUSPENDED flag, stop the
1101 * process before it runs.
1102 */
1103 if (imgp->ip_px_sa != NULL) {
1104 psa = (struct _posix_spawnattr *) imgp->ip_px_sa;
1105 if (psa->psa_flags & POSIX_SPAWN_START_SUSPENDED) {
1106 proc_lock(p);
1107 p->p_stat = SSTOP;
1108 proc_unlock(p);
1109 (void) task_suspend(p->task);
1110 }
1111 }
1112
1113 /*
1114 * mark as execed, wakeup the process that vforked (if any) and tell
1115 * it that it now has it's own resources back
1116 */
1117 OSBitOrAtomic(P_EXEC, (UInt32 *)&p->p_flag);
1118 if (p->p_pptr && (p->p_lflag & P_LPPWAIT)) {
1119 proc_lock(p);
1120 p->p_lflag &= ~P_LPPWAIT;
1121 proc_unlock(p);
1122 wakeup((caddr_t)p->p_pptr);
1123 }
1124
1125 if (vfexec && (p->p_lflag & P_LTRACED)) {
1126 psignal_vfork(p, new_task, thread, SIGTRAP);
1127 }
1128
1129 badtoolate:
1130 if (vfexec) {
1131 task_deallocate(new_task);
1132 thread_deallocate(thread);
1133 if (error)
1134 error = 0;
1135 }
1136
1137 bad:
1138 return(error);
1139 }
1140
1141
1142
1143
1144 /*
1145 * Our image activator table; this is the table of the image types we are
1146 * capable of loading. We list them in order of preference to ensure the
1147 * fastest image load speed.
1148 *
1149 * XXX hardcoded, for now; should use linker sets
1150 */
1151 struct execsw {
1152 int (*ex_imgact)(struct image_params *);
1153 const char *ex_name;
1154 } execsw[] = {
1155 { exec_mach_imgact, "Mach-o Binary" },
1156 { exec_fat_imgact, "Fat Binary" },
1157 #ifdef IMGPF_POWERPC
1158 { exec_powerpc32_imgact, "PowerPC binary" },
1159 #endif /* IMGPF_POWERPC */
1160 { exec_shell_imgact, "Interpreter Script" },
1161 { NULL, NULL}
1162 };
1163
1164
1165 /*
1166 * exec_activate_image
1167 *
1168 * Description: Iterate through the available image activators, and activate
1169 * the image associated with the imgp structure. We start with
1170 * the
1171 *
1172 * Parameters: struct image_params * Image parameter block
1173 *
1174 * Returns: 0 Success
1175 * EBADEXEC The executable is corrupt/unknown
1176 * execargs_alloc:EINVAL Invalid argument
1177 * execargs_alloc:EACCES Permission denied
1178 * execargs_alloc:EINTR Interrupted function
1179 * execargs_alloc:ENOMEM Not enough space
1180 * exec_save_path:EFAULT Bad address
1181 * exec_save_path:ENAMETOOLONG Filename too long
1182 * exec_check_permissions:EACCES Permission denied
1183 * exec_check_permissions:ENOEXEC Executable file format error
1184 * exec_check_permissions:ETXTBSY Text file busy [misuse of error code]
1185 * exec_check_permissions:???
1186 * namei:???
1187 * vn_rdwr:??? [anything vn_rdwr can return]
1188 * <ex_imgact>:??? [anything an imgact can return]
1189 */
1190 static int
1191 exec_activate_image(struct image_params *imgp)
1192 {
1193 struct nameidata nd;
1194 int error;
1195 int resid;
1196 int once = 1; /* save SGUID-ness for interpreted files */
1197 int i;
1198 int iterlimit = EAI_ITERLIMIT;
1199
1200 error = execargs_alloc(imgp);
1201 if (error)
1202 goto bad;
1203
1204 /*
1205 * XXXAUDIT: Note: the double copyin introduces an audit
1206 * race. To correct this race, we must use a single
1207 * copyin(), e.g. by passing a flag to namei to indicate an
1208 * external path buffer is being used.
1209 */
1210 error = exec_save_path(imgp, imgp->ip_user_fname, imgp->ip_seg);
1211 if (error) {
1212 goto bad;
1213 }
1214
1215 DTRACE_PROC1(exec, uintptr_t, imgp->ip_strings);
1216
1217 NDINIT(&nd, LOOKUP, FOLLOW | LOCKLEAF | AUDITVNPATH1,
1218 imgp->ip_seg, imgp->ip_user_fname, imgp->ip_vfs_context);
1219
1220 again:
1221 error = namei(&nd);
1222 if (error)
1223 goto bad;
1224 imgp->ip_ndp = &nd; /* successful namei(); call nameidone() later */
1225 imgp->ip_vp = nd.ni_vp; /* if set, need to vnode_put() at some point */
1226
1227 error = exec_check_permissions(imgp);
1228 if (error)
1229 goto bad;
1230
1231 /* Copy; avoid invocation of an interpreter overwriting the original */
1232 if (once) {
1233 once = 0;
1234 *imgp->ip_origvattr = *imgp->ip_vattr;
1235 }
1236
1237 error = vn_rdwr(UIO_READ, imgp->ip_vp, imgp->ip_vdata, PAGE_SIZE, 0,
1238 UIO_SYSSPACE32, IO_NODELOCKED,
1239 vfs_context_ucred(imgp->ip_vfs_context),
1240 &resid, vfs_context_proc(imgp->ip_vfs_context));
1241 if (error)
1242 goto bad;
1243
1244 encapsulated_binary:
1245 /* Limit the number of iterations we will attempt on each binary */
1246 if (--iterlimit == 0) {
1247 error = EBADEXEC;
1248 goto bad;
1249 }
1250 error = -1;
1251 for(i = 0; error == -1 && execsw[i].ex_imgact != NULL; i++) {
1252
1253 error = (*execsw[i].ex_imgact)(imgp);
1254
1255 switch (error) {
1256 /* case -1: not claimed: continue */
1257 case -2: /* Encapsulated binary */
1258 goto encapsulated_binary;
1259
1260 case -3: /* Interpreter */
1261 #if CONFIG_MACF
1262 /*
1263 * Copy the script label for later use. Note that
1264 * the label can be different when the script is
1265 * actually read by the interpreter.
1266 */
1267 if (imgp->ip_scriptlabelp)
1268 mac_vnode_label_free(imgp->ip_scriptlabelp);
1269 imgp->ip_scriptlabelp = mac_vnode_label_alloc();
1270 if (imgp->ip_scriptlabelp == NULL) {
1271 error = ENOMEM;
1272 break;
1273 }
1274 mac_vnode_label_copy(imgp->ip_vp->v_label,
1275 imgp->ip_scriptlabelp);
1276 #endif
1277 vnode_put(imgp->ip_vp);
1278 imgp->ip_vp = NULL; /* already put */
1279 nd.ni_cnd.cn_nameiop = LOOKUP;
1280 nd.ni_cnd.cn_flags = (nd.ni_cnd.cn_flags & HASBUF) |
1281 (FOLLOW | LOCKLEAF);
1282
1283 #ifdef IMGPF_POWERPC
1284 /*
1285 * PowerPC does not follow symlinks because the
1286 * code which sets exec_archhandler_ppc.fsid and
1287 * exec_archhandler_ppc.fileid doesn't follow them.
1288 */
1289 if (imgp->ip_flags & IMGPF_POWERPC)
1290 nd.ni_cnd.cn_flags &= ~FOLLOW;
1291 #endif /* IMGPF_POWERPC */
1292
1293 nd.ni_segflg = UIO_SYSSPACE32;
1294 nd.ni_dirp = CAST_USER_ADDR_T(imgp->ip_interp_name);
1295 goto again;
1296
1297 default:
1298 break;
1299 }
1300 }
1301
1302 /*
1303 * Call out to allow 3rd party notification of exec.
1304 * Ignore result of kauth_authorize_fileop call.
1305 */
1306 if (error == 0 && kauth_authorize_fileop_has_listeners()) {
1307 kauth_authorize_fileop(vfs_context_ucred(imgp->ip_vfs_context),
1308 KAUTH_FILEOP_EXEC,
1309 (uintptr_t)nd.ni_vp, 0);
1310 }
1311
1312 bad:
1313 if (imgp->ip_strings)
1314 execargs_free(imgp);
1315 if (imgp->ip_ndp)
1316 nameidone(imgp->ip_ndp);
1317
1318 return (error);
1319 }
1320
1321 /*
1322 * exec_handle_port_actions
1323 *
1324 * Description: Go through the _posix_port_actions_t contents,
1325 * calling task_set_special_port and task_set_exception_ports
1326 * for the current task.
1327 *
1328 * Parameters: struct image_params * Image parameter block
1329 *
1330 * Returns: 0 Success
1331 * KERN_FAILURE Failure
1332 */
1333 static int
1334 exec_handle_port_actions(struct image_params *imgp)
1335 {
1336 _posix_spawn_port_actions_t pacts = imgp->ip_px_spa;
1337 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1338 _ps_port_action_t *act = NULL;
1339 task_t task = p->task;
1340 ipc_port_t port = NULL;
1341 kern_return_t ret = KERN_SUCCESS;
1342 int i;
1343
1344 for (i = 0; i < pacts->pspa_count; i++) {
1345 act = &pacts->pspa_actions[i];
1346
1347 ret = ipc_object_copyin(get_task_ipcspace(current_task()),
1348 (mach_port_name_t) act->new_port,
1349 MACH_MSG_TYPE_COPY_SEND,
1350 (ipc_object_t *) &port);
1351
1352 if (ret)
1353 return ret;
1354
1355 switch (act->port_type) {
1356 case PSPA_SPECIAL:
1357 ret = task_set_special_port(task,
1358 act->which,
1359 port);
1360 break;
1361 case PSPA_EXCEPTION:
1362 ret = task_set_exception_ports(task,
1363 act->mask,
1364 port,
1365 act->behavior,
1366 act->flavor);
1367 break;
1368 default:
1369 ret = KERN_FAILURE;
1370 }
1371 /* action failed, so release port resources */
1372 if (ret) {
1373 ipc_port_release_send(port);
1374 return ret;
1375 }
1376 }
1377
1378 return ret;
1379 }
1380
1381 /*
1382 * exec_handle_file_actions
1383 *
1384 * Description: Go through the _posix_file_actions_t contents applying the
1385 * open, close, and dup2 operations to the open file table for
1386 * the current process.
1387 *
1388 * Parameters: struct image_params * Image parameter block
1389 *
1390 * Returns: 0 Success
1391 * ???
1392 *
1393 * Note: Actions are applied in the order specified, with the credential
1394 * of the parent process. This is done to permit the parent
1395 * process to utilize POSIX_SPAWN_RESETIDS to drop privilege in
1396 * the child following operations the child may in fact not be
1397 * normally permitted to perform.
1398 */
1399 static int
1400 exec_handle_file_actions(struct image_params *imgp)
1401 {
1402 int error = 0;
1403 int action;
1404 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
1405 _posix_spawn_file_actions_t px_sfap = imgp->ip_px_sfa;
1406 register_t ival[2]; /* dummy retval for system calls) */
1407
1408 for (action = 0; action < px_sfap->psfa_act_count; action++) {
1409 _psfa_action_t *psfa = &px_sfap->psfa_act_acts[ action];
1410
1411 switch(psfa->psfaa_type) {
1412 case PSFA_OPEN: {
1413 /*
1414 * Open is different, in that it requires the use of
1415 * a path argument, which is normally copied in from
1416 * user space; because of this, we have to support an
1417 * open from kernel space that passes an address space
1418 * context oof UIO_SYSSPACE, and casts the address
1419 * argument to a user_addr_t.
1420 */
1421 struct vnode_attr va;
1422 struct nameidata nd;
1423 int mode = psfa->psfaa_openargs.psfao_mode;
1424 struct dup2_args dup2a;
1425 struct close_nocancel_args ca;
1426 int origfd;
1427
1428 VATTR_INIT(&va);
1429 /* Mask off all but regular access permissions */
1430 mode = ((mode &~ p->p_fd->fd_cmask) & ALLPERMS) & ~S_ISTXT;
1431 VATTR_SET(&va, va_mode, mode & ACCESSPERMS);
1432
1433 NDINIT(&nd, LOOKUP, FOLLOW | AUDITVNPATH1, UIO_SYSSPACE,
1434 CAST_USER_ADDR_T(psfa->psfaa_openargs.psfao_path),
1435 imgp->ip_vfs_context);
1436
1437 error = open1(imgp->ip_vfs_context,
1438 &nd,
1439 psfa->psfaa_openargs.psfao_oflag,
1440 &va,
1441 ival);
1442
1443 /*
1444 * If there's an error, or we get the right fd by
1445 * accident, then drop out here. This is easier that
1446 * rearchitecting all the open code to preallocate fd
1447 * slots, and internally taking one as an argument.
1448 */
1449 if (error || ival[0] == psfa->psfaa_filedes)
1450 break;
1451
1452 origfd = ival[0];
1453 /*
1454 * If we didn't fall out from an error, we ended up
1455 * with the wrong fd; so now we've got to try to dup2
1456 * it to the right one.
1457 */
1458 dup2a.from = origfd;
1459 dup2a.to = psfa->psfaa_filedes;
1460
1461 /*
1462 * The dup2() system call implementation sets
1463 * ival to newfd in the success case, but we
1464 * can ignore that, since if we didn't get the
1465 * fd we wanted, the error will stop us.
1466 */
1467 error = dup2(p, &dup2a, ival);
1468 if (error)
1469 break;
1470
1471 /*
1472 * Finally, close the original fd.
1473 */
1474 ca.fd = origfd;
1475
1476 error = close_nocancel(p, &ca, ival);
1477 }
1478 break;
1479
1480 case PSFA_DUP2: {
1481 struct dup2_args dup2a;
1482
1483 dup2a.from = psfa->psfaa_filedes;
1484 dup2a.to = psfa->psfaa_openargs.psfao_oflag;
1485
1486 /*
1487 * The dup2() system call implementation sets
1488 * ival to newfd in the success case, but we
1489 * can ignore that, since if we didn't get the
1490 * fd we wanted, the error will stop us.
1491 */
1492 error = dup2(p, &dup2a, ival);
1493 }
1494 break;
1495
1496 case PSFA_CLOSE: {
1497 struct close_nocancel_args ca;
1498
1499 ca.fd = psfa->psfaa_filedes;
1500
1501 error = close_nocancel(p, &ca, ival);
1502 }
1503 break;
1504
1505 default:
1506 error = EINVAL;
1507 break;
1508 }
1509 /* All file actions failures are considered fatal, per POSIX */
1510 if (error)
1511 break;
1512 }
1513
1514 return (error);
1515 }
1516
1517
1518 /*
1519 * posix_spawn
1520 *
1521 * Parameters: uap->pid Pointer to pid return area
1522 * uap->fname File name to exec
1523 * uap->argp Argument list
1524 * uap->envp Environment list
1525 *
1526 * Returns: 0 Success
1527 * EINVAL Invalid argument
1528 * ENOTSUP Not supported
1529 * ENOEXEC Executable file format error
1530 * exec_activate_image:EINVAL Invalid argument
1531 * exec_activate_image:EACCES Permission denied
1532 * exec_activate_image:EINTR Interrupted function
1533 * exec_activate_image:ENOMEM Not enough space
1534 * exec_activate_image:EFAULT Bad address
1535 * exec_activate_image:ENAMETOOLONG Filename too long
1536 * exec_activate_image:ENOEXEC Executable file format error
1537 * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
1538 * exec_activate_image:EBADEXEC The executable is corrupt/unknown
1539 * exec_activate_image:???
1540 * mac_execve_enter:???
1541 *
1542 * TODO: More gracefully handle failures after vfork
1543 * Expect to need __mac_posix_spawn() at some point...
1544 * Handle posix_spawnattr_t
1545 * Handle posix_spawn_file_actions_t
1546 */
1547 int
1548 posix_spawn(proc_t ap, struct posix_spawn_args *uap, register_t *retval)
1549 {
1550 proc_t p = ap; /* quiet bogus GCC vfork() warning */
1551 user_addr_t pid = uap->pid;
1552 register_t ival[2]; /* dummy retval for vfork() */
1553 struct image_params image_params, *imgp;
1554 struct vnode_attr va;
1555 struct vnode_attr origva;
1556 struct uthread *uthread = 0; /* compiler complains if not set to 0*/
1557 int error, sig;
1558 task_t task;
1559 int numthreads;
1560 char alt_p_comm[sizeof(p->p_comm)] = {0}; /* for PowerPC */
1561 int is_64 = IS_64BIT_PROCESS(p);
1562 int undo_vfork = 0;
1563 struct vfs_context context;
1564 struct user__posix_spawn_args_desc px_args;
1565 struct _posix_spawnattr px_sa;
1566 _posix_spawn_file_actions_t px_sfap = NULL;
1567 _posix_spawn_port_actions_t px_spap = NULL;
1568 struct __user_sigaction vec;
1569
1570 imgp = &image_params;
1571
1572 /* Initialize the common data in the image_params structure */
1573 bzero(imgp, sizeof(*imgp));
1574 imgp->ip_user_fname = uap->path;
1575 imgp->ip_user_argv = uap->argv;
1576 imgp->ip_user_envv = uap->envp;
1577 imgp->ip_vattr = &va;
1578 imgp->ip_origvattr = &origva;
1579 imgp->ip_vfs_context = &context;
1580 imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
1581 imgp->ip_p_comm = alt_p_comm; /* for PowerPC */
1582 imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
1583
1584 if (uap->adesc != USER_ADDR_NULL) {
1585 if(is_64) {
1586 error = copyin(uap->adesc, &px_args, sizeof(px_args));
1587 } else {
1588 struct _posix_spawn_args_desc px_args32;
1589
1590 error = copyin(uap->adesc, &px_args32, sizeof(px_args32));
1591
1592 /*
1593 * Convert arguments descriptor from external 32 bit
1594 * representation to internal 64 bit representation
1595 */
1596 px_args.attr_size = px_args32.attr_size;
1597 px_args.attrp = CAST_USER_ADDR_T(px_args32.attrp);
1598 px_args.file_actions_size = px_args32.file_actions_size;
1599 px_args.file_actions = CAST_USER_ADDR_T(px_args32.file_actions);
1600 px_args.port_actions_size = px_args32.port_actions_size;
1601 px_args.port_actions = CAST_USER_ADDR_T(px_args32.port_actions);
1602 }
1603 if (error)
1604 goto bad;
1605
1606 if (px_args.attr_size != 0) {
1607 /*
1608 * This could lose some of the port_actions pointer,
1609 * but we already have it from px_args.
1610 */
1611 if ((error = copyin(px_args.attrp, &px_sa, sizeof(px_sa))) != 0)
1612 goto bad;
1613
1614 imgp->ip_px_sa = &px_sa;
1615 }
1616 if (px_args.file_actions_size != 0) {
1617 /* Limit file_actions to allowed number of open files */
1618 int maxfa = (p->p_limit ? p->p_rlimit[RLIMIT_NOFILE].rlim_cur : NOFILE);
1619 if (px_args.file_actions_size < PSF_ACTIONS_SIZE(1) ||
1620 px_args.file_actions_size > PSF_ACTIONS_SIZE(maxfa)) {
1621 error = EINVAL;
1622 goto bad;
1623 }
1624 MALLOC(px_sfap, _posix_spawn_file_actions_t, px_args.file_actions_size, M_TEMP, M_WAITOK);
1625 if (px_sfap == NULL) {
1626 error = ENOMEM;
1627 goto bad;
1628 }
1629 imgp->ip_px_sfa = px_sfap;
1630
1631 if ((error = copyin(px_args.file_actions, px_sfap,
1632 px_args.file_actions_size)) != 0)
1633 goto bad;
1634 }
1635 if (px_args.port_actions_size != 0) {
1636 /* Limit port_actions to one page of data */
1637 if (px_args.port_actions_size < PS_PORT_ACTIONS_SIZE(1) ||
1638 px_args.port_actions_size > PAGE_SIZE) {
1639 error = EINVAL;
1640 goto bad;
1641 }
1642
1643 MALLOC(px_spap, _posix_spawn_port_actions_t,
1644 px_args.port_actions_size, M_TEMP, M_WAITOK);
1645 if (px_spap == NULL) {
1646 error = ENOMEM;
1647 goto bad;
1648 }
1649 imgp->ip_px_spa = px_spap;
1650
1651 if ((error = copyin(px_args.port_actions, px_spap,
1652 px_args.port_actions_size)) != 0)
1653 goto bad;
1654 }
1655 }
1656
1657 if (imgp->ip_px_sa == NULL || !(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)){
1658 if ((error = vfork(p, NULL, ival)) != 0)
1659 goto bad;
1660 undo_vfork = 1;
1661 }
1662
1663 /* "reenter the kernel" on a new vfork()'ed process */
1664 uthread = get_bsdthread_info(current_thread());
1665 if (undo_vfork)
1666 p = uthread->uu_proc;
1667
1668 context.vc_thread = current_thread();
1669 context.vc_ucred = p->p_ucred; /* XXX must NOT be kauth_cred_get() */
1670
1671 /*
1672 * Post fdcopy(), pre exec_handle_sugid() - this is where we want
1673 * to handle the file_actions. Since vfork() also ends up setting
1674 * us into the parent process group, and saved off the signal flags,
1675 * this is also where we want to handle the spawn flags.
1676 */
1677 /* Has spawn file actions? */
1678 if (imgp->ip_px_sfa != NULL &&
1679 (error = exec_handle_file_actions(imgp)) != 0) {
1680 goto bad;
1681 }
1682
1683 /* Has spawn port actions? */
1684 if (imgp->ip_px_spa != NULL) {
1685 /* Only allowed when not under vfork */
1686 if (!(px_sa.psa_flags & POSIX_SPAWN_SETEXEC)) {
1687 error = ENOTSUP;
1688 goto bad;
1689 }
1690 if((error = exec_handle_port_actions(imgp)) != 0)
1691 goto bad;
1692 }
1693
1694 /* Has spawn attr? */
1695 if (imgp->ip_px_sa != NULL) {
1696 /* Set the process group ID of the child process */
1697 if (px_sa.psa_flags & POSIX_SPAWN_SETPGROUP) {
1698 struct setpgid_args spga;
1699 spga.pid = p->p_pid;
1700 spga.pgid = px_sa.psa_pgroup;
1701 /*
1702 * Effectively, call setpgid() system call; works
1703 * because there are no pointer arguments.
1704 */
1705 if((error = setpgid(p, &spga, ival)) != 0)
1706 goto bad;
1707 }
1708 /*
1709 * Reset UID/GID to parent's RUID/RGID; This works only
1710 * because the operation occurs *after* the vfork() and
1711 * before the call to exec_handle_sugid() by the image
1712 * activator called from exec_activate_image().
1713 *
1714 * The use of p_ucred is safe, since we are acting on the
1715 * new process, and it has no threads other than the one
1716 * we are creating for it.
1717 */
1718 if (px_sa.psa_flags & POSIX_SPAWN_RESETIDS) {
1719 kauth_cred_t my_cred = p->p_ucred;
1720 kauth_cred_t my_new_cred = kauth_cred_setuidgid(my_cred, my_cred->cr_ruid, my_cred->cr_rgid);
1721 if (my_new_cred != my_cred)
1722 p->p_ucred = my_new_cred;
1723 }
1724 /*
1725 * Mask a list of signals, instead of them being unmasked, if
1726 * they were unmasked in the parent; note that some signals
1727 * are not maskable.
1728 */
1729 if (px_sa.psa_flags & POSIX_SPAWN_SETSIGMASK)
1730 uthread->uu_sigmask = (px_sa.psa_sigmask & ~sigcantmask);
1731 /*
1732 * Default a list of signals instead of ignoring them, if
1733 * they were ignored in the parent.
1734 */
1735 if (px_sa.psa_flags & POSIX_SPAWN_SETSIGDEF) {
1736 vec.sa_handler = SIG_DFL;
1737 vec.sa_tramp = 0;
1738 vec.sa_mask = 0;
1739 vec.sa_flags = 0;
1740 for (sig = 0; sig < NSIG; sig++)
1741 if (px_sa.psa_sigdefault && 1 << sig) {
1742 error = setsigvec(p, sig, &vec);
1743 }
1744 }
1745 }
1746
1747 /*
1748 * XXXAUDIT: Currently, we only audit the pathname of the binary.
1749 * There may also be poor interaction with dyld.
1750 */
1751
1752 task = current_task();
1753
1754 /* If we're not in vfork, don't permit a mutithreaded task to exec */
1755 if (!(uthread->uu_flag & UT_VFORK)) {
1756 if (task != kernel_task) {
1757 numthreads = get_task_numacts(task);
1758 if (numthreads <= 0 ) {
1759 error = EINVAL;
1760 goto bad;
1761 }
1762 if (numthreads > 1) {
1763 error = ENOTSUP;
1764 goto bad;
1765 }
1766 }
1767 }
1768
1769 #if MAC_SPAWN /* XXX */
1770 if (uap->mac_p != USER_ADDR_NULL) {
1771 error = mac_execve_enter(uap->mac_p, imgp);
1772 if (error)
1773 goto bad;
1774 }
1775 #endif
1776
1777 if ((error = exec_activate_image(imgp)) != 0)
1778 goto bad;
1779 bad:
1780 /* Image not claimed by any activator? */
1781 if (error == -1)
1782 error = ENOEXEC;
1783 if (error == 0) {
1784 exec_resettextvp(p, imgp);
1785 }
1786 if (imgp->ip_vp)
1787 vnode_put(imgp->ip_vp);
1788 if (imgp->ip_strings)
1789 execargs_free(imgp);
1790 if (imgp->ip_px_sfa != NULL)
1791 FREE(imgp->ip_px_sfa, M_TEMP);
1792 if (imgp->ip_px_spa != NULL)
1793 FREE(imgp->ip_px_spa, M_TEMP);
1794
1795 #if CONFIG_MACF
1796 if (imgp->ip_execlabelp)
1797 mac_cred_label_free(imgp->ip_execlabelp);
1798 if (imgp->ip_scriptlabelp)
1799 mac_vnode_label_free(imgp->ip_scriptlabelp);
1800 #endif
1801 if (undo_vfork) {
1802 if (error) {
1803 DTRACE_PROC1(exec__failure, int, error);
1804 vfork_exit(p, W_EXITCODE(-1, 0));
1805 } else {
1806 DTRACE_PROC(exec__success);
1807 }
1808 /*
1809 * Returning to the parent process...
1810 *
1811 * If the parent wants the pid, copy it out
1812 */
1813 if (pid != USER_ADDR_NULL)
1814 (void)suword(pid, p->p_pid);
1815 retval[0] = error;
1816 /*
1817 * Override inherited code signing flags with the
1818 * ones for the process that is being successfully
1819 * loaded
1820 */
1821 proc_lock(p);
1822 p->p_csflags = imgp->ip_csflags;
1823 proc_unlock(p);
1824 vfork_return(p, NULL, error);
1825 (void)thread_resume(imgp->ip_vfork_thread);
1826 }
1827
1828 if (!error) {
1829 /*
1830 * Override inherited code signing flags with the
1831 * ones for the process that is being successfully
1832 * loaded
1833 */
1834 proc_lock(p);
1835 p->p_csflags = imgp->ip_csflags;
1836 proc_unlock(p);
1837 DTRACE_PROC(exec__success);
1838 } else {
1839 DTRACE_PROC1(exec__failure, int, error);
1840 }
1841
1842 return(error);
1843 }
1844
1845
1846 /*
1847 * execve
1848 *
1849 * Parameters: uap->fname File name to exec
1850 * uap->argp Argument list
1851 * uap->envp Environment list
1852 *
1853 * Returns: 0 Success
1854 * __mac_execve:EINVAL Invalid argument
1855 * __mac_execve:ENOTSUP Invalid argument
1856 * __mac_execve:EACCES Permission denied
1857 * __mac_execve:EINTR Interrupted function
1858 * __mac_execve:ENOMEM Not enough space
1859 * __mac_execve:EFAULT Bad address
1860 * __mac_execve:ENAMETOOLONG Filename too long
1861 * __mac_execve:ENOEXEC Executable file format error
1862 * __mac_execve:ETXTBSY Text file busy [misuse of error code]
1863 * __mac_execve:???
1864 *
1865 * TODO: Dynamic linker header address on stack is copied via suword()
1866 */
1867 /* ARGSUSED */
1868 int
1869 execve(proc_t p, struct execve_args *uap, register_t *retval)
1870 {
1871 struct __mac_execve_args muap;
1872 int err;
1873
1874 muap.fname = uap->fname;
1875 muap.argp = uap->argp;
1876 muap.envp = uap->envp;
1877 muap.mac_p = USER_ADDR_NULL;
1878 err = __mac_execve(p, &muap, retval);
1879
1880 return(err);
1881 }
1882
1883 /*
1884 * __mac_execve
1885 *
1886 * Parameters: uap->fname File name to exec
1887 * uap->argp Argument list
1888 * uap->envp Environment list
1889 * uap->mac_p MAC label supplied by caller
1890 *
1891 * Returns: 0 Success
1892 * EINVAL Invalid argument
1893 * ENOTSUP Not supported
1894 * ENOEXEC Executable file format error
1895 * exec_activate_image:EINVAL Invalid argument
1896 * exec_activate_image:EACCES Permission denied
1897 * exec_activate_image:EINTR Interrupted function
1898 * exec_activate_image:ENOMEM Not enough space
1899 * exec_activate_image:EFAULT Bad address
1900 * exec_activate_image:ENAMETOOLONG Filename too long
1901 * exec_activate_image:ENOEXEC Executable file format error
1902 * exec_activate_image:ETXTBSY Text file busy [misuse of error code]
1903 * exec_activate_image:EBADEXEC The executable is corrupt/unknown
1904 * exec_activate_image:???
1905 * mac_execve_enter:???
1906 *
1907 * TODO: Dynamic linker header address on stack is copied via suword()
1908 */
1909 int
1910 __mac_execve(proc_t p, struct __mac_execve_args *uap, register_t *retval)
1911 {
1912 struct image_params image_params, *imgp;
1913 struct vnode_attr va;
1914 struct vnode_attr origva;
1915 struct uthread *uthread;
1916 int error;
1917 task_t task;
1918 int numthreads;
1919 char alt_p_comm[sizeof(p->p_comm)] = {0}; /* for PowerPC */
1920 int is_64 = IS_64BIT_PROCESS(p);
1921 struct vfs_context context;
1922
1923 context.vc_thread = current_thread();
1924 context.vc_ucred = kauth_cred_proc_ref(p); /* XXX must NOT be kauth_cred_get() */
1925
1926 imgp = &image_params;
1927
1928 /* Initialize the common data in the image_params structure */
1929 bzero(imgp, sizeof(*imgp));
1930 imgp->ip_user_fname = uap->fname;
1931 imgp->ip_user_argv = uap->argp;
1932 imgp->ip_user_envv = uap->envp;
1933 imgp->ip_vattr = &va;
1934 imgp->ip_origvattr = &origva;
1935 imgp->ip_vfs_context = &context;
1936 imgp->ip_flags = (is_64 ? IMGPF_WAS_64BIT : IMGPF_NONE);
1937 imgp->ip_p_comm = alt_p_comm; /* for PowerPC */
1938 imgp->ip_seg = (is_64 ? UIO_USERSPACE64 : UIO_USERSPACE32);
1939
1940 /*
1941 * XXXAUDIT: Currently, we only audit the pathname of the binary.
1942 * There may also be poor interaction with dyld.
1943 */
1944
1945 task = current_task();
1946 uthread = get_bsdthread_info(current_thread());
1947
1948 /* If we're not in vfork, don't permit a mutithreaded task to exec */
1949 if (!(uthread->uu_flag & UT_VFORK)) {
1950 if (task != kernel_task) {
1951 proc_lock(p);
1952 numthreads = get_task_numacts(task);
1953 if (numthreads <= 0 ) {
1954 proc_unlock(p);
1955 kauth_cred_unref(&context.vc_ucred);
1956 return(EINVAL);
1957 }
1958 if (numthreads > 1) {
1959 proc_unlock(p);
1960 kauth_cred_unref(&context.vc_ucred);
1961 return(ENOTSUP);
1962 }
1963 proc_unlock(p);
1964 }
1965 }
1966
1967 #if CONFIG_MACF
1968 if (uap->mac_p != USER_ADDR_NULL) {
1969 error = mac_execve_enter(uap->mac_p, imgp);
1970 if (error) {
1971 kauth_cred_unref(&context.vc_ucred);
1972 return (error);
1973 }
1974 }
1975 #endif
1976
1977 proc_transstart(p, 0);
1978 error = exec_activate_image(imgp);
1979 proc_transend(p, 0);
1980
1981 kauth_cred_unref(&context.vc_ucred);
1982
1983 /* Image not claimed by any activator? */
1984 if (error == -1)
1985 error = ENOEXEC;
1986
1987 if (error == 0) {
1988 exec_resettextvp(p, imgp);
1989 }
1990 if (imgp->ip_vp != NULLVP)
1991 vnode_put(imgp->ip_vp);
1992 if (imgp->ip_strings)
1993 execargs_free(imgp);
1994 #if CONFIG_MACF
1995 if (imgp->ip_execlabelp)
1996 mac_cred_label_free(imgp->ip_execlabelp);
1997 if (imgp->ip_scriptlabelp)
1998 mac_vnode_label_free(imgp->ip_scriptlabelp);
1999 #endif
2000 if (!error) {
2001 /*
2002 * Override inherited code signing flags with the
2003 * ones for the process that is being successfully
2004 * loaded
2005 */
2006 proc_lock(p);
2007 p->p_csflags = imgp->ip_csflags;
2008 proc_unlock(p);
2009 DTRACE_PROC(exec__success);
2010
2011 if (uthread->uu_flag & UT_VFORK) {
2012 vfork_return(p, retval, p->p_pid);
2013 (void)thread_resume(imgp->ip_vfork_thread);
2014 }
2015 } else {
2016 DTRACE_PROC1(exec__failure, int, error);
2017 }
2018
2019 return(error);
2020 }
2021
2022
2023 /*
2024 * copyinptr
2025 *
2026 * Description: Copy a pointer in from user space to a user_addr_t in kernel
2027 * space, based on 32/64 bitness of the user space
2028 *
2029 * Parameters: froma User space address
2030 * toptr Address of kernel space user_addr_t
2031 * ptr_size 4/8, based on 'froma' address space
2032 *
2033 * Returns: 0 Success
2034 * EFAULT Bad 'froma'
2035 *
2036 * Implicit returns:
2037 * *ptr_size Modified
2038 */
2039 static int
2040 copyinptr(user_addr_t froma, user_addr_t *toptr, int ptr_size)
2041 {
2042 int error;
2043
2044 if (ptr_size == 4) {
2045 /* 64 bit value containing 32 bit address */
2046 unsigned int i;
2047
2048 error = copyin(froma, &i, 4);
2049 *toptr = CAST_USER_ADDR_T(i); /* SAFE */
2050 } else {
2051 error = copyin(froma, toptr, 8);
2052 }
2053 return (error);
2054 }
2055
2056
2057 /*
2058 * copyoutptr
2059 *
2060 * Description: Copy a pointer out from a user_addr_t in kernel space to
2061 * user space, based on 32/64 bitness of the user space
2062 *
2063 * Parameters: ua User space address to copy to
2064 * ptr Address of kernel space user_addr_t
2065 * ptr_size 4/8, based on 'ua' address space
2066 *
2067 * Returns: 0 Success
2068 * EFAULT Bad 'ua'
2069 *
2070 * Implicit returns:
2071 * *ptr_size Modified
2072 */
2073 static int
2074 copyoutptr(user_addr_t ua, user_addr_t ptr, int ptr_size)
2075 {
2076 int error;
2077
2078 if (ptr_size == 4) {
2079 /* 64 bit value containing 32 bit address */
2080 unsigned int i = CAST_DOWN(unsigned int,ua); /* SAFE */
2081
2082 error = copyout(&i, ptr, 4);
2083 } else {
2084 error = copyout(&ua, ptr, 8);
2085 }
2086 return (error);
2087 }
2088
2089
2090 /*
2091 * exec_copyout_strings
2092 *
2093 * Copy out the strings segment to user space. The strings segment is put
2094 * on a preinitialized stack frame.
2095 *
2096 * Parameters: struct image_params * the image parameter block
2097 * int * a pointer to the stack offset variable
2098 *
2099 * Returns: 0 Success
2100 * !0 Faiure: errno
2101 *
2102 * Implicit returns:
2103 * (*stackp) The stack offset, modified
2104 *
2105 * Note: The strings segment layout is backward, from the beginning
2106 * of the top of the stack to consume the minimal amount of
2107 * space possible; the returned stack pointer points to the
2108 * end of the area consumed (stacks grow upward).
2109 *
2110 * argc is an int; arg[i] are pointers; env[i] are pointers;
2111 * exec_path is a pointer; the 0's are (void *)NULL's
2112 *
2113 * The stack frame layout is:
2114 *
2115 * +-------------+
2116 * sp-> | argc |
2117 * +-------------+
2118 * | arg[0] |
2119 * +-------------+
2120 * :
2121 * :
2122 * +-------------+
2123 * | arg[argc-1] |
2124 * +-------------+
2125 * | 0 |
2126 * +-------------+
2127 * | env[0] |
2128 * +-------------+
2129 * :
2130 * :
2131 * +-------------+
2132 * | env[n] |
2133 * +-------------+
2134 * | 0 |
2135 * +-------------+
2136 * | exec_path | In MacOS X PR2 Beaker2E the path passed to exec() is
2137 * +-------------+ passed on the stack just after the trailing 0 of the
2138 * | 0 | the envp[] array as a pointer to a string.
2139 * +-------------+
2140 * | PATH AREA |
2141 * +-------------+
2142 * | STRING AREA |
2143 * :
2144 * :
2145 * | | <- p->user_stack
2146 * +-------------+
2147 *
2148 * Although technically a part of the STRING AREA, we treat the PATH AREA as
2149 * a separate entity. This allows us to align the beginning of the PATH AREA
2150 * to a pointer boundary so that the exec_path, env[i], and argv[i] pointers
2151 * which preceed it on the stack are properly aligned.
2152 *
2153 * TODO: argc copied with suword(), which takes a 64 bit address
2154 */
2155 static int
2156 exec_copyout_strings(struct image_params *imgp, user_addr_t *stackp)
2157 {
2158 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
2159 int ptr_size = (imgp->ip_flags & IMGPF_IS_64BIT) ? 8 : 4;
2160 char *argv = imgp->ip_argv; /* modifiable copy of argv */
2161 user_addr_t string_area; /* *argv[], *env[] */
2162 user_addr_t path_area; /* package launch path */
2163 user_addr_t ptr_area; /* argv[], env[], exec_path */
2164 user_addr_t stack;
2165 int stringc = imgp->ip_argc + imgp->ip_envc;
2166 int len;
2167 int error;
2168 int strspace;
2169
2170 stack = *stackp;
2171
2172 unsigned patharea_len = imgp->ip_argv - imgp->ip_strings;
2173 int envc_add = 0;
2174
2175 /*
2176 * Set up pointers to the beginning of the string area, the beginning
2177 * of the path area, and the beginning of the pointer area (actually,
2178 * the location of argc, an int, which may be smaller than a pointer,
2179 * but we use ptr_size worth of space for it, for alignment).
2180 */
2181 string_area = stack - (((imgp->ip_strendp - imgp->ip_strings) + ptr_size-1) & ~(ptr_size-1)) - ptr_size;
2182 path_area = string_area - ((patharea_len + ptr_size-1) & ~(ptr_size-1));
2183 ptr_area = path_area - ((imgp->ip_argc + imgp->ip_envc + 4 + envc_add) * ptr_size) - ptr_size /*argc*/;
2184
2185 /* Return the initial stack address: the location of argc */
2186 *stackp = ptr_area;
2187
2188 /*
2189 * Record the size of the arguments area so that sysctl_procargs()
2190 * can return the argument area without having to parse the arguments.
2191 */
2192 proc_lock(p);
2193 p->p_argc = imgp->ip_argc;
2194 p->p_argslen = (int)(stack - path_area);
2195 proc_unlock(p);
2196
2197
2198 /*
2199 * Support for new app package launching for Mac OS X allocates
2200 * the "path" at the begining of the imgp->ip_strings buffer.
2201 * copy it just before the string area.
2202 */
2203 len = 0;
2204 error = copyoutstr(imgp->ip_strings, path_area,
2205 patharea_len,
2206 (size_t *)&len);
2207 if (error)
2208 goto bad;
2209
2210
2211 /* Save a NULL pointer below it */
2212 (void)copyoutptr(0LL, path_area - ptr_size, ptr_size);
2213
2214 /* Save the pointer to "path" just below it */
2215 (void)copyoutptr(path_area, path_area - 2*ptr_size, ptr_size);
2216
2217 /*
2218 * ptr_size for 2 NULL one each ofter arg[argc -1] and env[n]
2219 * ptr_size for argc
2220 * skip over saved path, ptr_size for pointer to path,
2221 * and ptr_size for the NULL after pointer to path.
2222 */
2223
2224 /* argc (int32, stored in a ptr_size area) */
2225 (void)suword(ptr_area, imgp->ip_argc);
2226 ptr_area += sizeof(int);
2227 /* pad to ptr_size, if 64 bit image, to ensure user stack alignment */
2228 if (imgp->ip_flags & IMGPF_IS_64BIT) {
2229 (void)suword(ptr_area, 0); /* int, not long: ignored */
2230 ptr_area += sizeof(int);
2231 }
2232
2233 #if CONFIG_DTRACE
2234 p->p_dtrace_argv = ptr_area; /* user_addr_t &argv[0] for dtrace convenience */
2235 #endif /* CONFIG_DTRACE */
2236
2237 /*
2238 * We use (string_area - path_area) here rather than the more
2239 * intuitive (imgp->ip_argv - imgp->ip_strings) because we are
2240 * interested in the length of the PATH_AREA in user space,
2241 * rather than the actual length of the execution path, since
2242 * it includes alignment padding of the PATH_AREA + STRING_AREA
2243 * to a ptr_size boundary.
2244 */
2245 strspace = SIZE_IMG_STRSPACE - (string_area - path_area);
2246 for (;;) {
2247 if (stringc == imgp->ip_envc) {
2248 /* argv[n] = NULL */
2249 (void)copyoutptr(0LL, ptr_area, ptr_size);
2250 ptr_area += ptr_size;
2251 #if CONFIG_DTRACE
2252 p->p_dtrace_envp = ptr_area; /* user_addr_t &env[0] for dtrace convenience */
2253 #endif /* CONFIG_DTRACE */
2254 }
2255 if (--stringc < 0)
2256 break;
2257
2258 /* pointer: argv[n]/env[n] */
2259 (void)copyoutptr(string_area, ptr_area, ptr_size);
2260
2261 /* string : argv[n][]/env[n][] */
2262 do {
2263 if (strspace <= 0) {
2264 error = E2BIG;
2265 break;
2266 }
2267 error = copyoutstr(argv, string_area,
2268 (unsigned)strspace,
2269 (size_t *)&len);
2270 string_area += len;
2271 argv += len;
2272 strspace -= len;
2273 } while (error == ENAMETOOLONG);
2274 if (error == EFAULT || error == E2BIG)
2275 break; /* bad stack - user's problem */
2276 ptr_area += ptr_size;
2277 }
2278 /* env[n] = NULL */
2279 (void)copyoutptr(0LL, ptr_area, ptr_size);
2280
2281 bad:
2282 return(error);
2283 }
2284
2285
2286 /*
2287 * exec_extract_strings
2288 *
2289 * Copy arguments and environment from user space into work area; we may
2290 * have already copied some early arguments into the work area, and if
2291 * so, any arguments opied in are appended to those already there.
2292 *
2293 * Parameters: struct image_params * the image parameter block
2294 *
2295 * Returns: 0 Success
2296 * !0 Failure: errno
2297 *
2298 * Implicit returns;
2299 * (imgp->ip_argc) Count of arguments, updated
2300 * (imgp->ip_envc) Count of environment strings, updated
2301 *
2302 *
2303 * Note: The argument and environment vectors are user space pointers
2304 * to arrays of user space pointers.
2305 */
2306 static int
2307 exec_extract_strings(struct image_params *imgp)
2308 {
2309 int error = 0;
2310 int ptr_size = (imgp->ip_flags & IMGPF_WAS_64BIT) ? 8 : 4;
2311 user_addr_t argv = imgp->ip_user_argv;
2312 user_addr_t envv = imgp->ip_user_envv;
2313
2314 /*
2315 * If the argument vector is NULL, this is the system startup
2316 * bootstrap from load_init_program(), and there's nothing to do
2317 */
2318 if (imgp->ip_user_argv == 0LL)
2319 goto bad;
2320
2321 /* Now, get rest of arguments */
2322
2323 /*
2324 * If we are running an interpreter, replace the av[0] that was
2325 * passed to execve() with the fully qualified path name that was
2326 * passed to execve() for interpreters which do not use the PATH
2327 * to locate their script arguments.
2328 */
2329 if((imgp->ip_flags & IMGPF_INTERPRET) != 0 && argv != 0LL) {
2330 user_addr_t arg;
2331
2332 error = copyinptr(argv, &arg, ptr_size);
2333 if (error)
2334 goto bad;
2335 if (arg != 0LL && arg != (user_addr_t)-1) {
2336 argv += ptr_size;
2337 error = exec_add_string(imgp, imgp->ip_user_fname);
2338 if (error)
2339 goto bad;
2340 imgp->ip_argc++;
2341 }
2342 }
2343
2344 while (argv != 0LL) {
2345 user_addr_t arg;
2346
2347 error = copyinptr(argv, &arg, ptr_size);
2348 if (error)
2349 goto bad;
2350
2351 argv += ptr_size;
2352 if (arg == 0LL) {
2353 break;
2354 } else if (arg == (user_addr_t)-1) {
2355 /* Um... why would it be -1? */
2356 error = EFAULT;
2357 goto bad;
2358 }
2359 /*
2360 * av[n...] = arg[n]
2361 */
2362 error = exec_add_string(imgp, arg);
2363 if (error)
2364 goto bad;
2365 imgp->ip_argc++;
2366 }
2367
2368 /* Now, get the environment */
2369 while (envv != 0LL) {
2370 user_addr_t env;
2371
2372 error = copyinptr(envv, &env, ptr_size);
2373 if (error)
2374 goto bad;
2375
2376 envv += ptr_size;
2377 if (env == 0LL) {
2378 break;
2379 } else if (env == (user_addr_t)-1) {
2380 error = EFAULT;
2381 goto bad;
2382 }
2383 /*
2384 * av[n...] = env[n]
2385 */
2386 error = exec_add_string(imgp, env);
2387 if (error)
2388 goto bad;
2389 imgp->ip_envc++;
2390 }
2391 bad:
2392 return error;
2393 }
2394
2395
2396 #define unix_stack_size(p) (p->p_rlimit[RLIMIT_STACK].rlim_cur)
2397
2398 /*
2399 * exec_check_permissions
2400 *
2401 * Decription: Verify that the file that is being attempted to be executed
2402 * is in fact allowed to be executed based on it POSIX file
2403 * permissions and other access control criteria
2404 *
2405 * Parameters: struct image_params * the image parameter block
2406 *
2407 * Returns: 0 Success
2408 * EACCES Permission denied
2409 * ENOEXEC Executable file format error
2410 * ETXTBSY Text file busy [misuse of error code]
2411 * vnode_getattr:???
2412 * vnode_authorize:???
2413 */
2414 static int
2415 exec_check_permissions(struct image_params *imgp)
2416 {
2417 struct vnode *vp = imgp->ip_vp;
2418 struct vnode_attr *vap = imgp->ip_vattr;
2419 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
2420 int error;
2421 kauth_action_t action;
2422
2423 /* Only allow execution of regular files */
2424 if (!vnode_isreg(vp))
2425 return (EACCES);
2426
2427 /* Get the file attributes that we will be using here and elsewhere */
2428 VATTR_INIT(vap);
2429 VATTR_WANTED(vap, va_uid);
2430 VATTR_WANTED(vap, va_gid);
2431 VATTR_WANTED(vap, va_mode);
2432 VATTR_WANTED(vap, va_fsid);
2433 VATTR_WANTED(vap, va_fileid);
2434 VATTR_WANTED(vap, va_data_size);
2435 if ((error = vnode_getattr(vp, vap, imgp->ip_vfs_context)) != 0)
2436 return (error);
2437
2438 /*
2439 * Ensure that at least one execute bit is on - otherwise root
2440 * will always succeed, and we don't want to happen unless the
2441 * file really is executable.
2442 */
2443 if ((vap->va_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) == 0)
2444 return (EACCES);
2445
2446 /* Disallow zero length files */
2447 if (vap->va_data_size == 0)
2448 return (ENOEXEC);
2449
2450 imgp->ip_arch_offset = (user_size_t)0;
2451 imgp->ip_arch_size = vap->va_data_size;
2452
2453 /* Disable setuid-ness for traced programs or if MNT_NOSUID */
2454 if ((vp->v_mount->mnt_flag & MNT_NOSUID) || (p->p_lflag & P_LTRACED)) {
2455 vap->va_mode &= ~(VSUID | VSGID);
2456 #if CONFIG_MACF
2457 imgp->ip_no_trans = 1;
2458 #endif
2459 }
2460
2461 #if CONFIG_MACF
2462 error = mac_vnode_check_exec(imgp->ip_vfs_context, vp, imgp);
2463 if (error)
2464 return (error);
2465 #endif
2466
2467 /* Check for execute permission */
2468 action = KAUTH_VNODE_EXECUTE;
2469 /* Traced images must also be readable */
2470 if (p->p_lflag & P_LTRACED)
2471 action |= KAUTH_VNODE_READ_DATA;
2472 if ((error = vnode_authorize(vp, NULL, action, imgp->ip_vfs_context)) != 0)
2473 return (error);
2474
2475 #if 0
2476 /* Don't let it run if anyone had it open for writing */
2477 vnode_lock(vp);
2478 if (vp->v_writecount) {
2479 panic("going to return ETXTBSY %x", vp);
2480 vnode_unlock(vp);
2481 return (ETXTBSY);
2482 }
2483 vnode_unlock(vp);
2484 #endif
2485
2486
2487 #ifdef IMGPF_POWERPC
2488 /*
2489 * If the file we are about to attempt to load is the exec_handler_ppc,
2490 * which is determined by matching the vattr fields against previously
2491 * cached values, then we set the PowerPC environment flag.
2492 */
2493 if (vap->va_fsid == exec_archhandler_ppc.fsid &&
2494 vap->va_fileid == (uint64_t)((u_long)exec_archhandler_ppc.fileid)) {
2495 imgp->ip_flags |= IMGPF_POWERPC;
2496 }
2497 #endif /* IMGPF_POWERPC */
2498
2499 /* XXX May want to indicate to underlying FS that vnode is open */
2500
2501 return (error);
2502 }
2503
2504
2505 /*
2506 * exec_handle_sugid
2507 *
2508 * Initially clear the P_SUGID in the process flags; if an SUGID process is
2509 * exec'ing a non-SUGID image, then this is the point of no return.
2510 *
2511 * If the image being activated is SUGID, then replace the credential with a
2512 * copy, disable tracing (unless the tracing process is root), reset the
2513 * mach task port to revoke it, set the P_SUGID bit,
2514 *
2515 * If the saved user and group ID will be changing, then make sure it happens
2516 * to a new credential, rather than a shared one.
2517 *
2518 * Set the security token (this is probably obsolete, given that the token
2519 * should not technically be separate from the credential itself).
2520 *
2521 * Parameters: struct image_params * the image parameter block
2522 *
2523 * Returns: void No failure indication
2524 *
2525 * Implicit returns:
2526 * <process credential> Potentially modified/replaced
2527 * <task port> Potentially revoked
2528 * <process flags> P_SUGID bit potentially modified
2529 * <security token> Potentially modified
2530 */
2531 static int
2532 exec_handle_sugid(struct image_params *imgp)
2533 {
2534 kauth_cred_t cred = vfs_context_ucred(imgp->ip_vfs_context);
2535 proc_t p = vfs_context_proc(imgp->ip_vfs_context);
2536 int i;
2537 int is_member = 0;
2538 int error = 0;
2539 struct vnode *dev_null = NULLVP;
2540 #if CONFIG_MACF
2541 kauth_cred_t my_cred;
2542 #endif
2543
2544 #if CONFIG_MACF
2545 int mac_transition;
2546 mac_transition = mac_cred_check_label_update_execve(imgp->ip_vfs_context, imgp->ip_vp,
2547 imgp->ip_scriptlabelp, imgp->ip_execlabelp, p);
2548 #endif
2549
2550 OSBitAndAtomic(~((uint32_t)P_SUGID), (UInt32 *)&p->p_flag);
2551
2552 /*
2553 * Order of the following is important; group checks must go last,
2554 * as we use the success of the 'is_member' check combined with the
2555 * failure of the explicit match to indicate that we will be setting
2556 * the egid of the process even though the new process did not
2557 * require VSUID/VSGID bits in order for it to set the new group as
2558 * its egid.
2559 *
2560 * Note: Technically, by this we are implying a call to
2561 * setegid() in the new process, rather than implying
2562 * it used its VSGID bit to set the effective group,
2563 * even though there is no code in that process to make
2564 * such a call.
2565 */
2566 if (((imgp->ip_origvattr->va_mode & VSUID) != 0 &&
2567 kauth_cred_getuid(cred) != imgp->ip_origvattr->va_uid) ||
2568 #if CONFIG_MACF
2569 mac_transition || /* A policy wants to transition */
2570 #endif
2571 ((imgp->ip_origvattr->va_mode & VSGID) != 0 &&
2572 ((kauth_cred_ismember_gid(cred, imgp->ip_origvattr->va_gid, &is_member) || !is_member) ||
2573 (cred->cr_gid != imgp->ip_origvattr->va_gid)))) {
2574
2575 /*
2576 * Replace the credential with a copy of itself if euid or
2577 * egid change.
2578 *
2579 * Note: setuid binaries will automatically opt out of
2580 * group resolver participation as a side effect
2581 * of this operation. This is an intentional
2582 * part of the security model, which requires a
2583 * participating credential be established by
2584 * escalating privilege, setting up all other
2585 * aspects of the credential including whether
2586 * or not to participate in external group
2587 * membership resolution, then dropping their
2588 * effective privilege to that of the desired
2589 * final credential state.
2590 */
2591 if (imgp->ip_origvattr->va_mode & VSUID) {
2592 p->p_ucred = kauth_cred_setresuid(p->p_ucred, KAUTH_UID_NONE, imgp->ip_origvattr->va_uid, imgp->ip_origvattr->va_uid, KAUTH_UID_NONE);
2593 }
2594 if (imgp->ip_origvattr->va_mode & VSGID) {
2595 p->p_ucred = kauth_cred_setresgid(p->p_ucred, KAUTH_GID_NONE, imgp->ip_origvattr->va_gid, imgp->ip_origvattr->va_gid);
2596 }
2597
2598 #if CONFIG_MACF
2599 /*
2600 * XXXMAC: In FreeBSD, we set P_SUGID on a MAC transition
2601 * to protect against debuggers being attached by an
2602 * insufficiently privileged process onto the result of
2603 * a transition to a more privileged credential. This is
2604 * too conservative on FreeBSD, but we need to do
2605 * something similar here, or risk vulnerability.
2606 *
2607 * Before we make the call into the MAC policies, get a new
2608 * duplicate credential, so they can modify it without
2609 * modifying any others sharing it.
2610 */
2611 if (mac_transition && !imgp->ip_no_trans) {
2612 kauth_proc_label_update_execve(p,
2613 imgp->ip_vfs_context,
2614 imgp->ip_vp,
2615 imgp->ip_scriptlabelp, imgp->ip_execlabelp);
2616
2617 my_cred = kauth_cred_proc_ref(p);
2618 mac_task_label_update_cred(my_cred, p->task);
2619 kauth_cred_unref(&my_cred);
2620 }
2621 #endif
2622 /*
2623 * Have mach reset the task and thread ports.
2624 * We don't want anyone who had the ports before
2625 * a setuid exec to be able to access/control the
2626 * task/thread after.
2627 */
2628 if (current_task() == p->task) {
2629 ipc_task_reset(p->task);
2630 ipc_thread_reset(current_thread());
2631 }
2632
2633 /*
2634 * If 'is_member' is non-zero, then we passed the VSUID and
2635 * MACF checks, and successfully determined that the previous
2636 * cred was a member of the VSGID group, but that it was not
2637 * the default at the time of the execve. So we don't set the
2638 * P_SUGID on the basis of simply running this code.
2639 */
2640 if (!is_member)
2641 OSBitOrAtomic(P_SUGID, (UInt32 *)&p->p_flag);
2642
2643 /* Cache the vnode for /dev/null the first time around */
2644 if (dev_null == NULLVP) {
2645 struct nameidata nd1;
2646
2647 NDINIT(&nd1, LOOKUP, FOLLOW, UIO_SYSSPACE32,
2648 CAST_USER_ADDR_T("/dev/null"),
2649 imgp->ip_vfs_context);
2650
2651 if ((error = vn_open(&nd1, FREAD, 0)) == 0) {
2652 dev_null = nd1.ni_vp;
2653 /*
2654 * vn_open returns with both a use_count
2655 * and an io_count on the found vnode
2656 * drop the io_count, but keep the use_count
2657 */
2658 vnode_put(nd1.ni_vp);
2659 }
2660 }
2661
2662 /* Radar 2261856; setuid security hole fix */
2663 /* Patch from OpenBSD: A. Ramesh */
2664 /*
2665 * XXX For setuid processes, attempt to ensure that
2666 * stdin, stdout, and stderr are already allocated.
2667 * We do not want userland to accidentally allocate
2668 * descriptors in this range which has implied meaning
2669 * to libc.
2670 */
2671 if (dev_null != NULLVP) {
2672 for (i = 0; i < 3; i++) {
2673 struct fileproc *fp;
2674 int indx;
2675
2676 if (p->p_fd->fd_ofiles[i] != NULL)
2677 continue;
2678
2679 if ((error = falloc(p, &fp, &indx, imgp->ip_vfs_context)) != 0)
2680 continue;
2681
2682 if ((error = vnode_ref_ext(dev_null, FREAD)) != 0) {
2683 fp_free(p, indx, fp);
2684 break;
2685 }
2686
2687 fp->f_fglob->fg_flag = FREAD;
2688 fp->f_fglob->fg_type = DTYPE_VNODE;
2689 fp->f_fglob->fg_ops = &vnops;
2690 fp->f_fglob->fg_data = (caddr_t)dev_null;
2691
2692 proc_fdlock(p);
2693 procfdtbl_releasefd(p, indx, NULL);
2694 fp_drop(p, indx, fp, 1);
2695 proc_fdunlock(p);
2696 }
2697 /*
2698 * for now we need to drop the reference immediately
2699 * since we don't have any mechanism in place to
2700 * release it before starting to unmount "/dev"
2701 * during a reboot/shutdown
2702 */
2703 vnode_rele(dev_null);
2704 dev_null = NULLVP;
2705 }
2706 }
2707
2708 /*
2709 * Implement the semantic where the effective user and group become
2710 * the saved user and group in exec'ed programs.
2711 */
2712 p->p_ucred = kauth_cred_setsvuidgid(p->p_ucred, kauth_cred_getuid(p->p_ucred), p->p_ucred->cr_gid);
2713
2714 /* XXX Obsolete; security token should not be separate from cred */
2715 set_security_token(p);
2716
2717 return(error);
2718 }
2719
2720
2721 /*
2722 * create_unix_stack
2723 *
2724 * Description: Set the user stack address for the process to the provided
2725 * address. If a custom stack was not set as a result of the
2726 * load process (i.e. as specified by the image file for the
2727 * executable), then allocate the stack in the provided map and
2728 * set up appropriate guard pages for enforcing administrative
2729 * limits on stack growth, if they end up being needed.
2730 *
2731 * Parameters: p Process to set stack on
2732 * user_stack Address to set stack for process to
2733 * customstack FALSE if no custom stack in binary
2734 * map Address map in which to allocate the
2735 * new stack, if 'customstack' is FALSE
2736 *
2737 * Returns: KERN_SUCCESS Stack successfully created
2738 * !KERN_SUCCESS Mach failure code
2739 */
2740 static kern_return_t
2741 create_unix_stack(vm_map_t map, user_addr_t user_stack, int customstack,
2742 proc_t p)
2743 {
2744 mach_vm_size_t size, prot_size;
2745 mach_vm_offset_t addr, prot_addr;
2746 kern_return_t kr;
2747
2748 proc_lock(p);
2749 p->user_stack = user_stack;
2750 proc_unlock(p);
2751
2752 if (!customstack) {
2753 /*
2754 * Allocate enough space for the maximum stack size we
2755 * will ever authorize and an extra page to act as
2756 * a guard page for stack overflows.
2757 */
2758 size = mach_vm_round_page(MAXSSIZ);
2759 #if STACK_GROWTH_UP
2760 addr = mach_vm_trunc_page(user_stack);
2761 #else /* STACK_GROWTH_UP */
2762 addr = mach_vm_trunc_page(user_stack - size);
2763 #endif /* STACK_GROWTH_UP */
2764 kr = mach_vm_allocate(map, &addr, size,
2765 VM_MAKE_TAG(VM_MEMORY_STACK) |
2766 VM_FLAGS_FIXED);
2767 if (kr != KERN_SUCCESS) {
2768 return kr;
2769 }
2770 /*
2771 * And prevent access to what's above the current stack
2772 * size limit for this process.
2773 */
2774 prot_addr = addr;
2775 #if STACK_GROWTH_UP
2776 prot_addr += unix_stack_size(p);
2777 #endif /* STACK_GROWTH_UP */
2778 prot_addr = mach_vm_round_page(prot_addr);
2779 prot_size = mach_vm_trunc_page(size - unix_stack_size(p));
2780 kr = mach_vm_protect(map,
2781 prot_addr,
2782 prot_size,
2783 FALSE,
2784 VM_PROT_NONE);
2785 if (kr != KERN_SUCCESS) {
2786 (void) mach_vm_deallocate(map, addr, size);
2787 return kr;
2788 }
2789 }
2790 return KERN_SUCCESS;
2791 }
2792
2793 #include <sys/reboot.h>
2794
2795 static char init_program_name[128] = "/sbin/launchd";
2796
2797 struct execve_args init_exec_args;
2798
2799 /*
2800 * load_init_program
2801 *
2802 * Description: Load the "init" program; in most cases, this will be "launchd"
2803 *
2804 * Parameters: p Process to call execve() to create
2805 * the "init" program
2806 *
2807 * Returns: (void)
2808 *
2809 * Notes: The process that is passed in is the first manufactured
2810 * process on the system, and gets here via bsd_ast() firing
2811 * for the first time. This is done to ensure that bsd_init()
2812 * has run to completion.
2813 */
2814 void
2815 load_init_program(proc_t p)
2816 {
2817 vm_offset_t init_addr;
2818 int argc = 0;
2819 char *argv[3];
2820 int error;
2821 register_t retval[2];
2822
2823 /*
2824 * Copy out program name.
2825 */
2826
2827 init_addr = VM_MIN_ADDRESS;
2828 (void) vm_allocate(current_map(), &init_addr, PAGE_SIZE,
2829 VM_FLAGS_ANYWHERE);
2830 if (init_addr == 0)
2831 init_addr++;
2832
2833 (void) copyout((caddr_t) init_program_name, CAST_USER_ADDR_T(init_addr),
2834 (unsigned) sizeof(init_program_name)+1);
2835
2836 argv[argc++] = (char *) init_addr;
2837 init_addr += sizeof(init_program_name);
2838 init_addr = (vm_offset_t)ROUND_PTR(char, init_addr);
2839
2840 /*
2841 * Put out first (and only) argument, similarly.
2842 * Assumes everything fits in a page as allocated
2843 * above.
2844 */
2845 if (boothowto & RB_SINGLE) {
2846 const char *init_args = "-s";
2847
2848 copyout(init_args, CAST_USER_ADDR_T(init_addr),
2849 strlen(init_args));
2850
2851 argv[argc++] = (char *)init_addr;
2852 init_addr += strlen(init_args);
2853 init_addr = (vm_offset_t)ROUND_PTR(char, init_addr);
2854
2855 }
2856
2857 /*
2858 * Null-end the argument list
2859 */
2860 argv[argc] = NULL;
2861
2862 /*
2863 * Copy out the argument list.
2864 */
2865
2866 (void) copyout((caddr_t) argv, CAST_USER_ADDR_T(init_addr),
2867 (unsigned) sizeof(argv));
2868
2869 /*
2870 * Set up argument block for fake call to execve.
2871 */
2872
2873 init_exec_args.fname = CAST_USER_ADDR_T(argv[0]);
2874 init_exec_args.argp = CAST_USER_ADDR_T((char **)init_addr);
2875 init_exec_args.envp = CAST_USER_ADDR_T(0);
2876
2877 /*
2878 * So that mach_init task is set with uid,gid 0 token
2879 */
2880 set_security_token(p);
2881
2882 error = execve(p,&init_exec_args,retval);
2883 if (error)
2884 panic("Process 1 exec of %s failed, errno %d\n",
2885 init_program_name, error);
2886 }
2887
2888 /*
2889 * load_return_to_errno
2890 *
2891 * Description: Convert a load_return_t (Mach error) to an errno (BSD error)
2892 *
2893 * Parameters: lrtn Mach error number
2894 *
2895 * Returns: (int) BSD error number
2896 * 0 Success
2897 * EBADARCH Bad architecture
2898 * EBADMACHO Bad Mach object file
2899 * ESHLIBVERS Bad shared library version
2900 * ENOMEM Out of memory/resource shortage
2901 * EACCES Access denied
2902 * ENOENT Entry not found (usually "file does
2903 * does not exist")
2904 * EIO An I/O error occurred
2905 * EBADEXEC The executable is corrupt/unknown
2906 */
2907 static int
2908 load_return_to_errno(load_return_t lrtn)
2909 {
2910 switch (lrtn) {
2911 case LOAD_SUCCESS:
2912 return 0;
2913 case LOAD_BADARCH:
2914 return EBADARCH;
2915 case LOAD_BADMACHO:
2916 return EBADMACHO;
2917 case LOAD_SHLIB:
2918 return ESHLIBVERS;
2919 case LOAD_NOSPACE:
2920 case LOAD_RESOURCE:
2921 return ENOMEM;
2922 case LOAD_PROTECT:
2923 return EACCES;
2924 case LOAD_ENOENT:
2925 return ENOENT;
2926 case LOAD_IOERROR:
2927 return EIO;
2928 case LOAD_FAILURE:
2929 default:
2930 return EBADEXEC;
2931 }
2932 }
2933
2934 #include <mach/mach_types.h>
2935 #include <mach/vm_prot.h>
2936 #include <mach/semaphore.h>
2937 #include <mach/sync_policy.h>
2938 #include <kern/clock.h>
2939 #include <mach/kern_return.h>
2940
2941 extern semaphore_t execve_semaphore;
2942
2943 /*
2944 * execargs_alloc
2945 *
2946 * Description: Allocate the block of memory used by the execve arguments.
2947 * At the same time, we allocate a page so that we can read in
2948 * the first page of the image.
2949 *
2950 * Parameters: struct image_params * the image parameter block
2951 *
2952 * Returns: 0 Success
2953 * EINVAL Invalid argument
2954 * EACCES Permission denied
2955 * EINTR Interrupted function
2956 * ENOMEM Not enough space
2957 *
2958 * Notes: This is a temporary allocation into the kernel address space
2959 * to enable us to copy arguments in from user space. This is
2960 * necessitated by not mapping the process calling execve() into
2961 * the kernel address space during the execve() system call.
2962 *
2963 * We assemble the argument and environment, etc., into this
2964 * region before copying it as a single block into the child
2965 * process address space (at the top or bottom of the stack,
2966 * depending on which way the stack grows; see the function
2967 * exec_copyout_strings() for details).
2968 *
2969 * This ends up with a second (possibly unnecessary) copy compared
2970 * with assembing the data directly into the child address space,
2971 * instead, but since we cannot be guaranteed that the parent has
2972 * not modified its environment, we can't really know that it's
2973 * really a block there as well.
2974 */
2975 static int
2976 execargs_alloc(struct image_params *imgp)
2977 {
2978 kern_return_t kret;
2979
2980 kret = semaphore_wait(execve_semaphore);
2981 if (kret != KERN_SUCCESS)
2982 switch (kret) {
2983 default:
2984 return (EINVAL);
2985 case KERN_INVALID_ADDRESS:
2986 case KERN_PROTECTION_FAILURE:
2987 return (EACCES);
2988 case KERN_ABORTED:
2989 case KERN_OPERATION_TIMED_OUT:
2990 return (EINTR);
2991 }
2992
2993 kret = kmem_alloc_pageable(bsd_pageable_map, (vm_offset_t *)&imgp->ip_strings, NCARGS + PAGE_SIZE);
2994 imgp->ip_vdata = imgp->ip_strings + NCARGS;
2995 if (kret != KERN_SUCCESS) {
2996 semaphore_signal(execve_semaphore);
2997 return (ENOMEM);
2998 }
2999 return (0);
3000 }
3001
3002 /*
3003 * execargs_free
3004 *
3005 * Description: Free the block of memory used by the execve arguments and the
3006 * first page of the executable by a previous call to the function
3007 * execargs_alloc().
3008 *
3009 * Parameters: struct image_params * the image parameter block
3010 *
3011 * Returns: 0 Success
3012 * EINVAL Invalid argument
3013 * EINTR Oeration interrupted
3014 */
3015 static int
3016 execargs_free(struct image_params *imgp)
3017 {
3018 kern_return_t kret;
3019
3020 kmem_free(bsd_pageable_map, (vm_offset_t)imgp->ip_strings, NCARGS + PAGE_SIZE);
3021 imgp->ip_strings = NULL;
3022
3023 kret = semaphore_signal(execve_semaphore);
3024 switch (kret) {
3025 case KERN_INVALID_ADDRESS:
3026 case KERN_PROTECTION_FAILURE:
3027 return (EINVAL);
3028 case KERN_ABORTED:
3029 case KERN_OPERATION_TIMED_OUT:
3030 return (EINTR);
3031 case KERN_SUCCESS:
3032 return(0);
3033 default:
3034 return (EINVAL);
3035 }
3036 }
3037
3038 static void
3039 exec_resettextvp(proc_t p, struct image_params *imgp)
3040 {
3041 vnode_t vp;
3042 off_t offset;
3043 vnode_t tvp = p->p_textvp;
3044 int ret;
3045
3046 vp = imgp->ip_vp;
3047 offset = imgp->ip_arch_offset;
3048
3049 if (vp == NULLVP)
3050 panic("exec_resettextvp: expected valid vp");
3051
3052 ret = vnode_ref(vp);
3053 proc_lock(p);
3054 if (ret == 0) {
3055 p->p_textvp = vp;
3056 p->p_textoff = offset;
3057 } else {
3058 p->p_textvp = NULLVP; /* this is paranoia */
3059 p->p_textoff = 0;
3060 }
3061 proc_unlock(p);
3062
3063 if ( tvp != NULLVP) {
3064 if (vnode_getwithref(tvp) == 0) {
3065 vnode_rele(tvp);
3066 vnode_put(tvp);
3067 }
3068 }
3069
3070 }
3071
mirror of XNU